From: Viktor T. <vik...@gm...> - 2016-04-22 09:15:13

Seems that it's working now.

On Thu, Apr 21, 2016 at 11:57 PM, Douglas E Engert <dee...@gm...> wrote:
> It appears that AppVeyor is having problems loading zlib. See:
>
> https://ci.appveyor.com/project/LudovicRousseau/opensc/build/0.16.0.595/job/65tmhvbcns2grosi
>
> Error downloading file: Unable to connect to the remote server
>
> 7-Zip [64] 9.20  Copyright (c) 1999-2010 Igor Pavlov  2010-11-18
>
> Error:
> cannot find archive
> Rename-Item : Cannot rename because item at 'c:\zlib-1.2.8' does not exist.
> At line:11 char:3
> +   Rename-Item -path "c:\zlib-${env:ZLIB_VER_DOT}" -newName "zlib"
> +   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>     + CategoryInfo          : InvalidOperation: (:) [Rename-Item], PSInvalidOperationException
>     + FullyQualifiedErrorId : InvalidOperation,Microsoft.PowerShell.Commands.RenameItemCommand
>
> Command executed with exception: Cannot rename because item at 'c:\zlib-1.2.8' does not exist.
>
> --
> Douglas E. Engert <DEE...@gm...>
>
> _______________________________________________
> Opensc-devel mailing list
> Ope...@li...
> https://lists.sourceforge.net/lists/listinfo/opensc-devel
From: Douglas E E. <dee...@gm...> - 2016-04-21 21:57:25

It appears that AppVeyor is having problems loading zlib. See:

https://ci.appveyor.com/project/LudovicRousseau/opensc/build/0.16.0.595/job/65tmhvbcns2grosi

Error downloading file: Unable to connect to the remote server

7-Zip [64] 9.20  Copyright (c) 1999-2010 Igor Pavlov  2010-11-18

Error:
cannot find archive
Rename-Item : Cannot rename because item at 'c:\zlib-1.2.8' does not exist.
At line:11 char:3
+   Rename-Item -path "c:\zlib-${env:ZLIB_VER_DOT}" -newName "zlib"
+   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidOperation: (:) [Rename-Item], PSInvalidOperationException
    + FullyQualifiedErrorId : InvalidOperation,Microsoft.PowerShell.Commands.RenameItemCommand

Command executed with exception: Cannot rename because item at 'c:\zlib-1.2.8' does not exist.

--
Douglas E. Engert <DEE...@gm...>
From: Frank M. <mo...@in...> - 2016-04-19 22:18:08

Sorry, this unfortunately does not contain any useful information.

Greets, Frank.

On Tuesday, April 19 at 07:09PM, Claudio Felix wrote:
> Hi,
>
> Some time ago I bought a card in an online store to store digital certificates for e-CPF or e-CNPJ, which are respectively like a taxpayer identifier for people and companies. I don't have the e-mail from the store anymore, but I remember something about JCOP and Java Card. Although it seems still unsupported in OpenSC, it looks supported in PC/SC, since pcsc_scan outputs the following information when the card gets inserted:
>
> Reader 0: CASTLES EZ100PU 00 00
>   Card state: Card inserted,
>   ATR: 3B 6A 00 FF 4A 43 4F 50 32 31 56 32 33 31
>
> ATR: 3B 6A 00 FF 4A 43 4F 50 32 31 56 32 33 31
> + TS = 3B --> Direct Convention
> + T0 = 6A, Y(1): 0110, K: 10 (historical bytes)
>   TB(1) = 00 --> VPP is not electrically connected
>   TC(1) = FF --> Extra guard time: 255 (special value)
> + Historical bytes: 4A 43 4F 50 32 31 56 32 33 31
>   Category indicator byte: 4A (proprietary format)
>
> Possibly identified card (using /usr/share/pcsc/smartcard_list.txt):
> 3B 6A 00 FF 4A 43 4F 50 32 31 56 32 33 31
>         JCOP21 v2.3 Standard
>
> Hope this helps getting the card supported.
>
> Thank you,
>
> Claudio

--
Frank Morgner

Virtual Smart Card Architecture   http://vsmartcard.sourceforge.net
OpenPACE                          http://openpace.sourceforge.net
IFD Handler for libnfc Devices    http://sourceforge.net/projects/ifdnfc
From: Claudio F. <fel...@gm...> - 2016-04-19 22:09:31

Hi,

Some time ago I bought a card in an online store to store digital certificates for e-CPF or e-CNPJ, which are respectively like a taxpayer identifier for people and companies. I don't have the e-mail from the store anymore, but I remember something about JCOP and Java Card. Although it seems still unsupported in OpenSC, it looks supported in PC/SC, since pcsc_scan outputs the following information when the card gets inserted:

Reader 0: CASTLES EZ100PU 00 00
  Card state: Card inserted,
  ATR: 3B 6A 00 FF 4A 43 4F 50 32 31 56 32 33 31

ATR: 3B 6A 00 FF 4A 43 4F 50 32 31 56 32 33 31
+ TS = 3B --> Direct Convention
+ T0 = 6A, Y(1): 0110, K: 10 (historical bytes)
  TB(1) = 00 --> VPP is not electrically connected
  TC(1) = FF --> Extra guard time: 255 (special value)
+ Historical bytes: 4A 43 4F 50 32 31 56 32 33 31
  Category indicator byte: 4A (proprietary format)

Possibly identified card (using /usr/share/pcsc/smartcard_list.txt):
3B 6A 00 FF 4A 43 4F 50 32 31 56 32 33 31
        JCOP21 v2.3 Standard

Hope this helps getting the card supported.

Thank you,

Claudio
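The decoded ATR in the pcsc_scan output above follows ISO/IEC 7816-3: TS selects the bit convention, the high nibble of T0 says which of TA1/TB1/TC1/TD1 follow and its low nibble K gives the number of historical bytes, each TD byte names a protocol and chains to the next group of interface bytes, and a TCK check byte closes the ATR whenever a protocol other than T=0 was offered. As an added example (not code from this thread, from OpenSC or from pcsc-tools), the parser below performs that decoding from the raw bytes and refuses malformed input instead of reading past it, which matters because every length field comes from the card. JCOP_ATR is the ATR from the message; the second ATR is constructed here to exercise the TD chain and the TCK byte; the class, function and field names are this example's own.

```python
"""Decode an ISO/IEC 7816-3 Answer To Reset (ATR), as pcsc_scan does above.

Added example, not code from the thread, OpenSC or pcsc-tools.  JCOP_ATR is
the ATR Claudio's pcsc_scan printed; CONTACTLESS_ATR is constructed here to
exercise TD bytes and the TCK check byte.  All names are this example's own.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Atr:
    convention: str                                # "direct" (3B) or "inverse" (3F)
    interface: dict = field(default_factory=dict)  # e.g. {"TB1": 0x00, "TC1": 0xFF}
    protocols: list = field(default_factory=list)  # T values from the TD bytes, in order
    historical: bytes = b""                        # the K historical bytes
    tck: Optional[int] = None                      # check byte, present only if some T != 0
    tck_ok: Optional[bool] = None                  # None when no TCK is expected


def parse_atr(raw: bytes) -> Atr:
    """Walk TS, T0, the TA/TB/TC/TD chain, the historical bytes and TCK.

    Every length comes from the card, so each step bounds-checks before
    indexing: a card may announce K=10 and then deliver fewer bytes.
    """
    if len(raw) < 2:
        raise ValueError("ATR shorter than TS + T0")
    if raw[0] == 0x3B:
        atr = Atr(convention="direct")
    elif raw[0] == 0x3F:
        atr = Atr(convention="inverse")
    else:
        raise ValueError("bad TS byte 0x%02X" % raw[0])

    t0 = raw[1]
    k = t0 & 0x0F      # low nibble: number of historical bytes
    y = t0 >> 4        # high nibble: presence bits for TA1, TB1, TC1, TD1
    pos, i = 2, 1
    while True:
        for bit, name in ((1, "TA"), (2, "TB"), (4, "TC"), (8, "TD")):
            if y & bit:
                if pos >= len(raw):
                    raise ValueError("ATR truncated before %s%d" % (name, i))
                atr.interface["%s%d" % (name, i)] = raw[pos]
                pos += 1
        td = atr.interface.get("TD%d" % i)
        if td is None:
            break
        atr.protocols.append(td & 0x0F)  # low nibble of TDi: protocol T
        y = td >> 4                      # high nibble: presence bits for group i+1
        i += 1

    atr.historical = raw[pos:pos + k]
    if len(atr.historical) != k:
        raise ValueError("ATR truncated inside the %d historical bytes" % k)
    pos += k

    # TCK exists only when some TD byte offered a protocol other than T=0;
    # T0 through TCK inclusive must XOR to zero.
    if any(t != 0 for t in atr.protocols):
        if pos >= len(raw):
            raise ValueError("ATR truncated before TCK")
        atr.tck = raw[pos]
        xor = 0
        for b in raw[1:pos + 1]:
            xor ^= b
        atr.tck_ok = xor == 0
        pos += 1

    if pos != len(raw):
        raise ValueError("%d trailing byte(s) after the ATR" % (len(raw) - pos))
    return atr


def describe(atr: Atr) -> list:
    """Human-readable notes in the spirit of pcsc_scan's output."""
    notes = ["TS: %s convention" % atr.convention]
    if "TB1" in atr.interface:
        tb1 = atr.interface["TB1"]
        notes.append("TB1 = %02X: VPP %s" % (tb1, "is not electrically connected" if tb1 == 0 else "programming voltage indicated"))
    if "TC1" in atr.interface:
        tc1 = atr.interface["TC1"]
        notes.append("TC1 = %02X: extra guard time %d%s" % (tc1, tc1, " (special value)" if tc1 == 0xFF else ""))
    notes.append("protocols offered: " + (", ".join("T=%d" % t for t in atr.protocols) or "T=0 only (no TD1)"))
    if atr.historical:
        cat = atr.historical[0]
        fmt = {0x00: "status indicator format", 0x10: "DIR data reference", 0x80: "COMPACT-TLV format"}.get(cat, "proprietary format")
        notes.append("historical bytes: %s (category indicator %02X, %s)" % (hexs(atr.historical), cat, fmt))
        notes.append("historical bytes as text: %r" % "".join(chr(b) if 0x20 <= b < 0x7F else "." for b in atr.historical))
    if atr.tck is not None:
        notes.append("TCK = %02X: %s" % (atr.tck, "ok" if atr.tck_ok else "MISMATCH"))
    return notes


def hexs(data: bytes) -> str:
    return " ".join("%02X" % b for b in data)


# ATR from Claudio's pcsc_scan output (JCOP21 v2.3 Standard).
JCOP_ATR = bytes.fromhex("3B 6A 00 FF 4A 43 4F 50 32 31 56 32 33 31")
# Constructed here: PC/SC-style contactless ATR with TD1, TD2 (T=0, T=1) and a TCK.
CONTACTLESS_ATR = bytes.fromhex("3B 8F 80 01 80 4F 0C A0 00 00 03 06 03 00 01 00 00 00 00 6A")

if __name__ == "__main__":
    for label, raw in (("JCOP", JCOP_ATR), ("contactless", CONTACTLESS_ATR)):
        print(label, hexs(raw))
        for line in describe(parse_atr(raw)):
            print("  " + line)
```

Running the module reproduces what pcsc_scan reported for the JCOP card (direct convention, TB1 = 00, TC1 = FF as the special value, ten historical bytes with a proprietary category indicator) and shows that the historical bytes spell JCOP21V231 in ASCII, consistent with the smartcard_list.txt entry. A truncated ATR, or one whose TCK does not check, is reported rather than decoded as if it were valid.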
From: Douglas E E. <dee...@gm...> - 2016-04-19 19:20:37

P.S. Libp11 will also need changes, as p11_key.c also tries to access the internals of the RSA structure.

OpenSSL announced today: OpenSSL version 1.1.0 pre release 5 (beta)

Building OpenSC-0.16.0 from git, with my https://github.com/OpenSC/OpenSC/pull/717 that compiled with OpenSSL-1.1.0-pre4, now shows 117 errors in 13 files.

Between pre4 and pre5 OpenSSL has now hidden the internals of the RSA structure. One can no longer reference via a pointer the BIGNUM for n, e, d, p, q, dmp1, dmq1 or iqmp. One must use these routines:

int RSA_set0_key(RSA *r, BIGNUM *n, BIGNUM *e, BIGNUM *d);
int RSA_set0_factors(RSA *r, BIGNUM *p, BIGNUM *q);
int RSA_set0_crt_params(RSA *r, BIGNUM *dmp1, BIGNUM *dmq1, BIGNUM *iqmp);
void RSA_get0_key(const RSA *r, BIGNUM **n, BIGNUM **e, BIGNUM **d);
void RSA_get0_factors(const RSA *r, BIGNUM **p, BIGNUM **q);
void RSA_get0_crt_params(const RSA *r, BIGNUM **dmp1, BIGNUM **dmq1, BIGNUM **iqmp);
void RSA_clear_flags(RSA *r, int flags);
int RSA_test_flags(const RSA *r, int flags);
void RSA_set_flags(RSA *r, int flags);

I have started looking at the changes that will be needed to PR #717. These are the routines that need to be modified:

pkcs15init.c
pkcs15-westcos.c
pkcs15-prkey.c
pkcs15-pubkey.c
card-westcos.c
cwa14890.c
cwa-dnie.c
piv-tool.c
pkcs15-tool.c
p15card-helper.c
westcos-tool.c
cryptoflex-tool.c
pkcs15-tool.c

--
Douglas E. Engert <DEE...@gm...>
From: Douglas E E. <dee...@gm...> - 2016-04-19 19:17:36

OpenSSL announced today: OpenSSL version 1.1.0 pre release 5 (beta)

Building OpenSC-0.16.0 from git, with my https://github.com/OpenSC/OpenSC/pull/717 that compiled with OpenSSL-1.1.0-pre4, now shows 117 errors in 13 files.

Between pre4 and pre5 OpenSSL has now hidden the internals of the RSA structure. One can no longer reference via a pointer the BIGNUM for n, e, d, p, q, dmp1, dmq1 or iqmp. One must use these routines:

int RSA_set0_key(RSA *r, BIGNUM *n, BIGNUM *e, BIGNUM *d);
int RSA_set0_factors(RSA *r, BIGNUM *p, BIGNUM *q);
int RSA_set0_crt_params(RSA *r, BIGNUM *dmp1, BIGNUM *dmq1, BIGNUM *iqmp);
void RSA_get0_key(const RSA *r, BIGNUM **n, BIGNUM **e, BIGNUM **d);
void RSA_get0_factors(const RSA *r, BIGNUM **p, BIGNUM **q);
void RSA_get0_crt_params(const RSA *r, BIGNUM **dmp1, BIGNUM **dmq1, BIGNUM **iqmp);
void RSA_clear_flags(RSA *r, int flags);
int RSA_test_flags(const RSA *r, int flags);
void RSA_set_flags(RSA *r, int flags);

I have started looking at the changes that will be needed to PR #717. These are the routines that need to be modified:

pkcs15init.c
pkcs15-westcos.c
pkcs15-prkey.c
pkcs15-pubkey.c
card-westcos.c
cwa14890.c
cwa-dnie.c
piv-tool.c
pkcs15-tool.c
p15card-helper.c
westcos-tool.c
cryptoflex-tool.c
pkcs15-tool.c

--
Douglas E. Engert <DEE...@gm...>
From: Andreas S. <and...@ca...> - 2016-04-19 12:19:13

Dear Przemysław,

if you register at the CardContact Developers Network, you can download the SDK [1]. It contains a class DKEK.js which can be used to decrypt and dump the key blob.

Andreas

[1] https://devnet.cardcontact.de/attachments/download/55/sc-hsm-workspace-20160229.zip

On 04/19/2016 02:03 PM, Ogorzalek, Przemyslaw wrote:
> Hello,
>
> I wonder if it's possible to decrypt a wrapped RSA private key downloaded from a smartcard? The key was generated and obtained by the following set of commands:
>
> sc-hsm-tool --create-dkek-share dkek/dkek-share-1.pbe
> sc-hsm-tool --create-dkek-share dkek/dkek-share-2.pbe
>
> sc-hsm-tool --initialize --dkek-shares 2
> sc-hsm-tool --import-dkek-share dkek/dkek-share-1.pbe
> sc-hsm-tool --import-dkek-share dkek/dkek-share-2.pbe
> pkcs11-tool -l --pin 123456 --keypairgen --key-type rsa:2048 --id 11 --usage-sign
> sc-hsm-tool --wrap-key wrap-key.bin --key-reference 1
>
> I know how to upload the key to a new card, but what if I want to change the technology stack and stop using smartcards in the future? Is there any way to re-encrypt the RSA key to store it in a file protected simply by a passphrase?
>
> Assume that I have both DKEK key shares and corresponding passwords, and I can perform the whole process in a designated secure room.
>
> I have also asked this question on superuser.com: http://superuser.com/questions/1066719/how-to-retrieve-rsa-private-key-from-wrapped-key-blob
> So if you can answer my question, the reputation is yours to get :)
>
> Best regards,
> Przemysław Ogorzałek

--
   ---------    CardContact Systems GmbH
  |.##> <##.|   Schülerweg 38
  |#       #|   D-32429 Minden, Germany
  |#       #|   Phone +49 571 56149
  |'##> <##'|   http://www.cardcontact.de
   ---------    Commercial register: Bad Oeynhausen HRB 14880
                Managing director: Andreas Schwier
From: Ogorzalek, P. <prz...@wi...> - 2016-04-19 12:06:21

Hello,

I wonder if it's possible to decrypt a wrapped RSA private key downloaded from a smartcard? The key was generated and obtained by the following set of commands:

sc-hsm-tool --create-dkek-share dkek/dkek-share-1.pbe
sc-hsm-tool --create-dkek-share dkek/dkek-share-2.pbe

sc-hsm-tool --initialize --dkek-shares 2
sc-hsm-tool --import-dkek-share dkek/dkek-share-1.pbe
sc-hsm-tool --import-dkek-share dkek/dkek-share-2.pbe
pkcs11-tool -l --pin 123456 --keypairgen --key-type rsa:2048 --id 11 --usage-sign
sc-hsm-tool --wrap-key wrap-key.bin --key-reference 1

I know how to upload the key to a new card, but what if I want to change the technology stack and stop using smartcards in the future? Is there any way to re-encrypt the RSA key to store it in a file protected simply by a passphrase?

Assume that I have both DKEK key shares and corresponding passwords, and I can perform the whole process in a designated secure room.

I have also asked this question on superuser.com: http://superuser.com/questions/1066719/how-to-retrieve-rsa-private-key-from-wrapped-key-blob
So if you can answer my question, the reputation is yours to get :)

Best regards,
Przemysław Ogorzałek
From: Cornelius K. <cor...@ne...> - 2016-04-18 07:24:55

Hi Andreas,

that is totally true. Usually the public key does not need to reside on my HW device, and it cannot if I think of classical applications like message encryption, where the encrypting party does not have my hardware device, of course.

But it may be a bit different with the SmartCard-HSM. I want to use the SmartCard-HSM (or the Nitrokey HSM) to do server-side encryption, i.e. I want to encrypt information in the database. The server will encrypt incoming or changing data with the public key, and decrypt data read from the database. And as the smartcard is connected, I could easily use the key from the smartcard also to encrypt the data.

Well, now I need to add a dependency on a 2nd external RSA lib. It is OK, I understand the reason. I know I will not change OpenSC here. ;-) But it is a bit disillusioning.

Anyway, thanks a lot for your response, fix and background information.

Kind regards
Cornelius

On Monday, 18.04.2016 at 08:47 +0200, Andreas Schwier wrote:
> Hi Cornelius,
>
> yes, that is what I'm saying: no support for public key operations in OpenSC. The reason is that OpenSC is a PKCS#11 interface to access private keys on a hardware device; it's not a fully-fledged crypto library. Typically public key operations don't require the token and are performed using a software crypto library. There are very few applications where public and private key operations are performed on the same system (e.g. local disk encryption).
>
> Andreas
>
> On 04/16/2016 02:22 PM, Cornelius Kölbel wrote:
>> Hello Andreas,
>>
>> thanks for the clarification and the pull request.
>>
>> OpenSC does not provide public key operations? So you're telling me that running C_EncryptInit/C_Encrypt will not work, a.k.a. raise a NotImplemented exception?
>>
>> Kind regards
>> Cornelius
>>
>> On Saturday, 16.04.2016 at 13:37 +0200, Andreas Schwier wrote:
>>> Dear Cornelius,
>>>
>>> I can confirm that this is a bug.
>>>
>>> A patch is available on Github [1].
>>>
>>> The reason why this wasn't spotted before is that the flag does not really have any relevance, as OpenSC does not provide for public key operations anyway. So the only use case for the public key object is to extract the public key value, i.e. to place that in a certificate.
>>>
>>> Andreas
>>>
>>> [1] https://github.com/OpenSC/OpenSC/pull/734
>>>
>>> On 04/16/2016 10:36 AM, Cornelius Kölbel wrote:
>>>> Hi Andreas,
>>>>
>>>> I compiled 0.15 and used it the way shown below. It still looks the same. (Maybe I didn't use it correctly)
>>>>
>>>> But it still looks the same. When I list all objects, the public key (12) does not have the key usage "encrypt".
>>>>
>>>> Kind regards
>>>> Cornelius
>>>>
>>>> /usr/local/bin/pkcs11-tool --module /usr/local/lib/opensc-pkcs11.so -l --keypairgen --key-type rsa:2048 --id 12
>>>> Using slot 1 with a present token (0x1)
>>>> Logging in to "SmartCard-HSM (UserPIN)".
>>>> Please enter User PIN:
>>>> Key pair generated:
>>>> Private Key Object; RSA
>>>>   label:      Private Key
>>>>   ID:         12
>>>>   Usage:      decrypt, sign, unwrap
>>>> Public Key Object; RSA 2048 bits
>>>>   label:      Private Key
>>>>   ID:         12
>>>>   Usage:      encrypt, verify, wrap
>>>> (venv)cornelius@puckel ...c/privacyidea/privacyidea/lib/security (git)-[pkcs11] % /usr/local/bin/pkcs11-tool --module /usr/local/lib/opensc-pkcs11.so -l -O
>>>> Using slot 1 with a present token (0x1)
>>>> Logging in to "SmartCard-HSM (UserPIN)".
>>>> Please enter User PIN:
>>>> Private Key Object; RSA
>>>>   label:      Private Key
>>>>   ID:         11
>>>>   Usage:      decrypt, sign, unwrap
>>>> Public Key Object; RSA 2048 bits
>>>>   label:      Private Key
>>>>   ID:         11
>>>>   Usage:      none
>>>> Private Key Object; RSA
>>>>   label:      Private Key
>>>>   ID:         12
>>>>   Usage:      decrypt, sign, unwrap
>>>> Public Key Object; RSA 2048 bits
>>>>   label:      Private Key
>>>>   ID:         12
>>>>   Usage:      none
>>>>
>>>> On Saturday, 16.04.2016 at 00:11 +0200, Andreas Schwier wrote:
>>>>> Dear Cornelius,
>>>>>
>>>>> get a newer version ;-)
>>>>>
>>>>> 0.13 was the first version to support the SmartCard-HSM and a lot has happened since then.
>>>>>
>>>>> Andreas
>>>>>
>>>>> On 04/15/2016 11:02 PM, Cornelius Kölbel wrote:
>>>>>> Hi,
>>>>>>
>>>>>> I am doing some tests with the Nitrokey (SmartCard-HSM) on Ubuntu 14.04. It comes with 0.13.0-3ubuntu4.1.
>>>>>>
>>>>>> So you may simply tell me to get a newer version ;-)
>>>>>>
>>>>>> Now, when I generate a key pair everything looks fine. The key usage of the pubkey is marked as _encrypt_.
>>>>>>
>>>>>> But when I run -l -O the public key has no attributes!
>>>>>>
>>>>>> (venv)cornelius@puckel ...c/privacyidea/privacyidea/lib/security (git)-[pkcs11] % pkcs11-tool --module /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so -l --keypairgen --key-type rsa:2048 --id 11
>>>>>> Using slot 1 with a present token (0x1)
>>>>>> Logging in to "SmartCard-HSM (UserPIN)".
>>>>>> Please enter User PIN:
>>>>>> Key pair generated:
>>>>>> Private Key Object; RSA
>>>>>>   label:      Private Key
>>>>>>   ID:         11
>>>>>>   Usage:      decrypt, sign, unwrap
>>>>>> Public Key Object; RSA 2048 bits
>>>>>>   label:      Private Key
>>>>>>   ID:         11
>>>>>>   Usage:      encrypt, verify, wrap
>>>>>> (venv)cornelius@puckel ...c/privacyidea/privacyidea/lib/security (git)-[pkcs11] % pkcs11-tool --module /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so -l -O
>>>>>> Using slot 1 with a present token (0x1)
>>>>>> Logging in to "SmartCard-HSM (UserPIN)".
>>>>>> Please enter User PIN:
>>>>>> Private Key Object; RSA
>>>>>>   label:      Private Key
>>>>>>   ID:         11
>>>>>>   Usage:      decrypt, sign, unwrap
>>>>>> Public Key Object; RSA 2048 bits
>>>>>>   label:      Private Key
>>>>>>   ID:         11
>>>>>>   Usage:      none
>>>>>>
>>>>>> Also when I look at the object all key usage attribs are set to false:
>>>>>>
>>>>>> [CKA_ALWAYS_SENSITIVE: True
>>>>>>  CKA_CLASS: CKO_PUBLIC_KEY
>>>>>>  CKA_DECRYPT: False
>>>>>>  CKA_DERIVE: False
>>>>>>  CKA_ENCRYPT: False
>>>>>>  CKA_EXTRACTABLE: (0L,)
>>>>>>  CKA_ID: (17L,)
>>>>>>  CKA_KEY_GEN_MECHANISM: -1
>>>>>>  CKA_KEY_TYPE: CKK_RSA
>>>>>>  CKA_LABEL: Private Key
>>>>>>  CKA_LOCAL: True
>>>>>>  CKA_MODIFIABLE: False
>>>>>>
>>>>>> When I try to encrypt with the key handle on key x11 I get CKR_FUNCTION_NOT_SUPPORTED.
>>>>>>
>>>>>> So it looks like the attributes of the pubkey are not persisted.
>>>>>>
>>>>>> Am I missing something?
>>>>>>
>>>>>> Thanks a lot and kind regards
>>>>>> Cornelius

--
Cornelius Kölbel
cor...@ne...
+49 151 2960 1417

NetKnights GmbH
http://www.netknights.it
Landgraf-Karl-Str. 19, 34131 Kassel, Germany
Tel: +49 561 3166797, Fax: +49 561 3166798

District court Kassel, HRB 16405
Managing director: Cornelius Kölbel
From: Andreas S. <and...@ca...> - 2016-04-18 06:47:52

Hi Cornelius,

yes, that is what I'm saying: no support for public key operations in OpenSC. The reason is that OpenSC is a PKCS#11 interface to access private keys on a hardware device; it's not a fully-fledged crypto library. Typically public key operations don't require the token and are performed using a software crypto library. There are very few applications where public and private key operations are performed on the same system (e.g. local disk encryption).

Andreas

On 04/16/2016 02:22 PM, Cornelius Kölbel wrote:
> Hello Andreas,
>
> thanks for the clarification and the pull request.
>
> OpenSC does not provide public key operations? So you're telling me that running C_EncryptInit/C_Encrypt will not work, a.k.a. raise a NotImplemented exception?
>
> Kind regards
> Cornelius
>
> On Saturday, 16.04.2016 at 13:37 +0200, Andreas Schwier wrote:
>> Dear Cornelius,
>>
>> I can confirm that this is a bug.
>>
>> A patch is available on Github [1].
>>
>> The reason why this wasn't spotted before is that the flag does not really have any relevance, as OpenSC does not provide for public key operations anyway. So the only use case for the public key object is to extract the public key value, i.e. to place that in a certificate.
>>
>> Andreas
>>
>> [1] https://github.com/OpenSC/OpenSC/pull/734
>>
>> On 04/16/2016 10:36 AM, Cornelius Kölbel wrote:
>>> Hi Andreas,
>>>
>>> I compiled 0.15 and used it the way shown below. It still looks the same. (Maybe I didn't use it correctly)
>>>
>>> But it still looks the same. When I list all objects, the public key (12) does not have the key usage "encrypt".
>>>
>>> Kind regards
>>> Cornelius
>>>
>>> /usr/local/bin/pkcs11-tool --module /usr/local/lib/opensc-pkcs11.so -l --keypairgen --key-type rsa:2048 --id 12
>>> Using slot 1 with a present token (0x1)
>>> Logging in to "SmartCard-HSM (UserPIN)".
>>> Please enter User PIN:
>>> Key pair generated:
>>> Private Key Object; RSA
>>>   label:      Private Key
>>>   ID:         12
>>>   Usage:      decrypt, sign, unwrap
>>> Public Key Object; RSA 2048 bits
>>>   label:      Private Key
>>>   ID:         12
>>>   Usage:      encrypt, verify, wrap
>>> (venv)cornelius@puckel ...c/privacyidea/privacyidea/lib/security (git)-[pkcs11] % /usr/local/bin/pkcs11-tool --module /usr/local/lib/opensc-pkcs11.so -l -O
>>> Using slot 1 with a present token (0x1)
>>> Logging in to "SmartCard-HSM (UserPIN)".
>>> Please enter User PIN:
>>> Private Key Object; RSA
>>>   label:      Private Key
>>>   ID:         11
>>>   Usage:      decrypt, sign, unwrap
>>> Public Key Object; RSA 2048 bits
>>>   label:      Private Key
>>>   ID:         11
>>>   Usage:      none
>>> Private Key Object; RSA
>>>   label:      Private Key
>>>   ID:         12
>>>   Usage:      decrypt, sign, unwrap
>>> Public Key Object; RSA 2048 bits
>>>   label:      Private Key
>>>   ID:         12
>>>   Usage:      none
>>>
>>> On Saturday, 16.04.2016 at 00:11 +0200, Andreas Schwier wrote:
>>>> Dear Cornelius,
>>>>
>>>> get a newer version ;-)
>>>>
>>>> 0.13 was the first version to support the SmartCard-HSM and a lot has happened since then.
>>>>
>>>> Andreas
>>>>
>>>> On 04/15/2016 11:02 PM, Cornelius Kölbel wrote:
>>>>> Hi,
>>>>>
>>>>> I am doing some tests with the Nitrokey (SmartCard-HSM) on Ubuntu 14.04. It comes with 0.13.0-3ubuntu4.1.
>>>>>
>>>>> So you may simply tell me to get a newer version ;-)
>>>>>
>>>>> Now, when I generate a key pair everything looks fine. The key usage of the pubkey is marked as _encrypt_.
>>>>>
>>>>> But when I run -l -O the public key has no attributes!
>>>>>
>>>>> (venv)cornelius@puckel ...c/privacyidea/privacyidea/lib/security (git)-[pkcs11] % pkcs11-tool --module /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so -l --keypairgen --key-type rsa:2048 --id 11
>>>>> Using slot 1 with a present token (0x1)
>>>>> Logging in to "SmartCard-HSM (UserPIN)".
>>>>> Please enter User PIN:
>>>>> Key pair generated:
>>>>> Private Key Object; RSA
>>>>>   label:      Private Key
>>>>>   ID:         11
>>>>>   Usage:      decrypt, sign, unwrap
>>>>> Public Key Object; RSA 2048 bits
>>>>>   label:      Private Key
>>>>>   ID:         11
>>>>>   Usage:      encrypt, verify, wrap
>>>>> (venv)cornelius@puckel ...c/privacyidea/privacyidea/lib/security (git)-[pkcs11] % pkcs11-tool --module /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so -l -O
>>>>> Using slot 1 with a present token (0x1)
>>>>> Logging in to "SmartCard-HSM (UserPIN)".
>>>>> Please enter User PIN:
>>>>> Private Key Object; RSA
>>>>>   label:      Private Key
>>>>>   ID:         11
>>>>>   Usage:      decrypt, sign, unwrap
>>>>> Public Key Object; RSA 2048 bits
>>>>>   label:      Private Key
>>>>>   ID:         11
>>>>>   Usage:      none
>>>>>
>>>>> Also when I look at the object all key usage attribs are set to false:
>>>>>
>>>>> [CKA_ALWAYS_SENSITIVE: True
>>>>>  CKA_CLASS: CKO_PUBLIC_KEY
>>>>>  CKA_DECRYPT: False
>>>>>  CKA_DERIVE: False
>>>>>  CKA_ENCRYPT: False
>>>>>  CKA_EXTRACTABLE: (0L,)
>>>>>  CKA_ID: (17L,)
>>>>>  CKA_KEY_GEN_MECHANISM: -1
>>>>>  CKA_KEY_TYPE: CKK_RSA
>>>>>  CKA_LABEL: Private Key
>>>>>  CKA_LOCAL: True
>>>>>  CKA_MODIFIABLE: False
>>>>>
>>>>> When I try to encrypt with the key handle on key x11 I get CKR_FUNCTION_NOT_SUPPORTED.
>>>>>
>>>>> So it looks like the attributes of the pubkey are not persisted.
>>>>>
>>>>> Am I missing something?
>>>>>
>>>>> Thanks a lot and kind regards
>>>>> Cornelius

--
   ---------    CardContact Systems GmbH
  |.##> <##.|   Schülerweg 38
  |#       #|   D-32429 Minden, Germany
  |#       #|   Phone +49 571 56149
  |'##> <##'|   http://www.cardcontact.de
   ---------    Commercial register: Bad Oeynhausen HRB 14880
                Managing director: Andreas Schwier
From: Cornelius K. <cor...@ne...> - 2016-04-16 12:22:55
|
Hello Andreas,

thanks for the clarification and the pull request.

OpenSC does not provide public key operations? So you are telling me that running C_EncryptInit/C_Encrypt will not work, a.k.a. raise a NotImplemented exception?

Kind regards
Cornelius

On Saturday, 16.04.2016, 13:37 +0200, Andreas Schwier wrote:
> Dear Cornelius,
>
> I can confirm that this is a bug.
>
> A patch is available on Github [1].
>
> The reason why this wasn't spotted before is that the flag does not
> really have any relevance, as OpenSC does not provide for public key
> operations anyway. So the only use case for the public key object is to
> extract the public key value, i.e. to place that in a certificate.
>
> Andreas
>
> [1] https://github.com/OpenSC/OpenSC/pull/734
>
> On 04/16/2016 10:36 AM, Cornelius Kölbel wrote:
> > Hi Andreas,
> >
> > I compiled 0.15 and used it the way below. It still looks the same.
> > (Maybe I didn't use it correctly)
> >
> > But it still looks the same. When I list all objects, the public key
> > (12) does not have the key-usage "encrypt".
> >
> > Kind regards
> > Cornelius
> >
> > /usr/local/bin/pkcs11-tool --module /usr/local/lib/opensc-pkcs11.so -l --keypairgen --key-type rsa:2048 --id 12
> > Using slot 1 with a present token (0x1)
> > Logging in to "SmartCard-HSM (UserPIN)".
> > Please enter User PIN:
> > Key pair generated:
> > Private Key Object; RSA
> >   label:      Private Key
> >   ID:         12
> >   Usage:      decrypt, sign, unwrap
> > Public Key Object; RSA 2048 bits
> >   label:      Private Key
> >   ID:         12
> >   Usage:      encrypt, verify, wrap
> > (venv)cornelius@puckel ...c/privacyidea/privacyidea/lib/security (git)-[pkcs11] % /usr/local/bin/pkcs11-tool --module /usr/local/lib/opensc-pkcs11.so -l -O
> > Using slot 1 with a present token (0x1)
> > Logging in to "SmartCard-HSM (UserPIN)".
> > Please enter User PIN:
> > Private Key Object; RSA
> >   label:      Private Key
> >   ID:         11
> >   Usage:      decrypt, sign, unwrap
> > Public Key Object; RSA 2048 bits
> >   label:      Private Key
> >   ID:         11
> >   Usage:      none
> > Private Key Object; RSA
> >   label:      Private Key
> >   ID:         12
> >   Usage:      decrypt, sign, unwrap
> > Public Key Object; RSA 2048 bits
> >   label:      Private Key
> >   ID:         12
> >   Usage:      none
> >
> > On Saturday, 16.04.2016, 00:11 +0200, Andreas Schwier wrote:
> > > Dear Cornelius,
> > >
> > > get a newer version ;-)
> > >
> > > 0.13 was the first version to support the SmartCard-HSM and a lot has
> > > happened since then.
> > >
> > > Andreas
> > >
> > > On 04/15/2016 11:02 PM, Cornelius Kölbel wrote:
> > > > Hi,
> > > >
> > > > I am doing some tests with the nitrokey (smartcard-hsm) on Ubuntu 14.04.
> > > > It comes with 0.13.0-3ubuntu4.1.
> > > >
> > > > So you may simply tell me to get a newer version ;-)
> > > >
> > > > Now, when I generate a key pair everything looks fine.
> > > > The key usage of the pubkey is marked as _encrypt_.
> > > >
> > > > But when I run -l -O the public key has no attributes!
> > > >
> > > > (venv)cornelius@puckel ...c/privacyidea/privacyidea/lib/security (git)-[pkcs11] % pkcs11-tool --module /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so -l --keypairgen --key-type rsa:2048 --id 11
> > > > Using slot 1 with a present token (0x1)
> > > > Logging in to "SmartCard-HSM (UserPIN)".
> > > > Please enter User PIN:
> > > > Key pair generated:
> > > > Private Key Object; RSA
> > > >   label:      Private Key
> > > >   ID:         11
> > > >   Usage:      decrypt, sign, unwrap
> > > > Public Key Object; RSA 2048 bits
> > > >   label:      Private Key
> > > >   ID:         11
> > > >   Usage:      encrypt, verify, wrap
> > > > (venv)cornelius@puckel ...c/privacyidea/privacyidea/lib/security (git)-[pkcs11] % pkcs11-tool --module /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so -l -O
> > > > Using slot 1 with a present token (0x1)
> > > > Logging in to "SmartCard-HSM (UserPIN)".
> > > > Please enter User PIN:
> > > > Private Key Object; RSA
> > > >   label:      Private Key
> > > >   ID:         11
> > > >   Usage:      decrypt, sign, unwrap
> > > > Public Key Object; RSA 2048 bits
> > > >   label:      Private Key
> > > >   ID:         11
> > > >   Usage:      none
> > > >
> > > > Also when I look at the object all key usage attribs are set to false:
> > > >
> > > > [CKA_ALWAYS_SENSITIVE: True
> > > > CKA_CLASS: CKO_PUBLIC_KEY
> > > > CKA_DECRYPT: False
> > > > CKA_DERIVE: False
> > > > CKA_ENCRYPT: False
> > > > CKA_EXTRACTABLE: (0L,)
> > > > CKA_ID: (17L,)
> > > > CKA_KEY_GEN_MECHANISM: -1
> > > > CKA_KEY_TYPE: CKK_RSA
> > > > CKA_LABEL: Private Key
> > > > CKA_LOCAL: True
> > > > CKA_MODIFIABLE: False
> > > >
> > > > When I try to encrypt with the key handle on key x11 I get
> > > > CKR_FUNCTION_NOT_SUPPORTED.
> > > >
> > > > So it looks like the attributes of the pubkey are not persisted.
> > > >
> > > > Am I missing something?
> > > >
> > > > Thanks a lot and kind regards
> > > > Cornelius

--
Cornelius Kölbel
cor...@ne...
+49 151 2960 1417

NetKnights GmbH
http://www.netknights.it
Landgraf-Karl-Str. 19, 34131 Kassel, Germany
Tel: +49 561 3166797, Fax: +49 561 3166798

Amtsgericht Kassel, HRB 16405
Geschäftsführer: Cornelius Kölbel |
From: Andreas S. <and...@ca...> - 2016-04-16 11:37:24
|
Dear Cornelius,

I can confirm that this is a bug.

A patch is available on Github [1].

The reason why this wasn't spotted before is that the flag does not
really have any relevance, as OpenSC does not provide for public key
operations anyway. So the only use case for the public key object is to
extract the public key value, i.e. to place that in a certificate.

Andreas

[1] https://github.com/OpenSC/OpenSC/pull/734

On 04/16/2016 10:36 AM, Cornelius Kölbel wrote:
> Hi Andreas,
>
> I compiled 0.15 and used it the way below. It still looks the same.
> (Maybe I didn't use it correctly)
>
> But it still looks the same. When I list all objects, the public key
> (12) does not have the key-usage "encrypt".
>
> Kind regards
> Cornelius
>
> /usr/local/bin/pkcs11-tool --module /usr/local/lib/opensc-pkcs11.so -l --keypairgen --key-type rsa:2048 --id 12
> Using slot 1 with a present token (0x1)
> Logging in to "SmartCard-HSM (UserPIN)".
> Please enter User PIN:
> Key pair generated:
> Private Key Object; RSA
>   label:      Private Key
>   ID:         12
>   Usage:      decrypt, sign, unwrap
> Public Key Object; RSA 2048 bits
>   label:      Private Key
>   ID:         12
>   Usage:      encrypt, verify, wrap
> (venv)cornelius@puckel ...c/privacyidea/privacyidea/lib/security (git)-[pkcs11] % /usr/local/bin/pkcs11-tool --module /usr/local/lib/opensc-pkcs11.so -l -O
> Using slot 1 with a present token (0x1)
> Logging in to "SmartCard-HSM (UserPIN)".
> Please enter User PIN:
> Private Key Object; RSA
>   label:      Private Key
>   ID:         11
>   Usage:      decrypt, sign, unwrap
> Public Key Object; RSA 2048 bits
>   label:      Private Key
>   ID:         11
>   Usage:      none
> Private Key Object; RSA
>   label:      Private Key
>   ID:         12
>   Usage:      decrypt, sign, unwrap
> Public Key Object; RSA 2048 bits
>   label:      Private Key
>   ID:         12
>   Usage:      none
>
> On Saturday, 16.04.2016, 00:11 +0200, Andreas Schwier wrote:
>> Dear Cornelius,
>>
>> get a newer version ;-)
>>
>> 0.13 was the first version to support the SmartCard-HSM and a lot has
>> happened since then.
>>
>> Andreas
>>
>> On 04/15/2016 11:02 PM, Cornelius Kölbel wrote:
>>> Hi,
>>>
>>> I am doing some tests with the nitrokey (smartcard-hsm) on Ubuntu 14.04.
>>> It comes with 0.13.0-3ubuntu4.1.
>>>
>>> So you may simply tell me to get a newer version ;-)
>>>
>>> Now, when I generate a key pair everything looks fine.
>>> The key usage of the pubkey is marked as _encrypt_.
>>>
>>> But when I run -l -O the public key has no attributes!
>>>
>>> (venv)cornelius@puckel ...c/privacyidea/privacyidea/lib/security (git)-[pkcs11] % pkcs11-tool --module /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so -l --keypairgen --key-type rsa:2048 --id 11
>>> Using slot 1 with a present token (0x1)
>>> Logging in to "SmartCard-HSM (UserPIN)".
>>> Please enter User PIN:
>>> Key pair generated:
>>> Private Key Object; RSA
>>>   label:      Private Key
>>>   ID:         11
>>>   Usage:      decrypt, sign, unwrap
>>> Public Key Object; RSA 2048 bits
>>>   label:      Private Key
>>>   ID:         11
>>>   Usage:      encrypt, verify, wrap
>>> (venv)cornelius@puckel ...c/privacyidea/privacyidea/lib/security (git)-[pkcs11] % pkcs11-tool --module /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so -l -O
>>> Using slot 1 with a present token (0x1)
>>> Logging in to "SmartCard-HSM (UserPIN)".
>>> Please enter User PIN:
>>> Private Key Object; RSA
>>>   label:      Private Key
>>>   ID:         11
>>>   Usage:      decrypt, sign, unwrap
>>> Public Key Object; RSA 2048 bits
>>>   label:      Private Key
>>>   ID:         11
>>>   Usage:      none
>>>
>>> Also when I look at the object all key usage attribs are set to false:
>>>
>>> [CKA_ALWAYS_SENSITIVE: True
>>> CKA_CLASS: CKO_PUBLIC_KEY
>>> CKA_DECRYPT: False
>>> CKA_DERIVE: False
>>> CKA_ENCRYPT: False
>>> CKA_EXTRACTABLE: (0L,)
>>> CKA_ID: (17L,)
>>> CKA_KEY_GEN_MECHANISM: -1
>>> CKA_KEY_TYPE: CKK_RSA
>>> CKA_LABEL: Private Key
>>> CKA_LOCAL: True
>>> CKA_MODIFIABLE: False
>>>
>>> When I try to encrypt with the key handle on key x11 I get
>>> CKR_FUNCTION_NOT_SUPPORTED.
>>>
>>> So it looks like the attributes of the pubkey are not persisted.
>>>
>>> Am I missing something?
>>>
>>> Thanks a lot and kind regards
>>> Cornelius

--
 ---------    CardContact Systems GmbH
|.##> <##.|   Schülerweg 38
|#       #|   D-32429 Minden, Germany
|#       #|   Phone +49 571 56149
|'##> <##'|   http://www.cardcontact.de
 ---------    Registergericht Bad Oeynhausen HRB 14880
              Geschäftsführer Andreas Schwier |
From: Cornelius K. <cor...@ne...> - 2016-04-16 08:36:37
|
Hi Andreas,

I compiled 0.15 and used it the way below. It still looks the same.
(Maybe I didn't use it correctly)

But it still looks the same. When I list all objects, the public key
(12) does not have the key-usage "encrypt".

Kind regards
Cornelius

/usr/local/bin/pkcs11-tool --module /usr/local/lib/opensc-pkcs11.so -l --keypairgen --key-type rsa:2048 --id 12
Using slot 1 with a present token (0x1)
Logging in to "SmartCard-HSM (UserPIN)".
Please enter User PIN:
Key pair generated:
Private Key Object; RSA
  label:      Private Key
  ID:         12
  Usage:      decrypt, sign, unwrap
Public Key Object; RSA 2048 bits
  label:      Private Key
  ID:         12
  Usage:      encrypt, verify, wrap
(venv)cornelius@puckel ...c/privacyidea/privacyidea/lib/security (git)-[pkcs11] % /usr/local/bin/pkcs11-tool --module /usr/local/lib/opensc-pkcs11.so -l -O
Using slot 1 with a present token (0x1)
Logging in to "SmartCard-HSM (UserPIN)".
Please enter User PIN:
Private Key Object; RSA
  label:      Private Key
  ID:         11
  Usage:      decrypt, sign, unwrap
Public Key Object; RSA 2048 bits
  label:      Private Key
  ID:         11
  Usage:      none
Private Key Object; RSA
  label:      Private Key
  ID:         12
  Usage:      decrypt, sign, unwrap
Public Key Object; RSA 2048 bits
  label:      Private Key
  ID:         12
  Usage:      none

On Saturday, 16.04.2016, 00:11 +0200, Andreas Schwier wrote:
> Dear Cornelius,
>
> get a newer version ;-)
>
> 0.13 was the first version to support the SmartCard-HSM and a lot has
> happened since then.
>
> Andreas
>
> On 04/15/2016 11:02 PM, Cornelius Kölbel wrote:
> > Hi,
> >
> > I am doing some tests with the nitrokey (smartcard-hsm) on Ubuntu 14.04.
> > It comes with 0.13.0-3ubuntu4.1.
> >
> > So you may simply tell me to get a newer version ;-)
> >
> > Now, when I generate a key pair everything looks fine.
> > The key usage of the pubkey is marked as _encrypt_.
> >
> > But when I run -l -O the public key has no attributes!
> >
> > (venv)cornelius@puckel ...c/privacyidea/privacyidea/lib/security (git)-[pkcs11] % pkcs11-tool --module /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so -l --keypairgen --key-type rsa:2048 --id 11
> > Using slot 1 with a present token (0x1)
> > Logging in to "SmartCard-HSM (UserPIN)".
> > Please enter User PIN:
> > Key pair generated:
> > Private Key Object; RSA
> >   label:      Private Key
> >   ID:         11
> >   Usage:      decrypt, sign, unwrap
> > Public Key Object; RSA 2048 bits
> >   label:      Private Key
> >   ID:         11
> >   Usage:      encrypt, verify, wrap
> > (venv)cornelius@puckel ...c/privacyidea/privacyidea/lib/security (git)-[pkcs11] % pkcs11-tool --module /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so -l -O
> > Using slot 1 with a present token (0x1)
> > Logging in to "SmartCard-HSM (UserPIN)".
> > Please enter User PIN:
> > Private Key Object; RSA
> >   label:      Private Key
> >   ID:         11
> >   Usage:      decrypt, sign, unwrap
> > Public Key Object; RSA 2048 bits
> >   label:      Private Key
> >   ID:         11
> >   Usage:      none
> >
> > Also when I look at the object all key usage attribs are set to false:
> >
> > [CKA_ALWAYS_SENSITIVE: True
> > CKA_CLASS: CKO_PUBLIC_KEY
> > CKA_DECRYPT: False
> > CKA_DERIVE: False
> > CKA_ENCRYPT: False
> > CKA_EXTRACTABLE: (0L,)
> > CKA_ID: (17L,)
> > CKA_KEY_GEN_MECHANISM: -1
> > CKA_KEY_TYPE: CKK_RSA
> > CKA_LABEL: Private Key
> > CKA_LOCAL: True
> > CKA_MODIFIABLE: False
> >
> > When I try to encrypt with the key handle on key x11 I get
> > CKR_FUNCTION_NOT_SUPPORTED.
> >
> > So it looks like the attributes of the pubkey are not persisted.
> >
> > Am I missing something?
> >
> > Thanks a lot and kind regards
> > Cornelius

--
Cornelius Kölbel
cor...@ne...
+49 151 2960 1417

NetKnights GmbH
http://www.netknights.it
Landgraf-Karl-Str. 19, 34131 Kassel, Germany
Tel: +49 561 3166797, Fax: +49 561 3166798

Amtsgericht Kassel, HRB 16405
Geschäftsführer: Cornelius Kölbel |
From: Cornelius K. <cor...@ne...> - 2016-04-16 07:18:23
|
Hello Andreas,

Thanks a lot. I will do so, test it and report.

Kind regards
Cornelius

--
Cornelius Kölbe...@ne...
+49 151 2960 1417

NetKnights GmbH
http://netknights.it
Landgraf-Karl-Str. 19, 34131 Kassel, Germany
Tel: +49 561 3166797, Fax: +49 561 3166798

Amtsgericht Kassel, HRB 16405
Geschäftsführer: Cornelius Kölbel

-------- Original message --------
From: Andreas Schwier <and...@ca...>
Date: 16.04.2016 00:11 (GMT+01:00)
To: ope...@li...
Subject: Re: [Opensc-devel] missing key usage of pubkey

Dear Cornelius,

get a newer version ;-)

0.13 was the first version to support the SmartCard-HSM and a lot has
happened since then.

Andreas

On 04/15/2016 11:02 PM, Cornelius Kölbel wrote:
> Hi,
>
> I am doing some tests with the nitrokey (smartcard-hsm) on Ubuntu 14.04.
> It comes with 0.13.0-3ubuntu4.1.
>
> So you may simply tell me to get a newer version ;-)
>
> Now, when I generate a key pair everything looks fine.
> The key usage of the pubkey is marked as _encrypt_.
>
> But when I run -l -O the public key has no attributes!
>
> (venv)cornelius@puckel ...c/privacyidea/privacyidea/lib/security (git)-[pkcs11] % pkcs11-tool --module /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so -l --keypairgen --key-type rsa:2048 --id 11
> Using slot 1 with a present token (0x1)
> Logging in to "SmartCard-HSM (UserPIN)".
> Please enter User PIN:
> Key pair generated:
> Private Key Object; RSA
>   label:      Private Key
>   ID:         11
>   Usage:      decrypt, sign, unwrap
> Public Key Object; RSA 2048 bits
>   label:      Private Key
>   ID:         11
>   Usage:      encrypt, verify, wrap
> (venv)cornelius@puckel ...c/privacyidea/privacyidea/lib/security (git)-[pkcs11] % pkcs11-tool --module /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so -l -O
> Using slot 1 with a present token (0x1)
> Logging in to "SmartCard-HSM (UserPIN)".
> Please enter User PIN:
> Private Key Object; RSA
>   label:      Private Key
>   ID:         11
>   Usage:      decrypt, sign, unwrap
> Public Key Object; RSA 2048 bits
>   label:      Private Key
>   ID:         11
>   Usage:      none
>
> Also when I look at the object all key usage attribs are set to false:
>
> [CKA_ALWAYS_SENSITIVE: True
> CKA_CLASS: CKO_PUBLIC_KEY
> CKA_DECRYPT: False
> CKA_DERIVE: False
> CKA_ENCRYPT: False
> CKA_EXTRACTABLE: (0L,)
> CKA_ID: (17L,)
> CKA_KEY_GEN_MECHANISM: -1
> CKA_KEY_TYPE: CKK_RSA
> CKA_LABEL: Private Key
> CKA_LOCAL: True
> CKA_MODIFIABLE: False
>
> When I try to encrypt with the key handle on key x11 I get
> CKR_FUNCTION_NOT_SUPPORTED.
>
> So it looks like the attributes of the pubkey are not persisted.
>
> Am I missing something?
>
> Thanks a lot and kind regards
> Cornelius

--
 ---------    CardContact Systems GmbH
|.##> <##.|   Schülerweg 38
|#       #|   D-32429 Minden, Germany
|#       #|   Phone +49 571 56149
|'##> <##'|   http://www.cardcontact.de
 ---------    Registergericht Bad Oeynhausen HRB 14880
              Geschäftsführer Andreas Schwier |
From: Viktor T. <vik...@gm...> - 2016-04-04 09:31:41
|
Hi,

support for Solaris in OpenSC has not been updated for years. As it is now it seems to have been unusable for a long time: in 'proto' there are missing references and wrong paths to source files. Nobody has missed it, so I propose to remove this part of the code from the sources.

Kind regards,
Viktor. |
From: Douglas E E. <dee...@gm...> - 2016-03-29 12:02:05
|
The term public key is ambiguous. When there was only RSA, it was simple, modulus and exponent.
With EC there are the point and the parameters or namedcurve. Other algorithms have different parameters too.
Then to tell them apart you need the key type. PKCS#11 presents the key type and the caller can request
the attributes based on the key type.

pkcs11-tool was meant to be a test tool and until EC was added pkcs11-tool only worked with RSA.

OpenSSL may have evolved over the years, some apps may assume the type, but later apps tend to take
an EVP_KEY which includes a key type. The SPKI from a certificate is the ASN.1 encoding for an EVP_KEY.

Have you tried reading the certificate? The rsautl says it can use a certificate in place of a public key.

On 3/29/2016 2:33 AM, Johannes Rath wrote:
> The latest build definitely looks better:
>
> C:\Users\Demo\workspace>opensc-tool -i
> OpenSC 0.16.0rc1 [Microsoft 1800]
> Enabled features:pcsc openssl zlib
>
> C:\Users\Demo\workspace>openssl asn1parse -inform DER -in publickey.der -dump
>     0:d=0  hl=4 l= 290 cons: SEQUENCE
>     4:d=1  hl=2 l=  13 cons: SEQUENCE
>     6:d=2  hl=2 l=   9 prim: OBJECT            :rsaEncryption
>    17:d=2  hl=2 l=   0 prim: NULL
>    19:d=1  hl=4 l= 271 prim: BIT STRING
>       0000 - 00 30 82 01 0a 02 82 01-01 00 99 c9 eb 66 11 84   .0...........f..
>       0010 - 89 08 a0 22 9d 1d cf 94-44 b8 e3 99 6c f9 7c c7   ..."....D...l.|.
>       0020 - a7 bb 52 d5 1b 3d 57 01-20 9d ec 96 99 7f ab 14   ..R..=W. .......
>       0030 - c0 18 06 07 89 9f d0 fa-5e 75 f1 2a 97 49 5b 44   ........^u.*.I[D
>       0040 - bb 34 96 1e a0 af 11 79-20 2c 82 61 71 c3 cd 98   .4.....y ,.aq...
>       0050 - 75 1e e1 6a dd 3e f2 e9-34 c5 66 cf 10 3d 3d f4   u..j.>..4.f..==.
>       0060 - 60 a6 19 07 46 f6 b4 10-a2 5a 5f d7 40 b9 18 2d   `...F....Z_.@..-
>       0070 - 9b 06 c2 18 0d 28 25 6c-ed d7 c9 92 5b d5 3a 36   .....(%l....[.:6
>       0080 - 84 58 8a b6 7c 8c 1c d1-cd a2 7a 7f cf 87 c0 23   .X..|.....z....#
>       0090 - 8c fe 84 39 1f 13 23 86-b6 d1 f7 5a 1e e6 b2 8f   ...9..#....Z....
>       00a0 - 70 27 cb 60 f9 be 41 b4-d2 30 18 87 15 19 bd 42   p'.`..A..0.....B
>       00b0 - 28 22 77 8c 2e 0c 2d 7d-91 dc 27 bc 15 5a 4f 1b   ("w...-}..'..ZO.
>       00c0 - de 66 96 37 f7 10 4a 94-3c 8a ef e0 fe 33 2e f9   .f.7..J.<....3..
>       00d0 - fe 3e 0a 1b 64 5d dc 54-a4 19 33 38 82 7e cb b4   .>..d].T..38.~..
>       00e0 - af f7 82 65 71 75 d3 b5-1c b2 a3 f1 81 6f 74 3a   ...equ.......ot:
>       00f0 - bb 0a 9d 56 d8 ea 4b 3c-e4 02 01 ae cc 95 90 ac   ...V..K<........
>       0100 - 60 4d 69 9e ef 79 7c 55-bc 87 02 03 01 00 01      `Mi..y|U.......
>
> -----Original Message-----
> From: Johannes Rath [mailto:joh...@sw...]
> Sent: Tuesday, 29 March 2016 09:08
> To: 'ope...@li...'
> Subject: Re: [Opensc-devel] Key format of pkcs11-tool --read-object --type pubkey
>
> I am using OpenSC 0.15.0, but on Windows ;)
>
> Looks like that version still uses the old format.
>
> C:\Users\Demo\workspace>opensc-tool -i
> OpenSC 0.15.0 [Microsoft 1600]
> Enabled features:pcsc openssl zlib
>
> C:\Users\Demo\workspace>pkcs11-tool --read-object --type pubkey --id 45 -o publickey_45_2.key
> Using slot 1 with a present token (0x1)
>
> C:\Users\Demo\workspace>openssl asn1parse -inform DER -in publickey_45_2.key -dump
>     0:d=0  hl=4 l= 266 cons: SEQUENCE
>     4:d=1  hl=4 l= 257 prim: INTEGER           :989FE2E678F264B80772816B3BCC064B
> 2C441E681DC8AD31ED686772EF7B9606FD1D72D16EFD2325BBB64AC318F518C806B91883339460AC
> 11E842B2D1FFC14058B0DB40EB5E08FB88C14FE9AF1B67464E39D0A050ED14DB6452CDF53AE87B35
> BF09A09BD9F42DACC0ED36DA837240EC6466056AFEA22DC50C9D762F064924ED43826978802EF7A6
> F81D7803CBB0B9C79B018A27B562BBF08E58424199880EC5147FC3E2E87EF6724C42BC6899DBF05F
> 2B3925C6F03D301ED0FB7FDB33A9E47CBD479EE57C462EAF78B5641C8F392273815839D070357F22
> 2AEA20D7AD6B8350A80FC3011B3478E1D4CCBAC1855C3910A9AC8287DACE818D0722488BE38B183F
>   265:d=1  hl=2 l=   3 prim: INTEGER           :010001
>
> -----Original Message-----
> From: Douglas E Engert [mailto:dee...@gm...]
> Sent: Thursday, 24 March 2016 19:05
> To: ope...@li...
> Subject: Re: [Opensc-devel] Key format of pkcs11-tool --read-object --type pubkey
>
> What version of OpenSC are you using?
>
> 0.13.0 will output an RSA pubkey, i.e. a sequence of modulus and exponent. Not very useful.
>
> openssl asn1parse -i -inform DER -in publickey.key
>     0:d=0  hl=4 l= 266 cons: SEQUENCE
>     4:d=1  hl=4 l= 257 prim:  INTEGER           :D1C5D7F38C9134A4116D040DFE1066AF8B44A3BE6609C686A24F23E447906E33421BFEDC9DB16C2312306E63BA348B57A81D1CC241FE9813C0A02E343903D60315BC788289D44BFA2EC16B19D1CD8FB673CD90471F8301CFCCEE92E8A5119E6FEA76F9E4BC9C5F0120C606B6D1EC003D4606F49989D4D93DDE6C6AC6F079449219DA9063D319E93ACB5DBCB6AD9FD780BF6C94CBCC0AE542263E1772F283C0A2A8BDAFE0A6653004CA4D5CB3DF349FD87F10666F131B3FDE3C7D433D7C42374695E9B9FB73B655CA83F59838A1778504C11B82B94EBF5F247EA3D95F8E50A7C028C695ED16200F3B1C90C73FF25992458F0100222B5F6B6A12D5269AEA61DCC1
>   265:d=1  hl=2 l=   3 prim:  INTEGER           :010001
>
> later versions, including 0.16.0, will output a SPKI, which OpenSSL can use as a pubkey:
>
> pkcs11-tool --read-object --type pubkey --id 01 -o publickey.der
> openssl asn1parse -i -inform DER -in publickey.der -dump
>     0:d=0  hl=4 l= 290 cons: SEQUENCE
>     4:d=1  hl=2 l=  13 cons:  SEQUENCE
>     6:d=2  hl=2 l=   9 prim:   OBJECT            :rsaEncryption
>    17:d=2  hl=2 l=   0 prim:   NULL
>    19:d=1  hl=4 l= 271 prim:  BIT STRING
>       0000 - 00 30 82 01 0a 02 82 01-01 00 d1 c5 d7 f3 8c 91   .0..............
>       0010 - 34 a4 11 6d 04 0d fe 10-66 af 8b 44 a3 be 66 09   4..m....f..D..f.
>       0020 - c6 86 a2 4f 23 e4 47 90-6e 33 42 1b fe dc 9d b1   ...O#.G.n3B.....
>       0030 - 6c 23 12 30 6e 63 ba 34-8b 57 a8 1d 1c c2 41 fe   l#.0nc.4.W....A.
>       0040 - 98 13 c0 a0 2e 34 39 03-d6 03 15 bc 78 82 89 d4   .....49.....x...
>       0050 - 4b fa 2e c1 6b 19 d1 cd-8f b6 73 cd 90 47 1f 83   K...k.....s..G..
>       0060 - 01 cf cc ee 92 e8 a5 11-9e 6f ea 76 f9 e4 bc 9c   .........o.v....
>       0070 - 5f 01 20 c6 06 b6 d1 ec-00 3d 46 06 f4 99 89 d4   _. ......=F.....
>       0080 - d9 3d de 6c 6a c6 f0 79-44 92 19 da 90 63 d3 19   .=.lj..yD....c..
>       0090 - e9 3a cb 5d bc b6 ad 9f-d7 80 bf 6c 94 cb cc 0a   .:.].......l....
>       00a0 - e5 42 26 3e 17 72 f2 83-c0 a2 a8 bd af e0 a6 65   .B&>.r.........e
>       00b0 - 30 04 ca 4d 5c b3 df 34-9f d8 7f 10 66 6f 13 1b   0..M\..4....fo..
>       00c0 - 3f de 3c 7d 43 3d 7c 42-37 46 95 e9 b9 fb 73 b6   ?.<}C=|B7F....s.
>       00d0 - 55 ca 83 f5 98 38 a1 77-85 04 c1 1b 82 b9 4e bf   U....8.w......N.
>       00e0 - 5f 24 7e a3 d9 5f 8e 50-a7 c0 28 c6 95 ed 16 20   _$~.._.P..(....
>       00f0 - 0f 3b 1c 90 c7 3f f2 59-92 45 8f 01 00 22 2b 5f   .;...?.Y.E..."+_
>       0100 - 6b 6a 12 d5 26 9a ea 61-dc c1 02 03 01 00 01      kj..&..a.......
>
> On 3/24/2016 10:57 AM, Johannes Rath wrote:
>> Hi all,
>>
>> I want to extract the public key and use it for encryption with OpenSSL. It works fine like this:
>>
>> pkcs15-tool --read-public-key keyid -o publickey.pem
>>
>> openssl rsautl -inkey publickey.pem -pubin -encrypt -pkcs -in plaintext.txt -out ciphertext.txt
>>
>> But when I use pkcs11-tool the exported key is kind of weird. I am using:
>>
>> pkcs11-tool --read-object --type pubkey --id keyid -o publickey.key
>>
>> I am trying to use publickey.key as the inkey for openssl rsautl -encrypt, but I always get an error from OpenSSL.
>>
>> Any ideas?
>>
>> Thanks in advance
>>
>> Johannes
>>

--
Douglas E. Engert <DEE...@gm...> |
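The two layouts Douglas compares above, a bare PKCS#1 RSAPublicKey (what 0.13/0.15 wrote) and a SubjectPublicKeyInfo (what 0.16.0 writes), as an added example that is not part of this thread or of OpenSC: a dependency-free DER reader that classifies a public-key file, pulls modulus and exponent out of either layout, and wraps the bare layout in an SPKI so a tool that expects SPKI can read it. All function names are mine, and the key material used for the demo is a constructed 2048-bit number, not a real modulus.

```python
"""DER helpers for the two public-key layouts pkcs11-tool has written over the
years: bare PKCS#1 RSAPublicKey (OpenSC 0.13/0.15) and X.509 SubjectPublicKeyInfo
(0.16.0).  Added example, not OpenSC code; the sample key below is constructed."""

RSA_ENCRYPTION_OID = bytes.fromhex("2a864886f70d010101")   # 1.2.840.113549.1.1.1
TAG_INTEGER, TAG_BIT_STRING, TAG_NULL, TAG_OID, TAG_SEQUENCE = 0x02, 0x03, 0x05, 0x06, 0x30


def der_len(n: int) -> bytes:
    """DER definite length: one byte below 128, else 0x80|count then the count bytes."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_tlv(tag: int, value: bytes) -> bytes:
    return bytes([tag]) + der_len(len(value)) + value


def der_integer(n: int) -> bytes:
    """Non-negative INTEGER: minimal big-endian bytes, with a leading 0x00 when the
    top bit is set (which is why a 2048-bit modulus shows as l= 257 in asn1parse)."""
    body = n.to_bytes((n.bit_length() + 7) // 8 or 1, "big")
    if body[0] & 0x80:
        body = b"\x00" + body
    return der_tlv(TAG_INTEGER, body)


def parse_tlv(buf: bytes, pos: int = 0):
    """Return (tag, value, next_pos) for the element at pos; raises on truncation."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:                      # long form: low 7 bits = number of length bytes
        nbytes = first & 0x7F
        if nbytes == 0 or nbytes > 4:
            raise ValueError("unsupported length encoding")
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    else:
        length = first
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length


def children(seq: bytes):
    """Split the value of a constructed element into its (tag, value) children."""
    out, pos = [], 0
    while pos < len(seq):
        tag, val, pos = parse_tlv(seq, pos)
        out.append((tag, val))
    return out


def rsa_pkcs1_public_key(n: int, e: int) -> bytes:
    """RSAPublicKey ::= SEQUENCE { modulus INTEGER, publicExponent INTEGER }"""
    return der_tlv(TAG_SEQUENCE, der_integer(n) + der_integer(e))


def wrap_in_spki(rsa_pkcs1: bytes) -> bytes:
    """SubjectPublicKeyInfo ::= SEQUENCE { AlgorithmIdentifier, subjectPublicKey BIT STRING }
    with rsaEncryption + NULL parameters.  The BIT STRING is a 0x00 unused-bits byte
    followed by the PKCS#1 blob, i.e. the '00 30 82 01 0a 02 82 01 01 00' seen in -dump."""
    alg = der_tlv(TAG_SEQUENCE, der_tlv(TAG_OID, RSA_ENCRYPTION_OID) + der_tlv(TAG_NULL, b""))
    return der_tlv(TAG_SEQUENCE, alg + der_tlv(TAG_BIT_STRING, b"\x00" + rsa_pkcs1))


def classify(der: bytes) -> str:
    """'rsa-pkcs1', 'spki-rsa', 'unknown' or 'malformed' for a DER public-key file."""
    try:
        tag, body, end = parse_tlv(der)
        if tag != TAG_SEQUENCE or end != len(der):
            return "unknown"                # not a single top-level SEQUENCE
        kids = children(body)
        if len(kids) == 2 and all(t == TAG_INTEGER for t, _ in kids):
            return "rsa-pkcs1"
        if len(kids) == 2 and kids[0][0] == TAG_SEQUENCE and kids[1][0] == TAG_BIT_STRING:
            alg = children(kids[0][1])
            if alg and alg[0] == (TAG_OID, RSA_ENCRYPTION_OID):
                return "spki-rsa"
        return "unknown"
    except (ValueError, IndexError):
        return "malformed"


def rsa_params(der: bytes):
    """(modulus, exponent) from either layout; raises ValueError on anything else."""
    kind = classify(der)
    if kind == "spki-rsa":
        bits = children(parse_tlv(der)[1])[1][1]        # value of the BIT STRING
        if bits[0] != 0:
            raise ValueError("unexpected unused-bits count")
        der = bits[1:]
    elif kind != "rsa-pkcs1":
        raise ValueError("not an RSA public key: " + kind)
    (_, n), (_, e) = children(parse_tlv(der)[1])
    return int.from_bytes(n, "big"), int.from_bytes(e, "big")


if __name__ == "__main__":
    # Constructed sample: a 2048-bit odd number standing in for a real modulus.
    sample = rsa_pkcs1_public_key((1 << 2047) | 0x10001, 65537)
    print(classify(sample), len(sample), "bytes")                      # rsa-pkcs1 270 bytes
    print(classify(wrap_in_spki(sample)), len(wrap_in_spki(sample)), "bytes")  # spki-rsa 294 bytes
```

The lengths reproduce the asn1parse figures in the thread: 266 bytes of content for the bare key (257-byte modulus INTEGER plus the 3-byte exponent) and 290 for the SPKI with its 271-byte BIT STRING.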
From: Johannes R. <joh...@sw...> - 2016-03-29 07:33:26
|
The latest build definitely looks better:

C:\Users\Demo\workspace>opensc-tool -i
OpenSC 0.16.0rc1 [Microsoft 1800]
Enabled features:pcsc openssl zlib

C:\Users\Demo\workspace>openssl asn1parse -inform DER -in publickey.der -dump
    0:d=0  hl=4 l= 290 cons: SEQUENCE
    4:d=1  hl=2 l=  13 cons: SEQUENCE
    6:d=2  hl=2 l=   9 prim: OBJECT            :rsaEncryption
   17:d=2  hl=2 l=   0 prim: NULL
   19:d=1  hl=4 l= 271 prim: BIT STRING
      0000 - 00 30 82 01 0a 02 82 01-01 00 99 c9 eb 66 11 84   .0...........f..
      0010 - 89 08 a0 22 9d 1d cf 94-44 b8 e3 99 6c f9 7c c7   ..."....D...l.|.
      0020 - a7 bb 52 d5 1b 3d 57 01-20 9d ec 96 99 7f ab 14   ..R..=W. .......
      0030 - c0 18 06 07 89 9f d0 fa-5e 75 f1 2a 97 49 5b 44   ........^u.*.I[D
      0040 - bb 34 96 1e a0 af 11 79-20 2c 82 61 71 c3 cd 98   .4.....y ,.aq...
      0050 - 75 1e e1 6a dd 3e f2 e9-34 c5 66 cf 10 3d 3d f4   u..j.>..4.f..==.
      0060 - 60 a6 19 07 46 f6 b4 10-a2 5a 5f d7 40 b9 18 2d   `...F....Z_.@..-
      0070 - 9b 06 c2 18 0d 28 25 6c-ed d7 c9 92 5b d5 3a 36   .....(%l....[.:6
      0080 - 84 58 8a b6 7c 8c 1c d1-cd a2 7a 7f cf 87 c0 23   .X..|.....z....#
      0090 - 8c fe 84 39 1f 13 23 86-b6 d1 f7 5a 1e e6 b2 8f   ...9..#....Z....
      00a0 - 70 27 cb 60 f9 be 41 b4-d2 30 18 87 15 19 bd 42   p'.`..A..0.....B
      00b0 - 28 22 77 8c 2e 0c 2d 7d-91 dc 27 bc 15 5a 4f 1b   ("w...-}..'..ZO.
      00c0 - de 66 96 37 f7 10 4a 94-3c 8a ef e0 fe 33 2e f9   .f.7..J.<....3..
      00d0 - fe 3e 0a 1b 64 5d dc 54-a4 19 33 38 82 7e cb b4   .>..d].T..38.~..
      00e0 - af f7 82 65 71 75 d3 b5-1c b2 a3 f1 81 6f 74 3a   ...equ.......ot:
      00f0 - bb 0a 9d 56 d8 ea 4b 3c-e4 02 01 ae cc 95 90 ac   ...V..K<........
      0100 - 60 4d 69 9e ef 79 7c 55-bc 87 02 03 01 00 01      `Mi..y|U.......

-----Original Message-----
From: Johannes Rath [mailto:joh...@sw...]
Sent: Tuesday, 29 March 2016 09:08
To: 'ope...@li...'
Subject: Re: [Opensc-devel] Key format of pkcs11-tool --read-object --type pubkey

I am using OpenSC 0.15.0, but on Windows ;)

Looks like that version still uses the old format.

C:\Users\Demo\workspace>opensc-tool -i
OpenSC 0.15.0 [Microsoft 1600]
Enabled features:pcsc openssl zlib

C:\Users\Demo\workspace>pkcs11-tool --read-object --type pubkey --id 45 -o publickey_45_2.key
Using slot 1 with a present token (0x1)

C:\Users\Demo\workspace>openssl asn1parse -inform DER -in publickey_45_2.key -dump
    0:d=0  hl=4 l= 266 cons: SEQUENCE
    4:d=1  hl=4 l= 257 prim: INTEGER           :989FE2E678F264B80772816B3BCC064B
2C441E681DC8AD31ED686772EF7B9606FD1D72D16EFD2325BBB64AC318F518C806B91883339460AC
11E842B2D1FFC14058B0DB40EB5E08FB88C14FE9AF1B67464E39D0A050ED14DB6452CDF53AE87B35
BF09A09BD9F42DACC0ED36DA837240EC6466056AFEA22DC50C9D762F064924ED43826978802EF7A6
F81D7803CBB0B9C79B018A27B562BBF08E58424199880EC5147FC3E2E87EF6724C42BC6899DBF05F
2B3925C6F03D301ED0FB7FDB33A9E47CBD479EE57C462EAF78B5641C8F392273815839D070357F22
2AEA20D7AD6B8350A80FC3011B3478E1D4CCBAC1855C3910A9AC8287DACE818D0722488BE38B183F
  265:d=1  hl=2 l=   3 prim: INTEGER           :010001

-----Original Message-----
From: Douglas E Engert [mailto:dee...@gm...]
Sent: Thursday, 24 March 2016 19:05
To: ope...@li...
Subject: Re: [Opensc-devel] Key format of pkcs11-tool --read-object --type pubkey

What version of OpenSC are you using?

0.13.0 will output an RSA pubkey, i.e. a sequence of modulus and exponent. Not very useful.

openssl asn1parse -i -inform DER -in publickey.key
    0:d=0  hl=4 l= 266 cons: SEQUENCE
    4:d=1  hl=4 l= 257 prim:  INTEGER           :[modulus value elided in the archive]
  265:d=1  hl=2 l=   3 prim:  INTEGER           :010001

later versions, including 0.16.0, will output a SPKI, which OpenSSL can use as a pubkey:

pkcs11-tool --read-object --type pubkey --id 01 -o publickey.der
openssl asn1parse -i -inform DER -in publickey.der -dump
    0:d=0  hl=4 l= 290 cons: SEQUENCE
    4:d=1  hl=2 l=  13 cons:  SEQUENCE
    6:d=2  hl=2 l=   9 prim:   OBJECT            :rsaEncryption
   17:d=2  hl=2 l=   0 prim:   NULL
   19:d=1  hl=4 l= 271 prim:  BIT STRING
      0000 - 00 30 82 01 0a 02 82 01-01 00 d1 c5 d7 f3 8c 91   .0..............
      0010 - 34 a4 11 6d 04 0d fe 10-66 af 8b 44 a3 be 66 09   4..m....f..D..f.
      0020 - c6 86 a2 4f 23 e4 47 90-6e 33 42 1b fe dc 9d b1   ...O#.G.n3B.....
      0030 - 6c 23 12 30 6e 63 ba 34-8b 57 a8 1d 1c c2 41 fe   l#.0nc.4.W....A.
      0040 - 98 13 c0 a0 2e 34 39 03-d6 03 15 bc 78 82 89 d4   .....49.....x...
      0050 - 4b fa 2e c1 6b 19 d1 cd-8f b6 73 cd 90 47 1f 83   K...k.....s..G..
      0060 - 01 cf cc ee 92 e8 a5 11-9e 6f ea 76 f9 e4 bc 9c   .........o.v....
      0070 - 5f 01 20 c6 06 b6 d1 ec-00 3d 46 06 f4 99 89 d4   _. ......=F.....
      0080 - d9 3d de 6c 6a c6 f0 79-44 92 19 da 90 63 d3 19   .=.lj..yD....c..
      0090 - e9 3a cb 5d bc b6 ad 9f-d7 80 bf 6c 94 cb cc 0a   .:.].......l....
      00a0 - e5 42 26 3e 17 72 f2 83-c0 a2 a8 bd af e0 a6 65   .B&>.r.........e
      00b0 - 30 04 ca 4d 5c b3 df 34-9f d8 7f 10 66 6f 13 1b   0..M\..4....fo..
      00c0 - 3f de 3c 7d 43 3d 7c 42-37 46 95 e9 b9 fb 73 b6   ?.<}C=|B7F....s.
      00d0 - 55 ca 83 f5 98 38 a1 77-85 04 c1 1b 82 b9 4e bf   U....8.w......N.
      00e0 - 5f 24 7e a3 d9 5f 8e 50-a7 c0 28 c6 95 ed 16 20   _$~.._.P..(....
      00f0 - 0f 3b 1c 90 c7 3f f2 59-92 45 8f 01 00 22 2b 5f   .;...?.Y.E..."+_
      0100 - 6b 6a 12 d5 26 9a ea 61-dc c1 02 03 01 00 01      kj..&..a.......

On 3/24/2016 10:57 AM, Johannes Rath wrote:
> Hi all,
>
> I want to extract the public key and use it for encryption with OpenSSL. It works fine like this:
>
> pkcs15-tool --read-public-key keyid -o publickey.pem
>
> openssl rsautl -inkey publickey.pem -pubin -encrypt -pkcs -in plaintext.txt -out ciphertext.txt
>
> But when I use pkcs11-tool the exported key is kind of weird. I am using:
>
> pkcs11-tool --read-object --type pubkey --id keyid -o publickey.key
>
> I am trying to use publickey.key as the inkey for openssl rsautl -encrypt, but I always get an error from OpenSSL.
>
> Any ideas?
>
> Thanks in advance
>
> Johannes
>

--
Douglas E. Engert <DEE...@gm...> |
From: Johannes R. <joh...@sw...> - 2016-03-29 07:08:35
|
I am using OpenSC 0.15.0, but on Windows ;) Looks that version still uses the old format.

C:\Users\Demo\workspace>opensc-tool -i
OpenSC 0.15.0 [Microsoft 1600]
Enabled features:pcsc openssl zlib

C:\Users\Demo\workspace>pkcs11-tool --read-object --type pubkey --id 45 -o publickey_45_2.key
Using slot 1 with a present token (0x1)

C:\Users\Demo\workspace>openssl asn1parse -inform DER -in publickey_45_2.key -dump
    0:d=0  hl=4 l= 266 cons: SEQUENCE
    4:d=1  hl=4 l= 257 prim: INTEGER           :989FE2E678F264B80772816B3BCC064B2C441E681DC8AD31ED686772EF7B9606FD1D72D16EFD2325BBB64AC318F518C806B91883339460AC11E842B2D1FFC14058B0DB40EB5E08FB88C14FE9AF1B67464E39D0A050ED14DB6452CDF53AE87B35BF09A09BD9F42DACC0ED36DA837240EC6466056AFEA22DC50C9D762F064924ED43826978802EF7A6F81D7803CBB0B9C79B018A27B562BBF08E58424199880EC5147FC3E2E87EF6724C42BC6899DBF05F2B3925C6F03D301ED0FB7FDB33A9E47CBD479EE57C462EAF78B5641C8F392273815839D070357F222AEA20D7AD6B8350A80FC3011B3478E1D4CCBAC1855C3910A9AC8287DACE818D0722488BE38B183F
  265:d=1  hl=2 l=   3 prim: INTEGER           :010001

-----Original Message-----
From: Douglas E Engert [mailto:dee...@gm...]
Sent: Thursday, 24 March 2016 19:05
To: ope...@li...
Subject: Re: [Opensc-devel] Key format of pkcs11-tool --read-object --type pubkey

What version of OpenSC are you using?
0.13.0 will output an RSA pubkey, i.e. sequence of modulus and exponent. Not very useful.

openssl asn1parse -i -inform DER -in publickey.key
    0:d=0  hl=4 l= 266 cons: SEQUENCE
    4:d=1  hl=4 l= 257 prim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d=1  hl=2 l=   3 prim: INTEGER           :010001

later versions, including 0.16.0 will output a SPKI, what OpenSSL can use as a pubkey:

pkcs11-tool --read-object --type pubkey --id 01 -o publickey.der
openssl asn1parse -i -inform DER -in publickey.der -dump
    0:d=0  hl=4 l= 290 cons: SEQUENCE
    4:d=1  hl=2 l=  13 cons:  SEQUENCE
    6:d=2  hl=2 l=   9 prim:   OBJECT            :rsaEncryption
   17:d=2  hl=2 l=   0 prim:   NULL
   19:d=1  hl=4 l= 271 prim:  BIT STRING
      0000 - 00 30 82 01 0a 02 82 01-01 00 d1 c5 d7 f3 8c 91   .0..............
      0010 - 34 a4 11 6d 04 0d fe 10-66 af 8b 44 a3 be 66 09   4..m....f..D..f.
      0020 - c6 86 a2 4f 23 e4 47 90-6e 33 42 1b fe dc 9d b1   ...O#.G.n3B.....
      0030 - 6c 23 12 30 6e 63 ba 34-8b 57 a8 1d 1c c2 41 fe   l#.0nc.4.W....A.
      0040 - 98 13 c0 a0 2e 34 39 03-d6 03 15 bc 78 82 89 d4   .....49.....x...
      0050 - 4b fa 2e c1 6b 19 d1 cd-8f b6 73 cd 90 47 1f 83   K...k.....s..G..
      0060 - 01 cf cc ee 92 e8 a5 11-9e 6f ea 76 f9 e4 bc 9c   .........o.v....
      0070 - 5f 01 20 c6 06 b6 d1 ec-00 3d 46 06 f4 99 89 d4   _. ......=F.....
      0080 - d9 3d de 6c 6a c6 f0 79-44 92 19 da 90 63 d3 19   .=.lj..yD....c..
      0090 - e9 3a cb 5d bc b6 ad 9f-d7 80 bf 6c 94 cb cc 0a   .:.].......l....
      00a0 - e5 42 26 3e 17 72 f2 83-c0 a2 a8 bd af e0 a6 65   .B&>.r.........e
      00b0 - 30 04 ca 4d 5c b3 df 34-9f d8 7f 10 66 6f 13 1b   0..M\..4....fo..
      00c0 - 3f de 3c 7d 43 3d 7c 42-37 46 95 e9 b9 fb 73 b6   ?.<}C=|B7F....s.
      00d0 - 55 ca 83 f5 98 38 a1 77-85 04 c1 1b 82 b9 4e bf   U....8.w......N.
      00e0 - 5f 24 7e a3 d9 5f 8e 50-a7 c0 28 c6 95 ed 16 20   _$~.._.P..(....
      00f0 - 0f 3b 1c 90 c7 3f f2 59-92 45 8f 01 00 22 2b 5f   .;...?.Y.E..."+_
      0100 - 6b 6a 12 d5 26 9a ea 61-dc c1 02 03 01 00 01      kj..&..a.......

On 3/24/2016 10:57 AM, Johannes Rath wrote:
> Hi all,
>
> I want to extract the public key and use it for encryption with OpenSSL. It works fine like this:
>
> /pkcs15-tool --read-public-key keyid -o publickey.pem/
>
> /openssl rsautl -inkey publickey.pem -pubin -encrypt -pkcs -in plaintext.txt -out ciphertext.txt/
>
> But when I use pkcs11-tool the exported key is kind of weird. I am using:
>
> /pkcs11-tool --read-object --type pubkey --id keyid -o publickey.key/
>
> I am trying to use publickey.key as the inkey for openssl rsautl -encrypt, but I always get an error from OpenSSL.
>
> Any ideas?
>
> Thanks in advance
>
> Johannes

--
Douglas E. Engert <DEE...@gm...>
|
From: Douglas E E. <dee...@gm...> - 2016-03-25 12:45:10
|
Another option if you can not use a newer version of pkcs11-tool.
If the card has a matching certificate, use pkcs11-tool to read the certificate, then use:

openssl rsautl -certin

On 3/24/2016 10:57 AM, Johannes Rath wrote:
> Hi all,
>
> I want to extract the public key and use it for encryption with OpenSSL. It works fine like this:
>
> /pkcs15-tool --read-public-key keyid -o publickey.pem/
>
> /openssl rsautl -inkey publickey.pem -pubin -encrypt -pkcs -in plaintext.txt -out ciphertext.txt/
>
> But when I use pkcs11-tool the exported key is kind of weird. I am using:
>
> /pkcs11-tool --read-object --type pubkey --id keyid -o publickey.key/
>
> I am trying to use publickey.key as the inkey for openssl rsautl -encrypt, but I always get an error from OpenSSL.
>
> Any ideas?
>
> Thanks in advance
>
> Johannes

--
Douglas E. Engert <DEE...@gm...>
|
From: twisteroid a. <twi...@gm...> - 2016-03-25 00:34:15
|
It was cmd.exe and 64 bit. Looks like you and Philip are both right. I also see the same errors in the log with enough -v flags. If I use an autohotkey script to enter the pins rapidly, then the PIN is changed successfully.

On Mar 23, 2016 6:19 PM, "Douglas E Engert" <dee...@gm...> wrote:
> Is this with the powershell or cmd.exe? Are you using 32 or 64 bit version?
>
> I think it is a lock timeout.
> I am seeing something similar on W10 64 bit. In both it fails.
>
> In powershell try this:
> ./pkcs15-tool --change-pin -vvvvvvvvv
>
> 2016-03-23 16:37:56.154 [pkcs15-tool] pkcs15-piv.c:1019:sc_pkcs15emu_piv_init: returning with: 0 (Success)
> 2016-03-23 16:37:56.154 [pkcs15-tool] pkcs15-syn.c:218:sc_pkcs15_bind_synthetic: returning with: 0 (Success)
> 2016-03-23 16:37:56.154 [pkcs15-tool] card.c:434:sc_unlock: called
> 2016-03-23 16:37:56.154 [pkcs15-tool] pkcs15.c:1251:sc_pkcs15_bind: returning with: 0 (Success)
> Found PIV_II!
> Enter old PIN [PIV Card Holder pin]: Enter new PIN [PIV Card Holder pin]: Enter new PIN again [PIV Card Holder pin]: 2016-03-23 16:38:03.968 [pkcs15-tool] pkcs15-pin.c:390:sc_pkcs15_change_pin: called
> 2016-03-23 16:38:03.968 [pkcs15-tool] card.c:394:sc_lock: called
> 2016-03-23 16:38:03.968 [pkcs15-tool] sec.c:159:sc_pin_cmd: called
> 2016-03-23 16:38:03.984 [pkcs15-tool] apdu.c:563:sc_transmit_apdu: called
> 2016-03-23 16:38:03.984 [pkcs15-tool] card.c:394:sc_lock: called
> 2016-03-23 16:38:03.984 [pkcs15-tool] apdu.c:530:sc_transmit: called
> 2016-03-23 16:38:03.984 [pkcs15-tool] apdu.c:384:sc_single_transmit: called
> 2016-03-23 16:38:03.984 CLA:0, INS:24, P1:0, P2:80, data(16) 0018D328
> 2016-03-23 16:38:03.984 reader 'SCM Microsystems Inc. SCR35xx USB Smart Card Reader 0'
> 2016-03-23 16:38:03.984
> Outgoing APDU data [   21 bytes] =====================================
> 00 24 00 80 10 31 32 33 34 35 36 37 38 31 32 33 .$...12345678123
> 34 35 36 FF FF                                  456..
> ======================================================================
> 2016-03-23 16:38:03.984 [pkcs15-tool] reader-pcsc.c:190:pcsc_internal_transmit: called
> 2016-03-23 16:38:03.984 SCM Microsystems Inc. SCR35xx USB Smart Card Reader 0:SCardTransmit/Control failed: 0x80100068
> 2016-03-23 16:38:03.984 [pkcs15-tool] reader-pcsc.c:384:pcsc_detect_card_presence: called
> 2016-03-23 16:38:03.984 SCM Microsystems Inc. SCR35xx USB Smart Card Reader 0 check
> 2016-03-23 16:38:03.984 current state: 0x00050122
> 2016-03-23 16:38:03.984 previous state: 0x00050022
> 2016-03-23 16:38:03.984 card present
> 2016-03-23 16:38:03.984 [pkcs15-tool] reader-pcsc.c:389:pcsc_detect_card_presence: returning with: 5
> 2016-03-23 16:38:03.984 [pkcs15-tool] reader-pcsc.c:384:pcsc_detect_card_presence: called
> 2016-03-23 16:38:03.984 SCM Microsystems Inc. SCR35xx USB Smart Card Reader 0 check
> 2016-03-23 16:38:03.984 [pkcs15-tool] reader-pcsc.c:313:refresh_attributes: returning with: 0 (Success)
> 2016-03-23 16:38:03.984 [pkcs15-tool] reader-pcsc.c:389:pcsc_detect_card_presence: returning with: 5
> 2016-03-23 16:38:03.984 unable to transmit
> 2016-03-23 16:38:03.984 [pkcs15-tool] apdu.c:397:sc_single_transmit: unable to transmit APDU: -1107 (Transmit failed)
> 2016-03-23 16:38:03.984 [pkcs15-tool] apdu.c:533:sc_transmit: transmit APDU failed: -1107 (Transmit failed)
> 2016-03-23 16:38:03.984 [pkcs15-tool] card.c:434:sc_unlock: called
> 2016-03-23 16:38:03.984 [pkcs15-tool] iso7816.c:1117:iso7816_pin_cmd: APDU transmit failed: -1107 (Transmit failed)
> 2016-03-23 16:38:03.984 [pkcs15-tool] sec.c:206:sc_pin_cmd: returning with: -1107 (Transmit failed)
> 2016-03-23 16:38:03.984 [pkcs15-tool] card.c:434:sc_unlock: called
> PIN code change failed: Transmit failed
> 2016-03-23 16:38:03.999 [pkcs15-tool] pkcs15.c:1264:sc_pkcs15_unbind: called
> 2016-03-23 16:38:03.999 [pkcs15-tool] pkcs15-pin.c:690:sc_pkcs15_pincache_clear: called
> 2016-03-23 16:38:03.999 [pkcs15-tool] card.c:434:sc_unlock: called
> 2016-03-23 16:38:03.999 [pkcs15-tool] reader-pcsc.c:574:pcsc_unlock: called
> 2016-03-23 16:38:03.999 SCM Microsystems Inc. SCR35xx USB Smart Card Reader 0:SCardEndTransaction failed: 0x80100068
>
>
> Using cut-and-paste and an editor, shows:
> Lock first called:
>   2016-03-23 16:37:53.607 [pkcs15-tool] reader-pcsc.c:534:pcsc_lock: called
>
> End of last APDU before trying to send change:
>   2016-03-23 16:37:55.967 [pkcs15-tool] apdu.c:399:sc_single_transmit: returning with: 0 (Success)
>
> When change pin failed to be sent to card:
>   2016-03-23 16:38:03.984 [pkcs15-tool] reader-pcsc.c:190:pcsc_internal_transmit: called
>
> Lock finally released:
>   Line 2491: 2016-03-23 16:38:03.999 [pkcs15-tool] reader-pcsc.c:574:pcsc_unlock: called
>
> That is just over 8 seconds from last command to card, to prompt and enter 3 pins and try and send next APDU.
>
> I remember reading something about this, but can not find the timeout in the registry.
>
> https://technet.microsoft.com/en-us/library/dn579258.aspx
>
> It could be:
> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Cryptography\Providers\Microsoft Smart Card Key Storage Provider
>
> TransactionTimeoutMilliseconds which is 1.5 seconds.
>
>
> On 3/23/2016 3:34 PM, twisteroid ambassador wrote:
> > Hi,
> >
> > Entering PINs interactively at the command prompt doesn't seem to work in Windows 10.
> >
> > I have OpenSC 0.15.0 win64 installed in Windows 10, using ePass2003 tokens. The same hardware works fine under Linux (Arch x64, latest OpenSC). Under Windows, however, any operation that involves entering PIN at the interactive prompt doesn't seem to work.
> >
> > For example, pkcs15-tool --change-pin:
> >
> > C:\Program Files\OpenSC Project\OpenSC\tools>pkcs15-tool.exe --change-pin -vv
> > 2016-03-23 16:16:36.191 [pkcs15-tool] reader-pcsc.c:301:refresh_attributes: returning with: 0 (Success)
> > 2016-03-23 16:16:36.197 [pkcs15-tool] reader-pcsc.c:377:pcsc_detect_card_presence: returning with: 1
> > Using reader with a card: FS USB Token 0
> > 2016-03-23 16:16:36.208 [pkcs15-tool] reader-pcsc.c:301:refresh_attributes: returning with: 0 (Success)
> > 2016-03-23 16:16:36.211 [pkcs15-tool] reader-pcsc.c:377:pcsc_detect_card_presence: returning with: 1
> > Connecting to card in reader FS USB Token 0...
> > 2016-03-23 16:16:36.217 [pkcs15-tool] card.c:148:sc_connect_card: called
> > 2016-03-23 16:16:36.220 [pkcs15-tool] reader-pcsc.c:301:refresh_attributes: returning with: 0 (Success)
> > 2016-03-23 16:16:36.223 [pkcs15-tool] card-entersafe.c:106:entersafe_match_card: called
> > Using card driver epass2003.
> > Trying to find a PKCS#15 compatible card...
> > Found OpenSC Card!
> > Enter old PIN [User PIN]: Enter new PIN [User PIN]: Enter new PIN again [User PIN]: 2016-03-23 16:16:43.390 [pkcs15-tool] reader-pcsc.c:377:pcsc_detect_card_presence: returning with: 5
> > 2016-03-23 16:16:43.398 [pkcs15-tool] reader-pcsc.c:301:refresh_attributes: returning with: 0 (Success)
> > 2016-03-23 16:16:43.404 [pkcs15-tool] reader-pcsc.c:377:pcsc_detect_card_presence: returning with: 5
> > 2016-03-23 16:16:43.411 [pkcs15-tool] sec.c:206:sc_pin_cmd: returning with: -1107 (Transmit failed)
> > PIN code change failed: Transmit failed
> > 2016-03-23 16:16:43.426 [pkcs15-tool] ctx.c:799:sc_release_context: called
> >
> >
> > (Note the line starting with "Enter old pin". All those prompts do appear on the same line, as well as the next piece of debug info. Maybe this hints at a Windows/Linux EOL problem?)
> >
> > The same command does work if the PIN is included in the arguments:
> >
> > C:\Program Files\OpenSC Project\OpenSC\tools>pkcs15-tool.exe --change-pin -vv --pin oldpin12 --new-pin 12345678
> > 2016-03-23 16:22:05.713 [pkcs15-tool] reader-pcsc.c:377:pcsc_detect_card_presence: returning with: 1
> > Using reader with a card: FS USB Token 0
> > 2016-03-23 16:22:05.725 [pkcs15-tool] reader-pcsc.c:301:refresh_attributes: returning with: 0 (Success)
> > 2016-03-23 16:22:05.730 [pkcs15-tool] reader-pcsc.c:377:pcsc_detect_card_presence: returning with: 1
> > Connecting to card in reader FS USB Token 0...
> > 2016-03-23 16:22:05.740 [pkcs15-tool] card.c:148:sc_connect_card: called
> > 2016-03-23 16:22:05.744 [pkcs15-tool] reader-pcsc.c:301:refresh_attributes: returning with: 0 (Success)
> > 2016-03-23 16:22:05.752 [pkcs15-tool] card-entersafe.c:106:entersafe_match_card: called
> > Using card driver epass2003.
> > Trying to find a PKCS#15 compatible card...
> > Found OpenSC Card!
> > 2016-03-23 16:22:06.487 [pkcs15-tool] sec.c:206:sc_pin_cmd: returning with: 0 (Success)
> > 2016-03-23 16:22:06.493 cannot lock memory, sensitive data may be paged to disk
> > PIN code changed successfully.
> > 2016-03-23 16:22:06.516 [pkcs15-tool] ctx.c:799:sc_release_context: called
> >
> >
> > Similarly, when using private key stored on token for OpenVPN authentication, there are errors after entering the PIN interactively. Console log excerpt:
> >
> > Enter OpenSC Card (User PIN) token Password:
> > 2016-03-23 16:02:21.334 cannot lock memory, sensitive data may be paged to disk
> > Wed Mar 23 16:02:21 2016 PKCS#11: Cannot perform signature 512:'CKR_FUNCTION_REJECTED'
> > Wed Mar 23 16:02:21 2016 TLS_ERROR: BIO read tls_read_plaintext error: error:14099004:SSL routines:SSL3_SEND_CLIENT_VERIFY:RSA lib
> > Wed Mar 23 16:02:21 2016 TLS Error: TLS object -> incoming plaintext read error
> > Wed Mar 23 16:02:21 2016 TLS Error: TLS handshake failed
> >
> >
> > Is this a known problem?
> > Please inform me if any more information is needed.
> >
> > Thanks,
> >
> > --
> > twisteroid ambassador
>
> --
> Douglas E. Engert <DEE...@gm...>
|
From: Douglas E E. <dee...@gm...> - 2016-03-24 18:04:47
|
What version of OpenSC are you using?
0.13.0 will output an RSA pubkey, i.e. sequence of modulus and exponent. Not very useful.

openssl asn1parse -i -inform DER -in publickey.key
    0:d=0  hl=4 l= 266 cons: SEQUENCE
    4:d=1  hl=4 l= 257 prim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d=1  hl=2 l=   3 prim: INTEGER           :010001

later versions, including 0.16.0 will output a SPKI, what OpenSSL can use as a pubkey:

pkcs11-tool --read-object --type pubkey --id 01 -o publickey.der
openssl asn1parse -i -inform DER -in publickey.der -dump
    0:d=0  hl=4 l= 290 cons: SEQUENCE
    4:d=1  hl=2 l=  13 cons:  SEQUENCE
    6:d=2  hl=2 l=   9 prim:   OBJECT            :rsaEncryption
   17:d=2  hl=2 l=   0 prim:   NULL
   19:d=1  hl=4 l= 271 prim:  BIT STRING
      0000 - 00 30 82 01 0a 02 82 01-01 00 d1 c5 d7 f3 8c 91   .0..............
      0010 - 34 a4 11 6d 04 0d fe 10-66 af 8b 44 a3 be 66 09   4..m....f..D..f.
      0020 - c6 86 a2 4f 23 e4 47 90-6e 33 42 1b fe dc 9d b1   ...O#.G.n3B.....
      0030 - 6c 23 12 30 6e 63 ba 34-8b 57 a8 1d 1c c2 41 fe   l#.0nc.4.W....A.
      0040 - 98 13 c0 a0 2e 34 39 03-d6 03 15 bc 78 82 89 d4   .....49.....x...
      0050 - 4b fa 2e c1 6b 19 d1 cd-8f b6 73 cd 90 47 1f 83   K...k.....s..G..
      0060 - 01 cf cc ee 92 e8 a5 11-9e 6f ea 76 f9 e4 bc 9c   .........o.v....
      0070 - 5f 01 20 c6 06 b6 d1 ec-00 3d 46 06 f4 99 89 d4   _. ......=F.....
      0080 - d9 3d de 6c 6a c6 f0 79-44 92 19 da 90 63 d3 19   .=.lj..yD....c..
      0090 - e9 3a cb 5d bc b6 ad 9f-d7 80 bf 6c 94 cb cc 0a   .:.].......l....
      00a0 - e5 42 26 3e 17 72 f2 83-c0 a2 a8 bd af e0 a6 65   .B&>.r.........e
      00b0 - 30 04 ca 4d 5c b3 df 34-9f d8 7f 10 66 6f 13 1b   0..M\..4....fo..
      00c0 - 3f de 3c 7d 43 3d 7c 42-37 46 95 e9 b9 fb 73 b6   ?.<}C=|B7F....s.
      00d0 - 55 ca 83 f5 98 38 a1 77-85 04 c1 1b 82 b9 4e bf   U....8.w......N.
      00e0 - 5f 24 7e a3 d9 5f 8e 50-a7 c0 28 c6 95 ed 16 20   _$~.._.P..(....
      00f0 - 0f 3b 1c 90 c7 3f f2 59-92 45 8f 01 00 22 2b 5f   .;...?.Y.E..."+_
      0100 - 6b 6a 12 d5 26 9a ea 61-dc c1 02 03 01 00 01      kj..&..a.......

On 3/24/2016 10:57 AM, Johannes Rath wrote:
> Hi all,
>
> I want to extract the public key and use it for encryption with OpenSSL. It works fine like this:
>
> /pkcs15-tool --read-public-key keyid -o publickey.pem/
>
> /openssl rsautl -inkey publickey.pem -pubin -encrypt -pkcs -in plaintext.txt -out ciphertext.txt/
>
> But when I use pkcs11-tool the exported key is kind of weird. I am using:
>
> /pkcs11-tool --read-object --type pubkey --id keyid -o publickey.key/
>
> I am trying to use publickey.key as the inkey for openssl rsautl -encrypt, but I always get an error from OpenSSL.
>
> Any ideas?
>
> Thanks in advance
>
> Johannes

--
Douglas E. Engert <DEE...@gm...>
|
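The difference Douglas describes above (a bare RSAPublicKey from 0.13/0.15 versus a SubjectPublicKeyInfo from 0.16) can be checked and repaired without a newer pkcs11-tool. The Python below is an added example, not OpenSC or OpenSSL code: it classifies a DER file as one shape or the other, wraps a bare RSAPublicKey in the rsaEncryption AlgorithmIdentifier and BIT STRING that make up an SPKI, and pulls (n, e) out of either form so the two exports can be compared. The sample key bytes are constructed and are not a real key; the file names in the usage line are placeholders.

```python
"""Classify and convert pkcs11-tool public-key exports (added example, not OpenSC code).

Two DER shapes appear in the thread:
  RSAPublicKey         ::= SEQUENCE { modulus INTEGER, publicExponent INTEGER }
  SubjectPublicKeyInfo ::= SEQUENCE { SEQUENCE { OID rsaEncryption, NULL },
                                      BIT STRING (wrapping the RSAPublicKey) }
OpenSSL's -pubin expects the second; older pkcs11-tool writes the first.
"""
import sys

RSA_ENCRYPTION_OID = bytes.fromhex("2a864886f70d010101")  # 1.2.840.113549.1.1.1
TAG_INTEGER, TAG_BIT_STRING, TAG_NULL, TAG_OID, TAG_SEQUENCE = 0x02, 0x03, 0x05, 0x06, 0x30


def der_length(n: int) -> bytes:
    """DER length: short form below 0x80, otherwise 0x80|N followed by N big-endian bytes."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + der_length(len(body)) + body


def parse_tlv(data: bytes, offset: int = 0):
    """Return (tag, value, next_offset) for the element at offset; reject truncated input."""
    if offset + 2 > len(data):
        raise ValueError("truncated DER header")
    tag, first = data[offset], data[offset + 1]
    offset += 2
    if first < 0x80:
        length = first
    else:
        nbytes = first & 0x7F
        if nbytes == 0 or nbytes > 4 or offset + nbytes > len(data):
            raise ValueError("bad DER length")
        length = int.from_bytes(data[offset:offset + nbytes], "big")
        offset += nbytes
    end = offset + length
    if end > len(data):
        raise ValueError("DER element runs past end of data")
    return tag, data[offset:end], end


def parse_children(body: bytes):
    """Split a constructed element's contents into (tag, value) pairs."""
    children, offset = [], 0
    while offset < len(body):
        tag, value, offset = parse_tlv(body, offset)
        children.append((tag, value))
    return children


def classify(der: bytes) -> str:
    """'RSAPublicKey', 'SPKI' or 'unknown' for a DER blob."""
    try:
        tag, body, end = parse_tlv(der)
        if tag != TAG_SEQUENCE or end != len(der):
            return "unknown"
        kids = parse_children(body)
        if len(kids) == 2 and all(t == TAG_INTEGER for t, _ in kids):
            return "RSAPublicKey"
        if len(kids) == 2 and kids[0][0] == TAG_SEQUENCE and kids[1][0] == TAG_BIT_STRING:
            alg = parse_children(kids[0][1])
            if alg and alg[0][0] == TAG_OID:
                return "SPKI"
    except ValueError:
        pass
    return "unknown"


def rsa_public_key_to_spki(der: bytes) -> bytes:
    """Wrap a bare RSAPublicKey into a SubjectPublicKeyInfo with the rsaEncryption OID."""
    if classify(der) != "RSAPublicKey":
        raise ValueError("input is not a bare RSAPublicKey")
    algorithm = der_tlv(TAG_SEQUENCE, der_tlv(TAG_OID, RSA_ENCRYPTION_OID) + der_tlv(TAG_NULL, b""))
    # BIT STRING contents start with the number of unused bits, 0 for a byte-aligned key.
    return der_tlv(TAG_SEQUENCE, algorithm + der_tlv(TAG_BIT_STRING, b"\x00" + der))


def rsa_modulus_and_exponent(der: bytes):
    """Return (n, e) from either encoding, so both exports can be compared."""
    kind = classify(der)
    if kind == "SPKI":
        _, body, _ = parse_tlv(der)
        bit_string = parse_children(body)[1][1]
        if bit_string[:1] != b"\x00":
            raise ValueError("unexpected unused-bit count in subjectPublicKey")
        der = bit_string[1:]
    elif kind != "RSAPublicKey":
        raise ValueError("not an RSA public key")
    _, body, _ = parse_tlv(der)
    (_, n), (_, e) = parse_children(body)
    return int.from_bytes(n, "big"), int.from_bytes(e, "big")


# Constructed sample, not a real key: modulus 0xC3A5B7D1, exponent 65537.
SAMPLE_RSA_PUBLIC_KEY = bytes.fromhex("300c020500c3a5b7d10203010001")

if __name__ == "__main__":
    # Usage (placeholder names): python spki_wrap.py publickey.key publickey.der
    if len(sys.argv) != 3:
        sys.exit("usage: spki_wrap.py <input.der> <output.der>")
    with open(sys.argv[1], "rb") as f:
        data = f.read()
    kind = classify(data)
    print(f"{sys.argv[1]}: {kind}")
    if kind == "RSAPublicKey":
        with open(sys.argv[2], "wb") as f:
            f.write(rsa_public_key_to_spki(data))
        print(f"wrote SPKI to {sys.argv[2]}")
```

OpenSSL can do the same conversion on its own with `openssl rsa -RSAPublicKey_in -inform DER -in publickey.key -pubout -out publickey.pem`; the script is for the case where you want to see which shape a file actually has before handing it to `-pubin`. The constructed sample is tiny, but a 2048-bit modulus run through the same functions reproduces the lengths in Douglas's asn1parse output (266 for the bare key, 290 and 271 for the SPKI and its BIT STRING).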
From: Johannes R. <joh...@sw...> - 2016-03-24 16:15:41
|
Hi all,

I want to extract the public key and use it for encryption with OpenSSL. It works fine like this:

pkcs15-tool --read-public-key keyid -o publickey.pem

openssl rsautl -inkey publickey.pem -pubin -encrypt -pkcs -in plaintext.txt -out ciphertext.txt

But when I use pkcs11-tool the exported key is kind of weird. I am using:

pkcs11-tool --read-object --type pubkey --id keyid -o publickey.key

I am trying to use publickey.key as the inkey for openssl rsautl -encrypt, but I always get an error from OpenSSL.

Any ideas?

Thanks in advance

Johannes
|
From: Philip W. <wen...@gm...> - 2016-03-24 12:51:03
|
No time to check, but this is likely related to https://github.com/OpenSC/OpenSC/issues/703

On Wed, 23 Mar 2016, 23:19 Douglas E Engert, <dee...@gm...> wrote:
> Is this with the powershell or cmd.exe? Are you using 32 or 64 bit version?
>
> I think it is a lock timeout.
> I am seeing something similar on W10 64 bit. In both it fails.
>
> In powershell try this:
> ./pkcs15-tool --change-pin -vvvvvvvvv
>
> 2016-03-23 16:37:56.154 [pkcs15-tool] pkcs15-piv.c:1019:sc_pkcs15emu_piv_init: returning with: 0 (Success)
> 2016-03-23 16:37:56.154 [pkcs15-tool] pkcs15-syn.c:218:sc_pkcs15_bind_synthetic: returning with: 0 (Success)
> 2016-03-23 16:37:56.154 [pkcs15-tool] card.c:434:sc_unlock: called
> 2016-03-23 16:37:56.154 [pkcs15-tool] pkcs15.c:1251:sc_pkcs15_bind: returning with: 0 (Success)
> Found PIV_II!
> Enter old PIN [PIV Card Holder pin]: Enter new PIN [PIV Card Holder pin]: Enter new PIN again [PIV Card Holder pin]: 2016-03-23 16:38:03.968 [pkcs15-tool] pkcs15-pin.c:390:sc_pkcs15_change_pin: called
> 2016-03-23 16:38:03.968 [pkcs15-tool] card.c:394:sc_lock: called
> 2016-03-23 16:38:03.968 [pkcs15-tool] sec.c:159:sc_pin_cmd: called
> 2016-03-23 16:38:03.984 [pkcs15-tool] apdu.c:563:sc_transmit_apdu: called
> 2016-03-23 16:38:03.984 [pkcs15-tool] card.c:394:sc_lock: called
> 2016-03-23 16:38:03.984 [pkcs15-tool] apdu.c:530:sc_transmit: called
> 2016-03-23 16:38:03.984 [pkcs15-tool] apdu.c:384:sc_single_transmit: called
> 2016-03-23 16:38:03.984 CLA:0, INS:24, P1:0, P2:80, data(16) 0018D328
> 2016-03-23 16:38:03.984 reader 'SCM Microsystems Inc. SCR35xx USB Smart Card Reader 0'
> 2016-03-23 16:38:03.984
> Outgoing APDU data [   21 bytes] =====================================
> 00 24 00 80 10 31 32 33 34 35 36 37 38 31 32 33 .$...12345678123
> 34 35 36 FF FF                                  456..
> ======================================================================
> 2016-03-23 16:38:03.984 [pkcs15-tool] reader-pcsc.c:190:pcsc_internal_transmit: called
> 2016-03-23 16:38:03.984 SCM Microsystems Inc. SCR35xx USB Smart Card Reader 0:SCardTransmit/Control failed: 0x80100068
> 2016-03-23 16:38:03.984 [pkcs15-tool] reader-pcsc.c:384:pcsc_detect_card_presence: called
> 2016-03-23 16:38:03.984 SCM Microsystems Inc. SCR35xx USB Smart Card Reader 0 check
> 2016-03-23 16:38:03.984 current state: 0x00050122
> 2016-03-23 16:38:03.984 previous state: 0x00050022
> 2016-03-23 16:38:03.984 card present
> 2016-03-23 16:38:03.984 [pkcs15-tool] reader-pcsc.c:389:pcsc_detect_card_presence: returning with: 5
> 2016-03-23 16:38:03.984 [pkcs15-tool] reader-pcsc.c:384:pcsc_detect_card_presence: called
> 2016-03-23 16:38:03.984 SCM Microsystems Inc. SCR35xx USB Smart Card Reader 0 check
> 2016-03-23 16:38:03.984 [pkcs15-tool] reader-pcsc.c:313:refresh_attributes: returning with: 0 (Success)
> 2016-03-23 16:38:03.984 [pkcs15-tool] reader-pcsc.c:389:pcsc_detect_card_presence: returning with: 5
> 2016-03-23 16:38:03.984 unable to transmit
> 2016-03-23 16:38:03.984 [pkcs15-tool] apdu.c:397:sc_single_transmit: unable to transmit APDU: -1107 (Transmit failed)
> 2016-03-23 16:38:03.984 [pkcs15-tool] apdu.c:533:sc_transmit: transmit APDU failed: -1107 (Transmit failed)
> 2016-03-23 16:38:03.984 [pkcs15-tool] card.c:434:sc_unlock: called
> 2016-03-23 16:38:03.984 [pkcs15-tool] iso7816.c:1117:iso7816_pin_cmd: APDU transmit failed: -1107 (Transmit failed)
> 2016-03-23 16:38:03.984 [pkcs15-tool] sec.c:206:sc_pin_cmd: returning with: -1107 (Transmit failed)
> 2016-03-23 16:38:03.984 [pkcs15-tool] card.c:434:sc_unlock: called
> PIN code change failed: Transmit failed
> 2016-03-23 16:38:03.999 [pkcs15-tool] pkcs15.c:1264:sc_pkcs15_unbind: called
> 2016-03-23 16:38:03.999 [pkcs15-tool] pkcs15-pin.c:690:sc_pkcs15_pincache_clear: called
> 2016-03-23 16:38:03.999 [pkcs15-tool] card.c:434:sc_unlock: called
> 2016-03-23 16:38:03.999 [pkcs15-tool] reader-pcsc.c:574:pcsc_unlock: called
> 2016-03-23 16:38:03.999 SCM Microsystems Inc. SCR35xx USB Smart Card Reader 0:SCardEndTransaction failed: 0x80100068
>
>
> Using cut-and-paste and an editor, shows:
> Lock first called:
>   2016-03-23 16:37:53.607 [pkcs15-tool] reader-pcsc.c:534:pcsc_lock: called
>
> End of last APDU before trying to send change:
>   2016-03-23 16:37:55.967 [pkcs15-tool] apdu.c:399:sc_single_transmit: returning with: 0 (Success)
>
> When change pin failed to be sent to card:
>   2016-03-23 16:38:03.984 [pkcs15-tool] reader-pcsc.c:190:pcsc_internal_transmit: called
>
> Lock finally released:
>   Line 2491: 2016-03-23 16:38:03.999 [pkcs15-tool] reader-pcsc.c:574:pcsc_unlock: called
>
> That is just over 8 seconds from last command to card, to prompt and enter 3 pins and try and send next APDU.
>
> I remember reading something about this, but can not find the timeout in the registry.
>
> https://technet.microsoft.com/en-us/library/dn579258.aspx
>
> It could be:
> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Cryptography\Providers\Microsoft Smart Card Key Storage Provider
>
> TransactionTimeoutMilliseconds which is 1.5 seconds.
>
>
> On 3/23/2016 3:34 PM, twisteroid ambassador wrote:
> > Hi,
> >
> > Entering PINs interactively at the command prompt doesn't seem to work in Windows 10.
> >
> > I have OpenSC 0.15.0 win64 installed in Windows 10, using ePass2003 tokens. The same hardware works fine under Linux (Arch x64, latest OpenSC). Under Windows, however, any operation that involves entering PIN at the interactive prompt doesn't seem to work.
> >
> > For example, pkcs15-tool --change-pin:
> >
> > C:\Program Files\OpenSC Project\OpenSC\tools>pkcs15-tool.exe --change-pin -vv
> > 2016-03-23 16:16:36.191 [pkcs15-tool] reader-pcsc.c:301:refresh_attributes: returning with: 0 (Success)
> > 2016-03-23 16:16:36.197 [pkcs15-tool] reader-pcsc.c:377:pcsc_detect_card_presence: returning with: 1
> > Using reader with a card: FS USB Token 0
> > 2016-03-23 16:16:36.208 [pkcs15-tool] reader-pcsc.c:301:refresh_attributes: returning with: 0 (Success)
> > 2016-03-23 16:16:36.211 [pkcs15-tool] reader-pcsc.c:377:pcsc_detect_card_presence: returning with: 1
> > Connecting to card in reader FS USB Token 0...
> > 2016-03-23 16:16:36.217 [pkcs15-tool] card.c:148:sc_connect_card: called
> > 2016-03-23 16:16:36.220 [pkcs15-tool] reader-pcsc.c:301:refresh_attributes: returning with: 0 (Success)
> > 2016-03-23 16:16:36.223 [pkcs15-tool] card-entersafe.c:106:entersafe_match_card: called
> > Using card driver epass2003.
> > Trying to find a PKCS#15 compatible card...
> > Found OpenSC Card!
> > Enter old PIN [User PIN]: Enter new PIN [User PIN]: Enter new PIN again [User PIN]: 2016-03-23 16:16:43.390 [pkcs15-tool] reader-pcsc.c:377:pcsc_detect_card_presence: returning with: 5
> > 2016-03-23 16:16:43.398 [pkcs15-tool] reader-pcsc.c:301:refresh_attributes: returning with: 0 (Success)
> > 2016-03-23 16:16:43.404 [pkcs15-tool] reader-pcsc.c:377:pcsc_detect_card_presence: returning with: 5
> > 2016-03-23 16:16:43.411 [pkcs15-tool] sec.c:206:sc_pin_cmd: returning with: -1107 (Transmit failed)
> > PIN code change failed: Transmit failed
> > 2016-03-23 16:16:43.426 [pkcs15-tool] ctx.c:799:sc_release_context: called
> >
> >
> > (Note the line starting with "Enter old pin". All those prompts do appear on the same line, as well as the next piece of debug info. Maybe this hints at a Windows/Linux EOL problem?)
> >
> > The same command does work if the PIN is included in the arguments:
> >
> > C:\Program Files\OpenSC Project\OpenSC\tools>pkcs15-tool.exe --change-pin -vv --pin oldpin12 --new-pin 12345678
> > 2016-03-23 16:22:05.713 [pkcs15-tool] reader-pcsc.c:377:pcsc_detect_card_presence: returning with: 1
> > Using reader with a card: FS USB Token 0
> > 2016-03-23 16:22:05.725 [pkcs15-tool] reader-pcsc.c:301:refresh_attributes: returning with: 0 (Success)
> > 2016-03-23 16:22:05.730 [pkcs15-tool] reader-pcsc.c:377:pcsc_detect_card_presence: returning with: 1
> > Connecting to card in reader FS USB Token 0...
> > 2016-03-23 16:22:05.740 [pkcs15-tool] card.c:148:sc_connect_card: called
> > 2016-03-23 16:22:05.744 [pkcs15-tool] reader-pcsc.c:301:refresh_attributes: returning with: 0 (Success)
> > 2016-03-23 16:22:05.752 [pkcs15-tool] card-entersafe.c:106:entersafe_match_card: called
> > Using card driver epass2003.
> > Trying to find a PKCS#15 compatible card...
> > Found OpenSC Card!
> > 2016-03-23 16:22:06.487 [pkcs15-tool] sec.c:206:sc_pin_cmd: returning with: 0 (Success)
> > 2016-03-23 16:22:06.493 cannot lock memory, sensitive data may be paged to disk
> > PIN code changed successfully.
> > 2016-03-23 16:22:06.516 [pkcs15-tool] ctx.c:799:sc_release_context: called
> >
> >
> > Similarly, when using private key stored on token for OpenVPN authentication, there are errors after entering the PIN interactively. Console log excerpt:
> >
> > Enter OpenSC Card (User PIN) token Password:
> > 2016-03-23 16:02:21.334 cannot lock memory, sensitive data may be paged to disk
> > Wed Mar 23 16:02:21 2016 PKCS#11: Cannot perform signature 512:'CKR_FUNCTION_REJECTED'
> > Wed Mar 23 16:02:21 2016 TLS_ERROR: BIO read tls_read_plaintext error: error:14099004:SSL routines:SSL3_SEND_CLIENT_VERIFY:RSA lib
> > Wed Mar 23 16:02:21 2016 TLS Error: TLS object -> incoming plaintext read error
> > Wed Mar 23 16:02:21 2016 TLS Error: TLS handshake failed
> >
> >
> > Is this a known problem?
> > Please inform me if any more information is needed.
> >
> > Thanks,
> >
> > --
> > twisteroid ambassador
>
> --
> Douglas E. Engert <DEE...@gm...>
|
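The timing analysis Douglas did by hand in the quoted message (lock at 16:37:53.607, last good APDU at 16:37:55.967, failed transmit at 16:38:03.984) is easy to automate over a `-vvvvvvvvv` log. The script below is an added example, not OpenSC code: it picks the relevant lines out of the debug output, reports how long the transaction sat idle before SCardTransmit failed and how long it was held in total, and names the PC/SC code (0x80100068 is SCARD_W_RESET_CARD in the winscard error table). The sample lines are excerpted from the quoted log; the 1.5 s default threshold is the TransactionTimeoutMilliseconds value Douglas mentions and is taken as an assumption, not a verified Windows setting.

```python
"""Measure how long an OpenSC tool held the PC/SC transaction before a transmit failed.

Added example, not OpenSC code.  It does on timestamps what Douglas did with
cut-and-paste: find the first pcsc_lock, the last APDU that succeeded, the
first SCardTransmit failure and the final pcsc_unlock, and report the gaps.
"""
import re
from datetime import datetime

TIMESTAMP = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d{3}) (.*)$")
PCSC_ERROR = re.compile(r"SCard\w+(?:/Control)? failed: (0x[0-9A-Fa-f]{8})")

# Names from the PC/SC (winscard) error table; only the two relevant here.
KNOWN_CODES = {
    "0x80100068": "SCARD_W_RESET_CARD",
    "0x80100069": "SCARD_W_REMOVED_CARD",
}

# Excerpted from the log quoted in the thread (reader name and timestamps as posted).
SAMPLE_LOG = """\
2016-03-23 16:37:53.607 [pkcs15-tool] reader-pcsc.c:534:pcsc_lock: called
2016-03-23 16:37:55.967 [pkcs15-tool] apdu.c:399:sc_single_transmit: returning with: 0 (Success)
Found PIV_II!
2016-03-23 16:38:03.968 [pkcs15-tool] pkcs15-pin.c:390:sc_pkcs15_change_pin: called
2016-03-23 16:38:03.984 [pkcs15-tool] reader-pcsc.c:190:pcsc_internal_transmit: called
2016-03-23 16:38:03.984 SCM Microsystems Inc. SCR35xx USB Smart Card Reader 0:SCardTransmit/Control failed: 0x80100068
2016-03-23 16:38:03.984 [pkcs15-tool] apdu.c:397:sc_single_transmit: unable to transmit APDU: -1107 (Transmit failed)
2016-03-23 16:38:03.999 [pkcs15-tool] reader-pcsc.c:574:pcsc_unlock: called
2016-03-23 16:38:03.999 SCM Microsystems Inc. SCR35xx USB Smart Card Reader 0:SCardEndTransaction failed: 0x80100068
""".splitlines()


def parse_log(lines):
    """Yield (datetime, message) for every timestamped line; prompts and banners are skipped."""
    for line in lines:
        m = TIMESTAMP.match(line.strip())
        if m:
            yield datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S.%f"), m.group(2)


def analyze_transaction(lines, timeout_seconds=1.5):
    """Summarize the lock/transmit timeline, or return None if no SCardTransmit failure is seen.

    timeout_seconds defaults to the 1.5 s registry value speculated about in the
    thread (an assumption); pass the value you have actually verified.
    """
    lock_at = last_ok_transmit = failed_at = unlock_at = None
    error_code = None
    for ts, msg in parse_log(lines):
        if ":pcsc_lock: called" in msg and lock_at is None:
            lock_at = ts
        elif "sc_single_transmit: returning with: 0" in msg:
            last_ok_transmit = ts
        elif "SCardTransmit" in msg and "failed" in msg and failed_at is None:
            failed_at = ts
            m = PCSC_ERROR.search(msg)
            error_code = m.group(1) if m else None
        elif ":pcsc_unlock: called" in msg:
            unlock_at = ts
    if failed_at is None:
        return None
    idle = (failed_at - last_ok_transmit).total_seconds() if last_ok_transmit else None
    held = (unlock_at - lock_at).total_seconds() if lock_at and unlock_at else None
    return {
        "idle_before_failure_s": idle,
        "transaction_held_s": held,
        "error_code": error_code,
        "error_name": KNOWN_CODES.get(error_code, "unknown"),
        "idle_exceeds_timeout": idle is not None and idle > timeout_seconds,
    }


if __name__ == "__main__":
    import sys
    # Usage: python pcsc_gap.py [logfile]; without a file the excerpt above is analyzed.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as f:
            lines = f.read().splitlines()
    else:
        lines = SAMPLE_LOG
    print(analyze_transaction(lines))
```

On the excerpt this reports an idle gap of 8.017 s (the "just over 8 seconds" in the message) and a total hold of 10.392 s; a log from a run where the PINs are supplied on the command line produces no failure line and the function returns None, which is the quick way to confirm that the interactive prompt, not the card, is what pushes the transaction past the timeout.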
From: Douglas E E. <dee...@gm...> - 2016-03-23 22:17:08
Is this with the powershell or cmd.exe? Are you using 32 or 64 bit version?

I think it is a lock timeout. I am seeing something similar on W10 64 bit. In both it fails.

In powershell try this:

./pkcs15-tool --change-pin -vvvvvvvvv

2016-03-23 16:37:56.154 [pkcs15-tool] pkcs15-piv.c:1019:sc_pkcs15emu_piv_init: returning with: 0 (Success)
2016-03-23 16:37:56.154 [pkcs15-tool] pkcs15-syn.c:218:sc_pkcs15_bind_synthetic: returning with: 0 (Success)
2016-03-23 16:37:56.154 [pkcs15-tool] card.c:434:sc_unlock: called
2016-03-23 16:37:56.154 [pkcs15-tool] pkcs15.c:1251:sc_pkcs15_bind: returning with: 0 (Success)
Found PIV_II!
Enter old PIN [PIV Card Holder pin]: Enter new PIN [PIV Card Holder pin]: Enter new PIN again [PIV Card Holder pin]: 2016-03-23 16:38:03.968 [pkcs15-tool] pkcs15-pin.c:390:sc_pkcs15_change_pin: called
2016-03-23 16:38:03.968 [pkcs15-tool] card.c:394:sc_lock: called
2016-03-23 16:38:03.968 [pkcs15-tool] sec.c:159:sc_pin_cmd: called
2016-03-23 16:38:03.984 [pkcs15-tool] apdu.c:563:sc_transmit_apdu: called
2016-03-23 16:38:03.984 [pkcs15-tool] card.c:394:sc_lock: called
2016-03-23 16:38:03.984 [pkcs15-tool] apdu.c:530:sc_transmit: called
2016-03-23 16:38:03.984 [pkcs15-tool] apdu.c:384:sc_single_transmit: called
2016-03-23 16:38:03.984 CLA:0, INS:24, P1:0, P2:80, data(16) 0018D328
2016-03-23 16:38:03.984 reader 'SCM Microsystems Inc. SCR35xx USB Smart Card Reader 0'
2016-03-23 16:38:03.984 Outgoing APDU data [   21 bytes] =====================================
00 24 00 80 10 31 32 33 34 35 36 37 38 31 32 33 .$...12345678123
34 35 36 FF FF                                  456..
======================================================================
2016-03-23 16:38:03.984 [pkcs15-tool] reader-pcsc.c:190:pcsc_internal_transmit: called
2016-03-23 16:38:03.984 SCM Microsystems Inc. SCR35xx USB Smart Card Reader 0:SCardTransmit/Control failed: 0x80100068
2016-03-23 16:38:03.984 [pkcs15-tool] reader-pcsc.c:384:pcsc_detect_card_presence: called
2016-03-23 16:38:03.984 SCM Microsystems Inc. SCR35xx USB Smart Card Reader 0 check
2016-03-23 16:38:03.984 current state: 0x00050122
2016-03-23 16:38:03.984 previous state: 0x00050022
2016-03-23 16:38:03.984 card present
2016-03-23 16:38:03.984 [pkcs15-tool] reader-pcsc.c:389:pcsc_detect_card_presence: returning with: 5
2016-03-23 16:38:03.984 [pkcs15-tool] reader-pcsc.c:384:pcsc_detect_card_presence: called
2016-03-23 16:38:03.984 SCM Microsystems Inc. SCR35xx USB Smart Card Reader 0 check
2016-03-23 16:38:03.984 [pkcs15-tool] reader-pcsc.c:313:refresh_attributes: returning with: 0 (Success)
2016-03-23 16:38:03.984 [pkcs15-tool] reader-pcsc.c:389:pcsc_detect_card_presence: returning with: 5
2016-03-23 16:38:03.984 unable to transmit
2016-03-23 16:38:03.984 [pkcs15-tool] apdu.c:397:sc_single_transmit: unable to transmit APDU: -1107 (Transmit failed)
2016-03-23 16:38:03.984 [pkcs15-tool] apdu.c:533:sc_transmit: transmit APDU failed: -1107 (Transmit failed)
2016-03-23 16:38:03.984 [pkcs15-tool] card.c:434:sc_unlock: called
2016-03-23 16:38:03.984 [pkcs15-tool] iso7816.c:1117:iso7816_pin_cmd: APDU transmit failed: -1107 (Transmit failed)
2016-03-23 16:38:03.984 [pkcs15-tool] sec.c:206:sc_pin_cmd: returning with: -1107 (Transmit failed)
2016-03-23 16:38:03.984 [pkcs15-tool] card.c:434:sc_unlock: called
PIN code change failed: Transmit failed
2016-03-23 16:38:03.999 [pkcs15-tool] pkcs15.c:1264:sc_pkcs15_unbind: called
2016-03-23 16:38:03.999 [pkcs15-tool] pkcs15-pin.c:690:sc_pkcs15_pincache_clear: called
2016-03-23 16:38:03.999 [pkcs15-tool] card.c:434:sc_unlock: called
2016-03-23 16:38:03.999 [pkcs15-tool] reader-pcsc.c:574:pcsc_unlock: called
2016-03-23 16:38:03.999 SCM Microsystems Inc. SCR35xx USB Smart Card Reader 0:SCardEndTransaction failed: 0x80100068

Using cut-and-paste and an editor, shows:

Lock first called:
2016-03-23 16:37:53.607 [pkcs15-tool] reader-pcsc.c:534:pcsc_lock: called

End of last APDU before trying to send change:
2016-03-23 16:37:55.967 [pkcs15-tool] apdu.c:399:sc_single_transmit: returning with: 0 (Success)

When change pin failed to be sent to card:
2016-03-23 16:38:03.984 [pkcs15-tool] reader-pcsc.c:190:pcsc_internal_transmit: called

Lock finally released:
Line 2491: 2016-03-23 16:38:03.999 [pkcs15-tool] reader-pcsc.c:574:pcsc_unlock: called

That is just over 8 seconds from last command to card, to prompt and enter 3 pins and try and send next APDU.

I remember reading something about this, but cannot find the timeout in the registry.
https://technet.microsoft.com/en-us/library/dn579258.aspx

It could be:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Cryptography\Providers\Microsoft Smart Card Key Storage Provider
TransactionTimeoutMilliseconds
which is 1.5 seconds.

On 3/23/2016 3:34 PM, twisteroid ambassador wrote:
> Hi,
>
> Entering PINs interactively at the command prompt doesn't seem to work in Windows 10.
>
> I have OpenSC 0.15.0 win64 installed in Windows 10, using ePass2003 tokens. The same hardware works fine under Linux (Arch x64, latest OpenSC). Under Windows, however, any operation that involves entering PIN at the interactive prompt doesn't seem to work.
>
> For example, pkcs15-tool --change-pin:
>
> C:\Program Files\OpenSC Project\OpenSC\tools>pkcs15-tool.exe --change-pin -vv
> 2016-03-23 16:16:36.191 [pkcs15-tool] reader-pcsc.c:301:refresh_attributes: returning with: 0 (Success)
> 2016-03-23 16:16:36.197 [pkcs15-tool] reader-pcsc.c:377:pcsc_detect_card_presence: returning with: 1
> Using reader with a card: FS USB Token 0
> 2016-03-23 16:16:36.208 [pkcs15-tool] reader-pcsc.c:301:refresh_attributes: returning with: 0 (Success)
> 2016-03-23 16:16:36.211 [pkcs15-tool] reader-pcsc.c:377:pcsc_detect_card_presence: returning with: 1
> Connecting to card in reader FS USB Token 0...
> 2016-03-23 16:16:36.217 [pkcs15-tool] card.c:148:sc_connect_card: called
> 2016-03-23 16:16:36.220 [pkcs15-tool] reader-pcsc.c:301:refresh_attributes: returning with: 0 (Success)
> 2016-03-23 16:16:36.223 [pkcs15-tool] card-entersafe.c:106:entersafe_match_card: called
> Using card driver epass2003.
> Trying to find a PKCS#15 compatible card...
> Found OpenSC Card!
> Enter old PIN [User PIN]: Enter new PIN [User PIN]: Enter new PIN again [User PIN]: 2016-03-23 16:16:43.390 [pkcs15-tool] reader-pcsc.c:377:pcsc_detect_card_presence: returning with: 5
> 2016-03-23 16:16:43.398 [pkcs15-tool] reader-pcsc.c:301:refresh_attributes: returning with: 0 (Success)
> 2016-03-23 16:16:43.404 [pkcs15-tool] reader-pcsc.c:377:pcsc_detect_card_presence: returning with: 5
> 2016-03-23 16:16:43.411 [pkcs15-tool] sec.c:206:sc_pin_cmd: returning with: -1107 (Transmit failed)
> PIN code change failed: Transmit failed
> 2016-03-23 16:16:43.426 [pkcs15-tool] ctx.c:799:sc_release_context: called
>
> (Note the line starting with "Enter old pin". All those prompts do appear on the same line, as well as the next piece of debug info. Maybe this hints at a Windows/Linux EOL problem?)
>
> The same command does work if the PIN is included in the arguments:
>
> C:\Program Files\OpenSC Project\OpenSC\tools>pkcs15-tool.exe --change-pin -vv --pin oldpin12 --new-pin 12345678
> 2016-03-23 16:22:05.713 [pkcs15-tool] reader-pcsc.c:377:pcsc_detect_card_presence: returning with: 1
> Using reader with a card: FS USB Token 0
> 2016-03-23 16:22:05.725 [pkcs15-tool] reader-pcsc.c:301:refresh_attributes: returning with: 0 (Success)
> 2016-03-23 16:22:05.730 [pkcs15-tool] reader-pcsc.c:377:pcsc_detect_card_presence: returning with: 1
> Connecting to card in reader FS USB Token 0...
> 2016-03-23 16:22:05.740 [pkcs15-tool] card.c:148:sc_connect_card: called
> 2016-03-23 16:22:05.744 [pkcs15-tool] reader-pcsc.c:301:refresh_attributes: returning with: 0 (Success)
> 2016-03-23 16:22:05.752 [pkcs15-tool] card-entersafe.c:106:entersafe_match_card: called
> Using card driver epass2003.
> Trying to find a PKCS#15 compatible card...
> Found OpenSC Card!
> 2016-03-23 16:22:06.487 [pkcs15-tool] sec.c:206:sc_pin_cmd: returning with: 0 (Success)
> 2016-03-23 16:22:06.493 cannot lock memory, sensitive data may be paged to disk
> PIN code changed successfully.
> 2016-03-23 16:22:06.516 [pkcs15-tool] ctx.c:799:sc_release_context: called
>
> Similarly, when using private key stored on token for OpenVPN authentication, there are errors after entering the PIN interactively. Console log excerpt:
>
> Enter OpenSC Card (User PIN) token Password:
> 2016-03-23 16:02:21.334 cannot lock memory, sensitive data may be paged to disk
> Wed Mar 23 16:02:21 2016 PKCS#11: Cannot perform signature 512:'CKR_FUNCTION_REJECTED'
> Wed Mar 23 16:02:21 2016 TLS_ERROR: BIO read tls_read_plaintext error: error:14099004:SSL routines:SSL3_SEND_CLIENT_VERIFY:RSA lib
> Wed Mar 23 16:02:21 2016 TLS Error: TLS object -> incoming plaintext read error
> Wed Mar 23 16:02:21 2016 TLS Error: TLS handshake failed
>
> Is this a known problem?
> Please inform me if any more information is needed.
>
> Thanks,
>
> --
> twisteroid ambassado
>

--
Douglas E. Engert <DEE...@gm...>
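The timing analysis Douglas does by hand (cut-and-paste into an editor, then compare the pcsc_lock, last successful sc_single_transmit, failed pcsc_internal_transmit and pcsc_unlock timestamps) can be automated. The script below is an added example for this thread, not code from OpenSC or from either poster: it parses OpenSC -vvv debug lines, measures how long each pcsc_lock..pcsc_unlock transaction sat idle between the last APDU that completed and the next transmit attempt, and names the WinSCard status code OpenSC prints after a failed PC/SC call. The sample log is constructed from the trace quoted above; the 1.5 s threshold is the TransactionTimeoutMilliseconds value Douglas guesses at, which the thread does not confirm is the timeout that actually applies, so it is a parameter; the status-code names are the standard WinSCard constants (0x80100068 is SCARD_W_RESET_CARD). The function names parse, transaction_gaps, scard_errors and report are this example's own.

```python
import re
from datetime import datetime

# Constructed sample, modelled on the pkcs15-tool -vvv trace quoted in the thread
# (timestamps and messages follow the quoted lines; the prompt line has no timestamp).
SAMPLE_LOG = """\
2016-03-23 16:37:53.607 [pkcs15-tool] reader-pcsc.c:534:pcsc_lock: called
2016-03-23 16:37:55.950 [pkcs15-tool] apdu.c:384:sc_single_transmit: called
2016-03-23 16:37:55.967 [pkcs15-tool] apdu.c:399:sc_single_transmit: returning with: 0 (Success)
Enter old PIN [PIV Card Holder pin]: Enter new PIN [PIV Card Holder pin]: Enter new PIN again [PIV Card Holder pin]:
2016-03-23 16:38:03.984 [pkcs15-tool] apdu.c:384:sc_single_transmit: called
2016-03-23 16:38:03.984 [pkcs15-tool] reader-pcsc.c:190:pcsc_internal_transmit: called
2016-03-23 16:38:03.984 SCM Microsystems Inc. SCR35xx USB Smart Card Reader 0:SCardTransmit/Control failed: 0x80100068
2016-03-23 16:38:03.984 [pkcs15-tool] apdu.c:397:sc_single_transmit: unable to transmit APDU: -1107 (Transmit failed)
2016-03-23 16:38:03.999 [pkcs15-tool] reader-pcsc.c:574:pcsc_unlock: called
2016-03-23 16:38:03.999 SCM Microsystems Inc. SCR35xx USB Smart Card Reader 0:SCardEndTransaction failed: 0x80100068
"""

LINE_RE = re.compile(r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d{3}) (?P<msg>.*)$")
FUNC_RE = re.compile(r"^\[(?P<tool>[^\]]+)\] (?P<file>[\w.-]+):(?P<line>\d+):(?P<func>\w+): (?P<what>.*)$")
SCARD_RE = re.compile(r"failed: (?P<code>0x[0-9A-Fa-f]{8})")

# Standard WinSCard status values (pcsc-lite defines the same numbers).
SCARD_CODES = {
    0x8010000A: "SCARD_E_TIMEOUT",
    0x8010000B: "SCARD_E_SHARING_VIOLATION",
    0x8010000C: "SCARD_E_NO_SMARTCARD",
    0x80100066: "SCARD_W_UNRESPONSIVE_CARD",
    0x80100067: "SCARD_W_UNPOWERED_CARD",
    0x80100068: "SCARD_W_RESET_CARD",
    0x80100069: "SCARD_W_REMOVED_CARD",
}

# Assumed threshold: the 1.5 s TransactionTimeoutMilliseconds value mentioned in the thread.
# The thread does not confirm this is the timeout that applies, so it stays a parameter.
DEFAULT_THRESHOLD_S = 1.5


def parse(log_text):
    """Turn OpenSC debug lines into dicts: timestamp, OpenSC function (if any), message."""
    events = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue  # PIN prompts and other untimestamped output carry no timing
        msg = m.group("msg")
        f = FUNC_RE.match(msg)
        events.append({
            "ts": datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S.%f"),
            "func": f.group("func") if f else None,
            "what": f.group("what") if f else msg,
        })
    return events


def transaction_gaps(events, threshold_s=DEFAULT_THRESHOLD_S):
    """For each pcsc_lock..pcsc_unlock window, measure how long the card sat idle between
    the last APDU that completed successfully and the next transmit attempt.
    Returns (lock_time, idle_seconds, within_threshold) per measured attempt."""
    findings = []
    lock_ts = last_ok = None
    for ev in events:
        if ev["func"] == "pcsc_lock":
            lock_ts, last_ok = ev["ts"], None
        elif lock_ts is None:
            continue  # outside a transaction the idle time is not the issue
        elif ev["func"] == "sc_single_transmit" and ev["what"].startswith("returning with: 0"):
            last_ok = ev["ts"]
        elif ev["func"] == "pcsc_internal_transmit" and last_ok is not None:
            idle = (ev["ts"] - last_ok).total_seconds()
            findings.append((lock_ts, idle, idle <= threshold_s))
        elif ev["func"] == "pcsc_unlock":
            lock_ts = last_ok = None
    return findings


def scard_errors(events):
    """Decode the PC/SC status codes OpenSC prints after a failed WinSCard call."""
    found = []
    for ev in events:
        m = SCARD_RE.search(ev["what"])
        if m:
            code = int(m.group("code"), 16)
            found.append((ev["ts"], code, SCARD_CODES.get(code, "unknown")))
    return found


def report(log_text, threshold_s=DEFAULT_THRESHOLD_S):
    """Summary lines for a captured trace (returned, not printed, so they can be checked)."""
    events = parse(log_text)
    lines = []
    for lock_ts, idle, ok in transaction_gaps(events, threshold_s):
        verdict = "within threshold" if ok else f"exceeds {threshold_s:.1f}s threshold"
        lines.append(f"transaction opened {lock_ts.time()}: {idle:.3f}s idle before next APDU ({verdict})")
    for ts, code, name in scard_errors(events):
        lines.append(f"{ts.time()}: PC/SC call failed with 0x{code:08X} ({name})")
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE_LOG):
        print(line)
```

Run it against a trace captured from the tool with the same -vvv level; on the constructed sample it reports the 8.017 s idle period inside the transaction and decodes both 0x80100068 failures as SCARD_W_RESET_CARD. A long idle gap inside a transaction followed by SCARD_W_RESET_CARD on the next transmit is consistent with the lock-timeout explanation offered above; it does not by itself identify which registry value enforces the timeout.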
From: twisteroid a. <twi...@gm...> - 2016-03-23 20:34:57
Hi,

Entering PINs interactively at the command prompt doesn't seem to work in Windows 10.

I have OpenSC 0.15.0 win64 installed in Windows 10, using ePass2003 tokens. The same hardware works fine under Linux (Arch x64, latest OpenSC). Under Windows, however, any operation that involves entering PIN at the interactive prompt doesn't seem to work.

For example, pkcs15-tool --change-pin:

C:\Program Files\OpenSC Project\OpenSC\tools>pkcs15-tool.exe --change-pin -vv
2016-03-23 16:16:36.191 [pkcs15-tool] reader-pcsc.c:301:refresh_attributes: returning with: 0 (Success)
2016-03-23 16:16:36.197 [pkcs15-tool] reader-pcsc.c:377:pcsc_detect_card_presence: returning with: 1
Using reader with a card: FS USB Token 0
2016-03-23 16:16:36.208 [pkcs15-tool] reader-pcsc.c:301:refresh_attributes: returning with: 0 (Success)
2016-03-23 16:16:36.211 [pkcs15-tool] reader-pcsc.c:377:pcsc_detect_card_presence: returning with: 1
Connecting to card in reader FS USB Token 0...
2016-03-23 16:16:36.217 [pkcs15-tool] card.c:148:sc_connect_card: called
2016-03-23 16:16:36.220 [pkcs15-tool] reader-pcsc.c:301:refresh_attributes: returning with: 0 (Success)
2016-03-23 16:16:36.223 [pkcs15-tool] card-entersafe.c:106:entersafe_match_card: called
Using card driver epass2003.
Trying to find a PKCS#15 compatible card...
Found OpenSC Card!
Enter old PIN [User PIN]: Enter new PIN [User PIN]: Enter new PIN again [User PIN]: 2016-03-23 16:16:43.390 [pkcs15-tool] reader-pcsc.c:377:pcsc_detect_card_presence: returning with: 5
2016-03-23 16:16:43.398 [pkcs15-tool] reader-pcsc.c:301:refresh_attributes: returning with: 0 (Success)
2016-03-23 16:16:43.404 [pkcs15-tool] reader-pcsc.c:377:pcsc_detect_card_presence: returning with: 5
2016-03-23 16:16:43.411 [pkcs15-tool] sec.c:206:sc_pin_cmd: returning with: -1107 (Transmit failed)
PIN code change failed: Transmit failed
2016-03-23 16:16:43.426 [pkcs15-tool] ctx.c:799:sc_release_context: called

(Note the line starting with "Enter old pin". All those prompts do appear on the same line, as well as the next piece of debug info. Maybe this hints at a Windows/Linux EOL problem?)

The same command does work if the PIN is included in the arguments:

C:\Program Files\OpenSC Project\OpenSC\tools>pkcs15-tool.exe --change-pin -vv --pin oldpin12 --new-pin 12345678
2016-03-23 16:22:05.713 [pkcs15-tool] reader-pcsc.c:377:pcsc_detect_card_presence: returning with: 1
Using reader with a card: FS USB Token 0
2016-03-23 16:22:05.725 [pkcs15-tool] reader-pcsc.c:301:refresh_attributes: returning with: 0 (Success)
2016-03-23 16:22:05.730 [pkcs15-tool] reader-pcsc.c:377:pcsc_detect_card_presence: returning with: 1
Connecting to card in reader FS USB Token 0...
2016-03-23 16:22:05.740 [pkcs15-tool] card.c:148:sc_connect_card: called
2016-03-23 16:22:05.744 [pkcs15-tool] reader-pcsc.c:301:refresh_attributes: returning with: 0 (Success)
2016-03-23 16:22:05.752 [pkcs15-tool] card-entersafe.c:106:entersafe_match_card: called
Using card driver epass2003.
Trying to find a PKCS#15 compatible card...
Found OpenSC Card!
2016-03-23 16:22:06.487 [pkcs15-tool] sec.c:206:sc_pin_cmd: returning with: 0 (Success)
2016-03-23 16:22:06.493 cannot lock memory, sensitive data may be paged to disk
PIN code changed successfully.
2016-03-23 16:22:06.516 [pkcs15-tool] ctx.c:799:sc_release_context: called

Similarly, when using private key stored on token for OpenVPN authentication, there are errors after entering the PIN interactively. Console log excerpt:

Enter OpenSC Card (User PIN) token Password:
2016-03-23 16:02:21.334 cannot lock memory, sensitive data may be paged to disk
Wed Mar 23 16:02:21 2016 PKCS#11: Cannot perform signature 512:'CKR_FUNCTION_REJECTED'
Wed Mar 23 16:02:21 2016 TLS_ERROR: BIO read tls_read_plaintext error: error:14099004:SSL routines:SSL3_SEND_CLIENT_VERIFY:RSA lib
Wed Mar 23 16:02:21 2016 TLS Error: TLS object -> incoming plaintext read error
Wed Mar 23 16:02:21 2016 TLS Error: TLS handshake failed

Is this a known problem?
Please inform me if any more information is needed.

Thanks,

--
twisteroid ambassado