Re: [opensc-devel] Which libraries/APIs needed?
Use PKCS#15 to perform the card management; it can be done using a simple script as you outlined, as it is done once. Then use PKCS#11 to use the keys and perform the encryption/decryption, as it is a more standard API, and most likely you will be able to find a utility that does exactly what you need; refer to engine_pkcs11.

Regards,
Alon

On Tue, Dec 4, 2012 at 9:56 PM, Markus Wernig liste...@wernig.net wrote:
> ould also be a network HSM) appear to be carried out by the pkcs#15 driver, do I need the cryptoki API and pkcs#11 at all?

___
opensc-devel mailing list
opensc-devel@lists.opensc-project.org
http://www.opensc-project.org/mailman/listinfo/opensc-devel
Re: [opensc-devel] withdrawal of nsplugin?
nsplugins is not supported any more as far as I know.

On Sun, Nov 25, 2012 at 6:47 PM, Greg Troxel g...@ir.bbn.com wrote:
> ner/plugins/opensc-signer.so lib/opensc-signer.la
> With 0.12.2, it fails because there is no trace of nsplugin/signer support. There's a Changelog entry from 2009 that indicates it was removed, but I can't find anything in NEWS. Is this functionality someplace else? Is it truly no longer useful, so the right thing for pkgsrc is just to drop the -signer package? (If so, is it because xulrunner/etc. has pkcs11 support, so there's no need for an opensc-specific plugin?)
Re: [opensc-devel] state of the project?
On Thu, Nov 22, 2012 at 11:49 AM, Alon Bar-Lev alon.bar...@gmail.com wrote:
> On Thu, Nov 22, 2012 at 11:42 AM, Ludovic Rousseau ludovic.rouss...@gmail.com wrote:
>> 2012/11/22 Alon Bar-Lev alon.bar...@gmail.com
>>> On Wed, Nov 21, 2012 at 4:52 PM, Ludovic Rousseau ludovic.rouss...@gmail.com wrote:
>>>> Hello,
>>>> 2012/11/17 Alon Bar-Lev alon.bar...@gmail.com:
>>>>> On Sat, Nov 17, 2012 at 11:54 PM, Ludovic Rousseau
>>>>>> I don't think I can give you admin access to only these 2 projects. I can add you as a member of the OpenSC organisation and you would have access to all the repositories.
>>>>> Yes you can, there are teams, each team can have admin/write/read access to specific repositories.
>>>> I created an OpenCT maintainers team [1]. Alon Bar-Lev is the only member of the team but I can add others.
>>> Please do the same for pkcs11-helper, thanks!
> Thanks!

Hi,

You copied the repositories without tags. I fixed this for openct, pkcs11-helper, but I guess you should check all repositories moved, make sure we did not lose anything.

Alon
Re: [opensc-devel] state of the project?
On Fri, Nov 23, 2012 at 4:21 PM, Ludovic Rousseau ludovic.rouss...@gmail.com wrote:
> 2012/11/23 Alon Bar-Lev alon.bar...@gmail.com:
>> You copied the repositories without tags. I fixed this for openct, pkcs11-helper, but I guess you should check all repositories moved, make sure we did not lose anything.
> Exact. svn2git did not get the tags for releases :-( I added them by hand for pam_pkcs11.

I used git-svn which was great.

Alon
Re: [opensc-devel] state of the project?
On Thu, Nov 22, 2012 at 11:42 AM, Ludovic Rousseau ludovic.rouss...@gmail.com wrote:
> 2012/11/22 Alon Bar-Lev alon.bar...@gmail.com
>> On Wed, Nov 21, 2012 at 4:52 PM, Ludovic Rousseau ludovic.rouss...@gmail.com wrote:
>>> Hello,
>>> 2012/11/17 Alon Bar-Lev alon.bar...@gmail.com:
>>>> On Sat, Nov 17, 2012 at 11:54 PM, Ludovic Rousseau
>>>>> I don't think I can give you admin access to only these 2 projects. I can add you as a member of the OpenSC organisation and you would have access to all the repositories.
>>>> Yes you can, there are teams, each team can have admin/write/read access to specific repositories.
>>> I created an OpenCT maintainers team [1]. Alon Bar-Lev is the only member of the team but I can add others.
>> Please do the same for pkcs11-helper, thanks!

Thanks!
Re: [opensc-devel] state of the project?
On Wed, Nov 21, 2012 at 4:52 PM, Ludovic Rousseau ludovic.rouss...@gmail.com wrote:
> Hello,
> 2012/11/17 Alon Bar-Lev alon.bar...@gmail.com:
>> On Sat, Nov 17, 2012 at 11:54 PM, Ludovic Rousseau
>>> I don't think I can give you admin access to only these 2 projects. I can add you as a member of the OpenSC organisation and you would have access to all the repositories.
>> Yes you can, there are teams, each team can have admin/write/read access to specific repositories.
> I created an OpenCT maintainers team [1]. Alon Bar-Lev is the only member of the team but I can add others.
> Alon, you should be able to push changes directly in OpenSC / openct. If you need something else just ask the OpenSC owners (Martin, Viktor and myself for now).
> Bye
> [1] https://github.com/organizations/OpenSC/teams
> --
> Dr. Ludovic Rousseau

Please do the same for pkcs11-helper, thanks!
Re: [opensc-devel] state of the project?
On Sat, Nov 17, 2012 at 6:00 PM, Ludovic Rousseau ludovic.rouss...@gmail.com wrote:
> 2012/11/16 Alon Bar-Lev alon.bar...@gmail.com
>> On Wed, Nov 14, 2012 at 10:22 PM, Alon Bar-Lev alon.bar...@gmail.com wrote:
>>> On Wed, Nov 14, 2012 at 10:20 PM, Ludovic Rousseau ludovic.rouss...@gmail.com wrote:
>>>> 2012/11/14 Ludovic Rousseau ludovic.rouss...@gmail.com
>>>>> I could not migrate:
>>>>> - pkcs11-help. Something fails in the authors names conversion
>>>> I forked the github repository of Alon. pkcs11-helper is now available under the OpenSC organization. https://github.com/OpenSC/pkcs11-helper
>>>>> I have not tried to migrate:
>>>>> - OpenCT
>>>>> - OpenSC-Java
>>>>> Aren't these projects obsolete now?
>>>> I tried to convert OpenCT. But I could not get the author correspondence. Some SVN revisions have no author and confuse svn2git.
>>> I will prepare github for you to use.
>> Ready: https://github.com/alonbl/openct
> Forked at https://github.com/OpenSC/openct

No... it should not be forked, it should be an entire clone. From this one I should fork mine if I work on openct. Same for other projects: opensc repos should be the master as they are the formal upstream.

Alon
Re: [opensc-devel] state of the project?
On Sat, Nov 17, 2012 at 9:26 PM, Ludovic Rousseau ludovic.rouss...@gmail.com wrote:
> 2012/11/17 Alon Bar-Lev alon.bar...@gmail.com:
>> On Sat, Nov 17, 2012 at 6:00 PM, Ludovic Rousseau ludovic.rouss...@gmail.com wrote:
>>> 2012/11/16 Alon Bar-Lev alon.bar...@gmail.com
>>>> On Wed, Nov 14, 2012 at 10:22 PM, Alon Bar-Lev alon.bar...@gmail.com wrote:
>>>>> On Wed, Nov 14, 2012 at 10:20 PM, Ludovic Rousseau ludovic.rouss...@gmail.com wrote:
>>>>>> 2012/11/14 Ludovic Rousseau ludovic.rouss...@gmail.com
>>>>>>> I could not migrate:
>>>>>>> - pkcs11-help. Something fails in the authors names conversion
>>>>>> I forked the github repository of Alon. pkcs11-helper is now available under the OpenSC organization. https://github.com/OpenSC/pkcs11-helper
>>>>>>> I have not tried to migrate:
>>>>>>> - OpenCT
>>>>>>> - OpenSC-Java
>>>>>>> Aren't these projects obsolete now?
>>>>>> I tried to convert OpenCT. But I could not get the author correspondence. Some SVN revisions have no author and confuse svn2git.
>>>>> I will prepare github for you to use.
>>>> Ready: https://github.com/alonbl/openct
>>> Forked at https://github.com/OpenSC/openct
>> No... it should not be forked, it should be an entire clone. From this one I should fork mine if I work on openct. Same for other projects: opensc repos should be the master as they are the formal upstream.
> OK. I deleted openct and pkcs11-helper to recreate them. You can now fork them on your side.

Thanks. It would be lovely if you give me admin access to both of these.

Alon
Re: [opensc-devel] state of the project?
On Sat, Nov 17, 2012 at 11:54 PM, Ludovic Rousseau ludovic.rouss...@gmail.com wrote:
> 2012/11/17 Alon Bar-Lev alon.bar...@gmail.com:
>> On Sat, Nov 17, 2012 at 9:26 PM, Ludovic Rousseau ludovic.rouss...@gmail.com wrote:
>>> 2012/11/17 Alon Bar-Lev alon.bar...@gmail.com:
>>>> On Sat, Nov 17, 2012 at 6:00 PM, Ludovic Rousseau ludovic.rouss...@gmail.com wrote:
>>>>> 2012/11/16 Alon Bar-Lev alon.bar...@gmail.com
>>>>>> On Wed, Nov 14, 2012 at 10:22 PM, Alon Bar-Lev alon.bar...@gmail.com wrote:
>>>>>>> On Wed, Nov 14, 2012 at 10:20 PM, Ludovic Rousseau ludovic.rouss...@gmail.com wrote:
>>>>>>>> 2012/11/14 Ludovic Rousseau ludovic.rouss...@gmail.com
>>>>>>>>> I could not migrate:
>>>>>>>>> - pkcs11-help. Something fails in the authors names conversion
>>>>>>>> I forked the github repository of Alon. pkcs11-helper is now available under the OpenSC organization. https://github.com/OpenSC/pkcs11-helper
>>>>>>>>> I have not tried to migrate:
>>>>>>>>> - OpenCT
>>>>>>>>> - OpenSC-Java
>>>>>>>>> Aren't these projects obsolete now?
>>>>>>>> I tried to convert OpenCT. But I could not get the author correspondence. Some SVN revisions have no author and confuse svn2git.
>>>>>>> I will prepare github for you to use.
>>>>>> Ready: https://github.com/alonbl/openct
>>>>> Forked at https://github.com/OpenSC/openct
>>>> No... it should not be forked, it should be an entire clone. From this one I should fork mine if I work on openct. Same for other projects: opensc repos should be the master as they are the formal upstream.
>>> OK. I deleted openct and pkcs11-helper to recreate them. You can now fork them on your side.
>> Thanks. It would be lovely if you give me admin access to both of these.
> I don't think I can give you admin access to only these 2 projects. I can add you as a member of the OpenSC organisation and you would have access to all the repositories.

Yes you can, there are teams, each team can have admin/write/read access to specific repositories.

> The idea of git is to _not_ have to give access. Just send pull requests and I (or another admin) will pull your code.
> We return to the original question: what is the difference between people who previously had commit access and you. Same remark for Andreas and the OpenSC-java repository.
> Or am I wrong?
> Bye
> --
> Dr. Ludovic Rousseau
Re: [opensc-devel] state of the project?
On Wed, Nov 14, 2012 at 10:22 PM, Alon Bar-Lev alon.bar...@gmail.com wrote:
> On Wed, Nov 14, 2012 at 10:20 PM, Ludovic Rousseau ludovic.rouss...@gmail.com wrote:
>> 2012/11/14 Ludovic Rousseau ludovic.rouss...@gmail.com
>>> I could not migrate:
>>> - pkcs11-help. Something fails in the authors names conversion
>> I forked the github repository of Alon. pkcs11-helper is now available under the OpenSC organization. https://github.com/OpenSC/pkcs11-helper
>>> I have not tried to migrate:
>>> - OpenCT
>>> - OpenSC-Java
>>> Aren't these projects obsolete now?
>> I tried to convert OpenCT. But I could not get the author correspondence. Some SVN revisions have no author and confuse svn2git.
> I will prepare github for you to use.

Ready: https://github.com/alonbl/openct
Re: [opensc-devel] state of the project?
On Wed, Nov 14, 2012 at 10:20 PM, Ludovic Rousseau ludovic.rouss...@gmail.com wrote:
> 2012/11/14 Ludovic Rousseau ludovic.rouss...@gmail.com
>> I could not migrate:
>> - pkcs11-help. Something fails in the authors names conversion
> I forked the github repository of Alon. pkcs11-helper is now available under the OpenSC organization. https://github.com/OpenSC/pkcs11-helper
>> I have not tried to migrate:
>> - OpenCT
>> - OpenSC-Java
>> Aren't these projects obsolete now?
> I tried to convert OpenCT. But I could not get the author correspondence. Some SVN revisions have no author and confuse svn2git.

I will prepare github for you to use.

> Bye
> --
> Dr. Ludovic Rousseau
Re: [opensc-devel] new server hoster and administrator for opensc-project.org required
On Tue, Sep 18, 2012 at 11:33 AM, Jean-Michel Pouré - GOOZE jmpo...@gooze.eu wrote:
> Dear all,
> Wouldn't it be better to move the remaining parts of the project to github? Sorry if I did not catch this message before. I volunteer to take part in this project with the community. Migrating the platform would allow us to clarify the community goals and participants. As written previously:
> * Community
> We need to extend the list of core hackers, to define the community and avoid that one person blocks or takes control of the hosting environment.
> * Cheap hosting
> Host a minimal web server with the OpenSC page. I suggest a cheap http://www.kimsufi.com/fr/
> * GIThub
> Migrate the code repositories to GIThub. Code issues and pull requests are enough to manage bugs and evolutions, provided that there is a clearly defined community in charge of the GIThub main projects.
> * Build-farm
> Have separate build farms coordinated by Jenkins. This is already the case for our build farm (Viktor and I). And we proved we can run the farm 24x365. We run the farm on real computers. We can also provide backup. We recently bought a 12-core supermicro computer, to add to the build farm. We have received the motherboard, casing and processors and we still need the memory (around 96 Gb). This is meant to be a virtual server replacing my various computers in the build farm. It is also nice to have build farms running behind firewalls with very limited access to the Internet using vlans.
> I suggest that we start with the political issues first, to design an informal community. Then we can host OpenSC safely on GIThub and start the migration.
> Kind regards,
> Jean-Michel POURE
> --

I think github provides a good service.

Alon.
Re: [opensc-devel] OpenSC Server Maintenance
On Tue, Jun 12, 2012 at 5:49 PM, Ludovic Rousseau ludovic.rouss...@gmail.com wrote:
> What else do we need? Wiki, mailing list, file-server, ... Bug tracker

github already has a bug tracker and wiki... :)
Re: [opensc-devel] OpenSC Server Maintenance
Hello Andreas,

GitHub is a great place... Already there, just need to migrate the wiki. The question is where Gerrit will be (if it is used). And if there is a need to migrate the bugs as well... which may be difficult.

Alon.

On Mon, Jun 11, 2012 at 10:31 PM, Andreas Jellinghaus andr...@ionisiert.de wrote:
> Hi everyone,
> the software running opensc-project.org is getting very, very old. I didn't upgrade it when Martin had plans to rebuild the server on real hardware somewhere, but that didn't happen for years now, and the installation is getting older and older. Is anyone interested in working on this - building a new server somewhere? Or what is your suggestion to migrate the project to some hosting platform? code.google.com, sourceforge, savannah, ...? It's not urgent, but I wouldn't be surprised if things break, as the server gets little attention. Thus the sooner someone steps up to maintain it, the better.
> Regards, Andreas
Re: [opensc-devel] SO pin in pkcs11-tool?
Hello,

I think you have some confusion about what the PKCS#11 Admin PIN is. The PKCS#11 Admin PIN is only usable to initialize a token, and optionally unlock the user PIN. It has no special privileges over the content of the card. So you are prompted by firefox for the user PIN, which is OK.

Anyway, what you have done is correct as far as opensc: use the pkcs15 tools in order to initialize the card and use the card within pkcs11 environments. If that's working, I think you provided a great solution.

Alon.

On Wed, May 30, 2012 at 12:21 PM, Nguyễn Hồng Quân quanngu...@mbm.vn wrote:
> Hello all,
> As you may know, I'm trying to implement writing a certificate to an OpenPGP card via PKCS#11. I succeed with the pkcs15-init tool but have difficulty with pkcs11-tool.
> When I import via the pkcs15-init tool (command: pkcs15-init --store-certificate quanngu...@mbm.vn.pem), the tool asks for the Admin PIN and the work is done. But when I try with pkcs11-tool:
>     pkcs11-tool --module=/usr/lib/opensc-pkcs11.so -w quannguyen.crt -y cert --slot 2
> the tool does not ask for a PIN and the write cannot succeed (in the OpenPGP card, writing a certificate requires the SO (Admin) PIN). I tried to provide the Admin PIN in the command, but still not successful:
>     pkcs11-tool --module=/usr/lib/opensc-pkcs11.so -w quannguyen.crt -y cert --slot 2 -l --so-pin 12345678
>     pkcs11-tool --module=/usr/lib/opensc-pkcs11.so -w quannguyen.crt -y cert --slot 2 --so-pin 12345678
> I also researched and found that in pkcs15-init, a function to ask for the PIN is implemented and added via sc_pkcs15init_set_callbacks(), but pkcs11-tool does not do so. The questions are:
> - Is not asking for a PIN an intentional design of pkcs11-tool or a limitation?
> - What is the right way to provide the Admin PIN to pkcs11-tool to allow it to write data?
> - When I import a certificate in Firefox, the browser asks for a PIN. I expect it to ask for the Admin PIN but am not sure which PIN it actually asks for (user PIN, to login to the slot, or admin PIN, to write data). Do you know how Firefox determines which PIN to ask for? Does it always ask for the user PIN of the slot, or is it smart enough to ask for the right PIN?
> --
> Regards,
> Quân
Re: [opensc-devel] new release?
On Sun, May 27, 2012 at 7:38 PM, Peter Stuge pe...@stuge.se wrote:
> Ludovic Rousseau wrote:
>> 2012/5/27 Jean-Michel Pouré - GOOZE jmpo...@gooze.eu:
>>> Sufficient privileges in GIThub should be granted to a group of people. Trust is enough to agree on commits. FOAS means Free and Open.
>> FOAS = ?
> I guess FOSS. The open does however not mean that the entire world must have write access, it's about read access.
>>> Trust is enough to agree on commits.
> makes no sense whatsoever to me. The closest that makes sense to me would be: Trust comes from agreeing on commits.
> Of course everyone has different priorities. It makes me sad that quality isn't the top priority for everyone in the project.

Peter, quality is not an absolute term.
(1) It can be a mathematical definition of the best algorithm, which can lead to infinite theoretical discussion for each line of code.
(2) It might be a physical definition of what is good enough, and even then the border is also not absolute, as what is good enough for one is not good enough for another.
(3) And it can be the service provided to users and the responsiveness to users' issues.

I, personally, am for (3), providing a great service and responsiveness while perfecting the code as 2nd priority (exceptions are interfaces). I think this approach was taken at opensc in the past. I also like the (2) approach, while trusting the active core developers to define what is good enough, and if someone thinks otherwise he is free to become a core developer or show the code of his alternatives to the point it is accepted by the core developers.

"Agree on commits" is not something that can become reality, as without someone who can actually DECIDE, there can be never-ending arguments for each change. We have this exact issue at the OpenVPN project, which also reached a complete stop as it does not have core developers and clear responsibility for subsystems. I am sad as this project (as it seems) reached a complete stop.

Programming is human creative work; there can be N^^N ways to achieve a goal, and it is very hard to evaluate what is correct or better in most of the cases; it depends on the people involved and the people who actually review at a specific point in time... The same change can be accepted at week X and rejected at week Y as other people review. Because of that, trust in the core developers of a project is essential, as it is the only constant factor in the process.

Not sure what this discussion was, but I wanted to comment on your statement.

Regards,
Alon.
Re: [opensc-devel] FOSS development
On Sun, May 27, 2012 at 8:26 PM, Peter Stuge pe...@stuge.se wrote:
> Alon Bar-Lev wrote:
>> Peter, quality is not an absolute term.
> In computing I actually think it is; a high quality program does exactly what it is supposed to do and never anything else. Computers are very simple machines, so it is feasible for humans to create such programs. :)

Well, this is similar to what I thought ~20 years ago... and I know you are not young either... Although I think I can reach a point near the one you refer to, over the years I met a lot of people that in my view reached a farther point which was not perfect but good enough for the use case. Perfecting anything requires infinite resources or very talented resources. I prefer to invest resources in finding the segments where the potential of side effects is high, and manage these ones, well, unless I am the developer myself :)

>> best algorithm
>> good enough
>> service and responsiveness to users' issues
>> I, personally, am for (3), providing a great service and responsiveness while perfecting the code as 2nd priority (exceptions are interfaces). I think this approach was taken at opensc in the past.
> It doesn't work unless there's lots of feedback from users however.

If nobody uses the software, maybe the whole effort is void...

>> I also like the (2) approach, while trusting the active core developers to define what is good enough, and if someone thinks otherwise he is free to become a core developer or show the code of his alternatives to the point it is accepted by the core developers.
> Right, the real fun starts when the core developers actually don't agree on anything, or just have different areas of expertise. And pack mentality comes into play if the core developer pack is smaller than the opposition.

Right. The core developers must be a group that shares the same vision and methods. If core developers do not agree, the project should either fork or someone should resign.

> Ideally the core developer pack is large enough to assimilate and mentor opposition before any conflicts, but personally I prefer to focus on code over trying to educate someone who insists on doing things their own way in any case.

I don't understand this statement. The code is only a means to achieve a goal. If a group of people does not agree on the basics, such as modularity vs monolithic design, readability vs performance, customization vs pre-defined, interfaces methodology -- what help is there in focusing on code? I do understand that there is value in focusing on code in stable maintenance mode, but I don't see this is possible when the project needs to evolve.

>> "Agree on commits" is not something that can become reality, as without someone who can actually DECIDE, there can be never-ending arguments for each change.
> The definition of agreement would be that multiple people decide the same thing.

Right. And what if this cannot be achieved? For example, let's take the OpenVPN case... a patch was submitted in order to support the Android platform. This is a good cause indeed; I think everyone agrees that supporting Android is required. There are about 5 possible integration methods to achieve this goal: the quick and dirty one which adds the code within #ifdef; a more conservative way to add the required features of this specific platform to the common linux platform, even if it is unique to the UI implementation of this platform, skipping some others; and a way to perform this as an external plugin provided we delegate some more functionality to the plugin. So the question is not about the code; the submitted code can be perfect. The discussion is about methodology, maintenance costs, and flexibility to solve similar issues in future. How do you decide which group of people should agree on what?

My solution is to divide core developers by subsystems and assign a small number of core developers (2) to the project as a whole, to be able to decide on issues that cannot reach agreement. Example: OpenSC is divided into [at least] the following subsystems: build, PKCS#11, PKCS#15 core, {reader} interface, {card} driver, windows. For each one, a core developer should be assigned as accountable for any change in the subsystem, bug or improvement. In one scenario it can be the same core developer for all, but I think there is an advantage in allowing delegation. So if core developer X is in charge of card driver GPG, he has the full permission (trust) from the community to perfect this driver as he sees fit. As a result you have different quality levels of different drivers, that's true, and this is an acceptable cost for open source which is based on volunteers; the larger the user base, the larger the developer base, the better the quality that can eventually be reached.

>> We have this exact issue at the OpenVPN project, which also reached a complete stop as it does not have core developers and clear responsibility for subsystems.
> I guess that perfect commits will still be included in the codebase? I tried
Re: [opensc-devel] Handling multiple USB tokens in IFD handler
On Tue, May 1, 2012 at 5:20 PM, Ludovic Rousseau ludovic.rouss...@gmail.com wrote:
> OpenCT was maintained by Andreas Jellinghaus. Andreas has now left the smart card world for other opportunities. Do not expect a new release of OpenCT anytime soon.

There is no problem to release what we have... only minor changes were applied since the last release.

Alon.
Re: [opensc-devel] OpenSC and multi-arch support
On Thu, Apr 12, 2012 at 11:12 AM, Ludovic Rousseau ludovic.rouss...@gmail.com wrote:
> On 11 April 2012 16:43, Ludovic Rousseau ludovic.rouss...@gmail.com wrote:
>> On 11 April 2012 16:37, Douglas E. Engert deeng...@anl.gov wrote:
>>> On 4/11/2012 8:16 AM, Frank Morgner wrote:
>>>> Adjusting the loader to determine the architecture and recognizing architecture specific directories would be the more generic solution, I think. You can change LD_LIBRARY_PATH or edit /etc/ld.so.conf to do so.
>>> I think the OS should fix this. This would appear to be a common problem with many other packages using dlopen like pam. The dlopen man page says:
>>>     If filename contains a slash (/), then it is interpreted as a (relative or absolute) pathname. Otherwise, the dynamic linker searches for the library as follows (see ld.so(8) for further details):
>>> So can the default be just libpcsclite.so?
>> The default is already libpcsclite.so.1 (do not forget the .1) without any path. I will try to reproduce the Ubuntu bug. Maybe the problem is easy to solve.
> The bug is Ubuntu specific. See [1] for more details.
> The Ubuntu OpenSC package has been configured with --with-pcsc-provider=/lib/libpcsclite.so.1
> This is because on Ubuntu libpcsclite.so.1 is/was in /lib and not in /usr/lib. See [2].
> And now, with the multi arch change, the absolute lib filename is wrong.

Right. We have nothing to change on OpenSC. dlopen(3) is doing its job correctly.

Anyway, now that mingw64 is maintained and I guess the old pcsc-lite may not be supported any more (the one that broke some interface), it should be safe to link at compile time; the change should not be significant.

> Bye
> [1] https://bugs.launchpad.net/ubuntu/+source/opensc/+bug/978974
> [2] http://ludovicrousseau.blogspot.fr/2010/10/pcsc-lite-upgrade-and-ubuntu-special.html
> --
> Dr. Ludovic Rousseau
[opensc-devel] Latest build changes
Well, I lost it; there are changes committed, and the interface of gerrit is very difficult for proper review. I hope these are working.

Alon.
Re: [opensc-devel] removing libltdl?
On Sat, Mar 24, 2012 at 1:19 PM, Ludovic Rousseau ludovic.rouss...@gmail.com wrote:
> On 24 March 2012 12:05, Magosányi, Árpád m4g...@gmail.com wrote:
>> I guess you might want to discuss the pros and cons of removing the libltdl dependency. There is a heap of changesets about it in gerrit.
> I do not remember why libltdl was needed in the first place.
> Alon, do you know/remember why libltdl was added? Is it related to OpenSC on Mac OS X 10.5 for PowerPC? I found a reference in [1].
> Bye,
> [1] https://www.opensc-project.org/opensc/changeset/53c3c486af54a60e4ea09bdd7ce936a3b538f420/OpenSC

Because at that time it was simpler to port to Windows using libtool. As I wrote in the original post, currently there is almost no libtool usage. In the Gentoo tree OpenSC was the last. I don't know any reason why it should be used. I should have removed it long ago. I already fixed libp11 in a similar manner; there I still can commit.

Alon.
Re: [opensc-devel] OpenSC and gerrit
On Thu, Mar 22, 2012 at 12:03 AM, Peter Stuge pe...@stuge.se wrote:
> Alon Bar-Lev wrote:
>> I will try again.
> Thanks! It really helps!

I am glad!

Well, let's agree we do not agree... :)

At no point in time did I argue that gerrit is not a good tool; I argue the methodology.

Anyway, just a last note I want to make... OpenSC is by far *NOT* a security project. Yes, that may sound surprising... :) OpenSC deals with a security subject, that's true... hardware cryptography. But its original mission was to provide access (USABILITY) to non-Windows (+ non-proprietary) users to hardware cryptography, PKCS#15 and partially by reverse engineering. If we want OpenSC to be a security project, we should probably rewrite the whole thing from scratch. With different priorities, the code will probably be completely different, the feature set will be smaller, and the quality of the code will be higher, thus also the cost of implementation and maintenance. A few years back, when I tried to push OpenSC enabled tokens to enterprises, I found that I just cannot do that, mainly because of this reason. I don't see this happening without a sponsor and some full time developers.

Maybe this is another issue that differentiates our views. I think there is great value in the current state of OpenSC to allow people to [at least] use hardware cryptography, even if this is not the perfect implementation, keeping it flexible enough to enlarge the circle of devices and users. Apart from the value of people actually being able to use their hardware, this implementation will allow in future the necessary low level details in order to do the rewrite.

Alon.
Re: [opensc-devel] OpenSC and gerrit
On Sun, Mar 18, 2012 at 2:17 AM, Peter Stuge pe...@stuge.se wrote:
Alon Bar-Lev wrote: I think you are trying to make opensc something it is not.
I am not trying to do a single thing beyond pointing out that there are a lot of complaints and wasted time over no *actual* problem.

First I want to write that I have no intention to manage this project, just to provide my own view regarding the process. The fact that I fail to present my argument so that you understand is my own failure. I have no words beyond what I already wrote, but I will try again.

The bureaucracy and lack of flexibility will inhibit contributions and a healthy *SMALL* community.
What bureaucracy do you mean? Requiring no build failure and review in gerrit? I think those are acceptable requirements. They're also not exactly unique to OpenSC.

Yes. That's exactly what I mean. Sure, it is not exactly unique to OpenSC; it is just that you compare it to a different kind of dynamics, different stability requirements and a different amount of available resources.

What lack of flexibility do you mean? Anyone in the whole world can clone the gerrit repo, make changes, and push them back to gerrit for review.

Right, then wait 3 months in order to have his changes reviewed and discussed, and only then continue, while rebasing about 10 times and fixing his 3-month-old patch set.

Look, the model should be entirely different for small projects without many resources, something more similar to what we had before. There are 3, 4 or 5 core developers; they can do whatever they like: commit, revert, fix - anything. Each commit is sent to the mailing list, so peers and guests can review changes and comment. As a result of this post-review, these people, who are trusted by the community and trust each other, may progress much faster, even at the price of committing not-the-best solutions, while cooperating together based on their own free resources to achieve the-best solutions.

Until now guests sent patches to the mailing list for review, and there was always the chance that the core developers missed a specific patch or had no interest at that point in time. These patches were lost if the author did not resend them over and over until he got an acknowledgment. The guests' process can be replaced by the gerrit solution, which is superior: instead of sending patches to the mailing list, use the gerrit interface to keep track and review. This is a great improvement, which is unrelated to the core developers' process.

What I am basically saying is that in utopia you may be right; however, reality requires flexibility, especially when the numbers are low (core developers, community size, allocated resources). It's true that it may eventually lead to a more stable implementation, but the cost may be a lack of progress, and thus not being able to achieve the stability goal either.

Quantity is IMO completely irrelevant without quality.

Again, reality showed different behavior... There was a different process which worked and produced no less quality in releases. What the new process provides is a stable branch [most likely] at every given time - this is its advantage, and it is suitable for software that should be released in very short cycles, which is not the case for this project.

Until now I did not notice gerrit to be so good a solution that all other methods should be dropped for it.
I'm afraid I don't understand what exactly you mean by this. Gerrit helps track patches. I'm not sure that the current configuration is completely ideal, but it is also not in any way causing a critical problem for further development.

No, I meant there are other alternatives and solutions for software development. The gerrit way (or patch way) is one of them. I don't rule out the others just because the current trend of developing the Linux kernel uses one.

However, a proper build server with multiple platforms and configurations is something that is very useful to have in order to test branches before merging.
Of course there is no replacement for testing, but I really can not agree if you are arguing that being unable to extend jenkins is a critical problem for further development.

No, I am arguing that it is more important than the whole patch method for core developers.

I quite miss the previous method in which people could work on this project progressing (and maybe making mistakes), but investing their time in a proactive way.
What is stopping that? Please be specific.

Just look at the history, see how we cooperated in partial solutions, reaching gradually a complete solution within the tree during periods of weeks and with different developers for separate issues.

I don't think that in the current process I [or anyone similar] could have contributed whatever I've done before, so I don't think it is going to a good place.
Why not? Please be specific.

I tried to explain above. As a summary, Peter, I think you took the software development trend to the extreme
Re: [opensc-devel] where can I get a engine_pkcs11.dll
What do you mean not able to compile it? https://www.opensc-project.org/engine_pkcs11

On Sat, Mar 10, 2012 at 8:33 AM, Dan Peterson drpeter...@es.net wrote:
I am not able to compile it
-- dan
Re: [opensc-devel] Moving master forward
On Wed, Dec 14, 2011 at 4:49 PM, Peter Stuge pe...@stuge.se wrote:
Douglas E. Engert wrote:
Is it possible to use: https://jenkins.opensc-project.org/ instead of https://www.opensc-project.org:/
https://www.opensc-project.org/autobuild/
https://gerrit.opensc-project.org/ instead of https://www.opensc-project.org:8881/
https://www.opensc-project.org/codereview/
.. So are you saying, I should get my network people to open ports 8881 and for me?
No, you can use these URLs: https://www.opensc-project.org/autobuild/ https://www.opensc-project.org/codereview/ to access Jenkins and Gerrit respectively.

This is great, I succeeded in logging in to gerrit using a google account. How do I log in to jenkins?
Re: [opensc-devel] Moving master forward
On Wed, Dec 14, 2011 at 5:13 PM, Alon Bar-Lev alon.bar...@gmail.com wrote:
No, you can use these URLs: https://www.opensc-project.org/autobuild/ https://www.opensc-project.org/codereview/ to access Jenkins and Gerrit respectively.
This is great, I succeeded in logging in to gerrit using a google account. How do I log in to jenkins?

First experience for me in Gerrit... I cannot reach port 8881, nothing responds there... And http://www.opensc-project/codereview/p/OpenSC.git is also not working.

Alon.
Re: [opensc-devel] Moving master forward
On Wed, Dec 14, 2011 at 8:41 PM, Martin Paljak mar...@martinpaljak.net wrote:
On 12/14/11 5:13 , Alon Bar-Lev wrote: This is great, I succeeded in logging in to gerrit using a google account. How do I log in to jenkins?
Actually there is no similar SSO readily available for Jenkins, nor should it be necessary. Jenkins should work semi-automatically by building the branches/trees/changes it has to, like pre-building Gerrit changes or any other trees. The setup is manual; any repository is polled every X minutes, and builds are created and uploaded as needed. Jenkins must be publicly available to see the status (green/red button) and any output (Gerrit can nicely cross-reference builds and Jenkins build results). Given that I have remotely recovered access to an otherwise disconnected linux host running the Windows VM-s (SSH tunneling) through a custom job on the Windows guest, I'd prefer to keep the configurations under close inspection. If you have

This is just great! I could not believe it! I posted a pull request, it was automatically transferred to gerrit and to jenkins to build, and the result was reported back!!! Great work! And I thought I needed to push to gerrit and handle the cycle...
Re: [opensc-devel] Moving master forward
On Thu, Dec 15, 2011 at 1:41 AM, Alon Bar-Lev alon.bar...@gmail.com wrote:
On Wed, Dec 14, 2011 at 8:41 PM, Martin Paljak mar...@martinpaljak.net wrote:
On 12/14/11 5:13 , Alon Bar-Lev wrote: This is great, I succeeded in logging in to gerrit using a google account. How do I log in to jenkins?
Actually there is no similar SSO readily available for Jenkins, nor should it be necessary. Jenkins should work semi-automatically by building the branches/trees/changes it has to, like pre-building Gerrit changes or any other trees. The setup is manual; any repository is polled every X minutes, and builds are created and uploaded as needed. Jenkins must be publicly available to see the status (green/red button) and any output (Gerrit can nicely cross-reference builds and Jenkins build results). Given that I have remotely recovered access to an otherwise disconnected linux host running the Windows VM-s (SSH tunneling) through a custom job on the Windows guest, I'd prefer to keep the configurations under close inspection. If you have
This is just great! I could not believe it! I posted a pull request, it was automatically transferred to gerrit and to jenkins to build, and the result was reported back!!! Great work! And I thought I needed to push to gerrit and handle the cycle...

Oh... I was so excited I missed an important issue. When submitting a patchset it should be tested for build as an atomic unit. Currently the system tries to compile each changeset by itself. Many times this will not work, as a patchset is divided into logical sections suited for review, not for build.

Alon.
Re: [opensc-devel] Moving master forward
On Thu, Dec 15, 2011 at 9:43 AM, Martin Paljak mar...@martinpaljak.net wrote:
On 15/12/11 01:43, Alon Bar-Lev wrote: Oh... I was so excited I missed an important issue. When submitting a patchset it should be tested for build as an atomic unit. Currently the system tries to compile each changeset by itself. Many times this will not work, as a patchset is divided into logical sections suited for review, not for build.
I'd prefer the opposite, given your exact sample: it would be best if not a single commit would break the build, on any platform. It is probably a bit harder for some structural changes, but most probably possible. As said, I'm working on figuring out how to make the Gerrit change autobuilds happen on all platforms (Windows included), as at the moment it is a simple Linux tarball build (the Gerrit configuration seems to be tied to master). Splitting patches would make sense if it really was a huge change per se, but it is not. Use git rebase --interactive to merge all these into a single commit with a descriptive commit message before publishing (melding in all those single-line messages would also help). The goal is to separate development (small things patched together until it works) from releasing (meaningful changes with enough documentation). Fixing the Windows build after a change that broke it is meaningful to me as a developer but useless for normal people. Removing the libltdl dependency is understandable to a wider audience.
Martin

Here we completely disagree. The whole point of sending changes to review is to allow humans to go over the code without actually building or testing and get valid feedback. Doing so on large changesets is something that is almost impossible. It is much easier to guide the reviewer through the process of changes by splitting the change into logical pieces. Think of it as the story of the change presented by the developers to the audience without a verbal synchronous meeting.

It is not that each line of code should be split, but the main building blocks.

Alon.
Re: [opensc-devel] Moving master forward
On Sat, Dec 10, 2011 at 10:39 AM, Peter Stuge pe...@stuge.se wrote:
Ludovic Rousseau wrote: Can you set up standard ports so it passes firewalls? First choice: http / https
Same question but to pass web proxies. git and ssh ports are not even available in some places.
Note that Gerrit also supports HTTP push and pull, and http: is no longer significantly more inefficient than git:. (Since git 1.6.7 IIRC.)
I guess the services run in virtual machines, and that there is not an abundance of public IP addresses. This would make it necessary to proxy all HTTP requests, which would suck because in the corresponding virtual machines it would be difficult to distinguish different connected clients. This matters not at all for using the services, but it does matter some for administration. :\

Never had this problem, you can always pass a header with the originating IP.

Alon.
Re: [opensc-devel] Moving master forward
Can you set up standard ports so it passes firewalls? First choice: http / https. Second choice: git/ssh.

On Thu, Dec 8, 2011 at 9:32 PM, Martin Paljak mar...@martinpaljak.net wrote:
Hello,
Here is an overview of updates to opensc-project.org plumbing and Git.

* Jenkins (build master) has been moved to opensc-project.org. opensc-project.org will move soonish (probably during the Christmas time) to a new bare metal home. This allows running the builders close together on a decent machine. I'm thus consolidating all bits and pieces that are needed for running the site onto a single filesystem image for easy syncing before the IP address change. The new URL for Jenkins is: https://www.opensc-project.org:/

* Gerrit code review has been set up to manage the construction of the staging branch. All patches sent to Gerrit get automatically built and verified by Jenkins (currently on Linux only, unfortunately). Commits that don't build shall get Verified = -1 automatically and should not be processed further. Gerrit uses OpenID for authentication (google.com has one, as do many other websites), thus no new passwords are needed. Gerrit is accessible on: https://www.opensc-project.org:8881/ Go and log in/register; the existing list shall be included in the submitters group.

* Github.com pull requests are automagically sent to Gerrit (polled every 5 minutes). This is a convenience method to get pull requests to a central location [1] [2]; direct pushing to Gerrit's refs/for/staging should be preferred.

* Because of Gerrit, the majority of Git plumbing is kept on the opensc-project.org site. The Github integration script makes sure that the master and staging branches are available on github.com/OpenSC/OpenSC while picking up pull requests from Github. Github is thus acting more or less like an off-site backup of the source code.

* Signing of OpenSC source releases. I'm planning to sign the next release of OpenSC with GnuPG. OpenPGP v2.0 cards or the GPF CryptoStick token (supported by OpenSC to some extent) are currently the best RSA hardware readily available, supporting up to 4096-bit keys. After some tweaking it is possible to use it with Thunderbird/PKCS#11, but co-operation (and initialization with OpenSC) requires some further work.

* Removing password logins from opensc-project.org? By relying on OpenID and SSH keys, opensc-project.org would be a much safer place, as there are no secrets to guard on the site (except for internal passwords for databases etc.), and it is also easier on users, as there are fewer things to remember.

== Moving master forward, AKA how to create staging ==
Preparing the next master, please keep in mind:
- the idea is to keep development separate from releasing, so to say.
- to have meaningful changes with enough review and documentation go into the master release history.
- git rebase --interactive can do miracles on development trees
- commit messages are supposed to be meaningful. There are some ideas and links on the DevelopmentPolicy wiki page.
- have topic branches. Seriously. Many.

I fed Viktor's secure-messaging branch in whole to Gerrit (and thus also Jenkins for building), and the reason why development must be separated from change proposals to master is obvious: https://www.opensc-project.org:/job/Gerrit_tarball_test/buildTimeTrend (or the unverified changes in Gerrit https://www.opensc-project.org:8881/#q,status:open,n,0019920500cf). Red parts of the graphic are commits that result in a stage where the tree does not build on Linux. Windows and OS X might probably be even more different (I'm working on getting Gerrit changes to be built and verified by default on Windows and OS X as well). While merging the tree in whole would result in a buildable state, it is not meaningful to have intermediate commits which are not meaningful enough or even put the tree in an unstable state. git rebase --interactive / git commit --amend is the preferred method of fixing such issues.

The NightlyBuilds machinery (meaning a tree per developer) is supposed to help by providing access to all released platforms to all developers in a convenient way in terms of building/packaging changes for testing. But the branch to be built is not even supposed to be the main development branch.

What I suggest. Have:
master (master branch, from opensc-project.org, ff-only updates to this)
staging (staging branch, from opensc-project.org, used to send patches to Gerrit and to rebase against staging on opensc-project.org. Used to build pre-releases)
nightly (fed to Jenkins for building. reset/rebased/deleted as needed by a person. Constructed by merging topic branches as needed for distributing changes and testing building against the infrastructure)
topic-a (to help separate a logical change and to help communicate it to others)
topic-b (ditto)
topic-c (ditto)

More tomorrow.
[1]
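As an added example, not part of this thread and not OpenSC tooling: a POSIX shell function that builds every commit of a range in its own throwaway git worktree, the per-commit check the Gerrit/Jenkins setup above applies to each change, so the "red" commits can be found locally and squashed with git rebase --interactive before pushing. The repository path, commit range and build command are whatever the caller passes in.

```shell
#!/bin/sh
# Added example (not from the thread, not OpenSC code): build each commit of
# a range one by one, the way Jenkins verifies Gerrit changes, so that a
# commit which breaks the tree shows up before the series is published.
#
# check_each_commit <repo> <base>..<head> <build command...>
#   prints "ok   <sha> <subject>" or "FAIL <sha> <subject>" per commit and
#   returns 0 if every commit builds, 1 otherwise.
check_each_commit() {
    repo=$1
    range=$2
    shift 2                      # the remaining arguments are the build command
    failed=0
    for sha in $(git -C "$repo" rev-list --reverse "$range"); do
        subject=$(git -C "$repo" log -1 --format=%s "$sha")
        tmpd=$(mktemp -d)
        wt=$tmpd/wt
        # A detached worktree is a clean checkout of exactly this commit and
        # leaves the developer's own working tree untouched.
        git -C "$repo" worktree add --detach "$wt" "$sha" >/dev/null 2>&1
        if (cd "$wt" && "$@" >/dev/null 2>&1); then
            echo "ok   $sha $subject"
        else
            echo "FAIL $sha $subject"
            failed=1
        fi
        rm -rf "$tmpd"
        git -C "$repo" worktree prune
    done
    return $failed
}

# first_failing_commit <repo> <base>..<head> <build command...>
#   prints the sha of the earliest commit that breaks the build, or nothing.
first_failing_commit() {
    check_each_commit "$@" | awk '$1 == "FAIL" && !found { print $2; found = 1 }'
}
```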
[opensc-devel] [PATCH 0/5] Remove libltdl
libltdl has been linked against opensc since long before I touched the build system. There are some minor advantages to using libltdl; the most relevant one is the common usage on Windows and *NIX. The other advantages relate to systems that do not support dynamic loading at all. I don't think that OpenSC is usable on systems which do not support dynamic loading. And the Windows advantage is negligible.

Some work had been done (libscdl), but it needs completion. I suggest the following patchset to completely remove libltdl. If this is accepted, we will remove it from libp11 as well, which is the last one on the Gentoo tree, at least, that uses ltdl.

I tested building on Linux and mingw64. Untested: MSVC. Martin, you have the environment, right?

Signed-off-by: Alon Bar-Lev alon.bar...@gmail.com
[opensc-devel] [PATCH 3/5] Remove libltdl: Use libscdl
Signed-off-by: Alon Bar-Lev alon.bar...@gmail.com --- src/common/Makefile.am |3 +-- src/libopensc/Makefile.am|1 + src/libopensc/ctx.c |1 + src/libopensc/internal.h |1 - src/libopensc/pkcs15-syn.c |1 + src/libopensc/pkcs15.c |1 + src/libopensc/reader-ctapi.c |1 + src/libopensc/reader-pcsc.c |1 + src/pkcs11/Makefile.am | 10 +++--- src/tests/Makefile.am|4 +++- src/tools/Makefile.am|6 -- 11 files changed, 21 insertions(+), 9 deletions(-) diff --git a/src/common/Makefile.am b/src/common/Makefile.am index b2e7e15..0b2fe9f 100644 --- a/src/common/Makefile.am +++ b/src/common/Makefile.am @@ -17,11 +17,10 @@ libcompat_la_SOURCES = \ compat_strlcpy.h compat_strlcpy.c \ compat_getpass.h compat_getpass.c \ compat_getopt.h compat_getopt.c \ - simclist.c simclist.h libscdl.c + simclist.c simclist.h compat_getopt_main_LDADD = libcompat.la libpkcs11_la_SOURCES = libpkcs11.c libpkcs11.h -libpkcs11_la_LIBADD = libscdl.la libscdl_la_SOURCES = libscdl.c libscdl.h diff --git a/src/libopensc/Makefile.am b/src/libopensc/Makefile.am index f50a002..eb1a627 100644 --- a/src/libopensc/Makefile.am +++ b/src/libopensc/Makefile.am @@ -53,6 +53,7 @@ libopensc_la_LIBADD = $(OPTIONAL_OPENSSL_LIBS) $(OPTIONAL_OPENCT_LIBS) \ $(OPTIONAL_ZLIB_LIBS) \ $(top_builddir)/src/pkcs15init/libpkcs15init.la \ $(top_builddir)/src/scconf/libscconf.la \ + $(top_builddir)/src/common/libscdl.la \ $(top_builddir)/src/common/libcompat.la if WIN32 libopensc_la_LIBADD += -lws2_32 diff --git a/src/libopensc/ctx.c b/src/libopensc/ctx.c index 92d015b..a62521f 100644 --- a/src/libopensc/ctx.c +++ b/src/libopensc/ctx.c @@ -33,6 +33,7 @@ #include winreg.h #endif +#include common/libscdl.h #include internal.h int _sc_add_reader(sc_context_t *ctx, sc_reader_t *reader) diff --git a/src/libopensc/internal.h b/src/libopensc/internal.h index 18e132c..85402ad 100644 --- a/src/libopensc/internal.h +++ b/src/libopensc/internal.h 
@@ -36,7 +36,6 @@ extern C { #endif #include common/simclist.h -#include common/libscdl.h #include libopensc/opensc.h #include libopensc/log.h #include libopensc/cards.h diff --git a/src/libopensc/pkcs15-syn.c b/src/libopensc/pkcs15-syn.c index 5c15a35..43e1218 100644 --- a/src/libopensc/pkcs15-syn.c +++ b/src/libopensc/pkcs15-syn.c @@ -26,6 +26,7 @@ #include stdio.h #include assert.h +#include common/libscdl.h #include internal.h #include asn1.h #include pkcs15.h diff --git a/src/libopensc/pkcs15.c b/src/libopensc/pkcs15.c index 96bad57..48ca642 100644 --- a/src/libopensc/pkcs15.c +++ b/src/libopensc/pkcs15.c @@ -27,6 +27,7 @@ #include stdio.h #include assert.h +#include common/libscdl.h #include cardctl.h #include internal.h #include pkcs15.h diff --git a/src/libopensc/reader-ctapi.c b/src/libopensc/reader-ctapi.c index 13948ec..6980b43 100644 --- a/src/libopensc/reader-ctapi.c +++ b/src/libopensc/reader-ctapi.c @@ -25,6 +25,7 @@ #include stdlib.h #include string.h +#include common/libscdl.h #include internal.h #include ctbcs.h diff --git a/src/libopensc/reader-pcsc.c b/src/libopensc/reader-pcsc.c index ab2f973..e232f48 100644 --- a/src/libopensc/reader-pcsc.c +++ b/src/libopensc/reader-pcsc.c @@ -33,6 +33,7 @@ #include arpa/inet.h #endif +#include common/libscdl.h #include internal.h #include internal-winscard.h diff --git a/src/pkcs11/Makefile.am b/src/pkcs11/Makefile.am index 624c594..d60b323 100644 --- a/src/pkcs11/Makefile.am +++ b/src/pkcs11/Makefile.am 
@@ -15,8 +15,9 @@ OPENSC_PKCS11_SRC = pkcs11-global.c pkcs11-session.c pkcs11-object.c misc.c slot framework-pkcs15init.c debug.c opensc-pkcs11.exports \ pkcs11-display.c pkcs11-display.h OPENSC_PKCS11_LIBS = $(OPTIONAL_OPENSSL_LIBS) $(PTHREAD_LIBS) \ - $(top_builddir)/src/common/libcompat.la \ - $(top_builddir)/src/libopensc/libopensc.la + $(top_builddir)/src/libopensc/libopensc.la \ + $(top_builddir)/src/common/libscdl.la \ + $(top_builddir)/src/common/libcompat.la opensc_pkcs11_la_SOURCES = $(OPENSC_PKCS11_SRC) $(OPENSC_PKCS11_INC) hack-disabled.c opensc_pkcs11_la_LIBADD = $(OPENSC_PKCS11_LIBS) @@ -31,7 +32,10 @@ onepin_opensc_pkcs11_la_LDFLAGS = $(AM_LDFLAGS) \ -module -shared -avoid-version -no-undefined pkcs11_spy_la_SOURCES = pkcs11-spy.c pkcs11-display.c pkcs11-display.h pkcs11-spy.exports -pkcs11_spy_la_LIBADD = $(OPTIONAL_OPENSSL_LIBS) $(top_builddir)/src/common/libpkcs11.la +pkcs11_spy_la_LIBADD = \ + $(top_builddir)/src/common/libpkcs11.la \ + $(top_builddir)/src/common/libscdl.la \ + $(OPTIONAL_OPENSSL_LIBS) pkcs11_spy_la_LDFLAGS = $(AM_LDFLAGS) \ -export-symbols $(srcdir)/pkcs11-spy.exports \ -module -shared -avoid-version -no-undefined diff --git a/src/tests/Makefile.am b/src/tests/Makefile.am index 941e1e3..48ac626 100644 --- a/src
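Review bot: in the src/common/Makefile.am hunk, removing `libpkcs11_la_LIBADD = libscdl.la` leaves libpkcs11.la with an unsatisfied dependency on sc_dlopen/sc_dlsym/sc_dlclose, so every consumer of libpkcs11 now has to list libscdl.la itself. The src/pkcs11/Makefile.am hunk does that for pkcs11-spy, but the src/tests and src/tools hunks named in the diffstat are cut off here and need the same addition or they will fail to link. Dropping libscdl.c from libcompat_la_SOURCES is correct, since the context line `libscdl_la_SOURCES = libscdl.c libscdl.h` shows the same file was already built into libscdl.la and anything linking both would define the sc_dl* symbols twice; keeping the libpkcs11 LIBADD line would let that fix stand without pushing the libscdl dependency onto each consumer. The commit also carries only a Signed-off-by line; one sentence on why libscdl.la must now be linked explicitly would help the next tool author.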
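Review bot: the src/libopensc/internal.h hunk drops `#include common/libscdl.h`, and the ctx.c, pkcs15-syn.c, pkcs15.c, reader-ctapi.c and reader-pcsc.c hunks each add it back individually. That is five copies of an include that previously lived in one place; unless the intent is to keep libscdl out of the internal header for the files that never load modules, leaving it in internal.h is less to maintain, and the commit message should state which of the two was intended.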
[opensc-devel] [PATCH 4/5] Remove libltdl: Cleanup libscdl
Signed-off-by: Alon Bar-Lev alon.bar...@gmail.com --- src/common/libscdl.c |9 ++--- src/common/libscdl.h |3 +++ 2 files changed, 9 insertions(+), 3 deletions(-) diff --git a/src/common/libscdl.c b/src/common/libscdl.c index e4746ab..b66dbd5 100644 --- a/src/common/libscdl.c +++ b/src/common/libscdl.c @@ -18,11 +18,14 @@ * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ -#include config.h +#if HAVE_CONFIG_H +#include config.h +#endif #include libscdl.h #ifdef WIN32 +#include windows.h void *sc_dlopen(const char *filename) { return (void *)LoadLibrary(filename); @@ -30,7 +33,7 @@ void *sc_dlopen(const char *filename) void *sc_dlsym(void *handle, const char *symbol) { - return GetProcAddress(handle, symbol); + return GetProcAddress((HANDLE)handle, symbol); } const char *sc_dlerror() @@ -40,7 +43,7 @@ const char *sc_dlerror() int sc_dlclose(void *handle) { - return FreeLibrary(handle); + return FreeLibrary((HANDLE)handle); } #else #include dlfcn.h diff --git a/src/common/libscdl.h b/src/common/libscdl.h index aee5839..983683d 100644 --- a/src/common/libscdl.h +++ b/src/common/libscdl.h @@ -18,7 +18,10 @@ * Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA */ +#ifndef __LIBSCDL_H +#define __LIBSCDL_H void *sc_dlopen(const char *filename); void *sc_dlsym(void *handle, const char *symbol); int sc_dlclose(void *handle); const char *sc_dlerror(void); +#endif -- 1.7.3.4 ___ opensc-devel mailing list opensc-devel@lists.opensc-project.org http://www.opensc-project.org/mailman/listinfo/opensc-devel
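Review bot: in the src/common/libscdl.c hunk, `#if HAVE_CONFIG_H` should be `#ifdef HAVE_CONFIG_H`: with `#if`, an undefined macro silently evaluates to 0 and trips -Wundef, and the tree otherwise uses the ifdef form. The new `(HANDLE)handle` casts in sc_dlsym and sc_dlclose compile, but GetProcAddress and FreeLibrary take an HMODULE, so `(HMODULE)handle` says what the opaque pointer really is. While the file is being touched, the definition `const char *sc_dlerror()` still disagrees with the `sc_dlerror(void)` prototype in the header; use `(void)` in both.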
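Review bot: in the src/common/libscdl.h hunk the include guard `__LIBSCDL_H` starts with a double underscore, which C reserves for the implementation; `LIBSCDL_H` avoids the reserved namespace. Since this header is now included straight from the libopensc sources, and internal.h (see the context in patch 3/5) wraps its declarations in `extern "C"`, wrapping the four prototypes here the same way keeps the header safe to include from C++.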
[opensc-devel] [PATCH 1/5] Remove libltdl: Remove ltdl references
Signed-off-by: Alon Bar-Lev alon.bar...@gmail.com --- configure.ac | 18 -- src/common/Makefile.am |1 - src/common/libpkcs11.c |6 src/common/libscdl.c | 57 +-- src/libopensc/Makefile.am |5 +-- src/libopensc/ctx.c| 13 -- src/minidriver/Makefile.am |2 +- src/pkcs11/Makefile.am |4 +- src/tools/Makefile.am |2 +- 9 files changed, 8 insertions(+), 100 deletions(-) diff --git a/configure.ac b/configure.ac index cf373c9..4e01231 100644 --- a/configure.ac +++ b/configure.ac @@ -267,22 +267,6 @@ AC_CHECK_LIB( ] ) -dnl check for libltdl. If libltdl is not found, native dlopen/LoadLibrary is used -AC_ARG_VAR([LTLIB_CFLAGS], [C compiler flags for libltdl]) -AC_ARG_VAR([LTLIB_LIBS], [linker flags for libltdl]) -if test -z ${LTLIB_LIBS}; then - AC_CHECK_LIB( - [ltdl], - [lt_dlopen], - [LTLIB_LIBS=-lltdl] - ) -fi - -saved_CFLAGS=${CFLAGS} -CFLAGS=${CFLAGS} ${LTLIB_CFLAGS} -AC_CHECK_HEADERS([ltdl.h]) -CFLAGS=${saved_CFLAGS} - if test ${WIN32} = no; then dnl Special check for pthread support. ACX_PTHREAD( @@ -635,8 +619,6 @@ Compiler flags: ${CFLAGS} Linker flags:${LDFLAGS} Libraries: ${LIBS} -LTLIB_CFLAGS:${LTLIB_CFLAGS} -LTLIB_LIBS: ${LTLIB_LIBS} READLINE_CFLAGS: ${READLINE_CFLAGS} READLINE_LIBS: ${READLINE_LIBS} ZLIB_CFLAGS: ${ZLIB_CFLAGS} diff --git a/src/common/Makefile.am b/src/common/Makefile.am index 95c915e..b2e7e15 100644 --- a/src/common/Makefile.am +++ b/src/common/Makefile.am @@ -9,7 +9,6 @@ dist_noinst_DATA = \ compat_getopt_main.c \ README.compat_strlcpy compat_strlcpy.3 -AM_CFLAGS = $(LTLIB_CFLAGS) INCLUDES = -I$(top_srcdir)/src libcompat_la_SOURCES = \ diff --git a/src/common/libpkcs11.c b/src/common/libpkcs11.c index 22f9bc8..35933fe 100644 --- a/src/common/libpkcs11.c +++ b/src/common/libpkcs11.c @@ -10,9 +10,6 @@ #include stdlib.h #include stdio.h #include string.h -#ifdef HAVE_LTDL_H -#include ltdl.h -#endif #include pkcs11/pkcs11.h 
@@ -36,9 +33,6 @@ C_LoadModule(const char *mspec, CK_FUNCTION_LIST_PTR_PTR funcs) { sc_pkcs11_module_t *mod; CK_RV rv, (*c_get_function_list)(CK_FUNCTION_LIST_PTR_PTR); -#ifdef HAVE_LTDL_H - lt_dlinit(); -#endif mod = calloc(1, sizeof(*mod)); mod-_magic = MAGIC; diff --git a/src/common/libscdl.c b/src/common/libscdl.c index a19ccf2..e4746ab 100644 --- a/src/common/libscdl.c +++ b/src/common/libscdl.c @@ -22,34 +22,7 @@ #include libscdl.h -#ifdef HAVE_LTDL_H -#include ltdl.h -/* libltdl is present, pass all calls to it */ - -void *sc_dlopen(const char *filename) -{ - return (void *)lt_dlopen(filename); -} - -void *sc_dlsym(void *handle, const char *symbol) -{ - return lt_dlsym((lt_dlhandle)handle, symbol); -} - -const char *sc_dlerror(void) -{ - return lt_dlerror(); -} - -int sc_dlclose(void *handle) -{ - return lt_dlclose((lt_dlhandle)handle); -} - -#else -/* Small wrappers for native functions, bypassing libltdl */ -#ifdef _WIN32 -/* Use Windows calls */ +#ifdef WIN32 void *sc_dlopen(const char *filename) { return (void *)LoadLibrary(filename); @@ -69,10 +42,8 @@ int sc_dlclose(void *handle) { return FreeLibrary(handle); } - -#elif defined(HAVE_DLFCN_H) +#else #include dlfcn.h -/* Use native interfaces */ void *sc_dlopen(const char *filename) { return dlopen(filename, RTLD_LAZY); @@ -92,28 +63,4 @@ int sc_dlclose(void *handle) { return dlclose(handle); } - -#else -/* Dynamic loading is not available */ -void *sc_dlopen(const char *filename) -{ - return NULL; -} - -void *sc_dlsym(void *handle, const char *symbol) -{ - return NULL; -} - -const char *sc_dlerror() -{ - return dlopen() functionality not available; -} - -int sc_dlclose(void *handle) -{ - return 0; -} - -#endif #endif diff --git a/src/libopensc/Makefile.am b/src/libopensc/Makefile.am index 722b861..f50a002 100644 --- a/src/libopensc/Makefile.am +++ b/src/libopensc/Makefile.am 
@@ -14,8 +14,7 @@ noinst_HEADERS = cards.h ctbcs.h internal.h esteid.h muscle.h muscle-filesystem. AM_CPPFLAGS = -DOPENSC_CONF_PATH=\$(sysconfdir)/opensc.conf\ AM_CFLAGS = $(OPTIONAL_OPENSSL_CFLAGS) $(OPTIONAL_OPENCT_CFLAGS) \ - $(OPTIONAL_PCSC_CFLAGS) $(OPTIONAL_ZLIB_CFLAGS) \ - $(LTLIB_CFLAGS) + $(OPTIONAL_PCSC_CFLAGS) $(OPTIONAL_ZLIB_CFLAGS) INCLUDES = -I$(top_srcdir)/src libopensc_la_SOURCES = \ @@ -51,7 +50,7 @@ if WIN32 libopensc_la_SOURCES += $(top_builddir)/win32/versioninfo.rc endif libopensc_la_LIBADD = $(OPTIONAL_OPENSSL_LIBS) $(OPTIONAL_OPENCT_LIBS) \ - $(OPTIONAL_ZLIB_LIBS) $(LTLIB_LIBS) \ + $(OPTIONAL_ZLIB_LIBS) \ $(top_builddir)/src/pkcs15init/libpkcs15init.la \ $(top_builddir
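Review bot: in the configure.ac hunk the libltdl probe, LTLIB_CFLAGS/LTLIB_LIBS and the summary lines are removed cleanly, but nothing takes over the capability check: on non-Windows the tree now requires dlfcn.h and, on platforms where dlopen lives in libdl, -ldl. If configure does not already have AC_CHECK_HEADERS([dlfcn.h]) and AC_SEARCH_LIBS([dlopen], [dl]), add them in this hunk so a missing dlopen fails at configure time with a clear message instead of when src/common/libscdl.c is compiled or libopensc is linked.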
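Review bot: in the src/common/libscdl.c hunk the Windows branch changes from `#ifdef _WIN32` to `#ifdef WIN32`. `_WIN32` is predefined by MSVC and MinGW, whereas `WIN32` only exists once windows.h has been included or the build passes -DWIN32, and at this point in the file neither is guaranteed; on a compiler that does not receive WIN32 from the build, the file silently falls into the dlfcn.h branch and fails. Keep `_WIN32` or test `defined(_WIN32) || defined(WIN32)`, particularly as the cover letter says the MSVC build is untested. The same hunk also deletes the HAVE_DLFCN_H branch and the no-dynamic-loading stubs, making `#include dlfcn.h` unconditional; that matches the cover letter's argument, but the commit message should say so rather than consist of a Signed-off-by line only.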
Re: [opensc-devel] how can I retrieve private key by using pkcs11-helper api?
Hello,
You can't. pkcs11-helper targets developers who want to use smartcards without the overhead of the actual card management. Well-behaved smartcards should not allow export of the private key. Why do you need the private key anyway?
Alon.

On Thu, Nov 10, 2011 at 3:27 AM, weizhong qiang weizhongqi...@gmail.com wrote:
hi all,
I tried to use the pkcs11-helper api to retrieve the X509 and private key from the nss softtoken, with the 1.09 version of pkcs11-helper. I can get the X509 object, but the returned RSA object only includes the public key, rather than the private key. I paste the code below. Could anyone give me some hint about how to get the private key?
Thanks a lot,
Weizhong Qiang

    #include <string>
    #include <openssl/x509.h>
    #include <openssl/rsa.h>
    #include <pkcs11-helper-1.0/pkcs11h-certificate.h>
    #include <pkcs11-helper-1.0/pkcs11h-openssl.h>

    // Enclosing function assumed from the surrounding text: certname is the
    // label to look up, x509 and rsa are output parameters, and
    // PKCS11UtilLogger is the poster's logger object (not shown).
    bool getCertificateAndKey(const std::string& certname, X509** x509, RSA** rsa)
    {
        pkcs11h_certificate_id_list_t issuers = NULL;
        pkcs11h_certificate_id_list_t certs = NULL;
        pkcs11h_certificate_id_t find = NULL;

        // Enumerate every certificate the loaded providers expose.
        CK_RV rv = pkcs11h_certificate_enumCertificateIds(PKCS11H_ENUM_METHOD_CACHE,
            NULL, PKCS11H_PROMPT_MASK_ALLOW_ALL, &issuers, &certs);
        if (rv != CKR_OK || certs == NULL) {
            PKCS11UtilLogger.msg(ERROR, "Cannot enumerate certificates: %s", pkcs11h_getMessage(rv));
            return false;
        }
        PKCS11UtilLogger.msg(INFO, "Succeeded to enumerate certificates");

        // Pick the certificate whose display name matches certname.
        int i = 0;
        for (pkcs11h_certificate_id_list_t cert = certs; cert != NULL; cert = cert->next) {
            std::string label = cert->certificate_id->displayName;
            i++;
            PKCS11UtilLogger.msg(INFO, "The name of the %d certificate is %s \n", i, label.c_str());
            if (certname == label) {
                pkcs11h_certificate_duplicateCertificateId(&find, cert->certificate_id);
                // TODO: probably need to deal with the case that multiple certificates with the same name exist.
                break;
            }
        }
        pkcs11h_certificate_freeCertificateIdList(issuers);
        pkcs11h_certificate_freeCertificateIdList(certs);
        if (find == NULL) {
            PKCS11UtilLogger.msg(ERROR, "Could not find certificate with the name %s", certname.c_str());
            return false;
        }

        // Open the certificate object; the PIN is prompted for and cached by the helper.
        pkcs11h_certificate_t certificate = NULL;
        rv = pkcs11h_certificate_create(find, NULL, PKCS11H_PROMPT_MASK_ALLOW_ALL,
            PKCS11H_PIN_CACHE_INFINITE, &certificate);
        pkcs11h_certificate_freeCertificateId(find);
        if (rv != CKR_OK) {
            PKCS11UtilLogger.msg(ERROR, "Can not read certificate: %s", pkcs11h_getMessage(rv));
            return false;
        }

        // Wrap it in an OpenSSL session; the session takes ownership of certificate.
        pkcs11h_openssl_session_t openssl_session = pkcs11h_openssl_createSession(certificate);
        if (openssl_session == NULL) {
            PKCS11UtilLogger.msg(ERROR, "Cannot initialize openssl session to retrieve X509 and RSA");
            pkcs11h_certificate_freeCertificate(certificate);
            return false;   // without a session there is nothing to query
        }
        certificate = NULL; // the certificate object will be released by openssl_session

        X509* x509_local = pkcs11h_openssl_session_getX509(openssl_session);
        if (!x509_local) {
            PKCS11UtilLogger.msg(ERROR, "Cannot get X509 object");
        }
        RSA* rsa_local = pkcs11h_openssl_session_getRSA(openssl_session);
        if (!rsa_local) {
            PKCS11UtilLogger.msg(ERROR, "Cannot get RSA object");
        }
        // Success only when both objects were retrieved.
        bool ret = (x509_local != NULL && rsa_local != NULL);
        if (ret) {
            PKCS11UtilLogger.msg(INFO, "Succeeded to get X509 and RSA");
        }
        *x509 = x509_local;
        *rsa = rsa_local;
        // The RSA object keeps its own reference to the session, so dropping ours is safe.
        pkcs11h_openssl_freeSession(openssl_session);
        return ret;
    }
Re: [opensc-devel] how can I retrieve private key by using pkcs11-helper api?
Your whole concept is totally wrong. If you switch to hardware cryptography, and utilize its advantages, you do not have direct access to the private key. This is what makes hardware cryptography better than software-only solutions. OpenSSL is fully compatible with this approach, having an RSA object that can be used for crypto operations without actually having the private key. This is done via the concept of an engine, which delegates the crypto calls to the hardware device. Try to perform a private key operation using the RSA object and see that it works.
Alon.

On Thu, Nov 10, 2011 at 10:02 AM, weizhong qiang weizhongqi...@gmail.com wrote:
hi Alon,
On Nov 10, 2011, at 8:24 AM, Alon Bar-Lev wrote: Hello, You can't. pkcs11-helper targets developers who want to use smartcards without the overhead of the actual card management. Well-behaved smartcards should not allow export of the private key.
But it seems pk12util can accomplish this task. https://developer.mozilla.org/en/NSS_reference/NSS_tools_:_pk12util
Why do you need the private key anyway?
My current code (based on openssl) is for grid computing usage. We use file-based EEC credentials (cert.pem, key.pem) to generate a proxy certificate, and then use the proxy certificate to communicate with peer ends. Now we need to switch to pkcs11 for the storage of the EEC credential, instead of the file-based storage, because pkcs11 provides a higher level of security. The reason I need to retrieve the private key is that I need the X509 and private key for generating the proxy certificate.

I see some piece of code here: http://codesearch.google.com/#RnTPnPMDu28/staticopenvpn/openvpn/pkcs11.cct=rccd=1q=SSL_CTX_use_pkcs11exact_package=git://github.com/spokn/lib.gitl=606

    /**/
    if ((rsa = pkcs11h_openssl_session_getRSA (openssl_session)) == NULL) {
        msg (M_WARN, "PKCS#11: Unable get rsa object");
        goto cleanup;
    }
    if ((x509 = pkcs11h_openssl_session_getX509 (openssl_session)) == NULL) {
        msg (M_WARN, "PKCS#11: Unable get certificate object");
        goto cleanup;
    }
    if (!SSL_CTX_use_RSAPrivateKey (ssl_ctx, rsa)) {
        msg (M_WARN, "PKCS#11: Cannot set private key for openssl");
        goto cleanup;
    }
    if (!SSL_CTX_use_certificate (ssl_ctx, x509)) {
        msg (M_WARN, "PKCS#11: Cannot set certificate for openssl");
        goto cleanup;
    }
    **/

From the above code, I concluded that it is possible to retrieve the private key. Maybe this piece of code will not work.
Thanks for your kind help.
Best Regards,
Weizhong Qiang

Alon.
On Thu, Nov 10, 2011 at 3:27 AM, weizhong qiang weizhongqi...@gmail.com wrote:
hi all,
I tried to use the pkcs11-helper api to retrieve the X509 and private key from the nss softtoken, with the 1.09 version of pkcs11-helper. I can get the X509 object, but the returned RSA object only includes the public key, rather than the private key. I paste the code below. Could anyone give me some hint about how to get the private key?
Thanks a lot, Weizhong Qiang pkcs11h_certificate_id_list_t issuers; pkcs11h_certificate_id_list_t certs; pkcs11h_certificate_id_t find = NULL; CK_RV rv = pkcs11h_certificate_enumCertificateIds(PKCS11H_ENUM_METHOD_CACHE, NULL, PKCS11H_PROMPT_MASK_ALLOW_ALL, issuers, certs); if(rv != CKR_OK || certs == NULL) { PKCS11UtilLogger.msg(ERROR, Cannot enumerate certificates: %s, pkcs11h_getMessage(rv)); return false; } PKCS11UtilLogger.msg(INFO, Succeed to enumerate certificate); int i = 0; for(pkcs11h_certificate_id_list_t cert = certs; cert != NULL; cert = cert-next) { std::string label=cert-certificate_id-displayName; i++; PKCS11UtilLogger.msg(INFO, The name of the %d certficate is %s \n, i, label.c_str()); if(certname == label) { pkcs11h_certificate_duplicateCertificateId(find, cert-certificate_id); //TODO: probably it is need to deal with the case that multiple certificate with the same name exists. break; } } pkcs11h_certificate_freeCertificateIdList(issuers); pkcs11h_certificate_freeCertificateIdList(certs); if(find == NULL) { PKCS11UtilLogger.msg(ERROR, Could not find certificate with the name %s, certname.c_str()); return false; } pkcs11h_certificate_t certificate; rv = pkcs11h_certificate_create(find, NULL, PKCS11H_PROMPT_MASK_ALLOW_ALL, PKCS11H_PIN_CACHE_INFINITE, certificate); if(rv != CKR_OK) { PKCS11UtilLogger.msg(ERROR, Can not read certificate: %s, pkcs11h_getMessage(rv)); pkcs11h_certificate_freeCertificateId(find); return false; } pkcs11h_certificate_freeCertificateId(find); pkcs11h_openssl_session_t openssl_session = NULL; if((openssl_session = pkcs11h_openssl_createSession(certificate)) == NULL
Re: [opensc-devel] About OpenSC PKCS#11
On Wed, Nov 9, 2011 at 7:39 PM, Viktor Tarasov viktor.tara...@gmail.com wrote:
> Hello,
>
> I would like to 'touch' the PKCS#11 module of OpenSC and am looking for your opinions/suggestions about:
> - removing the 'pkcs15init' framework;
> - configurable support of multiple on-card applications and multiple PINs;
> - removing the 'one-pin' version of the pkcs#11 module (or rather replacing it with a particular case of the configuration);
> - no separate slot for public objects.

1. If you remove the pkcs#15 init, how will you init the card? How will you create several PINs?
2. If you separate PINs into slots, you must expose the public object within the same slot as the private object, as an application will look for the private object on the same slot with the same id as the public one.
3. The one-pin should have been removed a long time ago in favor of configuration :)

But as usual, I will keep reminding anyone that the most severe issue of OpenSC PKCS#11 is the requirement to lock the reader from C_Login until eternity in order to achieve a secured setup. As far as I know this has not been addressed.
1. It explicitly violates the PKCS#11 spec.
2. Disabling this (lock_login=false) exposes your card to other applications without authentication.
3. Default is disabled, which brings us back to (2).

Regards,
Alon.
Re: [opensc-devel] how can I retrieve private key by using pkcs11-helper api?
On Thu, Nov 10, 2011 at 2:08 PM, weizhong qiang weizhongqi...@gmail.com wrote:
>> OpenSSL is fully compatible with this approach, having an RSA object that can be used for crypto operations without actually having the private key. This is done via the concept of an engine, which delegates the crypto calls to the hardware device.
>
> Should I install the engine_pkcs11 to get the nss softoken to work?

Hmmm. What EXACTLY are you trying to do? Why do you use the NSS soft token and access it via OpenSSL? Either stick with NSS or use OpenSSL. Where is the hardware device? Which component's PKCS#11 are you trying to access?

>> Try to perform a private key operation using the RSA object and see that it works.
>
> Do you mean that I should use RSA_sign instead of X509_sign?

Again, I am totally confused by the partial information you present. So I cannot know what is best for you, and even why you are using pkcs11-helper, as if I understand correctly you do not have a hardware device at all.

Alon.
Re: [opensc-devel] how can I retrieve private key by using pkcs11-helper api?
On Thu, Nov 10, 2011 at 3:10 PM, weizhong qiang weizhongqi...@gmail.com wrote:
> hi Alon,
>
> Sorry that I made you confused.
>
> On Nov 10, 2011, at 1:20 PM, Alon Bar-Lev wrote:
>> On Thu, Nov 10, 2011 at 2:08 PM, weizhong qiang weizhongqi...@gmail.com wrote:
>>>> OpenSSL is fully compatible with this approach, having an RSA object that can be used for crypto operations without actually having the private key. This is done via the concept of an engine, which delegates the crypto calls to the hardware device.
>>>
>>> Should I install the engine_pkcs11 to get the nss softoken to work?
>>
>> Hmmm. What EXACTLY are you trying to do?
>
> I need to use the credential in the smart card to generate a proxy credential (which will not be inside the softoken) for the use case of Grid computing. (See RFC 3820 for the definition of proxy certificate.) The current solution in the Grid use case is that the EEC credential is located in two files (e.g., usercert.pem, userkey.pem). We need to replace it because smart card storage provides more security. Now we choose the nss softoken rather than a hardware smart card, because of two reasons: 1, in the development stage, we would choose the nss softoken, because it provides the same interface as a hardware device. 2, in applications other than Grid, such as web applications, the nss softoken is more generally used. So we would like users to switch from existing web applications to Grid, without the need to manage the two files usercert.pem and userkey.pem.
>
>> Why do you use the NSS soft token and access it via OpenSSL?
>
> Our current code (such as the proxy credential generation, TLS communication, etc.) is based on OpenSSL. So for the purpose of minimizing the development effort, we still need to use OpenSSL. The reason why I asked how to retrieve the private key is that with the X509 and private key out, I can reuse the current code for generating the proxy certificate.
>
>> Either stick with NSS or use OpenSSL. Where is the hardware device?
>
> There is no hardware currently. But I thought if my code can contact the nss softoken, it can also contact a hardware device, because of the pkcs11 standard.
>
>> Which component's PKCS#11 are you trying to access?
>
> Currently only the nss softoken.
>
> Thanks
> Weizhong Qiang
>
>>>> Try to perform a private key operation using the RSA object and see that it works.
>>>
>>> Do you mean that I should use RSA_sign instead of X509_sign?
>>
>> Again, I am totally confused by the partial information you present. So I cannot know what is best for you, and even why you are using pkcs11-helper, as if I understand correctly you do not have a hardware device at all.
>>
>> Alon.

OK, so now I understand. So you have a standard OpenSSL application that uses X509, RSA for TLS. And you get these from pkcs11-helper, so what exactly is your problem? It should work.
Re: [opensc-devel] how can I retrieve private key by using pkcs11-helper api?
On Thu, Nov 10, 2011 at 5:12 PM, weizhong qiang weizhongqi...@gmail.com wrote:
> On Nov 10, 2011, at 3:40 PM, Alon Bar-Lev wrote:
>> On Thu, Nov 10, 2011 at 4:06 PM, weizhong qiang weizhongqi...@gmail.com wrote:
>>> As I mentioned, I need to use the EEC credential to generate a proxy credential (the process is the same as when you use a CA credential to generate an EEC credential). In the generation step, I need to use X509_sign (int X509_sign(X509 *x, EVP_PKEY *pkey, const EVP_MD *md)), which needs the private key for signing a X509 certificate. That is the reason I need to take the private key out. Could you tell me how to use the pkcs11-helper lib to sign a certificate without taking the private key out? To use pkcs11h_certificate_sign?
>>>
>>> Thanks
>>> Weizhong Qiang
>>
>> No, you should use X509_sign(). Why not use EVP_PKEY_assign_RSA(pk,rsa) and use pk?
>
> This pk here assigned seems to be a public key.
>
>> Not sure but maybe X509_set_pubkey(x509,pk) will be needed.
>
> I need the private key to sign a X509 certificate, not the public key.

The X509 object represents the certificate, within which you can find the public key. The RSA object represents the private key; you can convert it to an EVP_PKEY using the above code.

This is not the OpenSSL list, I guess you need to switch lists. Your question is: provided I have X509 and RSA objects, how can I use X509_sign()? Maybe you find this[1] helpful.

Alon.

[1] http://src.gnu-darwin.org/src/crypto/openssl/demos/selfsign.c.html
Re: [opensc-devel] Problems with opensc+openvpn builds from Alon starting v10
Hello business,

The issue is probably within OpenSC, related to [1]. Will be fixed in the next version.
It would be great if you can provide OpenSC logs from your working configuration.

Thanks,
Alon.

[1] http://www.opensc-project.org/opensc/ticket/162

On Wed, Oct 19, 2011 at 8:03 AM, busin...@reebs.org wrote:
> Hello Gents,
> just enquiring for feedback. Did you find something out on this issue? Seems something was broken in newer OpenSC / OpenVPN...
> Rgds,
> PR
>
> On Mon, 3 Oct 2011 15:09:28 +0200, Alon Bar-Lev alon.bar...@gmail.com wrote:
>> Martin, I need your help here...
>>
>> On Fri, Sep 30, 2011 at 8:18 PM, busin...@reebs.org wrote:
>>> Here you go:
>>>
>>> C:\Program Files\OpenVPN\share\openvpn-win32\config>pkcs15-tool --list-keys
>>> Using reader with a card: O2Micro CCID SC Reader 0
>>> Private RSA Key [Private Key]
>>>         Object Flags   : [0x3], private, modifiable
>>>         Usage          : [0x4], sign
>>>         Access Flags   : [0x1D], sensitive, alwaysSensitive, neverExtract, local
>>>         ModLength      : 2048
>>>         Key ref        : 0 (0x0)
>>>         Native         : yes
>>>         Path           : 3f0050154b0130450012
>>>         Auth ID        : 01
>>>         ID             : 45
>>>
>>> C:\Program Files\OpenVPN\share\openvpn-win32\config>pkcs15-tool --list-certificates
>>> Using reader with a card: O2Micro CCID SC Reader 0
>>> X.509 Certificate [Certificate]
>>>         Object Flags   : [0x2], modifiable
>>>         Authority      : no
>>>         Path           : 3f0050154545
>>>         ID             : 45
>>>         Encoded serial : 02 01 02
>>>
>>> C:\Program Files\OpenVPN\share\openvpn-win32\config>
>>>
>>> On Fri, 30 Sep 2011 18:45:31 +0300, Alon Bar-Lev alon.bar...@gmail.com wrote:
>>>> ---
>>>> 2011-09-30 12:05:15.330 [opensc-pkcs11] iso7816.c:103:iso7816_check_sw: Command incompatible with file structure
>>>> 2011-09-30 12:05:15.330 [opensc-pkcs11] card-flex.c:1067:cryptoflex_compute_signature: Card returned error: -1200 (Card command failed)
>>>> 2011-09-30 12:05:15.330 [opensc-pkcs11] sec.c:56:sc_compute_signature: returning with: -1200 (Card command failed)
>>>> 2011-09-30 12:05:15.330 [opensc-pkcs11] card.c:330:sc_unlock: called
>>>> 2011-09-30 12:05:15.330 [opensc-pkcs11] pkcs15-sec.c:380:sc_pkcs15_compute_signature: sc_compute_signature() failed: -1200 (Card command failed)
>>>> 2011-09-30 12:05:15.330 [opensc-pkcs11] card.c:330:sc_unlock: called
>>>> 2011-09-30 12:05:15.330 [opensc-pkcs11] reader-pcsc.c:548:pcsc_unlock: called
>>>> 2011-09-30 12:05:15.330 [opensc-pkcs11] framework-pkcs15.c:2721:pkcs15_prkey_sign: Sign complete. Result -1200.
>>>> 2011-09-30 12:05:15.330 [opensc-pkcs11] misc.c:59:sc_to_cryptoki_error_common: libopensc return value: -1200 (Card command failed)
>>>> 2011-09-30 12:05:15.330 [opensc-pkcs11] pkcs11-object.c:635:C_Sign: C_Sign() = CKR_GENERAL_ERROR
>>>> ---
>>>>
>>>> What I also need is a dump of the card content. Paste the output of:
>>>> pkcs15-tool --list-keys
>>>> pkcs15-tool --list-certificates
>>>>
>>>> On Fri, Sep 30, 2011 at 1:16 PM, busin...@reebs.org wrote:
>>>>> Here is the log with verb 255 and the associated OpenVPN log verb 255.
>>>>> Rgrds
>>>>>
>>>>> On Thu, 29 Sep 2011 22:42:35 +0300, Alon Bar-Lev alon.bar...@gmail.com wrote:
>>>>>> It should be opensc.conf somewhere that is pointed to by the registry. See the installation script.
>>>>>>
>>>>>> On Thu, Sep 29, 2011 at 10:34 PM, busin...@reebs.org wrote:
>>>>>>> Ok I will do this, however how would I enable this log using the builds you provided?!
>>>>>>> Strange is also that on the first attempt it asks twice for the PIN; for the second and following connection attempts (I aborted here not to lose the start of the log because of buffer limitations) it asks only once...
>>>>>>>
>>>>>>> On Thu, 29 Sep 2011 21:13:52 +0300, Alon Bar-Lev alon.bar...@gmail.com wrote:
>>>>>>>> This is strange. The signature just fails. I need opensc logs. It returns CKR_GENERAL_ERROR when it tries to sign.
>>>>>>>>
>>>>>>>> On Thu, Sep 29, 2011 at 12:25 PM, busin...@reebs.org wrote:
>>>>>>>>> So finally I managed to get the log. For some reason today it worked from the command line although it did not in the GUI. Probably some delay caused by the management interface which is interfering with OpenVPN when the log amount is high... Anyway here is the file (had to paste it from the command prompt), hope that helps!
>>>>>>>>>
>>>>>>>>> On Thu, 29 Sep 2011 11:00:57 +0300, Alon Bar-Lev alon.bar...@gmail.com wrote:
>>>>>>>>>> Well, I need the log to be able to help.
>>>>>>>>>> If the UI cannot handle this, try without the UI. This UI uses the management interface in order to provide the passphrase at port 11196. You can telnet to this port and see management-notes.txt for how to work with it.
>>>>>>>>>> Or... open a bug within the UI so it can enable more logging.
>>>>>>>>>>
>>>>>>>>>> On Wed, Sep 28, 2011 at 7:01 PM, busin...@reebs.org wrote:
>>>>>>>>>>> This does not work. If I set verb above 7 I get the following loop under command line and GUI: http://imageshack.us/photo/my-images/829/unbenanntrg.jpg/ until it fails. If I set log filename.txt in the configuration file and run from the CLI, it will go up to the point where the PIN is required but then fail as it cannot get the PIN from stdin (btw using
Re: [opensc-devel] Problems with opensc+openvpn builds from Alon starting v10
us=796000 PKCS#11: Calling pin_prompt hook for 'OpenSC Card (xxx yyy)'
Wed Sep 28 17:51:25 2011 us=796000 ERROR: could not not read OpenSC Card (xxx yyy) token password from stdin
Wed Sep 28 17:51:25 2011 us=796000 Exiting
Wed Sep 28 17:51:25 2011 us=796000 Closing Win32 semaphore 'openvpn_netcmd'

On Wed, 28 Sep 2011 18:30:14 +0300, Alon Bar-Lev alon.bar...@gmail.com wrote:
> set verb 255 and log to a file.
>
> On Wed, Sep 28, 2011 at 5:10 PM, busin...@reebs.org wrote:
>> Yes now download works!!! However still not able to connect. I tried both command line and GUI. Same issue:
>> 1- After it asks for the PIN and I enter the PIN it immediately asks for the PIN again
>> 2- It then tries to connect, but nothing happens
>> 3- After 60 seconds it times out
>> 4- Start another connection attempt
>> 5- It asks for the PIN and after I enter it it immediately fails and goes back to point no. 4 until I break
>> Last working version is 009, 010 and 011 have the very same issue.
>> Here is the command line LOG (short form):
>>
>> On Wed, 28 Sep 2011 16:04:24 +0300, Alon Bar-Lev alon.bar...@gmail.com wrote:
>>> Now?
>>>
>>> On Wed, Sep 28, 2011 at 4:01 PM, busin...@reebs.org wrote:
>>>> Alon, I believe there is a permission issue with the new files:
>>>> Forbidden
>>>> You don't have permission to access /downloads/users/alonbl/build/opensc-i686-w64-mingw32-011-engine_pkcs11.tar.bz2 on this server.
>>>> Regards,
>>>>
>>>> On Wed, 28 Sep 2011 15:40:00 +0300, Alon Bar-Lev alon.bar...@gmail.com wrote:
>>>>> Use build-011
>>>>>
>>>>> On Wed, Sep 28, 2011 at 1:39 PM, busin...@reebs.org wrote:
>>>>>> Hi All,
>>>>>> any clue what is wrong?! :(
>>>>>> Rgds
>>>>>>
>>>>>> On Sun, 25 Sep 2011 18:38:39 +0200, busin...@reebs.org wrote:
>>>>>>> Hello All,
>>>>>>> Currently I am having troubles getting the latest build (32bit) of prebuilt OpenVPN/OpenSC/OpenSSL to work all together. These are found here:
Re: [opensc-devel] Problems with opensc+openvpn builds from Alon starting v10
It should be opensc.conf somewhere that is pointed to by the registry. See the installation script.

On Thu, Sep 29, 2011 at 10:34 PM, busin...@reebs.org wrote:
> Ok I will do this, however how would I enable this log using the builds you provided?!
> Strange is also that on the first attempt it asks twice for the PIN; for the second and following connection attempts (I aborted here not to lose the start of the log because of buffer limitations) it asks only once...
>
> On Thu, 29 Sep 2011 21:13:52 +0300, Alon Bar-Lev alon.bar...@gmail.com wrote:
>> This is strange. The signature just fails. I need opensc logs. It returns CKR_GENERAL_ERROR when it tries to sign.
>>
>> On Thu, Sep 29, 2011 at 12:25 PM, busin...@reebs.org wrote:
>>> So finally I managed to get the log. For some reason today it worked from the command line although it did not in the GUI. Probably some delay caused by the management interface which is interfering with OpenVPN when the log amount is high... Anyway here is the file (had to paste it from the command prompt), hope that helps!
>>>
>>> On Thu, 29 Sep 2011 11:00:57 +0300, Alon Bar-Lev alon.bar...@gmail.com wrote:
>>>> Well, I need the log to be able to help.
>>>> If the UI cannot handle this, try without the UI. This UI uses the management interface in order to provide the passphrase at port 11196. You can telnet to this port and see management-notes.txt for how to work with it.
>>>> Or... open a bug within the UI so it can enable more logging.
>>>>
>>>> On Wed, Sep 28, 2011 at 7:01 PM, busin...@reebs.org wrote:
>>>>> This does not work. If I set verb above 7 I get the following loop under command line and GUI: http://imageshack.us/photo/my-images/829/unbenanntrg.jpg/ until it fails. If I set log filename.txt in the configuration file and run from the CLI, it will go up to the point where the PIN is required but then fail as it cannot get the PIN from stdin (btw using the win32 version on Win XP and the card is a former Cryptoflex from Gemalto):
>>>>>
>>>>> On Wed, 28 Sep 2011 18:30:14 +0300, Alon Bar-Lev alon.bar...@gmail.com wrote:
>>>>>> set verb 255 and log to a file.
>>>>>>
>>>>>> On Wed, Sep 28, 2011 at 5:10 PM, busin...@reebs.org wrote:
>>>>>>> Yes now download works!!! However still not able to connect. I tried both command line and GUI. Same issue:
>>>>>>> 1- After it asks for the PIN and I enter the PIN it immediately asks for the PIN again
>>>>>>> 2- It then tries to connect, but nothing happens
>>>>>>> 3- After 60 seconds it times out
>>>>>>> 4- Start another connection attempt
>>>>>>> 5- It asks for the PIN and after I enter it it immediately fails and goes back to point no. 4 until I break
>>>>>>> Last working version is 009, 010 and 011 have the very same issue.
>>>>>>> Here is the command line LOG (short form):
>>>>>>>
>>>>>>> On Wed, 28 Sep 2011 16:04:24 +0300, Alon Bar-Lev alon.bar...@gmail.com wrote:
>>>>>>>> Now?
>>>>>>>>
>>>>>>>> On Wed, Sep 28, 2011 at 4:01 PM, busin...@reebs.org wrote:
>>>>>>>>> Alon, I believe there is a permission issue with the new files:
>>>>>>>>> Forbidden
>>>>>>>>> You don't have permission to access /downloads/users/alonbl/build/opensc-i686-w64-mingw32-011-engine_pkcs11.tar.bz2 on this server.
>>>>>>>>> Regards,
>>>>>>>>>
>>>>>>>>> On Wed, 28 Sep 2011 15:40:00 +0300, Alon Bar-Lev alon.bar...@gmail.com wrote:
>>>>>>>>>> Use build-011
>>>>>>>>>>
>>>>>>>>>> On Wed, Sep 28, 2011 at 1:39 PM, busin...@reebs.org wrote:
>>>>>>>>>>> Hi All,
>>>>>>>>>>> any clue what is wrong?! :(
>>>>>>>>>>> Rgds
>>>>>>>>>>>
>>>>>>>>>>> On Sun, 25 Sep 2011 18:38:39 +0200, busin...@reebs.org wrote:
>>>>>>>>>>>> Hello All,
>>>>>>>>>>>> Currently I am having troubles getting the latest build (32bit) of prebuilt OpenVPN/OpenSC/OpenSSL to work all together. These are found here:
Re: [opensc-devel] Problems with opensc+openvpn builds from Alon starting v10
Use build-011

On Wed, Sep 28, 2011 at 1:39 PM, busin...@reebs.org wrote:
> Hi All,
> any clue what is wrong?! :(
> Rgds
>
> On Sun, 25 Sep 2011 18:38:39 +0200, busin...@reebs.org wrote:
>> Hello All,
>> Currently I am having troubles getting the latest build (32bit) of prebuilt OpenVPN/OpenSC/OpenSSL to work all together. These are found here: http://www.opensc-project.org/files/build.old/ (btw the link to the builds, if any newer shall be available from this page, is corrupt: http://www.opensc-project.org/opensc/wiki/build).
>> When I use the 009 build then everything is fine. However I'd like to use the latest version, and Alon had a few months ago made a newer build which I could not test until now. When trying the build 010 OpenVPN fails to connect. I get asked twice for the PIN before it does something and then fails to connect and tries again/asks for the PIN.
>> By the way here: http://sites.google.com/site/alonbarlev/openssh-pkcs11 I found some info about PKCS11 and OpenSSL, don't know if it may be related...
>> Regards,
>> PR
>>
>> Here is the OpenVPN log (did not find any OpenSC/OpenSSL log...?!):
>> Sat Sep 24 14:52:10 2011 us=515000 Current Parameter Settings:
>> Sat Sep 24 14:52:10 2011 us=515000   config = 'C:\Program Files\OpenVPN\share\openvpn-win32\config\Config.ovpn'
>> Sat Sep 24 14:52:10 2011 us=515000   mode = 0
>> Sat Sep 24 14:52:10 2011 us=515000   show_ciphers = DISABLED
>> Sat Sep 24 14:52:10 2011 us=515000   show_digests = DISABLED
>> Sat Sep 24 14:52:10 2011 us=515000   show_engines = DISABLED
>> Sat Sep 24 14:52:10 2011 us=515000   genkey = DISABLED
>> Sat Sep 24 14:52:10 2011 us=515000   key_pass_file = '[UNDEF]'
>> Sat Sep 24 14:52:10 2011 us=515000   show_tls_ciphers = DISABLED
>> Sat Sep 24 14:52:10 2011 us=515000 Connection profiles [default]:
>> Sat Sep 24 14:52:10 2011 us=515000   proto = udp
>> Sat Sep 24 14:52:10 2011 us=515000   local = '[UNDEF]'
>> Sat Sep 24 14:52:10 2011 us=515000   local_port = 0
>> Sat Sep 24 14:52:10 2011 us=515000   remote = 'vpn.reebs.org'
>> Sat Sep 24 14:52:10 2011 us=515000   remote_port = 1194
>> Sat Sep 24 14:52:10 2011 us=515000   remote_float = ENABLED
>> Sat Sep 24 14:52:10 2011 us=515000   bind_defined = DISABLED
>> Sat Sep 24 14:52:10 2011 us=515000   bind_local = DISABLED
>> Sat Sep 24 14:52:10 2011 us=515000   connect_retry_seconds = 5
>> Sat Sep 24 14:52:10 2011 us=515000   connect_timeout = 10
>> Sat Sep 24 14:52:10 2011 us=515000   connect_retry_max = 0
>> Sat Sep 24 14:52:10 2011 us=515000   socks_proxy_server = '[UNDEF]'
>> Sat Sep 24 14:52:10 2011 us=515000   socks_proxy_port = 0
>> Sat Sep 24 14:52:10 2011 us=515000   socks_proxy_retry = DISABLED
>> Sat Sep 24 14:52:10 2011 us=515000 Connection profiles END
>> Sat Sep 24 14:52:10 2011 us=515000   remote_random = DISABLED
>> Sat Sep 24 14:52:10 2011 us=515000   ipchange = '[UNDEF]'
>> Sat Sep 24 14:52:10 2011 us=515000   dev = 'tap'
>> Sat Sep 24 14:52:10 2011 us=515000   dev_type = '[UNDEF]'
>> Sat Sep 24 14:52:10 2011 us=515000   dev_node = 'OpenVPN'
>> Sat Sep 24 14:52:10 2011 us=515000   lladdr = '[UNDEF]'
>> Sat Sep 24 14:52:10 2011 us=515000   topology = 1
>> Sat Sep 24 14:52:10 2011 us=515000   tun_ipv6 = DISABLED
>> Sat Sep 24 14:52:10 2011 us=515000   ifconfig_local = '[UNDEF]'
>> Sat Sep 24 14:52:10 2011 us=515000   ifconfig_remote_netmask = '[UNDEF]'
>> Sat Sep 24 14:52:10 2011 us=515000   ifconfig_noexec = DISABLED
>> Sat Sep 24 14:52:10 2011 us=515000   ifconfig_nowarn = DISABLED
>> Sat Sep 24 14:52:10 2011 us=515000   shaper = 0
>> Sat Sep 24 14:52:10 2011 us=515000   tun_mtu = 1500
>> Sat Sep 24 14:52:10 2011 us=515000   tun_mtu_defined = ENABLED
>> Sat Sep 24 14:52:10 2011 us=515000   link_mtu = 1500
>> Sat Sep 24 14:52:10 2011 us=515000   link_mtu_defined = DISABLED
>> Sat Sep 24 14:52:10 2011 us=515000   tun_mtu_extra = 32
>> Sat Sep 24 14:52:10 2011 us=515000   tun_mtu_extra_defined = ENABLED
>> Sat Sep 24 14:52:10 2011 us=515000   fragment = 0
>> Sat Sep 24 14:52:10 2011 us=515000   mtu_discover_type = -1
>> Sat Sep 24 14:52:10 2011 us=515000   mtu_test = 0
>> Sat Sep 24 14:52:10 2011 us=515000   mlock = DISABLED
>> Sat Sep 24 14:52:10 2011 us=515000   keepalive_ping = 0
>> Sat Sep 24 14:52:10 2011 us=515000   keepalive_timeout = 0
>> Sat Sep 24 14:52:10 2011 us=515000   inactivity_timeout = 0
>> Sat Sep 24 14:52:10 2011 us=515000   ping_send_timeout = 0
>> Sat Sep 24 14:52:10 2011 us=515000   ping_rec_timeout = 0
>> Sat Sep 24 14:52:10 2011 us=515000   ping_rec_timeout_action = 0
>> Sat Sep 24 14:52:10 2011 us=515000   ping_timer_remote = DISABLED
>> Sat Sep 24 14:52:10 2011 us=515000   remap_sigusr1 = 0
>> Sat Sep 24 14:52:10 2011 us=515000   explicit_exit_notification = 0
>> Sat Sep 24 14:52:10 2011 us=515000   persist_tun = ENABLED
>> Sat Sep 24 14:52:10 2011 us=515000   persist_local_ip = DISABLED
>> Sat Sep 24 14:52:10 2011 us=515000   persist_remote_ip = DISABLED
>> Sat Sep 24 14:52:10 2011 us=515000   persist_key = ENABLED
>> Sat Sep 24 14:52:10 2011 us=515000   mssfix = 1450
>> Sat Sep 24 14:52:10 2011 us=515000   resolve_retry_seconds = 10
>> Sat Sep 24 14:52:10 2011 us=515000   username =
Re: [opensc-devel] Problems with opensc+openvpn builds from Alon starting v10
set verb 255 and log to a file.

On Wed, Sep 28, 2011 at 5:10 PM, busin...@reebs.org wrote:
Yes, now download works!!! However still not able to connect. I tried both command line and GUI. Same issue:
1- After it asks for PIN and I enter PIN it immediately asks for the PIN again
2- It then tries to connect, but nothing happens
3- After 60 seconds it times out
4- Start another connection attempt
5- It asks for PIN and after I enter it it immediately fails and goes back to point no. 4 until I break
Last working version is 009; 010 and 011 have the very same issue. Here is the command line LOG (short form):

C:\Program Files\OpenVPN\share\openvpn-win32\config>..\..\..\bin\openvpn --config Banzai.ovpn --pkcs11-id OpenSC\x20Project/PKCS\x2315/0001D049/OpenSC\x20Card\x20\x28xxx\x20yyy\x29/45
Wed Sep 28 16:02:45 2011 OpenVPN 2.2.1 i686-w64-mingw32 [SSL] [LZO2] [PKCS11] built on Sep 28 2011
Wed Sep 28 16:02:45 2011 PKCS#11: Adding PKCS#11 provider 'C:\Program Files\OpenVPN\bin\opensc-pkcs11.dll'
Wed Sep 28 16:02:47 2011 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Wed Sep 28 16:02:47 2011 Control Channel Authentication: using 'ta.key' as a OpenVPN static key file
Wed Sep 28 16:02:47 2011 LZO compression initialized
Wed Sep 28 16:02:47 2011 UDPv4 link local: [undef]
Wed Sep 28 16:02:47 2011 UDPv4 link remote: 217.253.136.195:1194
Enter OpenSC Card (Patrick Reeb) token Password:
Enter OpenSC Card (Patrick Reeb) token Password:
Wed Sep 28 16:03:47 2011 TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
Wed Sep 28 16:03:47 2011 TLS Error: TLS handshake failed
Wed Sep 28 16:03:47 2011 SIGUSR1[soft,tls-error] received, process restarting
Wed Sep 28 16:03:49 2011 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Wed Sep 28 16:03:49 2011 Re-using SSL/TLS context
Wed Sep 28 16:03:49 2011 LZO compression initialized
Wed Sep 28 16:03:49 2011 UDPv4 link local: [undef]
Wed Sep 28 16:03:49 2011 UDPv4 link remote: 217.253.136.195:1194
Enter OpenSC Card (xxx yyy) token Password:
Wed Sep 28 16:03:59 2011 PKCS#11: Cannot perform signature 6:'CKR_FUNCTION_FAILED'
Wed Sep 28 16:03:59 2011 TLS_ERROR: BIO read tls_read_plaintext error: error:14099004:SSL routines:SSL3_SEND_CLIENT_VERIFY:RSA lib
Wed Sep 28 16:03:59 2011 TLS Error: TLS object - incoming plaintext read error
Wed Sep 28 16:03:59 2011 TLS Error: TLS handshake failed
Wed Sep 28 16:03:59 2011 SIGUSR1[soft,tls-error] received, process restarting
Wed Sep 28 16:04:01 2011 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Wed Sep 28 16:04:01 2011 Re-using SSL/TLS context
Wed Sep 28 16:04:01 2011 LZO compression initialized
Wed Sep 28 16:04:01 2011 UDPv4 link local: [undef]
Wed Sep 28 16:04:01 2011 UDPv4 link remote: 217.253.136.195:1194
Enter OpenSC Card (Patrick Reeb) token Password:
Wed Sep 28 16:04:07 2011 PKCS#11: Cannot perform signature 6:'CKR_FUNCTION_FAILED'
Wed Sep 28 16:04:07 2011 TLS_ERROR: BIO read tls_read_plaintext error: error:14099004:SSL routines:SSL3_SEND_CLIENT_VERIFY:RSA lib
Wed Sep 28 16:04:07 2011 TLS Error: TLS object - incoming plaintext read error
Wed Sep 28 16:04:07 2011 TLS Error: TLS handshake failed

On Wed, 28 Sep 2011 16:04:24 +0300, Alon Bar-Lev alon.bar...@gmail.com wrote:
Now?

On Wed, Sep 28, 2011 at 4:01 PM, busin...@reebs.org wrote:
Alon, I believe there is a permission issue with the new files:
Forbidden
You don't have permission to access /downloads/users/alonbl/build/opensc-i686-w64-mingw32-011-engine_pkcs11.tar.bz2 on this server.
Regards,

On Wed, 28 Sep 2011 15:40:00 +0300, Alon Bar-Lev alon.bar...@gmail.com wrote:
Use build-011

On Wed, Sep 28, 2011 at 1:39 PM, busin...@reebs.org wrote:
Hi All, any clue what is wrong?! :(
Rgds

On Sun, 25 Sep 2011 18:38:39 +0200, busin...@reebs.org wrote:
Hello All, Currently I am having trouble getting the latest build (32bit) of prebuilt OpenVPN/OpenSC/OpenSSL to work altogether. These are found here:
___ opensc-devel mailing list opensc-devel@lists.opensc-project.org http://www.opensc-project.org/mailman/listinfo/opensc-devel
Re: [opensc-devel] PIN caching problems with pkcs11-helper 1.08
Thanks for your report and testing! 2011/8/16 Jonatan Åkerlind jonatan.akerl...@sgsstudentbostader.se: On fre, 2011-08-12 at 23:20 +0300, Alon Bar-Lev wrote: Jonatan, Can you please try the attached patch and see if it helps? Thanks! ... seems to work fine, will continue testing during the day. This is on an AMD64 architecture if it makes any difference. So far i have only entered my PIN code once at startup of my vpn session, the session has renegotiated a few times now. /Jonatan Been using it for a day now and so far I haven't seen any problem. Works fine for me. /Jonatan ___ opensc-devel mailing list opensc-devel@lists.opensc-project.org http://www.opensc-project.org/mailman/listinfo/opensc-devel
[opensc-devel] pkcs11-helper-1.09 released
Hello, pkcs11-helper-1.09 is available. Fixed issue introduced in 1.08 related to OpenSSL engine signature. ChangeLog 2011-08-16 - Version 1.09 * Do not retry if CKR_BUFFER_TOO_SMALL and non-NULL target. * Fixup OpenSSL engine's rsa_priv_enc to use RSA size output buffer. ___ opensc-devel mailing list opensc-devel@lists.opensc-project.org http://www.opensc-project.org/mailman/listinfo/opensc-devel
Re: [opensc-devel] Integrating p11-kit into pkcs11-helper?
So Stef, How do you want to proceed? On Thu, Aug 4, 2011 at 7:58 PM, Alon Bar-Lev alon.bar...@gmail.com wrote: 2011/8/4 Jean-Michel Pouré - GOOZE jmpo...@gooze.eu: Le lundi 01 août 2011 à 14:11 +0200, Stef Walter a écrit : * Initializing modules via p11-kit so that refcounting, and pInitArgs stuff works if more than one app/library in the same process uses a PKCS#11 module. * Safe forking (pkcs11-helper already does this, but p11-kit forking stuff integrates with the initialization refcounting). IMHO, the biggest stopper in the spread of OpenSC is the inability to handle several sessions on a smartcard reliably. I mean without special development in the application client side. So if p11-kit solves this multiple-access issue, this would great. Do you think p11-kit would solve the issues for: * OpenVPN * Iceweasel / Firefox This is core issue of OpenSC and should be solved within the core of OpenSC. Aka - stateless card access. Alon. ___ opensc-devel mailing list opensc-devel@lists.opensc-project.org http://www.opensc-project.org/mailman/listinfo/opensc-devel
Re: [opensc-devel] Rationale for Microsoft's MiniDriver
There has always been a unified API: PKCS#11. Well, in the Microsoft environment there was the CryptoAPI Provider. The good thing about the CryptoAPI is that it allowed enough flexibility so that, for example, you could have created a generic CryptoAPI provider on top of PKCS#11. In the MiniDriver, Microsoft advanced too far. It created a dependency between Microsoft specific data and on-card implementation. It also created a dependency between configuration and card content. So now, instead of providing a single API (PKCS#11) and a single bridge for the Microsoft environment (CryptoAPI Provider-PKCS#11) you need to work much harder. Alon. On Sun, Aug 14, 2011 at 7:20 AM, Anders Rundgren anders.rundg...@telia.com wrote: Writing card drivers is quite difficult. That's why Microsoft introduced the MiniDriver. The driver model has been very successful for printers since printers have widely different characteristics. Cryptographic operations OTOH leave very little (if any) room for variations. Although cards may differ in features, using unified high-level APIs like the MiniDriver these will either be hard to access or more likely: never be utilized. Open question: Since the MiniDriver gives a unified card API, wouldn't it be easier defining a FIXED API/DRIVER and rather let the cards adapt to that? Certifying a gazillion third-party drivers including multiple card versions doesn't appear to be a particularly swift project. With a fully unified card API you can target all cards with a fairly simple test-suite and delegate the certification to the card vendors. This should dramatically improve system reliability which has always been a weak point, particularly for consumer computers. Anders ___ opensc-devel mailing list opensc-devel@lists.opensc-project.org http://www.opensc-project.org/mailman/listinfo/opensc-devel
Re: [opensc-devel] PIN caching problems with pkcs11-helper 1.08
Jonatan, Can you please try the attached patch and see if it helps? Thanks!

On Thu, Aug 11, 2011 at 11:20 AM, Alon Bar-Lev alon.bar...@gmail.com wrote:
Martin, The openssl engine is called with 0x24 buffer size and expects it to be encrypted by private key with the same length. Prototype:
---
static int __pkcs11h_openssl_enc (
	IN int flen,
	IN const unsigned char *from,
	OUT unsigned char *to,
	IN OUT RSA *rsa,
	IN int padding
) {
---
I may have got this wrong. Will investigate.

On Thu, Aug 11, 2011 at 10:38 AM, Martin Paljak mar...@martinpaljak.net wrote:
Hello,
2011/8/11 Jonatan Åkerlind jonatan.akerl...@sgsstudentbostader.se:
We have a setup using the Aladdin eToken PRO USB device for certificate storage using opensc/openct to interface it with openvpn. Works fine but with pkcs11-helper 1.08 we need to enter the PIN code twice at openvpn startup and then once at each renegotiation. Confirmed with various versions of openvpn (2.1.4/2.2.1), opensc (0.11.13, 0.12.1) and openct (0.6.20); the common thing is that it works with pkcs11-helper 1.07 (the PIN caching seems ok and only asks for the pin code once at startup and no more) but with pkcs11-helper 1.08 the PIN caching does not work. Attached is a log from openvpn with verbosity 99 (gives a lot of info) using pkcs11-helper 1.08. It contains the startup and a couple of renegotiations filtered to only include lines with pkcs in them.
This might be relevant:
PKCS#11: __pkcs11h_certificate_doPrivateOperation entry certificate=0x72ebb0, op=0, mech_type=1, source=0x7fff40fa3be0, source_size=0024, target=0x757936, *p_target_size=0024
the target size is the same as the input size, which makes one of the operations fail with CKR_BUFFER_TOO_SMALL and will trigger another try, which will mean another PIN entry. Probably something else is fishy as well.
___ opensc-devel mailing list opensc-devel@lists.opensc-project.org http://www.opensc-project.org/mailman/listinfo/opensc-devel Index: lib/pkcs11h-openssl.c === --- lib/pkcs11h-openssl.c (revision 205) +++ lib/pkcs11h-openssl.c (revision 207) @@ -291,7 +291,7 @@ pkcs11h_certificate_t certificate = __pkcs11h_openssl_get_pkcs11h_certificate (rsa); PKCS11H_BOOL session_locked = FALSE; CK_RV rv = CKR_FUNCTION_FAILED; - size_t tlen = (size_t)flen; + size_t tlen; _PKCS11H_ASSERT (from!=NULL); _PKCS11H_ASSERT (to!=NULL); @@ -312,6 +312,8 @@ goto cleanup; } + tlen = (size_t)RSA_size(rsa); + if ((rv = pkcs11h_certificate_lockSession (certificate)) != CKR_OK) { goto cleanup; } Index: lib/pkcs11h-certificate.c === --- lib/pkcs11h-certificate.c (revision 205) +++ lib/pkcs11h-certificate.c (revision 207) @@ -961,16 +961,17 @@ rv ); + if (rv == CKR_BUFFER_TOO_SMALL op != __pkcs11h_private_op_unwrap) { + certificate-operation_active = TRUE; + } + if (target != NULL) { if (rv != CKR_OK) { goto retry; } } else { - if ( -rv == CKR_OK || -rv == CKR_BUFFER_TOO_SMALL - ) { + if (rv == CKR_OK) { if (op != __pkcs11h_private_op_unwrap) { certificate-operation_active = TRUE; } @@ -994,6 +995,10 @@ } if (!op_succeed) { + if (rv == CKR_BUFFER_TOO_SMALL) { +goto cleanup; + } + /* * OpenSC workaround * It still allows C_FindObjectsInit when ___ opensc-devel mailing list opensc-devel@lists.opensc-project.org http://www.opensc-project.org/mailman/listinfo/opensc-devel
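Review bot: in the pkcs11h-openssl.c hunks, `tlen` is now declared without an initializer and only assigned by `tlen = (size_t)RSA_size(rsa);` after an earlier `goto cleanup;`; if the cleanup path reads `tlen` that is an uninitialized read, so either write `size_t tlen = 0;` at the declaration or move the assignment above the first `goto`. RSA_size(rsa) is the right size for the `to` buffer of an rsa_priv_enc callback, but nothing in the hunk compares `flen` against it; reject `flen > tlen` up front instead of letting the token fail the operation later.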
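Review bot: the new test in the pkcs11h-certificate.c @@ -961 hunk is shown as `rv == CKR_BUFFER_TOO_SMALL op != __pkcs11h_private_op_unwrap` and the assignment as `certificate-operation_active = TRUE;`, so the operator between the two conditions and the `->` did not survive the archive (stripping of `&&` and `>` is the likely cause) and the text as shown does not compile; anyone applying this from the mail must restore them. The logic itself is right per PKCS#11: a C_Sign that returns CKR_BUFFER_TOO_SMALL leaves the operation active, so hoisting the `operation_active = TRUE` above the `target != NULL` split makes the non-NULL case consistent with the NULL size-query case. The `op != __pkcs11h_private_op_unwrap` exclusion now appears twice within a few lines; a single local such as `tracks_active = (op != __pkcs11h_private_op_unwrap)` would keep the two branches from drifting apart.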
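Review bot: in the @@ -994 hunk, `if (rv == CKR_BUFFER_TOO_SMALL) { goto cleanup; }` placed inside `if (!op_succeed)` and before the OpenSC workaround means a too-small buffer is now returned to the caller instead of being fed into the retry path that re-authenticates; that is the fix for the extra PIN prompt, but it changes the function's contract (the caller must call again with `*p_target_size` bytes while the operation is still active), so state that in the function's header comment and in a comment at this line. Also confirm that `cleanup` releases the session lock but leaves `operation_active` set, otherwise the caller's second call fails with CKR_OPERATION_NOT_INITIALIZED and the user is back to the double prompt.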
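The buffer convention behind both the 1.08 regression and the 1.09 fix, as an added example that is not pkcs11-helper or OpenSC code. It models a PKCS#11 token (constructed; the key, PIN and "signature" are stand-ins) that follows the C_Sign output-buffer rules of section 11.2 of PKCS#11 v2.20, then runs three callers against it: one that sizes the output buffer to the input length and handles any error by re-authenticating, as the log above shows 1.08 doing; one that sizes it to RSA_size() as the 1.09 fix does; and one that uses the spec's own two-call size query. The counter of C_Login calls stands in for the number of PIN prompts the user sees.

```python
"""Model of the PKCS#11 C_Sign output-buffer convention and of the
double-PIN-prompt failure discussed in the thread. Added example; the
token, key and callers are constructed stand-ins, not pkcs11-helper code."""
import hashlib

# Return codes used below; numeric values as defined in the PKCS#11 v2.20 header.
CKR_OK = 0x00000000
CKR_OPERATION_NOT_INITIALIZED = 0x00000091
CKR_PIN_INCORRECT = 0x000000A0
CKR_USER_NOT_LOGGED_IN = 0x00000101
CKR_BUFFER_TOO_SMALL = 0x00000150


class FakeToken:
    """Constructed token: one RSA key of rsa_size bytes, one user PIN, and the
    C_Sign buffer semantics of PKCS#11 v2.20 section 11.2."""

    def __init__(self, pin="1234", rsa_size=256):
        self.pin = pin
        self.rsa_size = rsa_size        # what RSA_size(rsa) would return
        self.logged_in = False
        self.op_active = False
        self.pin_prompts = 0            # every C_Login costs the user one PIN prompt

    def C_Login(self, pin):
        self.pin_prompts += 1
        if pin != self.pin:
            return CKR_PIN_INCORRECT
        self.logged_in = True
        return CKR_OK

    def C_SignInit(self):
        if not self.logged_in:
            return CKR_USER_NOT_LOGGED_IN
        self.op_active = True
        return CKR_OK

    def C_Sign(self, data, target_len):
        """Return (rv, signature_or_None, required_len).
        target_len is None for pSignature == NULL_PTR (size query only)."""
        if not self.op_active:
            return CKR_OPERATION_NOT_INITIALIZED, None, 0
        if target_len is None:
            return CKR_OK, None, self.rsa_size                # operation stays active
        if target_len < self.rsa_size:
            return CKR_BUFFER_TOO_SMALL, None, self.rsa_size  # operation stays active
        self.op_active = False                                # operation terminates
        digest = hashlib.sha256(data).digest()                # placeholder for the RSA result
        sig = (digest * (self.rsa_size // len(digest) + 1))[:self.rsa_size]
        return CKR_OK, sig, self.rsa_size


def sign_flen_buffer(token, pin, data):
    """The 1.08 behaviour as reported: the target buffer is sized to the input
    (0x24 bytes in the log) and any C_Sign error goes through a generic retry
    that rebuilds the session, which costs a second PIN prompt."""
    token.C_Login(pin)
    token.C_SignInit()
    rv, sig, needed = token.C_Sign(data, len(data))
    if rv != CKR_OK:
        token.logged_in = False          # model of the retry path dropping session state
        token.C_Login(pin)               # second PIN prompt
        token.C_SignInit()
        rv, sig, needed = token.C_Sign(data, needed)
    return rv, sig


def sign_rsa_size_buffer(token, pin, data):
    """The 1.09 fix: size the output buffer to RSA_size() up front."""
    token.C_Login(pin)
    token.C_SignInit()
    rv, sig, _ = token.C_Sign(data, token.rsa_size)
    return rv, sig


def sign_two_call(token, pin, data):
    """The spec's own convention: query the size with a NULL target, then call
    again with a buffer of that size. The operation stays active in between,
    so no second login is needed."""
    token.C_Login(pin)
    token.C_SignInit()
    rv, _, needed = token.C_Sign(data, None)
    if rv != CKR_OK:
        return rv, None
    rv, sig, _ = token.C_Sign(data, needed)
    return rv, sig


def compare_strategies(data=b"\x00" * 0x24, pin="1234"):
    """Run each caller on a fresh token; return {name: (rv, pin_prompts, siglen)}."""
    out = {}
    for name, fn in (("flen", sign_flen_buffer),
                     ("rsa_size", sign_rsa_size_buffer),
                     ("two_call", sign_two_call)):
        t = FakeToken(pin=pin)
        rv, sig = fn(t, pin, data)
        out[name] = (rv, t.pin_prompts, len(sig) if sig else 0)
    return out


if __name__ == "__main__":
    for name, (rv, prompts, siglen) in compare_strategies().items():
        print(f"{name:9s} rv=0x{rv:02x} pin_prompts={prompts} siglen={siglen}")
```

The point to take from the model is that CKR_BUFFER_TOO_SMALL is not an error in the sense the retry path treats it: the operation is still initialized and only the buffer needs to grow. A wrapper that maps every non-OK return to "re-login and try again" turns a size negotiation into an extra authentication, which is exactly what the verbosity-99 log shows.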
Re: [opensc-devel] Integrating p11-kit into pkcs11-helper?
Hello Stef,
I think that each project is targeting a different set of problems. I am fully open for discussion, but this is how I see things:
pkcs11-helper targets developers who like to introduce PKCS#11 into their application, especially for smartcards. It allows minimizing the user interaction and maximizing the object reuse, while using the minimum set of the specification in order to allow application compatibility with most implementations.
p11-kit is designed to solve incompatibilities of modules and inappropriate implementation of applications that use PKCS#11 by providing a baseline PKCS#11 spec module implementation that may proxy one or more providers.
BTW: we should also outline the difference between p11-kit and NSS.
Let's take your example and see where these fit:
* Coordinating initialization and finalizing.
You are referencing a badly implemented application that uses PKCS#11 in two independent places. A practical solution is to fix the library implementation (such as GnuTLS) to provide some state information. However, a proxy baseline provider with reference count and such may indeed solve this issue.
* A standard place to put configuration of which modules to load and how to load them.
A PKCS#11 aware application should be exposed to this information and not let some library hide it. I also don't like libraries like NSS that have dependencies outside of the runtime environment the application is creating for them.
* Allowing pkcs11-helper to load modules from a standard location. Does pkcs11-helper have a concept of a module registry? If not, this could be a nice addition provided by p11-kit.
Same as above. I don't like these registries within a library (API). A proxy module may have its own configuration, which is fine.
* Initializing modules via p11-kit so that refcounting, and pInitArgs stuff works if more than one app/library in the same process uses a PKCS#11 module.
As I wrote above, a different (applicative) solution should be applied.
* Safe forking (pkcs11-helper already does this, but p11-kit forking stuff integrates with the initialization refcounting).
Yes, much of the work in pkcs11-helper was safe forking, in order to abstract the [complex] process from the developers.
What do you think?
Alon.

On Mon, Aug 1, 2011 at 8:11 AM, Stef Walter st...@collabora.co.uk wrote:
Hi Alon, Thanks for all the PKCS#11 integration work you've spearheaded across the community. You may have heard of p11-kit before. It tries to solve several problems with using PKCS#11 modules across the Desktop. In particular when multiple applications or libraries want to use the same PKCS#11 modules. Most importantly:
* Coordinating initialization and finalizing.
* A standard place to put configuration of which modules to load and how to load them.
More documentation here: http://p11-glue.freedesktop.org/p11-kit.html
p11-kit can be used as a PKCS#11 module, and as such will integrate out of the box into anything that supports PKCS#11. So pkcs11-helper can already use p11-kit. I'm interested in integrating p11-kit more closely into pkcs11-helper. But I figured I'd talk with you before hacking. Some areas where integration could take place:
* Allowing pkcs11-helper to load modules from a standard location. Does pkcs11-helper have a concept of a module registry? If not, this could be a nice addition provided by p11-kit.
* Initializing modules via p11-kit so that refcounting, and pInitArgs stuff works if more than one app/library in the same process uses a PKCS#11 module.
* Safe forking (pkcs11-helper already does this, but p11-kit forking stuff integrates with the initialization refcounting).
Perhaps more? How does this sound?
Cheers, Stef
___ opensc-devel mailing list opensc-devel@lists.opensc-project.org http://www.opensc-project.org/mailman/listinfo/opensc-devel
Re: [opensc-devel] Integrating p11-kit into pkcs11-helper?
2011/8/4 Jean-Michel Pouré - GOOZE jmpo...@gooze.eu: Le lundi 01 août 2011 à 14:11 +0200, Stef Walter a écrit : * Initializing modules via p11-kit so that refcounting, and pInitArgs stuff works if more than one app/library in the same process uses a PKCS#11 module. * Safe forking (pkcs11-helper already does this, but p11-kit forking stuff integrates with the initialization refcounting). IMHO, the biggest stopper in the spread of OpenSC is the inability to handle several sessions on a smartcard reliably. I mean without special development in the application client side. So if p11-kit solves this multiple-access issue, this would great. Do you think p11-kit would solve the issues for: * OpenVPN * Iceweasel / Firefox This is core issue of OpenSC and should be solved within the core of OpenSC. Aka - stateless card access. Alon. ___ opensc-devel mailing list opensc-devel@lists.opensc-project.org http://www.opensc-project.org/mailman/listinfo/opensc-devel
Re: [opensc-devel] Patch for libp11 to fix compatibility with AET SafeSign PKCS#11 library
Right. But you forgot to free the memory. I've applied similar solution at r201. On Fri, Jun 17, 2011 at 2:55 PM, Jonathan Giannuzzi jonat...@giannuzzi.be wrote: Hello, When using libp11 to wrap around the AET SafeSign PKCS#11 library, C_GetInfo fails with CKR_MUTEX_BAD. This is because an empty CK_C_INITIALIZE_ARGS structure is passed to C_Initialize. I made a change in PKCS11_CTX_load so that when no init_args have been set, no CK_C_INITIALIZE_ARGS is given to C_Initialize. It should not break any other P11 library loading. Cheers, Jonathan ___ opensc-devel mailing list opensc-devel@lists.opensc-project.org http://www.opensc-project.org/mailman/listinfo/opensc-devel ___ opensc-devel mailing list opensc-devel@lists.opensc-project.org http://www.opensc-project.org/mailman/listinfo/opensc-devel
Re: [opensc-devel] [opensc-commits] svn opensc changed[5567] pkcs11: framework-pkcs15: OpenSC specific ' non-repudiation' cryptoki attribute ...
OK. I think we have all the facts. Thanks. On Thu, Jun 16, 2011 at 1:14 PM, Martin Paljak mar...@martinpaljak.net wrote: Hello, On Wed, Jun 15, 2011 at 14:28, Alon Bar-Lev alon.bar...@gmail.com wrote: On Wed, Jun 15, 2011 at 2:05 PM, Martin Paljak mar...@martinpaljak.net wrote: Given that in practice, CKA_ALWAYS_AUTHENTICATE is almost exclusively used with nonrepudiation signature keys and the fact that the usual creation of such keys through PKCS#11 is not a common operation, it sounds like a useful signaling channel. I disagree with the above statement. Practice is not related to this. I use my authentication certificate as always authenticate... And I guess people also use this for decryption... It has nothing to do with legal, but with people's customization and paranoia. So a much cleaner solution would be to use a vendor provided attribute. Yes and no. OpenSC does a lot of translation. It translates non-ISO7816-4-ish commands to generic functions that are expected to behave like ISO7816-X to enable the PKCS#15 support (card drivers). It translates non-PKCS#15 cards into PKCS#15 terms (PKCS#15 emulation code), because that's what is used internally by OpenSC (whether it is the best or most optimal abstraction is another question). It translates PKCS#15 into PKCS#11, because that is what applications want. It also translates PKCS#15 to Tokend/CDSA or CryptoAPI. Because there are so many layers in the real life PKI world, it is a nightmare. As always with translation - something gets lost and something gets added by the translator. But the goal of the translator is to be as exact and as close to the original as possible, but adapt the sentence so that it makes sense to the target audience. Like proverbs - you either translate them word by word (like I did) or you use an equivalent which is known to the native speakers of the target language in the given locality. PKCS#11 and CryptoAPI are not just other interfaces, they have different design philosophies and goals. 
It does not make sense to try to extend the PKCS#15 world to CryptoAPI or implement everything in PKCS#15 layer with only CryptoAPI usage in mind. Rather the best effort to translate in the spirit of target audience should be done (both directions) CKA_ALWAYS_AUTHENTICATE is a property of PKCS#11 which is most similar to userConsent property in PKCS#15. Disregarding the properties, eventually the actual card should behave like advertised. Do all card drivers support (and enforce) authentication before signature feature? I doubt it. Does OpenSC currently allow setting a configured userConsent value when generating keys? Will it be transferred to the card and enforced by the card? AFAIK not (at least not easily). What about userConsent 1? Will we disregard CKA_ALWAYS_AUTHENTICATE, which implies userConsent==1? Yes, some of them are shortcomings in OpenSC (and drivers and cards) and some could be improved (like using userConsent value for PIN cache TTL) and having explicit attributes would be more precise, but it would often only support a low value corner case for maybe a few but maybe zero users. Current CKA_ALWAYS_AUTHENTICATE (and related userConsent==1) relation comes from real life and has proven to be useful. DWIM is a powerful concept ;) You mean admitting that PKCS#11 is limited and making the PKCS#11 personalization mechanism more flexible by endorsing more properties to templates? I don't think it fixes the fundamental issue, that personalization really does not seem to be in the focus of PKCS#11... Right... so either we open libopensc again to allow personalization directly with PKCS#15 as it was before, or we provide some bridge between the two. I don't think that libopensc was actually used (publicly) for personalization. The reason for removing libopensc-dev was to eliminate the I need access to smart cards... google find OpenSC, think 'this is some smart card think, I'll link against it' habit. 
Up to the point of removing public headers, all users of libopensc should have either used PKCS#11, had already implemented PKCS#11 support or had the code to use libopensc long abandoned/not updated. The main reason of ditching development packages was to draw attention to the fact that libopensc is not the most appropriate interface for adding smart card support to enduser applications. Also, to get rid of the necessity to maintain a kitchen sink API and related ABI issues and focus on published API-s (PKCS#11, Minidriver, Tokend). If there was to become a new application which would focus on card *personalization* through libopensc, would help to sanitize the exported API of libopensc and work with that, it would be most welcome. But I don't know of any such effort or people who would be interested in it. Personalization is often a closed-group hobby or eagerly kept in house. As most enrollment applications are card
Re: [opensc-devel] Git build status.
On Thu, Jun 9, 2011 at 10:33 AM, Martin Paljak mar...@martinpaljak.net wrote: On Jun 8, 2011, at 21:12 , Alon Bar-Lev wrote: On Wed, Jun 8, 2011 at 2:18 PM, Martin Paljak mar...@martinpaljak.net wrote: Trac sends emails about new tickets, can you convert that into RSS? RSS has *always* been available from Trac timelines and other pages, most browsers these days display a RSS button that reveals this. Cutting off things from opensc-commits is not the target at the moment, compensating similar services with Git is the question at the moment. Maybe, if deemed suitable, the scope of opensc-commits can be shrunk, if most subscribers can stay in the loop with other means (like RSS) I don't think RSS is a replacement for email management, classification and discussion. The commit mails are very useful. Agreed. That's why I said that the question right now is how to have functionality as close to current as possible with Git as well. The distributed nature of Git makes it a bit different, but at least the master commits should continue to flow to opensc-commits, but it would be nice to pull in other changes and events as well. But IMHO the *real* purpose of opensc-commits is making sure that people keep their hand on the pulse of the project and review what is happening. I'll write about it separately. I think opensc-commits to master should be sufficient. ___ opensc-devel mailing list opensc-devel@lists.opensc-project.org http://www.opensc-project.org/mailman/listinfo/opensc-devel
Re: [opensc-devel] Static link for opensc-pkcs11.dll
This is only for MSC build, not for mingw. But as this project is going to MSC release anyway... On Sat, May 28, 2011 at 11:07 PM, Viktor Tarasov viktor.tara...@gmail.com wrote: Hello, I would like to link statically the PKCS#11 module for Windows, or at least to include the static version of this module into the MSI . Here in attachment there in the diff for the build procedure (it presumes the change of link mode for the actual PKCS#11 module dll). Have you any objections, please? Kind wishes, Viktor. ___ opensc-devel mailing list opensc-devel@lists.opensc-project.org http://www.opensc-project.org/mailman/listinfo/opensc-devel ___ opensc-devel mailing list opensc-devel@lists.opensc-project.org http://www.opensc-project.org/mailman/listinfo/opensc-devel
Re: [opensc-devel] [opensc-commits] svn opensc changed[5447] pkcs11-tool: move --module to the first position in help text and make it mandatory.
This will break many of people's usages. Until now it was assumed that if --module is not specified the opensc provider is loaded. And as pkcs11-tool is part of opensc, I know many who did not specify this. I know that something was broken recently with finding the default module, however, do you really want to change existing behavior? On Tue, May 17, 2011 at 4:27 PM, webmas...@opensc-project.org wrote: Revision: 5447 Author: martin Date: 2011-05-17 13:27:09 + (Tue, 17 May 2011) Log Message: --- pkcs11-tool: move --module to the first position in help text and make it mandatory. Modified Paths: -- trunk/src/tools/pkcs11-tool.c Modified: trunk/src/tools/pkcs11-tool.c === --- trunk/src/tools/pkcs11-tool.c 2011-05-16 08:32:07 UTC (rev 5446) +++ trunk/src/tools/pkcs11-tool.c 2011-05-17 13:27:09 UTC (rev 5447) @@ -76,6 +76,7 @@ }; static const struct option options[] = { + { module, 1, NULL, OPT_MODULE }, { show-info, 0, NULL, 'I' }, { list-slots, 0, NULL, 'L' }, { list-token-slots, 0, NULL, 'T' }, @@ -113,7 +114,6 @@ { attr-from, 1, NULL, OPT_ATTR_FROM }, { input-file, 1, NULL, 'i' }, { output-file, 1, NULL, 'o' }, - { module, 1, NULL, OPT_MODULE }, { test, 0, NULL, 't' }, { test-hotplug, 0, NULL, OPT_TEST_HOTPLUG }, @@ -125,6 +125,7 @@ }; static const char *option_help[] = { + Specify the module to load (mandatory), Show global token information, List available slots, List slots with tokens, @@ -162,7 +163,6 @@ Use arg to create some attributes when writing an object, Specify the input file, Specify the output file, - Specify the module to load, Test (best used with the --login or --pin option), Test hotplug capabilities (C_GetSlotList + C_WaitForSlotEvent), 
@@ -544,6 +544,10 @@ util_print_usage_and_die(app_name, options, option_help); } } + + if (opt_module == NULL) + util_print_usage_and_die(app_name, options, option_help); + if (action_count == 0) util_print_usage_and_die(app_name, options, option_help); ___ opensc-commits mailing list opensc-comm...@lists.opensc-project.org http://www.opensc-project.org/mailman/listinfo/opensc-commits ___ opensc-devel mailing list opensc-devel@lists.opensc-project.org http://www.opensc-project.org/mailman/listinfo/opensc-devel
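Review bot: `options[]` and `option_help[]` are parallel arrays matched by position, so moving `{ module, 1, NULL, OPT_MODULE }` to the head of `options[]` in the @@ -76 / @@ -113 hunks only works because the @@ -125 / @@ -162 hunks move `Specify the module to load (mandatory)` to the same index in `option_help[]`; nothing at either edit site says so, and the next reorder will silently misalign every help line below it. Add a comment on both arrays stating that they must stay in the same order, or a compile-time check that they have the same number of entries. The string quotes around `module` and the help text are missing from the archived hunk text.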
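Review bot: `if (opt_module == NULL) util_print_usage_and_die(app_name, options, option_help);` in the @@ -544 hunk turns a missing --module from "use the OpenSC provider" into a hard failure, which breaks every existing invocation that relied on that default, as the reply above notes; if the goal is only to stop the recent default-module lookup breakage from misloading silently, fall back to the known OpenSC module path and print a one-line warning, or at least die with a message that names the missing option instead of dumping the full usage text. The new check also sits before the `action_count == 0` check, so `pkcs11-tool` with no arguments now complains about --module rather than about the missing action.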
Re: [opensc-devel] Bug in engine_pkcs11
On Tue, May 10, 2011 at 1:18 PM, Giuliano Bertoletti g...@symbolic.it wrote: I pointed out the slot_id matter instead because it is just wrong to start from the assumption that the user knows it and it won't change between multiple executions. Same for index. Sorry, I still cannot see your point. Had you argued that you wish to use slot description I would have understood. However, both id and index are generated at runtime and can change at any point in time. ___ opensc-devel mailing list opensc-devel@lists.opensc-project.org http://www.opensc-project.org/mailman/listinfo/opensc-devel
Re: [opensc-devel] Bug in engine_pkcs11
Use this[1] to build using a cross compiler. [1] https://www.opensc-project.org/build On Tue, May 10, 2011 at 10:36 AM, Giuliano Bertoletti g...@symbolic.it wrote: Hello, unfortunately I'm still fighting with the compiler to rebuild the engine_pkcs11 library (under Windows / Mingw or Visual C++). Once I get it to work, I would be happy to supply the patch (shouldn't take too long to patch). To be more accurate I cannot link the OpenSSL libraries to libp11 because mingw produced a libcrypto.a while libtool expects a .lo object. Giulio. On 10/05/2011 9.24, Martin Paljak wrote: Hello, On May 10, 2011, at 10:02 , Giuliano Bertoletti wrote: A list of CK_SLOT_IDs is returned by C_GetSlotList. A priori, any value of CK_SLOT_ID can be a valid slot identifier—in particular, a system may have a slot identified by the value 0. It need not have such a slot, however. Notice also that by matching the supplied value against slot_index you won't lose anything in case slot_index = slot_id. For real life use, both fixed slot ID-s and fixed slot indexes seem to be necessary (have a look at pkcs11-tool) To make it simple: do you have a patch, that fixes both cases (so that a slot index and a hardcoded slot ID can be used)? -- Giuliano Bertoletti Pre-Sales Engineer - Technological Dept. Symbolic S.p.A. Viale Mentana, 29 I-43121 - Parma Tel. +39 0521 708811 Mob. +39 346 8749890 Fax +39 0521 776190 g...@symbolic.it www.symbolic.it ___ opensc-devel mailing list opensc-devel@lists.opensc-project.org http://www.opensc-project.org/mailman/listinfo/opensc-devel
Re: [opensc-devel] Bug in engine_pkcs11
This is a matter of interpretation. Neither is constant and the user is not supposed to know of them. Apart from the special case of having a single slot, so you expect 0 I presume. You can check which slot is what simply by using: pkcs11-tool --list-slots --module /usr/lib/pkcs11/ On Mon, May 9, 2011 at 7:51 PM, Giuliano Bertoletti g...@symbolic.it wrote: Hello, I think I've found a bug in the OpenSSL engine_pkcs11. The slot_index supplied from the command line to OpenSSL and actually directed to engine_pkcs11, is incorrectly parsed by the latter which treats it as if it were the slot_id. Most pkcs#11 implementations assume slot_index = slot_id, so there are no issues in these cases. However some implementations (for example the nCipher Hardware Security Modules product line I'm working with) do not follow such convention (the pkcs#11 does not require that). For example to access slot#0 with such devices, I need to issue something like: openssl req -config ./openssl.cnf -new -out ncipher.pem -days 365 -engine pkcs11 -keyform engine -key slot_761406613 because nCipher's C_GetSlotList adds a constant before filling the array returned by C_GetSlotList: i.e.: slot_id[index] = 761406613 + index. That could be easily corrected in engine_pkcs11 by checking the slot_index supplied against the array index rather than the array value returned by C_GetSlotList. Consider that in no way is the user supposed to know the slot_ids. They're internal values to be treated as opaque pointers that the library gives to the driving application and that the application is supposed to later return as they are: (i.e. typically for accessing slots with C_OpenSession or C_GetSlotInfo) Kind Regards, Giuliano Bertoletti -- Giuliano Bertoletti Pre-Sales Engineer - Technological Dept. Symbolic S.p.A. Viale Mentana, 29 I-43121 - Parma Tel. +39 0521 708811 Mob. 
+39 346 8749890 Fax +39 0521 776190 g...@symbolic.it www.symbolic.it ___ opensc-devel mailing list opensc-devel@lists.opensc-project.org http://www.opensc-project.org/mailman/listinfo/opensc-devel ___ opensc-devel mailing list opensc-devel@lists.opensc-project.org http://www.opensc-project.org/mailman/listinfo/opensc-devel
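The slot-id versus slot-index distinction from the report above, as an added example that is not engine_pkcs11, libp11 or OpenSC code. The slot lists are constructed to mimic the two numbering schemes described (OpenSC-style IDs starting at 0, and the nCipher-style IDs of 761406613 + index); the `slot_<id>` form is the one used in the report, while the `slotindex_` and `slotdesc_` spellings are hypothetical syntax chosen here to show that each lookup must say explicitly what it matches. The description match is the only one of the three that survives a slot list being renumbered between runs, which is the alternative Alon points at in the reply before this one.

```python
"""Slot lookup by CK_SLOT_ID, by array index and by description. Added
example modelling the engine_pkcs11 report; slot lists are constructed and
the slotindex_/slotdesc_ spellings are hypothetical, not engine options."""
from collections import namedtuple

SlotInfo = namedtuple("SlotInfo", "slot_id description")


def fake_get_slot_list(base):
    """Constructed C_GetSlotList: slot IDs are base + index, as reported for
    the nCipher module (base 761406613); OpenSC-style modules start at 0."""
    descriptions = ["nCipher accelerator slot", "nCipher smartcard slot"]
    return [SlotInfo(base + i, d) for i, d in enumerate(descriptions)]


def buggy_resolve(slots, number):
    """Behaviour described in the report: the number the user meant as an
    index is compared against CK_SLOT_ID values. Works only when id == index."""
    for s in slots:
        if s.slot_id == number:
            return s
    return None


def resolve_slot(slots, spec):
    """Resolve a slot specifier; every form states what it matches.
      slot_<id>        CK_SLOT_ID as returned by C_GetSlotList (form used in the report)
      slotindex_<n>    position in the C_GetSlotList array (hypothetical syntax)
      slotdesc_<text>  exact slot description, stable across runs (hypothetical syntax)
    Exactly one slot must match; zero or several is an error, never a guess."""
    kind, sep, value = spec.partition("_")
    if not sep:
        raise ValueError(f"malformed slot spec: {spec!r}")
    if kind == "slot":
        sid = int(value)
        matches = [s for s in slots if s.slot_id == sid]
    elif kind == "slotindex":
        idx = int(value)
        matches = [slots[idx]] if 0 <= idx < len(slots) else []
    elif kind == "slotdesc":
        matches = [s for s in slots if s.description == value]
    else:
        raise ValueError(f"unknown slot spec kind: {kind!r}")
    if len(matches) != 1:
        raise LookupError(f"{spec!r} matched {len(matches)} slots, need exactly 1")
    return matches[0]


if __name__ == "__main__":
    for name, base in (("OpenSC-style", 0), ("nCipher-style", 761406613)):
        slots = fake_get_slot_list(base)
        print(f"{name}: buggy_resolve(0) -> {buggy_resolve(slots, 0)}")
        print(f"{name}: slotindex_0     -> {resolve_slot(slots, 'slotindex_0')}")
```

Run it and the OpenSC-style list resolves index 0 either way, while on the nCipher-style list `buggy_resolve(slots, 0)` finds nothing and only the explicit index or description form reaches the first slot.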
Re: [opensc-devel] OpenSC shared mode
1. Firefox behaves correctly, it opens a long living session with the crypto token, in order to reduce the number of times the user is prompted for a passphrase. 2. Firefox monitors slots, to be able to detect new certificate availability so it can prompt the user for one if requested. It is true that it can be done each time a signature operation is required, however, it would be much slower to do so. 3. Firefox may use the monitor (I am almost sure it is not implemented) in order to disconnect TLS/SSL sessions once the token is removed. --- What a PKCS#11 provider should do is to allow single authentication of the application while authenticating each transaction with the card, aka stateless operation. This approach is problematic with PINPAD readers, as the user will be required to enter the PIN for each operation. However, there are some advanced cards that can generate an authentication token, so you can actually authenticate once using the PIN, get an authentication token out of the card (many can be available at the same time), then each transaction is authenticated using these tokens. This approach solves the PINPAD issue and BIO issues. Alon. On Sat, May 7, 2011 at 7:08 PM, Juan Antonio Martinez jons...@terra.es wrote: El sáb, 07-05-2011 a las 08:01 +0200, Frank Morgner escribió: Hi! [...] In your example, Juan, you say that Firefox calls C_Init to initialize the card for pkcs11. I'm not an expert for p11, but is it really needed to actually lock the card on initialization and keep an established connection? 
Neither am I an expert :-), but my feeling is not: Traces on Firefox show this flow: - At starting FF: C_Initialize C_GetInfo - Then FF enters an infinite loop of: C_GetSlotList C_GetSlotInfo C_WaitForSlotEvent - When a card is inserted: C_OpenSession C_GetSessionInfo And returns to the previous loop. At exit: C_CloseAllSessions C_Finalize I can't see a real reason to do any lock for just a simple polling task nor a problem for a concurrent p11 session at this stage. Moreover, I don't understand why FF needs to monitor slots when no p11 task is requested/needed. In fact google says a lot about many links against this feature. Juan Antonio ___ opensc-devel mailing list opensc-devel@lists.opensc-project.org http://www.opensc-project.org/mailman/listinfo/opensc-devel ___ opensc-devel mailing list opensc-devel@lists.opensc-project.org http://www.opensc-project.org/mailman/listinfo/opensc-devel
Re: [opensc-devel] OpenSC shared mode
On Sat, May 7, 2011 at 10:57 PM, Peter Stuge pe...@stuge.se wrote: Alon Bar-Lev wrote: However, there are some advanced cards that can generate authentication token, so you can actually authenticate once using PIN, get authentication token out of the card (many can be available at same time), then each transaction is authenticated using these tokens. This approach solves the PINPAD issue and BIO issues. And this works because the p11 library stores these cookies associated with each incoming p11 user?
One to one corresponding with C_Login(). This also has the advantage of not locking the card when PIN is changed. If PKCS#11 library caches the PIN, and uses it each time to perform card transactions. You have for example Firefox, OpenVPN, GnuPG running. You change the PIN via cmd-line, then each application attempts to sign, each bails out at 1st failure, but after the 3rd accumulative attempt the card is locked. To solve this, the PKCS#11 provider may use some file in /var/tmp to notify all instances when this event occurs so all instances may drop the current PIN. However, this will not work if one uses remote sessions, such as remote desktop with PC/SC channel.
The authentication cookie solves above, PINPAD, BIO efficiently, however it requires card to support it. You get a cookie out of PIN/PINPAD operation/BIO match. The cookie is valid as long as card is powered on and policy permits. Policy may state that once PIN is changed all cookies are invalidated or not. You may use the cookie instead of PIN in all object access operations, so you can use stateless transactions, while never locking the card by mistake, minimizing the user interaction required during PINPAD/BIO operations.
Alon.
___ opensc-devel mailing list opensc-devel@lists.opensc-project.org http://www.opensc-project.org/mailman/listinfo/opensc-devel
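The failure mode Alon describes in this message (three applications each holding a stale cached PIN, the card locked after the third accumulated failure) and the authentication-cookie alternative, carried through as an added example in Go. This is not code from the thread, from OpenSC or from any card vendor: the Card type, its retry counter of 3, the revokeOnChange policy flag and the three cached-PIN entries standing in for Firefox, OpenVPN and GnuPG are all constructed for the illustration, and a real card enforces its counter in firmware rather than in host code.

```go
package main

import (
	"crypto/rand"
	"crypto/subtle"
	"encoding/hex"
)

const maxRetries = 3 // the "3rd accumulative attempt" from the thread locks the card

// Card is a constructed model of a token with a retry counter and card-issued cookies.
type Card struct {
	pin            string
	retries        int
	locked         bool
	cookies        map[string]bool
	revokeOnChange bool // policy: does a PIN change invalidate outstanding cookies?
}

func NewCard(pin string, revokeOnChange bool) *Card {
	return &Card{pin: pin, retries: maxRetries, cookies: map[string]bool{}, revokeOnChange: revokeOnChange}
}

// VerifyPIN is the PIN-per-transaction path: a wrong PIN from any application
// decrements the single counter the card has.
func (c *Card) VerifyPIN(pin string) bool {
	if c.locked {
		return false
	}
	if subtle.ConstantTimeCompare([]byte(pin), []byte(c.pin)) == 1 {
		c.retries = maxRetries
		return true
	}
	c.retries--
	c.locked = c.retries == 0
	return false
}

// IssueCookie performs one PIN verification and returns a random cookie that
// later transactions present instead of the PIN.
func (c *Card) IssueCookie(pin string) (string, bool) {
	if !c.VerifyPIN(pin) {
		return "", false
	}
	b := make([]byte, 16)
	rand.Read(b) // crypto/rand is documented never to fail
	cookie := hex.EncodeToString(b)
	c.cookies[cookie] = true
	return cookie, true
}

// SignWithCookie refuses a stale cookie but never touches the retry counter:
// no PIN was presented, so nothing can count as a failed PIN attempt.
func (c *Card) SignWithCookie(cookie string) bool {
	return !c.locked && c.cookies[cookie]
}

// ChangePIN is the "PIN changed from the command line" event.
func (c *Card) ChangePIN(oldPIN, newPIN string) bool {
	if !c.VerifyPIN(oldPIN) {
		return false
	}
	c.pin = newPIN
	if c.revokeOnChange {
		c.cookies = map[string]bool{}
	}
	return true
}

// PINCacheScenario: three applications cached the PIN at login, the PIN is changed
// underneath them, each fails once on its next signature, and the third
// accumulated failure locks the card for all of them.
func PINCacheScenario() (failures int, locked bool) {
	card := NewCard("1234", false)
	cached := []string{"1234", "1234", "1234"} // what firefox, openvpn and gnupg remember
	card.ChangePIN("1234", "5678")
	for _, pin := range cached {
		if !card.VerifyPIN(pin) {
			failures++
		}
	}
	return failures, card.locked
}

// CookieScenario: the same applications hold cookies instead. Whether they keep
// working after the PIN change is card policy; either way nothing gets locked.
func CookieScenario(revokeOnChange bool) (succeeded int, locked bool) {
	card := NewCard("1234", revokeOnChange)
	var cookies []string
	for i := 0; i < 3; i++ {
		if ck, ok := card.IssueCookie("1234"); ok {
			cookies = append(cookies, ck)
		}
	}
	card.ChangePIN("1234", "5678")
	for _, ck := range cookies {
		if card.SignWithCookie(ck) {
			succeeded++
		}
	}
	return succeeded, card.locked
}
```

PINCacheScenario returns 3 failures and a locked card; CookieScenario(false) returns 3 successful signatures and CookieScenario(true) none, but neither locks the card, which is the property the message is after: a stale credential costs the application a refused operation, not the user a blocked token.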
Re: [opensc-devel] OpenSC shared mode
On Fri, May 6, 2011 at 5:24 PM, Martin Paljak mar...@martinpaljak.net wrote: Hello, On May 6, 2011, at 17:16 , Jean-Michel Pouré - GOOZE wrote: I wonder if there is not a problem in shared mode or if we should not ask users to use exclusive mode only. For the sake of usability, exclusive mode should only be used *if needed*. From security perspective, it does not really matter, because if your host is compromised, such software tricks are worthless. But daily smart card usage usually means using different applications.
This is incorrect. Computer may be compromised in so many levels. It is true that if someone has total (root) control over the computer, he may do whatever. However, other non-privileged user MUST NOT be able to gain access to resources used by other users.
Well, you can argue: if I modify the access to readers to a specific user, then no other user can access the device anyway. If this is enough for users, let it be. I don't think it is enough, as this state is not much different than using file based cryptography. I know we do not agree on this, but I have never seen hardware cryptography using any similar assumption.
Some References:
http://www.mail-archive.com/opensc-devel@lists.opensc-project.org/msg05689.html
http://www.opensc-project.org/opensc/ticket/186
http://www.opensc-project.org/pipermail/opensc-devel/2008-December/011525.html
http://www.opensc-project.org/pipermail/opensc-user/2008-July/002561.html
http://www.opensc-project.org/mailman/private/opensc-internal/2008-June/000335.html
Discussion with Nils 5/2008, a prototype option, we agreed this is fundamental problem of the project, but neither had resources to actually solve it.
Regards, Alon Bar-Lev.
___ opensc-devel mailing list opensc-devel@lists.opensc-project.org http://www.opensc-project.org/mailman/listinfo/opensc-devel
Re: [opensc-devel] usb p11 token
On Tue, Apr 26, 2011 at 1:23 PM, Peter Stuge pe...@stuge.se wrote: Alon Bar-Lev wrote: it would be better to emulate some standard interface, such as serial over USB. Absolutely not.
I would not dismiss this entirely... Serial over USB has the advantage to work on all modern operating systems, including Windows (PKCS#11 only not mini CSP). While implementing all logic within userspace.
The same is true for a vendor specific USB interface thanks to libusb. Most importantly, the vendor specific interface allows to take full advantage of the packet based nature of USB and built-in structured communication. The protocol comes for free and does not need to be implemented on top of an idiotic stream emulation on top of a packet protocol.
I don't think a device that won't work in Windows, or will force writing kernel level driver is something that is usable. Also using libusb is much more difficult than using a plain tty. I really see a lot of advantages of using the most primitive channel for communication. For example, the exact same protocol may be used over TCP/SSH socket. Or can be proxied to remote ssh session. While direct usage of libusb forces local communications.
Serial over USB has also the potential to be a very secured implementation. That's BS. No device class is more or less secure than any other. The only purpose of device classes is to bind a common driver to the device. In this case there exists no fitting driver, so vendor specific is the only correct choice.
The security is derived from the complexity of the implementation. Adding libusb dependency (on both sides) and more complex code of handling the device allocation, makes the probability of security issues higher.
Or maybe you suggest exposing a PKCS#15 filesystem using MSC? I thought about exposing the device using standard interfaces. Yes, accessing the file system can be done using MSC. Performing private key operations can be done using serial.
However, I do not recommend using MSC as it won't allow to proxy the device into a remote location.
And need to deal with channel encryption secured messaging is not this strong... Encrypt away. No problem.
I did not find a decent solution for this, mind sharing your view? How can two parties communicate with each other while having nothing in common? PGP/SSH like manual key exchange may be used, but it is too complex for most users.
After solving the above, it is all about PKCS#11 API serialization. Most of the PKCS#11 objects may be loaded into the host computer. Only private key operations should be serialized and sent to device in runtime. Proper definition of the communication interface of the device will enable people to provide compatible hardware. Which would be great. I basically have PKCS#11 over USB in mind. There may need to be a few tweaks, but not too many I think.
PKCS#11 is an API, not a protocol... In order to share the device and in order to perform device authentication you need to define a protocol. What I have in mind is to pull all objects from the device into main computer and implement PKCS#11 locally, while delegating only private key operations to the device. This way you have much faster implementation, and a very simple protocol implementation. However, this protocol has little to do with PKCS#11...
Alon.
___ opensc-devel mailing list opensc-devel@lists.opensc-project.org http://www.opensc-project.org/mailman/listinfo/opensc-devel
Re: [opensc-devel] usb p11 token
Just wanted to note that exposing such device to IP stack makes it a target to hack, packaging is much more difficult. Also, that in crypto caching is not a problem as 99.99% of time the content of the crypto device is constant. About using USB directly, well, I disagree... I see this much like GPS device, with a simple optional multiplexer for applications (local and remote). We discussed PKCS#11 forwarding some time ago [1] and some time before. Implementation of hardware independent stream protocol will allow using crypto in many scenarios (serial, USB, unix sockets, tcp, ssh) with the PKCS#11 forwarding features built-in. Just a thought... but any implementation will do.
[1] http://www.mail-archive.com/opensc-devel@lists.opensc-project.org/msg01733.html
On Tue, Apr 26, 2011 at 3:44 PM, NdK ndk.cla...@gmail.com wrote: On 26/04/2011 11:28, Alon Bar-Lev wrote:
Since speed is quite critical, I was thinking to use something like G20 Fox Board ( http://acmesystems.com/ ). It's surely not cheap (anyway it can be WAY cheaper than other solutions), but it's tiny, fast (400MHz ARM9), can work as USB device (and host, maybe to keep a master key on a standard smart card used only once at boot time), can accommodate a (small) display and many keys, and there's a module with an FPGA if you want/need to implement some crypto acceleration in HW. There's even an Ethernet port (better not to use it... :) ). Too bad USB runs at most at 12Mbps, but that shouldn't be an issue.
There is no reference for this board in the link you sent.
Oops! Sorry: http://acmesystems.it ! Translated first level domain too :(
It would be a great solution if the device will be very small and run Linux! It would be lovely to have PIN keypad and BIO reader on board as-well.
There are a lot of IO lines available. Just don't count too much on serial (UART) interfaces: known to have some speed problems (should be fixed soon, BTW).
However, I want to raise some issues. Developing an implementation that directly accesses the USB device imposes a fundamental security issue. As it requires the user to have special privilege. It is true that on modern linux, udev can deal with some device privilege settings, but it would be better to emulate some standard interface, such as serial over USB.
Possible, but I'm sure we can come to something better :) Encapsulating too many protocols one inside the other always gives troubles. [...]
Then you need to deal with device sharing. Stateless implementation (connect, operate, disconnect) would solve this, while creating some authentication cookie with the device.
I'm usually not for stateless implementations for stateful devices. To avoid DoS attacks, state can be kept (for a reasonable time) by client, in encrypted form.
And need to deal with channel encryption secured messaging is not this strong...
Since it's a completely new device with its own protocol, it's even possible to do something like:
- get device's cert (or public key) together with an encrypted nonce
- send it your cert (or public key) and another nonce
- get first nonce's decryption key, encrypted under your public key and signed by device
- set up session key as a hash of the two nonces
- use this session key for the rest of the session
But maybe it's a bit overkill: USB is enough point-to-point (much more than standard card interface, that could be received from a certain distance by its interferences...).
And last, power management should be applied, so device will be able to be powered down while inactive. This should be simple if stateless mode is used and if authentication cookies are stored in non-volatile memory.
That's one of the last problems... It consumes so little (and aims a target where power saving is not really a priority) that you can simply use internal powersaving. Even if it gets detached, it's like if you detach a smart card while in use.
After solving the above, it is all about PKCS#11 API serialization. Most of the PKCS#11 objects may be loaded into the host computer. Only private key operations should be serialized and sent to device in runtime.
Well, since you can have up to *16GB* memory (SDHC) on that device, storing objects is not a real problem :)
BYtE, Diego.
___ opensc-devel mailing list opensc-devel@lists.opensc-project.org http://www.opensc-project.org/mailman/listinfo/opensc-devel
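The five-step exchange NdK sketches in the message above, carried through as an added example in Go; it is not code from the thread, from OpenSC or from any of the projects mentioned. Flight 1 seals nonce1 under a fresh AES-GCM key k, flight 3 wraps k for the host with RSA-OAEP and signs it with RSA-PSS, and both ends derive the session key as a hash of the two nonces. Two points go beyond the sketch and are assumptions of this example: the device's signature also covers nonce2, so a flight 3 captured in one session does not verify in another, and the "cert" check is modelled as a device public key the host was provisioned with beforehand (the trusted field), since the sketch leaves the trust anchor open. The Device, Host, Flight1/2/3, Finish and RunHandshake names are constructed here.

```go
package main

import (
	"bytes"
	"crypto"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
)

// Device state: its key pair, the one-time key k, and the two nonces.
type Device struct{ key *rsa.PrivateKey; k, nonce1, nonce2 []byte }

// Host state; trusted is the device key provisioned beforehand (stands in for the cert check).
type Host struct{ key *rsa.PrivateKey; trusted *rsa.PublicKey; nonce2, encNonce1 []byte }

func randBytes(n int) []byte {
	b := make([]byte, n)
	rand.Read(b) // crypto/rand is documented never to fail
	return b
}

// kdf hashes label||a||b; the label keeps the signed transcript and the session key apart.
func kdf(label string, a, b []byte) []byte {
	h := sha256.Sum256(append(append([]byte(label), a...), b...))
	return h[:]
}

// Flight 1 (device -> host): public key plus nonce1 sealed under a fresh key k,
// so the device is committed to nonce1 before it ever sees nonce2.
func (d *Device) Flight1() (devPub *rsa.PublicKey, encNonce1 []byte) {
	d.k, d.nonce1 = randBytes(32), randBytes(32)
	block, _ := aes.NewCipher(d.k) // 32-byte key: cannot fail
	aead, _ := cipher.NewGCM(block)
	iv := randBytes(aead.NonceSize())
	return &d.key.PublicKey, aead.Seal(iv, iv, d.nonce1, nil)
}

// Flight 2 (host -> device): refuse an unknown device key, then send our key and nonce2.
func (h *Host) Flight2(devPub *rsa.PublicKey, encNonce1 []byte) (*rsa.PublicKey, []byte, error) {
	if !devPub.Equal(h.trusted) {
		return nil, nil, errors.New("device key is not the trusted one")
	}
	h.encNonce1, h.nonce2 = encNonce1, randBytes(32)
	return &h.key.PublicKey, h.nonce2, nil
}

// Flight 3 (device -> host): k wrapped for the host (RSA-OAEP) and signed (RSA-PSS)
// together with nonce2, so a flight 3 replayed from another session does not verify.
func (d *Device) Flight3(hostPub *rsa.PublicKey, nonce2 []byte) (wrapped, sig []byte, err error) {
	d.nonce2 = nonce2
	if wrapped, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, hostPub, d.k, nil); err != nil {
		return nil, nil, err
	}
	sig, err = rsa.SignPSS(rand.Reader, d.key, crypto.SHA256, kdf("transcript", wrapped, nonce2), nil)
	return wrapped, sig, err
}

// Finish (host): verify the signature, unwrap k, open nonce1, derive the session key.
func (h *Host) Finish(wrapped, sig []byte) ([]byte, error) {
	if err := rsa.VerifyPSS(h.trusted, crypto.SHA256, kdf("transcript", wrapped, h.nonce2), sig, nil); err != nil {
		return nil, err
	}
	k, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, h.key, wrapped, nil)
	if err != nil || len(k) != 32 || len(h.encNonce1) < 12 {
		return nil, errors.New("unwrap failed")
	}
	block, _ := aes.NewCipher(k) // k is the 32 bytes the device sealed with, so this cannot fail
	aead, _ := cipher.NewGCM(block)
	nonce1, err := aead.Open(nil, h.encNonce1[:12], h.encNonce1[12:], nil)
	if err != nil {
		return nil, err
	}
	return kdf("session", nonce1, h.nonce2), nil
}

// RunHandshake drives both ends in-process and reports whether they agree on the
// session key; trustDevice=false provisions the host with the wrong key instead.
func RunHandshake(trustDevice bool) (bool, error) {
	gen := func() *rsa.PrivateKey { k, _ := rsa.GenerateKey(rand.Reader, 2048); return k }
	dev, host := &Device{key: gen()}, &Host{key: gen()}
	host.trusted = &dev.key.PublicKey
	if !trustDevice {
		host.trusted = &host.key.PublicKey
	}
	hostPub, nonce2, err := host.Flight2(dev.Flight1())
	if err != nil {
		return false, err
	}
	wrapped, sig, err := dev.Flight3(hostPub, nonce2)
	if err != nil {
		return false, err
	}
	hostView, err := host.Finish(wrapped, sig)
	return err == nil && bytes.Equal(hostView, kdf("session", dev.nonce1, dev.nonce2)), err
}
```

RunHandshake(true) returns true once both ends hold the same session key; RunHandshake(false) gives the host the wrong device key and the exchange is refused at flight 2 instead of running on to a key the host cannot attribute to anyone. The handshake only protects the channel; what the device does with a session afterwards is the stateless-transaction and cookie question discussed earlier in the thread.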
Re: [opensc-devel] Broadcom 5880 in openct.conf
Although I am in favor of improving openct, I agree with Martin in this case. The most CCID compliant library we have is libccid, first work out the problem with libccid. It may be that openct's CCID implementation works for you as it is much simpler and uses a smaller set of features.
On Mon, Apr 25, 2011 at 11:20 AM, Martin Paljak mar...@martinpaljak.net wrote: Hello, On Apr 25, 2011, at 11:09 , Stef Walter wrote: I've heard that openct may not be that relevant any more, but in any case here's an OpenCT patch to add support for the smart card reader in my laptop. Should I put this in the opensc trac, or does it go somewhere else?
The device you have should be CCID [1], but with issues. Maybe your firmware is newer and/or the reported problem is already fixed now. Check the descriptor to be sure [2]. As most applications (including OpenSC) want to talk PC/SC to your reader by default, you would save yourself some trouble by using pcsc-lite+libccid instead. I don't know if maintaining a separate, smaller and not so well checked list of CCID devices in openct.conf is a very good idea. There's one maintained by Ludovic [3] and I believe it is the most comprehensive list available.
Cheers, Martin
[1] http://pcsclite.alioth.debian.org/ccid/unsupported.html#0x0A5C0x5801
[2] http://pcsclite.alioth.debian.org/ccid.html#CCID_compliant
[3] http://pcsclite.alioth.debian.org/ccid/section.html
-- @MartinPaljak.net +3725156495
___ opensc-devel mailing list opensc-devel@lists.opensc-project.org http://www.opensc-project.org/mailman/listinfo/opensc-devel
Re: [opensc-devel] make maintainer-clean patch
Applied. Thanks. On Mon, Apr 25, 2011 at 12:39 PM, jons...@terra.es jons...@terra.es wrote: Seems that make maintainer-clean forgets to delete trunk/MacOSX/Makefile.in file This patch does the work: --- ../trunk/MacOSX/Makefile.am 2011-04-21 11:33:09.0 +0200 +++ mine/MacOSX/Makefile.am 2011-04-25 11:26:32.0 +0200 @@ -1,3 +1,4 @@ +MAINTAINERCLEANFILES = $(srcdir)/Makefile.in EXTRA_DIST = build build-package.in libtool-bundle opensc-uninstall \ 10.5/resources \ 10.5/resources/background.jpg \ Juan Antonio ___ opensc-devel mailing list opensc-devel@lists.opensc-project.org http://www.opensc-project.org/mailman/listinfo/opensc-devel
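Review bot: the one added line does what the report asks: `$(srcdir)/Makefile.in` is the file automake generates from this Makefile.am, and MAINTAINERCLEANFILES is the conventional place to list it so that `make maintainer-clean` removes it. Worth checking whether other Makefile.am files in the tree omit the same line, since the report only covers trunk/MacOSX; otherwise the same stale Makefile.in problem reappears one directory at a time.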
Re: [opensc-devel] OpenCT source repository
Should be same as opensc just openct. On 4/22/11, Stef Walter st...@collabora.co.uk wrote: Hi guys, Is there an openct git repository somewhere? I couldn't find it at the 'Subversion Repository' page [1] I'm fiddling with my Broadcom 5880 smart card reader, and want to whip up a small patch. Cheers, Stef [1] http://www.opensc-project.org/opensc/wiki/SubversionRepository ___ opensc-devel mailing list opensc-devel@lists.opensc-project.org http://www.opensc-project.org/mailman/listinfo/opensc-devel
Re: [opensc-devel] Compiling for windows in Fedora 14
On Thu, Mar 31, 2011 at 1:34 PM, Martin Paljak mar...@martinpaljak.net wrote: 2- In building process a strip error is found: - i686-pc-mingw32-strip: unable to copy file '/home/jantonio/work/dnie/opendnie/opensc-opendnie/trunk/win32/build/image/opensc/lib/engines/gosteay32.dll'; reason: Permission denied Seems that openssl lib files are created with 0555 permissions, so cannot be stripped. Is this normal? Probably not. But it is harmless IMO.
Harmless, and expected in some cases.
Alon.
___ opensc-devel mailing list opensc-devel@lists.opensc-project.org http://www.opensc-project.org/mailman/listinfo/opensc-devel
Re: [opensc-devel] [opensc-commits] svn build changed[112] Update openvpn patch
To be able to build it using a cross compiler. Submitted to upstream several times.
2011/3/8 Jean-Michel Pouré - GOOZE jmpo...@gooze.eu: On Friday 04 March 2011 at 21:02 +, webmas...@opensc-project.org wrote: trunk/patches/openvpn-001-windows.patch Sorry to ask a silly question, but what is this OpenVPN patch for? -- Jean-Michel Pouré - Gooze - http://www.gooze.eu
___ opensc-devel mailing list opensc-devel@lists.opensc-project.org http://www.opensc-project.org/mailman/listinfo/opensc-devel
Re: [opensc-devel] pkcs11-helper and pkcs11h_logout
OK. Thanks. I added similar solution.
On Wed, Feb 23, 2011 at 12:41 PM, Jan Just Keijser janj...@nikhef.nl wrote: hi all, there's an OpenVPN bug report that is traced back to an issue with pkcs11h_logout; it seems that if you call this function before initializing the pkcs11 libs then it segfaults. I've added a line pkcs11h_logout() to the tests/test-basic/test-basic.c file from the pkcs11-helper 1.07 tree and can reproduce this behaviour. The offending piece of code is
1058 CK_RV
1059 pkcs11h_logout (void) {
1060 	_pkcs11h_session_t current_session = NULL;
1061 	CK_RV rv = CKR_OK;
1062
1063 	_PKCS11H_DEBUG (
1064 		PKCS11H_LOG_DEBUG2,
1065 		"PKCS#11: pkcs11h_logout entry"
1066 	);
1067
1068 	for (
1069 		current_session = _g_pkcs11h_data->sessions;
1070 		current_session != NULL;
1071 		current_session = current_session->next
1072 	) {
1073 		CK_RV _rv;
A simple pointer check solves the issue:
--- pkcs11-helper-1.07/lib/pkcs11h-core.c 2009-02-27 04:04:36.0 +0100 +++ pkcs11-helper-1.07jjk/lib/pkcs11h-core.c 2011-02-23 11:39:14.0 +0100 @@ -1065,6 +1065,10 @@ PKCS#11: pkcs11h_logout entry ); + if (_g_pkcs11h_data == NULL) { + return rv; + } + for ( current_session = _g_pkcs11h_data-sessions; current_session != NULL;
I hope someone can incorporate this patch into the pkcs11-helper sources. thx, JJK / Jan Just Keijser
___ opensc-devel mailing list opensc-devel@lists.opensc-project.org http://www.opensc-project.org/mailman/listinfo/opensc-devel
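Review bot: the early return added at the top of pkcs11h_logout reports rv, which is still CKR_OK at that point, so a caller that logs out before the library was ever initialized gets a success code for a no-op; returning CKR_CRYPTOKI_NOT_INITIALIZED, the standard PKCS#11 code for exactly this situation, would let OpenVPN tell the two cases apart. The check also sits after the _PKCS11H_DEBUG call rather than at function entry, which is only safe as long as that macro never touches _g_pkcs11h_data; moving the `if (_g_pkcs11h_data == NULL)` test above it removes that dependency on the macro's implementation.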
Re: [opensc-devel] pkcs11-helper and pkcs11h_logout
Today?
On Wed, Feb 23, 2011 at 1:32 PM, Jan Just Keijser janj...@nikhef.nl wrote: Alon Bar-Lev wrote: OK. Thanks. I added similar solution. Excellent, thanks. Any idea when the next version of pkcs11-helper is released? cheers, JJK / Jan Just Keijser [...]
___ opensc-devel mailing list opensc-devel@lists.opensc-project.org http://www.opensc-project.org/mailman/listinfo/opensc-devel
Re: [opensc-devel] pkcs11-helper and pkcs11h_logout
OK. Released. Please test, there was a change in the usage of openssl engine.
On Wed, Feb 23, 2011 at 1:45 PM, Jan Just Keijser janj...@nikhef.nl wrote: Alon Bar-Lev wrote: Today? Wow - that is far quicker than I expected. Again, many thanks for such a quick response. cheers, JJK / Jan Just Keijser [...]
___ opensc-devel mailing list opensc-devel@lists.opensc-project.org http://www.opensc-project.org/mailman/listinfo/opensc-devel
Re: [opensc-devel] Building cardmod Mindriver using Build environment
At build script there is a comment:
# Disable until we solve license issue
# if [ -n "${BUILD_FOR_WINDOWS}" ]; then
#     extra_opensc="${extra_opensc} --enable-cardmod"
# fi
I have modified cardmod.h to meet mingw, but it was removed at revision 101 due to license issue.
2011/1/14 Douglas E. Engert deeng...@anl.gov: I am trying to build the cardmod Windows Minidriver using the http://www.opensc-project.org/opensc/wiki/MiniDriver and http://www.opensc-project.org/build/ and an svn checkout of the build trunk. François sent me a prebuilt package last night that I may also try. But I have some questions about the version of the cngsdk.msi to be used.
Build environment: Ubuntu Lucid 32 bit, gcc-mingw32 4.4.2-3, mingw32-binutils 2.20-0.1, nsis 2.46-1
Test environment: Vista 32 bit
Build command: IMAGEROOT=`pwd`/image-win32 CHOST=i586-mingw32msvc CBUILD=x86_64-pc-linux-gnu ./build
Without cardmod the OpenSC package builds opensc-i586-mingw32msvc-010-setup.exe This installs on Vista, and pkcs11-tool appears to work as expected with my PIV cards. One minor change was needed to build.vars:
-OPENSC_VERSION=${OPENSC_VERSION:-0.12}
+OPENSC_VERSION=${OPENSC_VERSION:-0.12.0}
But to get cardmod to build, required some additional changes to the build script (and it needs some more) but that is not the main point of this note. As instructed to do in the opensc/wiki/MiniDriver pages, I copied SCardErr.h, WinSCard.h, WinSmCrd.h from Microsoft SDK v5.0 and (renamed to lowercase) and the cardmod.h from the cnsgk.msi Version 2.0.0 published 4/27/2009 Is this the version of the cngsgk.msi to use? I see there may be a 1.3.0 version also available? With the 2.0.0 version I also need to copy the bcrypt.h file, and the compiler was having errors with the cardmod.h and bcrypt.h So I hacked the cardmod.h as it was doubling defining CARD_DATA, *PCARD_DATA and commented out the #include bcrypt.h and copied 4 lines from bcrypt.h to cardmod-mingw-compat.h to define BCRYPT_PKCS1_PADDING_INFO.
Is there some issue with the compiler I am using that requires the changes to the cardmod.h file? Does the 1.3.0 cardmod.h have the same issues? The build/nsis scripts did not include cardmod.dll or the registry files which I have not looked at yet.
-- Douglas E. Engert deeng...@anl.gov Argonne National Laboratory 9700 South Cass Avenue Argonne, Illinois 60439 (630) 252-5444
___ opensc-devel mailing list opensc-devel@lists.opensc-project.org http://www.opensc-project.org/mailman/listinfo/opensc-devel
Re: [opensc-devel] Building cardmod Mindriver using Build environment
2011/1/14 Douglas E. Engert deeng...@anl.gov: If the license issues can not be addressed, then maybe cardmod could be built as a separate package by the user.
In a perfect world, it would have been possible to write cardmod that uses PKCS#11 interface, to enable any PKCS#11 provider to be used by CryptoAPI. The problem is that Microsoft specification is faulty, so changes within the opensc core are needed.
Alon.
___ opensc-devel mailing list opensc-devel@lists.opensc-project.org http://www.opensc-project.org/mailman/listinfo/opensc-devel
Re: [opensc-devel] [opensc-commits] svn opensc changed[4776] Don't dump wiki content into distribution package.
Martin, Waiting for your decision.
On Mon, Sep 27, 2010 at 1:34 PM, Alon Bar-Lev alon.bar...@gmail.com wrote: [...]
___ opensc-devel mailing list opensc-devel@lists.opensc-project.org http://www.opensc-project.org/mailman/listinfo/opensc-devel
Re: [opensc-devel] [opensc-commits] svn opensc changed[4776] Don't dump wiki content into distribution package.
On Tue, Oct 5, 2010 at 7:12 PM, Martin Paljak mar...@paljak.pri.ee wrote: Personally I don't mind simplicity in build files. 99% of people run binaries or packages, 99% of people who don't run binary packages on Linux know what they are doing. Or won't mind downloading an extra few packages or not having the man pages. Don't really have a preference. It's your call :) OK... So I prefer to remove all the hacks. Doing this now. ___ opensc-devel mailing list opensc-devel@lists.opensc-project.org http://www.opensc-project.org/mailman/listinfo/opensc-devel
Re: [opensc-devel] [opensc-commits] svn opensc changed[4776] Don't dump wiki content into distribution package.
On Mon, Sep 27, 2010 at 7:52 AM, Martin Paljak mar...@paljak.pri.ee wrote: But it is working correctly, that patch was incorrect. Leaving the possible changed logic for ChangeLog generation aside, what was incorrect in that patch?
The changes in the docs, exactly what you request next.
Please explain in some more details what is the problem with current trunk, so I can fix it. I'd like to clean up doc directory, the api directory and the symlinking in doc/Makefile.am are not needed for manpage generation. That was one of the changes in my original patch that actually triggered the distcheck problem, removing wiki dumping was not a problem. If you could also fix my original root cause, that would be great.
I worked very hard to make it work in the past, I do not think there is a simpler shorter way to do this. The problem is that automake assumes you seldom provide generated files within the source tarball, as you can always generate the files when you build the package. What we are trying to do is to provide pre-generated document files within the tarball, I don't like it, but this was the requirement. Doing so, when we need to support separate build directory is somewhat complex, as we cannot make the source directory dirty.
But... the only dependency we require is xsltproc, so maybe we can rethink this... Provided you agree that building the package with --enable-doc or --enable-man requires xsltproc available on build machine, we can remove all this useless generation and hacks.
Alon.
___ opensc-devel mailing list opensc-devel@lists.opensc-project.org http://www.opensc-project.org/mailman/listinfo/opensc-devel
Re: [opensc-devel] [opensc-commits] svn opensc changed[4776] Don't dump wiki content into distribution package.
On Mon, Sep 27, 2010 at 12:34 PM, Martin Paljak mar...@paljak.pri.ee wrote: Does this actually break anything in real life, other than make distcheck?
Yes. Whatever is broken during distcheck will probably break somewhere. Major check of distcheck is separate build directory, this is used by many builders.
But... the only dependency we require is xsltproc, so maybe we can rethink this... Provided you agree that building the package with --enable-doc or --enable-man requires xsltproc available on build machine, we can remove all this useless generation and hacks. I think it is not a huge problem to require xsltproc, it is quite common and small. What bothers me more is docbook-xsl. But the target audience of people who run make dist and who run make install is different. But maybe there's more in the autotools philosophy that I don't fully get.
OK I will modify the build so that the file will be generated on builder. Much simpler!
As the only documentation other than man pages is tools.html (should that be placed on the website somewhere?) one of --enable-doc or --enable-man is redundant.
I do not follow... Do you want to remove the tools.html from build? Or install both man and htmls using one option? I don't think that installing to mandir and htmldir should be enforced as single option.
Alon.
___ opensc-devel mailing list opensc-devel@lists.opensc-project.org http://www.opensc-project.org/mailman/listinfo/opensc-devel
Re: [opensc-devel] [opensc-commits] svn opensc changed[4776] Don't dump wiki content into distribution package.
On Mon, Sep 27, 2010 at 1:07 PM, Martin Paljak mar...@paljak.pri.ee wrote: But... the only dependency we require is xsltproc, so maybe we can rethink this... Provided you agree that building the package with --enable-doc or --enable-man requires xsltproc available on build machine, we can remove all this useless generation and hacks. I think it is not a huge problem to require xsltproc, it is quite common and small. What bothers me more is docbook-xsl. But the target audience of people who run make dist and who run make install is different. But maybe there's more in the autotools philosophy that I don't fully get. OK I will modify the build so that the file will be generated on builder. Much simpler! Will this get rid of the symlink magic, and allow: make dist: require xsltproc, docbook-xsl, don't require playing with symlinks (assumes/requires running from version control checkout)
make dist *WILL NOT* require xsltproc, docbook-xsl. It will actually only distribute the sources, no generation of files.
make, make install: don't require xsltproc and docbook-xsl, use the pre-generated man files.
make *WILL* require xsltproc and docbook-xsl if and only if --enable-man and/or --enable-doc is specified at configure. If you want to avoid xsltproc dependency from make install, we are back to square one (current trunk).
As the only documentation other than man pages is tools.html (should that be placed on the website somewhere?) one of --enable-doc or --enable-man is redundant. I do not follow... Do you want to remove the tools.html from build? Or install both man and htmls using one option? I don't think that installing to mandir and htmldir should be enforced as single option. I did not notice that the tools.html is distributed (dist_html_DATA). But does it make sense to install two competing copies of tool usage options? If you use the tools, you use the command line, thus using man should be a known activity. If using a web browser, wiki has much more detailed information than in the htmlified man pages copy.
Your call... :)
___ opensc-devel mailing list opensc-devel@lists.opensc-project.org http://www.opensc-project.org/mailman/listinfo/opensc-devel
Re: [opensc-devel] [opensc-commits] svn opensc changed[4776] Don't dump wiki content into distribution package.
On Sun, Sep 26, 2010 at 11:51 PM, Martin Paljak mar...@paljak.pri.ee wrote:

But this does not remove the api.out/api.tmp/api.work voodoo, which was one of my goals and what caused problems in my original change patch.

I knew only the goal was to remove the wiki stuff... Can you explain why you want to add it? Which voodoo are you referring to?

Also, would it not make sense to re-generate the changelog whenever make dist is run inside a svn checkout?

If people work with non-formal checkouts, they should not be forced to have an internet connection.

The detailed commit log is something you want when you release a new version.

So the only one who will use the Generate-ChangeLog is you... :) This previous mechanism also worked on a fresh checkout only; once the ChangeLog was created it was never refreshed.

Alon.
Re: [opensc-devel] [opensc-commits] svn opensc changed[4776] Don't dump wiki content into distribution package.
On Mon, Sep 27, 2010 at 7:15 AM, Martin Paljak mar...@paljak.pri.ee wrote:

On Sep 27, 2010, at 1:42 AM, Alon Bar-Lev wrote:

On Sun, Sep 26, 2010 at 11:51 PM, Martin Paljak mar...@paljak.pri.ee wrote:

But this does not remove the api.out/api.tmp/api.work voodoo, which was one of my goals and what caused problems in my original change patch.

I knew only the goal was to remove the wiki stuff... Can you explain why you want to add it? Which voodoo are you referring to?

There was a link to a patch [1] in my original e-mail [2] which had a problem with make distcheck:

(cd doc && make top_distdir=../opensc-0.12.0-svn distdir=../opensc-0.12.0-svn/doc \
  am__remove_distdir=: am__skip_length_check=: am__skip_mode_fix=: distdir)
make[2]: *** No rule to make target `man/*.1', needed by `distdir'. Stop.
make[1]: *** [distdir] Error 1
make: *** [distcheck] Error 1

Compare current doc/Makefile.am with the shorter one for the voodoo.

[1] http://pastebin.com/iZLrBywD
[2] http://www.opensc-project.org/pipermail/opensc-devel/2010-September/015014.html

But it is working correctly, that patch was incorrect. Please explain in some more detail what the problem with current trunk is, so I can fix it.
Re: [opensc-devel] Don't dump wiki content into distribution package.
We discussed this a few years ago. Building a package should not access the web. Once you check out a fresh checkout, you should be able to build a distribution tarball even if you have no access to the internet. What I recommended, and still am, is to split the tarballs into two:

open...@package_version@.tar.gz
opensc-do...@package_version@.tar.gz

Making the opensc package be a pure standard package, without the complexity introduced from fetching stuff from the web. I can do this if you like.

Alon.

On Fri, Sep 24, 2010 at 2:35 PM, Martin Paljak mar...@paljak.pri.ee wrote:

Hello, I tried to simplify the way documentation (that is, manpages) is built and removed the trickery that was used to dump the wiki content to the source tarball. Unfortunately make distcheck fails in the doc directory and I can't figure out why. Could anyone with better autotools-fu skills have a look? The patch against current trunk is available online [1] at pastebin.

[1] http://pastebin.com/iZLrBywD

-- @MartinPaljak.net +3725156495
Re: [opensc-devel] OpenSSL 1.0 on windows
What was the problem? We should report this to upstream... 0.9.8 does not support cross compile so it is unusable unless building differently. But better to help fixing openssl.

On Tue, Sep 14, 2010 at 7:59 PM, Andreas Jellinghaus a...@dungeon.inka.de wrote:

I got very bad results with OpenSSL 1.0.0 (and 1.0.0a) on Windows in a Server Environment: stability issues that couldn't be tracked down. The same code works well with 0.9.8o. So maybe you too want to go back to the last 0.9.8* release, until OpenSSL releases a stable 1.0.* version? (I saw the changes for the build project using openssl 1.0.0a now...)

Regards, Andreas
Re: [opensc-devel] OpenSC 0.12.0 windows installer = 64bit?
I am trying to compile now.

2010/9/13 Jean-Michel Pouré - GOOZE jmpo...@gooze.eu

Based on Google, visitors to opensc-project.org consist of ~60% Windows users, ~30% Linux users and ~10% Mac OS X users (57%, 27%, 12%), which is not a scientific fact or result of a study, but still shows something.

Dear all,

A user is asking us for a Windows 7 64bit OpenSC 0.12 installer: http://www.gooze.eu/forums/support/installation/getting-feitian-pki-card-working-win7-x64

The OpenSC experimental installer seems to be for 32bit Windows: http://www.opensc-project.org/files/contrib/OpenSC-0.12.0.exe

Alonb did provide a Windows64 experimental installer, but it is rather old: http://www.opensc-project.org/downloads/users/alonbl/temp/opensc-x86_64-w64-mingw32-010-setup.exe

Is there a way to get an OpenSC 0.12 installer for Windows 7?

Kind regards, Jean-Michel

-- Jean-Michel Pouré - Gooze - http://www.gooze.eu
Re: [opensc-devel] OpenSC 0.12.0 windows installer = 64bit?
Is opensc-0.12 released? Or should I use trunk?

On Mon, Sep 13, 2010 at 4:40 PM, Alon Bar-Lev alon.bar...@gmail.com wrote:

I am trying to compile now.

2010/9/13 Jean-Michel Pouré - GOOZE jmpo...@gooze.eu

Based on Google, visitors to opensc-project.org consist of ~60% Windows users, ~30% Linux users and ~10% Mac OS X users (57%, 27%, 12%), which is not a scientific fact or result of a study, but still shows something.

Dear all,

A user is asking us for a Windows 7 64bit OpenSC 0.12 installer: http://www.gooze.eu/forums/support/installation/getting-feitian-pki-card-working-win7-x64

The OpenSC experimental installer seems to be for 32bit Windows: http://www.opensc-project.org/files/contrib/OpenSC-0.12.0.exe

Alonb did provide a Windows64 experimental installer, but it is rather old: http://www.opensc-project.org/downloads/users/alonbl/temp/opensc-x86_64-w64-mingw32-010-setup.exe

Is there a way to get an OpenSC 0.12 installer for Windows 7?

Kind regards, Jean-Michel

-- Jean-Michel Pouré - Gooze - http://www.gooze.eu
Re: [opensc-devel] OpenSC 0.12.0 windows installer = 64bit?
OK. I have the images, hope it is working. But using the svn to upload these takes forever; if someone has an ssh account somewhere I will send it to him much more quickly.

On Mon, Sep 13, 2010 at 5:20 PM, Martin Paljak mar...@martinpaljak.net wrote:

On Sep 13, 2010, at 6:02 PM, Alon Bar-Lev wrote:

Is opensc-0.12 released? Or should I use trunk?

You should use trunk.

-- Martin Paljak @martinpaljak.net +3725156495
Re: [opensc-devel] OpenSC 0.12.0 windows installer = 64bit?
Available:

http://www.opensc-project.org/downloads/users/alonbl/temp/opensc-i686-w64-mingw32-010-setup.exe
http://www.opensc-project.org/downloads/users/alonbl/temp/opensc-x86_64-w64-mingw32-010-setup.exe

On Mon, Sep 13, 2010 at 6:45 PM, Alon Bar-Lev alon.bar...@gmail.com wrote:

OK. I have the images, hope it is working. But using the svn to upload these takes forever; if someone has an ssh account somewhere I will send it to him much more quickly.

On Mon, Sep 13, 2010 at 5:20 PM, Martin Paljak mar...@martinpaljak.net wrote:

On Sep 13, 2010, at 6:02 PM, Alon Bar-Lev wrote:

Is opensc-0.12 released? Or should I use trunk?

You should use trunk.

-- Martin Paljak @martinpaljak.net +3725156495
Re: [opensc-devel] Encoding of CKA_SERIAL_NUMBER
Yes, good catch. But I don't know any application that actually uses this attribute... :)

On Mon, May 24, 2010 at 8:05 PM, Viktor TARASOV viktor.tara...@opentrust.com wrote:

Hello, according to the PKCS#11 specification the CKA_SERIAL_NUMBER is a DER-encoded value. Actually the OpenSC PKCS#11 module returns a non-encoded octet string as the value of this attribute. Should it be changed?

Kind wishes, Viktor.

-- Viktor Tarasov viktor.tara...@opentrust.com
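An added illustration of the encoding difference Viktor describes; this is not code from the thread or from OpenSC. It encodes a certificate serial number as the DER INTEGER that PKCS#11 expects for CKA_SERIAL_NUMBER (tag 0x02, length, shortest two's-complement content with a 0x00 sign byte when the first bit is set) and checks whether a value handed back by a module already has that form. The function names and the sample serial bytes are invented for the example; serials longer than 255 bytes are out of scope.

```c
/* Added example, not OpenSC code: what "DER-encoded" means for CKA_SERIAL_NUMBER.
 * PKCS#11 defines the attribute as the DER encoding of the certificate's
 * serialNumber, an ASN.1 INTEGER: tag 0x02, a length, then the shortest
 * two's-complement representation.  Handing back the bare serial bytes instead
 * is what the thread describes.  Function names and sample bytes are invented. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Encode `serial` (big-endian magnitude of a non-negative integer, as read from
 * a certificate) as a DER INTEGER into `out`.  Returns the encoded length, or 0
 * if the value is empty, longer than 255 content bytes, or `out` is too small. */
size_t der_encode_serial(const unsigned char *serial, size_t len,
                         unsigned char *out, size_t outlen)
{
    while (len > 1 && serial[0] == 0x00) {  /* DER: no redundant leading zeros */
        serial++;
        len--;
    }
    if (len == 0)
        return 0;
    /* a leading byte with the high bit set would read as negative: add a 0x00 sign byte */
    size_t pad = (serial[0] & 0x80) ? 1 : 0;
    size_t content = len + pad;
    size_t hdr = content < 128 ? 2 : 3;     /* short-form length, or 0x81 + 1 byte */
    if (content > 255 || outlen < hdr + content)
        return 0;
    out[0] = 0x02;                          /* INTEGER tag */
    if (hdr == 2) {
        out[1] = (unsigned char)content;
    } else {
        out[1] = 0x81;
        out[2] = (unsigned char)content;
    }
    if (pad)
        out[hdr] = 0x00;
    memcpy(out + hdr + pad, serial, len);
    return hdr + content;
}

/* Check a value as a DER INTEGER.  Returns the content length and sets *content
 * to its first byte, or 0 if `der` is not a well-formed, minimally encoded
 * INTEGER that occupies exactly `n` bytes (the usual outcome for a raw serial). */
size_t der_parse_integer(const unsigned char *der, size_t n,
                         const unsigned char **content)
{
    size_t hdr, clen;
    if (n < 3 || der[0] != 0x02)
        return 0;
    if (der[1] < 0x80) {
        hdr = 2;
        clen = der[1];
    } else if (der[1] == 0x81 && der[2] >= 128) { /* long form only when needed */
        hdr = 3;
        clen = der[2];
    } else {
        return 0;                           /* lengths above 255 not handled here */
    }
    if (clen == 0 || hdr + clen != n)
        return 0;
    const unsigned char *c = der + hdr;
    /* DER forbids a redundant sign byte */
    if (clen > 1 && ((c[0] == 0x00 && !(c[1] & 0x80)) ||
                     (c[0] == 0xFF && (c[1] & 0x80))))
        return 0;
    if (content)
        *content = c;
    return clen;
}

static void hexdump(const char *label, const unsigned char *p, size_t n)
{
    printf("%-34s", label);
    for (size_t i = 0; i < n; i++)
        printf("%02X ", p[i]);
    putchar('\n');
}

int main(void)
{
    /* constructed sample serial; the high bit of the first byte is set on purpose */
    const unsigned char raw[] = { 0x9A, 0x3B, 0xC1, 0x07 };
    unsigned char der[16];
    size_t n = der_encode_serial(raw, sizeof raw, der, sizeof der);

    hexdump("raw octet string:", raw, sizeof raw);
    hexdump("DER INTEGER (CKA_SERIAL_NUMBER):", der, n);
    printf("raw value parses as DER INTEGER:     %s\n",
           der_parse_integer(raw, sizeof raw, NULL) ? "yes" : "no");
    printf("encoded value parses as DER INTEGER: %s\n",
           der_parse_integer(der, n, NULL) ? "yes" : "no");
    return 0;
}
```

The parser is a sanity check rather than proof: a raw serial that happens to begin with 0x02 followed by a consistent length byte is indistinguishable from a real encoding, which is exactly why an application that compares CKA_SERIAL_NUMBER against a certificate's serialNumber must know which convention its module follows.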
Re: [opensc-devel] [opensc-commits] svn opensc changed[4359] pkcs11: by default do not lock login
For a security product, I don't think it is wise to have default of none secure behavior, especially such that allows everyone to use the private objects once authenticated. On Wed, May 19, 2010 at 11:17 AM, webmas...@opensc-project.org wrote: Revision: 4359 Author: viktor.tarasov Date: 2010-05-19 08:17:53 + (Wed, 19 May 2010) Log Message: --- pkcs11: by default do not lock login Modified Paths: -- trunk/etc/opensc.conf.in trunk/src/pkcs11/misc.c Modified: trunk/etc/opensc.conf.in === --- trunk/etc/opensc.conf.in 2010-05-18 14:39:53 UTC (rev 4358) +++ trunk/etc/opensc.conf.in 2010-05-19 08:17:53 UTC (rev 4359) 
@@ -341,30 +341,32 @@ # Default: true # hide_empty_tokens = false; - # By default, the OpenSC PKCS#11 module will lock your card - # once you authenticate to the card via C_Login. - # This is to prevent other users or other applications + # By default, the OpenSC PKCS#11 module will not lock your card + # once you authenticate to the card via C_Login. + # + # Thus the other users or other applications is not prevented # from connecting to the card and perform crypto operations # (which may be possible because you have already authenticated - # with the card). Thus this setting is very secure. + # with the card). This setting is not very secure. # - # This behavior is a known violation of PKCS#11 specification, - # and is forced due to limitation of the OpenSC framework. + # Also, if your card is not locked, you can enconter problems + # due to limitation of the OpenSC framework, that still is not + # thoroughly tested in the multi threads environment. # - # However now once one application has started using your - # card with C_Login, no other application can use it, until - # the first is done and calls C_Logout or C_Finalize. - # In the case of many PKCS#11 application this does not happen - # until you exit the application. + # Your settings will be more secure if you choose to lock your + # card. Nevertheless this behavior is a known violation of PKCS#11 + # specification. Now once one application has started using your + # card with C_Login, no other application can use it, until + # the first is done and calls C_Logout or C_Finalize. In the case + # of many PKCS#11 application this does not happen until you exit + # the application. + # Thus it is impossible to use several smart card aware applications + # at the same time, e.g. you cannot run both Firefox and Thunderbird at + # the same time, if both are configured to use your smart card. # - # Thus it is impossible to use several smart card aware - # applications at the same time, e.g. 
you cannot run both - # Firefox and Thunderbird at the same time, if both are - # configured to use your smart card. - # - # Default: true - # lock_login = false; - # + # Default: false + # lock_login = true; + # Set this value to true if you want to allow off-card # keypair generation (in software on your pc) # Modified: trunk/src/pkcs11/misc.c === --- trunk/src/pkcs11/misc.c 2010-05-18 14:39:53 UTC (rev 4358) +++ trunk/src/pkcs11/misc.c 2010-05-19 08:17:53 UTC (rev 4359) @@ -289,7 +289,7 @@ conf-max_virtual_slots = 16; conf-slots_per_card = 4; conf-hide_empty_tokens = 1; - conf-lock_login = 1; + conf-lock_login = 0; conf-soft_keygen_allowed = 0; conf-pin_unblock_style = SC_PKCS11_PIN_UNBLOCK_NOT_ALLOWED; conf-create_puk_slot = 0; ___ opensc-commits mailing list opensc-comm...@lists.opensc-project.org http://www.opensc-project.org/mailman/listinfo/opensc-commits ___ opensc-devel mailing list opensc-devel@lists.opensc-project.org http://www.opensc-project.org/mailman/listinfo/opensc-devel
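Review bot: the rewritten comment block in the opensc.conf.in hunk carries errors that will ship in every installed config: "the other users or other applications is not prevented from connecting to the card and perform crypto operations" should read "are not prevented ... and performing", and "enconter" should be "encounter". The more substantive point is that the comment now describes the shipped default as "not very secure" and leaves the safer choice to the user; it should state plainly what that default gives up, namely that once one application has done C_Login any other process on the host can use the private objects, as the hunk's own parenthetical admits, so that an administrator reading opensc.conf can decide knowingly whether to uncomment lock_login = true.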
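Review bot: the misc.c hunk changes the compiled-in default from conf->lock_login = 1; to conf->lock_login = 0;, so the safer (if PKCS#11-non-conforming) locking behaviour becomes opt-in. A default flip with this security impact deserves a release-note entry and a sentence in the commit message explaining why multi-application convenience wins over confining private-object use to the process that entered the PIN; as the reply above points out, a security product should not default to the weaker behaviour, and packagers who disagree with the new default need to know to set lock_login = true in the opensc.conf they ship.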
Re: [opensc-devel] openct windows
It cannot run under Windows. It is harder to access USB devices under Windows... But it should be somewhat simple to port it with serial port only.

On Wed, May 12, 2010 at 12:03 PM, Bart Vanherck b...@twixel.be wrote:

Hello, can openct be run on windows? How to build it with for example mingw? Just with msys like in linux versions?

Regards, Bart
Re: [opensc-devel] [opensc-commits] svn opensc changed[4268] tools: thanks to Andreas; for win32 'get password' procedure uses _getch() instead of getchar()
And what about ./src/common/compat_getpass.c do we still need it? On Tue, Apr 27, 2010 at 10:53 AM, Viktor TARASOV viktor.tara...@opentrust.com wrote: Alon Bar-Lev wrote: Shouldn't you include conio.h? Agree, 'it worked for me' compiled with Visual Studio 8.0, and I missed it. On Tue, Apr 27, 2010 at 10:30 AM, webmas...@opensc-project.org wrote: Revision: 4268 Author: viktor.tarasov Date: 2010-04-27 07:30:38 + (Tue, 27 Apr 2010) Log Message: --- tools: thanks to Andreas; for win32 'get password' procedure uses _getch() instead of getchar() Modified Paths: -- trunk/src/tools/util.c Modified: trunk/src/tools/util.c === --- trunk/src/tools/util.c 2010-04-26 12:29:44 UTC (rev 4267) +++ trunk/src/tools/util.c 2010-04-27 07:30:38 UTC (rev 4268) @@ -295,8 +295,7 @@ return -1; for (i = 0; i MAX_PASS_SIZE - 1; i++) { - /* buf[i] = _getch(); */ - buf[i] = getchar(); + buf[i] = _getch(); if (buf[i] == 0 || buf[i] == 3) return -1; if (buf[i] == '\n' || buf[i] == '\r') ___ opensc-commits mailing list opensc-comm...@lists.opensc-project.org http://www.opensc-project.org/mailman/listinfo/opensc-commits -- Viktor Tarasov viktor.tara...@opentrust.com ___ opensc-devel mailing list opensc-devel@lists.opensc-project.org http://www.opensc-project.org/mailman/listinfo/opensc-devel ___ opensc-devel mailing list opensc-devel@lists.opensc-project.org http://www.opensc-project.org/mailman/listinfo/opensc-devel
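Review bot: in the hunk, the early return -1 on a 0 or 3 (Ctrl-C) byte leaves the characters already typed sitting in buf; since this is the PIN/password path, zero the bytes read so far (memset(buf, 0, i)) before returning so an abandoned entry does not linger in process memory. The visible lines also do not show buf being NUL-terminated when the loop exits by reaching MAX_PASS_SIZE - 1 rather than on a newline; worth checking the lines after this hunk, since a too-long entry would otherwise be handed on unterminated.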
Re: [opensc-devel] [opensc-commits] svn opensc changed[4268] tools: thanks to Andreas; for win32 'get password' procedure uses _getch() instead of getchar()
Shouldn't you include conio.h? On Tue, Apr 27, 2010 at 10:30 AM, webmas...@opensc-project.org wrote: Revision: 4268 Author: viktor.tarasov Date: 2010-04-27 07:30:38 + (Tue, 27 Apr 2010) Log Message: --- tools: thanks to Andreas; for win32 'get password' procedure uses _getch() instead of getchar() Modified Paths: -- trunk/src/tools/util.c Modified: trunk/src/tools/util.c === --- trunk/src/tools/util.c 2010-04-26 12:29:44 UTC (rev 4267) +++ trunk/src/tools/util.c 2010-04-27 07:30:38 UTC (rev 4268) @@ -295,8 +295,7 @@ return -1; for (i = 0; i MAX_PASS_SIZE - 1; i++) { - /* buf[i] = _getch(); */ - buf[i] = getchar(); + buf[i] = _getch(); if (buf[i] == 0 || buf[i] == 3) return -1; if (buf[i] == '\n' || buf[i] == '\r') ___ opensc-commits mailing list opensc-comm...@lists.opensc-project.org http://www.opensc-project.org/mailman/listinfo/opensc-commits ___ opensc-devel mailing list opensc-devel@lists.opensc-project.org http://www.opensc-project.org/mailman/listinfo/opensc-devel
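Review bot: _getch() is declared in <conio.h>; the hunk swaps it in for getchar() without adding the include, so unless util.c already includes conio.h in its win32 section the Windows build breaks, or on older compilers _getch is implicitly declared and the code compiles with a warning. Add #include <conio.h> under the same win32 conditional that guards this password-reading loop. While here: because _getch() returns keystrokes raw, a backspace (0x08) is now stored as a password byte instead of deleting the previous one, which the getchar() version got for free from console line editing; either handle 0x08 in the loop or document that editing is not possible.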
Re: [opensc-devel] Compilation error
You are compiling with openct while you do not have openct on your system?

2010/4/14 Jean-Michel Pouré - GOOZE jmpo...@gooze.eu:

Dear friends, there seems to be a small compilation error in the latest SVN sources:

make[2]: Entering directory `/home/jmpoure/logiciels/opensc/opensc/src/libopensc'
/bin/bash ../../libtool --tag=CC --mode=compile gcc -DHAVE_CONFIG_H -I. -I../.. -I../../src -DOPENSC_CONF_PATH=\/etc/opensc/opensc.conf\ -I/usr/include/PCSC -fno-strict-aliasing -g -O2 -MT reader-openct.lo -MD -MP -MF .deps/reader-openct.Tpo -c -o reader-openct.lo reader-openct.c
libtool: compile: gcc -DHAVE_CONFIG_H -I. -I../.. -I../../src -DOPENSC_CONF_PATH=\/etc/opensc/opensc.conf\ -I/usr/include/PCSC -fno-strict-aliasing -g -O2 -MT reader-openct.lo -MD -MP -MF .deps/reader-openct.Tpo -c reader-openct.c -fPIC -DPIC -o .libs/reader-openct.o
reader-openct.c:21:27: error: openct/openct.h: No such file or directory
reader-openct.c:22:28: error: openct/logging.h: No such file or directory
reader-openct.c:23:26: error: openct/error.h: No such file or directory
reader-openct.c:29: error: expected declaration specifiers or ‘...’ before ‘ct_info_t’
reader-openct.c:52: error: expected specifier-qualifier-list before ‘ct_handle’
reader-openct.c: In function ‘openct_reader_init’:
reader-openct.c:80: error: ‘OPENCT_MAX_READERS’ undeclared (first use in this function)
reader-openct.c:80: error: (Each undeclared identifier is reported only once
reader-openct.c:80: error: for each function it appears in.)
reader-openct.c:81: error: ‘ct_info_t’ undeclared (first use in this function)
reader-openct.c:81: error: expected ‘;’ before ‘info’
reader-openct.c:83: error: ‘info’ undeclared (first use in this function)
reader-openct.c:84: error: too many arguments to function ‘openct_add_reader’
reader-openct.c:86: error: too many arguments to function ‘openct_add_reader’
reader-openct.c: At top level:
reader-openct.c:94: error: expected declaration specifiers or ‘...’ before ‘ct_info_t’
reader-openct.c: In function ‘openct_add_reader’:
reader-openct.c:107: error: ‘info’ undeclared (first use in this function)
reader-openct.c:108: error: ‘struct driver_data’ has no member named ‘info’
reader-openct.c:110: error: ‘struct driver_data’ has no member named ‘info’
reader-openct.c:111: error: ‘struct driver_data’ has no member named ‘info’
reader-openct.c:113: error: ‘struct driver_data’ has no member named ‘num’
reader-openct.c:118: error: ‘struct driver_data’ has no member named ‘info’
reader-openct.c:118: error: ‘struct driver_data’ has no member named ‘info’
reader-openct.c:118: error: ‘struct driver_data’ has no member named ‘info’
reader-openct.c:118: error: ‘struct driver_data’ has no member named ‘info’
reader-openct.c:118: error: ‘struct driver_data’ has no member named ‘info’
reader-openct.c:118: error: ‘struct driver_data’ has no member named ‘info’
reader-openct.c:118: error: ‘struct driver_data’ has no member named ‘info’
reader-openct.c:127: error: ‘struct driver_data’ has no member named ‘info’
reader-openct.c:129: error: ‘struct driver_data’ has no member named ‘info’
reader-openct.c: In function ‘openct_reader_release’:
reader-openct.c:155: error: ‘struct driver_data’ has no member named ‘h’
reader-openct.c:156: error: ‘struct driver_data’ has no member named ‘h’
reader-openct.c: In function ‘openct_reader_detect_card_presence’:
reader-openct.c:176: error: ‘struct driver_data’ has no member named ‘h’
reader-openct.c:176: error: ‘struct driver_data’ has no member named ‘h’
reader-openct.c:176: error: ‘struct driver_data’ has no member named ‘num’
reader-openct.c:179: error: ‘struct driver_data’ has no member named ‘h’
reader-openct.c:179: error: ‘struct driver_data’ has no member named ‘slot’
reader-openct.c:182: error: ‘IFD_CARD_PRESENT’ undeclared (first use in this function)
reader-openct.c:184: error: ‘IFD_CARD_STATUS_CHANGED’ undeclared (first use in this function)
reader-openct.c: In function ‘openct_reader_connect’:
reader-openct.c:198: error: ‘struct driver_data’ has no member named ‘h’
reader-openct.c:199: error: ‘struct driver_data’ has no member named ‘h’
reader-openct.c:201: error: ‘struct driver_data’ has no member named ‘h’
reader-openct.c:201: error: ‘struct driver_data’ has no member named ‘num’
reader-openct.c:206: error: ‘struct driver_data’ has no member named ‘h’
reader-openct.c:206: error: ‘struct driver_data’ has no member named ‘slot’
reader-openct.c: In function ‘openct_reader_reconnect’:
reader-openct.c:230: error: ‘struct driver_data’ has no member named ‘h’
reader-openct.c: In function ‘openct_reader_disconnect’:
reader-openct.c:243: error: ‘struct driver_data’ has no member named ‘h’
reader-openct.c:244: error: ‘struct driver_data’ has no member named ‘h’
reader-openct.c:245: error: ‘struct driver_data’ has no member named ‘h’
reader-openct.c: In function ‘openct_reader_internal_transmit’:
Re: [opensc-devel] New project coordinator: Martin Paljak
On Mon, Apr 12, 2010 at 1:59 PM, Martin Paljak mar...@paljak.pri.ee wrote:

My main goals and improvement areas in OpenSC are: <snip>

1. Make OpenSC secured?

The fact that OpenSC locks the reader for its own use for the duration of the session is the most critical issue OpenSC has. As a result two applications that use PKCS#11 at the same time either cannot work at the same time, or can access the card without authentication. A stateless mode should be implemented... [1]; it has nothing to do with the card features, but with credential caching.

As for PINPAD readers, there are some cards that have an authentication cookie feature: the cookie is given after the initial authentication and is valid as long as there is power to the card. So the algorithm is as follows: lock reader, authenticate using PINPAD, acquire cookie, unlock reader. After that a normal sequence of stateless operations can be executed while the cookie is the authentication credential.

Because of the lack of this feature I could not offer OpenSC to any enterprise.

2. Support biometrics match-on-card?

This feature is missing from open source and Linux drivers. If you go toward java cards, an applet can be implemented in order to do so, maybe using libfprint [2].

Alon.

[1] http://www.opensc-project.org/opensc/ticket/186
[2] http://reactivated.net/fprint/wiki/Libfprint
Re: [opensc-devel] New project coordinator: Martin Paljak
Thank you for your efforts in the past years! Good luck Martin!

On Sun, Apr 11, 2010 at 9:48 AM, Andreas Jellinghaus a...@dungeon.inka.de wrote:

Dear all,

for several years I have coordinated the OpenSC, OpenCT, Libp11, Pam_p11 and Engine_PKCS11 projects: created new releases, fixed some bugs, helped many users with questions, applied patches from developers all around the world, written some documentation, tested our software and the packaging by distributions, kept our server alive and up-to-date and done whatever else was necessary to keep the projects going. Still most work was done by everyone else, I only had to fill some gaps and start some processes to keep the projects going.

Recently however I started a new job and at least right now I have little time available for these open source projects. Thus I'm very happy to announce Martin Paljak has agreed to take over as project coordinator for these projects.

Martin is a long time contributor and very active developer of OpenSC. He has already taken care of several parts of OpenSC in the past and improved and maintained them, such as the PC/SC reader driver with a focus on the PIN-pad input system, or the driver for Estonian national ID cards. Also he has been co-administrator of our server for several years and very active on the mailing list, helping users and developers, and recently started to reorganize and greatly improve our wiki pages.

I'd like to thank everyone for the support and encouragement I got as project coordinator and would like you to give the same to Martin Paljak as new project coordinator too. Of course I will continue to work on OpenSC and related projects to improve them and help users and all that, but I'm happy to pass the role of project coordinator to Martin, so the projects won't be held back by my recent time constraints.

With kind regards
Andreas Jellinghaus
Re: [opensc-devel] OpenSC experimental installer ?
Now?

2010/4/1 Jean-Michel Pouré - GOOZE jmpo...@gooze.eu:

On Thu, 2010-04-01 at 07:25 +0300, Alon Bar-Lev wrote:

[1] http://www.opensc-project.org/downloads/users/alonbl/temp/

Forbidden
You don't have permission to access /downloads/users/alonbl/temp/opensc-i686-w64-mingw32-010-setup.exe on this server.
Apache Server at www.opensc-project.org Port 80

Kind regards,

-- Jean-Michel Pouré - jmpo...@gooze.eu