[opensc-devel] PIN caching problems with pkcs11-helper 1.08

2011-08-11 Thread Jonatan Åkerlind
We have a setup using the Aladdin eToken PRO USB device for certificate
storage, using opensc/openct to interface it with openvpn. It works fine, but
with pkcs11-helper 1.08 we need to enter the PIN code twice at openvpn
startup and then once at each renegotiation. Confirmed with various
versions of openvpn (2.1.4/2.2.1), opensc (0.11.13, 0.12.1) and openct
(0.6.20); the common thing is that it works with pkcs11-helper 1.07 (the PIN
caching seems OK and it only asks for the PIN code once at startup and no
more) but with pkcs11-helper 1.08 the PIN caching does not work.

Attached is a log from openvpn with verbosity 99 (gives a lot of info)
using pkcs11-helper 1.08. It contains the startup and a couple of
renegotiations filtered to only include lines with pkcs in them.

/Jonatan

Fri Aug  5 09:37:04 2011 us=441187   pkcs12_file = '[UNDEF]'
Fri Aug  5 09:37:04 2011 us=441666   pkcs11_providers = /usr/lib/opensc-pkcs11.so
Fri Aug  5 09:37:04 2011 us=441680   pkcs11_protected_authentication = DISABLED
Fri Aug  5 09:37:04 2011 us=441694   pkcs11_protected_authentication = DISABLED
Fri Aug  5 09:37:04 2011 us=441708   pkcs11_protected_authentication = DISABLED
Fri Aug  5 09:37:04 2011 us=441721   pkcs11_protected_authentication = DISABLED
Fri Aug  5 09:37:04 2011 us=441734   pkcs11_protected_authentication = DISABLED
Fri Aug  5 09:37:04 2011 us=441748   pkcs11_protected_authentication = DISABLED
Fri Aug  5 09:37:04 2011 us=441761   pkcs11_protected_authentication = DISABLED
Fri Aug  5 09:37:04 2011 us=441775   pkcs11_protected_authentication = DISABLED
Fri Aug  5 09:37:04 2011 us=441788   pkcs11_protected_authentication = DISABLED
Fri Aug  5 09:37:04 2011 us=441802   pkcs11_protected_authentication = DISABLED
Fri Aug  5 09:37:04 2011 us=441815   pkcs11_protected_authentication = DISABLED
Fri Aug  5 09:37:04 2011 us=441828   pkcs11_protected_authentication = DISABLED
Fri Aug  5 09:37:04 2011 us=441842   pkcs11_protected_authentication = DISABLED
Fri Aug  5 09:37:04 2011 us=441856   pkcs11_protected_authentication = DISABLED
Fri Aug  5 09:37:04 2011 us=441869   pkcs11_protected_authentication = DISABLED
Fri Aug  5 09:37:04 2011 us=441883   pkcs11_protected_authentication = DISABLED
Fri Aug  5 09:37:04 2011 us=441897   pkcs11_private_mode = 
Fri Aug  5 09:37:04 2011 us=441911   pkcs11_private_mode = 
Fri Aug  5 09:37:04 2011 us=441924   pkcs11_private_mode = 
Fri Aug  5 09:37:04 2011 us=441938   pkcs11_private_mode = 
Fri Aug  5 09:37:04 2011 us=441951   pkcs11_private_mode = 
Fri Aug  5 09:37:04 2011 us=441965   pkcs11_private_mode = 
Fri Aug  5 09:37:04 2011 us=441978   pkcs11_private_mode = 
Fri Aug  5 09:37:04 2011 us=441992   pkcs11_private_mode = 
Fri Aug  5 09:37:04 2011 us=442005   pkcs11_private_mode = 
Fri Aug  5 09:37:04 2011 us=442019   pkcs11_private_mode = 
Fri Aug  5 09:37:04 2011 us=442039   pkcs11_private_mode = 
Fri Aug  5 09:37:04 2011 us=442053   pkcs11_private_mode = 
Fri Aug  5 09:37:04 2011 us=442067   pkcs11_private_mode = 
Fri Aug  5 09:37:04 2011 us=442080   pkcs11_private_mode = 
Fri Aug  5 09:37:04 2011 us=442093   pkcs11_private_mode = 
Fri Aug  5 09:37:04 2011 us=442107   pkcs11_private_mode = 
Fri Aug  5 09:37:04 2011 us=442120   pkcs11_cert_private = DISABLED
Fri Aug  5 09:37:04 2011 us=442134   pkcs11_cert_private = DISABLED
Fri Aug  5 09:37:04 2011 us=442147   pkcs11_cert_private = DISABLED
Fri Aug  5 09:37:04 2011 us=442165   pkcs11_cert_private = DISABLED
Fri Aug  5 09:37:04 2011 us=442179   pkcs11_cert_private = DISABLED
Fri Aug  5 09:37:04 2011 us=442193   pkcs11_cert_private = DISABLED
Fri Aug  5 09:37:04 2011 us=442206   pkcs11_cert_private = DISABLED
Fri Aug  5 09:37:04 2011 us=442220   pkcs11_cert_private = DISABLED
Fri Aug  5 09:37:04 2011 us=442233   pkcs11_cert_private = DISABLED
Fri Aug  5 09:37:04 2011 us=442246   pkcs11_cert_private = DISABLED
Fri Aug  5 09:37:04 2011 us=442260   pkcs11_cert_private = DISABLED
Fri Aug  5 09:37:04 2011 us=442273   pkcs11_cert_private = DISABLED
Fri Aug  5 09:37:04 2011 us=442286   pkcs11_cert_private = DISABLED
Fri Aug  5 09:37:04 2011 us=442300   pkcs11_cert_private = DISABLED
Fri Aug  5 09:37:04 2011 us=442313   pkcs11_cert_private = DISABLED
Fri Aug  5 09:37:04 2011 us=442326   pkcs11_cert_private = DISABLED
Fri Aug  5 09:37:04 2011 us=442340   pkcs11_pin_cache_period = -1
Fri Aug  5 09:37:04 2011 us=442354   pkcs11_id = 'OpenSC\x20Project/PKCS\x2315/28088614271A/OpenSC\x20Card\x20\x28Jonatan02\x20VPN\x29/46'
Fri Aug  5 09:37:04 2011 us=442368   pkcs11_id_management = DISABLED
Fri Aug  5 09:37:04 2011 us=442956 OpenVPN 2.2.1 x86_64-linux-gnu [SSL] [LZO2] [EPOLL] [PKCS11] [eurephia] built on Jul  1 2011
Fri Aug  5 09:37:04 2011 us=443026 PKCS#11: pkcs11_initialize - entered
Fri Aug  5 09:37:04 2011 us=443191 PKCS#11: pkcs11_initialize - return 0-'CKR_OK'
Fri Aug  5 09:37:04 2011 us=443215 PKCS#11: pkcs11_addProvider - 

Re: [opensc-devel] PIN caching problems with pkcs11-helper 1.08

2011-08-11 Thread Martin Paljak
Hello,

2011/8/11 Jonatan Åkerlind jonatan.akerl...@sgsstudentbostader.se:
 We have a setup using the Aladdin eToken PRO USB device for certificate
 storage, using opensc/openct to interface it with openvpn. It works fine, but
 with pkcs11-helper 1.08 we need to enter the PIN code twice at openvpn
 startup and then once at each renegotiation. Confirmed with various
 versions of openvpn (2.1.4/2.2.1), opensc (0.11.13, 0.12.1) and openct
 (0.6.20); the common thing is that it works with pkcs11-helper 1.07 (the PIN
 caching seems OK and it only asks for the PIN code once at startup and no
 more) but with pkcs11-helper 1.08 the PIN caching does not work.

 Attached is a log from openvpn with verbosity 99 (gives a lot of info)
 using pkcs11-helper 1.08. It contains the startup and a couple of
 renegotiations filtered to only include lines with pkcs in them.

This might be relevant:

PKCS#11: __pkcs11h_certificate_doPrivateOperation entry
certificate=0x72ebb0, op=0, mech_type=1, source=0x7fff40fa3be0,
  source_size=0024, target=0x757936,
*p_target_size=0024

the target size is the same as the input size, which makes one of the
operations fail with CKR_BUFFER_TOO_SMALL and triggers another
try, which means another PIN entry. Probably something else is
fishy as well.
___
opensc-devel mailing list
opensc-devel@lists.opensc-project.org
http://www.opensc-project.org/mailman/listinfo/opensc-devel
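The output-buffer convention behind the diagnosis above, as an added example (not code from the thread, from pkcs11-helper or from OpenSC): a constructed mock of a C_Sign-style call that follows the PKCS#11 size-reporting rules, driven once the way the log shows (target sized to the source) and once the correct two-call way. The CK_RV values are the spec's; mock_sign, MOCK_SIG_LEN and the two caller functions are this example's own names.

```c
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/* Stand-ins for the PKCS#11 types and return codes used here (no
 * pkcs11.h needed); the numeric values are the ones from the spec. */
typedef unsigned long CK_RV;
#define CKR_OK               0x000UL
#define CKR_HOST_MEMORY      0x002UL
#define CKR_BUFFER_TOO_SMALL 0x150UL
/* Constructed mock of a C_Sign-style call with a 2048-bit RSA key: the
 * result is always 256 bytes, however short the input DigestInfo is.
 * It follows the PKCS#11 output-buffer convention:
 *   out == NULL        -> report the required size, return CKR_OK
 *   *out_len too small -> report the required size, CKR_BUFFER_TOO_SMALL
 *   otherwise          -> write the result and set *out_len           */
#define MOCK_SIG_LEN 256

static CK_RV mock_sign(const unsigned char *in, size_t in_len,
                       unsigned char *out, size_t *out_len)
{
    if (out == NULL || *out_len < MOCK_SIG_LEN) {
        *out_len = MOCK_SIG_LEN;
        return out == NULL ? CKR_OK : CKR_BUFFER_TOO_SMALL;
    }
    memset(out, 0, MOCK_SIG_LEN);                  /* fake "signature" */
    memcpy(out, in, in_len < MOCK_SIG_LEN ? in_len : MOCK_SIG_LEN);
    *out_len = MOCK_SIG_LEN;
    return CKR_OK;
}

/* The pattern visible in the log: target sized to the source
 * (*p_target_size == source_size). Returns the module's rv and stores
 * the size it reported back; a caller that retries from here redoes the
 * whole operation, which in the thread shows up as a second PIN prompt. */
CK_RV sign_with_input_sized_buffer(size_t in_len, size_t *reported)
{
    unsigned char in[64] = {0}, out[64];
    size_t n = in_len > sizeof in ? sizeof in : in_len;
    size_t out_len = n;
    CK_RV rv = mock_sign(in, n, out, &out_len);
    *reported = out_len;
    return rv;
}

/* The correct two-call pattern: ask for the size, allocate once, sign.
 * This path never sees CKR_BUFFER_TOO_SMALL, so there is no retry. */
CK_RV sign_with_size_query(size_t in_len, size_t *sig_len)
{
    unsigned char in[64] = {0}, *sig;
    size_t n = in_len > sizeof in ? sizeof in : in_len, need = 0;
    CK_RV rv = mock_sign(in, n, NULL, &need);      /* 1st call: size only */
    if (rv != CKR_OK) return rv;
    if ((sig = malloc(need)) == NULL) return CKR_HOST_MEMORY;
    rv = mock_sign(in, n, sig, &need);             /* 2nd call: sign */
    if (rv == CKR_OK) *sig_len = need;
    free(sig);
    return rv;
}
```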

[opensc-devel] Minidriver in 'write' mode

2011-08-11 Thread Viktor Tarasov
Hello,

I would like to implement the 'write' mode of the minidriver and have created a
dedicated branch on github.
It's only the beginning; at the moment key generation, request signing and
certificate import with IE on the XP platform 'work for me'.

Currently the OpenSC minidriver emulates the (Base)CSP related file system.
With this approach it becomes difficult and uncertain to implement 'fine'
support of the minidriver functionalities -- cache, freshness of files and
containers, GUIDs generated by the CSP, ...

PKCS#15 card producers resolve this problem by
creating a parallel CSP file system, invisible to PKCS#15,
or by creating 'DATA' objects with a common 'application' attribute, for example
BaseCSP.

I guess that this second approach is more appropriate for the OpenSC minidriver.

The capability of the card to support the 'write' minidriver mode will be declared
in the 'card_atr' section of opensc.conf.
It presumes that the card supports pkcs15-init.
For such a card all pkcs15-init operations (executed by tools, pkcs#11 or the
minidriver) will try to update the BaseCSP 'DATA' objects.

What do you think about it?
Any suggestions, wishes, considerations are heartily welcome.

Kind regards,
Viktor.



Re: [opensc-devel] Patch: remove slots of detached reader(token)

2011-08-11 Thread Viktor Tarasov
On 08/08/2011 16:31, Ludovic Rousseau wrote:
 2011/7/19 Viktor Tarasovviktor.tara...@gmail.com:
 On 18/07/2011 14:52, Ludovic Rousseau wrote:
 2011/7/10 Viktor Tarasovviktor.tara...@gmail.com:
 Hi,
 Hello,

 there is patch proposal to treat properly the 'detach token(reader)'
 event
 and to remove the slots associated to the removed token.

 Tested in Linux and windows.
 'SCardGetStatusChange' has different behavior in Linux and Windows.
 Needs to be studied and validated for Mac.


 https://github.com/viktorTarasov/OpenSC/commit/62bda63bd66c4849c0ca4303a9682fb6f6bacd7d
   /* When token is hot-unplugged:
* - in Linux (pcsc-lite)
* -- SCardGetStatusChange returns OK;
* -- current reader state is 'UNKNOWN';
* -- 'Refresh-attributes' returns 'SC_ERROR_READER_DETACHED'.
*
* - in Windows (WinSCard):
* -- SCardGetStatusChange fails with SCARD_E_NO_READERS_AVAILABLE;
* -- 'Refresh-attributes' returns 'SC_ERROR_NO_READERS_FOUND'.
*
* - FIXME: Mac?
*/

 I just checked on Mac OS X 10.6.8 (Snow Leopard) and I have nearly the
 same result as on GNU/Linux.
 On GNU/Linux : new state is 14 = ['Changed', 'Unknown', 'Unavailable']
 On Mac OS X : new state is 6 = ['Changed', 'Unknown']

 On Windows, do you also get the error SCARD_E_NO_READERS_AVAILABLE
 when you use TWO readers in the SCardGetStatusChange() call?
 I do not completely follow.

 SCardGetStatusChange is called by refresh_attributes(sc_reader_t *reader).
 In this context there is only one reader.

 When this reader is unplugged in Windows the SCardGetStatusChange returns
 8010002E -- SCARD_E_NO_READERS_AVAILABLE.
 In Linux SCardGetStatusChange returns OK and properly sets a new reader
 status.
 Imho both have a reason.
 I can't reproduce the problem on my Windows XP using my Python sample.

 If SCardGetStatusChange() is called with a removed/unknown reader then
 Windows SCardGetStatusChange() returns with SCARD_E_UNKNOWN_READER. I
 just changed pcsc-lite in revision 5881 to also return
 SCARD_E_UNKNOWN_READER when called with unknown reader(s).

 If I unplug a reader while SCardGetStatusChange() is running I get
 SCARD_S_SUCCESS and the new reader state is ['Ignore', 'Changed',
 'Unavailable']

 Viktor, are you using Windows XP? or a newer version?

I use Windows XP SP2 in a VM and pkcs11-tool from OpenSC to run the tests.
I will experiment with more debug output to get to know the details of the calling
context.

For you the 'normal' behavior of SCardGetStatusChange() is to return
SCARD_S_SUCCESS and the appropriate reader status,
is that so?

 Bye

Kind regards,
Viktor.


Re: [opensc-devel] Patch: remove slots of detached reader(token)

2011-08-11 Thread Ludovic Rousseau
2011/8/11 Viktor Tarasov viktor.tara...@gmail.com:
 On 08/08/2011 16:31, Ludovic Rousseau wrote:

 2011/7/19 Viktor Tarasovviktor.tara...@gmail.com:

 On 18/07/2011 14:52, Ludovic Rousseau wrote:

 2011/7/10 Viktor Tarasovviktor.tara...@gmail.com:

 Hi,

 Hello,

 there is patch proposal to treat properly the 'detach token(reader)'
 event
 and to remove the slots associated to the removed token.

 Tested in Linux and windows.
 'SCardGetStatusChange' has different behavior in Linux and Windows.
 Needs to be studied and validated for Mac.



 https://github.com/viktorTarasov/OpenSC/commit/62bda63bd66c4849c0ca4303a9682fb6f6bacd7d

  /* When token is hot-unplugged:
   * - in Linux (pcsc-lite)
   * -- SCardGetStatusChange returns OK;
   * -- current reader state is 'UNKNOWN';
   * -- 'Refresh-attributes' returns 'SC_ERROR_READER_DETACHED'.
   *
   * - in Windows (WinSCard):
   * -- SCardGetStatusChange fails with SCARD_E_NO_READERS_AVAILABLE;
   * -- 'Refresh-attributes' returns 'SC_ERROR_NO_READERS_FOUND'.
   *
   * - FIXME: Mac?
   */

 I just checked on Mac OS X 10.6.8 (Snow Leopard) and I have nearly the
 same result as on GNU/Linux.
 On GNU/Linux : new state is 14 = ['Changed', 'Unknown',
 'Unavailable']
 On Mac OS X : new state is 6 = ['Changed', 'Unknown']

 On Windows, do you also get the error SCARD_E_NO_READERS_AVAILABLE
 when you use TWO readers in the SCardGetStatusChange() call?

 I do not completely follow.

 SCardGetStatusChange is called by refresh_attributes(sc_reader_t
 *reader).
 In this context there is only one reader.

 When this reader is unplugged in Windows the SCardGetStatusChange returns
 8010002E -- SCARD_E_NO_READERS_AVAILABLE.
 In Linux SCardGetStatusChange returns OK and properly sets a new reader
 status.
 Imho both have a reason.

 I can't reproduce the problem on my Windows XP using my Python sample.

 If SCardGetStatusChange() is called with a removed/unknown reader then
 Windows SCardGetStatusChange() returns with SCARD_E_UNKNOWN_READER. I
 just changed pcsc-lite in revision 5881 to also return
 SCARD_E_UNKNOWN_READER when called with unknown reader(s).

 If I unplug a reader while SCardGetStatusChange() is running I get
 SCARD_S_SUCCESS and the new reader state is ['Ignore', 'Changed',
 'Unavailable']

 Viktor, are you using Windows XP? or a newer version?

 I use Windows XP SP2 in a VM and pkcs11-tool from OpenSC to run the tests.
 I will experiment with more debug output to get to know the details of the calling
 context.

I used my Python sample test
http://anonscm.debian.org/viewvc/pcsclite/trunk/PCSC/UnitaryTests/SCardGetStatusChange.py?view=markup

 For you the 'normal' behavior of SCardGetStatusChange() is to return
 SCARD_S_SUCCESS and the appropriate reader status,
 is that so?

Yes. Unless the reader is unknown (has been removed) _before_
SCardGetStatusChange() is called.

From your log opensc-debug.win32.detach-unique-token.log I interpret it as:
- OpenSC gets a card removed event
2011-07-22 11:34:45.763 'Aktiv Rutoken ECP 0' before=0x00010122 now=0x000B
2011-07-22 11:34:45.763 card removed event

- OpenSC calls SCardGetStatusChange() and get SCARD_E_NO_READERS_AVAILABLE
2011-07-22 11:34:45.950 [opensc-pkcs11]
reader-pcsc.c:361:pcsc_detect_card_presence: called
2011-07-22 11:34:45.950 Aktiv Rutoken ECP 0 check
2011-07-22 11:34:45.950 Aktiv Rutoken ECP 0:SCardGetStatusChange
failed: 0x8010002e
2011-07-22 11:34:45.950 [opensc-pkcs11]
reader-pcsc.c:365:pcsc_detect_card_presence: returning with: -1101 (No
readers found)

Since this is a token, a card removed event is also a reader removed event.
So it is normal to get an error from SCardGetStatusChange(). pcsc-lite
will return SCARD_E_UNKNOWN_READER instead of
SCARD_E_NO_READERS_AVAILABLE returned by Windows XP.
Windows XP also returns SCARD_E_UNKNOWN_READER (with my sample). So I
guess my Python sample does not do exactly what OpenSC is doing.

I will do more testing and try to find in which cases Windows returns
SCARD_E_NO_READERS_AVAILABLE.

Bye

-- 
 Dr. Ludovic Rousseau
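The three platform outcomes of SCardGetStatusChange() worked out in this thread, folded into one caller-side decision, as an added example (not OpenSC's reader-pcsc.c code): classify_status_change() and describe_state() are this example's own names; the SCARD_* constants carry the WinSCard/pcsc-lite header values, of which only 0x8010002E appears in the log quoted above.

```c
#include <stdio.h>
#include <string.h>

/* WinSCard / pcsc-lite values; 0x8010002E is the one quoted in the log. */
#define SCARD_S_SUCCESS              0x00000000UL
#define SCARD_E_UNKNOWN_READER       0x80100009UL
#define SCARD_E_NO_READERS_AVAILABLE 0x8010002EUL

#define SCARD_STATE_IGNORE      0x0001UL
#define SCARD_STATE_CHANGED     0x0002UL
#define SCARD_STATE_UNKNOWN     0x0004UL
#define SCARD_STATE_UNAVAILABLE 0x0008UL
#define SCARD_STATE_EMPTY       0x0010UL
#define SCARD_STATE_PRESENT     0x0020UL

enum reader_verdict { READER_OK, READER_DETACHED, CALL_FAILED };

/* Collapse the platform-specific outcomes discussed in the thread:
 *  - Windows XP: SCARD_E_NO_READERS_AVAILABLE (or SCARD_E_UNKNOWN_READER)
 *  - pcsc-lite r5881+: SCARD_E_UNKNOWN_READER if the reader is already gone
 *  - pcsc-lite / Mac OS X: SCARD_S_SUCCESS with UNKNOWN and/or UNAVAILABLE set
 * All three mean the same thing to the caller: drop that reader's slots. */
enum reader_verdict classify_status_change(unsigned long rv, unsigned long state)
{
    if (rv == SCARD_E_UNKNOWN_READER || rv == SCARD_E_NO_READERS_AVAILABLE)
        return READER_DETACHED;
    if (rv != SCARD_S_SUCCESS)
        return CALL_FAILED;              /* some other PC/SC error */
    if (state & (SCARD_STATE_UNKNOWN | SCARD_STATE_UNAVAILABLE))
        return READER_DETACHED;
    return READER_OK;
}

/* Render dwEventState with the names used in the thread, e.g. 14 ->
 * "Changed|Unknown|Unavailable". Returns buf for convenience. */
const char *describe_state(unsigned long state, char *buf, size_t cap)
{
    static const struct { unsigned long bit; const char *name; } names[] = {
        { SCARD_STATE_IGNORE, "Ignore" },   { SCARD_STATE_CHANGED, "Changed" },
        { SCARD_STATE_UNKNOWN, "Unknown" }, { SCARD_STATE_UNAVAILABLE, "Unavailable" },
        { SCARD_STATE_EMPTY, "Empty" },     { SCARD_STATE_PRESENT, "Present" },
    };
    size_t i, used = 0;
    buf[0] = '\0';
    for (i = 0; i < sizeof names / sizeof names[0]; i++) {
        if (!(state & names[i].bit)) continue;
        if (used >= cap) break;          /* buffer full: stop, stay in bounds */
        used += (size_t)snprintf(buf + used, cap - used,
                                 "%s%s", used ? "|" : "", names[i].name);
    }
    return buf;
}
```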


Re: [opensc-devel] Support for Secret Key Objects both session and on card

2011-08-11 Thread Douglas E. Engert


On 8/11/2011 11:19 AM, Viktor Tarasov wrote:
 On 11/08/2011 16:49, Douglas E. Engert wrote:
 Viktor,
 Martin points out that both your branch and my ecdh branch
 at dengert/OpenSC define a struct sc_pkcs15_skey_info.
 https://github.com/viktorTarasov/OpenSC/commit/819bd829563020c2abad7537a245d57604951aec

 I will look it more carefully a little bit later.


 But my first impression is that the intersection of our code is quite limited.
 My code mainly concerns the 'secretKey' pkcs15 object as it is defined by the
 standard and its use as an 'authenticationKey'.
 AFAIS, you don't need it, and the intersection is limited to the definition of the
 'secret_key_info' data type.

In my ecdh branch, there is a hook to call a sc_pkcs15init_store_secret_key
routine that should allow for storing a secret key on a card.
I did not address the generation of a secret key other than via derive.

I believe my skey_info contains all the fields that your version needs.


 Your definition is wider and encompasses mine, so I propose to go ahead
 with your patches,
 and I will update my branch later.

Thanks. That's up to Martin.



 See my note of 8/5 Mods to add C_DeriveKey and Session
 based Secret Key Objects at GitHub

 In order to support C_DeriveKey, PKCS#11 session based secret
 key objects are needed, even if the card can not support
 secret keys or even if the card is not a PKCS#15 card.
 An skey_info structure is needed, and it also needs to
 store the value, key-type and length.

 Much of the code needed for session based objects is provided
 by the code controlled by #ifdef USE_PKCS15_INIT. (I only
 needed secret key objects, so did not attempt to provide
 support of other session based objects, but in the future
 someone may want these too.)

 This code then assumes that a profile is required, but a
 session based object does not need a profile and the object
 is never written to the card. For example in framework-pkcs15.c
 pkcs15_create_objects checks for a profile:
 rc = sc_pkcs15init_bind(p11card->card, pkcs15, NULL, &profile);
 then goes on to create the object calling one of the
 pkcs15_create_* functions, assuming the object will be
 created on the card.

 I have added a pkcs15_create_secret_key function, that
 will create session based objects, and has the hooks to
 allow one to write a sc_pkcs15init_store_secret_key.

 Note that in my pkcs15_create_secret_key function, I have
 initialized a skey_info structure, which in all the other
 objects are initialized in the sc_pkcs15init_store_* functions.
 The creation of the *_info structures for the other objects
 could also be moved up a level.

 This is what I found I needed in libopensc/pkcs15.h


 struct sc_pkcs15_skey_info {
 struct sc_pkcs15_id id;
 unsigned int usage, access_flags;
 int native, key_reference;
 size_t value_len;
 unsigned long key_type;
 int algo_refs[SC_MAX_SUPPORTED_ALGORITHMS];
 struct sc_path path; /* if on card */
 struct sc_pkcs15_der data;
 };
 typedef struct sc_pkcs15_skey_info sc_pkcs15_skey_info_t;

 #define sc_pkcs15_skey sc_pkcs15_data
 #define sc_pkcs15_skey_t sc_pkcs15_data_t




-- 

  Douglas E. Engert  deeng...@anl.gov
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444


Re: [opensc-devel] Java and pkcs11

2011-08-11 Thread Vlastimil Pavicek

You might consider this useful as well (card detection):

http://download.oracle.com/javase/6/docs/jre/api/security/smartcardio/spec/javax/smartcardio/package-summary.html

it works very well under Sun/Oracle Java.

Best regards

 VLP

__
 From: NdK ndk.cla...@gmail.com
 To: opensc-devel@lists.opensc-project.org, helpcrypto helpcrypto 
 helpcry...@gmail.com
 Date: 10.08.2011 08:36
 Subject: Re: [opensc-devel] Java and pkcs11

On 09/08/2011 20:48, Vlastimil Pavicek wrote:
 I haven't read the whole thread, but you might find this library useful (it 
 is easier to use than JNI/JNA):
 http://jce.iaik.tugraz.at/sic/Products/Core-Crypto-Toolkits/PKCS-11-Wrapper
Tks.
Found it last night. It's used by j4sign[1], which targets multiple 
platforms. On its own it seems it's not enough; it has to be used 
in parallel with the OCF wrapper (for card detection).

I'll have to dig better...

[1] http://j4sign.sourceforge.net/index.html

BYtE,
  Diego.