Hi, I got a batch of new Axalto E Gate 32K cards and USB Shell token V2 adapters. I also tried the old e-gate USB readers, with the same result.
First I tried to initialize the cards in Ubuntu 7.10 and found out that openssl pkcs11 engine integration does not work. Then I tried the same on Windows. I get the card initialized (after fixing the openssl.cnf I get past the library loading problems), but I get hit by "security status not satisfied". The same "security status not satisfied" occurs with pkcs11-tool.

Has anyone got this working or know where the problem might be?

Best Regards,
JARI HEIKKINEN
MODIRUM MDPAY
Mobile +358 40 555 0125
Fax +358 9 251 66100
Tel. +358 9 25123737, +372 644 4205, +1 650 557 2064, +44 20 8144 1540, +852 8199 0064
skype: jari_heikkinen
Mannerheimintie 12 B, FIN-00100 Helsinki, FINLAND
[EMAIL PROTECTED]
www.modirum.com
MDpay - the leading European 3-D Secure software
"Millions of cardholders, thousands of merchants and hundreds of card issuers utilize MDpay software"

C:\Program Files\Smart card bundle>pkcs15-init -E -C -P --pin 12341234 --puk 09870987 -a 01 --no-so-pin -T

C:\Program Files\Smart card bundle>pkcs15-init -G rsa/2048 -a 01 --pin 12341234 -u sign,decrypt

C:\Program Files\Smart card bundle>pkcs15-tool --list-pins --list-public-keys -k -c -C
Private RSA Key [Private Key]
        Com. Flags  : 3
        Usage       : [0x22E], decrypt, sign, signRecover, unwrap, nonRepudiation
        Access Flags: [0x1D], sensitive, alwaysSensitive, neverExtract, local
        ModLength   : 2048
        Key ref     : 0
        Native      : yes
        Path        : 3f0050154b0130450012
        Auth ID     : 01
        ID          : 45

Public RSA Key [Public Key]
        Com. Flags  : 2
        Usage       : [0x2D1], encrypt, wrap, verify, verifyRecover, nonRepudiation
        Access Flags: [0x0]
        ModLength   : 2048
        Key ref     : 0
        Native      : no
        Path        : 3f0050154445
        Auth ID     :
        ID          : 45

PIN []
        Com. Flags: 0x3
        ID        : 01
        Flags     : [0x32], local, initialized, needs-padding
        Length    : min_len:4, max_len:8, stored_len:8
        Pad char  : 0x00
        Reference : 1
        Type      : ascii-numeric
        Path      : 3f0050154b01

C:\Program Files\Smart card bundle>openssl req -engine pkcs11 -new -key id_45 -keyform engine -out req.pem -config my_openssl.cnf
engine "pkcs11" set.
PKCS#11 token PIN:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [SE]:FI
State or Province Name (full name) [Default_Here]:
Locality Name (eg, city) [Default_Here]:
Organization Name (eg, company) [Default_Here]:
Organizational Unit Name (eg, section) []:
Common Name (eg, YOUR name) []:jari
Email Address [Default_Here]:
Security status not satisfied
[opensc-pkcs11] card-flex.c:1055:cryptoflex_compute_signature: Card returned error: Security status not satisfied
[opensc-pkcs11] sec.c:53:sc_compute_signature: returning with: Security status not satisfied
[opensc-pkcs11] pkcs15-sec.c:273:sc_pkcs15_compute_signature: sc_compute_signature() failed: Security status not satisfied

C:\Program Files\Smart card bundle>type my_openssl.cnf
openssl_conf = openssl_def

[openssl_def]
engines = engines

[engines]
pkcs11 = pkcs11_def

[pkcs11_def]
engine_id = pkcs11
dynamic_path = C:/Program Files/Smart card bundle/engine_pkcs11.dll
MODULE_PATH = C:/Program Files/Smart card bundle/opensc-pkcs11.dll
init = 0

[ca]
default_ca = sc_ca

[sc_ca]
private_key = id_45
certificate = ca.crt # point to Base-64 encoded X.509 certificate taken off your smart card
ca_dir = c:/my_ca
new_certs_dir = $ca_dir/newcerts
database = $ca_dir/index.txt
certs = $ca_dir/certs
crl_dir = $ca_dir/crl
serial = $ca_dir/serial
RANDFILE = $ca_dir/private/.rand
default_md = sha1
policy = policy_match

[ policy_match ]
countryName = match
stateOrProvinceName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
emailAddress = optional

