Viktor TARASOV wrote:
> Hello Ludovic,
>
> Ludovic Rousseau wrote:
>> 2010/5/11 Viktor TARASOV <[email protected]>:
>>> Ludovic Rousseau wrote:
>>>> 2010/5/11 Viktor TARASOV <[email protected]>:
>>>>>> I can send an OpenSC log file level=99 (200 KB uncompressed) if needed.
>>>>>> I use the current SVN version of OpenSC.
>>>>>>
>>>>> Please, do it.
>>>>>
>>>> Attached. bzip2 compressed.
>>>>
>>>> I have a Feitian smart card and use the entersafe card driver.
>>>>
>>>> It may be an entersafe card driver bug.
>>>> log says:
>>>> 0xb7b476b0 16:40:59.112 [opensc-pkcs11]
>>>> iso7816.c:102:iso7816_check_sw: Security status not satisfied
>>>> 0xb7b476b0 16:40:59.112 [opensc-pkcs11]
>>>> card-entersafe.c:900:entersafe_compute_with_prkey: internal set
>>>> security env failed: Security status not satisfied
>>>> 0xb7b476b0 16:40:59.112 [opensc-pkcs11] sec.c:56:sc_compute_signature:
>>>> returning with: -1211
>>>>
>>> OK, thanks.
>>>
>>> I have this card and I'll look at it before the end of
>>> this week (with 'Gemalto PC PinPad Reader').
>>>
>> I think you will need this patch to use the Gemalto pinpad:
>>
>> Index: src/libopensc/card-entersafe.c >> =================================================================== >> --- src/libopensc/card-entersafe.c (revision 4340) >> +++ src/libopensc/card-entersafe.c (working copy)
>> @@ -938,7 +938,7 @@ >> { >> pin->encoding = SC_PIN_ENCODING_ASCII; >> pin->min_length = 4; >> - pin->max_length = 16; >> + pin->max_length = 8; >> pin->pad_length = 16; >> pin->offset = 5 + num * 16; >> pin->pad_char = 0x00;
>>
>> The reader does not accept PIN longer than 8. I will write about that
>> on my blog [1] later.
>>
>
> Using actual trunk I cannot sign with Feitian card neither with
> conventional reader nor with pin pad.
> The reason, afais, in both cases is the same -- after user PIN was
> validated, the signing key parent DF is selected by full path. Feitian
> UserPIN is a local one, and so its 'validated' flag is lost. (Still to be
> looked for -- why PKCS#15 pin cache is not working here.)
>
> In fact, there is no real need to select key DF -- it's already selected
> by the previous operations,
> but the card->cache (that keeps current path) is invalidated and
> 'compute signature' procedure has no other way to ensure sign key's DF
> than re-selection.
>
> To keep valid card->cache (and current path) I'll do two small changes
> to trunk:
> - in entersafe profile for the user PIN add flag 'local' (in fact it's
> really 'local', but the actual profile does not have this flag);
> - set default value of 'lock_login' to 'true' (as it is stated by the
> comments in opensc.conf, but not in reality).
>
> After these changes, the card->cache->current_path will be properly
> filled up when verifying PKCS#15 PIN,
> and card->cache will not be invalidated between 'C_Login' and 'C_Sign'.
>
It 'works for me' in trunk r4346 with 'Gemalto PC Pinpad Reader'.

>
>> Bye
>>
>> [1] http://ludovicrousseau.blogspot.com/
>>
>
> Kind wishes,
> Viktor.
>

--
Viktor Tarasov <[email protected]>
_______________________________________________
opensc-devel mailing list
[email protected]
http://www.opensc-project.org/mailman/listinfo/opensc-devel
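Review bot: in the quoted hunk at card-entersafe.c line 938, `pin->max_length` drops from 16 to 8 unconditionally, although the reason given for the change is a limit of the Gemalto pinpad reader rather than of the card. As far as the visible context shows, nothing restricts the new value to pinpad verification, so PIN entry through a conventional reader would be capped at 8 characters as well. Consider applying the 8-character limit only on the pinpad path and adding a comment that records where the limit comes from. `pin->pad_length = 16` and `pin->offset = 5 + num * 16` are unchanged, so the padded PIN block layout stays the same; it would help to say so in the commit message.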
