opencryptoki-users Mailing List for openCryptoki (Page 5)
From: Kent Y. <shp...@gm...> - 2010-07-20 16:11:52

Hmm, there are really only 2 reasons why that should fail... Does `id` show your user in the pkcs11 group? Sometimes that requires a logout/login to take effect?

2010/7/20 Alexander Loukissas (aloukiss) <alo...@ci...>:
> Yup, there's a message saying:
>
> openCryptokiModule[2051]: api_interface.c:3397 Cannot Attach to Shared Memory
>
> This appears each time I run the tpmtoken_init command.
>
> Alex

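The two conditions checked in this thread (pkcsslotd running, and pkcs11 group membership that is actually in effect for the current login session) written as a preflight script. This is an added example, not part of the original posts or of opencryptoki; the function names, the use of `getent` and `pgrep`, and the sample account `alex` are assumptions.

```shell
#!/bin/sh
# Added example, not part of opencryptoki: preflight for the two conditions
# named in the thread (pkcsslotd running, caller in the pkcs11 group).

# in_list WORD [ITEM...] -> exit 0 if WORD equals one ITEM exactly.
in_list() {
    needle=$1
    shift
    for item in "$@"; do
        if [ "$item" = "$needle" ]; then
            return 0
        fi
    done
    return 1
}

# group_state USER GROUP SESSION_GROUPS GROUP_ENTRY
#   SESSION_GROUPS  output of `id -Gn`: groups the running session really has
#   GROUP_ENTRY     `getent group GROUP` line: name:passwd:gid:member,member
# Prints: active | stale-session | missing
group_state() {
    gs_user=$1
    gs_group=$2
    gs_entry=$4
    # Unquoted on purpose: split the space-separated group list into words.
    if in_list "$gs_group" $3; then
        echo active
        return 0
    fi
    gs_members=$(printf '%s' "$gs_entry" | cut -d: -f4 | tr ',' ' ')
    if in_list "$gs_user" $gs_members; then
        echo stale-session   # configured, but this login predates the change
    else
        echo missing
    fi
}

# Gather live values and report. Assumes getent and pgrep are installed.
preflight() {
    pf_user=$(id -un)
    pf_entry=$(getent group pkcs11 2>/dev/null || true)
    case $(group_state "$pf_user" pkcs11 "$(id -Gn)" "$pf_entry") in
        active)        echo "OK:  $pf_user has pkcs11 in this session" ;;
        stale-session) echo "FIX: $pf_user is listed in pkcs11 but this session predates it; log out and back in" ;;
        missing)       echo "FIX: $pf_user is not a member of pkcs11" ;;
    esac
    if pgrep -x pkcsslotd >/dev/null 2>&1; then
        echo "OK:  pkcsslotd is running"
    else
        echo "FIX: pkcsslotd is not running"
    fi
}

if [ "${1:-}" = "--live" ]; then
    preflight
else
    # Constructed sample: alex was added to pkcs11 after logging in.
    echo "sample: $(group_state alex pkcs11 'alex wheel' 'pkcs11:x:493:root,alex')"
fi
```

Run with `--live` on the affected machine; without arguments it only evaluates the constructed sample.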
From: Alexander L. (aloukiss) <alo...@ci...> - 2010-07-20 16:08:05

Yup, there's a message saying:

openCryptokiModule[2051]: api_interface.c:3397 Cannot Attach to Shared Memory

This appears each time I run the tpmtoken_init command.

Alex

-----Original Message-----
From: Kent Yoder [mailto:shp...@gm...]
Sent: Tuesday, July 20, 2010 9:04 AM
To: Alexander Loukissas (aloukiss)
Cc: Klaus Heinrich Kiwi; ope...@li...
Subject: Re: [opencryptoki-users] error initializing token

Are there any messages in /var/log/messages?

If you've installed packages from a distro, can you install the debugging rpms, export PKCS11_API_LOG_DEBUG=1, then try again and see if anything is logged.

If you've installed from source, you'd need to configure --enable-debug, then make, make install and export the env var above.

From: Kent Y. <shp...@gm...> - 2010-07-20 16:04:29

Are there any messages in /var/log/messages?

If you've installed packages from a distro, can you install the debugging rpms, export PKCS11_API_LOG_DEBUG=1, then try again and see if anything is logged.

If you've installed from source, you'd need to configure --enable-debug, then make, make install and export the env var above.

2010/7/20 Alexander Loukissas (aloukiss) <alo...@ci...>:
> Both of these are true already, but still the error appears.
>
> Alex

From: Alexander L. (aloukiss) <alo...@ci...> - 2010-07-20 15:54:20

Both of these are true already, but still the error appears.

Alex

-----Original Message-----
From: Kent Yoder [mailto:shp...@gm...]
Sent: Tuesday, July 20, 2010 8:24 AM
To: Alexander Loukissas (aloukiss)
Cc: Klaus Heinrich Kiwi; ope...@li...
Subject: Re: [opencryptoki-users] error initializing token

Hi Alex,

Make sure pkcsslotd is running and that the user executing this command is a member of the pkcs11 group.

Kent

From: Kent Y. <shp...@gm...> - 2010-07-20 15:23:57

Hi Alex,

Make sure pkcsslotd is running and that the user executing this command is a member of the pkcs11 group.

Kent

On Tue, Jul 20, 2010 at 9:48 AM, Alexander Loukissas (aloukiss) <alo...@ci...> wrote:
> Thanks Klaus,
>
> I've actually tried doing what you've suggested but I still can't make it to work. In more detail, I get an error message when running the tpmtoken_init: C_Initialize failed: 0x00000002 (2).
>
> Any ideas on that?
>
> Thanks
> Alex

From: Alexander L. (aloukiss) <alo...@ci...> - 2010-07-20 14:56:07

Thanks Klaus,

I've actually tried doing what you've suggested but I still can't make it to work. In more detail, I get an error message when running the tpmtoken_init: C_Initialize failed: 0x00000002 (2).

Any ideas on that?

Thanks
Alex

-----Original Message-----
From: Klaus Heinrich Kiwi [mailto:kl...@li...]
Sent: Monday, July 19, 2010 6:47 PM
To: Alexander Loukissas (aloukiss)
Cc: ope...@li...
Subject: Re: [opencryptoki-users] error initializing token

Hi Alexander. Thank you for your contact.

Please try these instructions and let us know:
http://trousers.sourceforge.net/pkcs11.html

Basically, you'll need to set the SRK passphrase in your TPM to the "well-known password" (or something like it), that is, all zeros (there are switches for that in the tpm tools - see their man pages).

After that, use "tpmtoken_init" to initialize token.

We know it's counter-intuitive to not use the pkcsconf utility like we are able to in other tokens, but currently, due to the way the tpm token is built, we have no way of doing that relying solely on the PKCS#11 API.

-Klaus

--
Klaus Heinrich Kiwi | kl...@br...
IBM LTC Security Development | http://blog.klauskiwi.com
http://www.ibm.com/linux/ltc | http://www.ratliff.net/blog

From: Klaus H. K. <kl...@li...> - 2010-07-20 11:03:43

On Mon, 2010-07-19 at 17:18 -0500, Alexander Loukissas (aloukiss) wrote:
> Hello,
>
> I've been playing around with opencryptoki and I've been seeing some
> issues initializing the TPM token (token #0) on my machine. When running
> "pkcsconf -I -c 0", I enter "87654321" as the SO PIN but I get "Error
> initializing token: 0xA4". Looking up the header files in the
> opencryptoki package, I found that this error corresponds to a
> "CKR_PIN_LOCKED" error in usr/include/pkcs11/pkcs11types.h
>
> In more detail, I do exactly what is described here:
> http://www.mail-archive.com/lin...@vm.../msg53084.html
>
> When trying the exact same steps for the soft token (token #1), all
> succeeds and I end up with the (correct) flags 0x44D on that token.
>
> Would anyone have an idea where this problem could be coming from? I've
> tried to clear out the TPM entirely from the BIOS, reclaim ownership,
> etc, but it didn't help.
>
> For reference, I'm using an Intel DQ57TM motherboard with an on-board
> TPM and Fedora Core 13.

Hi Alexander. Thank you for your contact.

Please try these instructions and let us know:
http://trousers.sourceforge.net/pkcs11.html

Basically, you'll need to set the SRK passphrase in your TPM to the "well-known password" (or something like it), that is, all zeros (there are switches for that in the tpm tools - see their man pages).

After that, use "tpmtoken_init" to initialize token.

We know it's counter-intuitive to not use the pkcsconf utility like we are able to in other tokens, but currently, due to the way the tpm token is built, we have no way of doing that relying solely on the PKCS#11 API.

-Klaus

> Thanks,
>
> Alexander Loukissas

--
Klaus Heinrich Kiwi | kl...@br...
IBM LTC Security Development | http://blog.klauskiwi.com
http://www.ibm.com/linux/ltc | http://www.ratliff.net/blog

From: Alexander L. (aloukiss) <alo...@ci...> - 2010-07-19 22:18:33

Hello,

I've been playing around with opencryptoki and I've been seeing some issues initializing the TPM token (token #0) on my machine. When running "pkcsconf -I -c 0", I enter "87654321" as the SO PIN but I get "Error initializing token: 0xA4". Looking up the header files in the opencryptoki package, I found that this error corresponds to a "CKR_PIN_LOCKED" error in usr/include/pkcs11/pkcs11types.h

In more detail, I do exactly what is described here:
http://www.mail-archive.com/lin...@vm.../msg53084.html

When trying the exact same steps for the soft token (token #1), all succeeds and I end up with the (correct) flags 0x44D on that token.

Would anyone have an idea where this problem could be coming from? I've tried to clear out the TPM entirely from the BIOS, reclaim ownership, etc, but it didn't help.

For reference, I'm using an Intel DQ57TM motherboard with an on-board TPM and Fedora Core 13.

Thanks,

Alexander Loukissas

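The numeric values quoted in this thread (token flags 0x44D, return codes 0xA4 and 0x00000002) decoded with the constants of the PKCS#11 specification, including a check of the PIN-lock bits in the token flags. This is an added example, not code from the posts or from opencryptoki; the function names are hypothetical and 0x40044D is a constructed value.

```shell
#!/bin/sh
# Added example (not opencryptoki code): decode PKCS#11 values seen in the
# thread. Constant values are those of the PKCS#11 specification.

# CK_TOKEN_INFO.flags bits, ascending.
TOKEN_FLAG_TABLE='0x00000001 CKF_RNG
0x00000002 CKF_WRITE_PROTECTED
0x00000004 CKF_LOGIN_REQUIRED
0x00000008 CKF_USER_PIN_INITIALIZED
0x00000020 CKF_RESTORE_KEY_NOT_NEEDED
0x00000040 CKF_CLOCK_ON_TOKEN
0x00000100 CKF_PROTECTED_AUTHENTICATION_PATH
0x00000200 CKF_DUAL_CRYPTO_OPERATIONS
0x00000400 CKF_TOKEN_INITIALIZED
0x00000800 CKF_SECONDARY_AUTHENTICATION
0x00010000 CKF_USER_PIN_COUNT_LOW
0x00020000 CKF_USER_PIN_FINAL_TRY
0x00040000 CKF_USER_PIN_LOCKED
0x00080000 CKF_USER_PIN_TO_BE_CHANGED
0x00100000 CKF_SO_PIN_COUNT_LOW
0x00200000 CKF_SO_PIN_FINAL_TRY
0x00400000 CKF_SO_PIN_LOCKED
0x00800000 CKF_SO_PIN_TO_BE_CHANGED'

# decode_token_flags VALUE -> names of the set bits; undefined bits are
# reported as UNKNOWN(0x..) instead of being silently dropped.
decode_token_flags() {
    value=$(( $1 ))
    rest=$value
    out=
    while read -r mask name; do
        if [ $(( $value & $mask )) -ne 0 ]; then
            out="${out:+$out }$name"
            rest=$(( $rest & ~$mask ))
        fi
    done <<EOF
$TOKEN_FLAG_TABLE
EOF
    if [ "$rest" -ne 0 ]; then
        out="${out:+$out }UNKNOWN($(printf '0x%X' "$rest"))"
    fi
    echo "$out"
}

# pin_lock_state VALUE -> which PINs the token flags report as locked.
pin_lock_state() {
    value=$(( $1 ))
    state=
    if [ $(( $value & 0x00400000 )) -ne 0 ]; then state="so-locked"; fi
    if [ $(( $value & 0x00040000 )) -ne 0 ]; then state="${state:+$state }user-locked"; fi
    echo "${state:-unlocked}"
}

# ckr_name VALUE -> symbolic CK_RV name for a few common return codes.
ckr_name() {
    case $(( $1 )) in
        0)   echo CKR_OK ;;
        2)   echo CKR_HOST_MEMORY ;;
        5)   echo CKR_GENERAL_ERROR ;;
        6)   echo CKR_FUNCTION_FAILED ;;
        160) echo CKR_PIN_INCORRECT ;;
        164) echo CKR_PIN_LOCKED ;;
        400) echo CKR_CRYPTOKI_NOT_INITIALIZED ;;
        *)   printf 'unknown CK_RV 0x%X\n' "$(( $1 ))" ;;
    esac
}

echo "soft token flags 0x44D     -> $(decode_token_flags 0x44D)"
echo "PIN lock bits in 0x44D     -> $(pin_lock_state 0x44D)"
echo "pkcsconf error 0xA4        -> $(ckr_name 0xA4)"
echo "C_Initialize 0x00000002    -> $(ckr_name 0x00000002)"
```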
From: Klaus H. K. <kl...@li...> - 2010-05-04 17:30:40

I'm applying any new opencryptoki changes to the opencryptoki-next branch here:
http://opencryptoki.git.sourceforge.net/git/gitweb.cgi?p=opencryptoki/opencryptoki;a=shortlog;h=refs/heads/opencryptoki-next

This branch has a refactored build configuration (autoconf, automake) that still needs some testing before I merge it to 'master'. But while we're not there yet, please submit patches using this tree.

-Klaus

--
Klaus Heinrich Kiwi | kl...@br... | http://blog.klauskiwi.com
Open Source Security blog : http://www.ratliff.net/blog
IBM Linux Technology Center : http://www.ibm.com/linux/ltc

From: Rajiv A. <sr...@li...> - 2009-10-20 12:57:19

Thanks David, it's upstream now.

Rajiv Andrade
IBM LTC Security Development

On Tue, 2009-10-20 at 18:32 +0900, David Smith wrote:
> Hi opencryptoki devs,
>
> I found a bug in opencryptoki related to cached SRK & public/private
> root/leaf keys when a caller attempts to close and open a new TPM
> session in one process. I've attached a patch.
>
> In the TPM backend, the global references to the SRK & public/private
> root/leaf keys can become stale when the TSP context is closed. The
> patch just sets them all to NULL in token_specific_final().
>
> Please take a look,
> - dds

From: David S. <dav...@gm...> - 2009-10-20 09:33:08

Hi opencryptoki devs,

I found a bug in opencryptoki related to cached SRK & public/private root/leaf keys when a caller attempts to close and open a new TPM session in one process. I've attached a patch.

In the TPM backend, the global references to the SRK & public/private root/leaf keys can become stale when the TSP context is closed. The patch just sets them all to NULL in token_specific_final().

Please take a look,
- dds

From: Klaus H. K. <kl...@li...> - 2009-09-09 11:19:47

On 09/08/2009 10:53 PM, mark.wen wrote:
> Hi~ Klaus
> Thanks for your reply. You mean the files (PRIVATE_ROOT_KEY.pem,
> PUBLIC_ROOT_KEY.pem) will be produced automatically after executing
> tpmtoken_init. Am I right?

Yes. tpmtoken_init should create the files under <prefix>/var/lib/opencryptoki/tpm/$USER. Those keys are only there for migration purposes (so you could migrate this directory to another system and still use the PKCS#11 datastore). You *can* move them to a safer storage in case you want to avoid brute force attacks against those keys.

Please refer to http://trousers.sourceforge.net/pkcs11.html for more info.

-Klaus

--
Klaus Heinrich Kiwi | kl...@br... | http://blog.klauskiwi.com
Open Source Security blog : http://www.ratliff.net/blog
IBM Linux Technology Center : http://www.ibm.com/linux/ltc

From: Rajiv A. <sr...@li...> - 2009-09-09 02:00:37
|
> > 8. initial the token (tpm_takeownership)
> >
> Be sure too to set the SRK password to the well-known one:
> tpm_takeownership -z
>
> There's no need to clear the TPM if you didn't set the well-known secret
> earlier, just call tpm_changeauth -s -r to change SRK password to the 20
> bytes of zeros.

Correcting myself here, it's tpm_changeownerauth.

Rajiv
|
From: Rajiv A. <sr...@li...> - 2009-09-09 01:57:36
|
Hello,

On Mon, 2009-09-07 at 18:02 +0800, mark.wen wrote:
> hi~ guys
>
> I have a project which uses infineon tpm to encrypt the file. I refer
> to much more references from internet. using tpmtoken_init to
> initialize the tpm pkcs#11 data store. Unfortunately, I can't find
> any rsa key pair in /usr/local/var/lib/opencryptoki/tpm/$USER. I
> don't know how to import the rsa key pair using tpmtoken_import.
> Could you give me some comment. thank you very much. Installing steps
> is below.
>
> 1. Enable bios tpm function.
>
> 2. Setup TrouSerS-0.3.2
>
> 3. Setup opencryptoki-2.2.6 ( libica can not be installed in system
> but opencryptoki still can be installed ) (configure: error: ***
> Unable to find linux/icaioctl.h )
>

Be sure, as I mentioned in another thread, to enable the tpm token compilation,
./configure --enable-tpmtok

To confirm this, can you tell us the pkcsconf -t output?

> 4. Setup tpm-tools-1.3.1
>
> 5. insmod tpm module (modprobe tpm_infineon)
>
> 6. using tpm_version to check tpm is working.
>
> 7. executing the daemon (tcsd)
>
> 8. initial the token (tpm_takeownership)
>

Be sure too to set the SRK password to the well-known one:
tpm_takeownership -z

There's no need to clear the TPM if you didn't set the well-known secret earlier, just call tpm_changeauth -s -r to change SRK password to the 20 bytes of zeros. It is needed cut the step in the PKCS#11 related code when providing this secret, step that isn't feasible to implement cleanly in using PKCS#11 API.

> 9. add the user in pkcs11 group
>
> 10. Initialize PKCS11 for opencryptoki (/usr/local/sbin/pkcs11_startup)
>
> 11. Start the daemon for PKCS slot (/etc/init.d/pkcsslotd start)
>
> 12. tpmtoken_init

Let us know if you get any success here, also using the information sent by Klaus contained at http://trousers.sourceforge.net/pkcs11.html

Thanks,
Rajiv Andrade
IBM LTC Security Development
|
From: Klaus H. K. <kl...@li...> - 2009-09-08 21:34:30
|
On 09/07/2009 07:02 AM, mark.wen wrote:
> hi~ guys
>
> I have a project which uses infineon tpm to encrypt the file. I refer to
> much more references from internet. using tpmtoken_init to initialize
> the tpm pkcs#11 data store. Unfortunately, I can't find any rsa key
> pair in /usr/local/var/lib/opencryptoki/tpm/$USER. I don't know how to
> import the rsa key pair using tpmtoken_import. Could you give me some
> comment. thank you very much. Installing steps is below.

Mark,

I just replied to a similar request from Nicolas Munoz on this same list. I was able to find the keys in /var/lib/opencryptoki/tpm/root:

root@klausk-laptop:/var/lib/opencryptoki/tpm/root# ls -la
total 112
drwx------ 3 root root    4096 2009-09-08 18:01 .
drwxrwxr-x 3 root pkcs11  4096 2009-09-08 17:58 ..
-rw------- 1 root root     232 2009-09-08 18:01 NVTOK.DAT
-rw------- 1 root root    1766 2009-09-08 18:01 PRIVATE_ROOT_KEY.pem
-rw------- 1 root root    1766 2009-09-08 18:00 PUBLIC_ROOT_KEY.pem
-rwx------ 1 root root   82168 2009-09-08 18:15 .stmapfile
drwx------ 2 root root    4096 2009-09-08 18:01 TOK_OBJ
root@klausk-laptop:/var/lib/opencryptoki/tpm/root#

Like instructed in http://trousers.sourceforge.net/pkcs11.html, I could decrypt the keys using:

openssl rsa -in PRIVATE_ROOT_KEY.pem <passphrase is USER PIN>
openssl rsa -in PUBLIC_ROOT_KEY.pem <passphrase is SO PIN>

I suppose tpmtoken_import

> 1. Enable bios tpm function.
>
> 2. Setup TrouSerS-0.3.2
>
> 3. Setup opencryptoki-2.2.6 ( libica can not be installed in system but
> opencryptoki still can be installed ) (configure: error: *** Unable to
> find linux/icaioctl.h )
>
> 4. Setup tpm-tools-1.3.1
>
> 5. insmod tpm module (modprobe tpm_infineon)
>
> 6. using tpm_version to check tpm is working.
>
> 7. executing the daemon (tcsd)
>
> 8. initial the token (tpm_takeownership)
>
> 9. add the user in pkcs11 group
>
> 10. Initialize PKCS11 for opencryptoki (/usr/local/sbin/pkcs11_startup)
>
> 11. Start the daemon for PKCS slot (/etc/init.d/pkcsslotd start)
>
> 12. tpmtoken_init
>

--
Klaus Heinrich Kiwi | kl...@br... | http://blog.klauskiwi.com
Open Source Security blog : http://www.ratliff.net/blog
IBM Linux Technology Center : http://www.ibm.com/linux/ltc
|
From: mark.wen <mar...@ad...> - 2009-09-07 11:01:35
|
hi~ guys

I have a project which uses infineon tpm to encrypt the file. I refer to much more references from internet. using tpmtoken_init to initialize the tpm pkcs#11 data store. Unfortunately, I can't find any rsa key pair in /usr/local/var/lib/opencryptoki/tpm/$USER. I don't know how to import the rsa key pair using tpmtoken_import. Could you give me some comment. thank you very much. Installing steps is below.

1. Enable bios tpm function.
2. Setup TrouSerS-0.3.2
3. Setup opencryptoki-2.2.6 ( libica can not be installed in system but opencryptoki still can be installed ) (configure: error: *** Unable to find linux/icaioctl.h )
4. Setup tpm-tools-1.3.1
5. insmod tpm module (modprobe tpm_infineon)
6. using tpm_version to check tpm is working.
7. executing the daemon (tcsd)
8. initial the token (tpm_takeownership)
9. add the user in pkcs11 group
10. Initialize PKCS11 for opencryptoki (/usr/local/sbin/pkcs11_startup)
11. Start the daemon for PKCS slot (/etc/init.d/pkcsslotd start)
12. tpmtoken_init

Thanks
Mark.wen
|
From: Klaus H. K. <kl...@li...> - 2009-08-27 18:23:08
|
Marc Kaeser wrote:
> root@lenovo:/usr/sbin# ./pkcsconf -t
> LOG_DEBUG TSPI rpc/tcstp/rpc.c:362 Sending TSP packet to host localhost.
> LOG_DEBUG TSPI rpc/tcstp/rpc.c:377 Connecting to 127.0.0.1
> LOG_DEBUG TSPI rpc/tcstp/rpc_context.c:44 RPC_OpenContext_TP: Received
> TCS Context: 0xa0e6c901
> Token #0 Info:
> Label: TestToken
> Manufacturer: IBM Corp.
> Model: TPM v1.1 Token
> Serial Number: 123
> Flags: 0x880445
> (RNG|LOGIN_REQUIRED|CLOCK_ON_TOKEN|TOKEN_INITIALIZED|USER_PIN_TO_BE_CHANGED|SO_PIN_TO_BE_CHANGED)
>
> Sessions: -1/-1
> R/W Sessions: -1/-1
> PIN Length: 6-127
> Public Memory: 0xFFFFFFFF/0xFFFFFFFF
> Private Memory: 0xFFFFFFFF/0xFFFFFFFF
> Hardware Version: 1.0
> Firmware Version: 1.0
> Time: 11:00:55 PM
> Token #1 Info:
> Label: IBM OS PKCS#11
> Manufacturer: IBM Corp.
> Model: IBM SoftTok
> Serial Number: 123
> Flags: 0x880045
> (RNG|LOGIN_REQUIRED|CLOCK_ON_TOKEN|USER_PIN_TO_BE_CHANGED|SO_PIN_TO_BE_CHANGED)
>
> Sessions: -1/-1
> R/W Sessions: -1/-1
> PIN Length: 4-8
> Public Memory: 0xFFFFFFFF/0xFFFFFFFF
> Private Memory: 0xFFFFFFFF/0xFFFFFFFF
> Hardware Version: 1.0
> Firmware Version: 1.0
> Time: 11:00:55 PM
> LOG_DEBUG TSPI rpc/tcstp/rpc_context.c:60 RPC_CloseContext_TP: TCS
> Context: 0xa0e6c901
> root@lenovo:/usr/sbin# ./pkcsconf -s
> LOG_DEBUG TSPI rpc/tcstp/rpc.c:362 Sending TSP packet to host localhost.
> LOG_DEBUG TSPI rpc/tcstp/rpc.c:377 Connecting to 127.0.0.1
> LOG_DEBUG TSPI rpc/tcstp/rpc_context.c:44 RPC_OpenContext_TP: Received
> TCS Context: 0xa0e60102
> Slot #0 Info
> Description: Linux 2.6.28.9 Linux (TPM)
> Manufacturer: Linux 2.6.28.9
> Flags: 0x5 (TOKEN_PRESENT|HW_SLOT)
> Hardware Version: 0.0
> Firmware Version: 1.1
> Slot #1 Info
> Description: Linux 2.6.28.9 Linux (Soft)
> Manufacturer: Linux 2.6.28.9
> Flags: 0x1 (TOKEN_PRESENT)
> Hardware Version: 0.0
> Firmware Version: 1.1
> LOG_DEBUG TSPI rpc/tcstp/rpc_context.c:60 RPC_CloseContext_TP: TCS
> Context: 0xa0e60102

Note that you have both the TPM token and the software token enabled. The PKCS#11 interface is able to advertise both, it will depend on NSS to choose which to use.

Also note that both tokens need to be initialized and have their User and Security Officer PINs changed (USER_PIN_TO_BE_CHANGED and SO_PIN_TO_BE_CHANGED flags) you can do it using pkcsconf:

Initialize the token:
pkcsconf -c 0 -I

Initialize SO pin (note that the default SO PIN is 87654321):
pkcsconf -c 0 -P

Initialize User pin (use the SO PIN you just defined above):
pkcsconf -c 0 -u

Do the same for the software token (pkcsconf -c 1 ...) if you'd like to use it as well.

After all is done, you should see something like the following with pkcsconf -t:

klaus@klausk:~$ /usr/sbin/pkcsconf -t
Token #1 Info:
Label: KlausK Tests Token
Manufacturer: IBM Corp.
Model: IBM SoftTok
Serial Number: 123
Flags: 0x44D (RNG|LOGIN_REQUIRED|USER_PIN_INITIALIZED|CLOCK_ON_TOKEN|TOKEN_INITIALIZED)
Sessions: -1/-1
R/W Sessions: -1/-1
PIN Length: 4-8
Public Memory: 0xFFFFFFFF/0xFFFFFFFF
Private Memory: 0xFFFFFFFF/0xFFFFFFFF
Hardware Version: 1.0
Firmware Version: 1.0
Time: 03:21:15 PM

(and the same for the TPM token)

Note the TOKEN_INITIALIZED flag, and also that *_PIN_TO_BE_CHANGED flags are gone.

Let us know of your results.

-Klaus

--
Klaus Heinrich Kiwi | kl...@br... | http://blog.klauskiwi.com
Open Source Security blog : http://www.ratliff.net/blog
IBM Linux Technology Center : http://www.ibm.com/linux/ltc
|
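An added example, not part of the thread or of openCryptoki: the Flags value that pkcsconf -t prints is the PKCS#11 CK_TOKEN_INFO flags bitmask, so it can be decoded and checked against the initialization steps listed in the message above. The function names, the abridged sample output (constructed from the transcript quoted above) and the rule mapping flags to outstanding pkcsconf steps are assumptions of this example.

```python
import re

# CK_TOKEN_INFO.flags bits (CKF_* values from the PKCS#11 specification).
CKF = {
    0x1: "RNG", 0x2: "WRITE_PROTECTED", 0x4: "LOGIN_REQUIRED",
    0x8: "USER_PIN_INITIALIZED", 0x20: "RESTORE_KEY_NOT_NEEDED",
    0x40: "CLOCK_ON_TOKEN", 0x100: "PROTECTED_AUTHENTICATION_PATH",
    0x200: "DUAL_CRYPTO_OPERATIONS", 0x400: "TOKEN_INITIALIZED",
    0x10000: "USER_PIN_COUNT_LOW", 0x20000: "USER_PIN_FINAL_TRY",
    0x40000: "USER_PIN_LOCKED", 0x80000: "USER_PIN_TO_BE_CHANGED",
    0x100000: "SO_PIN_COUNT_LOW", 0x200000: "SO_PIN_FINAL_TRY",
    0x400000: "SO_PIN_LOCKED", 0x800000: "SO_PIN_TO_BE_CHANGED",
}

def decode_flags(value):
    """Names of the set bits, lowest bit first; unknown bits shown as hex."""
    return [CKF.get(1 << i, hex(1 << i))
            for i in range(value.bit_length()) if value >> i & 1]

def parse_tokens(text):
    """Pull slot number, label and flags out of `pkcsconf -t` output."""
    tokens = []
    for raw in text.splitlines():
        line = raw.strip()
        head = re.match(r"Token #(\d+) Info:", line)
        flags = re.match(r"Flags:\s*(0x[0-9A-Fa-f]+)", line)
        if head:
            tokens.append({"slot": int(head.group(1)), "label": "", "flags": 0})
        elif tokens and line.startswith("Label:"):
            tokens[-1]["label"] = line.split(":", 1)[1].strip()
        elif tokens and flags:
            tokens[-1]["flags"] = int(flags.group(1), 16)
    return tokens  # LOG_DEBUG and other lines are ignored

def pending_steps(token):
    """pkcsconf steps from the message above that the flags show as not done."""
    names = set(decode_flags(token["flags"]))
    slot, steps = token["slot"], []
    if "TOKEN_INITIALIZED" not in names:
        steps.append(f"pkcsconf -c {slot} -I")  # initialize the token
    if "SO_PIN_TO_BE_CHANGED" in names:
        steps.append(f"pkcsconf -c {slot} -P")  # set the SO PIN
    if "USER_PIN_TO_BE_CHANGED" in names or "USER_PIN_INITIALIZED" not in names:
        steps.append(f"pkcsconf -c {slot} -u")  # set the user PIN
    return steps

# Constructed sample: abridged from the pkcsconf -t output quoted above.
SAMPLE = """\
LOG_DEBUG TSPI rpc/tcstp/rpc.c:377 Connecting to 127.0.0.1
Token #0 Info:
    Label: TestToken
    Model: TPM v1.1 Token
    Flags: 0x880445
Token #1 Info:
    Label: IBM OS PKCS#11
    Model: IBM SoftTok
    Flags: 0x880045
"""

if __name__ == "__main__":
    for tok in parse_tokens(SAMPLE):
        print(tok["slot"], tok["label"], decode_flags(tok["flags"]), pending_steps(tok))
```
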
From: Klaus H. K. <kl...@li...> - 2009-08-27 17:09:46
|
Marc Kaeser wrote:
> Hello Klaus,
>
> I tried to find those software tokens so I can test where the problem
> comes from. Unfortunately I haven't been able to find that software
> "emulating" a token. You talk about ica_tok or swtok, but where can I
> find those software-tokens? Do they come with another module for
> Firefox? Google doesn't find anything about "ica_tok" and a search using
> "swtok" (by the way, does that name mean "software token"?) as string
> doesn't help very much.

Marc,

from my understanding, you were using opencryptoki as the PKCS#11 provider for NSS. Opencryptoki provides a PKCS#11 layer for accessing cryptographic hardware that doesn't come with a native PKCS#11 interface (think of it as a 'translation' library). In addition to a TPM token, opencryptoki also supports other token types as well:

* ICA (IBM Cryptographic Accelerator) - aimed at s390x-specific hardware, but also supports software fallback since 1.3.9
* CCA (Secure Key token) - same as ICA, but proprietary
* software token - if I remember correctly, using OpenSSL

> If I understand that correctly, I have to "load" another token into
> another slot (using swtok or ica_tok) to see if cryptoki slotdaemon
> finds it, and if it does, look if I can import the matching module in
> Firefox?

I'm not sure if opencryptoki as shipped by the distros has the software token enabled (I know Ubuntu has), but you could download the latest opencryptoki from https://sourceforge.net/projects/opencryptoki/ and build it with the software token enabled.

After that, make sure you have the software token configured correctly (that's usually done using pkcs11_startup automatically), initialize the token using pkcsconf (see help) and point firefox to use the PKCS#11 library ({prefix}/lib/pkcs11/PKCS11_API.so)

Tell us of your results.

-Klaus

--
Klaus Heinrich Kiwi | kl...@br... | http://blog.klauskiwi.com
Open Source Security blog : http://www.ratliff.net/blog
IBM Linux Technology Center : http://www.ibm.com/linux/ltc
|
From: Nelson C. <nel...@gm...> - 2009-08-07 20:16:05
|
On Fri, Aug 7, 2009 at 2:03 PM, Klaus Heinrich Kiwi<kl...@li...> wrote:
> Nelson Castillo wrote:
>>
>> On Fri, Aug 7, 2009 at 7:13 AM, Rajiv Andrade<sr...@li...>
>> wrote:
>>>
>>> Hello Nelson,
>>>
>>> When detailing it can you mention which token you're having problems
>>> with and also the openCryptoki version?
>>>
>>> Please post too the results shown when running
>>> opencryptoki.source/testcases/driver/aes_tests
>>
>> Rajiv and Klaus, thanks for your answers.
>>
>> I'm using the soft-token and Opencryptoki from Debian Lenny.
>>
>> I had a fun bug. The memory of the initialization vector no longer
>> belonged to me and different things happened with that memory on
>> different platforms.
>>
>> After fixing the bug the results were consistent.
>
> Nelson,
>
> would you care to provide the fix upstream? Don't worry about formatting a
> proper patch now if you don't feel comfortable. Just a high-level overview
> of what was the problem and the solution would help us in delivering you
> better code in the future.

Oh, the error was in my code :-)

If I ever manage to find something I'll send the patch or the report.

Nelson.-
|
From: Klaus H. K. <kl...@li...> - 2009-08-07 19:03:30
|
Nelson Castillo wrote:
> On Fri, Aug 7, 2009 at 7:13 AM, Rajiv Andrade<sr...@li...> wrote:
>> Hello Nelson,
>>
>> When detailing it can you mention which token you're having problems
>> with and also the openCryptoki version?
>>
>> Please post too the results shown when running
>> opencryptoki.source/testcases/driver/aes_tests
>
> Rajiv and Klaus, thanks for your answers.
>
> I'm using the soft-token and Opencryptoki from Debian Lenny.
>
> I had a fun bug. The memory of the initialization vector no longer
> belonged to me and different things happened with that memory on
> different platforms.
>
> After fixing the bug the results were consistent.

Nelson,

would you care to provide the fix upstream? Don't worry about formatting a proper patch now if you don't feel comfortable. Just a high-level overview of what was the problem and the solution would help us in delivering you better code in the future.

Thanks,

-Klaus
|
From: Nelson C. <nel...@gm...> - 2009-08-07 16:47:41
|
On Fri, Aug 7, 2009 at 7:13 AM, Rajiv Andrade<sr...@li...> wrote:
> Hello Nelson,
>
> When detailing it can you mention which token you're having problems
> with and also the openCryptoki version?
>
> Please post too the results shown when running
> opencryptoki.source/testcases/driver/aes_tests

Rajiv and Klaus, thanks for your answers.

I'm using the soft-token and Opencryptoki from Debian Lenny.

I had a fun bug. The memory of the initialization vector no longer belonged to me and different things happened with that memory on different platforms.

After fixing the bug the results were consistent.

Cheers,
Nelson.-
|
From: Rajiv A. <sr...@li...> - 2009-08-07 12:40:04
|
Hello Nelson,

When detailing it can you mention which token you're having problems with and also the openCryptoki version?

Please post too the results shown when running opencryptoki.source/testcases/driver/aes_tests

Thanks,
Rajiv Andrade
IBM LTC Security Development

On Thu, 2009-08-06 at 16:10 -0300, Klaus Heinrich Kiwi wrote:
> > I'm using AES_CBC with the same key in two different machines (32 and 64 bits).
> >
> > In a encrypt/decrypt operation I get different results between
> > platforms with the same key/mechanism parameter.
> >
> > Is there anything I should worry about with 32/64 bits and endianness
> > among platforms?
>
> There shouldn't be a problem in that case, especially since endianness
> should be the same between 32/64 bit mode in the same platform.
>
> Endianness issues should become apparent if the code is running on both
> x86 and Power platforms, for instance.
>
> Would you mind detailing a bit better the problems you're seeing?
> Perhaps with a simple testcase?
>
> AES_CBC may be relying on endianness or integer size for padding, so it
> must be investigated.
>
> Thanks,
>
> -Klaus
|
From: Klaus H. K. <kl...@li...> - 2009-08-06 19:10:17
|
> I'm using AES_CBC with the same key in two different machines (32 and 64 bits).
>
> In a encrypt/decrypt operation I get different results between
> platforms with the same key/mechanism parameter.
>
> Is there anything I should worry about with 32/64 bits and endianness
> among platforms?

There shouldn't be a problem in that case, especially since endianness should be the same between 32/64 bit mode in the same platform.

Endianness issues should become apparent if the code is running on both x86 and Power platforms, for instance.

Would you mind detailing a bit better the problems you're seeing? Perhaps with a simple testcase?

AES_CBC may be relying on endianness or integer size for padding, so it must be investigated.

Thanks,

-Klaus
|
From: Nelson C. <nel...@gm...> - 2009-08-06 05:54:00
|
Hello there.

This might be more a PKCS#11 question than an Opencryptoki question. Since I'm using Opencryptoki I thought it would be OK to post here (please point me to a more suitable list if this is not the place to ask).

I'm using AES_CBC with the same key in two different machines (32 and 64 bits).

In a encrypt/decrypt operation I get different results between platforms with the same key/mechanism parameter.

Is there anything I should worry about with 32/64 bits and endianness among platforms?

Regards,
Nelson.-
|
From: Massimiliano P. <Mas...@Da...> - 2009-01-20 23:28:54
|
Hi all,

I am having some trouble with setting up the PKCS#11 interface with the TPM. What I have done so far:

- downloaded and installed the trousers project http://trousers.sourceforge.net
- downloaded and installed the opencryptoki-2.2.6
- downloaded and installed the TPM-TOOLS with pkcs11 support
- run sudo tcsd -f

At this point I was able to operate the TPM, take ownership, etc... Now, the documentation on how to use the opencryptoki with TPM is.. a little obscure. I used the tpm_takeownership, set the Owner password to <mypasswd> and I left the SRK password empty.

After looking at some documentation from IBM:

http://www.ibm.com/developerworks/linux/library/s-pkcs/

I found that the /usr/bin/pkcsslotd should be executed to provide the static memory for the tokens to work. I finally figured out how to set up the details of the PKCS#11 with pkcsconf, e.g.:

$ pkcsconf -c 0 -I
...
$ pkcsconf -c 0 -u

I can actually use the tpmtoken_init command, but I think I am not using the TPM at all.. how do I set up a slot that will use the TPM ????

Am I completely off the right path ? Please let me know...

--
Best Regards,

Massimiliano Pala

--o------------------------------------------------------------------------
Massimiliano Pala [OpenCA Project Manager]    Mas...@da...
                                              pro...@op...
Dartmouth Computer Science Dept               Home Phone: +1 (603) 369-9332
PKI/Trust Laboratory                          Work Phone: +1 (603) 646-9179
--o------------------------------------------------------------------------
People who think they know everything are a great annoyance to those of us who do.
                                                           -- Isaac Asimov
|