Re: [opensc-devel] cardos split-key
Hi Viktor,

If you send me your address, I'll send you one for free ;-)
CardOS 4.3B on a SLE66 320P (32k), Startkey FF and an empty pkcs15 structure.

Regards,
Vital

ZETES BE - Rue de Strasbourg 3, 1130 Brussels
WWW.ZETES.COM | ALWAYS A GOOD ID

-----Original Message-----
From: opensc-devel-boun...@lists.opensc-project.org [mailto:opensc-devel-boun...@lists.opensc-project.org] On Behalf Of João Poupino
Sent: Tuesday 17 November 2009 15:39
To: Viktor TARASOV
Cc: opensc-de...@opensc-project.org
Subject: Re: [opensc-devel] cardos split-key

Hi Viktor,

Viktor TARASOV wrote:
> Is it possible to buy somewhere 2-3 CardOS cards that will be accepted by OpenSC (formatted, initialized, ...)?
>
> Viktor.

You can get some eTokens (32K and 64K) that will be accepted by OpenSC and are relatively cheap, at ebay [1].

Regards,
João

[1] - http://shop.ebay.com/i.html?_kw=etoken_fcid=164_localstpos=_sticky=1_stpos=gbr=1

___
opensc-devel mailing list
opensc-devel@lists.opensc-project.org
http://www.opensc-project.org/mailman/listinfo/opensc-devel
[opensc-devel] pkcs11 trouble on 0.12.0-svn
Hi there,

Does someone do commands like:

pkcs11-tool -l -O

It fails for me:

error: PKCS11 function C_OpenSession failed: rv = CKR_TOKEN_NOT_PRESENT (0xe0)

but if I do:

pkcs11-tool -T
Available slots:
Slot 4           CEVGroup Software Reader 1
  token label:   westcos (User PIN)
  token manuf:   CEV
  token model:   PKCS#15
  token flags:   login required, PIN initialized, token initialized
  serial num  :  0102030405060708

Martin,

In revision 3845 you merged [3823:3844] to your branch before swapping it to trunk, but it seems that the 3823 changes were not included in this merge; I've not noticed any other change left out. Could you have a look please.

Regards,
François.
Re: [opensc-devel] pkcs11 trouble on 0.12.0-svn
François Leblanc:
> Hi there,

Hi,

> Does someone do commands like:
>
> pkcs11-tool -l -O
>
> It fails for me:
>
> error: PKCS11 function C_OpenSession failed: rv = CKR_TOKEN_NOT_PRESENT (0xe0)
>
> but if I do:
>
> pkcs11-tool -T
> Available slots:
> Slot 4           CEVGroup Software Reader 1

Please try

$ pkcs11-tool -l -O --slot 4
Re: [opensc-devel] pkcs11 trouble on 0.12.0-svn
François Leblanc wrote:
> Hi there,
>
> Does someone do commands like:
>
> pkcs11-tool -l -O
>
> It fails for me:
>
> error: PKCS11 function C_OpenSession failed: rv = CKR_TOKEN_NOT_PRESENT (0xe0)
>
> but if I do:
>
> pkcs11-tool -T
> Available slots:
> Slot 4           CEVGroup Software Reader 1
>   token label:   westcos (User PIN)
>   token manuf:   CEV
>   token model:   PKCS#15
>   token flags:   login required, PIN initialized, token initialized
>   serial num  :  0102030405060708

for me the following works:

./build/bin/pkcs11-tool --module ./build/lib/opensc-pkcs11.so -T
Available slots:
Slot 4           OmniKey CardMan 3121 01 00
...

./build/bin/pkcs11-tool --module ./build/lib/opensc-pkcs11.so --slot 4 -l -O
Please enter User PIN:
...

By default, should it look for the first non-empty slot? It seemed to me that it does not.

> Martin,
>
> In revision 3845 you merged [3823:3844] to your branch before swapping it to trunk, but it seems that the 3823 changes were not included in this merge; I've not noticed any other change left out. Could you have a look please.
>
> Regards,
> François.

--
Viktor Tarasov viktor.tara...@opentrust.com
Re: [opensc-devel] pkcs11 trouble on 0.12.0-svn
> for me the following works:
>
> ./build/bin/pkcs11-tool --module ./build/lib/opensc-pkcs11.so -T
> Available slots:
> Slot 4           OmniKey CardMan 3121 01 00
> ...
>
> ./build/bin/pkcs11-tool --module ./build/lib/opensc-pkcs11.so --slot 4 -l -O
> Please enter User PIN:
> ...

Yes, thank you, it works for me too with the --slot option.

François.
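The failure in this thread is a slot-selection problem: pkcs11-tool (0.12.0-svn at the time) opened a default slot with no token in it, so C_OpenSession returned CKR_TOKEN_NOT_PRESENT, while naming the populated slot with --slot worked. As an added example that is not from the thread or from OpenSC, a small POSIX shell helper that parses `pkcs11-tool -T` output, picks the first slot that reports a token, and builds the `--slot` invocation; the listing it parses is constructed in the style of the output quoted above.

```shell
#!/bin/sh
# Added example (not OpenSC project code): pick the first slot that really
# carries a token from `pkcs11-tool -T` output, then address it with --slot.

# Print the number of the first slot whose block has a "token label:" line.
# Slots shown as "(empty)" or without a token block are skipped.
# Reads the listing on stdin; prints nothing and returns 1 if no token found.
first_token_slot() {
    awk '
        /^Slot [0-9]+/ { slot = $2; next }     # remember the current slot id
        /token label:/ && slot != "" {          # first slot with a token
            print slot; found = 1; exit
        }
        END { if (!found) exit 1 }
    '
}

# Build the command line, e.g. "pkcs11-tool --slot 4 -l -O".
# $1 is the listing text; the remaining arguments are passed through.
pkcs11_cmd_for_listing() {
    listing=$1; shift
    slot=$(printf '%s\n' "$listing" | first_token_slot) || return 1
    printf 'pkcs11-tool --slot %s %s\n' "$slot" "$*"
}

# Constructed sample listing in the style quoted in the thread:
# slot 0 is an empty reader, slot 4 holds the token.
SAMPLE_LISTING='Available slots:
Slot 0           OmniKey CardMan 3121 00 00
  (empty)
Slot 4           CEVGroup Software Reader 1
  token label:   westcos (User PIN)
  token manuf:   CEV
  token model:   PKCS#15
  token flags:   login required, PIN initialized, token initialized
  serial num  :  0102030405060708'

# Constructed listing with no token anywhere: the helper fails instead of
# guessing a slot, which is the CKR_TOKEN_NOT_PRESENT case made explicit.
EMPTY_LISTING='Available slots:
Slot 0           OmniKey CardMan 3121 00 00
  (empty)'

# Stand-alone usage; against real hardware use "$(pkcs11-tool -T)" instead.
pkcs11_cmd_for_listing "$SAMPLE_LISTING" -l -O
pkcs11_cmd_for_listing "$EMPTY_LISTING" -l -O || echo "no token present in any slot" >&2
```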
Re: [opensc-devel] ID of cryptographic objects
Hello,

Viktor TARASOV wrote:
> Aleksey Samsonov wrote:
>> Thanks, but some potential memory leaks. See patch in attachment. You can apply this patch, if you think it should be.
>
> ok
>
> As for me, there are no potential leaks -- I trust entirely the sc_asn1_encode().
> Agree, there is an excessive 'if'.
> Personally, I prefer to know with more precision where an error took place, but I agree, it's a question of taste.

Does anyone think that there are potential memory leaks and that a correction is necessary?
[opensc-devel] Difference between pkcs15-init/pkcs11-tool generate key.
I try to use pkcs11-tool more, since I guess pkcs11 will be the standard way to use opensc, and I can't generate a key with pkcs11.

I notice that pkcs15-init calls 'sc_pkcs15init_set_callbacks' and pkcs11-tool does not, and this is why do_get_and_verify_secret fails later.

Does someone use pkcs11-tool to generate key pairs on cards without so-pin, and does it work?

François.
Re: [opensc-devel] Difference between pkcs15-init/pkcs11-tool generate key.
Hi!

I have the same issue with the 0.11.11 version.. just traced the problem to the same place.

Any ideas what is wrong?

Regards,
Toni

-----Original Message-----
From: François Leblanc

> I try to use pkcs11-tool more, since I guess pkcs11 will be the standard way to use opensc, and I can't generate a key with pkcs11.
>
> I notice that pkcs15-init calls 'sc_pkcs15init_set_callbacks' and pkcs11-tool does not, and this is why do_get_and_verify_secret fails later.
>
> Does someone use pkcs11-tool to generate key pairs on cards without so-pin, and does it work?
>
> François.
Re: [opensc-devel] Difference between pkcs15-init/pkcs11-tool generate key.
Hum, my first idea is to add 'sc_pkcs15init_set_callbacks' somewhere in opensc-pkcs11.dll (in framework-pkcs15.c for example)... but as I'm not a specialist of pkcs11 I'd rather wait to have the opinion of someone who knows what he does. So for the moment I hope a pkcs11 expert will have a look.

'pkcs15-init' provides its own function to get the pin and asks for the pin when necessary; for opensc-pkcs11 the pin is given by the application, so we can't provide a function to ask for the pin. I think we can cache the pin at login and call 'sc_pkcs15init_set_callbacks' to set functions to retrieve the pin back, but what about security and so-pin...

François.

-----Original Message-----
From: Aventra development [mailto:developm...@aventra.fi]
Sent: Wednesday 18 November 2009 15:13
To: 'opensc-devel (opensc-devel)'
Cc: François Leblanc
Subject: RE: [opensc-devel] Difference between pkcs15-init/pkcs11-tool generate key.

> Hi!
>
> I have the same issue with the 0.11.11 version.. just traced the problem to the same place.
>
> Any ideas what is wrong?
>
> Regards,
> Toni
>
> -----Original Message-----
> From: François Leblanc
>
>> I try to use pkcs11-tool more, since I guess pkcs11 will be the standard way to use opensc, and I can't generate a key with pkcs11.
>>
>> I notice that pkcs15-init calls 'sc_pkcs15init_set_callbacks' and pkcs11-tool does not, and this is why do_get_and_verify_secret fails later.
>>
>> Does someone use pkcs11-tool to generate key pairs on cards without so-pin, and does it work?
>>
>> François.
Re: [opensc-devel] Difference between pkcs15-init/pkcs11-tool generate key.
On 18.11.2009, at 16:53, François Leblanc wrote:
> Hum, my first idea is to add 'sc_pkcs15init_set_callbacks' somewhere in opensc-pkcs11.dll (in framework-pkcs15.c for example)... but as I'm not a specialist of pkcs11 I'd rather wait to have the opinion of someone who knows what he does. So for the moment I hope a pkcs11 expert will have a look.

For the trunk branch, I don't know if the comment to changeset 3784 is OK:
https://www.opensc-project.org/opensc/changeset/3784
This can't affect 0.11.

> 'pkcs15-init' provides its own function to get the pin and asks for the pin when necessary; for opensc-pkcs11 the pin is given by the application, so we can't provide a function to ask for the pin. I think we can cache the pin at login and call 'sc_pkcs15init_set_callbacks' to set functions to retrieve the pin back, but what about security and so-pin...

There are two targets:
 1. If a PIN is entered via software, cache it in a single location, usable by all layers above libopensc by the same mechanism.
 2. Allow to personalize a card with all PIN-s going through a pinpad.

1. is possible, but 2 via PKCS#11 might be a problem, if a card requires a PIN several times for a single operation...

--
Martin Paljak
http://martin.paljak.pri.ee
+372.515.6495
Re: [opensc-devel] Difference between pkcs15-init/pkcs11-tool generate key.
Martin Paljak wrote:
> On 18.11.2009, at 16:53, François Leblanc wrote:
>> Hum, my first idea is to add 'sc_pkcs15init_set_callbacks' somewhere in opensc-pkcs11.dll (in framework-pkcs15.c for example)... but as I'm not a specialist of pkcs11 I'd rather wait to have the opinion of someone who knows what he does. So for the moment I hope a pkcs11 expert will have a look.
>
> For the trunk branch, I don't know if the comment to changeset 3784 is OK:
> https://www.opensc-project.org/opensc/changeset/3784
> This can't affect 0.11.
>
>> 'pkcs15-init' provides its own function to get the pin and asks for the pin when necessary; for opensc-pkcs11 the pin is given by the application, so we can't provide a function to ask for the pin. I think we can cache the pin at login and call 'sc_pkcs15init_set_callbacks' to set functions to retrieve the pin back, but what about security and so-pin...
>
> There are two targets:
>  1. If a PIN is entered via software, cache it in a single location, usable by all layers above libopensc by the same mechanism.
>  2. Allow to personalize a card with all PIN-s going through a pinpad.
>
> 1. is possible, but 2 via PKCS#11 might be a problem, if a card requires a PIN several times for a single operation...

Actually:
- C_Login() caches the PIN in one of the p15card->pin_cache[] entries;
- sc_pkcs15init_authenticate() (in fact do_get_and_verify_secret()) does not look for the PIN in this cache, but in a global cache (static 'secret *' and 'named_pin' in keycache.c).

What is the reason for the co-existence of these two caches?
Maybe sc_pkcs15init_authenticate() should look for the PIN in p15card->pin_cache[] also?
IMHO, at least, it will solve the problem for 'target 1.', and will not change the situation for 'target 2.'.

--
Viktor Tarasov viktor.tara...@opentrust.com
Re: [opensc-devel] Difference between pkcs15-init/pkcs11-tool generate key.
>> There are two targets:
>>  1. If a PIN is entered via software, cache it in a single location, usable by all layers above libopensc by the same mechanism.
>>  2. Allow to personalize a card with all PIN-s going through a pinpad.
>>
>> 1. is possible, but 2 via PKCS#11 might be a problem, if a card requires a PIN several times for a single operation...
>
> Actually:
> - C_Login() caches the PIN in one of the p15card->pin_cache[] entries;
> - sc_pkcs15init_authenticate() (in fact do_get_and_verify_secret()) does not look for the PIN in this cache, but in a global cache (static 'secret *' and 'named_pin' in keycache.c).
>
> What is the reason for the co-existence of these two caches?
> Maybe sc_pkcs15init_authenticate() should look for the PIN in p15card->pin_cache[] also?
> IMHO, at least, it will solve the problem for 'target 1.', and will not change the situation for 'target 2.'.

I've seen in the docs:

  If the token has a protected authentication path, as indicated by the CKF_PROTECTED_AUTHENTICATION_PATH flag in its CK_TOKEN_INFO being set, then that means that there is some way for a user to be authenticated to the token without having the application send a PIN through the Cryptoki library. One such possibility is that the user enters a PIN on a PINpad on the token itself, or on the slot device. Or the user might not even use a PIN - authentication could be achieved by some fingerprint-reading device, for example. To log into a token with a protected authentication path, the pPin parameter to C_Login should be NULL_PTR. When C_Login returns, whatever authentication method supported by the token will have been performed; a return value of CKR_OK means that the user was successfully authenticated, and a return value of CKR_PIN_INCORRECT means that the user was denied access.

For target 2 it will be OK, after providing CKF_PROTECTED_AUTHENTICATION_PATH for pinpad readers, so for targets 1 and 2 we can call 'sc_pkcs15init_set_callbacks' and give a function which returns the p15card->pin_cache[] value if not null, asks on the pinpad if it's a pinpad reader, and returns an error elsewhere.

What do you think?

François.
Re: [opensc-devel] Difference between pkcs15-init/pkcs11-tool generate key.
François Leblanc wrote:
>>> There are two targets:
>>>  1. If a PIN is entered via software, cache it in a single location, usable by all layers above libopensc by the same mechanism.
>>>  2. Allow to personalize a card with all PIN-s going through a pinpad.
>>>
>>> 1. is possible, but 2 via PKCS#11 might be a problem, if a card requires a PIN several times for a single operation...
>>
>> Actually:
>> - C_Login() caches the PIN in one of the p15card->pin_cache[] entries;
>> - sc_pkcs15init_authenticate() (in fact do_get_and_verify_secret()) does not look for the PIN in this cache, but in a global cache (static 'secret *' and 'named_pin' in keycache.c).
>>
>> What is the reason for the co-existence of these two caches?
>> Maybe sc_pkcs15init_authenticate() should look for the PIN in p15card->pin_cache[] also?
>> IMHO, at least, it will solve the problem for 'target 1.', and will not change the situation for 'target 2.'.
>
> I've seen in the docs:
>
>   If the token has a protected authentication path, as indicated by the CKF_PROTECTED_AUTHENTICATION_PATH flag in its CK_TOKEN_INFO being set, then that means that there is some way for a user to be authenticated to the token without having the application send a PIN through the Cryptoki library. One such possibility is that the user enters a PIN on a PINpad on the token itself, or on the slot device. Or the user might not even use a PIN - authentication could be achieved by some fingerprint-reading device, for example. To log into a token with a protected authentication path, the pPin parameter to C_Login should be NULL_PTR. When C_Login returns, whatever authentication method supported by the token will have been performed; a return value of CKR_OK means that the user was successfully authenticated, and a return value of CKR_PIN_INCORRECT means that the user was denied access.
>
> For target 2 it will be OK, after providing CKF_PROTECTED_AUTHENTICATION_PATH for pinpad readers, so for targets 1 and 2 we can call 'sc_pkcs15init_set_callbacks' and give a function which returns the p15card->pin_cache[] value if not null, asks on the pinpad if it's a pinpad reader, and returns an error elsewhere.
>
> What do you think?
>
> François.

I have no answer; I have not tried to use a pinpad with the current OpenSC version.

In my 'local OpenSC' I modified do_get_and_verify_secret() to not return an error if there was no PIN value obtained (from cache or callback) and if there is CKF_PROTECTED_AUTHENTICATION_PATH. Then the PIN-pad is managed at the libopensc card-specific level.

Don't know if it's generally acceptable.

Viktor.