Re: [opensc-devel] PIN not sent to card before signing

Tue, 23 Oct 2012 01:43:40 -0700 

On Monday 22. October 2012 13:45:36 Douglas E. Engert wrote:
> Based on the information in this thread, it looks like
> pkcs11-tool is is missing two lines that would check
> if the CKA_ALWAYS_AUTHENTICATE is set for the key
> in the sign_data routine.
> 
> Can you try the attached patch?
> 

I tried it out and had to adapt it a little bit to make it compile (the 
getALWAYS_AUTHENTICATE function needed a forward declaration). But I'm afraid 
it didn't help. It did do an extra C_Login call:

12: C_FindObjectsFinal
[in] hSession = 0x92c5f10
Returned:  0 CKR_OK


13: C_SignInit
[in] hSession = 0x92c5f10
pMechanism->type=CKM_SHA1_RSA_PKCS            
[in] hKey = 0x92c09e8
Returned:  0 CKR_OK


14: C_GetAttributeValue
[in] hSession = 0x92c5f10
[in] hObject = 0x92c09e8
[in] pTemplate[1]: 
    CKA_ALWAYS_AUTHENTICATE  bfa0ef23 / 1
[out] pTemplate[1]: 
    CKA_ALWAYS_AUTHENTICATE  True
Returned:  0 CKR_OK


15: C_GetTokenInfo
[in] slotID = 0x1
[out] pInfo: 
      label:                  'GLOBALTRUST test card (Signatur '
      manufacturerID:         'CardOS V4.4 (C) Siemens AG 1994-'
      model:                  'PKCS#15         '
      serialNumber:           '910E207A1616152D'
      ulMaxSessionCount:       0
      ulSessionCount:          0
      ulMaxRwSessionCount:     0
      ulRwSessionCount:        0
      ulMaxPinLen:             8
      ulMinPinLen:             6
      ulTotalPublicMemory:     -1
      ulFreePublicMemory:      -1
      ulTotalPrivateMemory:    -1
      ulFreePrivateMemory:     -1
      hardwareVersion:         0.0
      firmwareVersion:         0.0
      time:                   '                '
      flags:                   50c
        CKF_LOGIN_REQUIRED               
        CKF_USER_PIN_INITIALIZED         
        CKF_PROTECTED_AUTHENTICATION_PATH
        CKF_TOKEN_INITIALIZED            
Returned:  0 CKR_OK


16: C_Login
[in] hSession = 0x92c5f10
[in] userType = CKU_CONTEXT_SPECIFIC
[in] pPin[ulPinLen] bfa1109d / 6
    31323334 3536
Returned:  0 CKR_OK


17: C_Sign
[in] hSession = 0x92c5f10
[in] pData[ulDataLen] bfa0f348 / 4
    626C610A
Returned:  257 CKR_USER_NOT_LOGGED_IN


18: C_SignInit
[in] hSession = 0x92c5f10
pMechanism->type=CKM_SHA1_RSA_PKCS            
[in] hKey = 0x92c09e8
Returned:  0 CKR_OK


19: C_SignUpdate
[in] hSession = 0x92c5f10
[in] pPart[ulPartLen] bfa0f348 / 4
    626C610A
Returned:  0 CKR_OK


