Re: [opensc-devel] SCardConnect(), dwPreferredProtocols and detecting Pinpad

2009-12-03 Thread Ludovic Rousseau
2009/12/3 Viktor TARASOV :
> Hi,

Hello,

> for me, PinPad is not detected with dwPreferredProtocols=0
> in the preceding SCardConnect() call (src/libopensc/reader-pcsc.c +917).
>
> With dwPreferredProtocols=SCARD_PROTOCOL_ANY it's detected normally.
>
> Is it a question of the version of PCSC (1.4.3-16) or CCID (1.3.0-15)?

Exactly. This bug has been corrected in revision 2957 [1] of pcsc-lite.
The correction appeared in pcsc-lite version 1.5.0.

The Apple version of pcsc-lite still has the bug.

Bye

[1] http://lists.alioth.debian.org/pipermail/pcsclite-cvs-commit/2008-May/003131.html

-- 
 Dr. Ludovic Rousseau
___
opensc-devel mailing list
opensc-devel@lists.opensc-project.org
http://www.opensc-project.org/mailman/listinfo/opensc-devel


Re: [opensc-devel] Unblocking PIN via PKCS#11?

2009-12-03 Thread Viktor TARASOV
Aktiv Co. Aleksey Samsonov wrote:
> Viktor TARASOV:
>>> - in CKU_SO_PIN context --  set PIN after SOPIN authentication;
>>>
>> Sorry, it's not a good idea -- there should be a possibility to change 
>> SOPIN.
>
> Incidentally, this doesn't work for current trunk. (change SOPIN by 
> C_SetPin) (see slot_data_auth/slot_data_pin_info and 
> http://www.opensc-project.org/opensc/browser/trunk/src/pkcs11/framework-pkcs15.c?rev=3868#L852)

In fact, thanks.

'In principle' SOPIN can be accessed in the CKU_SO_PIN context, for 
example with C_SetPIN(). The standard says that C_SetPIN modifies 
the PIN of the current user.

But actually, in pkcs15_change_pin() the logged user type is not checked.


-- 
Viktor Tarasov  



Re: [opensc-devel] Unblocking PIN via PKCS#11?

2009-12-03 Thread Viktor TARASOV
Pierre Ossman wrote:
> On Thu, 03 Dec 2009 14:57:34 +0100
> Viktor TARASOV  wrote:
>
>> Another possible, 'alternative to alternative' scheme is to use C_SetPin()
>> in the specific context (after C_Login(CKU_SPECIFIC_CONTEXT)).
>>
>> So, in CKU_USER_PIN context C_SetPin() is used to change user PIN,
>> in CKU_CONTEXT_SPECIFIC it's used to unblock user PIN.
>>
>> Afais, CKU_CONTEXT_SPECIFIC is not actually used.
>
> The problem here is that this is not something that's specified in the
> standard, and it's not the system existing implementations use.
>
> I think that as far as the interface goes, C_Login(CKU_SO) followed by
> C_InitPin() is set in stone as we want to be compatible with what's
> already out there.

In fact, reading the pkcs11.v2.20 pp 116:

C_SetPIN modifies the PIN of the user that is currently logged in, or 
the CKU_USER PIN if the session is not logged in.

So, C_Login(CKU_SO) + C_InitPIN() is not the only PIN unblocking scheme.

> Rgds


-- 
Viktor Tarasov  



Re: [opensc-devel] Unblocking PIN via PKCS#11?

2009-12-03 Thread Viktor TARASOV
Pierre Ossman wrote:
> On Thu, 03 Dec 2009 14:57:34 +0100
> Viktor TARASOV  wrote:
>
>> Another possible, 'alternative to alternative' scheme is to use C_SetPin()
>> in the specific context (after C_Login(CKU_SPECIFIC_CONTEXT)).
>>
>> So, in CKU_USER_PIN context C_SetPin() is used to change user PIN,
>> in CKU_CONTEXT_SPECIFIC it's used to unblock user PIN.
>>
>> Afais, CKU_CONTEXT_SPECIFIC is not actually used.
>
> The problem here is that this is not something that's specified in the
> standard, and it's not the system existing implementations use.
>
> I think that as far as the interface goes, C_Login(CKU_SO) followed by
> C_InitPin() is set in stone as we want to be compatible with what's
> already out there.

That's right.
Anyway, with the existing standard we cannot cover all the variations 
of the PKCS15 contents and different card specifications.

As for me, for the cards (rather 'pkcs15 contents') that do not have 
SOPIN or the only useful SOPIN function is 'unblock_user_pin' it's 
acceptable to use PUK as SOPIN and to use 'sc_pkcs15_unblock_pin' in 
C_InitPIN().

I'm not talking about the other possible situations with SOPIN!=PUK, 
number of PUKs, ...

I guess that some option (use-puk-as-sopin) can be introduced into the 
'pkcs11' section of opensc.conf.

> Rgds
-- 
Viktor Tarasov  



Re: [opensc-devel] Unblocking PIN via PKCS#11?

2009-12-03 Thread Aktiv Co. Aleksey Samsonov
Viktor TARASOV:
>> - in CKU_SO_PIN context --  set PIN after SOPIN authentication;
>>
> Sorry, it's not a good idea -- there should be a possibility to change SOPIN.

Incidentally, this doesn't work for current trunk. (change SOPIN by 
C_SetPin) (see slot_data_auth/slot_data_pin_info and 
http://www.opensc-project.org/opensc/browser/trunk/src/pkcs11/framework-pkcs15.c?rev=3868#L852)


Re: [opensc-devel] Unblocking PIN via PKCS#11?

2009-12-03 Thread Viktor TARASOV
Viktor TARASOV wrote:
> Viktor TARASOV wrote:
>> Aktiv Co. Aleksey Samsonov wrote:
>>> Pierre Ossman:
>>>> I think we might have a language barrier here as I'm not quite
>>>> following what you're trying to say.
>>> Sorry for inconvenience caused.
>>>
>>>> The basic problem is that none of my PKCS#15 cards have an object for
>>>> the PUK (and from what I can tell the PKCS#15 standard doesn't require
>>>> them to). This means that we cannot do a C_Login with the PUK
>>>> beforehand (as we cannot figure out the reference of the PUK for the
>>>> VERIFY operation).
>>> Then "alternative scheme" isn't correct in this case. But, I fear for 
>>> call sc_pkcs15_unblock_pin if we have a cached SO PIN (if SO PIN != PUK).
>> Another possible, 'alternative to alternative' scheme is to use C_SetPin()
>> in the specific context (after C_Login(CKU_SPECIFIC_CONTEXT)).
>>
>> So, in CKU_USER_PIN context C_SetPin() is used to change user PIN,
>> in CKU_CONTEXT_SPECIFIC it's used to unblock user PIN.
>>
>> Afais, CKU_CONTEXT_SPECIFIC is not actually used.
> Even better,
> for C_SetPIN():
> - in CKU_USER_PIN context -- change PIN;

> - in CKU_SO_PIN context --  set PIN after SOPIN authentication;

Sorry, it's not a good idea -- there should be a possibility to change SOPIN.

> - in CKU_SPECIFIC context -- 'one_step_unblock_PIN' or unblock PIN after 
> PUK (when PUK != SOPIN) authentication;


-- 
Viktor Tarasov  



Re: [opensc-devel] Unblocking PIN via PKCS#11?

2009-12-03 Thread Aktiv Co. Aleksey Samsonov
Viktor TARASOV:
> Another possible, 'alternative to alternative' scheme is to use C_SetPin()
> in the specific context (after C_Login(CKU_SPECIFIC_CONTEXT)).
> 
> So, in CKU_USER_PIN context C_SetPin() is used to change user PIN,
> in CKU_CONTEXT_SPECIFIC it's used to unblock user PIN.
> 
> Afais, CKU_CONTEXT_SPECIFIC is not actually used.

I think, this is a very good idea.


Re: [opensc-devel] Unblocking PIN via PKCS#11?

2009-12-03 Thread Pierre Ossman
On Thu, 03 Dec 2009 14:57:34 +0100
Viktor TARASOV  wrote:

> Another possible, 'alternative to alternative' scheme is to use C_SetPin()
> in the specific context (after C_Login(CKU_SPECIFIC_CONTEXT)).
> 
> So, in CKU_USER_PIN context C_SetPin() is used to change user PIN,
> in CKU_CONTEXT_SPECIFIC it's used to unblock user PIN.
> 
> Afais, CKU_CONTEXT_SPECIFIC is not actually used.

The problem here is that this is not something that's specified in the
standard, and it's not the system existing implementations use.

I think that as far as the interface goes, C_Login(CKU_SO) followed by
C_InitPin() is set in stone as we want to be compatible with what's
already out there.

Rgds
-- 
Pierre OssmanOpenSource-based Thin Client Technology
System Developer Telephone: +46-13-21 46 00
Cendio ABWeb: http://www.cendio.com



Re: [opensc-devel] Unblocking PIN via PKCS#11?

2009-12-03 Thread Viktor TARASOV
Viktor TARASOV wrote:
> Aktiv Co. Aleksey Samsonov wrote:
>> Pierre Ossman:
>>> I think we might have a language barrier here as I'm not quite
>>> following what you're trying to say.
>> Sorry for inconvenience caused.
>>
>>> The basic problem is that none of my PKCS#15 cards have an object for
>>> the PUK (and from what I can tell the PKCS#15 standard doesn't require
>>> them to). This means that we cannot do a C_Login with the PUK
>>> beforehand (as we cannot figure out the reference of the PUK for the
>>> VERIFY operation).
>> Then "alternative scheme" isn't correct in this case. But, I fear for 
>> call sc_pkcs15_unblock_pin if we have a cached SO PIN (if SO PIN != PUK).
>
> Another possible, 'alternative to alternative' scheme is to use C_SetPin()
> in the specific context (after C_Login(CKU_SPECIFIC_CONTEXT)).
>
> So, in CKU_USER_PIN context C_SetPin() is used to change user PIN,
> in CKU_CONTEXT_SPECIFIC it's used to unblock user PIN.
>
> Afais, CKU_CONTEXT_SPECIFIC is not actually used.
Even better,
for C_SetPIN():
- in CKU_USER_PIN context -- change PIN;
- in CKU_SO_PIN context --  set PIN after SOPIN authentication;
- in CKU_SPECIFIC context -- 'one_step_unblock_PIN' or unblock PIN after 
PUK (when PUK != SOPIN) authentication;



-- 
Viktor Tarasov  



Re: [opensc-devel] Unblocking PIN via PKCS#11?

2009-12-03 Thread Viktor TARASOV
Aktiv Co. Aleksey Samsonov wrote:
> Pierre Ossman:
>> I think we might have a language barrier here as I'm not quite
>> following what you're trying to say.
>
> Sorry for inconvenience caused.
>
>> The basic problem is that none of my PKCS#15 cards have an object for
>> the PUK (and from what I can tell the PKCS#15 standard doesn't require
>> them to). This means that we cannot do a C_Login with the PUK
>> beforehand (as we cannot figure out the reference of the PUK for the
>> VERIFY operation).
>
> Then "alternative scheme" isn't correct in this case. But, I fear for 
> call sc_pkcs15_unblock_pin if we have a cached SO PIN (if SO PIN != PUK).

Another possible, 'alternative to alternative' scheme is to use C_SetPin()
in the specific context (after C_Login(CKU_SPECIFIC_CONTEXT)).

So, in CKU_USER_PIN context C_SetPin() is used to change user PIN,
in CKU_CONTEXT_SPECIFIC it's used to unblock user PIN.

Afais, CKU_CONTEXT_SPECIFIC is not actually used.



-- 
Viktor Tarasov  



Re: [opensc-devel] Unblocking PIN via PKCS#11?

2009-12-03 Thread Pierre Ossman
On Thu, 3 Dec 2009 16:29:23 +0300
"Aktiv Co. Aleksey Samsonov"  wrote:

> > The basic problem is that none of my PKCS#15 cards have an object for
> > the PUK (and from what I can tell the PKCS#15 standard doesn't require
> > them to). This means that we cannot do a C_Login with the PUK
> > beforehand (as we cannot figure out the reference of the PUK for the
> > VERIFY operation).
> 
> Then "alternative scheme" isn't correct in this case. But, I fear for 
> call sc_pkcs15_unblock_pin if we have a cached SO PIN (if SO PIN != PUK).

Can that happen when using the API correctly though? PKCS#11 only has
two types of PIN, so SO PIN must be the PUK.

-- 
Pierre OssmanOpenSource-based Thin Client Technology
System Developer Telephone: +46-13-21 46 00
Cendio ABWeb: http://www.cendio.com



Re: [opensc-devel] Unblocking PIN via PKCS#11?

2009-12-03 Thread Aktiv Co. Aleksey Samsonov
Pierre Ossman:
> I think we might have a language barrier here as I'm not quite
> following what you're trying to say.

Sorry for inconvenience caused.

> The basic problem is that none of my PKCS#15 cards have an object for
> the PUK (and from what I can tell the PKCS#15 standard doesn't require
> them to). This means that we cannot do a C_Login with the PUK
> beforehand (as we cannot figure out the reference of the PUK for the
> VERIFY operation).

Then "alternative scheme" isn't correct in this case. But, I fear for 
call sc_pkcs15_unblock_pin if we have a cached SO PIN (if SO PIN != PUK).



Re: [opensc-devel] Unblocking PIN via PKCS#11?

2009-12-03 Thread Pierre Ossman
On Thu, 3 Dec 2009 13:38:43 +0300
"Aktiv Co. Aleksey Samsonov"  wrote:

> Which cards support it? (sc_pkcs15_unblock_pin with "puk" is 
> CKU_SO and "newpin" is pPin) How many of them from the total number 
> working in OpenSC?
> 
> Alternative scheme:
> Reimplement "reset_retry_counter" or "pin_cmd -> SC_PIN_CMD_UNBLOCK" 
> so that it does not use "puk" and "newpin"; it merely sends an APDU with ref_unblock_pin.
> At that time C_Login(..., CKU_SO, ...); C_InitPIN(..., "", 0) -> 
> sc_pkcs15_unblock_pin(..., NULL, 0, "", 0);
> But, I don't like misuse of the C_InitPIN concept.

I think we might have a language barrier here as I'm not quite
following what you're trying to say.

The basic problem is that none of my PKCS#15 cards have an object for
the PUK (and from what I can tell the PKCS#15 standard doesn't require
them to). This means that we cannot do a C_Login with the PUK
beforehand (as we cannot figure out the reference of the PUK for the
VERIFY operation).

My patch hacks around this limitation by caching the PUK and sending it
with the RESET RETRY COUNTER operation, where the reference number of
the PUK isn't needed.

As for which cards will support this, it should be the same set as
those "pkcs15-tool --unblock-pin" supports as it should work in the
same way.

Rgds
-- 
Pierre OssmanOpenSource-based Thin Client Technology
System Developer Telephone: +46-13-21 46 00
Cendio ABWeb: http://www.cendio.com
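As an added example (not OpenSC's code and not from any poster in this thread), a constructed C model of the two flows argued over here: C_Login(CKU_SO) caching a value that C_InitPIN replays as the PUK of a RESET RETRY COUNTER, and C_SetPIN dispatching on the logged-in user type as the PKCS#11 v2.20 wording cited elsewhere in the thread requires. The card and slot structures and the pin_* function names are assumptions; the CKR_* values are the real PKCS#11 codes, but no PKCS#11 module or card is involved.

```c
#include <string.h>
/* Constructed model, not OpenSC's code: a PKCS#15 card with a user PIN, a
 * PUK and optionally a separate SO PIN, behind a PKCS#11 slot that caches
 * the C_Login(CKU_SO) value and replays it as the PUK in C_InitPIN. */
#define PIN_MAX 16
enum { CKU_SO = 0, CKU_USER = 1, NOT_LOGGED = -1 };
enum { CKR_OK = 0, CKR_PIN_INCORRECT = 0xa0, CKR_PIN_LEN_RANGE = 0xa2,
       CKR_PIN_LOCKED = 0xa4, CKR_USER_NOT_LOGGED_IN = 0x101,
       CKR_USER_TYPE_INVALID = 0x103 };             /* real PKCS#11 codes */
struct card { char user_pin[PIN_MAX]; int pin_tries;  /* blocked when 0 */
              char puk[PIN_MAX];      int puk_tries;  /* blocked when 0 */
              char so_pin[PIN_MAX]; };                /* "" = no SO object */
struct slot { struct card *card; int logged; char so_cache[PIN_MAX]; };
static int pin_store(char *dst, const char *src)      /* bounded copy */
{
    if (strlen(src) >= PIN_MAX) return CKR_PIN_LEN_RANGE;
    strcpy(dst, src); return CKR_OK;
}

/* Card-level RESET RETRY COUNTER: a wrong PUK costs a PUK retry. */
static int reset_retry_counter(struct card *c, const char *puk, const char *newpin)
{
    if (c->puk_tries == 0) return CKR_PIN_LOCKED;
    if (strcmp(puk, c->puk) != 0) { c->puk_tries--; return CKR_PIN_INCORRECT; }
    c->pin_tries = 3; return pin_store(c->user_pin, newpin);
}

/* C_Login: user PIN is VERIFYed on the card. With no SO auth object the SO
 * value is only cached, so a wrong PUK surfaces at C_InitPIN as a PUK retry. */
int pin_login(struct slot *s, int user, const char *pin)
{
    struct card *c = s->card;
    if (user == CKU_USER) {
        if (c->pin_tries == 0) return CKR_PIN_LOCKED;
        if (strcmp(pin, c->user_pin) != 0) { c->pin_tries--; return CKR_PIN_INCORRECT; }
    } else if (user == CKU_SO) {
        if (c->so_pin[0] && strcmp(pin, c->so_pin) != 0) return CKR_PIN_INCORRECT;
        if (pin_store(s->so_cache, pin) != CKR_OK) return CKR_PIN_LEN_RANGE;
    } else return CKR_USER_TYPE_INVALID;
    s->logged = user; return CKR_OK;
}

/* C_InitPIN as the unblock path: the cache is sent as the PUK only when the
 * card has no separate SO PIN, so an SO PIN != PUK never burns a PUK retry. */
int pin_init(struct slot *s, const char *newpin)
{
    if (s->logged != CKU_SO) return CKR_USER_NOT_LOGGED_IN;
    if (s->card->so_pin[0]) return CKR_USER_TYPE_INVALID;
    return reset_retry_counter(s->card, s->so_cache, newpin);
}

/* C_SetPIN (PKCS#11 v2.20 p. 116): PIN of the logged-in user, else the user
 * PIN. User type is checked; with no SO object the PUK stands in as SO PIN. */
int pin_set(struct slot *s, const char *oldpin, const char *newpin)
{
    struct card *c = s->card;
    char *target = s->logged == CKU_SO ? (c->so_pin[0] ? c->so_pin : c->puk) : c->user_pin;
    if (strcmp(oldpin, target) != 0) return CKR_PIN_INCORRECT;
    return pin_store(target, newpin);
}
```

The refusal in pin_init for a card with its own SO PIN is a modelling choice taken from the concern raised in the thread, not a rule from the PKCS#11 text.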



Re: [opensc-devel] SCardConnect(), dwPreferredProtocols and detecting Pinpad

2009-12-03 Thread Viktor TARASOV
Martin Paljak wrote:
> On 03.12.2009, at 11:57, Viktor TARASOV wrote:
>
>> Hi,
>>
>> for me, PinPad is not detected with dwPreferredProtocols=0
>> in the preceding SCardConnect() call (src/libopensc/reader-pcsc.c +917).
>>
>> With dwPreferredProtocols=SCARD_PROTOCOL_ANY it's detected normally.
>>
>> Is it a question of the version of PCSC (1.4.3-16) or CCID (1.3.0-15)?
>>
> It was fixed in pcsc-lite v1.5.5. Probably for a while the __APPLE__ ifdef 
> can be extended to #ifndef _WIN32.

I'll do it.

>> By the way, in pcsc_connect() the SCardConnect() procedure is called 
>> with SCARD_PROTOCOL_ANY
>> (src/libopensc/reader-pcsc.c +523).
>>
> Does it generate problems?
>
No.
Sorry, the comparison is not valid: in these two cases there are different 
SCARD_SHARE modes.


-- 
Viktor Tarasov  



Re: [opensc-devel] Unblocking PIN via PKCS#11?

2009-12-03 Thread Aktiv Co. Aleksey Samsonov
Pierre Ossman:
> On Wed, 2 Dec 2009 12:48:56 +0300
> "Aktiv Co. Aleksey Samsonov"  wrote:
>> Pierre Ossman:
>>> I've had another look at this and implemented a somewhat ugly hack to
>>> provide this functionality. Basically C_Login will return success for
>>> CKU_SO if it can't find an auth object and then rely on the PIN cache
>>> in C_InitPIN.
>>>
>>> Comment away!
>> Please see:
>> http://www.opensc-project.org/pipermail/opensc-devel/2009-November/012894.html
>> http://www.opensc-project.org/pipermail/opensc-devel/2009-November/012891.html
>>
>
> I see. Does anyone have any comments on the general principle though
> before I start putting time into updating to trunk?

 > +/* This assumes that either:
 > + * (a) We have a cached SO PIN
 > + * (b) We have previously logged in as CKU_SO and the card
 > + * will therefore accept the unblock request. */
 > +rc = sc_pkcs15_unblock_pin(fw_data->p15_card, pin,
 > +   slot_data->pin[CKU_SO].value,
 > +   slot_data->pin[CKU_SO].len,
 > +   pPin, ulPinLen);
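Review bot: the call passes `slot_data->pin[CKU_SO].value` and `slot_data->pin[CKU_SO].len` as the PUK unconditionally, but nothing in the hunk checks that the CKU_SO cache is actually populated, so in case (b) of the comment (logged in as CKU_SO, nothing cached) a zero-length buffer is sent as the PUK, and on a card whose SO PIN is distinct from the PUK the cached SO PIN is replayed against the PUK retry counter. Suggest checking `slot_data->pin[CKU_SO].len` before the call (passing NULL, 0 explicitly when the cache is empty) and extending the comment to state that the cached value is assumed to be the PUK.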

Which cards support it? (sc_pkcs15_unblock_pin with "puk" is 
CKU_SO and "newpin" is pPin) How many of them from the total number 
working in OpenSC?

Alternative scheme:
Reimplement "reset_retry_counter" or "pin_cmd -> SC_PIN_CMD_UNBLOCK" 
so that it does not use "puk" and "newpin"; it merely sends an APDU with ref_unblock_pin.
At that time C_Login(..., CKU_SO, ...); C_InitPIN(..., "", 0) -> 
sc_pkcs15_unblock_pin(..., NULL, 0, "", 0);
But, I don't like misuse of the C_InitPIN concept.


Re: [opensc-devel] SCardConnect(), dwPreferredProtocols and detecting Pinpad

2009-12-03 Thread Martin Paljak
On 03.12.2009, at 11:57, Viktor TARASOV wrote:

> Hi,
> 
> for me, PinPad is not detected with dwPreferredProtocols=0
> in the preceding SCardConnect() call (src/libopensc/reader-pcsc.c +917).
> 
> With dwPreferredProtocols=SCARD_PROTOCOL_ANY it's detected normally.
> 
> Is it a question of the version of PCSC (1.4.3-16) or CCID (1.3.0-15)?
It was fixed in pcsc-lite v1.5.5. Probably for a while the __APPLE__ ifdef can 
be extended to #ifndef _WIN32.



> By the way, in pcsc_connect() the SCardConnect() procedure is called 
> with SCARD_PROTOCOL_ANY
> (src/libopensc/reader-pcsc.c +523).
Does it generate problems?

-- 
Martin Paljak
http://martin.paljak.pri.ee
+372.515.6495






[opensc-devel] SCardConnect(), dwPreferredProtocols and detecting Pinpad

2009-12-03 Thread Viktor TARASOV
Hi,

for me, PinPad is not detected with dwPreferredProtocols=0
in the preceding SCardConnect() call (src/libopensc/reader-pcsc.c +917).

With dwPreferredProtocols=SCARD_PROTOCOL_ANY it's detected normally.

Is it a question of the version of PCSC (1.4.3-16) or CCID (1.3.0-15)?

By the way, in pcsc_connect() the SCardConnect() procedure is called 
with SCARD_PROTOCOL_ANY
(src/libopensc/reader-pcsc.c +523).

Kind wishes,
Viktor Tarasov.


-- 
Viktor Tarasov  



Re: [opensc-devel] pam_pkcs11 & CFK_LOGIN_REQUIRED

2009-12-03 Thread Ludovic Rousseau
2009/12/2 Oleg Smirnov :
> Hi!
>
>  pam_pkcs11 doesn't work with cards with no PIN installed. It tries to
> C_Login() whenever PIN is really needed and fails with "C_Login()
> failed: 0x0102".
>
>  I've made a patch which corrects this behavior:
>
>  * implements get_slot_login_required() function which checks whether
> current slot requires login
>  * makes pam_pkcs11 ask for PIN only if it is needed

Committed in revision 379.
http://www.opensc-project.org/pam_pkcs11/changeset/379

Thanks

-- 
 Dr. Ludovic Rousseau