www.cendio.com
Bug 2533 - problem with deep keys with opensc
Status: CLOSED FIXED
Product: ThinLinc
Component: Smart card
Version: pre-1.0
Hardware/OS: PC Linux
Priority/Severity: P2 Normal
Target Milestone: 4.2.0
Reported: 2007-10-08 14:50
Modified: 2014-04-16 15:44

Description From cendio 2007-10-08 14:50:56
OpenSC has trouble using keys stored several subdirs down on the card. Telia's
eID is one card with this structure.

A bug has been filed in OpenSC's trac:

https://www.opensc-project.org/opensc/ticket/162
------- Comment #1 From cendio 2013-12-04 13:51:03 -------
"Implementation" of this bug consists of checking that we have a recent enough
version of OpenSC, and verifying that it is indeed fixed.
------- Comment #2 From cendio 2014-03-12 08:04:46 -------
The issue indicates that the fixes are included in version 0.12.3, and the tarball
vendordrop used in the client is 0.12.2.
------- Comment #3 From cendio 2014-03-12 08:09:29 -------
(In reply to comment #2)
> The issue indicates that the fixes are included in version 0.12.3, and the tarball
> vendordrop used in the client is 0.12.2.

Next stable release available after 0.12.2 is 0.13.0
------- Comment #4 From cendio 2014-03-12 15:15:21 -------
Release 0.13.0 has two problems that make it fail:

1. The size for the certificate is wrong, which makes our libtasn parser
   fail. Fedora has a backported fix for this regression which works fine.

  
http://pkgs.fedoraproject.org/cgit/opensc.git/tree/0001-pkcs15-regression-in-e35febe-compute-cert-length.patch

2. A config file needs to be present to initialize default values.
   If it is not present, only the first certificate/key slot is available.
   Fix is in PR upstream: https://github.com/OpenSC/OpenSC/pull/223
------- Comment #5 From cendio 2014-03-13 11:29:05 -------
(In reply to comment #4)

Upgrade opensc to version 0.13.0 in vendordrop commit r28604.

> 1. The size for the certificate is wrong, which makes our libtasn parser
>    fail. Fedora has a backported fix for this regression which works fine.
> 
>   
> http://pkgs.fedoraproject.org/cgit/opensc.git/tree/0001-pkcs15-regression-in-e35febe-compute-cert-length.patch

Applied patch in commit r28605.

> 2. A config file needs to be present to initialize default values.
>    If it is not present, only the first certificate/key slot is available.
>    Fix is in PR upstream: https://github.com/OpenSC/OpenSC/pull/223

Applied patch in commit r28607.


Commit r28606 will bring the PIN unlock functionality back to the vendordrop; it
was excluded from the merge due to heavy conflicts.
------- Comment #6 From cendio 2014-03-13 12:32:38 -------
Cross compile using mingw fails with following error:

Creating library file: .libs/opensc-pkcs11.dll.a
.libs/framework-pkcs15.o: In function `pkcs15_skey_destroy':
framework-pkcs15.c:2749: undefined reference to `___pkcs15_delete_object'
collect2: ld returned 1 exit status
make[6]: *** [opensc-pkcs11.la] Error 1
------- Comment #7 From cendio 2014-03-13 12:44:56 -------
(In reply to comment #6)
> Cross compile using mingw fails with following error:
> 
> Creating library file: .libs/opensc-pkcs11.dll.a
> .libs/framework-pkcs15.o: In function `pkcs15_skey_destroy':
> framework-pkcs15.c:2749: undefined reference to `___pkcs15_delete_object'
> collect2: ld returned 1 exit status
> make[6]: *** [opensc-pkcs11.la] Error 1

Upstream commit 9a05414f fixes this problem; let's backport it.
------- Comment #8 From cendio 2014-03-13 12:50:00 -------
Windows build fails with:

pkcs11-tool.o: In function `main':
pkcs11-tool.c:392: undefined reference to `_set_fmode'
collect2: ld returned 1 exit status
make[4]: *** [pkcs11-tool.exe] Error 1
------- Comment #9 From cendio 2014-03-13 12:58:42 -------
(In reply to comment #7)
> (In reply to comment #6)
> > Cross compile using mingw fails with following error:
> > 
> > Creating library file: .libs/opensc-pkcs11.dll.a
> > .libs/framework-pkcs15.o: In function `pkcs15_skey_destroy':
> > framework-pkcs15.c:2749: undefined reference to `___pkcs15_delete_object'
> > collect2: ld returned 1 exit status
> > make[6]: *** [opensc-pkcs11.la] Error 1
> 
> Upstream commit 9a05414f fixes this problem; let's backport it.

Fixed in commit 28609
------- Comment #10 From cendio 2014-03-13 13:37:21 -------
(In reply to comment #8)
> Windows build fails with:
> 
> pkcs11-tool.o: In function `main':
> pkcs11-tool.c:392: undefined reference to `_set_fmode'
> collect2: ld returned 1 exit status
> make[4]: *** [pkcs11-tool.exe] Error 1

set_fmode is an MSVC-specific function and does not exist in gcc/mingw.
Commit 28610 solves the issue by setting _fmode explicitly when using mingw.

Upstream has changed this code to use _setmode on stdin/stdout, which should work
with both MSVC and mingw.
------- Comment #11 From cendio 2014-03-13 13:45:13 -------
Tested with both the x86_64 and win32 builds of opensc-pkcs11.so/dll, and it works as
expected.
------- Comment #12 From cendio 2014-03-14 06:57:35 -------
Build for OSX fails with the following message:

>  CCLD     pkcs11-tool
>/usr/lib/gcc/i686-apple-darwin8/4.5.4/../../../../i686-apple-darwin8/bin/ld: Undefined symbols:
>_EVP_sha256
>collect2: ld returned 1 exit status
>make[7]: *** [pkcs11-tool] Error 1
------- Comment #13 From cendio 2014-03-14 09:54:51 -------
(In reply to comment #12)
> Build for OSX fails with the following message:
> 
> >  CCLD     pkcs11-tool
> >/usr/lib/gcc/i686-apple-darwin8/4.5.4/../../../../i686-apple-darwin8/bin/ld: Undefined symbols:
> >_EVP_sha256
> >collect2: ld returned 1 exit status
> >make[7]: *** [pkcs11-tool] Error 1

Fixed in commit r28615.
------- Comment #14 From cendio 2014-03-14 09:55:24 -------
Build fails on Solaris...

iasecc-sm.c:30:2: error: #error "Need OpenSSL"
  CC       pkcs15-infocamere.lo
iasecc-sm.c:88:1: warning: 'iasecc_sm_transmit_apdus' defined but not used
iasecc-sm.c:131:1: warning: 'sm_release' defined but not used
iasecc-sm.c:225:1: warning: 'iasecc_sm_se_mutual_authentication' defined but
not used
iasecc-sm.c:279:1: warning: 'iasecc_sm_get_challenge' defined but not used
iasecc-sm.c:367:1: warning: 'iasecc_sm_cmd' defined but not used
make[7]: *** [iasecc-sm.lo] Error 1
------- Comment #15 From cendio 2014-03-14 10:08:39 -------
(In reply to comment #14)
> Build fails on Solaris...
> 
> iasecc-sm.c:30:2: error: #error "Need OpenSSL"
>   CC       pkcs15-infocamere.lo
> iasecc-sm.c:88:1: warning: 'iasecc_sm_transmit_apdus' defined but not used
> iasecc-sm.c:131:1: warning: 'sm_release' defined but not used
> iasecc-sm.c:225:1: warning: 'iasecc_sm_se_mutual_authentication' defined but
> not used
> iasecc-sm.c:279:1: warning: 'iasecc_sm_get_challenge' defined but not used
> iasecc-sm.c:367:1: warning: 'iasecc_sm_cmd' defined but not used
> make[7]: *** [iasecc-sm.lo] Error 1

Looks like this has been fixed upstream; a backport of the fix is needed.
------- Comment #16 From cendio 2014-03-14 10:12:07 -------
(In reply to comment #15)
> (In reply to comment #14)
> > Build fails on Solaris...
> > 
> > iasecc-sm.c:30:2: error: #error "Need OpenSSL"
> >   CC       pkcs15-infocamere.lo
> > iasecc-sm.c:88:1: warning: 'iasecc_sm_transmit_apdus' defined but not used
> > iasecc-sm.c:131:1: warning: 'sm_release' defined but not used
> > iasecc-sm.c:225:1: warning: 'iasecc_sm_se_mutual_authentication' defined but
> > not used
> > iasecc-sm.c:279:1: warning: 'iasecc_sm_get_challenge' defined but not used
> > iasecc-sm.c:367:1: warning: 'iasecc_sm_cmd' defined but not used
> > make[7]: *** [iasecc-sm.lo] Error 1
> 
> Looks like this has been fixed upstream; a backport of the fix is needed.

Fixed in commit 28617.
------- Comment #17 From cendio 2014-03-14 14:33:19 -------
OSX build can't read the smartcard.
------- Comment #18 From cendio 2014-03-17 08:17:43 -------
(In reply to comment #17)
> OSX build can't read the smartcard.

Diffing the debug logs of the OSX and Linux clients, I found the point where it breaks.
Just after decoding the TokenInfo ASN, where a slot should be created, the OSX
version fails with:

0xa167f1a8 07:42:56.989 [opensc-pkcs11] framework-pkcs15.c:239:pkcs15_bind:
cannot register mechanisms; CKR 0x70
0xa167f1a8 07:42:56.989 [opensc-pkcs11] slot.c:284:card_detect: OmniKey CardMan
3121 00 00: cannot bind Telia EID IP5a token.
0xa167f1a8 07:42:56.989 [opensc-pkcs11] slot.c:281:card_detect: OmniKey CardMan
3121 00 00: Binding Telia EID IP5a-Sign token.
0xa167f1a8 07:42:56.989 [opensc-pkcs11] framework-pkcs15.c:220:pkcs15_bind:
Bind PKCS#15 'Telia EID IP5a-Sign' application
0xa167f1a8 07:42:56.989 [opensc-pkcs11] pkcs15.c:1134:sc_pkcs15_bind: called
0xa167f1a8 07:42:56.989 [opensc-pkcs11] pkcs15.c:1135:sc_pkcs15_bind:
application(aid:'A000000167455349474E')

And the rest of the log will differ from this point...
------- Comment #19 From cendio 2014-03-17 08:26:14 -------
(In reply to comment #18)
> (In reply to comment #17)
> > OSX build can't read the smartcard.
> 
> Diffing the debug logs of the OSX and Linux clients, I found the point where it breaks.
> Just after decoding the TokenInfo ASN, where a slot should be created, the OSX
> version fails with:
> 
> 0xa167f1a8 07:42:56.989 [opensc-pkcs11] framework-pkcs15.c:239:pkcs15_bind:
> cannot register mechanisms; CKR 0x70
> 0xa167f1a8 07:42:56.989 [opensc-pkcs11] slot.c:284:card_detect: OmniKey CardMan
> 3121 00 00: cannot bind Telia EID IP5a token.
> 0xa167f1a8 07:42:56.989 [opensc-pkcs11] slot.c:281:card_detect: OmniKey CardMan
> 3121 00 00: Binding Telia EID IP5a-Sign token.
> 0xa167f1a8 07:42:56.989 [opensc-pkcs11] framework-pkcs15.c:220:pkcs15_bind:
> Bind PKCS#15 'Telia EID IP5a-Sign' application
> 0xa167f1a8 07:42:56.989 [opensc-pkcs11] pkcs15.c:1134:sc_pkcs15_bind: called
> 0xa167f1a8 07:42:56.989 [opensc-pkcs11] pkcs15.c:1135:sc_pkcs15_bind:
> application(aid:'A000000167455349474E')
> 
> And the rest of the log will differ from this point...

CKR 0x70 == CKR_MECHANISM_INVALID
------- Comment #20 From cendio 2014-03-17 08:43:30 -------
(In reply to comment #19)
> (In reply to comment #18)
> > (In reply to comment #17)
> > > OSX build can't read the smartcard.
> > 
> > Diffing the debug logs of the OSX and Linux clients, I found the point where it breaks.
> > Just after decoding the TokenInfo ASN, where a slot should be created, the OSX
> > version fails with:
> > 
> > 0xa167f1a8 07:42:56.989 [opensc-pkcs11] framework-pkcs15.c:239:pkcs15_bind:
> > cannot register mechanisms; CKR 0x70
> > 0xa167f1a8 07:42:56.989 [opensc-pkcs11] slot.c:284:card_detect: OmniKey CardMan
> > 3121 00 00: cannot bind Telia EID IP5a token.
> > 0xa167f1a8 07:42:56.989 [opensc-pkcs11] slot.c:281:card_detect: OmniKey CardMan
> > 3121 00 00: Binding Telia EID IP5a-Sign token.
> > 0xa167f1a8 07:42:56.989 [opensc-pkcs11] framework-pkcs15.c:220:pkcs15_bind:
> > Bind PKCS#15 'Telia EID IP5a-Sign' application
> > 0xa167f1a8 07:42:56.989 [opensc-pkcs11] pkcs15.c:1134:sc_pkcs15_bind: called
> > 0xa167f1a8 07:42:56.989 [opensc-pkcs11] pkcs15.c:1135:sc_pkcs15_bind:
> > application(aid:'A000000167455349474E')
> > 
> > And the rest of the log will differ from this point...
> 
> CKR 0x70 == CKR_MECHANISM_INVALID

Fixed in commit 28643.
------- Comment #21 From cendio 2014-04-16 15:44:19 -------
Verified using my Telia e-leg. With 4.1.1, I was not able to authenticate with
the signing certificate. With build 4325, this works perfectly fine. I've
verified that the PIN for this cert is located in a deeper path:

PIN [legitimering]
        Object Flags   : [0x3], private, modifiable
        ID             : 01
        Flags          : [0x32], local, initialized, needs-padding
        Length         : min_len:6, max_len:8, stored_len:8
        Pad char       : 0x00
        Reference      : 129 (0x81)
        Type           : ascii-numeric
        Path           : 3f00

PIN [underskrift]
        Object Flags   : [0x3], private, modifiable
        ID             : 02
        Flags          : [0x32], local, initialized, needs-padding
        Length         : min_len:6, max_len:8, stored_len:8
        Pad char       : 0x00
        Reference      : 130 (0x82)
        Type           : ascii-numeric
        Path           : 3f005016
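The verification in comment #21 rests on one observable property: the signing PIN (underskrift) lives in a DF below the MF (3F00/5016) while the authentication PIN sits directly under the MF, and only the deeper object was broken before the OpenSC upgrade. The script below is an added example, not part of this bug report or of OpenSC. It parses a pkcs15-tool style object listing, splits each object's Path into 2-byte ISO 7816 file identifiers and reports how many levels below the MF each object sits, so the objects that need re-testing after an OpenSC change can be listed mechanically. The embedded input is the PIN listing from comment #21, reproduced as a constructed sample; the parser assumes the same "Kind [label]" header and indented "Field : value" layout for other object kinds (keys, certificates) that pkcs15-tool prints with a Path line, which is an assumption of this example rather than something the page shows.

```python
"""Report which PKCS#15 objects live in a DF below the MF.

Added example for ThinLinc bug 2533; not code from the bug report or OpenSC.
Input format: pkcs15-tool style listing ("PIN [label]" header, indented
"Field : value" lines). Only the PIN listing from comment #21 is on the page;
other object kinds are handled on the assumption that they use the same layout.
"""
import re

# Constructed sample: the two PIN objects pasted in comment #21, verbatim.
SAMPLE = """\
PIN [legitimering]
        Object Flags   : [0x3], private, modifiable
        ID             : 01
        Flags          : [0x32], local, initialized, needs-padding
        Length         : min_len:6, max_len:8, stored_len:8
        Pad char       : 0x00
        Reference      : 129 (0x81)
        Type           : ascii-numeric
        Path           : 3f00

PIN [underskrift]
        Object Flags   : [0x3], private, modifiable
        ID             : 02
        Flags          : [0x32], local, initialized, needs-padding
        Length         : min_len:6, max_len:8, stored_len:8
        Pad char       : 0x00
        Reference      : 130 (0x82)
        Type           : ascii-numeric
        Path           : 3f005016
"""

MF = "3F00"
# Object header, e.g. "PIN [underskrift]" or "Private RSA Key [Signature Key]".
HEADER_RE = re.compile(r"^(\S.*?) \[(.*)\]\s*$")
# Indented field line, e.g. "        Path           : 3f005016".
FIELD_RE = re.compile(r"^\s+([A-Za-z ]+?)\s*:\s*(.*)$")


def split_path(path_hex):
    """Split a hex ISO 7816 path into 2-byte file identifiers ("3f005016" -> ["3F00", "5016"])."""
    if len(path_hex) % 4 != 0 or not re.fullmatch(r"[0-9a-fA-F]*", path_hex):
        raise ValueError("malformed path: %r" % (path_hex,))
    return [path_hex[i:i + 4].upper() for i in range(0, len(path_hex), 4)]


def parse_objects(text):
    """Return a list of {'kind', 'label', 'fields'} dicts, one per object block."""
    objects = []
    current = None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            current = {"kind": m.group(1), "label": m.group(2), "fields": {}}
            objects.append(current)
            continue
        m = FIELD_RE.match(line)
        if m and current is not None:
            current["fields"][m.group(1).strip()] = m.group(2).strip()
    return objects


def depth_report(text):
    """Return (kind, label, file_ids, depth) per object that has a Path.

    depth is the number of path components below the MF. A path that does not
    start with 3F00 is treated as relative to the MF (assumption of this example).
    """
    report = []
    for obj in parse_objects(text):
        path = obj["fields"].get("Path")
        if path is None:
            continue
        ids = split_path(path)
        depth = len(ids) - 1 if ids and ids[0] == MF else len(ids)
        report.append((obj["kind"], obj["label"], ids, depth))
    return report


def deep_objects(text, threshold=1):
    """Objects at least `threshold` levels below the MF: the ones this bug was about."""
    return [entry for entry in depth_report(text) if entry[3] >= threshold]


if __name__ == "__main__":
    for kind, label, ids, depth in depth_report(SAMPLE):
        flag = "DEEP" if depth >= 1 else "mf"
        print("%-4s %-14s path=%s depth=%d %s" % (kind, label, "/".join(ids), depth, flag))
```

Feed it the output of `pkcs15-tool --list-pins` (or `--list-keys`, `--list-certificates`) captured from the old and new client builds; any object that deep_objects() lists is one whose PIN verification or key use should be exercised explicitly, since the bug only showed up for objects below the MF.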