Re: [opensc-commits] [OpenSC] #33: pkcs11-spy dependency on readers

classic Classic list List threaded Threaded
15 messages Options
Reply | Threaded
Open this post in threaded view
|

Re: [opensc-commits] [OpenSC] #33: pkcs11-spy dependency on readers

Stef Hoeben
OpenSC wrote:

>#33: pkcs11-spy dependency on readers
>--------------------+-------------------------------------------------------
>       Id:  33      |      Status:  new                    
>Component:  pkcs11  |    Modified:  Mon Aug 29 12:44:02 2005
> Severity:  minor   |   Milestone:                          
> Priority:  normal  |     Version:  devel                  
>    Owner:  devel   |    Reporter:  [hidden email]      
>--------------------+-------------------------------------------------------
> Pkcs11-spy will only work if you have support for a reader installed.
> This dependency should either be noted somewhere or possibly removed. The
> error message returned CKR_HOST_MEMORY is also confusing.
>
>  init_spy [pkcs11-spy.c] ->  sc_establish_context [ctx.c] ->
> sc_establish_context [ctx.c:672] returns SC_ERROR_NO_READERS_FOUND ->
> init_spy [pkcs11-spy.c:70] returns CKR_HOST_
>
Same problem with our pkcs11 lib: if there's no reader, C_Initialize
returns an error
(so it's e.g. not possible to add our pkcs11 lib to Mozilla if there's
no reader present.)

Here's a simple (though somewhat nasty) solution: if
sc_establish_context() returns
SC_ERROR_NO_READERS_FOUND, we know the context is intialised (config,
debug, drivers, ...) so we just ignore this error (it's actually a
warning) and let
the spy and pkcs11 continue.

Any objections?

Cheers,
Stef

_______________________________________________
opensc-devel mailing list
[hidden email]
http://www.opensc.org/cgi-bin/mailman/listinfo/opensc-devel
Reply | Threaded
Open this post in threaded view
|

Re: Re: [opensc-commits] [OpenSC] #33: pkcs11-spy dependency on readers

Stef Hoeben

Stef Hoeben wrote:

> OpenSC wrote:
>
>> #33: pkcs11-spy dependency on readers
>> --------------------+-------------------------------------------------------
>>
>>       Id:  33      |      Status:  new                    
>> Component:  pkcs11  |    Modified:  Mon Aug 29 12:44:02 2005
>> Severity:  minor   |   Milestone:                          Priority:  
>> normal  |     Version:  devel                      Owner:  devel  
>> |    Reporter:  [hidden email]      
>> --------------------+-------------------------------------------------------
>>
>> Pkcs11-spy will only work if you have support for a reader installed.
>> This dependency should either be noted somewhere or possibly removed.
>> The
>> error message returned CKR_HOST_MEMORY is also confusing.
>>
>>  init_spy [pkcs11-spy.c] ->  sc_establish_context [ctx.c] ->
>> sc_establish_context [ctx.c:672] returns SC_ERROR_NO_READERS_FOUND ->
>> init_spy [pkcs11-spy.c:70] returns CKR_HOST_
>>
> Same problem with our pkcs11 lib: if there's no reader, C_Initialize
> returns an error
> (so it's e.g. not possible to add our pkcs11 lib to Mozilla if there's
> no reader present.)
>
> Here's a simple (though somewhat nasty) solution: if
> sc_establish_context() returns
> SC_ERROR_NO_READERS_FOUND, we know the context is intialised (config,
> debug, drivers, ...) so we just ignore this error (it's actually a
> warning) and let
> the spy and pkcs11 continue.
>
> Any objections?

Yes: doing this segfaults the pkcs11 lib because the sc_context_t is
free()-ed
before returning SC_ERROR_NO_READERS_FOUND.

Another proposal: let sc_establish_context not return an error (and do
no free())
in case there are no readers.

