From: Douglas E E. <dee...@gm...> - 2021-02-02 13:49:03

The point of using a smartcard is the crypto operations are done on the smart card, token or other hardware like a HSM, or TPS. The point of FIPS is the software and hardware has been approved and tested to do appropriate crypto operations.

The "fix" to just set RSA_FLAG_FIPS_METHOD is not a fix, it is a lie. It in effect is saying libp11 takes the responsibility of saying the PKCS11 modules and the smart card, tokens or other hardware are FIPS compliant. The problem today, from the PKCS#11 standpoint, is there is no way to prove the PKCS#11 modules and hardware meet the FIPS standards. Some PKCS#11 modules are software only, designed so they can run in the cloud and with better performance. Some smart cards have applets that have never been approved. (Note: The RedHat comments in the bug fix say it is not a proper fix.)

You as the application developer have a choice as to what version of OpenSSL you use. As Petr said, you can split the operations up, so the engine with pkcs11 is used with a non-FIPS mode OpenSSL, and FIPS mode for the rest. Or you can use non-FIPS OpenSSL. Or modify the code like RedHat did. You also have a choice as to what PKCS11 modules and hardware you are using.

As an OpenSC developer, I see this is a problem, but would not want to see the "fix" in the code as it is a lie. But it might be possible to add code that would set that flag, maybe via an env variable? This would let the application developer decide if they want to take responsibility. This is going to be more complicated with ECC and newer versions of OpenSSL too.

P.S. You used the phrase "get the private key". For most PKCS11 systems, the private key never leaves the smart card. The crypto operation is done on the card; you can only retrieve the result of the operation, like a signature. If you can "get the private key" off the smartcard using PKCS11, there would be no need of a smart card; it could be a file that you read and pass to openssl, and no need to use an engine or libp11.

On 2/1/2021 9:15 PM, George wrote:
> Hi Petr,
>
> I would like to clarify my original problem. The mutual authentication is between my application using OpenSSL and another server. I am using LIBP11 with OpenSSL to allow OpenSSL to access the certificate and private key on my smart card. i.e. OpenSSL is using LIBP11 to get the private key and certificate.
>
> When FIPS is enabled, I see the OpenSSL error:
>
>     error:0409909D:rsa routines:RSA_public_encrypt:non fips rsa method
>
> Since I am not making any calls directly to LIBP11, how can I fix this in my code? i.e. OpenSSL is using LIBP11, not my application code.
>
> This problem was described in the Red Hat bug report:
>
> https://bugzilla.redhat.com/show_bug.cgi?id=1827535
>
> The solution was to add a flag RSA_FLAG_FIPS_METHOD in the p11_rsa.c function:
>
>     RSA_METHOD *PKCS11_get_rsa_method(void)
>     {
>         static RSA_METHOD *ops = NULL;
>
>         if (!ops) {
>             alloc_rsa_ex_index();
>             ops = RSA_meth_dup(RSA_get_default_method());
>             if (!ops)
>                 return NULL;
>             RSA_meth_set1_name(ops, "libp11 RSA method");
>             RSA_meth_set_flags(ops, RSA_FLAG_FIPS_METHOD); /* <-- This flag was added to fix the problem */
>             RSA_meth_set_priv_enc(ops, pkcs11_rsa_priv_enc_method);
>             RSA_meth_set_priv_dec(ops, pkcs11_rsa_priv_dec_method);
>             RSA_meth_set_finish(ops, pkcs11_rsa_free_method);
>         }
>         return ops;
>     }
>
> Is the problem related to the actual PIN? If so, how can I fix that?
>
> My OpenSSL dynamic engine is initialized with code to obtain the smart card password from the user with getPassword():
>
>     ENGINE_ctrl_cmd_string(engine, "PIN", getPassword(), 0);
>
> Thanks,
> George
>
> On 2021-02-01 1:35 p.m., Petr Pisar wrote:
>> On Mon, Feb 01, 2021 at 12:39:30PM -0500, George wrote:
>>> Hi,
>>>
>>> I had a closer look at this problem and confirmed that I have successfully enabled FIPS in OpenSSL and am using the FIPS compliant cipher suite TLS_RSA_WITH_AES_128_CBC_SHA.
>>> (https://wiki.openssl.org/index.php/FIPS_mode_and_TLS#TLS_1.2)
>>>
>> That's a cipher suite for TLS (encrypted TCP).
>>
>>> However, LIBP11 still fails unless I make a modification to the source code in p11_rsa.c. Does this mean there is indeed a bug in LIBP11?
>>>
>> I think that a mutual authentication in context of libp11 means a "secure" authentication of a user to a cryptographic card instead of sending a PIN in a "plain" text between the user and the card. I saw a few hints that there is used a MD5-based HMAC. And that probably triggers your issue.
>>
>> -- Petr
>>
>> _______________________________________________
>> Opensc-devel mailing list
>> Ope...@li...
>> https://lists.sourceforge.net/lists/listinfo/opensc-devel

-- Douglas E. Engert <DEE...@gm...>
From: Petr P. <pet...@at...> - 2021-02-02 06:50:42

On Mon, Feb 01, 2021 at 10:15:43PM -0500, George wrote:
> I would like to clarify my original problem. The mutual authentication is between my application using OpenSSL and another server. I am using LIBP11 with OpenSSL to allow OpenSSL to access the certificate and private key on my smart card. i.e. OpenSSL is using LIBP11 to get the private key and certificate.
>
> When FIPS is enabled, I see the OpenSSL error:
>
>     error:0409909D:rsa routines:RSA_public_encrypt:non fips rsa method
>
> Since I am not making any calls directly to LIBP11, how can I fix this in my code? i.e. OpenSSL is using LIBP11, not my application code.
>
There can be many places which violate FIPS. Your (server or client) X.509 certificate can use a weak digest algorithm. The TLS cipher suite can use a weak algorithm. Your PKCS11 driver can use a weak algorithm when logging into a smart card. And probably other places.

I recommend you to split your code into smaller pieces: Establishing a TLS connection without the smart card. Logging into the smart card without making a TLS connection. Making a TLS connection using keys on the card without the libp11 library (libp11 is only an abstraction layer. You can use OpenSSL engines directly.) And find out where the problem exactly is.

> Is the problem related to the actual PIN? If so, how can I fix that?
>
The problem is not a value of the PIN. It might be the way the card driver logs into the card with the PIN. If it is so, you would have to look into the PKCS11 driver of your card.

-- Petr
From: George <whi...@gm...> - 2021-02-02 03:16:06

Hi Petr,

I would like to clarify my original problem. The mutual authentication is between my application using OpenSSL and another server. I am using LIBP11 with OpenSSL to allow OpenSSL to access the certificate and private key on my smart card. i.e. OpenSSL is using LIBP11 to get the private key and certificate.

When FIPS is enabled, I see the OpenSSL error:

    error:0409909D:rsa routines:RSA_public_encrypt:non fips rsa method

Since I am not making any calls directly to LIBP11, how can I fix this in my code? i.e. OpenSSL is using LIBP11, not my application code.

This problem was described in the Red Hat bug report:

https://bugzilla.redhat.com/show_bug.cgi?id=1827535

The solution was to add a flag RSA_FLAG_FIPS_METHOD in the p11_rsa.c function:

    RSA_METHOD *PKCS11_get_rsa_method(void)
    {
        static RSA_METHOD *ops = NULL;

        if (!ops) {
            alloc_rsa_ex_index();
            ops = RSA_meth_dup(RSA_get_default_method());
            if (!ops)
                return NULL;
            RSA_meth_set1_name(ops, "libp11 RSA method");
            RSA_meth_set_flags(ops, RSA_FLAG_FIPS_METHOD); /* <-- This flag was added to fix the problem */
            RSA_meth_set_priv_enc(ops, pkcs11_rsa_priv_enc_method);
            RSA_meth_set_priv_dec(ops, pkcs11_rsa_priv_dec_method);
            RSA_meth_set_finish(ops, pkcs11_rsa_free_method);
        }
        return ops;
    }

Is the problem related to the actual PIN? If so, how can I fix that?

My OpenSSL dynamic engine is initialized with code to obtain the smart card password from the user with getPassword():

    ENGINE_ctrl_cmd_string(engine, "PIN", getPassword(), 0);

Thanks,
George

On 2021-02-01 1:35 p.m., Petr Pisar wrote:
> On Mon, Feb 01, 2021 at 12:39:30PM -0500, George wrote:
>> Hi,
>>
>> I had a closer look at this problem and confirmed that I have successfully enabled FIPS in OpenSSL and am using the FIPS compliant cipher suite TLS_RSA_WITH_AES_128_CBC_SHA.
>> (https://wiki.openssl.org/index.php/FIPS_mode_and_TLS#TLS_1.2)
>>
> That's a cipher suite for TLS (encrypted TCP).
>
>> However, LIBP11 still fails unless I make a modification to the source code in p11_rsa.c. Does this mean there is indeed a bug in LIBP11?
>>
> I think that a mutual authentication in context of libp11 means a "secure" authentication of a user to a cryptographic card instead of sending a PIN in a "plain" text between the user and the card. I saw a few hints that there is used a MD5-based HMAC. And that probably triggers your issue.
>
> -- Petr
From: Petr P. <pet...@at...> - 2021-02-01 18:36:17

On Mon, Feb 01, 2021 at 12:39:30PM -0500, George wrote:
> Hi,
>
> I had a closer look at this problem and confirmed that I have successfully enabled FIPS in OpenSSL and am using the FIPS compliant cipher suite TLS_RSA_WITH_AES_128_CBC_SHA.
> (https://wiki.openssl.org/index.php/FIPS_mode_and_TLS#TLS_1.2)
>
That's a cipher suite for TLS (encrypted TCP).

> However, LIBP11 still fails unless I make a modification to the source code in p11_rsa.c. Does this mean there is indeed a bug in LIBP11?
>
I think that a mutual authentication in context of libp11 means a "secure" authentication of a user to a cryptographic card instead of sending a PIN in a "plain" text between the user and the card. I saw a few hints that there is used a MD5-based HMAC. And that probably triggers your issue.

-- Petr
From: George <whi...@gm...> - 2021-02-01 17:39:54

Hi,

I had a closer look at this problem and confirmed that I have successfully enabled FIPS in OpenSSL and am using the FIPS compliant cipher suite TLS_RSA_WITH_AES_128_CBC_SHA. (https://wiki.openssl.org/index.php/FIPS_mode_and_TLS#TLS_1.2)

However, LIBP11 still fails unless I make a modification to the source code in p11_rsa.c. Does this mean there is indeed a bug in LIBP11?

I changed the line

    RSA_meth_set_flags(ops, 0);

to

    RSA_meth_set_flags(ops, RSA_FLAG_FIPS_METHOD);

in the code

    RSA_METHOD *PKCS11_get_rsa_method(void)
    {
        static RSA_METHOD *ops = NULL;

        if (!ops) {
            alloc_rsa_ex_index();
            ops = RSA_meth_dup(RSA_get_default_method());
            if (!ops)
                return NULL;
            RSA_meth_set1_name(ops, "libp11 RSA method");
            RSA_meth_set_flags(ops, RSA_FLAG_FIPS_METHOD);
            RSA_meth_set_priv_enc(ops, pkcs11_rsa_priv_enc_method);
            RSA_meth_set_priv_dec(ops, pkcs11_rsa_priv_dec_method);
            RSA_meth_set_finish(ops, pkcs11_rsa_free_method);
        }
        return ops;
    }

(This was described in https://bugzilla.redhat.com/show_bug.cgi?id=1827535 )

The flag RSA_FLAG_FIPS_METHOD is defined to specify the RSA methods are FIPS compliant:

    /* If this flag is set the RSA method is FIPS compliant and can be used
     * in FIPS mode. This is set in the validated module method. If an
     * application sets this flag in its own methods it is its responsibility
     * to ensure the result is compliant.
     */
    #define RSA_FLAG_FIPS_METHOD 0x0400

Thanks,
George

On 2021-01-28 2:03 a.m., George wrote:
> Thanks for the information. Do you mean the line
>     RSA_meth_set_flags(ops, RSA_FLAG_FIPS_METHOD);
> will allow the inclusion of non-FIPS compliant algorithms?
>
> Does this mean I should not be using LIBP11 if I want my code to be FIPS-compliant?
>
> Thanks,
> George
>
> On 2021-01-27 2:54 a.m., Petr Pisar wrote:
>> On Tue, Jan 26, 2021 at 11:25:13PM -0500, George wrote:
>>> When I attempt to do mutual authentication with a smart card, it fails. The problem appears to be related to enabling FIPS. I am using OpenSSL 1.0.2u (with FIPS) and LIBP11 0.4.11.
>>> I found the following Red Hat bug report, which describes the exact same problem I am seeing:
>>> https://bugzilla.redhat.com/show_bug.cgi?id=1827535
>>>
>>> Is this a known LIBP11 bug? Will it be fixed in future versions of LIBP11?
>>>
>>> A suggested workaround in the above link is to make a change in the file libp11-libp11-0.4.11\src\p11_rsa.c:
>>> Change the line
>>>
>>>     RSA_meth_set_flags(ops, 0);
>>>
>>> to
>>>
>>>     RSA_meth_set_flags(ops, RSA_FLAG_FIPS_METHOD);
>>>
>>> Once I did this, it fixed my problem. Is this a proper fix?
>>>
>> The flag disables exclusion of FIPS noncompliant algorithms (e.g. MD5) from the OpenSSL routines and leaves the compliance to the application.
>>
>> In other words your system is not FIPS compliant anymore unless you get FIPS certification for your patched libp11.
>>
>> The questions are:
>>
>> Do you really need FIPS compliance? If not, then do not enable FIPS mode.
>>
>> Does the mutual authentication protocol mandate use of noncompliant algorithms? If yes, then it's broken by design and you simply cannot use the authentication in FIPS mode. Otherwise libp11 and your smart card should use a different, compliant algorithm instead.
>>
>> Is smart card mutual authentication subject of FIPS compliance? Technically you can use non-compliant algorithms for non-cryptographic purposes even in FIPS mode. E.g. MD5 for hash tables or data identification. But in my opinion authentication falls into a FIPS realm, so this is not the case. You should talk to your security auditor about this.
>>
>> -- Petr
From: George <whi...@gm...> - 2021-01-28 07:04:06

Thanks for the information. Do you mean the line

    RSA_meth_set_flags(ops, RSA_FLAG_FIPS_METHOD);

will allow the inclusion of non-FIPS compliant algorithms?

Does this mean I should not be using LIBP11 if I want my code to be FIPS-compliant?

Thanks,
George

On 2021-01-27 2:54 a.m., Petr Pisar wrote:
> On Tue, Jan 26, 2021 at 11:25:13PM -0500, George wrote:
>> When I attempt to do mutual authentication with a smart card, it fails. The problem appears to be related to enabling FIPS. I am using OpenSSL 1.0.2u (with FIPS) and LIBP11 0.4.11.
>> I found the following Red Hat bug report, which describes the exact same problem I am seeing:
>> https://bugzilla.redhat.com/show_bug.cgi?id=1827535
>>
>> Is this a known LIBP11 bug? Will it be fixed in future versions of LIBP11?
>>
>> A suggested workaround in the above link is to make a change in the file libp11-libp11-0.4.11\src\p11_rsa.c:
>> Change the line
>>
>>     RSA_meth_set_flags(ops, 0);
>>
>> to
>>
>>     RSA_meth_set_flags(ops, RSA_FLAG_FIPS_METHOD);
>>
>> Once I did this, it fixed my problem. Is this a proper fix?
>>
> The flag disables exclusion of FIPS noncompliant algorithms (e.g. MD5) from the OpenSSL routines and leaves the compliance to the application.
>
> In other words your system is not FIPS compliant anymore unless you get FIPS certification for your patched libp11.
>
> The questions are:
>
> Do you really need FIPS compliance? If not, then do not enable FIPS mode.
>
> Does the mutual authentication protocol mandate use of noncompliant algorithms? If yes, then it's broken by design and you simply cannot use the authentication in FIPS mode. Otherwise libp11 and your smart card should use a different, compliant algorithm instead.
>
> Is smart card mutual authentication subject of FIPS compliance? Technically you can use non-compliant algorithms for non-cryptographic purposes even in FIPS mode. E.g. MD5 for hash tables or data identification. But in my opinion authentication falls into a FIPS realm, so this is not the case. You should talk to your security auditor about this.
>
> -- Petr
From: Petr P. <pet...@at...> - 2021-01-27 08:10:58

On Tue, Jan 26, 2021 at 11:25:13PM -0500, George wrote:
> When I attempt to do mutual authentication with a smart card, it fails. The problem appears to be related to enabling FIPS. I am using OpenSSL 1.0.2u (with FIPS) and LIBP11 0.4.11.
> I found the following Red Hat bug report, which describes the exact same problem I am seeing:
> https://bugzilla.redhat.com/show_bug.cgi?id=1827535
>
> Is this a known LIBP11 bug? Will it be fixed in future versions of LIBP11?
>
> A suggested workaround in the above link is to make a change in the file libp11-libp11-0.4.11\src\p11_rsa.c:
> Change the line
>
>     RSA_meth_set_flags(ops, 0);
>
> to
>
>     RSA_meth_set_flags(ops, RSA_FLAG_FIPS_METHOD);
>
> Once I did this, it fixed my problem. Is this a proper fix?
>
The flag disables exclusion of FIPS noncompliant algorithms (e.g. MD5) from the OpenSSL routines and leaves the compliance to the application.

In other words your system is not FIPS compliant anymore unless you get FIPS certification for your patched libp11.

The questions are:

Do you really need FIPS compliance? If not, then do not enable FIPS mode.

Does the mutual authentication protocol mandate use of noncompliant algorithms? If yes, then it's broken by design and you simply cannot use the authentication in FIPS mode. Otherwise libp11 and your smart card should use a different, compliant algorithm instead.

Is smart card mutual authentication subject of FIPS compliance? Technically you can use non-compliant algorithms for non-cryptographic purposes even in FIPS mode. E.g. MD5 for hash tables or data identification. But in my opinion authentication falls into a FIPS realm, so this is not the case. You should talk to your security auditor about this.

-- Petr
From: George <whi...@gm...> - 2021-01-27 04:25:33

Hi,

When I attempt to do mutual authentication with a smart card, it fails. The problem appears to be related to enabling FIPS. I am using OpenSSL 1.0.2u (with FIPS) and LIBP11 0.4.11.
I found the following Red Hat bug report, which describes the exact same problem I am seeing:
https://bugzilla.redhat.com/show_bug.cgi?id=1827535

Is this a known LIBP11 bug? Will it be fixed in future versions of LIBP11?

A suggested workaround in the above link is to make a change in the file libp11-libp11-0.4.11\src\p11_rsa.c:
Change the line

    RSA_meth_set_flags(ops, 0);

to

    RSA_meth_set_flags(ops, RSA_FLAG_FIPS_METHOD);

Once I did this, it fixed my problem. Is this a proper fix?

Thanks,
George
From: Jakub J. <jj...@re...> - 2021-01-21 13:37:46

On 1/18/21 7:59 PM, Kaya Saman via Opensc-devel wrote:
> Hi,
>
> upon advice I bought a Feitian A22 Java card. I managed to get it to work with PAM integration and wanted to share my notes on the procedure as a lot of the information was scattered around or using a previous version of OpenSSL; eventually I used about 20 or more? different sites to figure out the below.
>
> Maybe it could be put onto a Wiki somewhere? It is working on Arch Linux and a Lenovo P15 notebook with SmartCard Reader option installed.
>
Feel free to find a wiki to update or create a new one on github:

https://github.com/OpenSC/OpenSC/wiki/

Or Arch has one wiki too if I am right.

Note, that some of the paths and pam modules are really specific to Arch and they will not work in other distros.

> INSTALL
> -------
>
> INSTALL IsoApplet TO CARD AND GENERATE PUBLIC KEY:

This generates also a private key (which is IMHO more important than the public one). But not sure where do you use this key as you generate one more later.

The other possibility is to use sssd to handle the smart card authentication (to sudo, gdm, anything), which I consider a bit more straight-forward (but I do not have a guide at hand just now).

Regards,
--
Jakub Jelen
Senior Software Engineer
Crypto Team, Security Engineering
Red Hat, Inc.
From: Kaya S. <kay...@op...> - 2021-01-18 19:00:28

Hi,

upon advice I bought a Feitian A22 Java card. I managed to get it to work with PAM integration and wanted to share my notes on the procedure as a lot of the information was scattered around or using a previous version of OpenSSL; eventually I used about 20 or more? different sites to figure out the below.

Maybe it could be put onto a Wiki somewhere? It is working on Arch Linux and a Lenovo P15 notebook with SmartCard Reader option installed.

INSTALL
-------

INSTALL IsoApplet TO CARD AND GENERATE PUBLIC KEY:

    java -jar /usr/share/java/globalplatformpro/gp.jar -info
    java -jar /usr/share/java/globalplatformpro/gp.jar -list
    cd IsoApplet/
    java -jar /usr/share/java/globalplatformpro/gp.jar -install IsoApplet.cap
    java -jar /usr/share/java/globalplatformpro/gp.jar -list
    pcsc_scan
    pkcs15-init --generate-key "rsa/2048" --auth-id "FF" --label "myKey" --id "1" --key-usage digitalSignature,keyAgreement,keyEncipherment
    pkcs15-tool --dump
    pkcs15-tool --read-public-key "01" --output "publicKey.pem"
    pkcs11-tool -O
    pkcs11-tool -M

OpenSSL /etc/ssl/openssl.cnf -> ADD TO TOP:

    # Note that you can include other files from the main configuration
    # file using the .include directive.
    #.include filename

    openssl_conf = openssl_init

    # This definition stops the following lines choking if HOME isn't
    # defined.
    HOME = .

ADD TO BOTTOM:

    # openssl_conf above points at this section; without it the engine
    # section is never read.
    [openssl_init]
    engines = engine_section

    [engine_section]
    pkcs11 = pkcs11_section

    [pkcs11_section]
    engine_id = pkcs11
    dynamic_path = /usr/lib/engines-1.1/libpkcs11.so
    MODULE_PATH = opensc-pkcs11.so
    init = 0

CHECK ENGINE AVAILABILITY:

    openssl engine pkcs11 -t
    (pkcs11) pkcs11 engine
         [ available ]

GENERATE PRIVATE KEY:

    p11tool --provider /usr/lib/opensc-pkcs11.so --login --generate-rsa --bits 2048 --label $USER
    p11tool --provider /usr/lib/opensc-pkcs11.so --list-privkeys --login

GENERATE CERTIFICATE:

    openssl req -engine pkcs11 -new -key "pkcs11:object=myKey;type=private;pin-value=0000" -keyform engine -out req.pem -text -x509 -subj "/CN=$USER"

STORE CERTIFICATE TO CARD AND COPY TO /etc/pam_pkcs11/cacerts:

    pkcs15-init --store-certificate cert.pem --id 1 --cert-label "$USER"
    cp /path/to/cert.pem /etc/pam_pkcs11/cacerts/
    pkcs11_make_hash_link

VERIFY INFORMATION ON CARD:

    pkcs15-tool --list-keys
    pkcs15-tool -D
    pkcs11_listcerts
    pkcs15-tool -c
    pkcs11-tool --list-token-slots
    pkcs11-tool --test --login --token-label "JavaCard isoApplet (User PIN)"

PAM_PKCS11 /etc/pam_pkcs11/pam_pkcs11.conf ->

    cp /usr/share/doc/pam_pkcs11/pam_pkcs11.conf.example /etc/pam_pkcs11/pam_pkcs11.conf

MODIFY:

    cert_policy = none;
    use_mappers = pwent;

PAM MODULES:

/etc/pam.d/system-local-login ->

    auth sufficient /usr/lib/security/pam_pkcs11.so

/etc/pam.d/sudo ->

    auth sufficient /usr/lib/security/pam_pkcs11.so

TEST:

    sudo -i

I also plan into looking at what more the card can be used for such as email with pk12, ssh, vpn and many more. Eventually I think I want to get PAM to function in a way that it requires a FaceID or fingerprint in addition to the card. Currently everything works fine individually but the trick will be to combine things - fprintd and Howdy.

Best Regards,
Kaya
From: Ondřej S. <on...@su...> - 2021-01-13 23:04:31

Hi,

we are testing the engine_pkcs11 with AEP Keeper and they have this kind of proxy that can utilize multiple HSMs to speed up the operation. Unfortunately, when BIND 9 signing is using the engine_pkcs11, we suspect that the problem is actually in the engine_pkcs11, because previously the OpenSSL patch from Sun didn't suffer from this problem (the patch from Jan Pechanec).

Is there somebody who we can work with on this problem as BIND 9 Developers?

Ondrej
--
Ondřej Surý (He/Him)
on...@su...
From: Ludovic R. <lud...@gm...> - 2021-01-11 13:55:56

On Mon, 11 Jan 2021 at 12:00, Daniel Pocock <da...@po...> wrote:
> Does this mean it will definitely not work with OpenSC, GNUPG or anything else on GNU/Linux?
>
> Parsing USB bus/device: 0C4B:0400 (bus 1, device 74)
>  idVendor: 0x0C4B  iManufacturer: REINER SCT
>  idProduct: 0x0400  iProduct: cyberJack Secoder
>  NOT a CCID/ICCD device
>
No. It just means you can't use my CCID driver. You will need to use another driver.

I guess the libifd-cyberjack6 will work https://packages.debian.org/buster/libifd-cyberjack6

Bye

--
Dr. Ludovic Rousseau
From: Daniel P. <da...@po...> - 2021-01-11 11:00:38

On 11/01/2021 10:10, Ludovic Rousseau wrote:
> Hello Daniel,
>
> On Mon, 11 Jan 2021 at 09:57, Daniel Pocock <da...@po...> wrote:
>
>     I was going through some old hardware and came across this device
>
>     Is it useful with OpenSC or any other free software?
>
>     Can anybody provide any links about how to use it with free software? Or is it better to just throw it away/recycle it and use something newer?
>
>     Reiner SCT cyberJack secoder 2
>     v2.2.0
>     USB: 0c4b:0400
>
> I don't have this Reiner SCT device in my list
> https://ccid.apdu.fr/select_readers/?any~reiner
>
> You can follow https://ccid.apdu.fr/#CCID_compliant

Does this mean it will definitely not work with OpenSC, GNUPG or anything else on GNU/Linux?

Parsing USB bus/device: 0C4B:0400 (bus 1, device 74)
 idVendor: 0x0C4B  iManufacturer: REINER SCT
 idProduct: 0x0400  iProduct: cyberJack Secoder
 NOT a CCID/ICCD device
From: Ludovic R. <lud...@gm...> - 2021-01-11 09:11:02

Hello Daniel,

On Mon, 11 Jan 2021 at 09:57, Daniel Pocock <da...@po...> wrote:
>
> I was going through some old hardware and came across this device
>
> Is it useful with OpenSC or any other free software?
>
> Can anybody provide any links about how to use it with free software? Or is it better to just throw it away/recycle it and use something newer?
>
> Reiner SCT cyberJack secoder 2
> v2.2.0
> USB: 0c4b:0400
>
I don't have this Reiner SCT device in my list
https://ccid.apdu.fr/select_readers/?any~reiner

You can follow https://ccid.apdu.fr/#CCID_compliant

Bye

--
Dr. Ludovic Rousseau
From: Daniel P. <da...@po...> - 2021-01-11 08:56:55

I was going through some old hardware and came across this device

Is it useful with OpenSC or any other free software?

Can anybody provide any links about how to use it with free software? Or is it better to just throw it away/recycle it and use something newer?

Reiner SCT cyberJack secoder 2
v2.2.0
USB: 0c4b:0400
From: William R. <bil...@gm...> - 2021-01-07 14:29:33

On Wed, Dec 2, 2020 at 1:06 PM William Roberts <bil...@gm...> wrote:
>
> On Wed, Dec 2, 2020 at 12:53 PM William Roberts <bil...@gm...> wrote:
> >
> > On Wed, Dec 2, 2020 at 9:29 AM Eliot Roxbergh via Opensc-devel <ope...@li...> wrote:
> > >
> > > Regarding the deprecation of PKCS11_generate_key in libp11 (pkcs11_engine),
> > >
> > > To generate keypairs in an HSM, I am currently using OpenSSL and libp11. This is possible from OpenSSL by calling the pkcs11 engine with control command "KEYPAIR_GEN_CTRL". However, since this functionality (PKCS11_generate_key) is said to be deprecated in libp11 0.5.0, I ask if there is another way of doing this.
> > >
> > > As far as I understand, unlike the other functions which are to be deprecated, to generate keys inside of the HSM is not supported directly by OpenSSL. There must be something I am missing.
> >
> > The deprecated function used to generate the key material and then store them to the card. The routine was re-implemented and taken off the deprecated list when the implementation was changed to create the key on the HSM directly via the PKCS11 call C_GenerateKeyPair. This was done in this PR:
> > - https://github.com/OpenSC/libp11/pull/188/files
> >
> > What's really confusing to me, is that it got re-deprecated again in a subsequent commit:
> > - https://github.com/OpenSC/libp11/commit/c1c2753176421a148d02296a893a2fbe6374172f
> >
> > Even though the implementation looks right:
> > - https://github.com/OpenSC/libp11/commit/c1c2753176421a148d02296a893a2fbe6374172f#diff-deee9b449d96805726eeedbf74c24211ebcb3ed246f6fc3ac063d675b6fe5b7fR132
> >
> > I'm wondering if a bad merge or something occurred, and that DEPRECATED should go away?
> >
> > > Naturally, it would be possible to generate the keys outside of the HSM and then store them therein, but this is of course not acceptable for security reasons.
> >
> > Yeah, that's less than ideal, and that's the old implementation that was changed by PR #188
>
> This seems like a bug, thus I filed one:
> - https://github.com/OpenSC/libp11/issues/377
>
> I have a PR here:
> - https://github.com/OpenSC/libp11/pull/378
>
> Lets see what the maintainers have to say.
>
> > > Best regards,
> > > Eliot Roxbergh

Eliot,

FYI the fix I proposed has been merged. It should make it out on a subsequent release.
From: George <whi...@gm...> - 2021-01-07 01:06:31
|
Hi,

Thanks for your help. I was able to enable the debug compile/link in the make file and can now step through the code using the Visual Studio debugger. It looks like the exception

  Exception thrown at 0x75D046D2 in GENCom.exe: Microsoft C++ exception: unsigned long at memory location 0x0355CE98.

is caused by the following code in libp11-libp11-0.4.11\src\libpkcs11.c:

C_LoadModule(const char *mspec, CK_FUNCTION_LIST_PTR_PTR funcs)
{
    . . .
#ifdef WIN32
    mod->handle = LoadLibraryA(mspec);    <=== *** Exception occurs here ****
#else
    . . .
}

I'm not exactly sure why this is happening, though. After that, I then see a lot of the following exceptions:

Exception thrown at 0x76AC46D2 in GENCom.exe: Microsoft C++ exception: AI::Middleware::CMWException at memory location 0x0375D26C.
Exception thrown at 0x76AC46D2 in GENCom.exe: Microsoft C++ exception: AI::Middleware::CMWException at memory location 0x0375D26C.
Exception thrown at 0x76AC46D2 in GENCom.exe: Microsoft C++ exception: AI::Middleware::CMWException at memory location 0x0375D26C.
Exception thrown at 0x76AC46D2 in GENCom.exe: Microsoft C++ exception: AI::Middleware::CMWException at memory location 0x0375D26C.
. . .

Are these the result of the first exception, or is there a separate problem?

Thanks,
George

On 2021-01-06 8:26 a.m., Douglas E Engert wrote:
>
> ./src/eng_back.c ctx_load_cert() is expecting s_slot_cert_id is either
> a URI based on RFC7512 or the old way as defined in
> ./src/eng_parse.c parse_slot_id_string. This looks like it is assuming
> the slot is not defined and returns slot=-1 and the hex id.
>
> slot=-1 may not be the issue, but is easy to change.
>
> You are calling a routine that is normally called internally by libp11,
> so it may be missing some setup that libp11 would have done.
>
> Something else that might help in debugging is to use the OpenSC
> pkcs11 SPY module as the module loaded.
> https://github.com/OpenSC/OpenSC/wiki/Using-OpenSC#pkcs-11-spy
>
> On 1/5/2021 11:35 PM, George wrote:
>> Hi,
>>
>> I'm trying to use a certificate on a smart card with OpenSSL + libp11
>> in Windows 10. However, when I attempt to configure the OpenSSL
>> PKCS11 engine with "LOAD_CERT_CTRL", I'm seeing some exceptions.
>> Here is my console output:
>>
>> 'GENCom.exe' (Win32): Loaded 'C:\Users\whipp\junk4\libp11-libp11-0.4.11\src\pkcs11.dll'. Module was built without symbols.
>> Exception thrown at 0x75D046D2 in GENCom.exe: Microsoft C++ exception: unsigned long at memory location 0x0355CE98.
>> 'GENCom.exe' (Win32): Loaded 'C:\Program Files (x86)\HID Global\ActivClient\ac.smmw.mwctl.dll'.
>> 'GENCom.exe' (Win32): Loaded 'C:\Program Files (x86)\HID Global\ActivClient\ac.smmw.common.srvprov.dll'.
>> 'GENCom.exe' (Win32): Loaded 'C:\Program Files (x86)\HID Global\ActivClient\ac.smmw.common.srvctl.dll'.
>> . . .
>>
>> Here is a snippet of what my code looks like:
>>
>> struct
>> {
>>     const char* s_slot_cert_id;
>>     X509* cert;
>> } cert_info;
>> cert_info.s_slot_cert_id = "a9bee4d72100c52f77c3fc288d2be01a34b5d44f91b3b7ea3d349b8a25752c45";
>> cert_info.cert = NULL;
>>
>> int returnCode = ENGINE_ctrl_cmd(engine, "LOAD_CERT_CTRL", 0, &cert_info, NULL, 0);
>> returnCode = SSL_CTX_use_certificate(sslContext, cert_info.cert);
>>
>> The return code from ENGINE_ctrl_cmd is "1" even though I am seeing
>> some exceptions. Does anyone know what is causing the exceptions and
>> how I can fix it? Are there any debug logs I can look at? It seems like
>> cert_info.cert is being populated with a value, but I am not sure if it
>> is valid or not.
>>
>> The value "2b2586c684d69b670c0a805edf514e720f2b757d8e2faa0b3a7ff23d1ccfc7ba" is
>> the object ID of the certificate on the smart card:
>>
>> C:\Program Files\OpenSC Project\OpenSC\tools>pkcs11-tool --module="C:\Program Files\HID Global\ActivClient/acpkcs211.dll" -l -O
>> Using slot 0 with a present token (0x0)
>> Certificate Object; type = X.509 cert
>>   label:      Authentication - *
>>   subject:    DN: C=CA, ST=ON, L=OT, O=ABCD, OU=EFG, CN=*
>>   ID:         2b2586c684d69b670c0a805edf514e720f2b757d8e2faa0b3a7ff23d1ccfc7ba
>> . . .
>>
>> I tried to manually use LOAD_CERT_CTRL in the openssl shell but I
>> cannot seem to get it to work and cannot find any examples of how to
>> use it. Is the syntax for LOAD_CERT_CTRL correct? Is there any
>> detailed documentation on how to use it?
>>
>> Here is what I am trying to do
>>
>> OpenSSL> engine -vvvv -t dynamic -pre "SO_PATH:C:\\Users\\whipp\\junk4\\libp11-libp11-0.4.11\\src\\pkcs11.dll" -pre ID:pkcs11 -pre LIST_ADD:1 -pre LOAD -pre "MODULE_PATH:C:\Program Files (x86)\HID Global\ActivClient\\acpkcs211.dll" -pre PIN:123456 -pre FORCE_LOGIN -pre "LOAD_CERT_CTRL:a9bee4d72100c52f77c3fc288d2be01a34b5d44f91b3b7ea3d349b8a25752c45"
>> (dynamic) Dynamic engine loading support
>> [Success]: SO_PATH:C:\\Users\\whipp\\junk4\\libp11-libp11-0.4.11\\src\\pkcs11.dll
>> [Success]: ID:pkcs11
>> [Success]: LIST_ADD:1
>> [Success]: LOAD
>> [Success]: MODULE_PATH:C:\Program Files (x86)\HID Global\ActivClient\\acpkcs211.dll
>> [Success]: PIN:123456
>> [Success]: FORCE_LOGIN
>> [Failure]: LOAD_CERT_CTRL:a9bee4d72100c52f77c3fc288d2be01a34b5d44f91b3b7ea3d349b8a25752c45
>> 4196:error:260AB086:engine routines:ENGINE_ctrl_cmd_string:cmd not executable:.\crypto\engine\eng_ctrl.c:316:
>> Loaded: (pkcs11) pkcs11 engine
>>      [ available ]
>>      SO_PATH: Specifies the path to the 'pkcs11' engine shared library
>>           (input flags): STRING
>>      MODULE_PATH: Specifies the path to the PKCS#11 module shared library
>>           (input flags): STRING
>>      PIN: Specifies the pin code
>>           (input flags): STRING
>>      VERBOSE: Print additional details
>>           (input flags): NO_INPUT
>>      QUIET: Remove additional details
>>           (input flags): NO_INPUT
>>      LOAD_CERT_CTRL: Get the certificate from card
>>           (input flags): [Internal]
>>      INIT_ARGS: Specifies additional initialization arguments to the PKCS#11 module
>>           (input flags): STRING
>>      SET_USER_INTERFACE: Set the global user interface (internal)
>>           (input flags): [Internal]
>>      SET_CALLBACK_DATA: Set the global user interface extra data (internal)
>>           (input flags): [Internal]
>>      FORCE_LOGIN: Force login to the PKCS#11 module
>>           (input flags): NO_INPUT
>> OpenSSL>
>>
>> Thanks,
>> George
>>
>> _______________________________________________
>> Opensc-devel mailing list
>> Ope...@li...
>> https://lists.sourceforge.net/lists/listinfo/opensc-devel
From: Douglas E E. <dee...@gm...> - 2021-01-06 13:26:50
./src/eng_back.c ctx_load_cert() is expecting s_slot_cert_id is either a URI based on RFC7512 or the old way as defined in ./src/eng_parse.c parse_slot_id_string. This looks like it is assuming the slot is not defined and returns slot=-1 and the hex id.

slot=-1 may not be the issue, but is easy to change.

You are calling a routine that is normally called internally by libp11, so it may be missing some setup that libp11 would have done.

Something else that might help in debugging is to use the OpenSC pkcs11 SPY module as the module loaded.
https://github.com/OpenSC/OpenSC/wiki/Using-OpenSC#pkcs-11-spy

On 1/5/2021 11:35 PM, George wrote:
> Hi,
>
> I'm trying to use a certificate on a smart card with OpenSSL + libp11 in Windows 10. However, when I attempt to configure the OpenSSL PKCS11 engine with "LOAD_CERT_CTRL", I'm seeing some exceptions.
> Here is my console output:
>
> 'GENCom.exe' (Win32): Loaded 'C:\Users\whipp\junk4\libp11-libp11-0.4.11\src\pkcs11.dll'. Module was built without symbols.
> Exception thrown at 0x75D046D2 in GENCom.exe: Microsoft C++ exception: unsigned long at memory location 0x0355CE98.
> 'GENCom.exe' (Win32): Loaded 'C:\Program Files (x86)\HID Global\ActivClient\ac.smmw.mwctl.dll'.
> 'GENCom.exe' (Win32): Loaded 'C:\Program Files (x86)\HID Global\ActivClient\ac.smmw.common.srvprov.dll'.
> 'GENCom.exe' (Win32): Loaded 'C:\Program Files (x86)\HID Global\ActivClient\ac.smmw.common.srvctl.dll'.
> . . .
>
> Here is a snippet of what my code looks like:
>
> struct
> {
>     const char* s_slot_cert_id;
>     X509* cert;
> } cert_info;
> cert_info.s_slot_cert_id = "a9bee4d72100c52f77c3fc288d2be01a34b5d44f91b3b7ea3d349b8a25752c45";
> cert_info.cert = NULL;
>
> int returnCode = ENGINE_ctrl_cmd(engine, "LOAD_CERT_CTRL", 0, &cert_info, NULL, 0);
> returnCode = SSL_CTX_use_certificate(sslContext, cert_info.cert);
>
> The return code from ENGINE_ctrl_cmd is "1" even though I am seeing some exceptions. Does anyone know what is causing the exceptions and how I can fix it?
> Are there any debug logs I can look at? It seems like cert_info.cert is being populated with a value, but I am not sure if it is valid or not.
>
> The value "2b2586c684d69b670c0a805edf514e720f2b757d8e2faa0b3a7ff23d1ccfc7ba" is the object ID of the certificate on the smart card:
>
> C:\Program Files\OpenSC Project\OpenSC\tools>pkcs11-tool --module="C:\Program Files\HID Global\ActivClient/acpkcs211.dll" -l -O
> Using slot 0 with a present token (0x0)
> Certificate Object; type = X.509 cert
>   label:      Authentication - *
>   subject:    DN: C=CA, ST=ON, L=OT, O=ABCD, OU=EFG, CN=*
>   ID:         2b2586c684d69b670c0a805edf514e720f2b757d8e2faa0b3a7ff23d1ccfc7ba
> . . .
>
> I tried to manually use LOAD_CERT_CTRL in the openssl shell but I cannot seem to get it to work and cannot find any examples of how to use it. Is the syntax for LOAD_CERT_CTRL correct? Is there any
> detailed documentation on how to use it?
>
> Here is what I am trying to do
>
> OpenSSL> engine -vvvv -t dynamic -pre "SO_PATH:C:\\Users\\whipp\\junk4\\libp11-libp11-0.4.11\\src\\pkcs11.dll" -pre ID:pkcs11 -pre LIST_ADD:1 -pre LOAD -pre "MODULE_PATH:C:\Program Files (x86)\HID Global\ActivClient\\acpkcs211.dll" -pre PIN:123456 -pre FORCE_LOGIN -pre "LOAD_CERT_CTRL:a9bee4d72100c52f77c3fc288d2be01a34b5d44f91b3b7ea3d349b8a25752c45"
> (dynamic) Dynamic engine loading support
> [Success]: SO_PATH:C:\\Users\\whipp\\junk4\\libp11-libp11-0.4.11\\src\\pkcs11.dll
> [Success]: ID:pkcs11
> [Success]: LIST_ADD:1
> [Success]: LOAD
> [Success]: MODULE_PATH:C:\Program Files (x86)\HID Global\ActivClient\\acpkcs211.dll
> [Success]: PIN:123456
> [Success]: FORCE_LOGIN
> [Failure]: LOAD_CERT_CTRL:a9bee4d72100c52f77c3fc288d2be01a34b5d44f91b3b7ea3d349b8a25752c45
> 4196:error:260AB086:engine routines:ENGINE_ctrl_cmd_string:cmd not executable:.\crypto\engine\eng_ctrl.c:316:
> Loaded: (pkcs11) pkcs11 engine
>      [ available ]
>      SO_PATH: Specifies the path to the 'pkcs11' engine shared library
>           (input flags): STRING
>      MODULE_PATH: Specifies the path to the PKCS#11 module shared library
>           (input flags): STRING
>      PIN: Specifies the pin code
>           (input flags): STRING
>      VERBOSE: Print additional details
>           (input flags): NO_INPUT
>      QUIET: Remove additional details
>           (input flags): NO_INPUT
>      LOAD_CERT_CTRL: Get the certificate from card
>           (input flags): [Internal]
>      INIT_ARGS: Specifies additional initialization arguments to the PKCS#11 module
>           (input flags): STRING
>      SET_USER_INTERFACE: Set the global user interface (internal)
>           (input flags): [Internal]
>      SET_CALLBACK_DATA: Set the global user interface extra data (internal)
>           (input flags): [Internal]
>      FORCE_LOGIN: Force login to the PKCS#11 module
>           (input flags): NO_INPUT
> OpenSSL>
>
> Thanks,
> George
>
> _______________________________________________
> Opensc-devel mailing list
> Ope...@li...
> https://lists.sourceforge.net/lists/listinfo/opensc-devel

--
Douglas E. Engert <DEE...@gm...>
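The two identifier forms Douglas mentions (an RFC 7512 `pkcs11:` URI, or the older `<slot>:<hex id>` string) are easy to get wrong when starting from the raw `ID:` line that pkcs11-tool prints. The following is an added example, not code from this thread or from libp11: it converts a hex object ID into a percent-encoded `pkcs11:id=` URI, and includes a small toy parser for the legacy form that reports slot -1 when no slot prefix is given, mirroring the behaviour Douglas describes. The parser is an illustration written for this example and is not libp11's own `parse_slot_id_string()`; the sample ID is the one from George's pkcs11-tool output.

```c
/*
 * Added example (not from the thread or from libp11): turn the raw hex
 * object ID from pkcs11-tool into an RFC 7512 URI, and parse the legacy
 * "<slot>:<hexid>" form.  parse_slot_id() is a toy, NOT libp11's
 * parse_slot_id_string(); it only mirrors the "no slot -> slot = -1" rule.
 */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <ctype.h>

/* Decode one hex digit; returns -1 for a non-hex character. */
static int hexval(int c)
{
    if (c >= '0' && c <= '9') return c - '0';
    c = tolower(c);
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    return -1;
}

/*
 * Build "pkcs11:id=%XX%XX..." from a hex object id.  RFC 7512 carries the
 * id as binary, so every byte is percent-encoded here (encoding even
 * unreserved bytes is permitted and avoids ambiguity).  Returns a malloc'd
 * string, or NULL if the id is empty, odd-length or not hex.
 */
char *pkcs11_uri_from_hex_id(const char *hex_id)
{
    size_t n = strlen(hex_id);
    if (n == 0 || n % 2 != 0)
        return NULL;
    const char prefix[] = "pkcs11:id=";
    char *out = malloc(sizeof prefix + (n / 2) * 3);   /* "%XX" per byte */
    if (!out) return NULL;
    char *p = out + sprintf(out, "%s", prefix);
    for (size_t i = 0; i < n; i += 2) {
        int hi = hexval(hex_id[i]), lo = hexval(hex_id[i + 1]);
        if (hi < 0 || lo < 0) { free(out); return NULL; }
        p += sprintf(p, "%%%02X", hi * 16 + lo);
    }
    return out;
}

/*
 * Toy parser for the legacy "<slot>:<hexid>" form.  Without a "slot:"
 * prefix the whole string is the id and slot is reported as -1.  Returns 0
 * on success, -1 if the slot is not decimal or the id is not valid hex.
 */
int parse_slot_id(const char *s, long *slot_out, char *id_out, size_t id_out_len)
{
    const char *colon = strchr(s, ':');
    const char *id = s;
    *slot_out = -1;
    if (colon) {
        char *end;
        long slot = strtol(s, &end, 10);
        if (s == colon || end != colon) return -1;   /* slot must be decimal */
        *slot_out = slot;
        id = colon + 1;
    }
    size_t n = strlen(id);
    if (n == 0 || n % 2 != 0 || n + 1 > id_out_len) return -1;
    for (size_t i = 0; i < n; i++)
        if (hexval(id[i]) < 0) return -1;
    memcpy(id_out, id, n + 1);
    return 0;
}

/* Self-check helper: parse s and compare with the expected slot and id. */
int parse_slot_id_matches(const char *s, long expect_slot, const char *expect_id)
{
    long slot; char id[128];
    if (parse_slot_id(s, &slot, id, sizeof id) != 0) return 0;
    return slot == expect_slot && strcmp(id, expect_id) == 0;
}

/* Self-check helper: build the URI for hex_id and compare with expect. */
int uri_matches(const char *hex_id, const char *expect)
{
    char *uri = pkcs11_uri_from_hex_id(hex_id);
    int ok = uri != NULL && strcmp(uri, expect) == 0;
    free(uri);
    return ok;
}

int main(void)
{
    /* sample input: the certificate ID George obtained from pkcs11-tool */
    const char *raw = "2b2586c684d69b670c0a805edf514e720f2b757d8e2faa0b3a7ff23d1ccfc7ba";
    char *uri = pkcs11_uri_from_hex_id(raw);
    long slot; char id[128];
    printf("URI form:    %s\n", uri ? uri : "(invalid)");
    if (parse_slot_id(raw, &slot, id, sizeof id) == 0)
        printf("legacy form: slot=%ld id=%s\n", slot, id);   /* slot=-1 */
    if (parse_slot_id("0:2b25", &slot, id, sizeof id) == 0)
        printf("legacy form: slot=%ld id=%s\n", slot, id);   /* slot=0 */
    free(uri);
    return 0;
}
```

The URI form is the one to prefer for new code, since it also lets you pin the token (`token=` or `serial=`) so the lookup cannot silently match a different card in another reader; the bare hex string works only because the legacy parser defaults the slot.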
From: George <whi...@gm...> - 2021-01-06 05:35:26
Hi,

I'm trying to use a certificate on a smart card with OpenSSL + libp11 in Windows 10. However, when I attempt to configure the OpenSSL PKCS11 engine with "LOAD_CERT_CTRL", I'm seeing some exceptions.
Here is my console output:

'GENCom.exe' (Win32): Loaded 'C:\Users\whipp\junk4\libp11-libp11-0.4.11\src\pkcs11.dll'. Module was built without symbols.
Exception thrown at 0x75D046D2 in GENCom.exe: Microsoft C++ exception: unsigned long at memory location 0x0355CE98.
'GENCom.exe' (Win32): Loaded 'C:\Program Files (x86)\HID Global\ActivClient\ac.smmw.mwctl.dll'.
'GENCom.exe' (Win32): Loaded 'C:\Program Files (x86)\HID Global\ActivClient\ac.smmw.common.srvprov.dll'.
'GENCom.exe' (Win32): Loaded 'C:\Program Files (x86)\HID Global\ActivClient\ac.smmw.common.srvctl.dll'.
. . .

Here is a snippet of what my code looks like:

struct
{
    const char* s_slot_cert_id;
    X509* cert;
} cert_info;
cert_info.s_slot_cert_id = "a9bee4d72100c52f77c3fc288d2be01a34b5d44f91b3b7ea3d349b8a25752c45";
cert_info.cert = NULL;

int returnCode = ENGINE_ctrl_cmd(engine, "LOAD_CERT_CTRL", 0, &cert_info, NULL, 0);
returnCode = SSL_CTX_use_certificate(sslContext, cert_info.cert);

The return code from ENGINE_ctrl_cmd is "1" even though I am seeing some exceptions. Does anyone know what is causing the exceptions and how I can fix it? Are there any debug logs I can look at? It seems like cert_info.cert is being populated with a value, but I am not sure if it is valid or not.

The value "2b2586c684d69b670c0a805edf514e720f2b757d8e2faa0b3a7ff23d1ccfc7ba" is the object ID of the certificate on the smart card:

C:\Program Files\OpenSC Project\OpenSC\tools>pkcs11-tool --module="C:\Program Files\HID Global\ActivClient/acpkcs211.dll" -l -O
Using slot 0 with a present token (0x0)
Certificate Object; type = X.509 cert
  label:      Authentication - *
  subject:    DN: C=CA, ST=ON, L=OT, O=ABCD, OU=EFG, CN=*
  ID:         2b2586c684d69b670c0a805edf514e720f2b757d8e2faa0b3a7ff23d1ccfc7ba
. . .

I tried to manually use LOAD_CERT_CTRL in the openssl shell but I cannot seem to get it to work and cannot find any examples of how to use it. Is the syntax for LOAD_CERT_CTRL correct? Is there any detailed documentation on how to use it?

Here is what I am trying to do

OpenSSL> engine -vvvv -t dynamic -pre "SO_PATH:C:\\Users\\whipp\\junk4\\libp11-libp11-0.4.11\\src\\pkcs11.dll" -pre ID:pkcs11 -pre LIST_ADD:1 -pre LOAD -pre "MODULE_PATH:C:\Program Files (x86)\HID Global\ActivClient\\acpkcs211.dll" -pre PIN:123456 -pre FORCE_LOGIN -pre "LOAD_CERT_CTRL:a9bee4d72100c52f77c3fc288d2be01a34b5d44f91b3b7ea3d349b8a25752c45"
(dynamic) Dynamic engine loading support
[Success]: SO_PATH:C:\\Users\\whipp\\junk4\\libp11-libp11-0.4.11\\src\\pkcs11.dll
[Success]: ID:pkcs11
[Success]: LIST_ADD:1
[Success]: LOAD
[Success]: MODULE_PATH:C:\Program Files (x86)\HID Global\ActivClient\\acpkcs211.dll
[Success]: PIN:123456
[Success]: FORCE_LOGIN
[Failure]: LOAD_CERT_CTRL:a9bee4d72100c52f77c3fc288d2be01a34b5d44f91b3b7ea3d349b8a25752c45
4196:error:260AB086:engine routines:ENGINE_ctrl_cmd_string:cmd not executable:.\crypto\engine\eng_ctrl.c:316:
Loaded: (pkcs11) pkcs11 engine
     [ available ]
     SO_PATH: Specifies the path to the 'pkcs11' engine shared library
          (input flags): STRING
     MODULE_PATH: Specifies the path to the PKCS#11 module shared library
          (input flags): STRING
     PIN: Specifies the pin code
          (input flags): STRING
     VERBOSE: Print additional details
          (input flags): NO_INPUT
     QUIET: Remove additional details
          (input flags): NO_INPUT
     LOAD_CERT_CTRL: Get the certificate from card
          (input flags): [Internal]
     INIT_ARGS: Specifies additional initialization arguments to the PKCS#11 module
          (input flags): STRING
     SET_USER_INTERFACE: Set the global user interface (internal)
          (input flags): [Internal]
     SET_CALLBACK_DATA: Set the global user interface extra data (internal)
          (input flags): [Internal]
     FORCE_LOGIN: Force login to the PKCS#11 module
          (input flags): NO_INPUT
OpenSSL>

Thanks,
George
From: Kaya S. <kay...@op...> - 2020-12-29 20:50:25
Hi,

I hope this is the correct place to post this as it seems the opensc-users list is no longer active?

Basically, I am wondering if the Feitian A22 JavaCOS is supported?

I have an Alcor Micro AU9560 card reader inside my laptop which runs Arch Linux. Reading through various pages on Linux and SmartCards (the Debian/Arch/OpenSC wikis) the reader is definitely supported; as for the card, I could only find this reference:

https://stackoverflow.com/questions/52131519/opensc-fails-to-connect-javacard-with-pkcs-applet

I haven't purchased the card yet as I'm still trying to research as much as possible. My idea is to use the card for login purposes primarily. I may look at other things later on but for now that is what I want to achieve.

Looking at my local vendor it seems that for Auth only Crescendo and Gemalto or ACOS5 cards are available which according to the OpenSC wiki are not supported, though there is a project working on the ACOS5 currently.

Am I looking at the correct card for what I am trying to do? I did also check out the Feitian PKI card but it seems no longer available from anywhere including the Feitian online store.

Thanks for any advice or recommendations.

Regards,
Kaya
From: Douglas E E. <dee...@gm...> - 2020-12-28 19:44:25
NXP JCOP 2.4.1 is a Java card. OpenSC did not find any applet on the card that it supports.

OpenSC supports PKCS15 cards and additional cards with applets like OpenPGP, EID, GIDS, PIV and others, (usually) government-issued cards. Traditionally, card vendors would issue cards with preinstalled software. Today's cards, like the one you have, can support multiple applets from different sources.

opensc-tool --drivers will show what OpenSC supports.

Search for GlobalPlatform, like https://github.com/martinpaljak/GlobalPlatformPro, and search for smart card applets.

On 12/28/2020 3:19 AM, Ludovic Rousseau wrote:
> On Sun, 27 Dec 2020 at 23:56, Hamlet Kraskian via Opensc-devel <ope...@li...> wrote:
>
>> /opt/kse$ opensc-tool --name
>> Using reader with a card: HID Global OMNIKEY 3x21 Smart Card Reader [OMNIKEY 3x21 Smart Card Reader] 00 00
>> Unsupported card
>>
>> /opt/kse$ opensc-tool --atr
>> Using reader with a card: HID Global OMNIKEY 3x21 Smart Card Reader [OMNIKEY 3x21 Smart Card Reader] 00 00
>> 3b:f8:13:00:00:81:31:fe:45:4a:43:4f:50:76:32:34:31:b7
>
> According to https://smartcard-atr.apdu.fr/parse?ATR=3BF81300008131FE454A434F5076323431B7 your card is a:
> Chip is NXP JCOP 2.4.1R3
>
> I could not find it in https://github.com/OpenSC/OpenSC/wiki/Supported-hardware-%28smart-cards-and-USB-tokens%29
>
> Bye
>
> --
> Dr. Ludovic Rousseau
>
> _______________________________________________
> Opensc-devel mailing list
> Ope...@li...
> https://lists.sourceforge.net/lists/listinfo/opensc-devel

--
Douglas E. Engert <DEE...@gm...>
From: Ludovic R. <lud...@gm...> - 2020-12-28 09:20:10
On Sun, 27 Dec 2020 at 23:56, Hamlet Kraskian via Opensc-devel <ope...@li...> wrote:

> /opt/kse$ opensc-tool --name
> Using reader with a card: HID Global OMNIKEY 3x21 Smart Card Reader [OMNIKEY 3x21 Smart Card Reader] 00 00
> Unsupported card
>
> /opt/kse$ opensc-tool --atr
> Using reader with a card: HID Global OMNIKEY 3x21 Smart Card Reader [OMNIKEY 3x21 Smart Card Reader] 00 00
> 3b:f8:13:00:00:81:31:fe:45:4a:43:4f:50:76:32:34:31:b7

According to https://smartcard-atr.apdu.fr/parse?ATR=3BF81300008131FE454A434F5076323431B7 your card is a:
Chip is NXP JCOP 2.4.1R3

I could not find it in https://github.com/OpenSC/OpenSC/wiki/Supported-hardware-%28smart-cards-and-USB-tokens%29

Bye

--
Dr. Ludovic Rousseau
From: Hamlet K. <hkr...@ya...> - 2020-12-27 22:56:06
/opt/kse$ opensc-tool --name
Using reader with a card: HID Global OMNIKEY 3x21 Smart Card Reader [OMNIKEY 3x21 Smart Card Reader] 00 00
Unsupported card

/opt/kse$ opensc-tool --atr
Using reader with a card: HID Global OMNIKEY 3x21 Smart Card Reader [OMNIKEY 3x21 Smart Card Reader] 00 00
3b:f8:13:00:00:81:31:fe:45:4a:43:4f:50:76:32:34:31:b7
From: William R. <bil...@gm...> - 2020-12-02 19:06:55
On Wed, Dec 2, 2020 at 12:53 PM William Roberts <bil...@gm...> wrote:
>
> On Wed, Dec 2, 2020 at 9:29 AM Eliot Roxbergh via Opensc-devel
> <ope...@li...> wrote:
> >
> > Regarding the deprecation of PKCS11_generate_key in libp11
> > (pkcs11_engine),
> >
> > To generate keypairs in an HSM, I am currently using OpenSSL and
> > libp11. This is possible from OpenSSL by calling the pkcs11 engine with
> > control command "KEYPAIR_GEN_CTRL". However, since this functionality (
> > PKCS11_generate_key) is said to be deprecated in libp11 0.5.0, I ask if
> > there is another way of doing this.
> >
> > As far as I understand, unlike the other functions which are to be
> > deprecated, to generate keys inside of the HSM is not supported
> > directly by OpenSSL. There must be something I am missing.
>
> The deprecated function used to generate the key material and then store them
> to the card. The routine was re-implemented and taken off the deprecated list
> when the implementation was changed to create the key on the HSM directly
> via the PKCS11 call C_GenerateKeyPair. This was done in this PR:
> - https://github.com/OpenSC/libp11/pull/188/files
>
> What's really confusing to me, is that it got re-deprecated again in a
> subsequent commit:
> - https://github.com/OpenSC/libp11/commit/c1c2753176421a148d02296a893a2fbe6374172f
>
> Even though the implementation looks right:
> - https://github.com/OpenSC/libp11/commit/c1c2753176421a148d02296a893a2fbe6374172f#diff-deee9b449d96805726eeedbf74c24211ebcb3ed246f6fc3ac063d675b6fe5b7fR132
>
> I'm wondering if a bad merge or something occurred, and that
> DEPRECATED should go away?
>
> >
> > Naturally, it would be possible to generate the keys outside of the HSM
> > and then store them therein, but this is of course not acceptable for
> > security reasons.
>
> Yeah, that's less than ideal, and that's the old implementation that
> was changed by PR #188

This seems like a bug, thus I filed one:
- https://github.com/OpenSC/libp11/issues/377

I have a PR here:
- https://github.com/OpenSC/libp11/pull/378

Let's see what the maintainers have to say.

> >
> > Best regards,
> > Eliot Roxbergh
> >
> > _______________________________________________
> > Opensc-devel mailing list
> > Ope...@li...
> > https://lists.sourceforge.net/lists/listinfo/opensc-devel
From: William R. <bil...@gm...> - 2020-12-02 18:53:54
On Wed, Dec 2, 2020 at 9:29 AM Eliot Roxbergh via Opensc-devel <ope...@li...> wrote:
>
> Regarding the deprecation of PKCS11_generate_key in libp11
> (pkcs11_engine),
>
> To generate keypairs in an HSM, I am currently using OpenSSL and
> libp11. This is possible from OpenSSL by calling the pkcs11 engine with
> control command "KEYPAIR_GEN_CTRL". However, since this functionality (
> PKCS11_generate_key) is said to be deprecated in libp11 0.5.0, I ask if
> there is another way of doing this.
>
> As far as I understand, unlike the other functions which are to be
> deprecated, to generate keys inside of the HSM is not supported
> directly by OpenSSL. There must be something I am missing.

The deprecated function used to generate the key material and then store them to the card. The routine was re-implemented and taken off the deprecated list when the implementation was changed to create the key on the HSM directly via the PKCS11 call C_GenerateKeyPair. This was done in this PR:
- https://github.com/OpenSC/libp11/pull/188/files

What's really confusing to me, is that it got re-deprecated again in a subsequent commit:
- https://github.com/OpenSC/libp11/commit/c1c2753176421a148d02296a893a2fbe6374172f

Even though the implementation looks right:
- https://github.com/OpenSC/libp11/commit/c1c2753176421a148d02296a893a2fbe6374172f#diff-deee9b449d96805726eeedbf74c24211ebcb3ed246f6fc3ac063d675b6fe5b7fR132

I'm wondering if a bad merge or something occurred, and that DEPRECATED should go away?

>
> Naturally, it would be possible to generate the keys outside of the HSM
> and then store them therein, but this is of course not acceptable for
> security reasons.

Yeah, that's less than ideal, and that's the old implementation that was changed by PR #188

>
> Best regards,
> Eliot Roxbergh
>
> _______________________________________________
> Opensc-devel mailing list
> Ope...@li...
> https://lists.sourceforge.net/lists/listinfo/opensc-devel
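William's point that the re-implemented KEYPAIR_GEN_CTRL creates the pair on the HSM through C_GenerateKeyPair, and Eliot's reason for wanting that (a key generated outside the device could exist in host memory), both come down to the attribute templates handed to that call: they decide whether the private key can later be read or wrapped out. The following is an added example, not code from this thread or from libp11: it builds a private-key template for on-device RSA generation and checks it against a simple policy before it would be passed to a module. The `CK_*` names and values are copied from the PKCS#11 v2.x specification so the file builds without `pkcs11.h`; a real program includes that header and then calls `C_GenerateKeyPair` with this template. The policy function and its helper names are assumptions made for this example.

```c
/*
 * Added example (not from the thread, not libp11 code): sanity-check the
 * private-key template before it goes to C_GenerateKeyPair.  The CK_* types
 * and constants below are copied from the PKCS#11 v2.x spec so this builds
 * without pkcs11.h; real code includes the header instead of redefining them.
 */
#include <stdbool.h>
#include <string.h>

typedef unsigned long CK_ULONG;
typedef unsigned char CK_BBOOL;
typedef CK_ULONG CK_ATTRIBUTE_TYPE;
typedef struct { CK_ATTRIBUTE_TYPE type; void *pValue; CK_ULONG ulValueLen; } CK_ATTRIBUTE;

#define CK_TRUE          1
#define CK_FALSE         0
#define CKA_CLASS        0x000UL
#define CKA_TOKEN        0x001UL
#define CKA_PRIVATE      0x002UL
#define CKA_KEY_TYPE     0x100UL
#define CKA_SENSITIVE    0x103UL
#define CKA_EXTRACTABLE  0x162UL
#define CKO_PRIVATE_KEY  3UL
#define CKK_RSA          0UL

/* Find an attribute in a template; NULL if absent. */
static const CK_ATTRIBUTE *find_attr(const CK_ATTRIBUTE *t, CK_ULONG n, CK_ATTRIBUTE_TYPE type)
{
    for (CK_ULONG i = 0; i < n; i++)
        if (t[i].type == type) return &t[i];
    return NULL;
}

/* Read a CK_BBOOL attribute: 1 = TRUE, 0 = FALSE, -1 = absent or malformed. */
static int attr_bool(const CK_ATTRIBUTE *t, CK_ULONG n, CK_ATTRIBUTE_TYPE type)
{
    const CK_ATTRIBUTE *a = find_attr(t, n, type);
    if (!a || !a->pValue || a->ulValueLen != sizeof(CK_BBOOL)) return -1;
    return *(const CK_BBOOL *)a->pValue ? 1 : 0;
}

/*
 * Policy for a private key that must stay on the device:
 *   CKA_TOKEN=TRUE        persistent token object, not a session object
 *   CKA_PRIVATE=TRUE      usable only after login
 *   CKA_SENSITIVE=TRUE    value can never be read out in the clear
 *   CKA_EXTRACTABLE=FALSE value can never be wrapped out
 * An absent attribute counts as a failure: defaults are module-specific.
 */
bool private_template_is_hardware_bound(const CK_ATTRIBUTE *t, CK_ULONG n)
{
    return attr_bool(t, n, CKA_TOKEN) == 1 &&
           attr_bool(t, n, CKA_PRIVATE) == 1 &&
           attr_bool(t, n, CKA_SENSITIVE) == 1 &&
           attr_bool(t, n, CKA_EXTRACTABLE) == 0;
}

/*
 * Fill out[] (room for 6 attributes) with a compliant RSA private-key
 * template and return the attribute count.  yes/no must outlive the
 * template because the attributes point at them.
 */
CK_ULONG build_rsa_private_template(CK_ATTRIBUTE *out, CK_BBOOL *yes, CK_BBOOL *no)
{
    static CK_ULONG cls = CKO_PRIVATE_KEY, kt = CKK_RSA;
    *yes = CK_TRUE; *no = CK_FALSE;
    CK_ATTRIBUTE tmpl[] = {
        { CKA_CLASS,       &cls, sizeof cls },
        { CKA_KEY_TYPE,    &kt,  sizeof kt },
        { CKA_TOKEN,       yes,  sizeof *yes },
        { CKA_PRIVATE,     yes,  sizeof *yes },
        { CKA_SENSITIVE,   yes,  sizeof *yes },
        { CKA_EXTRACTABLE, no,   sizeof *no },
    };
    memcpy(out, tmpl, sizeof tmpl);
    return sizeof tmpl / sizeof tmpl[0];
}

/* Self-check: the template as built passes the policy. */
bool compliant_template_is_accepted(void)
{
    CK_BBOOL yes, no;
    CK_ATTRIBUTE tmpl[6];
    CK_ULONG n = build_rsa_private_template(tmpl, &yes, &no);
    return private_template_is_hardware_bound(tmpl, n);
}

/* Self-check: the same template with CKA_EXTRACTABLE flipped to TRUE is rejected. */
bool extractable_template_is_rejected(void)
{
    CK_BBOOL yes, no;
    CK_ATTRIBUTE tmpl[6];
    CK_ULONG n = build_rsa_private_template(tmpl, &yes, &no);
    for (CK_ULONG i = 0; i < n; i++)
        if (tmpl[i].type == CKA_EXTRACTABLE) tmpl[i].pValue = &yes;
    return !private_template_is_hardware_bound(tmpl, n);
}
```

CKA_SENSITIVE and CKA_EXTRACTABLE are one-way in the specification (SENSITIVE cannot be cleared and EXTRACTABLE cannot be set once false), so getting them right at generation time is what makes the key permanently hardware-bound; a check like this belongs in the caller because a module will happily generate an extractable key if asked.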