Re: [opensc-devel] libp11 engine_pkcs11 support for ECDSA keys
I've found where the problem is coming from. It is from OpenSSL's function o2i_ECPublicKey, that is used to convert the asn1 octet string from the PKCS#11 CKA_EC_POINT attribute to internal OpenSSL stuff. This function is called, like you said, at the file src/p11_ec.c from function pkcs11_get_ec_private(). I've used pkcs11-spy, and it outputs the following when calling C_GetAttributeValue with the CKA_EC_POINT parameter from the public key object:

84: C_GetAttributeValue
[in] hSession = 0x10002
[in] hObject = 0x3
[in] pTemplate[1]:
    CKA_EC_POINT  requested with 136 buffer
[out] pTemplate[1]:
    CKA_EC_POINT  [size : 0x88 (136)]
    04818504 017C713A 5A1ECAB3 0F7B0C54 35099B53 9AC9740A ED157D70 577D9AA3
    3BB11767 95F02C07 9683AEA0 2C32422D DC9C7C9E 3BB9952B 7D692047 2F8B75D0
    A23BB5EF CC3E01BE 240FFAFD 64A2F090 D2E8556F C108D251 4C9AD53C 270BE2AD
    CA829853 57D26AF3 A65806FD 82CE2011 58C02629 B8E90961 4C00887E DD4184C7
    37CE192C 2AB5ED47
Returned:  0 CKR_OK

The ec_pointlen variable is, therefore, set to 136 bytes. After calling o2i_ECPublicKey OpenSSL puts the following error in its stack:

error:10067066:elliptic curve routines:ec_GFp_simple_oct2point:invalid encoding

So we have some encoding problem. By the way, why should we increment the pointer by 2 before calling o2i_ECPublicKey? Like you did in the following:

    ...
    /* PKCS#11 returns ASN1 octstring */
    const unsigned char *a;
    /* TODO we have asn1 octet string, need to strip off 04 len */
    a = ec_point + 2;
    o2i_ECPublicKey(&ec, &a, ec_pointlen - 2);
    ...

2011/9/7 Douglas E. Engert deeng...@anl.gov
> On 9/6/2011 4:53 PM, Felipe Blauth wrote:
>> I've tested your mods and they work well =). I can sign and verify with most EC keys (I've tested with p-192, p-224, p-384 and p-521). However I cannot load public keys when using p-521 curves. It seems that I can load the private key and sign, but the public key is not loaded.
>> I confess that I didn't look much at engine_pkcs11 source code, but if you could give me some appointments I can try to fix that.
>
> It is not clear where the error could be, it could be in the actual encoding of the public key, or the ASN1 decoding or in some size limit. All the other keys are a multiple of 8 bits. The 521 is not, and thus the asn1 octet would need an extra byte. Look at the libp11 src/p11_ec.c and pkcs11_get_ec_private() and the ec_pointlen variable.
>
> Do you have a dump of the public key? If you are using OpenSC's PKCS#11, you could turn on the OpenSC debug, by adding to the opensc.conf something like:
>
>     debug = 7;
>     debug_file = /tmp/opensc-debug.log;
>
> You could use the OpenSC pkcs11-spy.so to trace the PKCS#11 calls, that should show the public key being transferred. This can work with any PKCS#11 module including the opensc-pkcs11.so. Set the environment variables:
>
>     export PKCS11SPY=/path/to/your/pkcs11.module.so
>     export PKCS11SPY_OUTPUT=/tmp/tb.spy.txt
>
>> OpenSSL error is the following, after loading the key:
>>
>> error:10067066:elliptic curve routines:ec_GFp_simple_oct2point:invalid encoding
>>
>> Regards,
>>
>> 2011/8/13 Felipe Blauth f...@inf.ufsc.br
>>> Thank you, I'll check it out.
>>>
>>> 2011/8/12 Douglas E. Engert deeng...@anl.gov
>>>> No it has not been incorporated because it requires an OpenSSL internal header file ecs_locl.h, thus making it impractical to compile in to any package. This is a known bug:
>>>> http://rt.openssl.org/Ticket/Display.html?id=2459&user=guest&pass=guest
>>>> It also appeared on the OpenSSL mailing list. The patch should still work. Please try it, and you can also add comments to the OpenSSL bug report.
>>>>
>>>> On 8/12/2011 2:12 PM, Felipe Blauth wrote:
>>>>> Hello.
>>>>> I've started using engine_pkcs11 to access PKCS #11 tokens from OpenSSL EVP_PKEY's through ENGINE_load_key_type_key methods. It works very well with RSA keys, but it doesn't recognize ECDSA keys. Searching through the web, I've found that Douglas had a patch for it at http://www.mail-archive.com/opensc-devel@lists.opensc-project.org/msg07785.html . Was that ever incorporated? I couldn't find it in the latest snapshots.
>>>>> Thank you very much.
>>>>> --
>>>>> Felipe Menegola Blauth
>>>>> ___
>>>>> opensc-devel mailing list
>>>>> opensc-devel@lists.opensc-project.org
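Added example, not code from the thread, from libp11 or from OpenSSL: a small C program that parses the DER OCTET STRING header wrapping a CKA_EC_POINT value for both the short-form and the long-form length encoding, instead of skipping a fixed two bytes. It runs on the 136-byte P-521 dump printed by pkcs11-spy in the message above and on a constructed short-form sample of P-256 size; the function names (hex_decode, der_octet_string_header, is_uncompressed_point and the p521_* / short_form_* helpers) are my own, not libp11's.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* CKA_EC_POINT of the P-521 public key as dumped by pkcs11-spy in the
 * thread above (136 bytes); spaces are ignored by hex_decode(). */
static const char *P521_SPY_DUMP =
    "04818504 017C713A 5A1ECAB3 0F7B0C54 35099B53 9AC9740A ED157D70 577D9AA3 "
    "3BB11767 95F02C07 9683AEA0 2C32422D DC9C7C9E 3BB9952B 7D692047 2F8B75D0 "
    "A23BB5EF CC3E01BE 240FFAFD 64A2F090 D2E8556F C108D251 4C9AD53C 270BE2AD "
    "CA829853 57D26AF3 A65806FD 82CE2011 58C02629 B8E90961 4C00887E DD4184C7 "
    "37CE192C 2AB5ED47";

static int hexval(char c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    return -1;
}

/* Decode a hex string (whitespace ignored) into out; returns the byte count, 0 on error. */
size_t hex_decode(const char *hex, unsigned char *out, size_t outcap)
{
    size_t n = 0;
    int hi = -1;
    for (; *hex; hex++) {
        if (*hex == ' ' || *hex == '\n') continue;
        int v = hexval(*hex);
        if (v < 0) return 0;
        if (hi < 0) { hi = v; continue; }
        if (n >= outcap) return 0;
        out[n++] = (unsigned char)((hi << 4) | v);
        hi = -1;
    }
    return hi < 0 ? n : 0;              /* an odd digit count is an error */
}

/* Parse the DER OCTET STRING header (tag 0x04 + length) in front of the EC
 * point. Returns the header size in bytes and stores the wrapped length in
 * *content_len; returns 0 if the buffer is not exactly one well-formed
 * OCTET STRING. Lengths < 128 use one byte; longer ones use 0x80|n followed
 * by n big-endian length bytes (for 133 bytes that is 81 85). */
size_t der_octet_string_header(const unsigned char *buf, size_t buflen,
                               size_t *content_len)
{
    size_t pos = 0, len = 0;
    if (buflen < 2 || buf[pos++] != 0x04)
        return 0;
    unsigned char first = buf[pos++];
    if (first < 0x80) {
        len = first;                    /* short form */
    } else {
        size_t nbytes = first & 0x7f;   /* long form: number of length octets */
        if (nbytes == 0 || nbytes > sizeof(size_t) || nbytes > buflen - pos)
            return 0;
        for (size_t i = 0; i < nbytes; i++)
            len = (len << 8) | buf[pos++];
        if (len < 0x80)                 /* DER forbids a non-minimal length */
            return 0;
    }
    if (len != buflen - pos)            /* the attribute value is exactly the wrapper */
        return 0;
    *content_len = len;
    return pos;
}

/* 1 if the unwrapped content is an uncompressed point 0x04 || X || Y for a
 * curve whose field elements take coord_len bytes. */
int is_uncompressed_point(const unsigned char *pt, size_t len, size_t coord_len)
{
    return len == 1 + 2 * coord_len && pt[0] == 0x04;
}

/* Header length found on the P-521 dump (3 bytes: 04 81 85). */
size_t p521_header_len(void)
{
    unsigned char buf[256];
    size_t clen, n = hex_decode(P521_SPY_DUMP, buf, sizeof buf);
    return n ? der_octet_string_header(buf, n, &clen) : 0;
}

/* 1 if the correctly unwrapped P-521 content is a valid uncompressed point
 * (P-521 coordinates are 66 bytes each, so 1 + 132 = 133 bytes). */
int p521_unwrapped_is_point(void)
{
    unsigned char buf[256];
    size_t clen, n = hex_decode(P521_SPY_DUMP, buf, sizeof buf);
    size_t hdr = n ? der_octet_string_header(buf, n, &clen) : 0;
    return hdr && is_uncompressed_point(buf + hdr, clen, 66);
}

/* 1 if skipping a fixed 2 bytes lands on something other than the 0x04
 * point marker for this dump (it lands on the 0x85 length byte). */
int p521_fixed_skip_misses_point(void)
{
    unsigned char buf[256];
    size_t n = hex_decode(P521_SPY_DUMP, buf, sizeof buf);
    return n > 2 && buf[2] != 0x04;
}

/* Constructed short-form sample of P-256 size (65-byte point, 2-byte header). */
size_t short_form_header_len(void)
{
    unsigned char buf[2 + 65];
    size_t clen;
    buf[0] = 0x04; buf[1] = 0x41;       /* OCTET STRING, length 65, short form */
    buf[2] = 0x04;                      /* uncompressed point marker */
    memset(buf + 3, 0xAA, 64);          /* placeholder coordinates (constructed) */
    return der_octet_string_header(buf, sizeof buf, &clen);
}

int main(void)
{
    printf("P-521 dump: header %zu bytes, point ok=%d, fixed +2 misses marker=%d\n",
           p521_header_len(), p521_unwrapped_is_point(), p521_fixed_skip_misses_point());
    printf("short-form sample: header %zu bytes\n", short_form_header_len());
    return 0;
}
```

For curves up to P-384 the wrapped point is at most 97 bytes, so the DER length fits in one byte and a fixed skip of two bytes happens to work; for P-521 the point is 133 bytes, the length is encoded as 81 85, and the header is three bytes, so a fixed skip leaves the pointer on the 0x85 byte, which is consistent with the "invalid encoding" error from ec_GFp_simple_oct2point quoted in the thread.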
Re: [opensc-devel] libp11 engine_pkcs11 support for ECDSA keys
I've tested your mods and they work well =). I can sign and verify with most EC keys (I've tested with p-192, p-224, p-384 and p-521). However I cannot load public keys when using p-521 curves. It seems that I can load the private key and sign, but the public key is not loaded. I confess that I didn't look much at engine_pkcs11 source code, but if you could give me some appointments I can try to fix that.

OpenSSL error is the following, after loading the key:

error:10067066:elliptic curve routines:ec_GFp_simple_oct2point:invalid encoding

Regards,

2011/8/13 Felipe Blauth f...@inf.ufsc.br
> Thank you, I'll check it out.
>
> 2011/8/12 Douglas E. Engert deeng...@anl.gov
>> No it has not been incorporated because it requires an OpenSSL internal header file ecs_locl.h, thus making it impractical to compile in to any package. This is a known bug:
>> http://rt.openssl.org/Ticket/Display.html?id=2459&user=guest&pass=guest
>> It also appeared on the OpenSSL mailing list. The patch should still work. Please try it, and you can also add comments to the OpenSSL bug report.
>>
>> On 8/12/2011 2:12 PM, Felipe Blauth wrote:
>>> Hello.
>>> I've started using engine_pkcs11 to access PKCS #11 tokens from OpenSSL EVP_PKEY's through ENGINE_load_key_type_key methods. It works very well with RSA keys, but it doesn't recognize ECDSA keys. Searching through the web, I've found that Douglas had a patch for it at http://www.mail-archive.com/opensc-devel@lists.opensc-project.org/msg07785.html . Was that ever incorporated? I couldn't find it in the latest snapshots.
>>> Thank you very much.
>>> --
>>> Felipe Menegola Blauth
>>
>> --
>> Douglas E. Engert deeng...@anl.gov
>> Argonne National Laboratory
>> 9700 South Cass Avenue
>> Argonne, Illinois 60439
>> (630) 252-5444
>
> --
> Felipe Menegola Blauth

--
Felipe Menegola Blauth
[opensc-devel] engine_pkcs11 + libp11 leaking memory ?
Hello everyone.

I'm playing around with engine_pkcs11 and libp11 and, maybe I'm doing something wrong, but I'm getting leaks regarding EVP_PKEY's. The following sample code just loads a private key into an EVP_PKEY and then releases it. I'm using the Safenet pkcs11 implementation (libcryptoki.so) to work with an HSM.

    #include <openssl/engine.h>
    #include <openssl/evp.h>

    int main()
    {
        EVP_PKEY *p = NULL;

        OpenSSL_add_all_algorithms();
        ENGINE_load_dynamic();
        ENGINE *pkcs11_engine = ENGINE_by_id("dynamic");

        if (!ENGINE_ctrl_cmd_string(pkcs11_engine, "SO_PATH", "/usr/lib/engines/engine_pkcs11.so", 0)) {
            // error handling...
        }
        if (!ENGINE_ctrl_cmd_string(pkcs11_engine, "LIST_ADD", "1", 0)) {
            // error handling...
        }
        if (!ENGINE_ctrl_cmd_string(pkcs11_engine, "LOAD", NULL, 0)) {
            // error handling...
        }
        if (!ENGINE_ctrl_cmd_string(pkcs11_engine, "MODULE_PATH", "/opt/PTK/lib/libcryptoki.so", 0)) {
            // error handling...
        }
        if (!ENGINE_ctrl_cmd_string(pkcs11_engine, "PIN", "my_pin", 0)) {
            // error handling...
        }
        if (!ENGINE_ctrl_cmd_string(pkcs11_engine, "VERBOSE", NULL, 0)) {
            // error handling...
        }
        if (!ENGINE_init(pkcs11_engine)) {
            // error handling...
        }
        ENGINE_set_default(pkcs11_engine, ENGINE_METHOD_ALL);

        p = ENGINE_load_private_key(pkcs11_engine, "slot_0-label_rsa", NULL, NULL);
        EVP_PKEY_free(p);

        ENGINE_finish(pkcs11_engine);
        ENGINE_free(pkcs11_engine);
        EVP_cleanup();
        return 0;
    }

And here is the valgrind output:

    ==22067== HEAP SUMMARY:
    ==22067==     in use at exit: 21,519 bytes in 314 blocks
    ==22067==   total heap usage: 2,638 allocs, 2,324 frees, 229,559 bytes allocated
    ==22067==
    ==22067== 144 bytes in 1 blocks are possibly lost in loss record 139 of 158
    ==22067==    at 0x4024F12: calloc (vg_replace_malloc.c:467)
    ==22067==    by 0x40117CB: _dl_allocate_tls (dl-tls.c:300)
    ==22067==    by 0x40906A9: pthread_create@@GLIBC_2.1 (allocatestack.c:570)
    ==22067==    by 0x49104B5: InitMonitor (in /usr/lib/libethsm.so)
    ==22067==    by 0x490ED80: TCP_Initialize (in /usr/lib/libethsm.so)
    ==22067==    by 0x4907B22: MD_Initialize (in /usr/lib/libethsm.so)
    ==22067==    by 0x48BA0E2: InitDevices (in /opt/ETcpsdk/lib/linux-i386/libcthsm.so)
    ==22067==    by 0x48BA1C8: InitHostInterface (in /opt/ETcpsdk/lib/linux-i386/libcthsm.so)
    ==22067==    by 0x48C1E02: C_Initialize (in /opt/ETcpsdk/lib/linux-i386/libcthsm.so)
    ==22067==    by 0x4035DC6: PKCS11_CTX_load (p11_load.c:75)
    ==22067==    by 0x402CE50: pkcs11_init (engine_pkcs11.c:177)
    ==22067==    by 0x41394EC: engine_unlocked_init (in /lib/libcrypto.so.0.9.8)
    ==22067==
    ==22067== 4,211 (40 direct, 4,171 indirect) bytes in 1 blocks are definitely lost in loss record 158 of 158
    ==22067==    at 0x4025BD3: malloc (vg_replace_malloc.c:236)
    ==22067==    by 0x40DD3FD: ??? (in /lib/libcrypto.so.0.9.8)
    ==22067==    by 0x40DDA8B: CRYPTO_malloc (in /lib/libcrypto.so.0.9.8)
    ==22067==    by 0x4036016: pkcs11_malloc (p11_misc.c:26)
    ==22067==    by 0x4037B9C: PKCS11_enumerate_slots (p11_slot.c:61)
    ==22067==    by 0x402D063: pkcs11_load_key (engine_pkcs11.c:585)
    ==22067==    by 0x402DDD6: pkcs11_load_private_key (engine_pkcs11.c:812)
    ==22067==    by 0x413AC46: ENGINE_load_private_key (in /lib/libcrypto.so.0.9.8)
    ==22067==    by 0x8049429: main (pkcs11_engine_test.cpp:242)
    ==22067==
    ==22067== LEAK SUMMARY:
    ==22067==    definitely lost: 40 bytes in 1 blocks
    ==22067==    indirectly lost: 4,171 bytes in 55 blocks
    ==22067==      possibly lost: 144 bytes in 1 blocks
    ==22067==    still reachable: 17,164 bytes in 257 blocks
    ==22067==         suppressed: 0 bytes in 0 blocks

The still reachable should be because I'm not calling the correct OpenSSL cleanup stuff. But the direct loss is caused by the EVP_PKEY loading. By looking at libp11 and engine_pkcs11 code, the function PKCS11_enumerate_slots allocates a PKCS11_SLOT * list that is not being freed. I tried to just free it (without success), but I think it is not the way to go, because libp11 works in an OOP fashion by linking slot-token-keys,certs.

Am I doing something wrong (ie: not calling the correct methods to clean things)? I couldn't find where stuff gets cleaned and how it is related to the EVP_PKEY_free() method.

Thank you.

PS: I've tried with both OpenSSL 0.9.8o 01 Jun 2010 (default Ubuntu version) and OpenSSL 1.0.0d 8 Feb 2011

--
Felipe Menegola Blauth
[opensc-devel] libp11 engine_pkcs11 support for ECDSA keys
Hello.

I've started using engine_pkcs11 to access PKCS #11 tokens from OpenSSL EVP_PKEY's through ENGINE_load_key_type_key methods. It works very well with RSA keys, but it doesn't recognize ECDSA keys. Searching through the web, I've found that Douglas had a patch for it at http://www.mail-archive.com/opensc-devel@lists.opensc-project.org/msg07785.html. Was that ever incorporated? I couldn't find it in the latest snapshots.

Thank you very much.

--
Felipe Menegola Blauth
Re: [opensc-devel] Java and pkcs11
2011/8/2 NdK ndk.cla...@gmail.com
> Hi all!
>
> Maybe it's nearly OT, but I think it could be useful for other readers.
>
> I've found that a quite recurring problem in accessing tokens from java is the "PKCS11 not found" exception. Disabling hot plug support, as suggested in the past to another user, didn't work in my case. The -Djava.security.debug=sunpkcs11 'workaround' is quite unsatisfactory (really slows down startup), but I've found that using SunPKCS11 and a config file containing:
>
> --8<--
> name = smartcard
> library = /usr/lib/opensc-pkcs11.so
> slotListIndex=1
> --8<--
>
> (so, specifying the slotListIndex) I can actually avoid that exception. But every user should determine his own slotListIndex (and, IIUC, it changes if there are certs under different PINs).
>
> What I still miss:
> - why can't I read certs out of the card even if they're publicly readable?

Java cryptography is based on the JCA/JCE architecture. The document at http://download.oracle.com/javase/1.5.0/docs/guide/security/p11guide.html pretty much explains everything you need to know. It says, for example, that only trusted certificates or pairs (key, certificate) are listed as aliases from a Java perspective.

> - once I can read a cert, how could I determine which slot I should authenticate against to use the corresponding private key?

The slot is fixed in the properties file. SunPKCS11 demands that you use different properties files for different slots.

> - should I avoid SunPKCS11 and base my program on simple PC/SC?

I would say no. If you can code in C, it is better to use pure C PKCS #11 (or some helper like libp11 or pkcs11-helper), since working with APDUs is not easy (nor necessary). If you need to stick to Java, maybe JNI is the answer.

> Tks,
> Diego.

Cheers,
--
Felipe Menegola Blauth
[opensc-devel] Unwrap, with openssl, a key wrapped inside Smart Card
Hello to all,

Simple question: is it possible, using openssl, to unwrap a key wrapped inside a Smart Card with the C_Wrap function?

Thank you.

__
Felipe Blauth
Re: [opensc-devel] Problems with starcos spk 2.4 and opensc-pkcs11.so
Hello guys.

Following Viktor's advice, I managed to make the card compatible with the PKCS#11 interface. I've found two ways to make it work:

1) First is initializing the card as Viktor said:

    # pkcs15-init -C --profile pkcs15+onepin

2) Second is initializing like that:

    # pkcs15-init -C --no-so-pin

By doing that, I can call most of the PKCS#11 interface functions. The only thing I've missed is the C_InitToken and C_InitPin functions, that are not supported. I think there's a strong reason for that though.

2011/3/21 Martin Paljak mar...@martinpaljak.net
> Hello,
>
> On Mar 19, 2011, at 11:12 PM, Felipe Blauth wrote:
>> However, I still can't generate a key pair neither coding directly against PKCS#11 API (with opensc-pkcs11.so) nor using pkcs11-tool (I get CKR_GENERAL_ERROR).
>
> a) have you tried with OpenSC 0.12.0?

Yes, I did. But the behavior didn't change.

> b) can you provide the debug log?

If still necessary, I can.

> c) where can the spk2.4 cards be bought online?

I actually don't know. I'm still in school and the laboratory I work at already had those cards; the University bought them...

Regards,
Felipe Blauth.
Re: [opensc-devel] Problems with starcos spk 2.4 and opensc-pkcs11.so
You were right Viktor, by using:

    # pkcs15-init -G rsa/1024 --auth-id 01 --label "My Private Key" --public-key-label "My Public Key"

the problem of being unable to sign data with the generated keys was solved, thank you for that.

However, I still can't generate a key pair neither coding directly against PKCS#11 API (with opensc-pkcs11.so) nor using pkcs11-tool (I get CKR_GENERAL_ERROR). Maybe I need to do something before calling C_GenerateKeyPair?

Regards,
Felipe Blauth.

2011/3/18 Viktor TARASOV viktor.tara...@opentrust.com
> On 17.03.2011 16:14, Felipe Blauth wrote:
>> Hello everyone,
>>
>> Currently, I'm having some trouble with usage of starcos spk 2.4 cards and opensc. I used to have no problem, and I don't know where exactly the problem is. Here's what's happening:
>>
>> I have an application that uses pkcs15-init to initialize cards and then it codes directly against PKCS#11 API (and opensc-pkcs11.so module) to use the card (generate keys, sign, etc). I have no problems with the initialization (I use system calls):
>>
>>     # pkcs15-init -C                                          (ok)
>>     # pkcs15-init --store-pin --auth-id 01 --label some-label (ok)
>>
>> And then, if I try to generate keys through PKCS#11 API (with C_GenerateKeyPair), I get CKR_GENERAL_ERROR. The weird thing is that everything used to work in the past =p. Also, if I try to generate keys using pkcs11-tool, I get the same error. For example, if I do:
>>
>>     # pkcs11-tool --login -k
>>     (error: PKCS11 function C_GenerateKeyPair failed: rv = CKR_GENERAL_ERROR (0x5))
>>
>> On the other side, if I use pkcs15-init to generate a key pair:
>>
>>     # pkcs15-init -G rsa/1024 --auth-id ff --label "My Private Key" --public-key-label "My Public Key"
>>
>> It does generate the key-pair. However, if I try to do something with pkcs11-tool, with the generated key, like
>
> A bit strange, you are generating key with the reference to SOPIN ('--auth-id FF'). You have created User PIN with the reference '--auth-id 01' and you should use this one.
>
>>     # pkcs11-tool --sign -i i_file -o signature
>>
>> I get the following errors:
>> ...
>> error: PKCS11 function C_SignFinal failed: rv = CKR_USER_NOT_LOGGED_IN (0x101)
>
> Probably can be explained by the fact that the private key does not reference the 'User PIN' authentication object.
>
> If problem persists, please, send us the logs with the debug level 8.
>
> Kind wishes,
> Viktor.
>
> --
> Viktor Tarasov viktor.tara...@opentrust.com
Re: [opensc-devel] Securing pin while it travels to the Smart Card
Thank you for the answers.

2010/9/23 Viktor TARASOV viktor.tara...@opentrust.com
> Douglas E. Engert wrote:
>> On 9/22/2010 1:04 PM, Felipe Blauth wrote:
>>> Hello to all.
>>>
>>> Do you know any way of securing the pin while it travels from the computer to the card? More precisely, I have two cryptographic perimeters, one is an HSM, and the other is the Smart Card. The HSM communicates with the Smart Card through a normal USB reader, using OpenSC and PCSCD. (the HSM runs a freeBSD inside it, so we normally install OpenSC and PCSCD). The problem here is that the pin needed to log in the Smart Card travels in an insecure way, while it goes through the wire from the HSM to the Smart Card. I've been trying to create a protocol in which I could make a key agreement before sending the pin, but I didn't find any way to do it without having to log in inside a token (slot - token).
>>>
>>> Any ideas would be very appreciated.
>>
>> (I assume that a PIN Pad reader is not what you are looking for.)
>>
>> Look for Secure Messaging.
>> http://www.cardwerk.com/smartcards/smartcard_standard_ISO7816-4_annex-f.aspx
>>
>> You would have to see if your cards support this. I have not looked at what support OpenSC has for Secure Messaging.
>
> In the IAS/ECC branch SM is supported for the AuthentIC v3 (Global Platform SCP01) and IAS/ECC cards.
>
> --
> Viktor Tarasov viktor.tara...@opentrust.com
[opensc-devel] Securing pin while it travels to the Smart Card
Hello to all.

Do you know any way of securing the pin while it travels from the computer to the card? More precisely, I have two cryptographic perimeters, one is an HSM, and the other is the Smart Card. The HSM communicates with the Smart Card through a normal USB reader, using OpenSC and PCSCD. (the HSM runs a freeBSD inside it, so we normally install OpenSC and PCSCD). The problem here is that the pin needed to log in the Smart Card travels in an insecure way, while it goes through the wire from the HSM to the Smart Card. I've been trying to create a protocol in which I could make a key agreement before sending the pin, but I didn't find any way to do it without having to log in inside a token (slot - token).

Any ideas would be very appreciated.
Re: [opensc-devel] How to Initialize a token using C_InitToken() from PKCS#11 interface?
I think my last message got cut because of too many attached files, so I'm resending with links to the files.

> Also, please enable debugging (set to 9 and uncomment debug_file in opensc.conf) and send the generated log file.

This file (opensc-debug.log, http://www.inf.ufsc.br/%7Efmb/log/opensc-debug.log) contains the output of my program running with the debug set to 9.

> I'm not sure, but I suspect that changing "hide_empty_tokens = false;" in opensc.conf can have a difference in the initialization case, as otherwise tokens will not be created if there are no user PIN codes. Please try with this option enabled as well.

The second file (opensc-debug-hide_empty_tokens_false.log, http://www.inf.ufsc.br/%7Efmb/log/opensc-debug-hide_empty_tokens_false.log) contains the output of the same program running with "hide_empty_tokens = false" uncommented. This time, the error was not CKR_TOKEN_NOT_PRESENT but, instead, the output was 0x54 which means CKR_FUNCTION_NOT_SUPPORTED.

Regards.
[opensc-devel] How to Initialize a token using C_InitToken() from PKCS#11 interface?
Hello,

Here is my question again, now in the correct list and complete:

First of all, the environment I'm running this program in is:

    OS: Ubuntu 10.04
    OpenSC version: opensc 0.11.12 [gcc 4.4.3] (version from ubuntu repository)
    Smart Card reader: Gemplus GemPC Twin 00 00
    Smart Card: GD STARCOS SPK 2.4

This is a test card, so it is erasable. Thus, the first command I've sent was:

    fel...@labsec:~$ pkcs15-init --erase-card

After that, to initialize a pkcs#15 structure I've run the command:

    fel...@labsec:~$ pkcs15-init --create-pkcs15

And I've filled both the SO pin and the PUK with the values 00. After that, I've written the following simple code, in the C programming language:

    #include <opensc/pkcs11.h>
    #include <stdio.h>
    #include <stdlib.h>
    #include <string.h>

    int main()
    {
        CK_RV rv;
        CK_SLOT_ID_PTR pSlotList;
        CK_ULONG ulSlotCount;
        CK_UTF8CHAR SOPin[6] = {0x00, 0x00, 0x00, 0x00, 0x00, 0x00};
        CK_UTF8CHAR tokenLabel[32];
        CK_ULONG PinLen;

        //Cryptoki initialization
        rv = C_Initialize(NULL_PTR);
        if (rv != CKR_OK) {
            printf("error initializing PKCS#11 library\n");
            exit(EXIT_FAILURE);
        }

        //getting the size of the buffer to allocate a list with all slots available
        rv = C_GetSlotList(CK_FALSE, NULL_PTR, &ulSlotCount);

        //allocating memory for the buffer
        pSlotList = (CK_SLOT_ID_PTR) malloc(ulSlotCount * sizeof(CK_SLOT_ID));

        // now, populate the list pSlotList with the slots
        rv = C_GetSlotList(CK_FALSE, pSlotList, &ulSlotCount);
        if (rv != CKR_OK) {
            printf("error populating the list of slots\n");
            free(pSlotList);
            exit(EXIT_FAILURE);
        }

        //setting the tokenLabel memory space (32 chars, blank padded)
        memset(tokenLabel, ' ', sizeof(tokenLabel));
        memcpy(tokenLabel, "My Token", strlen("My Token"));

        //setting the PinLen size
        PinLen = (CK_ULONG) sizeof(SOPin);

        //calling C_InitToken to initialize first token
        rv = C_InitToken(pSlotList[0], SOPin, PinLen, tokenLabel);
        if (rv != CKR_OK) {
            if (rv == CKR_TOKEN_NOT_PRESENT) {
                printf("token not present\n");
            }
            printf("error initializing token\n");
            free(pSlotList);
            exit(EXIT_FAILURE);
        }
        free(pSlotList);
        return 0;
    }

And I've compiled it with gcc (Ubuntu 4.4.3-4ubuntu5) 4.4.3 with Eclipse defaults (-O0 -g3 -Wall -c -fmessage-length=0) linking with opensc-pkcs11.so (which I renamed to libopenscpkcs11.so for easier use):

    fel...@labsec:~/workspace-C/testeParaEmail$ gcc simpleTest.c -O0 -g3 -Wall -fmessage-length=0 -lopenscpkcs11 -o simpleTest

Then I've run the program and the output showed:

    token not present
    error initializing token

That shows that the error is CKR_TOKEN_NOT_PRESENT. By testing myself, I realized that what is missing is what is done by "pkcs15-init --store-pin args" because, if I run this command, the token becomes visible in that slot and I'm able to log in to it and do stuff. What is unclear is whether it is possible to do what the command "pkcs15-init --store-pin args" does with pkcs#11 code.

Regards,
Felipe Blauth
Re: [opensc-devel] Help with project that demands interoperability between cards
Hello, thanks for the reply.

> What functionality is missing from libp11?

A function to delete objects, such as keys and certificates.

> Why not use PKCS#11 directly, without additional layers between your application and the PKCS#11 library?

Actually I am still evaluating the best way to go. Since I'm still not a strong C developer (I've been using Java for years) and the project demands to be written in C, I thought using a helper would be nice. Do you think PKCS#11 directly is the best way?

> Have you checked the other PKCS#11 related libraries [1] in the wiki?

Going to check it out.

>> 2) My second approach, and maybe harder, is to work directly with the winscard interface, using pcsc-lite implementations. I think I will get stuck in this approach because, as far as I know, there are some default APDUs that work with every card, but there's a lot that differ from card to card. My main question is: if I initialize a PKCS#15 structure using pkcs15-init --create-pkcs15 will I have a default set of APDUs?
>
> No, not really. That's why OpenSC is a collection of different card drivers. PKCS#15 only defines the structure, not the commands to retrieve them.
>
> [1] http://www.opensc-project.org/opensc/wiki/DeveloperInformation#Toolsandlibraries
>
> --
> Martin Paljak
> @martinpaljak.net
> +3725156495
[opensc-devel] Help with project that demands interoperability between cards
Hello again.

I'm going to start a project in which I need to have interoperability between smart cards. Since not all cards are supported by OpenSC I would like some advice on the ideas I already have:

1) I've been studying the PKCS#11 interface and its interaction with LIBP11 and I found a good starting point there. Since I need more functions than are implemented by LIBP11 and opensc-pkcs11.so (like destruction of objects, keys and certificates) my idea is to extend LIBP11 with new functions and use private implementations of PKCS#11, since LIBP11 already provides an easy way to load PKCS#11 modules. By doing so, after a card is inserted, I could load and try a set of modules and find the correct one for the card inserted and use it. I've tested the LIBP11 examples with libaetpkss.so (the PKCS#11 module of starcos cards) and they worked well. If I do that I might contribute to the LIBP11 project by adding new functions to it.

2) My second approach, and maybe harder, is to work directly with the winscard interface, using pcsc-lite implementations. I think I will get stuck in this approach because, as far as I know, there are some default APDUs that work with every card, but there's a lot that differ from card to card. My main question is: if I initialize a PKCS#15 structure using pkcs15-init --create-pkcs15 will I have a default set of APDUs?

Regards