Re: [opensc-devel] Feitian ePass+SCR301 problem

2010-05-21 Thread Viktor TARASOV
Jan Just Keijser wrote:
 Jean-Michel Pouré - GOOZE wrote:
 On Thu, 2010-05-20 at 12:35 +0200, Jan Just Keijser wrote:
 At this point I downloaded and built opensc-0.11.13

 As explained in the tutorial, you must build OpenSC from SVN version:
 http://www.gooze.eu/howto/smartcard-quickstarter-guide/installing-from-sources

 This will fix your problems.

 I just did a
   svn co http://www.opensc-project.org/svn/opensc/trunk opensc
   cd opensc
   ./bootstrap
   ./configure --enable-pcsc --prefix=/user/janjust/local/feitian 
 --with-pcsc-provider=/usr/lib64/libpcsclite.so.1
   make
   make install
 then

 $ ./openssl
 OpenSSL> engine dynamic -pre 
 SO_PATH:/user/janjust/local/feitian/lib/engine_pkcs11.so -pre ID:pkcs11 
 -pre LIST_ADD:1 -pre LOAD -pre 
 MODULE_PATH:/user/janjust/local/feitian/lib/opensc-pkcs11.so
 (dynamic) Dynamic engine loading support
 [Success]: SO_PATH:/user/janjust/local/feitian/lib/engine_pkcs11.so
 [Success]: ID:pkcs11
 [Success]: LIST_ADD:1
 [Success]: LOAD
 [Success]: MODULE_PATH:/user/janjust/local/feitian/lib/opensc-pkcs11.so
 Loaded: (pkcs11) pkcs11 engine
 OpenSSL> req -engine pkcs11 -new -key slot_1-id_6606 -keyform engine 
 -x509 -out cert.pem -text
 engine pkcs11 set.
 PKCS#11 token PIN:
 You are about to be asked to enter information that will be incorporated
 into your certificate request.
 What you are about to enter is what is called a Distinguished Name or a DN.
 There are quite a few fields but you can leave some blank
 For some fields there will be a default value,
 If you enter '.', the field will be left blank.
 -
 Country Name (2 letter code) [GB]:
 State or Province Name (full name) [Berkshire]:
 Locality Name (eg, city) [Newbury]:
 Organization Name (eg, company) [My Company Ltd]:
 Organizational Unit Name (eg, section) []:
 Common Name (eg, your name or your server's hostname) []:
 Email Address []:
 28400:error:8000A005:PKCS11 library:PKCS11_rsa_sign:General 
 Error:p11_ops.c:131:
 28400:error:0D0C3006:asn1 encoding routines:ASN1_item_sign:EVP 
 lib:a_sign.c:276:
 error in req
 OpenSSL> quit


 in other words: same error.
 See
   http://www.nikhef.nl/~janjust/feitian/opensc-debug.log-20100520
 for the full log
   

The following sequence works for me:

# pkcs15-init -E
# pkcs15-init --profile pkcs15+onepin -C --label IDX-SCM --pin 
99 --puk 88
# pkcs15-init -G rsa1024 -l Generated -a 53434d --pin 99 -u 
sign,decrypt
# pkcs11-tool --module ./build/lib/opensc-pkcs11.so --slot 1 --sign 
--input-file ./data_128_bytes.bin --output-file ./data.signed


You can send here full logs of such session, I'll try to compare.

Kind wishes,
Viktor.


 ___
 opensc-devel mailing list
 opensc-devel@lists.opensc-project.org
 http://www.opensc-project.org/mailman/listinfo/opensc-devel

   


-- 
Viktor Tarasov  viktor.tara...@opentrust.com



Re: [opensc-devel] Feitian ePass+SCR301 problem

2010-05-21 Thread Jan Just Keijser
Douglas E. Engert wrote:
 After  looking at your
 http://www.nikhef.nl/~janjust/feitian/opensc-debug.log-20100520
 and reading these mails again, this does not look like a reader or pcsc
 problem.  You were not able to write your Globus key to the card,
 and were not able to generate a key on the card.
I get the exact same problem with both the Feitian SCR301 reader and 
with the Omnikey reader - this suggests that it's the card itself, not 
the card reader indeed.

 In http://www.nikhef.nl/~janjust/feitian/opensc-debug.log-20100520
 it fails trying to use a key that is not on the card, or is not valid.
  69 84 is iso7816.c:102:iso7816_check_sw: Referenced data invalidated

 So the traces to send to the list are:
write an existing key to the card
generate a key on the card.

 Is the card capable of using 2048 bit key?
The Gooze tutorial suggests that it is possible. With the latest pcsc 
driver from Ludovic I was able to verify this. I was unable to run the 
newest pcsc driver on my CentOS machine though.
 What size  was the Globus key?
1024 bits

 Jan Just Keijser wrote:
 hi all,

 a new attempt, this time with the Omnikey reader that Jean-Michel so 
 kindly sent me (thanks again!). This time I attached the card reader 
 to a CentOS 5 box which has
 - openssl 0.9.8e
 - opensc 0.11.9
 - pcsc-1.4.102
 Later on I added opensc 0.11.13 (read below)

 I started out with the gooze tutorial again
   http://www.gooze.eu/howto/smartcard-quickstarter-guide

 ardeche [janjust]  pkcs15-init -E
 Using reader with a card: OmniKey CardMan 3121 00 00

 ardeche [janjust]  pkcs15-init --create-pkcs15 --profile 
 pkcs15+onepin --use-default-transport-key --pin 123456 --puk 11 
 --label janjust
 Using reader with a card: OmniKey CardMan 3121 00 00

 ardeche [janjust]   pkcs15-init --store-certificate 
 ~/.globus/usercert.pem --auth-id 01 --id 123456 --format pem
 Using reader with a card: OmniKey CardMan 3121 00 00
 User PIN required.
 Please enter User PIN:
 User PIN required.
 Please enter User PIN:

 ardeche [janjust]  pkcs15-init --store-private-key 
 ~/.globus/userkey.pem --auth-id 01 --id 123456 --format pem
 Using reader with a card: OmniKey CardMan 3121 00 00
 Please enter passphrase to unlock secret key:
 User PIN required.
 Please enter User PIN:
 pkcs15-init: card-entersafe.c:1047: entersafe_encode_bignum: 
 Assertion `0' failed.
 Aborted


 At this point I downloaded and built opensc-0.11.13 like this:

 ardeche [janjust]  head -10 config.log
 This file contains any messages produced by compilers while
 running configure, to aid debugging if configure makes a mistake.

 It was created by opensc configure 0.11.13, which was
 generated by GNU Autoconf 2.64.  Invocation command line was

   $ ./configure --enable-pcsc --prefix=/user/janjust/local/feitian


 After the build and install I continued:

 ardeche [janjust]  ./pkcs15-init --generate-key rsa/2048 --auth-id 01
 Using reader with a card: OmniKey CardMan 3121 00 00
 User PIN required.
 Please enter User PIN:
 [pkcs15-init] reader-pcsc.c:239:pcsc_transmit: unable to transmit
 [pkcs15-init] apdu.c:394:do_single_transmit: unable to transmit APDU
 [pkcs15-init] card-entersafe.c:371:entersafe_transmit_apdu: returning 
 with: Transmit failed
 [pkcs15-init] card-entersafe.c:1321:entersafe_gen_key: APDU transmit 
 failed: Transmit failed
 [pkcs15-init] card.c:678:sc_card_ctl: returning with: Transmit failed
 [pkcs15-init] pkcs15-entersafe.c:391:entersafe_generate_key: 
 EnterSafe generate RSA key pair failed: Transmit failed
 Failed to generate key: Transmit failed

 this still fails, but that might be related to the older pcsc-lite 
 version...

 ardeche [janjust]  ./pkcs15-init --store-private-key 
 ~/.globus/userkey.pem --auth-id 01 --id 123456 --format pem
 Using reader with a card: OmniKey CardMan 3121 00 00
 Please enter passphrase to unlock secret key:
 User PIN required.
 Please enter User PIN:
 pkcs15-init: card-entersafe.c:1047: entersafe_encode_bignum: 
 Assertion `0' failed.
 Aborted

 So I commented out 'assert(0)' in card-entersafe.c:

 ardeche [janjust]  ./pkcs15-init --store-private-key 
 ~/.globus/userkey.pem --auth-id 01 --id 123456 --format pem
 Using reader with a card: OmniKey CardMan 3121 00 00
 Please enter passphrase to unlock secret key:
 User PIN required.
 Please enter User PIN:
 User PIN required.
 Please enter User PIN:
 User PIN required.
 Please enter User PIN:
 User PIN required.
 Please enter User PIN:

 I had to enter the PIN 4 times, but OK:

 ardeche [janjust]  ./pkcs15-tool --dump
 Using reader with a card: OmniKey CardMan 3121 00 00
 PKCS#15 Card [janjust]:
 Version: 1
 Serial number  : 3092541116010310
 Manufacturer ID: EnterSafe
 Last update: 20100520100048Z
 Flags  : EID compliant

 PIN [User PIN]
 Com. Flags: 0x3
 ID: 01
 Flags : [0x30], initialized, needs-padding
 Length: min_len:4, 

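The status word Douglas Engert points at above (69 84, which OpenSC reports as "Referenced data invalidated") is the first thing to pull out of an opensc-debug.log when a sign or store operation fails. The following Python is an added example, not code from OpenSC or from anyone in this thread: it decodes ISO 7816-4 status words and scans a log for the SW1 SW2 of every card response, so the first non-9000 answer is found without reading the whole trace by hand. The log excerpt it runs on is constructed to resemble OpenSC's APDU hex-dump trace; the real layout of your version may differ, so check the header regex against your own log.

```python
"""Decode ISO 7816-4 status words (SW1 SW2) out of an OpenSC debug log.

Added example, not code from OpenSC or from anyone on this thread.
SAMPLE_LOG is constructed to resemble OpenSC's APDU trace (the real
trace layout may differ); the status-word table follows ISO 7816-4.
"""
import re

# Well-known SW1SW2 values (ISO 7816-4).  OpenSC's iso7816_check_sw()
# prints comparable strings, e.g. 6984 -> "Referenced data invalidated".
SW_TABLE = {
    0x9000: "Normal processing",
    0x6700: "Wrong length",
    0x6982: "Security status not satisfied (PIN not verified?)",
    0x6983: "Authentication method blocked",
    0x6984: "Referenced data invalidated",
    0x6985: "Conditions of use not satisfied",
    0x6986: "Command not allowed (no current EF)",
    0x6A80: "Incorrect parameters in the data field",
    0x6A82: "File not found",
    0x6A86: "Incorrect parameters P1-P2",
    0x6A88: "Referenced data not found",
    0x6B00: "Wrong parameters P1-P2",
    0x6D00: "Instruction code not supported",
    0x6E00: "Class not supported",
    0x6F00: "No precise diagnosis",
}


def decode_sw(sw):
    """Return a human-readable meaning for a 16-bit status word."""
    if sw in SW_TABLE:
        return SW_TABLE[sw]
    sw1, sw2 = sw >> 8, sw & 0xFF
    if sw1 == 0x61:
        return "%d response bytes available (GET RESPONSE)" % sw2
    if sw1 == 0x6C:
        return "Wrong Le; correct length is %d" % sw2
    if sw1 == 0x63 and sw2 & 0xF0 == 0xC0:
        return "Verification failed, %d tries remaining" % (sw2 & 0x0F)
    return "Unknown status word %04X" % sw


HEADER = re.compile(r"^(Outgoing|Incoming) APDU data \[\s*(\d+) bytes\]")
HEX_BYTE = re.compile(r"^[0-9A-Fa-f]{2}$")


def apdu_exchanges(log_text):
    """Yield (direction, bytes) for each APDU hex dump in the log."""
    lines = log_text.splitlines()
    i = 0
    while i < len(lines):
        m = HEADER.match(lines[i].strip())
        if not m:
            i += 1
            continue
        direction, expected = m.group(1), int(m.group(2))
        data = []
        i += 1
        # Dump lines carry space-separated hex bytes, then an ASCII column;
        # the byte count from the header tells us where the bytes stop.
        while i < len(lines) and not lines[i].startswith("====") and len(data) < expected:
            for tok in lines[i].split():
                if HEX_BYTE.match(tok) and len(data) < expected:
                    data.append(int(tok, 16))
                else:
                    break  # reached the ASCII column
            i += 1
        yield direction, bytes(data)


def status_words(log_text):
    """Return [(sw, meaning)] for every card response in the log."""
    out = []
    for direction, data in apdu_exchanges(log_text):
        if direction == "Incoming" and len(data) >= 2:
            sw = (data[-2] << 8) | data[-1]  # SW1 SW2 are the last two bytes
            out.append((sw, decode_sw(sw)))
    return out


def first_failure(log_text):
    """The first non-9000 status word in the log, or None if all succeeded."""
    for sw, meaning in status_words(log_text):
        if sw != 0x9000:
            return sw, meaning
    return None


# Constructed excerpt in the style of an OpenSC APDU trace: a SELECT of
# the MF that succeeds, then a PSO:COMPUTE DIGITAL SIGNATURE refused
# with 69 84, the status word seen in the thread.
SAMPLE_LOG = """\
Outgoing APDU data [    7 bytes] =====================================
00 A4 00 00 02 3F 00 ......?.
======================================================================
Incoming APDU data [    2 bytes] =====================================
90 00 ..
======================================================================
Outgoing APDU data [    5 bytes] =====================================
00 2A 9E 9A 80 .*...
======================================================================
Incoming APDU data [    2 bytes] =====================================
69 84 i.
======================================================================
[opensc-pkcs11] iso7816.c:99:iso7816_check_sw: Referenced data invalidated
"""

if __name__ == "__main__":
    for sw, meaning in status_words(SAMPLE_LOG):
        print("%04X  %s" % (sw, meaning))
    print("first failure:", first_failure(SAMPLE_LOG))
```

Run it against a real opensc-debug.log by reading the file into `status_words()`; a 6982 before the failing command usually means the PIN was never verified for that key, while 6984 or 6A88 point at the key reference itself, which is the direction the thread takes.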
Re: [opensc-devel] Feitian ePass+SCR301 problem

2010-05-21 Thread Jan Just Keijser
Viktor TARASOV wrote:
 Jan Just Keijser wrote:
 Jean-Michel Pouré - GOOZE wrote:
 On Thu, 2010-05-20 at 12:35 +0200, Jan Just Keijser wrote:
 At this point I downloaded and built opensc-0.11.13

 As explained in the tutorial, you must build OpenSC from SVN version:
 http://www.gooze.eu/howto/smartcard-quickstarter-guide/installing-from-sources

 This will fix your problems.

 I just did a
   svn co http://www.opensc-project.org/svn/opensc/trunk opensc
   cd opensc
   ./bootstrap
   ./configure --enable-pcsc --prefix=/user/janjust/local/feitian 
 --with-pcsc-provider=/usr/lib64/libpcsclite.so.1
   make
   make install
 then

 $ ./openssl
 OpenSSL> engine dynamic -pre 
 SO_PATH:/user/janjust/local/feitian/lib/engine_pkcs11.so -pre ID:pkcs11 
 -pre LIST_ADD:1 -pre LOAD -pre 
 MODULE_PATH:/user/janjust/local/feitian/lib/opensc-pkcs11.so
 (dynamic) Dynamic engine loading support
 [Success]: SO_PATH:/user/janjust/local/feitian/lib/engine_pkcs11.so
 [Success]: ID:pkcs11
 [Success]: LIST_ADD:1
 [Success]: LOAD
 [Success]: MODULE_PATH:/user/janjust/local/feitian/lib/opensc-pkcs11.so
 Loaded: (pkcs11) pkcs11 engine
 OpenSSL> req -engine pkcs11 -new -key slot_1-id_6606 -keyform engine 
 -x509 -out cert.pem -text
 engine pkcs11 set.
 PKCS#11 token PIN:
 You are about to be asked to enter information that will be incorporated
 into your certificate request.
 What you are about to enter is what is called a Distinguished Name or a DN.
 There are quite a few fields but you can leave some blank
 For some fields there will be a default value,
 If you enter '.', the field will be left blank.
 -
 Country Name (2 letter code) [GB]:
 State or Province Name (full name) [Berkshire]:
 Locality Name (eg, city) [Newbury]:
 Organization Name (eg, company) [My Company Ltd]:
 Organizational Unit Name (eg, section) []:
 Common Name (eg, your name or your server's hostname) []:
 Email Address []:
 28400:error:8000A005:PKCS11 library:PKCS11_rsa_sign:General 
 Error:p11_ops.c:131:
 28400:error:0D0C3006:asn1 encoding routines:ASN1_item_sign:EVP 
 lib:a_sign.c:276:
 error in req
 OpenSSL> quit


 in other words: same error.
 See
   http://www.nikhef.nl/~janjust/feitian/opensc-debug.log-20100520
 for the full log
   
 

 The following sequence works for me:

 # pkcs15-init -E
 # pkcs15-init --profile pkcs15+onepin -C --label IDX-SCM --pin 
 99 --puk 88
 # pkcs15-init -G rsa1024 -l Generated -a 53434d --pin 99 -u 
 sign,decrypt
 # pkcs11-tool --module ./build/lib/opensc-pkcs11.so --slot 1 --sign 
 --input-file ./data_128_bytes.bin --output-file ./data.signed


 You can send here full logs of such session, I'll try to compare.

   

I don't have access to the card readers right now but I will try this on 
tuesday and will report my findings here then.

cheers,

JJK



Re: [opensc-devel] Feitian ePass+SCR301 problem

2010-05-21 Thread Xiaoshuo Wu
On Fri, 07 May 2010 18:36:39 +0800, Jan Just Keijser janj...@nikhef.nl  
wrote:

More information for the Feitian folks: I also tried the driver bundle
from the ftsafe website but it only supports the SCR200 card reader, not
the 301 ; what was/am I doing wrong there?
Thank you for testing Feitian products, AFAIK SCR301 is compliant with  
CCID V1.1, so no proprietary driver needed.




On Thu, 20 May 2010 18:35:13 +0800, Jan Just Keijser janj...@nikhef.nl  
wrote:
[opensc-pkcs11] iso7816.c:99:iso7816_check_sw: Referenced data  
invalidated

[opensc-pkcs11] card-entersafe.c:920:entersafe_compute_with_prkey:
returning with: Card command failed
[opensc-pkcs11] sec.c:53:sc_compute_signature: returning with: Card
command failed
[opensc-pkcs11] pkcs15-sec.c:273:sc_pkcs15_compute_signature:
sc_compute_signature() failed: Card command failed
15127:error:8000A005:PKCS11 library:PKCS11_rsa_sign:General
Error:p11_ops.c:131:
15127:error:0D0C3006:asn1 encoding routines:ASN1_item_sign:EVP
lib:a_sign.c:276:
error in req

this is - again - the error -1200 . The full opensc-debug.log file is
  http://www.nikhef.nl/~janjust/feitian/opensc-debug.log-20100520
I got similar result on my debian 5(engine-pkcs11, pcsclite, pcscd,  
OpenSSL, all distribution version) with OpenSC r4365, here are the  
commands I use:


pkcs15-init -E
pkcs15-init --create-pkcs15 --profile pkcs15+onepin  
--use-default-transport-key --pin 123456 --puk 11 --label janjust

openssl genrsa 2048 > id_rsa.pem
openssl rsa -pubout < id_rsa.pem > id_rsa.pub
pkcs15-init --store-private-key id_rsa.pem --id 45 --auth-id 01 --pin  
123456

openssl
OpenSSL> engine dynamic -pre SO_PATH:/usr/lib/engines/engine_pkcs11.so -pre  
ID:pkcs11 -pre LIST_ADD:1 -pre LOAD -pre  
MODULE_PATH:/usr/local/lib/opensc-pkcs11.so
OpenSSL> req -engine pkcs11 -new -key 45 -keyform engine -x509 -out  
cert.pem -text


Thanks to  
http://www.gooze.eu/howto/smartcard-quickstarter-guide/generating-transferring-and-extracting-x-509-certificates,  
I found -key 45 should be -key slot_X-id_45, where X is the slot  
number you got through pkcs11-tool --list-slots.

Here are the commands that work for me:

OpenSSL> req -engine pkcs11 -new -key slot_1-id_45 -keyform engine -x509  
-out cert.pem -text

OpenSSL> quit
openssl verify -CAfile cert.pem cert.pem
pkcs15-init --store-certificate cert.pem --auth-id 01 --id 123456 --format  
pem


I also attached the log in detail.



On Thu, 20 May 2010 19:50:46 +0800, Jan Just Keijser janj...@nikhef.nl  
wrote:



$ ./openssl
OpenSSL> engine dynamic -pre
SO_PATH:/user/janjust/local/feitian/lib/engine_pkcs11.so -pre ID:pkcs11
-pre LIST_ADD:1 -pre LOAD -pre
MODULE_PATH:/user/janjust/local/feitian/lib/opensc-pkcs11.so
(dynamic) Dynamic engine loading support
[Success]: SO_PATH:/user/janjust/local/feitian/lib/engine_pkcs11.so
[Success]: ID:pkcs11
[Success]: LIST_ADD:1
[Success]: LOAD
[Success]: MODULE_PATH:/user/janjust/local/feitian/lib/opensc-pkcs11.so
Loaded: (pkcs11) pkcs11 engine
OpenSSL> req -engine pkcs11 -new -key slot_1-id_6606 -keyform engine
-x509 -out cert.pem -text
engine pkcs11 set.
PKCS#11 token PIN:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a  
DN.

There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-
Country Name (2 letter code) [GB]:
State or Province Name (full name) [Berkshire]:
Locality Name (eg, city) [Newbury]:
Organization Name (eg, company) [My Company Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:
Email Address []:
28400:error:8000A005:PKCS11 library:PKCS11_rsa_sign:General
Error:p11_ops.c:131:
28400:error:0D0C3006:asn1 encoding routines:ASN1_item_sign:EVP
lib:a_sign.c:276:
error in req
OpenSSL> quit


in other words: same error.
See
  http://www.nikhef.nl/~janjust/feitian/opensc-debug.log-20100520
for the full log
I saw slot_1-id_6606; please run pkcs11-tool --list-slots and  
pkcs15-tool --dump to see whether you have a private key with ID 6606 on the  
card inserted in slot 1.


Regards, Xiaoshuo

[Attachment: log.tar.bz2 (application/bzip2)]

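Xiaoshuo's two findings above, that engine_pkcs11 wants `slot_X-id_Y` rather than a bare `-key 45`, and that the ID in the key reference must actually exist on the card, are both cheap to check before `openssl req` ever prompts for the PIN. The following Python is an added example, not code from OpenSC, engine_pkcs11 or anyone in this thread: it parses the output of `pkcs11-tool --list-slots` and `pkcs15-tool --dump`, refuses to build a key reference for an ID the card does not hold (the 6606 versus 45 situation in the thread), and otherwise returns the `slot_X-id_Y` string and the `openssl req` argument vector. The two tool outputs it parses are constructed to resemble the OpenSC 0.11-era layout; adjust the regular expressions if your version prints the slot or key objects differently.

```python
"""Build the engine_pkcs11 key reference (slot_X-id_Y) and check that the
private key actually exists on the card before calling `openssl req`.

Added example, not code from OpenSC, engine_pkcs11 or anyone on this
thread.  SAMPLE_SLOTS and SAMPLE_DUMP are constructed to resemble
`pkcs11-tool --list-slots` and `pkcs15-tool --dump` output; real output
layout may differ between OpenSC versions, so adapt the regexes.
"""
import re

SLOT_RE = re.compile(r"^Slot\s+(\d+)\s+(.*)$")
TOKEN_LABEL_RE = re.compile(r"^\s+token label\s*:\s*(.*)$")
KEY_HEADER_RE = re.compile(r"^Private (\w+) Key \[(.*)\]$")
FIELD_RE = re.compile(r"^\s+([A-Za-z. ]+?)\s*:\s*(.*)$")


def parse_slots(list_slots_output):
    """Map slot number -> token label, for slots that report a token."""
    slots, current = {}, None
    for line in list_slots_output.splitlines():
        m = SLOT_RE.match(line)
        if m:
            current = int(m.group(1))
            continue
        m = TOKEN_LABEL_RE.match(line)
        if m and current is not None:
            slots[current] = m.group(1).strip()
    return slots


def parse_private_keys(dump_output):
    """Return one dict per private-key object in a pkcs15-tool dump."""
    keys, current = [], None
    for line in dump_output.splitlines():
        m = KEY_HEADER_RE.match(line)
        if m:
            current = {"type": m.group(1), "label": m.group(2)}
            keys.append(current)
            continue
        if not line.strip():
            current = None  # a blank line ends the current object
            continue
        m = FIELD_RE.match(line)
        if m and current is not None:
            current[m.group(1).strip()] = m.group(2).strip()
    return keys


def engine_key_spec(list_slots_output, dump_output, key_id):
    """Return 'slot_X-id_Y' for engine_pkcs11, or raise LookupError.

    A bare '-key 45' is not enough for engine_pkcs11, and a wrong ID
    only fails later, inside the signing call.
    """
    ids = {k.get("ID", "").lower() for k in parse_private_keys(dump_output)}
    if key_id.lower() not in ids:
        raise LookupError("no private key with ID %s on the card (have: %s)"
                          % (key_id, ", ".join(sorted(ids)) or "none"))
    slots = parse_slots(list_slots_output)
    if not slots:
        raise LookupError("no slot reports a token; is the card inserted?")
    return "slot_%d-id_%s" % (min(slots), key_id)  # first slot with a token


def openssl_req_argv(key_spec, out="cert.pem"):
    """argv for the self-signed certificate step with the key reference filled in."""
    return ["openssl", "req", "-engine", "pkcs11", "-new", "-key", key_spec,
            "-keyform", "engine", "-x509", "-out", out, "-text"]


# Constructed sample outputs (labels and IDs taken from the thread).
SAMPLE_SLOTS = """\
Available slots:
Slot 0           OmniKey CardMan 3121 00 00
  (empty)
Slot 1           OmniKey CardMan 3121 00 00
  token label:   janjust (User PIN)
  token manuf:   EnterSafe
  token flags:   login required, PIN initialized, token initialized
"""

SAMPLE_DUMP = """\
PKCS#15 Card [janjust]:
\tVersion        : 1
\tManufacturer ID: EnterSafe

PIN [User PIN]
\tCom. Flags: 0x3
\tID        : 01

Private RSA Key [Private Key]
\tCom. Flags  : 3
\tUsage       : [0x4], sign
\tAccess Flags: [0x1D], sensitive, alwaysSensitive, neverExtract, local
\tModLength   : 2048
\tAuth ID     : 01
\tID          : 45
"""

if __name__ == "__main__":
    spec = engine_key_spec(SAMPLE_SLOTS, SAMPLE_DUMP, "45")
    print(" ".join(openssl_req_argv(spec)))
```

In practice feed the functions the captured stdout of the two OpenSC tools; if `engine_key_spec` raises for the ID you expected, the key was never written (the store step that Douglas Engert could not find in the logs) and no amount of engine configuration will make `openssl req` sign.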
Re: [opensc-devel] Feitian ePass+SCR301 problem

2010-05-21 Thread Xiaoshuo Wu
On Fri, 21 May 2010 02:41:21 +0800, Andreas Jellinghaus  
a...@dungeon.inka.de wrote:

 It would be great if the entersafe driver could be improved
 to the point, where src/test/regression/ test suite works
 with the cards. The test suite provides a very good way for
 us to test many different card features, and make sure new
 versions of opensc still work as good as old cards.

 I think entersafe is still missing some features we need
 to run the test suite. maybe it is possible to improve that?

 Regards, Andreas
I understand; that involves compatibility concerns with our middleware. We  
are trying to close this gap and become more compliant with the standard.

Regards, Xiaoshuo


[opensc-devel] AccessMode in ISO7816-15

2010-05-21 Thread Viktor TARASOV
Hi,

The 'accessMode' bit string, encoded by the native Oberthur middleware 
for the IAS/ECC cards,
can be up to 10 bits long.

In PKCS#15 (v1.1) only three bits are defined for 'accessMode': 'read', 
'update', 'execute'.
The ECC specification (CEN/TS 15480-2:2007) adds one more: 'delete'.

Do you have access to 7816-15? Is its 'accessMode' definition 
identical to the one defined in PKCS#15?

Do you know other specifications that define more of the AccessMode 
operations?

Kind wishes,
Viktor.

-- 

Viktor Tarasov  viktor.tara...@opentrust.com



Re: [opensc-devel] AccessMode in ISO7816-15

2010-05-21 Thread Andreas Schwier (ML)
Hi Viktor,

ISO 7816-15:2004 defines read(0), update(1), execute(2) and delete(3).

Andreas

Viktor TARASOV schrieb:
 Hi,

 The 'accessMode' bit string, encoded by the native Oberthur middleware 
 for the IAS/ECC cards,
 can be up to 10 bits long.

 In PKCS#15 (v1.1) only three bits are defined for 'accessMode': 'read', 
 'update', 'execute'.
 The ECC specification (CEN/TS 15480-2:2007) adds one more: 'delete'.

 Do you have access to 7816-15? Is its 'accessMode' definition 
 identical to the one defined in PKCS#15?

 Do you know other specifications that define more of the AccessMode 
 operations?

 Kind wishes,
 Viktor.

   


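The exchange above pins down the named bits of AccessMode: read(0), update(1), execute(2) from PKCS#15 v1.1, plus delete(3) from ISO 7816-15:2004. The following Python is an added example, not code from OpenSC or from anyone in this thread: it DER-encodes and decodes the AccessMode BIT STRING, mapping bit positions to those four names and reporting any higher position (such as the 10-bit strings Viktor sees from the Oberthur middleware) by number instead of silently dropping it. It also enforces the DER rule that unused trailing bits are zero, which is where a lenient parser lets a malformed ODF entry through.

```python
"""Encode and decode the ISO 7816-15 / PKCS#15 AccessMode BIT STRING.

Added example, not code from OpenSC or from anyone on this thread.
Named bits follow the thread: PKCS#15 v1.1 defines read(0), update(1),
execute(2); ISO 7816-15:2004 adds delete(3).  Positions beyond 3 are
reported as 'bitN' so longer strings are not silently truncated.
"""

ACCESS_MODE_BITS = {0: "read", 1: "update", 2: "execute", 3: "delete"}
BIT_STRING_TAG = 0x03


def encode_access_mode(bits):
    """DER-encode a set of bit positions as a BIT STRING (named-bit form)."""
    if not bits:
        return bytes([BIT_STRING_TAG, 1, 0])  # empty bit string
    nbits = max(bits) + 1                     # DER drops trailing zero bits
    nbytes = (nbits + 7) // 8
    content = bytearray(nbytes)
    for b in bits:
        content[b // 8] |= 0x80 >> (b % 8)    # bit 0 is the MSB of byte 0
    unused = nbytes * 8 - nbits
    return bytes([BIT_STRING_TAG, nbytes + 1, unused]) + bytes(content)


def decode_access_mode(der):
    """Return the names of the set bits ('bitN' for unnamed positions).

    Only short-form lengths are handled, which covers every AccessMode
    value that can occur (a few bytes at most).
    """
    if len(der) < 3 or der[0] != BIT_STRING_TAG:
        raise ValueError("not a BIT STRING")
    length = der[1]
    if length & 0x80 or 2 + length != len(der):
        raise ValueError("bad or unsupported length")
    unused, body = der[2], der[3:]
    if unused > 7 or (not body and unused):
        raise ValueError("invalid unused-bits count")
    if body and body[-1] & ((1 << unused) - 1):
        raise ValueError("unused bits must be zero (DER)")
    names = []
    for byte_index, byte in enumerate(body):
        for bit in range(8):
            if byte & (0x80 >> bit):
                pos = byte_index * 8 + bit
                names.append(ACCESS_MODE_BITS.get(pos, "bit%d" % pos))
    return names


if __name__ == "__main__":
    # 03 02 06 C0: read + update.  03 03 06 80 40: read + an unnamed bit 9.
    for hexstr in ("030206c0", "0303068040"):
        print(hexstr, "->", decode_access_mode(bytes.fromhex(hexstr)))
```

The second sample in the `__main__` block is the shape of Viktor's case: a 10-bit string whose extra positions carry no meaning in PKCS#15 or ISO 7816-15, so a decoder should surface them rather than either rejecting the object or pretending they were not there.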

Re: [opensc-devel] Feitian ePass+SCR301 problem

2010-05-21 Thread Douglas E. Engert
I looked at the two logs you sent, and I don't see where the private
key is generated on the card, or where the Globus private key was written
to the card.  I don't have any of these cards, so I may have missed
something. I would have expected the log to have some entries for
entersafe_gen_key, or entersafe_write_.

In both dumps, the trace of the pkcs15-init --store-private-key
is in lines 42 to 58, looks to be only 16 lines long, and only
tests whether a card is present.


Xiaoshuo Wu wrote:
 On Fri, 07 May 2010 18:36:39 +0800, Jan Just Keijser janj...@nikhef.nl 
 wrote:
 More information for the Feitian folks: I also tried the driver bundle
 from the ftsafe website but it only supports the SCR200 card reader, not
 the 301 ; what was/am I doing wrong there?
 Thank you for testing Feitian products, AFAIK SCR301 is compliant with 
 CCID V1.1, so no proprietary driver needed.
 

 
 
 On Thu, 20 May 2010 18:35:13 +0800, Jan Just Keijser janj...@nikhef.nl 
 wrote:
 [opensc-pkcs11] iso7816.c:99:iso7816_check_sw: Referenced data 
 invalidated
 [opensc-pkcs11] card-entersafe.c:920:entersafe_compute_with_prkey:
 returning with: Card command failed
 [opensc-pkcs11] sec.c:53:sc_compute_signature: returning with: Card
 command failed
 [opensc-pkcs11] pkcs15-sec.c:273:sc_pkcs15_compute_signature:
 sc_compute_signature() failed: Card command failed
 15127:error:8000A005:PKCS11 library:PKCS11_rsa_sign:General
 Error:p11_ops.c:131:
 15127:error:0D0C3006:asn1 encoding routines:ASN1_item_sign:EVP
 lib:a_sign.c:276:
 error in req

 this is - again - the error -1200 . The full opensc-debug.log file is
   http://www.nikhef.nl/~janjust/feitian/opensc-debug.log-20100520
 I got similar result on my debian 5(engine-pkcs11, pcsclite, pcscd, 
 OpenSSL, all distribution version) with OpenSC r4365, here are the 
 commands I use:
 
 pkcs15-init -E
 pkcs15-init --create-pkcs15 --profile pkcs15+onepin 
 --use-default-transport-key --pin 123456 --puk 11 --label janjust
 openssl genrsa 2048 > id_rsa.pem
 openssl rsa -pubout < id_rsa.pem > id_rsa.pub
 pkcs15-init --store-private-key id_rsa.pem --id 45 --auth-id 01 --pin 
 123456


The log for the above is in lines 42-58 of the dumps, and it looks like
it only tests the card and does not store the key.


 openssl
 OpenSSL> engine dynamic -pre SO_PATH:/usr/lib/engines/engine_pkcs11.so 
 -pre ID:pkcs11 -pre LIST_ADD:1 -pre LOAD -pre 
 MODULE_PATH:/usr/local/lib/opensc-pkcs11.so
 OpenSSL> req -engine pkcs11 -new -key 45 -keyform engine -x509 -out 
 cert.pem -text
 
 Thanks to 
 http://www.gooze.eu/howto/smartcard-quickstarter-guide/generating-transferring-and-extracting-x-509-certificates,
  
 I found -key 45 should be -key slot_X-id_45, where X is the slot 
 number you got through pkcs11-tool --list-slots.
 Here are the commands that work for me:
 
 OpenSSL> req -engine pkcs11 -new -key slot_1-id_45 -keyform engine -x509 
 -out cert.pem -text
 OpenSSL> quit
 openssl verify -CAfile cert.pem cert.pem
 pkcs15-init --store-certificate cert.pem --auth-id 01 --id 123456 
 --format pem
 
 I also attached the log in detail.
 
 
 
 On Thu, 20 May 2010 19:50:46 +0800, Jan Just Keijser janj...@nikhef.nl 
 wrote:
 
 $ ./openssl
 OpenSSL> engine dynamic -pre
 SO_PATH:/user/janjust/local/feitian/lib/engine_pkcs11.so -pre ID:pkcs11
 -pre LIST_ADD:1 -pre LOAD -pre
 MODULE_PATH:/user/janjust/local/feitian/lib/opensc-pkcs11.so
 (dynamic) Dynamic engine loading support
 [Success]: SO_PATH:/user/janjust/local/feitian/lib/engine_pkcs11.so
 [Success]: ID:pkcs11
 [Success]: LIST_ADD:1
 [Success]: LOAD
 [Success]: MODULE_PATH:/user/janjust/local/feitian/lib/opensc-pkcs11.so
 Loaded: (pkcs11) pkcs11 engine
 OpenSSL> req -engine pkcs11 -new -key slot_1-id_6606 -keyform engine
 -x509 -out cert.pem -text
 engine pkcs11 set.
 PKCS#11 token PIN:
 You are about to be asked to enter information that will be incorporated
 into your certificate request.
 What you are about to enter is what is called a Distinguished Name or 
 a DN.
 There are quite a few fields but you can leave some blank
 For some fields there will be a default value,
 If you enter '.', the field will be left blank.
 -
 Country Name (2 letter code) [GB]:
 State or Province Name (full name) [Berkshire]:
 Locality Name (eg, city) [Newbury]:
 Organization Name (eg, company) [My Company Ltd]:
 Organizational Unit Name (eg, section) []:
 Common Name (eg, your name or your server's hostname) []:
 Email Address []:
 28400:error:8000A005:PKCS11 library:PKCS11_rsa_sign:General
 Error:p11_ops.c:131:
 28400:error:0D0C3006:asn1 encoding routines:ASN1_item_sign:EVP
 lib:a_sign.c:276:
 error in req
 OpenSSL> quit


 in other words: same error.
 See
   http://www.nikhef.nl/~janjust/feitian/opensc-debug.log-20100520
 for the full log
 I saw slot_1-id_6606; please run pkcs11-tool --list-slots and 
 pkcs15-tool --dump to see whether you have a private key with ID 6606 on 
 the card inserted in slot 1.
 
 Regards, Xiaoshuo