[opensc-devel] Fwd: Re: [Muscle] pcscd / firefox / ubuntu on android

2012-10-19 Thread Douglas E. Engert
Another user testing 0.13.0pre1 ...


 Original Message 
Subject: Re: [Muscle] pcscd / firefox / ubuntu on android
Date: Fri, 19 Oct 2012 16:30:50 -0400
From: James Southwell 
Reply-To: ja...@thesouthwells.com
To: Douglas E. Engert 

Downloaded 0.13pre1 last night and compiled. Email certs work as
stated with work around. Thank you. I have one last issue, but it is
Citrix related.

Jim

On Thu, Oct 18, 2012 at 10:59 PM, Douglas E. Engert  wrote:
> Ask on the opensc-mail list. There is a 0.13.0-rc1 available.
>
>
> On 10/18/2012 7:40 PM, James Southwell wrote:
>>
>> When is opensc 0.13 going to be released?
>>
>> Thanks
>> ___
>> Muscle mailing list
>> mus...@lists.musclecard.com
>> http://lists.drizzle.com/mailman/listinfo/muscle
>>
>>
>
> --
>
>  Douglas E. Engert  
>  Argonne National Laboratory
>  9700 South Cass Avenue
>  Argonne, Illinois  60439
>  (630) 252-5444
>
>




___
opensc-devel mailing list
opensc-devel@lists.opensc-project.org
http://www.opensc-project.org/mailman/listinfo/opensc-devel


Re: [opensc-devel] PIN not sent to card before signing

2012-10-19 Thread Douglas E. Engert


On 10/19/2012 8:02 AM, Mathias Tausig wrote:
> Hello!
>
> I am writing a PKCS#15 application for a (cardos v4.4) smartcard which
> references an external signature application. The RSA key and the PIN are
> stored in that external application, the PIN needs to be verified upon every
> key usage.
>
> To accomplish this, I have set the userConsent value in the
> PrivateKeyDictionaryFile to 1.
>
> Here is the content of the PrkDF (output from openssl):
>
> 0:d=0  hl=2 l=  67 cons: SEQUENCE
>  2:d=1  hl=2 l=  30 cons:  SEQUENCE
>  4:d=2  hl=2 l=  18 prim:   UTF8STRING:Signaturschlüssel
> 24:d=2  hl=2 l=   2 prim:   BIT STRING
> - 07 80 ..
> 28:d=2  hl=2 l=   1 prim:   OCTET STRING
> - 11.
> 31:d=2  hl=2 l=   1 prim:   INTEGER   :01
> 34:d=1  hl=2 l=  14 cons:  SEQUENCE
> 36:d=2  hl=2 l=   1 prim:   OCTET STRING  :B
> 39:d=2  hl=2 l=   2 prim:   BIT STRING
> - 05.
>0002 - 
> 43:d=2  hl=2 l=   2 prim:   BIT STRING
> - 03 b8 ..
> 47:d=2  hl=2 l=   1 prim:   INTEGER   :02
> 50:d=1  hl=2 l=  17 cons:  cont [ 1 ]
> 52:d=2  hl=2 l=  15 cons:   SEQUENCE
> 54:d=3  hl=2 l=   6 cons:SEQUENCE
> 56:d=4  hl=2 l=   4 prim: OCTET STRING
> - 3f 00 1f ff   ?...
> 62:d=3  hl=2 l=   2 prim:INTEGER   :0400
> 66:d=3  hl=2 l=   1 prim:INTEGER   :14
> 69:d=0  hl=2 l=   0 prim: EOC
>
> The problem is, that when I try to use the card with pkcs11-tool (either with
> the --test option or with a --sign command), it doesn't verify the pin before
> signing. Here is the relevant part of the APDU output:
>
> Oct 19 14:40:20 off17 pcscd[4590]: 6755 APDU: 00 A4 08 00 02 1F FF
> Oct 19 14:40:20 off17 pcscd[4590]: 00024106 SW: 90 00
> Oct 19 14:40:20 off17 pcscd[4590]: 1410 APDU: 00 20 00 81 06 31 32 33 34 35 36
> Oct 19 14:40:20 off17 pcscd[4590]: 00048516 SW: 90 00
> Oct 19 14:40:20 off17 pcscd[4590]: 5039 APDU: 00 A4 08 00 02 50 15
> Oct 19 14:40:20 off17 pcscd[4590]: 00024963 SW: 90 00
> Oct 19 14:40:20 off17 pcscd[4590]: 1737 APDU: 00 A4 08 00 02 1F FF
> Oct 19 14:40:20 off17 pcscd[4590]: 00028271 SW: 90 00
> Oct 19 14:40:20 off17 pcscd[4590]: 0164 APDU: 00 22 01 B6 03 83 01 02
> Oct 19 14:40:20 off17 pcscd[4590]: 00019795 SW: 90 00
> Oct 19 14:40:20 off17 pcscd[4590]: 0185 APDU: 00 2A 9E 9A 80 00 01 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF 00 30 21 30 09 06 05 2B 0E 03 02 1A 05 00 04 14 04 75 95 D0 FA E9 72 FB ED 0C 51 B4 A4 1C 7A 34 9E 0C 47 BB 80
> Oct 19 14:40:20 off17 pcscd[4590]: 00039821 SW: 69 82
>
> In the first two commands the signature DF (1fff) is entered and the PIN
> verified, then it switches back to the PKCS#15 DF without doing anything
> there (APDU#3). Then the signature DF is reentered and a signing command is
> tried without prior authentication.
>
> Is this a bug, is the userConsent field not heeded, or am I missing something?
>

It sounds like a bug, in that the opensc-pkcs11 will support the PKCS#11
CKA_ALWAYS_AUTHENTICATE flag, i.e. PKCS#15 user_consent, but the pkcs11-tool
does not test for it and prompt for the PIN again or use the PIN from
the command line again. It would not take too much to add the code
to pkcs11-tool.

