PAM-PKCS#11 & GnuPG/scdaemon, two readers

PAM-PKCS#11 & GnuPG/scdaemon, two readers

Richard-309
Hello,

I have a system with two card readers:

$ opensc-tool -l
Readers known about:
Nr.    Driver     Name
0      pcsc       SCM SPR 532 [Vendor Interface] (21250837209929) 00 00
1      pcsc       REINER SCT CyberJack pp_a (8928928328) 00 00

I want to use one of my readers with GnuPG/scdaemon exclusively, and
the other one with OpenSC's PAM-PKCS#11 module.

I have set

    reader-port "REINER SCT CyberJack pp_a (8928928328) 00 00"

in my ~/.gnupg/scdaemon.conf, and

    slot_description = "SCM SPR 532 [Vendor Interface] (21250837209929) 00 00";

in /etc/pam_pkcs11/pam_pkcs11.conf.

GnuPG/scdaemon can now flawlessly access the OpenPGP card in the
"REINER SCT" reader.
However, when trying to use PAM-PKCS#11, pcscd tells me
"SCardConnect() Error Reader Exclusive".

Once I unplug the "REINER SCT" reader, PAM-PKCS#11 can access the "SCM
SPR 532" just fine.

I don't know what's going wrong here. Is it GnuPG's scdaemon which
opens _all_ PC/SC readers exclusively, even if told to only use one
specific reader? Or is it PAM-PKCS#11, which tries to open/access
every attached reader, fails (since one of the readers is locked
thanks to scdaemon), and gets stuck somehow?

Any help would be appreciated,

    Richard
_______________________________________________
opensc-user mailing list
[hidden email]
http://www.opensc-project.org/mailman/listinfo/opensc-user

Re: PAM-PKCS#11 & GnuPG/scdaemon, two readers

Jean-Michel Pouré - GOOZE
On Thu, 2010-08-12 at 19:00 +0200, Richard wrote:
> Once I unplug the "REINER SCT" reader, PAM-PKCS#11 can access the "SCM
> SPR 532" just fine.

In my humble opinion, Reiner SCT is not well supported by libccid:
http://pcsclite.alioth.debian.org/unsupported.html
--
                  Jean-Michel Pouré - Gooze - http://www.gooze.eu


Re: PAM-PKCS#11 & GnuPG/scdaemon, two readers

Richard-309
Hi,

On 08/12/2010 07:50 PM, Jean-Michel Pouré - GOOZE wrote:
> In my humble opinion, Reiner SCT is not well supported by libccid:
> http://pcsclite.alioth.debian.org/unsupported.html

I installed their binary PC/SC drivers, which are said to work at
least "okay-ish". Is my problem driver-related, anyway?

Regards,

    Richard


Re: PAM-PKCS#11 & GnuPG/scdaemon, two readers

Richard Höchenberger
On Thu, Aug 12, 2010 at 19:55, Richard <[hidden email]> wrote:

> I installed their binary PC/SC drivers, which are said to work at
> least "okay-ish". Is my problem driver-related, anyway?
>

I forgot to mention that each of my readers is working flawlessly as
long as it's the only reader connected. :) That is, even the Reiner SCT
works properly with PAM-PKCS#11 if I use the proper slot_description
setting in /etc/pam_pkcs11/pam_pkcs11.conf. Problems only occur when
scdaemon claims exclusive reader access. That's why I got a second
reader (the SCM) and now want to use both in parallel: One (Reiner)
exclusively with GnuPG/OpenPGP; the other one (SCM) with PAM-PKCS#11.

    Richard

Re: PAM-PKCS#11 & GnuPG/scdaemon, two readers

Alon Bar-Lev
Try to use gnupg-pkcs11, so that access to readers will be done by PKCS#11 only.

On Thu, Aug 12, 2010 at 9:03 PM, Richard Höchenberger
<[hidden email]> wrote:

>
> On Thu, Aug 12, 2010 at 19:55, Richard <[hidden email]> wrote:
>
> > I installed their binary PC/SC drivers, which are said to work at
> > least "okay-ish". Is my problem driver-related, anyway?
> >
>
> I forgot to mention that each of my readers is working flawlessly as
> long as it's the only reader connected. :) That is, even the Reiner SCT
> works properly with PAM-PKCS#11 if I use the proper slot_description
> setting in /etc/pam_pkcs11/pam_pkcs11.conf. Problems only occur when
> scdaemon claims exclusive reader access. That's why I got a second
> reader (the SCM) and now want to use both in parallel: One (Reiner)
> exclusively with GnuPG/OpenPGP; the other one (SCM) with PAM-PKCS#11.
>
>    Richard
> _______________________________________________
> opensc-user mailing list
> [hidden email]
> http://www.opensc-project.org/mailman/listinfo/opensc-user

Re: PAM-PKCS#11 & GnuPG/scdaemon, two readers

Richard-309
Hi Alon,

On Fri, Aug 13, 2010 at 06:23, Alon Bar-Lev <[hidden email]> wrote:
> Try to use gnupg-pkcs11, so that access to readers will be done by PKCS#11 only.

I don't see how using gnupg-pkcs11, which is only a "drop-in
replacement" for scdaemon, is going to help me here? As I get it, it
is meant to access PKCS#11 devices via GnuPG.

The OpenPGP card (which I want to use) is not a PKCS#11-compatible
card, thus cannot be accessed by means of PKCS#11 applications.

    Richard

Re: PAM-PKCS#11 & GnuPG/scdaemon, two readers

Ludovic Rousseau
In reply to this post by Richard-309
2010/8/12 Richard <[hidden email]>:
> Hello,

hello,

> I have a system with two card readers:
>
> $ opensc-tool -l
> Readers known about:
> Nr.    Driver     Name
> 0      pcsc       SCM SPR 532 [Vendor Interface] (21250837209929) 00 00
> 1      pcsc       REINER SCT CyberJack pp_a (8928928328) 00 00
>
> I want to use one of my readers with GnuPG/scdaemon exclusively, and
> the other one with OpenSC's PAM-PKCS#11 module.
>
> I have set
>
>    reader-port "REINER SCT CyberJack pp_a (8928928328) 00 00"
>
> in my ~/.gnupg/scdaemon.conf, and
>
>    slot_description = "SCM SPR 532 [Vendor Interface] (21250837209929) 00 00";
>
> in /etc/pam_pkcs11/pam_pkcs11.conf.
>
> GnuPG/scdaemon can now flawlessly access the OpenPGP card in the
> "REINER SCT" reader.
> However, when trying to use PAM-PKCS#11, pcscd tells me
> "SCardConnect() Error Reader Exclusive".
>
> Once I unplug the "REINER SCT" reader, PAM-PKCS#11 can access the "SCM
> SPR 532" just fine.
>
> I don't know what's going wrong here. Is it GnuPG's scdaemon which
> opens _all_ PC/SC readers exclusively, even if told to only use one
> specific reader? Or is it PAM-PKCS#11, which tries to open/access
> every attached reader, fails (since one of the readers is locked
> thanks to scdaemon), and gets stuck somehow?
>
> Any help would be appreciated,

You should try to generate a trace of PCSC calls done by GnuPG's
scdaemon to know what the program is doing.
I just documented [1] the use of ltrace for that on my blog.

Post the result here so we can have a look.

Bye

[1] http://ludovicrousseau.blogspot.com/2010/08/pcsc-api-spy-for-gnu-systems.html

--
 Dr. Ludovic Rousseau

Re: PAM-PKCS#11 & GnuPG/scdaemon, two readers

Richard-309
Hello,

On 08/13/2010 10:12 AM, Ludovic Rousseau wrote:

> You should try to generate a trace of PCSC calls done by GnuPG's
> scdaemon to know what the program is doing.
> I just documented [1] the use of ltrace for that on my blog.
>
> Post the result here so we can have a look.

I have not yet installed ltrace, but in the meantime figured out the
following:

No programs accessing the cards/readers (except the PC/SC middleware)
are running.

If I place my PKCS#11 card in the 1st reader, pkcs11-tool -L lists:

------------------------------
Available slots:
Slot 0           SCM SPR 532 [Vendor Interface] (21250837209929) 00 00
  token label:   Login (User PIN)
  token manuf:   EnterSafe
  token model:   PKCS#15
  token flags:   rng, login required, PIN initialized, token
                 initialized
  serial num  :  2828150414090610
------------------------------

and all other slots as "(empty)".


If I place the card in the 2nd reader,  pkcs11-tool -L lists:

------------------------------
Slot 4           REINER SCT CyberJack pp_a (8928928328) 00 00
  token label:   Login (User PIN)
  token manuf:   EnterSafe
  token model:   PKCS#15
  token flags:   rng, login required, PIN initialized, token
                 initialized
  serial num  :  2828150414090610
------------------------------

and all other slots as "(empty)".


At this stage, having set

------------------------------
slot_description = "none"
------------------------------

in /etc/pam_pkcs11/pam_pkcs11.conf, PAM-PKCS#11 works with both
readers: It just picks the one which contains the required card.

If I set

------------------------------
slot_description = "SCM SPR 532 [Vendor Interface] (21250837209929) 00
00";
------------------------------

as expected PAM-PKCS#11 only works if the card is placed in that
specific reader.


Now look what happens if I fire up GnuPG's scdaemon, which I tell to
only listen on the "REINER SCT" reader (i.e. the reader that
PAM-PKCS#11 shall ignore):

Placing the PKCS#11 card in the correct reader ("SCM SPR"),
pkcs11-tool -L lists

------------------------------
Available slots:
Slot 0           SCM SPR 532 [Vendor Interface] (21250837209929) 00 00
  token label:   Login (User PIN)
  token manuf:   EnterSafe
  token model:   PKCS#15
  token flags:   rng, login required, PIN initialized, token
                 initialized
  serial num  :  2828150414090610
[...]
Slot 4           (GetSlotInfo failed, error 5)
------------------------------

That is, that PKCS#11 card is indeed accessible! Only the reader which
I specified for use with GnuPG is being blocked -- as expected!

But if I try to use PAM-PKCS#11 _now_, it will fail:

------------------------------
ERROR:pam_pkcs11.c:324: init_pkcs11_module() failed: C_GetSlotInfo()
failed: 0x00000005
------------------------------


So this seems like a bug in PAM-PKCS#11 to me.

Any suggestions on how to work around this?

If the ltrace output is still required, I am going to send it to the
list. Please just give me a short note.

Thanks,

    Richard



Re: PAM-PKCS#11 & GnuPG/scdaemon, two readers

Martin Paljak-2
Hello,

This is a bug of OpenSC PKCS#11 module.

As scdaemon locks the reader in exclusive mode, OpenSC, which tries to cater for all readers in the system by default, barfs.
0x00000005 is in fact CKR_GENERAL_ERROR which is returned by OpenSC when it can't probe the reader because of the exclusive mode.

Just for the reference, can you also send the opensc-debug.log when this happens?

I came across a similar problem where a reader should be hidden from OpenSC (at least the PKCS#11 module) when a javax.smartcardio and a PKCS#11 application both run in long-running applications and the PKCS#11 application does not have filtering capabilities.

The attached patch (against trunk) should help against the case.


Best,

Martin


On Aug 13, 2010, at 5:33 PM, Richard wrote:

> On 08/13/2010 10:12 AM, Ludovic Rousseau wrote:
>
>> You should try to generate a trace of PCSC calls done by GnuPG's
>> scdaemon to know what the program is doing.
>> I just documented [1] the use of ltrace for that on my blog.
>>
>> Post the result here so we can have a look.
>
> I have not yet installed ltrace, but in the meantime figured out the
> following:
>
> No programs accessing the cards/readers (except the PC/SC middleware)
> are running.
>
> If I place my PKCS#11 card in the 1st reader, pkcs11-tool -L lists:
>
> ------------------------------
> Available slots:
> Slot 0           SCM SPR 532 [Vendor Interface] (21250837209929) 00 00
>  token label:   Login (User PIN)
>  token manuf:   EnterSafe
>  token model:   PKCS#15
>  token flags:   rng, login required, PIN initialized, token
>                 initialized
>  serial num  :  2828150414090610
> ------------------------------
>
> and all other slots as "(empty)".
>
>
> If I place the card in the 2nd reader,  pkcs11-tool -L lists:
>
> ------------------------------
> Slot 4           REINER SCT CyberJack pp_a (8928928328) 00 00
>  token label:   Login (User PIN)
>  token manuf:   EnterSafe
>  token model:   PKCS#15
>  token flags:   rng, login required, PIN initialized, token
>                 initialized
>  serial num  :  2828150414090610
> ------------------------------
>
> and all other slots as "(empty)".
>
>
> At this stage, having set
>
> ------------------------------
> slot_description = "none"
> ------------------------------
>
> in /etc/pam_pkcs11/pam_pkcs11.conf, PAM-PKCS#11 works with both
> readers: It just picks the one which contains the required card.
>
> If I set
>
> ------------------------------
> slot_description = "SCM SPR 532 [Vendor Interface] (21250837209929) 00
> 00";
> ------------------------------
>
> as expected PAM-PKCS#11 only works if the card is placed in that
> specific reader.
>
>
> Now look what happens if I fire up GnuPG's scdaemon, which I tell to
> only listen on the "REINER SCT" reader (i.e. the reader that
> PAM-PKCS#11 shall ignore):
>
> Placing the PKCS#11 card in the correct reader ("SCM SPR"),
> pkcs11-tool -L lists
>
> ------------------------------
> Available slots:
> Slot 0           SCM SPR 532 [Vendor Interface] (21250837209929) 00 00
>  token label:   Login (User PIN)
>  token manuf:   EnterSafe
>  token model:   PKCS#15
>  token flags:   rng, login required, PIN initialized, token
>                 initialized
>  serial num  :  2828150414090610
> [...]
> Slot 4           (GetSlotInfo failed, error 5)
> ------------------------------
>
> That is, that PKCS#11 card is indeed accessible! Only the reader which
> I specified for use with GnuPG is being blocked -- as expected!
>
> But if I try to use PAM-PKCS#11 _now_, it will fail:
>
> ------------------------------
> ERROR:pam_pkcs11.c:324: init_pkcs11_module() failed: C_GetSlotInfo()
> failed: 0x00000005
> ------------------------------
>
>
> So this seems like a bug in PAM-PKCS#11 to me.
>
> Any suggestions on how to work around this?
>
> If the ltrace output is still required, I am going to send it to the
> list. Please just give me a short note.
>
> Thanks,
>
>    Richard
>
>
> _______________________________________________
> opensc-user mailing list
> [hidden email]
> http://www.opensc-project.org/mailman/listinfo/opensc-user

--
Martin Paljak
@martinpaljak.net
+3725156495


Re: PAM-PKCS#11 & GnuPG/scdaemon, two readers

Richard-309
Hello,

On 08/13/2010 04:59 PM, Martin Paljak wrote:

> Just for the reference, can you also send the opensc-debug.log when this happens?
>

Please find attached the opensc-debug.log which is produced when
invoking "pkcs11-tool -L" (debug level set to "1" in opensc.conf).


> The attached patch (against trunk) should help against the case.

Your mail didn't have any files attached.

    Richard



Attachment: opensc-debug.log (19K)

Re: PAM-PKCS#11 & GnuPG/scdaemon, two readers

Martin Paljak-2
Hello,
On Aug 13, 2010, at 6:18 PM, Richard wrote:
> On 08/13/2010 04:59 PM, Martin Paljak wrote:
>
>> Just for the reference, can you also send the opensc-debug.log when this happens?
>>
>
> Please find attached the opensc-debug.log which is produced when
> invoking "pkcs11-tool -L" (debug level set to "1" in opensc.conf).
Debugging should be set to something higher, 9 is a good number.

>> The attached patch (against trunk) should help against the case.
>
> Your mail didn't have any files attached.
Oops. Here's the patch. You need to add parts of the reader name (serial is best) into opensc.conf

Configure file reading could probably be moved to misc.c as well. And the configure parameter itself might be renamed to "excluded_readers" maybe?




--
Martin Paljak
@martinpaljak.net
+3725156495


Attachment: reader-ignore.diff (1K)
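Added example (not code from the thread, from OpenSC or from pam_pkcs11), covering both Richard's `pkcs11-tool -L` findings and the behaviour Martin's patch aims at. It parses a listing in the layout Richard posted to flag the "(GetSlotInfo failed, error 5)" symptom, then enumerates readers the way a tolerant PKCS#11 consumer should: a reader that cannot be probed (CKR_GENERAL_ERROR) is skipped instead of aborting the whole initialisation, and readers on an ignore list, matched by a substring of the reader name such as the serial, are never probed at all. The `C_GetSlotInfo` call is replaced by a constructed simulator so the code runs without pcscd; the sample listing and reader names are constructed from the output quoted in the thread; the opensc.conf option the patch adds is not on the page, so it appears here only as a Python argument (`ignored_readers`), which is an assumed name.

```python
# Added example; not code from the opensc-user thread, OpenSC or pam_pkcs11.
from __future__ import annotations
import re
from dataclasses import dataclass, field

CKR_OK = 0x00
CKR_GENERAL_ERROR = 0x05  # PKCS#11 return value: the "error 5" / 0x00000005 in the thread

# Constructed sample, modelled on the `pkcs11-tool -L` listing quoted in the thread:
# a usable token in the SCM reader, and slot 4 (the reader scdaemon holds
# exclusively) failing with CKR_GENERAL_ERROR.
SAMPLE_LISTING = """\
Available slots:
Slot 0           SCM SPR 532 [Vendor Interface] (21250837209929) 00 00
  token label:   Login (User PIN)
  token manuf:   EnterSafe
  token model:   PKCS#15
  token flags:   rng, login required, PIN initialized, token initialized
  serial num  :  2828150414090610
Slot 1           (empty)
Slot 2           (empty)
Slot 3           (empty)
Slot 4           (GetSlotInfo failed, error 5)
"""

@dataclass
class Slot:
    slot_id: int
    state: str                 # "token", "empty" or "error"
    description: str = ""      # reader name, for token slots
    error: int = CKR_OK        # CKR_* value, for error slots
    attrs: dict = field(default_factory=dict)

_SLOT_RE = re.compile(r"^Slot\s+(\d+)\s+(.*\S)\s*$")
_ERR_RE = re.compile(r"\(GetSlotInfo failed, error (\d+)\)")
_ATTR_RE = re.compile(r"^\s+([a-z ]+?)\s*:\s*(.*)$")

def parse_pkcs11_tool_listing(text: str) -> list[Slot]:
    """Turn a `pkcs11-tool -L` listing (old OpenSC layout) into Slot records."""
    slots: list[Slot] = []
    for line in text.splitlines():
        m = _SLOT_RE.match(line)
        if m:
            slot_id, rest = int(m.group(1)), m.group(2)
            err = _ERR_RE.search(rest)
            if err:
                slots.append(Slot(slot_id, "error", error=int(err.group(1))))
            elif rest == "(empty)":
                slots.append(Slot(slot_id, "empty"))
            else:
                slots.append(Slot(slot_id, "token", description=rest))
            continue
        a = _ATTR_RE.match(line)
        if a and slots and slots[-1].state == "token":
            slots[-1].attrs[a.group(1).strip()] = a.group(2).strip()
    return slots

def blocked_slots(slots: list[Slot]) -> list[Slot]:
    """Slots showing the thread's symptom: GetSlotInfo failed with CKR_GENERAL_ERROR."""
    return [s for s in slots if s.state == "error" and s.error == CKR_GENERAL_ERROR]

def enumerate_readers(reader_names, get_slot_info, ignored_readers=(), strict=False):
    """Probe each reader, honouring an ignore list matched by substring of the
    reader name (the serial number is the most stable part to use).
    strict=True reproduces what Richard hit: the first failing reader aborts the
    whole initialisation although a healthy reader holds the token.
    Returns (usable_readers, [(skipped_reader, reason), ...])."""
    usable, skipped = [], []
    for name in reader_names:
        if any(pattern in name for pattern in ignored_readers):
            skipped.append((name, "ignored by configuration"))
            continue
        rv = get_slot_info(name)
        if rv == CKR_OK:
            usable.append(name)
        elif strict:
            raise RuntimeError(f"C_GetSlotInfo() failed: 0x{rv:08x} ({name})")
        else:
            skipped.append((name, f"C_GetSlotInfo() failed: 0x{rv:08x}"))
    return usable, skipped

# Reader names as printed by `opensc-tool -l` in the thread.
READERS = [
    "SCM SPR 532 [Vendor Interface] (21250837209929) 00 00",
    "REINER SCT CyberJack pp_a (8928928328) 00 00",
]

def make_pcsc_simulator(locked_readers):
    """Constructed stand-in for C_GetSlotInfo so the example runs without pcscd:
    a reader another process holds exclusively (scdaemon in the thread) cannot
    be probed and yields CKR_GENERAL_ERROR. Probes are counted per reader so a
    caller can verify that an ignored reader is never touched."""
    probes: dict[str, int] = {}
    def get_slot_info(name: str) -> int:
        probes[name] = probes.get(name, 0) + 1
        return CKR_GENERAL_ERROR if name in locked_readers else CKR_OK
    return get_slot_info, probes

if __name__ == "__main__":
    for s in blocked_slots(parse_pkcs11_tool_listing(SAMPLE_LISTING)):
        print(f"slot {s.slot_id}: reader held exclusively by another process (0x{s.error:08x})")
    sim, probes = make_pcsc_simulator({READERS[1]})
    print(enumerate_readers(READERS, sim, ignored_readers=["8928928328"]))
```

Run with the locked REINER reader and no ignore list, the tolerant path still returns the SCM reader as usable and only reports the locked one as skipped; with `ignored_readers=["8928928328"]` the REINER reader is never probed, which is the effect Martin describes for listing part of the reader name in opensc.conf.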

Re: PAM-PKCS#11 & GnuPG/scdaemon, two readers

Richard-309
On 08/13/2010 05:31 PM, Martin Paljak wrote:

> Debugging should be set to something higher, 9 is a good number.

I have attached a newly created log file with debug level 9.

>
>>> The attached patch (against trunk) should help against the case.
>>
>> Your mail didn't have any files attached.
> Ups. Here's the patch. You need to add parts of the reader name (serial is best) into opensc.conf

Thanks, gonna try that patch later today.

    Richard


Attachment: opensc-debug.log.bz2 (14K)

Re: PAM-PKCS#11 & GnuPG/scdaemon, two readers

Richard-309
On Fri, Aug 13, 2010 at 18:20, Richard <[hidden email]> wrote:
> On 08/13/2010 05:31 PM, Martin Paljak wrote:

>>>> The attached patch (against trunk) should help against the case.

> Thanks, gonna try that patch later today.

Heya, it is working now :)

Thanks a lot for your help! -- I hope this patch is going to be
included in the next OpenSC release? :)

    Richard

Re: PAM-PKCS#11 & GnuPG/scdaemon, two readers

Martin Paljak-2
In reply to this post by Richard-309

On Aug 13, 2010, at 8:19 AM, Richard wrote:
> I don't see how using gnupg-pkcs11, which is only a "drop-in
> replacement" for scdaemon, is going to help me here? As I get it, it
> is meant to access PKCS#11 devices via GnuPG.
>
> The OpenPGP card (which I want to use) is not a PKCS#11-compatible
> card, thus cannot be accessed by means of PKCS#11 applications.
A card itself can not directly support PKCS#11, which is a software API.

I don't speak German but there might be a PKCS#11 module already available for OpenPGP v2.0:

https://www.privacyfoundation.de/wiki/CryptoStickSoftware#PKCS.2311_Treiber

--
Martin Paljak
@martinpaljak.net
+3725156495


Re: PAM-PKCS#11 & GnuPG/scdaemon, two readers

Jean-Michel Pouré - GOOZE
On Sat, 2010-08-14 at 14:03 +0300, Martin Paljak wrote:
> I don't speak German but there might be a PKCS#11 module already
> available for OpenPGP v2.0:
>
> https://www.privacyfoundation.de/wiki/CryptoStickSoftware#PKCS.2311_Treiber 

In German, it is written that a proprietary PKCS11 extension is
available and is still in development. The English version is available
here: http://smartcard-auth.de

I still think it is possible to have Feitian PKI smartcards work with
GnuPG and will try to publish a HOWTO shortly.

Kind regards,
--
                  Jean-Michel Pouré - Gooze - http://www.gooze.eu
