On Sunday 21. October 2012 17:24:41 you wrote:
> Hello,
>
> Le 19/10/2012 15:02, Mathias Tausig a écrit :
> > I am writing a PKCS#15 application for a (cardos v4.4) smartcard which
> > references an external signature application. The RSA key and the PIN are
> > stored in that external application, the PIN needs to be verified upon
> > every key usage.
> >
> > To accomplish this, I have set the userConsent value in the
> > PrivateKeyDictionaryFile to 1.
> >
> > Here is the content of the PrkDF (output from openssl):
> >
> > 0:d=0 hl=2 l= 67 cons: SEQUENCE
> >
> > 2:d=1 hl=2 l= 30 cons: SEQUENCE
> > 4:d=2 hl=2 l= 18 prim: UTF8STRING :Signaturschlüssel
> >
> > 24:d=2 hl=2 l= 2 prim: BIT STRING
> >
> > 0000 - 07 80 ..
> >
> > 28:d=2 hl=2 l= 1 prim: OCTET STRING
> >
> > 0000 - 11 .
> >
> > 31:d=2 hl=2 l= 1 prim: INTEGER :01
> > 34:d=1 hl=2 l= 14 cons: SEQUENCE
> > 36:d=2 hl=2 l= 1 prim: OCTET STRING :B
> > 39:d=2 hl=2 l= 2 prim: BIT STRING
> >
> > 0000 - 05 .
> > 0002 - <SPACES/NULS>
> >
> > 43:d=2 hl=2 l= 2 prim: BIT STRING
> >
> > 0000 - 03 b8 ..
> >
> > 47:d=2 hl=2 l= 1 prim: INTEGER :02
> > 50:d=1 hl=2 l= 17 cons: cont [ 1 ]
> > 52:d=2 hl=2 l= 15 cons: SEQUENCE
> > 54:d=3 hl=2 l= 6 cons: SEQUENCE
> > 56:d=4 hl=2 l= 4 prim: OCTET STRING
> >
> > 0000 - 3f 00 1f ff ?...
> >
> > 62:d=3 hl=2 l= 2 prim: INTEGER :0400
> > 66:d=3 hl=2 l= 1 prim: INTEGER :14
> > 69:d=0 hl=2 l= 0 prim: EOC
> >
> > The problem is, that when I try to use the card with pkcs11-tool (either
> > with the --test option or with a --sign command), it doesn't verify the
> > pin before signing. Here is the relevant part of the APDU output:
> >
> > Oct 19 14:40:20 off17 pcscd[4590]: 00006755 APDU: 00 A4 08 00 02 1F FF
> > Oct 19 14:40:20 off17 pcscd[4590]: 00024106 SW: 90 00
> > Oct 19 14:40:20 off17 pcscd[4590]: 00001410 APDU: 00 20 00 81 06 31 32 33
> > 34 35 36
> > Oct 19 14:40:20 off17 pcscd[4590]: 00048516 SW: 90 00
> > Oct 19 14:40:20 off17 pcscd[4590]: 00005039 APDU: 00 A4 08 00 02 50 15
> > Oct 19 14:40:20 off17 pcscd[4590]: 00024963 SW: 90 00
> > Oct 19 14:40:20 off17 pcscd[4590]: 00001737 APDU: 00 A4 08 00 02 1F FF
> > Oct 19 14:40:20 off17 pcscd[4590]: 00028271 SW: 90 00
> > Oct 19 14:40:20 off17 pcscd[4590]: 00000164 APDU: 00 22 01 B6 03 83 01 02
> > Oct 19 14:40:20 off17 pcscd[4590]: 00019795 SW: 90 00
> > Oct 19 14:40:20 off17 pcscd[4590]: 00000185 APDU: 00 2A 9E 9A 80 00 01 FF
> > FF FF FF FF FF FF FF FF F
> > F FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
> > FF FF FF FF FF FF FF FF F
> > F FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
> > FF FF FF FF FF FF FF FF F
> > F FF FF FF FF FF FF FF FF FF FF FF FF FF FF 00 30 21 30 09 06 05 2B 0E 03
> > 02 1A 05 00 04 14 04 75 9
> > 5 D0 FA E9 72 FB ED 0C 51 B4 A4 1C 7A 34 9E 0C 47 BB 80
> > Oct 19 14:40:20 off17 pcscd[4590]: 00039821 SW: 69 82
> >
> > In the first two commands the signature DF (1fff) is entered and the PIN
> > verified, thant it switches back to the PKCS#15 DF without doing anything
> > there (APDU#3). Than the signature DF is reentered and a signing command
> > is tried without prior authentication.
> >
> > Is this a bug, is the userConsent field not heeded, or am I missing
> > something?
> Please confirm (or not) -- in your test you are not using the current OpenSC
> pkcs#11 module but only using the pkcs11-tool.
>
> According to your logs, the application DF is selected between the PIN
> verifying and 'sign' operation. That's the behavior of the previous
> versions of OpenSC.
>
> Could you tell us more about the application that generates the APDUs?
> If it based on the older OpenSC version, try to change the 'lock_login'
> configuration option.
I am using opensc-12.2, the version shipped with openSuse 12.2 (32 bit), which
is the most current stable version (according to the opensc homepage).
