Menu
▾
▴
opensc-devel
|
From: Ferdinand R. <ra...@we...> - 2015-11-08 20:08:57
|
Dear all, I am trying to get PDF signatures to work with LibreOffice 5.0 and my D-TRUST card 3.0, which requires a properly set up Mozilla NSS, which in turn requires OpenSC. I access the card via an USB smart card reader "ReinerSCT cyberJack RFID komfort" on Debian Jessie Linux with OpenSC 0.15.0. The card is listed here, but not explicitly marked as supported: https://github.com/OpenSC/OpenSC/wiki/German-ID-Cards The card is (probably) a Starcos 3.4 type card, therefore, I compiled OpenSC 0.15.0 with the following patch: https://github.com/OpenSC/OpenSC/pull/357 The result is as follows: 1. I can see the certificates on the card in Mozilla NSS after entering my PIN number on the reader's pinpad. 2. I can select a certificate for signing in LibreOffice. Then, I am asked for my PIN both in a dialog on screen and again on the reader's pinpad. The reader's display says "PIN correct" and there is no error message, but no signature is applied to the document. 3. Alternatively, I tried signing an e-mail in Thunderbird. The result is slightly different: When sending the e-mail, I am prompted to enter my PIN on the reader's pinpad. The reader's display says "PIN correct", but the signing fails with the following error message: "Sending message failed. You specified that this message should be digitally signed, but the application either failed to find the signing certificate specified in your Mail & Newsgroups Account Settings, or the certificate has expired." Needless to say, the certificate has not expired. Please find below the output of serveral common commands. Could someone please confirm that a) the card suitable for this kind of digital signatures in principle b) the card is not supposed to work with OpenSC 0.15.0 without the aforementioned patch c) the card is supposed to work with OpenSC 0.15.0 with the patch and all future versions including the patch If someone can help with the troubleshooting, that would be awesome. Just getting definitve answers to the above a),b),c) would be a real good starting point, though. Best regards, and thanks in advance, Ferdinand > $ opensc-tool -i > OpenSC 0.15.0 [gcc 4.9.2] > Enabled features: zlib readline openssl pcsc(libpcsclite.so.1) ---------------------- > $ opensc-tool --list-readers > # Detected readers (pcsc) > Nr. Card Features Name > 0 Yes PIN pad REINER SCT cyberJack RFID komfort (4694896162) 00 00 ---------------------- > $ opensc-tool --name > Using reader with a card: REINER SCT cyberJack RFID komfort (4694896162) 00 00 > STARCOS SPK 3.4 ---------------------- > $ opensc-tool --atr > Using reader with a card: REINER SCT cyberJack RFID komfort (4694896162) 00 00 > 3b:d8:18:ff:81:b1:fe:45:1f:03:80:64:04:1a:b4:03:81:05:61 ---------------------- > $ pkcs11-tool --list-slots > Available slots: > Slot 0 (0xffffffff): Virtual hotplug slot > (empty) > Slot 1 (0x1): REINER SCT cyberJack RFID komfort (4694896162) 00 00 > token label : D-TRUST Card V3.0 standard 2ga ( > token manufacturer : D-TRUST GmbH (C) > token model : PKCS#15 > token flags : rng, login required, PIN initialized, PIN pad present, token initialized > hardware version : 0.0 > firmware version : 0.0 > serial num : > Slot 2 (0x2): REINER SCT cyberJack RFID komfort (4694896162) 00 00 > token label : D-TRUST Card V3.0 standard 2ga ( > token manufacturer : D-TRUST GmbH (C) > token model : PKCS#15 > token flags : rng, login required, PIN initialized, PIN pad present, token initialized > hardware version : 0.0 > firmware version : 0.0 > serial num : ---------------------- > $ pkcs11-tool --list-objects > Using slot 1 with a present token (0x1) > Public Key Object; RSA 2048 bits > label: D-TRUST Authentication Key > ID: 11 > Usage: encrypt, verify, wrap > Certificate Object, type = X.509 cert > label: D-TRUST Authentication Key > ID: 11 > Certificate Object, type = X.509 cert > label: > ID: 2d333730343631303735333036303830313534 > Public Key Object; RSA 2048 bits > label: > ID: 2d333730343631303735333036303830313534 > Usage: encrypt, verify > Certificate Object, type = X.509 cert > label: > ID: 2d32303036363939383139343731343534393238 > Public Key Object; RSA 2048 bits > label: > ID: 2d32303036363939383139343731343534393238 > Usage: encrypt, verify ---------------------- > $ pkcs15-tool -D > Using reader with a card: REINER SCT cyberJack RFID komfort (4694896162) 00 00 > PKCS#15 Card [D-TRUST Card V3.0 standard 2ga]: > Version : 0 > Serial number : > Manufacturer ID: D-TRUST GmbH (C) > Flags : Login required, EID compliant > > PIN [PIN1] > Object Flags : [0x3], private, modifiable > Auth ID : 03 > ID : 01 > Flags : [0x833], case-sensitive, local, initialized, needs-padding, exchangeRefData > Length : min_len:6, max_len:8, stored_len:8 > Pad char : 0xFF > Reference : 1 (0x01) > Type : iso 9664-1 > Path : a000000063504b43532d3135:: > > PIN [PUK1] > Object Flags : [0x3], private, modifiable > ID : 03 > Flags : [0x873], case-sensitive, local, initialized, needs-padding, unblockingPin, exchangeRefData > Length : min_len:8, max_len:8, stored_len:8 > Pad char : 0xFF > Reference : 1 (0x01) > Type : iso 9664-1 > Path : a000000063504b43532d3135:: > > PIN [PIN2] > Object Flags : [0x3], private, modifiable > Auth ID : 04 > ID : 02 > Flags : [0x833], case-sensitive, local, initialized, needs-padding, exchangeRefData > Length : min_len:6, max_len:8, stored_len:8 > Pad char : 0xFF > Reference : 129 (0x81) > Type : iso 9664-1 > Path : 3f000604 > > PIN [PUK2] > Object Flags : [0x3], private, modifiable > ID : 04 > Flags : [0x873], case-sensitive, local, initialized, needs-padding, unblockingPin, exchangeRefData > Length : min_len:8, max_len:8, stored_len:8 > Pad char : 0xFF > Reference : 129 (0x81) > Type : iso 9664-1 > Path : 3f000604 > > Private RSA Key [D-TRUST Authentication Key] > Object Flags : [0x1], private > Usage : [0x2E], decrypt, sign, signRecover, unwrap > Access Flags : [0x0] > ModLength : 2048 > Key ref : 1 (0x1) > Native : yes > Path : a000000063504b43532d3135::3f000fff0f01 > Auth ID : 01 > ID : 11 > MD:guid : {a8abd012-eb59-b862-bf9b-c1ea443d2f35} > :cmap flags : 0x0 > :sign : 0 > :key-exchange: 0 > > Private RSA Key [SigG Signature Key] > Object Flags : [0x1], private > Usage : [0x200], nonRepudiation > Access Flags : [0x0] > ModLength : 2048 > Key ref : 4 (0x4) > Native : yes > Path : a000000063504b43532d3135::3f0006040f01 > Auth ID : 02 > ID : 12 > MD:guid : {c4f87a62-90ae-e1ac-fc1f-26083974ce94} > :cmap flags : 0x0 > :sign : 0 > :key-exchange: 0 > > Public RSA Key [D-TRUST Authentication Key] > Object Flags : [0x2], modifiable > Usage : [0xD1], encrypt, wrap, verify, verifyRecover > Access Flags : [0x0] > ModLength : 2048 > Key ref : 1 (0x1) > Native : yes > Path : a000000063504b43532d3135::3f000fff0e01 > Auth ID : 01 > ID : 11 > > Public RSA Key [SigG Signature Key] > Object Flags : [0x2], modifiable > Usage : [0x204], sign, nonRepudiation > Access Flags : [0x0] > ModLength : 2048 > Key ref : 4 (0x4) > Native : yes > Path : a000000063504b43532d3135::3f0006040e01 > Auth ID : 02 > ID : 12 > > X.509 Certificate [D-TRUST Authentication Key] > Object Flags : [0x2], modifiable > Authority : no > Path : a000000063504b43532d3135::3f001501c100 > ID : 11 > Encoded serial : 02 03 168A81 > X.509 Certificate [SigG Signature Key] > Object Flags : [0x2], modifiable > Authority : no > Path : a000000063504b43532d3135::3f001501c103 > ID : 12 > Encoded serial : 02 03 168A82 > X.509 Certificate [] > Object Flags : [0x0] > Authority : no > Path : a000000063504b43532d3135::3f001501c102 > ID : 2d32303036363939383139343731343534393238 > Encoded serial : 02 03 030E96 > X.509 Certificate [] > Object Flags : [0x0] > Authority : no > Path : a000000063504b43532d3135::3f001501c101 > ID : 2d333730343631303735333036303830313534 > Encoded serial : 02 03 097D43 > X.509 Certificate [] > Object Flags : [0x0] > Authority : no > Path : a000000063504b43532d3135::3f001501c105 > ID : 37353738323838313038333736373637303437 > Encoded serial : 02 03 159923 > X.509 Certificate [] > Object Flags : [0x0] > Authority : no > Path : a000000063504b43532d3135::3f001501c104 > ID : 38323832353936323735353833303736353131 > Encoded serial : 02 03 159924 ---------------------- > $ pcsc_scan > PC/SC device scanner > V 1.4.23 (c) 2001-2011, Ludovic Rousseau <lud...@fr...> > Compiled with PC/SC lite version: 1.8.11 > Using reader plug'n play mechanism > Scanning present readers... > 0: REINER SCT cyberJack RFID komfort (4694896162) 00 00 > > Sat Nov 7 01:39:47 2015 > Reader 0: REINER SCT cyberJack RFID komfort (4694896162) 00 00 > Card state: Card inserted, > ATR: 3B D8 18 FF 81 B1 FE 45 1F 03 80 64 04 1A B4 03 81 05 61 > > ATR: 3B D8 18 FF 81 B1 FE 45 1F 03 80 64 04 1A B4 03 81 05 61 > + TS = 3B --> Direct Convention > + T0 = D8, Y(1): 1101, K: 8 (historical bytes) > TA(1) = 18 --> Fi=372, Di=12, 31 cycles/ETU > 129032 bits/s at 4 MHz, fMax for Fi = 5 MHz => 161290 bits/s > TC(1) = FF --> Extra guard time: 255 (special value) > TD(1) = 81 --> Y(i+1) = 1000, Protocol T = 1 > ----- > TD(2) = B1 --> Y(i+1) = 1011, Protocol T = 1 > ----- > TA(3) = FE --> IFSC: 254 > TB(3) = 45 --> Block Waiting Integer: 4 - Character Waiting Integer: 5 > TD(3) = 1F --> Y(i+1) = 0001, Protocol T = 15 - Global interface bytes following > ----- > TA(4) = 03 --> Clock stop: not supported - Class accepted by the card: (3G) A 5V B 3V > + Historical bytes: 80 64 04 1A B4 03 81 05 > Category indicator byte: 80 (compact TLV data object) > Tag: 6, len: 4 (pre-issuing data) > Data: 04 1A B4 03 > Tag: 8, len: 1 (status indicator) > LCS (life card cycle): 05 > + TCK = 61 (correct checksum) > > Possibly identified card (using /usr/share/pcsc/smartcard_list.txt): > 3B D8 18 FF 81 B1 FE 45 1F 03 80 64 04 1A B4 03 81 05 61 > D-Trust multicard advanced 3.1 > German public health insurance card ("Gesundheitskarte"), issuer SBK "Siemens Betriebskrankenkasse" Note: This is not fully correct. This type of card is used for the German health insurance, but also for other uses, such as my QES signautre card. The name is incorrectly hardcoded in the list that ships with pcsc_scan. |
