Based on the information in this thread, it looks like
pkcs11-tool is missing two lines that would check
if the CKA_ALWAYS_AUTHENTICATE is set for the key
in the sign_data routine.

Can you try the attached patch?


On 10/22/2012 3:10 AM, Mathias Tausig wrote:
On Sunday 21. October 2012 17:24:41 you wrote:
Hello,

On 19/10/2012 15:02, Mathias Tausig wrote:
I am writing a PKCS#15 application for a (cardos v4.4) smartcard which
references an external signature application. The RSA key and the PIN are
stored in that external application, the PIN needs to be verified upon
every key usage.

To accomplish this, I have set the userConsent value in the
PrivateKeyDictionaryFile to 1.

Here is the content of the PrkDF (output from openssl):

0:d=0  hl=2 l=  67 cons: SEQUENCE

     2:d=1  hl=2 l=  30 cons:  SEQUENCE
     4:d=2  hl=2 l=  18 prim:   UTF8STRING        :Signaturschlüssel

    24:d=2  hl=2 l=   2 prim:   BIT STRING

       0000 - 07 80                                             ..

    28:d=2  hl=2 l=   1 prim:   OCTET STRING

       0000 - 11                                                .

    31:d=2  hl=2 l=   1 prim:   INTEGER           :01
    34:d=1  hl=2 l=  14 cons:  SEQUENCE
    36:d=2  hl=2 l=   1 prim:   OCTET STRING      :B
    39:d=2  hl=2 l=   2 prim:   BIT STRING

       0000 - 05                                                .
       0002 - <SPACES/NULS>

    43:d=2  hl=2 l=   2 prim:   BIT STRING

       0000 - 03 b8                                             ..

    47:d=2  hl=2 l=   1 prim:   INTEGER           :02
    50:d=1  hl=2 l=  17 cons:  cont [ 1 ]
    52:d=2  hl=2 l=  15 cons:   SEQUENCE
    54:d=3  hl=2 l=   6 cons:    SEQUENCE
    56:d=4  hl=2 l=   4 prim:     OCTET STRING

       0000 - 3f 00 1f ff                                       ?...

    62:d=3  hl=2 l=   2 prim:    INTEGER           :0400
    66:d=3  hl=2 l=   1 prim:    INTEGER           :14
    69:d=0  hl=2 l=   0 prim: EOC

The problem is, that when I try to use the card with pkcs11-tool (either
with the --test option or with a --sign command), it doesn't verify the
pin before signing. Here is the relevant part of the APDU output:

Oct 19 14:40:20 off17 pcscd[4590]: 00006755 APDU: 00 A4 08 00 02 1F FF
Oct 19 14:40:20 off17 pcscd[4590]: 00024106 SW: 90 00
Oct 19 14:40:20 off17 pcscd[4590]: 00001410 APDU: 00 20 00 81 06 31 32 33 34 35 36
Oct 19 14:40:20 off17 pcscd[4590]: 00048516 SW: 90 00
Oct 19 14:40:20 off17 pcscd[4590]: 00005039 APDU: 00 A4 08 00 02 50 15
Oct 19 14:40:20 off17 pcscd[4590]: 00024963 SW: 90 00
Oct 19 14:40:20 off17 pcscd[4590]: 00001737 APDU: 00 A4 08 00 02 1F FF
Oct 19 14:40:20 off17 pcscd[4590]: 00028271 SW: 90 00
Oct 19 14:40:20 off17 pcscd[4590]: 00000164 APDU: 00 22 01 B6 03 83 01 02
Oct 19 14:40:20 off17 pcscd[4590]: 00019795 SW: 90 00
Oct 19 14:40:20 off17 pcscd[4590]: 00000185 APDU: 00 2A 9E 9A 80 00 01 FF
FF FF FF FF FF FF FF FF F
F FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
FF FF FF FF FF FF FF FF F
F FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
FF FF FF FF FF FF FF FF F
F FF FF FF FF FF FF FF FF FF FF FF FF FF FF 00 30 21 30 09 06 05 2B 0E 03
02 1A 05 00 04 14 04 75 9
5 D0 FA E9 72 FB ED 0C 51 B4 A4 1C 7A 34 9E 0C 47 BB 80
Oct 19 14:40:20 off17 pcscd[4590]: 00039821 SW: 69 82

In the first two commands the signature DF (1fff) is entered and the PIN
verified, then it switches back to the PKCS#15 DF without doing anything
there (APDU#3). Then the signature DF is reentered and a signing command
is tried without prior authentication.

Is this a bug, is the userConsent field not heeded, or am I missing
something?
Please confirm (or not) -- in your test you are not using the current OpenSC
pkcs#11 module but only using the pkcs11-tool.

According to your logs, the application DF is selected between the PIN
verifying and 'sign' operation. That's the behavior of the previous
versions of OpenSC.

Could you tell us more about the application that generates the APDUs?
If it based on the older OpenSC version, try to change the 'lock_login'
configuration option.

I am using opensc-12.2, the version shipped with openSuse 12.2 (32 bit), which
is the most current stable version (according to the opensc homepage).

Here is the p11spy output produced by
pkcs11-tool --module pkcs11-spy.so  --sign --login --input-file /tmp/csr --output-file /tmp/csr.sig -m SHA1-RSA-PKCS --verbose --pin "123456"


*************** OpenSC PKCS#11 spy *****************
Loaded: "/usr/lib/pkcs11/opensc-pkcs11.so"


0: C_GetFunctionList
Returned:  0 CKR_OK


1: C_Initialize
[in] pInitArgs = (nil)
Returned:  0 CKR_OK


2: C_GetSlotList
[in] tokenPresent = 0x0
[out] pSlotList:
Count is 4
[out] *pulCount = 0x4
Returned:  0 CKR_OK


3: C_GetSlotList
[in] tokenPresent = 0x0
[out] pSlotList:
Slot -1
Slot 1
Slot 5
Slot 9
[out] *pulCount = 0x4
Returned:  0 CKR_OK


4: C_GetSlotInfo
[in] slotID = 0xffffffff
[out] pInfo:
       slotDescription:        'Virtual hotplug slot            '
                               '                                '
       manufacturerID:         'OpenSC (www.opensc-project.org) '
       hardwareVersion:         0.0
       firmwareVersion:         0.0
       flags:                   6
         CKF_REMOVABLE_DEVICE
         CKF_HW_SLOT
Returned:  0 CKR_OK


5: C_GetSlotInfo
[in] slotID = 0x1
[out] pInfo:
       slotDescription:        'Cherry SmartBoard XX44 00 00    '
                               '                                '
       manufacturerID:         'OpenSC (www.opensc-project.org) '
       hardwareVersion:         0.0
       firmwareVersion:         0.0
       flags:                   7
         CKF_TOKEN_PRESENT
         CKF_REMOVABLE_DEVICE
         CKF_HW_SLOT
Returned:  0 CKR_OK


6: C_GetTokenInfo
[in] slotID = 0x1
[out] pInfo:
       label:                  'test card (Signatur '
       manufacturerID:         'CardOS V4.4 (C) Siemens AG 1994-'
       model:                  'PKCS#15         '
       serialNumber:           '910E207A1616152D'
       ulMaxSessionCount:       0
       ulSessionCount:          0
       ulMaxRwSessionCount:     0
       ulRwSessionCount:        0
       ulMaxPinLen:             8
       ulMinPinLen:             6
       ulTotalPublicMemory:     -1
       ulFreePublicMemory:      -1
       ulTotalPrivateMemory:    -1
       ulFreePrivateMemory:     -1
       hardwareVersion:         0.0
       firmwareVersion:         0.0
       time:                   '                '
       flags:                   50c
         CKF_LOGIN_REQUIRED
         CKF_USER_PIN_INITIALIZED
         CKF_PROTECTED_AUTHENTICATION_PATH
         CKF_TOKEN_INITIALIZED
Returned:  0 CKR_OK


7: C_OpenSession
[in] slotID = 0x1
[in] flags = 0x6
pApplication=(nil)
Notify=(nil)
[out] *phSession = 0x953bf10
Returned:  0 CKR_OK


8: C_GetTokenInfo
[in] slotID = 0x1
[out] pInfo:
       label:                  'test card (Signatur '
       manufacturerID:         'CardOS V4.4 (C) Siemens AG 1994-'
       model:                  'PKCS#15         '
       serialNumber:           '910E207A1616152D'
       ulMaxSessionCount:       0
       ulSessionCount:          0
       ulMaxRwSessionCount:     0
       ulRwSessionCount:        0
       ulMaxPinLen:             8
       ulMinPinLen:             6
       ulTotalPublicMemory:     -1
       ulFreePublicMemory:      -1
       ulTotalPrivateMemory:    -1
       ulFreePrivateMemory:     -1
       hardwareVersion:         0.0
       firmwareVersion:         0.0
       time:                   '                '
       flags:                   50c
         CKF_LOGIN_REQUIRED
         CKF_USER_PIN_INITIALIZED
         CKF_PROTECTED_AUTHENTICATION_PATH
         CKF_TOKEN_INITIALIZED
Returned:  0 CKR_OK


9: C_Login
[in] hSession = 0x953bf10
[in] userType = CKU_USER
[in] pPin[ulPinLen] bfcc30ce / 6
     31323334 3536
Returned:  0 CKR_OK


10: C_FindObjectsInit
[in] hSession = 0x953bf10
[in] pTemplate[1]:
     CKA_CLASS             CKO_PRIVATE_KEY
Returned:  0 CKR_OK


11: C_FindObjects
[in] hSession = 0x953bf10
[in] ulMaxObjectCount = 0x1
[out] ulObjectCount = 0x1
Object 0x95369e8 matches
Returned:  0 CKR_OK


12: C_FindObjectsFinal
[in] hSession = 0x953bf10
Returned:  0 CKR_OK


13: C_SignInit
[in] hSession = 0x953bf10
pMechanism->type=CKM_SHA1_RSA_PKCS
[in] hKey = 0x95369e8
Returned:  0 CKR_OK


14: C_Sign
[in] hSession = 0x953bf10
[in] pData[ulDataLen] bfcc05eb / 4
     626C610A
Returned:  257 CKR_USER_NOT_LOGGED_IN


15: C_SignInit
[in] hSession = 0x953bf10
pMechanism->type=CKM_SHA1_RSA_PKCS
[in] hKey = 0x95369e8
Returned:  0 CKR_OK


16: C_SignUpdate
[in] hSession = 0x953bf10
[in] pPart[ulPartLen] bfcc05eb / 4
     626C610A
Returned:  0 CKR_OK


17: C_SignFinal
[in] hSession = 0x953bf10
Returned:  257 CKR_USER_NOT_LOGGED_IN


18: C_Finalize
Returned:  0 CKR_OK

Displaying the private key with pkcs11-tool shows, that
CKA_ALWAYS_AUTHENTICATE is set correctly:

Private Key Object; RSA
   label:      Signaturschlüssel
   ID:         42
   Usage:      sign
   Access:     always authenticate


cheers
Mathias

Kind regards,
Viktor.

_______________________________________________
opensc-devel mailing list
opensc-devel@lists.opensc-project.org
http://www.opensc-project.org/mailman/listinfo/opensc-devel


--

 Douglas E. Engert  <deeng...@anl.gov>
 Argonne National Laboratory
 9700 South Cass Avenue
 Argonne, Illinois  60439
 (630) 252-5444
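
A check for the failure mode visible in the spy trace quoted above, as an added example that is not part of the original thread or of OpenSC: it walks a pkcs11-spy log and reports every C_Sign or C_SignFinal that was not preceded, since the last C_SignInit, by a successful C_Login with CKU_CONTEXT_SPECIFIC. The sample log is constructed and abridged from the trace above; it is an assumption that the spy prints that user type as `CKU_CONTEXT_SPECIFIC` in the same layout as `CKU_USER`, and the check is only meaningful for keys marked "always authenticate".

```python
import re

# Constructed sample, abridged from the pkcs11-spy layout shown in this thread.
SAMPLE_SPY_LOG = """\
9: C_Login
[in] userType = CKU_USER
Returned:  0 CKR_OK

13: C_SignInit
[in] hKey = 0x95369e8
Returned:  0 CKR_OK

14: C_Sign
Returned:  257 CKR_USER_NOT_LOGGED_IN
"""

CALL_RE = re.compile(r"^(\d+): (C_\w+)$")
RET_RE = re.compile(r"^Returned:\s+\d+ (CKR_\w+)$")
# Assumption: CKU_CONTEXT_SPECIFIC is printed in the same form as CKU_USER.
USER_RE = re.compile(r"^\[in\] userType = (CKU_\w+)$")


def parse_calls(log):
    """Return one dict per spy record: seq, name, user_type, result."""
    calls = []
    for line in log.splitlines():
        line = line.strip()
        if m := CALL_RE.match(line):
            calls.append({"seq": int(m[1]), "name": m[2],
                          "user_type": None, "result": None})
        elif calls and (m := USER_RE.match(line)):
            calls[-1]["user_type"] = m[1]
        elif calls and (m := RET_RE.match(line)):
            calls[-1]["result"] = m[1]
    return calls


def unauthenticated_signs(log):
    """Seq numbers of sign calls with no context-specific login since C_SignInit."""
    ctx_login = False
    findings = []
    for c in parse_calls(log):
        ok = c["result"] == "CKR_OK"
        if c["name"] == "C_SignInit" and ok:
            ctx_login = False  # each initialised operation needs its own login
        elif c["name"] == "C_Login" and ok and c["user_type"] == "CKU_CONTEXT_SPECIFIC":
            ctx_login = True
        elif c["name"] in ("C_Sign", "C_SignFinal") and not ctx_login:
            findings.append(c["seq"])
    return findings
```
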


--- ,pkcs11-tool.c      Sun Sep 16 15:57:44 2012
+++ pkcs11-tool.c       Mon Oct 22 13:37:06 2012
@@ -1372,6 +1372,9 @@
                        r = read(fd, in_buffer, sizeof(in_buffer));
                } while (r > 0);
 
+               if (getALWAYS_AUTHENTICATE(session, key))
+                   login(session,CKU_CONTEXT_SPECIFIC);
+
                sig_len = sizeof(sig_buffer);
                rv = p11->C_SignFinal(session, sig_buffer, &sig_len);
                if (rv != CKR_OK)
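
Review bot: The context-specific login in the added lines sits after the C_SignUpdate read loop and just before C_SignFinal, but PKCS#11 expects C_Login with CKU_CONTEXT_SPECIFIC immediately after the operation is initialised with C_SignInit for a key that has CKA_ALWAYS_AUTHENTICATE set, so it should move up to follow the C_SignInit call. The spy log in this thread also shows the single-part C_Sign (call 14) failing with CKR_USER_NOT_LOGGED_IN before the multi-part fallback runs; this hunk does not touch that path, so the same check is needed after the first C_SignInit as well. The added call also discards whatever login() returns; if it can fail without aborting, check the result so a rejected PIN is reported there rather than as a later C_SignFinal error.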