I am trying to investigate my own defect report (#189). The
opensc-pkcs11.so module does not seem to work with my PIV card. So what I
did to investigate the problem is to instrument the code with lots of
info to figure out exactly where it is breaking. I enabled debug in
opensc.conf and for the sake of brevity, the following is where the
failure occurs:

    [opensc-pkcs11] card-piv.c:764:piv_handle_certificate_data: returning with: 2308
    [opensc-pkcs11] card-piv.c:924:piv_read_binary: returning with: 2308
    [opensc-pkcs11] pkcs15-cert.c:115:sc_pkcs15_read_certificate: called

From there, I traced the call into asn1.c, in the function
sc_asn1_read_tag, and the following is the code segment where the final
point of failure occurs:

    /* parse length byte(s) */
    len = *p & 0x7f;
    if (*p++ & 0x80) {
        unsigned int a = 0;
        if (len > 4 || len > left)
            return SC_ERROR_INVALID_ASN1_OBJECT;
        left -= len;
        for (i = 0; i < len; i++) {
            a <<= 8;
            a |= *p;
            p++;
        }
        len = a;
    }
    if (len > left)
        return SC_ERROR_INVALID_ASN1_OBJECT;

So it turns out that 'len' ends up being larger than 'left' and thus
returns SC_ERROR_INVALID_ASN1_OBJECT(-1401). It is really hard for me to
tell how this decoding function works based on the code itself.
Now, I can use the pkcs#11 module from ActivIdentity, which works
perfectly with my PIV card. I believe my PIV card complies with FIPS 201
and NIST Special Publication 800-73 and I was hoping that I could use an
alternative to ActivIdentity's pkcs#11 module and so it would be really
unfortunate if I can't use OpenSC. Anyone have any thoughts? I am going
to continue to work on it a little bit but I could use some help.
----------------------------------------
Christopher Boarman - Lockheed Martin
Information Systems And Global Services - Civil
Assured Identity Access and Secure Collaboration (AIASC)
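
The length decoding in the segment quoted above, restated as a stand-alone function to show the short form, the long form, and the final `len > left` check. This is an added example, not part of the original post and not OpenSC's code; `ber_read_length`, the return codes and the sample bytes are constructed for illustration.

```c
#include <stddef.h>
#include <stdio.h>

#define BER_OK          0
#define BER_ERR_INVALID (-1) /* hypothetical; stands in for SC_ERROR_INVALID_ASN1_OBJECT */

/* Decode a BER/DER length field starting at buf (the tag octet is already
 * consumed); `left` is the number of bytes available from buf onward.
 * Hypothetical helper following the same steps as the quoted segment. */
int ber_read_length(const unsigned char *buf, size_t left,
                    size_t *out_len, size_t *out_used)
{
    const unsigned char *p = buf;
    size_t len, i;

    if (left == 0)
        return BER_ERR_INVALID;
    len = *p & 0x7f;          /* short form: bits 0-6 are the content length */
    left--;                   /* account for the first length octet */
    if (*p++ & 0x80) {        /* long form: bits 0-6 count the length octets */
        size_t a = 0;
        if (len > 4 || len > left)
            return BER_ERR_INVALID;
        left -= len;
        for (i = 0; i < len; i++)
            a = (a << 8) | *p++;   /* big-endian accumulate */
        len = a;
    }
    if (len > left)           /* header claims more content than the buffer holds */
        return BER_ERR_INVALID;
    *out_len = len;
    *out_used = (size_t)(p - buf);
    return BER_OK;
}

int main(void)
{
    /* Constructed sample: long-form header 82 01 00 = 256 content bytes. */
    unsigned char tlv[3 + 256] = { 0x82, 0x01, 0x00 };
    size_t len = 0, used = 0;
    int rc;

    rc = ber_read_length(tlv, sizeof tlv, &len, &used);
    printf("full buffer:      rc=%d len=%zu used=%zu\n", rc, len, used);
    /* Same header, but the caller only has 7 bytes: 256 > 4 remaining. */
    rc = ber_read_length(tlv, 7, &len, &used);
    printf("truncated buffer: rc=%d\n", rc);
    return 0;
}
```

The second call fails at the final check because the header declares 256 content bytes while only 4 remain in the buffer handed to the parser.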