On Thursday 25. October 2012 09:13:58 Douglas E. Engert wrote:
> [...]
> >>> Oct 24 16:35:41 off17 pcscd[4490]: 00000477 APDU: 00 2A 9E 9A 80 00 01 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF 00 30 21 30 09 06 05 2B 0E 03 02 1A 05 00 04 14 04 75 95 D0 FA E9 72 FB ED 0C 51 B4 A4 1C 7A 34 9E 0C 47 BB 80
> >>> Oct 24 16:35:41 off17 pcscd[4490]: 00048524 SW: 67 00
> >> 
> >> Actually, here is the problem. The above 67 00 is "wrong length". The
> >> card-cardos.c tried this:
> >> 0xb721d900 16:35:41.223 [opensc-pkcs11] card-cardos.c:836:cardos_compute_signature: trying RSA_PURE_SIG (padded DigestInfo)
> >> 
> >> but it failed, so it tries again:
> >> 0xb721d900 16:35:41.272 [opensc-pkcs11] card-cardos.c:842:cardos_compute_signature: trying RSA_SIG (just the DigestInfo)
> >> 
> >>> Oct 24 16:35:41 off17 pcscd[4490]: 00000378 APDU: 00 2A 9E 9A 23 30 21 30 09 06 05 2B 0E 03 02 1A 05 00 04 14 04 75 95 D0 FA E9 72 FB ED 0C 51 B4 A4 1C 7A 34 9E 0C 47 BB 80
> >>> Oct 24 16:35:41 off17 pcscd[4490]: 00023629 SW: 69 82
> >> 
> >> The 69 82 is Command not allowed, Security Status not satisfied (i.e.
> >> user_consent)
> >> 
> >> The question is why does it try the padded DigestInfo first?
> >> See the comments in card-cardos.c at line 821.
> >> If the right FLAGS are set, it should get it right the first time.
> > 
> > You are right! Reselecting the signature DF keeps the security status
> > active (I tried it). I looked at the source code of the corresponding
> > part (card-cardos.c, line 821), and the commentary gives it away:
> > 
> > /* XXX As we don't know what operations are allowed with a
> >  * certain key, let's try RSA_PURE etc. and see which operation
> >  * succeeds (this is not really beautiful, but currently the
> >  * only way I see) -- Nils
> >  *
> >  * We also check for several caps flags here to prevent generating
> >  * invalid signatures with duplicated hash prefixes with some cards
> >  */
> > 
> > This is wrong. You can read that information from the supportedAlgorithms
> > sequence in the TokenInfo file (I have two lines there, with RSA_PKCS and
> > SHA1_RSA_PKCS as mechanisms and both with RSA2_SIG for the algorithm
> > (which is also the algorithm of the key)).
> > 
> >> There are 4 other pkcs15-*.c modules that use the card-cardos.c driver.
> >> It looks like your card is not one of them. This is where others on the
> >> list with CardOS cards could help.
> > 
> > I don't understand that. Do you mean that it selects the wrong card
> > driver? I have manually created the PKCS#15 application to reference a
> > separate signature application.
> 
> There are 4 pkcs15 emulation modules that appear to use the card-cardos.c
> driver, pkcs15-aactalis.c, pkcs15-infocamere.c, pkcs15-postecert.c, and
> pkcs15-tccardos. The PKCS15 emulation modules help fill in some of the
> details.
> 
> The SC_CARD_CAP_ONLY_* flags used in card-cardos.c are set
> in pkcs15.c in fix_starcos_pkcs15_card(), and maybe a similar response to
> the type of problem you are seeing (but not a generic fix, if the flags
> can be derived from some information on the card).
> 
> I don't have any CardOS cards or experience with them but others
> on this list do, and they should respond.
> 
> What might be the issue is that CardOS is not a true PKCS15 card,
> or does not store all the FLAGS that are required, or none of the previous
> cards supported user_consent, or user_consent was never set on any keys
> on these cards.
> 
> I see the problem, but without any CardOS cards, don't know the best
> way to fix it.

I have written a patch that uses the algorithm information stored
in the PKCS#15 TokenInfo file, and issued a pull request for it:

https://github.com/OpenSC/OpenSC/pull/97


cheers
Mathias
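As an added example (not OpenSC's code and not the patch in the pull request above), this Python script decodes the two PSO:COMPUTE DIGITAL SIGNATURE attempts from a pcscd trace like the one quoted in the thread, names which cardos_compute_signature path each data field corresponds to (PKCS#1 v1.5-padded block vs. bare DigestInfo), and maps the status words to their ISO 7816-4 meanings. The trace is constructed from the bytes quoted above, with the mail-wrapped lines re-joined; the function and constant names are the example's own.

```python
import re

# SHA-1 DigestInfo prefix (RFC 3447 sec. 9.2), visible in both APDUs quoted in the thread
SHA1_DIGESTINFO_PREFIX = bytes.fromhex("3021300906052b0e03021a05000414")
DIGEST = bytes.fromhex("047595d0fae972fbed0c51b4a41c7a349e0c47bb")  # the SHA-1 value from the log
SW_MEANING = {"6700": "wrong length", "6982": "security status not satisfied", "9000": "ok"}
PSO_CDS_HEADER = b"\x00\x2a\x9e\x9a"  # CLA INS=PSO P1=9E P2=9A: COMPUTE DIGITAL SIGNATURE
APDU_RE = re.compile(r"APDU: ((?:[0-9A-F]{2} ?)+)$")
SW_RE = re.compile(r"SW: ([0-9A-F]{2}) ([0-9A-F]{2})$")

def pkcs1_v15_pad(digestinfo: bytes, key_bytes: int) -> bytes:
    """EMSA-PKCS1-v1_5 block 00 01 FF..FF 00 || DigestInfo, i.e. what RSA_PURE_SIG sends."""
    ps_len = key_bytes - len(digestinfo) - 3
    if ps_len < 8:
        raise ValueError("modulus too short for this DigestInfo")
    return b"\x00\x01" + b"\xff" * ps_len + b"\x00" + digestinfo

def classify_pso_data(data: bytes) -> str:
    """Name the cardos_compute_signature attempt a PSO data field corresponds to."""
    if data.startswith(SHA1_DIGESTINFO_PREFIX) and len(data) == len(SHA1_DIGESTINFO_PREFIX) + 20:
        return "RSA_SIG"
    if data[:2] == b"\x00\x01":
        sep = data.find(b"\x00", 2)  # end of the FF padding string
        if sep > 9 and set(data[2:sep]) == {0xFF} and data[sep + 1:].startswith(SHA1_DIGESTINFO_PREFIX):
            return "RSA_PURE_SIG/%d-bit" % (len(data) * 8)
    return "unknown"

def analyse_log(text: str) -> list:
    """Pair each PSO:CDS APDU with the SW that follows it: [(attempt, meaning), ...]."""
    out, pending = [], None
    for line in text.splitlines():
        m = APDU_RE.search(line)
        if m:
            apdu = bytes.fromhex(m.group(1).replace(" ", ""))
            if apdu.startswith(PSO_CDS_HEADER):
                pending = classify_pso_data(apdu[5:5 + apdu[4]])  # apdu[4] is Lc
            continue
        m = SW_RE.search(line)
        if m and pending:
            sw = m.group(1) + m.group(2)
            out.append((pending, SW_MEANING.get(sw, "sw " + sw)))
            pending = None
    return out

def sample_log() -> str:
    """Constructed pcscd trace mirroring the thread's two attempts (wrapped lines re-joined)."""
    hx = lambda b: " ".join("%02X" % x for x in b)
    pure = PSO_CDS_HEADER + b"\x80" + pkcs1_v15_pad(SHA1_DIGESTINFO_PREFIX + DIGEST, 128)
    bare = PSO_CDS_HEADER + b"\x23" + SHA1_DIGESTINFO_PREFIX + DIGEST
    return "\n".join(["Oct 24 16:35:41 off17 pcscd[4490]: 00000477 APDU: " + hx(pure),
                      "Oct 24 16:35:41 off17 pcscd[4490]: 00048524 SW: 67 00",
                      "Oct 24 16:35:41 off17 pcscd[4490]: 00000378 APDU: " + hx(bare),
                      "Oct 24 16:35:41 off17 pcscd[4490]: 00023629 SW: 69 82"])
```

Running analyse_log(sample_log()) shows the padded 1024-bit block being rejected with "wrong length" and the bare DigestInfo then failing on the security status, which is the sequence the thread traces back to the missing SC_CARD_CAP flags.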


_______________________________________________
opensc-devel mailing list
opensc-devel@lists.opensc-project.org
http://www.opensc-project.org/mailman/listinfo/opensc-devel