From: <Joe...@we...> - 2016-02-24 17:17:47
|
Hi again,

thanks for your suggestions! I took another look at this, but I did not find a nice solution to pass the information of the modlen to the lower layers without having to change the API, which would probably be too much of a hassle for everyone else.

But what about checking the returned length in sc_pkcs15_compute_signature itself? By this we'd still make the entire outlen available to the drivers (in case someone needs more than modlen e.g. for temporary data), and would only alter something if the returned data is less than modlen (but no error code), which to my understanding would always be unwanted behavior.

The modified patch looks like this:

diff --git a/src/libopensc/pkcs15-sec.c b/src/libopensc/pkcs15-sec.c index 019d8a1..9c78acb --- a/src/libopensc/pkcs15-sec.c +++ b/src/libopensc/pkcs15-sec.c 
@@ -433,6 +433,14 @@ int sc_pkcs15_compute_signature(struct sc_pkcs15_card *p15card, r = use_key(p15card, obj, &senv, sc_compute_signature, tmp, inlen, out, outlen); + + if (r >= 0 && (size_t)r < modlen) // returned size smaller than expected, add leading zeros + { + memmove(out + (modlen -r ), out, r); /* overlapping */ + memset(out, 0, modlen -r ); + r = modlen; + } + LOG_TEST_RET(ctx, r, "use_key() failed");

This is working fine for me, I tested it with about 10000 different input strings, but obviously just with my card and with this one use case.

Sent: Monday, 22 February 2016 at 19:16
From: "Douglas E Engert" <dee...@gm...>
To: ope...@li...
Subject: Re: [Opensc-devel] Bad signature generated by pkcs15-crypt ?

On 2/22/2016 9:51 AM, Joe...@we... wrote:
> Thanks for providing this patch, with this I got it _almost_ working :-)
> I ran into one real and two minor issues:
> 1) The real issue is that the outlen does not seem to be the expected signature length,
> but the size of the buffer with some extra space. In my case it is 1024 and not the expected
> 512, so this does not work. But I guess it would be possible to compute the expected signature
> length in a general way?

sc_pkcs15_compute_signature set modlen lines 324-336 from the type of key and its size, then tests if outlen is big enough:

339 if (inlen > sizeof(buf) || outlen < modlen)

But then it passes to lower levels, it passes outlen:

434 r = use_key(p15card, obj, &senv, sc_compute_signature, tmp, inlen,
435 out, outlen);

In all cases other than the card you have this is not a problem. So one possible fix is to set line 435 to:

out, modlen);

then do the memmove stuff if it's too short. BUT THIS IS A GLOBAL CHANGE, and would need testing for other cards. I don't see why it would be an issue, but you never know...

If you try and do an openpgp only fix, it looks like by the time pgp_set_security_env and pgp_compute_signature are called, the size of the key is not known, just the outlen.
Some info could be saved in the

Another way: card-openpgp.c only supports RSA. And only 4K, 2K and maybe 1K keys are used. So if apdu.resplen is within 4 bytes of one of these values, assume it has dropped 1, 2, 3 or 4 bytes, and do the memmove stuff then. (Not perfect, but chance of failure to catch a short signature is 1/2^32)

There may be more info in the OpenPGP documents that would show how to save the key size internally in one of the card-openpgp.c internal structures.

> 2) Minor technical issues: the apdu was not updated in the end to return the new length,
> and src and dest were mixed up in the memmove

OK, I never tested the code. Good to hear you got it working.

> With this hacked up version of your patch I was able to get a valid signature :-) , but obviously it works only
> for exactly my usecase with at most one leading zero:
> --- a/src/libopensc/card-openpgp.c > +++ b/src/libopensc/card-openpgp.c 
> @@ -1656,6 +1656,13 @@ pgp_compute_signature(sc_card_t *card, const u8 *data, > r = sc_check_sw(card, apdu.sw1, apdu.sw2); > LOG_TEST_RET(card->ctx, r, "Card returned error"); > > + /* some cards may drop leading 0x00 byte on a signature */ > + if (apdu.resplen < 512) { > + memmove(out + 1 , out, apdu.resplen); /* overlaping */ > + memset(out, 0, 1); > + apdu.resplen = 512; > + } > +
> *Sent:* Sunday, 21 February 2016 at 20:54
> *From:* "Douglas E Engert" <dee...@gm...>
> *To:* ope...@li...
> *Subject:* Re: [Opensc-devel] Bad signature generated by pkcs15-crypt ?
> The patch I sent you has a bug:
>
> memmove(out, out -(outlen - apdu.resplen), apdu.resplen); /* overlaping */
> should be:
>
> memmove(out, out + (outlen - apdu.resplen), apdu.resplen); /* overlaping */
>
> I have not tried the patch.
>
> On 2/21/2016 7:53 AM, Douglas E Engert wrote:
> > Try the attached patch. It is against http:/github.com/OpenSC/OpenSC
> >
> > --
> > Douglas E. Engert <DEE...@gm...>

--
Douglas E. Engert <DEE...@gm...>
|
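Review bot: In the pkcs15-sec.c hunk at the top of this message, the new check "if (r >= 0 && (size_t)r < modlen)" also fires when use_key() returns 0, so an empty response would be turned into modlen zero bytes and returned as a successful signature; require r > 0 and let a zero-length result fail instead. A debug log line when the padding is applied would make the card-specific short result visible to whoever reads the trace, and the "//" comment should use the /* */ style of the surrounding lines.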
From: scott_thomas007 <sco...@ya...> - 2016-02-23 16:20:24
|
Thanks, It worked -- View this message in context: http://opensc.1086184.n5.nabble.com/SmartCard-HSM-How-to-unblock-user-pin-from-SO-PIN-tp15605p15612.html Sent from the Developer mailing list archive at Nabble.com. |
From: Michael J. <mik...@gm...> - 2016-02-23 15:52:35
|
pkcs11-tool \
  --slot 1 \
  --login \
  --login-type so \
  --so-pin ${SO_PIN} \
  --init-pin \
  --new-pin ${NEW_USER_PIN}

On Sun, Feb 21, 2016 at 4:57 PM, scott_thomas007 <sco...@ya...> wrote:
> I personalize the SC-HSM card with command
> sc-hsm-tool --initialize --so-pin 3537363231383830 --pin 12345678
> --pin-retry 3 --reader 0
> Let's suppose i have forgot the PIN, so after 3 tries, the user PIN will be
> blocked.
> What's the way to set a new PIN with the help of SO PIN?
>
> --
> View this message in context: http://opensc.1086184.n5.nabble.com/SmartCard-HSM-How-to-unblock-user-pin-from-SO-PIN-tp15605.html
> Sent from the Developer mailing list archive at Nabble.com.
|
From: Nikos M. <n.m...@gm...> - 2016-02-23 07:33:26
|
On Sun, Feb 21, 2016 at 8:01 PM, Jaime Hablutzel Egoavil <hab...@gm...> wrote:
> Hi, is there a backup of the Trac wiki that used to be available at
> http://www.opensc-project.org/engine_pkcs11? Because I'm not sure if pages
> like the following one have been migrated,
> https://web.archive.org/web/20110909101027/http://www.opensc-project.org/engine_pkcs11/wiki/QuickStart.

Check the text at:
https://github.com/opensc/engine_pkcs11
|
From: Douglas E E. <dee...@gm...> - 2016-02-22 18:17:01
|
On 2/22/2016 9:51 AM, Joe...@we... wrote:
> Thanks for providing this patch, with this I got it _almost_ working :-)
> I ran into one real and two minor issues:
> 1) The real issue is that the outlen does not seem to be the expected signature length,
> but the size of the buffer with some extra space. In my case it is 1024 and not the expected
> 512, so this does not work. But I guess it would be possible to compute the expected signature
> length in a general way?

sc_pkcs15_compute_signature set modlen lines 324-336 from the type of key and its size, then tests if outlen is big enough:

339 if (inlen > sizeof(buf) || outlen < modlen)

But then it passes to lower levels, it passes outlen:

434 r = use_key(p15card, obj, &senv, sc_compute_signature, tmp, inlen,
435 out, outlen);

In all cases other than the card you have this is not a problem. So one possible fix is to set line 435 to:

out, modlen);

then do the memmove stuff if it's too short. BUT THIS IS A GLOBAL CHANGE, and would need testing for other cards. I don't see why it would be an issue, but you never know...

If you try and do an openpgp only fix, it looks like by the time pgp_set_security_env and pgp_compute_signature are called, the size of the key is not known, just the outlen.
Some info could be saved in the

Another way: card-openpgp.c only supports RSA. And only 4K, 2K and maybe 1K keys are used. So if apdu.resplen is within 4 bytes of one of these values, assume it has dropped 1, 2, 3 or 4 bytes, and do the memmove stuff then. (Not perfect, but chance of failure to catch a short signature is 1/2^32)

There may be more info in the OpenPGP documents that would show how to save the key size internally in one of the card-openpgp.c internal structures.

> 2) Minor technical issues: the apdu was not updated in the end to return the new length,
> and src and dest were mixed up in the memmove

OK, I never tested the code. Good to hear you got it working.

> With this hacked up version of your patch I was able to get a valid signature :-) , but obviously it works only
> for exactly my usecase with at most one leading zero:
> --- a/src/libopensc/card-openpgp.c > +++ b/src/libopensc/card-openpgp.c 
> @@ -1656,6 +1656,13 @@ pgp_compute_signature(sc_card_t *card, const u8 *data, > r = sc_check_sw(card, apdu.sw1, apdu.sw2); > LOG_TEST_RET(card->ctx, r, "Card returned error"); > > + /* some cards may drop leading 0x00 byte on a signature */ > + if (apdu.resplen < 512) { > + memmove(out + 1 , out, apdu.resplen); /* overlaping */ > + memset(out, 0, 1); > + apdu.resplen = 512; > + } > +
> *Sent:* Sunday, 21 February 2016 at 20:54
> *From:* "Douglas E Engert" <dee...@gm...>
> *To:* ope...@li...
> *Subject:* Re: [Opensc-devel] Bad signature generated by pkcs15-crypt ?
> The patch I sent you has a bug:
>
> memmove(out, out -(outlen - apdu.resplen), apdu.resplen); /* overlaping */
> should be:
>
> memmove(out, out + (outlen - apdu.resplen), apdu.resplen); /* overlaping */
>
> I have not tried the patch.
>
> On 2/21/2016 7:53 AM, Douglas E Engert wrote:
> > Try the attached patch. It is against http:/github.com/OpenSC/OpenSC
> >
> > --
> > Douglas E. Engert <DEE...@gm...>

--
Douglas E. Engert <DEE...@gm...>
|
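The two approaches discussed in the message above (padding a short result to a known modlen, and guessing the key size from the response length when the driver does not know it), sketched in C as an added example. This is not OpenSC code and not from either poster; the function names and error codes are hypothetical.

```c
/* Added illustration: normalising a short RSA signature returned by a card.
 * All names are hypothetical; none of this is OpenSC code. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical error codes for this example (not OpenSC's SC_ERROR_* values). */
enum {
    PAD_ERR_BAD_ARG   = -1, /* out is NULL or modlen is zero */
    PAD_ERR_EMPTY     = -2, /* card returned no data at all */
    PAD_ERR_TOO_LONG  = -3, /* response is longer than the modulus */
    PAD_ERR_BUF_SMALL = -4  /* caller's buffer cannot hold modlen bytes */
};

/*
 * Heuristic from the thread, for a driver that sees only the response
 * length: keys are RSA with 1K, 2K or 4K bits, and a response at most
 * 4 bytes short of one of those sizes is taken to be that size with its
 * leading zero bytes dropped. Returns the assumed modulus length in
 * bytes, or 0 when the length matches none of them.
 */
size_t guess_rsa_modlen(size_t resplen)
{
    static const size_t sizes[] = { 128, 256, 512 };
    size_t i;

    for (i = 0; i < sizeof(sizes) / sizeof(sizes[0]); i++) {
        if (resplen <= sizes[i] && sizes[i] - resplen <= 4)
            return sizes[i];
    }
    return 0;
}

/*
 * Left-pad a big-endian signature in place to exactly modlen bytes.
 * out holds resplen valid bytes and has room for outlen bytes in total.
 * Returns modlen on success or a negative PAD_ERR_* code; the buffer is
 * not modified on error.
 */
int pad_signature(uint8_t *out, size_t outlen, size_t resplen, size_t modlen)
{
    size_t pad;

    if (out == NULL || modlen == 0)
        return PAD_ERR_BAD_ARG;
    if (resplen == 0)
        return PAD_ERR_EMPTY;      /* never turn "no data" into all zeros */
    if (resplen > modlen)
        return PAD_ERR_TOO_LONG;
    if (outlen < modlen)
        return PAD_ERR_BUF_SMALL;  /* bound the write before moving data */

    pad = modlen - resplen;
    if (pad > 0) {
        memmove(out + pad, out, resplen); /* regions overlap */
        memset(out, 0, pad);
    }
    return (int)modlen;
}

/* Constructed sample: a 1024-byte buffer holding a 511-byte response,
 * the sizes reported in the thread. Returns 1 when the result is a
 * 512-byte value with one leading zero and the data shifted by one. */
int demo_short_response(void)
{
    uint8_t out[1024];
    size_t resplen = 511, modlen, i;
    int r;

    for (i = 0; i < resplen; i++)
        out[i] = (uint8_t)(i + 1);      /* constructed bytes, first is 0x01 */

    modlen = guess_rsa_modlen(resplen); /* key size unknown to the driver */
    r = pad_signature(out, sizeof(out), resplen, modlen);

    return r == 512 && out[0] == 0x00 && out[1] == 0x01 &&
           out[511] == (uint8_t)511;
}

int main(void)
{
    printf("511-byte response padded correctly: %s\n",
           demo_short_response() ? "yes" : "no");
    return 0;
}
```

When the caller already knows modlen, as sc_pkcs15_compute_signature does, pad_signature is all that is needed; the guess is only for code that sees nothing but the response length.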
From: <Joe...@we...> - 2016-02-22 15:51:51
|
Thanks for providing this patch, with this I got it _almost_ working :-)

I ran into one real and two minor issues:
1) The real issue is that the outlen does not seem to be the expected signature length,
but the size of the buffer with some extra space. In my case it is 1024 and not the expected
512, so this does not work. But I guess it would be possible to compute the expected signature
length in a general way?

2) Minor technical issues: the apdu was not updated in the end to return the new length,
and src and dest were mixed up in the memmove

With this hacked up version of your patch I was able to get a valid signature :-) , but obviously it works only
for exactly my usecase with at most one leading zero:

--- a/src/libopensc/card-openpgp.c
+++ b/src/libopensc/card-openpgp.c
@@ -1656,6 +1656,13 @@ pgp_compute_signature(sc_card_t *card, const u8 *data,
 r = sc_check_sw(card, apdu.sw1, apdu.sw2);
 LOG_TEST_RET(card->ctx, r, "Card returned error");

+ /* some cards may drop leading 0x00 byte on a signature */
+ if (apdu.resplen < 512) {
+ memmove(out + 1 , out, apdu.resplen); /* overlaping */
+ memset(out, 0, 1);
+ apdu.resplen = 512;
+ }
+

> Sent: Sunday, 21 February 2016 at 20:54
> From: "Douglas E Engert" <dee...@gm...>
> To: ope...@li...
> Subject: Re: [Opensc-devel] Bad signature generated by pkcs15-crypt ?
>
> The patch I sent you has a bug:
>
> memmove(out, out -(outlen - apdu.resplen), apdu.resplen); /* overlaping */
> should be:
>
> memmove(out, out + (outlen - apdu.resplen), apdu.resplen); /* overlaping */
>
> I have not tried the patch.
>
> On 2/21/2016 7:53 AM, Douglas E Engert wrote:
>
> > Try the attached patch. It is against http:/github.com/OpenSC/OpenSC
> >
>
> --
>
> Douglas E. Engert <DEE...@gm...>
|
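Review bot: The block added to pgp_compute_signature in the card-openpgp.c hunk above hardcodes 512 and always shifts by exactly one byte (memmove(out + 1 , out, apdu.resplen)), so a response that is two or more bytes short, or a key that is not 4096 bits, ends with apdu.resplen = 512 while the data is misaligned and the tail of the buffer was never written. Compute the pad as the expected length minus apdu.resplen, shift and zero by that amount, and check the expected length against the size of out before the memmove, since nothing in the hunk bounds that write.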
From: Douglas E E. <dee...@gm...> - 2016-02-21 19:54:31
|
The patch I sent you has a bug:

memmove(out, out -(outlen - apdu.resplen), apdu.resplen); /* overlaping */

should be:

memmove(out, out + (outlen - apdu.resplen), apdu.resplen); /* overlaping */

I have not tried the patch.

On 2/21/2016 7:53 AM, Douglas E Engert wrote:
> Try the attached patch. It is against http:/github.com/OpenSC/OpenSC
>

--
Douglas E. Engert <DEE...@gm...>
|
From: Jaime H. E. <hab...@gm...> - 2016-02-21 19:02:00
|
Hi, is there a backup of the Trac wiki that used to be available at http://www.opensc-project.org/engine_pkcs11? Because I'm not sure if pages like the following one have been migrated, https://web.archive.org/web/20110909101027/http://www.opensc-project.org/engine_pkcs11/wiki/QuickStart . Regards. -- Jaime Hablutzel - RPC 994690880 |
From: scott_thomas007 <sco...@ya...> - 2016-02-21 14:57:40
|
I personalize the SC-HSM card with command

sc-hsm-tool --initialize --so-pin 3537363231383830 --pin 12345678 --pin-retry 3 --reader 0

Let's suppose I have forgotten the PIN, so after 3 tries, the user PIN will be blocked.
What's the way to set a new PIN with the help of SO PIN?

--
View this message in context: http://opensc.1086184.n5.nabble.com/SmartCard-HSM-How-to-unblock-user-pin-from-SO-PIN-tp15605.html
Sent from the Developer mailing list archive at Nabble.com.
|
From: Douglas E E. <dee...@gm...> - 2016-02-21 13:54:03
|
Try the attached patch. It is against http:/github.com/OpenSC/OpenSC

Using the data and key that produces the short signature you should see in debug log:

Incoming APDU data [ 513 bytes] =====================================
...
card-openpgp.c:XXXX:pgp_compute_signature: returning with: 512

where it used to say 511

On 2/21/2016 3:53 AM, Joerg Kesten wrote:
> Thanks for your quick reply!
>
> I would also have thought that if this is a general issue with the card
> it would have shown up a long time ago...
>
> But if I understood your comment correctly it is really "just" a missing
> leading zero, right? In that case it would be relatively straight
> forward and a valid workaround to detect and correct this from opensc
> without introducing some security issue?
>
> I am obviously not familiar with the source code in card-openpgp and not
> an expert in this area, but if someone points me to the right functions
> I'd need to look at I'd be happy to help adding this.
>
>
> On 20.02.2016 16:41, Douglas E Engert wrote:
>> Someone who knows the card-openpgp.c code needs to look at this.
>>
>>
>> One more comment. Mathematically, the RSA signature is a large integer. But when used in certificates it is stored as
>> an ASN.1 BIT STRING with leading 0 (because signature is multiple of 8 bits) followed by the 512 bytes of the signature for the 4096 bit key.
>> So there is a 1/256 chance the first byte of the actual signature being zero. (I have one such certificate.)
>> Your card is dropping the leading zero.
>>
>> I would have assumed that if all openpgp cards dropped a leading zero byte, that this would have showed up long ago
>> as a bug in the OpenSC openpgp driver. I could be wrong. But code could be added to the driver to handle this.
>> It may be OpenPGP does not care, but when used within OpenSC, the leading byte should be there.
>>
>>
>> On 2/19/2016 9:08 AM, Joe...@we... wrote:
>>> Hi everyone,
>>> I am using the Gemalto Open GPG dongle v2.1 with a RSA 4096 bit key to generate signatures for relatively short ID-strings. In general the process I set up runs fine, but I get a bad signature for about 2% of my inputs. Bad means the data is 1 byte short and fails verification with openssl. But is not just truncated, comparing to a valid signature generated with openssl it looks completely different.
>>> I am doing the following:
>>> $ echo -ne "CgABEQS/SUEAAAAAAAAINA==" | openssl dgst -binary -sha256 > dgst.txt
>>> $ tools/pkcs15-crypt.exe -s -k 1 -r 1 -i dgst.txt -o sig.txt --sha-256 --pkcs1 -p 123456
>>> $ echo -ne "CgABEQS/SUEAAAAAAAAINA==" | openssl dgst -sha256 -verify pubkey.pem -signature sig.txt
>>> Verification Failure
>>> Doing the same with slightly altered input data runs fine:
>>> $ echo -ne "CgABEQS/SUEAAAAAAAAINB==" | openssl dgst -binary -sha256 > dgst.txt
>>> $ tools/pkcs15-crypt.exe -s -k 1 -r 1 -i dgst.txt -o sig.txt --sha-256 --pkcs1 -p 123456
>>> $ echo -ne "CgABEQS/SUEAAAAAAAAINB==" | openssl dgst -sha256 -verify pubkey.pem -signature sig.txt
>>> Verified OK
>>> This is reproducible with different keys (each key fails for different input data though), I saw the same issue when generating rsa signatures with pkcs11-tool (using parameters -s -m RSA-PKCS -i dgst.txt -o sig.txt) , again the bad signatures happen for different input data, so to me it seems that certain key/data combinations may have an issue, or I am doing something wrong...
>>> Please find attached the logs of both runs I mentioned above with OPENSC_DEBUG=9 set (you can see the good run returned 512 bytes as signature, whereas the bad one only returned 511), and the public and private key stored on the card I used for this example (which I explicitly generated for this test ;-) )
>>> I have no idea what I might be doing wrong, any help would be highly appreciated!
>>> Thanks
>>> Jörg

--
Douglas E. Engert <DEE...@gm...>
|
From: Joerg K. <joe...@we...> - 2016-02-21 09:54:09
|
Thanks for your quick reply!

I would also have thought that if this is a general issue with the card it would have shown up a long time ago...

But if I understood your comment correctly it is really "just" a missing leading zero, right? In that case it would be relatively straight forward and a valid workaround to detect and correct this from opensc without introducing some security issue?

I am obviously not familiar with the source code in card-openpgp and not an expert in this area, but if someone points me to the right functions I'd need to look at I'd be happy to help adding this.

On 20.02.2016 16:41, Douglas E Engert wrote:
> Someone who knows the card-openpgp.c code needs to look at this.
>
>
> One more comment. Mathematically, the RSA signature is a large integer. But when used in certificates it is stored as
> an ASN.1 BIT STRING with leading 0 (because signature is multiple of 8 bits) followed by the 512 bytes of the signature for the 4096 bit key.
> So there is a 1/256 chance the first byte of the actual signature being zero. (I have one such certificate.)
> Your card is dropping the leading zero.
>
> I would have assumed that if all openpgp cards dropped a leading zero byte, that this would have showed up long ago
> as a bug in the OpenSC openpgp driver. I could be wrong. But code could be added to the driver to handle this.
> It may be OpenPGP does not care, but when used within OpenSC, the leading byte should be there.
>
>
> On 2/19/2016 9:08 AM, Joe...@we... wrote:
>> Hi everyone,
>> I am using the Gemalto Open GPG dongle v2.1 with a RSA 4096 bit key to generate signatures for relatively short ID-strings. In general the process I set up runs fine, but I get a bad signature for about 2% of my inputs. Bad means the data is 1 byte short and fails verification with openssl. But is not just truncated, comparing to a valid signature generated with openssl it looks completely different.
>> I am doing the following:
>> $ echo -ne "CgABEQS/SUEAAAAAAAAINA==" | openssl dgst -binary -sha256 > dgst.txt
>> $ tools/pkcs15-crypt.exe -s -k 1 -r 1 -i dgst.txt -o sig.txt --sha-256 --pkcs1 -p 123456
>> $ echo -ne "CgABEQS/SUEAAAAAAAAINA==" | openssl dgst -sha256 -verify pubkey.pem -signature sig.txt
>> Verification Failure
>> Doing the same with slightly altered input data runs fine:
>> $ echo -ne "CgABEQS/SUEAAAAAAAAINB==" | openssl dgst -binary -sha256 > dgst.txt
>> $ tools/pkcs15-crypt.exe -s -k 1 -r 1 -i dgst.txt -o sig.txt --sha-256 --pkcs1 -p 123456
>> $ echo -ne "CgABEQS/SUEAAAAAAAAINB==" | openssl dgst -sha256 -verify pubkey.pem -signature sig.txt
>> Verified OK
>> This is reproducible with different keys (each key fails for different input data though), I saw the same issue when generating rsa signatures with pkcs11-tool (using parameters -s -m RSA-PKCS -i dgst.txt -o sig.txt) , again the bad signatures happen for different input data, so to me it seems that certain key/data combinations may have an issue, or I am doing something wrong...
>> Please find attached the logs of both runs I mentioned above with OPENSC_DEBUG=9 set (you can see the good run returned 512 bytes as signature, whereas the bad one only returned 511), and the public and private key stored on the card I used for this example (which I explicitly generated for this test ;-) )
>> I have no idea what I might be doing wrong, any help would be highly appreciated!
>> Thanks
>> Jörg
|
From: Douglas E E. <dee...@gm...> - 2016-02-20 15:41:35
|
Someone who knows the card-openpgp.c code needs to look at this.

One more comment. Mathematically, the RSA signature is a large integer. But when used in certificates it is stored as an ASN.1 BIT STRING with leading 0 (because signature is multiple of 8 bits) followed by the 512 bytes of the signature for the 4096 bit key. So there is a 1/256 chance of the first byte of the actual signature being zero. (I have one such certificate.)

Your card is dropping the leading zero. I would have assumed that if all openpgp cards dropped a leading zero byte, this would have shown up long ago as a bug in the OpenSC openpgp driver. I could be wrong. But code could be added to the driver to handle this.

It may be OpenPGP does not care, but when used within OpenSC, the leading byte should be there.

On 2/19/2016 9:08 AM, Joe...@we... wrote:
> Hi everyone,
> I am using the Gemalto Open GPG dongle v2.1 with an RSA 4096 bit key to generate signatures for relatively short ID-strings. In general the process I set up runs fine, but I get a bad signature for about 2% of my inputs. Bad means the data is 1 byte short and fails verification with openssl. But it is not just truncated, comparing to a valid signature generated with openssl it looks completely different.
> I am doing the following:
> $ echo -ne "CgABEQS/SUEAAAAAAAAINA==" | openssl dgst -binary -sha256 > dgst.txt
> $ tools/pkcs15-crypt.exe -s -k 1 -r 1 -i dgst.txt -o sig.txt --sha-256 --pkcs1 -p 123456
> $ echo -ne "CgABEQS/SUEAAAAAAAAINA==" | openssl dgst -sha256 -verify pubkey.pem -signature sig.txt
> Verification Failure
> Doing the same with slightly altered input data runs fine:
> $ echo -ne "CgABEQS/SUEAAAAAAAAINB==" | openssl dgst -binary -sha256 > dgst.txt
> $ tools/pkcs15-crypt.exe -s -k 1 -r 1 -i dgst.txt -o sig.txt --sha-256 --pkcs1 -p 123456
> $ echo -ne "CgABEQS/SUEAAAAAAAAINB==" | openssl dgst -sha256 -verify pubkey.pem -signature sig.txt
> Verified OK
> This is reproducible with different keys (each key fails for different input data though), I saw the same issue when generating rsa signatures with pkcs11-tool (using parameters -s -m RSA-PKCS -i dgst.txt -o sig.txt), again the bad signatures happen for different input data, so to me it seems that certain key/data combinations may have an issue, or I am doing something wrong...
> Please find attached the logs of both runs I mentioned above with OPENSC_DEBUG=9 set (you can see the good run returned 512 bytes as signature, whereas the bad one only returned 511), and the public and private key stored on the card I used for this example (which I explicitly generated for this test ;-) )
> I have no idea what I might be doing wrong, any help would be highly appreciated!
> Thanks
> Jörg

--
Douglas E. Engert <DEE...@gm...>
|
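A sketch of the handling suggested in the message above, as an added example that is not part of the original post and not OpenSC's own code: left-pad a short RSA signature returned by a card to the modulus length (512 bytes for a 4096-bit key), since RFC 8017 verifiers reject a signature whose length differs from the modulus length. The function name, error codes and sample bytes are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Error codes are hypothetical names for this example, not OpenSC's. */
enum { SIG_OK = 0, SIG_ERR_ARGS = -1, SIG_ERR_TOO_LONG = -2, SIG_ERR_BUF = -3 };

/*
 * Normalize an RSA signature to exactly modlen bytes (I2OSP form).
 * On entry buf holds siglen bytes returned by the card; buflen is the
 * capacity of buf. A card that returns the signature as a bare integer
 * drops leading 0x00 bytes, so siglen may be smaller than modlen.
 * The missing bytes are restored on the left; a signature longer than
 * the modulus is rejected rather than truncated.
 */
int rsa_sig_left_pad(unsigned char *buf, size_t buflen, size_t siglen,
                     size_t modlen, size_t *outlen)
{
    size_t pad;

    if (buf == NULL || outlen == NULL || siglen == 0 || modlen == 0)
        return SIG_ERR_ARGS;
    if (siglen > buflen)
        return SIG_ERR_ARGS;
    if (siglen > modlen)
        return SIG_ERR_TOO_LONG;
    if (modlen > buflen)
        return SIG_ERR_BUF;

    pad = modlen - siglen;
    if (pad > 0) {
        /* Regions overlap, so memmove is required, not memcpy. */
        memmove(buf + pad, buf, siglen);
        memset(buf, 0, pad);
    }
    *outlen = modlen;
    return SIG_OK;
}

/* Constructed sample: modlen 512 and a 511-byte reply, as in the thread. */
int demo_short_signature(void)
{
    unsigned char buf[512];
    size_t outlen = 0, i;

    for (i = 0; i < 511; i++)
        buf[i] = (unsigned char)(0x8c + i);   /* constructed bytes */
    if (rsa_sig_left_pad(buf, sizeof buf, 511, 512, &outlen) != SIG_OK)
        return 0;
    if (outlen != 512 || buf[0] != 0x00 || buf[1] != 0x8c)
        return 0;
    return buf[511] == (unsigned char)(0x8c + 510);
}

/* A full-length signature must pass through unchanged. */
int demo_full_length_unchanged(void)
{
    unsigned char buf[4] = { 0x7f, 0x01, 0x02, 0x03 };
    size_t outlen = 0;

    if (rsa_sig_left_pad(buf, sizeof buf, 4, 4, &outlen) != SIG_OK)
        return 0;
    return outlen == 4 && buf[0] == 0x7f && buf[3] == 0x03;
}

/* Over-long input and an undersized buffer are errors; buf is untouched. */
int demo_rejects_bad_lengths(void)
{
    unsigned char buf[8] = { 1, 2, 3, 4, 5, 6, 7, 8 };
    size_t outlen = 99;

    if (rsa_sig_left_pad(buf, sizeof buf, 8, 4, &outlen) != SIG_ERR_TOO_LONG)
        return 0;
    if (rsa_sig_left_pad(buf, sizeof buf, 4, 16, &outlen) != SIG_ERR_BUF)
        return 0;
    if (rsa_sig_left_pad(buf, sizeof buf, 0, 8, &outlen) != SIG_ERR_ARGS)
        return 0;
    return outlen == 99 && buf[0] == 1;
}

int main(void)
{
    printf("short signature padded: %d\n", demo_short_signature());
    printf("full length unchanged:  %d\n", demo_full_length_unchanged());
    printf("bad lengths rejected:   %d\n", demo_rejects_bad_lengths());
    return 0;
}
```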
From: Douglas E E. <dee...@gm...> - 2016-02-19 20:52:57
|
I don't think you are doing anything wrong, but the openpgp card is.

Using your private key:

echo -ne "CgABEQS/SUEAAAAAAAAINA==" | openssl dgst -sign privkey.pem -sha256 > sig.a

/tmp$ od -t x1 sig.a
0000000 00 8c f6 db 29 a7 d7 bd b3 63 4c fe d6 a9 fb a5
0000020 e0 38 7a ca a8 d4 9c 36 99 ab f6 2e 81 45 26 a7
0000040 60 4b 25 91 67 7e 86 31 10 5a db b4 86 d3 98 4d
0000060 34 94 0e 5e 0a ba 00 e0 47 2b e6 d2 1a d8 8a 61
0000100 d1 d1 69 c1 3c 02 ac 9d 2a af 23 0d cb 4f 40 a7
0000120 42 38 62 4b 6c b6 47 9d 36 80 f7 7c 17 60 49 46
0000140 a3 a9 92 73 44 0a 3f 6b ed de ff 85 76 f3 f2 32
0000160 6f 56 f3 1d dd c6 0d fe d0 99 e2 bd 1e 33 ea de
0000200 f1 00 a1 35 2c 80 e2 b9 cc da 23 fc c5 25 f1 05
0000220 7c 42 2b 99 3c ea a8 be 9d 00 da bc b1 da 6f 4d
...
0000660 a8 46 f4 46 c9 b2 ad 8d bf 9f 55 35 00 aa d9 5c
0000700 a2 29 7b c0 00 d0 dc d3 82 4c a9 18 55 f0 c0 74
0000720 bb 7d 6e 4b e0 b7 0f 84 c5 49 e2 92 f3 9c 9d 1c
0000740 9c 58 f4 12 d5 4b 36 db b2 3f d2 a2 ff 49 fb 7e
0000760 cd 94 33 4e f6 fd 78 cb 2c 7d a2 55 01 d4 7b 48

The signature is 512 bytes with the first byte being 0x00

in bad_signature.txt lines 597-612 return 513 bytes, signature + 9000
*BUT* the card is not returning the leading 0x00!

It appears it is a problem with the card, not with OpenSC.

On 2/19/2016 9:08 AM, Joe...@we... wrote:
> Hi everyone,
> I am using the Gemalto Open GPG dongle v2.1 with an RSA 4096 bit key to generate signatures for relatively short ID-strings. In general the process I set up runs fine, but I get a bad signature for about 2% of my inputs. Bad means the data is 1 byte short and fails verification with openssl. But it is not just truncated, comparing to a valid signature generated with openssl it looks completely different.
> I am doing the following:
> $ echo -ne "CgABEQS/SUEAAAAAAAAINA==" | openssl dgst -binary -sha256 > dgst.txt
> $ tools/pkcs15-crypt.exe -s -k 1 -r 1 -i dgst.txt -o sig.txt --sha-256 --pkcs1 -p 123456
> $ echo -ne "CgABEQS/SUEAAAAAAAAINA==" | openssl dgst -sha256 -verify pubkey.pem -signature sig.txt
> Verification Failure
> Doing the same with slightly altered input data runs fine:
> $ echo -ne "CgABEQS/SUEAAAAAAAAINB==" | openssl dgst -binary -sha256 > dgst.txt
> $ tools/pkcs15-crypt.exe -s -k 1 -r 1 -i dgst.txt -o sig.txt --sha-256 --pkcs1 -p 123456
> $ echo -ne "CgABEQS/SUEAAAAAAAAINB==" | openssl dgst -sha256 -verify pubkey.pem -signature sig.txt
> Verified OK
> This is reproducible with different keys (each key fails for different input data though), I saw the same issue when generating rsa signatures with pkcs11-tool (using parameters -s -m RSA-PKCS -i dgst.txt -o sig.txt), again the bad signatures happen for different input data, so to me it seems that certain key/data combinations may have an issue, or I am doing something wrong...
> Please find attached the logs of both runs I mentioned above with OPENSC_DEBUG=9 set (you can see the good run returned 512 bytes as signature, whereas the bad one only returned 511), and the public and private key stored on the card I used for this example (which I explicitly generated for this test ;-) )
> I have no idea what I might be doing wrong, any help would be highly appreciated!
> Thanks
> Jörg

--
Douglas E. Engert <DEE...@gm...>
|
From: scott_thomas007 <sco...@ya...> - 2016-02-19 18:46:50
|
I am trying to generate private key on SmartCard-HSM but it's showing that it is unsupported.

I tried to generate the private key through OpenSC PKCS11 module.

It generated the error popup "The procedure entry point sc_error could not be located in the dynamic link library opensc.dll"
<http://opensc.1086184.n5.nabble.com/file/n15600/issue.jpg>

It also generated the following error:

C:\Program Files\OpenSC Project\OpenSC\tools>pkcs11-tool -l --pin 12345678 --keypairgen --key-type rsa:1024 --id 10 -label "KEY" --module C:\WINDOWS\system32\opensc-pkcs11.dll
sc_dlopen failed: LoadLibrary/GetProcAddress failed
error: Failed to load pkcs11 module
Aborting.

What's this issue, can't we generate a key on SmartCard-HSM ?????

--
View this message in context: http://opensc.1086184.n5.nabble.com/SmartCard-HSM-Error-Generating-Private-Key-on-Smart-card-through-OpenSC-PKCS11-Module-tp15600.html
Sent from the Developer mailing list archive at Nabble.com.
|
From: scott_thomas007 <sco...@ya...> - 2016-02-19 18:38:44
|
I am trying to generate private key on SmartCard-HSM but it's showing that it is unsupported.

First I tried to generate the private key through the PKCS11 module (sc-hsm-pkcs11-2.7.0.msi) provided on the SC-HSM website but it doesn't support key generation. Link of that zip file was http://www.cardcontact.de/download/sc-hsm-starterkit.zip

C:\Program Files\OpenSC Project\OpenSC\tools>pkcs11-tool -l --pin 12345678 --keypairgen --key-type rsa:2048 --id 10 -label "KEY" --module "C:\Program Files\Card Contact\sc-hsm-pkcs11\lib\sc-hsm-pkcs11.dll"
Using slot 0 with a present token (0x0)
error: PKCS11 function C_GenerateKeyPair failed: rv = CKR_FUNCTION_NOT_SUPPORTED (0x54)
Aborting.

C:\Program Files\OpenSC Project\OpenSC\tools>pkcs11-tool -l --pin 12345678 --keypairgen --key-type rsa:1024 --id 10 -label "KEY" --module "C:\Program Files\OpenSC Project\OpenSC\tools\sc-hsm-pkcs11.dll"
Using slot 0 with a present token (0x0)
error: PKCS11 function C_GenerateKeyPair failed: rv = CKR_FUNCTION_NOT_SUPPORTED (0x54)
Aborting.

What's this issue, can't we generate a key on SmartCard-HSM ?????

--
View this message in context: http://opensc.1086184.n5.nabble.com/SmartCard-HSM-Error-Generating-Private-Key-on-Smart-card-through-SC-HSM-PKCS11-Module-tp15599.html
|
From: <Joe...@we...> - 2016-02-19 15:09:02
|
$ echo -ne "CgABEQS/SUEAAAAAAAAINA==" | openssl dgst -binary -sha256 > dgst.txt
$ OPENSC_DEBUG=9 tools/pkcs15-crypt.exe -s -k 1 -r 1 -i dgst.txt -o sig.txt --sha-256 --pkcs1 -p 123456
0 2016-02-19 11:54:23.972 [pkcs15-crypt] card-openpgp.c:1029:pgp_read_binary: called 2016-02-19 11:54:23.972 [pkcs15-crypt] card-openpgp.c:1050:pgp_read_binary: returning with: 6 2016-02-19 11:54:23.972 [pkcs15-crypt] card.c:525:sc_read_binary: returning with: 6 2016-02-19 11:54:23.972 called; type=2, path=006e007300c1 2016-02-19 11:54:23.972 [pkcs15-crypt] card-openpgp.c:914:pgp_select_file: called 2016-02-19 11:54:23.972 [pkcs15-crypt] card-openpgp.c:981:pgp_select_file: returning with: 0 (Success) 2016-02-19 11:54:23.972 [pkcs15-crypt] card.c:678:sc_select_file: returning with: 0 (Success) 2016-02-19 11:54:23.972 called; 6 bytes at index 0 2016-02-19 11:54:23.972 [pkcs15-crypt] card-openpgp.c:1029:pgp_read_binary: called 2016-02-19 11:54:23.972 [pkcs15-crypt] card-openpgp.c:1050:pgp_read_binary: returning with: 6 2016-02-19 11:54:23.972 [pkcs15-crypt] card.c:525:sc_read_binary: returning with: 6 2016-02-19 11:54:23.972 called; type=2, path=006e007300c2 2016-02-19 11:54:23.972 [pkcs15-crypt] card-openpgp.c:914:pgp_select_file: called 2016-02-19 11:54:23.972 [pkcs15-crypt] card-openpgp.c:981:pgp_select_file: returning with: 0 (Success) 2016-02-19 11:54:23.972 [pkcs15-crypt] card.c:678:sc_select_file: returning with: 0 (Success) 2016-02-19 11:54:23.972 called; 6 bytes at index 0 2016-02-19 11:54:23.972 [pkcs15-crypt] card-openpgp.c:1029:pgp_read_binary: called 2016-02-19 11:54:23.972 [pkcs15-crypt] card-openpgp.c:1050:pgp_read_binary: returning with: 6 2016-02-19 11:54:23.972 [pkcs15-crypt] card.c:525:sc_read_binary: returning with: 6 2016-02-19 11:54:23.972 called; type=2, path=006e007300c3 2016-02-19 11:54:23.972 [pkcs15-crypt] card-openpgp.c:914:pgp_select_file: called 2016-02-19 11:54:23.972 [pkcs15-crypt] card-openpgp.c:981:pgp_select_file: returning with: 0 (Success) 2016-02-19 11:54:23.972 [pkcs15-crypt] card.c:678:sc_select_file: returning with: 0 (Success) 2016-02-19 11:54:23.972 called; 6 bytes at index 0 2016-02-19 11:54:23.972 [pkcs15-crypt] 
card-openpgp.c:1029:pgp_read_binary: called 2016-02-19 11:54:23.972 [pkcs15-crypt] card-openpgp.c:1050:pgp_read_binary: returning with: 6 2016-02-19 11:54:23.972 [pkcs15-crypt] card.c:525:sc_read_binary: returning with: 6 2016-02-19 11:54:23.972 called; type=2, path=7f21 2016-02-19 11:54:23.972 [pkcs15-crypt] card-openpgp.c:914:pgp_select_file: called 2016-02-19 11:54:23.972 called, tag=7f21 2016-02-19 11:54:23.972 [pkcs15-crypt] card-openpgp.c:1138:pgp_get_data: called 2016-02-19 11:54:23.972 [pkcs15-crypt] apdu.c:563:sc_transmit_apdu: called 2016-02-19 11:54:23.972 [pkcs15-crypt] card.c:352:sc_lock: called 2016-02-19 11:54:23.972 [pkcs15-crypt] apdu.c:530:sc_transmit: called 2016-02-19 11:54:23.972 [pkcs15-crypt] apdu.c:384:sc_single_transmit: called 2016-02-19 11:54:23.972 CLA:0, INS:CA, P1:7F, P2:21, data(0) 00000000 2016-02-19 11:54:23.972 reader 'Gemalto USB SmartCard Reader 0' 2016-02-19 11:54:23.972 Outgoing APDU data [ 7 bytes] ===================================== 00 CA 7F 21 00 08 00 ...!... ====================================================================== 2016-02-19 11:54:23.972 [pkcs15-crypt] reader-pcsc.c:184:pcsc_internal_transmit: called 2016-02-19 11:54:23.977 Incoming APDU data [ 2 bytes] ===================================== 90 00 .. 
====================================================================== 2016-02-19 11:54:23.977 [pkcs15-crypt] apdu.c:399:sc_single_transmit: returning with: 0 (Success) 2016-02-19 11:54:23.977 [pkcs15-crypt] apdu.c:552:sc_transmit: returning with: 0 (Success) 2016-02-19 11:54:23.977 [pkcs15-crypt] card.c:392:sc_unlock: called 2016-02-19 11:54:23.977 [pkcs15-crypt] card-openpgp.c:1151:pgp_get_data: returning with: 0 (Success) 2016-02-19 11:54:23.977 [pkcs15-crypt] card.c:691:sc_get_data: returning with: 0 (Success) 2016-02-19 11:54:23.977 [pkcs15-crypt] card-openpgp.c:981:pgp_select_file: returning with: 0 (Success) 2016-02-19 11:54:23.977 [pkcs15-crypt] card.c:678:sc_select_file: returning with: 0 (Success) 2016-02-19 11:54:23.977 [pkcs15-crypt] pkcs15-syn.c:217:sc_pkcs15_bind_synthetic: returning with: 0 (Success) 2016-02-19 11:54:23.977 [pkcs15-crypt] card.c:392:sc_unlock: called 2016-02-19 11:54:23.977 [pkcs15-crypt] pkcs15.c:1250:sc_pkcs15_bind: returning with: 0 (Success) 2016-02-19 11:54:23.977 [pkcs15-crypt] pkcs15-pin.c:295:sc_pkcs15_verify_pin: called 2016-02-19 11:54:23.977 PIN(type:0;method:1;len:) 2016-02-19 11:54:23.977 [pkcs15-crypt] card.c:352:sc_lock: called 2016-02-19 11:54:23.977 called; type=2, path=3f00 2016-02-19 11:54:23.977 [pkcs15-crypt] card-openpgp.c:914:pgp_select_file: called 2016-02-19 11:54:23.977 [pkcs15-crypt] card-openpgp.c:981:pgp_select_file: returning with: 0 (Success) 2016-02-19 11:54:23.977 [pkcs15-crypt] card.c:678:sc_select_file: returning with: 0 (Success) 2016-02-19 11:54:23.977 [pkcs15-crypt] sec.c:159:sc_pin_cmd: called 2016-02-19 11:54:23.977 [pkcs15-crypt] card-openpgp.c:1249:pgp_pin_cmd: called 2016-02-19 11:54:23.977 [pkcs15-crypt] apdu.c:563:sc_transmit_apdu: called 2016-02-19 11:54:23.977 [pkcs15-crypt] card.c:352:sc_lock: called 2016-02-19 11:54:23.977 [pkcs15-crypt] apdu.c:530:sc_transmit: called 2016-02-19 11:54:23.977 [pkcs15-crypt] apdu.c:384:sc_single_transmit: called 2016-02-19 11:54:23.977 CLA:0, INS:20, 
P1:0, P2:81, data(6) 0025D838 2016-02-19 11:54:23.977 reader 'Gemalto USB SmartCard Reader 0' 2016-02-19 11:54:23.977 Outgoing APDU data [ 11 bytes] ===================================== 00 20 00 81 06 31 32 33 34 35 36 . ...123456 ====================================================================== 2016-02-19 11:54:23.977 [pkcs15-crypt] reader-pcsc.c:184:pcsc_internal_transmit: called 2016-02-19 11:54:24.051 Incoming APDU data [ 2 bytes] ===================================== 90 00 .. ====================================================================== 2016-02-19 11:54:24.051 [pkcs15-crypt] apdu.c:399:sc_single_transmit: returning with: 0 (Success) 2016-02-19 11:54:24.051 [pkcs15-crypt] apdu.c:552:sc_transmit: returning with: 0 (Success) 2016-02-19 11:54:24.051 [pkcs15-crypt] card.c:392:sc_unlock: called 2016-02-19 11:54:24.051 [pkcs15-crypt] card-openpgp.c:1276:pgp_pin_cmd: returning with: 0 (Success) 2016-02-19 11:54:24.051 [pkcs15-crypt] sec.c:206:sc_pin_cmd: returning with: 0 (Success) 2016-02-19 11:54:24.051 PIN cmd result 0 2016-02-19 11:54:24.051 [pkcs15-crypt] pkcs15-pin.c:594:sc_pkcs15_pincache_add: called 2016-02-19 11:54:24.052 cannot lock memory, sensitive data may be paged to disk 2016-02-19 11:54:24.052 PIN(User PIN (sig)) cached 2016-02-19 11:54:24.052 [pkcs15-crypt] card.c:392:sc_unlock: called 2016-02-19 11:54:24.052 [pkcs15-crypt] pkcs15-pin.c:373:sc_pkcs15_verify_pin: returning with: 0 (Success) 2016-02-19 11:54:24.053 [pkcs15-crypt] pkcs15-sec.c:312:sc_pkcs15_compute_signature: called 2016-02-19 11:54:24.053 security operation flags 0x202 2016-02-19 11:54:24.053 supported algorithm flags 0x80000013, private key usage 0x20C 2016-02-19 11:54:24.053 [pkcs15-crypt] padding.c:283:sc_get_encoding_flags: called 2016-02-19 11:54:24.053 iFlags 0x202, card capabilities 0x80000013 2016-02-19 11:54:24.053 pad flags 0x200, secure algorithm flags 0x2 2016-02-19 11:54:24.054 [pkcs15-crypt] padding.c:317:sc_get_encoding_flags: returning with: 0 (Success) 
2016-02-19 11:54:24.054 DEE flags:0x00000202 alg_info->flags:0x80000013 pad:0x00000200 sec:0x00000002 2016-02-19 11:54:24.054 [pkcs15-crypt] padding.c:242:sc_pkcs1_encode: called 2016-02-19 11:54:24.054 hash algorithm 0x200, pad algorithm 0x0 2016-02-19 11:54:24.054 [pkcs15-crypt] padding.c:265:sc_pkcs1_encode: returning with: 0 (Success) 2016-02-19 11:54:24.054 [pkcs15-crypt] card.c:352:sc_lock: called 2016-02-19 11:54:24.054 Private key path '' 2016-02-19 11:54:24.054 [pkcs15-crypt] sec.c:68:sc_set_security_env: called 2016-02-19 11:54:24.054 [pkcs15-crypt] card-openpgp.c:1287:pgp_set_security_env: called 2016-02-19 11:54:24.054 Key ref 0 2016-02-19 11:54:24.054 Operation: Sign. 2016-02-19 11:54:24.054 [pkcs15-crypt] card-openpgp.c:1327:pgp_set_security_env: returning with: 0 (Success) 2016-02-19 11:54:24.054 [pkcs15-crypt] sec.c:72:sc_set_security_env: returning with: 0 (Success) 2016-02-19 11:54:24.054 [pkcs15-crypt] sec.c:54:sc_compute_signature: called 2016-02-19 11:54:24.054 [pkcs15-crypt] card-openpgp.c:1341:pgp_compute_signature: called 2016-02-19 11:54:24.054 [pkcs15-crypt] apdu.c:563:sc_transmit_apdu: called 2016-02-19 11:54:24.054 [pkcs15-crypt] card.c:352:sc_lock: called 2016-02-19 11:54:24.054 [pkcs15-crypt] apdu.c:530:sc_transmit: called 2016-02-19 11:54:24.054 [pkcs15-crypt] apdu.c:384:sc_single_transmit: called 2016-02-19 11:54:24.054 CLA:0, INS:2A, P1:9E, P2:9A, data(51) 0025F100 2016-02-19 11:54:24.054 reader 'Gemalto USB SmartCard Reader 0' 2016-02-19 11:54:24.054 Outgoing APDU data [ 60 bytes] ===================================== 00 2A 9E 9A 00 00 33 30 31 30 0D 06 09 60 86 48 .*....3010...`.H 01 65 03 04 02 01 05 00 04 20 B2 71 52 03 EA 61 .e....... .qR..a 15 FE 34 E8 47 23 22 AB 22 F1 19 1C 35 8C 1B C2 ..4.G#"."...5... 87 CB 07 B7 5C BC 2F AF F1 AF 04 00 ....\./..... 
====================================================================== 2016-02-19 11:54:24.054 [pkcs15-crypt] reader-pcsc.c:184:pcsc_internal_transmit: called 2016-02-19 11:54:26.904 Incoming APDU data [ 513 bytes] ===================================== 8C F6 DB 29 A7 D7 BD B3 63 4C FE D6 A9 FB A5 E0 ...)....cL...... 38 7A CA A8 D4 9C 36 99 AB F6 2E 81 45 26 A7 60 8z....6.....E&.` 4B 25 91 67 7E 86 31 10 5A DB B4 86 D3 98 4D 34 K%.g~.1.Z.....M4 94 0E 5E 0A BA 00 E0 47 2B E6 D2 1A D8 8A 61 D1 ..^....G+.....a. D1 69 C1 3C 02 AC 9D 2A AF 23 0D CB 4F 40 A7 42 .i.<...*.#..O@.B 38 62 4B 6C B6 47 9D 36 80 F7 7C 17 60 49 46 A3 8bKl.G.6..|.`IF. A9 92 73 44 0A 3F 6B ED DE FF 85 76 F3 F2 32 6F ..sD.?k....v..2o 56 F3 1D DD C6 0D FE D0 99 E2 BD 1E 33 EA DE F1 V...........3... 00 A1 35 2C 80 E2 B9 CC DA 23 FC C5 25 F1 05 7C ..5,.....#..%..| 42 2B 99 3C EA A8 BE 9D 00 DA BC B1 DA 6F 4D 4F B+.<.........oMO B2 68 E7 B9 D7 D1 B1 15 38 6D A3 A7 50 EE 58 EF .h......8m..P.X. 04 EF D2 45 BA F4 D8 74 8C AA 98 EB C4 19 A3 C4 ...E...t........ 93 AF 6E F3 F8 34 2A 30 28 AE 32 EB 89 79 28 7B ..n..4*0(.2..y({ 49 45 0E 6A 0C 28 52 E0 85 D2 6B FD 4A 2B E1 15 IE.j.(R...k.J+.. 7F A5 42 7C 92 5D C6 F1 4E 32 C2 9D 32 9D 99 85 ..B|.]..N2..2... 72 9B E9 75 20 44 D3 57 DD 1E 5B FA 4D E7 80 68 r..u D.W..[.M..h 31 18 DA 45 7E 8F 94 2B 6B 76 73 E9 6C 64 42 4A 1..E~..+kvs.ldBJ 05 57 4D 75 A8 50 02 AF 8F 2D 7C C6 3C 81 AE 05 .WMu.P...-|.<... 16 A4 7D 22 5C BC FB 4F AB A0 12 23 C5 7E 79 3C ..}"\..O...#.~y< 72 1C C3 81 8B 8D 58 50 07 E5 86 9C 39 BB 4C 4E r.....XP....9.LN 4B E9 6C 6D B3 61 C0 F4 39 D5 73 A2 AE BF 21 67 K.lm.a..9.s...!g 76 84 21 EB 99 01 AE D0 F0 79 C9 09 94 3B AD FA v.!......y...;.. 77 5A 40 FA A0 B2 BF 17 B6 F9 D6 ED 66 2B CA 39 wZ@.........f+.9 1F 1C 82 E8 02 5E D7 1B F8 F0 49 C8 FE 68 7A 5D .....^....I..hz] FD 58 89 47 E9 36 0E F5 65 D5 18 A2 2B AF 8B BF .X.G.6..e...+... BF F6 E3 1E F5 20 FC 3E 7D A7 FD D2 79 E4 ED 95 ..... .>}...y... 
2016-02-19 11:54:26.904 [pkcs15-crypt] apdu.c:399:sc_single_transmit: returning with: 0 (Success)
2016-02-19 11:54:26.904 [pkcs15-crypt] apdu.c:552:sc_transmit: returning with: 0 (Success)
2016-02-19 11:54:26.904 [pkcs15-crypt] card.c:392:sc_unlock: called
2016-02-19 11:54:26.904 [pkcs15-crypt] card-openpgp.c:1375:pgp_compute_signature: returning with: 511
2016-02-19 11:54:26.904 [pkcs15-crypt] sec.c:58:sc_compute_signature: returning with: 511
2016-02-19 11:54:26.904 [pkcs15-crypt] card.c:392:sc_unlock: called
2016-02-19 11:54:26.904 [pkcs15-crypt] pkcs15-sec.c:505:sc_pkcs15_compute_signature: returning with: 511
2016-02-19 11:54:26.905 [pkcs15-crypt] pkcs15.c:1263:sc_pkcs15_unbind: called
2016-02-19 11:54:26.905 [pkcs15-crypt] pkcs15-pin.c:690:sc_pkcs15_pincache_clear: called
2016-02-19 11:54:26.905 [pkcs15-crypt] card.c:392:sc_unlock: called
2016-02-19 11:54:26.905 [pkcs15-crypt] reader-pcsc.c:556:pcsc_unlock: called
2016-02-19 11:54:26.905 [pkcs15-crypt] card.c:294:sc_disconnect_card: called
2016-02-19 11:54:26.905 [pkcs15-crypt] reader-pcsc.c:506:pcsc_disconnect: called
2016-02-19 11:54:26.938 [pkcs15-crypt] card.c:315:sc_disconnect_card: returning with: 0 (Success)
2016-02-19 11:54:26.938 [pkcs15-crypt] ctx.c:799:sc_release_context: called
2016-02-19 11:54:26.938 [pkcs15-crypt] reader-pcsc.c:747:pcsc_finish: called

$ echo -ne "CgABEQS/SUEAAAAAAAAINA==" | openssl dgst -sha256 -verify pubkey.pem -signature sig.txt
Verification Failure
$ |
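The log above ends with sc_pkcs15_compute_signature returning 511 bytes, and the verification then fails. An RSA verifier rejects any signature whose length differs from the modulus length (RFC 8017, section 8.2.2, step 1), so one way to handle a result shorter than the modulus, as discussed in this thread, is to left-pad it with zero bytes. The C code below is an added example, not OpenSC code: the function name, the error codes and the 512-byte modulus length are assumptions, and the sample buffer is constructed.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical error codes for this example (not OpenSC's SC_ERROR_* values). */
#define PAD_ERR_ARGS      (-1L)  /* NULL buffer, or zero signature/modulus length */
#define PAD_ERR_TOO_LONG  (-2L)  /* signature longer than the modulus: padding cannot fix it */
#define PAD_ERR_BUF_SMALL (-3L)  /* output buffer cannot hold modlen bytes */

/*
 * Left-pad an RSA signature in place so that it occupies exactly modlen bytes.
 * A card that returns the signature as a plain big-endian integer may drop
 * leading zero bytes; the numeric value is unchanged, but verifiers compare
 * the byte length against the modulus length before doing any arithmetic.
 *
 * buf     : buffer holding siglen bytes of signature, capacity buflen
 * returns : modlen on success, a negative PAD_ERR_* code otherwise
 */
long pad_signature_to_modlen(unsigned char *buf, size_t buflen,
                             size_t siglen, size_t modlen)
{
    size_t missing;

    if (buf == NULL || siglen == 0 || modlen == 0)
        return PAD_ERR_ARGS;
    if (siglen > modlen)
        return PAD_ERR_TOO_LONG;
    if (buflen < modlen)
        return PAD_ERR_BUF_SMALL;

    missing = modlen - siglen;
    if (missing > 0) {
        /* Regions overlap, so memmove (not memcpy) shifts the value right. */
        memmove(buf + missing, buf, siglen);
        memset(buf, 0, missing);
    }
    return (long)modlen;
}

/* Constructed sample: a 511-byte result for an assumed 512-byte modulus. */
int demo_short_signature(void)
{
    unsigned char buf[512];
    size_t i;

    for (i = 0; i < 511; i++)
        buf[i] = (unsigned char)(i % 251 + 1);   /* never zero */
    buf[511] = 0xEE;                             /* stale byte past the returned data */

    if (pad_signature_to_modlen(buf, sizeof buf, 511, 512) != 512)
        return 0;
    /* One zero byte in front, original bytes shifted by one position. */
    return buf[0] == 0x00 && buf[1] == 1 && buf[511] == 9;
}

int main(void)
{
    printf("padded 511 -> 512 correctly: %s\n",
           demo_short_signature() ? "yes" : "no");
    return 0;
}
```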
From: scott_thomas007 <sco...@ya...> - 2016-02-18 08:57:15
|
Hi,

Good Hint, issue resolved.
https://github.com/OpenSC/OpenSC/wiki/SmartCardHSM#reader-support
Enable TPDU mode

Regards
Scott Thomas

--
View this message in context: http://opensc.1086184.n5.nabble.com/OpenSC-Issue-with-SC-HSM-smart-cards-on-Omni-Key-3x21-smart-card-readers-on-Windows-tp15595p15597.html
Sent from the Developer mailing list archive at Nabble.com. |
From: <pu...@fe...> - 2016-02-18 07:15:09
|
Hi,

does your reader support "Extended-APDU"?
Smartcard-HSM requires "Extended-APDU" support on reader.

best regards
Christian

Quoting scott_thomas007 <sco...@ya...>:
> Bonjour Users,
> I am trying to use SC-HSM smart cards with Omni key 3x21 SC reader with |
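What "Extended-APDU" means at the byte level, as an added example that is not part of the thread or of OpenSC: a classifier for the ISO 7816-4 command APDU cases, which tells short APDUs (one-byte Lc/Le) from extended ones (a 00 marker followed by two-byte lengths). The enum and function names are assumptions, and the sample APDUs are constructed.

```c
#include <stddef.h>
#include <stdio.h>

enum apdu_case {
    APDU_INVALID = 0,
    APDU_CASE_1,   /* header only                         */
    APDU_CASE_2S,  /* header + Le (1 byte)                */
    APDU_CASE_3S,  /* header + Lc (1 byte) + data         */
    APDU_CASE_4S,  /* header + Lc + data + Le             */
    APDU_CASE_2E,  /* header + 00 + Le (2 bytes)          */
    APDU_CASE_3E,  /* header + 00 + Lc (2 bytes) + data   */
    APDU_CASE_4E   /* header + 00 + Lc + data + Le (2)    */
};

/* Classify a command APDU by its length fields (ISO 7816-4). */
enum apdu_case apdu_classify(const unsigned char *apdu, size_t len)
{
    size_t lc;

    if (apdu == NULL || len < 4)
        return APDU_INVALID;
    if (len == 4)
        return APDU_CASE_1;
    if (len == 5)
        return APDU_CASE_2S;

    if (apdu[4] != 0) {                 /* short form: byte 4 is Lc */
        lc = apdu[4];
        if (len == 5 + lc)
            return APDU_CASE_3S;
        if (len == 6 + lc)
            return APDU_CASE_4S;
        return APDU_INVALID;
    }

    /* Byte 4 is 00 and more bytes follow: extended form. */
    if (len < 7)
        return APDU_INVALID;            /* a short Lc of 0 is not allowed */
    if (len == 7)
        return APDU_CASE_2E;
    lc = ((size_t)apdu[5] << 8) | apdu[6];
    if (lc == 0)
        return APDU_INVALID;
    if (len == 7 + lc)
        return APDU_CASE_3E;
    if (len == 9 + lc)
        return APDU_CASE_4E;
    return APDU_INVALID;
}

/* 1 if the reader must pass extended-length APDUs for this command. */
int apdu_needs_extended(const unsigned char *apdu, size_t len)
{
    return apdu_classify(apdu, len) >= APDU_CASE_2E;
}

/* Constructed samples. The first two are both 7 bytes long; only byte 4
 * distinguishes a short SELECT with 2 data bytes from an extended read. */
static const unsigned char sample_select[]   = {0x00, 0xA4, 0x00, 0x00, 0x02, 0x3F, 0x00};
static const unsigned char sample_read_ext[] = {0x00, 0xB0, 0x00, 0x00, 0x00, 0x04, 0x00};
static const unsigned char sample_sign_ext[] = {0x00, 0x2A, 0x9E, 0x9A, 0x00, 0x00, 0x03,
                                                0xAA, 0xBB, 0xCC, 0x04, 0x00};

int main(void)
{
    printf("select:   case %d, extended=%d\n",
           apdu_classify(sample_select, sizeof sample_select),
           apdu_needs_extended(sample_select, sizeof sample_select));
    printf("read ext: case %d, extended=%d\n",
           apdu_classify(sample_read_ext, sizeof sample_read_ext),
           apdu_needs_extended(sample_read_ext, sizeof sample_read_ext));
    printf("sign ext: case %d, extended=%d\n",
           apdu_classify(sample_sign_ext, sizeof sample_sign_ext),
           apdu_needs_extended(sample_sign_ext, sizeof sample_sign_ext));
    return 0;
}
```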
From: scott_thomas007 <sco...@ya...> - 2016-02-18 06:40:21
|
Bonjour Users,

I am trying to use SC-HSM smart cards with Omni key 3x21 SC reader with OpenSC. I am using correct versions of reader driver (hid_omnikey3x2x_x86_r1_2_20_0.exe) from the website (http://www.hidglobal.com/drivers/19011). Also using the latest OpenSC version: 0.15

But when I try to run the basic command of dump then it generates the following error.

C:\Program Files\OpenSC Project\OpenSC\tools>pkcs15-tool.exe -D
Using reader with a card: OMNIKEY CardMan 3x21 0
PKCS#15 binding failed: Transmit failed

Interesting fact is that, if I replace Gemalto Smart card reader then the command runs successfully.

I tried the above steps on Windows XP, 7 and 8.1Pro. All result with the same error.

Please guide me.

Regards
Scott Thomas

--
View this message in context: http://opensc.1086184.n5.nabble.com/OpenSC-Issue-with-SC-HSM-smart-cards-on-Omni-Key-3x21-smart-card-readers-on-Windows-tp15595.html
Sent from the Developer mailing list archive at Nabble.com. |
From: Douglas E E. <dee...@gm...> - 2016-01-25 13:15:15
|
The NIST PIV specs leave most of card management up to the vendor. Best I can tell this was done to allow vendors to have features that would allow them to sell their cards based on their value added features. In the NIST model, large federal agencies run the card management systems, issue cards and maintain the PUK. Yubico on the other hand is selling tokens to individuals, and Yubico publishes how to reset the card so the PUK can also be reset.

So if you can't get the documentation on how to reset the card or the PuK from the card vendor, it may be the PUK can not be reset.
Well managed card management systems would not lose the PUK. Yubico on the other hand understands users may lose the PUK.

Buy a new card.

On 1/24/2016 11:26 PM, Ryan Chapman wrote:
> Hi,
>
> Does anyone know if there is a way to unblock a PUK on a PIV card or re-initialize the PIV applet?
>
> The card is a Gemalto IDPrime PIV Card v2.0 using SCP01
> ATR: 3b:7d:96:00:00:80:31:80:65:b0:83:11:11:e5:83:00:90:00
>
> I know the admin key for the card, but even when I authenticate to the card (which still works), I am unable to change the state of the PUK lockout. The PIN is also blocked, but I know how to unblock that if the PUK is unblocked (for anyone who wants to know, if your PUK is 12345 and you want to unblock the PIN and set the PIN to 1234, do: piv-tool -A M:9B:03 -s 00:2c:00:80:10:31:32:33:34:35:ff:ff:ff:31:32:33:34:ff:ff:ff:ff)
>
> This command is used to change the PUK if the current one is known (it's 1234). However, I'm told 0x6983, which according to ISO7816-4 means "Authentication method blocked"
>
> $ piv-tool -A M:9B:03 -s 00:24:00:81:10:31:32:33:34:ff:ff:ff:ff:31:32:33:34:ff:ff:ff:ff
> Using reader with a card: Gemalto Prox Dual USB PC Link Reader(2)
> Sending: 00 24 00 81 10 31 32 33 34 FF FF FF FF 31 32 33 34 FF FF FF FF
> Received (SW1=0x69, SW2=0x83)
>
> According to the data sheet, the PUK is stored in the internal object tag 0xFF8101, but I am not sure if it is possible to write to that tag.
> http://www.gemalto.com/products/piv_card/download/IDPrime_PIV_Card_v2_0_SCP01_OTP_Data_Model_Samples.pdf
>
> What got me here was that I was unable to generate a keypair on the card and thought I might be able to reset the PIV application like Yubikey NEO does it. With their card, the PIN and PUK must be blocked, then you send "00 fb 00 00 00" and the PIV applet is reset with retry counters set at 3 again. Not so much with Gemalto. And I can't find anyone at Gemalto that will provide documentation, even if I am willing to pay for it.
>
> Thought I would check here before I toss the card in the drawer and get a new one.
>
> Thanks in advance
>
> Ryan

--
Douglas E. Engert <DEE...@gm...> |
From: Ryan C. <ry...@rc...> - 2016-01-25 05:50:37
|
Hi,

Does anyone know if there is a way to unblock a PUK on a PIV card or re-initialize the PIV applet?

The card is a Gemalto IDPrime PIV Card v2.0 using SCP01
ATR: 3b:7d:96:00:00:80:31:80:65:b0:83:11:11:e5:83:00:90:00

I know the admin key for the card, but even when I authenticate to the card (which still works), I am unable to change the state of the PUK lockout. The PIN is also blocked, but I know how to unblock that if the PUK is unblocked (for anyone who wants to know, if your PUK is 12345 and you want to unblock the PIN and set the PIN to 1234, do:
piv-tool -A M:9B:03 -s 00:2c:00:80:10:31:32:33:34:35:ff:ff:ff:31:32:33:34:ff:ff:ff:ff
)

This command is used to change the PUK if the current one is known (it's 1234). However, I'm told 0x6983, which according to ISO7816-4 means "Authentication method blocked"

$ piv-tool -A M:9B:03 -s 00:24:00:81:10:31:32:33:34:ff:ff:ff:ff:31:32:33:34:ff:ff:ff:ff
Using reader with a card: Gemalto Prox Dual USB PC Link Reader(2)
Sending: 00 24 00 81 10 31 32 33 34 FF FF FF FF 31 32 33 34 FF FF FF FF
Received (SW1=0x69, SW2=0x83)

According to the data sheet, the PUK is stored in the internal object tag 0xFF8101, but I am not sure if it is possible to write to that tag.
http://www.gemalto.com/products/piv_card/download/IDPrime_PIV_Card_v2_0_SCP01_OTP_Data_Model_Samples.pdf

What got me here was that I was unable to generate a keypair on the card and thought I might be able to reset the PIV application like Yubikey NEO does it. With their card, the PIN and PUK must be blocked, then you send "00 fb 00 00 00" and the PIV applet is reset with retry counters set at 3 again. Not so much with Gemalto. And I can't find anyone at Gemalto that will provide documentation, even if I am willing to pay for it.

Thought I would check here before I toss the card in the drawer and get a new one.

Thanks in advance

Ryan |
From: Douglas E E. <dee...@gm...> - 2016-01-22 23:00:03
|
If anyone wants to do any testing of opensc libp11 and engine with OpenSSL-1.1, the patches applied to libp11 for use with OpenSSL-1.1 are based on the tag-OpenSSL_1_1_0-pre2. OpenSSL developers are continuing to update the github version which introduces new issues. (I am trying to follow them.)

There is still https://github.com/OpenSC/engine_pkcs11/pull/39 that adds the engine side of the patch.

$ /opt/smartcard/bin/openssl version
OpenSSL 1.1.0-pre2 (alpha) 14 Jan 2016

To test the engine with ECDH, I have been using PIV cards that have a key management cert and key.

To encrypt a message, $2 is the key management certificate of the recipient of the message. No card is needed to send. The sender's key is not used here because the method cms uses only requires the recipient's certificate.

echo "Hello World!" > /tmp/ml.txt
openssl cms -encrypt -out /tmp/cms.encrypted.mail.msg -from dee...@gm... -to DEE...@gm... -aes256 -in /tmp/ml.txt $2

Then to use the recipient's card and key management key:

# write out the recipient's cert from the card.
pkcs15-tool -r 03 > /tmp/mycert.pem
myeckey="slot_01-id_03"
openssl cms -decrypt -out /tmp/cms.decrypted.mail.msg -engine pkcs11 -inkey $myeckey -keyform e -recip /tmp/mycert.pem -in /tmp/cms.encrypted.mail.msg

The above should work with OpenSSL-1.1.0-pre2.

Attached are two patches to tag-OpenSSL_1_1_0-pre2 to get openssl cms and openssl req to sign a message using the engine.

https://github.com/OpenSC/engine_pkcs11/pull/39 src/engine_pkcs11.c has some code to find the pkcs#11 module that needs to be looked at.

--
Douglas E. Engert <DEE...@gm...> |
From: David S. <DS...@da...> - 2016-01-19 09:12:11
|
I emailed this by mistake to the wrong address, I think.

From: David Sills
Sent: Monday, January 18, 2016 10:22 AM
To: 'Jaroslav Imrich'
Subject: RE: [Opensc-devel] Question about OpenSC

Jaroslav:

Thanks so much for your prompt reply. I pretty much started there. Of course, the Sun class is just a wrapper around a native provider (in my case, the OpenSC provider), so I was hoping to get some useful tips. However, perhaps there are not developers who have made this work.

We have a client who wants to “smart-card-enable” their application. Essentially, they want to identify the user from the smart card (not something I immediately see how to do, either from Sun or OpenSC) and find whether or not their certificate (and the question of “which certificate?” is a valid one) is valid, possibly checking whether their PIN is correctly entered. That would substitute for their logging on to the application with a username and password. I know of no application that actually does this, so I am skeptical, but that is my charge for the moment.

Thanks for trying to help!

David

From: Jaroslav Imrich [mailto:jar...@gm...]
Sent: Monday, January 18, 2016 10:14 AM
To: David Sills
Cc: ope...@li...
Subject: Re: [Opensc-devel] Question about OpenSC

Hello David,

seems like your primary problem is behaviour of SunPKCS11 provider so IMO you should take a look at "Java PKCS#11 Reference Guide" [0] which describes in detail how this provider operates. I remember that values of CKA_LABEL and CKA_ID attributes were very important and that SunPKCS11 provider didn't "show" private keys which were not associated with the certificate.

[0] http://docs.oracle.com/javase/7/docs/technotes/guides/security/p11guide.html

Kind Regards
Jaroslav Imrich
http://www.jimrich.sk
jar...@gm...

On Mon, Jan 18, 2016 at 3:40 PM, David Sills <DS...@da...> wrote:

To whom it may concern:

This is apparently not a mailing list for users, but I am a (potential) user with many questions. Is there a mailing list for me?

I have successfully (more or less) got OpenSC working on my Windows 7 machine with a Dell Smart Card Reader Keyboard and pkcs11-tool seems to be able to detect keys (and thus certificates, I assume) on the card, but when I go through the Sun API (SunPKCS11) I get no aliases in the Keystore I generate, which makes it, of course, impossible to get at the data. (What I really want to know is, is the certificate expired?) Is this a common occurrence, and has anyone any kind of solution for it?

Please redirect me if I am in the wrong list. Many thanks for your work in creating OpenSC.

Thanks!

David |
From: Douglas E E. <dee...@gm...> - 2016-01-19 02:13:52
|
I have OpenSC, libp11, engine-pkcs11, working with OpenSSL-1.1-pre2. This includes ECDH support in libp11, engine-pkcs11. There is still a lot of cleanup to be done to get the ECDH code in shape.

I was able to use the OpenSSL cms -encrypt using the certificate for the recipient. Then used the cms -decrypt with the smart card of the recipient to do a ECDH operation to get the AES key to decrypt the message.

OpenSSL is still not stable, but they have been fixing bugs.

One issue with OpenSC is that src/common/simclist.h does:

# define inline /* inline */

OpenSSL e_os2.h does:

# if !defined(inline) && !defined(__cplusplus)

So depending on the order of header files, things work fine, or you get pages of errors because ossl_inline is not changed. The line above should have been:

# if !defined(ossl_inline) && !defined(__cplusplus)

See: https://rt.openssl.org/Ticket/Display.html?id=4245

I hope to have the libp11 and engine changes cleaned up in the next few days.

--
Douglas E. Engert <DEE...@gm...> |
From: Frank M. <mo...@in...> - 2016-01-19 01:30:20
|
To extract the certificate, you could try something like
https://github.com/OpenSC/OpenSC/wiki/SmartCardHSM#store-certificates-and-data

On Monday, January 18 at 02:40PM, David Sills wrote:
> To whom it may concern:
>
> This is apparently not a mailing list for users, but I am a (potential) user with many questions. Is there a mailing list for me?
>
> I have successfully (more or less) got OpenSC working on my Windows 7 machine with a Dell Smart Card Reader Keyboard and pkcs11-tool seems to be able to detect keys (and thus certificates, I assume) on the card, but when I go through the Sun API (SunPKCS11) I get no aliases in the Keystore I generate, which makes it, of course, impossible to get at the data. (What I really want to know is, is the certificate expired?) Is this a common occurrence, and has anyone any kind of solution for it?
>
> Please redirect me if I am in the wrong list. Many thanks for your work in creating OpenSC.
>
> Thanks!
>
> David

--
Frank Morgner

Virtual Smart Card Architecture http://vsmartcard.sourceforge.net
OpenPACE http://openpace.sourceforge.net
IFD Handler for libnfc Devices http://sourceforge.net/projects/ifdnfc |