Hello Ludovic,

Ludovic Rousseau wrote:
> 2010/5/11 Viktor TARASOV <viktor.tara...@opentrust.com>:
>   
>> Ludovic Rousseau wrote:
>>     
>>> 2010/5/11 Viktor TARASOV <viktor.tara...@opentrust.com>:
>>>
>>>       
>>>>> I can send an OpenSC log file level=99 (200 KB uncompressed) if needed.
>>>>> I use the current SVN version of OpenSC.
>>>>>
>>>>>           
>>>> Please, do it.
>>>>
>>>>         
>>> Attached. bzip2 compressed.
>>>
>>> I have a Feitian smart card and use the entersafe card driver.
>>>
>>> It may be an entersafe card driver bug.
>>> log says:
>>> 0xb7b476b0 16:40:59.112 [opensc-pkcs11]
>>> iso7816.c:102:iso7816_check_sw: Security status not satisfied
>>> 0xb7b476b0 16:40:59.112 [opensc-pkcs11]
>>> card-entersafe.c:900:entersafe_compute_with_prkey: internal set
>>> security env failed: Security status not satisfied
>>> 0xb7b476b0 16:40:59.112 [opensc-pkcs11] sec.c:56:sc_compute_signature:
>>> returning with: -1211
>>>
>>>       
>> OK, thanks.
>>
>> I have this card and I'll look at it before the end of
>> this week (with 'Gemalto PC PinPad Reader').
>>     
>
> I think you will need this patch to use the Gemalto pinpad:
>
> Index: src/libopensc/card-entersafe.c
> ===================================================================
> --- src/libopensc/card-entersafe.c    (revision 4340)
> +++ src/libopensc/card-entersafe.c    (working copy)
> @@ -938,7 +938,7 @@
>  {
>       pin->encoding   = SC_PIN_ENCODING_ASCII;
>       pin->min_length = 4;
> -     pin->max_length = 16;
> +     pin->max_length = 8;
>       pin->pad_length = 16;
>       pin->offset     = 5 + num * 16;
>       pin->pad_char   = 0x00;
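Review bot: Lowering pin->max_length from 16 to 8 hard-codes a limitation of one reader (the pinpad, as the text after the hunk explains) into the card driver, so users of the same card with a conventional reader whose PIN is 9 to 16 characters long will now have it rejected on the host side even though the card still pads to 16 (pin->pad_length stays 16). If the card itself accepts 16, consider keeping `pin->max_length = 16;` and enforcing the 8-character limit only on the pinpad path, or at least adding a comment next to the new value stating why 8 was chosen.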
>
> The reader does not accept PIN longer than 8. I will write about that
> on my blog [1] later.
>   

Using actual trunk I cannot sign with the Feitian card, neither with a 
conventional reader nor with a pinpad.
The reason, AFAICS, in both cases is the same -- after the user PIN was 
validated, the signing key's parent DF is selected by full path. The Feitian 
UserPIN is a local one, and so its 'validated' flag is lost. (Still to be 
looked for -- why the PKCS#15 pin cache is not working here.)

In fact, there is no real need to select the key DF -- it's already selected 
by the previous operations,
but the card->cache (that keeps the current path) is invalidated and the 
'compute signature' procedure has no other way to ensure the sign key's DF 
than re-selection.

To keep a valid card->cache (and current path) I'll do two small changes 
to trunk:
- in the entersafe profile for the user PIN add the flag 'local' (in fact it's 
really 'local', but the actual profile does not have this flag);
- set the default value of 'lock_login' to 'true' (as is stated by the 
comments in opensc.conf, but not in reality).

After these changes, the card->cache->current_path will be properly 
filled up when verifying PKCS#15 PIN,
and card->cache will not be invalidated between 'C_Login' and 'C_Sign'.

> Bye
>
> [1] http://ludovicrousseau.blogspot.com/
>   

Kind wishes,
Viktor.

-- 
Viktor Tarasov  <viktor.tara...@opentrust.com>

_______________________________________________
opensc-devel mailing list
opensc-devel@lists.opensc-project.org
http://www.opensc-project.org/mailman/listinfo/opensc-devel
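As an added illustration of the mechanism described in Viktor's message (not OpenSC code, and written in Python rather than C): a local PIN only keeps a card's security status while the DF it was verified in stays selected, so a full-path re-selection of the key DF between C_Login and C_Sign makes the signature fail with "Security status not satisfied", while a valid current-path cache lets the driver skip that re-selection. The file path, PIN value and class names are constructed for this model.

```python
# Added example, not OpenSC code: a small model of the failure described above.
# A PIN that is local to a DF only grants access while that DF stays selected;
# re-selecting the key DF by full path (from the MF) drops that verified status,
# so the signature fails with "Security status not satisfied". A driver-side
# current-path cache lets compute_signature skip the re-selection.
# The file layout, PIN and names below are constructed for this model.

KEY_DF = "3F00/5015/4B01"          # constructed path of the DF holding the signing key
USER_PIN = "1234"                  # constructed test PIN


class SecurityStatusError(Exception):
    """Models ISO 7816 SW 69 82, 'Security status not satisfied'."""


class Card:
    """Card with one DF-scoped (local) user PIN protecting the signing key."""

    def __init__(self):
        self.current_path = "3F00"
        self.pin_verified_in = None    # DF in which the local PIN is currently verified

    def select_by_path(self, path):
        # A full-path SELECT walks down from the MF, so the card leaves the DF
        # and the security status established by the local PIN is reset.
        self.pin_verified_in = None
        self.current_path = path

    def verify_pin(self, pin):
        if pin != USER_PIN:
            raise SecurityStatusError("wrong PIN")
        self.pin_verified_in = self.current_path

    def compute_signature(self, data):
        if self.pin_verified_in != KEY_DF or self.current_path != KEY_DF:
            raise SecurityStatusError("Security status not satisfied")
        return "SIG(" + data + ")"   # constructed stand-in for the real signature


def login_then_sign(data, keep_path_cache):
    """Models C_Login followed by C_Sign; keep_path_cache models a valid card->cache."""
    card = Card()
    card.select_by_path(KEY_DF)
    card.verify_pin(USER_PIN)          # C_Login: local PIN verified inside the key DF
    cached_path = KEY_DF if keep_path_cache else None   # None: cache invalidated in between
    if cached_path != KEY_DF:          # C_Sign must make sure the key DF is current...
        card.select_by_path(KEY_DF)    # ...and this re-selection loses the local PIN state
    try:
        return card.compute_signature(data)
    except SecurityStatusError as e:
        return str(e)
```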
