Re: [opensc-devel] CA key on card: how?

2011-02-17 Thread Martin Paljak
Hello,
On Feb 18, 2011, at 12:30 AM, NdK wrote:

> On 17/02/2011 22:55, Andreas Jellinghaus wrote:
> 
>> no, that wiki page is correct and works for me - done it a hundred times.
>> it uses the key on the card, and the card does the signature (you cannot
>> read the private key, a smart card won't ever give it to you).
> Yup. That's why keys are generated on card :)
Unless the key is exportable.

If you want to sign certificates with a smart card (run a CA against a PKCS#11 
token) then EJBCA is the most feature complete solution I know. But most 
probably too much hassle for a few certificates for home use.


> *But* if I specify a slot too, it asks me for a PIN. Too bad *none* of 
> the PINs I created works:
> $ openssl req -days 3650 -new -out rootca.csshl.org.csr -config 
> openssl.conf -engine pkcs11 -keyform engine -key 1:10 -sha1

Have you tried some other format, slot_XX:id_XX? (Even though it should be the 
same.) Having the OpenSC log with the relevant C_OpenSession() and C_Login lines is 
useful as well.

> engine "pkcs11" set.
> PKCS#11 token PIN:
> Login failed
> PKCS11_get_private_key returned NULL
> cannot load Private Key from engine
> 3074688648:error:800050A4:Vendor defined:PKCS11_login:PIN 
> locked:p11_slot.c:157:
> 3074688648:error:26096080:engine routines:ENGINE_load_private_key:failed 
> loading private key:eng_pkey.c:126:
> unable to load Private Key
> 
> I obviously tried all the PINs (included SOPIN). The strange thing is 
> that NO PIN is locked after all the tries I did...
Is any PIN locked or counter decreasing? What is the output of pkcs11-tool 
--module /path/to/pkcs11.so -L ?

-- 
@MartinPaljak.net
+3725156495

___
opensc-devel mailing list
opensc-devel@lists.opensc-project.org
http://www.opensc-project.org/mailman/listinfo/opensc-devel


[opensc-devel] Implement PIN retries in entersafe driver

2011-02-17 Thread Xiaoshuo Wu

Hi,
I've added SC_PIN_CMD_GET_INFO handling in entersafe_pin_cmd(), so 
C_GetTokenInfo() will now report the PIN retries; you can run "pkcs11-tool  
--test-hotplug" to see if the PIN is locked.

Regards, Xiaoshuo

trunk.5121.pin_tries_left.diff

Re: [opensc-devel] CA key on card: how?

2011-02-17 Thread Andreas Jellinghaus
On Thursday, 17 February 2011, at 23:30:57, NdK wrote:
> On 17/02/2011 22:55, Andreas Jellinghaus wrote:
> > no, that wiki page is correct and works for me - done it a hundred times.
> > it uses the key on the card, and the card does the signature (you cannot
> > read the private key, a smart card won't ever give it to you).
> 
> Yup. That's why keys are generated on card :)
> 
> > so maybe "10" is the wrong key id or something like that?
> 
> I generated it with
> $ pkcs15-init -G rsa/2048 -a 3 --id 10 -l "Root CA"

You specified "-a 3", so PIN 3 is needed to use the key.
I hope you did create such a PIN?

Regards, Andreas


Re: [opensc-devel] CA key on card: how?

2011-02-17 Thread NdK
On 17/02/2011 22:55, Andreas Jellinghaus wrote:

> no, that wiki page is correct and works for me - done it a hundred times.
> it uses the key on the card, and the card does the signature (you cannot
> read the private key, a smart card won't ever give it to you).
Yup. That's why keys are generated on card :)

> so maybe "10" is the wrong key id or something like that?
I generated it with
$ pkcs15-init -G rsa/2048 -a 3 --id 10 -l "Root CA"
and "pkcs15-tool -k" shows, amongst others:
Private RSA Key [Root CA]
 Object Flags   : [0x3], private, modifiable
 Usage  : [0x4], sign
 Access Flags   : [0x1D], sensitive, alwaysSensitive, neverExtract, local
 ModLength  : 2048
 Key ref: 8
 Native : yes
 Path   : 3f0050154b08
 Auth ID: 03
 ID : 10

So it seems correct.

*But* if I specify a slot too, it asks me for a PIN. Too bad *none* of 
the PINs I created works:
$ openssl req -days 3650 -new -out rootca.csshl.org.csr -config openssl.conf -engine pkcs11 -keyform engine -key 1:10 -sha1
engine "pkcs11" set.
PKCS#11 token PIN:
Login failed
PKCS11_get_private_key returned NULL
cannot load Private Key from engine
3074688648:error:800050A4:Vendor defined:PKCS11_login:PIN locked:p11_slot.c:157:
3074688648:error:26096080:engine routines:ENGINE_load_private_key:failed loading private key:eng_pkey.c:126:
unable to load Private Key

I obviously tried all the PINs (including the SO PIN). The strange thing is 
that NO PIN is locked after all the tries I did...

Any hint about where to bang my head?

Tks!

BYtE!


Re: [opensc-devel] CA key on card: how?

2011-02-17 Thread Andreas Jellinghaus
On Thursday, 17 February 2011, at 22:24:41, NdK wrote:
> I've found a lot of tutorials to use openssl to generate self-signed
> certs (OK for my root CA), but couldn't find one where the signature is
> done by the card. Even on
> http://www.opensc-project.org/engine_pkcs11/wiki/QuickStart

no, that wiki page is correct and works for me - done it a hundred times.
it uses the key on the card, and the card does the signature (you cannot
read the private key, a smart card won't ever give it to you).

so maybe "10" is the wrong key id or something like that?

good luck!

Regards, Andreas


[opensc-devel] CA key on card: how?

2011-02-17 Thread NdK
Hi all.

I'm now looking at another issue.
Having stored "enough" certs on card, I'm now trying to push it to the 
limit.

It seems that openssh can't be told which key to use, but that's not OpenSC 
related (unless someone here knows how to do it). So I'm falling back to 
pam_pkcs11 and CA handling.

I've found a lot of tutorials on using openssl to generate self-signed 
certs (OK for my root CA), but couldn't find one where the signature is 
done by the card. Even on
http://www.opensc-project.org/engine_pkcs11/wiki/QuickStart
it seems openssl requires read access to the secret key, actually "banning" 
keys generated on-card:
$ openssl req -config openssl.conf -engine pkcs11 -new -key 10 -keyform engine -out req.pem -text -x509 -subj "/CN=csshl.org Root CA"
engine "pkcs11" set.
Invalid slot number: 0
PKCS11_get_private_key returned NULL
cannot load Private Key from engine
3075466888:error:26096080:engine routines:ENGINE_load_private_key:failed loading private key:eng_pkey.c:126:
unable to load Private Key

Any hint on how to instruct openssl to use the card to sign?

And on a related issue (step 2), can the public key be removed after 
loading the cert?

Tks!

BYtE!
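
The diagnosis the thread above arrives at has two parts: the engine wants the key as "slot:id" rather than a bare id, and the PIN the engine prompts for is the PIN object whose ID equals the key's "Auth ID" (the "-a 3" given to pkcs15-init), not necessarily the user PIN. The script below is an added example, not code from the thread or from the OpenSC project. It parses pkcs15-tool style object listings and answers both questions for any key label, also reporting the remaining PIN tries so that a "PIN locked" error can be checked against the card's own counters. The two listings are constructed, modelled on the output posted above; the "Tries left" field, the second key and the second PIN object are assumptions about the tool's output, not values from the thread.

```shell
#!/bin/sh
# Added example (not from the thread or the OpenSC project).
# Constructed `pkcs15-tool -k` output, modelled on the listing in the thread;
# the "SSH login" key is an assumption added to show selection by label.
KEYS_OUT='Private RSA Key [Root CA]
    Object Flags   : [0x3], private, modifiable
    Usage          : [0x4], sign
    Access Flags   : [0x1D], sensitive, alwaysSensitive, neverExtract, local
    ModLength      : 2048
    Key ref        : 8
    Native         : yes
    Path           : 3f0050154b08
    Auth ID        : 03
    ID             : 10

Private RSA Key [SSH login]
    Object Flags   : [0x3], private, modifiable
    Usage          : [0x4], sign
    Auth ID        : 01
    ID             : 20'

# Constructed `pkcs15-tool --list-pins` output; the exact layout and the
# "Tries left" field are assumptions about the tool's format.
PINS_OUT='PIN [User PIN]
    Object Flags   : [0x3], private, modifiable
    ID             : 01
    Reference      : 1
    Tries left     : 3

PIN [Root CA PIN]
    Object Flags   : [0x3], private, modifiable
    ID             : 03
    Reference      : 3
    Tries left     : 1'

# obj_field LISTING SELECT_FIELD SELECT_VALUE WANT_FIELD
# Splits a listing into objects (a header line "Type [label]" followed by
# indented "Name : value" lines), picks the first object whose SELECT_FIELD
# (a field name, or the pseudo-field "label") equals SELECT_VALUE and prints
# its WANT_FIELD. Prints nothing when no object matches.
obj_field() {
    printf '%s\n' "$1" | awk -v sf="$2" -v sv="$3" -v want="$4" '
        /^[^ \t].*\[.*\]$/ {              # object header: label sits inside [...]
            n++
            lab = substr($0, index($0, "[") + 1)
            sub(/\]$/, "", lab)
            v[n, "label"] = lab
            next
        }
        n > 0 && index($0, ":") {         # "Name : value" line of the current object
            key = $0; sub(/:.*$/, "", key); gsub(/^[ \t]+|[ \t]+$/, "", key)
            val = $0; sub(/^[^:]*:[ \t]*/, "", val); sub(/[ \t]+$/, "", val)
            v[n, key] = val
        }
        END {
            for (i = 1; i <= n; i++)
                if (v[i, sf] == sv) { print v[i, want]; exit }
        }'
}

# engine_key_spec SLOT KEY_LABEL -> "slot:id", the key form used in the thread
engine_key_spec() {
    id=$(obj_field "$KEYS_OUT" label "$2" ID)
    [ -n "$id" ] || { echo "no key labelled '$2'" >&2; return 1; }
    printf '%s:%s\n' "$1" "$id"
}

# required_pin KEY_LABEL -> label of the PIN object whose ID equals the key's
# Auth ID; this is the PIN the engine's "token PIN" prompt is really asking for.
required_pin() {
    auth=$(obj_field "$KEYS_OUT" label "$1" "Auth ID")
    [ -n "$auth" ] || { echo "no key labelled '$1'" >&2; return 1; }
    obj_field "$PINS_OUT" ID "$auth" label
}

# pin_tries_left KEY_LABEL -> remaining tries of that PIN (empty if the
# listing does not report a counter)
pin_tries_left() {
    auth=$(obj_field "$KEYS_OUT" label "$1" "Auth ID")
    obj_field "$PINS_OUT" ID "$auth" "Tries left"
}

# Demonstration for the key from the thread, assuming the token is in slot 1
echo "key spec : $(engine_key_spec 1 'Root CA')"
echo "PIN      : $(required_pin 'Root CA')"
echo "tries    : $(pin_tries_left 'Root CA')"
```

Run against real output by replacing the two constructed listings with `$(pkcs15-tool -k)` and `$(pkcs15-tool --list-pins)`; a tries-left value that does not decrease across failed attempts, as reported in the thread, points at the wrong PIN object (or wrong slot) being addressed rather than at a wrong PIN value.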


Re: [opensc-devel] Strange VS preprocessor behavior

2011-02-17 Thread Martin Paljak

On Feb 17, 2011, at 7:56 PM, Viktor TARASOV wrote:

> Hi,
> 
> I'm trying to compile OpenSC on the
> Windows Server 2008 R2 Enterprise OS 64-bit
> using compiler
> Microsoft (R) 32-bit C/C++ Optimizing Compiler Version 16.00.30319.01 for 
> 80x86
> installed with Visual Studio v10.0
> 
> It seems that for the quoted form of the #include directive, the preprocessor 
> does not look for the file to include in the directory of the file that 
> contains the #include statement.
> And so there are errors like
> scconf.c(32) : fatal error C1083: Cannot open include file: 'scconf.h': No 
> such file or directory
> 
> Everything goes well with the local path added to the 'include path' compiler 
> option: '/I.\ '
> 
> 
> There is no such problem with
> Microsoft (R) 32-bit C/C++ Optimizing Compiler Version 15.00.21022.08 for 
> 80x86
> Windows XP SP3
> OS 32-bit
> 
> 
> I would like to commit the local path in the '/I' compiler option. Do you have 
> any objection?


Can you try with the Platform SDK for Windows 7 (SDK version 7.1) instead? We've 
had various other issues with VS2010 in .ee, but OpenSC compilation with 
VS2010 for 64-bit should work (at least not with this behavior, AFAIK).

Unlike VS Express, the Platform SDK comes with cross compilers and is a free 
download as well. I'd suggest using the Platform SDK as the "recommended build 
platform" instead of VS or VS Express.



Re: [opensc-devel] Strange VS preprocessor behavior

2011-02-17 Thread Peter Stuge
Viktor TARASOV wrote:
> Microsoft (R) 32-bit C/C++ Optimizing Compiler Version 16.00.30319.01
..
> It seems that for the quoted form of the #include directive, the
> preprocessor does not look for the file to include in the directory of
> the file that contains the #include statement.

That seems wrong. Oh well.


> I would like to commit the local path in the '/I' compiler option. Do
> you have any objection?

I think that's OK, but please avoid the trailing backslash. /I.
should be enough to make it work.


//Peter


[opensc-devel] Strange VS preprocessor behavior

2011-02-17 Thread Viktor TARASOV
Hi,

I'm trying to compile OpenSC on the
Windows Server 2008 R2 Enterprise OS 64-bit
using compiler
Microsoft (R) 32-bit C/C++ Optimizing Compiler Version 16.00.30319.01 for 80x86
installed with Visual Studio v10.0

It seems that for the quoted form of the #include directive, the preprocessor 
does not look for the file to include in the directory of the file that 
contains the #include statement.
And so there are errors like
scconf.c(32) : fatal error C1083: Cannot open include file: 'scconf.h': No such 
file or directory

Everything goes well with the local path added to the 'include path' compiler 
option: '/I.\ '


There is no such problem with
Microsoft (R) 32-bit C/C++ Optimizing Compiler Version 15.00.21022.08 for 80x86
Windows XP SP3
OS 32-bit


I would like to commit the local path in the '/I' compiler option. Do you have 
any objection?

Kind wishes,
Viktor.


-- 
Viktor Tarasov  



Re: [opensc-devel] Secure Messaging and concurrent access to card

2011-02-17 Thread Juan Antonio Martinez
On Thu, 17-02-2011 at 16:50 +0100, Frank Morgner wrote:
> On Monday, February 14 at 12:22PM, jons...@terra.es wrote:
> > In the testing process of OpenDNIe I've found a problem related with 
> > concurrent
> > access to opensc-pkcs11 library.

(from a previous mail from Douglas)
> Does the card impose some CKA_ALWAYS_AUTHENTICATE restriction, such as
> the PIN must be presented before each crypto operation for some
> private key, with no intervening operations?

Yes: DNIe enforces user authentication before any access to any object
stored in the card.

> > In short: as DNIe can only handle one SM at a time (no virtual channel 
> > support), 
> > there is no (known) way to get concurrent pkcs11 access 
> > 
> > This "feature" makes unusable most of signing applets commonly used in many 
> > official sites 
> > 
> > Afaik opensc-pkcs11 is thread/process aware, and non-sm based cards can 
> > successfully
> > handle "n" processes without any problem noticed. but for DNIe, I need some 
> > way
> > to "centralize" all SM task in a single process/thread 
> 
> I am not very familiar with PKCS#11 and even less with OpenSC's
> implementation. But why don't you store the needed SM data in the card's
> private data? This way each card handle has its own SM context and
> could access the card with different SM parameters (if supported).

Sorry, I can't: AFAIK DNIe is "read only", at least at user level.
Ideally, virtual channels should be used, but there is not enough
documentation on the card to make sure that DNIe supports them. Need to test...

So I cannot store the SM context in the card.

> If you think about sharing an SM context between different card handles,
> I think this is not a good idea. This would require you to establish
> another mechanism to verify if access is allowed other than using the
> smart card. Such relaying is in general not a good idea. If you need to
> do it anyway, you could simply copy the SM context (the card's private
> data) to another card handle.

I know. I was thinking of an SM daemon connected to OpenSC by means of
Unix domain sockets (which can handle user permissions by themselves) to ensure
that only one user can access the encoding daemon. But this solution is
not portable to Windows.

> > I'm thinking on a sort of "SM daemon" to take care on apdu encoding/decoding
> 
> Please have a look at victor's repository
> http://www.opensc-project.org/svn/opensc/branches/vtarasov/opensc-sm.trunk/
> He uses relaying to a distant entity to encode/decode SM APDUs. This
> sounds pretty much like what you have in mind.

I'll take a look. Actually I know about 4 different approaches:
- Use virtual channels. But I need to test for feature availability 
on the DNIe card.
- Handle the SM channel at the pcsc (or ccid) level. (Too complicated for me.)
- Find a way to share the SM context with all applications that concurrently
try to access the card.
- Convince everyone to stop using signing applets, and just work with
Firefox's "crypto.signText()" function :-). But this still makes
Firefox collide with other apps (e.g. OpenOffice).

Ideas?

BTW, Martin told me about trying to find a portable, simple way, 
without external library dependencies, to ask the user for a PIN or
signature confirmation as a preliminary task for DNIe integration 
into OpenSC mainstream. Anyone working on this? Volunteers? :-)

Juan Antonio



Re: [opensc-devel] Secure Messaging and concurrent access to card

2011-02-17 Thread Frank Morgner
On Monday, February 14 at 12:22PM, jons...@terra.es wrote:
> In the testing process of OpenDNIe I've found a problem related with 
> concurrent
> access to opensc-pkcs11 library.
> 
> In short: as DNIe can only handle one SM at a time (no virtual channel 
> support), 
> there is no (known) way to get concurrent pkcs11 access 
> 
> This "feature" makes unusable most of signing applets commonly used in many 
> official sites 
> 
> Afaik opensc-pkcs11 is thread/process aware, and non-sm based cards can 
> successfully
> handle "n" processes without any problem noticed. but for DNIe, I need some 
> way
> to "centralize" all SM task in a single process/thread 

I am not very familiar with PKCS#11 and even less with OpenSC's
implementation. But why don't you store the needed SM data in the card's
private data? This way each card handle has its own SM context and
could access the card with different SM parameters (if supported).

If you think about sharing an SM context between different card handles,
I think this is not a good idea. This would require you to establish
another mechanism to verify if access is allowed other than using the
smart card. Such relaying is in general not a good idea. If you need to
do it anyway, you could simply copy the SM context (the card's private
data) to another card handle.

> I'm thinking on a sort of "SM daemon" to take care on apdu encoding/decoding

Please have a look at victor's repository
http://www.opensc-project.org/svn/opensc/branches/vtarasov/opensc-sm.trunk/
He uses relaying to a distant entity to encode/decode SM APDUs. This
sounds pretty much like what you have in mind.

Greets, Frank.



Re: [opensc-devel] [opensc-commits] svn opensc changed[5195] card-piv: 'ssize_t' is not defined when compiling with Visual Studio

2011-02-17 Thread Viktor TARASOV
On 16.02.2011 17:39, Douglas E. Engert wrote:
>
>
> On 2/16/2011 6:21 AM, Martin Paljak wrote:
>> Hello,
>> On Feb 16, 2011, at 12:32 PM, webmas...@opensc-project.org wrote:
>>> ---
>>> card-piv: 'ssize_t' is not defined when compiling with Visual Studio
>>
>> (I'm on the road, not connected to my work PC with git and more links, but some 
>> comments nevertheless)
>>
>> Windows does have SSIZE_T. But the Windows prototype for _read() uses int. 
>> So the best solution probably lies in between two options, the other one 
>> being mapping SSIZE_T in winconfig.h instead.
>>
>> http://msdn.microsoft.com/en-US/library/ms235412(v=VS.80).aspx
>> http://msdn.microsoft.com/en-us/library/aa383751(v=vs.85).aspx
>>
>
> The ssize_t was added in #5135 to fix other issues.
>
> Since this is the only place in OpenSC to test the results of a read like
> this, another approach would be in the attachment. This also makes sure
> that there are at least 2 bytes read.

Fine, will you commit it?

