Hi,

I am trying to use the PKCS#11 library (actually the respective OpenSSL
engine) with a pin pad reader on OS X. The reader is a Gemalto PC
Pinpad, the card is a Feitian PKI card. I test using pkcs11-tool,
but the behaviour with the OpenSSL engine seems to be the same. Up to
hash calculation, everything works fine. However, signing things with
an activated pin pad fails with the error

PKCS11 function C_SignFinal failed: rv = CKR_USER_NOT_LOGGED_IN (0x101)

At that point, I entered a correct PIN using the pin pad.

I already tried the possible combinations of the cache_pin and lock_login
options, as well as turning the options under "reader_driver pcsc" on and
off, without success. If I disable the pin pad, everything seems to work
fine.

Cheers,
Jakob

Below is some debug information.

OS X: 10.5.8

opensc-tool -i:
opensc 0.12.0-svn-r4341 [gcc 4.0.1 (Apple Inc. build 5490)]
Enabled features: zlib readline iconv openssl pcsc(/System/Library/Frameworks/PCSC.framework/PCSC)

pkcs15-tool --dump:
Using reader with a card: Gemplus GemPC Pinpad 00 00
PKCS#15 Card [CernVM]:
    Version : 1
    Serial number : 3089520016010310
    Manufacturer ID: EnterSafe
    Last update : 20100513140331Z
    Flags : PRN generation, EID compliant

PIN [User PIN]
    Com. Flags: 0x3
    ID : 01
    Flags : [0x30], initialized, needs-padding
    Length : min_len:4, max_len:16, stored_len:16
    Pad char : 0x00
    Reference : 1
    Type : ascii-numeric
    Path :

Private RSA Key [CernVM Master Key]
    Com. Flags : 3
    Usage : [0x2E], decrypt, sign, signRecover, unwrap
    Access Flags: [0x1D], sensitive, alwaysSensitive, neverExtract, local
    ModLength : 2048
    Key ref : 1
    Native : yes
    Path : 3f005015
    Auth ID : 01
    ID : 19e096dd973630c31174206d692d0af624fef41a

Public RSA Key [CernVM Public Key]
    Com. Flags : 2
    Usage : [0xD1], encrypt, wrap, verify, verifyRecover
    Access Flags: [0x0]
    ModLength : 2048
    Key ref : 0
    Native : no
    Path : 3f0050153000
    Auth ID :
    ID : 19e096dd973630c31174206d692d0af624fef41a

Pin pad *disabled*, pkcs11-tool -t -l --slot 1:
Please enter User PIN:
C_SeedRandom() and C_GenerateRandom():
seeding (C_SeedRandom) not supported
seems to be OK
Digests:
all 4 digest functions seem to work
MD5: OK
SHA-1: OK
RIPEMD160: OK
Signatures (currently only RSA signatures)
testing key 0 (CernVM Master Key)
all 4 signature functions seem to work
testing signature mechanisms:
RSA-X-509: OK
RSA-PKCS: OK
SHA1-RSA-PKCS: OK
MD5-RSA-PKCS: OK
RIPEMD160-RSA-PKCS: OK
Verify (currently only for RSA):
testing key 0 (CernVM Master Key)
RSA-X-509: OK
RSA-PKCS: OK
SHA1-RSA-PKCS: OK
MD5-RSA-PKCS: OK
RIPEMD160-RSA-PKCS: OK
Key unwrap (RSA)
testing key 0 (CernVM Master Key)
ERR: C_UnwrapKey failed: CKR_SESSION_READ_ONLY (0xb5)
ERR: C_UnwrapKey failed: CKR_SESSION_READ_ONLY (0xb5)
ERR: C_UnwrapKey failed: CKR_SESSION_READ_ONLY (0xb5)
ERR: C_UnwrapKey failed: CKR_SESSION_READ_ONLY (0xb5)
DES-CBC: DES-EDE3-CBC: BF-CBC: CAST5-CFB: Decryption (RSA)
testing key 0 (CernVM Master Key)
RSA-X-509: OK
RSA-PKCS: OK

Pin pad *enabled*, pkcs11-tool -t -l --slot 1:
C_SeedRandom() and C_GenerateRandom():
seeding (C_SeedRandom) not supported
seems to be OK
Digests:
all 4 digest functions seem to work
MD5: OK
SHA-1: OK
RIPEMD160: OK
Signatures (currently only RSA signatures)
testing key 0 (CernVM Master Key)
error: PKCS11 function C_SignFinal failed: rv = CKR_USER_NOT_LOGGED_IN (0x101)

Tail of the debug for the above command:
0xa0515720 00:32:29.646 [opensc-pkcs11] iso7816.c:102:iso7816_check_sw: Security status not satisfied
0xa0515720 00:32:29.646 [opensc-pkcs11] card-entersafe.c:900:entersafe_compute_with_prkey: internal set security env failed: Security status not satisfied
0xa0515720 00:32:29.646 [opensc-pkcs11] sec.c:56:sc_compute_signature: returning with: -1211
0xa0515720 00:32:29.646 [opensc-pkcs11] pkcs15-pin.c:509:sc_pkcs15_pincache_revalidate: called
0xa0515720 00:32:29.646 [opensc-pkcs11] card.c:320:sc_unlock: called
0xa0515720 00:32:29.646 [opensc-pkcs11] pkcs15-sec.c:296:sc_pkcs15_compute_signature: sc_compute_signature() failed: Security status not satisfied
0xa0515720 00:32:29.646 [opensc-pkcs11] card.c:320:sc_unlock: called
0xa0515720 00:32:29.646 [opensc-pkcs11] framework-pkcs15.c:2447:pkcs15_prkey_sign: Sign complete. Result -1211.
0xa0515720 00:32:29.646 [opensc-pkcs11] misc.c:59:sc_to_cryptoki_error_common: opensc error: Security status not satisfied (-1211)
0xa0515720 00:32:29.646 [opensc-pkcs11] pkcs11-object.c:659:C_SignFinal: C_SignFinal() = CKR_USER_NOT_LOGGED_IN
0xa0515720 00:32:29.647 [opensc-pkcs11] pkcs11-global.c:289:C_Finalize: C_Finalize()
0xa0515720 00:32:29.647 [opensc-pkcs11] ctx.c:773:sc_cancel: called
0xa0515720 00:32:29.647 [opensc-pkcs11] ctx.c:775:sc_cancel: trying pcsc
0xa0515720 00:32:29.647 [opensc-pkcs11] reader-pcsc.c:552:pcsc_cancel: called
0xa0515720 00:32:29.647 [opensc-pkcs11] slot.c:126:card_removed: Gemplus GemPC Pinpad 00 00: card removed
0xa0515720 00:32:29.647 [opensc-pkcs11] slot.c:310:slot_token_removed: slot_token_removed(0x1)
0xa0515720 00:32:29.647 [opensc-pkcs11] pkcs11-session.c:130:sc_pkcs11_close_all_sessions: real C_CloseAllSessions(0x1) 3
0xa0515720 00:32:29.647 [opensc-pkcs11] pkcs11-session.c:102:sc_pkcs11_close_session: real C_CloseSession(0x5095d0)
0xa0515720 00:32:29.647 [opensc-pkcs11] pkcs11-session.c:102:sc_pkcs11_close_session: real C_CloseSession(0x509890)
0xa0515720 00:32:29.647 [opensc-pkcs11] card.c:320:sc_unlock: called
0xa0515720 00:32:29.647 [opensc-pkcs11] reader-pcsc.c:508:pcsc_unlock: called
0xa0515720 00:32:29.647 [opensc-pkcs11] slot.c:310:slot_token_removed: slot_token_removed(0x2)
0xa0515720 00:32:29.647 [opensc-pkcs11] pkcs11-session.c:130:sc_pkcs11_close_all_sessions: real C_CloseAllSessions(0x2) 1
0xa0515720 00:32:29.647 [opensc-pkcs11] slot.c:310:slot_token_removed: slot_token_removed(0x3)
0xa0515720 00:32:29.647 [opensc-pkcs11] pkcs11-session.c:130:sc_pkcs11_close_all_sessions: real C_CloseAllSessions(0x3) 1
0xa0515720 00:32:29.647 [opensc-pkcs11] slot.c:310:slot_token_removed: slot_token_removed(0x4)
0xa0515720 00:32:29.648 [opensc-pkcs11] pkcs11-session.c:130:sc_pkcs11_close_all_sessions: real C_CloseAllSessions(0x4) 1
0xa0515720 00:32:29.648 [opensc-pkcs11] pkcs15.c:831:sc_pkcs15_unbind: called
0xa0515720 00:32:29.648 [opensc-pkcs11] pkcs15-pin.c:551:sc_pkcs15_pincache_clear: called
0xa0515720 00:32:29.648 [opensc-pkcs11] misc.c:59:sc_to_cryptoki_error_common: opensc error: No errors (0)
0xa0515720 00:32:29.648 [opensc-pkcs11] card.c:237:sc_disconnect_card: called
0xa0515720 00:32:29.648 [opensc-pkcs11] reader-pcsc.c:457:pcsc_disconnect: called
0xa0515720 00:32:30.112 [opensc-pkcs11] card.c:252:sc_disconnect_card: returning with: 0
0xa0515720 00:32:30.112 [opensc-pkcs11] ctx.c:804:sc_release_context: called
0xa0515720 00:32:30.112 [opensc-pkcs11] reader-pcsc.c:695:pcsc_finish: called
error: PKCS11 function C_SignFinal failed: rv = CKR_USER_NOT_LOGGED_IN (0x101)
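
Added example (not part of the original post and not OpenSC code): a small Python helper that re-joins mail-wrapped OpenSC debug records like the tail above and lists the records that report a failure, showing how the card's "Security status not satisfied" status travels up to the CKR_USER_NOT_LOGGED_IN returned by C_SignFinal. The names `unwrap` and `failure_chain` and the failure heuristics are assumptions of this example.

```python
import re

# Excerpt of the debug tail quoted in the post (some records omitted),
# still wrapped the way the mail client left it.
SAMPLE = """\
0xa0515720 00:32:29.646 [opensc-pkcs11] iso7816.c:102:iso7816_check_sw:
Security status not satisfied
0xa0515720 00:32:29.646 [opensc-pkcs11]
card-entersafe.c:900:entersafe_compute_with_prkey: internal set security
env failed: Security status not satisfied
0xa0515720 00:32:29.646 [opensc-pkcs11] sec.c:56:sc_compute_signature:
returning with: -1211
0xa0515720 00:32:29.646 [opensc-pkcs11] card.c:320:sc_unlock: called
0xa0515720 00:32:29.646 [opensc-pkcs11]
framework-pkcs15.c:2447:pkcs15_prkey_sign: Sign complete. Result -1211.
0xa0515720 00:32:29.646 [opensc-pkcs11] pkcs11-object.c:659:C_SignFinal:
C_SignFinal() = CKR_USER_NOT_LOGGED_IN
0xa0515720 00:32:29.647 [opensc-pkcs11] pkcs11-global.c:289:C_Finalize:
C_Finalize()
"""

# A record starts with "<thread id> <hh:mm:ss.mmm> [<component>]".
START = re.compile(r"^0x[0-9a-f]+ \d\d:\d\d:\d\d\.\d{3} \[[^\]]+\]")
RECORD = re.compile(r"^(0x[0-9a-f]+) (\S+) \[([^\]]+)\] (\S+?):(\d+):(\w+): (.*)$")
# Heuristics (assumed): negative return code, "failed", a status-word error,
# or a PKCS#11 return value other than CKR_OK.
FAILURE = re.compile(
    r"(?:returning with|Result):? (-\d+)|failed|not satisfied|= (CKR_(?!OK)\w+)")

def unwrap(text):
    """Re-join continuation lines onto the record that started them."""
    records = []
    for line in text.splitlines():
        if START.match(line) or not records:
            records.append(line.strip())
        else:
            records[-1] += " " + line.strip()
    return records

def failure_chain(text):
    """Return (file, line, function, message) per failing record, in log order."""
    chain = []
    for rec in unwrap(text):
        m = RECORD.match(rec)
        if m and FAILURE.search(m.group(7)):
            chain.append((m.group(4), int(m.group(5)), m.group(6), m.group(7)))
    return chain
```

The first entry of the chain is the lowest layer that saw the error, which is usually the place to start reading the surrounding records.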