[opensc-devel] OpenSC 12.1

2011-02-28 Thread Brian Thomas
Hello,

Can anybody tell me if the release of OpenSC 21.1 is on track for March
8th?  If not, when is the predicted date?

Best Regards,

Brian Thomas
ITSEC Specialist
Systems Engineer
Astronautics Corporation of America
414-449-4223

___
opensc-devel mailing list
opensc-devel@lists.opensc-project.org
http://www.opensc-project.org/mailman/listinfo/opensc-devel

Re: [opensc-devel] ssh error

2011-02-28 Thread NdK
On 23/02/2011 21:19, Martin Paljak wrote:

>> Enter PIN for 'MyEID (User Auth)':
>> C_Sign failed: 257
> This means: #define CKR_USER_NOT_LOGGED_IN (0x101UL)
> Having OpenSC debug.log would be useful - is the right PIN verified before as 
> it should be.
I tried to enable debug.log, but only got an empty file... Is there a
guide somewhere?

So I tested w/ a key created as:
keyuse=digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment,keyAgreement,keyCertSign,cRLSign
pkcs15-init -G rsa/2048 --insecure --id 1001 -u $keyuse -l "da-tecnici" \
--pin $PIN1

And I still get that NOT_LOGGED_IN ! :(
Since no pin is to be asked, why does it say I'm not logged in?

BYtE,
 Diego.


Re: [opensc-devel] r5124

2011-02-28 Thread Andre Zepezauer
Hello Martin,

I would like to commit the attached patch. Any objections?

On Thu, 2011-02-03 at 14:36 +0200, Martin Paljak wrote:
> Hello,
> 
> On Thu, Jan 27, 2011 at 20:08, Andre Zepezauer
>  wrote:
> > Hello Martin,
> >
> > some comments on r5124:
> >
> > 1. The values of pin_info->reference and prkey_info->key_reference
> > shouldn't be compared because:
> >
> > * pin_info->reference is used as P2 parameter in VERIFY command
> > * prkey_info->key_reference is used in MSE SET tag 0x84
> 
> OK, I see your point.
> Looking at your patch: could it be extracted into a small lookup
> function like the current one that is used? such a small lookup
> function with a small doxygen doc would look really nice.
> 
> I see it has been working up to because of a coincidence...
Index: src/libopensc/pkcs15-pin.c
===
--- src/libopensc/pkcs15-pin.c	(revision 5215)
+++ src/libopensc/pkcs15-pin.c	(working copy)
@@ -499,12 +499,21 @@
 		return;
 	}
 
-	/* If the PIN protects a private key with user consent, don't cache it */
-	if (sc_pkcs15_find_prkey_by_reference(p15card, NULL, pin_info->reference, &obj) == SC_SUCCESS) {
-		if (obj->user_consent) {
-			sc_debug(ctx, SC_LOG_DEBUG_NORMAL, "Not caching a PIN protecting a key with user consent");
-			return;
+	/* If the PIN protects an object with user consent, don't cache it */
+	obj = p15card->obj_list;
+	while (obj != NULL) {
+		/* Compare 'sc_pkcs15_object.auth_id' with 'sc_pkcs15_pin_info.auth_id'.
+		 * In accordance with PKCS#15 "6.1.8 CommonObjectAttributes" and
+		 * "6.1.16 CommonAuthenticationObjectAttributes" with the exception that
+		 * "CommonObjectAttributes.accessControlRules" are not taken into account. */
+		if (sc_pkcs15_compare_id(&obj->auth_id, &pin_info->auth_id)) {
+			/* Caching is refused, if the protected object requires user consent */
+			if (obj->user_consent > 0) {
+sc_debug(ctx, SC_LOG_DEBUG_NORMAL, "caching refused (user consent)");
+return;
+			}
 		}
+		obj = obj->next;
 	}
 
 	r = sc_pkcs15_allocate_object_content(pin_obj, pin, pinlen);
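Review bot: Martin's quoted request was for a small lookup function with a doxygen comment, but the hunk inlines the whole obj_list walk into the caching path; consider lifting the loop (from `obj = p15card->obj_list;` through `obj = obj->next;`) into a helper that returns the first object whose auth_id matches the PIN and has `user_consent > 0`, so the caller stays as short as the old `sc_pkcs15_find_prkey_by_reference` call. The two lines `sc_debug(ctx, SC_LOG_DEBUG_NORMAL, "caching refused (user consent)");` and `return;` have also lost their indentation relative to the enclosing `if (obj->user_consent > 0) {` block. Replacing the comparison of `pin_info->reference` against key references with an auth_id comparison is the right fix given the point above that the two values live in different namespaces (VERIFY P2 versus MSE SET tag 0x84), and the loop now covers every object type rather than private keys only, which the updated comment reflects; the comment's caveat that accessControlRules are ignored is worth keeping in the helper's doc.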

Re: [opensc-devel] Atomic cert import

2011-02-28 Thread Martin Paljak
Hello,
On Feb 28, 2011, at 2:44 PM, NdK wrote:
> Could it be possible to check the available space on card files before
> importing PKCS12 certs? Or at least "rollback" already done additions.
Rollback would be a nice feature.


> Now it could easily happen that a cert is only partially stored, since
> the private key goes first, then every cert in the chain.
> So after an import I could find a partial cert, maybe only the private
> key and a first-level cert, w/o the rest of the chain.

Partially stored certificate (broken certificate)? That would be bad. I'm not
sure how universally available checking for write errors beforehand would be,
thus a rollback could be a better and more reliable scheme.


> 
> Should I file it as an enhancement request in the tracker?

Yes, sure. 
-- 
@MartinPaljak.net
+3725156495



[opensc-devel] Atomic cert import

2011-02-28 Thread NdK
Hi all.

Could it be possible to check the available space on card files before
importing PKCS12 certs? Or at least "rollback" already done additions.

Now it could easily happen that a cert is only partially stored, since
the private key goes first, then every cert in the chain.
So after an import I could find a partial cert, maybe only the private
key and a first-level cert, w/o the rest of the chain.

Should I file it as an enhancement request in the tracker?

Tks,
 Diego.


Re: [opensc-devel] gnome-keyring PKCS#11 glue project

2011-02-28 Thread Stef Walter
On 02/28/2011 10:42 AM, Martin Paljak wrote:
> Hello, On Feb 23, 2011, at 10:14 AM, Stef Walter wrote:
> 
>> Hi guys. As a follow up from the security devroom at FOSDEM, I'm
>> working out hosting and mailing lists for the PKCS#11 glue stuff
>> [1] that I talked about. This includes things like p11-kit, trust
>> assertions, pkcs11 uris and more.
>> 
>> Unless there are serious objections I'm requesting hosting at 
>> freedesktop.org [2]. While this PKCS#11 glue research and work does
>> not only apply to the desktop, its primary motivation *is* desktop
>> integration.
> 
> 
> Great!
> 
> 
> Personally I like p11-kit more than p11-glue, even if in the real world
> it would be a glue thing :)

Yes, p11-kit will still be the name of the proxy module and library.
What we're calling the PKCS#11 Glue Project will include more than just
that component.

Cheers,

Stef


Re: [opensc-devel] PKCS#11 glue project

2011-02-28 Thread Martin Paljak
Hello,
On Feb 23, 2011, at 10:14 AM, Stef Walter wrote:

> Hi guys. As a follow up from the security devroom at FOSDEM, I'm working
> out hosting and mailing lists for the PKCS#11 glue stuff [1] that I
> talked about. This includes things like p11-kit, trust assertions,
> pkcs11 uris and more.
> 
> Unless there are serious objections I'm requesting hosting at
> freedesktop.org [2]. While this PKCS#11 glue research and work does not
> only apply to the desktop, its primary motivation *is* desktop integration.


Great!


Personally I like p11-kit more than p11-glue, even if in the real world it would be
a glue thing :)

-- 
@MartinPaljak.net
+3725156495



[opensc-devel] PKCS#11 glue project

2011-02-28 Thread Stef Walter
Hi guys. As a follow up from the security devroom at FOSDEM, I'm working
out hosting and mailing lists for the PKCS#11 glue stuff [1] that I
talked about. This includes things like p11-kit, trust assertions,
pkcs11 uris and more.

Unless there are serious objections I'm requesting hosting at
freedesktop.org [2]. While this PKCS#11 glue research and work does not
only apply to the desktop, its primary motivation *is* desktop integration.

BTW, I've done more work on p11-kit [3] config, uris, and other fixes.
I'll be documenting this more once hosting is available.

[1] http://thewalter.net/stef/misc/trust-assertion-notes.ps

[2] https://bugs.freedesktop.org/show_bug.cgi?id=34408

[3] http://thewalter.net/git/cgit.cgi/p11-kit/