Bug in pkcs15-init?

Hi,
I'm hitting problems when re-initializing ikey3k token with pkcs15-init
- I have to manualy erase certificate cache (~/.eid/cache) or
pkcs15-init fails *occassionaly*.
I think that pkcs15-init and other lower-level utilities should not use
any kind of cache, at least not when writing.

Jan
_______________________________________________
opensc-user mailing list
[hidden email]
http://www.opensc.org/cgi-bin/mailman/listinfo/opensc-user

On Wednesday 12 October 2005 19:38, Jan Schermer wrote:
> I'm hitting problems when re-initializing ikey3k token with pkcs15-init
> - I have to manualy erase certificate cache (~/.eid/cache) or
> pkcs15-init fails *occassionaly*.
> I think that pkcs15-init and other lower-level utilities should not use
> any kind of cache, at least not when writing.

hmm. we have such a cache? didn't even know. did you change
anything in the config file to enable it? (on my system I don't
have such a file at all).

also could you please open a ticket at
        http://www.opensc.org/opensc/
so this issue is not lost? if you can reproduce it somehow,
that would be a big help.

Andreas
_______________________________________________
opensc-user mailing list
[hidden email]
http://www.opensc.org/cgi-bin/mailman/listinfo/opensc-user

Hi,
I don't remember enabling it specificaly, I usually don't change anything apart from lock_login=false (btw how insecure is that? I do it just because of Thundebird keeping the card locked all the time, but on the other hand, not locking it may be even bigger security problem just because of that?)

I just do

pkcs15-tool -L

that caches the info about certs to filesystem (I assume it then looks up the certificates by looking into the cache first and then asking for a specific ID, instead of unlocking every PIN and examining the certs).

I hit it every time when using my script (attached), it really gives some strange errors, sometimes even refuses to create the first PIN. Maybe I'm hitting some race condition because of so many certs and scripted initialization. It also occured to me when I tried initialization by hand - Btw when I began using opensc, I spent two days trying to get it working. Then I deleted the cache and wanted to kill someone :)

Below is the output from my script. Thunderbird was running at the time, cache was in place, I'm absolutely certain that my script works :)

Erasing Card: Success!
Creating PKCS#15 structures: Success!

This might take a moment.
Sit back and enjoy the ride...

Creating new auth-id 1 with label [hidden email] Failed to store PIN: Invalid arguments
Failed!

Storing certificate [hidden email] with auth-id 1: iso7816.c:98:iso7816_check_sw: Referenced data not found
sec.c:204:sc_pin_cmd: returning with: Data object not found
pkcs15-lib.c:2502:do_get_and_verify_secret: Failed to verify PIN (ref=0x83)
pkcs15-lib.c:2748:sc_pkcs15init_update_file: File 3f0050153149 too small (require 835, have 657) - please increase size in profile
pkcs15-lib.c:2748:sc_pkcs15init_update_file: File 3f0050153149 too small (require 817, have 657) - please increase size in profile
Failed to store private key: Object not valid
Failed!

Creating new auth-id 2 with label [hidden email] Failed to store PIN: Invalid arguments
Failed!

Storing certificate [hidden email] with auth-id 2: iso7816.c:98:iso7816_check_sw: Referenced data not found
sec.c:204:sc_pin_cmd: returning with: Data object not found
pkcs15-lib.c:2502:do_get_and_verify_secret: Failed to verify PIN (ref=0x85)
pkcs15-lib.c:2748:sc_pkcs15init_update_file: File 3f0050153149 too small (require 835, have 657) - please increase size in profile
pkcs15-lib.c:2748:sc_pkcs15init_update_file: File 3f0050153149 too small (require 817, have 657) - please increase size in profile
Failed to store private key: Object not valid
Failed!

Creating new auth-id 3 with label [hidden email] Failed to store PIN: Invalid arguments
Failed!

