[opensc-devel] Difference between pkcs15-init/pkcs11-tool generate key.

I am trying to use pkcs11-tool more, since I guess PKCS#11 will be the standard way to use OpenSC, and I can't generate a key with PKCS#11. I notice that pkcs15-init calls 'sc_pkcs15init_set_callbacks' and pkcs11-tool does not, which is why do_get_and_verify_secret fails later.

Does someone use pkcs11-tool to generate key pairs on cards without an SO PIN, and does it work?

François.

___
opensc-devel mailing list
opensc-devel@lists.opensc-project.org
http://www.opensc-project.org/mailman/listinfo/opensc-devel
Re: [opensc-devel] Difference between pkcs15-init/pkcs11-tool generate key.

Hi!

I have the same issue with the 0.11.11 version; I just traced the problem to the same place. Any ideas what is wrong?

Regards,
Toni

-----Original Message-----
From: François Leblanc

> I am trying to use pkcs11-tool more, since I guess PKCS#11 will be the standard way to use OpenSC, and I can't generate a key with PKCS#11. I notice that pkcs15-init calls 'sc_pkcs15init_set_callbacks' and pkcs11-tool does not, which is why do_get_and_verify_secret fails later.
>
> Does someone use pkcs11-tool to generate key pairs on cards without an SO PIN, and does it work?
>
> François.
Re: [opensc-devel] Difference between pkcs15-init/pkcs11-tool generate key.

Hmm, my first idea is to add 'sc_pkcs15init_set_callbacks' somewhere in opensc-pkcs11.dll (in framework-pkcs15.c, for example)... but since I'm not a PKCS#11 specialist I'd rather wait for the opinion of someone who knows what he is doing. So for the moment I hope a PKCS#11 expert will have a look.

'pkcs15-init' provides its own function to get the PIN and asks for the PIN when necessary; for opensc-pkcs11 the PIN is given by the application, so we can't provide a function to ask for the PIN. I think we can cache the PIN at login and call 'sc_pkcs15init_set_callbacks' to set functions to retrieve the PIN back, but what about security and the SO PIN...

François.

-----Original Message-----
From: Aventra development [mailto:developm...@aventra.fi]
Sent: Wednesday, 18 November 2009 15:13
To: 'opensc-devel (opensc-devel)'
Cc: François Leblanc
Subject: RE: [opensc-devel] Difference between pkcs15-init/pkcs11-tool generate key.

> Hi!
>
> I have the same issue with the 0.11.11 version; I just traced the problem to the same place. Any ideas what is wrong?
>
> Regards,
> Toni
Re: [opensc-devel] Difference between pkcs15-init/pkcs11-tool generate key.

On 18.11.2009, at 16:53, François Leblanc wrote:

> Hmm, my first idea is to add 'sc_pkcs15init_set_callbacks' somewhere in opensc-pkcs11.dll (in framework-pkcs15.c, for example)... but since I'm not a PKCS#11 specialist I'd rather wait for the opinion of someone who knows what he is doing. So for the moment I hope a PKCS#11 expert will have a look.

For the trunk branch, I don't know if the comment to changeset 3784 is OK:
https://www.opensc-project.org/opensc/changeset/3784
This can't affect 0.11.

> 'pkcs15-init' provides its own function to get the PIN and asks for the PIN when necessary; for opensc-pkcs11 the PIN is given by the application, so we can't provide a function to ask for the PIN. I think we can cache the PIN at login and call 'sc_pkcs15init_set_callbacks' to set functions to retrieve the PIN back, but what about security and the SO PIN...

There are two targets:

1. If a PIN is entered via software, cache it in a single location, usable by all layers above libopensc by the same mechanism.
2. Allow personalizing a card with all PINs going through a pinpad.

1. is possible, but 2. via PKCS#11 might be a problem, if a card requires a PIN several times for a single operation...

--
Martin Paljak
http://martin.paljak.pri.ee
+372.515.6495
Re: [opensc-devel] Difference between pkcs15-init/pkcs11-tool generate key.

Martin Paljak wrote:

> On 18.11.2009, at 16:53, François Leblanc wrote:
>
>> Hmm, my first idea is to add 'sc_pkcs15init_set_callbacks' somewhere in opensc-pkcs11.dll (in framework-pkcs15.c, for example)... but since I'm not a PKCS#11 specialist I'd rather wait for the opinion of someone who knows what he is doing. So for the moment I hope a PKCS#11 expert will have a look.
>
> For the trunk branch, I don't know if the comment to changeset 3784 is OK:
> https://www.opensc-project.org/opensc/changeset/3784
> This can't affect 0.11.
>
>> 'pkcs15-init' provides its own function to get the PIN and asks for the PIN when necessary; for opensc-pkcs11 the PIN is given by the application, so we can't provide a function to ask for the PIN. I think we can cache the PIN at login and call 'sc_pkcs15init_set_callbacks' to set functions to retrieve the PIN back, but what about security and the SO PIN...
>
> There are two targets:
>
> 1. If a PIN is entered via software, cache it in a single location, usable by all layers above libopensc by the same mechanism.
> 2. Allow personalizing a card with all PINs going through a pinpad.
>
> 1. is possible, but 2. via PKCS#11 might be a problem, if a card requires a PIN several times for a single operation...

Actually:

- C_Login() caches the PIN in one of the p15card->pin_cache[] entries;
- sc_pkcs15init_authenticate() (in fact do_get_and_verify_secret()) does not look for the PIN in this cache, but in a global cache (static 'secret *' and 'named_pin' in keycache.c).

What is the reason for the co-existence of these two caches?

Maybe sc_pkcs15init_authenticate() should look for the PIN in p15card->pin_cache[] also? IMHO, at least, it will solve the problem for 'target 1.', and will not change the situation for 'target 2.'.

--
Viktor Tarasov
viktor.tara...@opentrust.com
Re: [opensc-devel] Difference between pkcs15-init/pkcs11-tool generate key.

>> There are two targets:
>>
>> 1. If a PIN is entered via software, cache it in a single location, usable by all layers above libopensc by the same mechanism.
>> 2. Allow personalizing a card with all PINs going through a pinpad.
>>
>> 1. is possible, but 2. via PKCS#11 might be a problem, if a card requires a PIN several times for a single operation...
>
> Actually:
>
> - C_Login() caches the PIN in one of the p15card->pin_cache[] entries;
> - sc_pkcs15init_authenticate() (in fact do_get_and_verify_secret()) does not look for the PIN in this cache, but in a global cache (static 'secret *' and 'named_pin' in keycache.c).
>
> What is the reason for the co-existence of these two caches?
>
> Maybe sc_pkcs15init_authenticate() should look for the PIN in p15card->pin_cache[] also? IMHO, at least, it will solve the problem for 'target 1.', and will not change the situation for 'target 2.'.

I've seen in the docs:

"If the token has a protected authentication path, as indicated by the CKF_PROTECTED_AUTHENTICATION_PATH flag in its CK_TOKEN_INFO being set, then that means that there is some way for a user to be authenticated to the token without having the application send a PIN through the Cryptoki library. One such possibility is that the user enters a PIN on a PINpad on the token itself, or on the slot device. Or the user might not even use a PIN; authentication could be achieved by some fingerprint-reading device, for example. To log into a token with a protected authentication path, the pPin parameter to C_Login should be NULL_PTR. When C_Login returns, whatever authentication method supported by the token will have been performed; a return value of CKR_OK means that the user was successfully authenticated, and a return value of CKR_PIN_INCORRECT means that the user was denied access."

For target 2 it will be OK, once CKF_PROTECTED_AUTHENTICATION_PATH is provided for pinpad readers. So for targets 1 and 2 we can call 'sc_pkcs15init_set_callbacks' and give it a function which returns the p15card->pin_cache[] value if not null, asks on the pinpad if it's a pinpad reader, and returns an error otherwise.

What do you think?

François.
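The C_Login rule from the spec text quoted in this message, written out as an added example (it is not OpenSC code and not part of the thread). The types and constants are a hand-rolled subset of pkcs11.h with the standard values, and CK_FUNCTION_LIST is cut down to the two entry points used, which is an assumption for illustration; a real application includes pkcs11.h and gets the list from C_GetFunctionList. The token is a constructed mock so the login path can be exercised with and without CKF_PROTECTED_AUTHENTICATION_PATH: on the protected path the application passes NULL_PTR and never sees the PIN, on the software path it must supply one.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hand-rolled subset of the PKCS#11 types and constants used below. A real
 * application includes pkcs11.h instead; the numeric values match the
 * standard. This CK_FUNCTION_LIST carries only the two entry points the
 * example needs (an assumption for illustration, not the real structure). */
typedef unsigned long CK_ULONG;
typedef CK_ULONG CK_FLAGS, CK_RV, CK_SLOT_ID, CK_SESSION_HANDLE, CK_USER_TYPE;
typedef unsigned char *CK_UTF8CHAR_PTR;
#define NULL_PTR NULL
#define CKF_PROTECTED_AUTHENTICATION_PATH 0x00000100UL
#define CKU_USER          1UL
#define CKR_OK            0x00UL
#define CKR_ARGUMENTS_BAD 0x07UL
#define CKR_PIN_INCORRECT 0xA0UL

typedef struct { CK_FLAGS flags; } CK_TOKEN_INFO;   /* only the field used */
typedef struct {
    CK_RV (*C_GetTokenInfo)(CK_SLOT_ID, CK_TOKEN_INFO *);
    CK_RV (*C_Login)(CK_SESSION_HANDLE, CK_USER_TYPE, CK_UTF8CHAR_PTR, CK_ULONG);
} CK_FUNCTION_LIST;

static int last_used_pinpad;   /* 1 if the last login went via the pinpad */

/* Log the user in as the quoted spec text requires: when the token advertises
 * CKF_PROTECTED_AUTHENTICATION_PATH, pass NULL_PTR and let the pinpad collect
 * the PIN; otherwise the application must supply the PIN itself. */
CK_RV login_user(const CK_FUNCTION_LIST *p11, CK_SLOT_ID slot,
                 CK_SESSION_HANDLE session, const char *pin)
{
    CK_TOKEN_INFO info;
    CK_RV rv = p11->C_GetTokenInfo(slot, &info);
    if (rv != CKR_OK)
        return rv;
    if (info.flags & CKF_PROTECTED_AUTHENTICATION_PATH) {
        last_used_pinpad = 1;
        return p11->C_Login(session, CKU_USER, NULL_PTR, 0);
    }
    last_used_pinpad = 0;
    if (pin == NULL || *pin == '\0')
        return CKR_ARGUMENTS_BAD;      /* software path, but no PIN to send */
    return p11->C_Login(session, CKU_USER, (CK_UTF8CHAR_PTR)pin, strlen(pin));
}

/* ---- Constructed mock token so the example runs without a card ---- */
static CK_FLAGS mock_flags;                 /* token flags to report          */
static CK_RV    mock_pinpad_rv = CKR_OK;    /* what the "pinpad" entry yields */
static const char MOCK_PIN[] = "1234";      /* constructed test PIN           */

static CK_RV mock_get_token_info(CK_SLOT_ID slot, CK_TOKEN_INFO *info)
{
    (void)slot;
    info->flags = mock_flags;
    return CKR_OK;
}

static CK_RV mock_login(CK_SESSION_HANDLE s, CK_USER_TYPE u,
                        CK_UTF8CHAR_PTR pin, CK_ULONG len)
{
    (void)s; (void)u;
    if (pin == NULL_PTR) {
        /* A NULL PIN is only meaningful on a protected authentication path. */
        if (!(mock_flags & CKF_PROTECTED_AUTHENTICATION_PATH))
            return CKR_ARGUMENTS_BAD;
        return mock_pinpad_rv;        /* outcome of the user's pinpad entry */
    }
    if (len == strlen(MOCK_PIN) && memcmp(pin, MOCK_PIN, len) == 0)
        return CKR_OK;
    return CKR_PIN_INCORRECT;
}

static const CK_FUNCTION_LIST mock_p11 = { mock_get_token_info, mock_login };

/* Scenario helpers: a software-PIN token and a pinpad token. */
CK_RV try_software_login(const char *pin)
{
    mock_flags = 0;
    return login_user(&mock_p11, 0, 1, pin);
}

CK_RV try_pinpad_login(CK_RV pinpad_outcome)
{
    mock_flags = CKF_PROTECTED_AUTHENTICATION_PATH;
    mock_pinpad_rv = pinpad_outcome;
    /* The PIN passed here must be ignored: it never leaves the application. */
    return login_user(&mock_p11, 0, 1, "1234");
}

int used_pinpad(void) { return last_used_pinpad; }

int main(void)
{
    printf("software, good PIN : 0x%02lx\n", try_software_login("1234"));
    printf("software, bad PIN  : 0x%02lx\n", try_software_login("0000"));
    printf("software, no PIN   : 0x%02lx\n", try_software_login(NULL));
    printf("pinpad, user OK    : 0x%02lx (pinpad=%d)\n",
           try_pinpad_login(CKR_OK), used_pinpad());
    printf("pinpad, user denied: 0x%02lx\n", try_pinpad_login(CKR_PIN_INCORRECT));
    return 0;
}
```

The point for the thread: whatever callback opensc-pkcs11 hands to 'sc_pkcs15init_set_callbacks', it can only return a cached PIN when the login went through the software path; on a pinpad token the application never held the PIN, so the callback has nothing to return and the card layer has to drive the pinpad itself.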
Re: [opensc-devel] Difference between pkcs15-init/pkcs11-tool generate key.

François Leblanc wrote:

>>> There are two targets:
>>>
>>> 1. If a PIN is entered via software, cache it in a single location, usable by all layers above libopensc by the same mechanism.
>>> 2. Allow personalizing a card with all PINs going through a pinpad.
>>>
>>> 1. is possible, but 2. via PKCS#11 might be a problem, if a card requires a PIN several times for a single operation...
>>
>> Actually:
>>
>> - C_Login() caches the PIN in one of the p15card->pin_cache[] entries;
>> - sc_pkcs15init_authenticate() (in fact do_get_and_verify_secret()) does not look for the PIN in this cache, but in a global cache (static 'secret *' and 'named_pin' in keycache.c).
>>
>> What is the reason for the co-existence of these two caches?
>>
>> Maybe sc_pkcs15init_authenticate() should look for the PIN in p15card->pin_cache[] also? IMHO, at least, it will solve the problem for 'target 1.', and will not change the situation for 'target 2.'.
>
> I've seen in the docs:
>
> "If the token has a protected authentication path, as indicated by the CKF_PROTECTED_AUTHENTICATION_PATH flag in its CK_TOKEN_INFO being set, then that means that there is some way for a user to be authenticated to the token without having the application send a PIN through the Cryptoki library. One such possibility is that the user enters a PIN on a PINpad on the token itself, or on the slot device. Or the user might not even use a PIN; authentication could be achieved by some fingerprint-reading device, for example. To log into a token with a protected authentication path, the pPin parameter to C_Login should be NULL_PTR. When C_Login returns, whatever authentication method supported by the token will have been performed; a return value of CKR_OK means that the user was successfully authenticated, and a return value of CKR_PIN_INCORRECT means that the user was denied access."
>
> For target 2 it will be OK, once CKF_PROTECTED_AUTHENTICATION_PATH is provided for pinpad readers. So for targets 1 and 2 we can call 'sc_pkcs15init_set_callbacks' and give it a function which returns the p15card->pin_cache[] value if not null, asks on the pinpad if it's a pinpad reader, and returns an error otherwise.
>
> What do you think?
>
> François.

I have no answer; I have not tried to use a pinpad with the current OpenSC version.

In my 'local OpenSC' I modified do_get_and_verify_secret() to not return an error if no PIN value was obtained (from cache or callback) and CKF_PROTECTED_AUTHENTICATION_PATH is set. Then the PIN-pad is managed at the libopensc card-specific level. I don't know if it's generally acceptable.

Viktor.