On Tuesday, 08.12.2009, 14:49 +0100, Andreas Jellinghaus wrote:
> On Tuesday 08 December 2009 13:39:29, Dominik Fischer wrote:
> > Why do I think it should work: Under RHEL5 it works with the same card and
> > the following software versions:
> > * opensc-0.11.1
> > * ccid-1.0.1
> > * pcsc-lite-1.3.1-7
> >
> > Are there any changes (since these versions) regarding signing or
> > card-handling that could explain the error?
>
> hmm, then it looks like an error in opensc (since there is no
> large APDU or strange reader or communication error, it is unlikely
> an openct vs. pcsclite+ccid issue).
>
> opensc 0.11.1 is from 2007, so lots of code changed in total, so it
> isn't easy to find what the cause is. changes to starcos driver itself are
> very small, so those are unlikely.
>
> do you still have that RHEL5 machine? if you had a debug log from it too,
> that could help in seeing what changed. the interesting parts start with
> the first "C_Sign" line.
>
> I don't know much about starcos, but with most cards you need to
> call "VERIFY" first to authenticate, and then run some signing
> function.
>
> 6f 05 means (starcos spk 2.4 manual): no security environment
> or security environment invalid.
>
> that last APDU is the signing command, and before it is the
> "manage security environment" command, but I don't understand
> the parameters (03 80 01 01) look strange.
>
> the code in card-starcos.c (look for "COMPUTE SIGNATURE")
> looks like it places the env->algorithm_ref in there,
> so that looks wrong.
>
> why don't you run pkcs11-tool with the proper "-m" argument
> for MD5 (I think MD5 has a 56 bit hash, so that would fit
> your 7 bytes). "pkcs11-tool -M" will show all mechanisms,
> so you can pick the right one.
>
> maybe that helps?

Yes, I have a RHEL5 System at hand. I will test it and collect debug-output.

Meanwhile the results of my "-m" tests. As I want to sign, I only tested
the mechanisms which support signing:

----8<-----8<---
$ pkcs11-tool -M |grep sign
RSA-PKCS, sign, verify, unwrap, decrypt
SHA1-RSA-PKCS, sign, verify
MD5-RSA-PKCS, sign, verify
RIPEMD160-RSA-PKCS, sign, verify
----8<-----8<---

All of them fail:

----8<-----8<---
$ echo "foobar" | pkcs11-tool -m RSA-PKCS -s
Please enter User PIN:
error: PKCS11 function C_SignFinal failed: rv = CKR_GENERAL_ERROR (0x5)
Aborting.

$ echo "foobar" | pkcs11-tool -m SHA1-RSA-PKCS -s
Please enter User PIN:
error: PKCS11 function C_SignFinal failed: rv = CKR_GENERAL_ERROR (0x5)
Aborting.

$ echo "foobar" | pkcs11-tool -m MD5-RSA-PKCS -s
Please enter User PIN:
error: PKCS11 function C_SignFinal failed: rv = CKR_GENERAL_ERROR (0x5)
Aborting.

$ echo "foobar" | pkcs11-tool -m RIPEMD160-RSA-PKCS -s
Please enter User PIN:
error: PKCS11 function C_SignFinal failed: rv = CKR_GENERAL_ERROR (0x5)
Aborting.
----8<-----8<---

I think the error is not only limited to the use of "pkcs11-tool -s". Even
the tests of pkcs11-tool don't work:

----8<----8<----
$ pkcs11-tool -t -l
Please enter User PIN:
C_SeedRandom() and C_GenerateRandom():
  seeding (C_SeedRandom) not supported
  seems to be OK
Digests:
  all 4 digest functions seem to work
  MD5: OK
  SHA-1: OK
  RIPEMD160: OK
Signatures (currently only RSA signatures)
  testing key 0 (Private Key)
error: PKCS11 function C_SignFinal failed: rv = CKR_GENERAL_ERROR (0x5)
Aborting.
----8<----8<----

We are also using openssl with the openssl-engine of opensc. The error
occurs there too.

If it helps: I can provide you with a smartcard to reproduce this error.
You can contact me via personal mail to change contact data if you wish.

Kind regards,
Dominik Fischer

_______________________________________________
opensc-devel mailing list
opensc-devel@lists.opensc-project.org
http://www.opensc-project.org/mailman/listinfo/opensc-devel
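
The command order discussed in this thread (VERIFY, then "manage security environment", then the signing command) can be checked mechanically once the APDUs have been pulled out of a debug log. The sketch below is an added example, not part of the original mails and not OpenSC code. It handles short APDUs only, and the trace, PIN bytes and P1/P2 values are constructed sample values; only the 6F05 meaning and the MSE data bytes 03 80 01 01 come from the thread.

```python
# ISO 7816-4/-8 instruction bytes for the three steps named in the thread.
INS = {0x20: "VERIFY", 0x22: "MANAGE SECURITY ENVIRONMENT",
       0x2A: "PERFORM SECURITY OPERATION"}
# 9000 is the ISO success status; the 6F05 text is the STARCOS meaning quoted above.
SW = {0x9000: "OK",
      0x6F05: "no security environment or security environment invalid"}

def parse_command(hex_apdu):
    """Split a short command APDU into (ins, p1, p2, data); a trailing Le is ignored."""
    raw = bytes.fromhex(hex_apdu)
    if len(raw) < 4:
        raise ValueError("APDU shorter than its 4-byte header")
    body = raw[4:]
    data = b""
    if len(body) > 1:                      # Lc byte present
        lc = body[0]
        if len(body) < 1 + lc:
            raise ValueError("Lc exceeds APDU length")
        data = body[1:1 + lc]
    return raw[1], raw[2], raw[3], data

def parse_tlv(data):
    """Decode one-byte-tag, one-byte-length TLVs such as the MSE data field."""
    out, i = [], 0
    while i < len(data):
        if i + 2 > len(data) or i + 2 + data[i + 1] > len(data):
            raise ValueError("truncated TLV")
        out.append((data[i], data[i + 2:i + 2 + data[i + 1]]))
        i += 2 + data[i + 1]
    return out

def review_trace(trace):
    """Check (command_hex, status_word) pairs for VERIFY -> MSE -> signing order."""
    findings, verified, env = [], False, None
    for cmd_hex, sw in trace:
        ins, p1, p2, data = parse_command(cmd_hex)
        name = INS.get(ins, "INS %02X" % ins)
        if ins == 0x2A:
            if not verified:
                findings.append("signing attempted without a successful VERIFY")
            if env is None:
                findings.append("signing attempted without a successful MSE")
        if sw != 0x9000:
            findings.append("%s failed: SW %04X (%s)" % (name, sw, SW.get(sw, "unknown")))
        elif ins == 0x20:
            verified = True
        elif ins == 0x22:
            env = parse_tlv(data)
    return findings

# Constructed trace: PIN bytes, P1/P2 values and status words are sample values.
SAMPLE = [("00 20 00 01 08 31 32 33 34 00 00 00 00", 0x9000),
          ("00 22 41 B6 03 80 01 01", 0x9000),
          ("00 2A 9E 9A 07 66 6F 6F 62 61 72 0A 00", 0x6F05)]
```

Calling `review_trace(SAMPLE)` reports only the failed signing command, which is the pattern in the thread: authentication and MSE are accepted, and the card rejects the environment when the signature is computed.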