subject:"\[opensc\-devel\] new releases before xmas\?"

Re: [opensc-devel] new releases before xmas?

2008-12-19 Thread Pavel Volkovitskiy

Andreas Jellinghaus wrote:
 Hi,

 maybe I can find some time to at least put out some new releases
 of everything (that has changes). is this a good idea?

 are there any patches waiting for a merge?
 and show-stopper bugs we should fix before (or patched to undo
 if they don't work ok right now)? 
   
I tried to compile latest bits from svn and check how it works with rutoken

i get
error: PKCS11 function C_CreateObject failed: rv = 
CKR_ATTRIBUTE_VALUE_INVALID (0x13)
then i tried to write back signed cert

steps:

1) format card
$ pkcs15-init -E -p rutoken
Using reader with a card: ruToken driver

2) generate key pair
$ pkcs11-tool --keypairgen --key-type rsa:2048 --login --label user --id 1
Please enter User 
PIN:
Key pair 
generated:  
  

Private Key Object; 
RSA   
  label:  
user 

  ID: 
01   

  Usage:  decrypt, sign, 
unwrap   
Public Key Object; RSA 2048 
bits  
  label:  
user 

  ID: 
01   

  Usage:  encrypt, verify, wrap

3) generate csr and sign it
$ openssl req -engine pkcs11 -keyform engine -key 1 -new -text -out 
newcert.csr -subj /CN=User
engine pkcs11 
set.
   

PKCS#11 token PIN:

$ openssl x509 -req -days 365 -in newcert.csr -CA ca.crt -CAkey ca.key 
-set_serial 01 -out newcert.crt
Signature 
ok  
   

subject=/CN=User
 

Getting CA Private 
Key 
  


$ openssl x509 -in newcert.crt -outform der -out newcert.der

4) try to write it back
$ pkcs11-tool -w newcert.der --type cert --login --label user --id 1
Please enter User 
PIN:  
error: PKCS11 function C_CreateObject failed: rv = 
CKR_ATTRIBUTE_VALUE_INVALID (0x13)

Aborting.

last step with debug output:
[opensc-pkcs11] pkcs11-object.c:43:C_CreateObject: C_CreateObject(): 
CKA_TOKEN = TRUE
[opensc-pkcs11] pkcs11-object.c:43:C_CreateObject: C_CreateObject(): 
CKA_VALUE = 308203DA308201C2020101300D06092A864886F70D01010505003057310B3009
[opensc-pkcs11] pkcs11-object.c:43:C_CreateObject: C_CreateObject(): 
CKA_CLASS = CKO_CERTIFICATE
[opensc-pkcs11] pkcs11-object.c:43:C_CreateObject: C_CreateObject(): 
CKA_CERTIFICATE_TYPE = CKC_X_509
[opensc-pkcs11] pkcs11-object.c:43:C_CreateObject: C_CreateObject(): 
CKA_LABEL = user
[opensc-pkcs11] pkcs11-object.c:43:C_CreateObject: C_CreateObject(): 
CKA_ID = 01
[opensc-pkcs11] pkcs11-object.c:43:C_CreateObject: C_CreateObject(): 
CKA_SUBJECT = 300F310D300B0603550403130455736572
[opensc-pkcs11] pkcs11-object.c:43:C_CreateObject: C_CreateObject(): 
CKA_ISSUER = 
3057310B3009060355040613025255311330110603550408130A536F6D652D53
[opensc-pkcs11] pkcs11-object.c:43:C_CreateObject: C_CreateObject(): 
CKA_SERIAL_NUMBER = 020101
[opensc-pkcs11] card.c:285:sc_lock: called
[opensc-pkcs11] reader-openct.c:420:openct_reader_lock: called
[opensc-pkcs11] card.c:668:sc_card_ctl: called
[opensc-pkcs11] card-rutoken.c:1389:rutoken_card_ctl: called
[opensc-pkcs11] card-rutoken.c:1435:rutoken_card_ctl: 
SC_CARDCTL_LIFECYCLE_SET not supported
[opensc-pkcs11] card-rutoken.c:1436:rutoken_card_ctl: returning 
SC_ERROR_NOT_SUPPORTED
[opensc-pkcs11] card.c:675:sc_card_ctl: card_ctl(4) not supported
[opensc-pkcs11] card.c:532:sc_select_file: called; type=2, path=3f0050154946
[opensc-pkcs11] card-rutoken.c:383:rutoken_select_file: called
[opensc-pkcs11] card-rutoken.c:391:rutoken_select_file:
path =  3f 00 50 15 49 46
type = 2
[opensc-pkcs11] apdu.c:516:sc_transmit_apdu: called
[opensc-pkcs11] card.c:285:sc_lock: called
[opensc-pkcs11] card.c:312:sc_unlock: called
[opensc-pkcs11] card-rutoken.c:220:rutoken_check_sw: File (DO) not found
[opensc-pkcs11] card-rutoken.c:221:rutoken_check_sw: sw1 = 6a, sw2 = 82
[opensc-pkcs11] card-rutoken.c:469:rutoken_select_file: returning with: 
-1201
[opensc-pkcs11] card.c:554:sc_select_file: returning with: -1201
[opensc-pkcs11] profile.c:317:sc_profile_load: Trying profile file 
/usr/share/opensc/pkcs15.profile
[opensc-pkcs11] profile.c:325:sc_profile_load: profile 
/usr/share/opensc/pkcs15.profile loaded ok
[opensc-pkcs11]

