I wonder if this is one of the cards/readers that can not handle
the default max_send_size/max_recv_size = 256.


Can you try this again with the opensc.conf with these
reader_driver openct {
	max_send_size = 252;
	max_recv_size = 252;
}

Or try 248 that was the old *_CHOP_*

Have you tried with the pcsc driver?

I do see that "ModLength" is 2048, so the RSA signature will be
256 bytes long, and the reader/card will have to deal with this
by using a smaller buffer, or chaining the input and output.



Simon Eisenmann wrote:
Here is the debug output to add some more details for this issue:

...
card-cardos.c:714:cardos_set_security_env: returning with: 0
sec.c:67:sc_set_security_env: returning with: 0
sec.c:49:sc_compute_signature: called
card-cardos.c:761:cardos_compute_signature: called
card-cardos.c:775:cardos_compute_signature: trying RSA_PURE_SIG (padded
DigestInfo)
apdu.c:516:sc_transmit_apdu: called
card.c:285:sc_lock: called
apdu.c:184:sc_apdu_log: Outgoing APDU data [ 265 bytes] =====================================
00 2A 9E 9A 00 01 00 30 30 30 30 30 30 30 30 30 .*.....000000000
30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 0000000000000000
30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 0000000000000000
30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 0000000000000000
30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 0000000000000000
30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 0000000000000000
30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 0000000000000000
30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 0000000000000000
30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 0000000000000000
30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 0000000000000000
30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 0000000000000000
30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 0000000000000000
30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 0000000000000000
30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 0000000000000000
30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 0000000000000000
30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 0000000000000000
30 30 30 30 30 30 30 01 00                      0000000..
======================================================================
reader-openct.c:339:openct_reader_transmit: unable to transmit
apdu.c:394:do_single_transmit: unable to transmit APDU
card.c:312:sc_unlock: called
card-cardos.c:742:do_compute_signature: APDU transmit failed: Generic
reader error
card-cardos.c:782:cardos_compute_signature: trying RSA_SIG (just the
DigestInfo)
apdu.c:516:sc_transmit_apdu: called
card.c:285:sc_lock: called
apdu.c:184:sc_apdu_log: Outgoing APDU data [ 267 bytes] =====================================
00 2A 9E 9A 00 01 02 30 30 30 30 30 30 30 30 30 .*.....000000000
30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 0000000000000000
30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 0000000000000000
30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 0000000000000000
30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 0000000000000000
30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 0000000000000000
30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 0000000000000000
30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 0000000000000000
30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 0000000000000000
30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 0000000000000000
30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 0000000000000000
30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 0000000000000000
30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 0000000000000000
30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 0000000000000000
30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 0000000000000000
30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 0000000000000000
30 30 30 30 30 30 30 0C 00 01 00                0000000....
======================================================================
reader-openct.c:339:openct_reader_transmit: unable to transmit
apdu.c:394:do_single_transmit: unable to transmit APDU
card.c:312:sc_unlock: called
card-cardos.c:742:do_compute_signature: APDU transmit failed: Generic
reader error
card-cardos.c:803:cardos_compute_signature: trying to sign raw hash
value
card-cardos.c:806:cardos_compute_signature: returning with: Internal
error
sec.c:53:sc_compute_signature: returning with: Internal error
card.c:312:sc_unlock: called
pkcs15-sec.c:248:sc_pkcs15_compute_signature: sc_compute_signature()
failed: Internal error
Compute signature failed: Internal error
pkcs15.c:775:sc_pkcs15_unbind: called
card.c:312:sc_unlock: called
reader-openct.c:458:openct_reader_unlock: called
card.c:236:sc_disconnect_card: called
reader-openct.c:280:openct_reader_disconnect: called
card.c:251:sc_disconnect_card: returning with: 0
ctx.c:738:sc_release_context: called
reader-openct.c:180:openct_reader_release: called
reader-openct.c:180:openct_reader_release: called
reader-openct.c:180:openct_reader_release: called
reader-openct.c:180:openct_reader_release: called
reader-openct.c:180:openct_reader_release: called
reader-openct.c:165:openct_reader_finish: called



On Tuesday, 13.03.2007, 22:17 +0100, Andreas Jellinghaus wrote:
On Tuesday, 13 March 2007 17:40, Simon Eisenmann wrote:
I today received the PINs for my new D-TRUST 2048 bit signature card,
which seems to use Siemens CardOS 4.3B. I can read the certificates and
keys from the card using the opensc tools perfectly.

Though there is a problem when creating a signature (opensc svn trunk).
a) which version of trunk exactly? what card reader are you using?
we did some changes recently that might break things - but I think
it only affects cards that can only do t=0 with some readers, so it shouldn't
be a problem for you.

so my wild guess is: can that key be used for both signing and decryption
(check with pkcs11-tool or pkcs15-tool) ?
cardos doesn't allow that for some stupid reason. in real world it is needed.
so there are two hacks for this:
a) the opensc hack: store the private key twice - once with key usage sign
and once with key usage decrypt, and then choose the right one.
b) the siemens hack: store the key as decrypt key and use raw rsa decryption
for signing.

we haven't implemented b) yet, but we should add it for compatibility.

note: When using opensc 0.11.1 the card is not recognized as cardos (ATR
not in the list of cardos implementation).
yes. we added that atr after 0.11.1.

Regards, Andreas

------------------------------------------------------------------------

_______________________________________________
opensc-devel mailing list
[email protected]
http://www.opensc-project.org/mailman/listinfo/opensc-devel

--

 Douglas E. Engert  <[EMAIL PROTECTED]>
 Argonne National Laboratory
 9700 South Cass Avenue
 Argonne, Illinois  60439
 (630) 252-5444