On Tue, Jan 25, 2011 at 10:04:48PM +0100, Alain Knaff wrote:
> On 01/25/2011 08:15 PM, Lionel Elie Mamane wrote:
>> Try adding "--module=/opensc/prefix/lib/opensc-pkcs11.so".
> Indeed that works, thanks.
> Actually, I had already tried this earlier, but it took so long that
> I mistakenly believed it was hung...
> ... btw, is this long wait expected? I seem to understand that there
> is some caching functionality, maybe for me this is off for some
> reason?
Use of the cache is not enabled by default in the SVN version (some
distros seem to have it enabled by default in their packaged
versions), and in all versions it is never silently populated. So:
enable it in /opensc/prefix/etc/opensc.conf and run
pkcs15-tool -L
to populate it.
Then, things should be *much* faster indeed.
> Another strange thing:
> time /some/place/bin/pkcs11-tool --slot 1 --module=/some/place/lib/opensc-pkcs11.so -t -l
> Logging in to "GemP15-1 (User PIN)".
> Please enter User PIN:
> C_SeedRandom() and C_GenerateRandom():
> seeding (C_SeedRandom) not supported
> ERR: C_GenerateRandom failed: CKR_GENERAL_ERROR (0x5)
> Digests:
> all 4 digest functions seem to work
> MD5: OK
> SHA-1: OK
> RIPEMD160: OK
> Signatures (currently only RSA signatures)
> testing key 0 (User Cert Sig )
> error: PKCS11 function C_SignFinal failed: rv = CKR_USER_NOT_LOGGED_IN (0x101)
> Aborting.
> /some/place/bin/pkcs11-tool --slot 1 --module=/some/place/lib/opensc-pkcs11.s 0.01s user
> 0.04s system 0% cpu 24.305 total
> Why does it say CKR_USER_NOT_LOGGED_IN? My pin was correct;
It aborts when you try to use the signature key, which my driver is
unable to use: the card requires the command to be cryptographically
signed in some way I haven't cracked yet.
The error code given by the card is the same as if the PIN had not
been given, which explains the error message you get. The error code
is the one for "security status not satisfied", which can mean any of:
- no PIN given
- a PIN successfully given, but that PIN does not allow using that
key; a card can have several PINs that unlock the same or
different keys.
- the command needs to be cryptographically signed (our case)
- the data the card is asked to operate on is not formatted correctly
(e.g. wrong padding, not validly ASN.1 BER encoded, ...)
- possibly the card refuses to use that key with that algorithm
(e.g. with MD5)
I guess that PIN problems are by far the most common occurrence, at
least when the driver is complete and bug-free, so that very generic
error is mapped to the "the needed PIN has not been given" user-level
error. <shrug>
--
Lionel