CKR_ARGUMENTS_BAD

classic Classic list List threaded Threaded
24 messages Options
12
Reply | Threaded
Open this post in threaded view
|

CKR_ARGUMENTS_BAD

Francesco Muzio
Hello,

I have some trouble with a smartcard that should be structured as a
standard italian CNS.

this problem renders unusable the smart card for usages like strong
authentication and strong signature. It seems related to the error
produced with this command:

$ pkcs11-tool --module=opensc-pkcs11.so -t -l
Using slot 1 with a present token (0x1)
Logging in to "TEST CARD (PIN CNS".
Please enter User PIN:
C_SeedRandom() and C_GenerateRandom():
   seeding (C_SeedRandom) not supported
   seems to be OK
Digests:
   all 4 digest functions seem to work
   MD5: OK
   SHA-1: OK
   RIPEMD160: OK
Signatures (currently only RSA signatures)
   testing key 0 (CNS0)
error: PKCS11 function C_SignFinal failed: rv = CKR_ARGUMENTS_BAD (0x7)

this smartcard is provided with two different PIN (the first to access
into the smartcard, the second to authorize the signature) but during
the test performed above only the first PIN is requested.

-----------

some useful information:

$ opensc-tool --verbose --info
OpenSC 0.14.0 [gcc  4.9.0]
Enabled features: zlib readline openssl pcsc(libpcsclite.so.1)

$ opensc-tool -l
# Detected readers (pcsc)
Nr.  Card  Features  Name
0    Yes   PIN pad   SCM Microsystems Inc. SPR 532 [Vendor Interface]
(21221213203345) 00 00

$ opensc-tool --reader 0 --atr
3b:ff:18:00:ff:81:31:fe:55:00:6b:02:09:13:01:01:11:01:43:4e:53:11:31:80:9e

$ pkcs15-tool --dump
Using reader with a card: SCM Microsystems Inc. SPR 532 [Vendor
Interface] (21221213203345) 00 00
PKCS#15 Card [TEST CARD]:
         Version        : 0
         Serial number  : 0000000000000009
         Manufacturer ID: IC: STMicroelectronics; mask: STIncard
         Flags :

PIN [PIN CNS0]
         Object Flags   : [0x3], private, modifiable
         Auth ID        : a0
         ID             : 01
         Flags          : [0x11], case-sensitive, initialized
         Length         : min_len:5, max_len:8, stored_len:8
         Pad char       : 0xFF
         Reference      : 16 (0x10)
         Type           : ascii-numeric
         Tries left     : 0

PIN [PUK CNS0]
         Object Flags   : [0x1], private
         ID             : a0
         Flags          : [0x59], case-sensitive, unblock-disabled,
initialized, unblockingPin
         Length         : min_len:5, max_len:8, stored_len:8
         Pad char       : 0xFF
         Reference      : 17 (0x11)
         Type           : ascii-numeric
         Tries left     : 0

Private RSA Key [CNS0]
         Object Flags   : [0x1], private
         Usage          : [0x24], sign, unwrap
         Access Flags   : [0x1D], sensitive, alwaysSensitive,
neverExtract, local
         ModLength      : 1024
         Key ref        : 1 (0x1)
         Native         : yes
         Auth ID        : 01
         ID             : 01

Public RSA Key [CNS0]
         Object Flags   : [0x0]
         Usage          : [0x50], wrap, verify
         Access Flags   : [0x2], extract
         ModLength      : 1024
         Key ref        : 1 (0x1)
         Native         : no
         Path           : 3f003f01
         ID             : 01
         DirectValue    : <absent>

X.509 Certificate [CNS0]
         Object Flags   : [0x0]
         Authority      : no
         Path           : 3f0011001101
         ID             : 01
         Encoded serial : 02 08 581254B166D79C4F
Data object 'EF_DatiProcessore'
         applicationName: EF_DatiProcessore
         Path:            3f0010001002
         Data (54 bytes):
303530383031303054455354303030303900303030303030303030303030303030303030303030303030303030303030
                   303030303030
Data object 'EF_IDCarta'
         applicationName: EF_IDCarta
         Path:            3f0010001003
         Data (16 bytes): 30303030303030303030303030303039
Data object 'EF_DatiPersonali'
         applicationName: EF_DatiPersonali
         Path:            3f0011001102
         Data (400 bytes):
30303030393130343030303030383330303532303134303831363130323031383044434F474E4F4D4520534554544530
394E4F4D4553455454453038313631303139393030314D3033313930313043474E4E535439305235364D313538453033
49544130344D313538303030374955593536383730344D31353831335649414C45204D414E492044414C492720313030
300000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
                    00000000000000000000000000000000
Data object 'EF_DatiPersonaliAggiuntivi'
         applicationName: EF_DatiPersonaliAggiuntivi
         Path:            3f0012001201
         Data (100 bytes):
303030303141303654455354454930303035363938373030314E00000000000000000000000000000000000000000000
000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
                    00000000
Data object 'EF_MemoriaResidua'
         applicationName: EF_MemoriaResidua
         Path:            3f0012001202
         Data (2 bytes): 8000
Data object 'EF_ServiziInstallati'
         applicationName: EF_ServiziInstallati
         Path:            3f0012001203
         Data (160 bytes):
000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
                    00000000000000000000000000000000
Data object 'EF_INST_FILE'
         applicationName: EF_INST_FILE
         Path:            3f0012004142
         Data (128 bytes):
4FE9836BA5F3247D4D9F3DF896AC7963333B7BC63D03ACACCEBDC9B64910FDF1D0AE3D2E053F114C5E5D174D68832F51
31BEA3B150B9B20F76924E385D152DD766D150BA33E7C7304C8AA4B4D1773BF8E5F5B3E5F7E9F990CE13583DBAE4517A
3B2DCBD5CD0AEDB63CC753B0A9FBB3053AB48EA757ADD1392A9E734356B04635
Data object 'EF_CardStatus'
         applicationName: EF_CardStatus
         Path:            3f003f02
         Data (20 bytes): 0000000000000000000000000000000000000000
Data object 'EF_GDO'
         applicationName: EF_GDO
         Path:            3f002f02
         Data (105 bytes):
5A1C80380009120000000000000009095F2017434F474E4F4D45205345545445204E4F4D455345545445531B50444330
333030D10102BCD20107D0D30104B0D40107D0D501006400000000000000000000000000000000000000000000000000
                    000000000000000000
Data object 'EF_RootInstFile'
         applicationName: EF_RootInstFile
         Path:            3f000405
         Data (128 bytes):
9C62EC7DF6974433A5B182211A1E1E81EC0ABD1568F50BB67390FEA0D4ADF9F7F6581538DADAB387A5CAF0CE757CAE4E
69A6F732506204D4E290897A0D869788AA97FF5D7F661B8438FB1EE920400E9607C09E0BBFD2E6814F80B2394474605E
B0AB3D44DF1AB5EDAE84C3792A24D0645EDC75DB8C26C425A39BFAD23EEB3A49


------------------------------------------------------------------------------
Slashdot TV.  
Video for Nerds.  Stuff that matters.
http://tv.slashdot.org/
_______________________________________________
Opensc-devel mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/opensc-devel
Reply | Threaded
Open this post in threaded view
|

Re: CKR_ARGUMENTS_BAD

Douglas E Engert


On 8/28/2014 3:39 AM, Francesco Muzio wrote:

> Hello,
>
> I have some trouble with a smartcard that should be structured as a
> standard italian CNS.
>
> this problem renders unusable the smart card for usages like strong
> authentication and strong signature. It seems related to the error
> produced with this command:
>
> $ pkcs11-tool --module=opensc-pkcs11.so -t -l
> Using slot 1 with a present token (0x1)
> Logging in to "TEST CARD (PIN CNS".
> Please enter User PIN:
> C_SeedRandom() and C_GenerateRandom():
>     seeding (C_SeedRandom) not supported
>     seems to be OK
> Digests:
>     all 4 digest functions seem to work
>     MD5: OK
>     SHA-1: OK
>     RIPEMD160: OK
> Signatures (currently only RSA signatures)
>     testing key 0 (CNS0)
> error: PKCS11 function C_SignFinal failed: rv = CKR_ARGUMENTS_BAD (0x7)
>
> this smartcard is provided with two different PIN (the first to access
> into the smartcard, the second to authorize the signature) but during
> the test performed above only the first PIN is requested.

What might be more helpful is a OpenSC debug log and pkcs11-spy log.

If there are 2 different pins, that could complicate it.

PKCS#11 does have a CKA_ALWAYS_AUTHENTICATE flag, that says
that the pin must be entered just before the use of keys that
have this attribute. PIN caching might be hiding the problem,
or the card is enforcing CKA_ALWAYS_AUTHENTICATE but the
OpenSC code does not know the card is enforcing it.


