Re: [opensc-devel] Entersafe driver has no write support?

2011-09-28 Thread Jean-Michel Pouré - GOOZE
On Tuesday 27 September 2011 at 20:28 +0200, Stef Walter wrote:
 If it can't be fixed, then does anyone have any other recommendations
 for cards that are well rounded OpenSC cards that I can develop
 against? 

Dear Stef,

We are just releasing the ePass2003 and we want to make it the ultimate
token for Free Software developers and users:
http://www.gooze.eu/feitian-epass-2003-free-software-developer-kit

So we will find a solution.
Stay tuned I will get back to you shortly.

Kind regards,
-- 
  Jean-Michel Pouré - Gooze - http://www.gooze.eu


___
opensc-devel mailing list
opensc-devel@lists.opensc-project.org
http://www.opensc-project.org/mailman/listinfo/opensc-devel

Re: [opensc-devel] Entersafe driver has no write support?

2011-09-28 Thread Stef Walter
On 09/28/2011 08:11 AM, Jean-Michel Pouré - GOOZE wrote:
 However I was surprised by getting back CKR_FUNCTION_NOT_SUPPORTED when
 calling the PKCS#11 C_CreateObject method. It looks like the Entersafe
 driver doesn't support write operations. Am I misreading something? In
 card-entersafe.c in the sc_get_driver() function it sets both
 ops.write_binary and ops.delete_file to NULL.
 
 Dear Stef,
 
 No support of delete operations is normal, it is a security measure to
 ensure that an object cannot be overwritten by an attacker. 
 
 But PKCS#11 C interface should support writing objects. For example,
 Firefox manager allows importing of entersafe objects using PKCS#11. 

I found the source of the problem. We first have to perform
C_CreateObject for the CKO_PRIVATE_KEY and then running C_CreateObject
for a matching certificate will work.

Is this fragility necessary, or is it something that we should try to
fix in opensc?

Cheers,

Stef

Re: [opensc-devel] Problems with opensc+openvpn builds from Alon starting v10

2011-09-28 Thread business
Hi All,

any clue what is wrong?! :(

Rgds

On Sun, 25 Sep 2011 18:38:39 +0200, busin...@reebs.org wrote:
 Hello All,
 
 Currently I am having troubles to get the latest build (32bit) of
 prebuild OpenVPN/OpenSC/OpenSSL to work all together. These are found
 here:
 
 http://www.opensc-project.org/files/build.old/
 
 (btw the link to the builds if any newer shall be available from this
 page is corrupt: http://www.opensc-project.org/opensc/wiki/build).
 
 When I use the 009 build then everything is fine. However I'd like to
 use the latest version, and Alon had a few months ago made a newer build
 which I could not test until now.
 
 When trying the build 010 OpenVPN fails to connect.
 
 I get asked twice for PIN before it does something and then fails to
 connect and tries again/ask for PIN.
 
 By the way here:
 http://sites.google.com/site/alonbarlev/openssh-pkcs11
 I found some info about PKCS11 and OpenSSL don't know if it may be
 related...
 
 Regards,
 PR
 
 Here is the OpenVPN log (did not find any OpenSC/OpenSSL log...?!):
 

Re: [opensc-devel] Problems with opensc+openvpn builds from Alon starting v10

2011-09-28 Thread Alon Bar-Lev
Now?

On Wed, Sep 28, 2011 at 4:01 PM,  busin...@reebs.org wrote:
 Alon,

 I believe there is a permission issue with the new files:

 Forbidden

 You don't have permission to access /downloads/users/alonbl/build/opensc-i686-w64-mingw32-011-engine_pkcs11.tar.bz2 on this server.

 Regards,



Re: [opensc-devel] Problems with opensc+openvpn builds from Alon starting v10

2011-09-28 Thread business
Hi Alon,

Thank you for feedback!

I guess you just fixed the link to the builds as 2 minutes ago it did
not work ;)

I will test this asap

Regards


On Wed, 28 Sep 2011 15:40:00 +0300, Alon Bar-Lev
alon.bar...@gmail.com wrote:
 Use build-011
 


Re: [opensc-devel] Problems with opensc+openvpn builds from Alon starting v10

2011-09-28 Thread business
Alon,

I believe there is a permission issue with the new files:

 Forbidden
 
 You don't have permission to access /downloads/users/alonbl/build/opensc-i686-w64-mingw32-011-engine_pkcs11.tar.bz2 on this server.

Regards,

On Wed, 28 Sep 2011 15:40:00 +0300, Alon Bar-Lev
alon.bar...@gmail.com wrote:
 Use build-011
 


Re: [opensc-devel] Problems with opensc+openvpn builds from Alon starting v10

2011-09-28 Thread Alon Bar-Lev
Use build-011

On Wed, Sep 28, 2011 at 1:39 PM, busin...@reebs.org wrote:

 Hi All,

 any clue what is wrong?! :(

 Rgds


Re: [opensc-devel] Problems with opensc+openvpn builds from Alon starting v10

2011-09-28 Thread business
Yes now download works!!!

However still not able to connect.

I tried both command line and GUI. Same issue:

1- After it asks for PIN and I enter PIN it immediately asks for the PIN
again
2- It then tries to connect, but nothing happens
3- After 60 seconds it times out
4- Start another connection attempt
5- It asks for PIN and after I enter it it immediately fails and back
to point no. 4 until I break

Last working version is 009, 010 and 011 have very same issue.

Here is the command line LOG (short form):

C:\Program Files\OpenVPN\share\openvpn-win32\config..\..\..\bin\openvpn --config Banzai.ovpn --pkcs11-id OpenSC\x20Project/PKCS\x2315/0001D049/OpenSC\x20Card\x20\x28xxx\x20yyy\x29/45
Wed Sep 28 16:02:45 2011 OpenVPN 2.2.1 i686-w64-mingw32 [SSL] [LZO2] [PKCS11] built on Sep 28 2011
Wed Sep 28 16:02:45 2011 PKCS#11: Adding PKCS#11 provider 'C:\Program Files\OpenVPN\bin\opensc-pkcs11.dll'
Wed Sep 28 16:02:47 2011 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Wed Sep 28 16:02:47 2011 Control Channel Authentication: using 'ta.key' as a OpenVPN static key file
Wed Sep 28 16:02:47 2011 LZO compression initialized
Wed Sep 28 16:02:47 2011 UDPv4 link local: [undef]
Wed Sep 28 16:02:47 2011 UDPv4 link remote: 217.253.136.195:1194
Enter OpenSC Card (Patrick Reeb) token Password:
Enter OpenSC Card (Patrick Reeb) token Password:
Wed Sep 28 16:03:47 2011 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Wed Sep 28 16:03:47 2011 TLS Error: TLS handshake failed
Wed Sep 28 16:03:47 2011 SIGUSR1[soft,tls-error] received, process restarting
Wed Sep 28 16:03:49 2011 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Wed Sep 28 16:03:49 2011 Re-using SSL/TLS context
Wed Sep 28 16:03:49 2011 LZO compression initialized
Wed Sep 28 16:03:49 2011 UDPv4 link local: [undef]
Wed Sep 28 16:03:49 2011 UDPv4 link remote: 217.253.136.195:1194
Enter OpenSC Card (xxx yyy) token Password:
Wed Sep 28 16:03:59 2011 PKCS#11: Cannot perform signature 6:'CKR_FUNCTION_FAILED'
Wed Sep 28 16:03:59 2011 TLS_ERROR: BIO read tls_read_plaintext error: error:14099004:SSL routines:SSL3_SEND_CLIENT_VERIFY:RSA lib
Wed Sep 28 16:03:59 2011 TLS Error: TLS object - incoming plaintext read error
Wed Sep 28 16:03:59 2011 TLS Error: TLS handshake failed
Wed Sep 28 16:03:59 2011 SIGUSR1[soft,tls-error] received, process restarting
Wed Sep 28 16:04:01 2011 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Wed Sep 28 16:04:01 2011 Re-using SSL/TLS context
Wed Sep 28 16:04:01 2011 LZO compression initialized
Wed Sep 28 16:04:01 2011 UDPv4 link local: [undef]
Wed Sep 28 16:04:01 2011 UDPv4 link remote: 217.253.136.195:1194
Enter OpenSC Card (Patrick Reeb) token Password:
Wed Sep 28 16:04:07 2011 PKCS#11: Cannot perform signature 6:'CKR_FUNCTION_FAILED'
Wed Sep 28 16:04:07 2011 TLS_ERROR: BIO read tls_read_plaintext error: error:14099004:SSL routines:SSL3_SEND_CLIENT_VERIFY:RSA lib
Wed Sep 28 16:04:07 2011 TLS Error: TLS object - incoming plaintext read error
Wed Sep 28 16:04:07 2011 TLS Error: TLS handshake failed


On Wed, 28 Sep 2011 16:04:24 +0300, Alon Bar-Lev
alon.bar...@gmail.com wrote:
 Now?
 


Re: [opensc-devel] Entersafe driver has no write support?

2011-09-28 Thread Douglas E. Engert


On 9/28/2011 3:07 AM, Stef Walter wrote:
 On 09/28/2011 08:11 AM, Jean-Michel Pouré - GOOZE wrote:
 However I was surprised by getting back CKR_FUNCTION_NOT_SUPPORTED when
 calling the PKCS#11 C_CreateObject method. It looks like the Entersafe
 driver doesn't support write operations. Am I misreading something? In
 card-entersafe.c in the sc_get_driver() function it sets both
 ops.write_binary and ops.delete_file to NULL.

 Dear Stef,

 No support of delete operations is normal, it is a security measure to
 ensure that an object cannot be overwritten by an attacker.

 But PKCS#11 C interface should support writing objects. For example,
 Firefox manager allows importing of entersafe objects using PKCS#11.

 I found the source of the problem. We first have to perform
 C_CreateObject for the CKO_PRIVATE_KEY and then running C_CreateObject
 for a matching certificate will work.

 Is this fragility necessary, or is it something that we should try to
 fix in opensc?

It's not an OpenSC issue. You can have PKCS#11 private key objects independent
of any cert objects. So the PKCS#11 caller needs to do two operations.



 Cheers,

 Stef

-- 

  Douglas E. Engert  deeng...@anl.gov
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444

Re: [opensc-devel] Problems with opensc+openvpn builds from Alon starting v10

2011-09-28 Thread Alon Bar-Lev
set verb 255 and log to a file.


Re: [opensc-devel] Problems with opensc+openvpn builds from Alon starting v10

2011-09-28 Thread business
This does not work. 

If I set Verb above 7 I get following loop under Command Line and GUI:

http://imageshack.us/photo/my-images/829/unbenanntrg.jpg/

until it fails.

If I set log filename.txt in the configuration file and run from CLI,
it will go up to the point where pin is required but then fail as it
cannot get pin from stdin (btw using win32 version on win Xp and card is
former Cryptoflex from gemalto):

[END OF LOGFILE]:
Wed Sep 28 17:51:24 2011 us=984000 SSL state (connect): SSLv3 read
server certificate request A
Wed Sep 28 17:51:24 2011 us=984000 SSL state (connect): SSLv3 read
server done A
Wed Sep 28 17:51:24 2011 us=984000 SSL state (connect): SSLv3 write
client certificate A
Wed Sep 28 17:51:25 2011 us=796000 SSL state (connect): SSLv3 write
client key exchange A
Wed Sep 28 17:51:25 2011 us=796000 PKCS#11: __pkcs11h_openssl_enc
entered - flen=36, from=0022F080, to=00DAF33E, rsa=00D5CAA8, padding=1
Wed Sep 28 17:51:25 2011 us=796000 PKCS#11: Performing signature
Wed Sep 28 17:51:25 2011 us=796000 PKCS#11: pkcs11h_certificate_signAny
entry certificate=00D5E088, mech_type=1, source=0022F080,
source_size=0024, target=00DAF33E, *p_target_size=0100
Wed Sep 28 17:51:25 2011 us=796000 PKCS#11: Getting key attributes
Wed Sep 28 17:51:25 2011 us=796000 PKCS#11:
__pkcs11h_certificate_getKeyAttributes entry certificate=00D5E088
Wed Sep 28 17:51:25 2011 us=796000 PKCS#11:
_pkcs11h_session_freeObjectAttributes entry attrs=0022EEA0, count=4
Wed Sep 28 17:51:25 2011 us=796000 PKCS#11:
_pkcs11h_session_freeObjectAttributes return
Wed Sep 28 17:51:25 2011 us=796000 PKCS#11: Get private key attributes
failed: 130:'CKR_OBJECT_HANDLE_INVALID'
Wed Sep 28 17:51:25 2011 us=796000 PKCS#11:
_pkcs11h_certificate_resetSession entry certificate=00D5E088,
public_only=0, session_mutex_locked=1
Wed Sep 28 17:51:25 2011 us=796000 PKCS#11:
_pkcs11h_session_getObjectById entry session=00D6AD10, class=3,
id=00D6AD00, id_size=0001, p_handle=00D5E098
Wed Sep 28 17:51:25 2011 us=796000 PKCS#11: _pkcs11h_session_validate
entry session=00D6AD10
Wed Sep 28 17:51:25 2011 us=796000 PKCS#11: _pkcs11h_session_validate
session-pin_expire_time=0, time=1317225085
Wed Sep 28 17:51:25 2011 us=796000 PKCS#11: _pkcs11h_session_validate
return rv=0-'CKR_OK'
Wed Sep 28 17:51:25 2011 us=796000 PKCS#11:
_pkcs11h_session_findObjects entry session=00D6AD10, filter=0022EDC0,
filter_attrs=2, p_objects=0022EDDC, p_objects_found=0022EDD8
Wed Sep 28 17:51:25 2011 us=796000 PKCS#11:
_pkcs11h_session_findObjects return rv=0-'CKR_OK', *p_objects_found=0
Wed Sep 28 17:51:25 2011 us=796000 PKCS#11:
_pkcs11h_session_getObjectById return rv=512-'CKR_FUNCTION_REJECTED',
*p_handle=
Wed Sep 28 17:51:25 2011 us=796000 PKCS#11: _pkcs11h_session_login
entry session=00D6AD10, is_publicOnly=0, readonly=1, user_data=,
mask_prompt=0003
Wed Sep 28 17:51:25 2011 us=796000 PKCS#11: _pkcs11h_session_logout
entry session=00D6AD10
Wed Sep 28 17:51:25 2011 us=796000 PKCS#11: _pkcs11h_session_logout
return
Wed Sep 28 17:51:25 2011 us=796000 PKCS#11: _pkcs11h_session_reset
entry session=00D6AD10, user_data=, mask_prompt=0003,
p_slot=0022EDDC
Wed Sep 28 17:51:25 2011 us=796000 PKCS#11: _pkcs11h_session_reset
Expected token manufacturerID='OpenSC Project' model='PKCS#15',
serialNumber='0001D049', label='OpenSC Card (xxx yyy)'
Wed Sep 28 17:51:25 2011 us=796000 PKCS#11:
_pkcs11h_session_getSlotList entry provider=00D63DD0, token_present=1,
pSlotList=0022E96C, pulCount=0022E968
Wed Sep 28 17:51:25 2011 us=796000 PKCS#11:
_pkcs11h_session_getSlotList return rv=0-'CKR_OK' *pulCount=1
Wed Sep 28 17:51:25 2011 us=796000 PKCS#11: _pkcs11h_token_getTokenId
entry p_token_id=0022E964
Wed Sep 28 17:51:25 2011 us=796000 PKCS#11: _pkcs11h_token_newTokenId
entry p_token_id=0022E85C
Wed Sep 28 17:51:25 2011 us=796000 PKCS#11: _pkcs11h_token_newTokenId
return rv=0-'CKR_OK', *p_token_id=00DA9728
Wed Sep 28 17:51:25 2011 us=796000 PKCS#11: _pkcs11h_token_getTokenId
return rv=0-'CKR_OK', *p_token_id=00DA9728
Wed Sep 28 17:51:25 2011 us=796000 PKCS#11: _pkcs11h_session_reset
Found token manufacturerID='OpenSC Project' model='PKCS#15',
serialNumber='0001D049', label='OpenSC Card (xxx yyy)'
Wed Sep 28 17:51:25 2011 us=796000 PKCS#11: pkcs11h_token_freeTokenId
entry certificate_id=00DA9728
Wed Sep 28 17:51:25 2011 us=796000 PKCS#11: pkcs11h_token_freeTokenId
return
Wed Sep 28 17:51:25 2011 us=796000 PKCS#11: _pkcs11h_session_reset
return rv=0-'CKR_OK', *p_slot=1
Wed Sep 28 17:51:25 2011 us=796000 PKCS#11: Calling pin_prompt hook for
'OpenSC Card (xxx yyy)'
Wed Sep 28 17:51:25 2011 us=796000 ERROR: could not not read OpenSC
Card (xxx yyy) token password from stdin
Wed Sep 28 17:51:25 2011 us=796000 Exiting
Wed Sep 28 17:51:25 2011 us=796000 Closing Win32 semaphore
'openvpn_netcmd'

On Wed, 28 Sep 2011 18:30:14 +0300, Alon Bar-Lev
alon.bar...@gmail.com wrote:
 set verb 255 and log to a file.
 
 On Wed, Sep 28, 2011 at 5:10 PM,  
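
The verbose log in the message above, triaged as an added example (not code from the thread or from OpenVPN): it rejoins the mail-wrapped log lines, then pulls out the non-OK PKCS#11 return codes and the events recorded around them. The names `unwrap`, `failures` and `diagnose` are hypothetical, and the sample is an excerpt of the posted log with its line wrapping kept.

```python
import re

# Excerpt of the verbose (high --verb) log posted above, wrapping preserved.
SAMPLE_LOG = """\
Wed Sep 28 17:51:25 2011 us=796000 PKCS#11: Performing signature
Wed Sep 28 17:51:25 2011 us=796000 PKCS#11: Get private key attributes
failed: 130:'CKR_OBJECT_HANDLE_INVALID'
Wed Sep 28 17:51:25 2011 us=796000 PKCS#11:
_pkcs11h_session_findObjects return rv=0-'CKR_OK', *p_objects_found=0
Wed Sep 28 17:51:25 2011 us=796000 PKCS#11:
_pkcs11h_session_getObjectById return rv=512-'CKR_FUNCTION_REJECTED',
*p_handle=
Wed Sep 28 17:51:25 2011 us=796000 PKCS#11: _pkcs11h_session_reset
return rv=0-'CKR_OK', *p_slot=1
Wed Sep 28 17:51:25 2011 us=796000 PKCS#11: Calling pin_prompt hook for
'OpenSC Card (xxx yyy)'
Wed Sep 28 17:51:25 2011 us=796000 ERROR: could not not read OpenSC
Card (xxx yyy) token password from stdin
"""

# A log record starts with a ctime-style timestamp, optionally followed by
# the microsecond field that OpenVPN adds at high verbosity.
TS_RE = re.compile(
    r"^(\w{3} \w{3} +\d{1,2} \d{2}:\d{2}:\d{2} \d{4})(?: us=\d+)?(?: (.*))?$"
)
# Return codes appear as rv=512-'CKR_...' or as 130:'CKR_...'.
RV_RE = re.compile(r"(?:rv=)?(\d+)[-:]'(CKR_[A-Z_]+)'")
# An object search that completed without error but matched nothing.
FIND_EMPTY_RE = re.compile(
    r"_pkcs11h_session_findObjects return .*\*p_objects_found=0\b"
)


def unwrap(text):
    """Rejoin wrapped lines into (timestamp, message) records.

    Any line without a leading timestamp is treated as the continuation of
    the previous record. This handles word-boundary wrapping (as in the
    verbose log); a console hard wrap that splits a word would need the
    pieces joined without a space instead.
    """
    records = []
    for raw in text.splitlines():
        line = raw.strip()          # quoted mail copies carry leading spaces
        if not line:
            continue
        m = TS_RE.match(line)
        if m:
            records.append([m.group(1), m.group(2) or ""])
        elif records:
            records[-1][1] = (records[-1][1] + " " + line).strip()
    return [(ts, msg) for ts, msg in records]


def failures(records):
    """Return (code, name, message) for every PKCS#11 result other than CKR_OK."""
    out = []
    for _, msg in records:
        for code, name in RV_RE.findall(msg):
            if name != "CKR_OK":
                out.append((int(code), name, msg))
    return out


def diagnose(records):
    """Summarise what the log records; this is a description, not a root cause."""
    msgs = [msg for _, msg in records]
    names = [name for _, name, _ in failures(records)]
    return {
        # the cached private key handle was rejected by the module
        "stale_key_handle": "CKR_OBJECT_HANDLE_INVALID" in names,
        # the follow-up search for the key object returned zero objects
        "key_lookup_empty": any(FIND_EMPTY_RE.search(m) for m in msgs),
        # the helper fell back to a fresh login and asked for the PIN again
        "relogin_triggered": any("Calling pin_prompt hook" in m for m in msgs),
        # with output redirected to a file the PIN could not be read
        "pin_read_failed": any(
            m.startswith("ERROR") and "token password from stdin" in m
            for m in msgs
        ),
    }


if __name__ == "__main__":
    recs = unwrap(SAMPLE_LOG)
    for code, name, msg in failures(recs):
        print(f"{code:>4} {name}: {msg}")
    for flag, seen in diagnose(recs).items():
        print(f"{flag}: {seen}")
```
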

Re: [opensc-devel] Entersafe driver has no write support?

2011-09-28 Thread Stef Walter
On 09/28/2011 04:14 PM, Douglas E. Engert wrote:
 It's not an OpenSC issue. You can have PKCS#11 private key objects independent
 of any cert objects. So the PKCS#11 caller needs to do two operations.

Right, obviously. What I meant was that currently you can't store a 
certificate via PKCS#11 until a key (from what I can tell: a matching 
key) has been stored.

Cheers,

Stef