Note: this will require some smaller changes to most to tools/libs using
OpenSC.

How about this one?

(You know, it's a pretty annoying/confusing problem IMHO...)

Cheers,
Stef
_______________________________________________
opensc-devel mailing list
[hidden email]
http://www.opensc.org/cgi-bin/mailman/listinfo/opensc-devel
Reply | Threaded
Open this post in threaded view
|

Re: Re: [opensc-commits] [OpenSC] #33: pkcs11-spy dependency on readers

Nils Larsch
In reply to this post by Stef Hoeben
Stef Hoeben wrote:

> OpenSC wrote:
>
>> #33: pkcs11-spy dependency on readers
>> --------------------+-------------------------------------------------------
>>
>>       Id:  33      |      Status:  new                     Component:  
>> pkcs11  |    Modified:  Mon Aug 29 12:44:02 2005
>> Severity:  minor   |   Milestone:                          Priority:  
>> normal  |     Version:  devel                      Owner:  devel  
>> |    Reporter:  [hidden email]      
>> --------------------+-------------------------------------------------------
>>
>> Pkcs11-spy will only work if you have support for a reader installed.
>> This dependency should either be noted somewhere or possibly removed. The
>> error message returned CKR_HOST_MEMORY is also confusing.
>>
>>  init_spy [pkcs11-spy.c] ->  sc_establish_context [ctx.c] ->
>> sc_establish_context [ctx.c:672] returns SC_ERROR_NO_READERS_FOUND ->
>> init_spy [pkcs11-spy.c:70] returns CKR_HOST_
>>
> Same problem with our pkcs11 lib: if there's no reader, C_Initialize
> returns an error
> (so it's e.g. not possible to add our pkcs11 lib to Mozilla if there's
> no reader present.)
>
> Here's a simple (though somewhat nasty) solution: if
> sc_establish_context() returns
> SC_ERROR_NO_READERS_FOUND, we know the context is intialised (config,
> debug, drivers, ...) so we just ignore this error (it's actually a
> warning) and let
> the spy and pkcs11 continue.

perhaps a dump question, but why is sc_establish_context used at all
in pkcs11-spy ? As far as I can see it's only used for getting
information out of the config file, but this should be possible with
scconf alone (the only problem I see at the moment might be to find
out where the config file is ...). In case there's interest I could
try writting a patch.

Nils
_______________________________________________
opensc-devel mailing list
[hidden email]
http://www.opensc.org/cgi-bin/mailman/listinfo/opensc-devel
Reply | Threaded
Open this post in threaded view
|

Re: Re: [opensc-commits] [OpenSC] #33: pkcs11-spy dependency on readers

Nils Larsch
In reply to this post by Stef Hoeben
Stef Hoeben wrote:
...

>> Any objections?
>
>
> Yes: doing this segfaults the pkcs11 lib because the sc_context_t is
> free()-ed
> before returning SC_ERROR_NO_READERS_FOUND.
>
> Another proposal: let sc_establish_context not return an error (and do
> no free())
> in case there are no readers.
>
> Note: this will require some smaller changes to most to tools/libs using
> OpenSC.

I'm against changing the behaviour of sc_establish_context in this
way as it would break other applications. If you really need this
please create a new function. Btw: what's the use of a context without
a reader ?

Nils
_______________________________________________
opensc-devel mailing list
[hidden email]
http://www.opensc.org/cgi-bin/mailman/listinfo/opensc-devel
Reply | Threaded
Open this post in threaded view
|

Re: Re: [opensc-commits] [OpenSC] #33: pkcs11-spy dependency on readers

Stef Hoeben
Nils Larsch wrote:

> Stef Hoeben wrote:
> ...
>
>>> Any objections?
>>
>>
>>
>> Yes: doing this segfaults the pkcs11 lib because the sc_context_t is
>> free()-ed
>> before returning SC_ERROR_NO_READERS_FOUND.
>>
>> Another proposal: let sc_establish_context not return an error (and
>> do no free())
>> in case there are no readers.
>>
>> Note: this will require some smaller changes to most to tools/libs
>> using OpenSC.
>
>
> I'm against changing the behaviour of sc_establish_context in this
> way as it would break other applications.