|
From: Andreas S. <and...@ca...> - 2015-11-08 21:21:38
|
Hi Ferdinand, can you set OPENSC_DEBUG=9 so we can see what is going on ? As an alternative you could try [1], which has been tested with D-Trust 3.0 cards. Andreas [1] https://github.com/CardContact/sc-hsm-embedded/wiki/PKCS11 On 11/08/2015 09:08 PM, Ferdinand Rau wrote: > Dear all, > > I am trying to get PDF signatures to work with LibreOffice 5.0 and my D-TRUST card 3.0, which requires a properly set up Mozilla NSS, which in turn requires OpenSC. I access the card via an USB smart card reader "ReinerSCT cyberJack RFID komfort" on Debian Jessie Linux with OpenSC 0.15.0. > The card is listed here, but not explicitly marked as supported: https://github.com/OpenSC/OpenSC/wiki/German-ID-Cards > > The card is (probably) a Starcos 3.4 type card, therefore, I compiled OpenSC 0.15.0 with the following patch: > https://github.com/OpenSC/OpenSC/pull/357 > > The result is as follows: > 1. I can see the certificates on the card in Mozilla NSS after entering my PIN number on the reader's pinpad. > > 2. I can select a certificate for signing in LibreOffice. Then, I am asked for my PIN both in a dialog on screen and again on the reader's pinpad. The reader's display says "PIN correct" and there is no error message, but no signature is applied to the document. > > 3. Alternatively, I tried signing an e-mail in Thunderbird. The result is slightly different: When sending the e-mail, I am prompted to enter my PIN on the reader's pinpad. The reader's display says "PIN correct", but the signing fails with the following error message: "Sending message failed. You specified that this message should be digitally signed, but the application either failed to find the signing certificate specified in your Mail & Newsgroups Account Settings, or the certificate has expired." Needless to say, the certificate has not expired. > > Please find below the output of serveral common commands. Could someone please confirm that > a) the card suitable for this kind of digital signatures in principle > b) the card is not supposed to work with OpenSC 0.15.0 without the aforementioned patch > c) the card is supposed to work with OpenSC 0.15.0 with the patch and all future versions including the patch > > If someone can help with the troubleshooting, that would be awesome. Just getting definitve answers to the above a),b),c) would be a real good starting point, though. > > Best regards, and thanks in advance, > Ferdinand > > >> $ opensc-tool -i >> OpenSC 0.15.0 [gcc 4.9.2] >> Enabled features: zlib readline openssl pcsc(libpcsclite.so.1) > > ---------------------- > >> $ opensc-tool --list-readers >> # Detected readers (pcsc) >> Nr. Card Features Name >> 0 Yes PIN pad REINER SCT cyberJack RFID komfort (4694896162) 00 00 > > ---------------------- > >> $ opensc-tool --name >> Using reader with a card: REINER SCT cyberJack RFID komfort (4694896162) 00 00 >> STARCOS SPK 3.4 > > ---------------------- > >> $ opensc-tool --atr >> Using reader with a card: REINER SCT cyberJack RFID komfort (4694896162) 00 00 >> 3b:d8:18:ff:81:b1:fe:45:1f:03:80:64:04:1a:b4:03:81:05:61 > > ---------------------- > >> $ pkcs11-tool --list-slots >> Available slots: >> Slot 0 (0xffffffff): Virtual hotplug slot >> (empty) >> Slot 1 (0x1): REINER SCT cyberJack RFID komfort (4694896162) 00 00 >> token label : D-TRUST Card V3.0 standard 2ga ( >> token manufacturer : D-TRUST GmbH (C) >> token model : PKCS#15 >> token flags : rng, login required, PIN initialized, PIN pad present, token initialized >> hardware version : 0.0 >> firmware version : 0.0 >> serial num : >> Slot 2 (0x2): REINER SCT cyberJack RFID komfort (4694896162) 00 00 >> token label : D-TRUST Card V3.0 standard 2ga ( >> token manufacturer : D-TRUST GmbH (C) >> token model : PKCS#15 >> token flags : rng, login required, PIN initialized, PIN pad present, token initialized >> hardware version : 0.0 >> firmware version : 0.0 >> serial num : > > ---------------------- > >> $ pkcs11-tool --list-objects >> Using slot 1 with a present token (0x1) >> Public Key Object; RSA 2048 bits >> label: D-TRUST Authentication Key >> ID: 11 >> Usage: encrypt, verify, wrap >> Certificate Object, type = X.509 cert >> label: D-TRUST Authentication Key >> ID: 11 >> Certificate Object, type = X.509 cert >> label: >> ID: 2d333730343631303735333036303830313534 >> Public Key Object; RSA 2048 bits >> label: >> ID: 2d333730343631303735333036303830313534 >> Usage: encrypt, verify >> Certificate Object, type = X.509 cert >> label: >> ID: 2d32303036363939383139343731343534393238 >> Public Key Object; RSA 2048 bits >> label: >> ID: 2d32303036363939383139343731343534393238 >> Usage: encrypt, verify > > ---------------------- > >> $ pkcs15-tool -D >> Using reader with a card: REINER SCT cyberJack RFID komfort (4694896162) 00 00 >> PKCS#15 Card [D-TRUST Card V3.0 standard 2ga]: >> Version : 0 >> Serial number : >> Manufacturer ID: D-TRUST GmbH (C) >> Flags : Login required, EID compliant >> >> PIN [PIN1] >> Object Flags : [0x3], private, modifiable >> Auth ID : 03 >> ID : 01 >> Flags : [0x833], case-sensitive, local, initialized, needs-padding, exchangeRefData >> Length : min_len:6, max_len:8, stored_len:8 >> Pad char : 0xFF >> Reference : 1 (0x01) >> Type : iso 9664-1 >> Path : a000000063504b43532d3135:: >> >> PIN [PUK1] >> Object Flags : [0x3], private, modifiable >> ID : 03 >> Flags : [0x873], case-sensitive, local, initialized, needs-padding, unblockingPin, exchangeRefData >> Length : min_len:8, max_len:8, stored_len:8 >> Pad char : 0xFF >> Reference : 1 (0x01) >> Type : iso 9664-1 >> Path : a000000063504b43532d3135:: >> >> PIN [PIN2] >> Object Flags : [0x3], private, modifiable >> Auth ID : 04 >> ID : 02 >> Flags : [0x833], case-sensitive, local, initialized, needs-padding, exchangeRefData >> Length : min_len:6, max_len:8, stored_len:8 >> Pad char : 0xFF >> Reference : 129 (0x81) >> Type : iso 9664-1 >> Path : 3f000604 >> >> PIN [PUK2] >> Object Flags : [0x3], private, modifiable >> ID : 04 >> Flags : [0x873], case-sensitive, local, initialized, needs-padding, unblockingPin, exchangeRefData >> Length : min_len:8, max_len:8, stored_len:8 >> Pad char : 0xFF >> Reference : 129 (0x81) >> Type : iso 9664-1 >> Path : 3f000604 >> >> Private RSA Key [D-TRUST Authentication Key] >> Object Flags : [0x1], private >> Usage : [0x2E], decrypt, sign, signRecover, unwrap >> Access Flags : [0x0] >> ModLength : 2048 >> Key ref : 1 (0x1) >> Native : yes >> Path : a000000063504b43532d3135::3f000fff0f01 >> Auth ID : 01 >> ID : 11 >> MD:guid : {a8abd012-eb59-b862-bf9b-c1ea443d2f35} >> :cmap flags : 0x0 >> :sign : 0 >> :key-exchange: 0 >> >> Private RSA Key [SigG Signature Key] >> Object Flags : [0x1], private >> Usage : [0x200], nonRepudiation >> Access Flags : [0x0] >> ModLength : 2048 >> Key ref : 4 (0x4) >> Native : yes >> Path : a000000063504b43532d3135::3f0006040f01 >> Auth ID : 02 >> ID : 12 >> MD:guid : {c4f87a62-90ae-e1ac-fc1f-26083974ce94} >> :cmap flags : 0x0 >> :sign : 0 >> :key-exchange: 0 >> >> Public RSA Key [D-TRUST Authentication Key] >> Object Flags : [0x2], modifiable >> Usage : [0xD1], encrypt, wrap, verify, verifyRecover >> Access Flags : [0x0] >> ModLength : 2048 >> Key ref : 1 (0x1) >> Native : yes >> Path : a000000063504b43532d3135::3f000fff0e01 >> Auth ID : 01 >> ID : 11 >> >> Public RSA Key [SigG Signature Key] >> Object Flags : [0x2], modifiable >> Usage : [0x204], sign, nonRepudiation >> Access Flags : [0x0] >> ModLength : 2048 >> Key ref : 4 (0x4) >> Native : yes >> Path : a000000063504b43532d3135::3f0006040e01 >> Auth ID : 02 >> ID : 12 >> >> X.509 Certificate [D-TRUST Authentication Key] >> Object Flags : [0x2], modifiable >> Authority : no >> Path : a000000063504b43532d3135::3f001501c100 >> ID : 11 >> Encoded serial : 02 03 168A81 >> X.509 Certificate [SigG Signature Key] >> Object Flags : [0x2], modifiable >> Authority : no >> Path : a000000063504b43532d3135::3f001501c103 >> ID : 12 >> Encoded serial : 02 03 168A82 >> X.509 Certificate [] >> Object Flags : [0x0] >> Authority : no >> Path : a000000063504b43532d3135::3f001501c102 >> ID : 2d32303036363939383139343731343534393238 >> Encoded serial : 02 03 030E96 >> X.509 Certificate [] >> Object Flags : [0x0] >> Authority : no >> Path : a000000063504b43532d3135::3f001501c101 >> ID : 2d333730343631303735333036303830313534 >> Encoded serial : 02 03 097D43 >> X.509 Certificate [] >> Object Flags : [0x0] >> Authority : no >> Path : a000000063504b43532d3135::3f001501c105 >> ID : 37353738323838313038333736373637303437 >> Encoded serial : 02 03 159923 >> X.509 Certificate [] >> Object Flags : [0x0] >> Authority : no >> Path : a000000063504b43532d3135::3f001501c104 >> ID : 38323832353936323735353833303736353131 >> Encoded serial : 02 03 159924 > > ---------------------- > >> $ pcsc_scan >> PC/SC device scanner >> V 1.4.23 (c) 2001-2011, Ludovic Rousseau <lud...