
Hello everyone,

I am experiencing difficulties using OpenSC and smartcards on Linux.

My configuration is: Linux FC5, OpenSC/OpenCT,
card reader: OMNIKEY CardMan 5121 (supported by OpenCT as CCID compatible),
smart card: STARCOS SPK 2.3 (this is a card that STARCOS gave my company
for testing purposes, so it can be erased and reinitialized as many times as I wish).

Uploading certificates and private keys works for me, but signing
with the private key on the card doesn't seem to work. Here's the log:


---------------------------------------------------------------------
[rootfc4_levi openct-0.6.8]# opensc-tool --list-readers
Readers known about:
Nr.    Driver     Name
0      openct     CCID Compatible
1      openct     OpenCT reader (detached)
2      openct     OpenCT reader (detached)
3      openct     OpenCT reader (detached)
4      openct     OpenCT reader (detached)

[rootfc4_levi openct-0.6.8]# opensc-tool --reader 0 --name
STARCOS SPK 2.3
[rootfc4_levi openct-0.6.8]# opensc-tool --reader 0 --atr
3b:b7:94:00:81:31:fe:65:53:50:4b:32:33:90:00:d1
[rootfc4_levi ~]# opensc-explorer
OpenSC Explorer version 0.11.1
OpenSC [3F00]> erase
OpenSC [3F00]> quit
[rootfc4_levi ~]# pkcs15-init --create-pkcs15 --profile pkcs15
New Security Officer PIN (Optional - press return for no PIN).
[ ... ]
Please type again to verify:
[rootfc4_levi ~]# pkcs15-init --auth-id 1 --store-pin --pin "123456" --puk "123456"  --label "my PIN"
Security officer PIN required.
Please enter Security officer PIN:
[rootfc4_levi ~]# pkcs15-init --auth-id 1 --store-private-key west.key --id 45
Please enter passphrase to unlock secret key:
[ ... ]
Please enter User PIN:
[rootfc4_levi ~]# pkcs15-init --auth-id 1 --store-certificate westCert.pem
Security officer PIN required.
[ ... ]
Please enter User PIN:
[rootfc4_levi ~]#
--------------------------------

So installing a private key and a certificate passes OK, and now when I try
to perform signing using a key on the card, I get errors:


--------------------------------
[rootfc4_levi ~]# pkcs15-crypt --pkcs1 -s --input file_md5.bin --output file_md5_signed
Enter PIN [my PIN]:
apdu.c:341:sc_check_apdu: Invalid Case 4 short APDU:
cse=04 cla=00 ins=88 p1=10 p2=00 lc=0 le=256
resp=0xbfccc556 resplen=258 data=0xbfccc454 datelen=0
card-starcos.c:1219:starcos_compute_signature: APDU transmit failed: Invalid arguments
sec.c:53:sc_compute_signature: returning with: Invalid arguments
pkcs15-sec.c:331:sc_pkcs15_compute_signature: sc_compute_signature() failed: Invalid arguments
Compute signature failed: Invalid arguments
[rootfc4_levi ~]#
--------------------------------

What does this mean? Could it be because this is a special *test* card, that can be
erased an infinite number of times and always be unlocked?


I also get a "Generic reader error" in the similar scenario, when generating a key on the card.

[rootfc4_levi ~]# opensc-explorer
OpenSC Explorer version 0.11.1
OpenSC [3F00]> erase
OpenSC [3F00]> quit
[rootfc4_levi ~]# pkcs15-init --create-pkcs15 --profile pkcs15
New Security Officer PIN (Optional - press return for no PIN).
Please enter Security Officer PIN:
Please type again to verify:
Unblock Code for New User PIN (Optional - press return for no PIN).
Please enter User unblocking PIN (PUK):
Please type again to verify:
[rootfc4_levi ~]# pkcs15-init --auth-id 1 --store-pin --pin "123456" --puk "123456" --label "my PIN"
Security officer PIN required.
Please enter Security officer PIN:
[rootfc4_levi ~]# pkcs15-init --generate-key rsa/1024 --auth-id 01
Security officer PIN required.
Please enter Security officer PIN:
reader-openct.c:341:openct_reader_transmit: unable to transmit
apdu.c:394:do_single_transmit: unable to transmit APDU
card-starcos.c:974:starcos_gen_key: APDU transmit failed: Generic reader error
card.c:687:sc_card_ctl: returning with: Generic reader error
Failed to generate key: Generic reader error
[rootfc4_levi ~]#


I am new to smart cards, please help. Thank you!
A.

sale kircanski wrote:
...
> --------------------------------
> [rootfc4_levi ~]# pkcs15-crypt --pkcs1 -s --input file_md5.bin --output file_md5_signed
> Enter PIN [my PIN]:
> apdu.c:341:sc_check_apdu: Invalid Case 4 short APDU:
> cse=04 cla=00 ins=88 p1=10 p2=00 lc=0 le=256
> resp=0xbfccc556 resplen=258 data=0xbfccc454 datelen=0
> card-starcos.c:1219:starcos_compute_signature: APDU transmit failed: Invalid arguments
> sec.c:53:sc_compute_signature: returning with: Invalid arguments
> pkcs15-sec.c:331:sc_pkcs15_compute_signature: sc_compute_signature() failed: Invalid arguments
> Compute signature failed: Invalid arguments
> [rootfc4_levi ~]#
> --------------------------------
>
> What does this mean? Could it be because this is a special *test* card,
> that can be erased an infinite number of times and always be unlocked?

no. The above error message means that no data (datalen == lc == 0)
was supplied to the signing function ... could it be that the input
file is empty ?

>
>
> I also get a "Generic reader error" in the similar scenario, when
> generating a key on the card.
>
> [rootfc4_levi ~]# opensc-explorer
> OpenSC Explorer version 0.11.1
> OpenSC [3F00]> erase
> OpenSC [3F00]> quit
> [rootfc4_levi ~]# pkcs15-init --create-pkcs15 --profile pkcs15
> New Security Officer PIN (Optional - press return for no PIN).
> Please enter Security Officer PIN:
> Please type again to verify:
> Unblock Code for New User PIN (Optional - press return for no PIN).
> Please enter User unblocking PIN (PUK):
> Please type again to verify:
> [rootfc4_levi ~]# pkcs15-init --auth-id 1 --store-pin --pin "123456" --puk "123456" --label "my PIN"
> Security officer PIN required.
> Please enter Security officer PIN:
> [rootfc4_levi ~]# pkcs15-init --generate-key rsa/1024 --auth-id 01
> Security officer PIN required.
> Please enter Security officer PIN:
> reader-openct.c:341:openct_reader_transmit: unable to transmit
> apdu.c:394:do_single_transmit: unable to transmit APDU
> card-starcos.c:974:starcos_gen_key: APDU transmit failed: Generic reader error
> card.c:687:sc_card_ctl: returning with: Generic reader error
> Failed to generate key: Generic reader error
> [rootfc4_levi ~]#

don't know what causes this problem. Does it always occur ? Could
you test another card reader ? It might be that the card needs too
much time to generate a key and some kind of timeout has occurred
in the reader driver ...

Cheers,
Nils
_______________________________________________
opensc-user mailing list
opensc-userlists.opensc-project.org
http://www.opensc-project.org/mailman/listinfo/opensc-user
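
The length rules behind the "Invalid Case 4 short APDU" message discussed in the reply above, as an added example that is not part of the thread and is not OpenSC's code. The struct, enum and function names are hypothetical; the header bytes and lengths are the ones printed in the log, and the input bytes are constructed.

```c
#include <stddef.h>
#include <stdio.h>

/* All names are hypothetical; this is not OpenSC's sc_apdu code. */
enum apdu_case { CASE_1 = 1, CASE_2_SHORT, CASE_3_SHORT, CASE_4_SHORT };
enum apdu_err  { APDU_OK, APDU_NO_DATA, APDU_BAD_LC, APDU_LEN_MISMATCH,
                 APDU_BAD_LE, APDU_UNEXPECTED_FIELD };

struct apdu {
    enum apdu_case cse;
    unsigned char cla, ins, p1, p2;
    size_t lc, le;                /* le == 256: "up to 256 bytes back" */
    const unsigned char *data;    /* command data, datalen bytes */
    size_t datalen;
};

/* ISO 7816-4 short-APDU length rules: cases 3 and 4 carry 1..255 data
 * bytes, cases 2 and 4 expect 1..256 response bytes, and a field the
 * case does not define must be absent. */
enum apdu_err check_short_apdu(const struct apdu *a)
{
    int has_data = (a->cse == CASE_3_SHORT || a->cse == CASE_4_SHORT);
    int has_le   = (a->cse == CASE_2_SHORT || a->cse == CASE_4_SHORT);
    if (has_data) {
        if (a->data == NULL || a->datalen == 0) return APDU_NO_DATA;
        if (a->lc == 0 || a->lc > 255)          return APDU_BAD_LC;
        if (a->datalen != a->lc)                return APDU_LEN_MISMATCH;
    } else if (a->lc != 0 || a->datalen != 0) {
        return APDU_UNEXPECTED_FIELD;
    }
    if (has_le) {
        if (a->le == 0 || a->le > 256)          return APDU_BAD_LE;
    } else if (a->le != 0) {
        return APDU_UNEXPECTED_FIELD;
    }
    return APDU_OK;
}

/* Header taken from the log in the thread (cse=04 cla=00 ins=88 p1=10
 * p2=00 le=256) with n bytes of constructed, all-zero input attached.
 * n == 0 reproduces the logged APDU: lc=0, datalen=0, non-NULL data. */
enum apdu_err check_sign_apdu(size_t n)
{
    static const unsigned char buf[512];
    struct apdu a = { CASE_4_SHORT, 0x00, 0x88, 0x10, 0x00, n, 256, buf, n };
    return check_short_apdu(&a);
}

int main(void)
{
    printf("logged APDU (no data): %d\n", check_sign_apdu(0));
    printf("16-byte input:         %d\n", check_sign_apdu(16));
    return 0;
}
```
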
STARCOS SPK 2.3 card/OMNIKEY CardMan 5121 reader difficulties
user name
2006-07-05 08:01:57


On 6/30/06, Nils Larsch <nlarschgmx.net> wrote:
> no. The above error message means that no data (datalen == lc == 0)
> was supplied to the signing function ... could it be that the input
> file is empty ?

Well, I think not. I played a little with this, and made it work (partly). Here's a
little log of what I did. Card: STARCOS SPK2.3. Reader: OMNIKEY CardMan5121.
OpenSC/OpenCT, Fedora Core 5.

Here's the first log. If I download a key (in pem format) to the
card, and try to use it for signing, I get an error.

------------------------------------------------------------------------
[rootfc4_levi ~]# pkcs15-init --create-pkcs15 --profile pkcs15
[rootfc4_levi ~]# pkcs15-init --auth-id 1 --store-pin --pin "123456" --label "my PIN"
Unblock Code for New User PIN (Optional - press return for no PIN).
Please enter User unblocking PIN (PUK):
[rootfc4_levi ~]# pkcs15-init --auth-id 1 --store-private-key /etc/ipsec.d/private/west.key --id 45
Please enter passphrase to unlock secret key:
User PIN required.
Please enter User PIN:
[rootfc4_levi ~]#
[rootfc4_levi ~]# pkcs15-tool -D
PKCS#15 Card [OpenSC Card]:
        Version        : 1
        Serial number  : 7090191300132A34
        Manufacturer ID: OpenSC Project
        Last update    : 20060705065418Z
        Flags          : EID compliant

PIN [my PIN]
        Com. Flags: 0x3
        ID        : 01
        Flags     : [0x3A], local, unblock-disabled, initialized, needs-padding
        Length    : min_len:4, max_len:8, stored_len:8
        Pad char  : 0x00
        Reference : 131
        Type      : ascii-numeric
        Path      : 3f005015

Private RSA Key [Private Key]
        Com. Flags  : 3
        Usage       : [0x4], sign
        Access Flags: [0x1D], sensitive, alwaysSensitive, neverExtract, local
        ModLength   : 1024
        Key ref     : 145
        Native      : yes
        Path        : 3f005015
        Auth ID     : 01
        ID          : 45

Public RSA Key [Public Key]
        Com. Flags  : 2
        Usage       : [0x4], sign
        Access Flags: [0x0]
        ModLength   : 1024
        Key ref     : 0
        Native      : no
        Path        : 3f0050153048
        Auth ID     :
        ID          : 45

[rootfc4_levi ~]# echo "this is a test. this is a test." > file
[rootfc4_levi ~]# openssl md5 -binary -out file_md5.bin file
[rootfc4_levi ~]# ls -l file_md5.bin
-rw-r--r-- 1 root root 16 Jul  5 08:56 file_md5.bin
[rootfc4_levi ~]# pkcs15-crypt -s --pkcs1 --input file_md5.bin --output file_signed
Enter PIN [my PIN]:
reader-openct.c:341:openct_reader_transmit: unable to transmit
apdu.c:394:do_single_transmit: unable to transmit APDU
card-starcos.c:1219:starcos_compute_signature: APDU transmit failed: Generic reader error
sec.c:53:sc_compute_signature: returning with: Generic reader error
pkcs15-sec.c:331:sc_pkcs15_compute_signature: sc_compute_signature() failed: Generic reader error
Compute signature failed: Generic reader error
card-starcos.c:1345:starcos_logout: APDU re-transmit failed: Generic reader error
[rootfc4_levi ~]#
[rootfc4_levi ~]# opensc-explorer
OpenSC Explorer version 0.11.1

-------------------------------------------------------------------------------
.. and I don't get the opensc-explorer prompt anymore - the reader is stuck, I have to
unplug it and plug it again.

Now I'll try to generate a key on the card (in the last scenario, I tried to download
it on the card). Generating a key on the card works partly, i.e. if I try it several
times. This sounds like science fiction, but exactly the same commands are executed,
and sometimes they work and sometimes not.

When key generation on the card succeeds, signing with that key works (every time).
So actually in that case, I can use the card and everything is OK.

---------------------------------------------------------------------------------
[rootfc4_levi ~]# opensc-explorer
OpenSC Explorer version 0.11.1
OpenSC [3F00]> erase
OpenSC [3F00]> quit
[rootfc4_levi ~]# pkcs15-init --create-pkcs15 --profile pkcs15
New Security Officer PIN (Optional - press return for no PIN).
Please enter Security Officer PIN:
[rootfc4_levi ~]# pkcs15-init --auth-id 1 --store-pin --pin "123456" --label "my PIN"
Unblock Code for New User PIN (Optional - press return for no PIN).
Please enter User unblocking PIN (PUK):
[rootfc4_levi ~]# pkcs15-init --generate-key rsa/1024 --auth-id 01
reader-openct.c:341:openct_reader_transmit: unable to transmit
apdu.c:394:do_single_transmit: unable to transmit APDU
card-starcos.c:974:starcos_gen_key: APDU transmit failed: Generic reader error
card.c:687:sc_card_ctl: returning with: Generic reader error
Failed to generate key: Generic reader error
[rootfc4_levi ~]#

[ ... OK it doesn't work, but I unplug and plug the device again, and it suddenly
works, with exactly the same commands executed. This looks like science fiction,
but it works - if not from the second try, then from the third, fourth.. ]

[rootfc4_levi ~]# opensc-explorer
OpenSC Explorer version 0.11.1
OpenSC [3F00]> erase
OpenSC [3F00]> quit
[rootfc4_levi ~]# pkcs15-init --create-pkcs15 --profile pkcs15
New Security Officer PIN (Optional - press return for no PIN).
Please enter Security Officer PIN:
[rootfc4_levi ~]# pkcs15-init --auth-id 1 --store-pin --pin "123456" --label "my PIN"
Unblock Code for New User PIN (Optional - press return for no PIN).
Please enter User unblocking PIN (PUK):
[rootfc4_levi ~]# pkcs15-init --generate-key rsa/1024 --auth-id 01
User PIN required.
Please enter User PIN:
[rootfc4_levi ~]#
[ It worked! with exactly the same commands executed. Now I can sign with the card. ]
[rootfc4_levi ~]# pkcs15-crypt -s --pkcs1 --input file_md5.bin --output file_signed
Enter PIN [my PIN]:
[rootfc4_levi ~]#

--------------------------------------------------------------------------------------

Summary:
Downloading a key to the card works (every time), but signing with that key doesn't.
Generating a key on the card works *sometimes* and sometimes not, and signing with
that key (when it is once generated) works always.

So that's it. Any idea? Thanks..

A.


STARCOS SPK 2.3 card/OMNIKEY CardMan 5121 reader difficulties
user name
2006-07-05 11:47:26
On 05.07.2006, at 11:01, sale kircanski wrote:

> So that's it. Any idea? Thanks..
Try with another reader driver (I guess it's ccid so try pcsc-lite
and the ccid driver)


-- 
Martin Paljak / martinpaljak.pri.ee
martin.paljak.pri.ee / ideelabor.ee
+372 515 64 95


STARCOS SPK 2.3 card/OMNIKEY CardMan 5121 reader difficulties
user name
2006-07-05 21:32:44
sale kircanski wrote:
>
>
> On 6/30/06, *Nils Larsch* <nlarschgmx.net <mailto:nlarschgmx.net>> wrote:
>
>     no. The above error message means that no data (datalen == lc == 0)
>     was supplied to the signing function ... could it be that the input
>     file is empty ?
>
>
> Well, I think not. I played a little with this, and made it work
> (partly). Here's a
> little log of what I did. Card: STARCOS SPK2.3. Reader: OMNIKEY CardMan5121.
> OpenSC/OpenCT, Fedora Core 5.
>
>
> Here's the first log. If I download a key (in pem format) to the
> card, and try to use it for signing, I get an error.
>
> ------------------------------------------------------------------------
> [rootfc4_levi ~]# pkcs15-init --create-pkcs15 --profile pkcs15
> [rootfc4_levi ~]# pkcs15-init --auth-id 1 --store-pin --pin "123456" --label "my PIN"
> Unblock Code for New User PIN (Optional - press return for no PIN).
> Please enter User unblocking PIN (PUK):
> [rootfc4_levi ~]# pkcs15-init --auth-id 1 --store-private-key /etc/ipsec.d/private/west.key --id 45
> Please enter passphrase to unlock secret key:
> User PIN required.
> Please enter User PIN:
> [rootfc4_levi ~]#
> [rootfc4_levi ~]# pkcs15-tool -D
> PKCS#15 Card [OpenSC Card]:
>         Version        : 1
>         Serial number  : 7090191300132A34
>         Manufacturer ID: OpenSC Project
>         Last update    : 20060705065418Z
>         Flags          : EID compliant
>
> PIN [my PIN]
>         Com. Flags: 0x3
>         ID        : 01
>         Flags     : [0x3A], local, unblock-disabled, initialized, needs-padding
>         Length    : min_len:4, max_len:8, stored_len:8
>         Pad char  : 0x00
>         Reference : 131
>         Type      : ascii-numeric
>         Path      : 3f005015
>
> Private RSA Key [Private Key]
>         Com. Flags  : 3
>         Usage       : [0x4], sign
>         Access Flags: [0x1D], sensitive, alwaysSensitive, neverExtract, local
>         ModLength   : 1024
>         Key ref     : 145
>         Native      : yes
>         Path        : 3f005015
>         Auth ID     : 01
>         ID          : 45
>
> Public RSA Key [Public Key]
>         Com. Flags  : 2
>         Usage       : [0x4], sign
>         Access Flags: [0x0]
>         ModLength   : 1024
>         Key ref     : 0
>         Native      : no
>         Path        : 3f0050153048
>         Auth ID     :
>         ID          : 45
>
> [rootfc4_levi ~]# echo "this is a test. this is a test." > file
> [rootfc4_levi ~]# openssl md5 -binary -out file_md5.bin file
> [rootfc4_levi ~]# ls -l file_md5.bin
> -rw-r--r-- 1 root root 16 Jul  5 08:56 file_md5.bin
> [rootfc4_levi ~]# pkcs15-crypt -s --pkcs1 --input file_md5.bin --output

you should add the "-md5" option to tell pkcs15-crypt that the input is a MD5
hash.

> file_signed
> Enter PIN [my PIN]:
> reader-openct.c:341:openct_reader_transmit: unable to transmit
> apdu.c:394:do_single_transmit: unable to transmit APDU
> card-starcos.c:1219:starcos_compute_signature: APDU transmit failed: Generic reader error
> sec.c:53:sc_compute_signature: returning with: Generic reader error
> pkcs15-sec.c:331:sc_pkcs15_compute_signature: sc_compute_signature() failed: Generic reader error
> Compute signature failed: Generic reader error
> card-starcos.c:1345:starcos_logout: APDU re-transmit failed: Generic reader error
> [rootfc4_levi ~]#
> [rootfc4_levi ~]# opensc-explorer
> OpenSC Explorer version 0.11.1
>
> -------------------------------------------------------------------------------
> .. and I don't get the opensc-explorer prompt anymore - the reader is stuck,
> I have to
> unplug it and plug it again.
>
> Now I'll try to generate a key on the card (in the last scenario, I
> tried to download
> it on the card). Generating a key on the card works partly, i.e. if I
> try it several
> times. This sounds like science fiction, but exactly the same commands
> are executed,
> and sometimes they work and sometimes not.

sounds like a timeout problem with the reader driver (the time required to
generate a key or to do a crypto operation with a key is not always the
same).

Cheers,
Nils