Ticket #190 (new task)
Problems with Siemens CardOS 4.3b (authentication, tokeninfo)
| Reported by: | marc.waeckerlin | Owned by: | opensc-devel@… |
|---|---|---|---|
| Priority: | normal | Milestone: | Someday |
| Component: | card_driver | Version: | 0.11.4 |
| Severity: | normal | Keywords: | cardos |
| Cc: | marc.waeckerlin | Blocked By: | |
| Blocking: | | | |
Description
We use a token with Siemens CardOS 4.3b and would like to use OpenSC. The token contains a PKCS#15 part and a special SigG part. Now there are several problems:
I've written a tool to read information (see attachments) from a slot or token (basically it's a C++ wrapper around the C-libraries to simplify access): http://dev.marc.waeckerlin.org/projects/libpcscxx
First symptom:
When I read data on Linux (Ubuntu 09.04) using the libsiecap11.so provided by Siemens and onepin-opensc-pkcs11.so from OpenSC, I get completely different results. Why?
E.g. I cannot even get the token's serial number. In fact, using my library, I can get the serial number by sending an APDU: serial = reader.transmit(0x00, 0xCA, 0x01, 0x81).substr(8, 8); But the serial number in tokeninfo is empty.
For details, please see the attachments.
Second symptom:
I can log in to the token using onepin-opensc-pkcs11.so. Then I see the private keys. But as soon as I try to create or delete an object, or even when I want to decrypt a text, I get an error.
C_DestroyObject results in CKR_FUNCTION_NOT_SUPPORTED.
C_CreateObject results in CKR_USER_NOT_LOGGED_IN (even though the login was successful!) and in the console, I get the following message in unfriendly red letters:
[opensc-pkcs11] card-cardos.c:255:cardos_check_sw: required access right not granted
[opensc-pkcs11] card-cardos.c:917:cardos_lifecycle_set: Card returned error: Security status not satisfied
[opensc-pkcs11] card.c:678:sc_card_ctl: returning with: Security status not satisfied
With other PKCS#11 drivers, it works better: Using the Siemens driver, I can create and delete objects. Problems here: The application crashes because of the driver when no slot is available, and it also crashes when I try to decrypt a secret. With a CryptoVision driver, the tokeninfo and mechanisms are also different. But I can create and delete objects. When I try to decrypt, I get a wrong mechanism error (even though the mechanism is here and works with the Siemens driver, but only on Windoze).
The onepin-opensc-pkcs11.so driver works at least partially. Firefox client authentication on an SSL Apache webserver works with no problem.
If there's any way I can help you, please let me know.
Attachments
Change History
comment:2 Changed 13 months ago by martin
- Keywords cardos added
- Priority changed from high to normal
- Type changed from defect to task
- Component changed from opensc to card_driver
- Milestone set to Someday
You actually list several different problems.
- Serial number of the token and how this is matched to OpenSC PKCS#15 structures.
- Functioning of C_CreateObject (what exactly do you want to create?)
Overall, it is normal that different PKCS#11 drivers behave differently. Maybe you can split your bug report into more detailed "would want to have" requests.