Hm, OK. Can't think of a good name however, perhaps
sc_establisch_context_ext() or so..

> If you really need this
> please create a new function. Btw: what's the use of a context without
> a reader ?

Ah:
- you can read the opensc.conf file (pkcs11-spy)
- you could register your pkcs11 without have a reader attached (Mozilla)
- you can log

Cheers,
Stef

_______________________________________________
opensc-devel mailing list
[hidden email]
http://www.opensc.org/cgi-bin/mailman/listinfo/opensc-devel
Reply | Threaded
Open this post in threaded view
|

Re: Re: [opensc-commits] [OpenSC] #33: pkcs11-spy dependency on readers

Nils Larsch
Stef Hoeben wrote:
...

> Hm, OK. Can't think of a good name however, perhaps
> sc_establisch_context_ext() or so..
>
>> If you really need this
>> please create a new function. Btw: what's the use of a context without
>> a reader ?
>
>
> Ah:
> - you can read the opensc.conf file (pkcs11-spy)

this raises the question why pkcs15-spy uses the opensc.conf as it
should be independent of libopensc

> - you could register your pkcs11 without have a reader attached (Mozilla)

this might be useful, even though I never had the need for this so far

> - you can log

why should other apps use the libopensc logging facility ?

Nils
_______________________________________________
opensc-devel mailing list
[hidden email]
http://www.opensc.org/cgi-bin/mailman/listinfo/opensc-devel
Reply | Threaded
Open this post in threaded view
|

Re: Re: [opensc-commits] [OpenSC] #33: pkcs11-spy dependency on readers

Stef Hoeben
Nils Larsch wrote:

> Stef Hoeben wrote:
> ...
>
>> Hm, OK. Can't think of a good name however, perhaps
>> sc_establisch_context_ext() or so..
>>
>>> If you really need this
>>> please create a new function. Btw: what's the use of a context without
>>> a reader ?
>>
>>
>>
>> Ah:
>> - you can read the opensc.conf file (pkcs11-spy)
>
>
> this raises the question why pkcs15-spy uses the opensc.conf as it
> should be independent of libopensc

Well, that would solve this issue indeed. But then we we wouldn't be
able to use scconf either, I guess?

>
>> - you could register your pkcs11 without have a reader attached
>> (Mozilla)
>
>
> this might be useful, even though I never had the need for this so far

Ah, that's because you have a reader attached most of the time, or don't
register your pkcs11 that often:-)
But for people supporting an army of unexperienced users, this will be a
pain
in the ass less..

>> - you can log
>

Actually, not the logging itself, but for example our nice ASN.1 and
PKCS15 parser
(which use the context for logging).

Cheers,
Stef

_______________________________________________
opensc-devel mailing list
[hidden email]
http://www.opensc.org/cgi-bin/mailman/listinfo/opensc-devel
Reply | Threaded
Open this post in threaded view
|

Re: Re: [opensc-commits] [OpenSC] #33: pkcs11-spy dependency on readers

Nils Larsch
Stef Hoeben wrote:
...
>> this raises the question why pkcs15-spy uses the opensc.conf as it
>> should be independent of libopensc
>
>
> Well, that would solve this issue indeed. But then we we wouldn't be
> able to use scconf either, I guess?

scconf is a separate sub-project not depending on libopensc

>
>>
>>> - you could register your pkcs11 without have a reader attached
>>> (Mozilla)
>>
>>
>>
>> this might be useful, even though I never had the need for this so far
>
>
> Ah, that's because you have a reader attached most of the time, or don't
> register your pkcs11 that often:-)
> But for people supporting an army of unexperienced users, this will be a
> pain
> in the ass less..

ok

>
>>> - you can log
>>
>>
>
> Actually, not the logging itself, but for example our nice ASN.1 and
> PKCS15 parser
> (which use the context for logging).

this might be somewhat problematic as you normally don't want other
applications to dump their error messages in the default libopensc
error file (as the error file is normally a global parameter it's
difficult to tell which app caused which error (and what happens if
serveral apps are trying to dump errors concurrently ...)). It might
be better to allow a NULL context to disables logging.