@fr...> >> Compiled with PC/SC lite version: 1.8.11 >> Using reader plug'n play mechanism >> Scanning present readers... >> 0: REINER SCT cyberJack RFID komfort (4694896162) 00 00 >> >> Sat Nov 7 01:39:47 2015 >> Reader 0: REINER SCT cyberJack RFID komfort (4694896162) 00 00 >> Card state: Card inserted, >> ATR: 3B D8 18 FF 81 B1 FE 45 1F 03 80 64 04 1A B4 03 81 05 61 >> >> ATR: 3B D8 18 FF 81 B1 FE 45 1F 03 80 64 04 1A B4 03 81 05 61 >> + TS = 3B --> Direct Convention >> + T0 = D8, Y(1): 1101, K: 8 (historical bytes) >> TA(1) = 18 --> Fi=372, Di=12, 31 cycles/ETU >> 129032 bits/s at 4 MHz, fMax for Fi = 5 MHz => 161290 bits/s >> TC(1) = FF --> Extra guard time: 255 (special value) >> TD(1) = 81 --> Y(i+1) = 1000, Protocol T = 1 >> ----- >> TD(2) = B1 --> Y(i+1) = 1011, Protocol T = 1 >> ----- >> TA(3) = FE --> IFSC: 254 >> TB(3) = 45 --> Block Waiting Integer: 4 - Character Waiting Integer: 5 >> TD(3) = 1F --> Y(i+1) = 0001, Protocol T = 15 - Global interface bytes following >> ----- >> TA(4) = 03 --> Clock stop: not supported - Class accepted by the card: (3G) A 5V B 3V >> + Historical bytes: 80 64 04 1A B4 03 81 05 >> Category indicator byte: 80 (compact TLV data object) >> Tag: 6, len: 4 (pre-issuing data) >> Data: 04 1A B4 03 >> Tag: 8, len: 1 (status indicator) >> LCS (life card cycle): 05 >> + TCK = 61 (correct checksum) >> >> Possibly identified card (using /usr/share/pcsc/smartcard_list.txt): >> 3B D8 18 FF 81 B1 FE 45 1F 03 80 64 04 1A B4 03 81 05 61 >> D-Trust multicard advanced 3.1 >> German public health insurance card ("Gesundheitskarte"), issuer SBK "Siemens Betriebskrankenkasse" > > Note: This is not fully correct. This type of card is used for the German health insurance, but also for other uses, such as my QES signautre card. The name is incorrectly hardcoded in the list that ships with pcsc_scan. > > ------------------------------------------------------------------------------ > _______________________________________________ > Opensc-devel mailing list > Ope...@li... > https://lists.sourceforge.net/lists/listinfo/opensc-devel > -- --------- CardContact Software & System Consulting |.##> <##.| Andreas Schwier |# #| Schülerweg 38 |# #| 32429 Minden, Germany |'##> <##'| Phone +49 571 56149 --------- http://www.cardcontact.de http://www.tscons.de http://www.openscdp.org http://www.smartcard-hsm.com -- --------- CardContact Software & System Consulting |.##> <##.| Andreas Schwier |# #| Schülerweg 38 |# #| 32429 Minden, Germany |'##> <##'| Phone +49 571 56149 --------- http://www.cardcontact.de http://www.tscons.de http://www.openscdp.org http://www.smartcard-hsm.com |
|
From: Ferdinand R. <ra...@we...> - 2015-11-09 08:51:35
|
Dear Andreas, Please find here the requested output of OpenSC: https://www.dropbox.com/s/9boccale15atwkd/OPENSC_DEBUG.txt.zip?dl=1 (The file was too large for direct mailing) It was recorded with OPENSC_DEBUG=9 during the following actions: Starting Thunderbird, connecting the reader, inserting the smart card, trying to send an encrypted e-mail, waiting for error message, killing Thunderbird. Note that with OPENSC_DEBUG set to 9, Thunderbird freezes before presenting the previously mentioned error message. It may be related to the enormous 500000 lines of DEBUG output OpenSC had to process :-) I hope the log file is helpful anyway. I have had issues with this particular card reader and CTAPI. If there is no other way to make this work, I can still try the sc-hsm-embedded alternative, but currently, I prefer to stay with pcscd Best, Ferdinand On 11/08/2015 10:21 PM, Andreas Schwier <and...@ca...> wrote: > Hi Ferdinand, > > can you set OPENSC_DEBUG=9 so we can see what is going on ? > > As an alternative you could try [1], which has been tested with D-Trust > 3.0 cards. > > Andreas > > [1] https://github.com/CardContact/sc-hsm-embedded/wiki/PKCS11 > > On 11/08/2015 09:08 PM, Ferdinand Rau wrote: >> Dear all, >> >> I am trying to get PDF signatures to work with LibreOffice 5.0 and my D-TRUST card 3.0, which requires a properly set up Mozilla NSS, which in turn requires OpenSC. I access the card via an USB smart card reader "ReinerSCT cyberJack RFID komfort" on Debian Jessie Linux with OpenSC 0.15.0. >> The card is listed here, but not explicitly marked as supported: https://github.com/OpenSC/OpenSC/wiki/German-ID-Cards >> >> The card is (probably) a Starcos 3.4 type card, therefore, I compiled OpenSC 0.15.0 with the following patch: >> https://github.com/OpenSC/OpenSC/pull/357 >> >> The result is as follows: >> 1. I can see the certificates on the card in Mozilla NSS after entering my PIN number on the reader's pinpad. >> >> 2. I can select a certificate for signing in LibreOffice. Then, I am asked for my PIN both in a dialog on screen and again on the reader's pinpad. The reader's display says "PIN correct" and there is no error message, but no signature is applied to the document. >> >> 3. Alternatively, I tried signing an e-mail in Thunderbird. The result is slightly different: When sending the e-mail, I am prompted to enter my PIN on the reader's pinpad. The reader's display says "PIN correct", but the signing fails with the following error message: "Sending message failed. You specified that this message should be digitally signed, but the application either failed to find the signing certificate specified in your Mail & Newsgroups Account Settings, or the certificate has expired." Needless to say, the certificate has not expired. >> >> Please find below the output of serveral common commands. Could someone please confirm that >> a) the card suitable for this kind of digital signatures in principle >> b) the card is not supposed to work with OpenSC 0.15.0 without the aforementioned patch >> c) the card is supposed to work with OpenSC 0.15.0 with the patch and all future versions including the patch >> >> If someone can help with the troubleshooting, that would be awesome. Just getting definitve answers to the above a),b),c) would be a real good starting point, though. >> >> Best regards, and thanks in advance, >> Ferdinand >> >> >>> $ opensc-tool -i >>> OpenSC 0.15.0 [gcc 4.9.2] >>> Enabled features: zlib readline openssl pcsc(libpcsclite.so.1) >> >> ---------------------- >> >>> $ opensc-tool --list-readers >>> # Detected readers (pcsc) >>> Nr. Card Features Name >>> 0 Yes PIN pad REINER SCT cyberJack RFID komfort (4694896162) 00 00 >> >> ---------------------- >> >>> $ opensc-tool --name >>> Using reader with a card: REINER SCT cyberJack RFID komfort (4694896162) 00 00 >>> STARCOS SPK 3.4 >> >> ---------------------- >> >>> $ opensc-tool --atr >>> Using reader with a card: REINER SCT cyberJack RFID komfort (4694896162) 00 00 >>> 3b:d8:18:ff:81:b1:fe:45:1f:03:80:64:04:1a:b4:03:81:05:61 >> >> ---------------------- >> >>> $ pkcs11-tool --list-slots >>> Available slots: >>> Slot 0 (0xffffffff): Virtual hotplug slot >>> (empty) >>> Slot 1 (0x1): REINER SCT cyberJack RFID komfort (4694896162) 00 00 >>> token label : D-TRUST Card V3.0 standard 2ga ( >>> token manufacturer : D-TRUST GmbH (C) >>> token model : PKCS#15 >>> token flags : rng, login required, PIN initialized, PIN pad present, token initialized >>> hardware version : 0.0 >>> firmware version : 0.0 >>> serial num : >>> Slot 2 (0x2): REINER SCT cyberJack RFID komfort (4694896162) 00 00 >>> token label : D-TRUST Card V3.0 standard 2ga ( >>> token manufacturer : D-TRUST GmbH (C) >>> token model : PKCS#15 >>> token flags : rng, login required, PIN initialized, PIN pad present, token initialized >>> hardware version : 0.0 >>> firmware version : 0.0 >>> serial num : >> >> ---------------------- >> >>> $ pkcs11-tool --list-objects >>> Using slot 1 with a present token (0x1) >>> Public Key Object; RSA 2048 bits >>> label: D-TRUST Authentication Key >>> ID: 11 >>> Usage: encrypt, verify, wrap >>> Certificate Object, type = X.509 cert >>> label: D-TRUST Authentication Key >>> ID: 11 >>> Certificate Object, type = X.509 cert >>> label: >>> ID: 2d333730343631303735333036303830313534 >>> Public Key Object; RSA 2048 bits >>> label: >>> ID: 2d333730343631303735333036303830313534 >>> Usage: encrypt, verify >>> Certificate Object, type = X.509 cert >>> label: >>> ID: 2d32303036363939383139343731343534393238 >>> Public Key Object; RSA 2048 bits >>> label: >>> ID: 2d32303036363939383139343731343534393238 >>> Usage: encrypt, verify >> >> ---------------------- >> >>> $ pkcs15-tool -D >>> Using reader with a card: REINER SCT cyberJack RFID komfort (4694896162) 00 00 >>> PKCS#15 Card [D-TRUST Card V3.0 standard 2ga]: >>> Version : 0 >>> Serial number : >>> Manufacturer ID: D-TRUST GmbH (C) >>> Flags : Login required, EID compliant >>> >>> PIN [PIN1] >>> Object Flags : [0x3], private, modifiable >>> Auth ID : 03 >>> ID : 01 >>> Flags : [0x833], case-sensitive, local, initialized, needs-padding, exchangeRefData >>> Length : min_len:6, max_len:8, stored_len:8 >>> Pad char : 0xFF >>> Reference : 1 (0x01) >>> Type : iso 9664-1 >>> Path : a000000063504b43532d3135:: >>> >>> PIN [PUK1] >>> Object Flags : [0x3], private, modifiable >>> ID : 03 >>> Flags : [0x873], case-sensitive, local, initialized, needs-padding, unblockingPin, exchangeRefData >>> Length : min_len:8, max_len:8, stored_len:8 >>> Pad char : 0xFF >>> Reference : 1 (0x01) >>> Type : iso 9664-1 >>> Path : a000000063504b43532d3135:: >>> >>> PIN [PIN2] >>> Object Flags : [0x3], private, modifiable >>> Auth ID : 04 >>> ID : 02 >>> Flags : [0x833], case-sensitive, local, initialized, needs-padding, exchangeRefData >>> Length : min_len:6, max_len:8, stored_len:8 >>> Pad char : 0xFF >>> Reference : 129 (0x81) >>> Type : iso 9664-1 >>> Path : 3f000604 >>> >>> PIN [PUK2] >>> Object Flags : [0x3], private, modifiable >>> ID : 04 >>> Flags : [0x873], case-sensitive, local, initialized, needs-padding, unblockingPin, exchangeRefData >>> Length : min_len:8, max_len:8, stored_len:8 >>> Pad char : 0xFF >>> Reference : 129 (0x81) >>> Type : iso 9664-1 >>> Path : 3f000604 >>> >>> Private RSA Key [D-TRUST Authentication Key] >>> Object Flags : [0x1], private >>> Usage : [0x2E], decrypt, sign, signRecover, unwrap >>> Access Flags : [0x0] >>> ModLength : 2048 >>> Key ref : 1 (0x1) >>> Native : yes >>> Path : a000000063504b43532d3135::3f000fff0f01 >>> Auth ID : 01 >>> ID : 11 >>> MD:guid : {a8abd012-eb59-b862-bf9b-c1ea443d2f35} >>> :cmap flags : 0x0 >>> :sign : 0 >>> :key-exchange: 0 >>> >>> Private RSA Key [SigG Signature Key] >>> Object Flags : [0x1], private >>> Usage : [0x200], nonRepudiation >>> Access Flags : [0x0] >>> ModLength : 2048 >>> Key ref : 4 (0x4) >>> Native : yes >>> Path : a000000063504b43532d3135::3f0006040f01 >>> Auth ID : 02 >>> ID : 12 >>> MD:guid : {c4f87a62-90ae-e1ac-fc1f-26083974ce94} >>> :cmap flags : 0x0 >>> :sign : 0 >>> :key-exchange: 0 >>> >>> Public RSA Key [D-TRUST Authentication Key] >>> Object Flags : [0x2], modifiable >>> Usage : [0xD1], encrypt, wrap, verify, verifyRecover >>> Access Flags : [0x0] >>> ModLength : 2048 >>> Key ref : 1 (0x1) >>> Native : yes >>> Path : a000000063504b43532d3135::3f000fff0e01 >>> Auth ID : 01 >>> ID : 11 >>> >>> Public RSA Key [SigG Signature Key] >>> Object Flags : [0x2], modifiable >>> Usage : [0x204], sign, nonRepudiation >>> Access Flags : [0x0] >>> ModLength : 2048 >>> Key ref : 4 (0x4) >>> Native : yes >>> Path : a000000063504b43532d3135::3f0006040e01 >>> Auth ID : 02 >>> ID : 12 >>> >>> X.509 Certificate [D-TRUST Authentication Key] >>> Object Flags : [0x2], modifiable >>> Authority : no >>> Path : a000000063504b43532d3135::3f001501c100 >>> ID : 11 >>> Encoded serial : 02 03 168A81 >>> X.509 Certificate [SigG Signature Key] >>> Object Flags : [0x2], modifiable >>> Authority : no >>> Path : a000000063504b43532d3135::3f001501c103 >>> ID : 12 >>> Encoded serial : 02 03 168A82 >>> X.509 Certificate [] >>> Object Flags : [0x0] >>> Authority : no >>> Path : a000000063504b43532d3135::3f001501c102 >>> ID : 2d32303036363939383139343731343534393238 >>> Encoded serial : 02 03 030E96 >>> X.509 Certificate [] >>> Object Flags : [0x0] >>> Authority : no >>> Path : a000000063504b43532d3135::3f001501c101 >>> ID : 2d333730343631303735333036303830313534 >>> Encoded serial : 02 03 097D43 >>> X.509 Certificate [] >>> Object Flags : [0x0] >>> Authority : no >>> Path : a000000063504b43532d3135::3f001501c105 >>> ID : 37353738323838313038333736373637303437 >>> Encoded serial : 02 03 159923 >>> X.509 Certificate [] >>> Object Flags : [0x0] >>> Authority : no >>> Path : a000000063504b43532d3135::3f001501c104 >>> ID : 38323832353936323735353833303736353131 >>> Encoded serial : 02 03 159924 >> >> ---------------------- >> >>> $ pcsc_scan >>> PC/SC device scanner >>> V 1.4.23 (c) 2001-2011, Ludovic Rousseau <lud...@fr...> >>> Compiled with PC/SC lite version: 1.8.11 >>> Using reader plug'n play mechanism >>> Scanning present readers... >>> 0: REINER SCT cyberJack RFID komfort (4694896162) 00 00 >>> >>> Sat Nov 7 01:39:47 2015 >>> Reader 0: REINER SCT cyberJack RFID komfort (4694896162) 00 00 >>> Card state: Card inserted, >>> ATR: 3B D8 18 FF 81 B1 FE 45 1F 03 80 64 04 1A B4 03 81 05 61 >>> >>> ATR: 3B D8 18 FF 81 B1 FE 45 1F 03 80 64 04 1A B4 03 81 05 61 >>> + TS = 3B --> Direct Convention >>> + T0 = D8, Y(1): 1101, K: 8 (historical bytes) >>> TA(1) = 18 --> Fi=372, Di=12, 31 cycles/ETU >>> 129032 bits/s at 4 MHz, fMax for Fi = 5 MHz => 161290 bits/s >>> TC(1) = FF --> Extra guard time: 255 (special value) >>> TD(1) = 81 --> Y(i+1) = 1000, Protocol T = 1 >>> ----- >>> TD(2) = B1 --> Y(i+1) = 1011, Protocol T = 1 >>> ----- >>> TA(3) = FE --> IFSC: 254 >>> TB(3) = 45 --> Block Waiting Integer: 4 - Character Waiting Integer: 5 >>> TD(3) = 1F --> Y(i+1) = 0001, Protocol T = 15 - Global interface bytes following >>> ----- >>> TA(4) = 03 --> Clock stop: not supported - Class accepted by the card: (3G) A 5V B 3V >>> + Historical bytes: 80 64 04 1A B4 03 81 05 >>> Category indicator byte: 80 (compact TLV data object) >>> Tag: 6, len: 4 (pre-issuing data) >>> Data: 04 1A B4 03 >>> Tag: 8, len: 1 (status indicator) >>> LCS (life card cycle): 05 >>> + TCK = 61 (correct checksum) >>> >>> Possibly identified card (using /usr/share/pcsc/smartcard_list.txt): >>> 3B D8 18 FF 81 B1 FE 45 1F 03 80 64 04 1A B4 03 81 05 61 >>> D-Trust multicard advanced 3.1 >>> German public health insurance card ("Gesundheitskarte"), issuer SBK "Siemens Betriebskrankenkasse" >> >> Note: This is not fully correct. This type of card is used for the German health insurance, but also for other uses, such as my QES signautre card. The name is incorrectly hardcoded in the list that ships with pcsc_scan. >> >> ------------------------------------------------------------------------------ >> _______________________________________________ >> Opensc-devel mailing list >> Ope...@li... >> https://lists.sourceforge.net/lists/listinfo/opensc-devel |
|
From: Andreas S. <and...@ca...> - 2015-11-09 13:36:23
|
Hi Ferdinand, I can't see any interaction with the card other than using the random number generator (00 84 00 00 APDUs in the log). I'm not sure what Thunderbird is trying to do. On 11/09/2015 09:51 AM, Ferdinand Rau wrote: > Dear Andreas, > > Please find here the requested output of OpenSC: > https://www.dropbox.com/s/9boccale15atwkd/OPENSC_DEBUG.txt.zip?dl=1 > (The file was too large for direct mailing) > > It was recorded with OPENSC_DEBUG=9 during the following actions: > Starting Thunderbird, connecting the reader, inserting the smart card, trying to send an encrypted e-mail, waiting for error message, killing Thunderbird. > > Note that with OPENSC_DEBUG set to 9, Thunderbird freezes before presenting the previously mentioned error message. It may be related to the enormous 500000 lines of DEBUG output OpenSC had to process :-) > I hope the log file is helpful anyway. > > I have had issues with this particular card reader and CTAPI. If there is no other way to make this work, I can still try the sc-hsm-embedded alternative, but currently, I prefer to stay with pcscd > > Best, > Ferdinand > > > > On 11/08/2015 10:21 PM, Andreas Schwier <and...@ca...> wrote: >> Hi Ferdinand, >> >> can you set OPENSC_DEBUG=9 so we can see what is going on ? >> >> As an alternative you could try [1], which has been tested with D-Trust >> 3.0 cards. >> >> Andreas >> >> [1] https://github.com/CardContact/sc-hsm-embedded/wiki/PKCS11 >> >> On 11/08/2015 09:08 PM, Ferdinand Rau wrote: >>> Dear all, >>> >>> I am trying to get PDF signatures to work with LibreOffice 5.0 and my D-TRUST card 3.0, which requires a properly set up Mozilla NSS, which in turn requires OpenSC. I access the card via an USB smart card reader "ReinerSCT cyberJack RFID komfort" on Debian Jessie Linux with OpenSC 0.15.0. >>> The card is listed here, but not explicitly marked as supported: https://github.com/OpenSC/OpenSC/wiki/German-ID-Cards >>> >>> The card is (probably) a Starcos 3.4 type card, therefore, I compiled OpenSC 0.15.0 with the following patch: >>> https://github.com/OpenSC/OpenSC/pull/357 >>> >>> The result is as follows: >>> 1. I can see the certificates on the card in Mozilla NSS after entering my PIN number on the reader's pinpad. >>> >>> 2. I can select a certificate for signing in LibreOffice. Then, I am asked for my PIN both in a dialog on screen and again on the reader's pinpad. The reader's display says "PIN correct" and there is no error message, but no signature is applied to the document. >>> >>> 3. Alternatively, I tried signing an e-mail in Thunderbird. The result is slightly different: When sending the e-mail, I am prompted to enter my PIN on the reader's pinpad. The reader's display says "PIN correct", but the signing fails with the following error message: "Sending message failed. You specified that this message should be digitally signed, but the application either failed to find the signing certificate specified in your Mail & Newsgroups Account Settings, or the certificate has expired." Needless to say, the certificate has not expired. >>> >>> Please