Re: [opensc-devel] opensc-pkcs11.so displaying certs differently since opensc 0.11.10?

2010-02-16 Thread Christian Horn
Found some time to look at this again, was working with
opensc 0.11.9 last days in my setup here.


On Thu, Feb 04, 2010 at 11:23:20AM +0100, Andreas Jellinghaus wrote:
> Am Donnerstag 04 Februar 2010 10:20:37 schrieb Christian Horn:
> 
> > Also the nonworking opensc-rev hands out my personalized cert when
> > asking for id 46 with
> >   pkcs15-tool -r 46|openssl x509 -noout -subject
> 
> you have two certificates with id 46.
> which one is presented to you?

The one with my name in the subject, so the personalized one.

> or are two certificates shown with old opensc?

Output of 'pkcs15-tool -c' is the same with working/nonworking
opensc.


> does "opensc-tool -f" show the content of all files, including
> the certificates (file id in the pkcs15-tool --dump).

Yes, shows both df0143b1 (the cert i want) and df01c200 (the cert
that is now handed out by strongswan).


> or can you try downloading those certificate files with
> opensc-explorer? ("cd" to the directory (first 4 bytes),
> then "get" the file (the next four bytes of the pathname)).
> ("cd 3f00" gets you to the main folder / top directory...)

I can get both certs that way, and both working/nonworking opensc
give me the same contents.


> first I guess strongswan wants to authenticate to the remote.

Yes.

> why does it try to use a CKA_ID 46 cert which is for encryption?
> strange. but maybe that certificate was placed on the remote site
> for some reason.

certid 46 is what i configured, it's what i need to authenticate
with.  The remote site apparently also checks the subject of the
cert that is used.


> > This is a personalization-procedure done for the cards here.
> 
> so your software for some reason created two certs with the same
> ID and now opensc need to sort out the mess :)

Yes, at a time in the past also pkcs15-tool did hand out the other
cert.  By that time we patched opensc, later the code here was
changed so that the other cert was handed out - and this is still the
behaviour of pkcs15-tool: pkcs15-tool -r 46 hands me out the cert
i really want, the personalized one.


> > Correct sig of the wrong cert i suspect..
> 
> well, signatures are created with rsa keys, not certificates.
> and there is only one rsa key with ID 45, so it has to be the
> right one.

I think the cert is also checked on the remote side of the 
vpn-connection here.


> can your somehow find all certificates, find out which is the
> right one, and which is the wrong one, and check if strongswan
> delivers the right or wrong file to the other side? maybe it
> shows the old certificate and then gets a signature with the
> RSA key (which is meant for the new certificate)?

Doing 'ipsec listcards' in strongswan gives me different results
with working/nonworking opensc:
working one shows my name in subject, nonworking one shows
subject: 'C=DE, ND=1, CN=NKS 08 A 78205', both for id 46.


> oh, and does the remote strongswan site show any errors
> that might show what is going on? again, I think it might
> be a strongswan issue...

Some proprietary stuff on the other side, hard to reach responsible
people there for debugging..


> btw: does the old and new ID 46 certificate contain the same
> rsa public key or do they differ? this would be interesting
> to know, if you can get to those files somehow.

No clue how to see this, just see 'id 46' as the link to what
rsa-key is to be used - and that's id 46 for both certs.



> > In the beginning also 'pkcs15-tool' spit out the other cert, we
> > started to fix this with internal patches, later it was properly
> > fixed in opensc-code.
> 
> so worst case you can dig out an old version of opensc, to see
> what the old certificates are about?

I don't know what you mean by that.  I noticed editing the paths to
the certs in pkcs15-tcos.c doesn't help me this time as it did in
the really old time before opensc was modified to hand out the
personalized cert when id 46 is requested.


> this whole situation with two certificates with the same ID
> confuses me a lot.
> 
> maybe it is simple and some flag is used to disable the old ones,
> but I'm no expert here (and the asn.1 debugging code doesn't show
> values, so even if I knew what to look for, it wouldn't be in the
> log).

Would rather guess that the windows-software here is just coded
in such a way to deal with this.
It's also using a 'global pin' for everything instead of local ones.


> so maybe peter or pierre can help.
> other than that, I think it might be a strongswan issue.
> or at least getting the error from strongswan could help,

So any other ideas how pkcs11 could again perform with the
old behaviour?


> btw: you could extract the value to be signed and the sign
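Andreas asks above whether the old and new ID 46 certificates carry the same RSA public key, and Christian has no way to see it. The Python below is an added example (not from this thread, OpenSC or strongSwan): it pulls the SubjectPublicKeyInfo out of DER certificates with a small ASN.1 walker and matches certificate files to a key by its public key instead of by the non-unique ID. The card files, subjects, serials and moduli are constructed stand-ins (the certificates carry dummy signatures); only their structure is real.

```python
def der_len(n):
    """DER length octets for content length n (short and long form)."""
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b

def tlv(tag, body):
    return bytes([tag]) + der_len(len(body)) + body

def seq(*items):
    return tlv(0x30, b"".join(items))

def integer(n):
    # one spare byte keeps the sign bit clear for positive values
    return tlv(0x02, n.to_bytes((n.bit_length() + 8) // 8, "big"))

RSA_OID = bytes.fromhex("06092A864886F70D010101")         # rsaEncryption
SHA256_RSA_OID = bytes.fromhex("06092A864886F70D01010B")  # sha256WithRSAEncryption
CN_OID = bytes.fromhex("0603550403")                      # id-at-commonName
NULL = b"\x05\x00"

def rsa_spki(modulus, exponent):
    """SubjectPublicKeyInfo of an RSA key: SEQ { SEQ { rsaEncryption, NULL }, BIT STRING { RSAPublicKey } }."""
    rsa_public_key = seq(integer(modulus), integer(exponent))
    return seq(seq(RSA_OID, NULL), tlv(0x03, b"\x00" + rsa_public_key))

def name(cn):
    return seq(tlv(0x31, seq(CN_OID, tlv(0x0C, cn.encode()))))

def sample_cert(subject_cn, spki, serial):
    """Structurally valid X.509 v3 certificate with a dummy signature (constructed test data only)."""
    validity = seq(tlv(0x17, b"100101000000Z"), tlv(0x17, b"200101000000Z"))
    tbs = seq(tlv(0xA0, integer(2)), integer(serial), seq(SHA256_RSA_OID, NULL),
              name("Constructed Test CA"), validity, name(subject_cn), spki)
    return seq(tbs, seq(SHA256_RSA_OID, NULL), tlv(0x03, b"\x00" + bytes(16)))

def der_read(buf, pos):
    """Parse the TLV header at pos; return (tag, value_start, value_end). Generic DER, works on real certs."""
    tag, pos = buf[pos], pos + 1
    if tag & 0x1F == 0x1F:
        raise ValueError("multi-byte tags do not occur in X.509 certificates")
    length, pos = buf[pos], pos + 1
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("DER element overruns the buffer")
    return tag, pos, pos + length

def der_children(buf, start, end):
    """Split the content of a constructed value into (tag, raw_tlv) pairs."""
    out, pos = [], start
    while pos < end:
        tag, _, ve = der_read(buf, pos)
        out.append((tag, buf[pos:ve]))
        pos = ve
    return out

def spki_of_cert(der):
    """Return the raw SubjectPublicKeyInfo TLV of a DER-encoded X.509 certificate."""
    tag, vs, ve = der_read(der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    tbs_tag, tbs = der_children(der, vs, ve)[0]
    if tbs_tag != 0x30:
        raise ValueError("tbsCertificate missing")
    _, tvs, tve = der_read(tbs, 0)
    fields = der_children(tbs, tvs, tve)
    # version [0] EXPLICIT is optional (absent on v1 certificates); after it come
    # serialNumber, signature, issuer, validity, subject and then the SPKI
    skip = 1 if fields[0][0] == 0xA0 else 0
    return fields[skip + 5][1]

def same_public_key(der_a, der_b):
    return spki_of_cert(der_a) == spki_of_cert(der_b)

def certs_for_key(cert_files, modulus, exponent):
    """Card files whose certificate carries exactly this RSA public key, whatever ID they got."""
    want = rsa_spki(modulus, exponent)
    return sorted(path for path, der in cert_files.items() if spki_of_cert(der) == want)

# Constructed stand-in for the card in the thread: the id 46 key's modulus (as a
# pkcs15-tool dump would list it), the two certificate files that both answer to
# id 46, and one certificate of another key. The moduli are placeholders, not real keys.
AUTH_MODULUS = int("C0FFEE" * 20, 16)
OTHER_MODULUS = int("DEADBEEF" * 15, 16)
E = 65537

CARD_FILES = {
    "df01c200": sample_cert("NKS 08 A 78205", rsa_spki(AUTH_MODULUS, E), 1),    # TeleSec cert
    "df0143b1": sample_cert("Constructed User", rsa_spki(AUTH_MODULUS, E), 2),  # personalized, same key
    "df01c000": sample_cert("NKS 08 A 78205", rsa_spki(OTHER_MODULUS, E), 3),   # a different key's cert
}

if __name__ == "__main__":
    print("old and new id 46 cert share one key:", same_public_key(CARD_FILES["df01c200"], CARD_FILES["df0143b1"]))
    print("certs that belong to the id 46 key:", certs_for_key(CARD_FILES, AUTH_MODULUS, E))
```

On a real card, feed it the DER files fetched with opensc-explorer's "get" and the modulus reported for the key; comparing the SPKI is what an application should do instead of trusting that a non-unique ID picks the right certificate.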

Re: [opensc-devel] opensc-pkcs11.so displaying certs differently since opensc 0.11.10?

2010-02-04 Thread Christian Horn
On Thu, Feb 04, 2010 at 10:01:43AM +0100, Andreas Jellinghaus wrote:
> 
> christian: you could post a "pkcs15-tool --dump" to show in detail
> how the card looks like.

http://fluxcoil.net/files/openscdebug/pkcs15-tool_dump_ok
That output is the same for working/nonworking opensc revision.
Also the nonworking opensc-rev hands out my personalized cert when
asking for id 46 with
  pkcs15-tool -r 46|openssl x509 -noout -subject

'pkcs11-tool -L'-outputs are also the same.. but my guess is the wrong
cert is accessed by strongswan.


> Usually these cards have one certificate per RSA key.
> (I didn't manually decode the log files to check.)
> so the new code is more correct than the old code:
> slot 1 has two rsa private keys associated with it,
> and it finds these two certificates to match those.
> 
> slot 2 has one private key associated to me, and
> one certificate is associated with it.
> 
> so that looks fine. also the old code found two certificates
> when looking for one with ID 46. that looks bad, the new
> code finds only one, which seems correct.
> 
> but, if the certificate was renewed, and the old certificate
> was not overwritten, but simply a new certificate added with
> the same CKA_ID (so it matches the same private key), then
> the old code might have shown the correct result.

This is a personalization-procedure done for the cards here.


> no idea if something like this is legal and how opensc should
> behave in such situations. I hope peter and pierre can help
> here.

> but in both cases: the logs clearly show a signature is correctly
> created. so I guess you have an application error here.

Correct sig of the wrong cert i suspect..


> maybe old opensc was buggy, and strongswan implemented a workaround.
> and now that opensc was fixed, the workaround no longer works? only
> a theory.

In the beginning also 'pkcs15-tool' spit out the other cert, we 
started to fix this with internal patches, later it was properly
fixed in opensc-code.


Let's see.. Christian
___
opensc-devel mailing list
opensc-devel@lists.opensc-project.org
http://www.opensc-project.org/mailman/listinfo/opensc-devel


Re: [opensc-devel] opensc-pkcs11.so displaying certs differently since opensc 0.11.10?

2010-02-03 Thread Christian Horn
On Wed, Feb 03, 2010 at 04:46:02PM +0100, Andreas Jellinghaus wrote:
> Am Mittwoch 03 Februar 2010 16:02:22 schrieb Christian Horn:
> 
> > pinned down to rev3784, thats the last one working.
> 
> doesn't help much. 3785 is a huge merge of trunk into branches/martin/0.12.

Maybe this helps in narrowing the problem code down:

# wget 
http://fluxcoil.net/files/openscdebug/trunk_3784_plus21okpatchedfiles_ok.tar.gz

this is the last version working, rev3784 plus 21 patched files, so the main-
changes from rev3784 to rev3785.
As soon as
http://fluxcoil.net/files/openscdebug/trunk_3784_plus21okpatchedfiles_to_bad_version.patch
is applied to the directory from above one has a plain rev3785 which isn't
working for me.


> your log files differ with pkcs11-object.c C_FindObjectsInit,
> but that function and that file was not changed. the logs have
> no context before that, so we can't see what the information
> is that opensc read before. so there is not much we can do with
> those log files.

Ok, created these.
With a working opensc i start Strongswan and get
http://fluxcoil.net/files/openscdebug/debugopensc_ipsecstart_ok_anon and 
when starting the tunnel i get 
http://fluxcoil.net/files/openscdebug/debugopensc_tunstart_ok .

With nonworking opensc Strongswan-start gives
http://fluxcoil.net/files/openscdebug/debugopensc_ipsecstart_notok_anon
and on attempt to setup the tunnel
http://fluxcoil.net/files/openscdebug/debugopensc_tunstart_notok .

> ...
> > gives you the last working version,
> ...
> > gives the broken one.
> ok, so I generated the diff that breaks things from that, attached.

Should be same as 
http://fluxcoil.net/files/openscdebug/trunk_3784_plus21okpatchedfiles_to_bad_version.patch
then..


Christian


Re: [opensc-devel] opensc-pkcs11.so displaying certs differently since opensc 0.11.10?

2010-02-03 Thread Christian Horn
On Wed, Feb 03, 2010 at 10:56:01AM +0100, Andreas Jellinghaus wrote:
> 
> if opensc 0.11.12 doesn't work, does an older version of opensc work?
0.11.9 works, 0.11.10 is broken for this.
pinned down to rev3784, that's the last one working.
On top everything but 3 files can be applied to still have it working,
so:

# svn co -r 3784 http://www.opensc-project.org:9123/svn/opensc/trunk \
#   trunk_3784_plus_partcommit
# cd trunk_3784_plus_partcommit
# wget 
http://fluxcoil.net/files/openscdebug/svn_diff_3784_3875.patch_leaving_3pkcs11_files_out_ok
# patch -p1 http://www.opensc-project.org:9123/svn/opensc/trunk \
#   trunk_3785_bad

gives the broken one.


> can you create log files with both versions to see the differences.
> for example
>  - pkcs11-spy log files

Couldn't get output here; setting
PKCS11SPY=/usr/local/lib/opensc-pkcs11.so or PKCS11SPY=opensc-pkcs11.so
i get no output, both with PKCS11SPY_OUTPUT set to a file or not set
to get stderr output.


>  - opensc-debug.log (debug=10)
http://fluxcoil.net/files/openscdebug/debugopensc_tunstart_ok
http://fluxcoil.net/files/openscdebug/debugopensc_tunstart_notok


> svn revision 3785 is a big merge, not sure how we can access
> the old trunk before it was merged and remove and replaced
> by the feature trunk.

Did just compare it to 3784 for testing here.


> warning: those log files will contain PINs etc. so please use
> a test card if you have.

Just seen the pin in opensc-debug, only lines i changed.


Christian


Re: [opensc-devel] opensc-pkcs11.so displaying certs differently since opensc 0.11.10?

2010-02-03 Thread Christian Horn
On Wed, Feb 03, 2010 at 12:04:11PM +0200, Martin Paljak wrote:
> On Feb 3, 2010, at 11:15 , Christian Horn wrote:
> > 
> > i use strongswan on top of opensc to authenticate to firewalls for vpn-
> > connections.
> > All strongswan-versions have problems using opensc-pkcs11.so of opensc
> > after rev3784 to authenticate with the firewall.
> > opensc 0.11.12 also doesn't work.
> > 
> Please provide pkcs11-tool -L with a functioning and non-functioning pkcs11 
> module.

Attached. The output is the same for working and non-working opensc.


> The logic how objects are grouped together has changed but this 
> should not affect the end result. 

I suspect it does: if i do a 'ipsec listcerts' then the calls differ
between working/nonworking opensc under it.
The difference is that with the nonworking opensc openswan is listing
2 more certs with subjects like "C=DE, ND=1, CN=NKS ...".  This looks
like the machine-generated certs for me; having strongswan present
this to the firewall, it makes sense that i can not authorize properly.

> How does strongswan look for the keys it wants to use? 
> With certificate subjects?
No, one can just refer to 'slots' or ids, '%smartcard:46' is
what i use, '%smartcard#1' is the same in my case, that syntax here
also only works with rev3784.


Christian
Available slots:
Slot 0   O2 Micro Oz776 00 00
  token label:   NetKey Card (PIN)
  token manuf:   TeleSec GmbH
  token model:   PKCS#15 emulated
  token flags:   readonly, login required, PIN initialized, token initialized
  serial num  :  9017230002457244
Slot 1   O2 Micro Oz776 00 00
  token label:   NetKey Card (NetKey PIN0)
  token manuf:   TeleSec GmbH
  token model:   PKCS#15 emulated
  token flags:   readonly, login required, PIN initialized, token initialized
  serial num  :  9017230002457244
Slot 2   O2 Micro Oz776 00 00
  token label:   NetKey Card (NetKey PIN1)
  token manuf:   TeleSec GmbH
  token model:   PKCS#15 emulated
  token flags:   readonly, login required, PIN initialized, token initialized
  serial num  :  9017230002457244
Slot 3   O2 Micro Oz776 00 00
  token label:   NetKey Card (SigG PIN)
  token manuf:   TeleSec GmbH
  token model:   PKCS#15 emulated
  token flags:   readonly, login required, PIN initialized, token initialized
  serial num  :  9017230002457244
Slot 4   (empty)
Slot 5   (empty)
Slot 6   (empty)
Slot 7   (empty)
Slot 8   (empty)
Slot 9   (empty)
Slot 10  (empty)
Slot 11  (empty)
Slot 12  (empty)
Slot 13  (empty)
Slot 14  (empty)
Slot 15  (empty)

[opensc-devel] opensc-pkcs11.so displaying certs differently since opensc 0.11.10?

2010-02-03 Thread Christian Horn
Hi,


i use strongswan on top of opensc to authenticate to firewalls for vpn-
connections.
All strongswan-versions have problems using opensc-pkcs11.so of opensc
after rev3784 to authenticate with the firewall.
opensc 0.11.12 also doesn't work.

Installing rev3784 i can establish the connection, with rev3785 not.
With that commit 25 files were changed, the problem came in with patching
the three files in src/pkcs11/ directory.

Apparently strongswan is using a different cert with rev3785.
'pkcs15-tool -c' shows same results with rev3784 and rev3785.

  for i in 45 46 47 49; do
    pkcs15-tool -r $i|openssl x509 -noout -subject; done

outputs the same subjects with both revisions.

Setting 'debug = 10' i see rev3785 apparently hands out other certs than
rev3784.  
We already had such problems in the past, they were fixed with newer
opensc and still fixed for pkcs15-tool, but appeared now with 
opensc-pkcs11.so .

The card used is netkey, tcos.  In first step of production private-keys
and certs are stored on it, with a later step personalized (persons name
appears in subject) certs are written onto the card.  opensc-pkcs11.so
is as i see it now handing out the first cert.

Any suggestions?
I could look into just changing the 'paths' to the certs for netkey-cards,
but that's just a hack.  Just using 0.11.9 for now renders everything working,
but that's no longterm solution..


Christian


Re: [opensc-devel] Re: [Muscle] Live CD with smart card tools

2006-12-29 Thread Christian Horn
On Thu, Dec 28, 2006 at 08:42:03PM +0100, Ludovic Rousseau wrote:
> On 28/12/06, Damien Sauveron <[EMAIL PROTECTED]> wrote:
> >- pcsc-lite
> >- generic ccid driver
> >- other drivers for other readers
> >- GlobalPlatform library and GPShell
> >- pcsc-perl
> >- pcsc-tools
> >- Muscle
> >- openSC
> >- jdk and java card toolkit
> >- etc
> 
> No but that would be nice to have.
> 
> I made a custom Knoppix CD with pam_pkcs11, mozilla configure with a
> smart card PKCS11, etc. It required a lot of manpower to setup.

Exactly, i provide a remastered live-cd for smartcard-use in our
corporation. Adding drivers that involve compiling kernel-modules
makes it harder, my remastering-chain involves booting the topppix-
livecd in vmware, editing and remastering, burning it on cdrw and
testing on a laptop.

> It may be a better idea to use something like live-package [1] to
> automate the build and update with newer package versions (but would
> require the softwares are available as Debian packages).
When i.e. packages with card-drivers add proper rules to udev for
driver loading it could work to provide no complete remastered livecd
but just addon-packages that have to be installed after booting up
the livecd, but obviously this destroys the 'everything on one cd'
idea.

There could also be license-issues when delivering sun-java etc. on
the livecd.

Christian


Re: [opensc-devel] new pages for software list etc?

2006-11-28 Thread Christian Horn
On Mon, Nov 27, 2006 at 05:35:30PM +0200, Alon Bar-Lev wrote:
> 1. You don't expect application to require the user to store the PIN
> hard coded in configuration file... 
> [...]
> 3. If the user removes and inserts his card, the application should
> reprompt for PIN when private object is accessed.
> [...]
> 4. If the user removes the card from one reader and insert it to
> another reader, the application should detect that it is the same
> card, and not prompt the user for credentials again.
> [...]
> 7. If application uses persistence connection, such as VPN or SSL
> session which initiated by smartcard operation, the session should be
> disconnected (if requested by user) once the smartcard is removed.

You have 2 sides requesting stuff there:
- the application/application-provider-side, trying to enforce some
security-measures (i.e. enter pin for every single operation, take
service down immediately on removal of card)
- the user: wants to work without being bugged.

IMHO the application can suggest such behaviour but the user should be
the one able to configure the behaviour. To enforce i.e. that the
service is taken down (let's take a VPN) you can enforce rekeyings that
need the key on the card every five minutes and get the service down that
way.
I was just reading from your suggestions that the card-management layer like
opensc could enforce this; that wouldn't work.


Christian


Re: [opensc-devel] new pages for software list etc?

2006-11-28 Thread Christian Horn
On Sun, Nov 26, 2006 at 11:19:04PM +0100, Andreas Jellinghaus wrote:
> list
> each software, describe what it does, link to it etc? maybe also
> list which distribution ships what (currently we track that
> in some wikis in the OperatingSystem page).
Would be nice, but keeping track of versions that are currently shipped 
with linux-distributions or os's is much work maybe/constantly changing.

> also general overview pages - everything that describes how all
> components work together - could be placed in such a wiki?
I imagine that as a picture, also this wouldn't change too often.
Just as layers what relies on what, cardreader, pcscd/openct, opensc,
the other libs and major apps accessing those.

> not sure if wiki is the best technology for that, but it is something
> I have experience with (see all our trac wikis for each project),
Guess it fits best, docbook is more portable (pdf), but takes much more
effort than a wiki. Also shipping this directly with the opensc etc.
is nice.


Christian


Re: [opensc-devel] Netkey-card with multiple certs per private key

2006-11-10 Thread Christian Horn
Hi,

On Tue, Oct 31, 2006 at 07:11:19PM +0100, Andreas Steffen wrote:
> Try strongSwan from http://www.strongswan.org which has a regular
> PKCS#11 smartcard interface and allows to select certificates
> according to position e.g.
> 
>   leftcert=%smartcard#4
> 
> which is the fourth certificate in the enumeration shown by
> 
>   ipsec listcards

Finally came to try it out,
- strongswan 2.8.0 doesn't build on fc6 at the moment, 2.5.7 is the
last one compiling without problems there
- 2.8.0 compiles on debian/unstable

However i need the klips-usage that OpenSwan offers with 2.6 kernel,
until klips/netkey are merged i need OpenSwan. Also i had to patch
out some checks if the ID of the tunnelendpoint matches the subject
of the cert it's sending.

Thanks for noting, i'll have a look at strongswan again after the
merge of netkey/klips.


Christian


Re: [opensc-devel] Netkey-card with multiple certs per private key

2006-10-31 Thread Christian Horn
On Mon, Oct 30, 2006 at 10:52:03PM +0100, Peter Koch wrote:
> > Sounds like a nice solution, but it's currently not implemented:
> > the certs with id 47 are looked up in files df01c200 and df0143b1
> > so OpenSwan grabs the first one but i need the latter one.
> 
> It was a suggestion only. Seems that you are interested, so I
> will implement this tomorrow.

Thanks a lot, works great!


greetings, Christian


Re: [opensc-devel] Netkey-card with multiple certs per private key

2006-10-31 Thread Christian Horn
Hi,

On Mon, Oct 30, 2006 at 10:52:03PM +0100, Peter Koch wrote:
> I like to hear from people that use my TCOS emulation :-)
Some people use it here, with the modification we can use stock
OpenSC, OpenCT/pcscd and have only to patch one application.


> > Sounds like a nice solution, but it's currently not implemented:
> > the certs with id 47 are looked up in files df01c200 and df0143b1
> > so OpenSwan grabs the first one but i need the latter one.
> 
> It was a suggestion only. Seems that you are interested, so I
> will implement this tomorrow.
Would be great!


> Since OpenSwan selects the cert by an non-unique criteria
> (i.e. its key-id) OpenSC must pick one and it selects the
> first one it finds. So the only way to get the right one
> is to make sure it's the first one in OpenSCs list.
Currently some certs have the same id, so only describing the
exact file on the card (i.e. df0143b1) one wants to use would be
an option to the application as i see it. If the opensc-interface
lets the app do it. And this wouldn't be a nice abstraction of the
card-usage to the app.


> Your patch always loads the user cert first even with cards that do
> not have such a cert. If the (optional) user-cert is missing no
> cert will be loaded at all. So plain TeleSec cards without
> user-certs won't work anymore. I will take care of that.
Uh, doing that would be a bad thing, agreed.


Christian


Re: [opensc-devel] Netkey-card with multiple certs per private key

2006-10-30 Thread Christian Horn
On Sun, Oct 29, 2006 at 03:35:54PM +0100, Christian Horn wrote:
> 
> Sounds like a nice solution, but it's currently not implemented:
> the certs with id 47 are looked up in files df01c200 and df0143b1
> so OpenSwan grabs the first one but i need the latter one.

A patch like the one attached would help me. Unfortunately i
didn't figure out what card-type the first field there is about,
so didn't change it.


greetings, Christian
diff -Naur ./src/libopensc/pkcs15-tcos.c 
../opensc_svn_r3042_patched/src/libopensc/pkcs15-tcos.c
--- ./src/libopensc/pkcs15-tcos.c   2006-10-30 11:38:36.0 +0100
+++ ../opensc_svn_r3042_patched/src/libopensc/pkcs15-tcos.c 2006-10-30 
12:37:49.0 +0100
@@ -52,15 +52,15 @@
const char *path;
const char *label;
} certlist[]={
-   { 1, 0x45, 0, "DF01C000", "Telesec Signatur Zertifikat"},
-   {-1, 0x45, 1, "DF014331", "Signatur Zertifikat 1"},
+   { 1, 0x45, 0, "DF014331", "Signatur Zertifikat 1"},
{-1, 0x45, 1, "DF014332", "Signatur Zertifikat 2"},
+   {-1, 0x45, 1, "DF01C000", "Telesec Signatur Zertifikat"},
{-1, 0x46, 0, "DF01C100", "Telesec Authentifizierungs 
Zertifikat"},
{-1, 0x46, 1, "DF014371", "Authentifizierungs Zertifikat 
1"},
{-1, 0x46, 1, "DF014372", "Authentifizierungs Zertifikat 
2"},
-   {-1, 0x47, 0, "DF01C200", "Telesec Verschluesselungs 
Zertifikat"},
-   {-1, 0x47, 1, "DF0143B1", "Verschluesselungs Zertifikat 1"},
+   {-1, 0x47, 0, "DF0143B1", "Verschluesselungs Zertifikat 1"},
{-1, 0x47, 1, "DF0143B2", "Verschluesselungs Zertifikat 2"},
+   {-1, 0x47, 1, "DF01C200", "Telesec Verschluesselungs 
Zertifikat"},
{-1, 0x48, 1, "41014352", "W2K Logon Zertifikat"},
{ 2, 0x45, 1, "8000DF01C000", "SignTrust Signatur Zertifikat"},
{-2, 0x46, 1, "800082008220", "SignTrust Verschluesselungs 
Zertifikat"},
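Review bot: the hunk changes more than the row order it sets out to change: in the 0x45 and 0x47 groups the first column (which the covering mail says is not understood) and the third column travel with the new position rather than with the file, so `{ 1, 0x45, 0, "DF014331", "Signatur Zertifikat 1"}` now carries the values `DF01C000` had, and `DF01C000` drops to `{-1, 0x45, 1, ...}`; the same swap happens between `DF0143B1` and `DF01C200`. Since the `DF0143xx` user certificates are optional while the TeleSec certificate is always present on these cards (Peter Koch's reply in this thread makes the same point), putting the optional file into the leading slot risks loading no certificate at all on a card without a user certificate; keep each row's first and third column values attached to their original file and only reorder the rows, and fall back to the TeleSec entry when the user file is absent.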

[opensc-devel] Netkey-card with multiple certs per private key

2006-10-29 Thread Christian Horn
Hi,


sorry to bug you again with this issue, but i want to
clean stuff up here.

Using a Netkey-card that speaks TCOS2 i authenticate to firewalls
with OpenSwan as application.
The card has 4 keys (id 45-48) and 6 certs (id 45,45,46,47,47,48).
Accessing the key with id 47 from OpenSwan (using libopensc) the
first cert with id 47 is used, file df01c200 on the card. The one
needed is df0143b1.


Last conversation regarding this was:

> Actually nobody wants to use those non-personalized
> certificates that TeleSec puts on their cards.
>
> Here's what I might do: I could reorder the certificates in the
> Netkey emulation such that the user-certificates will be
> the first to be loaded (if they exist). And the TeleSeec
> certificate will be loaded last.

Sounds like a nice solution, but it's currently not implemented:
the certs with id 47 are looked up in files df01c200 and df0143b1
so OpenSwan grabs the first one but i need the latter one.

Is there a better way to do this?


greetings, Christian.


Re: [opensc-devel] pictures of linuxtag added to web page

2006-05-07 Thread Christian Horn
On Sun, May 07, 2006 at 08:10:54PM +0200, Andreas Jellinghaus wrote:
> warning: 1600x1200 or something like that.
> can anyone recommend a software to create smaller versions
a tool from imagemagick does this for me:

convert $file -resize 640x480 small_$file
 
Christian


Re: [opensc-devel] PKCS#15-question about Cert-IDs and Key-IDs

2006-02-08 Thread Christian Horn
On Tue, Feb 07, 2006 at 09:54:19PM +0100, Nils Larsch wrote:
> 
> what did you exactly try to do ?

Tried to sign other than binary-md5-data and it failed, creating
that hash with openssl and signing it creates output and no error
now.

'pkcs15-crypt -k 1 -i -o out.txt --pkcs1 -p 1234567 -v' creates
no error or file out.txt . I'm unable to read something useful
from the opensc-log in debug-level 255.

pkcs15-crypt gets no hits in the wiki when searching, maybe i
got its use wrong.

Guess this belongs to @users, Christian.


Re: [opensc-devel] PKCS#15-question about Cert-IDs and Key-IDs

2006-02-07 Thread Christian Horn
On Mon, Feb 06, 2006 at 07:36:06PM +0100, Nils Larsch wrote:
> Christian Horn wrote:
> ...
> >>If yes - how is pkcs15-tool -r  supposed to work if the given
> >>ID is non-unique.
> >
> >Looks like one would need another vector/number to describe, i.e.
> >using ID 1.1 or something.
> >
> >
> >I have an idea for a different implementation: leave the current counting
> >of certs as it is. When an application tries to use cert with an ID that
> >has no private key with the same ID decrease the ID until we hit the ID
> >of an existing private key. That way i could still address all certs on
> >the card, which is a problem at the moment with the dirty hack.
> >OpenSwan should a) ask for the cert with ID 2 and get it, and b) ask
> >for privatekey ID 2 and get it.
> 
> this would require a changes in every application using libopensc
> (including pkcs11), hence not a good idea :)

Please make me understand how they would break :)

As i see it the only change would be in OpenSC. Just before returning a
'could not find private-key with the ID you requested' it would try to
get the private-key ID-1 and return that if possible.
This would help with OpenSwan for my kind of smartcard. 

Downsides i see are
- applications expecting to get a 'no private-key of that ID there'
- making this workaround for a probably low number of cases
- the cardtype the workaround is for isn't even fitting into
PKCS#11-recommendations

Just discovered that signing/encrypting with pkcs15-crypt gives me
'Compute signature failed: Buffer too small' / no message at all, and
no output-file, grmpf.

Greetings, Christian.


Re: [opensc-devel] PKCS#15-question about Cert-IDs and Key-IDs

2006-02-04 Thread Christian Horn
Hi,


>This kind of card contains more than one certificate that correspond
>to the same private key and now all these certificates will be given the
>same ID (namely the ID of the corresponding private key).
>IS THAT CORRECT BEHAVIOUR
There are no papers describing the NetkeyE4-standard in this detail?
So we are just concluding on it from seeing it implemented?
Maybe the cards here do not follow NetkeyE4 correctly, how would
we notice?


I wonder how you will conclude on the correct private-key from looking
at the cert.

>If yes - how is pkcs15-tool -r  supposed to work if the given
>ID is non-unique.
Looks like one would need another vector/number to describe, i.e.
using ID 1.1 or something.


I have an idea for a different implementation: leave the current counting
of certs as it is. When an application tries to use cert with an ID that
has no private key with the same ID decrease the ID until we hit the ID
of an existing private key. That way i could still address all certs on
the card, which is a problem at the moment with the dirty hack.
OpenSwan should a) ask for the cert with ID 2 and get it, and b) ask
for privatekey ID 2 and get it.


I have no clue about smartcards, don't take me too seriously ;)

Greetings, Christian.


Re: [opensc-devel] configure opensc to deliver another cert than the one requested

2006-02-01 Thread Christian Horn
Hi,

> That's a quick (and dirty) hack. 
Yes, but seems to do what i want. If more people need this and i have
overlooked an official way to configure this it could be implemented
i.e. using opensc.conf .

> Could you please supply more details
> what exactly you are trying to do. 
I want to run OpenSwan. Using clean opensc when using key 1 on the card
cert 1 is used, modified opensc now uses cert 2. Haven't seen a way to
configure this in OpenSwan.
The correct cert should be in use now, the other end of the tunnel
(Checkpoint FW-1) sends some '[23] unknown user', will have to look at
the firewall-debuglogs for that.

> A NetKey card has 3 keys, 3 read-only
> certificates and 6 empty certificate files where you can store your
> own certificates. It's quite normal that a card has more than one
> certificate per key so you normally don't have a one-to-one mapping
> between key-ids and cert-ids.
http://fluxcoil.net/files/netkey_e4_dump.txt shows the output of
pkcs15-tool .

> What happens very often is that your card does not contain public
> keys. In this case the public key corresponding to private key X
> will be extracted from certificate X. This means that for each
> private key there must exist either a public key or a certificate
> with the same ID.
Only certs on the card.

> Your software should be able to use a certificate even if the private
> key that corresponds to your certificate has a different id. If
> you want to use the private key that corresponds to a certificate
> with a certain id do NOT assume that this private key has the
> same id.
Didn't see this config-option in OpenSwan.

Greetings, Christian.


Re: [opensc-devel] configure opensc to deliver another cert than the one requested

2006-01-31 Thread Christian Horn
On Mon, Jan 30, 2006 at 09:05:45PM +0100, Nils Larsch wrote:
> >The problem is this: the usual case seems to be someone tells the
> >application to use private-key with ID 1, and the application also
> >uses the cert with ID 1 for that communication. Due to a different
> >use of certs in this card here that doesn't work out: i have to use
> >private-key with ID 1 and in the same operation the cert with ID 2.
> 
> doesn't the cert with the id 1 belong to the private key with the
> id 1 (or what is the exactly problem) ?
Yes, that was the problem here.


> >I've had a look at the debugging-output that gets generated from
> >'pkcs15-tool -r'eading certs, but didn't find the hook to overwrite
> >the path to the cert-file that is read out.
> 
> the binding between the certs and keys is defined in pkcs15-tcos.c
> ( in src/libopensc/ ) as this is most likely not a pkcs15 compliant
> card.
Thanks a lot! That worked, pkcs15-tool gives me now the cert i need,
not the one that is requested, libopensc appears to behave the same way
now.
Unfortunately the other side of the OpenSwan-connection still doesn't
accept my authentication, but OpenSwan-debugging shows now the cert
with the right subject is used.

On OpenSC-side everything looks good now, guess i will have to look
at the firewall-debug-logs now.


Greetings, Christian.


[opensc-devel] configure opensc to deliver another cert than the one requested

2006-01-28 Thread Christian Horn
Hi,


i am unable to use the keys on this smartcard labeled
"TeleSec NetKey Card" here.
Using pcsc-lite 1.2.9beta9 / openct 0.6.6 / opensc 0.10.0
the card is accessed as a TCOS-card by opensc.
Reading certs and accessing private-keys from the card seems
to work, global/local-pin-problems are solved.

The problem is this: the usual case seems to be someone tells the
application to use private-key with ID 1, and the application also
uses the cert with ID 1 for that communication. Due to a different
use of certs in this card here that doesn't work out: i have to use
private-key with ID 1 and in the same operation the cert with ID 2.

I tried to bend this over in the OpenSwan-code but a) it didn't work
out and b) it doesn't seem to be the right way, as for using the card
with s/mime pgp would have to be modified..

How hard is it to let OpenSC do this?
I've had a look at the debugging-output that gets generated from
'pkcs15-tool -r'eading certs, but didn't find the hook to overwrite
the path to the cert-file that is read out.

Any comments appreciated,


Greetings, Christian.
