Re: [opensc-devel] sc_reset
Josep Monés Teixidor wrote: Hello Nils, On Tue, 2006-03-21 at 20:38 +0100, Nils Larsch wrote: SC_SUCCESS is better than 0 [] if the reader doesn't support this operation this function MUST return a error like SC_ERROR_NOT_SUPPORTED (and of course applications using this features must be able to handle this return value). Just for the record: this patch intended to mimic sc_lock and sc_unlock functions, which use 0 and don't return SC_ERROR_NOT_SUPPORTED if pointer is not initialized. the reason why I insist on this function to return an error when the reset operation isn't supported by the reader driver is that this function might be used to invalidate user credentials and in this case it's important to know whether the operation succeeded or simple did nothing. I include your suggestions in a second try. actually one should _never_ ignore return values ;-) well... this actually was different than sc_lock and sc_unlock, because these functions overwrite r if there has been an error because they assign sc_unlock result to it (which looks like a bug to me). I don't believe on such maximalisms, but if you really need this is a security library, we can't be pedantic enough :) sc_mutex_unlock's error, then i think it's better to return reset error if both fail (which will be more explanatory). Do you agree? yep, although a better solution would be have a (thread specific) error stack ... I guess this should be implemented in 0.12 It should be mentioned that this function is not always implemented (depending on the used reader driver used). I hope someone who interfaces a reader using CT-API or OpenCT will be willing to add this for those backends ;) I've included a comment following your suggestion in the meanwhile. I hope you like this second try. slightly modified and applied. Please test a recent snapshot. Cheers, Nils ___ opensc-devel mailing list opensc-devel@lists.opensc-project.org http://www.opensc-project.org/mailman/listinfo/opensc-devel
[opensc-devel] "lock_login = true" in opensc.conf
Hi, Martin said that he would like to set "lock_login" to true as the default value in our opensc.conf. Are there any objections against this (incl. security concerns) ? Cheers, Nils ___ opensc-devel mailing list opensc-devel@lists.opensc-project.org http://www.opensc-project.org/mailman/listinfo/opensc-devel
[opensc-devel] feature freeze for 0.11
unless someone has something extremly important that needs to be included in the upcoming 0.11 release I would like to announce a feature freeze for 0.11. Cheers, Nils ___ opensc-devel mailing list opensc-devel@lists.opensc-project.org http://www.opensc-project.org/mailman/listinfo/opensc-devel
Re: [opensc-devel] User Pin not initialized
Hi Eddy,
sorry for the delayed response
StartCom Ltd. wrote:
Hi Nils,
When using pam_pkcs11 it fails to login because of "open_pkcs11_login()
failed: C_Login() failed: 102"
Looking up the code for 102 points me to CKR_USER_PIN_NOT_INITIALIZED
Am I right with this so far? Now the question is why?
Function pkcs11_login in pkcs11_lib.c makes this call:
rv = h->fl->C_Login(h->session, CKU_USER, (unsigned char*)password,
strlen(password));
if (rv != CKR_OK) {
And fails currently with code 102Nils, could you confirm, that this
is the right code and the user pin is not initialized at this point?
Than we just have to find out whyBTW, I could nowhere find the
C_Login function...from where is it? Opensc module?
it should be src/pkcs11/pkcs11-session.c but I think the problem
is in pkcs15_login (framework-pkcs15.c same dir).
could you send me the "pkcs15-tool --dump" output ?
