Discussion:
Opensc and SetCOS.
Patrik Martinsson
2010-08-24 07:09:56 UTC
Hello everyone,

At our company we use identification cards as security tokens. We have
successfully used those together with the pkcs11 lib that the company
behind these cards delivers; however, I'm getting tired of their negligent
and incompetent support, therefore I would like to use the opensc driver
instead.

Enough with the whining, let's get down to business.

The cards we have use SetCOS and I've successfully got them to work
with opensc, however I've got some concerns.

First some outputs,
$ opensc-tool --atr
Using reader with a card: OmniKey CardMan 3121 01 00
3b:7d:96:00:00:80:31:80:65:b0:a3:11:40:a9:83:00:90:00

$ opensc-tool --name
Using reader with a card: OmniKey CardMan 3121 01 00
SetCOS

Question #1,

Try pkcs11_inspect.
$ pkcs11_inspect
[opensc-pkcs11] iso7816.c:99:iso7816_check_sw: Instruction code not
supported or invalid
[opensc-pkcs11] card.c:588:sc_get_challenge: returning with: Unsupported
INS byte in APDU
PIN for token: xxxx
Printing data for mapper cn:
username

Works like a charm, however it gives me those two lines, which is a bit
worrying/annoying.
What do they mean and is there anything I can do to fix them?

Question #2,
I'm trying to use opensc-pkcs11.so together with gdm-plugin-smartcard.

That one is failing, telling me "assertion 'slot_id >= 1' failed";
obviously slot_id should be >= 1, but it isn't and I'm not sure why.

I'm attaching my config files and logs.
I'm more than happy to help debug this more if necessary.

Thanks in advance.

/Patrik Martinsson,
Sweden
Patrik Martinsson
2010-08-24 16:28:07 UTC
Hey again,

I'm answering my own mail here.
This issue seems to be resolved in version opensc-0.12.0-svn-r4647, so I'm
using that one now instead.
gdm-plugin-smartcard still doesn't work though, however now slot_id has
a value. Something else is fishy, I'm talking to the gdm-developers
about that, if any of you are interested, here's the link.
http://mail.gnome.org/archives/gdm-list/2010-August/msg00023.html

Thanks anyway guys.

/Patrik Martinsson,
Sweden.
Peter Stuge
2010-08-24 18:08:01 UTC
Hi Patrik!
Post by Patrik Martinsson
gdm-plugin-smartcard still doesn't work though, however now slot_id
has a value. Something else is fishy, I'm talking to the
gdm-developers about that, if any of you are interested, here's the
link.
http://mail.gnome.org/archives/gdm-list/2010-August/msg00023.html
Thanks for the link! I'd appreciate it if you sent a note once you've
had a chance to try the latest version of gdm with the fixes from
Ray.


//Peter
Martin Paljak
2010-08-25 07:55:15 UTC
Hello,
Post by Patrik Martinsson
Question #1,
Try pkcs11_inspect.
$ pkcs11_inspect
[opensc-pkcs11] iso7816.c:99:iso7816_check_sw: Instruction code not supported or invalid
[opensc-pkcs11] card.c:588:sc_get_challenge: returning with: Unsupported INS byte in APDU
PIN for token: xxxx
username
Works like a charm, however it gives me those two lines which is a bit worrying/annoying.
What do they mean and is there anything i can do to fix them ?
card-setcos.c does not override iso7816.get_challenge, but the card rejects the ISO version. This results in C_GenerateRandom() failing, but I guess pkcs11_inspect will then just use some other random source. OpenSC SVN/0.12+ will not output such internal errors to stderr by default, so you'll not see it in future versions.

If everything is working fine, there's nothing to worry about. If not, then it can be fixed by implementing a proper GET CHALLENGE method in card-setcos.c. If you could sniff the correct APDU for this (or if you have the manual), that would be great. Or something in pkcs11_inspect should be fixed to not depend on the smart card module's C_GenerateRandom().
Post by Patrik Martinsson
Question #2,
I'm trying to use opensc-pkcs11.so together with gdm-plugin-smartcard.
That one is failing telling me, "assertion 'slot_id >= 1' failed", obviously slot_id should be >= than 1, but it isn't and I'm not sure why.
That assertion seems to come from something other than OpenSC. Where can the source code of gdm-plugin-smartcard be downloaded? I suspect the assert is erroneous, as from the PKCS#11 spec:
"""
A priori, any value of CK_SLOT_ID can be a valid slot identifier—in particular, a system may have a slot identified by the value 0. It need not have such a slot, however.
"""

Cheers,
--
Martin Paljak
@martinpaljak.net
+3725156495
Ludovic Rousseau
2010-08-25 11:55:54 UTC
Post by Martin Paljak
Hello,
Post by Patrik Martinsson
Question #1,
Try pkcs11_inspect.
$ pkcs11_inspect
[opensc-pkcs11] iso7816.c:99:iso7816_check_sw: Instruction code not supported or invalid
[opensc-pkcs11] card.c:588:sc_get_challenge: returning with: Unsupported INS byte in APDU
PIN for token: xxxx
username
Works like a charm, however it gives me those two lines which is a bit worrying/annoying.
What do they mean and is there anything i can do to fix them ?
card-setcos.c does not override iso7816.get_challenge, but the card rejects the ISO version. This results in C_GenerateRandom() failing, but I guess pkcs11_inspect will then just use some other random source. OpenSC SVN/0.12+ will not output such internal errors to stderr by default, so you'll not see it in future versions.
If everything is working fine, there's nothing to worry about. If not, then it can be fixed by implementing a proper GET CHALLENGE method in card-setcos.c. If you can sniff the correct APDU for this (or if you have the manual) would be great. Or something in pkcs11_inspect should be fixed to not depend on the smart card module C_GenerateRandom().
I could not find any use of C_GenerateRandom() by pam_pkcs11. So I am
not sure the culprit is pkcs11_inspect or another part of pam_pkcs11.

Maybe it is an OpenSC internal call?

Bye
--
 Dr. Ludovic Rousseau
Martin Paljak
2010-08-25 12:14:28 UTC
Hello,
Post by Ludovic Rousseau
Post by Martin Paljak
If everything is working fine, there's nothing to worry about. If not, then it can be fixed by implementing a proper GET CHALLENGE method in card-setcos.c. If you can sniff the correct APDU for this (or if you have the manual) would be great. Or something in pkcs11_inspect should be fixed to not depend on the smart card module C_GenerateRandom().
I could not find any use of C_GenerateRandom() by pam_pkcs11. So I am
not sure the culprit is pkcs11_inspect or another part of pam_pkcs11.
pam_sm_authenticate in src/pam_pkcs11/pam_pkcs11.c [1] calls get_random_value [2] which has two implementations in src/common/pkcs11_lib.c:
- one that uses C_GenerateRandom [3]
- one that uses /dev/random [4]


I think this is the "main" authentication callback of pam_pkcs11?
The two different implementations seem to come from NSS vs no NSS.

[1] http://www.opensc-project.org/pam_pkcs11/browser/trunk/src/pam_pkcs11/pam_pkcs11.c#L173
[2] http://www.opensc-project.org/pam_pkcs11/browser/trunk/src/pam_pkcs11/pam_pkcs11.c#L597
[3] http://www.opensc-project.org/pam_pkcs11/browser/trunk/src/common/pkcs11_lib.c#L834
[4] http://www.opensc-project.org/pam_pkcs11/browser/trunk/src/common/pkcs11_lib.c#L1754
--
Martin Paljak
@martinpaljak.net
+3725156495
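Martin's two points above, that a GET CHALLENGE the card rejects makes C_GenerateRandom() fail, and that pam_pkcs11's get_random_value has both a C_GenerateRandom and a /dev/random implementation, describe the shape a robust challenge source should have. The following is an added example written for this page, not pam_pkcs11's own get_random_value or any OpenSC code: it tries the token first and falls back to the host RNG when the token cannot deliver. The stub token functions, the local CK_RV declarations and the use of /dev/urandom are assumptions of the example.

```c
#include <stdio.h>
#include <string.h>

/* PKCS#11 return values used below, declared here so the example builds
 * without pkcs11.h (values as defined by the PKCS#11 specification). */
typedef unsigned long CK_RV;
#define CKR_OK              0x000UL
#define CKR_FUNCTION_FAILED 0x006UL

/* The token RNG the caller hands in; same shape as C_GenerateRandom minus the
 * session handle, so a real module can be wrapped in one line. */
typedef CK_RV (*token_rng_fn)(unsigned char *buf, unsigned long len);

static int all_zero(const unsigned char *buf, size_t len)
{
    for (size_t i = 0; i < len; i++)
        if (buf[i] != 0)
            return 0;
    return 1;
}

/* Read exactly len bytes from a kernel RNG device. pam_pkcs11's non-NSS build
 * reads /dev/random; /dev/urandom is used here so the example never blocks. */
static int read_kernel_rng(const char *path, unsigned char *buf, size_t len)
{
    FILE *f = fopen(path, "rb");
    if (f == NULL)
        return -1;
    size_t got = fread(buf, 1, len, f);
    fclose(f);
    return got == len ? 0 : -1;
}

/* Fetch a challenge of len bytes. Try the token first; when it reports that it
 * cannot (the SetCOS case, where GET CHALLENGE is rejected with 6D00 and
 * C_GenerateRandom fails), fall back to the host RNG instead of failing the
 * whole authentication. Returns 0 on success and sets *source to "token" or
 * "host"; returns -1 and leaves *source "none" if no usable bytes were
 * obtained. An all-zero result counts as failure whichever source produced it. */
int get_random_value(token_rng_fn token_rng, unsigned char *buf, size_t len,
                     const char **source)
{
    *source = "none";
    memset(buf, 0, len);               /* never hand out stack garbage as a nonce */
    if (len == 0)
        return -1;

    if (token_rng != NULL && token_rng(buf, (unsigned long)len) == CKR_OK &&
        !all_zero(buf, len)) {
        *source = "token";
        return 0;
    }
    /* Token absent, failed, or returned nothing usable: use the host RNG. */
    memset(buf, 0, len);
    if (read_kernel_rng("/dev/urandom", buf, len) == 0 && !all_zero(buf, len)) {
        *source = "host";
        return 0;
    }
    memset(buf, 0, len);
    return -1;
}

/* Stub tokens for the demonstration (constructed, not real PKCS#11 modules). */
static CK_RV stub_setcos_rng(unsigned char *buf, unsigned long len)
{
    (void)buf; (void)len;
    return CKR_FUNCTION_FAILED;        /* mirrors the card rejecting GET CHALLENGE */
}

static CK_RV stub_good_rng(unsigned char *buf, unsigned long len)
{
    for (unsigned long i = 0; i < len; i++)
        buf[i] = (unsigned char)(0xA5 ^ i);  /* fixed pattern so the result is checkable */
    return CKR_OK;
}

int main(void)
{
    unsigned char challenge[16];
    const char *source;
    if (get_random_value(stub_setcos_rng, challenge, sizeof challenge, &source) == 0)
        printf("challenge from %s: %02x%02x...\n", source, challenge[0], challenge[1]);
    if (get_random_value(stub_good_rng, challenge, sizeof challenge, &source) == 0)
        printf("challenge from %s: %02x%02x...\n", source, challenge[0], challenge[1]);
    return 0;
}
```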
Patrik Martinsson
2010-08-27 11:37:06 UTC
Hi again guys,

Thanks for your input. I've been away for a couple of days, that's why I
haven't been able to answer.

I feel I need to explain a little, just so we are on the same page here.

Running this on my rhel 6 system.
OpenSC, checked out revision 4654, configured and built (patched with
the earlier attached patch from Andre Zepezauer).
pam_pkcs11, checked out revision 447, configured with _nss_ and built.
pcsc-lite, using the version that came with rhel6, pcsc-lite-1.5.2-5.el6.x86_64.
Card reader, OmniKey 3121, driver from their homepage (tried with the one
that comes with rhel too, but same issue).

What I'm trying to accomplish,
Get our ~100+ clients to be able to login through their smartcard.
Cards are delivered by a company called secmaker and are supposed to have
setcos 4.4.1; the cards come from gemalto.

$ opensc-tool -i
Using reader with a card: OMNIKEY CardMan 3x21 00 00
SetCOS

$ opensc-tool -a
Using reader with a card: OMNIKEY CardMan 3x21 00 00
3b:7d:96:00:00:80:31:80:65:b0:a3:11:40:a9:83:00:90:00

$ opensc-tool -R
Configured reader drivers:
pcsc PC/SC reader

$ opensc-tool -D
Configured card drivers:
cardos Siemens CardOS
cardos Siemens CardOS
flex Schlumberger Multiflex/Cryptoflex
cyberflex Schlumberger Cyberflex
gpk Gemplus GPK
gemsafeV1 driver for the Gemplus GemSAFE V1 applet
miocos MioCOS 1.1
mcrd MICARDO 2.1
asepcos Athena ASEPCOS
starcos STARCOS SPK 2.3/2.4
tcos TCOS 3.0
openpgp OpenPGP card
jcop JCOP cards with BlueZ PKCS#15 applet
oberthur Oberthur AuthentIC.v2/CosmopolIC.v4
belpic Belpic cards
ias IAS
incrypto34 Incard Incripto34
acos5 ACS ACOS5 card
akis TUBITAK UEKAE AKIS
entersafe entersafe
rutoken Rutoken driver
rutoken_ecp Rutoken ECP driver
westcos WESTCOS compatible cards
myeid MyEID cards with PKCS#15 applet
setcos Setec cards
muscle MuscleApplet
atrust-acos A-Trust ACOS cards
piv PIV-II for multiple cards
itacns Italian CNS
javacard JavaCard (without supported applet)
default Default driver for unknown cards

$ /usr/bin/modutil -list -dbdir /etc/pki/nssdb/ (I've previously added the
opensc module with this: /usr/bin/modutil -force -dbdir
/etc/pki/nssdb -add OpenSC -libfile /usr/local/lib/opensc-pkcs11.so)
Listing of PKCS #11 Modules
-----------------------------------------------------------
1. NSS Internal PKCS #11 Module
slots: 2 slots attached
status: loaded

slot: NSS Internal Cryptographic Services
token: NSS Generic Crypto Services

slot: NSS User Private Key and Certificate Services
token: NSS Certificate DB

2. OpenSC
library name: /usr/local/lib/opensc-pkcs11.so
slots: 5 slots attached
status: loaded

slot: Virtual hotplug slot
token:

slot: OMNIKEY CardMan 3x21 00 00
token: Instant EID IP8 (identification)

slot: OMNIKEY CardMan 3x21 00 00
token: Instant EID IP8 (signature)

slot: OMNIKEY CardMan 3x21 00 00
token: Instant EID IP8

slot: OMNIKEY CardMan 3x21 00 00
token:

$ pkcs11_inspect
PIN for token:
Printing data for mapper cn:
user

So.. to me everything seems to work quite well, however I've one problem
left and that's the pkcs11_eventmgr.

$ pkcs11_eventmgr debug nodaemon (card in reader)
DEBUG:pkcs11_eventmgr.c:379: Initializing NSS ...
DEBUG:pkcs11_eventmgr.c:395: loading the module ...
DEBUG:pkcs11_eventmgr.c:405: loading Module explictly,
moduleSpec=<library="/usr/local/lib/opensc-pkcs11.so" name="SmartCard">
module=/usr/local/lib/opensc-pkcs11.so
DEBUG:pkcs11_eventmgr.c:453: Waiting for Events
DEBUG:pkcs11_eventmgr.c:601: Exited from main loop
DEBUG:pkcs11_eventmgr.c:91: Exitting

$ pkcs11_eventmgr debug nodaemon (card NOT in reader)

DEBUG:pkcs11_eventmgr.c:379: Initializing NSS ...
DEBUG:pkcs11_eventmgr.c:395: loading the module ...
DEBUG:pkcs11_eventmgr.c:405: loading Module explictly,
moduleSpec=<library="/usr/local/lib/opensc-pkcs11.so" name="SmartCard">
module=/usr/local/lib/opensc-pkcs11.so
DEBUG:pkcs11_eventmgr.c:453: Waiting for Events
DEBUG:pkcs11_eventmgr.c:601: Exited from main loop
DEBUG:pkcs11_eventmgr.c:91: Exitting

All the verbose logs are attached; the verbosity level is set to 2. Tell
me if I need to increase it, however I'm a bit concerned about mailing
out my certificate and username and that kind of stuff (which is
included in level 3); it doesn't feel quite right, but maybe I'm wrong?
I've also attached my config files.

Basically I want this working so gdm can recognize inserts / removals. I
talked to the gdm developers and they fixed some bugs with smartcards in
later releases, which is cool, but as long as pkcs11_eventmgr won't work
with nss I don't think gdm will work either (gdm uses nss by default).

Btw.
I've also tried card_eventmgr, and that one works as expected.

So it seems something's getting fishy when nss is involved.

Again, thanks for any kind of help, and tell me what kind of debug info
you need and I'll fix it.

/Patrik Martinsson,
Sweden.
JP Szikora
2010-08-27 12:40:40 UTC
Post by Patrik Martinsson
Cards are delivered by a company called secmaker, is suppose to have
setcos 4.4.1, cards delivered by gemalto.
Hi Patrik,

The SetCOS cards are not produced anymore (since end 2007), after Setec was
integrated into Gemalto. The SetCOS card was replaced by a GemXpresso4
card with a file system, a crypto file system and EID applets. They call
that "SetCOSXpresso" and it is much more expensive than the original
SetCOS 4.4.1! The compatibility with SetCOS is probably not perfect.

The ATR of the original SetCOS 4.4.1:
3b:9f:94:80:1f:c3:00:68:11:44:05:01:46:49:53:45:31:c8:07:90:00:19

The ATR of a SetCOSXpresso EID 2.1:
3b:7d:96:00:00:80:31:80:65:b0:83:11:40:ac:83:00:90:00

To check the EID version of the card:
opensc-tool -s 00:CA:DF:30:05
Using reader with a card: Vasco DP905 00 00
Sending: 00 CA DF 30 05
Received (SW1=0x90, SW2=0x00):
76 32 2E 31 30 v2.10

This is done also in card-setcos.c in the function setcos_match_card

Cheers,

Jean-Pierre
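Jean-Pierre's check above (GET DATA with 00 CA DF 30 05 answering "76 32 2E 31 30", i.e. "v2.10", plus the two ATRs he quotes) can be exercised offline. The following is an added example written for this page, not code from OpenSC's card-setcos.c or setcos_match_card: it splits a raw response into data and status word, reports the 6D00 case with the text iso7816_check_sw uses, decodes the version string, and classifies the ATRs from the thread. Masking bytes 10 and 13 of the SetCOSXpresso ATR, where Patrik's card differs from Jean-Pierre's, is an assumption made here.

```c
#include <stdio.h>
#include <string.h>

enum card_kind { CARD_UNKNOWN = 0, CARD_SETCOS_441 = 1, CARD_SETCOSXPRESSO = 2 };

/* ATRs as quoted in the thread (colon-separated hex, as opensc-tool prints them). */
static const char ATR_SETCOS_441[] =
    "3b:9f:94:80:1f:c3:00:68:11:44:05:01:46:49:53:45:31:c8:07:90:00:19";
static const char ATR_SETCOSXPRESSO_EID21[] =
    "3b:7d:96:00:00:80:31:80:65:b0:83:11:40:ac:83:00:90:00";

/* Parse "3b:7d:..." into bytes. Returns the byte count, or -1 on malformed input. */
static int parse_hex_colon(const char *s, unsigned char *out, size_t max)
{
    size_t n = 0;
    while (*s != '\0') {
        unsigned int v;
        int used = 0;
        if (n >= max || sscanf(s, "%2x%n", &v, &used) != 1 || used != 2)
            return -1;
        out[n++] = (unsigned char)v;
        s += 2;
        if (*s == ':')
            s++;
        else if (*s != '\0')
            return -1;
    }
    return (int)n;
}

/* Status-word text for the two cases that appear in the thread, worded as
 * OpenSC's iso7816_check_sw reports them; anything else is reported generically. */
static const char *sw_to_text(unsigned int sw)
{
    switch (sw) {
    case 0x9000: return "OK";
    case 0x6D00: return "Instruction code not supported or invalid";
    default:     return "Unknown or unhandled status word";
    }
}

/* Split a raw GET DATA response into data + SW1SW2. On SW 9000 the data is
 * copied out as a string (the card answers "76 32 2E 31 30" = "v2.10").
 * Returns 0 on success, -1 on a short/oversized response or a non-9000 SW;
 * *sw receives the status word whenever the response is at least 2 bytes. */
static int decode_eid_version(const unsigned char *resp, size_t len,
                              unsigned int *sw, char *version, size_t vlen)
{
    if (len < 2)
        return -1;
    *sw = ((unsigned int)resp[len - 2] << 8) | resp[len - 1];
    size_t dlen = len - 2;
    if (*sw != 0x9000 || dlen + 1 > vlen)
        return -1;
    for (size_t i = 0; i < dlen; i++) {
        if (resp[i] < 0x20 || resp[i] > 0x7E)   /* the version is printable ASCII */
            return -1;
        version[i] = (char)resp[i];
    }
    version[dlen] = '\0';
    return 0;
}

/* Classify an ATR: exact match for SetCOS 4.4.1; for SetCOSXpresso, bytes 10
 * and 13 are masked out (assumption for this example, see lead-in). */
static enum card_kind classify_atr(const char *atr_hex)
{
    unsigned char atr[33], ref[33];
    int n = parse_hex_colon(atr_hex, atr, sizeof atr);
    if (n <= 0)
        return CARD_UNKNOWN;

    if (parse_hex_colon(ATR_SETCOS_441, ref, sizeof ref) == n &&
        memcmp(atr, ref, (size_t)n) == 0)
        return CARD_SETCOS_441;

    if (parse_hex_colon(ATR_SETCOSXPRESSO_EID21, ref, sizeof ref) == n) {
        for (int i = 0; i < n; i++)
            if (i != 10 && i != 13 && atr[i] != ref[i])
                return CARD_UNKNOWN;
        return CARD_SETCOSXPRESSO;
    }
    return CARD_UNKNOWN;
}

int main(void)
{
    /* Constructed from the responses shown in the thread. */
    const unsigned char version_resp[] = { 0x76, 0x32, 0x2E, 0x31, 0x30, 0x90, 0x00 };
    const unsigned char ins_resp[]     = { 0x6D, 0x00 };  /* what GET CHALLENGE got back */
    const char *patrik_atr = "3b:7d:96:00:00:80:31:80:65:b0:a3:11:40:a9:83:00:90:00";
    char version[16];
    unsigned int sw;

    if (decode_eid_version(version_resp, sizeof version_resp, &sw, version, sizeof version) == 0)
        printf("GET DATA DF30 -> %s (%s)\n", version, sw_to_text(sw));
    decode_eid_version(ins_resp, sizeof ins_resp, &sw, version, sizeof version);
    printf("GET CHALLENGE -> SW %04X: %s\n", sw, sw_to_text(sw));
    printf("ATR %s -> kind %d\n", patrik_atr, (int)classify_atr(patrik_atr));
    return 0;
}
```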
Patrik Martinsson
2010-08-27 13:27:46 UTC
Hi Jean-Pierre,

Ok. Cool, I did not know that.
I've tested it and confirmed,

$ opensc-tool -s 00:CA:DF:30:05
0x7fd0da512700 15:24:21.566 [opensc-tool]
reader-pcsc.c:964:pcsc_detect_readers: returning with: 0
Using reader with a card: OMNIKEY CardMan 3x21 00 00
Sending: 00 CA DF 30 05
Received (SW1=0x90, SW2=0x00):
76 32 2E 31 30 v2.10

So our cards are not SetCOS; they are SetCOSXpresso EID 2.1.

When you say "The compatibility with SetCOS is probably not perfect",
could that have something to do with why pkcs11_eventmgr doesn't work
correctly with nss?

/Patrik
Jean-Pierre Szikora
2010-08-27 19:02:58 UTC
Post by Patrik Martinsson
Hi Jean-Pierre,
Ok. Cool, I did not know that.
I've tested it and confirmed,
$ opensc-tool -s 00:CA:DF:30:05
964:pcsc_detect_readers: returning with: 0
Using reader with a card: OMNIKEY CardMan 3x21 00 00
Sending: 00 CA DF 30 05
76 32 2E 31 30 v2.10
So our cards are not, SetCOS, they are SetCOSXpresso EID 2.1.
When you say, "The compatibility with SetCOS is probably not
perfect. " could that have something todo with why pkcs11_eventmgr
doesn't work correctly with nss ?
I cannot answer this question. When we saw the price increase,
our interest in investigating further was completely stopped ;-)

Cheers,

Jean-Pierre
Jean-Michel Pouré - GOOZE
2010-08-28 10:13:21 UTC
Post by Jean-Pierre Szikora
It can not answer to this question. When we saw the price increase,
our interest to investigate further was completely stopped ;-)
You may try the Feitian PKI smartcard or the Feitian ePass PKI instead.

Hope this helps.
--
Jean-Michel Pouré - Gooze - http://www.gooze.eu
Martin Paljak
2010-08-27 14:21:51 UTC
Hello!
Cardreader, OmniKey 3121, driver by their homepage. (tried with the one that comes with rhel too, but same issue)
Better use the open source CCID driver. Just to be sure.
$ opensc-tool -i
Using reader with a card: OMNIKEY CardMan 3x21 00 00
SetCOS
The same command produces different output on my computer:

$ opensc-tool -i
opensc 0.12.0-svn [gcc 4.2.1 (Apple Inc. build 5646) (dot 1)]
Enabled features: zlib readline iconv openssl pcsc(/System/Library/Frameworks/PCSC.framework/PCSC)
$ opensc-tool -D
cardos Siemens CardOS
cardos Siemens CardOS
Ah, the double entry got removed, thanks for sending this!
$ /usr/bin/modutil -list -dbdir /etc/pki/nssdb/ (I've previoslu added opensc module like with this, /usr/bin/modutil -force -dbdir /etc/pki/nssdb -add OpenSC -libfile /usr/local/lib/opensc-pkcs11.so)
AFAIK the shared NSS db has nothing to do with pam_pkcs11.
So.. to me everything seems to work quite well, however I've one problem left and that's the pkcs11_eventmgr.
$ pkcs11_eventmgr debug nodaemon (card in reader)
DEBUG:pkcs11_eventmgr.c:379: Initializing NSS ...
DEBUG:pkcs11_eventmgr.c:395: loading the module ...
DEBUG:pkcs11_eventmgr.c:405: loading Module explictly, moduleSpec=<library="/usr/local/lib/opensc-pkcs11.so" name="SmartCard"> module=/usr/local/lib/opensc-pkcs11.so
DEBUG:pkcs11_eventmgr.c:453: Waiting for Events
DEBUG:pkcs11_eventmgr.c:601: Exited from main loop
DEBUG:pkcs11_eventmgr.c:91: Exitting
Strange, the same on my Debian:


***@debian:~/projects/pam_pkcs11-trunk/src$ pkcs11_eventmgr nodaemon debug
DEBUG:pkcs11_eventmgr.c:379: Initializing NSS ...
DEBUG:pkcs11_eventmgr.c:395: loading the module ...
DEBUG:pkcs11_eventmgr.c:405: loading Module explictly, moduleSpec=<library="/usr/lib/opensc-pkcs11.so" name="SmartCard"> module=/usr/lib/opensc-pkcs11.so

DEBUG:pkcs11_eventmgr.c:453: Waiting for Events
DEBUG:pkcs11_eventmgr.c:484: Card inserted,
DEBUG:pkcs11_eventmgr.c:169: Onerror is set to: 'ignore'
DEBUG:pkcs11_eventmgr.c:173: Executiong action: 'echo foo '
foo
DEBUG:pkcs11_eventmgr.c:182: Action 'echo foo ' returns 0
DEBUG:pkcs11_eventmgr.c:484: Card inserted,
DEBUG:pkcs11_eventmgr.c:169: Onerror is set to: 'ignore'
DEBUG:pkcs11_eventmgr.c:173: Executiong action: 'echo foo '
foo
DEBUG:pkcs11_eventmgr.c:182: Action 'echo foo ' returns 0


The first event when a card is removed from the reader is lost, but that is a bug of OpenSC and should not result in behavior as you experience.
Looking at pam_pkcs11 source, I can only see that the loop breaks only if C_WaitForSlotEvent (the SECMOD_ wrapper of it in NSS) returns NULL. Here the relevant error code is SC_ERROR_EVENT_TIMEOUT
$ pkcs11_eventmgr debug nodaemon (card NOT in reader)
DEBUG:pkcs11_eventmgr.c:379: Initializing NSS ...
DEBUG:pkcs11_eventmgr.c:395: loading the module ...
DEBUG:pkcs11_eventmgr.c:405: loading Module explictly, moduleSpec=<library="/usr/local/lib/opensc-pkcs11.so" name="SmartCard"> module=/usr/local/lib/opensc-pkcs11.so
DEBUG:pkcs11_eventmgr.c:453: Waiting for Events
DEBUG:pkcs11_eventmgr.c:601: Exited from main loop
DEBUG:pkcs11_eventmgr.c:91: Exitting
All the verbose logs are attached, the verbosity level is set to 2. Tell me if i need to increase it, however I'm a bit concerned about mailing out my certificate and username and that kind of stuff (which is included in level 3), doesn't feel quite right, but maybe I'm wrong ?
If you have such sensitive data in your public information (certificates are usually "public", at least in your 100+ computer PKI system), don't send out *anything* from your computer system.

If not, the only sensitive information in the log file is your PIN code (if you don't use a pinpad). If that is the case, either edit the log file and remove the lines with the PIN code (you can grep for it) or change it to a dummy value (0000/1234) before generating the test log.

Usually the best is to set the debug to "very high" so that all bits and pieces get logged. For pkcs11_eventmgr, nothing about certificates should get logged. Please send a full log file (set debug to 9 in opensc.conf and set an output file to some value) with the failing case "pkcs11_eventmgr debug nodaemon (card NOT in reader)".

Finally, I don't think you *have* to use NSS with pam_pkcs11, only because GDM uses NSS.

But the issue should be fixed nevertheless.
--
Martin Paljak
@martinpaljak.net
+3725156495
Patrik Martinsson
2010-08-27 15:14:32 UTC
Hey,
Post by Martin Paljak
Better use the open source CCID driver. Just to be sure.
Understood, will do that.
Post by Martin Paljak
$ opensc-tool -i
Sorry, I meant opensc -n
Post by Martin Paljak
$ opensc-tool -D
Ah, the double entry got removed, thanks for sending this!
Didn't notice it myself actually, just thought it would be useful as background info on my problem :)
Post by Martin Paljak
AFAIK the shared NSS db has nothing to do with pam_pkcs11.
If that's true, why do I have the option of compiling pam_pkcs11 with nss?
./configure --help | grep nss
--with-nss use NSS instead of openSSL and raw PKCS 11
That's the default package when it comes with Red Hat.
Post by Martin Paljak
The first event when a card is removed from the reader is lost, but that is a bug of OpenSC and should not result in behavior as you experience.
Looking at pam_pkcs11 source, I can only see that the loop breaks only if C_WaitForSlotEvent (the SECMOD_ wrapper of it in NSS) returns NULL. Here the relevant error code is SC_ERROR_EVENT_TIMEOUT
Yeah, I hear you, I've looked at that part too; the question is why I get SC_ERROR_EVENT_TIMEOUT.
Post by Martin Paljak
If you have so sensitive data in your public information (certificates are usually "public", at least in your 100+ computer PKI system), don't send out *anything* from your computer system.
If not, the only sensitive information in the log file is your PIN code (if you don't use a pinpad) If that is the case, either edit the log file and remove the lines with the PIN code (you can grep for it) or change it to a dummy value (0000/1234) before generating the test log.
Usually the best is to set the debug to "very high" so that all bits and pieces would get logged. For pkcs11_eventmgr, nothing about certificates should get logged. Plase send a full log file (set debug to 9 in opensc.conf and set an output file to some value) with the failing case "pkcs11_eventmgr debug nodaemon (card NOT in reader)"
Ok, I understand. AFAIK we don't store anything other than the public certificate, so maybe it's alright; however my knowledge around this is limited so I need to check it on Monday with the security expert.
Post by Martin Paljak
Finally, I don't think you *have* to use NSS with pam_pkcs11, only because GDM uses NSS.
I think that both pam_pkcs11 and gdm use nss by default when they come packaged with Red Hat. So if I get one working I think the other one will too (if pam_eventmgr with nss = OK, I think gdm will work too, because they use the same method of detecting insertions/removals).
But maybe I'm wrong.

Thanks for your help and let me get back next week with some more info.

/Patrik Martinsson,
Sweden.
Patrik Martinsson
2010-08-30 10:54:40 UTC
Hello again,

Just to clarify before posting full debug logs: we have our private
certificates on these cards. But those are not exportable, right?
And by posting full opensc (debug 99) logs here I won't expose those in
any way, right?

/Patrik Martinsson
Post by Patrik Martinsson
Hi again guys,
Thanks for your input. I've been away for a couple of days, that's why
I haven't been able to answer.
I feel I need to explain a little, just so we are on the same page here.
Running this on my RHEL 6 system.
OpenSC, checked out revision 4654, configured and built (patched with
the earlier attached patch from Andre Zepezauer).
pam_pkcs11, checked out revision 447, configured with _nss_ and built.
Pcsc-lite, using version that came with rhel6,
pcsc-lite-1.5.2-5.el6.x86_64.
Card reader, OmniKey 3121, driver from their homepage (tried with the
one that comes with RHEL too, but same issue).
What I'm trying to accomplish,
Get our ~100+ clients to be able to login through their smartcard.
Cards are delivered by a company called secmaker, are supposed to have
SetCOS 4.4.1, cards delivered by Gemalto.
$ opensc-tool -i
Using reader with a card: OMNIKEY CardMan 3x21 00 00
SetCOS
$ opensc-tool -a
Using reader with a card: OMNIKEY CardMan 3x21 00 00
3b:7d:96:00:00:80:31:80:65:b0:a3:11:40:a9:83:00:90:00
$ opensc-tool -R
pcsc PC/SC reader
$ opensc-tool -D
cardos Siemens CardOS
cardos Siemens CardOS
flex Schlumberger Multiflex/Cryptoflex
cyberflex Schlumberger Cyberflex
gpk Gemplus GPK
gemsafeV1 driver for the Gemplus GemSAFE V1 applet
miocos MioCOS 1.1
mcrd MICARDO 2.1
asepcos Athena ASEPCOS
starcos STARCOS SPK 2.3/2.4
tcos TCOS 3.0
openpgp OpenPGP card
jcop JCOP cards with BlueZ PKCS#15 applet
oberthur Oberthur AuthentIC.v2/CosmopolIC.v4
belpic Belpic cards
ias IAS
incrypto34 Incard Incripto34
acos5 ACS ACOS5 card
akis TUBITAK UEKAE AKIS
entersafe entersafe
rutoken Rutoken driver
rutoken_ecp Rutoken ECP driver
westcos WESTCOS compatible cards
myeid MyEID cards with PKCS#15 applet
setcos Setec cards
muscle MuscleApplet
atrust-acos A-Trust ACOS cards
piv PIV-II for multiple cards
itacns Italian CNS
javacard JavaCard (without supported applet)
default Default driver for unknown cards
$ /usr/bin/modutil -list -dbdir /etc/pki/nssdb/ (I've previously added
the opensc module with this: /usr/bin/modutil -force -dbdir
/etc/pki/nssdb -add OpenSC -libfile /usr/local/lib/opensc-pkcs11.so)
Listing of PKCS #11 Modules
-----------------------------------------------------------
1. NSS Internal PKCS #11 Module
slots: 2 slots attached
status: loaded
slot: NSS Internal Cryptographic Services
token: NSS Generic Crypto Services
slot: NSS User Private Key and Certificate Services
token: NSS Certificate DB
2. OpenSC
library name: /usr/local/lib/opensc-pkcs11.so
slots: 5 slots attached
status: loaded
slot: Virtual hotplug slot
slot: OMNIKEY CardMan 3x21 00 00
token: Instant EID IP8 (identification)
slot: OMNIKEY CardMan 3x21 00 00
token: Instant EID IP8 (signature)
slot: OMNIKEY CardMan 3x21 00 00
token: Instant EID IP8
slot: OMNIKEY CardMan 3x21 00 00
$ pkcs11_inspect
user
So.. to me everything seems to work quite well, however I've one
problem left and that's the pkcs11_eventmgr.
$ pkcs11_eventmgr debug nodaemon (card in reader)
DEBUG:pkcs11_eventmgr.c:379: Initializing NSS ...
DEBUG:pkcs11_eventmgr.c:395: loading the module ...
DEBUG:pkcs11_eventmgr.c:405: loading Module explictly,
moduleSpec=<library="/usr/local/lib/opensc-pkcs11.so"
name="SmartCard"> module=/usr/local/lib/opensc-pkcs11.so
DEBUG:pkcs11_eventmgr.c:453: Waiting for Events
DEBUG:pkcs11_eventmgr.c:601: Exited from main loop
DEBUG:pkcs11_eventmgr.c:91: Exitting
$ pkcs11_eventmgr debug nodaemon (card NOT in reader)
DEBUG:pkcs11_eventmgr.c:379: Initializing NSS ...
DEBUG:pkcs11_eventmgr.c:395: loading the module ...
DEBUG:pkcs11_eventmgr.c:405: loading Module explictly,
moduleSpec=<library="/usr/local/lib/opensc-pkcs11.so"
name="SmartCard"> module=/usr/local/lib/opensc-pkcs11.so
DEBUG:pkcs11_eventmgr.c:453: Waiting for Events
DEBUG:pkcs11_eventmgr.c:601: Exited from main loop
DEBUG:pkcs11_eventmgr.c:91: Exitting
All the verbose logs are attached, the verbosity level is set to 2.
Tell me if I need to increase it, however I'm a bit concerned about
mailing out my certificate and username and that kind of stuff (which
is included in level 3), doesn't feel quite right, but maybe I'm wrong ?
I've also attached my config files.
Basically I want this working so gdm can recognize inserts / removals.
I talked to the gdm developers and they fixed some bugs with
smartcards in later releases which is cool, but as long as
pkcs11_eventmgr won't work with nss I don't think gdm will work either.
(gdm uses nss by default)
Btw.
I've also tried card_eventmgr, and that one works as expected.
So it seems something's getting fishy when nss is involved.
Again, thanks for any kind of help, and tell me what kind of debug
info you need and I'll fix it.
/Patrik Martinsson,
Sweden.
Post by Martin Paljak
Hello,
Post by Ludovic Rousseau
Post by Martin Paljak
If everything is working fine, there's nothing to worry about. If not, then it can be fixed by implementing a proper GET CHALLENGE method in card-setcos.c. If you can sniff the correct APDU for this (or if you have the manual) would be great. Or something in pkcs11_inspect should be fixed to not depend on the smart card module C_GenerateRandom().
I could not find any use of C_GenerateRandom() by pam_pkcs11. So I am
not sure the culprit is pkcs11_inspect or another part of pam_pkcs11.
- one that uses C_GenerateRandom [3]
- one that uses /dev/random [4]
I think this is the "main" authentication callback of pam_pkcs11?
The two different implementations seem to come from NSS vs no NSS.
[1]http://www.opensc-project.org/pam_pkcs11/browser/trunk/src/pam_pkcs11/pam_pkcs11.c#L173
[2]http://www.opensc-project.org/pam_pkcs11/browser/trunk/src/pam_pkcs11/pam_pkcs11.c#L597
[3]http://www.opensc-project.org/pam_pkcs11/browser/trunk/src/common/pkcs11_lib.c#L834
[4]http://www.opensc-project.org/pam_pkcs11/browser/trunk/src/common/pkcs11_lib.c#L1754
_______________________________________________
opensc-devel mailing list
http://www.opensc-project.org/mailman/listinfo/opensc-devel
Patrik Martinsson
2010-08-30 11:38:19 UTC
Hello again,

Here is the log with the card *not inserted* in the reader.

I'm using this version of pcsc.
rpm -qa | grep pcsc
pcsc-lite-libs-1.5.2-5.el6.x86_64
pcsc-lite-1.5.2-5.el6.x86_64
pcsc-lite-devel-1.5.2-5.el6.x86_64
pcsc-lite-debuginfo-1.5.2-5.el6.x86_64

For the ccid driver I'm currently using the one delivered by OmniKey, called
ifdokccid_lnx_x64-3.5.1.

I could change to use the opensource ccid if you want ?

/Patrik Martinsson,
Sweden.
Post by Martin Paljak
Hello,
I already found the culprits. Just to confirm that the same thing happens the same way without the card, please provide the pkcs11_eventmgr log *without* the card in reader. You can freely post the pkcs11_eventmgr (the only interesting log) log to the mailing list, it contains no sensitive (card related) information.
0x7f43bb0477c0 12:57:26.242 [opensc-pkcs11] reader-pcsc.c:284:refresh_attributes: OMNIKEY CardMan 3x21 00 00:SCardGetStatusChange failed: 0x80100003 which translates to SCARD_E_INVALID_HANDLE
Also, please provide your pcsc-lite/ccid versions, as it relates to pcsc-lite version.
Thanks,
Hello Martin,
Ah ok, thanks for your help and interest in this matter Martin.
I've attached the logs from both pkcs11_inspect and pkcs11_eventmgr when debug is 99 in opensc.conf.
These lines seem to indicate that something is not right:
0x7f43bb0477c0 12:57:26.242 [opensc-pkcs11] reader-pcsc.c:284:refresh_attributes: OMNIKEY CardMan 3x21 00 00:SCardGetStatusChange failed: 0x80100003
0x7f43bb0477c0 12:57:26.242 [opensc-pkcs11] sc.c:190:sc_detect_card_presence: returning with: -1900
0x7f43bb0477c0 12:57:26.242 [opensc-pkcs11] slot.c:192:card_detect: OMNIKEY CardMan 3x21 00 00: failed, Unknown error
0x7f43bb0477c0 12:57:26.242 [opensc-pkcs11] misc.c:59:sc_to_cryptoki_error_common: opensc error: Unknown error (-1900)
0x7f43bb0477c0 12:57:26.244 [opensc-pkcs11] reader-pcsc.c:1143:pcsc_wait_for_event: returning with: -1112
0x7f43bb0477c0 12:57:26.244 [opensc-pkcs11] pkcs11-global.c:664:C_WaitForSlotEvent: sc_wait_for_event() returned -1112
0x7f43bb0477c0 12:57:26.244 [opensc-pkcs11] misc.c:59:sc_to_cryptoki_error_common: opensc error: Timeout while waiting for event from card reader (-1112)
Please come back to me if there is anything more I can do debug-wise.
/Patrik
Post by Martin Paljak
Hello,
Just to clarify before posting full debug logs: we have our private certificates on these cards. But those are not exportable, right?
And by posting full opensc (debug 99) logs here I won't expose those in any way, right?
Private *keys* are not exportable (usually) but certificates are exposed in the log, yes. If you have sensitive material in your certificates, filter that. If you don't want the mailing list engine to archive your full logs (and you feel like that's appropriate for your security concerns) send them to me personally and I'll filter out anything that seems like "possibly not wanted to be publicly on the list archive".
Andre Zepezauer
2010-08-26 12:32:36 UTC
Post by Martin Paljak
Hello,
Post by Patrik Martinsson
Question #1,
Try pkcs11_inspect.
$ pkcs11_inspect
[opensc-pkcs11] iso7816.c:99:iso7816_check_sw: Instruction code not supported or invalid
[opensc-pkcs11] card.c:588:sc_get_challenge: returning with: Unsupported INS byte in APDU
PIN for token: xxxx
username
Works like a charm, however it gives me those two lines which is a bit worrying/annoying.
What do they mean and is there anything i can do to fix them ?
card-setcos.c does not override iso7816.get_challenge, but the card rejects the ISO version. This results in C_GenerateRandom() failing, but I guess pkcs11_inspect will then just use some other random source. OpenSC SVN/0.12+ will not output such internal errors to stderr by default, so you'll not see it in future versions.
If everything is working fine, there's nothing to worry about. If not, then it can be fixed by implementing a proper GET CHALLENGE method in card-setcos.c. If you can sniff the correct APDU for this (or if you have the manual) would be great. Or something in pkcs11_inspect should be fixed to not depend on the smart card module C_GenerateRandom().
I think that it is highly possible that most SetCOS cards will do fine
with the current implementation of get_challenge(). This is because the
driver is about 8 years old, so anyone else would have reported this bug
before if it was a general one. My assumption is that this particular
card lacks the required hardware.

Attached is a patch, which exposes the RNG functionality only if the
token itself states support for it.

Regards
Andre
Post by Martin Paljak
Post by Patrik Martinsson
Question #2,
I'm trying to use opensc-pkcs11.so together with gdm-plugin-smartcard.
That one is failing telling me, "assertion 'slot_id >= 1' failed", obviously slot_id should be >= 1, but it isn't and I'm not sure why.
"""
A priori, any value of CK_SLOT_ID can be a valid slot identifier—in particular, a system may have a slot identified by the value 0. It need not have such a slot, however.
"""
Cheers,
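Two client-side checks follow from Martin's answers above: pkcs11_inspect should not depend on C_GenerateRandom() when the token does not advertise an RNG (Andre's patch hides the function unless the token states support), and gdm's `slot_id >= 1` assertion is wrong because the spec allows slot id 0. The Python below is an added example, not code from OpenSC, pam_pkcs11 or gdm: it runs against a constructed stand-in for a Cryptoki module (FakeModule, an assumption for this example), using the real CKF_RNG and CKR_* values from pkcs11t.h, and shows a client that consults C_GetTokenInfo flags before trusting the token RNG and validates slot ids against C_GetSlotList instead of assuming they start at 1.

```python
"""PKCS#11 client checks, run against a constructed fake token.

Constants are the PKCS#11 v2.20 values from pkcs11t.h. FakeModule is a
stand-in for a real Cryptoki library such as opensc-pkcs11.so; it is an
assumption made for this example and not OpenSC code.
"""
import os

# Token information flags (CK_TOKEN_INFO.flags), from pkcs11t.h.
CKF_RNG = 0x00000001           # token has its own random number generator

# Return values (CK_RV), from pkcs11t.h.
CKR_OK = 0x00000000
CKR_SLOT_ID_INVALID = 0x00000003
CKR_DEVICE_ERROR = 0x00000030
CKR_FUNCTION_NOT_SUPPORTED = 0x00000054


class FakeModule:
    """Constructed stand-in for a loaded Cryptoki module.

    slots maps CK_SLOT_ID -> token flags. Slot id 0 may be present: the
    spec says any CK_SLOT_ID value, including 0, can be a valid slot.
    """

    def __init__(self, slots, rng_works=True):
        self._slots = dict(slots)
        self._rng_works = rng_works

    def C_GetSlotList(self):
        return CKR_OK, sorted(self._slots)

    def C_GetTokenInfo(self, slot_id):
        if slot_id not in self._slots:
            return CKR_SLOT_ID_INVALID, None
        return CKR_OK, {"flags": self._slots[slot_id]}

    def C_GenerateRandom(self, n):
        # Mirrors the thread: a card that rejects the ISO GET CHALLENGE
        # APDU makes the module return an error instead of random bytes.
        if not self._rng_works:
            return CKR_DEVICE_ERROR, None
        return CKR_OK, bytes(range(n))  # constructed, deliberately not random


def validate_slot_id(module, slot_id):
    """True if slot_id is in the module's slot list (0 is a legal id).

    This is the check a caller should make instead of asserting slot_id >= 1.
    """
    rv, slots = module.C_GetSlotList()
    return rv == CKR_OK and slot_id in slots


def get_random(module, slot_id, n):
    """Get n random bytes, using the token only when it advertises CKF_RNG.

    Returns (source, data) with source "token" or "os". Any failure of the
    token RNG (missing flag, error return, short read, bad slot) falls
    back to the OS CSPRNG, which is what pam_pkcs11's non-NSS path does.
    """
    rv, info = module.C_GetTokenInfo(slot_id)
    if rv == CKR_OK and info["flags"] & CKF_RNG:
        rv, data = module.C_GenerateRandom(n)
        if rv == CKR_OK and data is not None and len(data) == n:
            return "token", data
    return "os", os.urandom(n)


if __name__ == "__main__":
    # A SetCOS-like token: two slots, no CKF_RNG, GET CHALLENGE rejected.
    setcos_like = FakeModule({0: 0x0, 1: 0x0}, rng_works=False)
    print(validate_slot_id(setcos_like, 0))   # True: slot 0 is valid
    print(get_random(setcos_like, 1, 8)[0])   # os
    with_rng = FakeModule({0: CKF_RNG})
    print(get_random(with_rng, 0, 8)[0])      # token
```

The flag check is the same rule Andre's patch applies on the module side; doing it on the client side as well means a module that still exports C_GenerateRandom() for a token without an RNG cannot turn a failed APDU into a failed login.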
Andre Zepezauer
2010-08-26 14:05:45 UTC
One file was missing in the previous patch, which is now included.
Patrik Martinsson
2010-09-01 07:11:30 UTC
Hey again, (my last message seems to have been discarded somehow)

Martin,
I tried the same setup with the open ccid driver and I'm posting my logs
here.

I got the same result as earlier, however the following line is not present
anymore:
reader-pcsc.c:284:refresh_attributes: OMNIKEY CardMan 3x21 00 00:SCardGetStatusChange failed: 0x80100003

ccid-1.3.9-3.el6.x86_64
pcsc-lite-1.5.2-5.el6.x86_64
pcsc-lite-libs-1.5.2-5.el6.x86_64

Any ideas what could be wrong ?

/Patrik Martinsson,
Sweden.
Jean-Michel Pouré - GOOZE
2010-09-01 07:29:54 UTC
Post by Patrik Martinsson
I got the same result as earlier, however the following line is not present
anymore:
reader-pcsc.c:284:refresh_attributes: OMNIKEY CardMan 3x21 00 00:SCardGetStatusChange failed: 0x80100003
Make sure you don't compile OpenCT, or do not enable it. When OpenCT is
enabled, there is a chance that it opens a connection with the card and
locks access. This is one reason why OpenCT should be integrated as an
ifhandler in libccid.

Read:
http://www.gooze.eu/howto/smartcard-quickstarter-guide/known-issues
--
Jean-Michel Pouré - Gooze - http://www.gooze.eu
Patrik Martinsson
2010-09-01 08:06:26 UTC
Hmm, yes I hear you,

I've no openct packages installed, and in my opensc.conf there is only
the pcsc driver enabled; is there some other way to disable it that I
don't know of?
reader_drivers = pcsc;

These lines indicate that something is wrong, don't they? How can I
debug this?
0x7fb5c06507c0 10:04:06.850 [opensc-pkcs11] reader-pcsc.c:1139:pcsc_wait_for_event: return allocated 'reader states'
0x7fb5c06507c0 10:04:06.850 [opensc-pkcs11] reader-pcsc.c:1143:pcsc_wait_for_event: returning with: -1112
0x7fb5c06507c0 10:04:06.850 [opensc-pkcs11] pkcs11-global.c:664:C_WaitForSlotEvent: sc_wait_for_event() returned -1112
0x7f79065f07c0 09:59:44.216 [opensc-pkcs11] misc.c:59:sc_to_cryptoki_error_common: opensc error: Timeout while waiting for event from card reader (-1112)


/Patrik Martinsson,
Sweden.
Jean-Michel Pouré - GOOZE
2010-09-01 08:25:08 UTC
Post by Patrik Martinsson
I've no openct packages installed, and in my opensc.conf there is only
the pcsc driver enabled; is there some other way to disable it that I
don't know of?
reader_drivers = pcsc;
These settings should suffice.

Another possibility is a PKCS#11 application having access to your card.
This is the case of some applications. Usually, I put lock_login =
false;

When using Gnome for example, Iceweasel, evolution and seahorse can have
simultaneous access, which may throw an error at some point.

Setting lock_login = false is less secure, but it avoids locking.

Your problem probably lies somewhere else. Use a recent and supported
smartcard and this should be okay.

Kind regards,
--
Jean-Michel Pouré - Gooze - http://www.gooze.eu
Patrik Martinsson
2010-09-01 08:58:15 UTC
Post by Jean-Michel Pouré - GOOZE
Post by Jean-Michel Pouré - GOOZE
These settings should suffice.
Ok, cool.
Post by Jean-Michel Pouré - GOOZE
Post by Jean-Michel Pouré - GOOZE
When using Gnome for example, Iceweasel, evolution and seahorse can have simultaneous access, which may throw an error at some point.
Hmm, I don't have anything else running on the computer at this time.
Post by Jean-Michel Pouré - GOOZE
Post by Jean-Michel Pouré - GOOZE
Your problem probably lies somewhere else. Use a recent and supported smartcard and this should be okay.
Yeah, well unfortunately I cannot make this happen, since my company bought these cards for all the employees (+500).

I'm putting my faith in this mailing-list.. :)

/Patrik Martinsson,
Sweden.
Martin Paljak
2010-09-01 09:41:07 UTC
Post by Jean-Michel Pouré - GOOZE
Post by Patrik Martinsson
I've no openct packages installed, and in my opensc.conf there is only
the pcsc driver enabled; is there some other way to disable it that I
don't know of?
reader_drivers = pcsc;
These settings should suffice.
Another possibility is a PKCS#11 application having access to your card.
This is the case of some applications. Usually, I put lock_login =
false;
OpenSC 0.12.0-svn has lock_login = false by default, also written in the log file (lock_login=0):

0x7ffd4bc067c0 16:23:28.457 [opensc-pkcs11] misc.c:325:load_pkcs11_parameters: PKCS#11 options: plug_and_play=1 max_virtual_slots=16 slots_per_card=4 hide_empty_tokens=1 lock_login=0 pin_unblock_style=0 zero_ckaid_for_ca_certs=0
--
Martin Paljak
@martinpaljak.net
+3725156495
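Pulling together the opensc.conf settings this thread touches (Martin's request for debug 9 with an output file, Patrik's pcsc-only reader_drivers, and lock_login as discussed by Jean-Michel and Martin), here is an added example fragment. It is not Patrik's attached config nor an OpenSC-shipped file; the section and key names are the ones used by the OpenSC 0.11/0.12 opensc.conf format as far as I know them, and the log path is an assumption.

```conf
# Added example opensc.conf fragment, not the page's own file.
# Section/key names per the OpenSC 0.11/0.12 config format; the
# debug_file path is an assumed placeholder.
app default {
    # "very high" debug, everything in one file, as requested for the
    # failing pkcs11_eventmgr case. Scrub PIN lines before posting.
    debug = 9;
    debug_file = "/tmp/opensc-debug.log";

    # Only the PC/SC reader driver: no OpenCT, no CT-API.
    reader_drivers = pcsc;
}

app opensc-pkcs11 {
    pkcs11 {
        # lock_login = true keeps an exclusive lock on the card for the
        # whole session, so a second PKCS#11 application gets errors.
        # false is the 0.12.0-svn default (lock_login=0 in the log above).
        lock_login = false;
    }
}
```

Keep the debug settings to a test box: with lock_login = false any local process that can load opensc-pkcs11.so can talk to an inserted card, and the debug log records every APDU, so treat the file like the card's PIN until it has been scrubbed.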
Jean-Michel Pouré
2010-09-01 08:34:16 UTC
When using Gnome for example, Iceweasel, evolution and seahorse can have
simultaneous access, which may throw an error at some point.

Just for information, a nice project would be to participate
in Gnome-Keyring to have good support for PKCS#11 and let Gnome-Keyring manage
security based on smartcards.

Kind regards,
--
Jean-Michel Pouré - Gooze - http://www.gooze.eu
Patrik Martinsson
2010-09-01 09:12:06 UTC
Post by Jean-Michel Pouré - GOOZE
When using Gnome for example, Iceweasel, evolution and seahorse can have
simultaneous access, which may throw an error at some point.
Just for information, a nice project would be to participate
in Gnome-Keyring to have good support for PKCS#11 and let Gnome-Keyring manage
security based on smartcards.
Yeah, i would love that, however my programming skills are limited, and
my smart-card skills even more.

I would like to see a couple of things on the smart-card side when it
comes to Linux though,

1. Support for integrated readers (like the ones in HP's laptops,
6930p/8440p etc.); I guess the hardware manufacturers are the only ones
that could change this.
2. Support by gdm/screensaver/or any application actually that uses
pkcs11, to handle locked cards. (I think if the card is locked you
should get the possibility to unlock it with your PUK; I don't know why
this is not possible today?)
3. Support for NM to handle pkcs11 tokens when authenticating to 802.1X
wireless networks.

I guess 2 and 3 are application-specific rather than opensc, however I
thought I would share my two cents.

/Patrik Martinsson,
Sweden.
Martin Paljak
2010-09-01 09:55:54 UTC
Hello,
Post by Patrik Martinsson
1. Support for integrated readers (like the ones in HP's laptops,
6930p/8440p etc.); I guess the hardware manufacturers are the only ones
that could change this.
Only if they integrate standard CCID readers directly to the USB bus. Unfortunately they use integrated chips that do "secure digital" and "smart card". Some Linux tutorials in the wild, that talk about OpenSC, direct people to memory card reader listings (where, indeed, some chips support smart cards but AFAIK only on Windows) instead of libccid's extensive list...
Post by Patrik Martinsson
2. Support by gdm/screensaver/or any application actually that uses
pkcs11, to handle locked cards. (I think if the card is locked you
should get the possibility to unlock it with your PUK; I don't know why
this is not possible today?)
Why should a screensaver handle locked cards? Unlocking PINs via PKCS#11 is somewhat tricky/impossible. I can understand that, for usability, if you have a single workstation and you get locked out of your computer, how else could you unlock your card. But from a security perspective handling a locked token as a dysfunctional token is OK. Depending on the setup, maybe you need to talk to a security officer to get your card unlocked or do a more complicated (remote) unlock procedure.

PKCS#11 only provides C_SetPIN which is meant to change the PIN code of the current user.
Post by Patrik Martinsson
3. Support for NM to handle pkcs11 tokens when authenticating to 802.1X
wireless networks.
wpa_supplicant, which NetworkManager uses, should support PKCS#11, but apparently the functionality is not important enough to be exposed via the GUI.
Post by Patrik Martinsson
I guess 2 and 3 are application-specific rather than opensc, however I
thought I would share my two cents.
OpenSC can use any smart card reader that has a functioning driver in either pcsc-lite (preferred), OpenCT (might exist for exotic devices on Linux) or CT-API (you'll probably not find them).

To collect such wishlist items, I created a small wiki page [1] for things that would really be nice to have one day, but what are not realistic or are not actionable enough to create a ticket at this current moment. Feel free to update it.

[1] http://www.opensc-project.org/opensc/wiki/WishList
--
Martin Paljak
@martinpaljak.net
+3725156495
Patrik Martinsson
2010-09-01 10:58:22 UTC
About gdm, screensaver etc.

Yes, I know it's possible to lock the screen at removals and poke the
screensaver at insertions; my suggestion was the ability to unlock the
PIN on the card at those times (e.g. entered wrong PIN x number of times
and PIN gets locked).
Whether this is a good security practice or not I leave unsaid, I can
only compare to our Windows users who get the possibility to unlock
their PIN through their PUK when they insert a card and its PIN is
locked. (Whether it's at logon or at the screensaver doesn't matter,
they use a third party software for this and maybe this behavior is bad,
however that's what I was comparing against.)
As a Linux user today at our company you need to find a Windows computer
or go to our helpdesk to get your card unlocked, you also need to call
the helpdesk to get your PUK.
I guess what I'm asking for is a simple way for the user to understand
that their card is locked, e.g. telling the user that the 'card is
locked' instead of 'logon failure' as it is today. But again, maybe this
is not possible, or maybe this is application specific rather than opensc.
Post by Martin Paljak
Post by Martin Paljak
Only if they integrate standard CCID readers directly to the USB
bus. Unfortunately they use integrated chips that do "secure digital"
and "smart card". Some Linux tutorials in the wild, that talk about
OpenSC, direct people to memory card reader listings (where, indeed,
some chips support smart cards but AFAIK only on Windows) instead of
libccid's extensive list...

Yep, I was actually talking about one of those chips, R5C822 (http://www.ricoh.com/LSI/product_pcif/pcc/5c821/index.html). According to the homepage the chip is discontinued, however HP still delivers them in their brand new models, 8440p for example, god knows why. Is there any chance that we would see some support for these chipsets under Linux?
Post by Martin Paljak
Post by Martin Paljak
wpa_supplicant, which NetworkManager uses, should support PKCS#11,
but apparently the functionality is not important enough to be exposed
via the GUI.
Exactly, we got this working with wpa_supplicant, however it would be
gold for the users if they simply could connect through NM with this
type of security. I've seen some patches around this at Ubuntu's
launchpad,
https://bugs.launchpad.net/ubuntu/+source/network-manager/+bug/120363,
unfortunately I didn't get this working.
Post by Martin Paljak
Post by Martin Paljak
Check the logs. OpenCT has nothing to do with it. The culprit, failing C_WaitForSlotEvent and pcsc_wait_for_event, has been identified a few e-mails back. reader-pcsc.c needs fixing for a) card re-insertion detection b) event waiting.
Hmm yes, I've checked the logs, and if I understand you correctly, it's a pcsc-lite issue? So I should take it to their mailing list instead?

/Patrik Martinsson,
Sweden
Martin Paljak
2010-09-01 11:17:41 UTC
Hello,
As a Linux user today at our company you need to find a Windows computer or go to our helpdesk to get your card unlocked, you also need to call the helpdesk to get your PUK.
I guess what I'm asking for is a simple way for the user to understand that their card is locked, e.g. telling the user that the 'card is locked' instead of 'logon failure' as it is today. But again, maybe this is not possible, or maybe this is application specific rather than opensc.
That can be improved in gdm/screensaver. OpenSC returns CKF_USER_PIN_LOCKED after a PIN entry try if the method got blocked. Even NSS/Firefox used to ignore this return code for a long time and as a result asked for a PIN 3 times (hardcoded apparently) even if the PIN was already locked. That got fixed lately, don't know when it will arrive in Firefox though. Also see ticket #250, for further flags to check for usability (e.g. "This will be your final PIN try, failing this will block your PIN" message).
Only if they integrate standard CCID readers directly to the USB bus. Unfortunately they use integrated chips that do "secure digital" and "smart card". Some Linux tutorials in the wild, that talk about OpenSC, direct people to memory card reader listings (where, indeed, some chips support smart cards but AFAIK only on Windows) instead of libccid's extensive list...
Yep, I was actually talking about one of those chips, R5C822 (http://www.ricoh.com/LSI/product_pcif/pcc/5c821/index.html). According to the homepage the chip is discontinued, however HP still delivers them in their brand new models, 8440p for example, god knows why. Is there any chance that we would see some support for these chipsets under Linux?
This has been discussed before [2] on MUSCLE mailing list. I doubt it will happen [3].
Check the logs. OpenCT has nothing to do with it. The culprit, failing C_WaitForSlotEvent and pcsc_wait_for_event, has been identified a few e-mails back. reader-pcsc.c needs fixing for a) card re-insertion detection b) event waiting.
Hmm yes, I've checked the logs, and if I understand you correctly, it's a pcsc-lite issue? So I should take it to their mailing list instead?
No, it is a bug in OpenSC pcsc driver. Just wanted to draw the attention to the fact that it has nothing to do with Open*CT*.


[1] http://www.opensc-project.org/opensc/ticket/250
[2] http://lists.drizzle.com/pipermail/muscle/2009-December/008009.html
[3] http://lists.drizzle.com/pipermail/muscle/2009-December/008013.html
--
Martin Paljak
@martinpaljak.net
+3725156495
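Martin's point that a login screen can tell "card is locked" from "logon failure" by reading the token flags, and that a client should stop prompting once CKF_USER_PIN_LOCKED is set rather than asking three times, is shown in the added Python below. It is an example written for this thread, not gdm, NSS or OpenSC code: the CKF_USER_PIN_* and CKR_PIN_* values are the real PKCS#11 v2.20 constants from pkcs11t.h, while FakeToken (a constructed card with a three-try PIN counter) and the login loop are assumptions for the example.

```python
"""Turning PKCS#11 PIN flags into user-facing state before prompting.

Flag and return values are PKCS#11 v2.20 constants from pkcs11t.h.
FakeToken and login() are constructed for this example; they are not
gdm, NSS or OpenSC code.
"""

# CK_TOKEN_INFO.flags bits that describe the user PIN, from pkcs11t.h.
CKF_USER_PIN_COUNT_LOW = 0x00010000     # an incorrect PIN has been entered
CKF_USER_PIN_FINAL_TRY = 0x00020000     # the next wrong PIN will lock it
CKF_USER_PIN_LOCKED = 0x00040000        # PIN locked; needs PUK/SO to unlock
CKF_USER_PIN_TO_BE_CHANGED = 0x00080000

# CK_RV values, from pkcs11t.h.
CKR_OK = 0x00000000
CKR_PIN_INCORRECT = 0x000000A0
CKR_PIN_LOCKED = 0x000000A4


def pin_status_message(flags):
    """Message a login screen should show for the given token flags."""
    if flags & CKF_USER_PIN_LOCKED:
        return "Card is locked: the PIN must be unlocked with the PUK before you can log in."
    if flags & CKF_USER_PIN_FINAL_TRY:
        return "Warning: this is your final PIN try; another wrong PIN will lock the card."
    if flags & CKF_USER_PIN_COUNT_LOW:
        return "Warning: a previous PIN entry was wrong."
    if flags & CKF_USER_PIN_TO_BE_CHANGED:
        return "Your PIN must be changed before use."
    return ""


class FakeToken:
    """Constructed token with a retry counter that updates its flags like a card."""

    def __init__(self, pin, tries=3):
        self._pin = pin
        self._max = tries
        self._tries_left = tries

    @property
    def flags(self):
        if self._tries_left == 0:
            return CKF_USER_PIN_LOCKED
        if self._tries_left == 1:
            return CKF_USER_PIN_COUNT_LOW | CKF_USER_PIN_FINAL_TRY
        if self._tries_left < self._max:
            return CKF_USER_PIN_COUNT_LOW
        return 0

    def C_Login(self, pin):
        if self._tries_left == 0:
            return CKR_PIN_LOCKED
        if pin == self._pin:
            self._tries_left = self._max
            return CKR_OK
        self._tries_left -= 1
        return CKR_PIN_LOCKED if self._tries_left == 0 else CKR_PIN_INCORRECT


def login(token, prompt, max_prompts=3):
    """Prompt for the PIN until success, lock, or max_prompts.

    Returns (outcome, messages). The flags are read before every prompt,
    so a card that is already locked is never asked for a PIN at all,
    and the final-try warning is shown before the try that would lock it.
    """
    messages = []
    for _ in range(max_prompts):
        status = pin_status_message(token.flags)
        if token.flags & CKF_USER_PIN_LOCKED:
            messages.append(status)
            return "locked", messages
        if status:
            messages.append(status)
        rv = token.C_Login(prompt())
        if rv == CKR_OK:
            return "ok", messages
        if rv == CKR_PIN_LOCKED:
            messages.append(pin_status_message(token.flags))
            return "locked", messages
    return "gave-up", messages


if __name__ == "__main__":
    tok = FakeToken("1234")
    print(login(tok, lambda: "0000"))   # wrong PIN three times: ('locked', [...])
    print(login(tok, lambda: "1234"))   # already locked: no prompt, ('locked', [...])
```

The prompt callback is where gdm or a screensaver would put its PIN dialog; the point is that the decision to prompt, and the text around the prompt, come from C_GetTokenInfo flags rather than from a hardcoded retry count.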
Peter Stuge
2010-09-01 17:03:36 UTC
Post by Martin Paljak
Post by Patrik Martinsson
R5C822 (http://www.ricoh.com/LSI/product_pcif/pcc/5c821/index.html).
According to the homepage the chip is discontinued however HP
still delivers them in their brand new models, 8440p for example,
god knows why. Is there any chance that we would see some support
on these chipsets under Linux ?
This has been discussed before [2] on MUSCLE mailing list. I doubt it will happen [3].
Unfortunately I'd say you are quite right, Martin.

HP do not make the computers they sell. There's a small group of
companies called ODMs, Original Design Manufacturer, typically in
Taiwan, which design and manufacture pretty much all consumer
electronics today.

The ODMs have the documentation for the chips, but they have
typically signed absurdly strict NDAs with the chip makers. Some chip
makers welcome the open source community and try to help them out,
others run away screaming. (Or decline politely.)

Unless the chip vendor wants to help, be it officially, or
unofficially, through some side channel, then reverse engineering is
the only way to get a device supported, but that requires tremendous
amounts of work, it can't really be justified economically by 500
users, or even 5000. :\

The (not-so-)quick fix would be in procurement. An open source aware
organization must factor software support into purchasing decisions,
maybe together with the group(s) which create technical requirements
in the organization, so the relevant pieces of hardware can be
ignored.

The purchasing task is hard, specifically because of the gap between
OEMs (HP, Lenovo, Dell, etc) and ODMs. There's maybe a handful of
people at HP worldwide who really know the details of components in
the systems they sell. There is no channel from consumers with a clue
to peers within the very long production chain for the products we
hold in our hands.


//Peter
Patrik Martinsson
2010-09-02 07:53:30 UTC
Permalink
Thanks for the info Peter, well explained !

I laughed to myself when I read this part,
Post by Peter Stuge
There's maybe a handful of people at HP worldwide who really know
the details of components in the systems they sell.
I can only confirm this, I've called HP several times about the
smartcard-reader in our laptops (6930/6910/8440) and they have no idea
what I'm talking about.

All this is a shame though.
We actually need to buy pcmcia/expresscard-readers for all our Linux
users to get their laptops working.
Even though that may be a relatively small cost, it's a stupid and
unnecessary cost in my opinion.

/Patrik Martinsson,
Sweden.
_______________________________________________
opensc-devel mailing list
http://www.opensc-project.org/mailman/listinfo/opensc-devel
Peter Stuge
2010-09-02 20:51:59 UTC
Permalink
Post by Patrik Martinsson
We actually need to buy pcmcia/expresscard-readers for all our
Linux users to get their laptops working.
Make sure to go for ExpressCard. PCMCIA chips are on par with PCI
chips, there are no docs and also no good API.

Buy a few different ExpressCard readers and test. ExpressCard is bog
standard PCI-Express x1 and USB 2.0. PCIe bandwidth isn't needed for
a smart card reader, so ExpressCard readers should be CCID USB
devices. As was mentioned, those are good/the best readers for open
source systems.

http://www.dustin.se/pd_5010134353.aspx
http://www.dustin.se/pd_5010373434.aspx

Sadly not in stock at Dustin. You could also try ordering from
Gemalto:

http://boutique.gemalto.com/boutique/GEMALTO-B2CCORP-Site/-/Pc-Express-Reader/pdu-WFS-en_US-EUR-wrAKAwOEefAAAAEizsko8Cyo-PqMKAwOE0S8AAAElGeseUAux;pgid=mvVSSnc0o4FSR0IaStIrwgc40000sVsxXoue;sid=7n-X4f3aWmd08LFa5zLM4_7QFv5sbsBbN2yqYCTJ0_5O8g==?JumpTo=OfferList&ParcoursTracking=.Cat.2CATALOGBIS

Gemalto says this is "USB Microsoft CCID" (sheesh, as if
Microsoft would be significant there) and the Omnikey one is supposed
to support Linux, according to Dustin. I bet they're both standard
CCID readers.
Post by Patrik Martinsson
Even though that may be a relatively small cost, it's a stupid and
unnecessary cost in my opinion.
Completely agreed.


//Peter
Ludovic Rousseau
2010-09-03 08:22:03 UTC
Permalink
Post by Peter Stuge
Post by Patrik Martinsson
We actually need to buy pcmcia/expresscard-readers for all our
Linux users to get their laptops working.
Make sure to go for ExpressCard. PCMCIA chips are on par with PCI
chips, there are no docs and also no good API.
The first 3 readers of [1] are ExpressCard readers. They are seen as
CCID USB readers and should work with my CCID driver.
Maybe you should avoid the OmniKey one. See the note column about it.

Bye

[1] http://pcsclite.alioth.debian.org/features.html
--
 Dr. Ludovic Rousseau
Peter Stuge
2010-09-04 00:17:32 UTC
Permalink
Post by Ludovic Rousseau
The first 3 readers of [1] are ExpressCard readers. They are seen
as CCID USB readers and should work with my CCID driver.
[1] http://pcsclite.alioth.debian.org/features.html
Thanks for the confirmation!
Post by Ludovic Rousseau
Maybe you should avoid the OmniKey one. See the note column about it.
Too bad. Then I personally think that the SCR3340 looks best.


//Peter

Patrik Martinsson
2010-09-02 08:32:16 UTC
Permalink
Hello again,
Post by Martin Paljak
That can be improved in gdm/screensaver. OpenSC returns CKF_USER_PIN_LOCKED after a PIN entry try if the method got blocked. Even NSS/Firefox used to ignore this return code for a long time and as a result asked for a PIN 3 times (hardcoded apparently) even if the PIN was already locked. That got fixed lately, don't know when it will arrive in Firefox though. Also see ticket #250, for further flags to check for usability (e.g. "This will be your final PIN try, failing this will block your PIN" message).
Ok, sounds good. I don't know if I got this right, but is this the "workflow" of how an authentication basically works with PKCS#11 with NSS enabled?

login(gdm/screensaver/whatever) => pam_pkcs11 => nss => opensc => pcscdriver => pcscd

So opensc returns "whatever" to nss and nss returns "whatever" to what's calling it?
Is this the return codes from nss we are talking about, http://www.mozilla.org/projects/security/pki/nss/ref/ssl/sslerr.html#1039257? I can't really see anything about a blocked PIN or similar. (Maybe they haven't updated it yet.)
And as long as nss doesn't return "whatever" opensc returns, it's impossible for pam_pkcs11 to tell the calling application the "correct" return code?

I'm asking all this out of curiosity so I can get the basic understanding of what I'm talking about....
Post by Martin Paljak
No, it is a bug in OpenSC pcsc driver. Just wanted to draw the attention to the fact that it has nothing to do with Open*CT*.
Ok, cool. Is there anything I can debug to help us out here? I would really like to get this working and I'm willing to spend a lot of time on it to get there, I just need some info on how to go further.

/Patrik Martinsson,
Sweden.
Post by Martin Paljak
Hello,
As a Linux user today at our company you need to find a Windows computer or go to our helpdesk to get your card unlocked, you also need to call the helpdesk to get your puk.
I guess what I'm asking for is a simple way for the user to understand that their card is locked, eg. telling the user that the 'card is locked' instead of 'logon failure' as it is today. But again, maybe this is not possible, or maybe this is applications specific rather then opensc.
That can be improved in gdm/screensaver. OpenSC returns CKF_USER_PIN_LOCKED after a PIN entry try if the method got blocked. Even NSS/Firefox used to ignore this return code for a long time and as a result asked for a PIN 3 times (hardcoded apparently) even if the PIN was already locked. That got fixed lately, don't know when it will arrive in Firefox though. Also see ticket #250, for further flags to check for usability (e.g. "This will be your final PIN try, failing this will block your PIN" message).
Only if they integrate standard CCID readers directly to the USB bus. Unfortunately they use integrated chips that do "secure digital" and "smart card". Some Linux tutorials in the wild, that talk about OpenSC, direct people to memory card reader listings (where, indeed, some chips support smart cards but AFAIK only on Windows) instead of libccid's extensive list...
Yep, I was actually talking about one of those chips, R5C822 (http://www.ricoh.com/LSI/product_pcif/pcc/5c821/index.html). According to the homepage the chip is discontinued, however HP still delivers them in their brand-new models, the 8440p for example, god knows why. Is there any chance that we would see some support for these chipsets under Linux?
This has been discussed before [2] on MUSCLE mailing list. I doubt it will happen [3].
Check the logs. OpenCT has nothing to do with it. The culprit, failing C_WaitForSlotEvent and pcsc_wait_for_event, has been identified a few e-mails back. reader-pcsc.c needs fixing for a) card re-insertion detection b) event waiting.
Hmm yes, I've checked the logs, and if I understand you correctly, it's a pcsc-lite issue? So I should take it to their mailing list instead?
No, it is a bug in OpenSC pcsc driver. Just wanted to draw the attention to the fact that it has nothing to do with Open*CT*.
[1] http://www.opensc-project.org/opensc/ticket/250
[2] http://lists.drizzle.com/pipermail/muscle/2009-December/008009.html
[3] http://lists.drizzle.com/pipermail/muscle/2009-December/008013.html
Martin Paljak
2010-09-02 09:01:59 UTC
Permalink
Hello,
Post by Patrik Martinsson
Hello again,
That can be improved in gdm/screensaver. OpenSC returns CKF_USER_PIN_LOCKED after a PIN entry try if the method got blocked. Even NSS/Firefox used to ignore this return code for a long time and as a result asked for a PIN 3 times (hardcoded apparently) even if the PIN was already locked. That got fixed lately, don't know when it will arrive in Firefox though. Also see ticket #250, for further flags to check for usability (e.g. "This will be your final PIN try, failing this will block your PIN" message).
Ok, sounds good. I don't know if I got this right, but is this the "workflow" of how an authentication basically works with PKCS#11 with NSS enabled?
login(gdm/screensaver/whatever) => pam_pkcs11 => nss => opensc => pcscdriver => pcscd
Yes, it should look like this.

Bugzilla bugs:

https://bugzilla.mozilla.org/show_bug.cgi?id=506939
https://bugzilla.mozilla.org/show_bug.cgi?id=506965

Unfortunately, bugzilla has removed the "my votes" feature which I used to keep track of interesting issues and the user interface is soo sloow and complicated that I'm not able to find the more detailed reports. Feel free to surf bugzilla yourself for the exact status of the issues.
Post by Patrik Martinsson
No, it is a bug in OpenSC pcsc driver. Just wanted to draw the attention to the fact that it has nothing to do with Open*CT*.
Ok, cool. Is there anything I can debug to help us out here? I would really like to get this working and I'm willing to spend a lot of time on it to get there, I just need some info on how to go further.
Not much, except for trying the patch when it's ready. I'm fixing it after the initial changes to #216, with the exception of adding "disappearing slots" to the hotplugging PKCS#11 module, if it works with NSS.
It might get ready soon (this week)
--
Martin Paljak
@martinpaljak.net
+3725156495
Jean-Michel Pouré - GOOZE
2010-09-01 12:26:41 UTC
Permalink
Post by Martin Paljak
Post by Martin Paljak
wpa_supplicant, which NetworkManager uses, should support
PKCS#11,
but apparently the functionality is not important enough to be
exposed
via the GUI.
Exactly, we got this working with wpa_supplicant, however it would be
gold for the users if they simply could connect through NM with this
type of security. I've seen some patches around this at Ubuntu's
launchpad,
https://bugs.launchpad.net/ubuntu/+source/network-manager/+bug/120363,
unfortunately I didn't get this working.
This is a very cool feature that I was not aware of. And it seems
reasonable!

The place to discuss network manager smartcard features is probably the
project page http://projects.gnome.org/NetworkManager/

I registered the Gnome mailing list to discuss this feature.

Thanks.
--
Jean-Michel Pouré - Gooze - http://www.gooze.eu
Jean-Michel Pouré - GOOZE
2010-09-01 10:28:17 UTC
Permalink
Post by Patrik Martinsson
2. Support by gdm/screensaver/or any application actually that uses
pkcs11, to handle locked cards. (I think if the card is locked you
should get the possibility to unlock it with your puk, I don't know why
this is not possible today ? )
Locking gdm screen is possible. A user sent me the solution:

pkcs11_eventmgr {

# Run in background? Implies debug=false if true
daemon = true;

# show debug messages?
debug = false;

# polling time in seconds
polling_time = 1;

# expire time in seconds
# default = 0 ( no expire )
expire_time = 0;

# pkcs11 module to use
pkcs11_module = /usr/lib/opensc-pkcs11.so;

#
# list of events and actions

# Card inserted
event card_insert {
# what to do if an action fail?
# ignore : continue to next action
# return : end action sequence
# quit : end program
on_error = ignore ;

# You can enter several, comma-separated action entries
# they will be executed in turn
action = "gnome-screensaver-command --poke";
}

# Card has been removed
event card_remove {
on_error = ignore;
action = "gnome-screensaver-command --lock";
}

# Too much time card removed
event expire_time {
on_error = ignore;
action = "/bin/false";
}
}
Post by Patrik Martinsson
3. Support for NM to handle pkcs11 tokens when authenticating to 802x
wireless networks.
This can be done using a FreeRadius server and LDAP. You authenticate to
LDAP using a smartcard, and the wireless access point (AP) should
authenticate to the FreeRadius server. But this only works on your local
wireless network. And you need a Freeradius compatible AP. Some very
cheap Linux-based AP are available today.

I am not aware of a solution which would keep your WEP keys directly on
smartcard.

Gnome and gnome-keyring + seahorse are able to store the wireless keys
securely. You connect to Gnome using a smartcard and this unlocks the
wireless keys. In most cases, this is sufficient.

You may read these tutorials:
http://www.gooze.eu/howto/gnu-linux-smartcard-logon-using-pam-p11
http://www.gooze.eu/howto/gnu-linux-smartcard-logon-using-pam-pkcs11

After connection to Gnome using PAM, this should unlock the wireless
keys.

Kind regards,
--
Jean-Michel Pouré - Gooze - http://www.gooze.eu
Martin Paljak
2010-09-01 10:37:22 UTC
Permalink
On Sep 1, 2010, at 1:28 PM, Jean-Michel Pouré - GOOZE wrote:
Hello,
Post by Jean-Michel Pouré - GOOZE
Post by Patrik Martinsson
2. Support by gdm/screensaver/or any application actually that uses
pkcs11, to handle locked cards. (I think if the card is locked you
should get the possibility to unlock it with your puk, I don't know why
this is not possible today ? )
Locking gdm screen is possible.
GDM/screensaver handling locked cards (with a blocked PIN code) by supporting unlocking them with a PUK code is not the same as locking gdm screen when a card is removed.
Post by Jean-Michel Pouré - GOOZE
Post by Patrik Martinsson
3. Support for NM to handle pkcs11 tokens when authenticating to 802x
wireless networks.
I am not aware of a solution which would keep your WEP keys directly on
smartcard.
Why mix WEP (a totally broken crypto system) with smart cards (still pretty good protection for good crypto keys, if properly implemented) ??

There is EAP-TLS purely on a smart card prototype [1].

Smart card authentication usually means using the keys on the card, not storing plaintext keys to the card.

[1] http://perso.telecom-paristech.fr/~urien/openeapsmartcard/
--
Martin Paljak
@martinpaljak.net
+3725156495
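Taking Patrik's remark earlier in the thread that the 802.1X part already works with wpa_supplicant, and Martin's point that smart card authentication means using the key on the card rather than storing a wireless key on it: the wpa_supplicant side of EAP-TLS through opensc-pkcs11.so looks like the following. This is an added example configuration, not from the thread and not a project's own file; the paths, SSID, identity and the `id_45` key/certificate IDs are assumptions (list the real ones with `pkcs15-tool --list-keys` and `pkcs15-tool --list-certificates`, and note that the key_id syntax differs between engine_pkcs11 versions).

```conf
# /etc/wpa_supplicant/wpa_supplicant.conf (added example, values assumed)
ctrl_interface=/var/run/wpa_supplicant
# OpenSSL PKCS#11 engine and the OpenSC module it loads
pkcs11_engine_path=/usr/lib/engines/engine_pkcs11.so
pkcs11_module_path=/usr/lib/opensc-pkcs11.so

network={
	ssid="corp-wlan"
	key_mgmt=WPA-EAP
	eap=TLS
	identity="user@example.com"
	ca_cert="/etc/cert/ca.pem"
	# private key and client certificate stay on the card
	engine=1
	engine_id="pkcs11"
	key_id="id_45"
	cert_id="id_45"
	# No pin= line on purpose: wpa_supplicant then asks for it over the
	# control interface (wpa_cli / wpa_gui / NetworkManager), so the PIN
	# is never written to a file. If you do add pin="...", keep the file
	# root-owned, mode 0600.
}
```

Since the private key never leaves the card, a stolen laptop image yields the certificate but not the credential; the PIN is the only secret that could leak from the host, which is why it is better prompted for than stored.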
Martin Paljak
2010-09-01 09:39:40 UTC
Permalink
Post by Jean-Michel Pouré - GOOZE
Post by Patrik Martinsson
I got the same result as earlier, however following line is not present
anymore....
reader-pcsc.c:284:refresh_attributes: OMNIKEY CardMan 3x21 00
00:SCardGetStatusChange failed: 0x80100003
Make sure you don't compile OpenCT or do not enable it. When OpenCT is
enabled, there is a chance that it opens connection with the card and
locks access. This is one reason why OpenCT should be integrated as a
ifhandler in libccid.
Check the logs. OpenCT has nothing to do with it. The culprit, failing C_WaitForSlotEvent and pcsc_wait_for_event, has been identified a few e-mails back. reader-pcsc.c needs fixing for a) card re-insertion detection b) event waiting.
--
Martin Paljak
@martinpaljak.net
+3725156495