Re: [opensc-devel] pkcs11-tool -O
On 9/18/2011 6:08 PM, Martin Paljak wrote: Hello, The included patch [1] fixes the usage text and also the man page to reflect the fact that specifying the module is mandatory. Not the most elegant one (abuses app_name) but works. [1] https://github.com/martinpaljak/OpenSC/commit/dca75429d69da7de956d3b2a74706d6956d59cfa Thanks! That does indeed work # pkcs11-tool --module /usr/local/lib/opensc-pkcs11.so -v -O Using slot 1 with a present token (0x1) Public Key Object; RSA 2048 bits label: Private Key ID: 45 Usage: encrypt, verify, wrap ---Mike -- --- Mike Tancsa, tel +1 519 651 3400 Sentex Communications, m...@sentex.net Providing Internet services since 1994 www.sentex.net Cambridge, Ontario Canada http://www.tancsa.com/ ___ opensc-devel mailing list opensc-devel@lists.opensc-project.org http://www.opensc-project.org/mailman/listinfo/opensc-devel
Re: [opensc-devel] MiniDriver in Mobile Phones
On 9/18/2011 5:57 AM, Martin Paljak wrote: But I'm still no believer for the TC/TPM field, in consumer products (like Windows, maybe for Apple ;)) How come ? ---Mike -- --- Mike Tancsa, tel +1 519 651 3400 Sentex Communications, m...@sentex.net Providing Internet services since 1994 www.sentex.net Cambridge, Ontario Canada http://www.tancsa.com/ ___ opensc-devel mailing list opensc-devel@lists.opensc-project.org http://www.opensc-project.org/mailman/listinfo/opensc-devel
Re: [opensc-devel] Aladdin 64K 4.2B tokens and OpenSC 0.12.2 Aladdin tokens no longer working?
On 9/15/2011 9:54 AM, Mike Tancsa wrote:
On 9/14/2011 10:28 PM, Mike Tancsa wrote:
I have just run into the same problem on FreeBSD. An older version
works fine with this key below. How do I create the debug logs to help
narrow down this problem ?
Full logs sent directly to Martin
But things seem to go 'bad' right from the start. Doing a simple -E
gives errors like below. Perhaps the version of openct ?
OK, I narrowed it down a bit more. It seems the files in
/usr/local/share/opensc have changed. If I use the files from the older
version it seems to mostly work.
Another thing I am not sure of is that I used to use the --split-key
option and thats no longer there ?
pkcs15-init -G rsa/2048 -a 01 --pin $DUMMYPIN --so-pin $DUMMYPIN -u
sign,decrypt --split-key
Not sure if its related to the fact that I cannot used the openssl
pkcs11_engine ?
OpenSSL req -engine pkcs11 -new -key id_45 -keyform engine -out req.pem
-subj /C=CA/ST=ON/L=Hespeler/O=Sentex
Communications/OU=support/CN=mdtancsa-cage64/emailAddress=mdtancsa-cag...@sentex.ca
engine pkcs11 set.
Invalid slot number: 0
PKCS11_get_private_key returned NULL
cannot load Private Key from engine
80187:error:26096080:engine routines:ENGINE_load_private_key:failed
loading private
key:/usr/src/secure/lib/libcrypto/../../../crypto/openssl/crypto/engine/eng_pkey.c:126:
unable to load Private Key
error in req
OpenSSL
Nothing really jumps out just yet, but
pkcs15-id-style= mozilla;
from the pkcs15.profile
and
diff -u ../opensc.fresh/cardos.profile cardos.profile
--- ../opensc.fresh/cardos.profile 2011-09-16 13:41:52.0 -0400
+++ cardos.profile 2009-05-27 13:46:44.0 -0400
@@ -18,7 +18,7 @@
reference = 1;
}
PIN user-pin {
-attempts = 3;
+attempts = 8;
}
PIN user-puk {
attempts = 10;
