From: Chris J A. <chr...@gm...> - 2013-02-15 02:21:40
|
On 02/14/2013 04:16 PM, Alon Bar-Lev wrote:
> I don't see an issue, you are being asked for PIN, this means that the
> card was found.
>

In this part of the openvpn log you see it asks for the user PIN, and I
correctly enter the PIN. However it then gives a CKR_GENERAL_ERROR.

Thu Feb 14 12:05:55 2013 us=249692 PKCS#11: pkcs11h_token_freeTokenId return
Thu Feb 14 12:05:55 2013 us=249697 PKCS#11: _pkcs11h_session_reset return rv=0-'CKR_OK', *p_slot=1
Thu Feb 14 12:05:55 2013 us=249717 PKCS#11: Calling pin_prompt hook for 'Client (User PIN)'
Thu Feb 14 12:05:59 2013 us=213357 PKCS#11: pin_prompt hook return rv=0
Thu Feb 14 12:05:59 2013 us=213669 PKCS#11: _pkcs11h_session_login C_Login rv=5-'CKR_GENERAL_ERROR'

If you look at the opensc log from the same time you see:

0x7fd535a83700 12:05:55.249 [opensc-pkcs11] misc.c:136:session_start_operation: called
0x7fd535a83700 12:05:55.249 [opensc-pkcs11] misc.c:137:session_start_operation: Session 0x7fd537cf67c0, type 1
0x7fd535a83700 12:05:55.249 [opensc-pkcs11] pkcs11-object.c:594:C_SignInit: C_SignInit() = CKR_OK
0x7fd535a83700 12:05:55.249 [opensc-pkcs11] misc.c:158:session_get_operation: called
0x7fd535a83700 12:05:55.249 [opensc-pkcs11] misc.c:158:session_get_operation: called
0x7fd535a83700 12:05:55.249 [opensc-pkcs11] misc.c:158:session_get_operation: called
0x7fd535a83700 12:05:55.249 [opensc-pkcs11] framework-pkcs15.c:2630:pkcs15_prkey_sign: Initiating signing operation, mechanism 0x1.
0x7fd535a83700 12:05:55.249 [opensc-pkcs11] card.c:292:sc_lock: called
0x7fd535a83700 12:05:55.249 [opensc-pkcs11] reader-pcsc.c:511:pcsc_lock: called
0x7fd535a83700 12:05:55.249 [opensc-pkcs11] reader-pcsc.c:538:pcsc_lock: Gemalto GemPC Express 00 00:SCardBeginTransaction failed: 0x8010001d
0x7fd535a83700 12:05:55.249 [opensc-pkcs11] misc.c:59:sc_to_cryptoki_error_common: libopensc return value: -1101 (No readers found)
0x7fd535a83700 12:05:55.249 [opensc-pkcs11] pkcs11-object.c:635:C_Sign: C_Sign() = CKR_GENERAL_ERROR

So it tries to call sc_lock, but somewhere SCARD_E_NO_SERVICE is being
returned. And at this point the card reader and smartcard are in my
computer.

So I'm not sure where the problem lies, yes it asks for a PIN, but it does
so over and over again and never accepts it. Thus after the first data
channel key renegotiation it no longer works.

--chris

>
> On Fri, Feb 15, 2013 at 12:05 AM, Chris J Arges
> <chr...@gm... <mailto:chr...@gm...>> wrote:
>
> I'm having (another) issue using OpenVPN with a smartcard in Ubuntu
> 12.04. If I do a clean install with the following packages:
> pcscd pcsc-tools libccid libpcsclite1 opensc libp11-2
> libengine-pkcs11-openssl openvpn
>
> Then I try to connect to an OpenVPN server, I can connect. However
> whenever the data channel key is renegotiated the smartcard reader is
> not found. This can be easily reproduced by connecting to an openvpn
> server, making the client use a pkcs11 id, and setting reneg-sec to a
> short interval to reproduce the problem sooner.
>
> Here are the versions I am using currently:
> pcscd - Version: 1.7.4-2ubuntu2
> pcsc-tools - Version: 1.4.18-1
> libccid - Version: 1.4.5-1
> libpcsclite1 - Version: 1.7.4-2ubuntu2
> opensc - Version: 0.12.2-2ubuntu1
> libp11-2 - Version: 0.2.8-2
> libengine-pkcs11-openssl - Version: 0.1.8-2build1
> openvpn - Version: 2.2.1-8ubuntu1
> libpkcs11-helper1 - Version: 1.09-1
>
> I have attached logs with the issue.
> Let me know what else would be helpful to look at, or where I should
> file a bug.
>
> Thanks,
> --chris j arges
>
>
|
From: Alon Bar-L. <alo...@gm...> - 2013-02-14 22:16:27
|
I don't see an issue, you are being asked for PIN, this means that the
card was found.

On Fri, Feb 15, 2013 at 12:05 AM, Chris J Arges <chr...@gm...> wrote:

> I'm having (another) issue using OpenVPN with a smartcard in Ubuntu
> 12.04. If I do a clean install with the following packages:
> pcscd pcsc-tools libccid libpcsclite1 opensc libp11-2
> libengine-pkcs11-openssl openvpn
>
> Then I try to connect to an OpenVPN server, I can connect. However
> whenever the data channel key is renegotiated the smartcard reader is
> not found. This can be easily reproduced by connecting to an openvpn
> server, making the client use a pkcs11 id, and setting reneg-sec to a
> short interval to reproduce the problem sooner.
>
> Here are the versions I am using currently:
> pcscd - Version: 1.7.4-2ubuntu2
> pcsc-tools - Version: 1.4.18-1
> libccid - Version: 1.4.5-1
> libpcsclite1 - Version: 1.7.4-2ubuntu2
> opensc - Version: 0.12.2-2ubuntu1
> libp11-2 - Version: 0.2.8-2
> libengine-pkcs11-openssl - Version: 0.1.8-2build1
> openvpn - Version: 2.2.1-8ubuntu1
> libpkcs11-helper1 - Version: 1.09-1
>
> I have attached logs with the issue.
> Let me know what else would be helpful to look at, or where I should
> file a bug.
>
> Thanks,
> --chris j arges
>
|
From: Chris J A. <chr...@gm...> - 2013-02-14 22:05:50
|
I'm having (another) issue using OpenVPN with a smartcard in Ubuntu
12.04. If I do a clean install with the following packages:
pcscd pcsc-tools libccid libpcsclite1 opensc libp11-2
libengine-pkcs11-openssl openvpn

Then I try to connect to an OpenVPN server, I can connect. However
whenever the data channel key is renegotiated the smartcard reader is
not found. This can be easily reproduced by connecting to an openvpn
server, making the client use a pkcs11 id, and setting reneg-sec to a
short interval to reproduce the problem sooner.

Here are the versions I am using currently:
pcscd - Version: 1.7.4-2ubuntu2
pcsc-tools - Version: 1.4.18-1
libccid - Version: 1.4.5-1
libpcsclite1 - Version: 1.7.4-2ubuntu2
opensc - Version: 0.12.2-2ubuntu1
libp11-2 - Version: 0.2.8-2
libengine-pkcs11-openssl - Version: 0.1.8-2build1
openvpn - Version: 2.2.1-8ubuntu1
libpkcs11-helper1 - Version: 1.09-1

I have attached logs with the issue.
Let me know what else would be helpful to look at, or where I should
file a bug.

Thanks,
--chris j arges
|
From: Krzysztof R. <krz...@kr...> - 2013-02-14 16:03:53
|
Hi

Since Monday I'm trying to compile libp11 and pkcs11_engine under mingw32.
The problem is non standard openssl path and windows environment. I'm using
pre-compiled openssl libs provided by libcurl (this one). I've no problem
with compile the software I'm working on but libp11 kick me down :(

Q1: Which version is more accurate? Sourceforge or GitHub (that one need
bootstrapping first, the first needs only configure to run)

Q2: How to provide custom paths to `include` and `libs` (.a files or DLL of
Openssl) for libp11 and pkcs11_engine to compile it?

It's Windows app, heavy using libcurl and EVP. I need smartcard support for
RSA crypto.

Sorry if questions are dumb but all my skills failed. I'm not too familiar
with autoconf unfortunately.

Regards
Chris
|
From: Chris J A. <chr...@gm...> - 2013-02-13 16:22:42
|
On 02/13/2013 10:15 AM, Alon Bar-Lev wrote:
> Can you please attach the opensc debug log as well?
>

Attached is a log from a different run, but the results were the same. I
can recollect all logs if necessary.

Thanks,
--chris j arges

> On Wed, Feb 13, 2013 at 5:55 PM, Chris J Arges
> <chr...@gm...> wrote:
>> Hello,
>> I've been trying to connect to an OpenVPN server with the .p12 key
>> stored on my smartcard. I can connect to the OpenVPN server when not
>> using the smartcard. This worked previously on my Ubuntu 12.04 install,
>> but in 12.10 and 13.04 this is failing to work. When connecting it hangs
>> at the line:
>> PKCS#11: __pkcs11h_forkFixup entry pid=2475, activate_slotevent=1
>>
>> I'm not sure where the problem occurs, however it seems like somebody on
>> this mailing list, or Ludovic might be the person to ask. : )
>>
>> I'm using a gemalto PC express smartcard reader (08e6:34ec) with an
>> EnterSafe smartcard. According to the logs opensc-pkcs11 seems to think
>> that the card has been removed, even though I have never moved it from
>> the reader.
>> The versions I am currently running with are:
>> pcscd 1.8.8-1
>> libpcsclite1 1.8.8-1
>> pcsc-tools 1.4.21-1
>> libccid 1.4.9-1
>> opensc 0.12.2-2ubuntu2
>> libp11-2 0.2.8-2build1
>> libengine-pkcs11-openssl 0.1.8-2build1
>> openvpn 2.2.1-8ubuntu2
>>
>> I have attached a verbose log from openvpn with opensc debug output
>> printed to stdout. In addition I captured a pcscd log and attached it as
>> well. Finally, I've attached the openvpn conf file I've been using to
>> connect in case there is user error here. However, I know this
>> configuration works in older version of the software. I'd like to help
>> debug this as much as I can, so please let me know if this is a known
>> issue, or if there is software versions / patches I can test. Any clues
>> or places to look at in the code would be useful and I can try to debug
>> further.
>>
>> Thanks,
>> --chris j arges
>>
>> ------------------------------------------------------------------------------
>> Free Next-Gen Firewall Hardware Offer
>> Buy your Sophos next-gen firewall before the end March 2013
>> and get the hardware for free! Learn more.
>> http://p.sf.net/sfu/sophos-d2d-feb
>> _______________________________________________
>> Opensc-devel mailing list
>> Ope...@li...
>> https://lists.sourceforge.net/lists/listinfo/opensc-devel
>>
|
From: Alon Bar-L. <alo...@gm...> - 2013-02-13 16:15:26
|
Can you please attach the opensc debug log as well?

On Wed, Feb 13, 2013 at 5:55 PM, Chris J Arges
<chr...@gm...> wrote:
> Hello,
> I've been trying to connect to an OpenVPN server with the .p12 key
> stored on my smartcard. I can connect to the OpenVPN server when not
> using the smartcard. This worked previously on my Ubuntu 12.04 install,
> but in 12.10 and 13.04 this is failing to work. When connecting it hangs
> at the line:
> PKCS#11: __pkcs11h_forkFixup entry pid=2475, activate_slotevent=1
>
> I'm not sure where the problem occurs, however it seems like somebody on
> this mailing list, or Ludovic might be the person to ask. : )
>
> I'm using a gemalto PC express smartcard reader (08e6:34ec) with an
> EnterSafe smartcard. According to the logs opensc-pkcs11 seems to think
> that the card has been removed, even though I have never moved it from
> the reader.
> The versions I am currently running with are:
> pcscd 1.8.8-1
> libpcsclite1 1.8.8-1
> pcsc-tools 1.4.21-1
> libccid 1.4.9-1
> opensc 0.12.2-2ubuntu2
> libp11-2 0.2.8-2build1
> libengine-pkcs11-openssl 0.1.8-2build1
> openvpn 2.2.1-8ubuntu2
>
> I have attached a verbose log from openvpn with opensc debug output
> printed to stdout. In addition I captured a pcscd log and attached it as
> well. Finally, I've attached the openvpn conf file I've been using to
> connect in case there is user error here. However, I know this
> configuration works in older version of the software. I'd like to help
> debug this as much as I can, so please let me know if this is a known
> issue, or if there is software versions / patches I can test. Any clues
> or places to look at in the code would be useful and I can try to debug
> further.
>
> Thanks,
> --chris j arges
>
> ------------------------------------------------------------------------------
> Free Next-Gen Firewall Hardware Offer
> Buy your Sophos next-gen firewall before the end March 2013
> and get the hardware for free! Learn more.
> http://p.sf.net/sfu/sophos-d2d-feb
> _______________________________________________
> Opensc-devel mailing list
> Ope...@li...
> https://lists.sourceforge.net/lists/listinfo/opensc-devel
>
|
From: Chris J A. <chr...@gm...> - 2013-02-13 15:55:36
|
Hello,
I've been trying to connect to an OpenVPN server with the .p12 key
stored on my smartcard. I can connect to the OpenVPN server when not
using the smartcard. This worked previously on my Ubuntu 12.04 install,
but in 12.10 and 13.04 this is failing to work. When connecting it hangs
at the line:
PKCS#11: __pkcs11h_forkFixup entry pid=2475, activate_slotevent=1

I'm not sure where the problem occurs, however it seems like somebody on
this mailing list, or Ludovic might be the person to ask. : )

I'm using a gemalto PC express smartcard reader (08e6:34ec) with an
EnterSafe smartcard. According to the logs opensc-pkcs11 seems to think
that the card has been removed, even though I have never moved it from
the reader.
The versions I am currently running with are:
pcscd 1.8.8-1
libpcsclite1 1.8.8-1
pcsc-tools 1.4.21-1
libccid 1.4.9-1
opensc 0.12.2-2ubuntu2
libp11-2 0.2.8-2build1
libengine-pkcs11-openssl 0.1.8-2build1
openvpn 2.2.1-8ubuntu2

I have attached a verbose log from openvpn with opensc debug output
printed to stdout. In addition I captured a pcscd log and attached it as
well. Finally, I've attached the openvpn conf file I've been using to
connect in case there is user error here. However, I know this
configuration works in older version of the software. I'd like to help
debug this as much as I can, so please let me know if this is a known
issue, or if there is software versions / patches I can test. Any clues
or places to look at in the code would be useful and I can try to debug
further.

Thanks,
--chris j arges
|
From: Alon Bar-L. <alo...@gm...> - 2013-02-07 17:04:33
|
This is not the usual log... I cannot see option values, and I see
communications before any PKCS#11 call, and I do not see the PKCS#11
initialization...

But even with this data, please also provide full debug of opensc PKCS#11
log.

Thanks,
Alon

On Thu, Feb 7, 2013 at 10:49 AM, Hasso Tepper <has...@gm...> wrote:
> Alon Bar-Lev wrote:
>> Please send full debug log of openvpn.
>
> Attached.
>
>
> Thanks,
>
> --
> Hasso Tepper
|
From: Douglas E. E. <dee...@an...> - 2013-02-07 16:33:01
|
On 2/6/2013 9:44 PM, Galoh Haron wrote:
> Hello,
>
> In opensc0.12.2, this code works.
>
> sc_format_path (aid, &app);
> app.type = SC_PATH_TYPE_DF_NAME;
> r = sc_get_iso7816_driver()->ops->select_file( card, &app, NULL );
>
> the debug output is
> 00 A4 04 00 0A 50 4B 49 41 50 50 00 00 00 01 .....PKIAPP....
>
> how ever in opensc 0.13.0, the same code give output of
> 00 A4 04 0C 0A 50 4B 49 41 50 50 00 00 00 01 .....PKIAPP....
>
> with different in the 4th column. 00 ->0C.
>
> Any new way to handle the SC_PATH_TYPE_DF_NAME in opensc0.13.0

the 0.13.0 iso7816.c has:

465         if (file_out != NULL) {
466                 apdu.p2 = 0;            /* first record, return FCI */
467                 apdu.resp = buf;
468                 apdu.resplen = sizeof(buf);
469                 apdu.le = card->max_recv_size > 0 ? card->max_recv_size : 256;
470         }
471         else {
472                 apdu.p2 = 0x0C;         /* first record, return nothing */
473                 apdu.cse = (apdu.lc == 0) ? SC_APDU_CASE_1 : SC_APDU_CASE_3_SHORT;
474         }

line 472 is new in 0.13.0

p2=0C Is "RFU" in the 1995 ISO7816, but may be defined in a newer version.
The comment implies it is, and is the way to specify don't return anything.

A p2=00 is defined to return the FCI, but your code is passing NULL for
file_out, implying not to return anything.

So if your card can not handle p2=0c, provide a file_out parameter.

>
> Thank you
>
> ------------------------------------------------------------------------------
> Free Next-Gen Firewall Hardware Offer
> Buy your Sophos next-gen firewall before the end March 2013
> and get the hardware for free! Learn more.
> http://p.sf.net/sfu/sophos-d2d-feb
> _______________________________________________
> Opensc-devel mailing list
> Ope...@li...
> https://lists.sourceforge.net/lists/listinfo/opensc-devel
>

--
Douglas E. Engert <DEE...@an...>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
|
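The P2 change discussed in this reply, as an added example (not code from OpenSC or from the posters): it parses the two SELECT dumps quoted in the thread and decodes P2 using the bit layout of ISO/IEC 7816-4:2005, where bits b4b3 = 11 mean no response data when Le is absent. The function and type names are hypothetical.

```c
/* Added example: decode the two SELECT command APDUs quoted in the thread. */
#include <stdio.h>
#include <stddef.h>
#include <string.h>

/* SELECT P2 fields as laid out in ISO/IEC 7816-4:2005 (bits b4b3 and b2b1). */
enum select_return { RET_FCI = 0, RET_FCP = 1, RET_FMD = 2, RET_NONE = 3 };
enum select_occurrence { OCC_FIRST = 0, OCC_LAST = 1, OCC_NEXT = 2, OCC_PREVIOUS = 3 };

struct select_apdu {
    unsigned char cla, ins, p1, p2;
    size_t lc;                    /* length of the command data field */
    const unsigned char *data;    /* points into the caller's buffer */
    int has_le;                   /* 1 if an Le byte follows the data */
    enum select_return ret;
    enum select_occurrence occ;
};

/* The two dumps from the thread, copied byte for byte. */
static const unsigned char APDU_0_12_2[] = {
    0x00, 0xA4, 0x04, 0x00, 0x0A,
    0x50, 0x4B, 0x49, 0x41, 0x50, 0x50, 0x00, 0x00, 0x00, 0x01 };
static const unsigned char APDU_0_13_0[] = {
    0x00, 0xA4, 0x04, 0x0C, 0x0A,
    0x50, 0x4B, 0x49, 0x41, 0x50, 0x50, 0x00, 0x00, 0x00, 0x01 };

/* Parse a short-length SELECT command. Returns 0 on success, -1 otherwise. */
int parse_select(const unsigned char *buf, size_t len, struct select_apdu *out)
{
    if (buf == NULL || out == NULL || len < 4 || buf[1] != 0xA4)
        return -1;
    if (buf[3] & 0xF0)            /* b8..b5 of P2 are zero in these codings */
        return -1;
    memset(out, 0, sizeof(*out));
    out->cla = buf[0]; out->ins = buf[1]; out->p1 = buf[2]; out->p2 = buf[3];
    if (len == 5) {               /* case 2: header + Le */
        out->has_le = 1;
    } else if (len > 5) {         /* case 3 or 4: header + Lc + data [+ Le] */
        out->lc = buf[4];
        if (out->lc == 0)         /* extended length is not handled here */
            return -1;
        if (len == 5 + out->lc + 1)
            out->has_le = 1;
        else if (len != 5 + out->lc)
            return -1;            /* Lc disagrees with the buffer length */
        out->data = buf + 5;
    }
    out->ret = (enum select_return)((out->p2 >> 2) & 0x03);
    out->occ = (enum select_occurrence)(out->p2 & 0x03);
    return 0;
}

/* P2 as chosen by the 0.13.0 lines quoted above: it depends on file_out only. */
unsigned char p2_for_select(int have_file_out)
{
    return have_file_out ? 0x00 : 0x0C;
}

/* RET_NONE means "no response data" only when Le is absent. */
const char *return_name(enum select_return r)
{
    switch (r) {
    case RET_FCI:  return "return FCI template";
    case RET_FCP:  return "return FCP template";
    case RET_FMD:  return "return FMD template";
    default:       return "no response data";
    }
}

static void show(const char *label, const unsigned char *buf, size_t len)
{
    struct select_apdu a;
    if (parse_select(buf, len, &a) != 0) {
        printf("%s: not a short SELECT APDU\n", label);
        return;
    }
    printf("%s: P1=%02X%s P2=%02X (%s) Lc=%zu Le %s\n", label, a.p1,
           a.p1 == 0x04 ? " (select by DF name)" : "", a.p2,
           return_name(a.ret), a.lc, a.has_le ? "present" : "absent");
}

int main(void)
{
    show("0.12.2", APDU_0_12_2, sizeof(APDU_0_12_2));
    show("0.13.0", APDU_0_13_0, sizeof(APDU_0_13_0));
    return 0;
}
```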
From: Andreas S. (ML) <and...@ca...> - 2013-02-07 14:29:26
|
Hi list,

to satisfy enhanced key management requirements, we've added a n-of-m
threshold scheme to the sc-hsm-tool.

Using this scheme you can place the SmartCard-HSM's Device Key Encryption
Key under sole control of m key custodians from which n can together
reconstruct the secret key.

The scheme provides for even better security than the DKEK share mechanism
already available in the 0.13 version. Under the new scheme, a lost share
does not mean a complete loss of the secret key. A lost share just reduces
the number of available key custodians and has no impact on the DKEK unless
less than n share are left available.

The code is available in our repository at GITHUB [1] and a pull request
has been created to move the code into the OpenSC master branch.

Kind regards,

Andreas

[1] https://github.com/CardContact/OpenSC

--

    ---------    CardContact Software & System Consulting
   |.##> <##.|   Andreas Schwier
   |#       #|   Schülerweg 38
   |#       #|   32429 Minden, Germany
   |'##> <##'|   Phone +49 571 56149
    ---------    http://www.cardcontact.de
                 http://www.tscons.de
                 http://www.openscdp.org
|
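An added illustration of the n-of-m property described in this announcement, not code from sc-hsm-tool: the post does not name the construction, so this assumes Shamir's secret sharing over GF(2^8), one standard threshold scheme. Function names, the 16-byte stand-in secret and the 3-of-5 parameters are constructed for the example.

```c
/* Added example: n-of-m sharing of a key, assuming Shamir over GF(2^8). */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Multiply in GF(2^8) modulo x^8+x^4+x^3+x+1 (0x11B). Not constant-time. */
static uint8_t gf_mul(uint8_t a, uint8_t b)
{
    uint8_t r = 0;
    while (b) {
        if (b & 1) r ^= a;
        a = (uint8_t)((a << 1) ^ ((a & 0x80) ? 0x1B : 0));
        b >>= 1;
    }
    return r;
}

/* Inverse as a^254, since a^255 = 1 for every non-zero field element. */
static uint8_t gf_inv(uint8_t a)
{
    uint8_t r = 1;
    for (int i = 0; i < 254; i++) r = gf_mul(r, a);
    return r;
}

/*
 * Split secret[len] into m shares, any n of which recover it.
 * rnd holds (n-1)*len bytes from a CSPRNG: coefficient k of byte i is
 * rnd[(k-1)*len + i]. Share j (x = j+1) is written to shares + j*len.
 */
int shamir_split(const uint8_t *secret, size_t len, int n, int m,
                 const uint8_t *rnd, uint8_t *shares)
{
    if (n < 2 || m < n || m > 255) return -1;
    for (int j = 0; j < m; j++) {
        uint8_t x = (uint8_t)(j + 1);
        for (size_t i = 0; i < len; i++) {
            uint8_t acc = 0;      /* Horner evaluation of the polynomial at x */
            for (int k = n - 1; k >= 1; k--)
                acc = (uint8_t)(gf_mul(acc, x) ^ rnd[(size_t)(k - 1) * len + i]);
            shares[(size_t)j * len + i] = (uint8_t)(gf_mul(acc, x) ^ secret[i]);
        }
    }
    return 0;
}

/*
 * Lagrange interpolation at x = 0 from k shares. xs[j] is the x value of the
 * share stored at ys + j*len. With fewer than n shares the output is wrong.
 */
int shamir_combine(const uint8_t *xs, const uint8_t *ys, int k, size_t len,
                   uint8_t *out)
{
    if (k < 1) return -1;
    memset(out, 0, len);
    for (int j = 0; j < k; j++) {
        uint8_t num = 1, den = 1;
        for (int i = 0; i < k; i++) {
            if (i == j) continue;
            if (xs[i] == xs[j] || xs[i] == 0) return -1;  /* duplicate or bad x */
            num = gf_mul(num, xs[i]);
            den = gf_mul(den, (uint8_t)(xs[i] ^ xs[j]));
        }
        uint8_t w = gf_mul(num, gf_inv(den));
        for (size_t b = 0; b < len; b++)
            out[b] ^= gf_mul(ys[(size_t)j * len + b], w);
    }
    return 0;
}

int main(void)
{
    /* Constructed 16-byte stand-in for a key; not a real DKEK. */
    uint8_t secret[16], rnd[2 * 16], shares[5 * 16], ys[3 * 16], out[16];
    const uint8_t xs[3] = { 2, 4, 5 };      /* the custodians who show up */
    FILE *f = fopen("/dev/urandom", "rb");

    for (int i = 0; i < 16; i++) secret[i] = (uint8_t)(0xA0 + i);
    if (!f || fread(rnd, 1, sizeof(rnd), f) != sizeof(rnd)) return 1;
    fclose(f);
    if (shamir_split(secret, 16, 3, 5, rnd, shares) != 0) return 1;
    for (int j = 0; j < 3; j++)
        memcpy(ys + j * 16, shares + (xs[j] - 1) * 16, 16);
    if (shamir_combine(xs, ys, 3, 16, out) != 0) return 1;
    printf("3 of 5 shares recover the secret: %s\n",
           memcmp(out, secret, 16) == 0 ? "yes" : "no");
    return 0;
}
```

Losing shares 1 and 3 here still leaves three custodians, which is the case the announcement describes; with only two shares the interpolation returns a different value.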
From: Hasso T. <has...@gm...> - 2013-02-07 08:50:10
|
Alon Bar-Lev wrote:
> Please send full debug log of openvpn.

Attached.


Thanks,

--
Hasso Tepper
|
From: Alon Bar-L. <alo...@gm...> - 2013-02-07 06:17:39
|
Please send full debug log of openvpn.
Thanks.

On Wed, Feb 6, 2013 at 10:37 PM, Hasso Tepper <has...@gm...> wrote:
> Hi,
>
> There have been many reports from MacOSX users during last years that
> PKCS#11 support in OpenVPN is broken for them. The problem seems to be
> related to forking (using execve()) and PKCS#11. Following post
> describes the situation well:
>
> http://www.gooze.eu/forums/support/feitian-epass-with-openvpn-tunnelblick
>
> PKCS#11 support is started, PIN is asked etc, during first execve()
> (ifconfig tun0 delete) PKCS#11 system seems to be reinitialised and
> from second execve() (ifconfig tun0 <address>...) it doesn't return. The
> last line from pcscd log is "Client failed to authenticate".
>
> Avoiding fork at all seems to be a workaround. OpenVPN 2.2 can be forced
> to use system() instead of execve() and it solves the problem.
> Unfortunately support for system() is removed from 2.3.
>
> Now, the question is what exactly is wrong? The very same conf works
> with Linux/BSD. I suspect that it's something to do with old smartcard
> related stuff in MacOSX (pcsc-lite 1.4.0, ccid 1.3.11), but ... I also
> found out that there have been reports from users who are not using
> opensc (but using Aladdin eToken Pro for example) and PKCS#11 support in
> OpenVPN works fine for them. So, I suspect it's something opensc can fix.
>
>
> Regards,
>
> --
> Hasso Tepper
>
> ------------------------------------------------------------------------------
> Free Next-Gen Firewall Hardware Offer
> Buy your Sophos next-gen firewall before the end March 2013
> and get the hardware for free! Learn more.
> http://p.sf.net/sfu/sophos-d2d-feb
> _______________________________________________
> Opensc-devel mailing list
> Ope...@li...
> https://lists.sourceforge.net/lists/listinfo/opensc-devel
|
From: Galoh H. <gr...@gm...> - 2013-02-07 03:44:10
|
Hello,

In opensc0.12.2, this code works.

sc_format_path (aid, &app);
app.type = SC_PATH_TYPE_DF_NAME;
r = sc_get_iso7816_driver()->ops->select_file( card, &app, NULL );

the debug output is
00 A4 04 00 0A 50 4B 49 41 50 50 00 00 00 01 .....PKIAPP....

however in opensc 0.13.0, the same code gives output of
00 A4 04 0C 0A 50 4B 49 41 50 50 00 00 00 01 .....PKIAPP....

with a difference in the 4th column. 00 ->0C.

Any new way to handle the SC_PATH_TYPE_DF_NAME in opensc0.13.0

Thank you
|
From: Hasso T. <has...@gm...> - 2013-02-06 20:37:19
|
Hi,

There have been many reports from MacOSX users during last years that
PKCS#11 support in OpenVPN is broken for them. The problem seems to be
related to forking (using execve()) and PKCS#11. Following post
describes the situation well:

http://www.gooze.eu/forums/support/feitian-epass-with-openvpn-tunnelblick

PKCS#11 support is started, PIN is asked etc, during first execve()
(ifconfig tun0 delete) PKCS#11 system seems to be reinitialised and
from second execve() (ifconfig tun0 <address>...) it doesn't return. The
last line from pcscd log is "Client failed to authenticate".

Avoiding fork at all seems to be a workaround. OpenVPN 2.2 can be forced
to use system() instead of execve() and it solves the problem.
Unfortunately support for system() is removed from 2.3.

Now, the question is what exactly is wrong? The very same conf works
with Linux/BSD. I suspect that it's something to do with old smartcard
related stuff in MacOSX (pcsc-lite 1.4.0, ccid 1.3.11), but ... I also
found out that there have been reports from users who are not using
opensc (but using Aladdin eToken Pro for example) and PKCS#11 support in
OpenVPN works fine for them. So, I suspect it's something opensc can fix.


Regards,

--
Hasso Tepper
|
From: Douglas E. E. <dee...@an...> - 2013-01-29 19:47:12
|
On 1/29/2013 12:22 PM, Danilo Nicolò wrote:
> Hi,
>
> I'm trying to develop in OpenSC project and I modified opensc-tool.c
> I added a code block and in this code there is "int res = sc_load_foo(s);"
> The function sc_load is declared in /src/libopensc/opensc.h (int sc_load_foo(char *);) and is implemented in /src/libopensc/card.c

It is? Are you saying you added the function sc_load_foo?
What version are you using. I don't see it in 0.12.3 or 0.13

> When I try to compile project I get this error :
> "*undefined reference to 'sc_load_foo(s)'*" in opensc-tool.c
> But in opensc-tool.c there is the line #include "libopensc/opensc.h" and in card.c there is #include "internal.h"
> and in internal.h there is #include "libopensc/opensc.h"
> Why when I try to do make I get this error?
> Anyone can help me?

If you added this function to the library, you need to update the
libopensc.exports file too.

>
> Regards,
>
> Danilo
>
>
> ------------------------------------------------------------------------------
> Master Visual Studio, SharePoint, SQL, ASP.NET, C# 2012, HTML5, CSS,
> MVC, Windows 8 Apps, JavaScript and much more. Keep your skills current
> with LearnDevNow - 3,200 step-by-step video tutorials by Microsoft
> MVPs and experts. ON SALE this month only -- learn more at:
> http://p.sf.net/sfu/learnnow-d2d
>
>
>
> _______________________________________________
> Opensc-devel mailing list
> Ope...@li...
> https://lists.sourceforge.net/lists/listinfo/opensc-devel
>

--
Douglas E. Engert <DEE...@an...>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
|
From: Danilo N. <dan...@gm...> - 2013-01-29 18:22:57
|
Hi,

I'm trying to develop in OpenSC project and I modified opensc-tool.c
I added a code block and in this code there is "int res = sc_load_foo(s);"
The function sc_load is declared in /src/libopensc/opensc.h (int sc_load_foo(char *);) and is implemented in /src/libopensc/card.c
When I try to compile project I get this error :
"*undefined reference to 'sc_load_foo(s)'*" in opensc-tool.c
But in opensc-tool.c there is the line #include "libopensc/opensc.h" and in card.c there is #include "internal.h"
and in internal.h there is #include "libopensc/opensc.h"
Why when I try to do make I get this error?
Anyone can help me?

Regards,

Danilo
|
From: Ramon G. <ram...@na...> - 2013-01-25 18:49:24
|
So I tried from the github source and from the tar.gz on source forge. The
tar.gz file is the one I am trying to build from. Not sure how to build the
github version.

And I also have removed and reinstalled the libtool package from brew:

HOST:src$ brew install libtool
Error: libtool-2.4.2 already installed

--
Ramon Gonzalez

On 1/25/13 8:10 AM, "Ludovic Rousseau" <lud...@gm...> wrote:

>2013/1/24 Ramon Gonzalez <ram...@na...>:
>> HOST:libp11-0.2.8$ sudo ./configure
>
>NEVER, never run ./configure as root.
>
>And do not run 'make' as root either. Only 'make install' may need to
>be run as root.
>
>
>> checking for lt_dlopen in -lltdl... no
>> configure: error: ltdl not found, please install libltdl and/or libtool
>
>I do not have this line but:
>checking for dlopen in -ldl... yes
>
>I am using libp11 from github [1]
>On my Mountain Lion system it is installed in /usr/lib/libdl.dylib
>
>I also checked using libp11-0.2.8 from Sourceforge [2] and I do not
>have the problem either. But I have:
>checking for lt_dlopen in -lltdl... yes
>
>And /usr/local/lib/libltdl.dylib is provided by libtool-2.4.2
>installed by homebrew [3].
>
>It looks like Apple distributed a limited/truncated version of libtool.
>
>Bye
>
>[1] https://github.com/OpenSC/libp11
>[2] http://sourceforge.net/projects/opensc/files/libp11/
>[3] http://mxcl.github.com/homebrew/
>
>--
> Dr. Ludovic Rousseau
|
From: Ludovic R. <lud...@gm...> - 2013-01-25 13:10:39
|
2013/1/24 Ramon Gonzalez <ram...@na...>:
> HOST:libp11-0.2.8$ sudo ./configure

NEVER, never run ./configure as root.

And do not run 'make' as root either. Only 'make install' may need to
be run as root.

> checking for lt_dlopen in -lltdl... no
> configure: error: ltdl not found, please install libltdl and/or libtool

I do not have this line but:
checking for dlopen in -ldl... yes

I am using libp11 from github [1]
On my Mountain Lion system it is installed in /usr/lib/libdl.dylib

I also checked using libp11-0.2.8 from Sourceforge [2] and I do not
have the problem either. But I have:
checking for lt_dlopen in -lltdl... yes

And /usr/local/lib/libltdl.dylib is provided by libtool-2.4.2
installed by homebrew [3].

It looks like Apple distributed a limited/truncated version of libtool.

Bye

[1] https://github.com/OpenSC/libp11
[2] http://sourceforge.net/projects/opensc/files/libp11/
[3] http://mxcl.github.com/homebrew/

--
Dr. Ludovic Rousseau
|
From: Ludovic R. <lud...@gm...> - 2013-01-25 12:55:08
|
2013/1/24 Steve Beaty <dr...@gm...>:
>
> On Jan 24, 2013, at 5:22 AM, Andreas Jellinghaus wrote:
>
>> If you use the release *.tar.gz file, you don't need to ./bootstrap
>> it. Instead simple run configure, everything you need should be
>> included already.
>
> Thanks! What I ended up doing is downloading newer versions of autoconf-2.69, automake-1.13, and libtool-2.4 as I couldn't find a configure file in the stand-alone engine_pkcs11 git clone or zip file. I see the configure in the .tar.gz for OpenSC, but don't see the engine_pkcs11 nor libp11 in there. Am I approaching this the wrong way?

What you did is correct.
I just modified the ./bootstrap script to create the m4 directory if needed.

You can also get a complete archive (including the ./configure script) at
https://sourceforge.net/projects/opensc/files/engine_pkcs11/

Sourceforge.net is the official place to get archives of the OpenSC project.

Bye

--
Dr. Ludovic Rousseau
|
From: Ramon G. <ram...@na...> - 2013-01-24 23:16:03
|
HOST:libp11-0.2.8$ sudo ./configure
checking for a BSD-compatible install... /usr/bin/install -c
checking whether build environment is sane... yes
checking for a thread-safe mkdir -p... ./install-sh -c -d
checking for gawk... gawk
checking whether make sets $(MAKE)... yes
checking build system type... x86_64-apple-darwin12.1.0
checking host system type... x86_64-apple-darwin12.1.0
checking for gcc... gcc
checking whether the C compiler works... yes
checking for C compiler default output file name... a.out
checking for suffix of executables...
checking whether we are cross compiling... no
checking for suffix of object files... o
checking whether we are using the GNU C compiler... yes
checking whether gcc accepts -g... yes
checking for gcc option to accept ISO C89... none needed
checking for style of include used by make... GNU
checking dependency style of gcc... gcc3
checking for pkg-config... /opt/local/bin/pkg-config
checking pkg-config is at least version 0.9.0... yes
checking how to run the C preprocessor... gcc -E
checking for grep that handles long lines and -e... /opt/local/bin/grep
checking for egrep... /opt/local/bin/grep -E
checking for ANSI C header files... yes
checking for sys/types.h... yes
checking for sys/stat.h... yes
checking for stdlib.h... yes
checking for string.h... yes
checking for memory.h... yes
checking for strings.h... yes
checking for inttypes.h... yes
checking for stdint.h... yes
checking for unistd.h... yes
checking whether byte ordering is bigendian... no
checking svn checkout... no
checking how to run the C preprocessor... gcc -E
checking whether ln -s works... yes
checking for a sed that does not truncate output... /usr/bin/sed
checking whether make sets $(MAKE)... (cached) yes
checking for a sed that does not truncate output... (cached) /usr/bin/sed
checking for fgrep... /opt/local/bin/grep -F
checking for ld used by gcc... /usr/llvm-gcc-4.2/libexec/gcc/i686-apple-darwin11/4.2.1/ld
checking if the linker (/usr/llvm-gcc-4.2/libexec/gcc/i686-apple-darwin11/4.2.1/ld) is GNU ld... no
checking for BSD- or MS-compatible name lister (nm)... /usr/bin/nm
checking the name lister (/usr/bin/nm) interface... BSD nm
checking the maximum length of command line arguments... 196608
checking whether the shell understands some XSI constructs... yes
checking whether the shell understands "+="... yes
checking for /usr/llvm-gcc-4.2/libexec/gcc/i686-apple-darwin11/4.2.1/ld option to reload object files... -r
checking for objdump... no
checking how to recognize dependent libraries... pass_all
checking for ar... ar
checking for strip... strip
checking for ranlib... ranlib
checking command to parse /usr/bin/nm output from gcc object... ok
checking for dsymutil... dsymutil
checking for nmedit... nmedit
checking for lipo... lipo
checking for otool... otool
checking for otool64... no
checking for -single_module linker flag... yes
checking for -exported_symbols_list linker flag... yes
checking for dlfcn.h... yes
checking for objdir... .libs
checking if gcc supports -fno-rtti -fno-exceptions... no
checking for gcc option to produce PIC... -fno-common -DPIC
checking if gcc PIC flag -fno-common -DPIC works... yes
checking if gcc static flag -static works... no
checking if gcc supports -c -o file.o... yes
checking if gcc supports -c -o file.o... (cached) yes
checking whether the gcc linker (/usr/llvm-gcc-4.2/libexec/gcc/i686-apple-darwin11/4.2.1/ld) supports shared libraries... yes
checking dynamic linker characteristics... darwin12.1.0 dyld
checking how to hardcode library paths into programs... immediate
checking whether stripping libraries is possible... yes
checking if libtool supports shared libraries... yes
checking whether to build shared libraries... yes
checking whether to build static libraries... yes
checking for windres... no
checking for ANSI C header files... (cached) yes
checking for sys/wait.h that is POSIX.1 compatible... yes
checking errno.h usability... yes
checking errno.h presence... yes
checking for errno.h... yes
checking fcntl.h usability... yes
checking fcntl.h presence... yes
checking for fcntl.h... yes
checking malloc.h usability... no
checking malloc.h presence... no
checking for malloc.h... no
checking for stdlib.h... (cached) yes
checking for inttypes.h... (cached) yes
checking for string.h... (cached) yes
checking for strings.h... (cached) yes
checking sys/time.h usability... yes
checking sys/time.h presence... yes
checking for sys/time.h... yes
checking for unistd.h... (cached) yes
checking locale.h usability... yes
checking locale.h presence... yes
checking for locale.h... yes
checking getopt.h usability... yes
checking getopt.h presence... yes
checking for getopt.h... yes
checking for dlfcn.h... (cached) yes
checking utmp.h usability... yes
checking utmp.h presence... yes
checking for utmp.h... yes
checking for doxygen... no
checking for xsltproc... xsltproc
checking for svn... svn
checking for wget... no
checking for tr... tr
checking for lt_dlopen in -lltdl... no
configure: error: ltdl not found, please install libltdl and/or libtool

I have libtool install though:

HOST:libp11-0.2.8$ libtool -V
Apple Inc. version cctools-836

Any guidance would be greatly appreciated.

--
Ramon Gonzalez
|
From: Steve B. <dr...@gm...> - 2013-01-24 13:48:35
|
On Jan 24, 2013, at 5:22 AM, Andreas Jellinghaus wrote:

> If you use the release *.tar.gz file, you don't need to ./bootstrap
> it. Instead simply run configure, everything you need should be
> included already.

Thanks! What I ended up doing is downloading newer versions of autoconf-2.69, automake-1.13, and libtool-2.4 as I couldn't find a configure file in the stand-alone engine_pkcs11 git clone or zip file. I see the configure in the .tar.gz for OpenSC, but don't see the engine_pkcs11 nor libp11 in there. Am I approaching this the wrong way?

Thanks,

-------------------------------
Steve Beaty | dr...@gm...
www.k336.org | steve.k336.org
-----------------------------
|
From: Andreas J. <an...@io...> - 2013-01-24 12:22:16
|
If you use the release *.tar.gz file, you don't need to ./bootstrap it. Instead simply run configure, everything you need should be included already.

Good luck,
Andreas

2013/1/23 Steve Beaty <dr...@gm...>:
> Hi all,
>
> I'm trying to build a TinyCA2 and openssl certificate authority using a SafeNet LunaPCI HSM on CentOS 5.8. The directions I've found online suggest using libp11 and engine_pkcs11. I have openssl and libp11 built, but engine_pkcs isn't configuring properly. First I made an empty 'm4' directory that seems to be necessary:
> -----
> [root@localhost engine_pkcs11]# ./bootstrap
> + test -f Makefile
> + rm -rf '*~' autom4te.cache aclocal.m4 config.guess config.log
> config.status config.sub depcomp ltmain.sh
> + autoreconf --verbose --install --force
> autoreconf: Entering directory `.'
> autoreconf: configure.ac: not using Gettext
> autoreconf: running: aclocal --force -I m4
> aclocal: error: couldn't open directory 'm4': No such file or directory
> autoreconf: aclocal failed with exit status: 1
> [root@localhost engine_pkcs11]# mkdir m4
> -----
> Now, I get the following error:
> -----
> [root@localhost engine_pkcs11]# ./bootstrap
>
> ...
>
> aclocal.m4:235: AC_LIBTOOL_SETUP is expanded from...
> aclocal.m4:90: _AC_PROG_LIBTOOL is expanded from...
> aclocal.m4:70: AC_PROG_LIBTOOL is expanded from...
> configure.ac:115: the top level
> configure.ac:11: error: possibly undefined macro: AM_CONFIG_HEADER
> If this token and others are legitimate, please use m4_pattern_allow.
> See the Autoconf documentation.
> autoreconf: /usr/bin/autoconf failed with exit status: 1
> -----
> I have installed a recent auto(re)conf:
> -----
> [root@localhost engine_pkcs11]# autoreconf --version
> autoreconf (GNU Autoconf) 2.69
> Copyright (C) 2012 Free Software Foundation, Inc.
> License GPLv3+/Autoconf: GNU GPL version 3 or later
> <http://gnu.org/licenses/gpl.html>,
> <http://gnu.org/licenses/exceptions.html>
> This is free software: you are free to change and redistribute it.
> There is NO WARRANTY, to the extent permitted by law.
>
> Written by David J. MacKenzie and Akim Demaille.
> -----
>
> Any pointers for me? Has anyone else built a CA using my approximate hw/sw configuration? Many thanks,
>
> -------------------------------
> Steve Beaty | dr...@gm...
> www.k336.org | steve.k336.org
> -----------------------------
|
From: Alon Bar-L. <alo...@gm...> - 2013-01-24 09:17:46
|
The problem is that udev was hijacked by systemd developers!
The solution is to remove systemd from the world.
There should not be any dependency between a low-level component such as udev and the init.d system.
I moved to the eudev project and am happy.

Alon

On Thu, Jan 24, 2013 at 11:10 AM, Anton <wa...@mt...> wrote:
> Seems the problem is explained here:
>
> http://blog.fraggod.net/2012/06/16/proper-ish-way-to-start-long-running-systemd-service-on-udev-event-device-hotplug.html
>
> So package openct needs to have new udev rules because RUN+=... no longer works well and needs to have service files to
> work with systemd.
>
>
> On Wed, 23 Jan 2013 15:13:13 +0700
> Anton <wa...@mt...> wrote:
>
>> I was using eToken PRO 64K mostly with no problem for several years. Now after moving to systemd in Archlinux I get very
>> unusable openct. I believe that the problem is in openct. Problem looks like:
>>
>> After starting openct first time all works fine. After removing token from USB and then plug it back it works only
>> about 8-10 seconds. After that "openct list" shows nothing and ifdhandler died. "/etc/rc.d/openct restart" helps but I
>> can not do it every time :). B.t.w. "/etc/rc.d/openct" has to be a systemctl script but there is no one.
>>
>> I have several archlinux installations. Two of them have moved to systemd and others are still on initscripts. Both
>> "systemd" systems have this issue with ifdhandler death but "initscripts" systems work fine. All systems are
>> up-to-date and regularly updated.
>>
>> How can I make openct work stably on systemd?
>>
>>
>> --
>> Anton [WARM-RIPE]
>> MT NOC division head
>> tel. 8 (3822) 555-797
>
>
> --
> Anton [WARM-RIPE]
> MT NOC division head
> tel. 8 (3822) 555-797
|
From: Anton <wa...@mt...> - 2013-01-24 09:10:55
|
Seems the problem is explained here:

http://blog.fraggod.net/2012/06/16/proper-ish-way-to-start-long-running-systemd-service-on-udev-event-device-hotplug.html

So package openct needs to have new udev rules because RUN+=... no longer works well and needs to have service files to work with systemd.

On Wed, 23 Jan 2013 15:13:13 +0700
Anton <wa...@mt...> wrote:

> I was using eToken PRO 64K mostly with no problem for several years. Now after moving to systemd in Archlinux I get very
> unusable openct. I believe that the problem is in openct. Problem looks like:
>
> After starting openct first time all works fine. After removing token from USB and then plug it back it works only
> about 8-10 seconds. After that "openct list" shows nothing and ifdhandler died. "/etc/rc.d/openct restart" helps but I
> can not do it every time :). B.t.w. "/etc/rc.d/openct" has to be a systemctl script but there is no one.
>
> I have several archlinux installations. Two of them have moved to systemd and others are still on initscripts. Both
> "systemd" systems have this issue with ifdhandler death but "initscripts" systems work fine. All systems are
> up-to-date and regularly updated.
>
> How can I make openct work stably on systemd?
>
>
> --
> Anton [WARM-RIPE]
> MT NOC division head
> tel. 8 (3822) 555-797

--
Anton [WARM-RIPE]
MT NOC division head
tel. 8 (3822) 555-797
|
From: Steve B. <dr...@gm...> - 2013-01-23 20:16:10
|
Hi all,

I'm trying to build a TinyCA2 and openssl certificate authority using a SafeNet LunaPCI HSM on CentOS 5.8. The directions I've found online suggest using libp11 and engine_pkcs11. I have openssl and libp11 built, but engine_pkcs isn't configuring properly. First I made an empty 'm4' directory that seems to be necessary:
-----
[root@localhost engine_pkcs11]# ./bootstrap
+ test -f Makefile
+ rm -rf '*~' autom4te.cache aclocal.m4 config.guess config.log config.status config.sub depcomp ltmain.sh
+ autoreconf --verbose --install --force
autoreconf: Entering directory `.'
autoreconf: configure.ac: not using Gettext
autoreconf: running: aclocal --force -I m4
aclocal: error: couldn't open directory 'm4': No such file or directory
autoreconf: aclocal failed with exit status: 1
[root@localhost engine_pkcs11]# mkdir m4
-----
Now, I get the following error:
-----
[root@localhost engine_pkcs11]# ./bootstrap

...

aclocal.m4:235: AC_LIBTOOL_SETUP is expanded from...
aclocal.m4:90: _AC_PROG_LIBTOOL is expanded from...
aclocal.m4:70: AC_PROG_LIBTOOL is expanded from...
configure.ac:115: the top level
configure.ac:11: error: possibly undefined macro: AM_CONFIG_HEADER
If this token and others are legitimate, please use m4_pattern_allow.
See the Autoconf documentation.
autoreconf: /usr/bin/autoconf failed with exit status: 1
-----
I have installed a recent auto(re)conf:
-----
[root@localhost engine_pkcs11]# autoreconf --version
autoreconf (GNU Autoconf) 2.69
Copyright (C) 2012 Free Software Foundation, Inc.
License GPLv3+/Autoconf: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>, <http://gnu.org/licenses/exceptions.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.

Written by David J. MacKenzie and Akim Demaille.
-----

Any pointers for me? Has anyone else built a CA using my approximate hw/sw configuration? Many thanks,

-------------------------------
Steve Beaty | dr...@gm...
www.k336.org | steve.k336.org
-----------------------------
|