Comments (15)
Can you please try it with the file cache disabled?
from opensc.
Tried with the following opensc.conf, but still got the same error.
app default {
    debug = 9;
    debug_file = c:\debug\opensc-debug64.txt;
    framework pkcs15 {
        use_file_caching = false;
    }
}
from opensc.
The same thing happens on linux, it doesn't depend on the file cache.
Fail:
pkcs15-init -C --profile myeid --pin 1111 --puk 1111
OK:
pkcs15-init -C --pin 1111 --puk 1111
I'll look into it.
(one more change .. opensc 0.24 changed the file cache setting from "false" to "no", more in man opensc.conf)
from opensc.
It seems that this error has been around for a long time, I just compiled older versions of opensc and it turned out like this:
$ opensc-tool --version
OpenSC-0.22.0-rc1-74-gc902e1992, rev: c902e1992, commit-time: 2021-08-10 11:09:03 +0200
$ pkcs15-init -C --profile myeid --so-pin 11111111 --so-puk 11111111 --pin=11111111 --puk=11111111
Failed to create PKCS #15 meta structure: Invalid ASN.1 object
Segmentation fault (core dumped)
$ opensc-tool --version
OpenSC-0.23.0, rev: 5497519ea, commit-time: 2022-11-29 09:34:43 +0100
$ pkcs15-init -C --profile myeid --so-pin 11111111 --so-puk 11111111 --pin=11111111 --puk=11111111
Failed to create PKCS #15 meta structure: Invalid ASN.1 object
Initialization works without problems if --profile myeid is not specified.
I'm not completely familiar with the part of the OpenSC code that works with "profile", I'll see what I can find.
from opensc.
Debug, without --profile myeid or if --profile pkcs15+myeid is specified:
P:354061; T:0x139877723094528 12:40:39.874 [pkcs15-init] profile.c:357:sc_profile_load: Using profile directory '/usr/share/opensc'.
P:354061; T:0x139877723094528 12:40:39.874 [pkcs15-init] profile.c:365:sc_profile_load: Trying profile file /usr/share/opensc/pkcs15.profile
P:354061; T:0x139877723094528 12:40:39.874 [pkcs15-init] profile.c:370:sc_profile_load: profile /usr/share/opensc/pkcs15.profile loaded ok
P:354061; T:0x139877723094528 12:40:39.874 [pkcs15-init] profile.c:384:sc_profile_load: returning with: 0 (Success)
P:354061; T:0x139877723094528 12:40:39.874 [pkcs15-init] profile.c:337:sc_profile_load: called
P:354061; T:0x139877723094528 12:40:39.874 [pkcs15-init] profile.c:357:sc_profile_load: Using profile directory '/usr/share/opensc'.
P:354061; T:0x139877723094528 12:40:39.874 [pkcs15-init] profile.c:365:sc_profile_load: Trying profile file /usr/share/opensc/myeid.profile
P:354061; T:0x139877723094528 12:40:39.875 [pkcs15-init] profile.c:370:sc_profile_load: profile /usr/share/opensc/myeid.profile loaded ok
P:354061; T:0x139877723094528 12:40:39.875 [pkcs15-init] profile.c:384:sc_profile_load: returning with: 0 (Success)
P:354061; T:0x139877723094528 12:40:39.875 [pkcs15-init] profile.c:396:sc_profile_finish: called
This is loaded if --profile myeid is specified:
P:190081; T:0x139833593409024 10:45:41.326 [pkcs15-init] profile.c:356:sc_profile_load: Using profile directory '/usr/share/opensc'.
P:190081; T:0x139833593409024 10:45:41.326 [pkcs15-init] profile.c:364:sc_profile_load: Trying profile file /usr/share/opensc/myeid.profile
P:190081; T:0x139833593409024 10:45:41.326 [pkcs15-init] profile.c:369:sc_profile_load: profile /usr/share/opensc/myeid.profile loaded ok
P:190081; T:0x139833593409024 10:45:41.326 [pkcs15-init] profile.c:383:sc_profile_load: returning with: 0 (Success)
P:190081; T:0x139833593409024 10:45:41.326 [pkcs15-init] profile.c:336:sc_profile_load: called
P:190081; T:0x139833593409024 10:45:41.326 [pkcs15-init] profile.c:356:sc_profile_load: Using profile directory '/usr/share/opensc'.
P:190081; T:0x139833593409024 10:45:41.326 [pkcs15-init] profile.c:364:sc_profile_load: Trying profile file /usr/share/opensc/myeid.profile
P:190081; T:0x139833593409024 10:45:41.326 [pkcs15-init] profile.c:369:sc_profile_load: profile /usr/share/opensc/myeid.profile loaded ok
P:190081; T:0x139833593409024 10:45:41.326 [pkcs15-init] profile.c:383:sc_profile_load: returning with: 0 (Success)
P:190081; T:0x139833593409024 10:45:41.326 [pkcs15-init] profile.c:395:sc_profile_finish: called
I assume that it is not good if the myeid profile is loaded twice..
from opensc.
Can you confirm if this solves the issue? If so, I will prepare a PR.
# diff -u /usr/share/opensc/myeid.profile~ /usr/share/opensc/myeid.profile
--- /usr/share/opensc/myeid.profile.orig 2023-12-19 13:14:35.000000000 +0100
+++ /usr/share/opensc/myeid.profile 2023-12-19 13:54:42.553785151 +0100
@@ -94,6 +94,7 @@
DF PKCS15-AppDF {
type = DF;
file-id = 5015;
+ aid = A0:00:00:00:63:50:4B:43:53:2D:31:35;
acl = DELETE=$PIN, CREATE=$PIN;
EF PKCS15-ODF {
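Review bot: the added `aid = A0:00:00:00:63:50:4B:43:53:2D:31:35;` line needs a comment in the profile explaining what it is and why a card-specific profile hard-codes it: the bytes are the registered PKCS#15 application identifier (RID A0:00:00:00:63 followed by the ASCII text "PKCS-15"), and the thread shows the AppDF only gets it from pkcs15.profile, which is not loaded when `--profile myeid` is given. Without that comment the next reader will not know that removing the line reintroduces the "Invalid ASN.1 object" failure. Also, the `diff -u` command compares `myeid.profile~` while the `---` header names `myeid.profile.orig`; make the two paths agree before this goes into a PR.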
from opensc.
I have come across one discrepancy in the MyEID profile regarding the pkcs#15 profile (src/pkcs15init/myeid.profile, src/pkcs15init/pkcs15.profile):
File | MyEID | PKCS15
---|---|---
PKCS15-CDF | 4403 | 4404
PKCS15-PuKDF | 4404 | 4403
I'm not sure what to do with it..
from opensc.
Can you confirm if this solves the issue? If so, I will prepare a PR.
# diff -u /usr/share/opensc/myeid.profile~ /usr/share/opensc/myeid.profile --- /usr/share/opensc/myeid.profile.orig 2023-12-19 13:14:35.000000000 +0100 +++ /usr/share/opensc/myeid.profile 2023-12-19 13:54:42.553785151 +0100 @@ -94,6 +94,7 @@ DF PKCS15-AppDF { type = DF; file-id = 5015; + aid = A0:00:00:00:63:50:4B:43:53:2D:31:35; acl = DELETE=$PIN, CREATE=$PIN; EF PKCS15-ODF {
Tested and the command succeeds after this change.
from opensc.
After some more testing, we found out that some settings set in the profile file do not take effect. For example, we tried changing Update, Delete and Generate ACLs to SOPIN for private keys like this:
EF template-private-key {
    type = internal-ef;
    file-id = 4B01;
    acl = CRYPTO=$PIN, UPDATE=$SOPIN, DELETE=$SOPIN, GENERATE=$SOPIN;
}
... but all ACs were still set to PIN 1.
However, changing Update AC to SOPIN for PKCS15-PrKDF did take effect, and shows that the profile file really is read and used.
from opensc.
Thank you for looking into that @popovec .
Unfortunately documentation around profiles is suboptimal and syntax undocumented [1]. I think the profiles work in a way that the default generic profile is loaded first (see the comment in pkcs15.profile) and then on top of that, card-specific changes are applied to avoid a need to copy&paste all of the generic stuff into every card profile (pkcs15+myeid), so it is not completely clear to me if we should aim for making the myeid profile self-contained as proposed in #2965.
Reading the pkcs15-init manual page, there are two switches, profile and card-profile, which refer to the above two profiles to load. So I think that the correct command you should have used should have been pkcs15-init -C --card-profile myeid --pin 1111 --puk 1111.
My proposal would be to improve and clarify the documentation regarding this. For now just grepping through the wiki and documentation which proposes to use --profile instead of --card-profile where it should be used (or just remove them as this should be handled automatically if some corner case is not needed).
[1] https://github.com/OpenSC/OpenSC/blob/master/doc/files/pkcs15-profile.5.xml#L40
from opensc.
I believe that the user should not use the --profile and --card-profile switches at all when initializing the card. By default, the pkcs15 profile is loaded, followed by the corresponding profile according to the card driver. If the default profile (according to the driver) is not suitable, it is necessary to create a new profile and use it with the switch --card-profile.
Examples:
This corresponds to the default (when neither --profile nor --card-profile switches are used):
--profile pkcs15 --card-profile myeid: pkcs15 and myeid profile will be loaded
Using a specific profile:
--profile pkcs15 --card-profile myeid_user: pkcs15 and myeid_user profile will be loaded
This is the same as when the --profile switch is omitted:
--card-profile myeid_user: pkcs15 and myeid_user profile will be loaded
Using myeid and myeid_new:
--profile myeid --card-profile myeid_new: myeid profile and myeid_new profile will be loaded
--profile myeid: myeid and myeid profile will be loaded (the second loading of the myeid profile takes place according to the card driver - in this case myeid)
For the "--profile" switch, you can use the "+" sign as an "option", an example is "pkcs15+onepin" - more in the file pkcs15.profile
I am looking to see if the myeid profile could be trimmed in such a way that only those things that myeid changes are recorded in the myeid profile.. but it would be a problem, almost every file would need a change, see for example AODF:
EF PKCS15-AODF {
    file-id = 4401;
    size = $aodf-size;
    ACL = $protected;
}
EF PKCS15-AODF {
    file-id = 4401;
    structure = transparent;
    size = $aodf-size;
    acl = READ=NONE, UPDATE=$SOPIN, DELETE=$SOPIN;
}
In the current state, I really wouldn't change anything more than to fix the myeid profile so that it also works independently, without the pkcs15 profile.
from opensc.
EF template-private-key {
    type = internal-ef;
    file-id = 4B01;
    acl = CRYPTO=$PIN, UPDATE=$SOPIN, DELETE=$SOPIN, GENERATE=$SOPIN;
}
... but all ACs were still set to PIN 1. However, changing Update AC to SOPIN for PKCS15-PrKDF did take effect, and shows that the profile file really is read and used.
I'll look into it, these things might need to be checked in src/pkcs15init/pkcs15-myeid.c
from opensc.
What's the status of this topic, is there anything to do?
from opensc.
@hhonkanen
I think I've found where the problem with setting ACLs per profile is occurring. With the patch below, the ACLs are set per profile: (acl = CRYPTO=$PIN, UPDATE=$SOPIN, DELETE=$SOPIN, GENERATE=$SOPIN;)
OpenSC [3F00/5015]> info 4b01
File type [22] ID 4B01
File path: 3F00/5015/4B01
File size: 256 bytes
EF structure: Linear fixed
ACL for READ: N/A
ACL for UPDATE: CHV3
ACL for DELETE: CHV3
ACL for WRITE: N/A
ACL for REHABILITATE: N/A
ACL for INVALIDATE: N/A
ACL for LIST FILES: N/A
ACL for CRYPTO: CHV1
Type attributes: 22
Proprietary attributes: 01 00
Security attributes: 13 33 FF
Life cycle: Operational, activated
The patch omits part of the code in the myeid_create_key() function, which overwrites the already correctly set ACL from the myeid_new_file() function.
diff --git a/src/pkcs15init/pkcs15-myeid.c b/src/pkcs15init/pkcs15-myeid.c
index 6f63ebd6d..6fd76c467 100644
--- a/src/pkcs15init/pkcs15-myeid.c
+++ b/src/pkcs15init/pkcs15-myeid.c
@@ -537,9 +537,9 @@ myeid_create_key(struct sc_profile *profile, struct sc_pkcs15_card *p15card,
struct sc_path *path;
int *key_reference;
struct sc_file *file = NULL;
- struct sc_pkcs15_object *pin_object = NULL;
+/* struct sc_pkcs15_object *pin_object = NULL;
struct sc_pkcs15_auth_info *pkcs15_auth_info = NULL;
- unsigned char sec_attrs[] = {0xFF, 0xFF, 0xFF};
+ unsigned char sec_attrs[] = {0xFF, 0xFF, 0xFF}; */
int r, ef_structure = 0, keybits = 0, pin_reference = -1;
unsigned char prop_info[] = {0x00, 0x00};
int extractable = FALSE;
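Review bot: delete the three declarations (`pin_object`, `pkcs15_auth_info`, `sec_attrs`) rather than fencing them in `/* ... */`; commented-out code in the function body is dead weight that the next reader has to reason about, and the trial nature of the change is clearer from the commit message than from a block comment. Note that `pin_reference = -1` on the next line stays live after this hunk, so check whether anything still assigns it once the block that used `pin_object` is gone.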
@@ -617,7 +617,7 @@ myeid_create_key(struct sc_profile *profile, struct sc_pkcs15_card *p15card,
sc_log(ctx, "Path of MyEID key file to create %s",
sc_print_path(&file->path));
-
+/*
if (object->auth_id.len >= 1) {
r = sc_pkcs15_find_pin_by_auth_id(p15card, &object->auth_id, &pin_object);
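Review bot: the `/*` opened here is only closed by the `*/` in the next hunk, some thirty lines further down that the diff does not show; C block comments do not nest, so any `/* ... */` inside that region (a comment on the auth_id lookup or one of the error paths, for example) would terminate this comment early and either break the build or leave part of the block live. For a trial removal use `#if 0` / `#endif`, or delete the lines outright, instead of a block comment spanning code you cannot see in the hunk.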
@@ -649,7 +649,7 @@ myeid_create_key(struct sc_profile *profile, struct sc_pkcs15_card *p15card,
sc_file_free(file);
LOG_TEST_RET(ctx, SC_ERROR_INVALID_ARGUMENTS, "Invalid AuthID value for a private key.");
}
-
+*/
/* TODO: fill all proprietary attributes here based on the object */
if (object->user_consent != 0 && pin_reference >= 1)
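Review bot: the commented-out region also swallows the `LOG_TEST_RET(ctx, SC_ERROR_INVALID_ARGUMENTS, "Invalid AuthID value for a private key.");` check, so a private-key object whose auth_id does not resolve to a PIN is no longer rejected here; keep that validation even if the sec_attrs override is dropped. The retained `if (object->user_consent != 0 && pin_reference >= 1)` also still depends on `pin_reference`, which the first hunk leaves initialised to -1; if this block was where it was set from the PIN object, the user-consent branch is now unreachable and that should be confirmed before the patch is merged.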
Please verify that the modified code works as expected. Thank you.
from opensc.
@popovec Thank you for your effort to resolve this issue! The ACLs look correct and exactly what we are trying to achieve, so looks like your patch resolves the problem.
from opensc.
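Two things in this thread can be checked mechanically instead of by eye: the CDF/PuKDF file-id swap between myeid.profile and pkcs15.profile noted above, and whether the ACLs a profile requests (the template-private-key example) actually land on the card as opensc-explorer reports them. The following Python is an added example, not OpenSC code and not from any participant in the thread. Its profile parser is one reading of the subset of pkcs15-profile syntax quoted above (not profile.c), the profile and opensc-explorer snippets are constructed from the excerpts in the thread rather than copied from the real files, and the $PIN to CHV1 / $SOPIN to CHV3 mapping is taken from the info output shown above and depends on the card's PIN layout.

```python
"""Added example, not OpenSC code: lint pkcs15-init profile files and check
that the ACLs a MyEID card reports match what the profile requested.
Parses the profile subset quoted in this thread (`EF name { key = value; }`,
nested `DF` blocks, `#` comments) and `ACL for <op>: <ref>` lines from
`opensc-explorer info`; the parser is my reading of that syntax, not profile.c.
"""
import re

# Constructed snippets modelled on the thread's excerpts, not the real files.
GENERIC_PROFILE = """
DF PKCS15-AppDF {
    file-id = 5015;
    aid = A0:00:00:00:63:50:4B:43:53:2D:31:35;  # PKCS#15 application AID
    EF PKCS15-PuKDF { file-id = 4403; }
    EF PKCS15-CDF   { file-id = 4404; }
}
"""
CARD_PROFILE = """
DF PKCS15-AppDF {
    file-id = 5015;
    acl = DELETE=$PIN, CREATE=$PIN;
    EF PKCS15-CDF   { file-id = 4403; }
    EF PKCS15-PuKDF { file-id = 4404; }
    EF template-private-key {
        type = internal-ef;
        file-id = 4B01;
        acl = CRYPTO=$PIN, UPDATE=$SOPIN, DELETE=$SOPIN, GENERATE=$SOPIN;
    }
}
"""
# Constructed `opensc-explorer info 4b01` lines: ACLs as reported after the
# patch; the pre-patch variant has every AC on PIN 1, as the thread describes.
EXPLORER_INFO = """
ACL for READ: N/A
ACL for UPDATE: CHV3
ACL for DELETE: CHV3
ACL for CRYPTO: CHV1
"""
EXPLORER_INFO_BEFORE = EXPLORER_INFO.replace("CHV3", "CHV1")
# Assumed from the output above; CHV numbers depend on the card's PIN layout.
PIN_TO_CHV = {"$PIN": "CHV1", "$SOPIN": "CHV3"}
_TOKEN = re.compile(r"\{|\}|;|[^\s{};]+")

def parse_profile(text):
    """Flatten a profile into {name: {"kind": "EF"/"DF"/None, "attrs": {...}}};
    keys are lower-cased because the thread shows both `ACL =` and `acl =`."""
    tokens = _TOKEN.findall(re.sub(r"#.*", "", text))
    blocks, stack, stmt = {}, [], []
    for tok in tokens:
        if tok == "{":
            if not 1 <= len(stmt) <= 2:
                raise ValueError("bad block header: %r" % stmt)
            kind, name = (None, stmt[0]) if len(stmt) == 1 else (stmt[0], stmt[1])
            blocks[name] = {"kind": kind, "attrs": {}}
            stack.append(blocks[name]["attrs"])
            stmt = []
        elif tok == "}":
            if stmt or not stack:
                raise ValueError("unterminated statement or stray '}'")
            stack.pop()
        elif tok == ";":
            if len(stmt) < 3 or stmt[1] != "=" or not stack:
                raise ValueError("bad statement: %r" % stmt)
            stack[-1][stmt[0].lower()] = " ".join(stmt[2:])  # value kept verbatim
            stmt = []
        else:
            stmt.append(tok)
    if stack or stmt:
        raise ValueError("unbalanced braces or trailing tokens")
    return blocks

def parse_acl(value):
    """'CRYPTO=$PIN, UPDATE=$SOPIN' -> {'CRYPTO': '$PIN', 'UPDATE': '$SOPIN'}."""
    return dict(p.strip().split("=", 1) for p in value.split(",") if p.strip())

def _file_ids(profile):
    return {n: b["attrs"]["file-id"].upper() for n, b in profile.items() if "file-id" in b["attrs"]}

def file_id_conflicts(generic, card):
    """name -> (generic id, card id) for files both profiles define with different ids."""
    g, c = _file_ids(generic), _file_ids(card)
    return {n: (g[n], c[n]) for n in sorted(g.keys() & c.keys()) if g[n] != c[n]}

def dfs_without_aid(profile):
    """Application DFs a stand-alone card profile would create with no AID."""
    return sorted(n for n, b in profile.items()
                  if b["kind"] == "DF" and n.endswith("AppDF") and "aid" not in b["attrs"])

def parse_explorer_acls(text):
    """{'UPDATE': 'CHV3', ...} from `opensc-explorer info`; N/A entries dropped."""
    pairs = re.findall(r"^ACL for (.+?): (\S+)$", text, re.M)
    return {op: ref for op, ref in pairs if ref != "N/A"}

def acl_mismatches(profile_acl, card_acls):
    """Ops the card reports with a different reference than the profile requested."""
    wanted = {op: PIN_TO_CHV.get(ref, ref) for op, ref in parse_acl(profile_acl).items()}
    return {op: (ref, card_acls[op]) for op, ref in wanted.items()
            if op in card_acls and card_acls[op] != ref}

if __name__ == "__main__":
    gen, card = parse_profile(GENERIC_PROFILE), parse_profile(CARD_PROFILE)
    acl = card["template-private-key"]["attrs"]["acl"]
    print("file-id conflicts:", file_id_conflicts(gen, card))
    print("AppDF without aid:", dfs_without_aid(card))
    print("ACL mismatches before patch:", acl_mismatches(acl, parse_explorer_acls(EXPLORER_INFO_BEFORE)))
    print("ACL mismatches after patch:", acl_mismatches(acl, parse_explorer_acls(EXPLORER_INFO)))
```

Run against the installed files, the same functions take the text of /usr/share/opensc/pkcs15.profile and myeid.profile and the output of `opensc-explorer` `info 4b01`; GENERATE is not listed by `info`, so it is skipped rather than reported, and any operation the card shows as N/A is ignored for the same reason.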