@@ -34,21 +34,16 @@
# Prevent unauthorized updates of basic security
# objects via PUT DATA OCI.
- # ACL = UPDATE=NEVER;
- ACL = UPDATE=$SOPIN;
+ ACL = UPDATE=NEVER;
# Bump the size of the EF(PrKDF) - with split
# keys, we may need a little more room.
EF PKCS15-PrKDF {
- size= 1024;
+ size= 384;
}
EF PKCS15-PuKDF {
- size= 768;
- }
-
- EF PKCS15-CDF {
- size= 1536;
+ size= 384;
}
# This template defines files for keys, certificates etc.
@@ -57,9 +52,11 @@
# combined with the last octet of the object's pkcs15 id
# to form a unique file ID.
template key-domain {
- BSO private-key {
+ # This is a dummy entry - pkcs15-init insists that
+ # this is present
+ EF private-key {
+ file-id = ;
}
-
EF public-key {
file-id = 3003;
structure = transparent;
--
---
Mike Tancsa, tel +1 519 651 3400
Sentex Communications, m...@sentex.net
Providing Internet services since 1994 www.sentex.net
Cambridge, Ontario Canada http://www.tancsa.com/
___
opensc-devel mailing list
opensc-devel@lists.opensc-project.org
http://www.opensc-project.org/mailman/listinfo/opensc-devel
[opensc-devel] pkcs11-tool -O
For some reason, this does not work on 12.x ? It just comes up with a usage error. eg on 11.8 # pkcs11-tool -v -O [opensc-pkcs11] reader-pcsc.c:1015:pcsc_detect_readers: returning with: No readers found [opensc-pkcs11] reader-pcsc.c:1015:pcsc_detect_readers: returning with: No readers found Certificate Object, type = X.509 cert label: Certificate ID: 45 Public Key Object; RSA 2048 bits label: Public Key ID: 45 Usage: none and on 12.x # pkcs11-tool -v -O Usage: pkcs11-tool [OPTIONS] Options: --module argSpecify the module to load (mandatory) --show-info, -I Show global token information --list-slots, -L List available slots --list-token-slots, -TList slots with tokens -- --- Mike Tancsa, tel +1 519 651 3400 Sentex Communications, m...@sentex.net Providing Internet services since 1994 www.sentex.net Cambridge, Ontario Canada http://www.tancsa.com/ ___ opensc-devel mailing list opensc-devel@lists.opensc-project.org http://www.opensc-project.org/mailman/listinfo/opensc-devel
Re: [opensc-devel] Aladdin 64K 4.2B tokens and OpenSC 0.12.2 Aladdin tokens no longer working?
On 9/16/2011 2:48 PM, Mike Tancsa wrote: Not sure if its related to the fact that I cannot used the openssl pkcs11_engine ? OpenSSL req -engine pkcs11 -new -key id_45 -keyform engine -out req.pem -subj /C=CA/ST=ON/L=Hespeler/O=Sentex Communications/OU=support/CN=mdtancsa-cage64/emailAddress=mdtancsa-cag...@sentex.ca engine pkcs11 set. Invalid slot number: 0 PKCS11_get_private_key returned NULL cannot load Private Key from engine 80187:error:26096080:engine routines:ENGINE_load_private_key:failed loading private key:/usr/src/secure/lib/libcrypto/../../../crypto/openssl/crypto/engine/eng_pkey.c:126: unable to load Private Key error in req OpenSSL A little closer. At least its prompting me for the PIN now. With the verbose flag set in the engine, I get 0(cage2)# openssl OpenSSL engine -t dynamic -pre SO_PATH:/usr/local/lib/engines/engine_pkcs11.so -pre ID:pkcs11 -pre LIST_ADD:1 -pre LOAD -pre