Hello again,
Just to clarify before posting full debug logs: we have our private
certificates on these cards, but those are not exportable, right?
And by posting full OpenSC (debug 99) logs here I won't expose those in
any way, right?
/Patrik Martinsson
On 08/27/2010 01:37 PM, Patrik Martinsson wrote:
Hi again guys,
Thanks for your input. I've been away for a couple of days, that's why
I haven't been able to answer.
I feel I need to explain a little, just so we are on the same page here.
Running this on my RHEL 6 system.
OpenSC, checked out revision 4654, configured and built (patched with
the earlier attached patch from Andre Zepezauer).
pam_pkcs11, checked out revision 447, configured with _nss_ and built.
pcsc-lite, using the version that came with RHEL 6,
pcsc-lite-1.5.2-5.el6.x86_64.
Card reader, OmniKey 3121, driver from their homepage (tried with the
one that comes with RHEL too, but same issue).
What I'm trying to accomplish:
Get our ~100+ clients to be able to log in through their smartcard.
Cards are delivered by a company called SecMaker, supposed to have
SetCOS 4.4.1, cards delivered by Gemalto.
$ opensc-tool -i
Using reader with a card: OMNIKEY CardMan 3x21 00 00
SetCOS
$ opensc-tool -a
Using reader with a card: OMNIKEY CardMan 3x21 00 00
3b:7d:96:00:00:80:31:80:65:b0:a3:11:40:a9:83:00:90:00
$ opensc-tool -R
Configured reader drivers:
pcsc PC/SC reader
$ opensc-tool -D
Configured card drivers:
cardos Siemens CardOS
cardos Siemens CardOS
flex Schlumberger Multiflex/Cryptoflex
cyberflex Schlumberger Cyberflex
gpk Gemplus GPK
gemsafeV1 driver for the Gemplus GemSAFE V1 applet
miocos MioCOS 1.1
mcrd MICARDO 2.1
asepcos Athena ASEPCOS
starcos STARCOS SPK 2.3/2.4
tcos TCOS 3.0
openpgp OpenPGP card
jcop JCOP cards with BlueZ PKCS#15 applet
oberthur Oberthur AuthentIC.v2/CosmopolIC.v4
belpic Belpic cards
ias IAS
incrypto34 Incard Incripto34
acos5 ACS ACOS5 card
akis TUBITAK UEKAE AKIS
entersafe entersafe
rutoken Rutoken driver
rutoken_ecp Rutoken ECP driver
westcos WESTCOS compatible cards
myeid MyEID cards with PKCS#15 applet
setcos Setec cards
muscle MuscleApplet
atrust-acos A-Trust ACOS cards
piv PIV-II for multiple cards
itacns Italian CNS
javacard JavaCard (without supported applet)
default Default driver for unknown cards
$ /usr/bin/modutil -list -dbdir /etc/pki/nssdb/ (I've previously added
the OpenSC module with this: /usr/bin/modutil -force -dbdir
/etc/pki/nssdb -add OpenSC -libfile /usr/local/lib/opensc-pkcs11.so)
Listing of PKCS #11 Modules
-----------------------------------------------------------
1. NSS Internal PKCS #11 Module
slots: 2 slots attached
status: loaded
slot: NSS Internal Cryptographic Services
token: NSS Generic Crypto Services
slot: NSS User Private Key and Certificate Services
token: NSS Certificate DB
2. OpenSC
library name: /usr/local/lib/opensc-pkcs11.so
slots: 5 slots attached
status: loaded
slot: Virtual hotplug slot
token:
slot: OMNIKEY CardMan 3x21 00 00
token: Instant EID IP8 (identification)
slot: OMNIKEY CardMan 3x21 00 00
token: Instant EID IP8 (signature)
slot: OMNIKEY CardMan 3x21 00 00
token: Instant EID IP8
slot: OMNIKEY CardMan 3x21 00 00
token:
$ pkcs11_inspect
PIN for token:
Printing data for mapper cn:
user
So... to me everything seems to work quite well; however, I have one
problem left, and that's pkcs11_eventmgr.
$ pkcs11_eventmgr debug nodaemon (card in reader)
DEBUG:pkcs11_eventmgr.c:379: Initializing NSS ...
DEBUG:pkcs11_eventmgr.c:395: loading the module ...
DEBUG:pkcs11_eventmgr.c:405: loading Module explictly,
moduleSpec=<library="/usr/local/lib/opensc-pkcs11.so"
name="SmartCard"> module=/usr/local/lib/opensc-pkcs11.so
DEBUG:pkcs11_eventmgr.c:453: Waiting for Events
DEBUG:pkcs11_eventmgr.c:601: Exited from main loop
DEBUG:pkcs11_eventmgr.c:91: Exitting
$ pkcs11_eventmgr debug nodaemon (card NOT in reader)
DEBUG:pkcs11_eventmgr.c:379: Initializing NSS ...
DEBUG:pkcs11_eventmgr.c:395: loading the module ...
DEBUG:pkcs11_eventmgr.c:405: loading Module explictly,
moduleSpec=<library="/usr/local/lib/opensc-pkcs11.so"
name="SmartCard"> module=/usr/local/lib/opensc-pkcs11.so
DEBUG:pkcs11_eventmgr.c:453: Waiting for Events
DEBUG:pkcs11_eventmgr.c:601: Exited from main loop
DEBUG:pkcs11_eventmgr.c:91: Exitting
All the verbose logs are attached; the verbosity level is set to 2.
Tell me if I need to increase it; however, I'm a bit concerned about
mailing out my certificate and username and that kind of stuff (which
is included in level 3). It doesn't feel quite right, but maybe I'm wrong?
I've also attached my config files.
Basically I want this working so GDM can recognize inserts/removals.
I talked to the GDM developers and they fixed some bugs with
smartcards in later releases, which is cool, but as long as
pkcs11_eventmgr won't work with NSS I don't think GDM will work either.
(GDM uses NSS by default.)
Btw,
I've also tried card_eventmgr, and that one works as expected.
So it seems something's getting fishy when NSS is involved.
Again, thanks for any kind of help, and tell me what kind of debug
info you need and I'll fix it.
/Patrik Martinsson,
Sweden.
On 08/25/2010 02:14 PM, Martin Paljak wrote:
Hello,
On Aug 25, 2010, at 2:55 PM, Ludovic Rousseau wrote:
2010/8/25 Martin Paljak<mar...@paljak.pri.ee>:
If everything is working fine, there's nothing to worry about. If not, then it
can be fixed by implementing a proper GET CHALLENGE method in card-setcos.c. If
you can sniff the correct APDU for this (or if you have the manual), that would be
great. Or something in pkcs11_inspect should be fixed to not depend on the
smart card module's C_GenerateRandom().
I could not find any use of C_GenerateRandom() by pam_pkcs11. So I am
not sure the culprit is pkcs11_inspect or another part of pam_pkcs11.
pam_sm_authenticate in src/pam_pkcs11/pam_pkcs11.c [1] calls get_random_value
[2] which has two implementations in src/common/pkcs11_lib.c:
- one that uses C_GenerateRandom [3]
- one that uses /dev/random [4]
I think this is the "main" authentication callback of pam_pkcs11?
The two different implementations seem to come from NSS vs no NSS.
[1]http://www.opensc-project.org/pam_pkcs11/browser/trunk/src/pam_pkcs11/pam_pkcs11.c#L173
[2]http://www.opensc-project.org/pam_pkcs11/browser/trunk/src/pam_pkcs11/pam_pkcs11.c#L597
[3]http://www.opensc-project.org/pam_pkcs11/browser/trunk/src/common/pkcs11_lib.c#L834
[4]http://www.opensc-project.org/pam_pkcs11/browser/trunk/src/common/pkcs11_lib.c#L1754
_______________________________________________
opensc-devel mailing list
opensc-devel@lists.opensc-project.org
http://www.opensc-project.org/mailman/listinfo/opensc-devel
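The question at the top of the thread, whether a full OpenSC debug log exposes the private keys, is worth making concrete. On a PKCS#15 card the private keys are stored as non-exportable objects and the card OS does not return them in any response, so they cannot appear in a trace. What an APDU trace does contain is the data field of every command the host sent, which includes the PIN whenever it is typed on the host rather than on a pinpad reader, plus the certificates (public, but they carry the holder's name). The script below is an added example for this thread, not code from OpenSC or pam_pkcs11: it blanks the data field of VERIFY, CHANGE REFERENCE DATA and RESET RETRY COUNTER APDUs before a trace is posted. The "Outgoing APDU (n bytes):" header and the hex-dump line shape are assumptions about OpenSC's trace format, and SAMPLE_TRACE is constructed to match them; adjust the two regexes if a given build prints differently.

```python
"""Redact PIN-bearing APDUs from an OpenSC debug trace before sharing it.

Added example for the opensc-devel thread above; not code from OpenSC or
pam_pkcs11. HEADER and HEXLINE are assumptions about the trace format,
and SAMPLE_TRACE is a constructed excerpt that matches them.
"""
import re
import sys
from pathlib import Path

# ISO 7816-4 instructions whose command data field carries a PIN.
# A PKCS#15 card never returns private key bytes in an APDU, so with a
# host-entered PIN these data fields are the real secret in a trace.
SENSITIVE_INS = {
    0x20: "VERIFY",
    0x24: "CHANGE REFERENCE DATA",
    0x2C: "RESET RETRY COUNTER",
}
HEADER_LEN = 5  # CLA INS P1 P2 Lc are kept so the command stays identifiable

HEADER = re.compile(r"Outgoing APDU \((?P<n>\d+) bytes\)")
HEXLINE = re.compile(
    r"^(?P<indent>\s*)(?P<hex>[0-9A-Fa-f]{2}(?: [0-9A-Fa-f]{2})*)(?P<tail>.*)$"
)

# Constructed sample: SELECT FILE 3F00, then VERIFY of PIN "1234" padded with FF.
SAMPLE_TRACE = """\
0x7f3a [opensc-pkcs11] apdu.c:384:sc_single_transmit: called
Outgoing APDU (7 bytes):
00 A4 00 00 02 3F 00 .....?.
Incoming APDU (2 bytes):
90 00 ..
Outgoing APDU (13 bytes):
00 20 00 81 08 31 32 33 34 FF FF FF FF ....1234....
Incoming APDU (2 bytes):
90 00 ..
"""


def redact_trace(text: str) -> tuple[str, list[str]]:
    """Return (redacted trace, findings).

    Only the data field of sensitive outgoing APDUs is replaced by "xx"
    tokens (and the ASCII column of those lines dropped, since it echoes
    the same bytes); every other line is passed through verbatim.
    """
    lines = text.splitlines()
    out: list[str] = []
    findings: list[str] = []
    i = 0
    while i < len(lines):
        m = HEADER.search(lines[i])
        out.append(lines[i])
        hdr_no = i + 1  # 1-based line number of the header, for the report
        i += 1
        if not m:
            continue
        want = int(m.group("n"))
        # Collect the hex-dump lines belonging to this APDU (16 bytes per line).
        chunks: list[tuple[str, str, list[str]]] = []
        got = 0
        while i < len(lines) and got < want:
            hm = HEXLINE.match(lines[i])
            if not hm:
                break  # truncated dump: classify on what we have
            toks = hm.group("hex").split(" ")
            chunks.append((lines[i], hm.group("indent"), toks))
            got += len(toks)
            i += 1
        flat = [t for _, _, toks in chunks for t in toks]
        ins = int(flat[1], 16) if len(flat) >= HEADER_LEN else None
        name = SENSITIVE_INS.get(ins) if ins is not None else None
        pos = 0
        for orig, indent, toks in chunks:
            if name is None:
                out.append(orig)
            else:
                masked = [t if pos + k < HEADER_LEN else "xx"
                          for k, t in enumerate(toks)]
                out.append(indent + " ".join(masked))
            pos += len(toks)
        if name is not None:
            findings.append(f"line {hdr_no}: {name} data field redacted "
                            f"({len(flat) - HEADER_LEN} bytes)")
    return "\n".join(out), findings


def main(argv: list[str]) -> int:
    text = Path(argv[1]).read_text() if len(argv) > 1 else SAMPLE_TRACE
    redacted, findings = redact_trace(text)
    sys.stdout.write(redacted + "\n")
    for f in findings:
        print("#", f, file=sys.stderr)
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `python3 redact_trace.py opensc-debug.log > opensc-debug.redacted.log`; the findings on stderr list which headers had their data field blanked, so you can confirm the PIN was caught before attaching the file. It deliberately does nothing about certificates or the CN printed by pkcs11_inspect: those are public objects, and whether a name is acceptable to post is a judgement call, not something a regex should make silently.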