David Corcoran has been helping me debug a problem that I'm experiencing with the following configuration:
- Fresh installation of Red Hat 8.0 with only bare minimum added to support muscle libraries - GemPC Twin reader - GemXpresso Pro 64K card - pcsclite 1.2.9beta5 - CCID driver 0.9.1 - MCardPlugin that came with muscleframework 1.1.5 - libmusclepkcs11 that came with muscleframework 1.1.5 I ran testpcsc to get the card's ATR and put it in /usr/local/pcsc/services/mscMuscleCard.bundle/Contents/Info.plist. The problem is that while the card is still inserted, the ATR that is being found for the card changes while the card remains inserted. After it changes, pcsclite says there are no tokens in the reader because it doesn't recognize the ATR. Without removing the card, I get the following behavior: [EMAIL PROTECTED] carl]$ muscleTool MuscleCard Shell - type help for help muscle > tokens 1. MuscleCard Applet muscle > connect 1 muscle [MuscleCard Applet] > verify 1 00000000 PIN Verify Successful muscle [MuscleCard Applet] > exit Bye [EMAIL PROTECTED] carl]$ muscleTool MuscleCard Shell - type help for help muscle > tokens No Valid Tokens Found If I had removed and inserted the card between these operations, the "tokens" listing would have been successful on both tries. After this problem occurs, I can "reset" the ATR by removing and reinserting the card. Here is some more verbose output that I got from turning on debug messages in musclecard.c: [EMAIL PROTECTED] pcsc-lite-1.2.9-beta5]$ muscleTool MuscleCard Shell - type help for help muscle > tokens winscard_clnt.c:243:SCardEstablishContextTH Server is protocol version 2:0 tokenfactory.c:191:TPSearchBundlesForAtr ATR comparison: FILE: /usr/local/pcsc/services/mscMuscleCard.bundle/Contents/Info.plist tokenfactory.c:192:TPSearchBundlesForAtr ATR comparison: Target Match: 3B7B9400008065B08301017483009000 tokenfactory.c:205:TPSearchBundlesForAtr ATR comparison: Source: 3B751300009C02020102 tokenfactory.c:205:TPSearchBundlesForAtr ATR comparison: Source: 3B7B9400008065B08301017483009000 tokenfactory.c:217:TPSearchBundlesForAtr Match found at ATR alias 1 tokenfactory.c:240:TPSearchBundlesForAtr Product name: MuscleCard Applet tokenfactory.c:299:TPSearchBundlesForAtr Default AID name: A00000000101 tokenfactory.c:191:TPSearchBundlesForAtr ATR comparison: FILE: /usr/local/pcsc/services/mscMuscleCard.bundle/Contents/Info.plist tokenfactory.c:192:TPSearchBundlesForAtr ATR comparison: Target Match: 3B7B9400008065B08301017483009000 tokenfactory.c:205:TPSearchBundlesForAtr ATR comparison: Source: 3B751300009C02020102 tokenfactory.c:205:TPSearchBundlesForAtr ATR comparison: Source: 3B7B9400008065B08301017483009000 tokenfactory.c:217:TPSearchBundlesForAtr Match found at ATR alias 1 tokenfactory.c:240:TPSearchBundlesForAtr Product name: MuscleCard Applet tokenfactory.c:299:TPSearchBundlesForAtr Default AID name: A00000000101 1. MuscleCard Applet muscle > connect 1 musclecard.c:343:MSCEstablishConnection SCardConnect returns Command successful. musclecard.c:376:MSCEstablishConnection SCardStatus returns Command successful. tokenfactory.c:191:TPSearchBundlesForAtr ATR comparison: FILE: /usr/local/pcsc/services/mscMuscleCard.bundle/Contents/Info.plist tokenfactory.c:192:TPSearchBundlesForAtr ATR comparison: Target Match: 3B7B9400008065B08301017483009000 tokenfactory.c:205:TPSearchBundlesForAtr ATR comparison: Source: 3B751300009C02020102 tokenfactory.c:205:TPSearchBundlesForAtr ATR comparison: Source: 3B7B9400008065B08301017483009000 tokenfactory.c:217:TPSearchBundlesForAtr Match found at ATR alias 1 tokenfactory.c:240:TPSearchBundlesForAtr Product name: MuscleCard Applet tokenfactory.c:299:TPSearchBundlesForAtr Default AID name: A00000000101 tokenfactory.c:399:TPLoadToken Loading service library /usr/local/pcsc/services/mscMuscleCard.bundle/Contents/Linux/mscMuscleCard musclecard.c:418:MSCEstablishConnection TPLoadToken returns Command successful. musclecard.c:490:MSCEstablishConnection MSCIdentifyToken returns Successful muscle [MuscleCard Applet] > verify 1 00000000 PIN Verify Successful muscle [MuscleCard Applet] > exit Bye [EMAIL PROTECTED] pcsc-lite-1.2.9-beta5]$ muscleTool MuscleCard Shell - type help for help muscle > tokens winscard_clnt.c:243:SCardEstablishContextTH Server is protocol version 2:0 tokenfactory.c:191:TPSearchBundlesForAtr ATR comparison: FILE: /usr/local/pcsc/services/mscMuscleCard.bundle/Contents/Info.plist tokenfactory.c:192:TPSearchBundlesForAtr ATR comparison: Target Match: 3B6B00008065B08301017483009000 tokenfactory.c:205:TPSearchBundlesForAtr ATR comparison: Source: 3B751300009C02020102 tokenfactory.c:205:TPSearchBundlesForAtr ATR comparison: Source: 3B7B9400008065B08301017483009000 tokenfactory.c:205:TPSearchBundlesForAtr ATR comparison: Source: 3B6500009C02020102 tokenfactory.c:205:TPSearchBundlesForAtr ATR comparison: Source: 3B3B94008065AF030D0174830F9000 tokenfactory.c:205:TPSearchBundlesForAtr ATR comparison: Source: 3F6D000080318065B00501025E83009000 No Valid Tokens Found muscle > I tried this on two identical readers with the same result. My quick and dirty fix for this problem was to add the second ATR to /usr/local/pcsc/services/mscMuscleCard.bundle/Contents/Info.plist. However, this did not solve all of my problems. I still can't import PKCS12 keystores in Mozilla. Here are the steps I try to do: 1) Open Mozilla (after all instances have been closed) 2) Choose Edit -> Preferences... 3) Choose Privacy and Security -> Certificates 4) Click Manage Certificates 5) It pauses for a second or so and then a prompt comes up asking for the Musclecard Applet master password. 6) I enter 00000000 and click OK. 7) The Certificate Manager comes up. 8) I click on Import 9) I choose my p12 cert store and click OK. 10) It prompts me which device to use. I choose Musclecard Applet and click OK. 11) At this point, if I look at /tmp/PKCS11.log, I can see that the CKR_TOKEN_NOT_RECOGNIZED and CKR_SESSION_HANDLE_INVALID errors have already occurred. 12) It prompts me for the Musclecard Applet master password again. I enter it and click OK. It returns me to the Certificate Manager immediately, and I can see that nothing has occurred in the log since the errors were returned. Interestingly enough, when I look at the place in the code where the first error occurs (p11x_slot.c line 249) , it has a comment right above it that says: /* Fixme: If Netscape does not see a token present, it may mark the slot as bad and never use it */ I will try to re-perform these steps and get the full error log. In the mean time, perhaps this information can be helpful. Thanks, and especially thanks to Dave for all his help. Carl _______________________________________________ Muscle mailing list [EMAIL PROTECTED] http://lists.drizzle.com/mailman/listinfo/muscle