Storing certificate [hidden email] with auth-id 3: iso7816.c:98:iso7816_check_sw: No precise diagnosis
card.c:836:sc_card_ctl: returning with: Card command failed
Failed to store private key: Card command failed
Failed!

Creating new auth-id 4 with label [hidden email] Failed to store PIN: Invalid arguments
Failed!

Storing certificate [hidden email] with auth-id 4: iso7816.c:98:iso7816_check_sw: No precise diagnosis
card.c:836:sc_card_ctl: returning with: Card command failed
Failed to store private key: Card command failed
Failed!

Creating new auth-id 5 with label rootCA: Failed to store PIN: Invalid arguments
Failed!

Storing certificate rootCA.p12 with auth-id 5: iso7816.c:98:iso7816_check_sw: No precise diagnosis
card.c:836:sc_card_ctl: returning with: Card command failed
Failed to store private key: Card command failed
Failed!

I can create debug on demand, but only if you ask, I need the card now :)
I can create the ticket later, on demand ;)

Thanks!

Jan

Andreas Jellinghaus wrote:

On Wednesday 12 October 2005 19:38, Jan Schermer wrote:
  

I'm hitting problems when re-initializing ikey3k token with pkcs15-init 
- I have to manualy erase certificate cache (~/.eid/cache) or 
pkcs15-init fails *occassionaly*.
I think that pkcs15-init and other lower-level utilities should not use 
any kind of cache, at least not when writing.
    

hmm. we have such a cache? didn't even know. did you change
anything in the config file to enable it? (on my system I don't
have such a file at all).

also could you please open a ticket at
	http://www.opensc.org/opensc/
so this issue is not lost? if you can reproduce it somehow,
that would be a big help.

Andreas
  

_______________________________________________
opensc-user mailing list
[hidden email]
http://www.opensc.org/cgi-bin/mailman/listinfo/opensc-user

and the file supposed to be attached is here, as usual :)

Jan Schermer wrote:

Hi,
I don't remember enabling it specificaly, I usually don't change anything apart from lock_login=false (btw how insecure is that? I do it just because of Thundebird keeping the card locked all the time, but on the other hand, not locking it may be even bigger security problem just because of that?)

I just do

pkcs15-tool -L

that caches the info about certs to filesystem (I assume it then looks up the certificates by looking into the cache first and then asking for a specific ID, instead of unlocking every PIN and examining the certs).

I hit it every time when using my script (attached), it really gives some strange errors, sometimes even refuses to create the first PIN. Maybe I'm hitting some race condition because of so many certs and scripted initialization. It also occured to me when I tried initialization by hand - Btw when I began using opensc, I spent two days trying to get it working. Then I deleted the cache and wanted to kill someone :)

Below is the output from my script. Thunderbird was running at the time, cache was in place, I'm absolutely certain that my script works :)

Erasing Card: Success!
Creating PKCS#15 structures: Success!

This might take a moment.
Sit back and enjoy the ride...

Creating new auth-id 1 with label [hidden email] Failed to store PIN: Invalid arguments
Failed!

Storing certificate [hidden email] with auth-id 1: iso7816.c:98:iso7816_check_sw: Referenced data not found
sec.c:204:sc_pin_cmd: returning with: Data object not found
pkcs15-lib.c:2502:do_get_and_verify_secret: Failed to verify PIN (ref=0x83)
pkcs15-lib.c:2748:sc_pkcs15init_update_file: File 3f0050153149 too small (require 835, have 657) - please increase size in profile
pkcs15-lib.c:2748:sc_pkcs15init_update_file: File 3f0050153149 too small (require 817, have 657) - please increase size in profile
Failed to store private key: Object not valid
Failed!

Creating new auth-id 2 with label [hidden email] Failed to store PIN: Invalid arguments
Failed!