Cheers,
Nils
___
opensc-devel mailing list
opensc-devel@lists.opensc-project.org
http://www.opensc-project.org/mailman/listinfo/opensc-devel
Re: [opensc-devel] feature freeze for 0.11
On Wednesday 22 March 2006 13:57, Nils Larsch wrote: > unless someone has something extremly important that needs > to be included in the upcoming 0.11 release I would like > to announce a feature freeze for 0.11. I'd really like to get my eutron card working in the next version. What's the schedule? Is it practical for starcos 2.4 support to be part of the frozen features? Note: openct also needs to be updated, but I think that is mostly solved. -Justin ___ opensc-devel mailing list opensc-devel@lists.opensc-project.org http://www.opensc-project.org/mailman/listinfo/opensc-devel
Re: [opensc-devel] feature freeze for 0.11
Justin Karneges wrote: On Wednesday 22 March 2006 13:57, Nils Larsch wrote: unless someone has something extremly important that needs to be included in the upcoming 0.11 release I would like to announce a feature freeze for 0.11. I'd really like to get my eutron card working in the next version. What's the schedule? Is it practical for starcos 2.4 support to be part of the frozen features? starcos 2.4 should already work (perhaps except for a missing ATR but adding a new ATR is trivial and harmless change) as afaik the differences between starcos spk 2.3 and starcos spk 2.4 are negligible as far as opensc is concerned. Cheers, Nils ___ opensc-devel mailing list opensc-devel@lists.opensc-project.org http://www.opensc-project.org/mailman/listinfo/opensc-devel
Re: [opensc-devel] feature freeze for 0.11
On Wednesday 22 March 2006 15:05, you wrote: > starcos 2.4 should already work (perhaps except for a missing ATR > but adding a new ATR is trivial and harmless change) as afaik the > differences between starcos spk 2.3 and starcos spk 2.4 are > negligible as far as opensc is concerned. I've added the ATR to the table. The basic stuff works: # opensc-tool --atr 3b:b7:18:00:c0:3e:31:fe:65:53:50:4b:32:34:90:00:25 # opensc-tool --serial 04 90 50 55 00 18 2B 1D ..PU..+. # opensc-tool --name STARCOS SPK 2.3 But --list-files does not: # opensc-tool - --list-files [snip] card.c:221:sc_transceive: Sending 8 bytes (resp. 258 bytes): 00 A4 00 00 02 3F 00 00 .?.. card.c:274:sc_transmit_apdu: Received 0 bytes (SW1=62 SW2=84) card.c:254:sc_transmit_apdu: called card.c:221:sc_transceive: Sending 7 bytes (resp. 258 bytes): 00 A4 00 0C 02 3F 00 .?. card.c:274:sc_transmit_apdu: Received 0 bytes (SW1=90 SW2=00) card-starcos.c:356:starcos_select_fid: returning with: 0 card.c:770:sc_select_file: returning with: 0 3f00 type: DF, size: 0 select[N/A] lock[N/A] delete[N/A] create[N/A] rehab[N/A] inval[N/A] list[N/A] card.c:571:sc_list_files: called card.c:573:sc_list_files: returning with: Not supported sc_list_files() failed: Not supported [snip] What is to blame here? -Justin ___ opensc-devel mailing list opensc-devel@lists.opensc-project.org http://www.opensc-project.org/mailman/listinfo/opensc-devel
Re: [opensc-devel] feature freeze for 0.11
--On Wednesday, March 22, 2006 03:52:20 PM -0800 Justin Karneges <[EMAIL PROTECTED]> wrote: On Wednesday 22 March 2006 15:05, you wrote: But --list-files does not: # opensc-tool - --list-files card.c:571:sc_list_files: called card.c:573:sc_list_files: returning with: Not supported sc_list_files() failed: Not supported [snip] What is to blame here? It appears from the source, that starcos doesn't support list_files. That isn't too surprising, as file listing is not standardized in 7816-4 (or any other part of 7816, IIRC). run opensc-explorer, and try the following sequence: info get 2f00 cd 5015 info get 5031 get 5032 get 4401 (the 2f00 and 4401 parts might fail, the others shouldn't) you can also see if pkcs15-tool --list-pins (or keys or certificates) works p7sHBuMwIp8Oo.p7s Description: S/MIME cryptographic signature ___ opensc-devel mailing list opensc-devel@lists.opensc-project.org http://www.opensc-project.org/mailman/listinfo/opensc-devel
