Comments (6)
OpenSC.tokend has been totally broken (for PIV tokens at least) till very recently. It is much better now, but still somewhat short of the mark.
The symptoms you describe remind me of the problem I used to have trying to unlock the token using Keychain Access.
My recommendation: get the latest GitHub version of OpenSC (not the released version), and try mouse07410/OpenSC.tokend fork with it. This combination would give you the best chance.
from opensc.tokend.
The card driver implements an internal caching mechanism for the current EF/DF. Your log shows that it thinks of a cache hit and does not issue a select command on your key:
0x7fff78cb0000 16:37:24.608 [tokend] card.c:650:sc_select_file: called; type=2, path=3f00df71
0x7fff78cb0000 16:37:24.608 [tokend] card-atrust-acos.c:399:atrust_acos_select_file: current path (path, valid): 3f00df71 (len: 4)
0x7fff78cb0000 16:37:24.608 [tokend] card-atrust-acos.c:491:atrust_acos_select_file: cache hit
0x7fff78cb0000 16:37:24.608 [tokend] card.c:678:sc_select_file: returning with: 0 (Success)
Could you check if disabling the cache fixes the problem?
Also note that OpenSC internally tries to re-validate the cached PIN to then re-issue the signature command. For some strange reason the signature operation changes now and results in an error:
0x7fff78cb0000 16:37:24.993 [tokend] pkcs15-pin.c:682:sc_pkcs15_pincache_revalidate: returning with: 0 (Success)
0x7fff78cb0000 16:37:24.4294968289 [tokend] sec.c:54:sc_compute_signature: called
0x7fff78cb0000 16:37:24.140733193389025 [tokend] card-atrust-acos.c:748:atrust_acos_compute_signature: returning with: -1300 (Invalid arguments)
0x7fff78cb0000 16:37:24.4294968289 [tokend] sec.c:58:sc_compute_signature: returning with: -1300 (Invalid arguments)
I hope this gives you some directions, but debugging is really only possible with the card.
Please also try pkcs11-tool --login --test to check if this is a problem within tokend or within the core library!
from opensc.tokend.
@mouse07410 Thanks for the quick reply, about to try that.
@frankmorgner Also thanks for the advice - unfortunately turning off the cache did not solve the problem - however the logfiles are looking slightly different now.
We are using PKCS15 to access the card as there is no PKCS11 plugin available on OSX for our card. So we did disable use_pin_caching in the PKCS15 Framework.
Here are the logs (level 3) after turning off the cache:
Inserting the card
0x7fff73a82000 14:55:43.140733193388566 [tokend] reader-pcsc.c:1122:pcsc_detect_readers: returning with: 0 (Success)
0x7fff73a82000 14:55:43.140733193388566 [tokend] card.c:148:sc_connect_card: called
0x7fff73a82000 14:55:43.536 [tokend] reader-pcsc.c:301:refresh_attributes: returning with: 0 (Success)
0x7fff73a82000 14:55:43.7741534218664018458 [tokend] card-entersafe.c:106:entersafe_match_card: called
0x7fff73a82000 14:55:43.140733193388570 [tokend] card-rutoken.c:103:rutoken_match_card: called
0x7fff73a82000 14:55:43.4294967899 [tokend] card-mcrd.c:296:mcrd_match_card: SELECT AID: 6A82
0x7fff73a82000 14:55:43.4294967982 [tokend] muscle.c:271:msc_select_applet: returning with: -1200 (Card command failed)
0x7fff73a82000 14:55:43.4294968082 [tokend] card-atrust-acos.c:376:atrust_acos_select_fid: returning with: 0 (Success)
0x7fff73a82000 14:55:43.4294968128 [tokend] card-atrust-acos.c:332:atrust_acos_select_fid: returning with: -1201 (File not found)
0x7fff73a82000 14:55:43.4294968176 [tokend] card-atrust-acos.c:332:atrust_acos_select_fid: returning with: -1201 (File not found)
0x7fff73a82000 14:55:43.4294968225 [tokend] card-atrust-acos.c:332:atrust_acos_select_fid: returning with: -1201 (File not found)
0x7fff73a82000 14:55:43.929 [tokend] pkcs15-syn.c:140:sc_pkcs15_bind_synthetic: called
0x7fff73a82000 14:55:43.140733193388961 [tokend] pkcs15-itacns.c:854:sc_pkcs15emu_itacns_init_ex: called
0x7fff73a82000 14:55:43.4294968226 [tokend] pkcs15-piv.c:1028:sc_pkcs15emu_piv_init_ex: called
0x7fff73a82000 14:55:43.140733193388962 [tokend] pkcs15-piv.c:234:piv_detect_card: called
0x7fff73a82000 14:55:43.4294968226 [tokend] pkcs15-gemsafeGPK.c:168:gemsafe_detect_card: called
0x7fff73a82000 14:55:44.4294967462 [tokend] card-atrust-acos.c:376:atrust_acos_select_fid: returning with: 0 (Success)
0x7fff73a82000 14:55:44.4294967541 [tokend] card-atrust-acos.c:376:atrust_acos_select_fid: returning with: 0 (Success)
0x7fff73a82000 14:55:44.4294967658 [tokend] card-atrust-acos.c:376:atrust_acos_select_fid: returning with: 0 (Success)
0x7fff73a82000 14:55:44.4294967776 [tokend] card-atrust-acos.c:376:atrust_acos_select_fid: returning with: 0 (Success)
0x7fff73a82000 14:55:45.200 [tokend] sec.c:206:sc_pin_cmd: returning with: -1214 (PIN code or key incorrect)
Entering the valid PIN
0x7fff73a82000 14:55:48.695 [tokend] sec.c:206:sc_pin_cmd: returning with: 0 (Success)
0x7fff73a82000 14:55:48.760 [tokend] sec.c:72:sc_set_security_env: returning with: 0 (Success)
0x7fff73a82000 14:55:48.4294968197 [tokend] card-atrust-acos.c:754:atrust_acos_compute_signature: returning with: -1211 (Security status not satisfied)
0x7fff73a82000 14:55:48.4294968197 [tokend] sec.c:58:sc_compute_signature: returning with: -1211 (Security status not satisfied)
from opensc.tokend.
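A small triage script for OpenSC debug logs in the format posted above, as an added example that is not part of the original thread or of OpenSC. It lists every call that returned a negative code, isolates the failures logged after the last successful `sc_pin_cmd`, and reports driver "cache hit" lines; the function names are hypothetical and the sample lines are copied from the logs quoted in this thread.

```python
import re

# Sample lines copied from the logs quoted in this thread.
SAMPLE = """\
0x7fff78cb0000 16:37:24.608 [tokend] card-atrust-acos.c:491:atrust_acos_select_file: cache hit
0x7fff73a82000 14:55:45.200 [tokend] sec.c:206:sc_pin_cmd: returning with: -1214 (PIN code or key incorrect)
0x7fff73a82000 14:55:48.695 [tokend] sec.c:206:sc_pin_cmd: returning with: 0 (Success)
0x7fff73a82000 14:55:48.760 [tokend] sec.c:72:sc_set_security_env: returning with: 0 (Success)
0x7fff73a82000 14:55:48.4294968197 [tokend] card-atrust-acos.c:754:atrust_acos_compute_signature: returning with: -1211 (Security status not satisfied)
0x7fff73a82000 14:55:48.4294968197 [tokend] sec.c:58:sc_compute_signature: returning with: -1211 (Security status not satisfied)
"""

# The fractional part of the timestamp is sometimes garbled in these logs,
# so it is matched but not kept; only HH:MM:SS is used.
LINE = re.compile(
    r"^(?P<thread>0x[0-9a-fA-F]+) (?P<time>\d\d:\d\d:\d\d)\.\d+ "
    r"\[(?P<app>[^\]]+)\] (?P<file>[^:\s]+):(?P<line>\d+):(?P<func>\w+): (?P<msg>.*)$"
)
RET = re.compile(r"^returning with: (?P<rc>-?\d+) \((?P<text>.*)\)$")

def parse(log):
    """Turn raw log text into a list of event dicts; unparseable lines are skipped."""
    events = []
    for raw in log.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        ev = m.groupdict()
        r = RET.match(ev["msg"])
        ev["rc"] = int(r["rc"]) if r else None      # None: not a return line
        ev["text"] = r["text"] if r else ev["msg"]
        events.append(ev)
    return events

def failures(events):
    """Every call that returned a negative code, in log order."""
    return [(e["time"], e["func"], e["rc"], e["text"])
            for e in events if e["rc"] is not None and e["rc"] < 0]

def failures_after_pin_ok(events):
    """Failures logged after the last successful sc_pin_cmd (PIN accepted, operation still refused)."""
    ok = [i for i, e in enumerate(events) if e["func"] == "sc_pin_cmd" and e["rc"] == 0]
    return failures(events[ok[-1] + 1:]) if ok else []

def cache_hits(events):
    """Places where the card driver skipped a SELECT because of its path cache."""
    return [(e["time"], e["file"], int(e["line"])) for e in events if e["msg"] == "cache hit"]
```

Running `failures_after_pin_ok(parse(open(path).read()))` on a full level-3 log separates the post-login errors from the expected card-detection noise (`File not found`, `Card command failed`) at insertion time.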
Disabling the file cache I talked about requires modification of the source code (see card-atrust-acos.c:491).
OpenSC ships with a PKCS#11 library on OS X. If your card works in tokend, it also works in opensc-pkcs11.dylib
from opensc.tokend.
I concur regarding testing with pkcs11-tool. If that doesn't work, no need to even try tokend.
from opensc.tokend.
What kind of card/token is it? Is it provisioned fully?
from opensc.tokend.