Re: [opensc-devel] engine_pkcs11/libp11 slot identification issue
Stuart Northfield wrote:
> Hi,
>
> I'm working on a project which is using HSM stored keys via PKCS#11 in
> OpenSSL. The software 'stack' is:
>
> OpenSSL + engine_pkcs11 + libp11 + PKCS#11 module
>
> We have a situation where the OpenSSL configuration is specifying the
> private key to be used as : say 0:1234567890ABCDEF for
> example and the PIN for that slot is configured too.
>
> At the PKCS#11 provider level we are getting an incorrect PIN error,
> and diagnostics invoked on the module indicate that C_Login is being
> invoked on slot 1, which is certainly going to fail.
>
> After a certain amount of investigation, I have come to the conclusion
> that engine_pkcs11 makes some assumptions about the libp11 interface
> (and possibly the PKCS#11 interface under that) which are not valid.
>
> So, down to the hard evidence.
>
> In the routines PKCS11_load_cert() and PKCS11_load_key() in
> engine_pkcs11.c, both routines have some code which, if the private
> key has a slot number configured, do the following:
>
>     } else if (slot_nr >= 0 && slot_nr < count)
>         slot = slot_list + slot_nr;
>     else {
>
> As you can see, slot_nr (parsed from the private key string) is
> assumed to be an index into the array of PKCS11_SLOTs returned from
> PKCS11_enumerate_slots() in libp11.
>
> All very well until, as in our situation, the PKCS#11 module has
> returned the slots out of order when C_GetSlotList() was invoked (it
> returns the IDs in the order 1, 0, 2). (NB the module is supplied as a
> binary and I have no way of changing this behaviour).
>
> Unfortunately, this means that the entry in slot_list[0] is actually
> for slot 1, and the entry in slot_list[1] is for slot 0. Thus the slot
> numbers get transposed when calling into C_Login() and the PKCS#11
> module correctly fails the login as the PIN for slot 0 appears to be
> being used against slot 1.
>
> So far I've looked in PKCS#11 and can't see anything which states that
> the slot array returned by C_GetSlotList() must be ordered. Nor can I
> find anything which suggests that PKCS11_enumerate_slots() in libp11
> is designed to return an ordered list, but then again, as a client
> application of libp11, there's no way to work out which is which, as
> libp11 hides the slot id as private data inside the PKCS11_SLOT
> structure.
>
> So, without changing the libp11 interface, the only simple solution I
> can see is that in libp11, PKCS11_enumerate_slots() should order the
> array of PKCS11_SLOTs it builds by slot id, which, given it already
> maps from one array to another, just requires the trivial change of
> the existing code:
>
>     for (n = 0; n < nslots; n++) {
>         if (pkcs11_init_slot(ctx, &slots[n], slotid[n])) {
>             while (n--)
>                 pkcs11_release_slot(ctx, slots + n);
>             OPENSSL_free(slotid);
>             OPENSSL_free(slots);
>             return -1;
>         }
>     }
>
> to
>
>     for (n = 0; n < nslots; n++) {
>         if (pkcs11_init_slot(ctx, &slots[slotid[n]], slotid[n])) {
>             while (n--)
>                 pkcs11_release_slot(ctx, slots + slotid[n]);
>             OPENSSL_free(slotid);
>             OPENSSL_free(slots);
>             return -1;
>         }
>     }
>
> Then the indexing assumption made in engine_pkcs11 is valid and
> everything works.
>
> Or have I missed something obvious?

I don't see any requirement in PKCS#11 standards that the CK_SLOT_IDs have to be consecutive. And C_GetSlotList can return a subset of slots, i.e. slots with tokenPresent. I would not reorder the list, as this is only a partial solution.

It appears that PKCS11_enumerate_slots has introduced an indirect mapping of slot numbers to be indexes into its array of PKCS11_slot_st. What it should be doing is saving the CK_SLOT_ID returned from C_GetSlotList as it copies the output of C_GetSlotInfo into its PKCS11_slot_st. PKCS11_slot_st should also include the CK_SLOT_ID, which would be set by PKCS11_enumerate_slots.

Then the code you first cited above would be a for loop comparing the slot_nr to the slot number in PKCS11_slot_st to find the slot.

> Hoping that as both engine_pkcs11
> and libp11 belong to the OpenSC project, someone here might be able to
> clarify matters...
>
> Regards
>
> Stu

--
Douglas E. Engert
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444

___
opensc-devel mailing list
opensc-devel@lists.opensc-project.org
http://www.opensc-project.org/mailman/listinfo/opensc-devel
[opensc-devel] OpenSC SCA and PKCS#11
I'm trying to link our (the OpenDNSSEC project's) HSM/PKCS#11 tools (http://svn.opendnssec.se/trunk/hsm-toolkit/) with OpenSC's pkcs11 library (installed from MacOSX SCA), but it just doesn't link. Example:

    gcc -o hsm-toolkit -O3 -W -Wall -Werror -g -I. -L/usr/local/lib \
        /Library/OpenSC/lib/opensc-pkcs11.so hsm-toolkit.c
    ld: in /Library/OpenSC/lib/opensc-pkcs11.so, can't link with bundle (MH_BUNDLE) only dylibs (MH_DYLIB)
    collect2: ld returned 1 exit status

Anyone have an idea what might be wrong? (And perhaps how to solve it?)

jakob

ps. please cc me, since I'm not subscribed to the list.
[opensc-devel] PAM_PKCS11..
Hi,

1) I've been trying to use
http://www.opensc-project.org/files/pam_pkcs11/snapshots/pam_pkcs11-0.6.0.tar.gz
and also
http://www.opensc-project.org/files/pam_pkcs11/pam_pkcs11-0.6.0.tar.gz

Is it so that you have to download secutil.h from
http://www.opensc-project.org/pam_pkcs11/browser/trunk/src/common/secutil.h
and also add a line saying "secutil.h" in this file
http://www.opensc-project.org/pam_pkcs11/browser/trunk/src/common/Makefile.am
before compiling? (I am using Fedora 10)

2) I have trouble making sure to have all the mappers installed. I would like to use ms_mapper but the file ms_mapper.so isn't installed. I have tried to edit this file
http://www.opensc-project.org/pam_pkcs11/browser/trunk/src/mappers/Makefile.am
but I probably do something wrong. How should it be done?

Regards,
Jonas
Re: [opensc-devel] Mac Tokend PIN Rejection
On Mar 22, 2009, at 11:36 AM, Henry B. Hotz wrote:
>
> On Mar 21, 2009, at 2:26 AM, Martin Paljak wrote:
>
>> On 21.03.2009, at 2:34, Henry B. Hotz wrote:
>>
>>> I'm willing to do some debugging, if someone will tell me what to
>>> look at. Maybe where to put syslog calls in a custom build?
>>
>> You can run the PIV tokend in debug mode but that won't help you, as
>> there is no way you can modify the PIV tokend.
>
> How do I run the OpenSC tokend in "debug mode"? I just found a log
> file in /tmp that seems relevant, but it doesn't seem to contain
> anything that looks like a smoking gun. Should I look more
> carefully? Maybe truncate it before the relevant test?

Been looking at /tmp/opensc-tokend.log some. When I just try to unlock the card from the keychain icon in the menu bar it shows this:

    In OpenSCToken::getAcl()
    In OpenSCKeyRecord::getOwner()
    In OpenSCKeyRecord::getAcl, tag is: (null)
    DB read for a reference key object is always OK
    auth_id for PIN: 01, pinNum = 1
    retuning 2 ACL entries
    In OpenSCKeyHandle:: OpenSCKeyHandle()
    In OpenSCToken::getAcl()

...which gives no errors, but doesn't change any of the lock icons.

When I try to use it to log in it shows this:

    In OpenSCToken::getAcl()
    In OpenSCToken::verifyPIN(1)
    In OpenSCToken::_verifyPIN(), PIN num is: 1
    sc_pkcs15_get_objects(pin_id=01): 2
    In OpenSCToken::verify returned -1304 for pin 1
    In OpenSCToken::getAcl()
    In OpenSCToken::getAcl()
    In OpenSCToken::verifyPIN(1)
    In OpenSCToken::_verifyPIN(), PIN num is: 1
    sc_pkcs15_get_objects(pin_id=01): 2
    In OpenSCToken::verify returned 0 for pin 1
    About to call BEGIN()
    In OpenSCKeyRecord::getOwner()
    In OpenSCKeyRecord::getAcl, tag is: (null)
    DB read for a reference key object is always OK
    auth_id for PIN: 01, pinNum = 1
    retuning 2 ACL entries
    In OpenSCKeyHandle:: OpenSCKeyHandle()
    In OpenSCKeyRecord::getOwner()
    In OpenSCKeyRecord::getAcl, tag is: (null)
    retuning 2 ACL entries
    In OpenSCToken::getAcl()
    In OpenSCKeyHandle::generateSignature()
    type == CSSM_ALGCLASS_SIGNATURE
    algorithm == CSSM_ALGID_RSA
    Using SHA1, length is 20
    PKCS#1 padding
    sc_pkcs15_compute_signature(): rv = -1303
    In OpenSCToken::getAcl()

...which is different. Login fails and it shakes the dialog box.

The debug security log info is:

    Mar 22 20:40:25 laphotz com.apple.SecurityServer[24]: token inserted into reader SCM SCR 331 00 00
    Mar 22 20:40:25 laphotz com.apple.SecurityServer[24]: reader SCM SCR 331 00 00 inserted token "PIV_II" (PIV_IId08210d84144ed90a11315a1685835e67286a2a1808289d7ed) subservice 4 using driver com.apple.tokend.opensc
    Mar 22 20:40:26 laphotz SecurityAgent[62517]: Showing Login Window
    Mar 22 20:40:30 laphotz SecurityAgent[62517]: User info context values set for hotz
    Mar 22 20:40:30 laphotz com.apple.SecurityServer[24]: securityd ignoring SIGPIPE received
    Mar 22 20:40:30 laphotz authorizationhost[62516]: failed to sign data (-2147416054)
    Mar 22 20:40:32 laphotz com.apple.SecurityServer[24]: reader SCM SCR 331 00 00 removed token "PIV_II" (PIV_IId08210d84144ed90a11315a1685835e67286a2a1808289d7ed) subservice 4
[opensc-devel] Software Token
Hi,

I'm an openSC user and in order to perform tests without breaking smartcards I'm looking for a PKCS#11 software token.

To my knowledge there are at least 3 suitable implementations:
- soft pkcs#11: but it just can do anything
- gpkcs#11: that seems to be abandoned, since the last changes were in 2000. I compiled it with the last version of GCC and so I needed to modify a few lines of C code. When I finally succeeded in compiling it, the resulting pkcs#11 library doesn't work very well: I can list slots and mechanisms using pkcs11-tool but that's all; when I try to generate or create a key it fails: seg fault :-(. I tried to contact the developers last week, unsuccessfully.
- NSS soft-token that is a part of the mozilla project. However it doesn't work with standard PKCS#11 applications such as pkcs11-tool since C_Initialize must be called using particular parameters: see https://developer.mozilla.org/en/FC_Initialize

So today I think that there is no software token that can be used with opensc. So to solve this problem there are at least 3 solutions:
-1 add an option to pkcs11-tool to allow the NSS softtoken to be loaded
-2 make gpkcs#11 work and integrate it into openSC
-3 create a new soft-token project inside the openSC project (maybe by reusing some parts of the gpkcs11 code)

I can help to modify pkcs11-tool for the first solution. But I think that is not a good solution since the mozilla project is a big project and building only the soft-token seems pretty difficult. So it is not easy to modify the code of the soft token. I can help also on gpkcs#11 if you think it should be integrated into openSC.

Best regards

Benoît Badrignans
[opensc-devel] Gemalto Classic TPC
Hi, Sir

I have bought a few Gemalto Classic TPC and tried to run them on opensc for PKCS15 and openvpn purposes. But it seems not compatible. For my information, I thought any PKI card that complies with PKCS15 and PKCS11 would be able to execute similar operations. Am I right? Please advise.

C.W.AW
[opensc-devel] support CAPI (CSP)
Hi!

I am sorry for my English :) Is support for CAPI (CSP) planned in your application?

Thank you
[opensc-devel] G&D Starkey 3580 Support
Hi, all,

I'm trying to use the starkey 350 usb card under linux but opensc-tools doesn't access some data such as the card serial. It uses a Starcos 3.1.2 token, and I think it isn't supported, is it? What do you suggest me to do? The PCSC daemon correctly recognizes the insertion/removal events, so I think it's a problem with opensc.

When I try to get the serial, I get this error message:

    opensc-tool --serial
    sc_card_ctl(*, SC_CARDCTL_GET_SERIALNR, *) failed

Thanks,
--
Bruno Nunes
[opensc-devel] BSD ifd_sysdep_usb_poll_presence() incorrect
Hi,

When running OpenCT on OpenBSD the kernel outputs a "ugenpoll: no edesc" every second to the main console. This seems to be caused by the fact that ugen doesn't support polling on a control endpoint. Normally this is harmless except that the log is spammed, but if the kernel isn't compiled with diagnostics enabled this will lead to a NULL pointer dereference.

The ifd_sysdep_usb_poll_presence() function in src/ifd/sys-bsd.c caused the mainloop to poll on a control endpoint. Therefore I modified this function to use an ioctl instead to determine if the device is still present. Tested with OpenBSD 4.3 and an Omnikey 6121.

David

Attachment: bsd_poll.patch
[opensc-devel] Request for help in minidriver
Dear sir,

I want to develop a sc minidriver for windows-based systems. I have read some documents about it but I need a sample code. Have you written a sample? Can you send it to me please?

Best regards
Rezaei
[opensc-devel] Mac Tokend PIN Rejection
hi,

i'm not too sure whether mailman will be able to attach this message to the thread i am referring to, so i'll add a link to it:
http://www.opensc-project.org/pipermail/opensc-devel/2009-April/012052.html

i just wanted to add a thumbs up for this patch, it works perfectly. please consider including it in the sca distribution's opensc.tokend!

thanks,
hugh!

fake

P.S.: please cc me on direct replies, as i am offlist.
Re: [opensc-devel] Software Token
You could also try SoftHSM from the OpenDNSSEC project. It is in our svn. See www.opendnssec.org

// Rickard

10 jun 2009 kl. 17.15 skrev "Benoit Badrignans":
> Hi,
>
> I'm an openSC user and in order to perform tests without breaking
> smartcards I'm looking for a PKCS#11 software token.
>
> To my knowledge there are at least 3 suitable implementations:
> - soft pkcs#11: but it just can do anything
> - gpkcs#11: that seems to be abandoned, since the last changes were in
> 2000.
> I compiled it with the last version of GCC and so I needed to modify a few
> lines of C code. When I finally succeeded in compiling it, the resulting
> pkcs#11 library doesn't work very well: I can list slots and
> mechanisms
> using pkcs11-tool but that's all; when I try to generate or create a key
> it fails: seg fault :-(. I tried to contact the developers last week,
> unsuccessfully.
> - NSS soft-token that is a part of the mozilla project. However it doesn't
> work with standard PKCS#11 applications such as pkcs11-tool since
> C_Initialize must be called using particular parameters: see
> https://developer.mozilla.org/en/FC_Initialize
>
> So today I think that there is no software token that can be used with
> opensc.
> So to solve this problem there are at least 3 solutions:
> -1 add an option to pkcs11-tool to allow the NSS softtoken to be loaded
> -2 make gpkcs#11 work and integrate it into openSC
> -3 create a new soft-token project inside the openSC project (maybe by
> reusing some parts of the gpkcs11 code)
>
> I can help to modify pkcs11-tool for the first solution. But I think
> that is not a good solution since the mozilla project is a big project and
> building only the soft-token seems pretty difficult. So it is not easy
> to modify the code of the soft token.
> I can help also on gpkcs#11 if you think it should be integrated into
> openSC.
>
> Best regards
>
> Benoît Badrignans
Re: [opensc-devel] engine_pkcs11/libp11 slot identification issue
Here is a revised version of the note I sent earlier with a patch to libp11 and one to engine_pkcs11.

Stuart Northfield wrote:

Hi,

I'm working on a project which is using HSM stored keys via PKCS#11 in OpenSSL. The software 'stack' is:

OpenSSL + engine_pkcs11 + libp11 + PKCS#11 module

We have a situation where the OpenSSL configuration is specifying the private key to be used as : say 0:1234567890ABCDEF for example and the PIN for that slot is configured too.

At the PKCS#11 provider level we are getting an incorrect PIN error, and diagnostics invoked on the module indicate that C_Login is being invoked on slot 1, which is certainly going to fail.

After a certain amount of investigation, I have come to the conclusion that engine_pkcs11 makes some assumptions about the libp11 interface (and possibly the PKCS#11 interface under that) which are not valid.

So, down to the hard evidence.

In the routines PKCS11_load_cert() and PKCS11_load_key() in engine_pkcs11.c, both routines have some code which, if the private key has a slot number configured, do the following:

    } else if (slot_nr >= 0 && slot_nr < count)
        slot = slot_list + slot_nr;
    else {

As you can see, slot_nr (parsed from the private key string) is assumed to be an index into the array of PKCS11_SLOTs returned from PKCS11_enumerate_slots() in libp11.

All very well until, as in our situation, the PKCS#11 module has returned the slots out of order when C_GetSlotList() was invoked (it returns the IDs in the order 1, 0, 2). (NB the module is supplied as a binary and I have no way of changing this behaviour).

Unfortunately, this means that the entry in slot_list[0] is actually for slot 1, and the entry in slot_list[1] is for slot 0. Thus the slot numbers get transposed when calling into C_Login() and the PKCS#11 module correctly fails the login as the PIN for slot 0 appears to be being used against slot 1.

So far I've looked in PKCS#11 and can't see anything which states that the slot array returned by C_GetSlotList() must be ordered. Nor can I find anything which suggests that PKCS11_enumerate_slots() in libp11 is designed to return an ordered list, but then again, as a client application of libp11, there's no way to work out which is which, as libp11 hides the slot id as private data inside the PKCS11_SLOT structure.

So, without changing the libp11 interface, the only simple solution I can see is that in libp11, PKCS11_enumerate_slots() should order the array of PKCS11_SLOTs it builds by slot id, which, given it already maps from one array to another, just requires the trivial change of the existing code:

    for (n = 0; n < nslots; n++) {
        if (pkcs11_init_slot(ctx, &slots[n], slotid[n])) {
            while (n--)
                pkcs11_release_slot(ctx, slots + n);
            OPENSSL_free(slotid);
            OPENSSL_free(slots);
            return -1;
        }
    }

to

    for (n = 0; n < nslots; n++) {
        if (pkcs11_init_slot(ctx, &slots[slotid[n]], slotid[n])) {
            while (n--)
                pkcs11_release_slot(ctx, slots + slotid[n]);
            OPENSSL_free(slotid);
            OPENSSL_free(slots);
            return -1;
        }
    }

Then the indexing assumption made in engine_pkcs11 is valid and everything works.

Or have I missed something obvious?

I don't see any requirement in PKCS#11 standards that the CK_SLOT_IDs have to be consecutive. And C_GetSlotList can return a subset of slots, i.e. slots with tokenPresent. I would not reorder the list, as this is only a partial solution.

It appears that PKCS11_enumerate_slots has introduced an indirect mapping of slot numbers to be indexes into its array of PKCS11_SLOTs. I think this is a bug. What it should be doing is saving the CK_SLOT_ID returned from C_GetSlotList as it copies the output of C_GetSlotInfo into its PKCS11_SLOT. It does save it, but in the private area.

Attached are two untested patches, one to libp11 to expose a new routine to return the slot id from the private area, the other to engine_pkcs11 to compare the slot requested with what is returned by the new routine. With these, the sizeof(PKCS11_SLOT) stays the same, so old versions of the engine will continue to work with the new libp11 as they have before. New versions of engine_pkcs11 will find the slot as returned by PKCS#11.

Hope this helps.

Hoping that as both engine_pkcs11 and libp11 belong to the OpenSC project, someone here might be able to clarify matters...

Regards

Stu

--
Douglas E. Engert
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444

--- ./libp11-0.2.4/src/,p11_slot.c	Thu Jul 31 07:06:24 2008
+++ ./libp11-0.2.4/src/p11_slot.c	Wed Jun 10 14:
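The slot lookup discussed in both messages of this thread (the engine_pkcs11 index check Stuart quotes, and Douglas Engert's suggestion of a loop comparing slot_nr against a CK_SLOT_ID stored with each slot entry), as an added example that is neither libp11 nor engine_pkcs11 code. It declares the few PKCS#11 types it needs locally instead of including pkcs11.h, and stands in a mock C_GetSlotList for the binary module from the thread; the mock returns IDs 1, 0, 7 rather than 1, 0, 2 so that it also covers the non-consecutive IDs Douglas points out are permitted. The slot_entry structure, the MAX_SLOTS limit and the function names are assumptions for illustration.

```c
/* Added example (not libp11 or engine_pkcs11 code): why a configured slot
 * number must be matched against CK_SLOT_ID rather than used as an index
 * into the enumerated slot array. PKCS#11 types are declared locally so the
 * file builds without pkcs11.h; a real build would include the standard header. */
#include <stddef.h>
#include <stdio.h>

typedef unsigned long CK_SLOT_ID;
typedef unsigned long CK_RV;
typedef unsigned long CK_ULONG;
typedef unsigned char CK_BBOOL;
#define CKR_OK               0UL
#define CKR_BUFFER_TOO_SMALL 0x150UL
#define CK_TRUE              1

/* Stand-in for a module whose C_GetSlotList returns IDs out of order (the
 * 1, 0, ... ordering from the thread). 7 is a constructed value showing that
 * IDs need not be consecutive either. */
static const CK_SLOT_ID module_slot_ids[] = { 1, 0, 7 };

static CK_RV mock_C_GetSlotList(CK_BBOOL tokenPresent, CK_SLOT_ID *list, CK_ULONG *count)
{
    CK_ULONG n = sizeof(module_slot_ids) / sizeof(module_slot_ids[0]);
    (void)tokenPresent;
    if (list == NULL) { *count = n; return CKR_OK; }          /* size query */
    if (*count < n)   { *count = n; return CKR_BUFFER_TOO_SMALL; }
    for (CK_ULONG i = 0; i < n; i++) list[i] = module_slot_ids[i];
    *count = n;
    return CKR_OK;
}

/* Minimal stand-in for libp11's PKCS11_SLOT: the CK_SLOT_ID is kept next to
 * the descriptive data instead of being hidden in private state. */
typedef struct {
    CK_SLOT_ID id;
    char description[32];
} slot_entry;

#define MAX_SLOTS 16
static slot_entry slot_list[MAX_SLOTS];
static CK_ULONG slot_count;

/* Enumerate slots the way PKCS11_enumerate_slots does, recording each ID. */
static int enumerate_slots(void)
{
    CK_SLOT_ID ids[MAX_SLOTS];
    CK_ULONG n = MAX_SLOTS;
    if (mock_C_GetSlotList(CK_TRUE, NULL, &n) != CKR_OK || n > MAX_SLOTS) return -1;
    if (mock_C_GetSlotList(CK_TRUE, ids, &n) != CKR_OK) return -1;
    for (CK_ULONG i = 0; i < n; i++) {
        slot_list[i].id = ids[i];
        snprintf(slot_list[i].description, sizeof slot_list[i].description,
                 "slot %lu", ids[i]);
    }
    slot_count = n;
    return 0;
}

/* What engine_pkcs11 did: treat the configured number as an array index.
 * Returns the CK_SLOT_ID that C_Login would actually be called with, or
 * (CK_SLOT_ID)-1 when the number is outside the array. */
static CK_SLOT_ID slot_id_by_index(long slot_nr)
{
    if (slot_nr < 0 || (CK_ULONG)slot_nr >= slot_count) return (CK_SLOT_ID)-1;
    return slot_list[slot_nr].id;
}

/* What the thread recommends: scan for the entry whose CK_SLOT_ID matches. */
static slot_entry *find_slot_by_id(CK_SLOT_ID wanted)
{
    for (CK_ULONG i = 0; i < slot_count; i++)
        if (slot_list[i].id == wanted) return &slot_list[i];
    return NULL;
}

int main(void)
{
    if (enumerate_slots() != 0) return 1;
    /* A key configured as "0:..." asks for slot 0; index lookup lands on
     * slot 1, so C_Login would run slot 0's PIN against slot 1. */
    printf("index lookup for slot_nr 0 -> CK_SLOT_ID %lu\n", slot_id_by_index(0));
    slot_entry *s = find_slot_by_id(0);
    printf("id lookup for slot 0 -> list position %ld (%s)\n",
           s ? (long)(s - slot_list) : -1L, s ? s->description : "not found");
    return 0;
}
```

Run as is, it shows index lookup resolving slot number 0 to CK_SLOT_ID 1 (the transposition from the thread) while the ID scan finds slot 0 at list position 1. Matching on the stored ID also handles the case reordering cannot: with an ID of 7 in a three-entry list, the `&slots[slotid[n]]` form first proposed would write past the array, whereas the scan simply finds it at position 2 and rejects a request for the non-existent slot 2.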
Re: [opensc-devel] OpenSC SCA and PKCS#11
Hej Jakob,

Jakob Schlyter wrote:
> gcc -o hsm-toolkit -O3 -W -Wall -Werror -g -I. -L/usr/local/lib \
>     /Library/OpenSC/lib/opensc-pkcs11.so hsm-toolkit.c
> ld: in /Library/OpenSC/lib/opensc-pkcs11.so, can't link with bundle
> (MH_BUNDLE) only dylibs (MH_DYLIB)
> collect2: ld returned 1 exit status
>
> anyone have an idea what might be wrong?
> (and perhaps how to solve it?)

The canonical way of using opensc-pkcs11.so is to dlopen() it, I don't think direct linking of the .so will work so well. Maybe you can use pkcs11-helper or libp11 as your PKCS#11 access method? Or just dlopen() the .so.

> ps. please cc'd me, since I'm not subscribed to the list.

You can help automate this with a Mail-Followup-To header containing both the list and your address in your outgoing messages.

//Peter
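The dlopen() approach Peter recommends, as an added example that is not OpenSC or OpenDNSSEC code: the module is opened at run time and its only required export, C_GetFunctionList, is resolved by name, so the MH_BUNDLE file never has to be passed to the linker. The CK_VERSION and CK_FUNCTION_LIST_HEAD declarations cover only the leading version field that the example reads; a real program would include pkcs11.h. The default module path is an assumption matching the macOS SCA install path from the thread, and the function names are illustrative.

```c
/* Added example (not OpenSC or OpenDNSSEC code): load a PKCS#11 module with
 * dlopen() and fetch its function list instead of linking the .so directly.
 * Only the part of CK_FUNCTION_LIST read here (the leading version) is
 * declared, so this builds without pkcs11.h. Link with -ldl on older glibc. */
#define _POSIX_C_SOURCE 200809L
#include <dlfcn.h>
#include <stdio.h>

typedef unsigned long CK_RV;
#define CKR_OK 0UL
typedef struct { unsigned char major, minor; } CK_VERSION;
/* A CK_FUNCTION_LIST begins with the Cryptoki version the module implements;
 * the function pointers that follow are omitted in this example. */
typedef struct { CK_VERSION version; } CK_FUNCTION_LIST_HEAD;
typedef CK_RV (*CK_C_GetFunctionList)(CK_FUNCTION_LIST_HEAD **);

/* Loads the module at `path`; returns 0 with *handle and *version set, or -1
 * (with a message on stderr) if it cannot be loaded or is not a PKCS#11
 * module. The caller dlclose()s *handle when finished with the module. */
static int load_pkcs11_module(const char *path, void **handle, CK_VERSION *version)
{
    void *h = dlopen(path, RTLD_NOW | RTLD_LOCAL);
    if (h == NULL) {
        fprintf(stderr, "dlopen(%s): %s\n", path, dlerror());
        return -1;
    }
    /* C_GetFunctionList is the single entry point every module must export;
     * everything else is reached through the table it returns. dlsym()
     * yields an object pointer, so convert via a union rather than a cast. */
    union { void *obj; CK_C_GetFunctionList fn; } sym;
    sym.obj = dlsym(h, "C_GetFunctionList");
    CK_FUNCTION_LIST_HEAD *fl = NULL;
    if (sym.obj == NULL || sym.fn(&fl) != CKR_OK || fl == NULL) {
        fprintf(stderr, "%s: no usable C_GetFunctionList\n", path);
        dlclose(h);
        return -1;
    }
    *version = fl->version;
    *handle = h;
    return 0;
}

/* Probe helper: 0 if `path` loads as a PKCS#11 module, -1 otherwise. */
static int probe_pkcs11_module(const char *path)
{
    void *h;
    CK_VERSION v;
    if (load_pkcs11_module(path, &h, &v) != 0)
        return -1;
    dlclose(h);
    return 0;
}

int main(int argc, char **argv)
{
    /* Default path is an assumption matching the macOS SCA install in the thread. */
    const char *path = argc > 1 ? argv[1] : "/Library/OpenSC/lib/opensc-pkcs11.so";
    void *h;
    CK_VERSION v;
    if (load_pkcs11_module(path, &h, &v) != 0)
        return 1;
    printf("%s implements Cryptoki %u.%u\n", path, v.major, v.minor);
    dlclose(h);
    return 0;
}
```

Pass the module path as the first argument to try a different module. Using RTLD_LOCAL keeps the module's symbols out of the global namespace, which matters when two PKCS#11 modules (or a module and pkcs11-helper/libp11) are loaded into one process, since they all export the same C_* names.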