>
> -----------
>
> some useful information:
>
> $ opensc-tool --verbose --info
> OpenSC 0.14.0 [gcc  4.9.0]
> Enabled features: zlib readline openssl pcsc(libpcsclite.so.1)
>
> $ opensc-tool -l
> # Detected readers (pcsc)
> Nr.  Card  Features  Name
> 0    Yes   PIN pad   SCM Microsystems Inc. SPR 532 [Vendor Interface]
> (21221213203345) 00 00
>
> $ opensc-tool --reader 0 --atr
> 3b:ff:18:00:ff:81:31:fe:55:00:6b:02:09:13:01:01:11:01:43:4e:53:11:31:80:9e
>
> $ pkcs15-tool --dump
> Using reader with a card: SCM Microsystems Inc. SPR 532 [Vendor
> Interface] (21221213203345) 00 00
> PKCS#15 Card [TEST CARD]:
>           Version        : 0
>           Serial number  : 0000000000000009
>           Manufacturer ID: IC: STMicroelectronics; mask: STIncard
>           Flags :
>
> PIN [PIN CNS0]
>           Object Flags   : [0x3], private, modifiable
>           Auth ID        : a0
>           ID             : 01
>           Flags          : [0x11], case-sensitive, initialized
>           Length         : min_len:5, max_len:8, stored_len:8
>           Pad char       : 0xFF
>           Reference      : 16 (0x10)
>           Type           : ascii-numeric
>           Tries left     : 0
>
> PIN [PUK CNS0]
>           Object Flags   : [0x1], private
>           ID             : a0
>           Flags          : [0x59], case-sensitive, unblock-disabled,
> initialized, unblockingPin
>           Length         : min_len:5, max_len:8, stored_len:8
>           Pad char       : 0xFF
>           Reference      : 17 (0x11)
>           Type           : ascii-numeric
>           Tries left     : 0
>
> Private RSA Key [CNS0]
>           Object Flags   : [0x1], private
>           Usage          : [0x24], sign, unwrap
>           Access Flags   : [0x1D], sensitive, alwaysSensitive,
> neverExtract, local
>           ModLength      : 1024
>           Key ref        : 1 (0x1)
>           Native         : yes
>           Auth ID        : 01
>           ID             : 01
>
> Public RSA Key [CNS0]
>           Object Flags   : [0x0]
>           Usage          : [0x50], wrap, verify
>           Access Flags   : [0x2], extract
>           ModLength      : 1024
>           Key ref        : 1 (0x1)
>           Native         : no
>           Path           : 3f003f01
>           ID             : 01
>           DirectValue    : <absent>
>
> X.509 Certificate [CNS0]
>           Object Flags   : [0x0]
>           Authority      : no
>           Path           : 3f0011001101
>           ID             : 01
>           Encoded serial : 02 08 581254B166D79C4F
> Data object 'EF_DatiProcessore'
>           applicationName: EF_DatiProcessore
>           Path:            3f0010001002
>           Data (54 bytes):
> 303530383031303054455354303030303900303030303030303030303030303030303030303030303030303030303030
>                     303030303030
> Data object 'EF_IDCarta'
>           applicationName: EF_IDCarta
>           Path:            3f0010001003
>           Data (16 bytes): 30303030303030303030303030303039
> Data object 'EF_DatiPersonali'
>           applicationName: EF_DatiPersonali
>           Path:            3f0011001102
>           Data (400 bytes):
> 30303030393130343030303030383330303532303134303831363130323031383044434F474E4F4D4520534554544530
> 394E4F4D4553455454453038313631303139393030314D3033313930313043474E4E535439305235364D313538453033
> 49544130344D313538303030374955593536383730344D31353831335649414C45204D414E492044414C492720313030
> 300000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
> 000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
> 000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
> 000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
> 000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
>                      00000000000000000000000000000000
> Data object 'EF_DatiPersonaliAggiuntivi'
>           applicationName: EF_DatiPersonaliAggiuntivi
>           Path:            3f0012001201
>           Data (100 bytes):
> 303030303141303654455354454930303035363938373030314E00000000000000000000000000000000000000000000
> 000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
>                      00000000
> Data object 'EF_MemoriaResidua'
>           applicationName: EF_MemoriaResidua
>           Path:            3f0012001202
>           Data (2 bytes): 8000
> Data object 'EF_ServiziInstallati'
>           applicationName: EF_ServiziInstallati
>           Path:            3f0012001203
>           Data (160 bytes):
> 000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
> 000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
> 000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
>                      00000000000000000000000000000000
> Data object 'EF_INST_FILE'
>           applicationName: EF_INST_FILE
>           Path:            3f0012004142
>           Data (128 bytes):
> 4FE9836BA5F3247D4D9F3DF896AC7963333B7BC63D03ACACCEBDC9B64910FDF1D0AE3D2E053F114C5E5D174D68832F51
> 31BEA3B150B9B20F76924E385D152DD766D150BA33E7C7304C8AA4B4D1773BF8E5F5B3E5F7E9F990CE13583DBAE4517A
> 3B2DCBD5CD0AEDB63CC753B0A9FBB3053AB48EA757ADD1392A9E734356B04635
> Data object 'EF_CardStatus'
>           applicationName: EF_CardStatus
>           Path:            3f003f02
>           Data (20 bytes): 0000000000000000000000000000000000000000
> Data object 'EF_GDO'
>           applicationName: EF_GDO
>           Path:            3f002f02
>           Data (105 bytes):
> 5A1C80380009120000000000000009095F2017434F474E4F4D45205345545445204E4F4D455345545445531B50444330
> 333030D10102BCD20107D0D30104B0D40107D0D501006400000000000000000000000000000000000000000000000000
>                      000000000000000000
> Data object 'EF_RootInstFile'
>           applicationName: EF_RootInstFile
>           Path:            3f000405
>           Data (128 bytes):
> 9C62EC7DF6974433A5B182211A1E1E81EC0ABD1568F50BB67390FEA0D4ADF9F7F6581538DADAB387A5CAF0CE757CAE4E
> 69A6F732506204D4E290897A0D869788AA97FF5D7F661B8438FB1EE920400E9607C09E0BBFD2E6814F80B2394474605E
> B0AB3D44DF1AB5EDAE84C3792A24D0645EDC75DB8C26C425A39BFAD23EEB3A49
>
>
> ------------------------------------------------------------------------------
> Slashdot TV.
> Video for Nerds.  Stuff that matters.
> http://tv.slashdot.org/
> _______________________________________________
> Opensc-devel mailing list
> [hidden email]
> https://lists.sourceforge.net/lists/listinfo/opensc-devel
>

--

  Douglas E. Engert  <[hidden email]>


------------------------------------------------------------------------------
Slashdot TV.  
Video for Nerds.  Stuff that matters.
http://tv.slashdot.org/
_______________________________________________
Opensc-devel mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/opensc-devel
Reply | Threaded
Open this post in threaded view
|

Re: CKR_ARGUMENTS_BAD

Douglas E Engert
In reply to this post by Francesco Muzio
P.S.

pkcs15-tool --dump shows only one user PIN, If there is another,
I would expect it to show up in the PKCS15 profile.

(I know nothing about the Italian CNS, so others may better ideas
on what needs to be fixed.)

On 8/28/2014 3:39 AM, Francesco Muzio wrote:

> Hello,
>
> I have some trouble with a smartcard that should be structured as a
> standard italian CNS.
>
> this problem renders unusable the smart card for usages like strong
> authentication and strong signature. It seems related to the error
> produced with this command:
>
> $ pkcs11-tool --module=opensc-pkcs11.so -t -l
> Using slot 1 with a present token (0x1)
> Logging in to "TEST CARD (PIN CNS".
> Please enter User PIN:
> C_SeedRandom() and C_GenerateRandom():
>     seeding (C_SeedRandom) not supported
>     seems to be OK
> Digests:
>     all 4 digest functions seem to work
>     MD5: OK
>     SHA-1: OK
>     RIPEMD160: OK
> Signatures (currently only RSA signatures)
>     testing key 0 (CNS0)
> error: PKCS11 function C_SignFinal failed: rv = CKR_ARGUMENTS_BAD (0x7)
>
> this smartcard is provided with two different PIN (the first to access
> into the smartcard, the second to authorize the signature) but during
> the test performed above only the first PIN is requested.
>
> -----------
>
> some useful information:
>
> $ opensc-tool --verbose --info
> OpenSC 0.14.0 [gcc  4.9.0]
> Enabled features: zlib readline openssl pcsc(libpcsclite.so.1)
>
> $ opensc-tool -l
> # Detected readers (pcsc)
> Nr.  Card  Features  Name
> 0    Yes   PIN pad   SCM Microsystems Inc. SPR 532 [Vendor Interface]
> (21221213203345) 00 00
>
> $ opensc-tool --reader 0 --atr
> 3b:ff:18:00:ff:81:31:fe:55:00:6b:02:09:13:01:01:11:01:43:4e:53:11:31:80:9e
>
> $ pkcs15-tool --dump
> Using reader with a card: SCM Microsystems Inc. SPR 532 [Vendor
> Interface] (21221213203345) 00 00
> PKCS#15 Card [TEST CARD]:
>           Version        : 0
>           Serial number  : 0000000000000009
>           Manufacturer ID: IC: STMicroelectronics; mask: STIncard
>           Flags :
>
> PIN [PIN CNS0]
>           Object Flags   : [0x3], private, modifiable
>           Auth ID        : a0
>           ID             : 01
>           Flags          : [0x11], case-sensitive, initialized
>           Length         : min_len:5, max_len:8, stored_len:8
>           Pad char       : 0xFF
>           Reference      : 16 (0x10)
>           Type           : ascii-numeric
>           Tries left     : 0
>
> PIN [PUK CNS0]
>           Object Flags   : [0x1], private
>           ID             : a0
>           Flags          : [0x59], case-sensitive, unblock-disabled,
> initialized, unblockingPin
>           Length         : min_len:5, max_len:8, stored_len:8
>           Pad char       : 0xFF
>           Reference      : 17 (0x11)
>           Type           : ascii-numeric
>           Tries left     : 0
>
> Private RSA Key [CNS0]
>           Object Flags   : [0x1], private
>           Usage          : [0x24], sign, unwrap
>           Access Flags   : [0x1D], sensitive, alwaysSensitive,
> neverExtract, local
>           ModLength      : 1024
>           Key ref        : 1 (0x1)
>           Native         : yes
>           Auth ID        : 01
>           ID             : 01
>
> Public RSA Key [CNS0]
>           Object Flags   : [0x0]
>           Usage          : [0x50], wrap, verify
>           Access Flags   : [0x2], extract
>           ModLength      : 1024
>           Key ref        : 1 (0x1)
>           Native         : no
>           Path           : 3f003f01
>           ID             : 01
>           DirectValue    : <absent>
>
> X.509 Certificate [CNS0]
>           Object Flags   : [0x0]
>           Authority      : no
>           Path           : 3f0011001101
>           ID             : 01
>           Encoded serial : 02 08 581254B166D79C4F
> Data object 'EF_DatiProcessore'
>           applicationName: EF_DatiProcessore
>           Path:            3f0010001002
>           Data (54 bytes):
> 303530383031303054455354303030303900303030303030303030303030303030303030303030303030303030303030
>                     303030303030
> Data object 'EF_IDCarta'
>           applicationName: EF_IDCarta
>           Path:            3f0010001003
>           Data (16 bytes): 30303030303030303030303030303039
> Data object 'EF_DatiPersonali'
>           applicationName: EF_DatiPersonali
>           Path:            3f0011001102
>           Data (400 bytes):
> 30303030393130343030303030383330303532303134303831363130323031383044434F474E4F4D4520534554544530
> 394E4F4D4553455454453038313631303139393030314D3033313930313043474E4E535439305235364D313538453033
> 49544130344D313538303030374955593536383730344D31353831335649414C45204D414E492044414C492720313030
> 300000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
> 000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
> 000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
> 000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
> 000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
>                      00000000000000000000000000000000
> Data object 'EF_DatiPersonaliAggiuntivi'
>           applicationName: EF_DatiPersonaliAggiuntivi
>           Path:            3f0012001201
>           Data (100 bytes):
> 303030303141303654455354454930303035363938373030314E00000000000000000000000000000000000000000000
> 000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
>                      00000000
> Data object 'EF_MemoriaResidua'
>           applicationName: EF_MemoriaResidua
>           Path:            3f0012001202
>           Data (2 bytes): 8000
> Data object 'EF_ServiziInstallati'
>           applicationName: EF_ServiziInstallati
>           Path:            3f0012001203
>           Data (160 bytes):
> 000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
> 000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
> 000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
>                      00000000000000000000000000000000
> Data object 'EF_INST_FILE'
>           applicationName: EF_INST_FILE
>           Path:            3f0012004142
>           Data (128 bytes):
> 4FE9836BA5F3247D4D9F3DF896AC7963333B7BC63D03ACACCEBDC9B64910FDF1D0AE3D2E053F114C5E5D174D68832F51
> 31BEA3B150B9B20F76924E385D152DD766D150BA33E7C7304C8AA4B4D1773BF8E5F5B3E5F7E9F990CE13583DBAE4517A
> 3B2DCBD5CD0AEDB63CC753B0A9FBB3053AB48EA757ADD1392A9E734356B04635
> Data object 'EF_CardStatus'
>           applicationName: EF_CardStatus
>           Path:            3f003f02
>           Data (20 bytes): 0000000000000000000000000000000000000000
> Data object 'EF_GDO'
>           applicationName: EF_GDO
>           Path:            3f002f02
>           Data (105 bytes):
> 5A1C80380009120000000000000009095F2017434F474E4F4D45205345545445204E4F4D455345545445531B50444330
> 333030D10102BCD20107D0D30104B0D40107D0D501006400000000000000000000000000000000000000000000000000
>                      000000000000000000
> Data object 'EF_RootInstFile'
>           applicationName: EF_RootInstFile
>           Path:            3f000405
>           Data (128 bytes):
> 9C62EC7DF6974433A5B182211A1E1E81EC0ABD1568F50BB67390FEA0D4ADF9F7F6581538DADAB387A5CAF0CE757CAE4E
> 69A6F732506204D4E290897A0D869788AA97FF5D7F661B8438FB1EE920400E9607C09E0BBFD2E6814F80B2394474605E
> B0AB3D44DF1AB5EDAE84C3792A24D0645EDC75DB8C26C425A39BFAD23EEB3A49
>
>
> ------------------------------------------------------------------------------
> Slashdot TV.
> Video for Nerds.  Stuff that matters.
> http://tv.slashdot.org/
> _______________________________________________
> Opensc-devel mailing list
> [hidden email]
> https://lists.sourceforge.net/lists/listinfo/opensc-devel
>

--

  Douglas E. Engert  <[hidden email]>


------------------------------------------------------------------------------
Slashdot TV.  
Video for Nerds.  Stuff that matters.
http://tv.slashdot.org/
_______________________________________________
Opensc-devel mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/opensc-devel
Reply | Threaded
Open this post in threaded view
|

Re: CKR_ARGUMENTS_BAD

NdK-3
Il 28/08/2014 15:25, Douglas E Engert ha scritto:

> pkcs15-tool --dump shows only one user PIN, If there is another,
> I would expect it to show up in the PKCS15 profile.
>
> (I know nothing about the Italian CNS, so others may better ideas
> on what needs to be fixed.)
IIRC it needs to use SM for signature-related ops. Might it be that the
signature pin is hidden when accessing the card without SM?

BYtE,
 Diego


------------------------------------------------------------------------------
Slashdot TV.  
Video for Nerds.  Stuff that matters.
http://tv.slashdot.org/
_______________________________________________
Opensc-devel mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/opensc-devel
Reply | Threaded
Open this post in threaded view
|

Re: CKR_ARGUMENTS_BAD

Francesco Muzio
I have done two tests and for both I have logged the messages produced
by  opensc and pkcs11-spy

as attachment of this mail four logs are contained in a tar.gz archive

these are produced with the command
pkcs11-tool --module=pkcs11-spy.so -t -l

opensc-debug-pkcs11-tool.log
spy_output_pkcs11-tool.log

and these are produced after an SSL Client authentication attempt

opensc-debug-SSL.log
spy_output_SSL.log


if you need other info or request some test, I'm not so skilled, but
always available.

What are the meaning for the acronyms IIRC and SM ?

------------------------------------------------------------------------------
Slashdot TV.  
Video for Nerds.  Stuff that matters.
http://tv.slashdot.org/
_______________________________________________
Opensc-devel mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/opensc-devel

debug.tar.gz (152K) Download Attachment
Reply | Threaded
Open this post in threaded view
|

Re: CKR_ARGUMENTS_BAD

Douglas E Engert
The problem appears to be in iso7816.c were it is trying to send 257 bytes,
but the ISO7816.c is not supporting extended APDU or command chaining.

Frank Morgner has a patch that may address this problem.

  https://github.com/OpenSC/OpenSC/pull/260

Can you try this patch?
Frank can you look at this problem closer?


0x7f05454ef700 10:43:39.268 [opensc-pkcs11] iso7816.c:881:iso7816_decipher: called
6492 0x7f05454ef700 10:43:39.268 [opensc-pkcs11] apdu.c:559:sc_transmit_apdu: called
6493 0x7f05454ef700 10:43:39.268 [opensc-pkcs11] apdu.c:348:sc_check_apdu: Invalid Case 4 short APDU:
6494 cse=04 cla=00 ins=2a p1=80 p2=86 lc=257 le=1024
6495 resp=0x7fff965d8a30 resplen=1024 data=0xf28d00 datalen=257
6496 0x7f05454ef700 10:43:39.268 [opensc-pkcs11] iso7816.c:909:iso7816_decipher: APDU transmit failed: -1300 (Invalid arguments)
6497 0x7f05454ef700 10:43:39.268 [opensc-pkcs11] sec.c:42:sc_decipher: returning with: -1300 (Invalid arguments)
6498 0x7f05454ef700 10:43:39.268 [opensc-pkcs11] card.c:361:sc_unlock: called
6499 0x7f05454ef700 10:43:39.268 [opensc-pkcs11] pkcs15-sec.c:167:sc_pkcs15_decipher: sc_decipher() failed: -1300 (Invalid arguments)
6500 0x7f05454ef700 10:43:39.268 [opensc-pkcs11] pkcs15-sec.c:400:sc_pkcs15_compute_signature: returning with: -1300 (Invalid arguments)
6501 0x7f05454ef700 10:43:39.268 [opensc-pkcs11] card.c:361:sc_unlock: called
6502 0x7f05454ef700 10:43:39.268 [opensc-pkcs11] reader-pcsc.c:554:pcsc_unlock: called
6503 0x7f05454ef700 10:43:39.273 [opensc-pkcs11] framework-pkcs15.c:3601:pkcs15_prkey_sign: Sign complete. Result -1300.
6504 0x7f05454ef700 10:43:39.273 [opensc-pkcs11] misc.c:61:sc_to_cryptoki_error_common: libopensc return value: -1300 (Invalid arguments)
6505 0x7f05454ef700 10:43:39.273 [opensc-pkcs11] mechanism.c:444:sc_pkcs11_signature_final: returning with: 7
6506 0x7f05454ef700 10:43:39.273 [opensc-pkcs11] mechanism.c:309:sc_pkcs11_sign_final: returning with: 7
6507 0x7f05454ef700 10:43:39.273 [opensc-pkcs11] pkcs11-object.c:744:C_SignFinal: C_SignFinal() = CKR_ARGUMENTS_BAD