Re: [opensc-devel] new releases before xmas?

2008-12-19 Thread Andreas Jellinghaus

Hi Pavel,

can you check with the rutoken authors?
not sure if they follow this mailing list.
I neither have a token nor documentation (nor time right now),
so I can't be of any help.

rutoken is a new driver, so if it is not working 100% so far,
that is not a show stopper for the next release. but of course
it would be much better, if it worked.

 *  card-rutoken.c: Support for Rutoken cards
 *
 * Copyright (C) 2007  Pavel Mironchik ruto...@rutoken.ru
 * Copyright (C) 2007  Eugene Hermann ruto...@rutoken.ru

I hope they can help!

Regards, Andreas
___
opensc-devel mailing list
opensc-devel@lists.opensc-project.org
http://www.opensc-project.org/mailman/listinfo/opensc-devel

Re: [opensc-devel] new releases before xmas?

2008-12-19 Thread Aktiv Co. Aleksey Samsonov


  not sure if they follow this mailing list.

pkcs11-tool for Rutoken S is not yet supported (have problems).
pkcs15-tool is supported (almost all options).


Andreas Jellinghaus:
 Hi Pavel,
 
 can you check with the rutoken authors?
 not sure if they follow this mailing list.
 I neither have a token nor documentation (nor time right now),
 so I can't be of any help.
 
 rutoken is a new driver, so if it is not working 100% so far,
 that is not a show stopper for the next release. but of course
 it would be much better, if it worked.
 
  *  card-rutoken.c: Support for Rutoken cards
  *
  * Copyright (C) 2007  Pavel Mironchik ruto...@rutoken.ru
  * Copyright (C) 2007  Eugene Hermann ruto...@rutoken.ru
 
 I hope they can help!
 
 Regards, Andreas
 ___
 opensc-devel mailing list
 opensc-devel@lists.opensc-project.org
 http://www.opensc-project.org/mailman/listinfo/opensc-devel
 

___
opensc-devel mailing list
opensc-devel@lists.opensc-project.org
http://www.opensc-project.org/mailman/listinfo/opensc-devel

[opensc-devel] new releases before xmas?

2008-12-17 Thread Andreas Jellinghaus

Hi,

maybe I can find some time to at least put out some new releases
of everything (that has changes). is this a good idea?

are there any patches waiting for a merge?
and show-stopper bugs we should fix before (or patched to undo
if they don't work ok right now)? 

alon, can you check if trunk is building ok with mingw? thanks.

Regards, Andreas
___
opensc-devel mailing list
opensc-devel@lists.opensc-project.org
http://www.opensc-project.org/mailman/listinfo/opensc-devel

Re: [opensc-devel] new releases before xmas?

2008-12-17 Thread Andreas Jellinghaus

Am Mittwoch, 17. Dezember 2008 20:20:17 schrieb Alon Bar-Lev:
 Windows (32bit, 64bit) build is OK.

 As we discussed in the mailing list, I don't like the new addition
 martin added to pkcs11-tool, adding new standalone option
 --list-token-slots instead of modifier to --list-slots... No blocker,
 but change in interface of tools should be considered as static.

I have no opinion on this. Whatever code looks cleaner might be
a nice way to decide this?

 And there is the data object issue, which I think is a major security issue

1.) can someone check all profiles if this affects all cards?
2.) is this change in flex.profile good enought to fix new cryptoflex cards?
3.) is there a way we can fix old cryptoflex cards?

if 1) is not true, we need to fix the other cards as well.
it would be perfect if we could create a test procedure, and
ask each card maintainer to verify that. (e.g. initialize, store
data object with --private, find out the filename, use opensc-explorer
to read the card without entering a pin - if it works, there is a problem).

if that is the correct test procedure, we can use it to check 2.).

