Nelson Bolyard wrote: > The PKCS7 decoder and the ASN.1 decoder work together. The PKCS7 decoder > registers callback functions that are called by the ASN.1 decoder to > process portions of the message. It is possible for a message to be > correctly ASN.1 encoded but not correctly PKCS7 encoded, or vice versa. > So, it is possible to call the ASN.1 decoder, and get a PKCS7 error as a > result, even though there was no ASN.1 error. > > > Also, I tried to find the definition of error 12285 without success. > > http://www.mozilla.org/projects/security/pki/nss/ref/ssl/sslerr.html#1040292 > > Although this is an SSL error code, it is also used by NSS in non-SSL > functions. It seems to mean "certificate not found", such as when > trying to find a certificate on a token that goes with a private key. >
I have been asking opensc developers and this is what I got: ------------------------------------------------------------ <BEGIN> I wrote: ........ Also, while testing last opensc, a FINEID card and Mozilla, a weired thing occurrs: trying to sign data, it seems like opensc gets confused and use given pin with wrong file in the card (Stef Hoeben has already log files about this). They respond: ............. Yes, this looks weird. But as much as I hate to say so, I think it's a mozilla bug. I have here a FINEID test card which has a fairly similar layout as yours (i.e. key 45 -> auth ID 01 (@3F00), and key 46 -> auth ID 02 (@3F005015), and it works with pkcs11-tool. Also, if you look at the log files, you will notice that in both cases, it performs two C_Login calls to two different sessions/slots, with the same PIN: "allekirjoitustunnusluku" case C_Login: Login for session 2 (this is for slot 1, the one with key 46) sc_select_file: called with type 2, path 3F005015 sc_pin_cmd => 1234 pkcs15_login: PIN verification returned 0 C_Login: Login for session 1 (this is for slot 0, the one with key 45) sc_select_file: called with type 0, path 3F00 sc_pin_cmd => 1234 pkcs15_login: PIN verification returned -1214 "perustunnusluku" case C_Login: Login for session 2 sc_select_file: called with type 2, path 3F005015 sc_pin_cmd => 5678 pkcs15_login: PIN verification returned -1214 C_Login: Login for session 1 sc_select_file: called with type 0, path 3F00 sc_pin_cmd => 5678 pkcs15_login: PIN verification returned 0 So it's a Mozilla bug. It shouldn't use the same PIN for all sessions/slots. <END> I have observed that every time I try to sign, I am asked for pin code twice. And then, signature process fails. I have a password callback function that is called by cms stuff in NSS. To be sure that the function returns given pin code, I log it before the function returns. It seems to be ok. I attach opensc logs. Please, any ideas? Best regards, /
opensc_logs_13_agu.tgz
Description: GNU Zip compressed data