On 8/29/2014 4:43 AM, Francesco Muzio wrote:

> I have done two tests and for both I have logged the messages produced by  opensc and pkcs11-spy
>
> as attachment of this mail four logs are contained in a tar.gz archive
>
> these are produced with the command
> pkcs11-tool --module=pkcs11-spy.so -t -l
>
> opensc-debug-pkcs11-tool.log
> spy_output_pkcs11-tool.log
>
> and these are produced after an SSL Client authentication attempt
>
> opensc-debug-SSL.log
> spy_output_SSL.log
>
>
> if you need other info or request some test, I'm not so skilled, but always available.
>
> What are the meaning for the acronyms IIRC and SM ?
>
>
> ------------------------------------------------------------------------------
> Slashdot TV.
> Video for Nerds.  Stuff that matters.
> http://tv.slashdot.org/
>
>
>
> _______________________________________________
> Opensc-devel mailing list
> [hidden email]
> https://lists.sourceforge.net/lists/listinfo/opensc-devel
>

--

  Douglas E. Engert  <[hidden email]>


------------------------------------------------------------------------------
Slashdot TV.  
Video for Nerds.  Stuff that matters.
http://tv.slashdot.org/
_______________________________________________
Opensc-devel mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/opensc-devel
Reply | Threaded
Open this post in threaded view
|

Re: CKR_ARGUMENTS_BAD

Frank Morgner
Actually raw deciphering with RSA 2048 was exactly what I used the patch
for.

Francesco, could you verify if my patch fixes your issue?

On Friday, August 29 at 10:37AM, Douglas E Engert wrote:

> The problem appears to be in iso7816.c were it is trying to send 257 bytes,
> but the ISO7816.c is not supporting extended APDU or command chaining.
>
> Frank Morgner has a patch that may address this problem.
>
>   https://github.com/OpenSC/OpenSC/pull/260
>
> Can you try this patch?
> Frank can you look at this problem closer?
>
>
> 0x7f05454ef700 10:43:39.268 [opensc-pkcs11] iso7816.c:881:iso7816_decipher: called
> 6492 0x7f05454ef700 10:43:39.268 [opensc-pkcs11] apdu.c:559:sc_transmit_apdu: called
> 6493 0x7f05454ef700 10:43:39.268 [opensc-pkcs11] apdu.c:348:sc_check_apdu: Invalid Case 4 short APDU:
> 6494 cse=04 cla=00 ins=2a p1=80 p2=86 lc=257 le=1024
> 6495 resp=0x7fff965d8a30 resplen=1024 data=0xf28d00 datalen=257
> 6496 0x7f05454ef700 10:43:39.268 [opensc-pkcs11] iso7816.c:909:iso7816_decipher: APDU transmit failed: -1300 (Invalid arguments)
> 6497 0x7f05454ef700 10:43:39.268 [opensc-pkcs11] sec.c:42:sc_decipher: returning with: -1300 (Invalid arguments)
> 6498 0x7f05454ef700 10:43:39.268 [opensc-pkcs11] card.c:361:sc_unlock: called
> 6499 0x7f05454ef700 10:43:39.268 [opensc-pkcs11] pkcs15-sec.c:167:sc_pkcs15_decipher: sc_decipher() failed: -1300 (Invalid arguments)
> 6500 0x7f05454ef700 10:43:39.268 [opensc-pkcs11] pkcs15-sec.c:400:sc_pkcs15_compute_signature: returning with: -1300 (Invalid arguments)
> 6501 0x7f05454ef700 10:43:39.268 [opensc-pkcs11] card.c:361:sc_unlock: called
> 6502 0x7f05454ef700 10:43:39.268 [opensc-pkcs11] reader-pcsc.c:554:pcsc_unlock: called
> 6503 0x7f05454ef700 10:43:39.273 [opensc-pkcs11] framework-pkcs15.c:3601:pkcs15_prkey_sign: Sign complete. Result -1300.
> 6504 0x7f05454ef700 10:43:39.273 [opensc-pkcs11] misc.c:61:sc_to_cryptoki_error_common: libopensc return value: -1300 (Invalid arguments)
> 6505 0x7f05454ef700 10:43:39.273 [opensc-pkcs11] mechanism.c:444:sc_pkcs11_signature_final: returning with: 7
> 6506 0x7f05454ef700 10:43:39.273 [opensc-pkcs11] mechanism.c:309:sc_pkcs11_sign_final: returning with: 7
> 6507 0x7f05454ef700 10:43:39.273 [opensc-pkcs11] pkcs11-object.c:744:C_SignFinal: C_SignFinal() = CKR_ARGUMENTS_BAD
>
>
>
>
> On 8/29/2014 4:43 AM, Francesco Muzio wrote:
> > I have done two tests and for both I have logged the messages produced by  opensc and pkcs11-spy
> >
> > as attachment of this mail four logs are contained in a tar.gz archive
> >
> > these are produced with the command
> > pkcs11-tool --module=pkcs11-spy.so -t -l
> >
> > opensc-debug-pkcs11-tool.log
> > spy_output_pkcs11-tool.log
> >
> > and these are produced after an SSL Client authentication attempt
> >
> > opensc-debug-SSL.log
> > spy_output_SSL.log
> >
> >
> > if you need other info or request some test, I'm not so skilled, but always available.
> >
> > What are the meaning for the acronyms IIRC and SM ?
> >
> >
> > ------------------------------------------------------------------------------
> > Slashdot TV.
> > Video for Nerds.  Stuff that matters.
> > http://tv.slashdot.org/
> >
> >
> >
> > _______________________________________________
> > Opensc-devel mailing list
> > [hidden email]
> > https://lists.sourceforge.net/lists/listinfo/opensc-devel
> >
>
> --
>
>   Douglas E. Engert  <[hidden email]>
>
>
> ------------------------------------------------------------------------------
> Slashdot TV.  
> Video for Nerds.  Stuff that matters.
> http://tv.slashdot.org/
> _______________________________________________
> Opensc-devel mailing list
> [hidden email]
> https://lists.sourceforge.net/lists/listinfo/opensc-devel
>
--
Frank Morgner

Virtual Smart Card Architecture http://vsmartcard.sourceforge.net
OpenPACE                        http://openpace.sourceforge.net
IFD Handler for libnfc Devices  http://sourceforge.net/projects/ifdnfc

------------------------------------------------------------------------------
Slashdot TV.  
Video for Nerds.  Stuff that matters.
http://tv.slashdot.org/
_______________________________________________
Opensc-devel mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/opensc-devel

attachment0 (985 bytes) Download Attachment
Reply | Threaded
Open this post in threaded view
|

Re: CKR_ARGUMENTS_BAD

Francesco Muzio
The attached archive contains two files:

APDUEXT                                                               (contains two patches)
opensc-debug-pkcs11-tool-iso7816patch.log    (contains the opensc-debug.log generated)

I have test two patches to cascade:

iso7816: propagate the length of the computed signature
iso7816: allow extended length APDUs

I have applied the patch APDUEXT to the latest source available in the Debian testing branch (0.14.0) and I have used the builded files to perform the standard test:

LD_PRELOAD=./debian/opensc-pkcs11/usr/lib/x86_64-linux-gnu/libopensc.so.3 ./debian/opensc/usr/bin/pkcs11-tool --module=./debian/opensc-pkcs11/usr/lib/x86_64-linux-gnu/opensc-pkcs11.so -l -t
 
the result (showed in the file opensc-debug-pkcs11-tool-iso7816patch.log) does not change

If I have wrong some steps please tell me where.

      Il 30/08/2014 01:15, Frank Morgner ha scritto:
Actually raw deciphering with RSA 2048 was exactly what I used the patch
for.

Francesco, could you verify if my patch fixes your issue?

On Friday, August 29 at 10:37AM, Douglas E Engert wrote:
The problem appears to be in iso7816.c were it is trying to send 257 bytes,
but the ISO7816.c is not supporting extended APDU or command chaining.

Frank Morgner has a patch that may address this problem.

  https://github.com/OpenSC/OpenSC/pull/260

Can you try this patch?
Frank can you look at this problem closer?


