From: Douglas E. E. <dee...@an...> - 2013-02-18 20:37:19
Your solution below might work, but I would like others to comment on your
proposal as well.

On a different point, your first note says:

"This causes quite a problem in gnutls which has transparent smart card
support and calls C_Initialize on startup."

How transparent is this? How does gnutls find a PKCS#11 implementation?
Will gnutls try and load any and all PKCS#11 modules it finds?
Can it load more than one PKCS#11 module?

I ask this as just loading another PKCS#11 may include loading more
libraries, placing more of a dependency on all these libraries loading
correctly even when they are not used. The OpenSC PKCS#11 will include
OpenSSL for example. OpenSC will try and use pcscd as well.

I am asking this as adding "transparent smart card support" may not be as
transparent as you think.

I see in:
http://www.gnu.org/software/gnutls/manual/gnutls.html#Smart-cards-and-HSMs
is using /etc/pkcs11/modules a system wide file?

On 2/18/2013 2:11 PM, Nikos Mavrogiannopoulos wrote:
> On 02/18/2013 08:16 PM, Douglas E. Engert wrote:
>
>> I understand that card_detect may not be needed by C_Initialize,
>> and postponing the calling of card_detect till actually needed
>> would help in your situation.
>> But your patch does not appear to do that, it just removes
>> two calls to card_detect, and removes the call to sc_detect_card_presence.
>
> The call to sc_detect_card_presence seems superfluous since it is
> repeated in card_detect().
>
>> We need to make sure there are no code paths that avoid calling
>> the card_detect or rely on the results of one of the removed
>> card_detect calls. Either could result in not recognizing
>> a card is present, or some segfault if card_detect set some
>> values that other code is depending on.
>
> So in that case that should be called on every function except
> C_Initialize, C_GetSlotList, C_GetFunctionList, C_GetInfo,
> C_Finalize.
>
> However, several functions depend on a session being setup (so they
> would be fine if only C_OpenSession was detecting cards) that leaves us
> with:
>
> C_OpenSession, C_GetMechanismList, C_WaitForSlotEvent, C_GetTokenInfo,
> C_GetSlotInfo (I hope I'm not missing any here).
>
> Now:
> C_OpenSession, C_GetMechanismList, C_GetTokenInfo:
> call slot_get_token() which in turn calls card_detect().
>
> C_WaitForSlotEvent calls card_detect_all explicitly.
>
> C_GetSlotInfo: calls slot_get_slot() which doesn't seem to detect anything.
>
> So would calling card_detect_all() in C_GetSlotInfo (see patch) fulfill
> your concerns?
>
> regards,
> Nikos

--
Douglas E. Engert <DEE...@an...>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444

From: Toni S. - A. <dev...@av...> - 2013-02-18 20:15:42
Hi,

First of all, I'm sorry for the problems you got due to a change we did.
At the time, it seemed for me that the OpenSC's ECC parts were very
incomplete, especially key generation. We added these parts and tried to
interpret standards to get everything right.

I tried to look at the actual problem you got, but I cannot find the patch
you mentioned. Could you post a direct link to the pull request?

Kind regards,
Toni

> -----Original Message-----
> From: Andreas Schwier (ML) [mailto:and...@ca...]
> Sent: 15 February 2013 19:01
> To: Viktor Tarasov
> Cc: ope...@li...
> Subject: Re: [Opensc-devel] Last minute patching
>
> Dear Viktor,
>
> the patch is attached to the pending pull request for
> CardContact/OpenSC.
>
> Andreas
>
> On 15.02.2013 15:31, Viktor Tarasov wrote:
> > Hello,
> >
> > On Fri, Feb 15, 2013 at 2:41 PM, Andreas Schwier (ML)
> > <and...@ca... <mailto:and...@ca...>> wrote:
> >
> >     while doing some regression testing we've come across a problem that
> >     once working code broke apart immediately before the 0.13 release was
> >     finished.
> >
> >     We traced the problem down to a code change introduced by the MyEID
> >     ECDSA patch [1] that went into the 0.13 version as one of the very
> >     final patches.
> >
> >     Even though the code change is valid, it breaks existing code,
> >     rendering the ECDSA key generation for the SmartCard-HSM in the 0.13
> >     release pretty much useless.
> >
> > Sorry, for these problems.
> >
> >     Can we for the future agree, that we don't squeeze such a large code
> >     change in right before doing a release ?
> >
> > Yes, in the future we'll be less hazardous.
> >
> > This release was not as like the others -- first train after the long
> > interruption of traffic: many passengers, new locomotive, equipage
> > without experience, ...
> >
> >     We tested all the release candidates and they worked up and until the
> >     very last patch.
> >
> >     Andreas
> >
> > Kind regards,
> > Viktor.
> >
> >     [1] https://github.com/OpenSC/OpenSC/commit/457426543dfa02597895d57013dde94cc9e7d038

From: Nikos M. <n.m...@gm...> - 2013-02-18 20:12:02
On 02/18/2013 08:16 PM, Douglas E. Engert wrote:

> I understand that card_detect may not be needed by C_Initialize,
> and postponing the calling of card_detect till actually needed
> would help in your situation.
> But your patch does not appear to do that, it just removes
> two calls to card_detect, and removes the call to sc_detect_card_presence.

The call to sc_detect_card_presence seems superfluous since it is
repeated in card_detect().

> We need to make sure there are no code paths that avoid calling
> the card_detect or rely on the results of one of the removed
> card_detect calls. Either could result in not recognizing
> a card is present, or some segfault if card_detect set some
> values that other code is depending on.

So in that case that should be called on every function except
C_Initialize, C_GetSlotList, C_GetFunctionList, C_GetInfo,
C_Finalize.

However, several functions depend on a session being setup (so they
would be fine if only C_OpenSession was detecting cards) that leaves us
with:

C_OpenSession, C_GetMechanismList, C_WaitForSlotEvent, C_GetTokenInfo,
C_GetSlotInfo (I hope I'm not missing any here).

Now:
C_OpenSession, C_GetMechanismList, C_GetTokenInfo:
call slot_get_token() which in turn calls card_detect().

C_WaitForSlotEvent calls card_detect_all explicitly.

C_GetSlotInfo: calls slot_get_slot() which doesn't seem to detect anything.

So would calling card_detect_all() in C_GetSlotInfo (see patch) fulfill
your concerns?

regards,
Nikos

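The call-path question discussed in this thread, as an added model that is not OpenSC code and not the patch under review: initialization skips the slow card probe, and each entry point that reports card state has to trigger detection itself or it returns stale data. All `demo_*` names, the two-slot table and the return codes are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stdio.h>

/* Simplified model with hypothetical demo_* names; not OpenSC source. */
#define DEMO_SLOTS 2
#define DEMO_OK 0
#define DEMO_SLOT_ID_INVALID 1
#define DEMO_TOKEN_NOT_PRESENT 2
#define DEMO_FLAG_TOKEN_PRESENT 0x1u

struct demo_slot {
    bool card_inserted; /* physical reader state (constructed sample input) */
    unsigned flags;     /* what the module believes; set only by detection */
};

static struct demo_slot demo_slots[DEMO_SLOTS];
static int demo_detect_calls; /* each call stands for one slow card probe */

/* Probe one reader and refresh the module's view of it. */
static void demo_card_detect(int id)
{
    demo_detect_calls++;
    demo_slots[id].flags =
        demo_slots[id].card_inserted ? DEMO_FLAG_TOKEN_PRESENT : 0u;
}

static void demo_card_detect_all(void)
{
    for (int i = 0; i < DEMO_SLOTS; i++)
        demo_card_detect(i);
}

/* Put the model into a known state: which readers hold a card. */
void demo_reset(bool card0, bool card1)
{
    demo_slots[0] = (struct demo_slot){ card0, 0u };
    demo_slots[1] = (struct demo_slot){ card1, 0u };
    demo_detect_calls = 0;
}

int demo_detect_count(void) { return demo_detect_calls; }

/* Initialization: eager probes every reader, lazy probes none. */
int demo_initialize(bool eager)
{
    if (eager)
        demo_card_detect_all();
    return DEMO_OK;
}

/* Slot-info path. Without detect_first it only reads cached flags, so
 * after a lazy initialize it reports "no token" even with a card inserted.
 * Returns the flags, or ~0u for an invalid slot id. */
unsigned demo_slot_flags(int id, bool detect_first)
{
    if (id < 0 || id >= DEMO_SLOTS)
        return ~0u;
    if (detect_first)
        demo_card_detect_all();
    return demo_slots[id].flags;
}

/* Session path: always detects the requested slot before using it. */
int demo_open_session(int id)
{
    if (id < 0 || id >= DEMO_SLOTS)
        return DEMO_SLOT_ID_INVALID;
    demo_card_detect(id);
    return (demo_slots[id].flags & DEMO_FLAG_TOKEN_PRESENT)
               ? DEMO_OK
               : DEMO_TOKEN_NOT_PRESENT;
}

int main(void)
{
    demo_reset(true, false); /* constructed: card in slot 0 only */
    demo_initialize(false);
    printf("probes after lazy init: %d\n", demo_detect_count());
    printf("slot 0 flags, no detect: %u\n", demo_slot_flags(0, false));
    printf("slot 0 flags, detect first: %u\n", demo_slot_flags(0, true));
    printf("open session on slot 1: %d\n", demo_open_session(1));
    return 0;
}
```
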
From: Douglas E. E. <dee...@an...> - 2013-02-18 19:16:53
On 2/18/2013 12:35 PM, Nikos Mavrogiannopoulos wrote:
> On 02/18/2013 06:34 PM, Douglas E. Engert wrote:
>
>>> Hello,
>>> I've noticed that C_Initialize takes excessive time on the opensc
>>> pkcs11 module when a smart card is present. When no smart card is
>>> present everything is ok. This causes quite a problem in gnutls which
>>> has transparent smart card support and calls C_Initialize on startup. As
>>> a result, every application that uses gnutls gets 4-6 second delay on
>>> startup, irrespective on whether it will read that smart card or not.
>>>
>>> The attached patch seems to fix the initialization delays and the cards
>>> I have seem to work fine.
>>
>> With your mod in place, do smart cards still work with gnutls?
>>
>> The card-detect will have to be called sometime...
>
> Yes, but that should be when someone asks for a card. GnuTLS works fine
> with this patch, because the cards are detected in C_GetTokenInfo()
> which is the expected place.

I understand that card_detect may not be needed by C_Initialize,
and postponing the calling of card_detect till actually needed
would help in your situation.
But your patch does not appear to do that, it just removes
two calls to card_detect, and removes the call to sc_detect_card_presence.

We need to make sure there are no code paths that avoid calling
the card_detect or rely on the results of one of the removed
card_detect calls. Either could result in not recognizing
a card is present, or some segfault if card_detect set some
values that other code is depending on.

I don't believe that calling C_GetTokenInfo is a required call.
So depending on C_GetTokenInfo to do the card_detect is not good enough.

>
> regards,
> Nikos

--
Douglas E. Engert <DEE...@an...>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444

From: Nikos M. <n.m...@gm...> - 2013-02-18 18:36:11
On 02/18/2013 06:34 PM, Douglas E. Engert wrote:

>> Hello,
>> I've noticed that C_Initialize takes excessive time on the opensc
>> pkcs11 module when a smart card is present. When no smart card is
>> present everything is ok. This causes quite a problem in gnutls which
>> has transparent smart card support and calls C_Initialize on startup. As
>> a result, every application that uses gnutls gets 4-6 second delay on
>> startup, irrespective on whether it will read that smart card or not.
>>
>> The attached patch seems to fix the initialization delays and the cards
>> I have seem to work fine.
>
> With your mod in place, do smart cards still work with gnutls?
>
> The card-detect will have to be called sometime...

Yes, but that should be when someone asks for a card. GnuTLS works fine
with this patch, because the cards are detected in C_GetTokenInfo()
which is the expected place.

regards,
Nikos

From: Douglas E. E. <dee...@an...> - 2013-02-18 17:34:21
On 2/16/2013 6:40 PM, Nikos Mavrogiannopoulos wrote:
> Hello,
> I've noticed that C_Initialize takes excessive time on the opensc
> pkcs11 module when a smart card is present. When no smart card is
> present everything is ok. This causes quite a problem in gnutls which
> has transparent smart card support and calls C_Initialize on startup. As
> a result, every application that uses gnutls gets 4-6 second delay on
> startup, irrespective on whether it will read that smart card or not.
>
> The attached patch seems to fix the initialization delays and the cards
> I have seem to work fine.

With your mod in place, do smart cards still work with gnutls?

The card-detect will have to be called sometime...

>
> regards,
> Nikos

--
Douglas E. Engert <DEE...@an...>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444

From: Krzysztof R. <krz...@kr...> - 2013-02-18 16:51:36
Hi

Working on PKCS11 interface in my app I want to have one initialization of
libp11. So the question is: is PKCS11_CTX thread safe? If not, how to
operate in optimal I/O point (not to load module every time we need to
sign or decrypt something)?

Regards

From: Chris J A. <chr...@gm...> - 2013-02-18 15:21:47
On 02/17/2013 09:42 AM, Ludovic Rousseau wrote:
> 2013/2/13 Chris J Arges <chr...@gm...>:
>> On 02/13/2013 10:15 AM, Alon Bar-Lev wrote:
>>> Can you please attach the opensc debug log as well?
>>>
>>
>> Attached is a log from a different run, but the results were the same. I
>> can recollect all logs if necessary.
>
> The PKCS#11 functions from OpenSC all returned CKR_OK. In particular
> C_Sign() also returned CKR_OK.
> So at the OpenSC level everything looks fine.
>
> I have no idea what is wrong.
>

If you look earlier in this thread at log_openvpn.txt, you notice that
it stops at the following lines:

Wed Feb 13 09:51:06 2013 us=360891 TUN/TAP TX queue length set to 100
Wed Feb 13 09:51:06 2013 us=361004 do_ifconfig, tt->ipv6=0, tt->did_ifconfig_ipv6_setup=0
Wed Feb 13 09:51:06 2013 us=361083 /sbin/ifconfig tun0 10.9.8.18 pointopoint 10.9.8.17 mtu 1500
Wed Feb 13 09:51:06 2013 us=362387 PKCS#11: __pkcs11h_forkFixup entry pid=2475, activate_slotevent=1

This is where it hangs when trying to connect, and I have to kill
openvpn. This only happens when using libpcsclite1/libpcsclite-dev/pcscd
1.8.6, if I use 1.7.4 then it works (although I still have key
renegotiation problems).

For a more complete picture of this failure you can look at:
http://sourceforge.net/mailarchive/attachment.php?list_name=opensc-devel&message_id=511E99C3.9030505%40gmail.com&counter=1

Can anyone reproduce this issue with OpenVPN/Smartcards?

--chris

From: Andreas S. <and...@ca...> - 2013-02-18 10:48:50
Good morning,

for those of you interested in eID cards and ePassports conforming to
TR-03110, we've updated the simulation of the German eID card.

You find the details at http://www.openscdp.org/scripts/eID/index.html

Andreas

--
    ---------    CardContact Software & System Consulting
   |.##> <##.|   Andreas Schwier
   |#       #|   Schülerweg 38
   |#       #|   32429 Minden, Germany
   |'##> <##'|   Phone +49 571 56149
    ---------    http://www.cardcontact.de
                 http://www.tscons.de
                 http://www.openscdp.org

From: Ludovic R. <lud...@gm...> - 2013-02-17 15:42:34
2013/2/13 Chris J Arges <chr...@gm...>:
> On 02/13/2013 10:15 AM, Alon Bar-Lev wrote:
>> Can you please attach the opensc debug log as well?
>>
>
> Attached is a log from a different run, but the results were the same. I
> can recollect all logs if necessary.

The PKCS#11 functions from OpenSC all returned CKR_OK. In particular
C_Sign() also returned CKR_OK.
So at the OpenSC level everything looks fine.

I have no idea what is wrong.

Bye

--
Dr. Ludovic Rousseau

From: Nikos M. <nm...@gn...> - 2013-02-17 00:40:18
Hello,
I've noticed that C_Initialize takes excessive time on the opensc
pkcs11 module when a smart card is present. When no smart card is
present everything is ok. This causes quite a problem in gnutls which
has transparent smart card support and calls C_Initialize on startup. As
a result, every application that uses gnutls gets 4-6 second delay on
startup, irrespective on whether it will read that smart card or not.

The attached patch seems to fix the initialization delays and the cards
I have seem to work fine.

regards,
Nikos

From: Antonio R. <aru...@ya...> - 2013-02-16 23:08:12
Hi,
I'm owner of an Italian CIE issued in the past few months. I'm trying to
develop a service that uses it for authentication through a java applet,
my code is an open source project on SF ("authentic").

I can see all the files on the card as pkcs11 data objects, read
certificates, login on the card, but I have problems signing. Am I hitting
a bug or an unimplemented feature?

I've compiled the latest head version from GitHub.

This is the line I use for sign:

/src/tools/pkcs11-tool --module=src/pkcs11/.libs/opensc-pkcs11.so --slot-index 1 -v -l -p *my_pin* -m SHA1-RSA-PKCS -s -i README -o README1

and here are the logs of the signature part:

0x7f0482b13700 23:56:02.544 [opensc-pkcs11] padding.c:236:sc_pkcs1_encode: hash algorithm 0x20, pad algorithm 0x2
0x7f0482b13700 23:56:02.544 [opensc-pkcs11] padding.c:259:sc_pkcs1_encode: returning with: 0 (Success)
0x7f0482b13700 23:56:02.544 [opensc-pkcs11] pkcs15-sec.c:93:sc_pkcs15_decipher: called
0x7f0482b13700 23:56:02.544 [opensc-pkcs11] padding.c:273:sc_get_encoding_flags: called
0x7f0482b13700 23:56:02.544 [opensc-pkcs11] padding.c:277:sc_get_encoding_flags: iFlags 0x21, card capabilities 0xC0001FE2
0x7f0482b13700 23:56:02.544 [opensc-pkcs11] padding.c:298:sc_get_encoding_flags: raw encryption is not supported: -1408 (Not supported)
0x7f0482b13700 23:56:02.544 [opensc-pkcs11] pkcs15-sec.c:132:sc_pkcs15_decipher: cannot encode security operation flags: -1408 (Not supported)
0x7f0482b13700 23:56:02.544 [opensc-pkcs11] pkcs15-sec.c:415:sc_pkcs15_compute_signature: returning with: -1408 (Not supported)
0x7f0482b13700 23:56:02.544 [opensc-pkcs11] pkcs15-sec.c:310:sc_pkcs15_compute_signature: called
0x7f0482b13700 23:56:02.544 [opensc-pkcs11] pkcs15-sec.c:311:sc_pkcs15_compute_signature: security operation flags 0x22
0x7f0482b13700 23:56:02.544 [opensc-pkcs11] pkcs15-sec.c:393:sc_pkcs15_compute_signature: supported algorithm flags 0xC0001FE2, private key usage 0x224
0x7f0482b13700 23:56:02.544 [opensc-pkcs11] padding.c:232:sc_pkcs1_encode: called
0x7f0482b13700 23:56:02.544 [opensc-pkcs11] padding.c:236:sc_pkcs1_encode: hash algorithm 0x20, pad algorithm 0x2
0x7f0482b13700 23:56:02.544 [opensc-pkcs11] padding.c:259:sc_pkcs1_encode: returning with: 0 (Success)
0x7f0482b13700 23:56:02.544 [opensc-pkcs11] pkcs15-sec.c:93:sc_pkcs15_decipher: called
0x7f0482b13700 23:56:02.544 [opensc-pkcs11] padding.c:273:sc_get_encoding_flags: called
0x7f0482b13700 23:56:02.544 [opensc-pkcs11] padding.c:277:sc_get_encoding_flags: iFlags 0x21, card capabilities 0xC0001FE2
0x7f0482b13700 23:56:02.544 [opensc-pkcs11] padding.c:298:sc_get_encoding_flags: raw encryption is not supported: -1408 (Not supported)
0x7f0482b13700 23:56:02.544 [opensc-pkcs11] pkcs15-sec.c:132:sc_pkcs15_decipher: cannot encode security operation flags: -1408 (Not supported)
0x7f0482b13700 23:56:02.544 [opensc-pkcs11] pkcs15-sec.c:415:sc_pkcs15_compute_signature: returning with: -1408 (Not supported)
0x7f0482b13700 23:56:02.544 [opensc-pkcs11] card.c:402:sc_unlock: called
0x7f0482b13700 23:56:02.544 [opensc-pkcs11] reader-pcsc.c:554:pcsc_unlock: called
0x7f0482b13700 23:56:02.551 [opensc-pkcs11] framework-pkcs15.c:3430:pkcs15_prkey_sign: Sign complete. Result -1408.
0x7f0482b13700 23:56:02.551 [opensc-pkcs11] misc.c:61:sc_to_cryptoki_error_common: libopensc return value: -1408 (Not supported)
0x7f0482b13700 23:56:02.551 [opensc-pkcs11] mechanism.c:444:sc_pkcs11_signature_final: returning with: 84
0x7f0482b13700 23:56:02.551 [opensc-pkcs11] mechanism.c:309:sc_pkcs11_sign_final: returning with: 84
0x7f0482b13700 23:56:02.551 [opensc-pkcs11] pkcs11-object.c:683:C_Sign: C_Sign() = CKR_FUNCTION_NOT_SUPPORTED

I'm also willing to help. I have some (limited) experience with smartcards
and C code.

Thanks in advance.
Antonio.

From: Chris J A. <chr...@gm...> - 2013-02-16 21:36:04
On 02/16/2013 01:57 PM, Ludovic Rousseau wrote:
> 2013/2/15 Chris J Arges <chr...@gm...>:
>> On 02/15/2013 09:17 AM, Ludovic Rousseau wrote:
>>> 2013/2/15 Chris J Arges <chr...@gm...>:
>>>> On 02/15/2013 01:50 AM, Ludovic Rousseau wrote:
>>>
>>>>> What happens in the pcscd log when OpenSC reports SCARD_E_NO_SERVICE?
>>>>
>>>> Unfortunately I'm not sure how to relate the timestamps between logs. So
>>>> I re-ran and redirected everything into a single file. I've attached
>>>> this log.
>>>>
>>>> When OpenSC reports SCARD_E_NO_SERVICE (0x8010001d), there is no
>>>> activity from pcscd. However, I am sure it hasn't crashed as the process
>>>> is still running after I kill openvpn.
>>>
>>> Install the pcsc-tool package. And use the command pcsc_scan to list
>>> the connected readers. You can exit pcsc_scan using Ctrl-C
>>> After OpenSC reports SCARD_E_NO_SERVICE start pcsc_scan again to see
>>> if this application can contact pcscd.
>>>
>>>
>>> Also can you upgrade pcsc-lite from 1.7.4 to 1.8.6?
>>> You may be able to use the Ubuntu packages from raring [1]. Or at
>>> least try version 1.8.5 [2] from quantal.
>>> You will need to upgrade pcscd and libpcsclite1 packages.
>>>
>> Hi,
>> Yes this is what I originally did was to actually try and run everything
>> from Raring to test the latest versions; however I was unable to connect
>> to the OpenVPN server at all. With pcsc-lite 1.8.6, installed onto 12.04
>> I have the same issues. I'll attach a new log with this information.
>>
>> Here are the versions for the new log:
>> pcscd - Version: 1.8.6-3ubuntu1
>> pcsc-tools - Version: 1.4.18-1
>> libccid - Version: 1.4.5-1
>> libpcsclite1 - Version: 1.8.6-3ubuntu1
>> opensc - Version: 0.12.2-2ubuntu1
>> libp11-2 - Version: 0.2.8-2
>> libengine-pkcs11-openssl - Version: 0.1.8-2build1
>> openvpn - Version: 2.2.1-8ubuntu1
>> libpkcs11-helper1 - Version: 1.09-1
>>
>> I have also attached pcsc_scan(before|after) which show the output of
>> pcsc_scan before initiating the openvpn connection, and after. It is
>> identical.
>
> I can't find the SCARD_E_NO_SERVICE (0x8010001d) error in this log.
> Maybe you still have a problem but it should not be the same as before.
>
> Bye
>

Yes, when I use the original versions (1.7.4), I can connect to an
OpenVPN server, but after the first key renegotiation, I can no longer
connect. If I upgrade to 1.8.6, then I cannot connect to the OpenVPN
server at all. So the newer version could be introducing another issue.
I originally posted about this with the subject "Issues connecting to
OpenVPN with Smartcard", and have logs attached there.

Have you or anyone else been able to reproduce this issue? I'm not sure
if this is specific to my reader/smartcard or not. I followed directions
from here:
http://www.gooze.eu/howto/openvpn-with-smart-cards-crypto-tokens-howto

Thanks,
--chris

From: Ludovic R. <lud...@gm...> - 2013-02-16 19:57:45
2013/2/15 Chris J Arges <chr...@gm...>:
> On 02/15/2013 09:17 AM, Ludovic Rousseau wrote:
>> 2013/2/15 Chris J Arges <chr...@gm...>:
>>> On 02/15/2013 01:50 AM, Ludovic Rousseau wrote:
>>
>>>> What happens in the pcscd log when OpenSC reports SCARD_E_NO_SERVICE?
>>>
>>> Unfortunately I'm not sure how to relate the timestamps between logs. So
>>> I re-ran and redirected everything into a single file. I've attached
>>> this log.
>>>
>>> When OpenSC reports SCARD_E_NO_SERVICE (0x8010001d), there is no
>>> activity from pcscd. However, I am sure it hasn't crashed as the process
>>> is still running after I kill openvpn.
>>
>> Install the pcsc-tool package. And use the command pcsc_scan to list
>> the connected readers. You can exit pcsc_scan using Ctrl-C
>> After OpenSC reports SCARD_E_NO_SERVICE start pcsc_scan again to see
>> if this application can contact pcscd.
>>
>>
>> Also can you upgrade pcsc-lite from 1.7.4 to 1.8.6?
>> You may be able to use the Ubuntu packages from raring [1]. Or at
>> least try version 1.8.5 [2] from quantal.
>> You will need to upgrade pcscd and libpcsclite1 packages.
>>
> Hi,
> Yes this is what I originally did was to actually try and run everything
> from Raring to test the latest versions; however I was unable to connect
> to the OpenVPN server at all. With pcsc-lite 1.8.6, installed onto 12.04
> I have the same issues. I'll attach a new log with this information.
>
> Here are the versions for the new log:
> pcscd - Version: 1.8.6-3ubuntu1
> pcsc-tools - Version: 1.4.18-1
> libccid - Version: 1.4.5-1
> libpcsclite1 - Version: 1.8.6-3ubuntu1
> opensc - Version: 0.12.2-2ubuntu1
> libp11-2 - Version: 0.2.8-2
> libengine-pkcs11-openssl - Version: 0.1.8-2build1
> openvpn - Version: 2.2.1-8ubuntu1
> libpkcs11-helper1 - Version: 1.09-1
>
> I have also attached pcsc_scan(before|after) which show the output of
> pcsc_scan before initiating the openvpn connection, and after. It is
> identical.

I can't find the SCARD_E_NO_SERVICE (0x8010001d) error in this log.
Maybe you still have a problem but it should not be the same as before.

Bye

--
Dr. Ludovic Rousseau

From: Chris J A. <chr...@gm...> - 2013-02-15 20:25:51
On 02/15/2013 09:17 AM, Ludovic Rousseau wrote:
> 2013/2/15 Chris J Arges <chr...@gm...>:
>> On 02/15/2013 01:50 AM, Ludovic Rousseau wrote:
>
>>> What happens in the pcscd log when OpenSC reports SCARD_E_NO_SERVICE?
>>
>> Unfortunately I'm not sure how to relate the timestamps between logs. So
>> I re-ran and redirected everything into a single file. I've attached
>> this log.
>>
>> When OpenSC reports SCARD_E_NO_SERVICE (0x8010001d), there is no
>> activity from pcscd. However, I am sure it hasn't crashed as the process
>> is still running after I kill openvpn.
>
> Install the pcsc-tool package. And use the command pcsc_scan to list
> the connected readers. You can exit pcsc_scan using Ctrl-C
> After OpenSC reports SCARD_E_NO_SERVICE start pcsc_scan again to see
> if this application can contact pcscd.
>
>
> Also can you upgrade pcsc-lite from 1.7.4 to 1.8.6?
> You may be able to use the Ubuntu packages from raring [1]. Or at
> least try version 1.8.5 [2] from quantal.
> You will need to upgrade pcscd and libpcsclite1 packages.
>

Hi,
Yes this is what I originally did was to actually try and run everything
from Raring to test the latest versions; however I was unable to connect
to the OpenVPN server at all. With pcsc-lite 1.8.6, installed onto 12.04
I have the same issues. I'll attach a new log with this information.

Here are the versions for the new log:
pcscd - Version: 1.8.6-3ubuntu1
pcsc-tools - Version: 1.4.18-1
libccid - Version: 1.4.5-1
libpcsclite1 - Version: 1.8.6-3ubuntu1
opensc - Version: 0.12.2-2ubuntu1
libp11-2 - Version: 0.2.8-2
libengine-pkcs11-openssl - Version: 0.1.8-2build1
openvpn - Version: 2.2.1-8ubuntu1
libpkcs11-helper1 - Version: 1.09-1

I have also attached pcsc_scan(before|after) which show the output of
pcsc_scan before initiating the openvpn connection, and after. It is
identical.

Thanks,
--chris

From: Andreas S. (ML) <and...@ca...> - 2013-02-15 17:00:54
Dear Viktor,

the patch is attached to the pending pull request for CardContact/OpenSC.

Andreas

On 15.02.2013 15:31, Viktor Tarasov wrote:
> Hello,
>
> On Fri, Feb 15, 2013 at 2:41 PM, Andreas Schwier (ML)
> <and...@ca... <mailto:and...@ca...>> wrote:
>
>     while doing some regression testing we've come across a problem that
>     once working code broke apart immediately before the 0.13 release was
>     finished.
>
>     We traced the problem down to a code change introduced by the MyEID
>     ECDSA patch [1] that went into the 0.13 version as one of the very final
>     patches.
>
>     Even though the code change is valid, it breaks existing code, rendering
>     the ECDSA key generation for the SmartCard-HSM in the 0.13 release
>     pretty much useless.
>
> Sorry, for these problems.
>
>     Can we for the future agree, that we don't squeeze such a large code
>     change in right before doing a release ?
>
> Yes, in the future we'll be less hazardous.
>
> This release was not as like the others --
> first train after the long interruption of traffic: many passengers, new
> locomotive, equipage without experience, ...
>
>     We tested all the release candidates and they worked up and until the
>     very last patch.
>
>     Andreas
>
> Kind regards,
> Viktor.
>
>     [1] https://github.com/OpenSC/OpenSC/commit/457426543dfa02597895d57013dde94cc9e7d038

--
    ---------    CardContact Software & System Consulting
   |.##> <##.|   Andreas Schwier
   |#       #|   Schülerweg 38
   |#       #|   32429 Minden, Germany
   |'##> <##'|   Phone +49 571 56149
    ---------    http://www.cardcontact.de
                 http://www.tscons.de
                 http://www.openscdp.org

From: Ludovic R. <lud...@gm...> - 2013-02-15 16:20:01
|
Hello Martin,

The webpage at http://www.opensc-project.org/ just says: "It works!".

According to traceroute the website is hosted somewhere in .ee so I guess you (Martin) are not far from the server :-)

Martin, what are your plans regarding the domain name?
Can you replace the web home page to redirect to https://github.com/OpenSC/OpenSC/wiki/OpenSC-Services?

Thanks

2013/2/15 Andreas Schwier <and...@ca...>:
> Hi,
>
> under the URL http://www.opensc-project.org the server just displays a
> "It works!" message.
>
> The URL http://www.opensc.org doesn't show anything.
>
> Is that intentional ?
>
> I guess with dropping the website and stopping the mailing list we
> probably lost the last members of the community. I guess we need to
> improve the OpenSC marketing.
>
> Sigh...
>
> Andreas

--
Dr. Ludovic Rousseau
|
From: Ludovic R. <lud...@gm...> - 2013-02-15 15:18:14
|
2013/2/15 Chris J Arges <chr...@gm...>:
> On 02/15/2013 01:50 AM, Ludovic Rousseau wrote:
>> What happens in the pcscd log when OpenSC reports SCARD_E_NO_SERVICE?
>
> Unfortunately I'm not sure how to relate the timestamps between logs. So
> I re-ran and redirected everything into a single file. I've attached
> this log.
>
> When OpenSC reports SCARD_E_NO_SERVICE (0x8010001d), there is no
> activity from pcscd. However, I am sure it hasn't crashed as the process
> is still running after I kill openvpn.

Install the pcsc-tool package. And use the command pcsc_scan to list the connected readers. You can exit pcsc_scan using Ctrl-C.

After OpenSC reports SCARD_E_NO_SERVICE start pcsc_scan again to see if this application can contact pcscd.

Also can you upgrade pcsc-lite from 1.7.4 to 1.8.6? You may be able to use the Ubuntu packages from raring [1]. Or at least try version 1.8.5 [2] from quantal. You will need to upgrade pcscd and libpcsclite1 packages.

Bye,

[1] http://packages.ubuntu.com/raring/pcscd
[2] http://packages.ubuntu.com/quantal/pcscd

--
Dr. Ludovic Rousseau
|
From: Chris J A. <chr...@gm...> - 2013-02-15 14:55:49
|
On 02/15/2013 01:50 AM, Ludovic Rousseau wrote:
> 2013/2/15 Chris J Arges <chr...@gm...>:
>> On 02/14/2013 04:16 PM, Alon Bar-Lev wrote:
>>> I don't see an issue, you are being asked for PIN, this means that the
>>> card was found.
>>>
>>
>> In this part of the openvpn log you see it asks for the user PIN, and I
>> correctly enter the PIN. However it then gives a CKR_GENERAL_ERROR.
>>
>> Thu Feb 14 12:05:55 2013 us=249692 PKCS#11: pkcs11h_token_freeTokenId return
>> Thu Feb 14 12:05:55 2013 us=249697 PKCS#11: _pkcs11h_session_reset
>> return rv=0-'CKR_OK', *p_slot=1
>> Thu Feb 14 12:05:55 2013 us=249717 PKCS#11: Calling pin_prompt hook for
>> 'Client (User PIN)'
>> Thu Feb 14 12:05:59 2013 us=213357 PKCS#11: pin_prompt hook return rv=0
>> Thu Feb 14 12:05:59 2013 us=213669 PKCS#11: _pkcs11h_session_login
>> C_Login rv=5-'CKR_GENERAL_ERROR'
>>
>> If you look at the opensc log from the same time you see:
>>
>> 0x7fd535a83700 12:05:55.249 [opensc-pkcs11]
>> misc.c:136:session_start_operation: called
>> 0x7fd535a83700 12:05:55.249 [opensc-pkcs11]
>> misc.c:137:session_start_operation: Session 0x7fd537cf67c0, type 1
>> 0x7fd535a83700 12:05:55.249 [opensc-pkcs11]
>> pkcs11-object.c:594:C_SignInit: C_SignInit() = CKR_OK
>> 0x7fd535a83700 12:05:55.249 [opensc-pkcs11]
>> misc.c:158:session_get_operation: called
>> 0x7fd535a83700 12:05:55.249 [opensc-pkcs11]
>> misc.c:158:session_get_operation: called
>> 0x7fd535a83700 12:05:55.249 [opensc-pkcs11]
>> misc.c:158:session_get_operation: called
>> 0x7fd535a83700 12:05:55.249 [opensc-pkcs11]
>> framework-pkcs15.c:2630:pkcs15_prkey_sign: Initiating signing operation,
>> mechanism 0x1.
>> 0x7fd535a83700 12:05:55.249 [opensc-pkcs11] card.c:292:sc_lock: called
>> 0x7fd535a83700 12:05:55.249 [opensc-pkcs11] reader-pcsc.c:511:pcsc_lock:
>> called
>> 0x7fd535a83700 12:05:55.249 [opensc-pkcs11] reader-pcsc.c:538:pcsc_lock:
>> Gemalto GemPC Express 00 00:SCardBeginTransaction failed: 0x8010001d
>> 0x7fd535a83700 12:05:55.249 [opensc-pkcs11]
>> misc.c:59:sc_to_cryptoki_error_common: libopensc return value: -1101 (No
>> readers found)
>> 0x7fd535a83700 12:05:55.249 [opensc-pkcs11] pkcs11-object.c:635:C_Sign:
>> C_Sign() = CKR_GENERAL_ERROR
>>
>> So it tries to call sc_lock, but somewhere SCARD_E_NO_SERVICE is being
>> returned. And at this point the card reader and smartcard are in my
>> computer.
>
> SCARD_E_NO_SERVICE is returned when pcscd is not running (or has crashed).
> From your first log_pcscd.txt log file I can't find any crash of pcscd.
>
> What happens in the pcscd log when OpenSC reports SCARD_E_NO_SERVICE?
>

Unfortunately I'm not sure how to relate the timestamps between logs. So I re-ran and redirected everything into a single file. I've attached this log.

When OpenSC reports SCARD_E_NO_SERVICE (0x8010001d), there is no activity from pcscd. However, I am sure it hasn't crashed as the process is still running after I kill openvpn.

Thanks,
--chris
|
From: Andreas S. <and...@ca...> - 2013-02-15 14:36:25
|
Hi,

under the URL http://www.opensc-project.org the server just displays a "It works!" message.

The URL http://www.opensc.org doesn't show anything.

Is that intentional ?

I guess with dropping the website and stopping the mailing list we probably lost the last members of the community. I guess we need to improve the OpenSC marketing.

Sigh...

Andreas

--

    ---------    CardContact Software & System Consulting
   |.##> <##.|   Andreas Schwier
   |#       #|   Schülerweg 38
   |#       #|   32429 Minden, Germany
   |'##> <##'|   Phone +49 571 56149
    ---------    http://www.cardcontact.de
                 http://www.tscons.de
                 http://www.openscdp.org
|
From: Viktor T. <vik...@gm...> - 2013-02-15 14:31:12
|
Hello,

On Fri, Feb 15, 2013 at 2:41 PM, Andreas Schwier (ML) <and...@ca...> wrote:
> while doing some regression testing we've come across a problem that
> once working code broke apart immediately before the 0.13 release was
> finished.
>
> We traced the problem down to a code change introduced by the MyEID
> ECDSA patch [1] that went into the 0.13 version as one of the very final
> patches.
>
> Even though the code change is valid, it breaks existing code, rendering
> the ECDSA key generation for the SmartCard-HSM in the 0.13 release
> pretty much useless.
>

Sorry, for these problems.

>
> Can we for the future agree, that we don't squeeze such a large code
> change in right before doing a release ?
>

Yes, in the future we'll be less hazardous.

This release was not as like the others -- first train after the long interruption of traffic: many passengers, new locomotive, equipage without experience, ...

>
> We tested all the release candidates and they worked up and until the
> very last patch.
>
> Andreas
>

Kind regards,
Viktor.

>
> https://github.com/OpenSC/OpenSC/commit/457426543dfa02597895d57013dde94cc9e7d038
>
> --
>
>     ---------    CardContact Software & System Consulting
>    |.##> <##.|   Andreas Schwier
>    |#       #|   Schülerweg 38
>    |#       #|   32429 Minden, Germany
>    |'##> <##'|   Phone +49 571 56149
>     ---------    http://www.cardcontact.de
>                  http://www.tscons.de
>                  http://www.openscdp.org
|
From: Andreas S. (ML) <and...@ca...> - 2013-02-15 13:41:32
|
Hi all,

while doing some regression testing we've come across a problem that once working code broke apart immediately before the 0.13 release was finished.

We traced the problem down to a code change introduced by the MyEID ECDSA patch [1] that went into the 0.13 version as one of the very final patches.

Even though the code change is valid, it breaks existing code, rendering the ECDSA key generation for the SmartCard-HSM in the 0.13 release pretty much useless.

Can we for the future agree, that we don't squeeze such a large code change in right before doing a release ?

We tested all the release candidates and they worked up and until the very last patch.

Andreas

https://github.com/OpenSC/OpenSC/commit/457426543dfa02597895d57013dde94cc9e7d038

--

    ---------    CardContact Software & System Consulting
   |.##> <##.|   Andreas Schwier
   |#       #|   Schülerweg 38
   |#       #|   32429 Minden, Germany
   |'##> <##'|   Phone +49 571 56149
    ---------    http://www.cardcontact.de
                 http://www.tscons.de
                 http://www.openscdp.org
|
From: Frank M. <mo...@in...> - 2013-02-15 10:49:08
|
For cross compiling with mingw32 see this script
https://github.com/frankmorgner/vsmartcard/blob/master/npa/win32/Makefile.am#L33

You have two options:
1. configure opensc with PKG_CONFIG_LIBDIR pointing to the directory containing libcrypto.pc
2. configure opensc with the appropriate OPENSSL_CFLAGS and OPENSSL_LIBS

Pre compiled versions of OpenSC can be found here
http://sourceforge.net/projects/opensc/files/

Cheers, Frank.

PS. Could someone of the admins update these pointers:
https://github.com/OpenSC/OpenSC/wiki/Download-latest-OpenSC-stable-release

On Thursday, February 14 at 04:46PM, Krzysztof Rutecki wrote:
> Hi
>
> Since Monday I'm trying to compile libp11 and pkcs11_engine under mingw32. The problem is non standard openssl path and windows environment.
> I'm using pre-compiled openssl libs provided by libcurl (this one ). I've no problem with compile the software I'm working on but libp11 kick me down :(
>
> Q1: Which version is more accurate? Sourceforge or GitHub (that one need bootstrapping first, the first needs only configure to run)
> Q2: How to provide custom paths to `include` and `libs` (.a files or DLL of Openssl) for libp11 and pkcs11_engine to compile it?
>
> It's Windows app, heavy using libcurl and EVP. I need smartcard support for RSA crypto.
>
> Sorry if questions are dumb but all my skills failed. I'm not too familiar with autoconf unfortunately.
>
> Regards
> Chris

--
Frank Morgner

Virtual Smart Card Architecture http://vsmartcard.sourceforge.net
OpenPACE                        http://openpace.sourceforge.net
IFD Handler for libnfc Devices  http://sourceforge.net/projects/ifdnfc
|
From: Ludovic R. <lud...@gm...> - 2013-02-15 07:51:00
|
2013/2/15 Chris J Arges <chr...@gm...>:
> On 02/14/2013 04:16 PM, Alon Bar-Lev wrote:
>> I don't see an issue, you are being asked for PIN, this means that the
>> card was found.
>>
>
> In this part of the openvpn log you see it asks for the user PIN, and I
> correctly enter the PIN. However it then gives a CKR_GENERAL_ERROR.
>
> Thu Feb 14 12:05:55 2013 us=249692 PKCS#11: pkcs11h_token_freeTokenId return
> Thu Feb 14 12:05:55 2013 us=249697 PKCS#11: _pkcs11h_session_reset
> return rv=0-'CKR_OK', *p_slot=1
> Thu Feb 14 12:05:55 2013 us=249717 PKCS#11: Calling pin_prompt hook for
> 'Client (User PIN)'
> Thu Feb 14 12:05:59 2013 us=213357 PKCS#11: pin_prompt hook return rv=0
> Thu Feb 14 12:05:59 2013 us=213669 PKCS#11: _pkcs11h_session_login
> C_Login rv=5-'CKR_GENERAL_ERROR'
>
> If you look at the opensc log from the same time you see:
>
> 0x7fd535a83700 12:05:55.249 [opensc-pkcs11]
> misc.c:136:session_start_operation: called
> 0x7fd535a83700 12:05:55.249 [opensc-pkcs11]
> misc.c:137:session_start_operation: Session 0x7fd537cf67c0, type 1
> 0x7fd535a83700 12:05:55.249 [opensc-pkcs11]
> pkcs11-object.c:594:C_SignInit: C_SignInit() = CKR_OK
> 0x7fd535a83700 12:05:55.249 [opensc-pkcs11]
> misc.c:158:session_get_operation: called
> 0x7fd535a83700 12:05:55.249 [opensc-pkcs11]
> misc.c:158:session_get_operation: called
> 0x7fd535a83700 12:05:55.249 [opensc-pkcs11]
> misc.c:158:session_get_operation: called
> 0x7fd535a83700 12:05:55.249 [opensc-pkcs11]
> framework-pkcs15.c:2630:pkcs15_prkey_sign: Initiating signing operation,
> mechanism 0x1.
> 0x7fd535a83700 12:05:55.249 [opensc-pkcs11] card.c:292:sc_lock: called
> 0x7fd535a83700 12:05:55.249 [opensc-pkcs11] reader-pcsc.c:511:pcsc_lock:
> called
> 0x7fd535a83700 12:05:55.249 [opensc-pkcs11] reader-pcsc.c:538:pcsc_lock:
> Gemalto GemPC Express 00 00:SCardBeginTransaction failed: 0x8010001d
> 0x7fd535a83700 12:05:55.249 [opensc-pkcs11]
> misc.c:59:sc_to_cryptoki_error_common: libopensc return value: -1101 (No
> readers found)
> 0x7fd535a83700 12:05:55.249 [opensc-pkcs11] pkcs11-object.c:635:C_Sign:
> C_Sign() = CKR_GENERAL_ERROR
>
> So it tries to call sc_lock, but somewhere SCARD_E_NO_SERVICE is being
> returned. And at this point the card reader and smartcard are in my
> computer.

SCARD_E_NO_SERVICE is returned when pcscd is not running (or has crashed).
From your first log_pcscd.txt log file I can't find any crash of pcscd.

What happens in the pcscd log when OpenSC reports SCARD_E_NO_SERVICE?

Bye

--
Dr. Ludovic Rousseau
|
From: Ludovic R. <lud...@gm...> - 2013-02-15 07:39:46
|
---------- Forwarded message ----------
From: Ludovic Rousseau <lud...@gm...>
Date: 2013/2/13
Subject: Re: [Opensc-devel] OpenVPN, PKCS#11 and MacOSX
To: Hasso Tepper <has...@gm...>
Cc: OpenSC Development <ope...@li...>

2013/2/13 Alon Bar-Lev <alo...@gm...>:
> Hi,

Hello,

> Problem seems to be in pcsc-lite.

Exact.

> Call to pcsc_disconnect is not returning.
>
> Ludovic, can you please take a look?
> This happens after standard sequence of fork() usage with PKCS#11,
> child process should finalize and initialize PKCS#11.

I can reproduce the problem using the PC/SC Unitary Test SCard_fork.py [1].

After the fork the application should not do any PC/SC call in the son using the father PC/SC context. Otherwise the PC/SC calls in the father will be blocked.

It is a bug in Apple PC/SC. The same Unitary Test works fine on GNU/Linux with a recent PC/SC lite.

I don't know if the bug is easy to circumvent in OpenSC. OpenSC would have to detect the application has forked and forget about the PC/SC context in the son. This may be done only in C_Finalize() and only for Mac OS X.

Bye,

[1] http://anonscm.debian.org/viewvc/pcsclite/trunk/PCSC/UnitaryTests/SCard_fork.py?view=markup

--
Dr. Ludovic Rousseau
|
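
The fork detection described in the message above, as an added example that is not OpenSC code and not part of the original post: the module records which process established its reader context and, when finalizing in a forked child, forgets the inherited handle instead of releasing it through the resource manager. The `reader_ctx` struct, the `ctx_*` functions and the sample handle value are hypothetical; the integer handle stands in for a real PC/SC context.

```c
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Hypothetical stand-in for a module's PC/SC state (not OpenSC's structs). */
struct reader_ctx {
    long  handle;   /* placeholder for the resource-manager context */
    pid_t owner;    /* process that established the context */
    int   valid;
};

static void ctx_establish(struct reader_ctx *c, long handle)
{
    c->handle = handle;
    c->owner = getpid();
    c->valid = 1;
}

/* True when the context was inherited across fork(), not created here. */
static int ctx_is_inherited(const struct reader_ctx *c)
{
    return c->valid && c->owner != getpid();
}

/* Returns 1 if the handle may be released via the resource manager (owner),
 * 0 if it is only forgotten (forked child, or nothing left to release). */
static int ctx_finalize(struct reader_ctx *c)
{
    int released = c->valid && !ctx_is_inherited(c);
    c->handle = 0;
    c->valid = 0;
    return released;
}

/* Forks once; returns child_released * 10 + parent_released, -1 on error. */
static int demo_fork_finalize(void)
{
    struct reader_ctx c;
    int status;
    pid_t pid;
    ctx_establish(&c, 0x1234);        /* constructed sample handle */
    if ((pid = fork()) < 0)
        return -1;
    if (pid == 0)
        _exit(ctx_finalize(&c));      /* child: forget, never release */
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status) * 10 + ctx_finalize(&c);
}

int main(void) { return demo_fork_finalize() == 1 ? 0 : 1; }
```

A real module would call `SCardReleaseContext()` only on the path where `ctx_finalize()` returns 1, so the child never touches the parent's context.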