[req]
distinguished_name = req_distinguished_name

[ req_distinguished_name ]
countryName = Country Name (2 letter code)
countryName_default = SE
countryName_min = 2
countryName_max = 2
stateOrProvinceName = State or Province Name (full name)
stateOrProvinceName_default = Default_Here
localityName = Locality Name (eg, city)
localityName_default = Default_Here
0.organizationName = Organization Name (eg, company)
0.organizationName_default = Default_Here
organizationalUnitName = Organizational Unit Name (eg, section)
#organizationalUnitName_default =
commonName = Common Name (eg, YOUR name)
commonName_max = 64
emailAddress = Email Address
emailAddress_default = Default_Here
emailAddress_max = 64

C:\Program Files\Smart card bundle>pkcs11-tool --pin 12341234 -O
Private Key Object; RSA
  label:      Private Key
  ID:         45
  Usage:      decrypt, sign, unwrap
Public Key Object; RSA 2048 bits
  label:      Public Key
  ID:         45
  Usage:      encrypt, verify, wrap

C:\Program Files\Smart card bundle>pkcs11-tool --pin 12341234 --id 45 -M
Supported mechanisms:
  SHA-1, digest
  SHA256, digest
  SHA384, digest
  SHA512, digest
  MD5, digest
  RIPEMD160, digest
  RSA-X-509, sign, verify, unwrap, decrypt
  RSA-PKCS, sign, verify, unwrap, decrypt
  SHA1-RSA-PKCS, sign, verify
  MD5-RSA-PKCS, sign, verify
  RIPEMD160-RSA-PKCS, sign, verify
  RSA-PKCS-KEY-PAIR-GEN, keypairgen

C:\Program Files\Smart card bundle>pkcs11-tool --test --pin 12341234 < in.tmp
C_SeedRandom() and C_GenerateRandom():
  not implemented
Digests:
  all 4 digest functions seem to work
  MD5: OK
  SHA-1: OK
  RIPEMD160: OK
Signatures (currently only RSA signatures)
  testing key 0 (Private Key)
Security status not satisfied
[opensc-pkcs11] card-flex.c:1055:cryptoflex_compute_signature: Card returned error: Security status not satisfied
[opensc-pkcs11] sec.c:53:sc_compute_signature: returning with: Security status not satisfied
[opensc-pkcs11] pkcs15-sec.c:273:sc_pkcs15_compute_signature: sc_compute_signature() failed: Security status not satisfied
Security status not satisfied
[opensc-pkcs11] card-flex.c:1055:cryptoflex_compute_signature: Card returned error: Security status not satisfied
[opensc-pkcs11] sec.c:53:sc_compute_signature: returning with: Security status not satisfied
[opensc-pkcs11] pkcs15-sec.c:273:sc_pkcs15_compute_signature: sc_compute_signature() failed: Security status not satisfied

second try with so-pin
================

C:\Program Files\Smart card bundle>pkcs15-init -E -C -P --pin 12341234 --puk 09870987 -a 01 --so-pin 12341234 --so-puk 09870987 -T

C:\Program Files\Smart card bundle>pkcs15-init -G rsa/2048 -a 01 --pin 12341234 --so-pin 12341234 -u sign,decrypt

C:\Program Files\Smart card bundle>pkcs11-tool --test --pin 12341234 --so-pin 12341234< in.tmp
C_SeedRandom() and C_GenerateRandom():
  not implemented
Digests:
  all 4 digest functions seem to work
  MD5: OK
  SHA-1: OK
  RIPEMD160: OK
Signatures (currently only RSA signatures)
  testing key 0 (Private Key)
Security status not satisfied
[opensc-pkcs11] card-flex.c:1055:cryptoflex_compute_signature: Card returned error: Security status not satisfied
[opensc-pkcs11] sec.c:53:sc_compute_signature: returning with: Security status not satisfied
[opensc-pkcs11] pkcs15-sec.c:273:sc_pkcs15_compute_signature: sc_compute_signature() failed: Security status not satisfied
Security status not satisfied
[opensc-pkcs11] card-flex.c:1055:cryptoflex_compute_signature: Card returned error: Security status not satisfied
[opensc-pkcs11] sec.c:53:sc_compute_signature: returning with: Security status not satisfied
[opensc-pkcs11] pkcs15-sec.c:273:sc_pkcs15_compute_signature: sc_compute_signature() failed: Security status not satisfied
  all 4 signature functions seem to work
Security status not satisfied
[opensc-pkcs11] card-flex.c:1055:cryptoflex_compute_signature: Card returned error: Security status not satisfied
[opensc-pkcs11] sec.c:53:sc_compute_signature: returning with: Security status not satisfied
[opensc-pkcs11] pkcs15-sec.c:273:sc_pkcs15_compute_signature: sc_compute_signature() failed: Security status not satisfied