Engine does not ask for password when using slot 1


Engine does not ask for password when using slot 1

Peter Koch-3
Hi!

I'm trying to sign a certificate request with a private key
that is stored on a smartcard. This has worked last year
when I was using older versions of opensc, openssl, libp11
and engine_pkcs11.

Here's my openssl config file:


[openssl_init]
engines = engine_list

[engine_list]
pkcs11 = engine_pkcs11

[engine_pkcs11]
engine_id    = pkcs11
dynamic_path = /usr/opensc/lib/engines/engine_pkcs11.so
MODULE_PATH  = /usr/opensc/lib/opensc-pkcs11.so
init         = 0


And here's the command that I use to create cert.pem:

openssl x509 -engine pkcs11 \
        -in request.pem -req -out cert.pem \
        -CA ca_cert.pem -CAkey 1:01 -CAkeyform engine \
        -set_serial 01 -days 100

This fails with the following messages:

Getting CA Private Key
iso7816.c:98:iso7816_check_sw: Security status not satisfied
card-tcos.c:742:tcos_compute_signature: returning with: Security status not
satisfied
sec.c:53:sc_compute_signature: returning with: Security status not satisfied
pkcs15-sec.c:331:sc_pkcs15_compute_signature: sc_compute_signature() failed:
Security status not satisfied
18735:error:8000A101:Vendor defined:PKCS11_rsa_sign:User not logged
in:p11_ops.c:96:

The reason is obvious: engine_pkcs11 tries to use the key without
verifying its pin.

Now if I try the same command with a key from slot 0

openssl x509 -engine pkcs11 \
        -in request.pem -req -out cert.pem \
        -CA ca_cert.pem -CAkey 0:04 -CAkeyform engine \
        -set_serial 01 -days 100

it will ask for my PIN, but the command fails with

Getting CA Private Key
PKCS#11 token PIN: ******
CA certificate and CA private key do not match

This is correct behaviour. But in this case the private
key was used and the resulting signature was verified
with the public key from ca_cert.pem. So I'm sure the
whole thing would work if only key 04 was visible on
slot 0 too.

Let's see what pkcs11-tool tells us:

$ pkcs11-tool --module /usr/opensc/lib/opensc-pkcs11.so -L
Available slots:
Slot 0           Kobil Card Terminal 00 00
  token label:   Netkey E4 Card (Netkey PIN0)
  token manuf:   TeleSec GmbH
  token model:   PKCS #15 SCard
  token flags:   login required, PIN initialized, token initialized
  serial num  :  9017230000277917
Slot 1           Kobil Card Terminal 00 00
  token label:   Netkey E4 Card
  token manuf:   TeleSec GmbH
  token model:   PKCS #15 SCard
  token flags:   PIN initialized, token initialized
  serial num  :  9017230000277917
Slot 2           Kobil Card Terminal 00 00
  token label:   Netkey E4 Card
  token manuf:   TeleSec GmbH
  token model:   PKCS #15 SCard
  token flags:   token initialized
  serial num  :  9017230000277917
Slot 3           Kobil Card Terminal 00 00
  token label:   Netkey E4 Card
  token manuf:   TeleSec GmbH
  token model:   PKCS #15 SCard
  token flags:   token initialized
  serial num  :  9017230000277917
Slot 4           (empty)
Slot 5           (empty)
Slot 6           (empty)
Slot 7           (empty)

Why is login required on slot 0 only? Can I change that?
Or is this a bug?

Thanks

Peter Koch

_______________________________________________
opensc-devel mailing list
[hidden email]
http://www.opensc-project.org/mailman/listinfo/opensc-devel
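A pre-flight check for the situation in this post, added here as an example (it is not part of the thread, of OpenSC or of engine_pkcs11): it parses the `pkcs11-tool -L` listing and reports whether an engine key spec of the form `slot:id` points at a token that advertises "login required", which, as the two runs above show, is the condition under which engine_pkcs11 prompts for the PIN instead of using the key unauthenticated. The sample listing is a constructed copy of the output quoted above, and the function names are my own.

```python
import re

# Constructed sample input: the `pkcs11-tool -L` listing from the post above.
SAMPLE_LISTING = """\
Available slots:
Slot 0           Kobil Card Terminal 00 00
  token label:   Netkey E4 Card (Netkey PIN0)
  token flags:   login required, PIN initialized, token initialized
Slot 1           Kobil Card Terminal 00 00
  token label:   Netkey E4 Card
  token flags:   PIN initialized, token initialized
Slot 4           (empty)
"""

SLOT_RE = re.compile(r"^Slot (\d+)\s+(.*)$")

def parse_slots(listing):
    """Parse `pkcs11-tool -L` output into {slot: {"label", "flags", "empty"}}."""
    slots, cur = {}, None
    for line in listing.splitlines():
        m = SLOT_RE.match(line)
        if m:
            cur = int(m.group(1))
            slots[cur] = {"label": None, "flags": set(),
                          "empty": m.group(2).strip() == "(empty)"}
            continue
        key, sep, value = line.strip().partition(":")
        if cur is None or not sep:
            continue
        if key.strip() == "token label":
            slots[cur]["label"] = value.strip()
        elif key.strip() == "token flags":
            slots[cur]["flags"] = {f.strip() for f in value.split(",")}
    return slots

def check_key_spec(spec, slots):
    """Pre-flight check for an engine key spec 'slot:id' (as in -CAkey 1:01).
    engine_pkcs11 prompts for the PIN only when the token reports
    'login required'; otherwise the private key is used without login and
    the card answers 'Security status not satisfied'. Returns (ok, reason)."""
    slot_str, _, key_id = spec.partition(":")
    if not slot_str.isdigit() or not key_id:
        return False, "key spec must look like slot:id"
    slot = slots.get(int(slot_str))
    if slot is None or slot["empty"]:
        return False, "slot %s is missing or empty" % slot_str
    if "login required" not in slot["flags"]:
        return False, "slot %s (%s) lacks 'login required': no PIN prompt" % (
            slot_str, slot["label"])
    return True, "slot %s requires login; engine will prompt for the PIN" % slot_str
```

Running `check_key_spec("1:01", parse_slots(SAMPLE_LISTING))` flags the failing key spec from the post, while `"0:04"` passes; the check only predicts the PIN prompt, it does not tell you whether the key in that slot matches the CA certificate.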

Re: Engine does not ask for password when using slot 1

Nils Larsch
Peter Koch wrote:

> Hi!
>
> I'm trying to sign a certificate request with a private key
> that is stored on a smartcard. This has worked last year
> when I was using older versions of opensc, openssl, libp11
> and engine_pkcs11.
>
> Here's my openssl config file:
>
>
> [openssl_init]
> engines = engine_list
>
> [engine_list]
> pkcs11 = engine_pkcs11
>
> [engine_pkcs11]
> engine_id    = pkcs11
> dynamic_path = /usr/opensc/lib/engines/engine_pkcs11.so
> MODULE_PATH  = /usr/opensc/lib/opensc-pkcs11.so
> init         = 0
>
>
> And here's the command that I use to create cert.pem:
>
> openssl x509 -engine pkcs11 \
>         -in request.pem -req -out cert.pem \
>         -CA ca_cert.pem -CAkey 1:01 -CAkeyform engine \
>         -set_serial 01 -days 100
>
> This fails with the following messages:
>
> Getting CA Private Key
> iso7816.c:98:iso7816_check_sw: Security status not satisfied
> card-tcos.c:742:tcos_compute_signature: returning with: Security status not
> satisfied
> sec.c:53:sc_compute_signature: returning with: Security status not satisfied
> pkcs15-sec.c:331:sc_pkcs15_compute_signature: sc_compute_signature() failed:
> Security status not satisfied
> 18735:error:8000A101:Vendor defined:PKCS11_rsa_sign:User not logged
> in:p11_ops.c:96:
>
> The reason is obvious: engine_pkcs11 tries to use the key without
> verifying its pin.
>
> Now if I try the same command with a key from slot 0
>
> openssl x509 -engine pkcs11 \
>         -in request.pem -req -out cert.pem \
>         -CA ca_cert.pem -CAkey 0:04 -CAkeyform engine \
>         -set_serial 01 -days 100
>
> it will ask for my PIN, but the command fails with
>
> Getting CA Private Key
> PKCS#11 token PIN: ******
> CA certificate and CA private key do not match
>
> This is correct behaviour. But in this case the private
> key was used and the resulting signature was verified
> with the public key from ca_cert.pem. So I'm sure the
> whole thing would work if only key 04 was visible on
> slot 0 too.
>
> Let's see what pkcs11-tool tells us:
>
> $ pkcs11-tool --module /usr/opensc/lib/opensc-pkcs11.so -L
> Available slots:
> Slot 0           Kobil Card Terminal 00 00
>   token label:   Netkey E4 Card (Netkey PIN0)
>   token manuf:   TeleSec GmbH
>   token model:   PKCS #15 SCard
>   token flags:   login required, PIN initialized, token initialized
>   serial num  :  9017230000277917
> Slot 1           Kobil Card Terminal 00 00
>   token label:   Netkey E4 Card
>   token manuf:   TeleSec GmbH
>   token model:   PKCS #15 SCard
>   token flags:   PIN initialized, token initialized
>   serial num  :  9017230000277917
> Slot 2           Kobil Card Terminal 00 00
>   token label:   Netkey E4 Card
>   token manuf:   TeleSec GmbH
>   token model:   PKCS #15 SCard
>   token flags:   token initialized
>   serial num  :  9017230000277917
> Slot 3           Kobil Card Terminal 00 00
>   token label:   Netkey E4 Card
>   token manuf:   TeleSec GmbH
>   token model:   PKCS #15 SCard
>   token flags:   token initialized
>   serial num  :  9017230000277917
> Slot 4           (empty)
> Slot 5           (empty)
> Slot 6           (empty)
> Slot 7           (empty)
>
> Why is login required on slot 0 only? Can I change that?

Need to look at the pkcs11 code. Could you send me the
"pkcs15-tool --dump" output?

> Or is this a bug?

As it worked last year, it definitely looks like a bug.

Cheers,
Nils