On Mon, Jun 12, 2006 at 08:52:17AM -0400, Edward M. Kutrzyba III wrote:
> So, muscleTool can talk to the card and verify my pin.  My problem is 
> with the libmusclepkcs11 library (/usr/lib/libmusclecard.so.1.0.0 ). 
> The version that is available through Debian, will not install into 
> Firefox OR Thunderbird.  I downloaded the latest version with svn, and 
> was able to compile and install into Firefox and Thunderbird, but the 
> applications crash as soon as they try to talk to the CAC.  Has anyone 
> gotten past this?  Any ideas to debug the problem?

I recently worked through this problem.  I'm appending the part of my
notes that involves libmusclepkcs11.  I have been discussing this with
some other Linux CAC users, so that we can have an out-of-the-box
solution in the future.  Ludovic Rousseau has also been helpful, and I'm
hoping he can arrange a new release of libmusclepkcs11 with the required
fixes.

I'm curious about one thing you didn't mention in your message:  Which
CAC reader are you using?  The ActivCard USB Reader v2.0 seems to be the
standard where I work, however pcscd refuses to use it (due to a
firmware bug) without an override.  Did you use this override, or do you
have a different reader, or is there some other reason you didn't have
this problem?

Andrew

In the following, "airborne" refers to

    https://airborne.nrl.navy.mil/PKI/

7. muscleframework needs several patches:

    diff -ur muscleframework-1.1.5/libmusclepkcs11/src/p11_sign.c 
muscleframework-1.1.5.new/libmusclepkcs11/src/p11_sign.c
    --- muscleframework-1.1.5/libmusclepkcs11/src/p11_sign.c        2006-05-27 
19:02:17.000000000 -0700
    +++ muscleframework-1.1.5.new/libmusclepkcs11/src/p11_sign.c    2006-05-27 
14:12:53.000000000 -0700
    @@ -117,7 +117,7 @@
             rv = CKR_OPERATION_NOT_INITIALIZED;
         else if (!USER_MODE)
             rv = CKR_USER_NOT_LOGGED_IN;
    -    else if ((CK_ULONG)(key->msc_key->keySize / 8) > *pulSignatureLen)
    +    else if ((CK_ULONG)(key->msc_key->keySize / 8) > (*pulSignatureLen + 
1))
         {
             *pulSignatureLen = key->msc_key->keySize / 8;
             rv = CKR_BUFFER_TOO_SMALL;
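Review bot: the relaxed comparison on the `+` line lets a caller whose buffer is one byte shorter than `key->msc_key->keySize / 8` get past the `CKR_BUFFER_TOO_SMALL` branch, so the code that follows must not write a full key-size signature into that buffer. If the extra byte compensates for a caller that under-reports its length, state that in a comment above the condition. Also note that `*pulSignatureLen + 1` wraps to 0 when the caller passes the largest `CK_ULONG` value, which makes the branch report too-small for any key size.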
    diff -ur muscleframework-1.1.5/libmusclepkcs11/src/p11_crypt.c 
muscleframework-1.1.5.new/libmusclepkcs11/src/p11_crypt.c
    --- muscleframework-1.1.5/libmusclepkcs11/src/p11_crypt.c       2006-05-27 
19:02:17.000000000 -0700
    +++ muscleframework-1.1.5.new/libmusclepkcs11/src/p11_crypt.c   2006-05-27 
13:50:37.000000000 -0700
    @@ -429,6 +429,7 @@
     
             t_data1 = (CK_BYTE *)malloc(key->msc_key->keySize / 8);
             t_data2 = (CK_BYTE *)malloc(key->msc_key->keySize / 8);
    +        t_data2_len = key->msc_key->keySize / 8;
     
             if (!t_data1 || !t_data2)
                 rv = CKR_HOST_MEMORY;
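Review bot: the added `t_data2_len` assignment repeats the `key->msc_key->keySize / 8` expression already written out in both `malloc` calls. Computing the size once into a local and using it for the two allocations and for the length would keep the recorded length and the real buffer size from drifting apart. The hunk shows no corresponding length being set for `t_data1`, so confirm that nothing later depends on one.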
    diff -ur muscleframework-1.1.5/libmusclepkcs11/src/p11x_thread.c 
muscleframework-1.1.5.new/libmusclepkcs11/src/p11x_thread.c
    --- muscleframework-1.1.5/libmusclepkcs11/src/p11x_thread.c     2006-05-27 
19:02:17.000000000 -0700
    +++ muscleframework-1.1.5.new/libmusclepkcs11/src/p11x_thread.c 2006-05-27 
13:50:19.000000000 -0700
    @@ -25,6 +25,26 @@
     static CK_LOCKMUTEX p11_lockmutex = 0;
     static CK_UNLOCKMUTEX p11_unlockmutex = 0;
     
    +int SYS_MutexInit(PCSCLITE_MUTEX_T mMutex)
    +{
    +       return pthread_mutex_init(mMutex, NULL);
    +}
    +
    +int SYS_MutexDestroy(PCSCLITE_MUTEX_T mMutex)
    +{
    +       return pthread_mutex_destroy(mMutex);
    +}
    +
    +int SYS_MutexLock(PCSCLITE_MUTEX_T mMutex)
    +{
    +       return pthread_mutex_lock(mMutex);
    +}
    +
    +int SYS_MutexUnLock(PCSCLITE_MUTEX_T mMutex)
    +{
    +       return pthread_mutex_unlock(mMutex);
    +}
    +
     
/******************************************************************************
     ** Function: thread_Initialize
     **
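Review bot: the four `SYS_Mutex*` wrappers are added with external linkage and pass `mMutex` straight to the `pthread_mutex_*` calls with no NULL check. Because this file is part of a module that gets loaded into another application's process, globally visible helper names can collide with same-named symbols from another library; if they are only needed inside libmusclepkcs11, mark them `static` or otherwise keep them out of the exported symbol set. The hunk does not show an include being added, so also confirm `<pthread.h>` is already pulled in by this file.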

  The first hunk comes from airborne.  The rest come from

    http://archives.neohapsis.com/archives/dev/muscle/2006-q1/0253.html
    http://archives.neohapsis.com/archives/dev/muscle/2006-q1/0269.html

  The maintainer says that they are applied in an unreleased version,
  but I didn't try that yet.

8. Double check that your new libraries (commonAccessCard and
  libmusclepkcs11.so.0) link.  I emphasize this step because 1. firefox
  will give you a mysterious "unable to add module" message if they
  don't; and 2. many sites advise checking by running "ldd" on the
  library, which led me astray.  A more thorough test is "ldd -d
  libname", which will not only detect missing libraries, but missing
  symbols as well.

9. Finally, go to firefox and add your new libmusclepkcs11.so.0 as a
  security device.  If you have any errors, double-check your previous
  work (you are using the version of libmusclepkcs11 you just built,
  right?).  Go to a CAC-protected site.  Cheer.

  If you get a mysterious error identified by a 5-6 digit number, you
  failed the SSL handshake because the certificate didn't work.  I had
  this problem until I applied the first patch in 7.
  
  For further debugging, create a ~/.pkcs11rc containing

    DebugLevel             = LOW
    LogFilename            = /tmp/PKCS11.log

  and try again.  You might get some clues.  See libmusclepkcs11/README
  for more.

_______________________________________________
Muscle mailing list
[email protected]
http://lists.drizzle.com/mailman/listinfo/muscle
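
A way to script the link check from step 8, as an added example that is not part of the original message: it sorts `ldd -d` output into missing libraries and undefined symbols. The sample output is constructed, and the names in it (`libmusclecard.so.1`, `SYS_MutexInit`) are borrowed from this thread purely for illustration.

```shell
#!/bin/sh
# Added example (not from the original message): summarise `ldd -d` output
# for a PKCS#11 module so link problems show up before Firefox loads it.

# Read ldd output on stdin; print "MISSING_LIB <soname>" for every
# "=> not found" line and "UNDEFINED_SYM <name>" for every
# "undefined symbol: <name> (<file>)" line.
ldd_problems() {
    awk '
        /=> not found/ { print "MISSING_LIB " $1 }
        /undefined symbol:/ {
            for (i = 1; i < NF; i++)
                if ($i == "symbol:") { print "UNDEFINED_SYM " $(i + 1); break }
        }
    '
}

# Run the check on a real module: 0 = clean, 1 = unresolved items found,
# 2 = file not readable.
check_module() {
    [ -r "$1" ] || { echo "cannot read $1" >&2; return 2; }
    problems=$(ldd -d "$1" 2>&1 | ldd_problems)
    [ -z "$problems" ] && return 0
    printf '%s\n' "$problems"
    return 1
}

# Constructed sample of ldd -d output (not captured from a real system).
sample_ldd_output() {
    printf '\tlibmusclecard.so.1 => not found\n'
    printf '\tlibpthread.so.0 => /lib/libpthread.so.0 (0xb7f4e000)\n'
    printf 'undefined symbol: SYS_MutexInit\t(./libmusclepkcs11.so.0)\n'
}

# With no argument, demonstrate on the constructed sample;
# with a path, check that module.
if [ "$#" -eq 0 ]; then
    sample_ldd_output | ldd_problems
else
    check_module "$1"
fi
```

Any `UNDEFINED_SYM` line means the module will not load even though every library it names resolves, which is the case a plain `ldd` run does not show.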
