[opensc-devel] build fatal
Hello,

I can't build opensc anymore; I get this failure:

Cannot export sc_der_clear: symbol not defined

Should I remove « sc_der_clear » from the libopensc.exports list?

Any objections?

François.

___
opensc-devel mailing list
opensc-devel@lists.opensc-project.org
http://www.opensc-project.org/mailman/listinfo/opensc-devel
Re: [opensc-devel] Sending a message: nsis_setup.patch.tar.gz
Looks great.
Unfortunately there is a bug opened in nsis that forbids running on 64bit, so I cannot test it.
You can commit it if you like to maintain this...

Few notes:

1. +if [ "${BUILD_FOR_WINDOWS}" = "1" ]; then
   should be:
   [ -n "${BUILD_FOR_WINDOWS}" ] && nsis
2. Why do we need the .in file? Can't makensis accept variables from the cmdline?
3. Can you please put all nsis related files in nsis/ directory or similar?
4. Don't you like to install the csp?

Thanks!

On Wed, Feb 10, 2010 at 2:07 PM, François Leblanc wrote:
> Alon,
>
> What do you think about this patch to create installable release.
>
> Something like this can be ok?
>
> (I don't have makensis on my linux development server but I have it on my
> windows client and I run it on script generated and get it working.)
>
> Regards,
> François.
Re: [opensc-devel] MyeID card in OpenSC
Hello Toni,

Aventra development wrote:
> Our MyEID card works in our environment and we have some customers who use
> it with OpenSC. We use pcsc-lite. I'm sorry that we haven't had time to
> investigate the problems that you Andreas had with the card.
>
> Our plan is to also support PKCS#15 init, but with lack of time and
> understanding of how the init works, we have not been able to completely
> implement the init functionality. Many of the other card types have separate
> tools for initializing the cards, and this is perhaps something we have to
> go for too.
>
> One issue you Andreas might have is with the send and receive size, since
> the card is a T=1 protocol card while many others are T=0. Look here for more
> information: http://www.opensc-project.org/opensc/wiki/MyEID (Smart card
> reader configuration).

The pkcs15init has been changed recently, and will change more.
It would be nice if you could send me a couple of MyEID cards and, if possible, the card specification, so that I could do, at least, the non-regression tests for your card and help you with the pkcs15init support of your card.

> Kind regards,
>
> Toni Sjöblom
> Aventra Ltd.

Kind wishes,
Viktor Tarasov.

>> -----Original Message-----
>> From: Martin Paljak [mailto:martin.pal...@gmail.com] On Behalf Of Martin Paljak
>> Sent: 1 February 2010 15:57
>> To: Viktor TARASOV
>> Cc: Aventra development; opensc-devel (opensc-devel)
>> Subject: MyeID card in OpenSC
>>
>> Hello.
>>
>> On Feb 1, 2010, at 15:07 , Viktor TARASOV wrote:
>>> actually this card is the only one that partly uses the Old pkcs15init API.
>>
>> This card was added just recently (September 2009) so there should not be many
>> (if any) public users and the developer should be reachable (added to Cc just
>> in case).
>>
>>> I would like to migrate it to the New API.
>>
>> I suggest to make a best effort try and if it fails, it will be reported.
>>
>> --
>> Martin Paljak
>> http://martin.paljak.pri.ee
>> +3725156495

--
Viktor Tarasov
[opensc-devel] Sending a message: nsis_setup.patch.tar.gz
Alon,

What do you think about this patch to create installable release.

Something like this can be ok?

(I don't have makensis on my linux development server but I have it on my windows client and I run it on script generated and get it working.)

Regards,
François.

nsis-setup.patch.tar.gz
Description: GNU Zip compressed data
Re: [opensc-devel] MyeID card in OpenSC
Hello all,

Our MyEID card works in our environment and we have some customers who use it with OpenSC. We use pcsc-lite. I'm sorry that we haven't had time to investigate the problems that you Andreas had with the card.

Our plan is to also support PKCS#15 init, but with lack of time and understanding of how the init works, we have not been able to completely implement the init functionality. Many of the other card types have separate tools for initializing the cards, and this is perhaps something we have to go for too.

One issue you Andreas might have is with the send and receive size, since the card is a T=1 protocol card while many others are T=0. Look here for more information: http://www.opensc-project.org/opensc/wiki/MyEID (Smart card reader configuration).

Kind regards,

Toni Sjöblom
Aventra Ltd.

> -----Original Message-----
> From: Martin Paljak [mailto:martin.pal...@gmail.com] On Behalf Of Martin Paljak
> Sent: 1 February 2010 15:57
> To: Viktor TARASOV
> Cc: Aventra development; opensc-devel (opensc-devel)
> Subject: MyeID card in OpenSC
>
> Hello.
>
> On Feb 1, 2010, at 15:07 , Viktor TARASOV wrote:
> > actually this card is the only one that partly uses the Old pkcs15init API.
>
> This card was added just recently (September 2009) so there should not be many
> (if any) public users and the developer should be reachable (added to Cc just
> in case).
>
> > I would like to migrate it to the New API.
>
> I suggest to make a best effort try and if it fails, it will be reported.
>
> --
> Martin Paljak
> http://martin.paljak.pri.ee
> +3725156495
Re: [opensc-devel] PIN cache issue
Hi Martin, Viktor TARASOV wrote: Martin Paljak wrote: On Feb 3, 2010, at 18:41 , Viktor TARASOV wrote: Maybe pin cache should be attached not to 'pkcs15_card', but to the PIN 'pkcs15_object' ? In object info there are path, reference, flags, ... Why not. If objects get destroyed and don't leak it would probably be as good. What would you say about pincache as a der-value of the pkcs15 PIN object? So that, to the existing API to access pkcs15 objects can be used to access pincache. If no objections, I'll commit the final patch proposal for the libopensc part. I've tested it in conjunction with another proposal, that replaces static keycache in the pkcs15init part (keycache is not needed in pkcs11). This second one is a little bit voluminous -- it contains the changes to the internal pkcs15init API, discussed in http://www.opensc-project.org/pipermail/opensc-devel/2010-February/013254.html Together these two patches have been tested with Oberthur, CardOS ans SetCOS. I'll wait for more cards to test, before submitting the second one. Kind wishes, Viktor. -- Viktor Tarasov Index: src/libopensc/pkcs15-pin.c === --- src/libopensc/pkcs15-pin.c (révision 4012) +++ src/libopensc/pkcs15-pin.c (copie de travail) @@ -204,16 +204,17 @@ */ int sc_pkcs15_verify_pin(struct sc_pkcs15_card *p15card, struct sc_pkcs15_pin_info *pin, -const u8 *pincode, size_t pinlen) +const unsigned char *pincode, size_t pinlen) { int r; sc_card_t *card; struct sc_pin_cmd_data data; SC_FUNC_CALLED(p15card->card->ctx, 2); - if ((r = _validate_pin(p15card, pin, pinlen)) != SC_SUCCESS) - return r; + r = _validate_pin(p15card, pin, pinlen); + SC_TEST_RET(card->ctx, r, "PIN value do not conforms the PIN policy"); + card = p15card->card; r = sc_lock(card); 
@@ -464,59 +465,53 @@ free(pin); } + /* Add a PIN to the PIN cache related to the card. Some operations can trigger re-authentication later. */ static void sc_pkcs15_pincache_add(struct sc_pkcs15_card *p15card, struct sc_pkcs15_pin_info *pininfo, const u8 *pin, size_t pinlen) { - int i; - sc_pkcs15_pincache_entry_t *entry; - sc_pkcs15_object_t *obj; + struct sc_context *ctx = p15card->card->ctx; + struct sc_pkcs15_object *obj = NULL; + int r; - SC_FUNC_CALLED(p15card->card->ctx, 2); + SC_FUNC_CALLED(ctx, 2); if (!p15card->opts.use_pin_cache) return; + r = sc_pkcs15_find_pin_by_reference(p15card, NULL, pininfo->reference, &obj); + if (r < 0) { + sc_debug(ctx, "PIN with reference 0x%X not found", pininfo->reference); + return; + } + /* Is it a user consent protecting PIN ? */ - if (sc_pkcs15_find_prkey_by_reference(p15card, NULL, pininfo->reference, &obj) == SC_SUCCESS) { - if (obj->user_consent) { - sc_debug(p15card->card->ctx, "Not caching userconsent related PIN"); - return; - } + if (obj->user_consent) { + sc_debug(ctx, "Cache is not supported for the PIN related to 'user consent'"); + return; } - for (i=0; ipin_cache[i] == NULL) { - entry = (sc_pkcs15_pincache_entry_t *) sc_mem_alloc_secure(sizeof(sc_pkcs15_pincache_entry_t)); - if (!entry) - return; - memcpy(&entry->id, &pininfo->auth_id, sizeof(sc_pkcs15_id_t)); - memcpy(&entry->pin, pin, pinlen); - entry->len = pinlen; - entry->counter = 0; - p15card->pin_cache[i] = entry; - return; - } else { /* Update the existing PIN */ - sc_pkcs15_pincache_entry_t *entry = p15card->pin_cache[i]; - if (sc_pkcs15_compare_id(&entry->id, &pininfo->auth_id)) { - memcpy(&entry->pin, pin, pinlen); - entry->len = pinlen; - entry->counter = 0; - return; - } - - } - } + r = sc_pkcs15_allocate_object_content(obj, pin, pinlen); + if (r != SC_SUCCESS) { + sc_debug(ctx, "Failed to allocate object content"); + return; + } + + obj->usage_counter = 0; + sc_debug(ctx, "PIN(type:%X,reference:%X) cached", pininfo->type, pininfo->reference); 
+ } + /* Validate the PIN code associated with an object */ -int sc_pkcs15_pincache_revalidate(struct sc_pkcs15_card *p15card, const sc_pkcs15_object_t *obj)
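Review bot: In the first hunk (sc_pkcs15_verify_pin), the added SC_TEST_RET(card->ctx, r, ...) uses card before the next added line assigns card = p15card->card, so the macro is handed an uninitialized pointer on the PIN verification path. Pass p15card->card->ctx, as the SC_FUNC_CALLED line just above does, or move the assignment ahead of the _validate_pin call. The message would also read better as "PIN value does not conform to the PIN policy".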
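Review bot: In the second hunk (sc_pkcs15_pincache_add), the removed code kept the cached PIN in memory obtained from sc_mem_alloc_secure, while the new code hands it to sc_pkcs15_allocate_object_content(obj, pin, pinlen), and nothing in the hunk shows that the object content is allocated the same way or wiped when it is replaced or freed. Since this buffer holds the clear-text PIN, please confirm that or add a comment saying why it is not needed. The user-consent test also changes meaning: it used to look at the private key found by sc_pkcs15_find_prkey_by_reference and now looks at obj->user_consent on the PIN object, so it is worth stating where that flag gets set on PIN objects; if it never is, user-consent PINs will start being cached.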
[opensc-devel] current ubuntu situation
all packages except openct and opensc: up to date. nice.

opensc: old 0.11.9 package, without the important starcos fix, so I hope they can update this soon. I opened a bug for it.

openct: totally outdated and broken (not migrated from hal to udev). won't work except for serial readers.

for openct the current debian package is broken too, as they didn't fix it either. patches for all bugs and build changes are available, as well as prepared "0.6.19-0" package I build myself, so it should be easy for them to add the fixes.

If you know how to make sure that these bugs are fixed before the next release: help is very welcome!

https://bugs.launchpad.net/ubuntu/+source/opensc/+bug/519711
https://bugs.launchpad.net/ubuntu/+source/openct/+bug/519713

Regards, Andreas
Re: [opensc-devel] change attributes?
Andreas Jellinghaus wrote:
> I didn't even know opensc could do that.
> we got a bug about this not working:
> pkcs15-init -A pubkey --id 45 --label 'Monkey Man' --verbose --verbose

'For me it works' in trunk with Oberthur and CardOS cards.
For a while, I have no cflex to test.

> details in the bug report:
> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=505598
>
> all debian bug reports:
> http://bugs.debian.org/cgi-bin/pkgreport.cgi?repeatmerged=no&src=opensc
>
> I didn't even know those bugs existed, some even have patches or are
> small issues that can be easily fixed.
>
> so if you have some time, it would be nice to help to test/verify/fix
> these issues.
>
> Regards, Andreas

Kind wishes,
Viktor.

--
Viktor Tarasov
Re: [opensc-devel] mozilla / opensc and pins for lawfull signatures
On Feb 10, 2010, at 10:34 , Andreas Jellinghaus wrote:
> i.e. are we missing some flag, or is firefox doing the wrong
> thing (so we can reassign that bug to whoever might be able
> to fix firefox)?

It is a feature/bug of Firefox.
https://bugzilla.mozilla.org/show_bug.cgi?id=511652

--
Martin Paljak
http://martin.paljak.pri.ee
+3725156495
Re: [opensc-devel] mozilla / opensc and pins for lawfull signatures
On Wednesday 10 February 2010 09:19:08, Viktor TARASOV wrote:
> Actually, OpenSC/pkcs11 creates a slot for every non-sopin PIN (and, in
> current trunk, non-unblocking PIN).
> Afais, in 'fineid' card there are two PINs: UserPIN and SignPIN.
> Mozilla will ask to login into the every available slot.

thought so. but isn't there some flag we set for those lawful signature pins? nonrepudiation or something like that?

could mozilla/firefox use such a flag to decide to not login into that slot?

i.e. are we missing some flag, or is firefox doing the wrong thing (so we can reassign that bug to whoever might be able to fix firefox)?

Regards, Andreas
Re: [opensc-devel] mozilla / opensc and pins for lawfull signatures
On Feb 10, 2010, at 10:19 , Viktor TARASOV wrote:
>
> I don't see 'fineid' in the current OpenSC sources.

http://www.opensc-project.org/opensc/wiki/FinnishEid

--
Martin Paljak
http://martin.paljak.pri.ee
+3725156495
Re: [opensc-devel] mozilla / opensc and pins for lawfull signatures
On Feb 10, 2010, at 10:09 , Andreas Jellinghaus wrote:
> a user reports that mozilla asks for his pin for lawful signatures.
>
> not sure if this is an opensc bug or a firefox/mozilla problem.
>
> if anyone knows this complex, can you check if the fineid driver
> is doing the right thing?
>
> here is the bug report:
> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=410025

1. mozilla-opensc (the signer package) should be deprecated and not used.
2. it is a "feature" of Firefox to ask all the PINs of all tokens installed before reading the certificates. ("friendly certs" feature of NSS)

--
Martin Paljak
http://martin.paljak.pri.ee
+3725156495
Re: [opensc-devel] mozilla / opensc and pins for lawfull signatures
Andreas Jellinghaus wrote:
> a user reports that mozilla asks for his pin for lawful signatures.
>
> not sure if this is an opensc bug or a firefox/mozilla problem.
>
> if anyone knows this complex, can you check if the fineid driver
> is doing the right thing?

Actually, OpenSC/pkcs11 creates a slot for every non-sopin PIN (and, in current trunk, non-unblocking PIN).
Afais, in 'fineid' card there are two PINs: UserPIN and SignPIN.
Mozilla will ask to login into the every available slot.

I don't see 'fineid' in the current OpenSC sources.

> here is the bug report:
> http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=410025
>
> Regards, Andreas

Regards,
Viktor.

--
Viktor Tarasov
[opensc-devel] mozilla / opensc and pins for lawfull signatures
a user reports that mozilla asks for his pin for lawful signatures.

not sure if this is an opensc bug or a firefox/mozilla problem.

if anyone knows this complex, can you check if the fineid driver is doing the right thing?

here is the bug report:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=410025

Regards, Andreas