On Sunday 21. October 2012 17:24:41 you wrote:
> Hello,
>
> On 19/10/2012 15:02, Mathias Tausig wrote:
> > I am writing a PKCS#15 application for a (cardos v4.4) smartcard which
> > references an external signature application. The RSA key and the PIN are
> > stored in that external application, the PIN needs to be verified upon
> > every key usage.
> >
> > To accomplish this, I have set the userConsent value in the
> > PrivateKeyDictionaryFile to 1.
> >
> > Here is the content of the PrkDF (output from openssl):
> >
> > 0:d=0 hl=2 l= 67 cons: SEQUENCE
> >
> > 2:d=1 hl=2 l= 30 cons: SEQUENCE
> > 4:d=2 hl=2 l= 18 prim: UTF8STRING :Signaturschlüssel
> >
> > 24:d=2 hl=2 l= 2 prim: BIT STRING
> >
> > 0000 - 07 80 ..
> >
> > 28:d=2 hl=2 l= 1 prim: OCTET STRING
> >
> > 0000 - 11 .
> >
> > 31:d=2 hl=2 l= 1 prim: INTEGER :01
> > 34:d=1 hl=2 l= 14 cons: SEQUENCE
> > 36:d=2 hl=2 l= 1 prim: OCTET STRING :B
> > 39:d=2 hl=2 l= 2 prim: BIT STRING
> >
> > 0000 - 05 .
> > 0002 - <SPACES/NULS>
> >
> > 43:d=2 hl=2 l= 2 prim: BIT STRING
> >
> > 0000 - 03 b8 ..
> >
> > 47:d=2 hl=2 l= 1 prim: INTEGER :02
> > 50:d=1 hl=2 l= 17 cons: cont [ 1 ]
> > 52:d=2 hl=2 l= 15 cons: SEQUENCE
> > 54:d=3 hl=2 l= 6 cons: SEQUENCE
> > 56:d=4 hl=2 l= 4 prim: OCTET STRING
> >
> > 0000 - 3f 00 1f ff ?...
> >
> > 62:d=3 hl=2 l= 2 prim: INTEGER :0400
> > 66:d=3 hl=2 l= 1 prim: INTEGER :14
> > 69:d=0 hl=2 l= 0 prim: EOC
> >
> > The problem is, that when I try to use the card with pkcs11-tool (either
> > with the --test option or with a --sign command), it doesn't verify the
> > pin before signing.
> > Here is the relevant part of the APDU output:
> >
> > Oct 19 14:40:20 off17 pcscd[4590]: 00006755 APDU: 00 A4 08 00 02 1F FF
> > Oct 19 14:40:20 off17 pcscd[4590]: 00024106 SW: 90 00
> > Oct 19 14:40:20 off17 pcscd[4590]: 00001410 APDU: 00 20 00 81 06 31 32 33
> > 34 35 36
> > Oct 19 14:40:20 off17 pcscd[4590]: 00048516 SW: 90 00
> > Oct 19 14:40:20 off17 pcscd[4590]: 00005039 APDU: 00 A4 08 00 02 50 15
> > Oct 19 14:40:20 off17 pcscd[4590]: 00024963 SW: 90 00
> > Oct 19 14:40:20 off17 pcscd[4590]: 00001737 APDU: 00 A4 08 00 02 1F FF
> > Oct 19 14:40:20 off17 pcscd[4590]: 00028271 SW: 90 00
> > Oct 19 14:40:20 off17 pcscd[4590]: 00000164 APDU: 00 22 01 B6 03 83 01 02
> > Oct 19 14:40:20 off17 pcscd[4590]: 00019795 SW: 90 00
> > Oct 19 14:40:20 off17 pcscd[4590]: 00000185 APDU: 00 2A 9E 9A 80 00 01 FF
> > FF FF FF FF FF FF FF FF F
> > F FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
> > FF FF FF FF FF FF FF FF F
> > F FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
> > FF FF FF FF FF FF FF FF F
> > F FF FF FF FF FF FF FF FF FF FF FF FF FF FF 00 30 21 30 09 06 05 2B 0E 03
> > 02 1A 05 00 04 14 04 75 9
> > 5 D0 FA E9 72 FB ED 0C 51 B4 A4 1C 7A 34 9E 0C 47 BB 80
> > Oct 19 14:40:20 off17 pcscd[4590]: 00039821 SW: 69 82
> >
> > In the first two commands the signature DF (1fff) is entered and the PIN
> > verified, then it switches back to the PKCS#15 DF without doing anything
> > there (APDU#3). Then the signature DF is reentered and a signing command
> > is tried without prior authentication.
> >
> > Is this a bug, is the userConsent field not heeded, or am I missing
> > something?
> Please confirm (or not) -- in your test you are not using the current OpenSC
> pkcs#11 module but only using the pkcs11-tool.
>
> According to your logs, the application DF is selected between the PIN
> verifying and 'sign' operation. That's the behavior of the previous
> versions of OpenSC.
>
> Could you tell us more about the application that generates the APDUs?
> If it is based on the older OpenSC version, try to change the 'lock_login'
> configuration option.

I am using opensc-12.2, the version shipped with openSuse 12.2 (32 bit),
which is the most current stable version (according to the opensc homepage).

Here is the p11spy output produced by

pkcs11-tool --module pkcs11-spy.so --sign --login --input-file /tmp/csr --output-file /tmp/csr.sig -m SHA1-RSA-PKCS --verbose --pin "123456"

*************** OpenSC PKCS#11 spy *****************
Loaded: "/usr/lib/pkcs11/opensc-pkcs11.so"

0: C_GetFunctionList
Returned: 0 CKR_OK

1: C_Initialize
[in] pInitArgs = (nil)
Returned: 0 CKR_OK

2: C_GetSlotList
[in] tokenPresent = 0x0
[out] pSlotList:
  Count is 4
[out] *pulCount = 0x4
Returned: 0 CKR_OK

3: C_GetSlotList
[in] tokenPresent = 0x0
[out] pSlotList:
  Slot -1
  Slot 1
  Slot 5
  Slot 9
[out] *pulCount = 0x4
Returned: 0 CKR_OK

4: C_GetSlotInfo
[in] slotID = 0xffffffff
[out] pInfo:
  slotDescription: 'Virtual hotplug slot '
                   ' '
  manufacturerID: 'OpenSC (www.opensc-project.org) '
  hardwareVersion: 0.0
  firmwareVersion: 0.0
  flags: 6
    CKF_REMOVABLE_DEVICE
    CKF_HW_SLOT
Returned: 0 CKR_OK

5: C_GetSlotInfo
[in] slotID = 0x1
[out] pInfo:
  slotDescription: 'Cherry SmartBoard XX44 00 00 '
                   ' '
  manufacturerID: 'OpenSC (www.opensc-project.org) '
  hardwareVersion: 0.0
  firmwareVersion: 0.0
  flags: 7
    CKF_TOKEN_PRESENT
    CKF_REMOVABLE_DEVICE
    CKF_HW_SLOT
Returned: 0 CKR_OK

6: C_GetTokenInfo
[in] slotID = 0x1
[out] pInfo:
  label: 'test card (Signatur '
  manufacturerID: 'CardOS V4.4 (C) Siemens AG 1994-'
  model: 'PKCS#15 '
  serialNumber: '910E207A1616152D'
  ulMaxSessionCount: 0
  ulSessionCount: 0
  ulMaxRwSessionCount: 0
  ulRwSessionCount: 0
  ulMaxPinLen: 8
  ulMinPinLen: 6
  ulTotalPublicMemory: -1
  ulFreePublicMemory: -1
  ulTotalPrivateMemory: -1
  ulFreePrivateMemory: -1
  hardwareVersion: 0.0
  firmwareVersion: 0.0
  time: ' '
  flags: 50c
    CKF_LOGIN_REQUIRED
    CKF_USER_PIN_INITIALIZED
    CKF_PROTECTED_AUTHENTICATION_PATH
    CKF_TOKEN_INITIALIZED
Returned: 0 CKR_OK

7: C_OpenSession
[in] slotID = 0x1
[in] flags = 0x6
pApplication=(nil)
Notify=(nil)
[out] *phSession = 0x953bf10
Returned: 0 CKR_OK

8: C_GetTokenInfo
[in] slotID = 0x1
[out] pInfo:
  label: 'test card (Signatur '
  manufacturerID: 'CardOS V4.4 (C) Siemens AG 1994-'
  model: 'PKCS#15 '
  serialNumber: '910E207A1616152D'
  ulMaxSessionCount: 0
  ulSessionCount: 0
  ulMaxRwSessionCount: 0
  ulRwSessionCount: 0
  ulMaxPinLen: 8
  ulMinPinLen: 6
  ulTotalPublicMemory: -1
  ulFreePublicMemory: -1
  ulTotalPrivateMemory: -1
  ulFreePrivateMemory: -1
  hardwareVersion: 0.0
  firmwareVersion: 0.0
  time: ' '
  flags: 50c
    CKF_LOGIN_REQUIRED
    CKF_USER_PIN_INITIALIZED
    CKF_PROTECTED_AUTHENTICATION_PATH
    CKF_TOKEN_INITIALIZED
Returned: 0 CKR_OK

9: C_Login
[in] hSession = 0x953bf10
[in] userType = CKU_USER
[in] pPin[ulPinLen] bfcc30ce / 6
  31323334 3536
Returned: 0 CKR_OK

10: C_FindObjectsInit
[in] hSession = 0x953bf10
[in] pTemplate[1]:
  CKA_CLASS CKO_PRIVATE_KEY
Returned: 0 CKR_OK

11: C_FindObjects
[in] hSession = 0x953bf10
[in] ulMaxObjectCount = 0x1
[out] ulObjectCount = 0x1
Object 0x95369e8 matches
Returned: 0 CKR_OK

12: C_FindObjectsFinal
[in] hSession = 0x953bf10
Returned: 0 CKR_OK

13: C_SignInit
[in] hSession = 0x953bf10
pMechanism->type=CKM_SHA1_RSA_PKCS
[in] hKey = 0x95369e8
Returned: 0 CKR_OK

14: C_Sign
[in] hSession = 0x953bf10
[in] pData[ulDataLen] bfcc05eb / 4
  626C610A
Returned: 257 CKR_USER_NOT_LOGGED_IN

15: C_SignInit
[in] hSession = 0x953bf10
pMechanism->type=CKM_SHA1_RSA_PKCS
[in] hKey = 0x95369e8
Returned: 0 CKR_OK

16: C_SignUpdate
[in] hSession = 0x953bf10
[in] pPart[ulPartLen] bfcc05eb / 4
  626C610A
Returned: 0 CKR_OK

17: C_SignFinal
[in] hSession = 0x953bf10
Returned: 257 CKR_USER_NOT_LOGGED_IN

18: C_Finalize
Returned: 0 CKR_OK

Displaying the private key with pkcs11-tool shows, that
CKA_ALWAYS_AUTHENTICATE is set correctly:

Private Key Object; RSA
  label: Signaturschlüssel
  ID: 42
  Usage: sign
  Access: always authenticate

cheers
Mathias

>
> Kind regards,
> Viktor.
_______________________________________________
opensc-devel mailing list
opensc-devel@lists.opensc-project.org
http://www.opensc-project.org/mailman/listinfo/opensc-devel
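
Added example, not part of the original message or of OpenSC: a small Python parser for pcscd APDU log lines like those quoted above. It lists the files selected between a successful VERIFY and a signing command that the card refuses with SW 69 82, which is the pattern Viktor points out. The function names and the sample log (modelled on the trace, with the PSO payload shortened) are constructed for illustration.

```python
import re

INS = {0xA4: "SELECT", 0x20: "VERIFY", 0x22: "MSE", 0x2A: "PSO"}  # ISO 7816 INS bytes
ENTRY = re.compile(r"pcscd\[\d+\]: \d+ (APDU|SW): (.*)")

# Constructed sample modelled on the trace in the message: quote markers removed,
# PSO payload shortened, hard-wrapped continuation lines kept on purpose.
SAMPLE = """\
Oct 19 14:40:20 off17 pcscd[4590]: 00006755 APDU: 00 A4 08 00 02 1F FF
Oct 19 14:40:20 off17 pcscd[4590]: 00024106 SW: 90 00
Oct 19 14:40:20 off17 pcscd[4590]: 00001410 APDU: 00 20 00 81 06 31 32 33
34 35 36
Oct 19 14:40:20 off17 pcscd[4590]: 00048516 SW: 90 00
Oct 19 14:40:20 off17 pcscd[4590]: 00005039 APDU: 00 A4 08 00 02 50 15
Oct 19 14:40:20 off17 pcscd[4590]: 00024963 SW: 90 00
Oct 19 14:40:20 off17 pcscd[4590]: 00001737 APDU: 00 A4 08 00 02 1F FF
Oct 19 14:40:20 off17 pcscd[4590]: 00028271 SW: 90 00
Oct 19 14:40:20 off17 pcscd[4590]: 00000164 APDU: 00 22 01 B6 03 83 01 02
Oct 19 14:40:20 off17 pcscd[4590]: 00019795 SW: 90 00
Oct 19 14:40:20 off17 pcscd[4590]: 00000185 APDU: 00 2A 9E 9A 04 00 01 F
F 00 80
Oct 19 14:40:20 off17 pcscd[4590]: 00039821 SW: 69 82
"""

def parse(log):
    """Pair each command APDU with its status word: [(name, apdu, sw), ...]."""
    entries = []
    for line in log.splitlines():
        m = ENTRY.search(line)
        if m:
            entries.append([m.group(1), m.group(2)])
        elif entries and line.strip():
            entries[-1][1] += line  # wrapped continuation; the wrap may split a byte
    raw = [(k, bytes.fromhex("".join(t.split()))) for k, t in entries]
    return [(INS.get(c[1], "INS %02X" % c[1]), c, int.from_bytes(s, "big"))
            for (k1, c), (k2, s) in zip(raw, raw[1:]) if (k1, k2) == ("APDU", "SW")]

def selects_before_refused_sign(exchanges):
    """File ids selected after the last successful VERIFY and before a PSO that
    fails with 6982 (security status not satisfied); [] if the pattern is absent."""
    selected, verified = [], False
    for name, apdu, sw in exchanges:
        if name == "VERIFY" and sw == 0x9000:
            selected, verified = [], True
        elif name == "SELECT" and verified:
            selected.append(apdu[5:5 + apdu[4]].hex())
        elif name == "PSO" and verified and sw == 0x6982:
            return selected
    return []
```

On the sample, `selects_before_refused_sign(parse(SAMPLE))` returns the two selections (5015, then 1fff) that sit between the PIN verification and the refused signature.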