20: C_SignFinal
[in] hSession = 0x92c5f10
Returned:  257 CKR_USER_NOT_LOGGED_IN


21: C_Finalize
Returned:  0 CKR_OK


Here are the coresponding APDUs

Oct 23 10:38:15 off17 pcscd[4499]: 00008338 APDU: 00 A4 08 00 02 1F FF
Oct 23 10:38:15 off17 pcscd[4499]: 00020184 SW: 90 00
Oct 23 10:38:15 off17 pcscd[4499]: 00001183 APDU: 00 20 00 81 06 31 32 33 34 35 
36
Oct 23 10:38:15 off17 pcscd[4499]: 00047776 SW: 90 00
Oct 23 10:38:15 off17 pcscd[4499]: 00007895 APDU: 00 A4 08 00 02 1F FF
Oct 23 10:38:15 off17 pcscd[4499]: 00022121 SW: 90 00
Oct 23 10:38:15 off17 pcscd[4499]: 00001175 APDU: 00 20 00 81 06 31 32 33 34 35 
36
Oct 23 10:38:15 off17 pcscd[4499]: 00048801 SW: 90 00
Oct 23 10:38:15 off17 pcscd[4499]: 00009766 APDU: 00 A4 08 00 02 50 15
Oct 23 10:38:15 off17 pcscd[4499]: 00020231 SW: 90 00
Oct 23 10:38:15 off17 pcscd[4499]: 00000181 APDU: 00 A4 08 00 02 1F FF
Oct 23 10:38:15 off17 pcscd[4499]: 00020820 SW: 90 00
Oct 23 10:38:15 off17 pcscd[4499]: 00000128 APDU: 00 22 01 B6 03 83 01 02
Oct 23 10:38:15 off17 pcscd[4499]: 00018865 SW: 90 00
Oct 23 10:38:15 off17 pcscd[4499]: 00000169 APDU: 00 2A 9E 9A 80 00 01 FF FF FF 
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF 
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF 
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF 
FF FF FF FF FF FF FF FF FF 00 30 21 30 09 06 05 2B 0E 03 02 1A 05 00 04 14 04 
75 95 D0 FA E9 72 FB ED 0C 51 B4 A4 1C 7A 34 9E 0C 47 BB 80
Oct 23 10:38:15 off17 pcscd[4499]: 00039823 SW: 69 82
Oct 23 10:38:15 off17 pcscd[4499]: 00000132 APDU: 00 2A 9E 9A 23 30 21 30 09 06 
05 2B 0E 03 02 1A 05 00 04 14 04 75 95 D0 FA E9 72 FB ED 0C 51 B4 A4 1C 7A 34 
9E 0C 47 BB 80
Oct 23 10:38:15 off17 pcscd[4499]: 00016864 SW: 69 82
Oct 23 10:38:15 off17 pcscd[4499]: 00000982 APDU: 00 2A 9E 9A 14 04 75 95 D0 FA 
E9 72 FB ED 0C 51 B4 A4 1C 7A 34 9E 0C 47 BB 80
Oct 23 10:38:15 off17 pcscd[4499]: 00015032 SW: 69 82

The problem remains the same: After verifiying the PIN, the PKCS#15 DF is 
selected without doing anything there, and then the signature DF is reselected 
and the authentication is lost in the process. This behaviour makes me think, 
that the problem is rathe in opensc-pkcs11.so and not in pkcs11-tool.
I also tried to use the pinpad to enter the pin (instead of specifying it on 
the command line), but the outcome was the same.

cheers
Mathias
--- src/tools/pkcs11-tool.c     2011-07-05 13:28:53.000000000 +0200
+++ src/tools/pkcs11-tool.c     2012-10-23 10:20:51.817544765 +0200
@@ -50,6 +50,7 @@
 extern void *C_LoadModule(const char *name, CK_FUNCTION_LIST_PTR_PTR);
 extern CK_RV C_UnloadModule(void *module);
 
+static CK_BBOOL getALWAYS_AUTHENTICATE (CK_SESSION_HANDLE sess, 
CK_OBJECT_HANDLE obj);
 #define NEED_SESSION_RO        0x01
 #define NEED_SESSION_RW        0x02
 
@@ -1296,6 +1297,9 @@
                if (rv != CKR_OK)
                        p11_fatal("C_SignInit", rv);
 
+               if (getALWAYS_AUTHENTICATE(session, key))
+                   login(session,CKU_CONTEXT_SPECIFIC);
+
                sig_len = sizeof(sig_buffer);
                rv =  p11->C_Sign(session, in_buffer, r, sig_buffer, &sig_len);
        }

_______________________________________________
opensc-devel mailing list
opensc-devel@lists.opensc-project.org
http://www.opensc-project.org/mailman/listinfo/opensc-devel

Reply via email to