On Thu, 2010-08-26 at 14:32 +0200, Andre Zepezauer wrote:
> On Wed, 2010-08-25 at 10:55 +0300, Martin Paljak wrote:
> > Hello,
> >
> > On Aug 24, 2010, at 10:09 AM, Patrik Martinsson wrote:
> > > Question #1,
> > >
> > > Try pkcs11_inspect.
> > > $ pkcs11_inspect
> > > [opensc-pkcs11] iso7816.c:99:iso7816_check_sw: Instruction code not
> > > supported or invalid
> > > [opensc-pkcs11] card.c:588:sc_get_challenge: returning with: Unsupported
> > > INS byte in APDU
> > > PIN for token: xxxx
> > > Printing data for mapper cn:
> > > username
> > >
> > > Works like a charm, however it gives me those two lines which is a bit
> > > worrying/annoying.
> > > What do they mean and is there anything I can do to fix them?
> > card-setcos.c does not override iso7816.get_challenge, but the card rejects
> > the ISO version. This results in C_GenerateRandom() failing, but I guess
> > pkcs11_inspect will then just use some other random source. OpenSC
> > SVN/0.12+ will not output such internal errors to stderr by default, so
> > you'll not see it in future versions.
> >
> > If everything is working fine, there's nothing to worry about. If not, then
> > it can be fixed by implementing a proper GET CHALLENGE method in
> > card-setcos.c. If you can sniff the correct APDU for this (or if you have
> > the manual), that would be great. Or something in pkcs11_inspect should be fixed
> > to not depend on the smart card module C_GenerateRandom().
>
> I think that it is highly possible that most setcos cards will do fine
> with the current implementation of get_challenge(). This is because the
> driver is about 8 years old. So, anyone else would have reported this bug
> before, if it was a general one. My assumption is that this particular
> card lacks the required hardware.
>
> Attached is a patch, which exposes the RNG functionality only if the
> token itself states support for it.
One file was missing in the previous patch, which is now included.
> > > Question #2,
> > > I'm trying to use opensc-pkcs11.so together with gdm-plugin-smartcard.
> > >
> > > That one is failing telling me, "assertion 'slot_id >= 1' failed",
> > > obviously slot_id should be >= 1, but it isn't and I'm not sure why.
> > That assertion seems to come from something other than OpenSC. Where can the
> > source code of the gdm-plugin-smartcard be downloaded? I suspect the assert
> > is erroneous, as from the PKCS#11 spec:
> > """
> > A priori, any value of CK_SLOT_ID can be a valid slot identifier—in
> > particular, a system may have a slot identified by the value 0. It need not
> > have such a slot, however.
> > """
> >
> > Cheers,
> _______________________________________________
> opensc-devel mailing list
> [email protected]
> http://www.opensc-project.org/mailman/listinfo/opensc-devel
Index: pkcs11/framework-pkcs15.c
===================================================================
--- pkcs11/framework-pkcs15.c (revision 4654)
+++ pkcs11/framework-pkcs15.c (working copy)
@@ -722,8 +722,14 @@
if (p15card->card->reader->capabilities & SC_READER_CAP_PIN_PAD) {
slot->token_info.flags |= CKF_PROTECTED_AUTHENTICATION_PATH;
}
- if (p15card->card->caps & SC_CARD_CAP_RNG)
+
+ /* State support for RNG when:
+ * 1. the token itself states this capability and
+ * 2. the driver supports get_challenge() for this token
+ */
+ if (p15card->flags & SC_PKCS15_CARD_FLAG_PRN_GENERATION && p15card->card->ops->get_challenge != NULL)
slot->token_info.flags |= CKF_RNG;
+
slot->fw_data = fw_data = calloc(1, sizeof(*fw_data));
fw_data->auth_obj = auth;
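Review bot: The `p15card->card->ops->get_challenge != NULL` half of the new condition may not exclude the driver this thread is about. Per the discussion above, card-setcos.c does not override the iso7816 get_challenge, so for that driver the pointer is presumably still the ISO default and non-NULL; only the SC_PKCS15_CARD_FLAG_PRN_GENERATION half can then switch CKF_RNG off. The comment should say which of the two tests is expected to catch that case. Please also parenthesise the bitwise test, `(p15card->flags & SC_PKCS15_CARD_FLAG_PRN_GENERATION) && ...`, and wrap the line, so the mix of `&` and `&&` reads unambiguously.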
Index: pkcs11/pkcs11-object.c
===================================================================
--- pkcs11/pkcs11-object.c (revision 4654)
+++ pkcs11/pkcs11-object.c (working copy)
@@ -978,7 +978,7 @@
rv = get_session(hSession, &session);
if (rv == CKR_OK) {
slot = session->slot;
- if (slot->card->framework->get_random == NULL)
+ if (!(slot->token_info.flags & CKF_RNG))
rv = CKR_RANDOM_NO_RNG;
else if (slot->card->framework->seed_random == NULL)
rv = CKR_RANDOM_SEED_NOT_SUPPORTED;
@@ -1005,7 +1005,7 @@
rv = get_session(hSession, &session);
if (rv == CKR_OK) {
slot = session->slot;
- if (slot->card->framework->get_random == NULL)
+ if (!(slot->token_info.flags & CKF_RNG))
rv = CKR_RANDOM_NO_RNG;
else
rv = slot->card->framework->get_random(slot->card, RandomData, ulRandomLen);
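Review bot: With the `get_random == NULL` test replaced by the CKF_RNG test, the `else` branch calls `slot->card->framework->get_random(...)` without any check that the pointer is set. In this patch CKF_RNG is set only in framework-pkcs15.c, but any framework that sets the flag without providing get_random would dereference NULL here. Keeping both conditions is cheap: `if (!(slot->token_info.flags & CKF_RNG) || slot->card->framework->get_random == NULL)`. The same change in the hunk at -978 drops the get_random check there too, which is harmless only as long as that path calls seed_random alone.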
Index: libopensc/pkcs15.c
===================================================================
--- libopensc/pkcs15.c (revision 4654)
+++ libopensc/pkcs15.c (working copy)
@@ -825,9 +825,6 @@
goto error;
}
done:
- /* If card driver states that it has a (P)RNG, overwrite (possibly missing) tokeninfo flags */
- if (card->caps & SC_CARD_CAP_RNG)
- p15card->flags |= SC_PKCS15_CARD_FLAG_PRN_GENERATION;
/* for starcos cards only: fix asn1 integers */
if (strcmp(p15card->card->driver->short_name,"starcos") == 0
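Review bot: Deleting the SC_CARD_CAP_RNG override after `done:` changes behaviour for every driver, not only setcos. A card whose driver sets SC_CARD_CAP_RNG but whose tokeninfo lacks the PRN generation flag (the case the deleted comment calls "possibly missing") no longer gets SC_PKCS15_CARD_FLAG_PRN_GENERATION, and together with the framework-pkcs15.c hunk it stops advertising CKF_RNG even if its RNG works. If that is intended, the patch description should say so; otherwise consider leaving the override in place and handling the card that rejects GET CHALLENGE in its own driver.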