0x7f05454ef700 10:43:39.268 [opensc-pkcs11] iso7816.c:881:iso7816_decipher: called
6492 0x7f05454ef700 10:43:39.268 [opensc-pkcs11] apdu.c:559:sc_transmit_apdu: called
6493 0x7f05454ef700 10:43:39.268 [opensc-pkcs11] apdu.c:348:sc_check_apdu: Invalid Case 4 short APDU:
6494 cse=04 cla=00 ins=2a p1=80 p2=86 lc=257 le=1024
6495 resp=0x7fff965d8a30 resplen=1024 data=0xf28d00 datalen=257
6496 0x7f05454ef700 10:43:39.268 [opensc-pkcs11] iso7816.c:909:iso7816_decipher: APDU transmit failed: -1300 (Invalid arguments)
6497 0x7f05454ef700 10:43:39.268 [opensc-pkcs11] sec.c:42:sc_decipher: returning with: -1300 (Invalid arguments)
6498 0x7f05454ef700 10:43:39.268 [opensc-pkcs11] card.c:361:sc_unlock: called
6499 0x7f05454ef700 10:43:39.268 [opensc-pkcs11] pkcs15-sec.c:167:sc_pkcs15_decipher: sc_decipher() failed: -1300 (Invalid arguments)
6500 0x7f05454ef700 10:43:39.268 [opensc-pkcs11] pkcs15-sec.c:400:sc_pkcs15_compute_signature: returning with: -1300 (Invalid arguments)
6501 0x7f05454ef700 10:43:39.268 [opensc-pkcs11] card.c:361:sc_unlock: called
6502 0x7f05454ef700 10:43:39.268 [opensc-pkcs11] reader-pcsc.c:554:pcsc_unlock: called
6503 0x7f05454ef700 10:43:39.273 [opensc-pkcs11] framework-pkcs15.c:3601:pkcs15_prkey_sign: Sign complete. Result -1300.
6504 0x7f05454ef700 10:43:39.273 [opensc-pkcs11] misc.c:61:sc_to_cryptoki_error_common: libopensc return value: -1300 (Invalid arguments)
6505 0x7f05454ef700 10:43:39.273 [opensc-pkcs11] mechanism.c:444:sc_pkcs11_signature_final: returning with: 7
6506 0x7f05454ef700 10:43:39.273 [opensc-pkcs11] mechanism.c:309:sc_pkcs11_sign_final: returning with: 7
6507 0x7f05454ef700 10:43:39.273 [opensc-pkcs11] pkcs11-object.c:744:C_SignFinal: C_SignFinal() = CKR_ARGUMENTS_BAD




On 8/29/2014 4:43 AM, Francesco Muzio wrote:
I have done two tests and for both I have logged the messages produced by  opensc and pkcs11-spy

as attachment of this mail four logs are contained in a tar.gz archive

these are produced with the command
pkcs11-tool --module=pkcs11-spy.so -t -l

opensc-debug-pkcs11-tool.log
spy_output_pkcs11-tool.log

and these are produced after an SSL Client authentication attempt

opensc-debug-SSL.log
spy_output_SSL.log


if you need other info or request some test, I'm not so skilled, but always available.

What are the meaning for the acronyms IIRC and SM ?


------------------------------------------------------------------------------
Slashdot TV.
Video for Nerds.  Stuff that matters.
http://tv.slashdot.org/



_______________________________________________
Opensc-devel mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/opensc-devel

-- 

  Douglas E. Engert  [hidden email]


------------------------------------------------------------------------------
Slashdot TV.  
Video for Nerds.  Stuff that matters.
http://tv.slashdot.org/
_______________________________________________
Opensc-devel mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/opensc-devel


      

------------------------------------------------------------------------------
Slashdot TV.  
Video for Nerds.  Stuff that matters.
http://tv.slashdot.org/


_______________________________________________
Opensc-devel mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/opensc-devel


------------------------------------------------------------------------------
Slashdot TV.  
Video for Nerds.  Stuff that matters.
http://tv.slashdot.org/
_______________________________________________
Opensc-devel mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/opensc-devel

test_patch.tar.gz (45K) Download Attachment
Reply | Threaded
Open this post in threaded view
|

Re: CKR_ARGUMENTS_BAD

Frank Morgner
The critical part from the new log is this one:

0x7f45bce26700 10:47:14.168 [opensc-pkcs11] apdu.c:348:sc_check_apdu: Invalid Case 4 short APDU:
cse=04 cla=00 ins=2a p1=80 p2=86 lc=257 le=1024
resp=0x7fff03c37880 resplen=1024 data=0xa7b310 datalen=257

The underlying layer assumes that the driver is only capable of
handeling short length APDUs.  Apart from a card driver which is capable
of extended length APDUs, you also need to propagate this capability.
You need to correctly initialize max_recv_size and max_send_size in your
driver to something bigger than
256 bytes (maybe SC_MAX_EXT_APDU_BUFFER_SIZE?).


Greets, Frank.


On Monday, September 01 at 11:29AM, Francesco Muzio wrote:

>  The attached archive contains two files:
>
>  APDUEXT (contains two patches)
>  opensc-debug-pkcs11-tool-iso7816patch.log    (contains the opensc-debug.log
>  generated)
>
>  I have test two patches to cascade:
>
>  iso7816: propagate the length of the computed signature
>  iso7816: allow extended length APDUs
>
>  I have applied the patch APDUEXT to the latest source available in the
>  Debian testing branch (0.14.0) and I have used the builded files to perform
>  the standard test:
>
>  LD_PRELOAD=./debian/opensc-pkcs11/usr/lib/x86_64-linux-gnu/libopensc.so.3
>  ./debian/opensc/usr/bin/pkcs11-tool
>  --module=./debian/opensc-pkcs11/usr/lib/x86_64-linux-gnu/opensc-pkcs11.so -l
>  -t
>
>  the result (showed in the file opensc-debug-pkcs11-tool-iso7816patch.log)
>  does not change
>
>  If I have wrong some steps please tell me where.
>
>  Il 30/08/2014 01:15, Frank Morgner ha scritto:
> > Actually raw deciphering with RSA 2048 was exactly what I used the patch
> > for.
> >
> > Francesco, could you verify if my patch fixes your issue?
> >
> > On Friday, August 29 at 10:37AM, Douglas E Engert wrote:
> >> The problem appears to be in iso7816.c were it is trying to send 257
> >> bytes,
> >> but the ISO7816.c is not supporting extended APDU or command chaining.
> >>
> >> Frank Morgner has a patch that may address this problem.
> >>
> >>    https://github.com/OpenSC/OpenSC/pull/260
> >>
> >> Can you try this patch?
> >> Frank can you look at this problem closer?
> >>
> >>
> >> 0x7f05454ef700 10:43:39.268 [opensc-pkcs11]
> >> iso7816.c:881:iso7816_decipher: called
> >> 6492 0x7f05454ef700 10:43:39.268 [opensc-pkcs11]
> >> apdu.c:559:sc_transmit_apdu: called
> >> 6493 0x7f05454ef700 10:43:39.268 [opensc-pkcs11] apdu.c:348:sc_check_apdu:
> >> Invalid Case 4 short APDU:
> >> 6494 cse=04 cla=00 ins=2a p1=80 p2=86 lc=257 le=1024
> >> 6495 resp=0x7fff965d8a30 resplen=1024 data=0xf28d00 datalen=257
> >> 6496 0x7f05454ef700 10:43:39.268 [opensc-pkcs11]
> >> iso7816.c:909:iso7816_decipher: APDU transmit failed: -1300 (Invalid
> >> arguments)
> >> 6497 0x7f05454ef700 10:43:39.268 [opensc-pkcs11] sec.c:42:sc_decipher:
> >> returning with: -1300 (Invalid arguments)
> >> 6498 0x7f05454ef700 10:43:39.268 [opensc-pkcs11] card.c:361:sc_unlock:
> >> called
> >> 6499 0x7f05454ef700 10:43:39.268 [opensc-pkcs11]
> >> pkcs15-sec.c:167:sc_pkcs15_decipher: sc_decipher() failed: -1300 (Invalid
> >> arguments)
> >> 6500 0x7f05454ef700 10:43:39.268 [opensc-pkcs11]
> >> pkcs15-sec.c:400:sc_pkcs15_compute_signature: returning with: -1300
> >> (Invalid arguments)
> >> 6501 0x7f05454ef700 10:43:39.268 [opensc-pkcs11] card.c:361:sc_unlock:
> >> called
> >> 6502 0x7f05454ef700 10:43:39.268 [opensc-pkcs11]
> >> reader-pcsc.c:554:pcsc_unlock: called
> >> 6503 0x7f05454ef700 10:43:39.273 [opensc-pkcs11]
> >> framework-pkcs15.c:3601:pkcs15_prkey_sign: Sign complete. Result -1300.
> >> 6504 0x7f05454ef700 10:43:39.273 [opensc-pkcs11]
> >> misc.c:61:sc_to_cryptoki_error_common: libopensc return value: -1300
> >> (Invalid arguments)
> >> 6505 0x7f05454ef700 10:43:39.273 [opensc-pkcs11]
> >> mechanism.c:444:sc_pkcs11_signature_final: returning with: 7
> >> 6506 0x7f05454ef700 10:43:39.273 [opensc-pkcs11]
> >> mechanism.c:309:sc_pkcs11_sign_final: returning with: 7
> >> 6507 0x7f05454ef700 10:43:39.273 [opensc-pkcs11]
> >> pkcs11-object.c:744:C_SignFinal: C_SignFinal() = CKR_ARGUMENTS_BAD
> >>
> >>
> >>
> >>
> >> On 8/29/2014 4:43 AM, Francesco Muzio wrote:
> >>> I have done two tests and for both I have logged the messages produced by
> >>>  opensc and pkcs11-spy
> >>>
> >>> as attachment of this mail four logs are contained in a tar.gz archive
> >>>
> >>> these are produced with the command
> >>> pkcs11-tool --module=pkcs11-spy.so -t -l
> >>>
> >>> opensc-debug-pkcs11-tool.log
> >>> spy_output_pkcs11-tool.log
> >>>
> >>> and these are produced after an SSL Client authentication attempt
> >>>
> >>> opensc-debug-SSL.log
> >>> spy_output_SSL.log
> >>>
> >>>
> >>> if you need other info or request some test, I'm not so skilled, but
> >>> always available.
> >>>
> >>> What are the meaning for the acronyms IIRC and SM ?
> >>>
> >>>
> >>> ------------------------------------------------------------------------------
> >>> Slashdot TV.
> >>> Video for Nerds.  Stuff that matters.
> >>> http://tv.slashdot.org/
> >>>
> >>>
> >>>
> >>> _______________________________________________
> >>> Opensc-devel mailing list
> >>> [hidden email]
> >>> https://lists.sourceforge.net/lists/listinfo/opensc-devel
> >>>
> >> --
> >>
> >>    Douglas E. Engert  <[hidden email]>
> >>
> >>
> >> ------------------------------------------------------------------------------
> >> Slashdot TV.
> >> Video for Nerds.  Stuff that matters.
> >> http://tv.slashdot.org/
> >> _______________________________________________
> >> Opensc-devel mailing list
> >> [hidden email]
> >> https://lists.sourceforge.net/lists/listinfo/opensc-devel
> >>
> >
> >
> > ------------------------------------------------------------------------------
> > Slashdot TV.
> > Video for Nerds.  Stuff that matters.
> > http://tv.slashdot.org/
> >
> >
> > _______________________________________________
> > Opensc-devel mailing list
> > [hidden email]
> > https://lists.sourceforge.net/lists/listinfo/opensc-devel
>

