Comments (10)
please run pkcs15-tool -D to see if user_consent is enabled for the key.
Debug output with level 3 is more helpful, complete logs even more! Note that there is a problem when setting app specific configuration #2999
from opensc.
pkcs15-tool -D
gives ....
Using reader with a card: REINER SCT cyberJack RFID komfort
Connecting to card in reader REINER SCT cyberJack RFID komfort...
Using card driver D-Trust Signature Card.
PKCS#15 Card [D-TRUST Card 4.1 Std. RSA 2ca]:
Version : 1
Serial number : 9276003211610361039f
Manufacturer ID: D-TRUST GmbH (C)
Flags : Login required, PRN generation
PIN [Card-PIN]
Object Flags : [0x03], private, modifiable
Auth ID : 04
ID : 03
Flags : [0x1811], case-sensitive, initialized, exchangeRefData
Length : min_len:6, max_len:12, stored_len:0
Pad char : 0x00
Reference : 3 (0x03)
Type : UTF-8
Tries left : 3
PIN [Card-PUK]
Object Flags : [0x03], private, modifiable
ID : 04
Flags : [0x859], case-sensitive, unblock-disabled, initialized, unblockingPin, exchangeRefData
Length : min_len:8, max_len:8, stored_len:0
Pad char : 0x00
Reference : 4 (0x04)
Type : UTF-8
Tries left : 3
PIN [Signature-PIN]
Object Flags : [0x03], private, modifiable
Auth ID : 04
ID : 07
Flags : [0x2813], case-sensitive, local, initialized, exchangeRefData
Length : min_len:6, max_len:12, stored_len:0
Pad char : 0x00
Reference : 135 (0x87)
Type : UTF-8
Path : 3f000101
Tries left : 3
Private RSA Key [Authentisierungsschluessel]
Object Flags : [0x01], private
Usage : [0x2E], decrypt, sign, signRecover, unwrap
Access Flags : [0x00]
Algo_refs : 0
ModLength : 3072
Key ref : 3 (0x03)
Native : yes
Path : 3f000102
Auth ID : 03
ID : 03
MD:guid : dd545c0b-161a-e1d3-fa74-298d5007fe10
Private RSA Key [Signaturschluessel]
Object Flags : [0x01], private
Usage : [0x200], nonRepudiation
Access Flags : [0x00]
Algo_refs : 0
ModLength : 3072
Key ref : 2 (0x02)
Native : yes
Path : 3f000101
Auth ID : 07
ID : 02
MD:guid : ce9faed0-a0be-f5f0-d8f3-6a52b0ce575a
X.509 Certificate [Authentisierungszertifikat]
Object Flags : [0x02], modifiable
Authority : no
Path : 3f0001030204
ID : 03
Encoded serial : 02 10 59916C9A2008D89CFB67B6B1DBD20AD0
X.509 Certificate [Signaturzertifikat]
Object Flags : [0x02], modifiable
Authority : no
Path : 3f0001030201
ID : 02
Encoded serial : 02 10 64287BA4A6D860DEAADD3F53F5BC3930
X.509 Certificate [CA-Zertifikat fuer Authentisierung]
Object Flags : [0x02], modifiable
Authority : yes
Path : 3f0001030205
ID : 03
Encoded serial : 02 03 0FE54B
X.509 Certificate [Root-CA-Zertifikat fuer Authentisierung]
Object Flags : [0x02], modifiable
Authority : yes
Path : 3f0001030206
ID : 03
Encoded serial : 02 03 0FE529
X.509 Certificate [CA-Zertifikat fuer Signatur]
Object Flags : [0x02], modifiable
Authority : yes
Path : 3f0001030202
ID : 02
Encoded serial : 02 10 69F4C9580F580F631488B9632371E72E
X.509 Certificate [Root-CA-Zertifikat fuer Signatur]
Object Flags : [0x02], modifiable
Authority : yes
Path : 3f0001030203
ID : 02
Encoded serial : 02 10 6BC22A5479D8EA68A9C5A27A909BA938
from opensc.
Sorry, I just noticed that pkcs15-tool doesn't dump user_consent. If you use debug level 7, then the ASN.1 properties should be printed, I think. Could you check if the string "userConsent" appears in the output of pkcs15-tool -D -vvvvvvvv ?
from opensc.
pkcs15-tool -D -vvvvvvvvvvvvvvvvvv 2>&1 | grep -i userConsent
11 entries found.
10 entries show 'userConsent' not present.
1 entry (the 5th entry) shows "raw data:01" and "'userConsent' returned 1".
The 5th entry is ...Private RSA Key [Signaturschluessel]
P:1497; T:0x140704553469888 00:31:37.340 [pkcs15-tool] asn1.c:1748:asn1_decode: Looking for 'userConsent', tag 0x2, OPTIONAL
P:1497; T:0x140704553469888 00:31:37.340 [pkcs15-tool] asn1.c:1762:asn1_decode: 'userConsent' not present
P:1497; T:0x140704553469888 00:31:37.342 [pkcs15-tool] asn1.c:1748:asn1_decode: Looking for 'userConsent', tag 0x2, OPTIONAL
P:1497; T:0x140704553469888 00:31:37.342 [pkcs15-tool] asn1.c:1762:asn1_decode: 'userConsent' not present
P:1497; T:0x140704553469888 00:31:37.344 [pkcs15-tool] asn1.c:1748:asn1_decode: Looking for 'userConsent', tag 0x2, OPTIONAL
P:1497; T:0x140704553469888 00:31:37.344 [pkcs15-tool] asn1.c:1762:asn1_decode: 'userConsent' not present
P:1497; T:0x140704553469888 00:31:37.407 [pkcs15-tool] asn1.c:1748:asn1_decode: Looking for 'userConsent', tag 0x2, OPTIONAL
P:1497; T:0x140704553469888 00:31:37.407 [pkcs15-tool] asn1.c:1762:asn1_decode: 'userConsent' not present
P:1497; T:0x140704553469888 00:31:37.409 [pkcs15-tool] asn1.c:1748:asn1_decode: Looking for 'userConsent', tag 0x2, OPTIONAL
P:1497; T:0x140704553469888 00:31:37.409 [pkcs15-tool] asn1.c:1501:asn1_decode_entry: decoding 'userConsent', raw data:01
P:1497; T:0x140704553469888 00:31:37.409 [pkcs15-tool] asn1.c:1527:asn1_decode_entry: decoding 'userConsent' returned 1
P:1497; T:0x140704553469888 00:31:37.437 [pkcs15-tool] asn1.c:1748:asn1_decode: Looking for 'userConsent', tag 0x2, OPTIONAL
P:1497; T:0x140704553469888 00:31:37.437 [pkcs15-tool] asn1.c:1762:asn1_decode: 'userConsent' not present
P:1497; T:0x140704553469888 00:31:37.439 [pkcs15-tool] asn1.c:1748:asn1_decode: Looking for 'userConsent', tag 0x2, OPTIONAL
P:1497; T:0x140704553469888 00:31:37.439 [pkcs15-tool] asn1.c:1762:asn1_decode: 'userConsent' not present
P:1497; T:0x140704553469888 00:31:37.479 [pkcs15-tool] asn1.c:1748:asn1_decode: Looking for 'userConsent', tag 0x2, OPTIONAL
P:1497; T:0x140704553469888 00:31:37.479 [pkcs15-tool] asn1.c:1762:asn1_decode: 'userConsent' not present
P:1497; T:0x140704553469888 00:31:37.480 [pkcs15-tool] asn1.c:1748:asn1_decode: Looking for 'userConsent', tag 0x2, OPTIONAL
P:1497; T:0x140704553469888 00:31:37.480 [pkcs15-tool] asn1.c:1762:asn1_decode: 'userConsent' not present
P:1497; T:0x140704553469888 00:31:37.482 [pkcs15-tool] asn1.c:1748:asn1_decode: Looking for 'userConsent', tag 0x2, OPTIONAL
P:1497; T:0x140704553469888 00:31:37.482 [pkcs15-tool] asn1.c:1762:asn1_decode: 'userConsent' not present
P:1497; T:0x140704553469888 00:31:37.483 [pkcs15-tool] asn1.c:1748:asn1_decode: Looking for 'userConsent', tag 0x2, OPTIONAL
P:1497; T:0x140704553469888 00:31:37.483 [pkcs15-tool] asn1.c:1762:asn1_decode: 'userConsent' not present
from opensc.
The userConsent field is not contained in the private key description object of the "Authentisierungsschluessel". It should be expected as an INTEGER tag between line 6-7. But for the "Signaturschluessel" it is present on line 21. For some reason the flag is not reported upward through the stack.
OpenSC [3F00/0104]> asn1 5001
30 SEQUENCE (66 bytes)
   30 SEQUENCE (35 bytes)
      0C UTF8String (26 bytes): Authentisierungsschluessel
      03 BIT STRING (2 bytes): 01
      04 OCTET STRING (1 byte): 03 .
   30 SEQUENCE (11 bytes)
      04 OCTET STRING (1 byte): 03 .
      03 BIT STRING (2 bytes): 101110
      02 INTEGER (2 bytes): 3
   A1 Context 1 (14 bytes)
      30 SEQUENCE (12 bytes)
         30 SEQUENCE (6 bytes)
            04 OCTET STRING (4 bytes): 3F 00 01 02 ?...
         02 INTEGER (2 bytes): 3072
30 SEQUENCE (62 bytes)
   30 SEQUENCE (30 bytes)
      0C UTF8String (18 bytes): Signaturschluessel
      03 BIT STRING (2 bytes): 01
      04 OCTET STRING (1 byte): 07 .
      02 INTEGER (1 byte): 1
   30 SEQUENCE (12 bytes)
      04 OCTET STRING (1 byte): 02 .
      03 BIT STRING (3 bytes): 1000000000
      02 INTEGER (2 bytes): 2
   A1 Context 1 (14 bytes)
      30 SEQUENCE (12 bytes)
         30 SEQUENCE (6 bytes)
            04 OCTET STRING (4 bytes): 3F 00 01 01 ?...
         02 INTEGER (2 bytes): 3072
from opensc.
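An added example (not OpenSC's code) that walks the same structure as the dump above: a minimal DER reader that decodes the CommonObjectAttributes of the two PrivateKeyObjects and reports whether the OPTIONAL userConsent INTEGER is present. The byte strings are reconstructed from the dump; their exact BIT STRING and INTEGER encodings are assumptions.

```python
# Added example, not OpenSC code: decode the CommonObjectAttributes of a PKCS#15
# PrivateKeyObject and report whether the OPTIONAL userConsent INTEGER is present.
# Both DER records are reconstructed from the `asn1 5001` dump in this thread; the
# exact BIT STRING and INTEGER encodings are assumptions.
AUTH_KEY_DER = bytes.fromhex(
    "3042"                                               # PrivateKeyObject SEQUENCE
    "3023" "0c1a" + b"Authentisierungsschluessel".hex()  # CommonObjectAttributes: label
    + "03020780" "040103"                                #   flags (private), authId 03
    "300b" "040103" "03020274" "02020003"                # CommonKeyAttributes: iD, usage, keyRef
    "a10e" "300c" "3006" "04043f000102" "02020c00"       # [1] path 3F000102, modulusLength 3072
)
SIG_KEY_DER = bytes.fromhex(
    "303e"
    "301e" "0c12" + b"Signaturschluessel".hex()
    + "03020780" "040107" "020101"                       #   flags, authId 07, userConsent 1
    "300c" "040102" "0303060040" "02020002"              # usage nonRepudiation, keyRef 2
    "a10e" "300c" "3006" "04043f000101" "02020c00"
)

def _tlv(buf, pos=0):
    """Read one DER TLV at pos (short and long-form lengths); return (tag, value, next)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                    # long form: number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _children(value):
    """Split a constructed value into its (tag, value) members."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = _tlv(value, pos)
        out.append((tag, val))
    return out

def common_object_attributes(der):
    """CommonObjectAttributes ::= SEQUENCE { label UTF8String OPTIONAL, flags BIT STRING
    OPTIONAL, authId OCTET STRING OPTIONAL, userConsent INTEGER OPTIONAL, ... }"""
    tag, outer, _ = _tlv(der)
    if tag != 0x30:
        raise ValueError("not a PKCS#15 object SEQUENCE")
    attrs = {"label": None, "private": False, "authId": None, "userConsent": None}
    for tag, val in _children(_children(outer)[0][1]):   # first member: CommonObjectAttributes
        if tag == 0x0C:
            attrs["label"] = val.decode("utf-8")
        elif tag == 0x03:                                # byte 0 = unused bits; bit 0 = private
            attrs["private"] = len(val) > 1 and bool(val[1] & 0x80)
        elif tag == 0x04:
            attrs["authId"] = val.hex()
        elif tag == 0x02:                                # absent for the authentication key
            attrs["userConsent"] = int.from_bytes(val, "big")
    return attrs
```

A PKCS#11 layer that honours the attribute has to carry this INTEGER up from the decoder; if it never reaches the key object, no PIN prompt per signature can be enforced above the card.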
@frankmorgner: by the way, I would like to give you ALL log files in ALL log levels you need to be able to analyze this issue, BUT I have read a notice that I have to be careful with that, because the logs might contain sensitive information like PINs etc.
And due to the fact that I feel "overstrained" (überfordert) with tons of lines of output, I decided not to put it here by just pasting it 1:1 - sorry for that. Next time please let me know what I have to strip/delete and I will provide all the rest. Maybe there is something like a "Beginners' Guide" to log file handling; then just send me the link ;-)
from opensc.
Keep Adobe open between the signing operations, but remove the card from the reader and reinsert it
I did not read through all the comments, but from the description, and if the above use case is not working, I think it is an issue of the software using OpenSC, that it is not able to detect the card removal and re-issue login. There is nothing in OpenSC that could do this for the application. Once the card is removed from the reader, OpenSC removes all the structures that represent the card and treats a newly inserted card as a new one (because it can be a completely different card with a different PIN and different objects).
I do not know what API is used by Acrobat on Mac, so I will not be much help regarding getting debug information from there.
from opensc.
Hi @Jakuje, just to clear up the "API" question....
In Adobe Acrobat (and also in Adobe Reader) you can "attach" PKCS11 modules (by the way, that's exactly why I landed here, because I want to sign PDFs with Acrobat or Reader using the OpenSC framework ;-).
There you have to enter the path to the pkcs11 library. In my case I just entered "/usr/local/lib/opensc-pkcs11.so"
Hope this answers your question: the API is provided by exactly this opensc-pkcs11.so library I built using the master branch with the brand new d-trust driver. Hope this makes sense regarding your comment about what API is used.
P.S.: And removing and reinserting was just one of four tests I should do so that the developer of the d-trust card can analyze where exactly the issue arises in my case. Currently everything is indicating that this is an issue regarding PIN caching, because the D-TRUST cards require entering a PIN every time you want to sign a document. That's because we are talking about so-called "qualified digital signatures" and "eIDAS" here. So maybe the user (me) would be able to work around it just by configuring opensc.conf in a way that PIN caching is avoided when using such a D-Trust Signature Card. That's my personal understanding of the current situation - but I might be wrong ;-)
from opensc.
Thank you for the clarification. So in that case, I would go ahead and try to gather the PKCS#11 trace using pkcs11-spy to see what is going on there, see
https://github.com/OpenSC/OpenSC/wiki/Using-OpenSC
You will find it much easier to remove the sensitive data from the pkcs11-level log. It will likely be just the PIN in the C_Login() function.
My assumption is that after you remove the card, Adobe will try to use some stale handles that will not work. After that, it should try to open a new session and login again, which is either not happening or is happening wrongly (or OpenSC returns some unexpected return codes that Adobe does not interpret as a need to reauthenticate). We had something similar with NSS a couple of years back.
from opensc.
We had something similar with NSS a couple of years back.
I assume you're referring to: opensc.conf
https://github.com/OpenSC/OpenSC/blob/master/etc/opensc.conf.example.in#L941-L946
from opensc.