I have no clue about 3.). maybe a new option for some tool and a few lines
of code to read the ACL, and tell is wrong, insecure, then ask for the PIN,
verify it, and change the ACL. well in theory, don't know such code well...

also I wonder: is there any reason why the old situation is sane?
I would think if there is a pin, all data on every card is write-protected
by that pin (the only question is: user pin or SO pin?). and read should
be either public (for public object) or private (for private objects).

hmm, wait... what is the use for the 4600 directory? is it used for public
and private data objects, or for private data objects only? the later
would be ok - an embarrassing security bug, but easy to fix.  but if
we use the same directory for both types of data objects we have a problem:
that won't work with directory ACL only.

if the later:
a) can we change the system and have two separate directories?
that would be nice long term, but make it hard or impossible to
fix the situation for existing cards.
b) if we need to store those objects in the same directory,
but our implementation allows only directory level ACLs
(if we only used them so far, a change would affect each driver),
then we should dodge the bullet for now, and disable private
data objects (both in tools and pkcs#11), till we can properly
implement them.

in any case, we need to know what our situation exactly is.
I don't know cryptoflex well, don't know pkcs#15 well,
have no clue about the other drivers (only minor clue about
cardos and nothing else), don't know enough about opensc internals.
so please everyone help in getting a clear description about the
situation.

then we should
 - try to fix it for new cards
 - try to fix old cards with a tool if it is possible
 - create a patch containing these changes
 - write a security advisory with our analysis of the situations
   and the fixes
 - find people to proofread it and spell check it
 - create a new release
 - create new windows build and sca releases
 - publish the security advisory pointing to the new release and the patch
 - contact distributions, so they can update the binary packages for linux

did I forget something? any suggestions for a different procedure?

ugh. some work ahead. lots of work if we want to get this done before
xmas. ouch.

is my analysis and plan ok? as you can see, I need a lot of help with code
and analysis of our situation and the changes needed. I can try to help
by testing some cards I have and if someone posts the APDUs needed to fix
it, I can try writing some code doing that (but I have no clue about our
pin handling stuff, hope that isn't too hard). also I can create a release
and test etc. can you help with some of the items, so we can work together
to fix it?

thanks for your help everyone!

Regards, Andreas
___
opensc-devel mailing list
opensc-devel@lists.opensc-project.org
http://www.opensc-project.org/mailman/listinfo/opensc-devel

Re: [opensc-devel] new releases before xmas?

2008-12-17 Thread Alon Bar-Lev

On 12/17/08, Andreas Jellinghaus a...@dungeon.inka.de wrote:
   As we discussed in the mailing list, I don't like the new addition
   martin added to pkcs11-tool, adding new standalone option
   --list-token-slots instead of modifier to --list-slots... No blocker,
   but change in interface of tools should be considered as static.

 I have no opinion on this. Whatever code looks cleaner might be
  a nice way to decide this?

Well.. Apparently I am the only one with opinion... so I redraw.

   And there is the data object issue, which I think is a major security issue

 1.) can someone check all profiles if this affects all cards?

Except of oberthur.profile all profiles has one way or another:
EF data {
ACL = READ=NONE.*;
}

So it affects all the cards, I don't fully understand the oberthur...

  2.) is this change in flex.profile good enought to fix new cryptoflex cards?

If I understand correctly, this change will make all data objects
private. We do not want this. We want to support public and private
data objects.


snip

  in any case, we need to know what our situation exactly is.
  I don't know cryptoflex well, don't know pkcs#15 well,
  have no clue about the other drivers (only minor clue about
  cardos and nothing else), don't know enough about opensc internals.
  so please everyone help in getting a clear description about the
  situation.

My either... :(
I thought I will be able to invest some time to investigate this in
the near future.
But we need someone who knows PKCS#15 good enough to decide.

  then we should
   - try to fix it for new cards
   - try to fix old cards with a tool if it is possible
   - create a patch containing these changes
   - write a security advisory with our analysis of the situations
and the fixes

Well... is there any active PKCS#15 developer left in OpenSC domain?

   - find people to proofread it and spell check it

This I can do... :)
I have the same issue with asepcos.

   - create a new release
   - create new windows build and sca releases
   - publish the security advisory pointing to the new release and the patch
   - contact distributions, so they can update the binary packages for linux

The above is simple enough... :)

Thanks!
Alon.
___
opensc-devel mailing list
opensc-devel@lists.opensc-project.org
http://www.opensc-project.org/mailman/listinfo/opensc-devel

Re: [opensc-devel] new releases before xmas?

2008-12-17 Thread Martin Paljak

Hi.