>          compressed        uncompressed  ratio uncompressed_name
>               34022              351744  90.3% /tmp/test_patch.tar

> ------------------------------------------------------------------------------
> Slashdot TV.  
> Video for Nerds.  Stuff that matters.
> http://tv.slashdot.org/
> _______________________________________________
> Opensc-devel mailing list
> [hidden email]
> https://lists.sourceforge.net/lists/listinfo/opensc-devel


--
Frank Morgner

Virtual Smart Card Architecture http://vsmartcard.sourceforge.net
OpenPACE                        http://openpace.sourceforge.net
IFD Handler for libnfc Devices  http://sourceforge.net/projects/ifdnfc

------------------------------------------------------------------------------
Slashdot TV.  
Video for Nerds.  Stuff that matters.
http://tv.slashdot.org/
_______________________________________________
Opensc-devel mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/opensc-devel

attachment0 (985 bytes) Download Attachment
Reply | Threaded
Open this post in threaded view
|

Re: CKR_ARGUMENTS_BAD

Francesco Muzio
Maybe I haven't understood, but I have tried to patch the file
card-itacns.c: in the function itacns_init() I have added two lines to
assign the value 65538 to the variables max_recv_size and max_send_size.

I have tried again the command
LD_PRELOAD=./debian/opensc-pkcs11/usr/lib/x86_64-linux-gnu/libopensc.so.3 /debian/opensc/usr/bin/pkcs11-tool
--module=./debian/opensc-pkcs11/usr/lib/x86_64-linux-gnu/opensc-pkcs11.so -l
-t
but it fails again with the same error (see the logs)

I have attached at this email a tar.gz archive with two files:
opensc-debug-pkcs11-tool-card-itacns-patch.log contains the log of the
operation
MAXSIZE contains the patch applied

Il 01/09/2014 20:26, Frank Morgner ha scritto:

> The critical part from the new log is this one:
>
> 0x7f45bce26700 10:47:14.168 [opensc-pkcs11] apdu.c:348:sc_check_apdu: Invalid Case 4 short APDU:
> cse=04 cla=00 ins=2a p1=80 p2=86 lc=257 le=1024
> resp=0x7fff03c37880 resplen=1024 data=0xa7b310 datalen=257
>
> The underlying layer assumes that the driver is only capable of
> handeling short length APDUs.  Apart from a card driver which is capable
> of extended length APDUs, you also need to propagate this capability.
> You need to correctly initialize max_recv_size and max_send_size in your
> driver to something bigger than
> 256 bytes (maybe SC_MAX_EXT_APDU_BUFFER_SIZE?).
>
>
> Greets, Frank.

------------------------------------------------------------------------------
Slashdot TV.  
Video for Nerds.  Stuff that matters.
http://tv.slashdot.org/
_______________________________________________
Opensc-devel mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/opensc-devel

maxsize.tar.gz (40K) Download Attachment
Reply | Threaded
Open this post in threaded view
|

Re: CKR_ARGUMENTS_BAD

Douglas E Engert


On 9/2/2014 8:46 AM, Francesco Muzio wrote:
> Maybe I haven't understood, but I have tried to patch the file card-itacns.c: in the function itacns_init() I have added two lines to assign the value 65538 to the variables max_recv_size and
> max_send_size.
>
> I have tried again the command
> LD_PRELOAD=./debian/opensc-pkcs11/usr/lib/x86_64-linux-gnu/libopensc.so.3 /debian/opensc/usr/bin/pkcs11-tool --module=./debian/opensc-pkcs11/usr/lib/x86_64-linux-gnu/opensc-pkcs11.so -l -t
> but it fails again with the same error (see the logs)

You have a relative path in two places, but an absolute in other. Which is correct?
(correct my examples below too.)
To verify what is being loaded:

LD_PRELOAD=./debian/opensc-pkcs11/usr/lib/x86_64-linux-gnu/libopensc.so.3 ldd /debian/opensc/usr/bin/pkcs11-tool
LD_PRELOAD=./debian/opensc-pkcs11/usr/lib/x86_64-linux-gnu/libopensc.so.3 ldd ./debian/opensc-pkcs11/usr/lib/x86_64-linux-gnu/opensc-pkcs11.so


Rather then using LD_PRELOAD can you try:
export PATH=./debian/opensc/usr/bin:$PATH
export LD_LIBRARY_PATH=./debian/opensc-pkcs11/usr/lib/x86_64-linux-gnu:$LD_LIBRARY_PATH


Then to see what libs are being used:
ldd pkcs11-tool
ldd ./debian/opensc-pkcs11/usr/lib/x86_64-linux-gnu/opensc-pkcs11.so

>
> I have attached at this email a tar.gz archive with two files:
> opensc-debug-pkcs11-tool-card-itacns-patch.log contains the log of the operation
> MAXSIZE contains the patch applied
>
> Il 01/09/2014 20:26, Frank Morgner ha scritto:
>> The critical part from the new log is this one:
>>
>> 0x7f45bce26700 10:47:14.168 [opensc-pkcs11] apdu.c:348:sc_check_apdu: Invalid Case 4 short APDU:
>> cse=04 cla=00 ins=2a p1=80 p2=86 lc=257 le=1024
>> resp=0x7fff03c37880 resplen=1024 data=0xa7b310 datalen=257
>>
>> The underlying layer assumes that the driver is only capable of
>> handeling short length APDUs.  Apart from a card driver which is capable
>> of extended length APDUs, you also need to propagate this capability.
>> You need to correctly initialize max_recv_size and max_send_size in your
>> driver to something bigger than
>> 256 bytes (maybe SC_MAX_EXT_APDU_BUFFER_SIZE?).
>>
>>
>> Greets, Frank.
>
>
> ------------------------------------------------------------------------------
> Slashdot TV.
> Video for Nerds.  Stuff that matters.
> http://tv.slashdot.org/
>
>
>
> _______________________________________________
> Opensc-devel mailing list
> [hidden email]
> https://lists.sourceforge.net/lists/listinfo/opensc-devel
>

--

  Douglas E. Engert  <[hidden email]>


------------------------------------------------------------------------------
Slashdot TV.  
Video for Nerds.  Stuff that matters.
http://tv.slashdot.org/
_______________________________________________
Opensc-devel mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/opensc-devel
Reply | Threaded
Open this post in threaded view
|

Re: CKR_ARGUMENTS_BAD

Douglas E Engert
In reply to this post by Francesco Muzio


On 9/2/2014 8:46 AM, Francesco Muzio wrote:
> Maybe I haven't understood, but I have tried to patch the file card-itacns.c: in the function itacns_init() I have added two lines to assign the value 65538 to the variables max_recv_size and
> max_send_size.