MODULE_PATH:/usr/local/lib/opensc-pkcs11.so (dynamic) Dynamic engine loading support [Success]: SO_PATH:/usr/local/lib/engines/engine_pkcs11.so [Success]: ID:pkcs11 [Success]: LIST_ADD:1 [Success]: LOAD [Success]: MODULE_PATH:/usr/local/lib/opensc-pkcs11.so Loaded: (pkcs11) pkcs11 engine initializing engine [ available ] OpenSSL req -engine pkcs11 -new -key slot_1-id_45 -keyform engine -out req.pem -subj /CN=mdtancsa-cage64 initializing engine engine pkcs11 set. Looking in slot 1 for key: 45 Found 3 slots [18446744073709551615] Virtual hotplug slot no tok [1] Aladdin eToken PRO 64k login (mdtancsa-cage64 (mdtancsa-cage64) [5] OpenCT reader (detached) no tok Found slot: Aladdin eToken PRO 64k Found token: mdtancsa-cage64 (mdtancsa-cage64 Found 0 certificate: PKCS#11 token PIN: Found 1 key: 1 P Private Key 88558:error:8000A005:PKCS11 library:PKCS11_rsa_sign:General Error:p11_ops.c:131: 88558:error:0D0C3006:asn1 encoding routines:ASN1_item_sign:EVP lib:/usr/src/secure/lib/libcrypto/../../../crypto/openssl/crypto/asn1/a_sign.c:281: error in req OpenSSL The key generated with 12.2 looks like Private RSA Key [Private Key] Object Flags : [0x3], private, modifiable Usage : [0x2E], decrypt, sign, signRecover, unwrap Access Flags : [0x1D], sensitive, alwaysSensitive, neverExtract, local ModLength : 2048 Key ref: 16 (0x10) Native : yes Path : 3f005015 Auth ID: 01 ID : 45 Public RSA Key [Private Key] Object Flags : [0x2], modifiable Usage : [0xD1], encrypt, wrap, verify, verifyRecover Access Flags : [0x0] ModLength : 2048 Key ref: 0 Native : no Path : 3f0050153003 ID : 45 PIN [Security Officer PIN] Object Flags : [0x3], private, modifiable ID : ff Flags : [0xB2], local, initialized, needs-padding, soPin Length : min_len:6, max_len:8, stored_len:8 Pad char : 0x00 Reference : 1 Type : ascii-numeric Path : 3f005015 PIN [mdtancsa-cage64] Object Flags : [0x3], private, modifiable ID : 01 Flags : [0x32], local, initialized, needs-padding Length : min_len:4, max_len:8, stored_len:8 Pad char : 0x00 Reference : 3 Type : ascii-numeric Path : 3f005015 where as generated with 11.8, Using reader with a card: Aladdin eToken PRO 64k Private RSA Key [Private Key] Com. Flags : 3 Usage : [0x22], decrypt, unwrap Access Flags: [0x1D], sensitive, alwaysSensitive, neverExtract, local ModLength : 2048 Key ref : 16 Native : yes Path: 3f005015 Auth ID : 01 ID : 45 Private RSA Key [Private Key] Com. Flags : 3 Usage : [0x20C], sign, signRecover, nonRepudiation Access Flags: [0x1D], sensitive, alwaysSensitive, neverExtract, local ModLength : 2048 Key ref : 17 Native : yes Path: 3f005015 Auth ID : 01 ID : 45 Public RSA Key [Public Key] Com. Flags : 2 Usage : [0x4], sign Access Flags: [0x0] ModLength : 2048 Key ref : 0 Native : no Path: 3f0050153048 Auth ID : ID : 45 PIN [Security Officer PIN] Com. Flags: 0x3 ID: ff Flags : [0xB2], local, initialized, needs-padding, soPin Length: min_len:6, max_len:8, stored_len:8 Pad char : 0x00 Reference : 1 Type : ascii-numeric Path : 3f005015
Re: [opensc-devel] Aladdin 64K 4.2B tokens and OpenSC 0.12.2 Aladdin tokens no longer working?
