Enable debug problem

Enable debug problem

Alejandro Díaz
Hi all!!

I need to enable debugging on OpenSC, but I can't do it.

I've tested with Ubuntu Oneiric package (opensc_0.12.1-1ubuntu1_amd64.deb)

~$ opensc-tool --info
opensc 0.12.1 [gcc  4.6.1]
Enabled features: zlib openssl pcsc(/lib/libpcsclite.so.1)
~$ pcscd --version
pcsc-lite version 1.7.2.
Copyright (C) 1999-2002 by David Corcoran <[hidden email]>.
Copyright (C) 2001-2010 by Ludovic Rousseau <[hidden email]>.
Copyright (C) 2003-2004 by Damien Sauveron <[hidden email]>.
Report bugs to <[hidden email]>.
Enabled features: Linux x86_64-pc-linux-gnu serial usb libudev usbdropdir=/usr/lib/pcsc/drivers ipcdir=/var/run/pcscd configdir=/etc/reader.conf.d

And compiling and installing from the latest source on GitHub:

$ opensc-tool --info
opensc 0.12.3-pre1 [gcc  4.6.1]
Enabled features: zlib readline openssl pcsc(libpcsclite.so.1)
$ pcscd --version
pcsc-lite version 1.7.2.
Copyright (C) 1999-2002 by David Corcoran <[hidden email]>.
Copyright (C) 2001-2010 by Ludovic Rousseau <[hidden email]>.
Copyright (C) 2003-2004 by Damien Sauveron <[hidden email]>.
Report bugs to <[hidden email]>.
Enabled features: Linux x86_64-pc-linux-gnu serial usb libudev usbdropdir=/usr/lib/pcsc/drivers ipcdir=/var/run/pcscd configdir=/etc/reader.conf.d
~$ pkcs11-tool --login --test --module /usr/lib/opensc-pkcs11.so
Using slot 1 with a present token (0x1)
Logging in to "Alejandro Díaz (User PIN)".
Please enter User PIN: 
C_SeedRandom() and C_GenerateRandom():
  seeding (C_SeedRandom) not supported
  seems to be OK
Digests:
  all 4 digest functions seem to work
  MD5: OK
  SHA-1: OK
  RIPEMD160: OK
Signatures (currently only RSA signatures)
  testing key 0 (Private Key) 
  all 4 signature functions seem to work
  testing signature mechanisms:
    RSA-X-509: OK
    RSA-PKCS: OK
    SHA1-RSA-PKCS: OK
    MD5-RSA-PKCS: OK
    RIPEMD160-RSA-PKCS: OK
  testing key 1 (2048 bits, label=Private Key) with 1 signature mechanism
    MD5-RSA-PKCS: OK
  testing key 2 (2048 bits, label=Private Key) with 1 signature mechanism
    MD5-RSA-PKCS: OK
Verify (currently only for RSA):
  testing key 0 (Private Key)
    RSA-X-509: OK
    RSA-PKCS: OK
    SHA1-RSA-PKCS: OK
    MD5-RSA-PKCS: OK
    RIPEMD160-RSA-PKCS: OK
  testing key 1 (Private Key) with 1 mechanism
    RSA-X-509: OK
  testing key 2 (Private Key) with 1 mechanism
    RSA-X-509: OK
Unwrap: not implemented
Decryption (RSA)
  testing key 0 (Private Key)  -- can't be used to decrypt, skipping
  testing key 1 (Private Key)  -- can't be used to decrypt, skipping
  testing key 2 (Private Key) 
    RSA-X-509: OK
    RSA-PKCS: OK
No errors
~$ opensc-tool -s 00:c0:00::00
Using reader with a card: C3PO LTC31 (80060327) 00 00
Sending: 00 C0 00 00 00 
Received (SW1=0x90, SW2=0x00):
6F 0E 84 07 00 00 00 70 D2 50 01 A5 03 88 01 00 o......p.P......


When I use pkcs11-tool test, opensc-tool or use the card from Firefox, all work fine:

~$ opensc-tool -n
Using reader with a card: C3PO LTC31 (80060327) 00 00
entersafe


but the debug file does not appear at /tmp dir.

I've edited /etc/opensc/opensc.conf file as the attached files.

Can you help me?

Thanks!

Alejandro Díaz Torres
Área de Proyectos
Emergya Consultoría
Tfno: +34 954 51 75 77
Fax: +34 954 51 64 73
www.emergya.es


_______________________________________________
opensc-devel mailing list
[hidden email]
http://www.opensc-project.org/mailman/listinfo/opensc-devel

Attachments: opensc.conf_from_github (19K), opensc.conf_deb (19K)
Re: Enable debug problem

Douglas E. Engert
Is /etc/opensc/opensc.conf world readable?
Try adding -v -v -v -v to the opensc-tool command.

Debian changes the location of the opensc.conf, so if you compile, it
might be in /etc/opensc.conf


On 06/14/12 02:13, Alejandro Díaz wrote:

> Hi all!!
>
> I need enable debugging on OpenSC, but I can't do it.
>
> I've tested with Ubuntu Oneiric package (opensc_0.12.1-1ubuntu1_amd64.deb)
>
>     ~$ opensc-tool --info
>     opensc 0.12.1 [gcc  4.6.1]
>     Enabled features: zlib openssl pcsc(/lib/libpcsclite.so.1)
>     ~$ pcscd --version
>     pcsc-lite version 1.7.2.
>     Copyright (C) 1999-2002 by David Corcoran <[hidden email]>.
>     Copyright (C) 2001-2010 by Ludovic Rousseau <[hidden email]>.
>     Copyright (C) 2003-2004 by Damien Sauveron <[hidden email]>.
>     Report bugs to <[hidden email]>.
>     Enabled features: Linux x86_64-pc-linux-gnu serial usb libudev usbdropdir=/usr/lib/pcsc/drivers ipcdir=/var/run/pcscd configdir=/etc/reader.conf.d
>
>
> And compiling and installing from last source on github:
>
>     $ opensc-tool --info
>     opensc 0.12.3-pre1 [gcc  4.6.1]
>     Enabled features: zlib readline openssl pcsc(libpcsclite.so.1)
>     $ pcscd --version
>     pcsc-lite version 1.7.2.
>     Copyright (C) 1999-2002 by David Corcoran <[hidden email]>.
>     Copyright (C) 2001-2010 by Ludovic Rousseau <[hidden email]>.
>     Copyright (C) 2003-2004 by Damien Sauveron <[hidden email]>.
>     Report bugs to <[hidden email]>.
>     Enabled features: Linux x86_64-pc-linux-gnu serial usb libudev usbdropdir=/usr/lib/pcsc/drivers ipcdir=/var/run/pcscd configdir=/etc/reader.conf.d
>     ~$ pkcs11-tool --login --test --module /usr/lib/opensc-pkcs11.so
>     Using slot 1 with a present token (0x1)
>     Logging in to "Alejandro Díaz (User PIN)".
>     Please enter User PIN:
>     C_SeedRandom() and C_GenerateRandom():
>        seeding (C_SeedRandom) not supported
>        seems to be OK
>     Digests:
>        all 4 digest functions seem to work
>        MD5: OK
>        SHA-1: OK
>        RIPEMD160: OK
>     Signatures (currently only RSA signatures)
>        testing key 0 (Private Key)
>        all 4 signature functions seem to work
>        testing signature mechanisms:
>          RSA-X-509: OK
>          RSA-PKCS: OK
>          SHA1-RSA-PKCS: OK
>          MD5-RSA-PKCS: OK
>          RIPEMD160-RSA-PKCS: OK
>        testing key 1 (2048 bits, label=Private Key) with 1 signature mechanism
>          MD5-RSA-PKCS: OK
>        testing key 2 (2048 bits, label=Private Key) with 1 signature mechanism
>          MD5-RSA-PKCS: OK
>     Verify (currently only for RSA):
>        testing key 0 (Private Key)
>          RSA-X-509: OK
>          RSA-PKCS: OK
>          SHA1-RSA-PKCS: OK
>          MD5-RSA-PKCS: OK
>          RIPEMD160-RSA-PKCS: OK
>        testing key 1 (Private Key) with 1 mechanism
>          RSA-X-509: OK
>        testing key 2 (Private Key) with 1 mechanism
>          RSA-X-509: OK
>     Unwrap: not implemented
>     Decryption (RSA)
>        testing key 0 (Private Key)  -- can't be used to decrypt, skipping
>        testing key 1 (Private Key)  -- can't be used to decrypt, skipping
>        testing key 2 (Private Key)
>          RSA-X-509: OK
>          RSA-PKCS: OK
>     No errors
>     ~$ opensc-tool -s 00:c0:00::00
>     Using reader with a card: C3PO LTC31 (80060327) 00 00
>     Sending: 00 C0 00 00 00
>     Received (SW1=0x90, SW2=0x00):
>     6F 0E 84 07 00 00 00 70 D2 50 01 A5 03 88 01 00 o......p.P......
>
>
> When i use pkcs11-tool test, opensc-tool or use the card from Firefox all work fine:
>
>
>     ~$ opensc-tool -n
>     Using reader with a card: C3PO LTC31 (80060327) 00 00
>     entersafe
>
>
> but the debug file does not appear at /tmp dir.
>
> I've edited /etc/opensc/opensc.conf file as the attached files.
>
> Can you help me?
>
> Thanks!
>
> Alejandro Díaz Torres
> Área de Proyectos
>
> Emergya Consultoría
> Tfno: +34 954 51 75 77
> Fax: +34 954 51 64 73
> www.emergya.es  <http://www.emergya.es>
>

--

  Douglas E. Engert  <[hidden email]>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444
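
Added example, not part of the original message: a shell check of the two opensc.conf locations named in the reply above, reporting for each whether it exists, whether it is world readable, and which debug settings are active rather than commented out. It assumes the settings are written as `debug = N;` and `debug_file = PATH;` lines and ignores which `app` block they sit in; the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread): find out which opensc.conf is in play.

# Locations named in the thread: the Debian/Ubuntu package path and the
# path a build from source might use instead.
CANDIDATES="/etc/opensc/opensc.conf /etc/opensc.conf"

# world_readable FILE -> exit 0 if the "other" read permission bit is set.
world_readable() {
    perms=$(ls -ld "$1" 2>/dev/null | cut -c1-10)
    [ "$(printf '%s' "$perms" | cut -c8)" = "r" ]
}

# active_setting FILE KEY -> value of the first uncommented "KEY = value;".
# Assumption: one setting per line, terminated by ';'. Lines starting with
# '#' are skipped, so a commented-out "# debug = 3;" does not count.
active_setting() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\([^;#]*\);.*/\1/p" \
        "$1" 2>/dev/null | head -n 1 | sed 's/[[:space:]]*$//'
}

# check_conf FILE -> one summary line for that file.
check_conf() {
    f=$1
    if [ ! -e "$f" ]; then
        echo "$f: missing"
        return 0
    fi
    if world_readable "$f"; then
        r="world-readable"
    else
        r="NOT world-readable"
    fi
    d=$(active_setting "$f" debug)
    df=$(active_setting "$f" debug_file)
    echo "$f: $r debug=${d:-unset} debug_file=${df:-unset}"
}

# Report on every candidate; two existing files means the edited one may
# not be the one the installed build reads.
for c in $CANDIDATES; do
    check_conf "$c"
done
```

If both paths exist, compare the output with what `opensc-tool` prints when run with `-v -v -v -v`.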
Re: Enable debug problem

Alejandro Díaz
Thank you very much!!

Something was corrupt on the system. I've cleared the system upgrading to Ubuntu 12.04, reinstalled all from source and the debug file has appeared.

Alejandro Díaz Torres
Área de Proyectos
Emergya Consultoría Tfno: +34 954 51 75 77
Fax: +34 954 51 64 73 www.emergya.es



2012/6/14 Douglas E. Engert <[hidden email]>
Is /etc/opensc/opensc.conf world readable?
Try adding -v -v -v -v to the opensc-tool command.

Debian changes the location of the opensc.conf, so if you compile, it
might be in /etc/opensc.conf


Re: Enable debug problem

Brian Thomas-10
Hello Everybody,

My company is developing a laptop running Windows XP SP3 which will be
joined to a Windows Server Enterprise 2008 RC2 domain controller in the
field.  A minidriver has been implemented to provide an interface to the
Athena ASE smartcard formatted with the PKCS#15 profile.  For our laptop
recovery image, we basically take the original Windows XP CD, perform
some minor customization, then seal it using SysPrep.  When the new
image is installed on the laptop, the user is presented with the Windows
XP First Run Wizard.  The user can successfully join the domain at this
point using an administrator account with password authentication.  The
problem occurs at first login--when the system boots, users cannot
authenticate to the system using their smart cards.  The following error
is presented: "Your credentials cannot be verified".  If during the
creation of the recovery image--sysprep is not used to seal the image;
the domain can be joined and smart card authentication does work.  Has
anybody ever encountered any issue such as this or know what could
possibly be causing this issue?

Thanks,

Brian Thomas
Re: Enable debug problem

Douglas E. Engert


On 6/19/2012 8:30 AM, Brian Thomas wrote:
> Hello Everybody,
>
> My company is developing a laptop running Windows XP SP3 which will be
> joined to a Windows Server Enterprise 2008 RC2 domain controller in the
> field.  A minidriver has been implemented to provide an interface to the
> Athena ASE smartcard formatted with the PKCS#15 profile.

Is this the OpenSC minidriver? Is it signed?

> For our laptop
> recovery image, we basically take the original Windows XP CD, perform
> some minor customization, then seal it using SysPrep.  When the new
> image is installed on the laptop, the user is presented with the Windows
> XP First Run Wizard.  The user can successfully join the domain at this
> point using an administrator account with password authentication.  The
> problem occurs at first login--when the system boots, users cannot
> authenticate to the system using their smart cards.  The following error
> is presented: "Your credentials cannot be verified".  If during the
> creation of the recovery image--sysprep is not used to seal the image;
> the domain can be joined and smart card authentication does work.  Has
> anybody ever encountered any issue such as this or know what could
> possibly be causing this issue?

Since no one has answered your question, I will just make some comments.
I have no experience with SysPrep, but use OpenSC on Windows.

It sounds like sysprep is removing something, which could be the
minidriver, if it is not signed. It could also be removing
the registry entries used by the minidriver.

Some things to try after login using a password with the user or admin.
Then with the card plugged in:

  (1) See if the "Internet Options" can read the user's certificates on the card.

  (2) Then in a cmd window try:

   runas /smartcard /user:user@domain cmd.exe
   or
   runas /smartcard /user:user@domain /netonly cmd.exe

   to see if smart card login works at all.

If during your tests, you are testing before the image is created,
with a card, then after a new image is created you are testing
with the same card, it could be that the user's certificate or CA
certificates have been saved in the cert store in the image.
SysPrep would most likely clean these out and remove any local users
when you do a seal.

It could also be your minidriver is not handling login correctly,
as it needs to read certificates off the card before the user
logs in.

>
> Thanks,
>
> Brian Thomas

--

  Douglas E. Engert  <[hidden email]>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444