Did you also apply Frank's patch from
  https://github.com/OpenSC/OpenSC/pull/260/files

line 846 sc_format_apdu(card, &apdu, SC_APDU_CASE_4_SHORT, 0x2A, 0x9E, 0x9A);
gets replaced by:
line 824 sc_format_apdu(card, &apdu, SC_APDU_CASE_4, 0x2A, 0x9E, 0x9A);

This line indicates Frank's patch was not applied.
3250 0x7f1ed301f700 14:36:01.887 [opensc-pkcs11] iso7816.c:855:iso7816_decipher: called

Tis line indicates that you did set the max sizes:
  622 0x7f1ed301f700 14:35:52.022 [opensc-pkcs11] card.c:239:sc_connect_card: card info name:'CNS card', type:23002, flags:0x0, max_send/recv_size:65538/65538



>
> I have tried again the command
> LD_PRELOAD=./debian/opensc-pkcs11/usr/lib/x86_64-linux-gnu/libopensc.so.3 /debian/opensc/usr/bin/pkcs11-tool --module=./debian/opensc-pkcs11/usr/lib/x86_64-linux-gnu/opensc-pkcs11.so -l -t
> but it fails again with the same error (see the logs)
>
> I have attached at this email a tar.gz archive with two files:
> opensc-debug-pkcs11-tool-card-itacns-patch.log contains the log of the operation
> MAXSIZE contains the patch applied
>
> Il 01/09/2014 20:26, Frank Morgner ha scritto:
>> The critical part from the new log is this one:
>>
>> 0x7f45bce26700 10:47:14.168 [opensc-pkcs11] apdu.c:348:sc_check_apdu: Invalid Case 4 short APDU:
>> cse=04 cla=00 ins=2a p1=80 p2=86 lc=257 le=1024
>> resp=0x7fff03c37880 resplen=1024 data=0xa7b310 datalen=257
>>
>> The underlying layer assumes that the driver is only capable of
>> handeling short length APDUs.  Apart from a card driver which is capable
>> of extended length APDUs, you also need to propagate this capability.
>> You need to correctly initialize max_recv_size and max_send_size in your
>> driver to something bigger than
>> 256 bytes (maybe SC_MAX_EXT_APDU_BUFFER_SIZE?).
>>
>>
>> Greets, Frank.
>
>
> ------------------------------------------------------------------------------
> Slashdot TV.
> Video for Nerds.  Stuff that matters.
> http://tv.slashdot.org/
>
>
>
> _______________________________________________
> Opensc-devel mailing list
> [hidden email]
> https://lists.sourceforge.net/lists/listinfo/opensc-devel
>

--

  Douglas E. Engert  <[hidden email]>


------------------------------------------------------------------------------
Slashdot TV.  
Video for Nerds.  Stuff that matters.
http://tv.slashdot.org/
_______________________________________________
Opensc-devel mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/opensc-devel
Reply | Threaded
Open this post in threaded view
|

Re: CKR_ARGUMENTS_BAD

Francesco Muzio
In reply to this post by Douglas E Engert
Sorry, it's only a typo. I haven't a debian directory on my root.

the correct command used is:
LD_PRELOAD=./debian/opensc-pkcs11/usr/lib/x86_64-linux-gnu/libopensc.so.3 ./debian/opensc/usr/bin/pkcs11-tool
--module=./debian/opensc-pkcs11/usr/lib/x86_64-linux-gnu/opensc-pkcs11.so -l
-t

however I provide to you the requested outputs

$
LD_PRELOAD=./debian/opensc-pkcs11/usr/lib/x86_64-linux-gnu/libopensc.so.3 ldd
./debian/opensc-pkcs11/usr/lib/x86_64-linux-gnu/opensc-pkcs11.so
         linux-vdso.so.1 (0x00007fffe35fe000)
./debian/opensc-pkcs11/usr/lib/x86_64-linux-gnu/libopensc.so.3
(0x00007f1579e6b000)
         libcrypto.so.1.0.0 =>
/usr/lib/x86_64-linux-gnu/libcrypto.so.1.0.0 (0x00007f1579a4b000)
         libdl.so.2 => /lib/x86_64-linux-gnu/libdl.so.2 (0x00007f1579846000)
         libpthread.so.0 => /lib/x86_64-linux-gnu/libpthread.so.0
(0x00007f157962a000)
         libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f157927e000)
         libz.so.1 => /lib/x86_64-linux-gnu/libz.so.1 (0x00007f1579066000)
         /lib64/ld-linux-x86-64.so.2 (0x00007f157a425000)

$
LD_PRELOAD=./debian/opensc-pkcs11/usr/lib/x86_64-linux-gnu/libopensc.so.3 ldd
./debian/opensc/usr/bin/pkcs11-tool
         linux-vdso.so.1 (0x00007fffb87fe000)
./debian/opensc-pkcs11/usr/lib/x86_64-linux-gnu/libopensc.so.3
(0x00007fc512b86000)
         libcrypto.so.1.0.0 =>
/usr/lib/x86_64-linux-gnu/libcrypto.so.1.0.0 (0x00007fc512766000)
         libdl.so.2 => /lib/x86_64-linux-gnu/libdl.so.2 (0x00007fc512561000)
         libpthread.so.0 => /lib/x86_64-linux-gnu/libpthread.so.0
(0x00007fc512345000)
         libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007fc511f99000)
         libz.so.1 => /lib/x86_64-linux-gnu/libz.so.1 (0x00007fc511d81000)
         /lib64/ld-linux-x86-64.so.2 (0x00007fc512f11000)

Il 02/09/2014 16:39, Douglas E Engert ha scritto:
> You have a relative path in two places, but an absolute in other. Which is correct?
> (correct my examples below too.)
> To verify what is being loaded:
>
> LD_PRELOAD=./debian/opensc-pkcs11/usr/lib/x86_64-linux-gnu/libopensc.so.3 ldd /debian/opensc/usr/bin/pkcs11-tool
> LD_PRELOAD=./debian/opensc-pkcs11/usr/lib/x86_64-linux-gnu/libopensc.so.3 ldd ./debian/opensc-pkcs11/usr/lib/x86_64-linux-gnu/opensc-pkcs11.so


------------------------------------------------------------------------------
Slashdot TV.  
Video for Nerds.  Stuff that matters.
http://tv.slashdot.org/
_______________________________________________
Opensc-devel mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/opensc-devel
Reply | Threaded
Open this post in threaded view
|

Re: CKR_ARGUMENTS_BAD

Francesco Muzio
In reply to this post by Douglas E Engert
I have correctly applied both patches, because without the Frank's patch
the istruction:

SC_FUNC_CALLED(card->ctx, SC_LOG_DEBUG_NORMAL);

who prints this line in the logs

"3250 0x7f1ed301f700 14:36:01.887 [opensc-pkcs11]
iso7816.c:855:iso7816_decipher: called"

is located at the line 881 of the file iso7816.c, otherwise is located
at line 855

Il 02/09/2014 16:55, Douglas E Engert ha scritto:
> This line indicates Frank's patch was not applied.
> 3250 0x7f1ed301f700 14:36:01.887 [opensc-pkcs11] iso7816.c:855:iso7816_decipher: called


------------------------------------------------------------------------------
Slashdot TV.  
Video for Nerds.  Stuff that matters.
http://tv.slashdot.org/
_______________________________________________
Opensc-devel mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/opensc-devel
Reply | Threaded
Open this post in threaded view
|

Re: CKR_ARGUMENTS_BAD

Douglas E Engert
Are you saying that with the 2 patches everything works?


On 9/3/2014 4:44 AM, Francesco Muzio wrote:

> I have correctly applied both patches, because without the Frank's patch
> the istruction:
>
> SC_FUNC_CALLED(card->ctx, SC_LOG_DEBUG_NORMAL);
>
> who prints this line in the logs
>
> "3250 0x7f1ed301f700 14:36:01.887 [opensc-pkcs11]
> iso7816.c:855:iso7816_decipher: called"
>
> is located at the line 881 of the file iso7816.c, otherwise is located
> at line 855
>
> Il 02/09/2014 16:55, Douglas E Engert ha scritto:
>> This line indicates Frank's patch was not applied.
>> 3250 0x7f1ed301f700 14:36:01.887 [opensc-pkcs11] iso7816.c:855:iso7816_decipher: called
>
>
> ------------------------------------------------------------------------------
> Slashdot TV.
> Video for Nerds.  Stuff that matters.
> http://tv.slashdot.org/
> _______________________________________________
> Opensc-devel mailing list
> [hidden email]
> https://lists.sourceforge.net/lists/listinfo/opensc-devel
>

--

  Douglas E. Engert  <[hidden email]>


------------------------------------------------------------------------------
Slashdot TV.  
Video for Nerds.  Stuff that matters.
http://tv.slashdot.org/
_______________________________________________
Opensc-devel mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/opensc-devel
Reply | Threaded
Open this post in threaded view
|

Re: CKR_ARGUMENTS_BAD

Francesco Muzio
No, I saying that the last report/logs posted this are generated by an
opensc compiled with both patch and, during that test, the trouble still
exists. No improvements seems to be reached.



Il 03/09/2014 15:31, Douglas E Engert ha scritto:
> Are you saying that with the 2 patches everything works?


