Re: [opensc-devel] Aladdin 64K 4.2B tokens and OpenSC 0.12.2 Aladdin tokens no longer working?

2011-09-16 Thread Mike Tancsa
On 9/15/2011 9:54 AM, Mike Tancsa wrote:
 On 9/14/2011 10:28 PM, Mike Tancsa wrote:

 I have just run into the same problem on FreeBSD.  An older version
 works fine with this key below.  How do I create the debug logs to help
 narrow down this problem ?
 
 
 Full logs sent directly to Martin
 
 But things seem to go 'bad' right from the start. Doing a simple -E
 gives errors like below.  Perhaps the version of openct ?
 


OK, I narrowed it down a bit more. It seems the files in
/usr/local/share/opensc have changed.  If I use the files from the older
version it seems to mostly work.

Another thing I am not sure of is that I used to use the --split-key
option and that's no longer there?

pkcs15-init -G rsa/2048 -a 01 --pin $DUMMYPIN --so-pin $DUMMYPIN -u
sign,decrypt --split-key


Not sure if it's related to the fact that I cannot use the openssl
pkcs11_engine?

OpenSSL req -engine pkcs11 -new -key id_45 -keyform engine -out req.pem
-subj /C=CA/ST=ON/L=Hespeler/O=Sentex
Communications/OU=support/CN=mdtancsa-cage64/emailAddress=mdtancsa-cag...@sentex.ca
engine pkcs11 set.
Invalid slot number: 0
PKCS11_get_private_key returned NULL
cannot load Private Key from engine
80187:error:26096080:engine routines:ENGINE_load_private_key:failed
loading private
key:/usr/src/secure/lib/libcrypto/../../../crypto/openssl/crypto/engine/eng_pkey.c:126:
unable to load Private Key
error in req
OpenSSL








Nothing really jumps out just yet, but

 pkcs15-id-style= mozilla;

from the pkcs15.profile

and

 diff -u ../opensc.fresh/cardos.profile cardos.profile
--- ../opensc.fresh/cardos.profile  2011-09-16 13:41:52.0 -0400
+++ cardos.profile  2009-05-27 13:46:44.0 -0400
@@ -18,7 +18,7 @@
 reference = 1;
 }
 PIN user-pin {
-attempts   = 3;
+attempts   = 8;
 }
 PIN user-puk {
 attempts   = 10;
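Review bot: the file headers put the freshly installed file (`../opensc.fresh/cardos.profile`, dated 2011-09-16) on the `---` side and the copy dated 2009-05-27 on the `+++` side, so the `+` lines throughout are the older profile, not the new one; regenerating the diff with the two arguments swapped would make it read in upgrade order. In this hunk the only difference is `attempts` for `PIN user-pin` (3 in the fresh file, 8 in the older one), a retry-counter value that can be ruled in or out by changing that one line on its own.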
@@ -34,21 +34,16 @@

# Prevent unauthorized updates of basic security
# objects via PUT DATA OCI.
-   # ACL = UPDATE=NEVER;
-   ACL = UPDATE=$SOPIN;
+   ACL = UPDATE=NEVER;

# Bump the size of the EF(PrKDF) - with split
# keys, we may need a little more room.
EF PKCS15-PrKDF {
-   size= 1024;
+   size= 384;
}

EF PKCS15-PuKDF {
-   size= 768;
-   }
-
-   EF PKCS15-CDF {
-   size= 1536;
+   size= 384;
}

# This template defines files for keys, certificates etc.
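Review bot: the comment above the ACL line says it prevents unauthorized updates via PUT DATA OCI, but the two sides enforce different things: `ACL = UPDATE=$SOPIN;` on the `-` side ties updates to the SO PIN, while `ACL = UPDATE=NEVER;` on the `+` side forbids them outright, so the comment should say which is intended. The same hunk also changes the `EF PKCS15-PrKDF` and `EF PKCS15-PuKDF` sizes and the `EF PKCS15-CDF` block exists on one side only; test the ACL line separately from the size changes so that a fix is not attributed to the wrong line.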
@@ -57,9 +52,11 @@
# combined with the last octet of the object's pkcs15 id
# to form a unique file ID.
template key-domain {
-   BSO private-key {
+   # This is a dummy entry - pkcs15-init insists that
+   # this is present
+   EF private-key {
+   file-id = ;
}
-
 EF public-key {
file-id = 3003;
structure   = transparent;
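Review bot: `file-id = ;` on the `+` side has no value as shown, so the file id that the older profile assigns to the dummy `EF private-key` cannot be read from this hunk; check it against the file on disk before copying the block. The hunk also switches `private-key` in `template key-domain` between `BSO` and `EF`, which changes the kind of object used for private keys rather than a tuning value, so it should be tested in isolation against key generation.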




-- 
---
Mike Tancsa, tel +1 519 651 3400
Sentex Communications, m...@sentex.net
Providing Internet services since 1994 www.sentex.net
Cambridge, Ontario Canada   http://www.tancsa.com/
___
opensc-devel mailing list
opensc-devel@lists.opensc-project.org
http://www.opensc-project.org/mailman/listinfo/opensc-devel


Re: [opensc-devel] Aladdin 64K 4.2B tokens and OpenSC 0.12.2 Aladdin tokens no longer working?

2011-09-16 Thread Mike Tancsa
On 9/16/2011 2:48 PM, Mike Tancsa wrote:
 
 Not sure if it's related to the fact that I cannot use the openssl
 pkcs11_engine?
 
 OpenSSL req -engine pkcs11 -new -key id_45 -keyform engine -out req.pem
 -subj /C=CA/ST=ON/L=Hespeler/O=Sentex
 Communications/OU=support/CN=mdtancsa-cage64/emailAddress=mdtancsa-cag...@sentex.ca
 engine pkcs11 set.
 Invalid slot number: 0
 PKCS11_get_private_key returned NULL
 cannot load Private Key from engine
 80187:error:26096080:engine routines:ENGINE_load_private_key:failed
 loading private
 key:/usr/src/secure/lib/libcrypto/../../../crypto/openssl/crypto/engine/eng_pkey.c:126:
 unable to load Private Key
 error in req
 OpenSSL

A little closer. At least it's prompting me for the PIN now.  With the verbose 
flag set in the engine, I get 


0(cage2)# openssl 
OpenSSL engine -t dynamic -pre SO_PATH:/usr/local/lib/engines/engine_pkcs11.so 
-pre ID:pkcs11 -pre LIST_ADD:1 -pre LOAD -pre 
MODULE_PATH:/usr/local/lib/opensc-pkcs11.so
(dynamic) Dynamic engine loading support
[Success]: SO_PATH:/usr/local/lib/engines/engine_pkcs11.so
[Success]: ID:pkcs11
[Success]: LIST_ADD:1
[Success]: LOAD
[Success]: MODULE_PATH:/usr/local/lib/opensc-pkcs11.so
Loaded: (pkcs11) pkcs11 engine
initializing engine
 [ available ]
OpenSSL req -engine pkcs11 -new -key slot_1-id_45 -keyform engine -out req.pem 
-subj /CN=mdtancsa-cage64 
 
initializing engine
engine pkcs11 set.
Looking in slot 1 for key: 45
Found 3 slots
[18446744073709551615] Virtual hotplug slot   no tok  
[1] Aladdin eToken PRO 64k login (mdtancsa-cage64 
(mdtancsa-cage64)
[5] OpenCT reader (detached)   no tok  
Found slot:  Aladdin eToken PRO 64k
Found token: mdtancsa-cage64 (mdtancsa-cage64
Found 0 certificate:
PKCS#11 token PIN: 
Found 1 key:
   1 P  Private Key
88558:error:8000A005:PKCS11 library:PKCS11_rsa_sign:General Error:p11_ops.c:131:
88558:error:0D0C3006:asn1 encoding routines:ASN1_item_sign:EVP 
lib:/usr/src/secure/lib/libcrypto/../../../crypto/openssl/crypto/asn1/a_sign.c:281:
error in req
OpenSSL 

The key generated with 12.2 looks like

Private RSA Key [Private Key]
Object Flags   : [0x3], private, modifiable
Usage  : [0x2E], decrypt, sign, signRecover, unwrap
Access Flags   : [0x1D], sensitive, alwaysSensitive, neverExtract, local
ModLength  : 2048
Key ref: 16 (0x10)
Native : yes
Path   : 3f005015
Auth ID: 01
ID : 45

Public RSA Key [Private Key]
Object Flags   : [0x2], modifiable
Usage  : [0xD1], encrypt, wrap, verify, verifyRecover
Access Flags   : [0x0]
ModLength  : 2048
Key ref: 0
Native : no
Path   : 3f0050153003
ID : 45

PIN [Security Officer PIN]
Object Flags   : [0x3], private, modifiable
ID : ff
Flags  : [0xB2], local, initialized, needs-padding, soPin
Length : min_len:6, max_len:8, stored_len:8
Pad char   : 0x00
Reference  : 1
Type   : ascii-numeric
Path   : 3f005015

PIN [mdtancsa-cage64]
Object Flags   : [0x3], private, modifiable
ID : 01
Flags  : [0x32], local, initialized, needs-padding
Length : min_len:4, max_len:8, stored_len:8
Pad char   : 0x00
Reference  : 3
Type   : ascii-numeric
Path   : 3f005015


whereas generated with 11.8,


Using reader with a card: Aladdin eToken PRO 64k
Private RSA Key [Private Key]
Com. Flags  : 3
Usage   : [0x22], decrypt, unwrap
Access Flags: [0x1D], sensitive, alwaysSensitive, neverExtract, local
ModLength   : 2048
Key ref : 16
Native  : yes
Path: 3f005015
Auth ID : 01
ID  : 45

Private RSA Key [Private Key]
Com. Flags  : 3
Usage   : [0x20C], sign, signRecover, nonRepudiation
Access Flags: [0x1D], sensitive, alwaysSensitive, neverExtract, local
ModLength   : 2048
Key ref : 17
Native  : yes
Path: 3f005015
Auth ID : 01
ID  : 45

Public RSA Key [Public Key]
Com. Flags  : 2
Usage   : [0x4], sign
Access Flags: [0x0]
ModLength   : 2048
Key ref : 0
Native  : no
Path: 3f0050153048
Auth ID : 
ID  : 45

PIN [Security Officer PIN]
Com. Flags: 0x3
ID: ff
Flags : [0xB2], local, initialized, needs-padding, soPin
Length: min_len:6, max_len:8, stored_len:8
Pad char  : 0x00
Reference : 1
Type  : ascii-numeric
Path  : 3f005015
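
The two dumps in the message above differ in how usage is spread over on-card key references: one private key with usage 0x2E under 0.12.2, two private keys (0x22 and 0x20C) under 0.11.8. The following is an added example, not part of the original post and not OpenSC code; it decodes those Usage masks and classifies each layout. The bit names are the PKCS#15 key usage flags, the sample dumps are cut down from the output quoted above, and the function names are illustrative.

```python
import re

# PKCS#15 key usage bits (assumed table; it reproduces the names printed in the dumps).
USAGE_BITS = {
    0x001: "encrypt", 0x002: "decrypt", 0x004: "sign", 0x008: "signRecover",
    0x010: "wrap", 0x020: "unwrap", 0x040: "verify", 0x080: "verifyRecover",
    0x100: "derive", 0x200: "nonRepudiation",
}
SIGNING = 0x004 | 0x008 | 0x200
DECRYPTING = 0x002 | 0x020

# Constructed samples: private-key fields taken from the two dumps in the post.
DUMP_0_12_2 = """\
Private RSA Key [Private Key]
Usage  : [0x2E], decrypt, sign, signRecover, unwrap
Key ref: 16 (0x10)
ID : 45
"""
DUMP_0_11_8 = """\
Private RSA Key [Private Key]
Usage   : [0x22], decrypt, unwrap
Key ref : 16
ID  : 45

Private RSA Key [Private Key]
Usage   : [0x20C], sign, signRecover, nonRepudiation
Key ref : 17
ID  : 45
"""

def decode_usage(mask):
    return [name for bit, name in sorted(USAGE_BITS.items()) if mask & bit]

def parse_private_keys(dump):
    keys = []
    for block in re.split(r"\n\s*\n", dump.strip()):
        if not block.startswith("Private RSA Key"):
            continue
        usage = int(re.search(r"Usage\s*:\s*\[0x([0-9A-Fa-f]+)\]", block).group(1), 16)
        ref = int(re.search(r"Key ref\s*:\s*(\d+)", block).group(1))
        key_id = re.search(r"^ID\s*:\s*(\S+)", block, re.M).group(1)
        keys.append({"id": key_id, "ref": ref, "usage": usage})
    return keys

def layout(keys):
    # "combined": one on-card key reference is used for both signing and decryption.
    if any(k["usage"] & SIGNING and k["usage"] & DECRYPTING for k in keys):
        return "combined"
    signs = any(k["usage"] & SIGNING for k in keys)
    decrypts = any(k["usage"] & DECRYPTING for k in keys)
    return "split" if signs and decrypts else "single-purpose"

if __name__ == "__main__":
    for label, dump in (("0.12.2", DUMP_0_12_2), ("0.11.8", DUMP_0_11_8)):
        keys = parse_private_keys(dump)
        print(label, layout(keys), [decode_usage(k["usage"]) for k in keys])
```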


Re: [opensc-devel] Aladdin 64K 4.2B tokens and OpenSC 0.12.2 Aladdin tokens no longer working?

2011-09-15 Thread Mike Tancsa
On 9/14/2011 10:28 PM, Mike Tancsa wrote:
 
 I have just run into the same problem on FreeBSD.  An older version
 works fine with this key below.  How do I create the debug logs to help
 narrow down this problem ?


Full logs sent directly to Martin

But things seem to go 'bad' right from the start. Doing a simple -E
gives errors like below.  Perhaps the version of openct ?

works = opensc-0.11.8,openct-0.6.16 and

fail = opensc-0.12.2,openct-0.6.20

 pkcs15-init - -E
[pkcs15-init] reader-pcsc.c:1015:pcsc_detect_readers: returning with: No
readers found
[pkcs15-init] sc.c:196:sc_detect_card_presence: called
[pkcs15-init] reader-openct.c:194:openct_reader_detect_card_presence: called
[pkcs15-init] sc.c:201:sc_detect_card_presence: returning with: 1
Using reader with a card: Aladdin eToken PRO 64k
[pkcs15-init] sc.c:196:sc_detect_card_presence: called
[pkcs15-init] reader-openct.c:194:openct_reader_detect_card_presence: called
[pkcs15-init] sc.c:201:sc_detect_card_presence: returning with: 1
Connecting to card in reader Aladdin eToken PRO 64k...
[pkcs15-init] card.c:110:sc_connect_card: called
[pkcs15-init] reader-openct.c:218:openct_reader_connect: called
[pkcs15-init] card.c:140:sc_connect_card: matching configured ATRs
[pkcs15-init] card.c:182:sc_connect_card: matching built-in ATRs
[pkcs15-init] card.c:188:sc_connect_card: trying driver: rutoken
[pkcs15-init] card-rutoken.c:129:rutoken_match_card: called
[pkcs15-init] card-rutoken.c:135:rutoken_match_card: returning with: 0
[pkcs15-init] card.c:188:sc_connect_card: trying driver: cardos
[pkcs15-init] card-cardos.c:79:cardos_match_card: checking cardos
version ...
[pkcs15-init] card.c:285:sc_lock: called
[pkcs15-init] reader-openct.c:410:openct_reader_lock: called
[pkcs15-init] card.c:312:sc_unlock: called
[pkcs15-init] reader-openct.c:437:openct_reader_unlock: called
[pkcs15-init] card-cardos.c:100:cardos_match_card: found cardos v4.2b
[pkcs15-init] card.c:196:sc_connect_card: matched: Siemens CardOS
[pkcs15-init] card.c:221:sc_connect_card: card info: CardOS M4, 1005, 0x0
[pkcs15-init] card.c:222:sc_connect_card: returning with: 0
Using card driver Siemens CardOS.
[pkcs15-init] card.c:285:sc_lock: called
[pkcs15-init] reader-openct.c:410:openct_reader_lock: called
[pkcs15-init] card.c:668:sc_card_ctl: called
[pkcs15-init] card-cardos.c:925:cardos_lifecycle_set: called
[pkcs15-init] card-cardos.c:879:cardos_lifecycle_get: called
[pkcs15-init] card.c:285:sc_lock: called
[pkcs15-init] card.c:312:sc_unlock: called
[pkcs15-init] card-cardos.c:913:cardos_lifecycle_get: returning with: 0
[pkcs15-init] card.c:678:sc_card_ctl: returning with: 0
[pkcs15-init] card.c:532:sc_select_file: called; type=2, path=3f0050154946
[pkcs15-init] card-cardos.c:431:cardos_select_file: called
[pkcs15-init] card.c:285:sc_lock: called
[pkcs15-init] card.c:312:sc_unlock: called
[pkcs15-init] card-cardos.c:259:cardos_check_sw: file not found
[pkcs15-init] iso7816.c:464:iso7816_select_file: returning with: -1201
[pkcs15-init] card-cardos.c:435:cardos_select_file: returning with: -1201
[pkcs15-init] card.c:554:sc_select_file: returning with: -1201
[pkcs15-init] profile.c:306:sc_profile_load: Using profile directory
'/usr/local/share/opensc'.
[pkcs15-init] profile.c:318:sc_profile_load: Trying profile file
/usr/local/share/opensc/pkcs15.profile
[pkcs15-init] profile.c:326:sc_profile_load: profile
/usr/local/share/opensc/pkcs15.profile loaded ok
[pkcs15-init] profile.c:306:sc_profile_load: Using profile directory
'/usr/local/share/opensc'.
[pkcs15-init] profile.c:318:sc_profile_load: Trying profile file
/usr/local/share/opensc/cardos.profile
[pkcs15-init] profile.c:326:sc_profile_load: profile
/usr/local/share/opensc/cardos.profile loaded ok
About to erase card.
[pkcs15-init] pkcs15.c:700:sc_pkcs15_bind: called
[pkcs15-init] card.c:285:sc_lock: called
[pkcs15-init] card.c:532:sc_select_file: called; type=2, path=3f002f00
[pkcs15-init] card-cardos.c:431:cardos_select_file: called
[pkcs15-init] card.c:285:sc_lock: called
[pkcs15-init] card.c:312:sc_unlock: called
[pkcs15-init] card-cardos.c:259:cardos_check_sw: file not found
[pkcs15-init] iso7816.c:464:iso7816_select_file: returning with: -1201
[pkcs15-init] card-cardos.c:435:cardos_select_file: returning with: -1201
[pkcs15-init] card.c:554:sc_select_file: returning with: -1201
[pkcs15-init] card.c:532:sc_select_file: called; type=2, path=3f005015
[pkcs15-init] card-cardos.c:431:cardos_select_file: called
[pkcs15-init] card.c:285:sc_lock: called
[pkcs15-init] card.c:312:sc_unlock: called
[pkcs15-init] card-cardos.c:259:cardos_check_sw: file not found
[pkcs15-init] iso7816.c:459:iso7816_select_file: returning with: -1201
[pkcs15-init] card-cardos.c:435:cardos_select_file: returning with: -1201
[pkcs15-init] card.c:554:sc_select_file: returning with: -1201
[pkcs15-init] card.c:532:sc_select_file: called; type=2, path=3f005031
[pkcs15-init] card-cardos.c:431:cardos_select_file: called
[pkcs15-init] card.c:285:sc_lock: called

Re: [opensc-devel] Aladdin 64K 4.2B tokens and OpenSC 0.12.2 Aladdin tokens no longer working?

2011-09-14 Thread Mike Tancsa
On 9/7/2011 3:19 AM, Martin Paljak wrote:
 Hello,
 
 On Wed, Sep 7, 2011 at 09:10, Dan Peterson drpeter...@es.net wrote:
 Could be.
 I don't think the problem is same by nature.
 
 I have or can create debug logs if anyone is interested.
 I am looking into if this happens on the MAC code base as well, I think it
 does but I am not sure
 
 I think it will behave the same. Please provide the logs for success
 (0.11) and failure(0.12) as well if possible.

I have just run into the same problem on FreeBSD.  An older version
works fine with this key below.  How do I create the debug logs to help
narrow down this problem ?


# cardos-tool -i
Using reader with a card: Aladdin eToken PRO 64k
3b:f2:18:00:02:c1:0a:31:fe:58:c8:09:75
Info : CardOS V4.2B (C) Siemens AG 1994-2005
Chip type: 124
Serial number: 28 47 7f 11 0b 18
Full prom dump:
33 66 00 22 9A 9A 9A 9A 7C FF 28 47 7F 11 0B 18 3f.|.(G
00 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 
OS Version: 200.9 (that's CardOS M4.2B)
Current life cycle: 32 (administration)
Security Status of current DF:
Free memory : 128
ATR Status: 0x0 ROM-ATR
Packages installed:
Ram size: 4, Eeprom size: 64, cpu type: 66, chip config: 63
Free eeprom memory: 48845
System keys: PackageLoadKey (version 0xfe, retries 10)
System keys: StartKey (version 0xff, retries 10)
Path to current DF:


-- 
---
Mike Tancsa, tel +1 519 651 3400
Sentex Communications, m...@sentex.net
Providing Internet services since 1994 www.sentex.net
Cambridge, Ontario Canada   http://www.tancsa.com/


Re: [opensc-devel] Aladdin 64K 4.2B tokens and OpenSC 0.12.2 Aladdin tokens no longer working?

2011-09-07 Thread Dan Peterson
Could be.
I have or can create debug logs if anyone is interested. 
I am looking into if this happens on the MAC code base as well, I think it
does but I am not sure
Once I init the token with the older 11.3 code then I can do some things
from the 12.2 release and the token.
--
Dan

-Original Message-
From: Thomas De Reyck [mailto:tho...@dereyck.eu] 
Sent: Tuesday, September 06, 2011 1:48 PM
To: drpeter...@es.net
Cc: opensc-devel@lists.opensc-project.org
Subject: Re: [opensc-devel] Aladdin 64K 4.2B tokens and OpenSC 0.12.2
Aladdin tokens no longer working?

Hello,

This seems very similar to what I was experiencing with my SmartCafe cards,
however, I haven't found a solution yet either. Perhaps the card detection
is broken for more than one card?

Kind regards,
Thomas

On 6-sep.-2011, at 18:54, Dan Peterson wrote:

 
 I have not been able to get this message to get posted to the users 
 list so I thought I might post it here.
 Sorry if I am double posting
 
 - -
 
 I have been using the Aladdin eTokens for some time now 2-3 yrs.
 I have an older version of opensc (files are dated March 4th 2010) 
 installed on a windows 7 system and it works great I am doing things like:
 
 I recently installed the latest opensc for windows 0.12.2. However, I 
 am not able to create a pkcs15 container anymore (possibly other 
 things as well but I have not gotten there yet.)
 
 With the 0.12.2 code when I do:
 C:\Program Files\OpenSC Project\OpenSC\tools>pkcs15-init --create-pkcs15 --use-default-transport-key
 Using reader with a card: AKS ifdh 0
 Failed to read PIN: Not supported
 Failed to create PKCS #15 meta structure: Generic PKCS#15 initialization error
 
 C:\Program Files\OpenSC Project\OpenSC\tools>
 
 With 0.11.3 code:
 C:\Apps\opensc\bin>pkcs15-init --create-pkcs15 --use-default-transport-key
 Using reader with a card: AKS ifdh 0
 New Security Officer PIN (Optional - press return for no PIN).
 Please enter Security Officer PIN:
 Please type again to verify:
 Unblock Code for New User PIN (Optional - press return for no PIN).
 Please enter User unblocking PIN (PUK):
 Please type again to verify:
 
 C:\Apps\opensc\bin>
 
 
 





Re: [opensc-devel] Aladdin 64K 4.2B tokens and OpenSC 0.12.2 Aladdin tokens no longer working?

2011-09-07 Thread Martin Paljak
Hello,

On Wed, Sep 7, 2011 at 09:10, Dan Peterson drpeter...@es.net wrote:
 Could be.
I don't think the problem is same by nature.

 I have or can create debug logs if anyone is interested.
 I am looking into if this happens on the MAC code base as well, I think it
 does but I am not sure

I think it will behave the same. Please provide the logs for success
(0.11) and failure(0.12) as well if possible.

Best,
Martin

Re: [opensc-devel] Aladdin 64K 4.2B tokens and OpenSC 0.12.2 Aladdin tokens no longer working?

2011-09-06 Thread Thomas De Reyck
Hello,

This seems very similar to what I was experiencing with my SmartCafe cards, 
however, I haven't found a solution yet either… Perhaps the card detection is 
broken for more than one card?

Kind regards,
Thomas

On 6-sep.-2011, at 18:54, Dan Peterson wrote:

 
 I have not been able to get this message to get posted to the users list so
 I thought I might post it here.
 Sorry if I am double posting
 
 - -
 
 I have been using the Aladdin eTokens for some time now 2-3 yrs.
 I have an older version of opensc (files are dated March 4th 2010) installed
 on a windows 7 system and it works great I am doing things like:
 
 I recently installed the latest opensc for windows 0.12.2. However, I am not
 able to create a pkcs15 container anymore (possibly other things as well but
 I have not gotten there yet.)
 
 With the 0.12.2 code when I do:
 C:\Program Files\OpenSC Project\OpenSC\tools>pkcs15-init --create-pkcs15 --use-default-transport-key
 Using reader with a card: AKS ifdh 0
 Failed to read PIN: Not supported
 Failed to create PKCS #15 meta structure: Generic PKCS#15 initialization error
 
 C:\Program Files\OpenSC Project\OpenSC\tools>
 
 With 0.11.3 code:
 C:\Apps\opensc\bin>pkcs15-init --create-pkcs15 --use-default-transport-key
 Using reader with a card: AKS ifdh 0
 New Security Officer PIN (Optional - press return for no PIN).
 Please enter Security Officer PIN:
 Please type again to verify:
 Unblock Code for New User PIN (Optional - press return for no PIN).
 Please enter User unblocking PIN (PUK):
 Please type again to verify:
 
 C:\Apps\opensc\bin>
 
 
 