Here is the p11spy output produced by
pkcs11-tool --module pkcs11-spy.so --sign --login --input-file /tmp/csr --
output-file /tmp/csr.sig -m SHA1-RSA-PKCS --verbose --pin "123456"
*************** OpenSC PKCS#11 spy *****************
Loaded: "/usr/lib/pkcs11/opensc-pkcs11.so"
0: C_GetFunctionList
Returned: 0 CKR_OK
1: C_Initialize
[in] pInitArgs = (nil)
Returned: 0 CKR_OK
2: C_GetSlotList
[in] tokenPresent = 0x0
[out] pSlotList:
Count is 4
[out] *pulCount = 0x4
Returned: 0 CKR_OK
3: C_GetSlotList
[in] tokenPresent = 0x0
[out] pSlotList:
Slot -1
Slot 1
Slot 5
Slot 9
[out] *pulCount = 0x4
Returned: 0 CKR_OK
4: C_GetSlotInfo
[in] slotID = 0xffffffff
[out] pInfo:
slotDescription: 'Virtual hotplug slot '
' '
manufacturerID: 'OpenSC (www.opensc-project.org) '
hardwareVersion: 0.0
firmwareVersion: 0.0
flags: 6
CKF_REMOVABLE_DEVICE
CKF_HW_SLOT
Returned: 0 CKR_OK
5: C_GetSlotInfo
[in] slotID = 0x1
[out] pInfo:
slotDescription: 'Cherry SmartBoard XX44 00 00 '
' '
manufacturerID: 'OpenSC (www.opensc-project.org) '
hardwareVersion: 0.0
firmwareVersion: 0.0
flags: 7
CKF_TOKEN_PRESENT
CKF_REMOVABLE_DEVICE
CKF_HW_SLOT
Returned: 0 CKR_OK
6: C_GetTokenInfo
[in] slotID = 0x1
[out] pInfo:
label: 'test card (Signatur '
manufacturerID: 'CardOS V4.4 (C) Siemens AG 1994-'
model: 'PKCS#15 '
serialNumber: '910E207A1616152D'
ulMaxSessionCount: 0
ulSessionCount: 0
ulMaxRwSessionCount: 0
ulRwSessionCount: 0
ulMaxPinLen: 8
ulMinPinLen: 6
ulTotalPublicMemory: -1
ulFreePublicMemory: -1
ulTotalPrivateMemory: -1
ulFreePrivateMemory: -1
hardwareVersion: 0.0
firmwareVersion: 0.0
time: ' '
flags: 50c
CKF_LOGIN_REQUIRED
CKF_USER_PIN_INITIALIZED
CKF_PROTECTED_AUTHENTICATION_PATH
CKF_TOKEN_INITIALIZED
Returned: 0 CKR_OK
7: C_OpenSession
[in] slotID = 0x1
[in] flags = 0x6
pApplication=(nil)
Notify=(nil)
[out] *phSession = 0x953bf10
Returned: 0 CKR_OK
8: C_GetTokenInfo
[in] slotID = 0x1
[out] pInfo:
label: 'test card (Signatur '
manufacturerID: 'CardOS V4.4 (C) Siemens AG 1994-'
model: 'PKCS#15 '
serialNumber: '910E207A1616152D'
ulMaxSessionCount: 0
ulSessionCount: 0
ulMaxRwSessionCount: 0
ulRwSessionCount: 0
ulMaxPinLen: 8
ulMinPinLen: 6
ulTotalPublicMemory: -1
ulFreePublicMemory: -1
ulTotalPrivateMemory: -1
ulFreePrivateMemory: -1
hardwareVersion: 0.0
firmwareVersion: 0.0
time: ' '
flags: 50c
CKF_LOGIN_REQUIRED
CKF_USER_PIN_INITIALIZED
CKF_PROTECTED_AUTHENTICATION_PATH
CKF_TOKEN_INITIALIZED
Returned: 0 CKR_OK
9: C_Login
[in] hSession = 0x953bf10
[in] userType = CKU_USER
[in] pPin[ulPinLen] bfcc30ce / 6
31323334 3536
Returned: 0 CKR_OK
10: C_FindObjectsInit
[in] hSession = 0x953bf10
[in] pTemplate[1]:
CKA_CLASS CKO_PRIVATE_KEY
Returned: 0 CKR_OK
11: C_FindObjects
[in] hSession = 0x953bf10
[in] ulMaxObjectCount = 0x1
[out] ulObjectCount = 0x1
Object 0x95369e8 matches
Returned: 0 CKR_OK
12: C_FindObjectsFinal
[in] hSession = 0x953bf10
Returned: 0 CKR_OK
13: C_SignInit
[in] hSession = 0x953bf10
pMechanism->type=CKM_SHA1_RSA_PKCS
[in] hKey = 0x95369e8
Returned: 0 CKR_OK
14: C_Sign
[in] hSession = 0x953bf10
[in] pData[ulDataLen] bfcc05eb / 4
626C610A
Returned: 257 CKR_USER_NOT_LOGGED_IN
15: C_SignInit
[in] hSession = 0x953bf10
pMechanism->type=CKM_SHA1_RSA_PKCS
[in] hKey = 0x95369e8
Returned: 0 CKR_OK
16: C_SignUpdate
[in] hSession = 0x953bf10
[in] pPart[ulPartLen] bfcc05eb / 4
626C610A
Returned: 0 CKR_OK
17: C_SignFinal
[in] hSession = 0x953bf10
Returned: 257 CKR_USER_NOT_LOGGED_IN
18: C_Finalize
Returned: 0 CKR_OK
Displaying the private key with pkcs11-tool shows, that
CKA_ALWAYS_AUTHENTICATE is set corrrectly:
Private Key Object; RSA
label: Signaturschlüssel
ID: 42
Usage: sign
Access: always authenticate
cheers
Mathias
>
> Kind regards,
> Viktor.
>
> > _______________________________________________
> > opensc-devel mailing list
> > opensc-devel@lists.opensc-project.org
> > http://www.opensc-project.org/mailman/listinfo/opensc-devel
_______________________________________________
opensc-devel mailing list
opensc-devel@lists.opensc-project.org
http://www.opensc-project.org/mailman/listinfo/opensc-devel
