Developers,
Could this be a card that is enforcing user_consent, i.e.
CKA_ALWAYS_AUTHENTICATE,
and the pkcs11-tool is not doing this?

The one card I know that does enforce it (newer PIV cards) requires the sign
operation to be preceded immediately by the presentation of the PIN.

Łukasz,
  Can you look at your trace and see if any other operations are sent to the 
card between these two?


On 8/12/2011 8:51 AM, TMS Brokers / Łukasz Kościesza wrote:
> I use pkcs11-tool
> pkcs11-tool --module /usr/lib/opensc-pkcs11.so --sign --slot 1 -m RSA-PKCS 
> --input-file file.txt  --output-file signature.txt --pin my_pin
>
> It's sending the PIN to the card (I can see it in APDU log a little bit 
> earlier in logs).
> If I enter wrong PIN it's failing, so it also checks the PIN.
>
> -----Original Message-----
> From: opensc-devel-boun...@lists.opensc-project.org 
> [mailto:opensc-devel-boun...@lists.opensc-project.org] On Behalf Of Douglas 
> E. Engert
> Sent: Friday, August 12, 2011 3:39 PM
> To: opensc-devel@lists.opensc-project.org
> Subject: Re: [opensc-devel] Cryptotech Setcos card signing problem
>
> It looks like you did not logon to the card.
>
> Did the program ever ask for the pin?
>
> What program are you using?
>
>
> On 8/12/2011 7:05 AM, TMS Brokers / Łukasz Kościesza wrote:
>> Hi all,
>>
>> I’m trying to sign a file using compiled from sources opensc 12.2.
>>
>> Card is manufactured by Cryptotech and it has setcos 4.1.1 on board.
>>
>> The card was initialized by www.sigillum.pl company.
>>
>> Even though PIN is fine and there are no failures in the card reading 
>> process I keep on receiving: Security status not satisfied, after sending 
>> portion of data for signing.
>>
>> Can anyone point me to some solution?
>>
>> Here is the part of the logs which I guess is relevant:
>>
>> 0xb7b1d6c0 13:35:27.314 [opensc-pkcs11] 
>> framework-pkcs15.c:2630:pkcs15_prkey_sign: Initiating signing operation, 
>> mechanism 0x1.
>>
>> 0xb7b1d6c0 13:35:27.314 [opensc-pkcs11] card.c:292:sc_lock: called
>>
>> 0xb7b1d6c0 13:35:27.314 [opensc-pkcs11] reader-pcsc.c:511:pcsc_lock: called
>>
>> 0xb7b1d6c0 13:35:27.314 [opensc-pkcs11] 
>> framework-pkcs15.c:3611:reselect_app_df: reselect application df
>>
>> 0xb7b1d6c0 13:35:27.314 [opensc-pkcs11] card.c:571:sc_select_file: called; 
>> type=2, path=3f00de00
>>
>> 0xb7b1d6c0 13:35:27.314 [opensc-pkcs11] apdu.c:525:sc_transmit_apdu: called
>>
>> 0xb7b1d6c0 13:35:27.314 [opensc-pkcs11] card.c:292:sc_lock: called
>>
>> 0xb7b1d6c0 13:35:27.314 [opensc-pkcs11] reader-pcsc.c:243:pcsc_transmit: 
>> reader 'ACS ACR38U 00 00'
>>
>> 0xb7b1d6c0 13:35:27.314 [opensc-pkcs11] apdu.c:184:sc_apdu_log:
>>
>> Outgoing APDU data [    7 bytes] =====================================
>>
>> 00 A4 08 00 02 DE 00 .......
>>
>> ======================================================================
>>
>> 0xb7b1d6c0 13:35:27.314 [opensc-pkcs11] 
>> reader-pcsc.c:176:pcsc_internal_transmit: called
>>
>> 0xb7b1d6c0 13:35:27.363 [opensc-pkcs11] apdu.c:184:sc_apdu_log:
>>
>> Incoming APDU data [    2 bytes] =====================================
>>
>> 61 2D a-
>>
>> ======================================================================
>>
>> 0xb7b1d6c0 13:35:27.363 [opensc-pkcs11] card.c:330:sc_unlock: called
>>
>> 0xb7b1d6c0 13:35:27.363 [opensc-pkcs11] iso7816.c:481:iso7816_select_file: 
>> returning with: 0 (Success)
>>
>> 0xb7b1d6c0 13:35:27.363 [opensc-pkcs11] card.c:597:sc_select_file: returning 
>> with: 0 (Success)
>>
>> 0xb7b1d6c0 13:35:27.363 [opensc-pkcs11] 
>> framework-pkcs15.c:2710:pkcs15_prkey_sign: Selected flags 12. Now computing 
>> signature for 3 bytes. 512 bytes reserved.
>>
>> 0xb7b1d6c0 13:35:27.363 [opensc-pkcs11] 
>> pkcs15-sec.c:190:sc_pkcs15_compute_signature: called
>>
>> 0xb7b1d6c0 13:35:27.363 [opensc-pkcs11] 
>> pkcs15-sec.c:191:sc_pkcs15_compute_signature: security operation flags 0x12
>>
>> 0xb7b1d6c0 13:35:27.363 [opensc-pkcs11] 
>> pkcs15-sec.c:273:sc_pkcs15_compute_signature: supported algorithm flags 
>> 0x80000033, private key usage 0x26
>>
>> 0xb7b1d6c0 13:35:27.363 [opensc-pkcs11] padding.c:273:sc_get_encoding_flags: 
>> called
>>
>> 0xb7b1d6c0 13:35:27.363 [opensc-pkcs11] padding.c:277:sc_get_encoding_flags: 
>> iFlags 0x12, card capabilities 0x80000033
>>
>> 0xb7b1d6c0 13:35:27.363 [opensc-pkcs11] padding.c:306:sc_get_encoding_flags: 
>> pad flags 0x10, secure algorithm flags 0x2
>>
>> 0xb7b1d6c0 13:35:27.363 [opensc-pkcs11] padding.c:307:sc_get_encoding_flags: 
>> returning with: 0 (Success)
>>
>> 0xb7b1d6c0 13:35:27.363 [opensc-pkcs11] 
>> pkcs15-sec.c:324:sc_pkcs15_compute_signature: DEE flags:0x00000012 
>> alg_info->flags:0x80000033 pad:0x00000010 sec:0x00000002
>>
>> 0xb7b1d6c0 13:35:27.363 [opensc-pkcs11] padding.c:232:sc_pkcs1_encode: called
>>
>> 0xb7b1d6c0 13:35:27.363 [opensc-pkcs11] padding.c:236:sc_pkcs1_encode: hash 
>> algorithm 0x10, pad algorithm 0x0
>>
>> 0xb7b1d6c0 13:35:27.363 [opensc-pkcs11] padding.c:255:sc_pkcs1_encode: 
>> returning with: 0 (Success)
>>
>> 0xb7b1d6c0 13:35:27.363 [opensc-pkcs11] card.c:292:sc_lock: called
>>
>> 0xb7b1d6c0 13:35:27.363 [opensc-pkcs11] pkcs15-sec.c:42:select_key_file: 
>> called
>>
>> 0xb7b1d6c0 13:35:27.363 [opensc-pkcs11] card.c:571:sc_select_file: called; 
>> type=2, path=3f00df01efd5
>>
>> 0xb7b1d6c0 13:35:27.363 [opensc-pkcs11] apdu.c:525:sc_transmit_apdu: called
>>
>> 0xb7b1d6c0 13:35:27.363 [opensc-pkcs11] card.c:292:sc_lock: called
>>
>> 0xb7b1d6c0 13:35:27.363 [opensc-pkcs11] reader-pcsc.c:243:pcsc_transmit: 
>> reader 'ACS ACR38U 00 00'
>>
>> 0xb7b1d6c0 13:35:27.363 [opensc-pkcs11] apdu.c:184:sc_apdu_log:
>>
>> Outgoing APDU data [    9 bytes] =====================================
>>
>> 00 A4 08 00 04 DF 01 EF D5 .........
>>
>> ======================================================================
>>
>> 0xb7b1d6c0 13:35:27.363 [opensc-pkcs11] 
>> reader-pcsc.c:176:pcsc_internal_transmit: called
>>
>> 0xb7b1d6c0 13:35:27.419 [opensc-pkcs11] apdu.c:184:sc_apdu_log:
>>
>> Incoming APDU data [    2 bytes] =====================================
>>
>> 61 25 a%
>>
>> ======================================================================
>>
>> 0xb7b1d6c0 13:35:27.419 [opensc-pkcs11] card.c:330:sc_unlock: called
>>
>> 0xb7b1d6c0 13:35:27.419 [opensc-pkcs11] iso7816.c:481:iso7816_select_file: 
>> returning with: 0 (Success)
>>
>> 0xb7b1d6c0 13:35:27.419 [opensc-pkcs11] card.c:597:sc_select_file: returning 
>> with: 0 (Success)
>>
>> 0xb7b1d6c0 13:35:27.419 [opensc-pkcs11] pkcs15-sec.c:68:select_key_file: 
>> returning with: 0 (Success)
>>
>> 0xb7b1d6c0 13:35:27.419 [opensc-pkcs11] sec.c:66:sc_set_security_env: called
>>
>> 0xb7b1d6c0 13:35:27.419 [opensc-pkcs11] apdu.c:525:sc_transmit_apdu: called
>>
>> 0xb7b1d6c0 13:35:27.419 [opensc-pkcs11] card.c:292:sc_lock: called
>>
>> 0xb7b1d6c0 13:35:27.419 [opensc-pkcs11] reader-pcsc.c:243:pcsc_transmit: 
>> reader 'ACS ACR38U 00 00'
>>
>> 0xb7b1d6c0 13:35:27.419 [opensc-pkcs11] apdu.c:184:sc_apdu_log:
>>
>> Outgoing APDU data [   12 bytes] =====================================
>>
>> 00 22 41 B6 07 80 01 02 81 02 EF D5 ."A.........
>>
>> ======================================================================
>>
>> 0xb7b1d6c0 13:35:27.419 [opensc-pkcs11] 
>> reader-pcsc.c:176:pcsc_internal_transmit: called
>>
>> 0xb7b1d6c0 13:35:27.446 [opensc-pkcs11] apdu.c:184:sc_apdu_log:
>>
>> Incoming APDU data [    2 bytes] =====================================
>>
>> 90 00 ..
>>
>> ======================================================================
>>
>> 0xb7b1d6c0 13:35:27.446 [opensc-pkcs11] card.c:330:sc_unlock: called
>>
>> 0xb7b1d6c0 13:35:27.446 [opensc-pkcs11] sec.c:70:sc_set_security_env: 
>> returning with: 0 (Success)
>>
>> 0xb7b1d6c0 13:35:27.446 [opensc-pkcs11] sec.c:52:sc_compute_signature: called
>>
>> 0xb7b1d6c0 13:35:27.446 [opensc-pkcs11] apdu.c:525:sc_transmit_apdu: called
>>
>> 0xb7b1d6c0 13:35:27.446 [opensc-pkcs11] card.c:292:sc_lock: called
>>
>> 0xb7b1d6c0 13:35:27.446 [opensc-pkcs11] reader-pcsc.c:243:pcsc_transmit: 
>> reader 'ACS ACR38U 00 00'
>>
>> 0xb7b1d6c0 13:35:27.446 [opensc-pkcs11] apdu.c:184:sc_apdu_log:
>>
>> Outgoing APDU data [    8 bytes] =====================================
>>
>> 00 2A 9E 9A 03 41 6C 61 .*...Ala
>>
>> ======================================================================
>>
>> 0xb7b1d6c0 13:35:27.446 [opensc-pkcs11] 
>> reader-pcsc.c:176:pcsc_internal_transmit: called
>>
>> 0xb7b1d6c0 13:35:27.471 [opensc-pkcs11] apdu.c:184:sc_apdu_log:
>>
>> Incoming APDU data [    2 bytes] =====================================
>>
>> 69 82 i.
>>
>> ======================================================================
>>
>> 0xb7b1d6c0 13:35:27.471 [opensc-pkcs11] card.c:330:sc_unlock: called
>>
>> 0xb7b1d6c0 13:35:27.471 [opensc-pkcs11] iso7816.c:103:iso7816_check_sw: 
>> Security status not satisfied
>>
>> 0xb7b1d6c0 13:35:27.471 [opensc-pkcs11] 
>> iso7816.c:820:iso7816_compute_signature: returning with: -1211 (Security 
>> status not satisfied)
>>
>> 0xb7b1d6c0 13:35:27.471 [opensc-pkcs11] sec.c:56:sc_compute_signature: 
>> returning with: -1211 (Security status not satisfied)
>>
>> 0xb7b1d6c0 13:35:27.471 [opensc-pkcs11] 
>> pkcs15-pin.c:553:sc_pkcs15_pincache_revalidate: called
>>
>> 0xb7b1d6c0 13:35:27.471 [opensc-pkcs11] 
>> pkcs15-pin.c:566:sc_pkcs15_pincache_revalidate: Could not find pin object 
>> for auth_id 01
>>
>> 0xb7b1d6c0 13:35:27.471 [opensc-pkcs11] card.c:330:sc_unlock: called
>>
>> 0xb7b1d6c0 13:35:27.471 [opensc-pkcs11] 
>> pkcs15-sec.c:380:sc_pkcs15_compute_signature: sc_compute_signature() failed: 
>> -1211 (Security status not satisfied)
>>
>> 0xb7b1d6c0 13:35:27.471 [opensc-pkcs11] card.c:330:sc_unlock: called
>>
>> 0xb7b1d6c0 13:35:27.471 [opensc-pkcs11] reader-pcsc.c:548:pcsc_unlock: called
>>
>> 0xb7b1d6c0 13:35:27.481 [opensc-pkcs11] 
>> framework-pkcs15.c:2721:pkcs15_prkey_sign: Sign complete. Result -1211.
>>
>> 0xb7b1d6c0 13:35:27.481 [opensc-pkcs11] 
>> misc.c:59:sc_to_cryptoki_error_common: libopensc return value: -1211 
>> (Security status not satisfied)
>>
>> 0xb7b1d6c0 13:35:27.481 [opensc-pkcs11] pkcs11-object.c:635:C_Sign: C_Sign() 
>> = CKR_USER_NOT_LOGGED_IN
>>
>>
>>
>> _______________________________________________
>> opensc-devel mailing list
>> opensc-devel@lists.opensc-project.org
>> http://www.opensc-project.org/mailman/listinfo/opensc-devel
>

-- 

  Douglas E. Engert  <deeng...@anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444
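
The check asked for in the reply above, as an added example that is not part of the original thread or of OpenSC: a Python script that parses an OpenSC-style APDU dump and lists the commands sent between the last VERIFY (INS 0x20) and each PSO: COMPUTE DIGITAL SIGNATURE (`00 2A 9E 9A`). The function names are hypothetical and the sample log is constructed: its VERIFY APDU and PIN bytes are made up, while the other APDUs are copied from the quoted trace.

```python
import re
HEADER = re.compile(r"(Outgoing|Incoming) APDU data \[\s*(\d+) bytes\]")
INS_NAMES = {0x22: "MSE", 0xA4: "SELECT"}
# Constructed sample in the quoted log's layout; the VERIFY APDU and PIN are made up.
SAMPLE_LOG = """\
>> Outgoing APDU data [   13 bytes] ====
>> 00 20 00 81 08 31 32 33 34 FF FF FF FF . ...1234....
>> Outgoing APDU data [    7 bytes] ====
>> 00 A4 08 00 02 DE 00 .......
>> Outgoing APDU data [   12 bytes] ====
>> 00 22 41 B6 07 80 01 02 81 02 EF D5 ."A.........
>> Outgoing APDU data [    8 bytes] ====
>> 00 2A 9E 9A 03 41 6C 61 .*...Ala
>> Incoming APDU data [    2 bytes] ====
>> 69 82 i.
"""

def parse_apdus(log):
    """Return [(direction, bytes)], trusting the byte count in each dump header."""
    apdus, want = [], 0
    for line in log.splitlines():
        m = HEADER.search(line)
        if m:
            direction, want, buf = m.group(1), int(m.group(2)), []
        elif want:
            for tok in line.lstrip("> ").split():   # drop e-mail quote markers
                if len(buf) == want or not re.fullmatch(r"[0-9A-Fa-f]{2}", tok):
                    break                           # reached the ASCII column
                buf.append(int(tok, 16))
            if len(buf) == want:
                apdus.append((direction, bytes(buf)))
                want = 0
    return apdus

def between_verify_and_sign(log):
    """For each signature command, list the commands sent since the last VERIFY."""
    apdus, gap, verified, out = parse_apdus(log), [], False, []
    for i, (direction, data) in enumerate(apdus):
        if direction != "Outgoing" or len(data) < 4:
            continue
        if data[1] == 0x20:                         # VERIFY restarts the window
            verified, gap = True, []
        elif data[1:4] == b"\x2a\x9e\x9a":          # PSO: COMPUTE DIGITAL SIGNATURE
            sw = apdus[i + 1][1][-2:].hex() if apdus[i + 1:] and apdus[i + 1][0] == "Incoming" else None
            out.append({"verified": verified, "between": gap, "sw": sw})
            verified, gap = False, []               # next signature needs a fresh VERIFY
        else:
            gap.append(INS_NAMES.get(data[1], f"INS {data[1]:02X}"))
    return out
```

Run `between_verify_and_sign()` on the full debug log; an empty `between` list means the PIN was presented immediately before the sign command.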