Martin,

The OpenSSL engine is called with a 0x24 buffer size and expects it to be
encrypted by the private key with the same length.

Prototype:
---
static
int
__pkcs11h_openssl_enc (
        IN int flen,
        IN const unsigned char *from,
        OUT unsigned char *to,
        IN OUT RSA *rsa,
        IN int padding
) {
---

I may have got this wrong.
Will investigate.

On Thu, Aug 11, 2011 at 10:38 AM, Martin Paljak <mar...@martinpaljak.net> wrote:
> Hello,
>
> 2011/8/11 Jonatan Åkerlind <jonatan.akerl...@sgsstudentbostader.se>:
>> We have a setup using the Aladdin eToken PRO USB device for certificate
>> storage using opensc/openct to interface it with openvpn. Works fine but
>> with pkcs11-helper 1.08 we need to enter the PIN code twice at openvpn
>> startup and then once at each renegotiation. Confirmed with various
>> versions of openvpn (2.1.4/2.2.1), opensc (0.11.13, 0.12.1) and openct
>> (0.6.20), common thing is that it works with pkcs11-helper 1.07 (the PIN
>> caching seems ok and only asks for the pin code once at startup and no
>> more) but with pkcs11-helper 1.08 the PIN caching does not work.
>>
>> Attached is a log from openvpn with verbosity 99 (gives a lot of info)
>> using pkcs11-helper 1.08. It contains the startup and a couple of
>> renegotiations filtered to only include lines with pkcs in them.
>
> This might be relevant:
>
> PKCS#11: __pkcs11h_certificate_doPrivateOperation entry
> certificate=0x72ebb0, op=0, mech_type=1, source=0x7fff40fa3be0,
>              source_size=0000000000000024, target=0x757936,
> *p_target_size=0000000000000024
>
> the target size is the same as input size, which makes one of the
> operations fail with CKR_BUFFER_TOO_SMALL and will trigger another
> try, which will mean another PIN entry. Probably something else is
> fishy as well.
> _______________________________________________
> opensc-devel mailing list
> opensc-devel@lists.opensc-project.org
> http://www.opensc-project.org/mailman/listinfo/opensc-devel
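
The buffer-size behaviour discussed in this thread, as an added example (not part of the original messages, and not pkcs11-helper or OpenSC code): a mock token that follows the PKCS#11 output-length convention, driven once with the 0x24-byte target size from the log and once with a modulus-sized target. Assumptions: `mock_sign`, `mock_login`, `private_op` and the 128-byte `MODULUS_LEN` are hypothetical names and values, and the re-login before the retry is a simplified model of the retry described above.

```c
#include <stdio.h>
#include <string.h>

/* Return codes with the values PKCS#11 assigns them. */
#define CKR_OK               0x000UL
#define CKR_BUFFER_TOO_SMALL 0x150UL
#define MODULUS_LEN 128   /* constructed: 1024-bit RSA key on the mock token */

static int pin_prompts;   /* how many times the user was asked for the PIN */
static void mock_login(void) { pin_prompts++; }

/* Mock RSA private-key operation using the PKCS#11 output-length
 * convention: *out_len always returns the length needed; a NULL buffer
 * is a size query, a short buffer yields CKR_BUFFER_TOO_SMALL. */
static unsigned long mock_sign(const unsigned char *in, size_t in_len,
                               unsigned char *out, size_t *out_len)
{
    size_t cap = *out_len;
    (void)in; (void)in_len;
    *out_len = MODULUS_LEN;
    if (out == NULL) return CKR_OK;
    if (cap < MODULUS_LEN) return CKR_BUFFER_TOO_SMALL;
    memset(out, 0xAA, MODULUS_LEN);   /* placeholder output, not a signature */
    return CKR_OK;
}

/* One private operation. announced_len is the target size given to the
 * token on the first attempt; a failure costs a second login (assumed). */
static unsigned long private_op(size_t announced_len, int *prompts)
{
    unsigned char in[0x24] = {0}, out[MODULUS_LEN];
    size_t len = announced_len;
    unsigned long rv;
    pin_prompts = 0;
    mock_login();
    rv = mock_sign(in, sizeof in, out, &len);
    if (rv == CKR_BUFFER_TOO_SMALL && len <= sizeof out) {
        mock_login();                 /* the extra PIN entry */
        rv = mock_sign(in, sizeof in, out, &len);
    }
    *prompts = pin_prompts;
    return rv;
}

int main(void)
{
    int small, sized;
    private_op(0x24, &small);         /* target size == source size, as logged */
    private_op(MODULUS_LEN, &sized);  /* target size == modulus size */
    printf("PIN prompts: 0x24 target=%d, modulus-sized target=%d\n", small, sized);
    return 0;
}
```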