Re: [opensc-devel] feature freeze for 0.11
On Wednesday 22 March 2006 16:45, Chaskiel M Grundman wrote: > --On Wednesday, March 22, 2006 03:52:20 PM -0800 Justin Karneges > > <[EMAIL PROTECTED]> wrote: > > On Wednesday 22 March 2006 15:05, you wrote: > > > > But --list-files does not: > > > ># opensc-tool - --list-files > > card.c:571:sc_list_files: called > > card.c:573:sc_list_files: returning with: Not supported > > sc_list_files() failed: Not supported > > [snip] > > > > What is to blame here? > > It appears from the source, that starcos doesn't support list_files. That > isn't too surprising, as file listing is not standardized in 7816-4 (or any > other part of 7816, IIRC). Ah hah. > run opensc-explorer, and try the following sequence: > > info > get 2f00 > cd 5015 > info > get 5031 > get 5032 > get 4401 > > (the 2f00 and 4401 parts might fail, the others shouldn't) > you can also see if pkcs15-tool --list-pins (or keys or certificates) works Log below. Doesn't look good. Could these problems be related to the openct driver, or are we done with that? It would be nice to cross something off the list... -Justin # opensc-explorer - OpenSC Explorer version 0.10.1 sc.c:140:sc_detect_card_presence: called reader-openct.c:208:openct_reader_detect_card_presence: called sc.c:145:sc_detect_card_presence: returning with: 1 card.c:372:sc_connect_card: called reader-openct.c:232:openct_reader_connect: called card.c:402:sc_connect_card: matching configured ATRs card.c:447:sc_connect_card: matching built-in ATRs [snip] card.c:453:sc_connect_card: trying driver: starcos card.c:961:match_atr_table: ATR : 3b:b7:18:00:c0:3e:31:fe:65:53:50:4b:32:34:90:00:25 card.c:969:match_atr_table: ATR try : 3B:B7:94:00:c0:24:31:fe:65:53:50:4b:32:33:90:00:b4 card.c:969:match_atr_table: ATR try : 3B:B7:94:00:81:31:fe:65:53:50:4b:32:33:90:00:d1 card.c:969:match_atr_table: ATR try : 3B:B7:18:00:C0:3E:31:FE:65:53:50:4B:32:34:90:00:25 card.c:459:sc_connect_card: matched: STARCOS SPK 2.3 card.c:487:sc_connect_card: card info: STARCOS SPK 2.3, 7001, 0x0 card.c:488:sc_connect_card: returning with: 0 card.c:525:sc_lock: called reader-openct.c:388:openct_reader_lock: called card.c:748:sc_select_file: called; type=2, path=3f00 card-starcos.c:367:starcos_select_file: called card-starcos.c:374:starcos_select_file: current path (path, valid): (len: 0) card.c:254:sc_transmit_apdu: called card.c:221:sc_transceive: Sending 8 bytes (resp. 258 bytes): 00 A4 00 00 02 3F 00 00 .?.. card.c:274:sc_transmit_apdu: Received 0 bytes (SW1=62 SW2=84) card.c:254:sc_transmit_apdu: called card.c:221:sc_transceive: Sending 7 bytes (resp. 258 bytes): 00 A4 00 0C 02 3F 00 .?. card.c:274:sc_transmit_apdu: Received 0 bytes (SW1=90 SW2=00) card-starcos.c:356:starcos_select_fid: returning with: 0 card.c:770:sc_select_file: returning with: 0 OpenSC [3F00]> info Dedicated File ID 3F00 File path: 3F00 File size: 0 bytes ACL for SELECT: N/A ACL for LOCK:N/A ACL for DELETE: N/A ACL for CREATE: N/A ACL for REHABILITATE:N/A ACL for INVALIDATE: N/A ACL for LIST FILES: N/A OpenSC [3F00]> get 2f00 card.c:748:sc_select_file: called; type=2, path=3f002f00 card-starcos.c:367:starcos_select_file: called card-starcos.c:374:starcos_select_file: current path (path, valid): 3f00 (len: 2) card.c:254:sc_transmit_apdu: called card.c:221:sc_transceive: Sending 8 bytes (resp. 258 bytes): 00 A4 00 00 02 2F 00 00 ./.. card.c:274:sc_transmit_apdu: Received 0 bytes (SW1=6A SW2=82) card-starcos.c:1238:starcos_check_sw: sw1 = 