I have a bunch of other code changes waiting to be sent for comments/ 
commiting before beginning of january but I've been pre-occupied with  
my 1st son who arrived (a bit early) a week ago, so the work has to  
wait a bit yet there is a deadline of 2nd of January.

The list-token thing of course should be reduced to -T only, which  
affects the related C_GetSlotList parameter (for all calls)

m.


On 17.12.2008, at 22:05, Andreas Jellinghaus wrote:

 Am Mittwoch, 17. Dezember 2008 20:20:17 schrieb Alon Bar-Lev:
 Windows (32bit, 64bit) build is OK.

 As we discussed in the mailing list, I don't like the new addition
 martin added to pkcs11-tool, adding new standalone option
 --list-token-slots instead of modifier to --list-slots... No blocker,
 but change in interface of tools should be considered as static.

 I have no opinion on this. Whatever code looks cleaner might be
 a nice way to decide this?

 And there is the data object issue, which I think is a major  
 security issue

 1.) can someone check all profiles if this affects all cards?
 2.) is this change in flex.profile good enought to fix new  
 cryptoflex cards?
 3.) is there a way we can fix old cryptoflex cards?

 if 1) is not true, we need to fix the other cards as well.
 it would be perfect if we could create a test procedure, and
 ask each card maintainer to verify that. (e.g. initialize, store
 data object with --private, find out the filename, use opensc-explorer
 to read the card without entering a pin - if it works, there is a  
 problem).

 if that is the correct test procedure, we can use it to check 2.).

 I have no clue about 3.). maybe a new option for some tool and a few  
 lines
 of code to read the ACL, and tell is wrong, insecure, then ask for  
 the PIN,
 verify it, and change the ACL. well in theory, don't know such code  
 well...

 also I wonder: is there any reason why the old situation is sane?
 I would think if there is a pin, all data on every card is write- 
 protected
 by that pin (the only question is: user pin or SO pin?). and read  
 should
 be either public (for public object) or private (for private objects).

 hmm, wait... what is the use for the 4600 directory? is it used for  
 public
 and private data objects, or for private data objects only? the later
 would be ok - an embarrassing security bug, but easy to fix.  but if
 we use the same directory for both types of data objects we have a  
 problem:
 that won't work with directory ACL only.

 if the later:
 a) can we change the system and have two separate directories?
 that would be nice long term, but make it hard or impossible to
 fix the situation for existing cards.
 b) if we need to store those objects in the same directory,
 but our implementation allows only directory level ACLs
 (if we only used them so far, a change would affect each driver),
 then we should dodge the bullet for now, and disable private
 data objects (both in tools and pkcs#11), till we can properly
 implement them.

 in any case, we need to know what our situation exactly is.
 I don't know cryptoflex well, don't know pkcs#15 well,
 have no clue about the other drivers (only minor clue about
 cardos and nothing else), don't know enough about opensc internals.
 so please everyone help in getting a clear description about the
 situation.

 then we should
 - try to fix it for new cards
 - try to fix old cards with a tool if it is possible
 - create a patch containing these changes
 - write a security advisory with our analysis of the situations
   and the fixes
 - find people to proofread it and spell check it
 - create a new release
 - create new windows build and sca releases
 - publish the security advisory pointing to the new release and the  
 patch
 - contact distributions, so they can update the binary packages for  
 linux

 did I forget something? any suggestions for a different procedure?

 ugh. some work ahead. lots of work if we want to get this done before
 xmas. ouch.

 is my analysis and plan ok? as you can see, I need a lot of help  
 with code
 and analysis of our situation and the changes needed. I can try to  
 help
 by testing some cards I have and if someone posts the APDUs needed  
 to fix
 it, I can try writing some code doing that (but I have no clue about  
 our
 pin handling stuff, hope that isn't too hard). also I can create a  
 release
 and test etc. can you help with some of the items, so we can work  
 together
 to fix it?

 thanks for your help everyone!

 Regards, Andreas
 ___
 opensc-devel mailing list
 opensc-devel@lists.opensc-project.org
 http://www.opensc-project.org/mailman/listinfo/opensc-devel

-- 
Martin Paljak
http://martin.paljak.pri.ee
+372.515.6495




___
opensc-devel mailing list
opensc-devel@lists.opensc-project.org
http://www.opensc-project.org/mailman/listinfo/opensc-devel

Re: [opensc-devel] new releases before xmas?

Re: [opensc-devel] new releases before xmas?

Re: [opensc-devel] new releases before xmas?

[opensc-devel] new releases before xmas?

Re: [opensc-devel] new releases before xmas?

Re: [opensc-devel] new releases before xmas?

Re: [opensc-devel] new releases before xmas?

7 matches

Site Navigation

Mail list logo

Footer information