Nils
_______________________________________________
opensc-devel mailing list
[hidden email]
http://www.opensc.org/cgi-bin/mailman/listinfo/opensc-devel
Reply | Threaded
Open this post in threaded view
|

Re: Re: [opensc-commits] [OpenSC] #33: pkcs11-spy dependency on readers

Andreas Jellinghaus-2
In reply to this post by Stef Hoeben
On Monday 29 August 2005 21:42, Stef Hoeben wrote:

> >> - you could register your pkcs11 without have a reader attached
> >> (Mozilla)
> >
> >
> > this might be useful, even though I never had the need for this so far
>
> Ah, that's because you have a reader attached most of the time, or don't
> register your pkcs11 that often:-)
> But for people supporting an army of unexperienced users, this will be a
> pain in the ass less..

agree. I only use openct with usb crypto tokens most of the time, so that
scenario should work well, too.

or people using serial towitoko readers - if it is not plugged in time,
there is no reader. but it should be easy to add that reader later,
preferable without restarting or reconfiguring mozilla/ff/tb.

Andreas
_______________________________________________
opensc-devel mailing list
[hidden email]
http://www.opensc.org/cgi-bin/mailman/listinfo/opensc-devel
Reply | Threaded
Open this post in threaded view
|

Re: Re: [opensc-commits] [OpenSC] #33: pkcs11-spy dependency on readers

Nils Larsch
In reply to this post by Stef Hoeben
Stef Hoeben wrote:
...
> Hm, OK. Can't think of a good name however, perhaps
> sc_establisch_context_ext() or so..

yep, something like the attached patch. However I think the
code loading the reader drivers etc. needs to be changed as well
(perhaps we need something like sc_refresh_context(...) to
update the internal reader list etc.) and the logging code isn't
optimal here.

Cheers,
Nils

Index: src/libopensc/ctx.c
===================================================================
--- src/libopensc/ctx.c (Revision 2517)
+++ src/libopensc/ctx.c (Arbeitskopie)
@@ -639,26 +639,28 @@
  load_parameters(ctx, ctx->conf_blocks[i], opts);
 }
 
-int sc_establish_context(sc_context_t **ctx_out, const char *app_name)
+int sc_establish_context_ex(sc_context_t **ctx_out, const char *app_name,
+ unsigned long flags)
 {
  const char *default_app = "default";
- sc_context_t *ctx;
- struct _sc_ctx_options opts;
+        sc_context_t *ctx;
+        struct _sc_ctx_options opts;
 
