I wonder if this is one of the cards/readers that cannot handle
the default max_send_size/max_recv_size = 256.

Can you try this again with the opensc.conf with these:

reader_driver openct {
    max_send_size = 252;
    max_recv_size = 252;
}

Or try 248, that was the old *_CHOP_*

Have you tried with the pcsc driver?

I do see that "ModLength" is 2048, so the RSA signature will be
256 bytes long, and the reader/card will have to deal with this
by using a smaller buffer, or chaining the input and output.

Simon Eisenmann wrote:
> Here is the debug output to add some more details for this issue:
>
> ...
> card-cardos.c:714:cardos_set_security_env: returning with: 0
> sec.c:67:sc_set_security_env: returning with: 0
> sec.c:49:sc_compute_signature: called
> card-cardos.c:761:cardos_compute_signature: called
> card-cardos.c:775:cardos_compute_signature: trying RSA_PURE_SIG (padded DigestInfo)
> apdu.c:516:sc_transmit_apdu: called
> card.c:285:sc_lock: called
> apdu.c:184:sc_apdu_log:
> Outgoing APDU data [ 265 bytes] =====================================
> 00 2A 9E 9A 00 01 00 30 30 30 30 30 30 30 30 30 .*.....000000000
> 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 0000000000000000
> 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 0000000000000000
> 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 0000000000000000
> 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 0000000000000000
> 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 0000000000000000
> 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 0000000000000000
> 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 0000000000000000
> 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 0000000000000000
> 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 0000000000000000
> 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 0000000000000000
> 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 0000000000000000
> 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 0000000000000000
> 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 0000000000000000
> 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 0000000000000000
> 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 0000000000000000
> 30 30 30 30 30 30 30 01 00 0000000..
> ======================================================================
> reader-openct.c:339:openct_reader_transmit: unable to transmit
> apdu.c:394:do_single_transmit: unable to transmit APDU
> card.c:312:sc_unlock: called
> card-cardos.c:742:do_compute_signature: APDU transmit failed: Generic reader error
> card-cardos.c:782:cardos_compute_signature: trying RSA_SIG (just the DigestInfo)
> apdu.c:516:sc_transmit_apdu: called
> card.c:285:sc_lock: called
> apdu.c:184:sc_apdu_log:
> Outgoing APDU data [ 267 bytes] =====================================
> 00 2A 9E 9A 00 01 02 30 30 30 30 30 30 30 30 30 .*.....000000000
> 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 0000000000000000
> 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 0000000000000000
> 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 0000000000000000
> 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 0000000000000000
> 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 0000000000000000
> 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 0000000000000000
> 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 0000000000000000
> 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 0000000000000000
> 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 0000000000000000
> 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 0000000000000000
> 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 0000000000000000
> 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 0000000000000000
> 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 0000000000000000
> 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 0000000000000000
> 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 30 0000000000000000
> 30 30 30 30 30 30 30 0C 00 01 00 0000000....
> ======================================================================
> reader-openct.c:339:openct_reader_transmit: unable to transmit
> apdu.c:394:do_single_transmit: unable to transmit APDU
> card.c:312:sc_unlock: called
> card-cardos.c:742:do_compute_signature: APDU transmit failed: Generic reader error
> card-cardos.c:803:cardos_compute_signature: trying to sign raw hash value
> card-cardos.c:806:cardos_compute_signature: returning with: Internal error
> sec.c:53:sc_compute_signature: returning with: Internal error
> card.c:312:sc_unlock: called
> pkcs15-sec.c:248:sc_pkcs15_compute_signature: sc_compute_signature() failed: Internal error
> Compute signature failed: Internal error
> pkcs15.c:775:sc_pkcs15_unbind: called
> card.c:312:sc_unlock: called
> reader-openct.c:458:openct_reader_unlock: called
> card.c:236:sc_disconnect_card: called
> reader-openct.c:280:openct_reader_disconnect: called
> card.c:251:sc_disconnect_card: returning with: 0
> ctx.c:738:sc_release_context: called
> reader-openct.c:180:openct_reader_release: called
> reader-openct.c:180:openct_reader_release: called
> reader-openct.c:180:openct_reader_release: called
> reader-openct.c:180:openct_reader_release: called
> reader-openct.c:180:openct_reader_release: called
> reader-openct.c:165:openct_reader_finish: called
>
>
>
> On Tuesday, 13.03.2007, at 22:17 +0100, Andreas Jellinghaus wrote:
>> On Tuesday, 13 March 2007, at 17:40, Simon Eisenmann wrote:
>>> I today received the PINs for my new D-TRUST 2048 Bit signature card
>>> which seems to use Siemens CardOS 4.3B. I can read the certificates and
>>> keys from the card using opensc tools perfectly.
>>>
>>> Though there is a problem when creating a signature (opensc svn trunk).
>> a) which version of trunk exactly? what card reader are you using?
>> we did some changes recently that might break things - but I think
>> it only affects cards that can only do t=0 with some readers, so it shouldn't
>> be a problem for you.
>>
>> so my wild guess is: can that key be used for both signing and decryption
>> (check with pkcs11-tool or pkcs15-tool) ?
>>
>> cardos doesn't allow that for some stupid reason. in real world it is needed.
>> so there are two hacks for this:
>> a) the opensc hack: store the private key twice - once with key usage sign
>> and once with key usage decrypt, and then choose the right one.
>> b) the siemens hack: store the key as decrypt key and use raw rsa decryption
>> for signing.
>>
>> we haven't implemented b) yet, but we should add it for compatibility.
>>
>>> note: When using opensc 0.11.1 the card is not recognized as cardos (ATR
>>> not in the list of cardos implementation).
>> yes. we added that atr after 0.11.1.
>>
>> Regards, Andreas
>>
>> ------------------------------------------------------------------------
>>
>> _______________________________________________
>> opensc-devel mailing list
>> opensc-devel lists.opensc-project.org
>> http://www.opensc-project.org/mailman/listinfo/opensc-devel
--
Douglas E. Engert <DEEngert anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
_______________________________________________
opensc-devel mailing list
opensc-devel lists.opensc-project.org
http://www.opensc-project.org/mailman/listinfo/opensc-devel
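
Added example (not part of the original message and not OpenSC code): the first outgoing APDU from the quoted log, rebuilt from its logged bytes, is parsed as an ISO 7816-4 extended-length command and split by command chaining so that each piece carries at most max_send_size data bytes. That max_send_size bounds the data field, and that the card accepts chaining for this command, are assumptions.

```python
# Added illustration, not OpenSC code. Assumptions: max_send_size limits the
# data field of one command APDU; the card accepts ISO 7816-4 command chaining.

# First APDU from the quoted log, rebuilt from its logged bytes:
# header 00 2A 9E 9A, extended Lc 00 01 00, 256 data bytes of 0x30, Le 01 00.
LOGGED_APDU = bytes.fromhex("002A9E9A000100") + b"\x30" * 256 + bytes.fromhex("0100")


def parse_extended(apdu: bytes) -> dict:
    """Parse a case-4 extended APDU: CLA INS P1 P2 00 Lc(2) data Le(2)."""
    if len(apdu) < 10 or apdu[4] != 0x00:
        raise ValueError("not a case-4 extended-length APDU")
    lc = int.from_bytes(apdu[5:7], "big")
    if lc == 0 or len(apdu) != 7 + lc + 2:
        raise ValueError("Lc does not match the APDU length")
    return {"header": apdu[:4], "data": apdu[7:7 + lc],
            "le": int.from_bytes(apdu[-2:], "big")}


def chain(apdu: bytes, max_send_size: int) -> list:
    """Split an extended APDU into short APDUs linked by command chaining."""
    if not 1 <= max_send_size <= 255:
        raise ValueError("short APDUs carry 1..255 data bytes")
    p = parse_extended(apdu)
    cla, rest = p["header"][0], p["header"][1:]
    data = p["data"]
    frames = []
    for off in range(0, len(data), max_send_size):
        chunk = data[off:off + max_send_size]
        last = off + max_send_size >= len(data)
        # CLA bit 0x10 marks "more blocks follow"; the final block clears it.
        head = bytes([cla if last else cla | 0x10]) + rest + bytes([len(chunk)])
        # Only the final block carries Le; short Le 0x00 asks for up to 256 bytes.
        tail = bytes([p["le"] if p["le"] < 256 else 0x00]) if last else b""
        frames.append(head + chunk + tail)
    return frames


if __name__ == "__main__":
    print(len(LOGGED_APDU), "bytes as logged")
    for size in (252, 248):
        frames = chain(LOGGED_APDU, size)
        print(size, [f.hex()[:10] + f" ({len(f)} bytes)" for f in frames])
```

The 256-byte signature coming back is the receive-side half of the same limit and is not modelled here.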