r/2008-July/002561.html
http://www.opensc-project.org/mailman/private/opensc-internal/2008-June/000335.html
Discussion with Nils 5/2008, a prototype option, we agreed this is a
fundamental problem of the project, but neither had resources to
actually solve it.
Regards,
Alon Bar-Lev.
1. Firefox behaves correctly, it opens a long-living session with the crypto
token, in order to reduce the number of times the user is prompted for
the passphrase.
2. Firefox monitors slots, to be able to detect new certificate
availability so it can prompt the user for one if requested. It is
true that it can
On Sat, May 7, 2011 at 10:57 PM, Peter Stuge wrote:
> Alon Bar-Lev wrote:
>> However, there are some advanced cards that can generate
>> authentication token, so you can actually authenticate once using
>> PIN get authentication token out of the card (many can be available
This is a matter of interpretation.
Either is not constant and the user is not supposed to know of it.
Apart from the special case of having a single slot, so you expect 0 I presume.
You can check which slot is what simply by using:
pkcs11-tool --list-slots --module /usr/lib/pkcs11/
On Mon, May 9, 2011
2011/5/9 Jean-Michel Pouré - GOOZE :
> Dear Alon,
>
> Could you comment the alternative, where OpenSC would behave as a
> client-server application pooling access requests from applications and
> locking the card in exclusive mode, i.e. work as a proxy.
>
> Kind regards,
Hi,
This had been raised l
On Tue, May 10, 2011 at 1:18 PM, Giuliano Bertoletti wrote:
> I pointed out the slot_id matter instead because it is just wrong to start
> from the assumption that the user knows it and it won't change between
> multiple executions.
Same for index.
Sorry, I still cannot see your point.
Had you ar
Use this[1] to build using cross compiler.
[1] https://www.opensc-project.org/build
On Tue, May 10, 2011 at 10:36 AM, Giuliano Bertoletti wrote:
>
> Hello,
>
> unfortunately I'm still fighting with the compiler to rebuild the
> engine_pkcs11 library (under Windows / Mingw or Visual C++).
> Once
lot by slot
> description (or better the token by token description) is the safest way to
> locate the proper container where crypto material is held.
>
> Giulio.
>
>
>
> Il 10/05/2011 14.38, Alon Bar-Lev ha scritto:
>>
>> On Tue, May 10, 2011 at 1:18 PM, Giul
This will break many people's usages.
Until now it was assumed that if --module is not specified the opensc
provider is loaded.
And as pkcs11-tool is part of opensc, I know many who did not specify this.
I know that something was broken recently with finding the default
module, however, do you r
On Thu, May 19, 2011 at 1:22 PM, Martin Paljak wrote:
> Hello,
>
> On Mon, May 9, 2011 at 23:22, Alon Bar-Lev wrote:
>> This had been raised long ago.
>> Create a proxy PKCS#11 that uses another PKCS#11.
> p11-kit might be the right tool for this kind of things?
Hi,
This is only for MSC build, not for mingw.
But as this project is going to MSC release anyway...
On Sat, May 28, 2011 at 11:07 PM, Viktor Tarasov
wrote:
>
> Hello,
>
> I would like to link statically the PKCS#11 module for Windows,
> or at least to include the static version of this module into t
On Sat, May 28, 2011 at 11:47 PM, Viktor Tarasov
wrote:
> Le 28/05/2011 22:17, Alon Bar-Lev a écrit :
>>
>> This is only for MSC build, not for mingw.
>> But as this project is going to MSC release anyway...
>
> I'm looking to have this static module in MSI.
> D
On Wed, Jun 8, 2011 at 2:18 PM, Martin Paljak wrote:
>> Trac sends emails about new tickets, can you convert that into RSS?
> RSS has *always* been available from Trac timelines and other pages, most
> browsers these days display an RSS button that reveals this. Cutting off
> things from opensc-c
On Thu, Jun 9, 2011 at 10:33 AM, Martin Paljak wrote:
>
> On Jun 8, 2011, at 21:12 , Alon Bar-Lev wrote:
>
>> On Wed, Jun 8, 2011 at 2:18 PM, Martin Paljak
>> wrote:
>>>> Trac sends emails about new tickets, can you convert that into RSS?
>>> RSS has *
Yes.
Most [usable] providers support this.
Although there are different issues to solve in your case, such as
calling C_Initialize twice, and not calling C_Finalize if C_Initialize
returned already initialized.
Also, some implementations will treat authentication state same for
all sessions,
On Sun, Jun 12, 2011 at 6:29 AM, Douglas E. Engert wrote:
> The application should not depend on the flags in PKCS#15, but only depend on
> the certificate or other signed objects that can be read from the card and
> the ability
> of the card to do the crypto.
Right.
