Cannot perform signing when multiple keys are present


Cannot perform signing when multiple keys are present

Marcin Okraszewski
Hi,
Is it possible to work with libp11 and OpenSSL if there are multiple tokens inserted? I cannot make it work. 

I use a Yubikey for performing signatures with OpenSSL. It works perfectly if only the Yubikey is inserted into the machine. But I have a problem when another token is also inserted. OpenSSL always tells me it cannot find the object or that the token is empty.

Normally I sign with such command:
openssl.exe smime -sign -engine pkcs11 -keyform engine -inkey "pkcs11:object=SIGN%20key;type=private;pin-value=XXXXXX" -in test.msg  -out test.smime -signer yubi-l1.pem

It works perfectly when there is just the Yubikey. Now I have a machine where another token (SafeNet) is also inserted. Then the command ends with output like this:

openssl.exe smime -sign -engine pkcs11 -keyform engine -inkey "pkcs11:object=SIGN%20key;type=private;pin-value=XXXXXX" -in test.msg  -out test.smime -signer yubi-l1.pem
Specified object not found
PKCS11_get_private_key returned NULL
engine "pkcs11" set.
cannot load signing key file from engine
1568:error:26096080:engine routines:ENGINE_load_private_key:failed loading private key:.\crypto\engine\eng_pkey.c:124:
unable to load signing key file

Here is the list of tokens:

> opensc-tool.exe -l
# Detected readers (pcsc)
Nr.  Card  Features  Name
0    Yes             AKS ifdh 0
1    Yes             AKS ifdh 1
2    Yes             AKS VR 0
3    Yes             Rainbow Technologies iKeyVirtualReader 0
4    Yes             Rainbow Technologies iKeyVirtualReader 1
5    Yes             Yubico Yubikey 4 OTP+U2F+CCID 0


I tried various forms of the key URI, e.g.:
  • pkcs11:manufacturer=Yubico;object=SIGN%20key;type=private;pin-value=$pin
  • pkcs11:model=Yubico%20Yubikey%204%20OTP%2BU2F%2BCCID;object=SIGN%20key;type=private;pin-value=XXXXX
  • pkcs11:model=Yubikey%204%20OTP%2BU2F%2BCCID;object=SIGN%20key;type=private;pin-value=XXXXX
  • pkcs11:serial=BB6465375E5505273760A874579A76FB;object=SIGN%20key;type=private;pin-value=XXXXX
  • pkcs11:serial=BB:64:65:37:5E:55:05:27:37:60:A8:74:57:9A:76:FB;object=SIGN%20key;type=private;pin-value=XXXXX
With the same result. I also tried slot_0-id_2, but then it says "Found empty token".

Some other outputs:

> opensc-tool.exe -r 5 --serial
BB 64 65 37 5E 55 05 27 37 60 A8 74 57 9A 76 FB .de7^U.'7`.tW.v.

> pkcs15-tool.exe --reader 5 -k
Private EC Key [SIGN key]
        Object Flags   : [0x1], private
        Usage          : [0x204], sign, nonRepudiation
        Access Flags   : [0x1D], sensitive, alwaysSensitive, neverExtract, local

        FieldLength    : 384
        Key ref        : 156 (0x9C)
        Native         : yes
        Auth ID        : 01
        ID             : 02
        MD:guid        : 0x'3032363436353337356535353035323733373630613837343537
3961373666620000000000000000'

Thank you for help!
Marcin Okraszewski


------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, SlashDot.org! http://sdm.link/slashdot
_______________________________________________
Opensc-devel mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/opensc-devel

Re: Cannot perform signing when multiple keys are present

David Woodhouse
On Wed, 2016-12-14 at 20:11 +0100, Marcin Okraszewski wrote:
>
> I tried various forms of key, like eg:
> pkcs11:manufacturer=Yubico;object=SIGN%20key;type=private;pin-value=$pin
> pkcs11:model=Yubico%20Yubikey%204%20OTP%2BU2F%2BCCID;object=SIGN%20key;type=private;pin-value=XXXXX
> pkcs11:model=Yubikey%204%20OTP%2BU2F%2BCCID;object=SIGN%20key;type=private;pin-value=XXXXX
> pkcs11:serial=BB6465375E5505273760A874579A76FB;object=SIGN%20key;type=private;pin-value=XXXXX
> pkcs11:serial=BB:64:65:37:5E:55:05:27:37:60:A8:74:57:9A:76:FB;object=SIGN%20key;type=private;pin-value=XXXXX

$ p11tool --list-token-urls | grep piv
pkcs11:model=PKCS%2315%20emulated;manufacturer=piv_II;serial=108421384210c3f5;token=PIV_II%20%28PIV%20Card%20Holder%20pin%29

I usually use 'pkcs11:manufacturer=piv_II;…' as it's easy to type. Not
entirely sure why the serial number variant didn't work; perhaps that's
not precisely how OpenSC exposes it? Or could it be case sensitive?

--
dwmw2


Re: Cannot perform signing when multiple keys are present

Douglas E Engert
In reply to this post by Marcin Okraszewski


On 12/14/2016 1:11 PM, Marcin Okraszewski wrote:

> Hi,
> Is it possible to work with libp11 and OpenSSL if there are multiple tokens inserted? I cannot make it work.
>
> I use Yubikey for performing signatures with OpenSSL. It works perfect if there is just Yubikey inserted into machine. But I have a problem when there is another token also inserted. OpenSSL always
> tells me it cannot find object or that token is empty.
>
> Normally I sign with such command:
>
>     openssl.exe smime -sign -engine pkcs11 -keyform engine -inkey "pkcs11:object=SIGN%20key;type=private;pin-value=XXXXXX" -in test.msg  -out test.smime -signer yubi-l1.pem
>

It looks like pkcs#11 will use p11-kit, which can load multiple PKCS#11 modules, and tries to find all objects that match "object=SIGN%20key;type=private".
If there is more than one card that can match the pattern, then it will fail, as it is expecting the URI to select only a single object (the private key in this case).
p11-kit may load both the Yubico PIV PKCS#11 module and the OpenSC module that supports the PIV.

SafeNet has a PIV application on the card, and it could be that the Yubico PKCS#11 or the OpenSC PKCS#11 is finding both cards, which then both match object=SIGN%20key;type=private,
as both have an object=SIGN%20key;type=private.

>
> It works perfectly when there is just Yubikey. Now I have a machine, where there is also another token inserted (SafeNet). Then the command ends with output like this:
>
>     openssl.exe smime -sign -engine pkcs11 -keyform engine -inkey "pkcs11:object=SIGN%20key;type=private;pin-value=XXXXXX" -in test.msg  -out test.smime -signer yubi-l1.pem
>     Specified object not found
>     PKCS11_get_private_key returned NULL
>     engine "pkcs11" set.
>     cannot load signing key file from engine
>     1568:error:26096080:engine routines:ENGINE_load_private_key:failed loading private key:.\crypto\engine\eng_pkey.c:124:
>     unable to load signing key file
>
>
> Here is the list of tokens:
>
>     > opensc-tool.exe -l
>     # Detected readers (pcsc)
>     Nr.  Card  Features  Name
>     0    Yes             AKS ifdh 0
>     1    Yes             AKS ifdh 1
>     2    Yes             AKS VR 0
>     3    Yes             Rainbow Technologies iKeyVirtualReader 0
>     4    Yes             Rainbow Technologies iKeyVirtualReader 1
>     5    Yes             Yubico Yubikey 4 OTP+U2F+CCID 0
>

opensc-tool does not use p11-kit or the OpenSC PKCS#11 either.

>
>
> I tried various forms of key, like eg:
>
>   * pkcs11:manufacturer=Yubico;object=SIGN%20key;type=private;pin-value=$pin
>   * pkcs11:model=Yubico%20Yubikey%204%20OTP%2BU2F%2BCCID;object=SIGN%20key;type=private;pin-value=XXXXX
>   * pkcs11:model=Yubikey%204%20OTP%2BU2F%2BCCID;object=SIGN%20key;type=private;pin-value=XXXXX

This looks like you are trying to use the YUBICO PKCS#11 module?

>   * pkcs11:serial=BB6465375E5505273760A874579A76FB;object=SIGN%20key;type=private;pin-value=XXXXX
>   * pkcs11:serial=BB:64:65:37:5E:55:05:27:37:60:A8:74:57:9A:76:FB;object=SIGN%20key;type=private;pin-value=XXXXX
>
> With the same result. I also tried slot_0-id_2, but then it says "Found empty token".
>
> Some other outputs:
>
>> opensc-tool.exe -r 5 --serial
> BB 64 65 37 5E 55 05 27 37 60 A8 74 57 9A 76 FB .de7^U.'7`.tW.v.
>
>> pkcs15-tool.exe --reader 5 -k
> Private EC Key [SIGN key]
>         Object Flags   : [0x1], private
>         Usage          : [0x204], sign, nonRepudiation
>         Access Flags   : [0x1D], sensitive, alwaysSensitive, neverExtract, local
>
>         FieldLength    : 384
>         Key ref        : 156 (0x9C)
>         Native         : yes
>         Auth ID        : 01
>         ID             : 02
>         MD:guid        : 0x'3032363436353337356535353035323733373630613837343537
> 3961373666620000000000000000'

pkcs15-tool also does not use PKCS#11 module either.

pkcs11-tool can be used with --module to load p11-kit or a specific PKCS#11 module such as opensc-pkcs11.so,
and slots can be listed and the tokens in the slots can be listed. This can be helpful to see
what the "token manufacturer" is (as defined by the PKCS#11 module) to use with the p11-kit manufacturer= parameter.
With the OpenSC PKCS#11 and a Yubico or PIV card, it would be manufacturer=piv_II. OpenSC tries to treat the Yubico as a PIV.

With the pkcs11-tool -O -l this will list the objects, and you will see:

Private Key Object; RSA
   label:      SIGN key
   ID:         02
   Usage:      decrypt, sign, non-repudiation
   Access:     always authenticate

The label is where the value used by p11-kit for object=SIGN%20key;type=private comes from.

I do not use p11-kit, but wrote the OpenSC PIV driver.
I will leave it up to others to explain the p11-kit use of the URI.

Also see:
https://tools.ietf.org/html/rfc7512


--

  Douglas E. Engert  <[hidden email]>


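Douglas's point above (every path attribute of the URI must match the token or object, and a URI that still matches more than one object is rejected) can be exercised offline. The following Python is an added example written for this page, not code from libp11, p11-kit or OpenSC. The token inventory, the SafeNet attribute values and the refuse-on-ambiguity rule are assumptions modelled on the thread; the `piv_II` manufacturer string for the Yubikey under OpenSC is taken from David's p11tool output.

```python
"""RFC 7512 PKCS#11 URI parsing and object selection (added example).

Models the selection rule described in the thread: all path attributes must
match, 'pin-value' and friends are query attributes and never take part in
matching, and a URI that matches several objects is an error rather than a
silent "first one wins".  The inventory below is constructed for the example.
"""
from urllib.parse import unquote, unquote_to_bytes

TOKEN_ATTRS = {"token", "manufacturer", "serial", "model"}
OBJECT_ATTRS = {"object", "type", "id"}
QUERY_ATTRS = {"pin-value", "pin-source", "module-name", "module-path"}


class NotFound(LookupError):
    pass


class AmbiguousMatch(LookupError):
    pass


def parse_pkcs11_uri(uri):
    """Return (path_attrs, query_attrs) for a pkcs11: URI.

    RFC 7512 separates path attributes with ';' and query attributes with '&'
    after a '?'.  Values are percent-encoded; CKA_ID ('id') is raw binary, the
    rest is text.  Query attributes written in the path (as in the openssl
    command lines in this thread) are tolerated and moved to the query dict.
    """
    if not uri.startswith("pkcs11:"):
        raise ValueError("not a pkcs11: URI")
    path_part, _, query_part = uri[len("pkcs11:"):].partition("?")
    path, query = {}, {}
    for part, sep, into in ((path_part, ";", path), (query_part, "&", query)):
        for item in filter(None, part.split(sep)):
            name, eq, raw = item.partition("=")
            if not eq:
                raise ValueError(f"malformed attribute {item!r}")
            target = query if name in QUERY_ATTRS else into
            if name in target:
                raise ValueError(f"duplicate attribute {name!r}")
            target[name] = unquote_to_bytes(raw) if name == "id" else unquote(raw)
    return path, query


def find_objects(uri, tokens):
    """All (token_label, object) pairs the URI's path attributes select."""
    path, _query = parse_pkcs11_uri(uri)
    unknown = set(path) - TOKEN_ATTRS - OBJECT_ATTRS
    if unknown:
        raise ValueError(f"unsupported path attribute(s): {sorted(unknown)}")
    hits = []
    for tok in tokens:
        # token-level attributes must all agree before objects are inspected
        if any(tok.get(k) != v for k, v in path.items() if k in TOKEN_ATTRS):
            continue
        for obj in tok["objects"]:
            if all(obj.get(k) == v for k, v in path.items() if k in OBJECT_ATTRS):
                hits.append((tok["token"], obj))
    return hits


def select_key(uri, tokens):
    """The single object the URI denotes; refuse both 'none' and 'several'."""
    hits = find_objects(uri, tokens)
    if not hits:
        raise NotFound("Specified object not found")
    if len(hits) > 1:
        raise AmbiguousMatch(f"URI matches {len(hits)} objects on {[t for t, _ in hits]}")
    return hits[0]


def outcome(uri, tokens):
    """One-word summary of what select_key does, for tables and tests."""
    try:
        token, _ = select_key(uri, tokens)
        return f"selected:{token}"
    except AmbiguousMatch:
        return "ambiguous"
    except NotFound:
        return "not-found"


# Constructed inventory.  Attribute values are what CK_TOKEN_INFO and the
# object attributes would report through the PKCS#11 module: "piv_II" is the
# manufacturer OpenSC reports for PIV cards; the SafeNet values are made up,
# and it is given a "SIGN key" too, the situation Douglas suspects.
TOKENS = [
    {"token": "PIV_II (PIV Card Holder pin)", "manufacturer": "piv_II",
     "model": "PKCS#15 emulated", "serial": "bb6465375e550527",
     "objects": [{"object": "SIGN key", "type": "private", "id": b"\x02"},
                 {"object": "SIGN key", "type": "cert", "id": b"\x02"}]},
    {"token": "SafeNet eToken", "manufacturer": "SafeNet, Inc.",
     "model": "eToken", "serial": "0123456789abcdef",
     "objects": [{"object": "SIGN key", "type": "private", "id": b"\x01"}]},
]

if __name__ == "__main__":
    for uri in ("pkcs11:object=SIGN%20key;type=private;pin-value=123456",
                "pkcs11:manufacturer=piv_II;object=SIGN%20key;type=private",
                "pkcs11:manufacturer=Yubico;object=SIGN%20key;type=private"):
        print(f"{uri:<70} -> {outcome(uri, TOKENS)}")
```

Note that `manufacturer=Yubico` fails with "not found" even with only the Yubikey present: the OpenSC module reports `piv_II`, so the URI has to use the attribute values the PKCS#11 module actually exposes (what `p11tool --list-token-urls` or `pkcs11-tool -L` prints), not the reader name shown by `opensc-tool -l`.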

Re: Cannot perform signing when multiple keys are present

Douglas E Engert
In reply to this post by David Woodhouse


On 12/14/2016 2:22 PM, David Woodhouse wrote:

> On Wed, 2016-12-14 at 20:11 +0100, Marcin Okraszewski wrote:
>>
>> I tried various forms of key, like eg:
>> pkcs11:manufacturer=Yubico;object=SIGN%20key;type=private;pin-value=$pin
>> pkcs11:model=Yubico%20Yubikey%204%20OTP%2BU2F%2BCCID;object=SIGN%20key;type=private;pin-value=XXXXX
>> pkcs11:model=Yubikey%204%20OTP%2BU2F%2BCCID;object=SIGN%20key;type=private;pin-value=XXXXX
>> pkcs11:serial=BB6465375E5505273760A874579A76FB;object=SIGN%20key;type=private;pin-value=XXXXX
>> pkcs11:serial=BB:64:65:37:5E:55:05:27:37:60:A8:74:57:9A:76:FB;object=SIGN%20key;type=private;pin-value=XXXXX
>
> $ p11tool --list-token-urls | grep piv
> pkcs11:model=PKCS%2315%20emulated;manufacturer=piv_II;serial=108421384210c3f5;token=PIV_II%20%28PIV%20Card%20Holder%20pin%29
>
> I usually use 'pkcs11:manufacturer=piv_II;…' as it's easy to type. Not
> entirely sure why the serial number variant didn't work; perhaps that's
> not precisely how OpenSC exposes it? Or could it be case sensitive?


With regards to the serial number: NIST 800-73 (PIV) does not define a serial number. It defines a set of objects on a card
and allows for multiple manufacturers who may or may not provide a serial number or a way to write a serial number.
So to simulate a serial number the CHUID object is read from the card.
Official PIV cards have a CHUID.
Yubico provides a tool to write a CHUID to their tokens.
Note: the Microsoft PIV driver requires a CHUID too.

If the CHUID is present and (the FASCN has agency code = 9999 or the FASCN is not present) and the CHUID has a GUID, the GUID is used as the serial number (16 bytes).
Otherwise, if the FASCN is present, it is used as the serial number (25 bytes).
If the CHUID is not present the serial returned is 00000000.
The above is printed by opensc-tool --serial.

See opensc:
  src/libopensc/card-piv.c piv_get_serial_nr_from_CHUI

But for PKCS#11 the serial number is 16 bytes or less. See:
  src/pkcs11/framework-pkcs11.c piv_get_serial_nr_from_CHUI  takes the last 16 bytes. (The FASCN was 25.)



--

  Douglas E. Engert  <[hidden email]>


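The serial-number rule Douglas describes, as an added worked example (Python written for this page, not OpenSC's `piv_get_serial_nr_from_CHUI`): it reproduces the three cases (GUID, FASC-N, no CHUID) and the last-16-bytes truncation for PKCS#11. The GUID value is the one from Marcin's `opensc-tool --serial` output; the FASC-N bytes and the pre-parsed `agency_code` field are constructed, since decoding a real BCD-packed FASC-N is not shown here.

```python
"""Simulated PIV serial number, following the rule described in the thread
(added example, not OpenSC's code)."""
from dataclasses import dataclass
from typing import Optional

PKCS11_SERIAL_BYTES = 16   # the PKCS#11 token serial keeps at most the last 16 bytes (per the thread)
NO_CHUID_SERIAL = bytes(4) # "00000000" is reported when the card has no CHUID
TEST_AGENCY_CODE = 9999    # FASC-N agency code that marks a test/unissued credential

# GUID taken from the opensc-tool --serial output posted in the thread.
GUID = bytes.fromhex("BB6465375E5505273760A874579A76FB")
# Constructed stand-in for a 25-byte FASC-N (a real one is BCD packed).
FASCN = bytes(range(1, 26))


@dataclass
class Chuid:
    """The parts of a CHUID the rule looks at (hypothetical pre-parsed form)."""
    guid: Optional[bytes] = None
    fascn: Optional[bytes] = None
    agency_code: Optional[int] = None   # first FASC-N field; None when no FASC-N


def simulated_serial(chuid: Optional[Chuid]) -> bytes:
    """Serial bytes the card driver reports, as the thread describes the rule."""
    if chuid is None:
        return NO_CHUID_SERIAL
    fascn_missing_or_test = chuid.fascn is None or chuid.agency_code == TEST_AGENCY_CODE
    if chuid.guid is not None and fascn_missing_or_test:
        return chuid.guid               # 16 bytes
    if chuid.fascn is not None:
        return chuid.fascn              # 25 bytes
    return NO_CHUID_SERIAL              # assumption: CHUID with neither field acts like no CHUID


def pkcs11_serial(serial: bytes) -> bytes:
    """What the PKCS#11 layer keeps: the last 16 bytes (a 25-byte FASC-N is cut)."""
    return serial[-PKCS11_SERIAL_BYTES:]


def opensc_tool_serial(serial: bytes) -> str:
    """Format like the hex column of `opensc-tool --serial`."""
    return " ".join(f"{b:02X}" for b in serial)


def compare(chuid: Optional[Chuid]) -> dict:
    """Card-level vs PKCS#11-level serial for one CHUID, and whether they agree."""
    full = simulated_serial(chuid)
    cut = pkcs11_serial(full)
    return {"card": opensc_tool_serial(full), "pkcs11": cut.hex(), "same": full == cut}


if __name__ == "__main__":
    cases = {
        "no CHUID": None,
        "GUID only": Chuid(guid=GUID),
        "GUID + test FASC-N": Chuid(guid=GUID, fascn=FASCN, agency_code=TEST_AGENCY_CODE),
        "GUID + issued FASC-N": Chuid(guid=GUID, fascn=FASCN, agency_code=1234),
    }
    for name, chuid in cases.items():
        print(f"{name:<22} {compare(chuid)}")
```

The practical consequence for the URI: with an issued FASC-N present, `opensc-tool --serial` prints 25 bytes while the token reached through the PKCS#11 module carries only the last 16, so a `serial=` value copied from `opensc-tool` may never match; list the token URL through the PKCS#11 module instead and copy the serial from there.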

Re: Cannot perform signing when multiple keys are present

Marcin Okraszewski
David, Douglas,
Thank you for your answers. It seems then that there is some other problem. Listing tokens with p11tool returns an empty list on that computer (while the other tools show 5 readers). I run the tool like this:

p11tool.exe --provider c:\Windows\System32\opensc-pkcs11.dll

It provides no output there. So it looks like p11 doesn't see the token at all (while the other tools do). Removing the other token doesn't help either.

So the other token might be completely unrelated. Do you maybe have any idea why this happens?

Best regards,
Marcin Okraszewski


On Thu, Dec 15, 2016 at 4:48 AM, Douglas E Engert <[hidden email]> wrote:





Re: Cannot perform signing when multiple keys are present

Nikos Mavrogiannopoulos-2
On Thu, Dec 15, 2016 at 7:18 PM, Marcin Okraszewski <[hidden email]> wrote:
> David, Douglas,
> Thank you for answers. It seems then there is some other problem there.
> Listing tokens with p11tool returns an empty list on that computer (while
> the other tools show 5 readers). I run the tool like this:
> p11tool.exe --provider c:\Windows\System32\opensc-pkcs11.dll

You can enable more p11-kit debugging using the P11_KIT_DEBUG=all
environment variable.


Re: Cannot perform signing when multiple keys are present

David Woodhouse
In reply to this post by Marcin Okraszewski
On Thu, 2016-12-15 at 19:18 +0100, Marcin Okraszewski wrote:
>
> It provides no output, there. So, it looks like the p11 doesn't see
> the token at all (while other tools does). Removing the other token
> doesn't help too.

Sounds like your PKCS#11 provider module is installed without a
corresponding p11-kit .module file to let applications know where to
find it automatically.

That is unfortunately the case even on poorly-maintained Linux
distributions; it's not surprising that it's the case on Windows.
You'll probably have to make the .module file manually.

https://p11-glue.freedesktop.org/doc/p11-kit/pkcs11-conf.html
--
dwmw2

Re: Cannot perform signing when multiple keys are present

Marcin Okraszewski
I think I have the root cause, which lies completely elsewhere. Apparently the Yubikey driver doesn't install properly on this machine. Normally the Yubikey is visible in Device Manager under the Smart cards section as "Identity Device (NIST SP 800-73 [PIV])". On that machine I see "Unknown Smart Card" (see attached screenshots). I don't know yet why that is, but this is out of scope for this group I guess. Sorry, I was so misled by the fact that there are two tokens and that other tools do see the Yubikey that I didn't even think of checking it. Only the empty list from p11tool, together with Douglas pointing out that the other tools do not use the PKCS#11 module, finally triggered the thought to check it.

For completeness, here is the debug output from p11tool:

>\gnutls-3.4.9\bin\p11tool.exe --provider c:\Windows\System32\opensc-pkcs11.dll  --list-tokens
(p11-kit:2992) p11_library_init: initializing library
(p11-kit:2992) p11_kit_module_load: in: c:\Windows\System32\opensc-pkcs11.dll
(p11-kit:2992) load_module_from_file_inlock: loading module from path: c:\Windows\System32\opensc-pkcs11.dll
(p11-kit:2992) dlopen_and_get_function_list: opened module: c:\Windows\System32\opensc-pkcs11.dll
(p11-kit:2992) p11_kit_module_load: out: success
(p11-kit:2992) p11_kit_module_release: in
(p11-kit:2992) p11_kit_module_release: out
(p11-kit:2992) uninit_common: uninitializing library

Thank you,
Marcin Okraszewski


On Thu, Dec 15, 2016 at 9:08 PM, David Woodhouse <[hidden email]> wrote:



Attachments: recognized.png (158K), unknown.png (228K)

Re: Cannot perform signing when multiple keys are present

Douglas E Engert


On 12/16/2016 8:54 AM, Marcin Okraszewski wrote:
> I think I have the root cause, which lies completely elsewhere. Apparently Yubikey driver doesn't install properly on this machine. Normally you Yubikey is visible in Device Manager under Smart cards
> section as "Identity Device (NIST SP 800-73 [PIV])".
> On that machine I see "Unknown Smart Card" (see attached screenshots). I don't know yet why is it so, but this is out of scope for this group I
> guess.

Microsoft has its own PIV smart card driver used with its CAPI and minidrivers.
Google for: microsoft PIV and for: microsoft minidriver

So for PIV cards at least, unless you need PKCS#11 you don't need third party software.
What I think you are seeing in Device Manager is the fact that Microsoft recognizes it's a PIV card.
But the Microsoft code requires a CHUID on the card to recognize it as a PIV. NIST 800-73 says the CHUID is mandatory.
Yubico may or may not provide their own driver, but as I understand it, the reason for Yubico to present a PIV
interface is to not require additional software.

OpenSC and other vendors provide software that interfaces with smart cards at the PCSC level just like on Linux,
so all that is needed is access to the readers.
OpenSC and other vendors also provide a minidriver that can access any smartcard OpenSC supports, so one can get
CAPI access to the card. But this also requires registry changes to list the ATRs of the cards supported.


> Sorry, I was so mislead with the fact there are two tokens and that other tools does see Yubikey that I didn't even thought of checking it. Only the empty list from p11tool and together with
> Douglas pointing other tools are not use PKCS#11 module triggered finally the thought check it.
>
> For completeness, here is the debug output from p11tool:
>
>>\gnutls-3.4.9\bin\p11tool.exe --provider c:\Windows\System32\opensc-pkcs11.dll  --list-tokens
> (p11-kit:2992) p11_library_init: initializing library
> (p11-kit:2992) p11_kit_module_load: in: c:\Windows\System32\opensc-pkcs11.dll
> (p11-kit:2992) load_module_from_file_inlock: loading module from path: c:\Windows\System32\opensc-pkcs11.dll
> (p11-kit:2992) dlopen_and_get_function_list: opened module: c:\Windows\System32\opensc-pkcs11.dll
> (p11-kit:2992) p11_kit_module_load: out: success
> (p11-kit:2992) p11_kit_module_release: in
> (p11-kit:2992) p11_kit_module_release: out
> (p11-kit:2992) uninit_common: uninitializing library
>
> Thank you,
> Marcin Okraszewski
>
>

--

  Douglas E. Engert  <[hidden email]>



Re: Cannot perform signing when multiple keys are present

Marcin Okraszewski
Hi Douglas,
Thank you for the explanation. So, as I understand it, as long as there is a connection to the reader, I should be able to use the token from OpenSSL via libp11. The token is visible, as I'm able to initialize it, generate a key and import a certificate via Yubico's piv-tool. But I'm not able even to list tokens with p11tool. Note, I don't specify any configuration. I just install OpenSC and run "gnutls-3.4.9\bin\p11tool.exe --provider c:\Windows\System32\opensc-pkcs11.dll  --list-tokens". I run it as administrator.

When it comes to Device Manager, the card is not recognized even if I regenerate the CHUID, unplug and plug the token again, or even reboot Windows (2012 R2). The CHUID is being set and I can see the value being changed by the status action.

Thanks,
Marcin

On Fri, Dec 16, 2016 at 5:19 PM, Douglas E Engert <[hidden email]> wrote:






Re: Cannot perform signing when multiple keys are present

Douglas E Engert


On 12/19/2016 8:45 AM, Marcin Okraszewski wrote:
> Hi Douglas,
> Thank you for explanation. So, what I understand here, if only there is connection to the reader, I should be able to use the token from OpenSSL via libp11.

I believe I understand your comment: if only one PIV-like card is present.


> The token is visible, as I'm able to
> initialize it, generate key, import certificate via Yubico's piv-tool.

Yes, these use PCSC but not any PKCS#11.



> But I'm not able even to list tokens with p11tool. Note, I don't specify any configuration. I just install OpenSC and run
> "gnutls-3.4.9\bin\p11tool.exe --provider c:\Windows\System32\opensc-pkcs11.dll  --list-tokens". I run it as administrator.

I can not speak to how p11tool should work.
Is there some 32 bit opensc-pkcs11.dll with 64 bit p11tool?
You are running in a cmd window?

What does the OpenSC pkcs11-tool.exe -O -l show?

Do you get any output?

>
> When it comes to Device Manager, the card is not being recognized even if I regenerate CHUID, unplug and plug token again or even reboot Windows (2012 R2). The CHUID is being set and I can see the
> value being changed by status action.

When you regenerated the CHUID, did it tell you what it did?
There was a bug in how Yubico created a CHUID. It was fixed in 2014. Are you using an old version?
https://github.com/Yubico/yubico-piv-tool/issues/9

I believe there is a verbose option for yubico-piv-tool to list the chuid, or list it while it is created.


Also see:

https://github.com/OpenSC/OpenSC/wiki/Using-OpenSC

on how to set up an OpenSC debug log and an OpenSC SPY log.

These would show what might be going on. It would also show if the CHUID was being read, and its binary value.


>
> Thanks,
> Marcin
>
> On Fri, Dec 16, 2016 at 5:19 PM, Douglas E Engert <[hidden email]> wrote:
>
>
>
>     On 12/16/2016 8:54 AM, Marcin Okraszewski wrote:
>
>         I think I have the root cause, which lies completely elsewhere. Apparently the Yubikey driver doesn't install properly on this machine. Normally your Yubikey is visible in Device Manager under the
>         Smart cards section as "Identity Device (NIST SP 800-73 [PIV])".
>         On that machine I see "Unknown Smart Card" (see attached screenshots). I don't know yet why that is so, but this is out of scope for this group I
>         guess.
>
>
>     Microsoft has its own PIV smart card driver used with its CAPI and minidrivers.
>     Google for: microsoft PIV and for: microsoft minidriver
>
>     So for PIV cards at least, unless you need PKCS#11 you don't need third-party software.
>     What I think you are seeing in Device Manager is the fact that Microsoft recognizes it's a PIV card.
>     But the Microsoft code requires a CHUID on the card to recognize it as a PIV. NIST 800-73 says the CHUID is mandatory.
>     Yubico may or may not provide their own driver, but as I understand it, the reason for Yubico to present a PIV
>     interface is to not require additional software.
>
>     OpenSC and other vendors provide software that interfaces with smart cards at the PCSC level, just like on Linux,
>     so all that is needed is access to the readers.
>     OpenSC and other vendors also provide a minidriver that can access any smartcard OpenSC supports, so one can get
>     CAPI access to the card. But this also requires registry changes to list the ATRs of the cards supported.
>
>
>         Sorry, I was so misled by the fact that there are two tokens and that other tools do see the Yubikey that I didn't even think of checking it. Only the empty list from p11tool, together with
>         Douglas pointing out that the other tools do not use the PKCS#11 module, finally triggered the thought to check it.
>
>         For completeness, here is the debug output from p11tool:
>
>             \gnutls-3.4.9\bin\p11tool.exe --provider c:\Windows\System32\opensc-pkcs11.dll  --list-tokens
>
>         (p11-kit:2992) p11_library_init: initializing library
>         (p11-kit:2992) p11_kit_module_load: in: c:\Windows\System32\opensc-pkcs11.dll
>         (p11-kit:2992) load_module_from_file_inlock: loading module from path: c:\Windows\System32\opensc-pkcs11.dll
>         (p11-kit:2992) dlopen_and_get_function_list: opened module: c:\Windows\System32\opensc-pkcs11.dll
>         (p11-kit:2992) p11_kit_module_load: out: success
>         (p11-kit:2992) p11_kit_module_release: in
>         (p11-kit:2992) p11_kit_module_release: out
>         (p11-kit:2992) uninit_common: uninitializing library
>
>         Thank you,
>         Marcin Okraszewski
>
>
>         On Thu, Dec 15, 2016 at 9:08 PM, David Woodhouse <[hidden email]> wrote:
>
>             On Thu, 2016-12-15 at 19:18 +0100, Marcin Okraszewski wrote:
>             >
>             > It provides no output, there. So, it looks like the p11 doesn't see
>             > the token at all (while other tools do). Removing the other token
>             > doesn't help either.
>
>             Sounds like your PKCS#11 provider module is installed without a
>             corresponding p11-kit .module file to let applications know where to
>             find it automatically.
>
>             That is unfortunately the case even on poorly-maintained Linux
>             distributions; it's not surprising that it's the case on Windows.
>             You'll probably have to make the .module file manually.
>
>             https://p11-glue.freedesktop.org/doc/p11-kit/pkcs11-conf.html
>             --
>             dwmw2
>
>
>
>     --
>
>      Douglas E. Engert  <[hidden email]>
>
>

--

  Douglas E. Engert  <[hidden email]>



Re: Cannot perform signing when multiple keys are present

Marcin Okraszewski
Hi Douglas,
Thank you for your patience. I've tried with another Yubikey and now it shows the proper name in Device Manager, but the problem persists, so it is not the root cause :( Further answers inline.

>> But I'm not able even to list tokens with p11tool. Note, I don't specify any configuration. I just install OpenSC and run
>> "gnutls-3.4.9\bin\p11tool.exe --provider c:\Windows\System32\opensc-pkcs11.dll  --list-tokens". I run it as administrator.
>
> I cannot speak to how p11tool should work.
> Is there some 32-bit opensc-pkcs11.dll with a 64-bit p11tool?
> You are running in a cmd window?

I install everything in the 64-bit version. I first install OpenSC 0.16. The p11tool was mentioned here by David, as well as in the libp11 wiki (https://github.com/OpenSC/libp11#using-the-engine-from-the-command-line-tool).

Should I switch to 32-bit?
 
> What does the OpenSC pkcs11-tool.exe -O -l show?

C:\Program Files\OpenSC Project\OpenSC\tools>pkcs11-tool.exe -O -l
No slot with a token was found.

Output with OPENSC_DEBUG=9 is available here: http://pastebin.com/3D9qfgDp

The output of the PKCS11-Spy available here: http://pastebin.com/hJpyyhNG . From what I see, it doesn't see the Yubikey in the PKCS11 Spy output, while it is visible in debug output of the same command. 
 

>> When it comes to Device Manager, the card is not being recognized even if I regenerate CHUID, unplug and plug token again or even reboot Windows (2012 R2). The CHUID is being set and I can see the
>> value being changed by status action.
>
> When you regenerated the CHUID, did it tell you what it did?
> There was a bug in how Yubico created a CHUID. It was fixed in 2014. Are you using an old version?
> https://github.com/Yubico/yubico-piv-tool/issues/9
>
> I believe there is a verbose option for yubico-piv-tool to list the chuid, or list it while it is created.

I'm using the latest version, 1.4.2 from August 12, 2016.

"yubico-piv-tool.exe -a set-chuid" returns "Successfully set new CHUID."

Verbose output from set-chuid and status available here: http://pastebin.com/x8gTtm43

I have also found error entries in System Event log. It appears for all readers (not only Yubikey) every time I use those PKCS#11 tools:

Log Name:      System
Source:        Microsoft-Windows-Smartcard-Server
Date:          19.12.2016 14:57:48
Description:
Smart Card Reader 'Yubico Yubikey 4 OTP+U2F+CCID 0' rejected IOCTL 0x313520: Incorrect function.  If this error persists, your smart card or reader may not be functioning correctly.


Does it give any clue? I'm frankly completely lost!

Thank you!
Marcin Okraszewski





Re: Cannot perform signing when multiple keys are present

Marcin Okraszewski
> You are running in a cmd window?


Yes, I run in cmd window.  


Re: Cannot perform signing when multiple keys are present

Douglas E Engert
In reply to this post by Marcin Okraszewski
The debug trace shows you have reached the default limits on readers and slots.
You have all those drivers that define their own readers, which most people don't have.
I should have spotted that earlier.

opensc.conf has default limits on how many readers and slots per reader.
I think you have reached the limits, try changing them.

See the opensc.conf file, in the app opensc-pkcs11 section:

  # (max_virtual_slots/slots_per_card) limits the number of readers
  # that can be used on the system. Default is then 16/4=4 readers.

libopensc can see the readers, but the PKCS#11 module cannot see the slots.


On 12/20/2016 8:08 AM, Marcin Okraszewski wrote:


--

  Douglas E. Engert  <[hidden email]>
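The reader budget Douglas describes (max_virtual_slots divided by slots_per_card, 16/4 = 4 readers by default) is easy to check against a machine's reader list before guessing at drivers or CHUIDs. The script below is an added example, not OpenSC code: it reads the two limits from the `app opensc-pkcs11` block of an opensc.conf (commented-out lines are ignored, so the stock defaults apply), counts the readers in an `opensc-tool -l` style listing, and names the readers that fall outside the budget. The configuration text and the six-reader listing are constructed samples; it assumes the stock brace-delimited layout of opensc.conf, and that the readers OpenSC hides are the later-enumerated ones.

```python
"""Check whether OpenSC's PKCS#11 virtual-slot limit hides readers.

Added example (not OpenSC code). It reads max_virtual_slots and
slots_per_card from the `app opensc-pkcs11` block of an opensc.conf,
counts the readers in an `opensc-tool -l` style listing, and reports
which readers fall outside max_virtual_slots / slots_per_card.
"""
import re

# Defaults as given in the opensc.conf comment quoted in the thread: 16/4 = 4 readers.
DEFAULT_MAX_VIRTUAL_SLOTS = 16
DEFAULT_SLOTS_PER_CARD = 4


def parse_opensc_pkcs11_section(conf_text):
    """Return {name: int} for max_virtual_slots / slots_per_card set inside
    the `app opensc-pkcs11 { ... }` block. Text after '#' is dropped, so the
    commented-out defaults shipped in opensc.conf are not picked up.
    Assumption: the block is brace-delimited as in the stock config."""
    values = {}
    in_section = False
    depth = 0
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if not in_section:
            if re.match(r"app\s+opensc-pkcs11\s*\{", line):
                in_section = True
                depth = 1
            continue
        depth += line.count("{") - line.count("}")
        if depth <= 0:
            break  # left the app opensc-pkcs11 block
        m = re.match(r"(max_virtual_slots|slots_per_card)\s*=\s*(\d+)\s*;", line)
        if m:
            values[m.group(1)] = int(m.group(2))
    return values


def parse_reader_list(listing):
    """Return reader names, in order, from `opensc-tool -l` style output.
    Only the numbered rows count; header lines are skipped. If the Features
    column is populated it is folded into the name, which is fine for counting."""
    readers = []
    for line in listing.splitlines():
        m = re.match(r"\s*\d+\s+(?:Yes|No)\s+(.+?)\s*$", line)
        if m:
            readers.append(m.group(1))
    return readers


def diagnose(conf_text, listing):
    """Compare detected readers against the PKCS#11 reader budget.
    Assumption: readers beyond the budget are the later-enumerated ones."""
    cfg = parse_opensc_pkcs11_section(conf_text)
    max_slots = cfg.get("max_virtual_slots", DEFAULT_MAX_VIRTUAL_SLOTS)
    per_card = max(1, cfg.get("slots_per_card", DEFAULT_SLOTS_PER_CARD))
    budget = max_slots // per_card
    readers = parse_reader_list(listing)
    return {
        "max_virtual_slots": max_slots,
        "slots_per_card": per_card,
        "reader_budget": budget,
        "detected_readers": len(readers),
        "hidden_readers": readers[budget:],
        "ok": len(readers) <= budget,
    }


# Constructed sample: a stock-style opensc.conf with both limits commented out.
STOCK_CONF = """\
app default {
    # debug = 3;
}

app opensc-pkcs11 {
    pkcs11 {
        # (max_virtual_slots/slots_per_card) limits the number of readers
        # that can be used on the system. Default is then 16/4=4 readers.
        # max_virtual_slots = 16;
        # slots_per_card = 4;
    }
}
"""

# Same file after the fix from the thread: max_virtual_slots uncommented and raised to 32.
FIXED_CONF = STOCK_CONF.replace("# max_virtual_slots = 16;", "max_virtual_slots = 32;")

# Constructed reader listing in the `opensc-tool -l` layout: six readers, the Yubikey last.
SAMPLE_READER_LIST = """\
# Detected readers (pcsc)
Nr.  Card  Features  Name
0    Yes             Vendor A Reader 0
1    Yes             Vendor A Reader 1
2    Yes             Vendor A Reader 2
3    Yes             Vendor B Virtual Reader 0
4    Yes             Vendor B Virtual Reader 1
5    Yes             Yubico Yubikey 4 OTP+U2F+CCID 0
"""

if __name__ == "__main__":
    for label, conf in (("stock", STOCK_CONF), ("fixed", FIXED_CONF)):
        r = diagnose(conf, SAMPLE_READER_LIST)
        print(label, "budget:", r["reader_budget"], "detected:", r["detected_readers"],
              "hidden:", r["hidden_readers"])
```

With the stock configuration the six-reader sample leaves the last two readers, the Yubikey among them, outside the budget of four, which is exactly the "No slot with a token was found" symptom; with max_virtual_slots raised to 32 the budget becomes eight and nothing is hidden. Replace the two sample strings with the real opensc.conf contents and the real `opensc-tool -l` output to run the same check on a machine.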



Re: Cannot perform signing when multiple keys are present

Marcin Okraszewski
Douglas,
That was it!!! I just uncommented the line "max_virtual_slots = 32;" and it works like a charm!!! Everything - signing with openssl, listing tokens & objects by p11tool, the pkcs11-tool -O -l. Everything just works! Christmas is coming!

I would have never found it myself. I really don't know how to thank you! Any wish? Of course, beer when you come to Gdansk/Poland is on me.

Thank you!
Marcin Okraszewski


On Tue, Dec 20, 2016 at 8:44 PM, Douglas E Engert <[hidden email]> wrote:




Re: Cannot perform signing when multiple keys are present

Douglas E Engert
Your thank you note is more than enough. Glad I could help.


On 12/20/2016 3:25 PM, Marcin Okraszewski wrote:


--

  Douglas E. Engert  <[hidden email]>



Re: Cannot perform signing when multiple keys are present

Michal Trojnara
Hi Guys,

What is the rationale for the current default to be so low?  Does it
conserve a significant amount of memory or any other precious resource?

Best regards,
        Mike

On 12/21/2016 02:46 PM, Douglas E Engert wrote:



Re: Cannot perform signing when multiple keys are present

Martin Paljak-4
Most end users have one, two, maybe three devices.

If you populate all slots (as was once the case with static PKCS#11
layout IIRC) it gets messy for some applications.

Martin


On 21/12/2016 17:14, Michał Trojnara wrote:



Re: Cannot perform signing when multiple keys are present

Douglas E Engert
In reply to this post by Michal Trojnara


On 12/21/2016 9:14 AM, Michał Trojnara wrote:
> Hi Guys,
>
> What is the rationale for the current default to be so low?  Does it
> conserve a significant amount of memory or any other precious resource?

Not that I know.

From what I can see, on his machine there are some Windows drivers for:
(3) Aladdin IDF Handlers
(1) Microsoft Usbccid Smartcard Reader (WUDF)
(3) Rainbow iKey readers

This could be 7 readers?

If you were using RDC/rdesktop you might have even more.

OpenSC sees all the readers, but the PKCS#11 code has the limit. Could we make it dynamic?
Or at least set the default limit to a few more than the number of readers already found?




--

  Douglas E. Engert  <[hidden email]>