Can you run your test using the pkcs11-spy.so as the module with pkcs11-tool?

(Mozilla NSS, used by TB and FF, has the same issue.)

OpenSC 0.13.0-rc1 has a new option in opensc.conf to allow the PIN to be
cached for use by applications that do not yet support CKA_ALWAYS_AUTHENTICATE.




> cheers
> Mathias
>
> ___
> opensc-devel mailing list
> opensc-devel@lists.opensc-project.org
> http://www.opensc-project.org/mailman/listinfo/opensc-devel
>

-- 

  Douglas E. Engert  
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444



[opensc-devel] PIN not sent to card before signing

2012-10-19 Thread Mathias Tausig
Hello!

I am writing a PKCS#15 application for a (cardos v4.4) smartcard which 
references an external signature application. The RSA key and the PIN are 
stored in that external application, the PIN needs to be verified upon every 
key usage.

To accomplish this, I have set the userConsent value in the 
PrivateKeyDictionaryFile to 1.

Here is the content of the PrkDF (output from openssl):

0:d=0  hl=2 l=  67 cons: SEQUENCE  
2:d=1  hl=2 l=  30 cons:  SEQUENCE  
4:d=2  hl=2 l=  18 prim:   UTF8STRING:Signaturschlüssel
   24:d=2  hl=2 l=   2 prim:   BIT STRING
   - 07 80 ..
   28:d=2  hl=2 l=   1 prim:   OCTET STRING  
   - 11.
   31:d=2  hl=2 l=   1 prim:   INTEGER   :01
   34:d=1  hl=2 l=  14 cons:  SEQUENCE  
   36:d=2  hl=2 l=   1 prim:   OCTET STRING  :B
   39:d=2  hl=2 l=   2 prim:   BIT STRING
   - 05.
  0002 - 
   43:d=2  hl=2 l=   2 prim:   BIT STRING
   - 03 b8 ..
   47:d=2  hl=2 l=   1 prim:   INTEGER   :02
   50:d=1  hl=2 l=  17 cons:  cont [ 1 ]
   52:d=2  hl=2 l=  15 cons:   SEQUENCE  
   54:d=3  hl=2 l=   6 cons:SEQUENCE  
   56:d=4  hl=2 l=   4 prim: OCTET STRING  
   - 3f 00 1f ff   ?...
   62:d=3  hl=2 l=   2 prim:INTEGER   :0400
   66:d=3  hl=2 l=   1 prim:INTEGER   :14
   69:d=0  hl=2 l=   0 prim: EOC   

The problem is, that when I try to use the card with pkcs11-tool (either with 
the --test option or with a --sign command), it doesn't verify the pin before 
signing. Here is the relevant part of the APDU output:

Oct 19 14:40:20 off17 pcscd[4590]: 6755 APDU: 00 A4 08 00 02 1F FF
Oct 19 14:40:20 off17 pcscd[4590]: 00024106 SW: 90 00
Oct 19 14:40:20 off17 pcscd[4590]: 1410 APDU: 00 20 00 81 06 31 32 33 34 35 36
Oct 19 14:40:20 off17 pcscd[4590]: 00048516 SW: 90 00
Oct 19 14:40:20 off17 pcscd[4590]: 5039 APDU: 00 A4 08 00 02 50 15
Oct 19 14:40:20 off17 pcscd[4590]: 00024963 SW: 90 00
Oct 19 14:40:20 off17 pcscd[4590]: 1737 APDU: 00 A4 08 00 02 1F FF
Oct 19 14:40:20 off17 pcscd[4590]: 00028271 SW: 90 00
Oct 19 14:40:20 off17 pcscd[4590]: 0164 APDU: 00 22 01 B6 03 83 01 02
Oct 19 14:40:20 off17 pcscd[4590]: 00019795 SW: 90 00
Oct 19 14:40:20 off17 pcscd[4590]: 0185 APDU: 00 2A 9E 9A 80 00 01 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF 00 30 21 30 09 06 05 2B 0E 03 02 1A 05 00 04 14 04 75 95 D0 FA E9 72 FB ED 0C 51 B4 A4 1C 7A 34 9E 0C 47 BB 80
Oct 19 14:40:20 off17 pcscd[4590]: 00039821 SW: 69 82

In the first two commands the signature DF (1fff) is entered and the PIN 
verified, then it switches back to the PKCS#15 DF without doing anything there 
(APDU#3). Then the signature DF is reentered and a signing command is tried 
without prior authentication.

Is this a bug, is the userConsent field not heeded, or am I missing something?

cheers
Mathias