Only authenticated fields (s
On Mon, Jun 13, 2011 at 6:56 PM, Viktor Tarasov
wrote:
> It's about defining the OpenSC vendor specific attribute.
> In complete accordance with the PKCS#11.
> Vendor defined CKA_ attribute fits the PKCS#11 specification.
I don't like adding vendor specific CKA_ attributes into opensc
On Tue, Jun 14, 2011 at 5:15 PM, Viktor Tarasov
wrote:
> So, if no objections,
> in the framework-pkcs15 I will set the 'nonRepudiation' PKCS#15 flag, if the
> key 'create-object' template contains the CKA_ALWAYS_AUTHENTICATE and CKA_SIGN
> attributes. Thus there is no more need of the vendor spe
On Wed, Jun 15, 2011 at 12:14 PM, Viktor Tarasov
wrote:
> Douglas proposed to associate the CKA_ALWAYS_AUTHENTICATE together with
> CKA_SIGN attributes on the PKCS#11 side,
> with the 'nonRepudiation' flags on the PKCS#15 side.
> Imho, it's a legitimate solution -- 'ALWAYS_AUTHENTICATE' is quite c
On Wed, Jun 15, 2011 at 2:05 PM, Martin Paljak wrote:
> Given that in practice, CKA_ALWAYS_AUTHENTICATE is almost exclusively used
> with nonrepudiation signature keys and the fact that the usual creation of
> such keys through PKCS#11 is not a common operation, it sounds like a useful
> signal
OK.
I think we have all facts.
Thanks.
On Thu, Jun 16, 2011 at 1:14 PM, Martin Paljak wrote:
>
> Hello,
>
> On Wed, Jun 15, 2011 at 14:28, Alon Bar-Lev wrote:
> > On Wed, Jun 15, 2011 at 2:05 PM, Martin Paljak
> > wrote:
> >> Given that in practice,
Right.
But you forgot to free the memory.
I've applied a similar solution at r201.
On Fri, Jun 17, 2011 at 2:55 PM, Jonathan Giannuzzi
wrote:
> Hello,
> When using libp11 to wrap around the AET SafeSign PKCS#11 library, C_GetInfo
> fails with CKR_MUTEX_BAD. This is because an empty CK_C_INITIALIZE_
Hello Stef,
I think that each project is targeting a different set of problems.
I am fully open to discussion, but this is how I see things:
pkcs11-helper targets developers who like to introduce PKCS#11 into
their application, especially for smartcard. It allows to minimize the
user interact
2011/8/4 Jean-Michel Pouré - GOOZE :
> Le lundi 01 août 2011 à 14:11 +0200, Stef Walter a écrit :
>> * Initializing modules via p11-kit so that refcounting, and
>> pInitArgs stuff works if more than one app/library in the
>> same process uses a PKCS#11 module.
>>
>> * Safe forking (pkcs11-h
Martin,
The openssl engine is called with 0x24 buffer size and expects it to be
encrypted by the private key with the same length.
Prototype:
---
static
int
__pkcs11h_openssl_enc (
IN int flen,
IN const unsigned char *from,
OUT unsigned char *to,
IN OUT RSA *rsa,
IN
Jonatan,
Can you please try the attached patch and see if it helps?
Thanks!
On Thu, Aug 11, 2011 at 11:20 AM, Alon Bar-Lev wrote:
>
> Martin,
>
> The openssl engine is called with 0x24 buffer size and expects it to be
> encrypted by the private key with the same length.
>
> Prot
There had always been a unified API: PKCS#11.
Well, in the Microsoft environment there was the CryptoAPI Provider.
The good thing about CryptoAPI is that it allowed enough flexibility so
that, for example, you could have created a generic CryptoAPI provider
on top of PKCS#11.
In the MiniDriver, Microsoft adva
So Stef,
How do you want to proceed?
On Thu, Aug 4, 2011 at 7:58 PM, Alon Bar-Lev wrote:
> 2011/8/4 Jean-Michel Pouré - GOOZE :
>> Le lundi 01 août 2011 à 14:11 +0200, Stef Walter a écrit :
>>> * Initializing modules via p11-kit so that refcounting, and
>>> pInitAr
Thanks for your report and testing!
2011/8/16 Jonatan Åkerlind :
> On fre, 2011-08-12 at 23:20 +0300, Alon Bar-Lev wrote:
>> Jonatan,
>> Can you please try the attached patch and see if it helps?
>> Thanks!
> ...
>>
>> seems to work fine, will continue test
Hello,
pkcs11-helper-1.09 is available.
Fixed issue introduced in 1.08 related to OpenSSL engine signature.
ChangeLog
2011-08-16 - Version 1.09
* Do not retry if CKR_BUFFER_TOO_SMALL and non-NULL target.
* Fixup OpenSSL engine's rsa_priv_enc to use RSA size output buffer.
2 on this server.