- assert(ctx_out != NULL);
- ctx = (sc_context_t *) calloc(1, sizeof(sc_context_t));
- if (ctx == NULL)
- return SC_ERROR_OUT_OF_MEMORY;
- memset(&opts, 0, sizeof(opts));
- set_defaults(ctx, &opts);
- ctx->app_name = app_name ? strdup(app_name) : strdup(default_app);
- if (ctx->app_name == NULL) {
- sc_release_context(ctx);
- return SC_ERROR_OUT_OF_MEMORY;
- }
- process_config_file(ctx, &opts);
- ctx->mutex = sc_mutex_new();
- sc_debug(ctx, "===================================\n"); /* first thing in the log */
+        assert(ctx_out != NULL);
+        ctx = (sc_context_t *) calloc(1, sizeof(sc_context_t));
+        if (ctx == NULL)
+                return SC_ERROR_OUT_OF_MEMORY;
+        memset(&opts, 0, sizeof(opts));
+        set_defaults(ctx, &opts);
+        ctx->app_name = app_name ? strdup(app_name) : strdup(default_app);
+        if (ctx->app_name == NULL) {
+                sc_release_context(ctx);
+                return SC_ERROR_OUT_OF_MEMORY;
+        }
+        process_config_file(ctx, &opts);
+        ctx->mutex = sc_mutex_new();
+ /* first thing in the log */
+ sc_debug(ctx, "===================================\n");
  sc_debug(ctx, "opensc version: %s\n", sc_get_version());
  load_reader_drivers(ctx, &opts);
  load_card_drivers(ctx, &opts);
@@ -669,7 +671,7 @@
  }
  del_drvs(&opts, 0);
  del_drvs(&opts, 1);
- if (ctx->reader_count == 0) {
+ if (flags & SC_CTX_CHECK_READERS && ctx->reader_count == 0) {
  sc_release_context(ctx);
  return SC_ERROR_NO_READERS_FOUND;
  }
@@ -677,6 +679,11 @@
  return SC_SUCCESS;
 }
 
+int sc_establish_context(sc_context_t **ctx_out, const char *app_name)
+{
+ return sc_establish_context_ex(ctx_out, app_name, SC_CTX_CHECK_READERS);
+}
+
 int sc_release_context(sc_context_t *ctx)
 {
  int i;
Index: src/libopensc/opensc.h
===================================================================
--- src/libopensc/opensc.h (Revision 2517)
+++ src/libopensc/opensc.h (Arbeitskopie)
@@ -673,6 +673,11 @@
  */
 int sc_establish_context(sc_context_t **ctx, const char *app_name);
 
+#define SC_CTX_CHECK_READERS 0x0001UL
+
+int sc_establish_context_ex(sc_context_t **ctx, const char *app_name,
+ unsigned long flags);
+
 /**
  * Releases an established OpenSC context
  * @param ctx A pointer to the context structure to be released

_______________________________________________
opensc-devel mailing list
[hidden email]
http://www.opensc.org/cgi-bin/mailman/listinfo/opensc-devel
Reply | Threaded
Open this post in threaded view
|

Re: Re: [opensc-commits] [OpenSC] #33: pkcs11-spy dependency on readers

Peter Stuge
In reply to this post by Andreas Jellinghaus-2
On Tue, Aug 30, 2005 at 12:36:15AM +0200, Andreas Jellinghaus wrote:
> or people using serial towitoko readers - if it is not plugged in
> time, there is no reader. but it should be easy to add that reader
> later, preferable without restarting or reconfiguring
> mozilla/ff/tb.

I agree. And since this is the 21st century I'd like a callback,
notify or message mechanism for when lower level configuration
changes.


//Peter
_______________________________________________
opensc-devel mailing list
[hidden email]
http://www.opensc.org/cgi-bin/mailman/listinfo/opensc-devel
Reply | Threaded
Open this post in threaded view
|

Re: Re: [opensc-commits] [OpenSC] #33: pkcs11-spy dependency on readers

Stef Hoeben
In reply to this post by Nils Larsch
Yeah, looks nice.

(The pkcs11 lib will still crash if you continue without a reader,
but I'll try to look at it, and once it's fixed, replace the old by
the new function.)

Cheers,
Stef


Nils Larsch wrote:

> Stef Hoeben wrote:
> ...
>
>> Hm, OK. Can't think of a good name however, perhaps
>> sc_establisch_context_ext() or so..
>
>
> yep, something like the attached patch. However I think the
> code loading the reader drivers etc. needs to be changed as well
> (perhaps we need something like sc_refresh_context(...) to
> update the internal reader list etc.) and the logging code isn't
> optimal here.
>
> Cheers,
> Nils
>

_______________________________________________
opensc-devel mailing list
[hidden email]
http://www.opensc.org/cgi-bin/mailman/listinfo/opensc-devel
Reply | Threaded
Open this post in threaded view
|

Re: Re: [opensc-commits] [OpenSC] #33: pkcs11-spy dependency on readers

Nils Larsch
Stef Hoeben wrote:
> Yeah, looks nice.

no, not really. I think more changes are required to make
this really usable.

