CardContact / sc-hsm-embedded

PKCS#11 and CSP-Minidriver library for the SmartCard-HSM and STARCOS based signature cards
BSD 3-Clause "New" or "Revised" License
95 stars 31 forks

Porting the smart cards to opensc? #16

Closed. djtm closed this issue 7 years ago.

djtm commented 7 years ago

Do you think it might be possible to port the smart cards supported here (StarCos 3.5) to opensc? https://github.com/OpenSC/OpenSC/issues/1054

Thanks for considering

CardContact commented 7 years ago

Everything is possible. My question would be: why?

Those cards are read-only cards and would not benefit from a port to OpenSC.

djtm commented 7 years ago

Some software supports OpenSC better than this module; also, distributions ship with OpenSC, so compatibility.

CardContact commented 7 years ago

Can you share which software that is? I'd be interested to see a log from the module, which is enabled in the debug version if the directory /var/tmp/sc-hsm-embedded exists.

djtm commented 7 years ago

Command

p11tool --debug 9999 --provider /usr/local/lib/libsc-hsm-pkcs11.so --login --list-privkeys
Setting log level to 9999
|<2>| p11: Initializing module: /usr/local/lib/libsc-hsm-pkcs11.so
Debugging initialized ...
<hangs>

strace and library log attached. strace ends with:

stat("/etc/localtime", {st_mode=S_IFREG|0644, st_size=2335, ...}) = 0
write(5, "01.05.2017 09:27:12 SCardTransmit: Command successful.\n", 55) = 55
stat("/etc/localtime", {st_mode=S_IFREG|0644, st_size=2335, ...}) = 0
write(5, "01.05.2017 09:27:12 Function transmitAPDUviaPCSC completes with rc=2.\n", 70) = 70
stat("/etc/localtime", {st_mode=S_IFREG|0644, st_size=2335, ...}) = 0
write(5, "01.05.2017 09:27:12 R-APDU: rc=0 SW1/SW2=63C3\n", 46) = 46
stat("/etc/localtime", {st_mode=S_IFREG|0644, st_size=2335, ...}) = 0
write(5, "01.05.2017 09:27:12 Function starcosCheckPINStatus completes with rc=25539.\n", 76) = 76
stat("/etc/localtime", {st_mode=S_IFREG|0644, st_size=2335, ...}) = 0
write(5, "01.05.2017 09:27:12 Function createStarcosToken completes with rc=0.\n", 69) = 69
stat("/etc/localtime", {st_mode=S_IFREG|0644, st_size=2335, ...}) = 0
write(5, "01.05.2017 09:27:12 Function newDGNToken completes with rc=0.\n", 62) = 62
stat("/etc/localtime", {st_mode=S_IFREG|0644, st_size=2335, ...}) = 0
write(5, "01.05.2017 09:27:12 Function newToken completes with rc=0.\n", 59) = 59
stat("/etc/localtime", {st_mode=S_IFREG|0644, st_size=2335, ...}) = 0
write(5, "01.05.2017 09:27:12 Function checkForNewPCSCToken completes with rc=0.\n", 71) = 71
stat("/etc/localtime", {st_mode=S_IFREG|0644, st_size=2335, ...}) = 0
write(5, "01.05.2017 09:27:12 SCardFreeMemory: Command successful.\n", 57) = 57
stat("/etc/localtime", {st_mode=S_IFREG|0644, st_size=2335, ...}) = 0
write(5, "01.05.2017 09:27:12 Function updatePCSCSlots completes with rc=0.\n", 66) = 66
stat("/etc/localtime", {st_mode=S_IFREG|0644, st_size=2335, ...}) = 0
write(5, "01.05.2017 09:27:12 Function updateSlots completes with rc=0.\n", 62) = 62
stat("/etc/localtime", {st_mode=S_IFREG|0644, st_size=2335, ...}) = 0
write(5, "01.05.2017 09:27:12 Function getValidatedToken called.\n", 55) = 55
futex(0x1da8750, FUTEX_WAIT_PRIVATE, 2, NULL

pkcs11-8937.log.txt strace.log.txt
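The status word in the attached trace ("R-APDU: rc=0 SW1/SW2=63C3", which the library then reports as rc=25539, i.e. 0x63C3) is worth decoding when reading such a log. The following C program is an added example and not code from sc-hsm-embedded: it pulls SW1/SW2 out of a log line in the format shown above and interprets ISO 7816-4 status words, in particular the 63Cx warning whose low nibble carries the remaining PIN retry counter. The sample log lines are constructed from the excerpt above; the function names are the example's own.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example (not sc-hsm-embedded code): decode the SW1/SW2 status word
 * that the library log prints, e.g. "R-APDU: rc=0 SW1/SW2=63C3".
 * ISO 7816-4 defines 63Cx as a warning whose low nibble is a counter; cards
 * use it to report the remaining PIN tries after a VERIFY / PIN status check. */

/* Constructed sample lines, modelled on the log excerpt in this thread. */
static const char *const sample_lines[] = {
    "01.05.2017 09:27:12 SCardTransmit: Command successful.",
    "01.05.2017 09:27:12 R-APDU: rc=0 SW1/SW2=63C3",
    "01.05.2017 09:27:12 R-APDU: rc=0 SW1/SW2=9000",
    "01.05.2017 09:27:12 R-APDU: rc=0 SW1/SW2=6983",
};

/* Extract the 16-bit status word from a log line; returns -1 if the line has none. */
int parse_status_word(const char *line)
{
    const char *p = strstr(line, "SW1/SW2=");
    if (p == NULL)
        return -1;
    p += strlen("SW1/SW2=");
    char *end;
    long sw = strtol(p, &end, 16);
    if (end - p != 4 || sw < 0 || sw > 0xFFFF)   /* exactly four hex digits */
        return -1;
    return (int)sw;
}

/* Remaining PIN tries encoded in 63Cx, or -1 if the status word is not of that form. */
int pin_tries_remaining(int sw)
{
    if ((sw & 0xFFF0) != 0x63C0)
        return -1;
    return sw & 0x000F;
}

/* Short classification of the status words a PIN-related trace usually contains. */
const char *describe_status_word(int sw)
{
    if (sw == 0x9000)
        return "success";
    if ((sw & 0xFFF0) == 0x63C0)
        return "PIN warning: retry counter in low nibble";
    if (sw == 0x6983)
        return "authentication method blocked (PIN locked)";
    if (sw == 0x6982)
        return "security status not satisfied";
    if (sw == 0x6A82)
        return "file or application not found";
    return "other";
}

int main(void)
{
    for (size_t i = 0; i < sizeof sample_lines / sizeof sample_lines[0]; i++) {
        int sw = parse_status_word(sample_lines[i]);
        if (sw < 0)
            continue;                               /* not an R-APDU line */
        /* %d shows the same decimal value the library logs as rc= */
        printf("SW1/SW2=%04X (rc=%d): %s", sw, sw, describe_status_word(sw));
        if (pin_tries_remaining(sw) >= 0)
            printf(", %d PIN tries left", pin_tries_remaining(sw));
        putchar('\n');
    }
    return 0;
}
```

Read this way, the trace above shows the card reporting three PIN tries remaining during starcosCheckPINStatus, before any PIN was entered. A monitoring setup that tails this log can treat a descending sequence (63C2, 63C1) as failed verification attempts worth a look, and 6983 as the PIN having been blocked.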

CardContact commented 7 years ago

Turns out to be a deadlock when C_GetSlotList() is called with tokenPresent = true.

The tests in sc-hsm-pkcs11-test didn't catch it.

CardContact commented 7 years ago

There is also a bug in C_GetMechanismList() which does not return the length of the list if the required buffer size was not previously queried with pMechanismList set to NULL.

I will do more testing with p11tool and fix the bugs in the current development topic branch "genkey".
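Both findings above (the C_GetSlotList deadlock with tokenPresent = true, and C_GetMechanismList not reporting the list length when the caller skipped the NULL probe) concern the PKCS#11 list functions and the "two-call" buffer convention they share. The following C program is an added example, not sc-hsm-embedded's code and not the project's actual fix: it uses minimal stand-in typedefs and constants in place of pkcs11.h (assumed to match the standard header's names and values), a constructed slot table, a single helper implementing the convention correctly for both functions, the tokenPresent filter, and a client-side probe that detects exactly the reported misbehaviour. The locking that caused the deadlock is not modelled; function names prefixed demo_ are the example's own.

```c
#include <string.h>

/* Added example, not sc-hsm-embedded code. Minimal stand-ins for the PKCS#11
 * types so this compiles without pkcs11.h; names/values assumed to match it. */
typedef unsigned long CK_ULONG;
typedef CK_ULONG CK_RV;
typedef CK_ULONG CK_SLOT_ID;
typedef CK_ULONG CK_MECHANISM_TYPE;
typedef unsigned char CK_BBOOL;
#define CK_TRUE  1
#define CK_FALSE 0
#define CKR_OK               0x000UL
#define CKR_SLOT_ID_INVALID  0x003UL
#define CKR_BUFFER_TOO_SMALL 0x150UL
#define CKM_RSA_PKCS         0x0001UL
#define CKM_SHA256_RSA_PKCS  0x0040UL
#define CKM_ECDSA            0x1041UL

/* Constructed slot table: two slots holding a token, one empty reader. */
struct slot {
    CK_SLOT_ID id;
    CK_BBOOL token_present;
    CK_MECHANISM_TYPE mechs[4];
    CK_ULONG n_mechs;
};
static const struct slot g_slots[] = {
    { 0, CK_TRUE,  { CKM_RSA_PKCS, CKM_SHA256_RSA_PKCS, CKM_ECDSA }, 3 },
    { 1, CK_FALSE, { 0 }, 0 },
    { 2, CK_TRUE,  { CKM_RSA_PKCS }, 1 },
};
#define N_SLOTS (sizeof g_slots / sizeof g_slots[0])

/* The PKCS#11 two-call buffer convention shared by every *List function:
 *   pList == NULL     -> report the required count, return CKR_OK
 *   *pCount < needed  -> still report the count, return CKR_BUFFER_TOO_SMALL
 *   otherwise         -> copy the entries and report how many were copied.
 * The C_GetMechanismList bug in this thread is a module skipping the second rule. */
static CK_RV copy_list(const CK_ULONG *src, CK_ULONG needed, CK_ULONG *pList, CK_ULONG *pCount)
{
    if (pList == NULL) {
        *pCount = needed;
        return CKR_OK;
    }
    if (*pCount < needed) {
        *pCount = needed;            /* caller learns how much to allocate */
        return CKR_BUFFER_TOO_SMALL;
    }
    memcpy(pList, src, needed * sizeof(CK_ULONG));
    *pCount = needed;
    return CKR_OK;
}

/* Stand-in for C_GetSlotList: tokenPresent = CK_TRUE keeps only slots with a token. */
CK_RV demo_GetSlotList(CK_BBOOL tokenPresent, CK_SLOT_ID *pSlotList, CK_ULONG *pulCount)
{
    CK_SLOT_ID ids[N_SLOTS];
    CK_ULONG n = 0;
    for (size_t i = 0; i < N_SLOTS; i++)
        if (!tokenPresent || g_slots[i].token_present)
            ids[n++] = g_slots[i].id;
    return copy_list(ids, n, pSlotList, pulCount);
}

/* Stand-in for C_GetMechanismList, built on the same convention. */
CK_RV demo_GetMechanismList(CK_SLOT_ID slotID, CK_MECHANISM_TYPE *pMechanismList, CK_ULONG *pulCount)
{
    for (size_t i = 0; i < N_SLOTS; i++)
        if (g_slots[i].id == slotID)
            return copy_list(g_slots[i].mechs, g_slots[i].n_mechs, pMechanismList, pulCount);
    return CKR_SLOT_ID_INVALID;
}

/* What a well-behaved client such as p11tool does: probe with NULL, then fetch.
 * Returns the number of mechanisms written to out, 0 on any failure. */
CK_ULONG fetch_mechanisms(CK_SLOT_ID slot, CK_MECHANISM_TYPE *out, CK_ULONG cap)
{
    CK_ULONG n = 0;
    if (demo_GetMechanismList(slot, NULL, &n) != CKR_OK || n > cap)
        return 0;
    if (demo_GetMechanismList(slot, out, &n) != CKR_OK)
        return 0;
    return n;
}

/* Conformance probe for the reported bug: hand the module a buffer one entry
 * short and check that it still reports the required length together with
 * CKR_BUFFER_TOO_SMALL (the NULL call only sizes the test). Returns 1 when the
 * module conforms, 0 when it misbehaves, -1 if the slot cannot exercise the path. */
int mechanism_list_reports_length(CK_SLOT_ID slot)
{
    CK_MECHANISM_TYPE buf[8];
    CK_ULONG needed = 0, count;
    if (demo_GetMechanismList(slot, NULL, &needed) != CKR_OK || needed < 2 || needed > 8)
        return -1;
    count = needed - 1;
    CK_RV rv = demo_GetMechanismList(slot, buf, &count);
    return rv == CKR_BUFFER_TOO_SMALL && count == needed;
}
```

The point of routing both functions through one helper is that a client like p11tool or engine-pkcs11 may legitimately call with a pre-sized buffer and no prior NULL probe; if the module then leaves *pulCount untouched, the client either loops forever or reads an uninitialised count, which is the class of hang seen in the trace above. A test suite for the module should include the short-buffer probe, since the project's own tests did not catch it.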

djtm commented 7 years ago

Awesome, thanks! BTW, I'm using -fstack-protector-strong, which might really make sense in this context.

p11tool --debug 9999 --provider /usr/local/lib/libsc-hsm-pkcs11.so --login --list-privkeys works now :+1:

So does OpenSSL> engine -t dynamic -pre SO_PATH:/usr/lib/ssl/engines/libpkcs11.so -pre ID:pkcs11 -pre LIST_ADD:1 -pre LOAD -pre MODULE_PATH:/usr/local/lib/libsc-hsm-pkcs11.so

However, this does not work:

OpenSSL> req -engine pkcs11 -new -key 'pkcs11:model=... -keyform engine -out req.pem -text -x509 -subj "/CN=MY NAME"
engine "pkcs11" set.
PKCS#11 token PIN:  
Key not found.
PKCS11_get_private_key returned NULL
cannot load Private Key from engine
139832290076312:error:26096080:engine routines:ENGINE_load_private_key:failed loading private key:eng_pkey.c:124:
unable to load Private Key
error in req

(key is from p11tool above, subj from the key on the card)

CardContact commented 7 years ago

Does the version of engine-pkcs11 support PKCS#11 URIs? Haven't tried that myself.

What does the log say?

djtm commented 7 years ago

It does. And there might be something odd going on, because even when things work, I often get asked to enter the password for STARCOS.eUserPKI when I think it should be STARCOS.QES, because I'm only doing signatures.

(For me this is resolved for now with the version in the genkey branch. I can now sign documents, so I'm happy.)

pkcs11-25332.log.txt pkcs11-25334.log.txt