Problem with firefox login when using pki card Authentication method blocked

Josef Pražák
Hello,

I'm trying to log in to a web application with a PKI card. The PKCS#11 module (opensc-pkcs11.so) is loaded into Firefox. The card is a Siemens Card CardOS M4.4. Firefox knows the reader and detects the card. On the card I can use 2 PINs. In Firefox Edit/Preferences/Security Devices: Card PIN (works OK), Signature PIN - this doesn't work. Should the problem be in the configuration?

Thanks for any help.

======================================================================
0x7f5670cae740 09:52:29.805 [opensc-pkcs11] card.c:330:sc_unlock: called
0x7f5670cae740 09:52:29.805 [opensc-pkcs11] card-cardos.c:268:cardos_check_sw: bs object blocked
0x7f5670cae740 09:52:29.805 [opensc-pkcs11] sec.c:204:sc_pin_cmd: returning with: -1212 (Authentication method blocked)
0x7f5670cae740 09:52:29.805 [opensc-pkcs11] card.c:330:sc_unlock: called
0x7f5670cae740 09:52:29.805 [opensc-pkcs11] reader-pcsc.c:548:pcsc_unlock: called
0x7f5670cae740 09:52:29.813 [opensc-pkcs11] pkcs15-pin.c:296:sc_pkcs15_verify_pin: returning with: -1212 (Authentication method blocked)
0x7f5670cae740 09:52:29.813 [opensc-pkcs11] framework-pkcs15.c:1186:pkcs15_login: PKCS15 verify PIN returned -1212
0x7f5670cae740 09:52:29.813 [opensc-pkcs11] misc.c:59:sc_to_cryptoki_error_common: libopensc return value: -1212 (Authentication method blocked)
0x7f5636009700 09:52:29.816 [opensc-pkcs11] pkcs11-global.c:375:C_GetSlotList: C_GetSlotList(token=0, plug-n-play)


-----------------------------
0x7f5670cae740 09:51:41.385 [opensc-pkcs11] card.c:292:sc_lock: called
0x7f5670cae740 09:51:41.385 [opensc-pkcs11] reader-pcsc.c:243:pcsc_transmit: reader 'Gemalto PC Twin Reader (2892E3CE) 00 00'
0x7f5670cae740 09:51:41.385 [opensc-pkcs11] apdu.c:184:sc_apdu_log: 
Outgoing APDU data [    7 bytes] =====================================
00 A4 00 00 02 3F 00 .....?.
======================================================================
0x7f5670cae740 09:51:41.385 [opensc-pkcs11] reader-pcsc.c:176:pcsc_internal_transmit: called
0x7f5670cae740 09:51:41.401 [opensc-pkcs11] apdu.c:184:sc_apdu_log: 
Incoming APDU data [    2 bytes] =====================================
90 00 ..
======================================================================
0x7f5670cae740 09:51:41.401 [opensc-pkcs11] card.c:330:sc_unlock: called
0x7f5670cae740 09:51:41.401 [opensc-pkcs11] iso7816.c:480:iso7816_select_file: returning with: 0 (Success)
0x7f5670cae740 09:51:41.401 [opensc-pkcs11] card-cardos.c:443:cardos_select_file: returning with: 0 (Success)
0x7f5670cae740 09:51:41.401 [opensc-pkcs11] card.c:597:sc_select_file: returning with: 0 (Success)
0x7f5670cae740 09:51:41.401 [opensc-pkcs11] sec.c:157:sc_pin_cmd: called
0x7f5670cae740 09:51:41.401 [opensc-pkcs11] apdu.c:525:sc_transmit_apdu: called
0x7f5670cae740 09:51:41.401 [opensc-pkcs11] card.c:292:sc_lock: called
0x7f5670cae740 09:51:41.401 [opensc-pkcs11] reader-pcsc.c:243:pcsc_transmit: reader 'Gemalto PC Twin Reader (2892E3CE) 00 00'
0x7f5670cae740 09:51:41.401 [opensc-pkcs11] apdu.c:184:sc_apdu_log: 
Outgoing APDU data [   11 bytes] =====================================
00 20 00 81 06 37 35 30 34 31 39 . ...000000
======================================================================
0x7f5670cae740 09:51:41.401 [opensc-pkcs11] reader-pcsc.c:176:pcsc_internal_transmit: called
0x7f5670cae740 09:51:41.439 [opensc-pkcs11] apdu.c:184:sc_apdu_log: 
Incoming APDU data [    2 bytes] =====================================
90 00 ..
======================================================================
0x7f5670cae740 09:51:41.439 [opensc-pkcs11] card.c:330:sc_unlock: called
0x7f5670cae740 09:51:41.439 [opensc-pkcs11] sec.c:204:sc_pin_cmd: returning with: 0 (Success)
0x7f5670cae740 09:51:41.439 [opensc-pkcs11] pkcs15-pin.c:509:sc_pkcs15_pincache_add: called
0x7f5670cae740 09:51:41.440 [opensc-pkcs11] pkcs15-pin.c:543:sc_pkcs15_pincache_add: PIN(Card PIN) cached
0x7f5670cae740 09:51:41.440 [opensc-pkcs11] card.c:330:sc_unlock: called
0x7f5670cae740 09:51:41.440 [opensc-pkcs11] reader-pcsc.c:548:pcsc_unlock: called
0x7f5670cae740 09:51:41.449 [opensc-pkcs11] pkcs15-pin.c:296:sc_pkcs15_verify_pin: returning with: 0 (Success)
0x7f5670cae740 09:51:41.449 [opensc-pkcs11] framework-pkcs15.c:1186:pkcs15_login: PKCS15 verify PIN returned 0
0x7f5670cae740 09:51:41.449 [opensc-pkcs11] framework-pkcs15.c:1195:pkcs15_login: Check if pkcs15 object list can be completed.



opensc-tool -l
# Detected readers (pcsc)
Nr.  Card  Features  Name
0    Yes             Gemalto PC Twin Reader (2892E3CE) 00 00

-------------------------------------------
opensc-tool -a
Using reader with a card: Gemalto PC Twin Reader (2892E3CE) 00 00
3b:d2:18:02:c1:0a:31:fe:58:c8:0d:51
-------------------------------------------
opensc-tool -n
Using reader with a card: Gemalto PC Twin Reader (2892E3CE) 00 00
CardOS M4
-------------------------------------------
pcsc-lite version 1.8.8.
Copyright (C) 1999-2002 by David Corcoran <[hidden email]>.
Copyright (C) 2001-2011 by Ludovic Rousseau <[hidden email]>.
Copyright (C) 2003-2004 by Damien Sauveron <[hidden email]>.
Report bugs to <[hidden email]>.
Enabled features: Linux x86_64-pc-linux-gnu serial usb libudev usbdropdir=/usr/lib64/readers/usb ipcdir=/run/pcscd configdir=/etc/reader.conf.d

------------------------------------------
PC/SC device scanner
V 1.4.21 (c) 2001-2011, Ludovic Rousseau <[hidden email]>
Compiled with PC/SC lite version: 1.8.6
Using reader plug'n play mechanism
Scanning present readers...
0: Gemalto PC Twin Reader (2892E3CE) 00 00

Fri Apr  5 11:13:51 2013
Reader 0: Gemalto PC Twin Reader (2892E3CE) 00 00
  Card state: Card inserted, 
  ATR: 3B D2 18 02 C1 0A 31 FE 58 C8 0D 51

ATR: 3B D2 18 02 C1 0A 31 FE 58 C8 0D 51
+ TS = 3B --> Direct Convention
+ T0 = D2, Y(1): 1101, K: 2 (historical bytes)
  TA(1) = 18 --> Fi=372, Di=12, 31 cycles/ETU
    129032 bits/s at 4 MHz, fMax for Fi = 5 MHz => 161290 bits/s
  TC(1) = 02 --> Extra guard time: 2
  TD(1) = C1 --> Y(i+1) = 1100, Protocol T = 1 
-----
  TC(2) = 0A --> Work waiting time: 960 x 10 x (Fi/F)
  TD(2) = 31 --> Y(i+1) = 0011, Protocol T = 1 
-----
  TA(3) = FE --> IFSC: 254
  TB(3) = 58 --> Block Waiting Integer: 5 - Character Waiting Integer: 8
+ Historical bytes: C8 0D
  Category indicator byte: C8 (proprietary format)
+ TCK = 51 (correct checksum)

Possibly identified card (using /usr/share/pcsc/smartcard_list.txt):
3B D2 18 02 C1 0A 31 FE 58 C8 0D 51
        Siemens Card CardOS M4.4

------------------------------------------------------------------------------
Minimize network downtime and maximize team effectiveness.
Reduce network management and security costs.Learn how to hire
the most talented Cisco Certified professionals. Visit the
Employer Resources Portal
http://www.cisco.com/web/learning/employer_resources/index.html
_______________________________________________
Opensc-devel mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/opensc-devel
Re: Problem with firefox login when using pki card Authentication method blocked

Martin Paljak-4
Hello,

This is a common problem with NSS/Firefox (asking all PIN codes) and
the absence of the "onepin" module that was in OpenSC (which only
exported a single PIN and associated keys/certificates to firefox).

> edit/preferences/security device: Card PIN (works OK), Signature PIN - this
> doesn't work.

You don't want to use your signature PIN/certificate for SSL anyway, I hope?

> framework-pkcs15.c:1186:pkcs15_login: PKCS15 verify PIN returned -1212
> 0x7f5670cae740 09:52:29.813 [opensc-pkcs11]
> misc.c:59:sc_to_cryptoki_error_common: libopensc return value: -1212
> (Authentication method blocked)
> 0x7f5636009700 09:52:29.816 [opensc-pkcs11]

One of your PIN codes is blocked (pkcs15-tool --list-pins shows which one)


> 0x7f5670cae740 09:51:41.401 [opensc-pkcs11] apdu.c:184:sc_apdu_log:
> Outgoing APDU data [   11 bytes] =====================================
> 00 20 00 81 06 37 35 30 34 31 39 . ...000000
> ======================================================================


Do change your PIN from 750419 to something else now.


Martin

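The APDU Martin quotes is a plain ISO 7816 VERIFY: CLA 00, INS 20, P1 00, P2 81 (the PIN reference), Lc 06, then the six PIN digits in ASCII. That is why an opensc-pkcs11 debug log posted to a list gives the PIN away, and why the card's status word tells you which PIN is blocked without any further tooling. As an added example (not part of the thread and not OpenSC code), the Python below parses the "Outgoing/Incoming APDU data" dumps in the format shown above, pairs each VERIFY with the status word the card returned (90 00 success, 69 83 "authentication method blocked", 63 Cx wrong PIN with x tries left), decodes the leaked PIN, and redacts the PIN bytes so a log can be shared. The first exchange in the sample is the one from the thread; the second (reference 0x82, answered with 69 83) is constructed, since the thread shows only OpenSC's -1212 error and not the raw status word. The pad byte 0x00 is taken from the pkcs15-tool --list-pins output later in the thread.

```python
"""Find VERIFY exchanges in an OpenSC debug log and decode what they leak.
Added example, not code from the thread or from OpenSC; it assumes only the
"Outgoing/Incoming APDU data [ N bytes]" dump format visible in the thread."""
import re

HEADER_RE = re.compile(r"^(Outgoing|Incoming) APDU data \[\s*(\d+) bytes\]")
HEX_RE = re.compile(r"[0-9A-Fa-f]{2}")
INS_VERIFY = 0x20

# Constructed sample: the successful Card PIN VERIFY posted in the thread, then
# an invented attempt on PIN reference 0x82 that the card answers with 69 83.
SAMPLE_LOG = """\
Outgoing APDU data [   11 bytes] =====================================
00 20 00 81 06 37 35 30 34 31 39 . ...000000
======================================================================
Incoming APDU data [    2 bytes] =====================================
90 00 ..
======================================================================
Outgoing APDU data [   13 bytes] =====================================
00 20 00 82 08 31 32 33 34 35 36 00 00 . ...123456..
======================================================================
Incoming APDU data [    2 bytes] =====================================
69 83 i.
======================================================================
"""


def iter_apdus(log_text):
    """Yield (direction, bytes) per dump; the header's byte count bounds the read,
    so the ASCII column on the right is never mistaken for data."""
    lines = log_text.splitlines()
    i = 0
    while i < len(lines):
        m = HEADER_RE.match(lines[i])
        i += 1
        if not m:
            continue
        direction, count = m.group(1).lower(), int(m.group(2))
        data = bytearray()
        while len(data) < count and i < len(lines):
            toks = lines[i].split()
            if not toks or not HEX_RE.fullmatch(toks[0]):
                break  # dump ended early (truncated or redacted): keep what we have
            for tok in toks:
                if len(data) == count or not HEX_RE.fullmatch(tok):
                    break
                data.append(int(tok, 16))
            i += 1
        yield direction, bytes(data)


def describe_sw(sw1, sw2):
    """ISO 7816-4 status word as it matters after a VERIFY."""
    if (sw1, sw2) == (0x90, 0x00):
        return "ok"
    if (sw1, sw2) == (0x69, 0x83):
        return "blocked"  # OpenSC: -1212 "Authentication method blocked"
    if sw1 == 0x63 and sw2 & 0xF0 == 0xC0:
        return "wrong pin, %d tries left" % (sw2 & 0x0F)
    return "sw %02X%02X" % (sw1, sw2)


def decode_pin(data, pad=0x00):
    """PIN as typed: strip the pad byte (0x00 on this card per pkcs15-tool)."""
    raw = data.rstrip(bytes([pad]))
    try:
        text = raw.decode("ascii")
    except UnicodeDecodeError:
        return raw.hex()
    return text if text.isprintable() else raw.hex()


def find_verify_attempts(log_text):
    """One dict per VERIFY: P2 reference, clear-text PIN, and the card's answer."""
    attempts, pending = [], None
    for direction, apdu in iter_apdus(log_text):
        if direction == "outgoing":
            pending = None
            if len(apdu) >= 5 and apdu[1] == INS_VERIFY:
                lc = apdu[4]
                pending = {"reference": apdu[3],
                           "pin": decode_pin(apdu[5:5 + lc]),
                           "result": "no response"}
                attempts.append(pending)
        elif pending is not None and len(apdu) >= 2:
            pending["result"] = describe_sw(apdu[-2], apdu[-1])
            pending = None
    return attempts


def redact_log(log_text):
    """Blank the PIN bytes and ASCII column of every VERIFY dump before sharing it."""
    lines = log_text.splitlines()
    for i in range(len(lines) - 1):
        if not lines[i].startswith("Outgoing APDU data"):
            continue
        hexes = [t for t in lines[i + 1].split() if HEX_RE.fullmatch(t)]
        if len(hexes) >= 5 and int(hexes[1], 16) == INS_VERIFY:
            # CLA INS P1 P2 Lc stay readable; everything after Lc is the PIN
            lines[i + 1] = " ".join(hexes[:5] + ["xx"] * (len(hexes) - 5))
    return "\n".join(lines) + "\n"
```

Running find_verify_attempts over a real opensc-pkcs11 debug log (opensc.conf debug = 9, or OPENSC_DEBUG in the environment) lists every PIN the log contains in clear text, which is the point Martin makes: a debug log is as sensitive as the PIN itself. redact_log keeps CLA/INS/P1/P2/Lc so the exchange is still diagnosable (which reference was tried, what the card answered) while the PIN is gone; run it before attaching a log to a bug report.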
Re: Problem with firefox login when using pki card Authentication method blocked

Josef Pražák
Hello,
thank you very much for the answer. So the problem should be somewhere else. I open the web page, enter a PIN, a small window with information about the certificate appears, I press OK and an error occurs:

An error occurred during a connection to webpage.
security library: invalid algorithm.
(Error code: sec_error_invalid_algorithm)

On Windows it is OK (IE tested; Firefox + the Trustware PKCS module should work but I have not tested it yet).

pkcs15-tool --list-pins
Using reader with a card: Gemalto PC Twin Reader (2892E3CE) 00 00
PIN [Card PIN]
        Object Flags   : [0x3], private, modifiable
        Auth ID        : 12
        ID             : 01
        Flags          : [0x30], initialized, needs-padding
        Length         : min_len:6, max_len:6, stored_len:6
        Pad char       : 0x00
        Reference      : 1 (0x01)
        Type           : UTF-8
        Path           : 3f00

PIN [Signature PIN]
        Object Flags   : [0x3], private, modifiable
        Auth ID        : 12
        ID             : 02
        Flags          : [0x32], local, initialized, needs-padding
        Length         : min_len:6, max_len:8, stored_len:8
        Pad char       : 0x00
        Reference      : 130 (0x82)
        Type           : UTF-8
        Path           : 3f005015



---------- Original message ----------
From: Martin Paljak <[hidden email]>
Date: 5. 4. 2013
Subject: Re: [Opensc-devel] Problem with firefox login when using pki card Authentication method blocked



Attachment: opensc-debug.part (15K)

Re: Problem with firefox login when using pki card Authentication method blocked

Viktor Tarasov-3
Hello,

On 05/04/2013 13:39, Martin Paljak wrote:
> This is a common problem with NSS/Firefox (asking all PIN codes) and
> the absence of the "onepin" module that was in OpenSC (which only
> exported a single PIN and associated keys/certificates to firefox).

The 'onepin' mode is obtained by tuning the OpenSC configuration.
Look at the 'create_slots_for_pins' option.

With 'create_slots_for_pins = "user";'
only slot for user PIN is created.



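Viktor's hint in opensc.conf form, as an added example that is not from the thread or from OpenSC's shipped configuration file: the option belongs in the pkcs11 block of 'app default'. The value "user" is the one Viktor names; the commented-out line describing the default (one virtual slot per PIN, which is what Josef's Firefox shows as two entries) is my assumption about this OpenSC generation, so check the comments in your own opensc.conf.

```conf
# opensc.conf fragment (added example, not the file shipped with OpenSC).
app default {
    # ... other settings unchanged ...

    pkcs11 {
        # Assumed default: a virtual slot is created for every PIN on the card,
        # so NSS/Firefox lists both "Card PIN" and "Signature PIN" and may
        # prompt for either one.
        #create_slots_for_pins = "...";

        # Expose only the user (authentication) PIN and the keys/certificates
        # it protects. This is what the old separate "onepin" module did.
        create_slots_for_pins = "user";
    }
}
```

Restart Firefox after the change (the module reads its configuration when it is loaded) and confirm with pkcs11-tool --module /path/to/opensc-pkcs11.so --list-slots that only the Card PIN token remains; the module path is whatever you loaded under Edit/Preferences/Security Devices. With the signature PIN no longer offered, Firefox can neither prompt for it nor pick the signature certificate for SSL client authentication, which is the misuse Martin warns about.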