I have the PKCS#11 importer in GNOME working. Just wanted to say thanks
to you guys for your help and patience. Here's a demo:
http://stef.thewalter.net/2011/10/importing-certificates-and-keys.html
This'll be in GNOME 3.4 and Seahorse.
Cheers,
ementation.
In gnome-keyring we handle this case by printing a warning and then
falling back to use non-mlock() memory. We also have a
GNOME_KEYRING_PARANOID environment variable configured that prevents
this behavior.
If this fallback behavior is acceptable I'll create a p
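As an added illustration of the warn-and-fall-back behaviour described in the message above (example code, not gnome-keyring's own; the struct and function names, the page-rounded mmap() allocation and the treatment of GNOME_KEYRING_PARANOID as "set and non-empty" are assumptions made here):

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Hypothetical names for this example; not gnome-keyring's own API. */
#define PARANOID_ENV "GNOME_KEYRING_PARANOID"

struct secure_buf {
    void  *ptr;     /* start of the mapping, NULL when unused */
    size_t len;     /* page-rounded size actually mapped */
    int    locked;  /* 1 if mlock() succeeded, 0 if we fell back */
};

/* The policy in one place: locked memory is always fine; unlocked memory
 * is fine unless paranoid mode is on. Returns 1 = hand it out, 0 = refuse. */
int secure_alloc_policy(int locked, int paranoid)
{
    return locked || !paranoid;
}

/* Paranoid mode is assumed to mean "variable set to a non-empty value". */
int secure_paranoid_from_env(void)
{
    const char *v = getenv(PARANOID_ENV);
    return v != NULL && *v != '\0';
}

/* Map and try to lock len bytes. Returns 0 on success, -1 (errno set) on failure.
 * mlock() works on whole pages, so the request is rounded up to a page boundary. */
int secure_alloc_ex(struct secure_buf *b, size_t len, int paranoid)
{
    long page = sysconf(_SC_PAGESIZE);
    size_t rounded;
    void *p;
    int locked;

    if (page <= 0 || len == 0) { errno = EINVAL; return -1; }
    rounded = ((len + (size_t)page - 1) / (size_t)page) * (size_t)page;

    p = mmap(NULL, rounded, PROT_READ | PROT_WRITE,
             MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (p == MAP_FAILED) return -1;

    locked = (mlock(p, rounded) == 0);
    if (!locked) {
        int saved = errno;   /* typically ENOMEM (RLIMIT_MEMLOCK exhausted) or EPERM */
        if (!secure_alloc_policy(0, paranoid)) {
            munmap(p, rounded);
            errno = saved;
            return -1;
        }
        fprintf(stderr, "warning: mlock() failed (%s); secrets may be swapped to disk\n",
                strerror(saved));
    }
    b->ptr = p;
    b->len = rounded;
    b->locked = locked;
    return 0;
}

int secure_alloc(struct secure_buf *b, size_t len)
{
    return secure_alloc_ex(b, len, secure_paranoid_from_env());
}

/* Wipe, unlock and unmap. The volatile pointer keeps the compiler from
 * eliding the wipe as a dead store. */
void secure_free(struct secure_buf *b)
{
    if (b->ptr == NULL) return;
    volatile unsigned char *v = (volatile unsigned char *)b->ptr;
    for (size_t i = 0; i < b->len; i++) v[i] = 0;
    if (b->locked) munlock(b->ptr, b->len);
    munmap(b->ptr, b->len);
    b->ptr = NULL; b->len = 0; b->locked = 0;
}

/* Exercise the allocator once in non-paranoid mode; returns 1 if usable. */
int secure_alloc_selftest(void)
{
    struct secure_buf b = {0};
    int ok;
    if (secure_alloc_ex(&b, 100, 0) != 0) return 0;
    if (b.ptr == NULL || b.len < 100) { secure_free(&b); return 0; }
    memset(b.ptr, 'x', 100);
    ok = ((unsigned char *)b.ptr)[99] == 'x';
    secure_free(&b);
    return ok && b.ptr == NULL;
}
```

Whether the fallback is acceptable is exactly the question the message asks; the point of keeping the decision in secure_alloc_policy() is that a deployment can flip it (the paranoid flag) without touching the allocation path, and that the secret is wiped before the pages are unlocked, since munlock() alone does not clear them.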
Scratch that. My git master build was building without openssl. Now that
I've built with the openssl dependency, it recognizes the smart card.
Sorry for the noise.
Cheers,
Stef
On 2011-10-04 18:40, Stef Walter wrote:
> For some reason when building opensc from git master, it doesn't
ule I don't see any slots.
In both cases I use the newly built module. Strange.
[stef@stef-desktop gnome-keyring]$ pkcs11-tool --module
/data/build/opensc/lib/pkcs11/opensc-pkcs11.so --list-slots
Available slots:
Slot 0 (0x0): Virtual hotplug slot
(empty)
Slot 1 (0x1): Feitian
via PKCS#11 until a key (from what I can tell: a matching
key) has been stored.
Cheers,
Stef
___
opensc-devel mailing list
opensc-devel@lists.opensc-project.org
http://www.opensc-project.org/mailman/listinfo/opensc-devel
reading something? In
>> card-entersafe.c in the sc_get_driver() function it sets both
>> ops.write_binary and ops.delete_file to NULL.
>
> Dear Stef,
>
> No support of delete operations is normal, it is a security measure to
> ensure that an object cannot be overwritten by a
PKCS#11 driver? Is this something that can be fixed, or are the cards
designed this way?
If it can't be fixed, then does anyone have any other recommendations
for cards that are well rounded OpenSC cards that I can develop against?
Cheers,
Stef
On 09/21/2011 10:57 AM, Ludovic Rousseau wrote:
> 2011/9/21 Stef Walter :
>> Is it normal for a Gooze Feitan ePass PKI Token to take over 60
>> seconds to initialize when used with PKCS#11?
>
> No. It is not normal. I guess you suffer from a libusb bug. See [1].
> The
sue.
This wait corresponds to the below call stack in the opensc PKCS#11
module. This is opensc git master, but the same problem occurs with
0.12.1 as well.
This is something that others (Phillip for example) have experienced as
well. Any ideas?
Cheers,
Stef
22 __select_nocancel()
/usr/src/d
rv = 0
current_pid =
As you can see the slot variable is set to NULL at line 254, and the
null pointer is dereferenced. Should I patch this by adding a check for
that?
Filed ticket here: https://www.opensc-project.org/opensc/ticket/383
Cheers,
rhaps after
p11-kit has proved itself, and we see how this ends up being deployed in
practice, we can revisit further integration.
Cheers,
Stef
[1] http://p11-glue.freedesktop.org/doc/p11-kit/sharing-module.html
same process uses a PKCS#11 module.
* Safe forking (pkcs11-helper already does this, but p11-kit
forking stuff integrates with the initialization refcounting).
Perhaps more? How do this sound?
Cheers,
Stef
onfig format is described here:
http://p11-glue.freedesktop.org/doc/p11-kit/config.html
Thanks for looking over this change. Let me know if I've sent this patch
to the wrong place.
Cheers,
Stef
[1] http://p11-glue.freedesktop.org/p11-kit.html
From 3f4d94ed9acbf69079c670f9acb8e8bc4cb043
On 06/22/2011 12:22 PM, Nikos Mavrogiannopoulos wrote:
> On 06/21/2011 07:59 PM, Stef Walter wrote:
>
>>> I didn't like the pinfile attribute of pkcs11-urls much, because
>>> its semantics are undefined. I see it as an option that could cause
>>> compatibili
Sorry for taking so long to answer, was away for a week...
On 06/15/2011 11:28 PM, Nikos Mavrogiannopoulos wrote:
> On 06/13/2011 11:11 AM, Stef Walter wrote:
>> Since the PKCS#11 URI's say that the pinfile attribute of the URI
>> can be determined by the application, we
On 06/10/2011 07:08 PM, Martin Paljak wrote:
> On Jun 10, 2011, at 13:11, Stef Walter wrote:
>> After sleeping on this idea, I realized it won't work in certain
>> cases. In particular when the key has CKA_ALWAYS_AUTHENTICATE and
>> requires C_Login with CKU_CONTEXT_SPEC
On 06/09/2011 09:37 PM, Stef Walter wrote:
> I'm working on integrating smart card support via PKCS#11 into glib and
> gcr (part of gnome-keyring). We're integrating with GnuTLS for TLS support.
>
> I'd like to be able to do a C_Login in my code, and then pass off the
>
vider in lock mode [secured] will
> behave...
I'm not familiar with that. Is this an extension to the PKCS#11 spec?
Cheers,
Stef
[1] http://p11-glue.freedesktop.org/p11-kit.html
[2] http://p11-glue.freedesktop.org/doc/p11-kit/sharing.html
ore than one session in the same application.
Cheers,
Stef
On 04/25/11 10:20, Martin Paljak wrote:
> Hello, On Apr 25, 2011, at 11:09, Stef Walter wrote:
>
>> I've heard that openct may not be that relevant any more, but in
>> any case here's an OpenCT patch to add support for the smart card
>> reader in my laptop.
>
I've heard that openct may not be that relevant any more, but in any
case here's an OpenCT patch to add support for the smart card reader in
my laptop.
Should I put this in the opensc trac, or does it go somewhere else?
Cheers,
Stef
Index: etc/open
On 04/23/11 09:59, Jean-Michel Pouré - GOOZE wrote:
> On Friday 22 April 2011 at 16:56 +0200, Stef Walter wrote:
>>
>> Is there an openct git repository somewhere? I couldn't find it at the
>> 'Subversion Repository' page [1] I'm fiddling with my Broadc
Hi guys,
Is there an openct git repository somewhere? I couldn't find it at the
'Subversion Repository' page [1] I'm fiddling with my Broadcom 5880
smart card reader, and want to whip up a small patch.
Cheers,
Stef
[1] http://www.opensc-project.org/opensc/wiki/
http://p11-glue.freedesktop.org/doc/p11-kit/index.html
Cheers,
Stef
//p11-glue.freedesktop.org/
Mailing list:
http://lists.freedesktop.org/mailman/listinfo/p11-glue
If you're interested in this stuff, please go ahead and subscribe. Or
clone p11-kit and play with the proxy module. All comments and
discussion welcome.
Replies to p11-g...@lists.freedesktop.org please :)
Cheers,
On 02/28/2011 10:42 AM, Martin Paljak wrote:
> Hello, On Feb 23, 2011, at 10:14 AM, Stef Walter wrote:
>
>> Hi guys. As a follow up from the security devroom at FOSDEM, I'm
>> working out hosting and mailing lists for the PKCS#11 glue stuff
>> [1] that I talked abo
[1] http://thewalter.net/stef/misc/trust-assertion-notes.ps
[2] https://bugs.freedesktop.org/show_bug.cgi?id=34408
[3] http://thewalter.net/git/cgit.cgi/p11-kit/
c.conf in the case of OpenSC.
>
> Why would you need this?
I noticed it in NSS. Not sure of all the reasons behind it.
Cheers,
Stef
chain
> validation is not the same as trust. It will depend on your business
> sector as well, if you work in the CA business or military sector you
> probably would think differently ;)
Thanks! Much appreciated. And if you feel at any point like you'd like
to get involved, please join in.
Cheers,
Stef
On 2010-07-18 13:34, Anders Rundgren wrote:
> On 2010-07-18 18:49, Stef Walter wrote:
>
>>
>> The missing piece is a common standard for specifying which PKCS#11
>> modules for an application to load.
>
> This is not what Microsoft and Apple offers.
>
> They
On 2010-07-18 10:27, Andreas Jellinghaus wrote:
> On Sunday 18 July 2010, at 00:16:15, Stef Walter wrote:
>> Is there a spec around for specifying to applications which PKCS#11
>> modules to load and how to initialize them?
>>
>> I'm thinking something along th
h
NSS is a big player, and have put a lot of solid work into their crypto
library, they're not the only one in use.
Cheers,
Stef
On 2010-07-17 18:10, Peter Stuge wrote:
> Stef Walter wrote:
>> Is there a spec around for specifying to applications which PKCS#11
>> modules to load
>
> That's application specific.
>
>> I'm thinking something along the lines of PAM conf files, wh
GNOME, and rather than coming
up with something like this on our own, perhaps someone has already
given this some thought?
Cheers,
Stef
of a lack
of GUI).
Check out http://homes.esat.kuleuven.be/~decockd/wiki/bin/view.cgi
for more info.
Cheers,
Stef
> -Original Message-
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On
> Behalf Of Douglas E. Engert
> Sent: 22-May-2007 16:07
> To: OpenSC-de
er to add an --info option to pkcs15-init?
Cheers,
Stef
Index: framework-pkcs15.c
===
--- framework-pkcs15.c (revision 3045)
+++ framework-pkcs15.c (working copy)
@@ -2506,7 +2506,10 @@
return CKR_ATTRIBUTE_TYPE_IN
Nils Larsch wrote:
Stef Hoeben wrote:
Hi,
+void ulong2bebytes(u8 *buf, unsigned long x)
+{
+buf[3] = (u8) (x % 256);
+x /= 256;
+buf[2] = (u8) (x % 256);
+x /= 256;
+buf[1] = (u8) (x % 256);
+buf[0] = (u8) (x / 256);
+}
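Review bot: the last line, `buf[0] = (u8) (x / 256);`, silently truncates: after three divisions x holds the original value shifted right by 24 bits, and the cast to u8 keeps only the low 8 bits of that, so on an LP64 host (64-bit unsigned long) any value above 0xFFFFFFFF is serialised without error as if it were its low 32 bits. Either reject such values (`if (x > 0xFFFFFFFFUL) return -1;`) or document the truncation, and consider writing the bytes as `(x >> 24) & 0xff` and so on, which makes the intent obvious and avoids the reader having to track x across the divisions. It would also help to declare the parameter as `u8 buf[4]` so the required buffer size is visible at the call site.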
I would prefer
#define ULONG2BEBYTES(p, x
s fine for me to change it into a macro.
as these are ancillary functions they would be better placed in
an internal header file.
Okay, so in internal.h
Cheers,
Stef
, &(the unsigned long), 4)
It's nicer/simpler to make a function that does both,
pls. see the attached patch.
Cheers,
Stef
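The ulong2bebytes patch quoted earlier, the ULONG2BEBYTES macro suggestion and the reply above about preferring a function are served by one added example (not the code from either patch, nor OpenSC's own): a checked big-endian encoder and its decoder, written with shifts rather than division so the byte positions are visible, and refusing values that do not fit in 32 bits on LP64 hosts. The function names follow the thread; the error-return convention and the self-test helpers are assumptions made here.

```c
#include <limits.h>
#include <stddef.h>

typedef unsigned char u8;

/* Serialize x as 4 big-endian bytes.
 * Returns 0 on success, -1 if x does not fit in 32 bits: on LP64 hosts
 * unsigned long is 64 bits, and silent truncation is how a length or
 * offset field ends up wrong on the card. */
int ulong2bebytes(u8 buf[4], unsigned long x)
{
    if (x > 0xFFFFFFFFUL)
        return -1;
    buf[0] = (u8)((x >> 24) & 0xFF);
    buf[1] = (u8)((x >> 16) & 0xFF);
    buf[2] = (u8)((x >> 8) & 0xFF);
    buf[3] = (u8)(x & 0xFF);
    return 0;
}

/* Inverse: 4 big-endian bytes to an unsigned long. Each byte is widened
 * before shifting so the shift never overflows an int. */
unsigned long bebytes2ulong(const u8 buf[4])
{
    return ((unsigned long)buf[0] << 24) | ((unsigned long)buf[1] << 16)
         | ((unsigned long)buf[2] << 8)  |  (unsigned long)buf[3];
}

/* Same shape for 16-bit fields. Returns -1 if x does not fit. */
int ushort2bebytes(u8 buf[2], unsigned long x)
{
    if (x > 0xFFFFUL)
        return -1;
    buf[0] = (u8)((x >> 8) & 0xFF);
    buf[1] = (u8)(x & 0xFF);
    return 0;
}

unsigned long bebytes2ushort(const u8 buf[2])
{
    return ((unsigned long)buf[0] << 8) | (unsigned long)buf[1];
}

/* Self-test helper: 1 if x survives encode followed by decode. */
int be32_roundtrip_ok(unsigned long x)
{
    u8 buf[4];
    if (ulong2bebytes(buf, x) != 0)
        return 0;
    return bebytes2ulong(buf) == x;
}

/* Self-test helper: 1 if the encoder refuses values wider than 32 bits.
 * On a platform where unsigned long is itself 32 bits such values cannot
 * be formed, so the check is vacuously satisfied. */
int be32_rejects_wide_values(void)
{
    u8 buf[4];
    if (ULONG_MAX == 0xFFFFFFFFUL)
        return 1;
    return ulong2bebytes(buf, 0xFFFFFFFFUL + 1UL) == -1;
}
```

The encoder and decoder pair is deliberately a function rather than a macro: the range check needs a return value, and a macro evaluating its argument more than once would be a trap when the argument is an expression with side effects.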
Ludovic Rousseau wrote:
Hello,
On 20/06/06, Andreas Jellinghaus <[EMAIL PROTECTED]> wrote:
hmm, I don't know how the code looks right now or would look af
this way; unless someone has a better
idea I'll do it in the WE?
Cheers,
Stef
Ludovic Rousseau wrote:
On 16/06/06, Martin Paljak <[EMAIL PROTECTED]> wrote:
To build on intel mac attached patch was needed for me (endian.h
portability from google gives more insight and alternatives)
Hi Thomas,
OK, patch applied, thanks.
For Wiki access, you should ask Andreas.
Or otherwise send the info to me then I'll put it the Wiki.
Cheers,
Stef
Thomas Harning wrote:
On Mon, 12 Jun 2006 22:37:05 +0200
Stef Hoeben <[EMAIL PROTECTED]> wrote:
Hi,
the MuscleCard appl
Hi Martin,
indeed, things don't build on Mac.
You'll commit, or want me to do so?
Cheers,
Stef
Martin Paljak wrote:
To build on intel mac attached patch was needed for me (endian.h
portability from google gives more insight and alternatives)
Also removed are some unused header
INs?
A little remark: if you enter a wrong PIN, you get "Card command failed"
while it would be nicer to get back an SC_ERROR_PIN_CODE_INCORRECT
or SC_ERROR_AUTH_METHOD_BLOCKED.
Best regards,
Stef
0 --puk -p pkcs15+onepin
Unspecified PIN [reference 1] required.
Please enter Unspecified PIN [reference 1]:
Failed to create PKCS #15 meta structure: Card memory failure
B0 5A 00 00 0E 50 15 00 00 01 00 00 00 02 00 02 00 02 00
9C 01 ..
Cheers,
Stef
Thomas Harning wr
e reason...
Just some info, I don't know how to make things more conforming, or even if
that would be desired...
Cheers,
Stef
o is used, in which case we have to prepend the 'SHA-1
AID'
(30 21 30 09 ... 00 04 14) before the SHA-1 hash (29 B0 .. C1 00). So
you could
also use the pkcs1+SHA-1 algo (algo ref = 2) directly: 00 22 41 B6 05 04
80 02 84 82
and then 00 2A 9E 9A 14 29 B0 E7 ... 0B C1 00
TIA and
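The 'SHA-1 AID' (the DER DigestInfo header 30 21 30 09 06 05 2b 0e 03 02 1a 05 00 04 14) that the message above says must be prepended to the hash when the raw PKCS#1 algorithm is used, as an added example that is not OpenSC's code: the host-side EMSA-PKCS1-v1_5 encoding that a raw-RSA algorithm reference expects, next to a strict verifier-side check of the same block. The APDUs themselves are not reproduced; the hash value used in the self-check is a constructed placeholder, not a real digest, and the function names are assumptions here.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define SHA1_LEN 20
/* DER DigestInfo header for SHA-1:
 * SEQUENCE { SEQUENCE { OID 1.3.14.3.2.26, NULL }, OCTET STRING[20] } */
static const uint8_t SHA1_DIGESTINFO_PREFIX[15] = {
    0x30, 0x21, 0x30, 0x09, 0x06, 0x05, 0x2b, 0x0e,
    0x03, 0x02, 0x1a, 0x05, 0x00, 0x04, 0x14
};
#define SHA1_DIGESTINFO_LEN (15 + SHA1_LEN)   /* 35 bytes */

/* T = DigestInfo prefix || hash. Returns the length written (35). */
size_t sha1_digestinfo(const uint8_t hash[SHA1_LEN], uint8_t out[SHA1_DIGESTINFO_LEN])
{
    memcpy(out, SHA1_DIGESTINFO_PREFIX, sizeof SHA1_DIGESTINFO_PREFIX);
    memcpy(out + sizeof SHA1_DIGESTINFO_PREFIX, hash, SHA1_LEN);
    return SHA1_DIGESTINFO_LEN;
}

/* EMSA-PKCS1-v1_5 (RFC 3447, 9.2):
 *   EM = 00 || 01 || PS (0xFF repeated k - tLen - 3 times) || 00 || T
 * where k is the RSA modulus length in bytes; the card then computes EM^d mod n.
 * Returns 0 on success, -1 if k is too small (PS must be at least 8 bytes). */
int pkcs1_v15_sha1_encode(const uint8_t hash[SHA1_LEN], size_t k, uint8_t *em)
{
    size_t ps_len;
    if (k < SHA1_DIGESTINFO_LEN + 11)
        return -1;
    ps_len = k - SHA1_DIGESTINFO_LEN - 3;
    em[0] = 0x00;
    em[1] = 0x01;
    memset(em + 2, 0xFF, ps_len);
    em[2 + ps_len] = 0x00;
    sha1_digestinfo(hash, em + 3 + ps_len);
    return 0;
}

/* Verifier side: strict parse of the block recovered from a signature.
 * Insists on the full 0xFF run, the 0x00 separator, and T filling the
 * remainder exactly, so a short padding run or trailing bytes after T are
 * rejected rather than ignored. Returns 1 if EM encodes exactly this hash. */
int pkcs1_v15_sha1_check(const uint8_t *em, size_t k, const uint8_t hash[SHA1_LEN])
{
    uint8_t expect[SHA1_DIGESTINFO_LEN];
    size_t i = 2;
    if (k < SHA1_DIGESTINFO_LEN + 11 || em[0] != 0x00 || em[1] != 0x01)
        return 0;
    while (i < k && em[i] == 0xFF)
        i++;
    if (i < 10 || i >= k || em[i] != 0x00)   /* fewer than 8 padding bytes, or no separator */
        return 0;
    i++;
    if (k - i != SHA1_DIGESTINFO_LEN)        /* T must be the last 35 bytes, nothing after it */
        return 0;
    sha1_digestinfo(hash, expect);
    return memcmp(em + i, expect, SHA1_DIGESTINFO_LEN) == 0;
}
```

With a 1024-bit key, k is 128 and the block is 00 01, ninety bytes of FF, 00, then the 15-byte header and the 20-byte hash; that 128-byte value is what goes to the raw-RSA algorithm. With the pkcs1+SHA-1 algorithm reference the card builds the same block itself from the bare 20-byte hash, which is why the message says the 'AID' can be skipped in that case.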
*would* be interesting.
Yes, that would be nice indeed.
I guess there's
not much for that at least partly because OpenSSL didn't support it so
well until 0.9.8? Is anyone looking at adding support now?
Guess not. So feel free:-)
Cheers,
Stef
Nils Larsch wrote:
Stef Hoeben wrote:
Hi,
there seem to be 2 problems:
- protect_certificates = false by default -> nasty security bug IMHO,
this is fixed in profile.c
It's certainly a bug but I don't think this is a real security problem
(unless you can you describe a pra
nce to the user PIN is given with "pkcs15-init -X", which causes
sc_pkcs15_init_fixup_file() to set the corresponding ACs to NONE (!)
It looks rather nasty but I'm afraid of shaking it up so I just added
a reference
to the first user PIN in case it's not set -> comment
r ask on that mailing
list.
We only built a tokend, but never used the KeyChain API or CDSA directly.
Cheers,
Stef
ere size_t != unsigned long), the latter is
POSIX and C99-portable, and thus maybe not working on
very old compilers/OS.
does %zu work on the os from redmond ?
Nope: running
printf("%zu\n", (size_t) 1234);
gives
zu
%lu does work
Hi Ludovic,
you have a GTK project file? That way it might be easy
to get it built on Windows.
Also: guess there's no separate GUI for asking PINs
(that could be called from within libopensc or so)?
Cheers,
Stef
Ludovic Rousseau wrote:
Hello,
Identity Alliance donated the gt
ption, pls. let me know. If not I'm
probably mistaken and will add the option now.
Cheers,
Stef