------------------------------------------------------------------------------
Slashdot TV.  
Video for Nerds.  Stuff that matters.
http://tv.slashdot.org/
_______________________________________________
Opensc-devel mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/opensc-devel
Reply | Threaded
Open this post in threaded view
|

Re: CKR_ARGUMENTS_BAD

Douglas E Engert
In reply to this post by Francesco Muzio


On 9/3/2014 4:44 AM, Francesco Muzio wrote:

> I have correctly applied both patches, because without the Frank's patch
> the istruction:
>
> SC_FUNC_CALLED(card->ctx, SC_LOG_DEBUG_NORMAL);
>
> who prints this line in the logs
>
> "3250 0x7f1ed301f700 14:36:01.887 [opensc-pkcs11]
> iso7816.c:855:iso7816_decipher: called"
>
> is located at the line 881 of the file iso7816.c, otherwise is located
> at line 855
>
> Il 02/09/2014 16:55, Douglas E Engert ha scritto:
>> This line indicates Frank's patch was not applied.
>> 3250 0x7f1ed301f700 14:36:01.887 [opensc-pkcs11] iso7816.c:855:iso7816_decipher: called

OK, You are right:

This is what I saw in your trace from maxsize.tar.gz:

3188 0x7f1ed301f700 14:36:01.875 [opensc-pkcs11] iso7816.c:855:iso7816_decipher: called
3189 0x7f1ed301f700 14:36:01.875 [opensc-pkcs11] apdu.c:559:sc_transmit_apdu: called
3190 0x7f1ed301f700 14:36:01.875 [opensc-pkcs11] apdu.c:348:sc_check_apdu: Invalid Case 4 short APDU:
3191 cse=04 cla=00 ins=2a p1=80 p2=86 lc=257 le=1024
3192 resp=0x7fff694c56d0 resplen=1024 data=0x6f5310 datalen=257
3193 0x7f1ed301f700 14:36:01.875 [opensc-pkcs11] iso7816.c:883:iso7816_decipher: APDU transmit failed: -1300 (Invalid arguments)
3194 0x7f1ed301f700 14:36:01.875 [opensc-pkcs11] sec.c:42:sc_decipher: returning with: -1300 (Invalid arguments)

Line 3191 says cse=04 which is a short APDU.  Frank' patch uses SC_APDU_CASE_4 = 24

In apdu.c the sc_detect_apdu_cse() routine checks for:  card->caps & SC_CARD_CAP_APDU_EXT
and forces short if the card does not support extended setting bytpe, and apdu->cse = btype;

So you may need to add to your patch
card->caps |= SC_CARD_CAP_APDU_EXT;


P.S. I will not be checking e-mail after Thursday morning for a week or so.
So best to work with Frank.







>
>
> ------------------------------------------------------------------------------
> Slashdot TV.
> Video for Nerds.  Stuff that matters.
> http://tv.slashdot.org/
> _______________________________________________
> Opensc-devel mailing list
> [hidden email]
> https://lists.sourceforge.net/lists/listinfo/opensc-devel
>

--

  Douglas E. Engert  <[hidden email]>


------------------------------------------------------------------------------
Slashdot TV.  
Video for Nerds.  Stuff that matters.
http://tv.slashdot.org/
_______________________________________________
Opensc-devel mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/opensc-devel
Reply | Threaded
Open this post in threaded view
|

Re: CKR_ARGUMENTS_BAD

Francesco Muzio
> So you may need to add to your patch
> card->caps |= SC_CARD_CAP_APDU_EXT;

I have added the istruction
card->caps |= SC_CARD_CAP_APDU_EXT;
in the function int itacns_init() in the file card-itacns.c

With this patch the error message is changed, see below.

in this message is attached a tar.gz archive who contains

- the file opensc-debug-pkcs11-tool_CAPS.log   with debug output
- the file spy_output_CAPS.log                              with
pkcs11-spy output
- the file CAPS                                                        
with the last patch

Before this patch I have applied also the other two patches (APDUEXT e
MAXSIZE) on cascade

the command:

$
LD_PRELOAD=./debian/opensc-pkcs11/usr/lib/x86_64-linux-gnu/libopensc.so.3 ./debian/opensc/usr/bin/pkcs11-tool
--module=./debian/opensc-pkcs11/usr/lib/x86_64-linux-gnu/pkcs11-spy.so -t -l


the output:

Using slot 1 with a present token (0x1)
C_SeedRandom() and C_GenerateRandom():
   seeding (C_SeedRandom) not supported
   seems to be OK
Digests:
   all 4 digest functions seem to work
   MD5: OK
   SHA-1: OK
   RIPEMD160: OK
Signatures (currently only RSA signatures)
   testing key 0 (CNS0)
error: PKCS11 function C_SignFinal failed: rv = CKR_FUNCTION_FAILED (0x6)

Aborting.

------------------------------------------------------------------------------
Slashdot TV.  
Video for Nerds.  Stuff that matters.
http://tv.slashdot.org/
_______________________________________________
Opensc-devel mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/opensc-devel

caps.tar.gz (48K) Download Attachment
Reply | Threaded
Open this post in threaded view
|

Re: CKR_ARGUMENTS_BAD

Frank Morgner
Hi, Francesco!

Now the extended length APDU for deciphering is correctly created (see
opensc-debug-pkcs11-tool_CAPS.log:3196 and
opensc-debug-pkcs11-tool_CAPS.log:3289).

However, your card always responds with 6986 ("command not allowed, no
current EF"). This seems to be a problem with the card driver itself (who
is the maintainer of the itacns driver?). Is the private key for
deciphering correctly selected with the MSE command beforehand?

Greets, Frank.


On Thursday, September 04 at 04:01PM, Francesco Muzio wrote:

> > So you may need to add to your patch
> > card->caps |= SC_CARD_CAP_APDU_EXT;
>
>  I have added the istruction
>  card->caps |= SC_CARD_CAP_APDU_EXT;
>  in the function int itacns_init() in the file card-itacns.c
>
>  With this patch the error message is changed, see below.
>
>  in this message is attached a tar.gz archive who contains
>
>  - the file opensc-debug-pkcs11-tool_CAPS.log   with debug output
>  - the file spy_output_CAPS.log                              with pkcs11-spy
>  output
>  - the file CAPS                                                         with
>  the last patch
>
>  Before this patch I have applied also the other two patches (APDUEXT e
>  MAXSIZE) on cascade
>
>  the command:
>
>  $ LD_PRELOAD=./debian/opensc-pkcs11/usr/lib/x86_64-linux-gnu/libopensc.so.3
>  ./debian/opensc/usr/bin/pkcs11-tool
>  --module=./debian/opensc-pkcs11/usr/lib/x86_64-linux-gnu/pkcs11-spy.so -t -l
>
>
>  the output:
>
>  Using slot 1 with a present token (0x1)
>  C_SeedRandom() and C_GenerateRandom():
>    seeding (C_SeedRandom) not supported
>    seems to be OK
>  Digests:
>    all 4 digest functions seem to work
>    MD5: OK
>    SHA-1: OK
>    RIPEMD160: OK
>  Signatures (currently only RSA signatures)
>    testing key 0 (CNS0)
>  error: PKCS11 function C_SignFinal failed: rv = CKR_FUNCTION_FAILED (0x6)
>
>  Aborting.

>          compressed        uncompressed  ratio uncompressed_name
>               36252              346112  89.5% /tmp/caps.tar

> ------------------------------------------------------------------------------
> Slashdot TV.  
> Video for Nerds.  Stuff that matters.
> http://tv.slashdot.org/
> _______________________________________________
> Opensc-devel mailing list
> [hidden email]
> https://lists.sourceforge.net/lists/listinfo/opensc-devel


--
Frank Morgner

Virtual Smart Card Architecture http://vsmartcard.sourceforge.net
OpenPACE                        http://openpace.sourceforge.net
IFD Handler for libnfc Devices  http://sourceforge.net/projects/ifdnfc

------------------------------------------------------------------------------
Slashdot TV.  
Video for Nerds.  Stuff that matters.
http://tv.slashdot.org/
_______________________________________________
Opensc-devel mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/opensc-devel

attachment0 (985 bytes) Download Attachment
Reply | Threaded
Open this post in threaded view
|

Re: CKR_ARGUMENTS_BAD

Francesco Muzio
The itacns driver was written four years ago by Emanuele Pucciarelli,
but I don't know if he is the official maintainer.

I have seen that this developer has followed these documents:

for card-itacns.c
http://archivio.cnipa.gov.it/html/docs/CNS%20Functional%20Specification%201.1.5_11012010.pdf

for pkcs15-itacns.c
http://www.servizidemografici.interno.it/sitoCNSD/documentazioneRicerca.do?metodo=contenutoDocumento&servizio=documentazione&ID_DOCUMENTO=1043

On this webpage I have found updated information about CNS
http://www.agid.gov.it/identita-digitali/carta-nazionale-servizi/specifiche-tecniche

especially the "functional specification" v1.1.6
http://www.agid.gov.it/sites/default/files/documentazione_trasparenza/cns_functional_specification_1.1.6_02042011.pdf

But nowadays I'm unable to understand very well the speicification.

The only thing that I can tell is related to the sign operation: before
a signature the smartcard reader should ask me the "signature pin" but
it fails without any request.

Il 04/09/2014 17:47, Frank Morgner ha scritto:
> However, your card always responds with 6986 ("command not allowed, no
> current EF"). This seems to be a problem with the card driver itself (who
> is the maintainer of the itacns driver?). Is the private key for
> deciphering correctly selected with the MSE command beforehand?


------------------------------------------------------------------------------
Want excitement?
Manually upgrade your production database.
When you want reliability, choose Perforce
Perforce version control. Predictably reliable.
http://pubads.g.doubleclick.net/gampad/clk?id=157508191&iu=/4140/ostg.clktrk
_______________________________________________
Opensc-devel mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/opensc-devel
12