Re: [opensc-devel] changeset 3765 and sc_keycache_set_pin_name
On Tuesday, 06 October 2009 16:06:52, Aktiv Co. Aleksey Samsonov wrote:
> Aktiv Co. Aleksey Samsonov:
> > Hello,
> > Rutoken initialization failed after
> > http://www.opensc-project.org/opensc/changeset/3765#file8
> > $ pkcs15-init -l "Rutoken ECP User PIN" -a 02 --pin "12345678" --puk ""
> > -P --so-pin "87654321" -F
> > Failed to store PIN: Requested object not found
> > =>
> > new_entry -> calloc
> > ...
> > sc_keycache_get_key -> search_key -> if (s->len != 0) then error
> >
> > Any idea?
> > Thanks.
>
> Cause: http://www.opensc-project.org/opensc/changeset/3741

hmm. I'm not 100% sure how keycache works either.
but that code is bogus - int is returned from the function,
written into an unsigned int, which is then checked "< 0"
which can't ever happen to unsigned int.

thus I "fixed" the code to get the value as int, compare "< 0"
and only write it into the unsigned int len field if it is >= 0.

but no idea when keycache code is actually used. can you post
a backtrace? or does anyone else know?

Regards, Andreas
___
opensc-devel mailing list
opensc-devel@lists.opensc-project.org
http://www.opensc-project.org/mailman/listinfo/opensc-devel
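
The signed/unsigned mix-up described in the message above, as an added example that is not part of the thread or of OpenSC's code. The reduced struct secret and the names lookup_key, store_before and store_after are assumptions; -1407 is the value of r from the gdb trace posted in this thread.

```c
#include <stdio.h>
#include <string.h>

#define MAX_SECRET 32
#define ERR_NOT_FOUND (-1407) /* value of r in the gdb trace in this thread */

/* Reduced stand-in for a keycache entry (assumption, not OpenSC's struct). */
struct secret { unsigned char value[MAX_SECRET]; unsigned int len; };

/* Hypothetical lookup: returns the secret length or a negative error code. */
static int lookup_key(const char *pin, unsigned char *out, size_t outlen)
{
    size_t n;
    if (pin == NULL)
        return ERR_NOT_FOUND;
    n = strlen(pin);
    if (n > outlen)
        n = outlen;
    memcpy(out, pin, n);
    return (int)n;
}

/* Before: the int result lands in the unsigned field first, so the "< 0"
 * test can never be true and the error is dropped. */
static int store_before(struct secret *s, const char *pin)
{
    s->len = lookup_key(pin, s->value, MAX_SECRET);
    if (s->len < 0)
        return -1;
    return 0;
}

/* After: hold the result in an int, test it, assign only when it is >= 0. */
static int store_after(struct secret *s, const char *pin)
{
    int r = lookup_key(pin, s->value, MAX_SECRET);
    if (r < 0)
        return r;
    s->len = (unsigned int)r;
    return 0;
}

int main(void)
{
    struct secret a = {{0}, 0}, b = {{0}, 0};
    int ra = store_before(&a, NULL), rb = store_after(&b, NULL);
    printf("before: rc=%d len=%u\n", ra, a.len);
    printf("after:  rc=%d len=%u\n", rb, b.len);
    return 0;
}
```

In the "before" form the failed lookup reports success and leaves len holding the error code reinterpreted as a length far larger than the buffer; in the "after" form the caller sees the error and len is untouched.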
Re: [opensc-devel] new opensc 0.11.* release?
Andreas Jellinghaus:
> On Tuesday, 06 October 2009 10:17:08, Aktiv Co. Aleksey Samsonov wrote:
>> I want to make a few changes to cleanup.
>> It takes me a few hours to do it.
>
> ok. no hurries, let me know when it's done. a few days more or less
> before the next release doesn't matter.
>
>> And there is a patch "[PATCH] Fix OpenSC PKCS#11 object grouping" [1].
>> If you want to apply it, I can do it. (src/pkcs11/framework-pkcs15.c was
>> changed in revision 3757)
>
> thanks, please do. I forgot about those (a send patch was send as follow up).

I finished this work, but have one problem (for Rutoken S/Rutoken ECP
http://www.opensc-project.org/pipermail/opensc-devel/2009-October/012599.html)
Re: [opensc-devel] changeset 3765 and sc_keycache_set_pin_name
Hello Aleksey and others,

Those of you who have used pkcs15init API, can anyone explain the way
keycache works? There is some extra magic happening that does not only
USER_PIN/SO_PIN <-> PIN value mapping but deals with "naming PINs"?

What is this used for in keycache.c:
libopensc/opensc.h:#define SC_AC_SYMBOLIC 0x0010 /* internal use only */

I've checked how card initialization works with KEYCACHE_DEBUG enabled
but I can't really make conclusions as I've never directly worked with
src/pkcs15init

Thanks,

On 06.10.2009, at 17:06, Aktiv Co. Aleksey Samsonov wrote:
> Aktiv Co. Aleksey Samsonov:
>> Hello,
>> Rutoken initialization failed after
>> http://www.opensc-project.org/opensc/changeset/3765#file8
>> $ pkcs15-init -l "Rutoken ECP User PIN" -a 02 --pin "12345678" --puk ""
>> -P --so-pin "87654321" -F
>> Failed to store PIN: Requested object not found
>> =>
>> new_entry -> calloc
>> ...
>> sc_keycache_get_key -> search_key -> if (s->len != 0) then error
>>
>> Any idea?
>> Thanks.
>
> Cause: http://www.opensc-project.org/opensc/changeset/3741

--
Martin Paljak
http://martin.paljak.pri.ee
+372.515.6495
Re: [opensc-devel] changeset 3765 and sc_keycache_set_pin_name
Aktiv Co. Aleksey Samsonov:
> Hello,
> Rutoken initialization failed after
> http://www.opensc-project.org/opensc/changeset/3765#file8
> $ pkcs15-init -l "Rutoken ECP User PIN" -a 02 --pin "12345678" --puk ""
> -P --so-pin "87654321" -F
> Failed to store PIN: Requested object not found
> =>
> new_entry -> calloc
> ...
> sc_keycache_get_key -> search_key -> if (s->len != 0) then error
>
> Any idea?
> Thanks.

Cause: http://www.opensc-project.org/opensc/changeset/3741
Re: [opensc-devel] [PATCH] Fix OpenSC PKCS#11 object grouping
Hello,

Pierre Ossman:
> On Mon, 5 Oct 2009 11:28:12 +0300
> Martin Paljak wrote:
>
>> On 05.10.2009, at 11:01, Pierre Ossman wrote:
>>> New attempt, this time against r3756 (r18006 was our internal repo,
>>> for
>>> those curious :)), as an attachment and without a signature on the
>>> mail. Hopefully everyone can read it this time.
>> Applies and works for me.
>>
>
> Glad to hear it. Does that also mean it will get merged in trunk?
>
>>> Oh yeah, I also forgot to mention that this patch also adds some more
>>> debug output. I found it helpful to see how the library chooses to
>>> associate objects, even though it currently only prints the index
>>> number.
>> Maybe you can improve it so that it would log object/auth IDs? This
>> would facilitate better debugging by looking at pkcs15-tool -D and
>> then pkcs#11 debug log?
>>
>
> Sure. Included patch gives this debug output:

Thanks! Committed in revision 3769.
Re: [opensc-devel] [PATCH] pam_pkcs11: fix buildsystem
2009/10/6 Diego Elio “Flameeyes” :
> On Tue, 06/10/2009 at 10.10 +0200, Ludovic Rousseau wrote:
>>
>> According to gcc(1):
>
> You're looking at the wrong command's man page (and actually, you cannot
> find it on any manpage): that -shared is part of libtool's interface
> (it's LTLIBRARY for a reason).
>
> See my own guide at
> http://www.flameeyes.eu/autotools-mythbuster/libtool/index.html#libtool.plugins.dlopen
> for some further details.

Great. Patch applied in revision 378.

>> If you do not want the static libs (and I guess nobody will use them)
>> you should use:
>> ./configure --disable-static
>> I don't know if you can configure configure.in to use --disable-static
>> by default.
>
> Well, as a matter of fact, you can:
>
> AC_PROG_LIBTOOL([disable-static])
>
> or, for newer libtool
>
> LT_INIT([disable-static])

Thanks for the info.

bye

--
Dr. Ludovic Rousseau
[opensc-devel] changeset 3765 and sc_keycache_set_pin_name
Hello,

Rutoken initialization failed after
http://www.opensc-project.org/opensc/changeset/3765#file8 only
(trunk/src/pkcs15init/keycache.c)

Example:

$ pkcs15-init -E -C --so-pin "87654321" --so-puk ""
OK!
$ pkcs15-init -l "Rutoken ECP User PIN" -a 02 --pin "12345678" --puk "" -P --so-pin "87654321" -F
Failed to store PIN: Requested object not found

Breakpoint 2, sc_keycache_set_pin_name (path=0x8140590, ref=1, name=0) at keycache.c:251
251 if (name < 0 || name >= SC_PKCS15INIT_NPINS)
(gdb) n
248 {
(gdb)
251 if (name < 0 || name >= SC_PKCS15INIT_NPINS)
(gdb)
256 if ((old = named_pin[name]) != NULL) {
(gdb)
261 if (ref >= 0) {
(gdb)
264 if (!(s = find_entry(path, SC_AC_CHV, ref, 0))) {
(gdb)
265 s = new_entry(path, SC_AC_CHV, ref);
(gdb) s
new_entry (path=0x8140590, type=1, ref=1) at keycache.c:154
154 {
(gdb) n
157 s = (struct secret *) calloc(1, sizeof(*s));
(gdb) finish
Run till exit from #0 new_entry (path=0x8140590, type=1, ref=1) at keycache.c:157
0xb7fa5703 in sc_keycache_set_pin_name (path=0x8140590, ref=1, name=0) at keycache.c:265
265 s = new_entry(path, SC_AC_CHV, ref);
Value returned is $1 = (struct secret *) 0x8144790
(gdb) n
266 if (s == NULL)
(gdb)
269 r = sc_keycache_get_key(path, SC_AC_CHV, -1, s->value, MAX_SECRET);
(gdb)
270 if(r < 0)
(gdb)
292 }
(gdb) p r
$2 = -1407

=>
new_entry -> calloc
...
sc_keycache_get_key -> search_key -> if (s->len != 0) then error

Any idea?
Thanks.
Re: [opensc-devel] [PATCH] pam_pkcs11: fix buildsystem
On Tue, 06/10/2009 at 10.10 +0200, Ludovic Rousseau wrote:
>
> According to gcc(1):

You're looking at the wrong command's man page (and actually, you cannot
find it on any manpage): that -shared is part of libtool's interface
(it's LTLIBRARY for a reason).

See my own guide at
http://www.flameeyes.eu/autotools-mythbuster/libtool/index.html#libtool.plugins.dlopen
for some further details.

>
> If you do not want the static libs (and I guess nobody will use them)
> you should use:
> ./configure --disable-static
> I don't know if you can configure configure.in to use --disable-static
> by default.

Well, as a matter of fact, you can:

AC_PROG_LIBTOOL([disable-static])

or, for newer libtool

LT_INIT([disable-static])

but the point here is that those libraries cannot be built statically at
all, so for systems where shared objects are not supported, well, PAM
does not exist.

By the way, just so you know, I don't think any of the modern (and also
not-so-modern) OSes lacks shared object supports: I'm pretty sure that
Linux, the BSDs (all of them), OS X, Windows, Solaris, I _think_ even
Hurd do support them, so it's not really a problem.

--
Diego Elio Pettenò — “Flameeyes”
http://blog.flameeyes.eu/

If you found a .asc file in this mail and know not what it is,
it's a GnuPG digital signature: http://www.gnupg.org/
Re: [opensc-devel] new opensc 0.11.* release?
On Tuesday, 06 October 2009 10:17:08, Aktiv Co. Aleksey Samsonov wrote:
> I want to make a few changes to cleanup.
> It takes me a few hours to do it.

ok. no hurries, let me know when it's done. a few days more or less
before the next release doesn't matter.

> And there is a patch "[PATCH] Fix OpenSC PKCS#11 object grouping" [1].
> If you want to apply it, I can do it. (src/pkcs11/framework-pkcs15.c was
> changed in revision 3757)

thanks, please do. I forgot about those (a send patch was send as follow up).

Regards, Andreas
Re: [opensc-devel] [PATCH] pam_pkcs11: fix buildsystem
2009/10/5 Diego Elio “Flameeyes” :
> Hi,

Hello,

> I'm a Gentoo Linux developer and I recently got my hands on a token that
> works with opensc, so I started looking into improving our support for
> it in PAM (I'm the maintainer of the PAM packages).
>
> Looking at pam_pkcs11 I found that the build system is slightly
> sub-optimal, in the sense that it builds, by default, static objects for
> plugins (like the PAM module itself),

According to gcc(1):
    -shared
        Produce a shared object which can then be linked with other
        objects to form an executable. Not all systems support this
        option. For predictable results, you must also specify the same
        set of options that were used to generate code (-fpic, -fPIC, or
        model suboptions) when you specify this option.[1]

"Not all systems support this option".

If you do not want the static libs (and I guess nobody will use them)
you should use:
./configure --disable-static
I don't know if you can configure configure.in to use --disable-static
by default.

> and uses a custom override rule
> for install to avoid installing the static version.

Fixed in revision 376.

> It also install the examples in the datadir instead of the docdir (which
> is what you would probably want, even the manual on the site refers
> to /usr/share/doc).

Fixed in revision 373.

> The attached patch fixes both problems, and at the same time defines a
> pamdir variable that can be used to select a different location for the
> PAM module (not all systems use the same path).

Thanks for the patch.
Please, can you split the patch in independent patches next time, so we
can discuss/apply them independently?

Bye

--
Dr. Ludovic Rousseau
Re: [opensc-devel] new opensc 0.11.* release?
Hello,

Andreas Jellinghaus:
> On Saturday, 03 October 2009 10:05:37, Andreas Jellinghaus wrote:
>> Hi,
>>
>> shall we create a new opensc 0.11.* release? things to wait for
>> before we create such a release?
>
> Aleksey committed the latest rutoken changes for GOST algorithm,
> I added the pending patches for westcos driver and GemsafeV2
> emulation. Is there anything else? Shall we create a new 0.11.*
> release?

I want to make a few changes to cleanup.
It takes me a few hours to do it.

And there is a patch "[PATCH] Fix OpenSC PKCS#11 object grouping" [1].
If you want to apply it, I can do it. (src/pkcs11/framework-pkcs15.c was
changed in revision 3757)

Thanks

[1] http://www.opensc-project.org/pipermail/opensc-devel/2009-October/012580.html
Re: [opensc-devel] [opensc-commits] svn opensc changed [3757] add GOST R 34.10-2001 algorithm (only PKCS#11) by Aktiv Co.
Alon Bar-Lev:
> The pkcs11.h hunk looks right.
>
> On Tue, Oct 6, 2009 at 8:08 AM, Andreas Jellinghaus
> wrote:
>>> When updating pkcs11.h, please sync with scut [1]
>>> Maintainer is at [2].
>> no worries, I will take care of that. is the patch ok
>> otherwise? then I will apply it.

Thanks very much! Before I had time to create a patch for them.
Re: [opensc-devel] [opensc-user] Gemalto Classic TPC IM
On Tuesday, 06 October 2009 09:00:19, Georges Bart wrote:
> This patch is not finished and will lock many cards.

ok, thanks for letting me know. I reverted the changes.

> I do not use/work on this code any more so I can't really help.

so I guess it is best to leave the code out of opensc, unless a new
active maintainer for the code steps forward.

Thanks, Andreas
Re: [opensc-devel] [opensc-user] Gemalto Classic TPC IM
2009/9/21 Andreas Jellinghaus :
> On Thursday, 22 May 2008 15:42:19, Georges Bart wrote:
>> > I bought a card from gemalto (Classic TPC IM) and I've got some problem
>> > to interact with it and opensc.
>>
>> I think your card is using the GemSafe v2 applet with a PKCS#15 mapping.
>>
>> I sent a patch last year to try to support this card in OpenSC.
>> http://www.opensc-project.org/pipermail/opensc-user/2007-August/001958.html
>>
>> I attach a new version of the patch against trunk as of today and with
>> corrections suggested by Andreas.
>
> oops, this patch was ignored for some reason.
>
> can everyone please review the patch?
> unless some issue is found, I think we should
> apply it.

This patch is not finished and will lock many cards.

The PIN sent to the card is hard coded inside the source code in
./src/libopensc/card-gemsafeV2.c:
static const u8 pin[] = {0x31, 0x32, 0x33, 0x34, 0x35, 0x36, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00};

So if your PIN is not "123456" you will lock your card.

> I'm not 100% sure why the new function sc_pkcs15_read_file_key_ref is needed,
> or if we can handle that some other way. but it's not a big deal if we mark
> it "gemsave V2 workaround" and keep that change.

I made some comments in
http://www.opensc-project.org/pipermail/opensc-user/2007-August/001958.html

I attach a patch to use the Gemsafe v2 card.
some specificity
- some DF can't be parsed if the PIN code is not submitted before
  So I submit the PIN right in the gemsafeV2_init function (before the
  card is parsed)
- the public keys are read by key ref. I added a
  sc_pkcs15_read_file_key_ref() function
- the get data command is a bit different

I do not use/work on this code any more so I can't really help.

Ciao

--
GB
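
What the warning in the message above means in practice, as an added example that is not from the patch or from OpenSC. The struct sim_card, MAX_TRIES and the helper names are assumptions, and the retry counter is a constructed model of card behaviour; the fixed bytes are the ones quoted in the message.

```c
#include <stdio.h>
#include <string.h>

#define PIN_LEN 16
#define MAX_TRIES 3 /* assumed retry limit; real cards differ */

/* Constructed model of a card's PIN state, for illustration only. */
struct sim_card { unsigned char pin[PIN_LEN]; int tries_left; };

/* The 16 bytes quoted in the message above: "123456", zero padded. */
static const unsigned char fixed_pin[PIN_LEN] = { 0x31, 0x32, 0x33, 0x34, 0x35, 0x36 };

/* VERIFY on the model: a wrong PIN costs one try, zero tries means locked. */
static int sim_verify(struct sim_card *c, const unsigned char *pin)
{
    if (c->tries_left == 0)
        return -1;
    if (memcmp(c->pin, pin, PIN_LEN) != 0) {
        c->tries_left--;
        return -1;
    }
    c->tries_left = MAX_TRIES;
    return 0;
}

/* Driver init as the message describes it: fixed PIN sent before parsing. */
static int init_with_fixed_pin(struct sim_card *c)
{
    return sim_verify(c, fixed_pin);
}

/* Number of driver inits until the card locks, or -1 if it never does. */
static int inits_until_locked(const char *user_pin)
{
    struct sim_card c = { {0}, MAX_TRIES };
    size_t len = strlen(user_pin);
    int n = 0;
    memcpy(c.pin, user_pin, len > PIN_LEN ? PIN_LEN : len);
    while (c.tries_left > 0 && n < 10) {
        init_with_fixed_pin(&c);
        n++;
    }
    return c.tries_left == 0 ? n : -1;
}

int main(void)
{
    printf("locked after %d inits\n", inits_until_locked("87654321"));
    return 0;
}
```

Under this model a card whose PIN differs from the fixed bytes is locked after MAX_TRIES driver initialisations, without the user ever entering a PIN.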