Ticket #253 (closed defect: fixed)


Opened 17 months ago

Last modified 16 months ago

PIV Certificates not displayed

Reported by: hawaiian717 Owned by: dengert
Priority: normal Milestone: 0.12.0
Component: card_driver Version: 0.11.13
Severity: normal Keywords: PIV
Cc: dengert Blocked By:
Blocking:

Description

In current versions of OpenSC and SCA, certificates on a PIV card do not appear.

On Mac OS X 10.5.8, using SCA-Light 0.2.7 or the 0.12 pre-release and having removed Apple's CAC.tokend and PIV.tokend, the PIV_II appears in my keychain but no certificates appear and they can't be used. Using SCA-Light 0.2.6, the certificates appear in the keychain and can be used in Safari, Chrome, and Entourage.

On Linux, Fedora 13 for example, with OpenSC 0.11.13, the same thing happens. In Firefox when I attempt to use a web site that requests a certificate on the card, I am prompted for the PIN, then the connection fails. In the Security Devices window (Preferences -> Advanced -> Encryption) I can see that I am logged into the card, however when I attempt to view the certificates on the card, none appear. Using OpenSC 0.11.8, the certificates appear correctly and the card can be used.

Attachments

opensc-debug.log (77.5 KB) - added by hawaiian717 17 months ago.
apdu.patch.2.txt (433 bytes) - added by dengert 16 months ago. Second patch to apdu.c to allow reading partial objects.
opensc-debug.2.log (131.4 KB) - added by hawaiian717 16 months ago.
apdu.c.patch.3.txt (1.3 KB) - added by dengert 16 months ago.

Change History

comment:1 Changed 17 months ago by martin

  • Keywords PIV added
  • Owner changed from opensc-devel@… to opensc-devel@…
  • Component changed from opensc to card_driver

Can you please provide the log by setting debug = 9 in /Library/OpenSC/etc/opensc.conf, then connecting your card and reader, and send the generated /tmp/opensc-tokend.log file.

Changed 17 months ago by hawaiian717

comment:2 Changed 17 months ago by hawaiian717

The opensc-tokend.log file was empty. I've attached the opensc-debug.log file which has plenty of stuff in it.

comment:3 Changed 17 months ago by dengert

  • Cc dengert added
  • Status changed from new to closed
  • Resolution set to fixed

This is the same problem as #257, which was fixed today in the trunk. Cards using T=0 (vs. T=1) could not use the trick of reading a partial object to get the length of the object. With a T=1 card, the card would just return the 8 bytes. With a T=0 card (which is what you have), the code in apdu.c would treat this as an error, SC_ERROR_WRONG_LENGTH (-1216). The code to read a partial object was added in 0.10.9, and the fix could be added to any version up to the current one.

comment:4 follow-up: ↓ 5 Changed 17 months ago by hawaiian717

  • Status changed from closed to reopened
  • Resolution fixed deleted

I applied the patch from #257 to the source tarball for opensc-0.11.13 and compiled it. Using the module with Firefox, it still didn't work.

After inserting the card I attempt to view the certificates, but they still don't appear, and attempting to access a site that requires it fails.

The card I am testing with is an Oberthur ID One V5.2a Dual hybrid US DoD CAC/PIV card.

comment:5 in reply to: ↑ 4 ; follow-up: ↓ 6 Changed 17 months ago by martin

Replying to hawaiian717:

I applied the patch from #257 to the source tarball for opensc-0.11.13 and compiled it. Using the module with Firefox, it still didn't work.

Have you tried using the latest SVN snapshot instead?

comment:6 in reply to: ↑ 5 Changed 17 months ago by hawaiian717

Replying to martin:

Have you tried using the latest SVN snapshot instead?

I just tried applying the patch to opensc-0.12.0-svn-r4706. It didn't work either. I could log into the card but still no certificates displayed. The card is identified as PIV_II and I am prompted for a PIN when I try to connect to a site, but it still doesn't work; I'm not prompted to select a certificate.

comment:7 Changed 16 months ago by dengert

  • Owner changed from opensc-devel@… to dengert
  • Status changed from reopened to new

Can you send an opensc-debug.log with the #257 patch applied? Or send email directly to me at <deengert@…>

Changed 16 months ago by dengert

Second patch to apdu.c to allow reading partial objects

comment:8 Changed 16 months ago by dengert

Can you try applying the attached apdu.patch.2.txt as well as the patch from #257? There was more than one place in the code where trying to read a partial object would fail. I have not tried this, as it looks like your card and reader are taking a different path through the code than my cards.

Changed 16 months ago by hawaiian717

comment:9 Changed 16 months ago by hawaiian717

I tried applying both patches to r4706 and got the same result as before. An opensc-debug.log from this attempt is attached.

comment:10 Changed 16 months ago by dengert

I am attaching a new patch against r4706. Apply this patch without the others. It includes removing the first patch, includes the second, and includes an unrelated patch, r4757, that changed the debugging output.

The first patch was in the wrong spot, and tried to only read part of the data the card said it wanted to send. Some cards/readers would complain about this, and this is what is showing in the debug output.

  • Line 607: card returns 6100, indicating it has 256 bytes (00 implies 256) to send
  • Line 614: get_response tries to read 8
  • Line 619: card says 6C00, wrong length

If the patch works, the get_response would be 00 C0 00 00 00 and read 256 bytes.

The second patch reads as much as the card said it wanted to send, then returns to the caller as much as the caller requested.

You can also send email to me directly at DEEngert at anl.gov.
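The exchange described in the comment above, as an added illustration that is not OpenSC's code or the attached patches: a toy model of the T=0 GET RESPONSE round trip. It assumes (constructed for the model) that the card holds `pending` bytes of an object and has announced them with SW 61 XX, that a T=0 card answers a GET RESPONSE whose Le does not match the pending count with SW 6C XX instead of data, that a T=1 card simply returns min(Le, pending) bytes, that an Le/XX byte of 00 encodes 256, and that `pending` is at most 256 so one GET RESPONSE drains the card. The function names (`read_partial_old`, `read_partial_new`, `run_case`) are invented for the example.

```c
/* Added example, not OpenSC code: toy model of the GET RESPONSE exchange in
 * comment:10.  Constructed assumptions: card holds `pending` (<= 256) bytes
 * announced with SW 61 XX; a T=0 card answers a mismatched Le with 6C XX;
 * a T=1 card returns min(Le, pending) bytes; Le/XX byte 00 encodes 256. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SC_ERROR_WRONG_LENGTH (-1216)   /* error value quoted in the ticket */
#define MAX_CHUNK 256

enum proto { T0, T1 };

/* Decode the length byte of a 61 XX / 6C XX status word: 00 means 256. */
static size_t sw_len(uint16_t sw)
{
    uint8_t xx = (uint8_t)(sw & 0xFF);
    return xx == 0 ? 256 : xx;
}

/* Encode a byte count <= 256 as an Le byte (256 -> 00). */
static uint8_t le_byte(size_t n)
{
    return (uint8_t)(n == 256 ? 0 : n);
}

/* Card side: the reader sends 00 C0 00 00 Le; the card returns a status word
 * and, on success, writes the object bytes to out. */
static uint16_t card_get_response(enum proto p, size_t pending, uint8_t le,
                                  uint8_t *out, size_t *outlen)
{
    size_t want = sw_len(le);           /* Le = 00 asks for 256 bytes */
    size_t n;
    *outlen = 0;
    if (p == T0 && want != pending)
        return (uint16_t)(0x6C00 | le_byte(pending));   /* 6C XX: wrong length */
    n = want < pending ? want : pending;
    for (size_t i = 0; i < n; i++)
        out[i] = (uint8_t)i;            /* constructed object bytes */
    *outlen = n;
    return 0x9000;
}

/* Reader side as the first patch behaved: after the card announces 61 00,
 * ask only for the `want` bytes the caller needs (line 614 in the log). */
static int read_partial_old(enum proto p, size_t pending, size_t want,
                            uint8_t *buf, size_t *got)
{
    uint8_t tmp[MAX_CHUNK];
    size_t n;
    uint16_t sw = card_get_response(p, pending, le_byte(want), tmp, &n);
    if ((sw & 0xFF00) == 0x6C00)
        return SC_ERROR_WRONG_LENGTH;   /* line 619: card says 6C 00 */
    if (sw != 0x9000)
        return -1;
    *got = n;
    memcpy(buf, tmp, n);
    return 0;
}

/* Reader side as the second patch behaves: read everything the card announced
 * (61 XX -> Le = XX, so 00 C0 00 00 00 for 256), then return only `want`. */
static int read_partial_new(enum proto p, size_t pending, size_t want,
                            uint8_t *buf, size_t *got)
{
    uint8_t tmp[MAX_CHUNK];
    size_t n;
    uint16_t announce = (uint16_t)(0x6100 | le_byte(pending));  /* 61 XX */
    uint16_t sw = card_get_response(p, pending, le_byte(sw_len(announce)), tmp, &n);
    if (sw != 0x9000)
        return SC_ERROR_WRONG_LENGTH;
    *got = want < n ? want : n;         /* caller gets at most what it asked */
    memcpy(buf, tmp, *got);
    return 0;
}

/* Run one scenario; returns bytes delivered, or the negative error code. */
static long run_case(enum proto p, int use_new, size_t pending, size_t want)
{
    uint8_t buf[MAX_CHUNK];
    size_t got = 0;
    int rc = use_new ? read_partial_new(p, pending, want, buf, &got)
                     : read_partial_old(p, pending, want, buf, &got);
    return rc < 0 ? rc : (long)got;
}

int main(void)
{
    printf("T=0, first patch:  %ld\n", run_case(T0, 0, 256, 8));  /* -1216 */
    printf("T=1, first patch:  %ld\n", run_case(T1, 0, 256, 8));  /* 8 */
    printf("T=0, second patch: %ld\n", run_case(T0, 1, 256, 8));  /* 8 */
    return 0;
}
```

The T=1 case shows why the partial read "trick" ever worked: that protocol tolerates an Le smaller than the pending count, so the mismatch was invisible until a T=0 card and reader took the other path. The second-patch path also handles the case where the card has fewer bytes than the caller asked for, returning just those.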

Changed 16 months ago by dengert

comment:11 Changed 16 months ago by hawaiian717

  • Status changed from new to closed
  • Resolution set to fixed

I just tested the 0.12.0-rc1 download without adding any additional patches and the card worked correctly.