> (The pkcs11 lib will still crash if you continue without a reader,

this doesn't really surprise me

Nils
_______________________________________________
opensc-devel mailing list
[hidden email]
http://www.opensc.org/cgi-bin/mailman/listinfo/opensc-devel
Reply | Threaded
Open this post in threaded view
|

Re: Re: [opensc-commits] [OpenSC] #33: pkcs11-spy dependency on readers

Martin Paljak
On 9/1/05, Nils Larsch <[hidden email]> wrote:
> no, not really. I think more changes are required to make
> this really usable.
True.

I tried to avoid the problem by dropping the reader requirement to
allow mozilla to load the module even if no readers are connected. But
then again - if one connects it after
module has been loaded it shall have no effect.


>
> > (The pkcs11 lib will still crash if you continue without a reader,
A loop in refresh_slot_attributes assumes at least 1 reader.


--
Martin Paljak
[hidden email]
http://martin.paljak.pri.ee/
+372.5156495 - phone
_______________________________________________
opensc-devel mailing list
[hidden email]
http://www.opensc.org/cgi-bin/mailman/listinfo/opensc-devel
Reply | Threaded
Open this post in threaded view
|

Re: Re: [opensc-commits] [OpenSC] #33: pkcs11-spy dependency on readers

Stef Hoeben
In reply to this post by Nils Larsch
Nils Larsch wrote:

> Stef Hoeben wrote:
>
>> OpenSC wrote:
>>
>>> #33: pkcs11-spy dependency on readers
>>> --------------------+-------------------------------------------------------
>>>
>>>       Id:  33      |      Status:  new                    
>>> Component:  pkcs11  |    Modified:  Mon Aug 29 12:44:02 2005
>>> Severity:  minor   |   Milestone:                          
>>> Priority:  normal  |     Version:  devel                      
>>> Owner:  devel   |    Reporter:  [hidden email]      
>>> --------------------+-------------------------------------------------------
>>>
>>> Pkcs11-spy will only work if you have support for a reader installed.
>>> This dependency should either be noted somewhere or possibly
>>> removed. The
>>> error message returned CKR_HOST_MEMORY is also confusing.
>>>
>>>  init_spy [pkcs11-spy.c] ->  sc_establish_context [ctx.c] ->
>>> sc_establish_context [ctx.c:672] returns SC_ERROR_NO_READERS_FOUND ->
>>> init_spy [pkcs11-spy.c:70] returns CKR_HOST_
>>>
>> Same problem with our pkcs11 lib: if there's no reader, C_Initialize
>> returns an error
>> (so it's e.g. not possible to add our pkcs11 lib to Mozilla if
>> there's no reader present.)
>>
>> Here's a simple (though somewhat nasty) solution: if
>> sc_establish_context() returns
>> SC_ERROR_NO_READERS_FOUND, we know the context is intialised (config,
>> debug, drivers, ...) so we just ignore this error (it's actually a
>> warning) and let
>> the spy and pkcs11 continue.
>
>
> perhaps a dump question, but why is sc_establish_context used at all
> in pkcs11-spy ? As far as I can see it's only used for getting

Yes, it's only for the config info.

> information out of the config file, but this should be possible with
> scconf alone (the only problem I see at the moment might be to find
> out where the config file is ...). In case there's interest I could
> try writting a patch.

Would be nice indeed.

Cheers,
Stef

_______________________________________________
opensc-devel mailing list
[hidden email]
http://www.opensc.org/cgi-bin/mailman/listinfo/opensc-devel