On Wed, 2010-08-25 at 10:55 +0300, Martin Paljak wrote:
> Hello,
>
> On Aug 24, 2010, at 10:09 AM, Patrik Martinsson wrote:
> > Question #1,
> >
> > Try pkcs11_inspect.
> > $ pkcs11_inspect
> > [opensc-pkcs11] iso7816.c:99:iso7816_check_sw: Instruction code not
> > supported or invalid
> > [opensc-pkcs11] card.c:588:sc_get_challenge: returning with: Unsupported
> > INS byte in APDU
> > PIN for token: xxxx
> > Printing data for mapper cn:
> > username
> >
> > Works like a charm, however it gives me those two lines which is a bit
> > worrying/annoying.
> > What do they mean and is there anything i can do to fix them ?
> card-setcos.c does not override iso7816.get_challenge, but the card rejects
> the ISO version. This results in C_GenerateRandom() failing, but I guess
> pkcs11_inspect will then just use some other random source. OpenSC SVN/0.12+
> will not output such internal errors to stderr by default, so you'll not see
> it in future versions.
>
> If everything is working fine, there's nothing to worry about. If not, then
> it can be fixed by implementing a proper GET CHALLENGE method in
> card-setcos.c. If you can sniff the correct APDU for this (or if you have the
> manual), that would be great. Or something in pkcs11_inspect should be fixed to not
> depend on the smart card module C_GenerateRandom().
I think that it is highly possible that most setcos cards will do fine
with the current implementation of get_challenge(). This is because the
driver is about 8 years old, so anyone else would have reported this bug
before if it was a general one. My assumption is that this particular
card lacks the required hardware.
Attached is a patch, which exposes the RNG functionality only if the
token itself states support for it.
Regards
Andre
> > Question #2,
> > I'm trying to use opensc-pkcs11.so together with gdm-plugin-smartcard.
> >
> > That one is failing telling me, "assertion 'slot_id >= 1' failed",
> > obviously slot_id should be >= 1, but it isn't and I'm not sure why.
> That assertion seems to come from something else than OpenSC. Where can the
> source code of the gdm-plugin-smartcard be downloaded? I suspect the assert
> is erroneous, as from the PKCS#11 spec:
> """
> A priori, any value of CK_SLOT_ID can be a valid slot identifier—in
> particular, a system may have a slot identified by the value 0. It need not
> have such a slot, however.
> """
>
> Cheers,
Index: pkcs11/framework-pkcs15.c
===================================================================
--- pkcs11/framework-pkcs15.c (revision 4654)
+++ pkcs11/framework-pkcs15.c (working copy)
@@ -722,8 +722,14 @@
if (p15card->card->reader->capabilities & SC_READER_CAP_PIN_PAD) {
slot->token_info.flags |= CKF_PROTECTED_AUTHENTICATION_PATH;
}
- if (p15card->card->caps & SC_CARD_CAP_RNG)
+
+ /* State support for RNG when:
+ * 1. the token itself states this capability
+ * 2. the driver supports get_challenge() for this token
+ */
+ if (p15card->flags & SC_PKCS15_CARD_FLAG_PRN_GENERATION && p15card->card->ops->get_challenge != NULL)
slot->token_info.flags |= CKF_RNG;
+
slot->fw_data = fw_data = calloc(1, sizeof(*fw_data));
fw_data->auth_obj = auth;
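Review bot: the new condition `if (p15card->flags & SC_PKCS15_CARD_FLAG_PRN_GENERATION && p15card->card->ops->get_challenge != NULL)` does not catch the case reported in this thread: card-setcos.c does not override iso7816.get_challenge, so the inherited ISO implementation makes `ops->get_challenge` non-NULL and CKF_RNG is still advertised whenever EF(TokenInfo) carries prnGeneration; only a card whose TokenInfo omits that bit loses the flag. The old `p15card->card->caps & SC_CARD_CAP_RNG` test is also dropped outright rather than combined, so a driver that deliberately sets SC_CARD_CAP_RNG no longer influences CKF_RNG at all. Suggest keeping it as an additional condition, parenthesizing the bitwise tests for readability, and wrapping the line, which runs well past 80 columns: `if ((p15card->flags & SC_PKCS15_CARD_FLAG_PRN_GENERATION) && (p15card->card->caps & SC_CARD_CAP_RNG))`.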
Index: pkcs11/pkcs11-object.c
===================================================================
--- pkcs11/pkcs11-object.c (revision 4654)
+++ pkcs11/pkcs11-object.c (working copy)
@@ -978,7 +978,7 @@
rv = get_session(hSession, &session);
if (rv == CKR_OK) {
slot = session->slot;
- if (slot->card->framework->get_random == NULL)
+ if (!(slot->token_info.flags & CKF_RNG))
rv = CKR_RANDOM_NO_RNG;
else if (slot->card->framework->seed_random == NULL)
rv = CKR_RANDOM_SEED_NOT_SUPPORTED;
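Review bot: replacing `slot->card->framework->get_random == NULL` with `!(slot->token_info.flags & CKF_RNG)` in this seed path makes two different properties stand in for each other: the flag is set per token by framework-pkcs15.c from the card's TokenInfo, while `get_random` is a property of the framework object. A framework that leaves `get_random` NULL on a slot whose token_info has CKF_RNG set now falls through to the `seed_random` test and reports CKR_RANDOM_SEED_NOT_SUPPORTED instead of CKR_RANDOM_NO_RNG. Keep both checks: `if (!(slot->token_info.flags & CKF_RNG) || slot->card->framework->get_random == NULL)`.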
@@ -1005,7 +1005,7 @@
rv = get_session(hSession, &session);
if (rv == CKR_OK) {
slot = session->slot;
- if (slot->card->framework->get_random == NULL)
+ if (!(slot->token_info.flags & CKF_RNG))
rv = CKR_RANDOM_NO_RNG;
else
rv = slot->card->framework->get_random(slot->card, RandomData, ulRandomLen);
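Review bot: the removed NULL test was the only guard in front of `rv = slot->card->framework->get_random(slot->card, RandomData, ulRandomLen);`; with `!(slot->token_info.flags & CKF_RNG)` as the sole condition, a slot whose token_info has CKF_RNG set while its framework's `get_random` is NULL calls through a NULL function pointer. Keep the pointer check alongside the flag check: `if (!(slot->token_info.flags & CKF_RNG) || slot->card->framework->get_random == NULL)`, so the flag decides whether an RNG is advertised and the pointer check still protects the call.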
_______________________________________________
opensc-devel mailing list
[email protected]
http://www.opensc-project.org/mailman/listinfo/opensc-devel
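The thread raises two separable points: the middleware should only advertise CKF_RNG when the card really answers GET CHALLENGE, and a client such as pkcs11_inspect should never depend on the token's C_GenerateRandom alone. The following is an added example, not OpenSC code and not the patch above: it simulates a PKCS#11 token layer over two constructed cards (one rejecting GET CHALLENGE with SW 6D00 as in the quoted log, one answering it), sets CKF_RNG only after a successful probe rather than from a non-NULL driver pointer, and shows a client that XORs any card randomness with the host CSPRNG so a missing or lying RNG cannot weaken its output. The `Token` dataclass, `bind_token` and `client_random` are hypothetical names; the numeric constants are from PKCS#11 v2.20 and ISO 7816-4.

```python
"""Added example, not OpenSC code: simulated PKCS#11 token layer that
advertises CKF_RNG only when GET CHALLENGE actually works, plus a client
that never relies on the token's C_GenerateRandom alone."""
import secrets
from dataclasses import dataclass
from typing import Callable, Optional, Tuple

# PKCS#11 v2.20 constants.
CKF_RNG = 0x00000001
CKR_OK = 0x00000000
CKR_RANDOM_NO_RNG = 0x00000121

# ISO 7816-4: GET CHALLENGE is INS 0x84. SW 6D00 is "instruction code not
# supported or invalid", the error iso7816_check_sw printed in the thread.
INS_GET_CHALLENGE = 0x84
SW_OK = bytes([0x90, 0x00])
SW_INS_NOT_SUPPORTED = bytes([0x6D, 0x00])

Transmit = Callable[[bytes], bytes]   # command APDU -> response data || SW1 SW2


def sim_card_no_rng(apdu: bytes) -> bytes:
    """Constructed card: rejects GET CHALLENGE like the card in the thread."""
    return SW_INS_NOT_SUPPORTED if apdu[1] == INS_GET_CHALLENGE else SW_OK


def sim_card_with_rng(apdu: bytes) -> bytes:
    """Constructed card: answers GET CHALLENGE with Le random bytes."""
    if apdu[1] == INS_GET_CHALLENGE:
        return secrets.token_bytes(apdu[4]) + SW_OK
    return SW_OK


def iso7816_get_challenge(transmit: Transmit, length: int) -> Optional[bytes]:
    """CLA=00 INS=84 P1=00 P2=00 Le=length. Returns None when the card rejects
    the INS or answers short, instead of surfacing it as a hard error."""
    resp = transmit(bytes([0x00, INS_GET_CHALLENGE, 0x00, 0x00, length]))
    if len(resp) == length + 2 and resp[-2:] == SW_OK:
        return resp[:-2]
    return None


@dataclass
class Token:                  # hypothetical stand-in for a PKCS#11 slot/token
    transmit: Transmit
    prn_generation: bool      # the prnGeneration bit from EF(TokenInfo)
    flags: int = 0            # CK_TOKEN_INFO.flags as seen by clients


def bind_token(token: Token) -> Token:
    """Set CKF_RNG only if TokenInfo claims it AND one GET CHALLENGE succeeds.
    A driver inheriting the generic ISO get_challenge passes any
    'function pointer is non-NULL' test yet still fails on the card, so probe."""
    if token.prn_generation and iso7816_get_challenge(token.transmit, 8) is not None:
        token.flags |= CKF_RNG
    return token


def c_generate_random(token: Token, n: int) -> Tuple[int, Optional[bytes]]:
    """Shape of C_GenerateRandom: honour the advertised flag, then ask the card."""
    if not (token.flags & CKF_RNG):
        return CKR_RANDOM_NO_RNG, None
    out = b""
    while len(out) < n:                        # cards cap Le, so fetch in chunks
        chunk = iso7816_get_challenge(token.transmit, min(8, n - len(out)))
        if chunk is None:
            return CKR_RANDOM_NO_RNG, None     # flag was wrong; fail closed
        out += chunk
    return CKR_OK, out


def client_random(token: Token, n: int) -> bytes:
    """What a pkcs11_inspect-style client should do: always mix in the host
    CSPRNG, so a token with no RNG (or a broken one) never weakens the result."""
    host = secrets.token_bytes(n)
    rv, card = c_generate_random(token, n)
    if rv != CKR_OK or card is None:
        return host
    return bytes(h ^ c for h, c in zip(host, card))
```

The probe in `bind_token` is the part a driver-level fix cannot replace: it tests the card's behaviour, not whether some function pointer happens to be set. `client_random` shows the fallback Martin suggests for pkcs11_inspect, with the stronger property that the output is at least as unpredictable as the host CSPRNG whether or not the token contributes.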