0x6a, sw2 = 0x82 iso7816.c:98:iso7816_check_sw: File not found card-starcos.c:312:starcos_select_fid: returning with: File not found card.c:770:sc_select_file: returning with: File not found unable to select file: File not found OpenSC [3F00]> cd 5015 card.c:748:sc_select_file: called; type=2, path=3f005015 card-starcos.c:367:starcos_select_file: called card-starcos.c:374:starcos_select_file: current path (path, valid): 3f00 (len: 2) card.c:254:sc_transmit_apdu: called card.c:221:sc_transceive: Sending 8 bytes (resp. 258 bytes): 00 A4 00 00 02 50 15 00 .P.. card.c:274:sc_transmit_apdu: Received 0 bytes (SW1=62 SW2=84) card.c:254:sc_transmit_apdu: called card.c:221:sc_transceive: Sending 7 bytes (resp. 258 bytes): 00 A4 00 0C 02 50 15 .P. card.c:274:sc_transmit_apdu: Received 0 bytes (SW1=90 SW2=00) card-starcos.c:356:starcos_select_fid: returning with: 0 card.c:770:sc_select_file: returning with: 0 OpenSC [3F00/5015]> info Dedicated File ID 5015 File path: 3F00/5015 File size: 0 bytes ACL for SELECT: N/A ACL for LOCK:N/A ACL for DELETE: N/A ACL for CREATE: N/A ACL for REHABILITATE:N/A ACL for INVALIDATE: N/A ACL for LIST FILES: N/A OpenSC [3F00/5015]> get 5031 card.c:748:sc_select_file: called; type=2, path=3f0050155031 card-starcos.c:367:starcos_select_file: called card-starcos.c:374:starcos_select_file: current path (path, valid): 3f0050
Re: [opensc-devel] feature freeze for 0.11
--On Wednesday, March 22, 2006 05:19:06 PM -0800 Justin Karneges <[EMAIL PROTECTED]> wrote: Could these problems be related to the openct driver, or are we done with that? It would be nice to cross something off the list... looks like openct to me. I think we need to go back to ifdhandler traces. ___ opensc-devel mailing list opensc-devel@lists.opensc-project.org http://www.opensc-project.org/mailman/listinfo/opensc-devel
Re: [opensc-devel] feature freeze for 0.11
On Wednesday 22 March 2006 17:41, Chaskiel M Grundman wrote: > --On Wednesday, March 22, 2006 05:19:06 PM -0800 Justin Karneges > > <[EMAIL PROTECTED]> wrote: > > Could these problems be related to the openct driver, or are we done with > > that? It would be nice to cross something off the list... > > looks like openct to me. I think we need to go back to ifdhandler traces. Well, alright. Here we are: --> run opensc-explorer send: ff 11 14 fa recv: ff 01 fe send: 00 00 08 00 a4 00 00 02 3f 00 00 91 recv: 00 00 02 62 84 e4 send: 00 40 07 00 a4 00 0c 02 3f 00 d2 recv: 00 40 02 90 00 d2 --> info --> get 2f00 send: 00 00 08 00 a4 00 00 02 2f 00 00 81 recv: 00 00 02 6a 82 ea --> cd 5015 send: 00 40 08 00 a4 00 00 02 50 15 00 ab recv: 00 40 02 62 84 a4 send: 00 00 07 00 a4 00 0c 02 50 15 e8 recv: 00 00 02 90 00 92 --> info --> get 5031 send: 00 40 08 00 a4 00 00 02 50 31 00 8f recv: 00 40 0b 6f 07 80 02 00 30 82 01 01 90 00 83 send: 00 00 05 00 b0 00 00 01 b4 recv: 00 00 03 a0 90 00 33 send: 00 40 05 00 b0 00 00 30 c5 --> get 5032 --> get 4401 --> quit I don't get replies near the end, I guess it breaks. -Justin ___ opensc-devel mailing list opensc-devel@lists.opensc-project.org http://www.opensc-project.org/mailman/listinfo/opensc-devel
Re: [opensc-devel] "lock_login = true" in opensc.conf
On 22.03.2006, at 23:57, Nils Larsch wrote: Martin said that he would like to set "lock_login" to true as the default value in our opensc.conf. I'd like it to be default *false* in the code (pkcs11/misc.c line 338) (And commented out in the config file) So that several applications could in default configuration / no config file use the module at the same time. m. -- Martin Paljak / [EMAIL PROTECTED] martin.paljak.pri.ee / ideelabor.ee +372 515 64 95 ___ opensc-devel mailing list opensc-devel@lists.opensc-project.org http://www.opensc-project.org/mailman/listinfo/opensc-devel
