Hi everyone,

I tried to get Windows smartcard logon and SSH login with PuTTY to work with my Feitian PKI smartcard on x64 Windows 7, and decided to try OpenSC's minidriver using the latest nightly build (5352, to be precise). I'm posting my findings here at the request of mrtn, who helped me out a lot today. My findings so far:

- The installer puts the registry settings about where to find its card profiles and config file in an incorrect location (HKLM\Software\OpenSC Project\OpenSC (64bit)\ instead of HKLM\Software\OpenSC Project\OpenSC\), resulting in the tools not being able to find the profiles and configuration files. Changing the key name in the registry to "OpenSC" solves this.

- Furthermore, using pkcs15-init with more than one -v flag crashes the tool immediately.

- Also, trying to erase the card with pkcs15-init -E crashes the tool, regardless of whether the card was blank or previously initialized. The crash seems to happen after the card is erased though, because it is empty afterwards.

- Initializing the card and uploading keys and certificates seems to work:

---------------------------8<----------------------
C:\Program Files\OpenSC Project\OpenSC\tools>pkcs15-init --create-pkcs15 --profile pkcs15+onepin --use-default-transport-key --pin xxxx --puk xxxx --label "Rien Broekstra"
Using reader with a card: OMNIKEY CardMan 3x21 0

C:\Program Files\OpenSC Project\OpenSC\tools>
---------------------------8<----------------------

---------------------------8<----------------------
C:\Program Files\OpenSC Project\OpenSC\tools>pkcs15-init.exe --store-private-key c:\Users\Rien\Documents\key.pem --auth-id 01
Using reader with a card: OMNIKEY CardMan 3x21 0
User PIN [User PIN] required.
Please enter User PIN [User PIN]:

C:\Program Files\OpenSC Project\OpenSC\toos>
---------------------------8<----------------------

---------------------------8<----------------------
C:\Program Files\OpenSC Project\OpenSC\tools>pkcs15-init.exe --store-certificate c:\Users\Rien\Documents\cert.pem --auth-id 01
Using reader with a card: OMNIKEY CardMan 3x21 0
User PIN [User PIN] required.
Please enter User PIN [User PIN]:

C:\Program Files\OpenSC Project\OpenSC\tools>

C:\Program Files\OpenSC Project\OpenSC\tools>pkcs15-tool.exe -c
Using reader with a card: OMNIKEY CardMan 3x21 0
X.509 Certificate [Certificate]
        Object Flags   : [0x2], modifiable
        Authority      : no
        Path           : 3f0050153100
        ID             : fd76dfb49faccbcc5afac5d06c04d230b4756cfc
        GUID           : {fd76dfb4-9fac-cbcc-5afa-c5d06c04d230}
        Encoded serial : 02 01 01

C:\Program Files\OpenSC Project\OpenSC\tools>pkcs15-tool.exe -k
Using reader with a card: OMNIKEY CardMan 3x21 0
Private RSA Key [Private Key]
        Object Flags   : [0x3], private, modifiable
        Usage          : [0x4], sign
        Access Flags   : [0x0]
        ModLength      : 2048
        Key ref        : 1 (0x1)
        Native         : yes
        Path           : 3f005015
        Auth ID        : 01
        ID             : fd76dfb49faccbcc5afac5d06c04d230b4756cfc
        GUID           : {fd76dfb4-9fac-cbcc-5afa-c5d06c04d230}
---------------------------8<----------------------

- Something seems to be off with the location of the PKCS#11 DLL, because pkcs11-tool.exe can't load the module unless I explicitly specify its location (this may be expected behaviour though?):

---------------------------8<----------------------
C:\Program Files\OpenSC Project\OpenSC\tools>pkcs11-tool.exe --module C:\windows\system32\opensc-pkcs11.dll --test --login
Using slot 1 with a present token (0x1)
Logging in to "Rien Broekstra (User PIN)".
Please enter User PIN:
C_SeedRandom() and C_GenerateRandom():
  seeding (C_SeedRandom) not supported
  seems to be OK
Digests:
  all 4 digest functions seem to work
  MD5: OK
  SHA-1: OK
  RIPEMD160: OK
Signatures (currently only RSA signatures)
  testing key 0 (Private Key)
  all 4 signature functions seem to work
  testing signature mechanisms:
    RSA-X-509: OK
    RSA-PKCS: OK
    SHA1-RSA-PKCS: OK
    MD5-RSA-PKCS: OK
    RIPEMD160-RSA-PKCS: OK
Verify (currently only for RSA):
  testing key 0 (Private Key)
    RSA-X-509: OK
    RSA-PKCS: OK
    SHA1-RSA-PKCS: OK
    MD5-RSA-PKCS: OK
    RIPEMD160-RSA-PKCS: OK
Unwrap: not implemented
Decryption (RSA)
  testing key 0 (Private Key) -- can't be used to decrypt, skipping
No errors
---------------------------8<----------------------

- Furthermore, when I try to access the card via CSP (EIDAuthenticator) it is able to find the certificates on the card. However, whenever I try to log in with them it yields an error that the presented PIN is incorrect, while I'm sure I entered the correct PIN. A snippet from the debug log:

---------------------------8<----------------------
2011-04-17 22:27:09.456 [cardmod] card.c:330:sc_unlock: called
2011-04-17 22:27:09.456 Verify rv:0
2011-04-17 22:27:09.456 [cardmod] card-entersafe.c:992:entersafe_pin_cmd: returning with: 0 (Success)
2011-04-17 22:27:09.456 [cardmod] sec.c:204:sc_pin_cmd: returning with: 0 (Success)
2011-04-17 22:27:09.456 [cardmod] pkcs15-pin.c:496:sc_pkcs15_pincache_add: called
2011-04-17 22:27:09.456 PIN(User PIN) cached
2011-04-17 22:27:09.456 [cardmod] card.c:330:sc_unlock: called
2011-04-17 22:27:09.457 [cardmod] pkcs15-pin.c:289:sc_pkcs15_verify_pin: returning with: 0 (Success)
2011-04-17 22:27:09.457 Pin code correct.
2011-04-17 22:27:09.457 PinsFreshness = 2
2011-04-17 22:27:09.457 P:564 T:604 pCardData:0000000001B436F0
2011-04-17 22:27:09.457 CardRSADecrypt
2011-04-17 22:27:09.457 check_reader_status
2011-04-17 22:27:09.457 pCardData->hSCardCtx:0x00000001 hScard:0x00000000
2011-04-17 22:27:09.457 [cardmod] sc.c:185:sc_detect_card_presence: called
2011-04-17 22:27:09.457 [cardmod] reader-pcsc.c:361:pcsc_detect_card_presence: called
2011-04-17 22:27:09.457 OMNIKEY CardMan 3x21 0 check
2011-04-17 22:27:09.457 current state: 0x00030122
2011-04-17 22:27:09.457 previous state: 0x00030122
2011-04-17 22:27:09.457 card present
2011-04-17 22:27:09.457 [cardmod] reader-pcsc.c:366:pcsc_detect_card_presence: returning with: 5
2011-04-17 22:27:09.457 [cardmod] sc.c:190:sc_detect_card_presence: returning with: 5
2011-04-17 22:27:09.457 check_reader_status r=5 flags 0x00000005
2011-04-17 22:27:09.457 CardRSADecrypt dwVersion=1, bContainerIndex=0,dwKeySpec=1 pbData=0000000001BA65E0, cbData=256
2011-04-17 22:27:09.457 [cardmod] pkcs15-sec.c:83:sc_pkcs15_decipher: called
2011-04-17 22:27:09.457 [cardmod] pkcs15-sec.c:96:sc_pkcs15_decipher: This key cannot be used for decryption: -1209 (Not allowed)
2011-04-17 22:27:09.457 sc_pkcs15_decipher return -1209
2011-04-17 22:27:09.457 sc_pkcs15_decipher erreur Not allowed
---------------------------8<----------------------

And, lastly, puttysc refuses to accept opensc-pkcs11.dll as a PKCS#11 library. Maybe because puttysc is built for 32-bit Windows and the library is 64-bit?

Greetings,
--
Rien Broekstra
r...@rename-it.nl

_______________________________________________
opensc-devel mailing list
opensc-devel@lists.opensc-project.org
http://www.opensc-project.org/mailman/listinfo/opensc-devel
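Added example, not from the post above and not OpenSC code: a small Python script that decodes the PKCS#15 usage mask printed by pkcs15-tool -k, checks whether a minidriver call such as CardRSADecrypt is permitted for that key, and flags the log pattern in the post where the PIN verifies but the decipher is refused with -1209. The mapping of minidriver calls to usage bits, the sample tool output and the sample log lines are constructed for the example; the usage bit values are the PKCS#15 KeyUsageFlags as OpenSC's SC_PKCS15_PRKEY_USAGE_* constants define them.

```python
"""Decode the PKCS#15 key usage mask shown by pkcs15-tool -k and check whether a
minidriver operation is permitted. Added example, not OpenSC code."""
import re

USAGE_BITS = {0x001: "encrypt", 0x002: "decrypt", 0x004: "sign",
              0x008: "signRecover", 0x010: "wrap", 0x020: "unwrap",
              0x040: "verify", 0x080: "verifyRecover", 0x100: "derive",
              0x200: "nonRepudiation"}
# Usage bit each minidriver call needs (assumption made for this example).
OPERATION_NEEDS = {"CardRSADecrypt": "decrypt", "CardSignData": "sign"}

# Constructed sample: the key as listed by pkcs15-tool -k in the post above.
SAMPLE_OUTPUT = """Private RSA Key [Private Key]
        Usage          : [0x4], sign
        Auth ID        : 01
        ID             : fd76dfb49faccbcc5afac5d06c04d230b4756cfc
"""
# Constructed sample: the two cardmod log lines that matter from the post.
SAMPLE_LOG = ["2011-04-17 22:27:09.457 Pin code correct.",
              "2011-04-17 22:27:09.457 sc_pkcs15_decipher return -1209"]

def decode_usage(mask):
    """Return the sorted usage names set in a PKCS#15 usage bitmask."""
    return sorted(name for bit, name in USAGE_BITS.items() if mask & bit)

def parse_keys(text):
    """Parse pkcs15-tool -k output into dicts with label, id and usage mask."""
    keys = []
    for block in re.split(r"(?=^Private RSA Key)", text, flags=re.M):
        label = re.match(r"Private RSA Key \[(.*?)\]", block)
        usage = re.search(r"Usage\s*:\s*\[0x([0-9a-fA-F]+)\]", block)
        key_id = re.search(r"^\s*ID\s*:\s*([0-9a-fA-F]+)", block, re.M)
        if label and usage:
            keys.append({"label": label.group(1), "usage": int(usage.group(1), 16),
                         "id": key_id.group(1) if key_id else None})
    return keys

def check_operation(key, operation):
    """Return (allowed, reason): would this minidriver call succeed on the key?"""
    needed = OPERATION_NEEDS[operation]
    have = decode_usage(key["usage"])
    if needed in have:
        return True, f"{operation} permitted on '{key['label']}' (usage {have})"
    return False, f"{operation} not allowed: '{key['label']}' usage {have} lacks '{needed}'"

def explain_log(log_lines):
    """Verified PIN followed by decipher -1209: key usage failed, not the PIN."""
    pin_ok = any("Pin code correct" in line for line in log_lines)
    denied = any("sc_pkcs15_decipher return -1209" in line for line in log_lines)
    return ("PIN verified; failure is key usage (-1209 Not allowed), not the PIN"
            if pin_ok and denied else "no usage mismatch seen")
```

For the key in the post the mask is 0x4 (sign only), so CardRSADecrypt is refused with "Not allowed" even though the PIN verified; running this check over pkcs15-tool output and the cardmod log before blaming the PIN points at the real cause.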