[opensc-devel] OpenSC Windows minidriver reg file for the ePass2003
Dear all,

Can anyone help me set the correct value for the ePass2003 mini driver registry:
http://download.gooze.eu/pki/opensc/windows/minidriver/exported-ePass2003.reg

The content of the file is:

    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Calais\SmartCards\OpenSC ePass2003 ECP]
    ATR=hex:3b,9f,95,81,31,fe,9f,00,66,46,53,05,01,00,11,71,df,00,00,03,6a,82,f8
    ATRMask=hex,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff
    Crypto Provider=Microsoft Base Smart Card Crypto Provider
    Smart Card Key Storage Provider=Microsoft Smart Card Key Storage Provider
    8001=opensc-minidriver.dll

    opensc-tool --atr
    Using reader with a card: Feitian ePass2003 00 00
    3b:9f:95:81:31:fe:9f:00:66:46:53:05:01:00:11:71:df:00:00:03:6a:82:f8

What is missing in my reg file to make the mini-driver work?

Kind regards,
Jean-Michel POURE

-- 
GOOZE - http://www.gooze.eu
High quality cryptographic tools for GNU/Linux, Mac OS X and Windows
POURE SASU - 17 rue Saint Jacques - 95160 Montmorency - France
Tel : +33 (0)9 72 13 53 90 - Mobile : +33 (0)6 51 99 37 90
Registry: FR 527 672 448 00018 - VAT: FR54527672448
CAcert root certificate: http://www.cacert.org/index.php?id=3
ID PGP/GPG: 084F2584

___
opensc-devel mailing list
opensc-devel@lists.opensc-project.org
http://www.opensc-project.org/mailman/listinfo/opensc-devel
Re: [opensc-devel] OpenSC Windows minidriver reg file for the ePass2003
Hello,

On Thu, Dec 20, 2012 at 12:20 PM, Jean-Michel Pouré - GOOZE jmpo...@gooze.eu wrote:
> Can anyone help me set the correct value for the ePass2003 mini driver registry:
> http://download.gooze.eu/pki/opensc/windows/minidriver/exported-ePass2003.reg
>
> The content of the file is:
>
>     Windows Registry Editor Version 5.00
>
>     [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Calais\SmartCards\OpenSC ePass2003 ECP]
>     ATR=hex:3b,9f,95,81,31,fe,9f,00,66,46,53,05,01,00,11,71,df,00,00,03,6a,82,f8
>     ATRMask=hex,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff

The length of ATRMask has to be the same as the length of ATR.

>     Crypto Provider=Microsoft Base Smart Card Crypto Provider
>     Smart Card Key Storage Provider=Microsoft Smart Card Key Storage Provider
>     8001=opensc-minidriver.dll
>
>     opensc-tool --atr
>     Using reader with a card: Feitian ePass2003 00 00
>     3b:9f:95:81:31:fe:9f:00:66:46:53:05:01:00:11:71:df:00:00:03:6a:82:f8
>
> What is missing in my reg file to make the mini-driver work?
>
> Kind regards,
> Jean-Michel POURE
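The length rule in the reply, turned into a check, as an added example that is not part of the thread and not OpenSC or GOOZE code: a small C++ checker that parses the ATR and ATRMask values of the reg file and the ATR printed by opensc-tool above, reports a mask that does not have one byte per ATR byte, and applies a masked comparison. The constants are copied from the two messages above. Two things are this example's own assumptions: that the card is matched by comparing card ATR and registry ATR byte-wise under the mask over equal lengths, and that a REG_BINARY value must carry the "hex:" prefix, so the file's "ATRMask=hex," line is reported as unparseable before its length is even considered.

```cpp
#include <cctype>
#include <cstdint>
#include <cstdio>
#include <string>
#include <vector>

// Values copied from the reg file and the opensc-tool --atr output quoted
// in the thread above.
const std::string kRegAtr  = "hex:3b,9f,95,81,31,fe,9f,00,66,46,53,05,01,00,11,71,df,00,00,03,6a,82,f8";
const std::string kRegMask = "hex,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff";
const std::string kCardAtr = "3b:9f:95:81:31:fe:9f:00:66:46:53:05:01:00:11:71:df:00:00:03:6a:82:f8";

// Parse a list of hex octets separated by ',' or ':'. Accepts the .reg
// REG_BINARY syntax ("hex:3b,9f,...") and the opensc-tool --atr syntax
// ("3b:9f:..."). A value that starts with "hex" but not with "hex:" is
// rejected: regedit would not import it as binary data (assumption).
bool parse_hex_list(const std::string &text, std::vector<uint8_t> &out) {
    std::string body = text;
    if (body.compare(0, 4, "hex:") == 0)
        body.erase(0, 4);
    else if (body.compare(0, 3, "hex") == 0)
        return false;
    out.clear();
    std::string tok;
    for (size_t i = 0; i <= body.size(); ++i) {
        if (i < body.size() && body[i] != ',' && body[i] != ':') {
            tok += body[i];
            continue;
        }
        if (tok.size() != 2 ||
            !std::isxdigit(static_cast<unsigned char>(tok[0])) ||
            !std::isxdigit(static_cast<unsigned char>(tok[1])))
            return false;
        out.push_back(static_cast<uint8_t>(std::stoul(tok, nullptr, 16)));
        tok.clear();
    }
    return !out.empty();
}

enum class RegCheck { Ok, BadAtr, BadMask, LengthMismatch };

// Check the two registry values together: both must parse, and the mask
// must have exactly one byte per ATR byte.
RegCheck check_reg_entry(const std::string &atr_value, const std::string &mask_value) {
    std::vector<uint8_t> atr, mask;
    if (!parse_hex_list(atr_value, atr)) return RegCheck::BadAtr;
    if (!parse_hex_list(mask_value, mask)) return RegCheck::BadMask;
    if (atr.size() != mask.size()) return RegCheck::LengthMismatch;
    return RegCheck::Ok;
}

// Build a full-coverage mask ("hex:ff,ff,...") of n bytes.
std::string full_mask(size_t n) {
    std::string s = "hex:";
    for (size_t i = 0; i < n; ++i) s += (i ? ",ff" : "ff");
    return s;
}

// Masked comparison (assumed rule): the card ATR matches the registry
// entry when every byte agrees under the mask. Unequal lengths never match.
bool atr_matches(const std::string &card_value, const std::string &atr_value,
                 const std::string &mask_value) {
    std::vector<uint8_t> card, atr, mask;
    if (!parse_hex_list(card_value, card) || !parse_hex_list(atr_value, atr) ||
        !parse_hex_list(mask_value, mask))
        return false;
    if (card.size() != atr.size() || atr.size() != mask.size()) return false;
    for (size_t i = 0; i < card.size(); ++i)
        if ((card[i] & mask[i]) != (atr[i] & mask[i])) return false;
    return true;
}

int main() {
    static const char *names[] = {"Ok", "BadAtr", "BadMask", "LengthMismatch"};
    std::printf("reg file as posted:   %s\n", names[(int)check_reg_entry(kRegAtr, kRegMask)]);
    std::printf("hex: prefix, 15 bytes: %s\n", names[(int)check_reg_entry(kRegAtr, full_mask(15))]);
    std::printf("hex: prefix, 23 bytes: %s\n", names[(int)check_reg_entry(kRegAtr, full_mask(23))]);
    std::printf("card matches 23-byte entry: %s\n",
                atr_matches(kCardAtr, kRegAtr, full_mask(23)) ? "yes" : "no");
    return 0;
}
```

With the posted values the checker reports BadMask; with the prefix corrected it reports LengthMismatch (15 mask bytes against a 23-byte ATR); only a 23-byte mask passes and matches the ATR that opensc-tool printed.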
[opensc-devel] Openssl pkcs11-engine using s_client with PIV card
I'm trying to debug an SSL connection to a webserver utilizing my PIV Authentication Certificate and the associated private key on my card, and I believe I've found a bug in mechanism.c.

I *think* I'm doing everything correctly, although documentation on the engine in openssl is *very* sparse. Here's how I'm setting up the connection:

    openssl
    engine -t dynamic -pre SO_PATH:/usr/lib/engines/engine_pkcs11.so -pre ID:pkcs11 -pre LIST_ADD:1 -pre LOAD -pre MODULE_PATH:src/pkcs11/.libs/opensc-pkcs11.so -pre VERBOSE
    s_client -engine pkcs11 -connect webserver:443 -CAfile ca.crt -cert pivauth.crt -certform PEM -key 1:01 -keyform engine -prexit

According to the opensc tools, my card is in slot 1 and my key is id 01. I'm fairly certain I'm using the -key and -keyform parameters correctly, but I'm not sure of -cert and -certform. Should I instead be telling openssl how to pull the cert from my card instead of the local file (which corresponds with the key)? How do I do that? (I've tried a few ways.)

This will prompt me for my pin, but then segfaults on line 428 of mechanism.c -- seemingly data is pointing to an address but has no member buffer_len (this could be wrong, my C and gdb experience is highly lacking).

    Found slot: Broadcom Corp 5880 [Contacted SmartCard] (0123456789ABCD) 00 00
    Found token: PIV_II (PIV Card Holder pin)
    Found 4 certificates:
       1 Certificate for PIV Authentication
       2 Certificate for Digital Signature
       3 Certificate for Key Management
       4 Certificate for Card Authentication
    PKCS#11 token PIN:
    Found 4 keys:
       1 P PIV AUTH key
       2 P SIGN key
       3 P KEY MAN key
       4 P CARD AUTH key

    Program received signal SIGSEGV, Segmentation fault.
    0x2c155660 in sc_pkcs11_signature_final (operation=0x6cb7d0, pSignature=0x7fffda30, pulSignatureLen=0x0) at mechanism.c:428
    428         sc_log(context, "data length %li", data->buffer_len);
    (gdb) print data
    $1 = (struct signature_data *) 0x30
    (gdb) print data->buffer_len
    Cannot access memory at address 0x248
    (gdb) backtrace
    #0  0x2c155660 in sc_pkcs11_signature_final (operation=0x6cb7d0, pSignature=0x7fffda30, pulSignatureLen=0x0) at mechanism.c:428
    #1  0x2b036e3d in look_str_cb () from /usr/lib/libcrypto.so.1.0.0
    #2  0x2b04722c in lh_doall_arg () from /usr/lib/libcrypto.so.1.0.0
    #3  0x2b03565c in engine_table_doall () from /usr/lib/libcrypto.so.1.0.0
    #4  0x2b037203 in ENGINE_pkey_asn1_find_str () from /usr/lib/libcrypto.so.1.0.0
    #5  0x2b071fa3 in EVP_PKEY_asn1_find_str () from /usr/lib/libcrypto.so.1.0.0
    #6  0x2ad179d7 in ssl_create_cipher_list () from /usr/lib/libssl.so.1.0.0
    #7  0x2ad10964 in SSL_CTX_new () from /usr/lib/libssl.so.1.0.0
    #8  0x0043d07e in ?? ()
    #9  0x00419587 in ?? ()
    #10 0x0041927d in ?? ()
    #11 0x2b363725 in __libc_start_main () from /usr/lib/libc.so.6
    #12 0x0041934d in ?? ()
    #13 0x7fffe598 in ?? ()
    #14 0x in ?? ()

Thanks for any advice/patches/help :)

Matt
Re: [opensc-devel] Segmentation fault in pkcs11-tool
Hi Douglas,

> Something completely different to try is to test use your libPkcs11.so module with FireFox or Thunderbird:

It runs fine under Firefox - it shows the slots and the slotInfo. Thunderbird I don't have, so I didn't try it.

> Can you do a ldd pkcs11-tool and ldd libPkcs11.so

Yes, for some strange reason I get

    anna@anna:~/OpenSC/src/tools$ ldd pkcs11-tool
        not a dynamic executable

That doesn't seem right. I'll try to find out what's going on. With my module:

    anna@anna:~/PKCS11_Project$ ldd libPkcs11.so
        linux-gate.so.1 => (0xb76f1000)
        libpcsclite.so.1 => /usr/local/lib/libpcsclite.so.1 (0xb73bd000)
        libstdc++.so.6 => /usr/lib/i386-linux-gnu/libstdc++.so.6 (0xb72d2000)
        librt.so.1 => /lib/i386-linux-gnu/librt.so.1 (0xb72c8000)
        libgcc_s.so.1 => /lib/i386-linux-gnu/libgcc_s.so.1 (0xb72aa000)
        libc.so.6 => /lib/i386-linux-gnu/libc.so.6 (0xb7128000)
        libpthread.so.0 => /lib/i386-linux-gnu/libpthread.so.0 (0xb710d000)
        libm.so.6 => /lib/i386-linux-gnu/libm.so.6 (0xb70e3000)
        /lib/ld-linux.so.2 (0xb76f2000)

> OK, then let's step back a bit, and set a breakpoint at C_LoadModule. It's in OpenSC ./common/libpkcs11.c

I made a debug log to show the steps I've done - it's in the attached file (I left some printouts in the code of the type "Test text" - please ignore that).

So to summarize, I can access C_GetFunctionList and it appears I get the correct function list. The address of p11 in OpenSC is identical with the one in my module. C_Initialize in OpenSC and in my module are also identical.

But I agree it could be a linking problem in my module, I just can't put my finger on what I am doing wrong :-(. I'm getting kind of desperate on this. Thanks for staying in this with me! I'll try it with libtool as you suggested and let's see what happens.

And tomorrow has to be the end of the world.. *sigh*.. this week is pretty bad :-(.

Cheers,
Anna

On Wed, Dec 19, 2012 at 4:27 PM, Douglas E. Engert deeng...@anl.gov wrote:
> ldd pkcs11

Attachment: pkcs11_debug.log
Re: [opensc-devel] Openssl pkcs11-engine using s_client with PIV card
On 12/20/2012 7:54 AM, Matthew Zimmerman wrote:
> I'm trying to debug an SSL connection to a webserver utilizing my PIV Authentication Certificate and the associated private key on my card, and I believe I've found a bug in mechanism.c.
>
> I *think* I'm doing everything correctly, although documentation on the engine in openssl is *very* sparse. Here's how I'm setting up the connection:
>
>     openssl
>     engine -t dynamic -pre SO_PATH:/usr/lib/engines/engine_pkcs11.so -pre ID:pkcs11 -pre LIST_ADD:1 -pre LOAD -pre MODULE_PATH:src/pkcs11/.libs/opensc-pkcs11.so -pre VERBOSE
>     s_client -engine pkcs11 -connect webserver:443 -CAfile ca.crt -cert pivauth.crt -certform PEM -key 1:01 -keyform engine -prexit
>
> According to the opensc tools, my card is in slot 1 and my key is id 01. I'm fairly certain I'm using the -key and -keyform parameters correctly, but I'm not sure of -cert and -certform. Should I instead be telling openssl how to pull the cert from my card instead of the local file (which corresponds with the key)? How do I do that? (I've tried a few ways.)

The OpenSC engine can pull the cert from the card, but it looks like the OpenSSL s_client does not support using an engine for the cert. It calls load_cert. Look at the load_cert (vs the load_key) routines in the OpenSSL src/apps/apps.c. It does not recognize FORMAT_ENGINE. So you have to get the cert off the card in a separate step:

    pkcs15-tool -r 01 > cert.01.pem

For the -key parameter, I have always used slot_1-id_01 for the auth cert. I had not looked to see if 1:01 works too.

An example:

    openssl <<EOT
    engine dynamic - -pre SO_PATH:$OPENSC_ENGINE/engines/engine_pkcs11.so -pre ID:pkcs11 -pre NO_VCHECK:1 -pre LIST_ADD:1 -pre LOAD -pre MODULE_PATH:$OPENSC_PATH/opensc-pkcs11.so
    dgst -engine pkcs11 -keyform engine -sign slot_1-id_02 -c -out /tmp/test.ec.sig.out fake.ec.key/ec.msg.txt
    EOT

> This will prompt me for my pin, but then segfaults on line 428 of mechanism.c -- seemingly data is pointing to an address but has no member buffer_len (this could be wrong, my C and gdb experience is highly lacking).
>
>     Found slot: Broadcom Corp 5880 [Contacted SmartCard] (0123456789ABCD) 00 00
>     Found token: PIV_II (PIV Card Holder pin)
>     Found 4 certificates:
>        1 Certificate for PIV Authentication
>        2 Certificate for Digital Signature
>        3 Certificate for Key Management
>        4 Certificate for Card Authentication
>     PKCS#11 token PIN:
>     Found 4 keys:
>        1 P PIV AUTH key
>        2 P SIGN key
>        3 P KEY MAN key
>        4 P CARD AUTH key
>
>     Program received signal SIGSEGV, Segmentation fault.
>     0x2c155660 in sc_pkcs11_signature_final (operation=0x6cb7d0, pSignature=0x7fffda30, pulSignatureLen=0x0) at mechanism.c:428
>     428         sc_log(context, "data length %li", data->buffer_len);
>     (gdb) print data
>     $1 = (struct signature_data *) 0x30
>     (gdb) print data->buffer_len
>     Cannot access memory at address 0x248
>     (gdb) backtrace
>     #0  0x2c155660 in sc_pkcs11_signature_final (operation=0x6cb7d0, pSignature=0x7fffda30, pulSignatureLen=0x0) at mechanism.c:428
>     #1  0x2b036e3d in look_str_cb () from /usr/lib/libcrypto.so.1.0.0
>     #2  0x2b04722c in lh_doall_arg () from /usr/lib/libcrypto.so.1.0.0
>     #3  0x2b03565c in engine_table_doall () from /usr/lib/libcrypto.so.1.0.0
>     #4  0x2b037203 in ENGINE_pkey_asn1_find_str () from /usr/lib/libcrypto.so.1.0.0
>     #5  0x2b071fa3 in EVP_PKEY_asn1_find_str () from /usr/lib/libcrypto.so.1.0.0
>     #6  0x2ad179d7 in ssl_create_cipher_list () from /usr/lib/libssl.so.1.0.0
>     #7  0x2ad10964 in SSL_CTX_new () from /usr/lib/libssl.so.1.0.0
>     #8  0x0043d07e in ?? ()
>     #9  0x00419587 in ?? ()
>     #10 0x0041927d in ?? ()
>     #11 0x2b363725 in __libc_start_main () from /usr/lib/libc.so.6
>     #12 0x0041934d in ?? ()
>     #13 0x7fffe598 in ?? ()
>     #14 0x in ?? ()
>
> Thanks for any advice/patches/help :)
>
> Matt

-- 
Douglas E. Engert deeng...@anl.gov
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
Re: [opensc-devel] Segmentation fault in pkcs11-tool
On 12/20/2012 8:04 AM, Anna Pavlova wrote:
> Hi Douglas,
>
>> Something completely different to try is to test use your libPkcs11.so module with FireFox or Thunderbird:
>
> It runs fine under Firefox - it shows the slots and the slotInfo. Thunderbird I don't have, so I didn't try it.
>
>> Can you do a ldd pkcs11-tool and ldd libPkcs11.so
>
> Yes, for some strange reason I get
>
>     anna@anna:~/OpenSC/src/tools$ ldd pkcs11-tool
>         not a dynamic executable

You are running it out of the build directory? That may be a shell script. The install will get the real pkcs11-tool from src/tools/.libs/pkcs11-tool

If you are building, can you use the OpenSC-0.13.0?

On Wed, Dec 5, 2012 at 6:23 PM, Greg Troxel g...@ir.bbn.com wrote:
> https://github.com/OpenSC/OpenSC/tags
> https://sourceforge.net/projects/opensc/files/OpenSC/
> https://opensc.fr/jenkins/

> That doesn't seem right. I'll try to find out what's going on. With my module:
>
>     anna@anna:~/PKCS11_Project$ ldd libPkcs11.so
>         linux-gate.so.1 => (0xb76f1000)
>         libpcsclite.so.1 => /usr/local/lib/libpcsclite.so.1 (0xb73bd000)
>         libstdc++.so.6 => /usr/lib/i386-linux-gnu/libstdc++.so.6 (0xb72d2000)
>         librt.so.1 => /lib/i386-linux-gnu/librt.so.1 (0xb72c8000)
>         libgcc_s.so.1 => /lib/i386-linux-gnu/libgcc_s.so.1 (0xb72aa000)
>         libc.so.6 => /lib/i386-linux-gnu/libc.so.6 (0xb7128000)
>         libpthread.so.0 => /lib/i386-linux-gnu/libpthread.so.0 (0xb710d000)
>         libm.so.6 => /lib/i386-linux-gnu/libm.so.6 (0xb70e3000)
>         /lib/ld-linux.so.2 (0xb76f2000)
>
>> OK, then let's step back a bit, and set a breakpoint at C_LoadModule. It's in OpenSC ./common/libpkcs11.c
>
> I made a debug log to show the steps I've done - it's in the attached file (I left some printouts in the code of the type "Test text" - please ignore that).
>
> So to summarize, I can access C_GetFunctionList and it appears I get the correct function list. The address of p11 in OpenSC is identical with the one in my module. C_Initialize in OpenSC and in my module are also identical.
>
> But I agree it could be a linking problem in my module, I just can't put my finger on what I am doing wrong :-(. I'm getting kind of desperate on this. Thanks for staying in this with me!

You are using C++, are your functions declared as C?

The use of RTLD_LAZY vs RTLD_NOW may make a difference.

Your C_GetFunctionList may be picking up something in the pkcs11-tool or one of its libraries, when it should be picking up the version in your library.

> I'll try it with libtool as you suggested and let's see what happens.
>
> And tomorrow has to be the end of the world.. *sigh*.. this week is pretty bad :-(.
>
> Cheers,
> Anna
>
> On Wed, Dec 19, 2012 at 4:27 PM, Douglas E. Engert deeng...@anl.gov wrote:
>> ldd pkcs11

-- 
Douglas E. Engert deeng...@anl.gov
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
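Doug's question about C linkage, illustrated with an added example that is not code from the thread, from Anna's module, or from OpenSC: a minimal C++ PKCS#11 module skeleton that exports C_GetFunctionList, C_Initialize and C_Finalize with extern "C", so that a loader's dlsym(handle, "C_GetFunctionList") finds the unmangled name. The CK_* typedefs and CKR_* constants are hand-written stand-ins for pkcs11.h (the values are the standard ones), the function list is cut down to the entry points shown here, and the reported version 2.20 is an assumed value.

```cpp
#include <cstdio>

// Stand-ins for the PKCS#11 types normally taken from pkcs11.h, kept
// minimal so the example compiles without the header. Values are the
// standard ones.
typedef unsigned long CK_RV;
typedef void *CK_VOID_PTR;
const CK_RV CKR_OK = 0x0;
const CK_RV CKR_ARGUMENTS_BAD = 0x7;
const CK_RV CKR_CRYPTOKI_NOT_INITIALIZED = 0x190;
const CK_RV CKR_CRYPTOKI_ALREADY_INITIALIZED = 0x191;

struct CK_VERSION { unsigned char major, minor; };

// Reduced function list: only the entry points this example implements.
// The real CK_FUNCTION_LIST has every C_* function in a fixed order.
struct CK_FUNCTION_LIST {
    CK_VERSION version;
    CK_RV (*C_Initialize)(CK_VOID_PTR);
    CK_RV (*C_Finalize)(CK_VOID_PTR);
};
typedef CK_FUNCTION_LIST *CK_FUNCTION_LIST_PTR;

namespace {
bool g_initialized = false;  // module state guarded by the init/finalize pair
}

// Every exported entry point needs C linkage. Without extern "C" the C++
// compiler emits a mangled symbol (something like
// _Z17C_GetFunctionListPP16CK_FUNCTION_LIST), dlsym() looking for the
// plain name "C_GetFunctionList" gets NULL, and a loader may end up with
// some other C_GetFunctionList it can see, which is what the reply above
// suspects is happening.
extern "C" {

CK_RV C_Initialize(CK_VOID_PTR /*pInitArgs*/) {
    if (g_initialized) return CKR_CRYPTOKI_ALREADY_INITIALIZED;
    g_initialized = true;
    return CKR_OK;
}

CK_RV C_Finalize(CK_VOID_PTR pReserved) {
    if (pReserved != nullptr) return CKR_ARGUMENTS_BAD;  // spec: must be NULL
    if (!g_initialized) return CKR_CRYPTOKI_NOT_INITIALIZED;
    g_initialized = false;
    return CKR_OK;
}

CK_RV C_GetFunctionList(CK_FUNCTION_LIST_PTR *ppFunctionList) {
    // Static table: the pointer handed out stays valid for the module's life.
    static CK_FUNCTION_LIST list = { {2, 20}, C_Initialize, C_Finalize };
    if (ppFunctionList == nullptr) return CKR_ARGUMENTS_BAD;
    *ppFunctionList = &list;
    return CKR_OK;
}

}  // extern "C"

int main() {
    CK_FUNCTION_LIST_PTR p = nullptr;
    CK_RV rv = C_GetFunctionList(&p);
    std::printf("C_GetFunctionList -> 0x%lx, version %u.%u\n",
                rv, p ? p->version.major : 0u, p ? p->version.minor : 0u);
    std::printf("C_Initialize twice -> 0x%lx then 0x%lx\n",
                p->C_Initialize(nullptr), p->C_Initialize(nullptr));
    std::printf("C_Finalize twice   -> 0x%lx then 0x%lx\n",
                p->C_Finalize(nullptr), p->C_Finalize(nullptr));
    return 0;
}
```

After building the shared object, `nm -D libPkcs11.so | grep C_GetFunctionList` should list the plain symbol; a `_Z...` name in its place means the extern "C" is missing and the dlsym() call in OpenSC's libpkcs11.c will not resolve it from that library.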
Re: [opensc-devel] Openssl pkcs11-engine using s_client with PIV card
Doug, thanks, I got it working now. Turns out it was the -t I was throwing to the openssl engine command... I don't know where I saw that or what it even does, but if I don't use it there's no segfault and the connection succeeds! Now to figure out what's different in the TLS/SSL libraries that both Chromium and Firefox fail...

    engine - dynamic -pre SO_PATH:/usr/lib/engines/engine_pkcs11.so -pre ID:pkcs11 -pre LIST_ADD:1 -pre LOAD -pre MODULE_PATH:src/pkcs11/.libs/opensc-pkcs11.so -pre VERBOSE
    s_client -engine pkcs11 -connect webserver:443 -CAfile ca.crt -state -cert cert.01.pem -key 1:01 -keyform engine

On Thu, Dec 20, 2012 at 10:58 AM, Douglas E. Engert deeng...@anl.gov wrote:
> The OpenSC engine can pull the cert from the card, but it looks like the OpenSSL s_client does not support using an engine for the cert. It calls load_cert. Look at the load_cert (vs the load_key) routines in the OpenSSL src/apps/apps.c. It does not recognize FORMAT_ENGINE.

Good to know, as I kept thinking that it was where/how openssl was getting the cert that was the issue.

> For the -key parameter, I have always used slot_1-id_01 for the auth cert. I had not looked to see if 1:01 works too.

I found that 1:01 works too!

Matt
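The two spellings of the engine key reference that the thread settles on (Doug's slot_1-id_01 and slot_1-id_02, and Matt's 1:01, which he confirms works), handled by one parser, as an added example that is not code from the thread or from engine_pkcs11. It accepts "slot_<n>-id_<hex>" and "<n>:<hex>", returns the slot number and the object id bytes, and prints the long form back, which is handy when logging which object a process is about to use. Assumptions: the id is an even-length hex byte string, the slot is a decimal number, and the other spellings engine_pkcs11 understands (label-based references, for instance) are outside this example.

```cpp
#include <cctype>
#include <cstdint>
#include <cstdio>
#include <cstdlib>
#include <string>
#include <vector>

struct KeyRef {
    unsigned long slot = 0;
    std::vector<uint8_t> id;  // PKCS#11 CKA_ID bytes
};

namespace {

// Convert an even-length hex string ("01", "0a1b") to bytes. Rejects odd
// lengths, empty input and non-hex characters.
bool hex_to_bytes(const std::string &hex, std::vector<uint8_t> &out) {
    if (hex.empty() || hex.size() % 2) return false;
    out.clear();
    for (size_t i = 0; i < hex.size(); i += 2) {
        if (!std::isxdigit(static_cast<unsigned char>(hex[i])) ||
            !std::isxdigit(static_cast<unsigned char>(hex[i + 1])))
            return false;
        out.push_back(static_cast<uint8_t>(std::strtoul(hex.substr(i, 2).c_str(), nullptr, 16)));
    }
    return true;
}

// Strict decimal: no sign, no whitespace, no trailing junk.
bool parse_decimal(const std::string &s, unsigned long &v) {
    if (s.empty() || !std::isdigit(static_cast<unsigned char>(s[0]))) return false;
    char *end = nullptr;
    v = std::strtoul(s.c_str(), &end, 10);
    return end == s.c_str() + s.size();
}

}  // namespace

// Accepts "slot_<n>-id_<hex>" (the long form Doug uses) and "<n>:<hex>"
// (the short form Matt confirmed). Returns false on anything else.
bool parse_key_ref(const std::string &spec, KeyRef &out) {
    std::string slot_part, id_part;
    if (spec.compare(0, 5, "slot_") == 0) {
        size_t sep = spec.find("-id_");
        if (sep == std::string::npos) return false;
        slot_part = spec.substr(5, sep - 5);
        id_part = spec.substr(sep + 4);
    } else {
        size_t colon = spec.find(':');
        if (colon == std::string::npos) return false;
        slot_part = spec.substr(0, colon);
        id_part = spec.substr(colon + 1);
    }
    return parse_decimal(slot_part, out.slot) && hex_to_bytes(id_part, out.id);
}

// Canonical long form, e.g. "slot_1-id_01".
std::string canonical(const KeyRef &ref) {
    static const char *digits = "0123456789abcdef";
    std::string s = "slot_" + std::to_string(ref.slot) + "-id_";
    for (uint8_t b : ref.id) {
        s += digits[b >> 4];
        s += digits[b & 0x0f];
    }
    return s;
}

int main() {
    const char *specs[] = {"1:01", "slot_1-id_01", "slot_1-id_02", "slot_1", "1:0g"};
    for (const char *spec : specs) {
        KeyRef ref;
        if (parse_key_ref(spec, ref))
            std::printf("%-14s -> %s\n", spec, canonical(ref).c_str());
        else
            std::printf("%-14s -> not a slot/id reference\n", spec);
    }
    return 0;
}
```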