On 9/14/2011 10:28 PM, Mike Tancsa wrote: I have just run into the same problem on FreeBSD. An older version works fine with this key below. How do I create the debug logs to help narrow down this problem ? Full logs sent directly to Martin But things seem to go 'bad' right from the start. Doing a simple -E gives errors like below. Perhaps the version of openct ? works = opensc-0.11.8,openct-0.6.16) and fail = opensc-0.12.2,openct-0.6.20 pkcs15-init - -E [pkcs15-init] reader-pcsc.c:1015:pcsc_detect_readers: returning with: No readers found [pkcs15-init] sc.c:196:sc_detect_card_presence: called [pkcs15-init] reader-openct.c:194:openct_reader_detect_card_presence: called [pkcs15-init] sc.c:201:sc_detect_card_presence: returning with: 1 Using reader with a card: Aladdin eToken PRO 64k [pkcs15-init] sc.c:196:sc_detect_card_presence: called [pkcs15-init] reader-openct.c:194:openct_reader_detect_card_presence: called [pkcs15-init] sc.c:201:sc_detect_card_presence: returning with: 1 Connecting to card in reader Aladdin eToken PRO 64k... [pkcs15-init] card.c:110:sc_connect_card: called [pkcs15-init] reader-openct.c:218:openct_reader_connect: called [pkcs15-init] card.c:140:sc_connect_card: matching configured ATRs [pkcs15-init] card.c:182:sc_connect_card: matching built-in ATRs [pkcs15-init] card.c:188:sc_connect_card: trying driver: rutoken [pkcs15-init] card-rutoken.c:129:rutoken_match_card: called [pkcs15-init] card-rutoken.c:135:rutoken_match_card: returning with: 0 [pkcs15-init] card.c:188:sc_connect_card: trying driver: cardos [pkcs15-init] card-cardos.c:79:cardos_match_card: checking cardos version ... [pkcs15-init] card.c:285:sc_lock: called [pkcs15-init] reader-openct.c:410:openct_reader_lock: called [pkcs15-init] card.c:312:sc_unlock: called [pkcs15-init] reader-openct.c:437:openct_reader_unlock: called [pkcs15-init] card-cardos.c:100:cardos_match_card: found cardos v4.2b [pkcs15-init] card.c:196:sc_connect_card: matched: Siemens CardOS [pkcs15-init] card.c:221:sc_connect_card: card info: CardOS M4, 1005, 0x0 [pkcs15-init] card.c:222:sc_connect_card: returning with: 0 Using card driver Siemens CardOS. [pkcs15-init] card.c:285:sc_lock: called [pkcs15-init] reader-openct.c:410:openct_reader_lock: called [pkcs15-init] card.c:668:sc_card_ctl: called [pkcs15-init] card-cardos.c:925:cardos_lifecycle_set: called [pkcs15-init] card-cardos.c:879:cardos_lifecycle_get: called [pkcs15-init] card.c:285:sc_lock: called [pkcs15-init] card.c:312:sc_unlock: called [pkcs15-init] card-cardos.c:913:cardos_lifecycle_get: returning with: 0 [pkcs15-init] card.c:678:sc_card_ctl: returning with: 0 [pkcs15-init] card.c:532:sc_select_file: called; type=2, path=3f0050154946 [pkcs15-init] card-cardos.c:431:cardos_select_file: called [pkcs15-init] card.c:285:sc_lock: called [pkcs15-init] card.c:312:sc_unlock: called [pkcs15-init] card-cardos.c:259:cardos_check_sw: file not found [pkcs15-init] iso7816.c:464:iso7816_select_file: returning with: -1201 [pkcs15-init] card-cardos.c:435:cardos_select_file: returning with: -1201 [pkcs15-init] card.c:554:sc_select_file: returning with: -1201 [pkcs15-init] profile.c:306:sc_profile_load: Using profile directory '/usr/local/share/opensc'. [pkcs15-init] profile.c:318:sc_profile_load: Trying profile file /usr/local/share/opensc/pkcs15.profile [pkcs15-init] profile.c:326:sc_profile_load: profile /usr/local/share/opensc/pkcs15.profile loaded ok [pkcs15-init] profile.c:306:sc_profile_load: Using profile directory '/usr/local/share/opensc'. [pkcs15-init] profile.c:318:sc_profile_load: Trying profile file /usr/local/share/opensc/cardos.profile [pkcs15-init] profile.c:326:sc_profile_load: profile /usr/local/share/opensc/cardos.profile loaded ok About to erase card. [pkcs15-init] pkcs15.c:700:sc_pkcs15_bind: called [pkcs15-init] card.c:285:sc_lock: called [pkcs15-init] card.c:532:sc_select_file: called; type=2, path=3f002f00 [pkcs15-init] card-cardos.c:431:cardos_select_file: called [pkcs15-init] card.c:285:sc_lock: called [pkcs15-init] card.c:312:sc_unlock: called [pkcs15-init] card-cardos.c:259:cardos_check_sw: file not found [pkcs15-init] iso7816.c:464:iso7816_select_file: returning with: -1201 [pkcs15-init] card-cardos.c:435:cardos_select_file: returning with: -1201 [pkcs15-init] card.c:554:sc_select_file: returning with: -1201 [pkcs15-init] card.c:532:sc_select_file: called; type=2, path=3f005015 [pkcs15-init] card-cardos.c:431:cardos_select_file: called [pkcs15-init] card.c:285:sc_lock: called [pkcs15-init] card.c:312:sc_unlock: called [pkcs15-init] card-cardos.c:259:cardos_check_sw: file not found [pkcs15-init] iso7816.c:459:iso7816_select_file: returning with: -1201 [pkcs15-init] card-cardos.c:435:cardos_select_file: returning with: -1201 [pkcs15-init] card.c:554:sc_select_file: returning with: -1201 [pkcs15-init] card.c:532:sc_select_file: called; type=2, path=3f005031 [pkcs15-init] card-cardos.c:431:cardos_select_file: called [pkcs15-init] card.c:285:sc_lock: called [pkcs15
Re: [opensc-devel] Aladdin 64K 4.2B tokens and OpenSC 0.12.2 Aladdin tokens no longer working?
On 9/7/2011 3:19 AM, Martin Paljak wrote: Hello, On Wed, Sep 7, 2011 at 09:10, Dan Peterson drpeter...@es.net wrote: Could be. I don't think the problem is same by nature. I have or can create debug logs if anyone is interested. I an looking into if this happens on the MAC code base as well, I think it does but I am not sure I think it will behave the same. Please provide the logs for success (0.11) and failure(0.12) as well if possible. I have just run into the same problem on FreeBSD. An older version works fine with this key below. How do I create the debug logs to help narrow down this problem ? # cardos-tool -i Using reader with a card: Aladdin eToken PRO 64k 3b:f2:18:00:02:c1:0a:31:fe:58:c8:09:75 Info : CardOS V4.2B (C) Siemens AG 1994-2005 Chip type: 124 Serial number: 28 47 7f 11 0b 18 Full prom dump: 33 66 00 22 9A 9A 9A 9A 7C FF 28 47 7F 11 0B 18 3f.|.(G 00 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 OS Version: 200.9 (that's CardOS M4.2B) Current life cycle: 32 (administration) Security Status of current DF: Free memory : 128 ATR Status: 0x0 ROM-ATR Packages installed: Ram size: 4, Eeprom size: 64, cpu type: 66, chip config: 63 Free eeprom memory: 48845 System keys: PackageLoadKey (version 0xfe, retries 10) System keys: StartKey (version 0xff, retries 10) Path to current DF: -- --- Mike Tancsa, tel +1 519 651 3400 Sentex Communications, m...@sentex.net Providing Internet services since 1994 www.sentex.net Cambridge, Ontario Canada http://www.tancsa.com/ ___ opensc-devel mailing list opensc-devel@lists.opensc-project.org http://www.opensc-project.org/mailman/listinfo/opensc-devel