find below the output of serveral common commands. Could someone please confirm that >>> a) the card suitable for this kind of digital signatures in principle >>> b) the card is not supposed to work with OpenSC 0.15.0 without the aforementioned patch >>> c) the card is supposed to work with OpenSC 0.15.0 with the patch and all future versions including the patch >>> >>> If someone can help with the troubleshooting, that would be awesome. Just getting definitve answers to the above a),b),c) would be a real good starting point, though. >>> >>> Best regards, and thanks in advance, >>> Ferdinand >>> >>> >>>> $ opensc-tool -i >>>> OpenSC 0.15.0 [gcc 4.9.2] >>>> Enabled features: zlib readline openssl pcsc(libpcsclite.so.1) >>> >>> ---------------------- >>> >>>> $ opensc-tool --list-readers >>>> # Detected readers (pcsc) >>>> Nr. Card Features Name >>>> 0 Yes PIN pad REINER SCT cyberJack RFID komfort (4694896162) 00 00 >>> >>> ---------------------- >>> >>>> $ opensc-tool --name >>>> Using reader with a card: REINER SCT cyberJack RFID komfort (4694896162) 00 00 >>>> STARCOS SPK 3.4 >>> >>> ---------------------- >>> >>>> $ opensc-tool --atr >>>> Using reader with a card: REINER SCT cyberJack RFID komfort (4694896162) 00 00 >>>> 3b:d8:18:ff:81:b1:fe:45:1f:03:80:64:04:1a:b4:03:81:05:61 >>> >>> ---------------------- >>> >>>> $ pkcs11-tool --list-slots >>>> Available slots: >>>> Slot 0 (0xffffffff): Virtual hotplug slot >>>> (empty) >>>> Slot 1 (0x1): REINER SCT cyberJack RFID komfort (4694896162) 00 00 >>>> token label : D-TRUST Card V3.0 standard 2ga ( >>>> token manufacturer : D-TRUST GmbH (C) >>>> token model : PKCS#15 >>>> token flags : rng, login required, PIN initialized, PIN pad present, token initialized >>>> hardware version : 0.0 >>>> firmware version : 0.0 >>>> serial num : >>>> Slot 2 (0x2): REINER SCT cyberJack RFID komfort (4694896162) 00 00 >>>> token label : D-TRUST Card V3.0 standard 2ga ( >>>> token manufacturer : D-TRUST GmbH (C) >>>> token model : PKCS#15 >>>> token flags : rng, login required, PIN initialized, PIN pad present, token initialized >>>> hardware version : 0.0 >>>> firmware version : 0.0 >>>> serial num : >>> >>> ---------------------- >>> >>>> $ pkcs11-tool --list-objects >>>> Using slot 1 with a present token (0x1) >>>> Public Key Object; RSA 2048 bits >>>> label: D-TRUST Authentication Key >>>> ID: 11 >>>> Usage: encrypt, verify, wrap >>>> Certificate Object, type = X.509 cert >>>> label: D-TRUST Authentication Key >>>> ID: 11 >>>> Certificate Object, type = X.509 cert >>>> label: >>>> ID: 2d333730343631303735333036303830313534 >>>> Public Key Object; RSA 2048 bits >>>> label: >>>> ID: 2d333730343631303735333036303830313534 >>>> Usage: encrypt, verify >>>> Certificate Object, type = X.509 cert >>>> label: >>>> ID: 2d32303036363939383139343731343534393238 >>>> Public Key Object; RSA 2048 bits >>>> label: >>>> ID: 2d32303036363939383139343731343534393238 >>>> Usage: encrypt, verify >>> >>> ---------------------- >>> >>>> $ pkcs15-tool -D >>>> Using reader with a card: REINER SCT cyberJack RFID komfort (4694896162) 00 00 >>>> PKCS#15 Card [D-TRUST Card V3.0 standard 2ga]: >>>> Version : 0 >>>> Serial number : >>>> Manufacturer ID: D-TRUST GmbH (C) >>>> Flags : Login required, EID compliant >>>> >>>> PIN [PIN1] >>>> Object Flags : [0x3], private, modifiable >>>> Auth ID : 03 >>>> ID : 01 >>>> Flags : [0x833], case-sensitive, local, initialized, needs-padding, exchangeRefData >>>> Length : min_len:6, max_len:8, stored_len:8 >>>> Pad char : 0xFF >>>> Reference : 1 (0x01) >>>> Type : iso 9664-1 >>>> Path : a000000063504b43532d3135:: >>>> >>>> PIN [PUK1] >>>> Object Flags : [0x3], private, modifiable >>>> ID : 03 >>>> Flags : [0x873], case-sensitive, local, initialized, needs-padding, unblockingPin, exchangeRefData >>>> Length : min_len:8, max_len:8, stored_len:8 >>>> Pad char : 0xFF >>>> Reference : 1 (0x01) >>>> Type : iso 9664-1 >>>> Path : a000000063504b43532d3135:: >>>> >>>> PIN [PIN2] >>>> Object Flags : [0x3], private, modifiable >>>> Auth ID : 04 >>>> ID : 02 >>>> Flags : [0x833], case-sensitive, local, initialized, needs-padding, exchangeRefData >>>> Length : min_len:6, max_len:8, stored_len:8 >>>> Pad char : 0xFF >>>> Reference : 129 (0x81) >>>> Type : iso 9664-1 >>>> Path : 3f000604 >>>> >>>> PIN [PUK2] >>>> Object Flags : [0x3], private, modifiable >>>> ID : 04 >>>> Flags : [0x873], case-sensitive, local, initialized, needs-padding, unblockingPin, exchangeRefData >>>> Length : min_len:8, max_len:8, stored_len:8 >>>> Pad char : 0xFF >>>> Reference : 129 (0x81) >>>> Type : iso 9664-1 >>>> Path : 3f000604 >>>> >>>> Private RSA Key [D-TRUST Authentication Key] >>>> Object Flags : [0x1], private >>>> Usage : [0x2E], decrypt, sign, signRecover, unwrap >>>> Access Flags : [0x0] >>>> ModLength : 2048 >>>> Key ref : 1 (0x1) >>>> Native : yes >>>> Path : a000000063504b43532d3135::3f000fff0f01 >>>> Auth ID : 01 >>>> ID : 11 >>>> MD:guid : {a8abd012-eb59-b862-bf9b-c1ea443d2f35} >>>> :cmap flags : 0x0 >>>> :sign : 0 >>>> :key-exchange: 0 >>>> >>>> Private RSA Key [SigG Signature Key] >>>> Object Flags : [0x1], private >>>> Usage : [0x200], nonRepudiation >>>> Access Flags : [0x0] >>>> ModLength : 2048 >>>> Key ref : 4 (0x4) >>>> Native : yes >>>> Path : a000000063504b43532d3135::3f0006040f01 >>>> Auth ID : 02 >>>> ID : 12 >>>> MD:guid : {c4f87a62-90ae-e1ac-fc1f-26083974ce94} >>>> :cmap flags : 0x0 >>>> :sign : 0 >>>> :key-exchange: 0 >>>> >>>> Public RSA Key [D-TRUST Authentication Key] >>>> Object Flags : [0x2], modifiable >>>> Usage : [0xD1], encrypt, wrap, verify, verifyRecover >>>> Access Flags : [0x0] >>>> ModLength : 2048 >>>> Key ref : 1 (0x1) >>>> Native : yes >>>> Path : a000000063504b43532d3135::3f000fff0e01 >>>> Auth ID : 01 >>>> ID : 11 >>>> >>>> Public RSA Key [SigG Signature Key] >>>> Object Flags : [0x2], modifiable >>>> Usage : [0x204], sign, nonRepudiation >>>> Access Flags : [0x0] >>>> ModLength : 2048 >>>> Key ref : 4 (0x4) >>>> Native : yes >>>> Path : a000000063504b43532d3135::3f0006040e01 >>>> Auth ID : 02 >>>> ID : 12 >>>> >>>> X.509 Certificate [D-TRUST Authentication Key] >>>> Object Flags : [0x2], modifiable >>>> Authority : no >>>> Path : a000000063504b43532d3135::3f001501c100 >>>> ID : 11 >>>> Encoded serial : 02 03 168A81 >>>> X.509 Certificate [SigG Signature Key] >>>> Object Flags : [0x2], modifiable >>>> Authority : no >>>> Path : a000000063504b43532d3135::3f001501c103 >>>> ID : 12 >>>> Encoded serial : 02 03 168A82 >>>> X.509 Certificate [] >>>> Object Flags : [0x0] >>>> Authority : no >>>> Path : a000000063504b43532d3135::3f001501c102 >>>> ID : 2d32303036363939383139343731343534393238 >>>> Encoded serial : 02 03 030E96 >>>> X.509 Certificate [] >>>> Object Flags : [0x0] >>>> Authority : no >>>> Path : a000000063504b43532d3135::3f001501c101 >>>> ID : 2d333730343631303735333036303830313534 >>>> Encoded serial : 02 03 097D43 >>>> X.509 Certificate [] >>>> Object Flags : [0x0] >>>> Authority : no >>>> Path : a000000063504b43532d3135::3f001501c105 >>>> ID : 37353738323838313038333736373637303437 >>>> Encoded serial : 02 03 159923 >>>> X.509 Certificate [] >>>> Object Flags : [0x0] >>>> Authority : no >>>> Path : a000000063504b43532d3135::3f001501c104 >>>> ID : 38323832353936323735353833303736353131 >>>> Encoded serial : 02 03 159924 >>> >>> ---------------------- >>> >>>> $ pcsc_scan >>>> PC/SC device scanner >>>> V 1.4.23 (c) 2001-2011, Ludovic Rousseau <lud...@fr...> >>>> Compiled with PC/SC lite version: 1.8.11 >>>> Using reader plug'n play mechanism >>>> Scanning present readers... >>>> 0: REINER SCT cyberJack RFID komfort (4694896162) 00 00 >>>> >>>> Sat Nov 7 01:39:47 2015 >>>> Reader 0: REINER SCT cyberJack RFID komfort (4694896162) 00 00 >>>> Card state: Card inserted, >>>> ATR: 3B D8 18 FF 81 B1 FE 45 1F 03 80 64 04 1A B4 03 81 05 61 >>>> >>>> ATR: 3B D8 18 FF 81 B1 FE 45 1F 03 80 64 04 1A B4 03 81 05 61 >>>> + TS = 3B --> Direct Convention >>>> + T0 = D8, Y(1): 1101, K: 8 (historical bytes) >>>> TA(1) = 18 --> Fi=372, Di=12, 31 cycles/ETU >>>> 129032 bits/s at 4 MHz, fMax for Fi = 5 MHz => 161290 bits/s >>>> TC(1) = FF --> Extra guard time: 255 (special value) >>>> TD(1) = 81 --> Y(i+1) = 1000, Protocol T = 1 >>>> ----- >>>> TD(2) = B1 --> Y(i+1) = 1011, Protocol T = 1 >>>> ----- >>>> TA(3) = FE --> IFSC: 254 >>>> TB(3) = 45 --> Block Waiting Integer: 4 - Character Waiting Integer: 5 >>>> TD(3) = 1F --> Y(i+1) = 0001, Protocol T = 15 - Global interface bytes following >>>> ----- >>>> TA(4) = 03 --> Clock stop: not supported - Class accepted by the card: (3G) A 5V B 3V >>>> + Historical bytes: 80 64 04 1A B4 03 81 05 >>>> Category indicator byte: 80 (compact TLV data object) >>>> Tag: 6, len: 4 (pre-issuing data) >>>> Data: 04 1A B4 03 >>>> Tag: 8, len: 1 (status indicator) >>>> LCS (life card cycle): 05 >>>> + TCK = 61 (correct checksum) >>>> >>>> Possibly identified card (using /usr/share/pcsc/smartcard_list.txt): >>>> 3B D8 18 FF 81 B1 FE 45 1F 03 80 64 04 1A B4 03 81 05 61 >>>> D-Trust multicard advanced 3.1 >>>> German public health insurance card ("Gesundheitskarte"), issuer SBK "Siemens Betriebskrankenkasse" >>> >>> Note: This is not fully correct. This type of card is used for the German health insurance, but also for other uses, such as my QES signautre card. The name is incorrectly hardcoded in the list that ships with pcsc_scan. >>> >>> ------------------------------------------------------------------------------ >>> _______________________________________________ >>> Opensc-devel mailing list >>> Ope...@li... >>> https://lists.sourceforge.net/lists/listinfo/opensc-devel > > > > ------------------------------------------------------------------------------ > Presto, an open source distributed SQL query engine for big data, initially > developed by Facebook, enables you to easily query your data on Hadoop in a > more interactive manner. Teradata is also now providing full enterprise > support for Presto. Download a free open source copy now. > http://pubads.g.doubleclick.net/gampad/clk?id=250295911&iu=/4140 > _______________________________________________ > Opensc-devel mailing list > Ope...@li... > https://lists.sourceforge.net/lists/listinfo/opensc-devel > -- --------- CardContact Software & System Consulting |.##> <##.| Andreas Schwier |# #| Schülerweg 38 |# #| 32429 Minden, Germany |'##> <##'| Phone +49 571 56149 --------- http://www.cardcontact.de http://www.tscons.de http://www.openscdp.org http://www.smartcard-hsm.com |