>
> Regards,
>
> On Wed, 28 Sep 2011 15:40:00 +0300, Alon Bar-Lev
> wrote:
>> Use build-011
>>
>> On Wed, Sep 28, 2011 at 1:39 PM, wrote:
>>>
>>> Hi All,
>>>
>>> any clue what is wrong?! :(
>>>
>>
Use build-011
On Wed, Sep 28, 2011 at 1:39 PM, wrote:
>
> Hi All,
>
> any clue what is wrong?! :(
>
> Rgds
>
> On Sun, 25 Sep 2011 18:38:39 +0200, wrote:
> > Hello All,
> >
> > Currently I am having troubles to get the latest build (32bit) of
> > prebuild OpenVPN/OpenSC/OpenSSL to work alltogeth
2011 UDPv4 link remote: 217.253.136.195:1194
> Enter OpenSC Card (Patrick Reeb) token Password:
> Wed Sep 28 16:04:07 2011 PKCS#11: Cannot perform signature
> 6:'CKR_FUNCTION_FAILED'
> Wed Sep 28 16:04:07 2011 TLS_ERROR: BIO read tls_read_plaintext error:
> error:
:51:25 2011 us=796000 PKCS#11: _pkcs11h_session_reset
> return rv=0-'CKR_OK', *p_slot=1
> Wed Sep 28 17:51:25 2011 us=796000 PKCS#11: Calling pin_prompt hook for
> 'OpenSC Card (xxx yyy)'
> Wed Sep 28 17:51:25 2011 us=796000 ERROR: could not not read OpenSC
> Card
ks twice for the
> PIN, for the second and following connection attempts (I aborted here
> not to lose start of log because of buffer limitations) it asks only
> once...
>
> On Thu, 29 Sep 2011 21:13:52 +0300, Alon Bar-Lev
> wrote:
>> This is strange.
>> The signature
ject Flags : [0x2], modifiable
> Authority : no
> Path : 3f0050154545
> ID : 45
> Encoded serial : 02 01 02
>
>
> C:\Program Files\OpenVPN\share\openvpn-win32\config>
>
>
> On Fri, 30 Sep 2011 18:45:31 +0300
:
> Hello Gents,
>
> just enquiring for a feedback. did you find something out on this
> issue? Seems something was broken in newer OpenSC / OpenVPN...
>
> Rgds, PR
>
> On Mon, 3 Oct 2011 15:09:28 +0200, Alon Bar-Lev
> wrote:
>> Martin,
>> I need your help here..
Hello,
You can't.
pkcs11-helper targets developers who want to use smartcards without
overhead of the actual card management.
Well-behaved smartcards should not allow export of the private key.
Why do you need the private key anyway?
Alon.
On Thu, Nov 10, 2011 at 3:27 AM, weizhong qiang wrote:
> h
t 10:02 AM, weizhong qiang
wrote:
> hi Alon,
>
> On Nov 10, 2011, at 8:24 AM, Alon Bar-Lev wrote:
>
> Hello,
>
> You can't.
> pkcs11-helper targets developers who want to use smartcards without
> overhead of the actual card management.
> Well behaved smartcards shoul
On Wed, Nov 9, 2011 at 7:39 PM, Viktor Tarasov wrote:
> Hello,
>
> I would like to 'touch' the PKCS#11 module of OpenSC and looking for your
> opinions/suggestions about:
> - removing of 'pkcs15init' framework;
> - configurable support of the multi on-card applications and multi-pins;
> - removin
On Thu, Nov 10, 2011 at 2:08 PM, weizhong qiang wrote:
>> OpenSSL is fully compatible with this approach, having RSA object that
>> can be used for crypto operation without actually having the private
>> key. This is done via the concept of "engine" which delegate the
>> crypto calls to the hardwa
On Thu, Nov 10, 2011 at 3:10 PM, weizhong qiang wrote:
> hi Alon,
> Sorry that I made you confused.
>
> On Nov 10, 2011, at 1:20 PM, Alon Bar-Lev wrote:
>
>> On Thu, Nov 10, 2011 at 2:08 PM, weizhong qiang
>> wrote:
>>>> OpenSSL is fully compatible wit
On Thu, Nov 10, 2011 at 4:06 PM, weizhong qiang wrote:
> As I mentioned, I need to use an EEC credential to generate a proxy
> credential (the process is the same as when you use a CA credential to generate an EEC
> credential).
> For the generation step, I need to use X509_sign (int X509_sign(X509 *x,
> EVP
On Thu, Nov 10, 2011 at 5:12 PM, weizhong qiang wrote:
>
> On Nov 10, 2011, at 3:40 PM, Alon Bar-Lev wrote:
>
>> On Thu, Nov 10, 2011 at 4:06 PM, weizhong qiang
>> wrote:
>>> As I mentioned that I need to use EEC credential to generate a proxy
>>> creden