Storing certificate [hidden email] with auth-id 2: iso7816.c:98:iso7816_check_sw: Referenced data not found
sec.c:204:sc_pin_cmd: returning with: Data object not found
pkcs15-lib.c:2502:do_get_and_verify_secret: Failed to verify PIN (ref=0x85)
pkcs15-lib.c:2748:sc_pkcs15init_update_file: File 3f0050153149 too small (require 835, have 657) - please increase size in profile
pkcs15-lib.c:2748:sc_pkcs15init_update_file: File 3f0050153149 too small (require 817, have 657) - please increase size in profile
Failed to store private key: Object not valid
Failed!

Creating new auth-id 3 with label [hidden email] Failed to store PIN: Invalid arguments
Failed!

Storing certificate [hidden email] with auth-id 3: iso7816.c:98:iso7816_check_sw: No precise diagnosis
card.c:836:sc_card_ctl: returning with: Card command failed
Failed to store private key: Card command failed
Failed!

Creating new auth-id 4 with label [hidden email] Failed to store PIN: Invalid arguments
Failed!

Storing certificate [hidden email] with auth-id 4: iso7816.c:98:iso7816_check_sw: No precise diagnosis
card.c:836:sc_card_ctl: returning with: Card command failed
Failed to store private key: Card command failed
Failed!

Creating new auth-id 5 with label rootCA: Failed to store PIN: Invalid arguments
Failed!

Storing certificate rootCA.p12 with auth-id 5: iso7816.c:98:iso7816_check_sw: No precise diagnosis
card.c:836:sc_card_ctl: returning with: Card command failed
Failed to store private key: Card command failed
Failed!

I can create debug on demand, but only if you ask, I need the card now :)
I can create the ticket later, on demand ;)

Thanks!

Jan

Andreas Jellinghaus wrote:

On Wednesday 12 October 2005 19:38, Jan Schermer wrote:
  

I'm hitting problems when re-initializing ikey3k token with pkcs15-init 
- I have to manualy erase certificate cache (~/.eid/cache) or 
pkcs15-init fails *occassionaly*.
I think that pkcs15-init and other lower-level utilities should not use 
any kind of cache, at least not when writing.
    

hmm. we have such a cache? didn't even know. did you change
anything in the config file to enable it? (on my system I don't
have such a file at all).

also could you please open a ticket at
	http://www.opensc.org/opensc/
so this issue is not lost? if you can reproduce it somehow,
that would be a big help.

Andreas
  

_______________________________________________
opensc-user mailing list
[hidden email]
http://www.opensc.org/cgi-bin/mailman/listinfo/opensc-user

_______________________________________________
opensc-user mailing list
[hidden email]
http://www.opensc.org/cgi-bin/mailman/listinfo/opensc-user

Jan Schermer wrote:
> Hi,
> I'm hitting problems when re-initializing ikey3k token with pkcs15-init
> - I have to manualy erase certificate cache (~/.eid/cache) or
> pkcs15-init fails *occassionaly*.
> I think that pkcs15-init and other lower-level utilities should not use
> any kind of cache, at least not when writing.

please test the attached patch for pkcs15-init

Cheers,
Nils

Index: src/tools/pkcs15-init.c
===================================================================
--- src/tools/pkcs15-init.c (Revision 2639)
+++ src/tools/pkcs15-init.c (Arbeitskopie)
@@ -386,6 +386,9 @@
  break;
  }
 
+ /* disable caching */
+ p15card->opts.use_cache = 0;
+
  /* XXX: should compare card to profile here to make
  * sure we're not messing things up */
 

_______________________________________________
opensc-user mailing list
[hidden email]
http://www.opensc.org/cgi-bin/mailman/listinfo/opensc-user

Andreas Jellinghaus wrote:
yep we have ;-) even though it could be improved (and reading
from it is enabled by default "use_caching" option)

> anything in the config file to enable it? (on my system I don't
> have such a file at all).

currently you must fill the cache manually with "pkcs15-tool -L" ...
that needs to be changed as well

Cheers,
Nils
_______________________________________________
opensc-user mailing list
[hidden email]
http://www.opensc.org/cgi-bin/mailman/listinfo/opensc-user