|
From: Ferdinand R. <ra...@we...> - 2015-11-10 05:20:47
|
Ok. I will investigate and report back in a couple of days. Ferdinand On 11/09/2015 14:36 AM, Andreas Schwier <and...@ca...> wrote: > Hi Ferdinand, > > I can't see any interaction with the card other than using the random > number generator (00 84 00 00 APDUs in the log). I'm not sure what > Thunderbird is trying to do. > > > > On 11/09/2015 09:51 AM, Ferdinand Rau wrote: >> Dear Andreas, >> >> Please find here the requested output of OpenSC: >> https://www.dropbox.com/s/9boccale15atwkd/OPENSC_DEBUG.txt.zip?dl=1 >> (The file was too large for direct mailing) >> >> It was recorded with OPENSC_DEBUG=9 during the following actions: >> Starting Thunderbird, connecting the reader, inserting the smart card, trying to send an encrypted e-mail, waiting for error message, killing Thunderbird. >> >> Note that with OPENSC_DEBUG set to 9, Thunderbird freezes before presenting the previously mentioned error message. It may be related to the enormous 500000 lines of DEBUG output OpenSC had to process :-) >> I hope the log file is helpful anyway. >> >> I have had issues with this particular card reader and CTAPI. If there is no other way to make this work, I can still try the sc-hsm-embedded alternative, but currently, I prefer to stay with pcscd >> >> Best, >> Ferdinand >> >> >> >> On 11/08/2015 10:21 PM, Andreas Schwier <and...@ca...> wrote: >>> Hi Ferdinand, >>> >>> can you set OPENSC_DEBUG=9 so we can see what is going on ? >>> >>> As an alternative you could try [1], which has been tested with D-Trust >>> 3.0 cards. >>> >>> Andreas >>> >>> [1] https://github.com/CardContact/sc-hsm-embedded/wiki/PKCS11 >>> >>> On 11/08/2015 09:08 PM, Ferdinand Rau wrote: >>>> Dear all, >>>> >>>> I am trying to get PDF signatures to work with LibreOffice 5.0 and my D-TRUST card 3.0, which requires a properly set up Mozilla NSS, which in turn requires OpenSC. I access the card via an USB smart card reader "ReinerSCT cyberJack RFID komfort" on Debian Jessie Linux with OpenSC 0.15.0. >>>> The card is listed here, but not explicitly marked as supported: https://github.com/OpenSC/OpenSC/wiki/German-ID-Cards >>>> >>>> The card is (probably) a Starcos 3.4 type card, therefore, I compiled OpenSC 0.15.0 with the following patch: >>>> https://github.com/OpenSC/OpenSC/pull/357 >>>> >>>> The result is as follows: >>>> 1. I can see the certificates on the card in Mozilla NSS after entering my PIN number on the reader's pinpad. >>>> >>>> 2. I can select a certificate for signing in LibreOffice. Then, I am asked for my PIN both in a dialog on screen and again on the reader's pinpad. The reader's display says "PIN correct" and there is no error message, but no signature is applied to the document. >>>> >>>> 3. Alternatively, I tried signing an e-mail in Thunderbird. The result is slightly different: When sending the e-mail, I am prompted to enter my PIN on the reader's pinpad. The reader's display says "PIN correct", but the signing fails with the following error message: "Sending message failed. You specified that this message should be digitally signed, but the application either failed to find the signing certificate specified in your Mail & Newsgroups Account Settings, or the certificate has expired." Needless to say, the certificate has not expired. >>>> >>>> Please find below the output of serveral common commands. Could someone please confirm that >>>> a) the card suitable for this kind of digital signatures in principle >>>> b) the card is not supposed to work with OpenSC 0.15.0 without the aforementioned patch >>>> c) the card is supposed to work with OpenSC 0.15.0 with the patch and all future versions including the patch >>>> >>>> If someone can help with the troubleshooting, that would be awesome. Just getting definitve answers to the above a),b),c) would be a real good starting point, though. >>>> >>>> Best regards, and thanks in advance, >>>> Ferdinand >>>> >>>> >>>>> $ opensc-tool -i >>>>> OpenSC 0.15.0 [gcc 4.9.2] >>>>> Enabled features: zlib readline openssl pcsc(libpcsclite.so.1) >>>> >>>> ---------------------- >>>> >>>>> $ opensc-tool --list-readers >>>>> # Detected readers (pcsc) >>>>> Nr. Card Features Name >>>>> 0 Yes PIN pad REINER SCT cyberJack RFID komfort (4694896162) 00 00 >>>> >>>> ---------------------- >>>> >>>>> $ opensc-tool --name >>>>> Using reader with a card: REINER SCT cyberJack RFID komfort (4694896162) 00 00 >>>>> STARCOS SPK 3.4 >>>> >>>> ---------------------- >>>> >>>>> $ opensc-tool --atr >>>>> Using reader with a card: REINER SCT cyberJack RFID komfort (4694896162) 00 00 >>>>> 3b:d8:18:ff:81:b1:fe:45:1f:03:80:64:04:1a:b4:03:81:05:61 >>>> >>>> ---------------------- >>>> >>>>> $ pkcs11-tool --list-slots >>>>> Available slots: >>>>> Slot 0 (0xffffffff): Virtual hotplug slot >>>>> (empty) >>>>> Slot 1 (0x1): REINER SCT cyberJack RFID komfort (4694896162) 00 00 >>>>> token label : D-TRUST Card V3.0 standard 2ga ( >>>>> token manufacturer : D-TRUST GmbH (C) >>>>> token model : PKCS#15 >>>>> token flags : rng, login required, PIN initialized, PIN pad present, token initialized >>>>> hardware version : 0.0 >>>>> firmware version : 0.0 >>>>> serial num : >>>>> Slot 2 (0x2): REINER SCT cyberJack RFID komfort (4694896162) 00 00 >>>>> token label : D-TRUST Card V3.0 standard 2ga ( >>>>> token manufacturer : D-TRUST GmbH (C) >>>>> token model : PKCS#15 >>>>> token flags : rng, login required, PIN initialized, PIN pad present, token initialized >>>>> hardware version : 0.0 >>>>> firmware version : 0.0 >>>>> serial num : >>>> >>>> ---------------------- >>>> >>>>> $ pkcs11-tool --list-objects >>>>> Using slot 1 with a present token (0x1) >>>>> Public Key Object; RSA 2048 bits >>>>> label: D-TRUST Authentication Key >>>>> ID: 11 >>>>> Usage: encrypt, verify, wrap >>>>> Certificate Object, type = X.509 cert >>>>> label: D-TRUST Authentication Key >>>>> ID: 11 >>>>> Certificate Object, type = X.509 cert >>>>> label: >>>>> ID: 2d333730343631303735333036303830313534 >>>>> Public Key Object; RSA 2048 bits >>>>> label: >>>>> ID: 2d333730343631303735333036303830313534 >>>>> Usage: encrypt, verify >>>>> Certificate Object, type = X.509 cert >>>>> label: >>>>> ID: 2d32303036363939383139343731343534393238 >>>>> Public Key Object; RSA 2048 bits >>>>> label: >>>>> ID: 2d32303036363939383139343731343534393238 >>>>> Usage: encrypt, verify >>>> >>>> ---------------------- >>>> >>>>> $ pkcs15-tool -D >>>>> Using reader with a card: REINER SCT cyberJack RFID komfort (4694896162) 00 00 >>>>> PKCS#15 Card [D-TRUST Card V3.0 standard 2ga]: >>>>> Version : 0 >>>>> Serial number : >>>>> Manufacturer ID: D-TRUST GmbH (C) >>>>> Flags : Login required, EID compliant >>>>> >>>>> PIN [PIN1] >>>>> Object Flags : [0x3], private, modifiable >>>>> Auth ID : 03 >>>>> ID : 01 >>>>> Flags : [0x833], case-sensitive, local, initialized, needs-padding, exchangeRefData >>>>> Length : min_len:6, max_len:8, stored_len:8 >>>>> Pad char : 0xFF >>>>> Reference : 1 (0x01) >>>>> Type : iso 9664-1 >>>>> Path : a000000063504b43532d3135:: >>>>> >>>>> PIN [PUK1] >>>>> Object Flags : [0x3], private, modifiable >>>>> ID : 03 >>>>> Flags : [0x873], case-sensitive, local, initialized, needs-padding, unblockingPin, exchangeRefData >>>>> Length : min_len:8, max_len:8, stored_len:8 >>>>> Pad char : 0xFF >>>>> Reference : 1 (0x01) >>>>> Type : iso 9664-1 >>>>> Path : a000000063504b43532d3135:: >>>>> >>>>> PIN [PIN2] >>>>> Object Flags : [0x3], private, modifiable >>>>> Auth ID : 04 >>>>> ID : 02 >>>>> Flags : [0x833], case-sensitive, local, initialized, needs-padding, exchangeRefData >>>>> Length : min_len:6, max_len:8, stored_len:8 >>>>> Pad char : 0xFF >>>>> Reference : 129 (0x81) >>>>> Type : iso 9664-1 >>>>> Path : 3f000604 >>>>> >>>>> PIN [PUK2] >>>>> Object Flags : [0x3], private, modifiable >>>>> ID : 04 >>>>> Flags : [0x873], case-sensitive, local, initialized, needs-padding, unblockingPin, exchangeRefData >>>>> Length : min_len:8, max_len:8, stored_len:8 >>>>> Pad char : 0xFF >>>>> Reference : 129 (0x81) >>>>> Type : iso 9664-1 >>>>> Path : 3f000604 >>>>> >>>>> Private RSA Key [D-TRUST Authentication Key] >>>>> Object Flags : [0x1], private >>>>> Usage : [0x2E], decrypt, sign, signRecover, unwrap >>>>> Access Flags : [0x0] >>>>> ModLength : 2048 >>>>> Key ref : 1 (0x1) >>>>> Native : yes >>>>> Path : a000000063504b43532d3135::3f000fff0f01 >>>>> Auth ID : 01 >>>>> ID : 11 >>>>> MD:guid : {a8abd012-eb59-b862-bf9b-c1ea443d2f35} >>>>> :cmap flags : 0x0 >>>>> :sign : 0 >>>>> :key-exchange: 0 >>>>> >>>>> Private RSA Key [SigG Signature Key] >>>>> Object Flags : [0x1], private >>>>> Usage : [0x200], nonRepudiation >>>>> Access Flags : [0x0] >>>>> ModLength : 2048 >>>>> Key ref : 4 (0x4) >>>>> Native : yes >>>>> Path : a000000063504b43532d3135::3f0006040f01 >>>>> Auth ID : 02 >>>>> ID : 12 >>>>> MD:guid : {c4f87a62-90ae-e1ac-fc1f-26083974ce94} >>>>> :cmap flags : 0x0 >>>>> :sign : 0 >>>>> :key-exchange: 0 >>>>> >>>>> Public RSA Key [D-TRUST Authentication Key] >>>>> Object Flags : [0x2], modifiable >>>>> Usage : [0xD1], encrypt, wrap, verify, verifyRecover >>>>> Access Flags : [0x0] >>>>> ModLength : 2048 >>>>> Key ref : 1 (0x1) >>>>> Native : yes >>>>> Path : a000000063504b43532d3135::3f000fff0e01 >>>>> Auth ID : 01 >>>>> ID : 11 >>>>> >>>>> Public RSA Key [SigG Signature Key] >>>>> Object Flags : [0x2], modifiable >>>>> Usage : [0x204], sign, nonRepudiation >>>>> Access Flags : [0x0] >>>>> ModLength : 2048 >>>>> Key ref : 4 (0x4) >>>>> Native : yes >>>>> Path : a000000063504b43532d3135::3f0006040e01 >>>>> Auth ID : 02 >>>>> ID : 12 >>>>> >>>>> X.509 Certificate [D-TRUST Authentication Key] >>>>> Object Flags : [0x2], modifiable >>>>> Authority : no >>>>> Path : a000000063504b43532d3135::3f001501c100 >>>>> ID : 11 >>>>> Encoded serial : 02 03 168A81 >>>>> X.509 Certificate [SigG Signature Key] >>>>> Object Flags : [0x2], modifiable >>>>> Authority : no >>>>> Path : a000000063504b43532d3135::3f001501c103 >>>>> ID : 12 >>>>> Encoded serial : 02 03 168A82 >>>>> X.509 Certificate [] >>>>> Object Flags : [0x0] >>>>> Authority : no >>>>> Path : a000000063504b43532d3135::3f001501c102 >>>>> ID : 2d32303036363939383139343731343534393238 >>>>> Encoded serial : 02 03 030E96 >>>>> X.509 Certificate [] >>>>> Object Flags : [0x0] >>>>> Authority : no >>>>> Path : a000000063504b43532d3135::3f001501c101 >>>>> ID : 2d333730343631303735333036303830313534 >>>>> Encoded serial : 02 03 097D43 >>>>> X.509 Certificate [] >>>>> Object Flags : [0x0] >>>>> Authority : no >>>>> Path : a000000063504b43532d3135::3f001501c105 >>>>> ID : 37353738323838313038333736373637303437 >>>>> Encoded serial : 02 03 159923 >>>>> X.509 Certificate [] >>>>> Object Flags : [0x0] >>>>> Authority : no >>>>> Path : a000000063504b43532d3135::3f001501c104 >>>>> ID : 38323832353936323735353833303736353131 >>>>> Encoded serial : 02 03 159924 >>>> >>>> ---------------------- >>>> >>>>> $ pcsc_scan >>>>> PC/SC device scanner >>>>> V 1.4.23 (c) 2001-2011, Ludovic Rousseau <lud...@fr...> >>>>> Compiled with PC/SC lite version: 1.8.11 >>>>> Using reader plug'n play mechanism >>>>> Scanning present readers... >>>>> 0: REINER SCT cyberJack RFID komfort (4694896162) 00 00 >>>>> >>>>> Sat Nov 7 01:39:47 2015 >>>>> Reader 0: REINER SCT cyberJack RFID komfort (4694896162) 00 00 >>>>> Card state: Card inserted, >>>>> ATR: 3B D8 18 FF 81 B1 FE 45 1F 03 80 64 04 1A B4 03 81 05 61 >>>>> >>>>> ATR: 3B D8 18 FF 81 B1 FE 45 1F 03 80 64 04 1A B4 03 81 05 61 >>>>> + TS = 3B --> Direct Convention >>>>> + T0 = D8, Y(1): 1101, K: 8 (historical bytes) >>>>> TA(1) = 18 --> Fi=372, Di=12, 31 cycles/ETU >>>>> 129032 bits/s at 4 MHz, fMax for Fi = 5 MHz => 161290 bits/s >>>>> TC(1) = FF --> Extra guard time: 255 (special value) >>>>> TD(1) = 81 --> Y(i+1) = 1000, Protocol T = 1 >>>>> ----- >>>>> TD(2) = B1 --> Y(i+1) = 1011, Protocol T = 1 >>>>> ----- >>>>> TA(3) = FE --> IFSC: 254 >>>>> TB(3) = 45 --> Block Waiting Integer: 4 - Character Waiting Integer: 5 >>>>> TD(3) = 1F --> Y(i+1) = 0001, Protocol T = 15 - Global interface bytes following >>>>> ----- >>>>> TA(4) = 03 --> Clock stop: not supported - Class accepted by the card: (3G) A 5V B 3V >>>>> + Historical bytes: 80 64 04 1A B4 03 81 05 >>>>> Category indicator byte: 80 (compact TLV data object) >>>>> Tag: 6, len: 4 (pre-issuing data) >>>>> Data: 04 1A B4 03 >>>>> Tag: 8, len: 1 (status indicator) >>>>> LCS (life card cycle): 05 >>>>> + TCK = 61 (correct checksum) >>>>> >>>>> Possibly identified card (using /usr/share/pcsc/smartcard_list.txt): >>>>> 3B D8 18 FF 81 B1 FE 45 1F 03 80 64 04 1A B4 03 81 05 61 >>>>> D-Trust multicard advanced 3.1 >>>>> German public health insurance card ("Gesundheitskarte"), issuer SBK "Siemens Betriebskrankenkasse" >>>> >>>> Note: This is not fully correct. This type of card is used for the German health insurance, but also for other uses, such as my QES signautre card. The name is incorrectly hardcoded in the list that ships with pcsc_scan. >>>> >>>> ------------------------------------------------------------------------------ >>>> _______________________________________________ >>>> Opensc-devel mailing list >>>> Ope...@li... >>>> https://lists.sourceforge.net/lists/listinfo/opensc-devel >> >> >> >> ------------------------------------------------------------------------------ >> Presto, an open source distributed SQL query engine for big data, initially >> developed by Facebook, enables you to easily query your data on Hadoop in a >> more interactive manner. Teradata is also now providing full enterprise >> support for Presto. Download a free open source copy now. >> http://pubads.g.doubleclick.net/gampad/clk?id=250295911&iu=/4140 >> _______________________________________________ >> Opensc-devel mailing list >> Ope...@li... >> https://lists.sourceforge.net/lists/listinfo/opensc-devel |
|
From: Ferdinand R. <ra...@we...> - 2015-11-11 07:52:22
|
Hi Andreas, here is another log, recorded with OPENSC_DEBUG=2 (like this, Thunderbird does not freeze). Again, I am prompted to enter my PIN once before Thunderbird presents the error message. I am wondering about these lines, but I am not sure this is related to my issue: 0xb73f3700 08:31:19.130 [opensc-pkcs11] card-starcos.c:1713:starcos_pin_cmd: returning with: -1408 (Not supported) 0xb73f3700 08:31:19.130 [opensc-pkcs11] sec.c:206:sc_pin_cmd: returning with: -1408 (Not supported) Best, Ferdinand 0xb73f3700 08:31:13.755 [opensc-pkcs11] reader-pcsc.c:1122:pcsc_detect_readers: returning with: 0 (Success) 0xb73f3700 08:31:13.756 [opensc-pkcs11] reader-pcsc.c:301:refresh_attributes: returning with: 0 (Success) 0xb73f3700 08:31:13.756 [opensc-pkcs11] reader-pcsc.c:377:pcsc_detect_card_presence: returning with: 5 0xb73f3700 08:31:13.756 [opensc-pkcs11] card.c:148:sc_connect_card: called 0xb73f3700 08:31:13.757 [opensc-pkcs11] reader-pcsc.c:301:refresh_attributes: returning with: 0 (Success) 0xb73f3700 08:31:13.858 [opensc-pkcs11] card-starcos.c:621:starcos_select_file: called 0xb73f3700 08:31:15.285 [opensc-pkcs11] card-starcos.c:609:starcos_select_fid: returning with: 0 (Success) 0xb73f3700 08:31:15.320 [opensc-pkcs11] card-starcos.c:609:starcos_select_fid: returning with: 0 (Success) 0xb73f3700 08:31:16.672 [opensc-pkcs11] card-starcos.c:621:starcos_select_file: called 0xb73f3700 08:31:16.690 [opensc-pkcs11] card-starcos.c:472:starcos_select_aid: returning with: 0 (Success) 0xb73f3700 08:31:16.691 [opensc-pkcs11] card-starcos.c:621:starcos_select_file: called 0xb73f3700 08:31:16.715 [opensc-pkcs11] card-starcos.c:609:starcos_select_fid: returning with: 0 (Success) 0xb73f3700 08:31:16.728 [opensc-pkcs11] card-starcos.c:621:starcos_select_file: called 0xb73f3700 08:31:16.756 [opensc-pkcs11] card-starcos.c:609:starcos_select_fid: returning with: 0 (Success) 0xb73f3700 08:31:16.772 [opensc-pkcs11] card-starcos.c:621:starcos_select_file: called 0xb73f3700 08:31:16.788 [opensc-pkcs11] card-starcos.c:609:starcos_select_fid: returning with: 0 (Success) 0xb73f3700 08:31:16.809 [opensc-pkcs11] card-starcos.c:609:starcos_select_fid: returning with: 0 (Success) 0xb73f3700 08:31:16.835 [opensc-pkcs11] card-starcos.c:609:starcos_select_fid: returning with: 0 (Success) 0xb73f3700 08:31:16.859 [opensc-pkcs11] card-starcos.c:621:starcos_select_file: called 0xb73f3700 08:31:16.886 [opensc-pkcs11] card-starcos.c:609:starcos_select_fid: returning with: 0 (Success) 0xb73f3700 08:31:18.948 [opensc-pkcs11] card-starcos.c:621:starcos_select_file: called 0xb73f3700 08:31:18.958 [opensc-pkcs11] card-starcos.c:555:starcos_select_fid: returning with: -1201 (File not found) 0xb73f3700 08:31:18.959 [opensc-pkcs11] pkcs15-syn.c:140:sc_pkcs15_bind_synthetic: called 0xb73f3700 08:31:18.959 [opensc-pkcs11] pkcs15-itacns.c:854:sc_pkcs15emu_itacns_init_ex: called 0xb73f3700 08:31:18.959 [opensc-pkcs11] pkcs15-piv.c:1028:sc_pkcs15emu_piv_init_ex: called 0xb73f3700 08:31:18.959 [opensc-pkcs11] pkcs15-piv.c:234:piv_detect_card: called 0xb73f3700 08:31:18.959 [opensc-pkcs11] pkcs15-gemsafeGPK.c:168:gemsafe_detect_card: called 0xb73f3700 08:31:18.959 [opensc-pkcs11] pkcs15-esinit.c:82:sc_pkcs15emu_entersafe_init_ex: called 0xb73f3700 08:31:18.959 [opensc-pkcs11] pkcs15-esinit.c:38:entersafe_detect_card: called 0xb73f3700 08:31:18.959 [opensc-pkcs11] pkcs15-oberthur.c:1041:sc_pkcs15emu_oberthur_init_ex: called 0xb73f3700 08:31:18.959 [opensc-pkcs11] pkcs15-oberthur.c:1028:oberthur_detect_card: called 0xb73f3700 08:31:18.962 [opensc-pkcs11] card-starcos.c:621:starcos_select_file: called 0xb73f3700 08:31:18.976 [opensc-pkcs11] card-starcos.c:472:starcos_select_aid: returning with: 0 (Success) 0xb73f3700 08:31:18.976 [opensc-pkcs11] card-starcos.c:621:starcos_select_file: called 0xb73f3700 08:31:18.987 [opensc-pkcs11] card-starcos.c:555:starcos_select_fid: returning with: -1201 (File not found) 0xb73f3700 08:31:18.988 [opensc-pkcs11] pkcs15-syn.c:140:sc_pkcs15_bind_synthetic: called 0xb73f3700 08:31:18.988 [opensc-pkcs11] pkcs15-itacns.c:854:sc_pkcs15emu_itacns_init_ex: called 0xb73f3700 08:31:18.988 [opensc-pkcs11] pkcs15-piv.c:1028:sc_pkcs15emu_piv_init_ex: called 0xb73f3700 08:31:18.988 [opensc-pkcs11] pkcs15-piv.c:234:piv_detect_card: called 0xb73f3700 08:31:18.988 [opensc-pkcs11] pkcs15-gemsafeGPK.c:168:gemsafe_detect_card: called 0xb73f3700 08:31:18.988 [opensc-pkcs11] pkcs15-esinit.c:82:sc_pkcs15emu_entersafe_init_ex: called 0xb73f3700 08:31:18.988 [opensc-pkcs11] pkcs15-esinit.c:38:entersafe_detect_card: called 0xb73f3700 08:31:18.988 [opensc-pkcs11] pkcs15-oberthur.c:1041:sc_pkcs15emu_oberthur_init_ex: called 0xb73f3700 08:31:18.988 [opensc-pkcs11] pkcs15-oberthur.c:1028:oberthur_detect_card: called 0xb73f3700 08:31:18.991 [opensc-pkcs11] card-starcos.c:621:starcos_select_file: called 0xb73f3700 08:31:19.015 [opensc-pkcs11] card-starcos.c:472:starcos_select_aid: returning with: 0 (Success) 0xb73f3700 08:31:19.015 [opensc-pkcs11] card-starcos.c:621:starcos_select_file: called 0xb73f3700 08:31:19.025 [opensc-pkcs11] card-starcos.c:555:starcos_select_fid: returning with: -1201 (File not found) 0xb73f3700 08:31:19.025 [opensc-pkcs11] pkcs15-syn.c:140:sc_pkcs15_bind_synthetic: called 0xb73f3700 08:31:19.025 [opensc-pkcs11] pkcs15-itacns.c:854:sc_pkcs15emu_itacns_init_ex: called 0xb73f3700 08:31:19.025 [opensc-pkcs11] pkcs15-piv.c:1028:sc_pkcs15emu_piv_init_ex: called 0xb73f3700 08:31:19.025 [opensc-pkcs11] pkcs15-piv.c:234:piv_detect_card: called 0xb73f3700 08:31:19.025 [opensc-pkcs11] pkcs15-gemsafeGPK.c:168:gemsafe_detect_card: called 0xb73f3700 08:31:19.025 [opensc-pkcs11] pkcs15-esinit.c:82:sc_pkcs15emu_entersafe_init_ex: called 0xb73f3700 08:31:19.025 [opensc-pkcs11] pkcs15-esinit.c:38:entersafe_detect_card: called 0xb73f3700 08:31:19.025 [opensc-pkcs11] pkcs15-oberthur.c:1041:sc_pkcs15emu_oberthur_init_ex: called 0xb73f3700 08:31:19.025 [opensc-pkcs11] pkcs15-oberthur.c:1028:oberthur_detect_card: called 0xb73f3700 08:31:19.028 [opensc-pkcs11] reader-pcsc.c:301:refresh_attributes: returning with: 0 (Success) 0xb73f3700 08:31:19.028 [opensc-pkcs11] reader-pcsc.c:377:pcsc_detect_card_presence: returning with: 5 0xb73f3700 08:31:19.028 [opensc-pkcs11] reader-pcsc.c:301:refresh_attributes: returning with: 0 (Success) 0xb73f3700 08:31:19.028 [opensc-pkcs11] reader-pcsc.c:377:pcsc_detect_card_presence: returning with: 5 0xb73f3700 08:31:19.028 [opensc-pkcs11] reader-pcsc.c:301:refresh_attributes: returning with: 0 (Success) 0xb73f3700 08:31:19.028 [opensc-pkcs11] reader-pcsc.c:377:pcsc_detect_card_presence: returning with: 5 0xb73f3700 08:31:19.028 [opensc-pkcs11] card-starcos.c:1713:starcos_pin_cmd: returning with: -1408 (Not supported) 0xb73f3700 08:31:19.028 [opensc-pkcs11] sec.c:206:sc_pin_cmd: returning with: -1408 (Not supported) 0xb73f3700 08:31:19.130 [opensc-pkcs11] reader-pcsc.c:301:refresh_attributes: returning with: 0 (Success) 0xb73f3700 08:31:19.130 [opensc-pkcs11] reader-pcsc.c:377:pcsc_detect_card_presence: returning with: 5 0xb73f3700 08:31:19.130 [opensc-pkcs11] card-starcos.c:1713:starcos_pin_cmd: returning with: -1408 (Not supported) 0xb73f3700 08:31:19.130 [opensc-pkcs11] sec.c:206:sc_pin_cmd: returning with: -1408 (Not supported) 0xa80feb40 08:31:19.228 [opensc-pkcs11] reader-pcsc.c:1122:pcsc_detect_readers: returning with: 0 (Success) 0xa80feb40 08:31:19.228 [opensc-pkcs11] reader-pcsc.c:301:refresh_attributes: returning with: 0 (Success) 0xa80feb40 08:31:19.229 [opensc-pkcs11] reader-pcsc.c:377:pcsc_detect_card_presence: returning with: 5 0x9b8feb40 08:31:31.923 [opensc-pkcs11] card-starcos.c:621:starcos_select_file: called 0x9b8feb40 08:31:31.941 [opensc-pkcs11] card-starcos.c:472:starcos_select_aid: returning with: 0 (Success) 0x9b8feb40 08:31:31.942 [opensc-pkcs11] reader-pcsc.c:301:refresh_attributes: returning with: 0 (Success) 0x9b8feb40 08:31:31.942 [opensc-pkcs11] reader-pcsc.c:377:pcsc_detect_card_presence: returning with: 5 0x9b8feb40 08:31:38.724 [opensc-pkcs11] card-starcos.c:1713:starcos_pin_cmd: returning with: 0 (Success) 0x9b8feb40 08:31:38.724 [opensc-pkcs11] sec.c:206:sc_pin_cmd: returning with: 0 (Success) 0xa80feb40 08:31:38.732 [opensc-pkcs11] reader-pcsc.c:1122:pcsc_detect_readers: returning with: 0 (Success) 0xa80feb40 08:31:38.732 [opensc-pkcs11] reader-pcsc.c:301:refresh_attributes: returning with: 0 (Success) 0xa80feb40 08:31:38.732 [opensc-pkcs11] reader-pcsc.c:377:pcsc_detect_card_presence: returning with: 5 0xb73f3700 08:31:47.923 [opensc-pkcs11] ctx.c:799:sc_release_context: called |
|
From: Ferdinand R. <ra...@we...> - 2015-11-18 13:13:44
|
Hello Andreas, I took a step back and tried to get things working just using the commend line tools, but without success. Eventually, I found out that I cannot even run 'pkcs11-tool --test' successfully. Here, you can download a log file of a failed 'pkcs11-tool --test' with OPENSC_DEBUG=9: https://www.dropbox.com/s/3jhe77n5ri1674k/log.txt.zip?dl=1 The reader does ask for the PIN and reports "PIN correct", but the test fails anyway with the following message: > error: PKCS11 function C_Sign failed: rv = CKR_USER_NOT_LOGGED_IN (0x101) Best regards, Ferdinand |
|
From: Douglas E E. <dee...@gm...> - 2015-11-18 19:33:29
|
One of the sign operations looks like it works. Data to be signed 7648 7691. Response with the signature 7691. PKCS#11 return 7722 and Start of failed sign 7773 data to be signed 7842 response 7849 with 7982 PKCS#11 return 9868 It could be that the newer card wants CKA_ALWAYS_AUTHENTICATE = TRUE, which is called in PKCS#15 user_consent. CKA_ALWAYS_AUTHENTICATE says the card requires the PIN to have been sent before each crypto operation for the selected key. pkcs11-tool.c line 3675 if (getALWAYS_AUTHENTICATE(sess, privKeyObject)) is asking if pin needs to be sent again. When uses without a pin pad reader, the PIN may have been cached, and sc_pkcs15_pincache_revalidate may have provided the pin without you knowledge. With a pin pad reader, the pin can not be cached, it never enters the host computer. Some simple things to try to prove the above is the problem. Use a non pinpad reader. If that works look at the log for the sc_pkcs15_pincache_revalidate being called and providing the key. then try uncomenting in opensc.conf this line. # use_pin_caching = false; it should fail, with sc_pkcs15_pincache_revalidate saying there is not pin cached. On 11/18/2015 7:13 AM, Ferdinand Rau wrote: > Hello Andreas, > > I took a step back and tried to get things working just using the commend line tools, but without success. > Eventually, I found out that I cannot even run 'pkcs11-tool --test' successfully. > > Here, you can download a log file of a failed 'pkcs11-tool --test' with OPENSC_DEBUG=9: > https://www.dropbox.com/s/3jhe77n5ri1674k/log.txt.zip?dl=1 > > The reader does ask for the PIN and reports "PIN correct", but the test fails anyway with the following message: >> error: PKCS11 function C_Sign failed: rv = CKR_USER_NOT_LOGGED_IN (0x101) > > Best regards, > Ferdinand > > ------------------------------------------------------------------------------ > _______________________________________________ > Opensc-devel mailing list > Ope...@li... > https://lists.sourceforge.net/lists/listinfo/opensc-devel > -- Douglas E. Engert <DEE...@gm...> |
|
From: Ferdinand R. <ra...@we...> - 2015-11-18 19:57:48
|
Douglas, I don't have a reader without pin pad at hand, currently, but I will try this once I'll have the chance. Just for the record: Setting "use_pin_caching = false;" when using a reader _with_ pin pid did not change anything (as expected). Best, Ferdinand |
|
From: Douglas E E. <dee...@gm...> - 2015-11-18 20:30:35
|
Well try uncommenting in opensc.conf: 96 # enable_pinpad = false; Most pin pad readers can function as non-pin pad readers. On 11/18/2015 1:57 PM, Ferdinand Rau wrote: > Douglas, > > I don't have a reader without pin pad at hand, currently, but I will try this once I'll have the chance. > Just for the record: Setting "use_pin_caching = false;" when using a reader _with_ pin pid did not change anything (as expected). > > Best, > Ferdinand > > > ------------------------------------------------------------------------------ > _______________________________________________ > Opensc-devel mailing list > Ope...@li... > https://lists.sourceforge.net/lists/listinfo/opensc-devel > -- Douglas E. Engert <DEE...@gm...> |
×
Want the latest updates on software, tech news, and AI?
Get latest updates about software, tech news, and AI from SourceForge directly in your inbox once a month.
Thanks for helping keep SourceForge clean.
X