Hi,
I'm hitting problems when re-initializing ikey3k token with pkcs15-init - I have to manually erase certificate cache (~/.eid/cache) or pkcs15-init fails *occasionally*.
I think that pkcs15-init and other lower-level utilities should not use any kind of cache, at least not when writing.

Jan
On Wednesday 12 October 2005 19:38, Jan Schermer wrote:
> I'm hitting problems when re-initializing ikey3k token with pkcs15-init
> - I have to manually erase certificate cache (~/.eid/cache) or
> pkcs15-init fails *occasionally*.
> I think that pkcs15-init and other lower-level utilities should not use
> any kind of cache, at least not when writing.

hmm. we have such a cache? didn't even know. did you change anything in the config file to enable it? (on my system I don't have such a file at all).

also could you please open a ticket at http://www.opensc.org/opensc/ so this issue is not lost? if you can reproduce it somehow, that would be a big help.

Andreas
I don't remember enabling it specifically, I usually don't change anything apart from lock_login=false (btw how insecure is that? I do it just because of Thunderbird keeping the card locked all the time, but on the other hand, not locking it may be even bigger security problem just because of that?)

I just do pkcs15-tool -L that caches the info about certs to filesystem (I assume it then looks up the certificates by looking into the cache first and then asking for a specific ID, instead of unlocking every PIN and examining the certs).

I hit it every time when using my script (attached), it really gives some strange errors, sometimes even refuses to create the first PIN. Maybe I'm hitting some race condition because of so many certs and scripted initialization. It also occurred to me when I tried initialization by hand - Btw when I began using opensc, I spent two days trying to get it working. Then I deleted the cache and wanted to kill someone :)

Below is the output from my script. Thunderbird was running at the time, cache was in place, I'm absolutely certain that my script works :)

Erasing Card: Success!
Creating PKCS#15 structures: Success!
This might take a moment. Sit back and enjoy the ride...
Creating new auth-id 1 with label [hidden email]
Failed to store PIN: Invalid arguments
Failed!
Storing certificate [hidden email] with auth-id 1:
iso7816.c:98:iso7816_check_sw: Referenced data not found
sec.c:204:sc_pin_cmd: returning with: Data object not found
pkcs15-lib.c:2502:do_get_and_verify_secret: Failed to verify PIN (ref=0x83)
pkcs15-lib.c:2748:sc_pkcs15init_update_file: File 3f0050153149 too small (require 835, have 657) - please increase size in profile
pkcs15-lib.c:2748:sc_pkcs15init_update_file: File 3f0050153149 too small (require 817, have 657) - please increase size in profile
Failed to store private key: Object not valid
Failed!
Creating new auth-id 2 with label [hidden email]
Failed to store PIN: Invalid arguments
Failed!
Storing certificate [hidden email] with auth-id 2:
iso7816.c:98:iso7816_check_sw: Referenced data not found
sec.c:204:sc_pin_cmd: returning with: Data object not found
pkcs15-lib.c:2502:do_get_and_verify_secret: Failed to verify PIN (ref=0x85)
pkcs15-lib.c:2748:sc_pkcs15init_update_file: File 3f0050153149 too small (require 835, have 657) - please increase size in profile
pkcs15-lib.c:2748:sc_pkcs15init_update_file: File 3f0050153149 too small (require 817, have 657) - please increase size in profile
Failed to store private key: Object not valid
Failed!
Creating new auth-id 3 with label [hidden email]
Failed to store PIN: Invalid arguments
Failed!
Storing certificate [hidden email] with auth-id 3:
iso7816.c:98:iso7816_check_sw: No precise diagnosis
card.c:836:sc_card_ctl: returning with: Card command failed
Failed to store private key: Card command failed
Failed!
Creating new auth-id 4 with label [hidden email]
Failed to store PIN: Invalid arguments
Failed!
Storing certificate [hidden email] with auth-id 4:
iso7816.c:98:iso7816_check_sw: No precise diagnosis
card.c:836:sc_card_ctl: returning with: Card command failed
Failed to store private key: Card command failed
Failed!
Creating new auth-id 5 with label rootCA:
Failed to store PIN: Invalid arguments
Failed!
Storing certificate rootCA.p12 with auth-id 5:
iso7816.c:98:iso7816_check_sw: No precise diagnosis
card.c:836:sc_card_ctl: returning with: Card command failed
Failed to store private key: Card command failed
Failed!

I can create debug on demand, but only if you ask, I need the card now :)
I can create the ticket later, on demand ;)

Thanks!
Jan

Andreas Jellinghaus wrote:
> On Wednesday 12 October 2005 19:38, Jan Schermer wrote:
>> I'm hitting problems when re-initializing ikey3k token with pkcs15-init
>> - I have to manually erase certificate cache (~/.eid/cache) or
>> pkcs15-init fails *occasionally*.
>> I think that pkcs15-init and other lower-level utilities should not use
>> any kind of cache, at least not when writing.
>
> hmm. we have such a cache? didn't even know. did you change anything in the config file to enable it? (on my system I don't have such a file at all).
>
> also could you please open a ticket at http://www.opensc.org/opensc/ so this issue is not lost? if you can reproduce it somehow, that would be a big help.
>
> Andreas
Jan Schermer wrote:
> Hi,
> I'm hitting problems when re-initializing ikey3k token with pkcs15-init
> - I have to manually erase certificate cache (~/.eid/cache) or
> pkcs15-init fails *occasionally*.
> I think that pkcs15-init and other lower-level utilities should not use
> any kind of cache, at least not when writing.

please test the attached patch for pkcs15-init

Cheers,
Nils

Index: src/tools/pkcs15-init.c =================================================================== --- src/tools/pkcs15-init.c (Revision 2639) +++ src/tools/pkcs15-init.c (Arbeitskopie) @@ -386,6 +386,9 @@ break; } + /* disable caching */ + p15card->opts.use_cache = 0; + /* XXX: should compare card to profile here to make * sure we're not messing things up */
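Review bot: The added `p15card->opts.use_cache = 0;` is applied to a `p15card` that already exists at this point, so it can only affect reads made after it; please confirm that nothing is loaded from the on-disk cache while that structure is being set up earlier, or move the setting ahead of that step. The comment `/* disable caching */` restates the assignment; it would be more useful to say why, for example that this tool rewrites the card and must not trust files cached from its previous contents. The change also leaves existing cache files in place, so it is worth deciding whether they should be removed or invalidated when the card is erased.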
Andreas Jellinghaus wrote:
> On Wednesday 12 October 2005 19:38, Jan Schermer wrote:
>
>>I'm hitting problems when re-initializing ikey3k token with pkcs15-init
>>- I have to manually erase certificate cache (~/.eid/cache) or
>>pkcs15-init fails *occasionally*.
>>I think that pkcs15-init and other lower-level utilities should not use
>>any kind of cache, at least not when writing.
>
>
> hmm. we have such a cache? didn't even know. did you change

yep we have ;-) even though it could be improved (and reading from it is enabled by default "use_caching" option)

> anything in the config file to enable it? (on my system I don't
> have such a file at all).

currently you must fill the cache manually with "pkcs15-tool -L" ... that needs to be changed as well

Cheers,
Nils
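Added example, not part of the thread and not OpenSC code: a shell function that empties the on-disk cache discussed above before a token is erased and re-initialized, so entries cached by an earlier "pkcs15-tool -L" cannot be read back for the new card contents. It assumes every regular, non-hidden file directly inside the cache directory is a cache entry; the function name is made up for this example.

```shell
#!/bin/sh
# Added example: purge the on-disk PKCS#15 file cache before re-initializing.
# Assumption: every regular, non-hidden file directly inside the cache
# directory is a cache entry (the thread only names ~/.eid/cache itself).

# purge_pkcs15_cache [DIR]
# Prints the number of entries removed. Returns non-zero, removing nothing,
# if DIR is a symlink, is not a directory, or is not owned by the caller.
purge_pkcs15_cache() {
    dir=${1:-"$HOME/.eid/cache"}
    removed=0

    # No cache directory means there is nothing stale to read back.
    if [ ! -e "$dir" ] && [ ! -L "$dir" ]; then
        echo 0
        return 0
    fi
    # Refuse to follow a symlinked cache directory.
    if [ -L "$dir" ] || [ ! -d "$dir" ]; then
        echo "refusing: $dir is not a plain directory" >&2
        return 1
    fi
    # -O: owned by the effective user (supported by bash, dash and ksh).
    if [ ! -O "$dir" ]; then
        echo "refusing: $dir is not owned by you" >&2
        return 1
    fi

    for f in "$dir"/*; do
        # Skip the unexpanded glob, subdirectories and symlinks.
        if [ -f "$f" ] && [ ! -L "$f" ]; then
            rm -f -- "$f" && removed=$((removed + 1))
        fi
    done
    echo "$removed"
}

# Usage before re-initializing a token (not run here):
#   purge_pkcs15_cache && pkcs15-init ...   # arguments as in your own script
```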