Closed djtm closed 7 years ago
Everything is possible. My question would be: why?
Those cards are read-only cards and would not benefit from a port to OpenSC.
Some software supports OpenSC better than this module; also, distributions ship with OpenSC, so compatibility.
Can you share which software that is? I'd be interested to see a log from the module, which is enabled in the debug version if the directory /var/tmp/sc-hsm-embedded exists.
Command:

```
p11tool --debug 9999 --provider /usr/local/lib/libsc-hsm-pkcs11.so --login --list-privkeys
Setting log level to 9999
|<2>| p11: Initializing module: /usr/local/lib/libsc-hsm-pkcs11.so
Debugging initialized ...
<hangs>
```

strace and library log attached. strace ends with:

```
stat("/etc/localtime", {st_mode=S_IFREG|0644, st_size=2335, ...}) = 0
write(5, "01.05.2017 09:27:12 SCardTransmit: Command successful.\n", 55) = 55
stat("/etc/localtime", {st_mode=S_IFREG|0644, st_size=2335, ...}) = 0
write(5, "01.05.2017 09:27:12 Function transmitAPDUviaPCSC completes with rc=2.\n", 70) = 70
stat("/etc/localtime", {st_mode=S_IFREG|0644, st_size=2335, ...}) = 0
write(5, "01.05.2017 09:27:12 R-APDU: rc=0 SW1/SW2=63C3\n", 46) = 46
stat("/etc/localtime", {st_mode=S_IFREG|0644, st_size=2335, ...}) = 0
write(5, "01.05.2017 09:27:12 Function starcosCheckPINStatus completes with rc=25539.\n", 76) = 76
stat("/etc/localtime", {st_mode=S_IFREG|0644, st_size=2335, ...}) = 0
write(5, "01.05.2017 09:27:12 Function createStarcosToken completes with rc=0.\n", 69) = 69
stat("/etc/localtime", {st_mode=S_IFREG|0644, st_size=2335, ...}) = 0
write(5, "01.05.2017 09:27:12 Function newDGNToken completes with rc=0.\n", 62) = 62
stat("/etc/localtime", {st_mode=S_IFREG|0644, st_size=2335, ...}) = 0
write(5, "01.05.2017 09:27:12 Function newToken completes with rc=0.\n", 59) = 59
stat("/etc/localtime", {st_mode=S_IFREG|0644, st_size=2335, ...}) = 0
write(5, "01.05.2017 09:27:12 Function checkForNewPCSCToken completes with rc=0.\n", 71) = 71
stat("/etc/localtime", {st_mode=S_IFREG|0644, st_size=2335, ...}) = 0
write(5, "01.05.2017 09:27:12 SCardFreeMemory: Command successful.\n", 57) = 57
stat("/etc/localtime", {st_mode=S_IFREG|0644, st_size=2335, ...}) = 0
write(5, "01.05.2017 09:27:12 Function updatePCSCSlots completes with rc=0.\n", 66) = 66
stat("/etc/localtime", {st_mode=S_IFREG|0644, st_size=2335, ...}) = 0
write(5, "01.05.2017 09:27:12 Function updateSlots completes with rc=0.\n", 62) = 62
stat("/etc/localtime", {st_mode=S_IFREG|0644, st_size=2335, ...}) = 0
write(5, "01.05.2017 09:27:12 Function getValidatedToken called.\n", 55) = 55
futex(0x1da8750, FUTEX_WAIT_PRIVATE, 2, NULL
```
Turns out to be a deadlock when C_GetSlotList() is called with tokenPresent = true.
The tests in sc-hsm-pkcs11-test didn't catch it.
There is also a bug in C_GetMechanismList() which does not return the length of the list if the required buffer size was not previously queried with pMechanismList set to NULL.
I will do more testing with p11tool and fix the bugs in the current development topic branch "genkey".
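To make the two contracts mentioned above concrete, here is an added example (not code from sc-hsm-embedded or from p11tool) of the PKCS#11 variable-length-buffer convention that both `C_GetSlotList()` and `C_GetMechanismList()` must follow: a NULL output pointer returns the required count with CKR_OK, a too-small buffer returns CKR_BUFFER_TOO_SMALL with the required count, and only a large enough buffer gets the list copied. The `tokenPresent` filter of `C_GetSlotList()` is shown as well. The mechanism and slot tables are constructed, the types and constants are minimal stand-ins defined here so the file compiles without pkcs11.h, and the locking that produced the futex hang is out of scope.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Minimal stand-ins for the PKCS#11 types and constants used below,
 * defined here (assumption: values match the standard header) so the
 * example builds without pkcs11.h. */
typedef unsigned long CK_ULONG;
typedef CK_ULONG *CK_ULONG_PTR;
typedef CK_ULONG CK_RV;
typedef unsigned char CK_BBOOL;
typedef CK_ULONG CK_SLOT_ID;
typedef CK_SLOT_ID *CK_SLOT_ID_PTR;
typedef CK_ULONG CK_MECHANISM_TYPE;
typedef CK_MECHANISM_TYPE *CK_MECHANISM_TYPE_PTR;

#define CKR_OK               0x000UL
#define CKR_ARGUMENTS_BAD    0x007UL
#define CKR_BUFFER_TOO_SMALL 0x150UL
#define CKM_RSA_PKCS         0x0001UL
#define CKM_SHA256_RSA_PKCS  0x0040UL
#define CKM_ECDSA            0x1041UL

/* Constructed token data: three mechanisms, three slots (slot 1 is empty). */
static const CK_MECHANISM_TYPE supported[] = { CKM_RSA_PKCS, CKM_SHA256_RSA_PKCS, CKM_ECDSA };
#define SUPPORTED_COUNT (sizeof(supported) / sizeof(supported[0]))
static const struct { CK_SLOT_ID id; CK_BBOOL present; } slots[] = { {0, 1}, {1, 0}, {2, 1} };
#define SLOT_COUNT (sizeof(slots) / sizeof(slots[0]))

/* The standard's convention for functions returning a variable-length list:
 *  - out == NULL:        report the required count in *count, return CKR_OK
 *  - *count too small:   report the required count, return CKR_BUFFER_TOO_SMALL
 *  - otherwise:          copy the list and report how many entries were written */
static CK_RV return_list(const CK_ULONG *src, CK_ULONG n, CK_ULONG *out, CK_ULONG_PTR count)
{
    if (count == NULL)
        return CKR_ARGUMENTS_BAD;
    if (out == NULL) {
        *count = n;
        return CKR_OK;
    }
    if (*count < n) {
        *count = n;               /* caller can retry with a buffer of this size */
        return CKR_BUFFER_TOO_SMALL;
    }
    memcpy(out, src, n * sizeof(*src));
    *count = n;
    return CKR_OK;
}

/* Module-side C_GetMechanismList for the single constructed token. */
CK_RV C_GetMechanismList(CK_SLOT_ID slotID, CK_MECHANISM_TYPE_PTR pMechanismList, CK_ULONG_PTR pulCount)
{
    (void)slotID;
    return return_list(supported, SUPPORTED_COUNT, pMechanismList, pulCount);
}

/* Module-side C_GetSlotList: tokenPresent != 0 restricts the list to slots
 * that currently hold a token; the buffer convention is the same. */
CK_RV C_GetSlotList(CK_BBOOL tokenPresent, CK_SLOT_ID_PTR pSlotList, CK_ULONG_PTR pulCount)
{
    CK_SLOT_ID tmp[SLOT_COUNT];
    CK_ULONG n = 0;
    for (size_t i = 0; i < SLOT_COUNT; i++)
        if (!tokenPresent || slots[i].present)
            tmp[n++] = slots[i].id;
    return return_list(tmp, n, pSlotList, pulCount);
}

/* Client-side two-call pattern used by tools such as p11tool: query the size
 * with a NULL list first, then fetch into a buffer of that size.
 * Returns the number of mechanisms stored in buf, or 0 on any failure. */
CK_ULONG fetch_mechanisms(CK_MECHANISM_TYPE_PTR buf, CK_ULONG buf_len)
{
    CK_ULONG n = 0;
    if (C_GetMechanismList(0, NULL, &n) != CKR_OK)
        return 0;
    if (n > buf_len)
        return 0;                 /* caller's buffer cannot hold the reported count */
    if (C_GetMechanismList(0, buf, &n) != CKR_OK)
        return 0;
    return n;
}

int main(void)
{
    CK_MECHANISM_TYPE mechs[8];
    CK_ULONG n = fetch_mechanisms(mechs, 8);
    for (CK_ULONG i = 0; i < n; i++)
        printf("mechanism 0x%lx\n", mechs[i]);
    return 0;
}
```

A module that only fills in `*pulCount` on the NULL query, and not on the too-small call, breaks clients that size their buffer from the CKR_BUFFER_TOO_SMALL response instead of the NULL query; `return_list()` sets the count on both paths so either client strategy works.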
awesome, thanks!
btw. I'm using -fstack-protector-strong, which might really make sense in this context.

```
p11tool --debug 9999 --provider /usr/local/lib/libsc-hsm-pkcs11.so --login --list-privkeys
```

works now :+1:

So does

```
OpenSSL> engine -t dynamic -pre SO_PATH:/usr/lib/ssl/engines/libpkcs11.so -pre ID:pkcs11 -pre LIST_ADD:1 -pre LOAD -pre MODULE_PATH:/usr/local/lib/libsc-hsm-pkcs11.so
```

However not

```
OpenSSL> req -engine pkcs11 -new -key 'pkcs11:model=... -keyform engine -out req.pem -text -x509 -subj "/CN=MY NAME"
engine "pkcs11" set.
PKCS#11 token PIN:
Key not found.
PKCS11_get_private_key returned NULL
cannot load Private Key from engine
139832290076312:error:26096080:engine routines:ENGINE_load_private_key:failed loading private key:eng_pkey.c:124:
unable to load Private Key
error in req
```
(key is from p11tool above, subj from the key on the card)
Does the version of engine-pkcs11 support PKCS#11 URIs? Haven't tried that myself.
What does the log say?
It does. And there might be something odd going on. Because even when things work, I often get asked to put in the password for STARCOS.eUserPKI when I think it should be STARCOS.QES, because I'm only doing signatures.
(For me this is resolved for now with the version in the genkey branch. I can now sign documents, so I'm happy.)
Do you think it might be possible to port the smart cards supported here (StarCos 3.5) to opensc? https://github.com/OpenSC/OpenSC/issues/1054
Thanks for considering