Tokend on Mac OS X (Intel)

Tokend on Mac OS X (Intel)

Jan Schermer
Hi,
what is the reason behind tokend not working on Intel-based Macs? Is  
there anything I can do to help? I have a macbook and
e-Gate+CryptoFlex, and I'd love to get it working...

Thanks
Jan

_______________________________________________
opensc-user mailing list
[hidden email]
http://www.opensc-project.org/mailman/listinfo/opensc-user


Re: Tokend on Mac OS X (Intel)

JP Szikora
Jan Schermer wrote:
> Hi,
> what is the reason behind tokend not working on Intel-based Macs? Is
> there anything I can do to help? I have a macbook and
> e-Gate+CryptoFlex, and I'd love to get it working...

Hi Jan,

There is no MacIntel Tokend actually simply because we can not compile
it...

You can request on Apple-cdsa mailing list the instruction on how to
compile the last available version of Tokend, but this only works on
PPC. It seems that Apple did not yet release the newest version of
Tokend, which can be compiled on MacIntel.

Please check this post on Apple-cdsa mailing list:
http://lists.apple.com/archives/Apple-cdsa/2006/May/msg00001.html

Regards,

Jean-Pierre


Re: Tokend on Mac OS X (Intel)

Jan Schermer
Hi,
sorry I have missed the list messages somehow (is majordomo broken?  
or my mailserver? :)

It looks like there should be docs to building i386 Tokend "on the
Darwin site" - according to apple (
http://lists.apple.com/archives/Apple-cdsa/2006/Jun/msg00003.html ).
I tried looking for the docs but I have little clue what "the Darwin  
site is", hope you know... could you take a look and maybe give me  
some hope? :)

Thanks a lot
Jan

On 1.6.2006, at 13:35, Jan Schermer wrote:

Hi,
what is the reason behind tokend not working on Intel-based Macs? Is  
there anything I can do to help? I have a macbook and
e-Gate+CryptoFlex, and I'd love to get it working...

Thanks
Jan

Re: Tokend on Mac OS X (Intel)

JP Szikora
Jan Schermer wrote:
> Hi,
> sorry I have missed the list messages somehow (is majordomo broken? or
> my mailserver? :)
Hi Jan,

My answer to your first message is archived here:
http://www.opensc-project.org/pipermail/opensc-user/2006-June/001005.html 
:-)
>
> It looks like there should be docs to building i386 Tokend "on the
> Darwin site" - according to apple (
> http://lists.apple.com/archives/Apple-cdsa/2006/Jun/msg00003.html ).
> I tried looking for the docs but I have little clue what "the Darwin
> site is", hope you know... could you take a look and maybe give me
> some hope? :)
This is a very recent and awaited news... We received last night the
document from Apple. As soon as we have a working Universal
OpenSC.Tokend, we will upload it to the usual url at
http://www.opensc-project.org/files/sca/experimental/.

Best Regards,

Jean-Pierre

>
> Thanks a lot
> Jan
>
> On 1.6.2006, at 13:35, Jan Schermer wrote:
>
> Hi,
> what is the reason behind tokend not working on Intel-based Macs? Is
> there anything I can do to help? I have a macbook and
> e-Gate+CryptoFlex, and I'd love to get it working...


Re: Tokend on Mac OS X (Intel)

JP Szikora
Jan Schermer wrote:
>
> It looks like there should be docs to building i386 Tokend "on the
> Darwin site" - according to apple (
> http://lists.apple.com/archives/Apple-cdsa/2006/Jun/msg00003.html ).
> I tried looking for the docs but I have little clue what "the Darwin
> site is", hope you know... could you take a look and maybe give me
> some hope? :)
>
Hi Jan,

I just posted a new experimental release of SCA with Universal
OpenSC.Tokend. You will find it at
http://www.opensc-project.org/files/sca/experimental .

Reports are welcome...

Cheers,

Jean-Pierre

Re: Tokend on Mac OS X (Intel)

Jan Schermer
Hi,
great news, thanks!

I just tested it and it sort-of-works, but not completely:

1) keychain shows OpenSC card and all items (thawte cert. chain + my  
cert + my private key)

2) mail refuses to sign except for the first mail address in the  
certificate (if I import it into the sw keychain it works) (P.S.  
actually it now allows me to choose to sign this mail, BUT reports  
"Error MFMessageErrorDomain 1035" when I try to send it (after  
entering PIN))

3) sc_auth doesn't work (probably because of the cert. chain I have
on the card), here's excerpt from the logs (I was running "sc_auth  
hash" and it does this for every cert on the card):

Jun  7 15:26:46 zviratko /usr/sbin/pcscd: Buffer length probably incorrect -- help!
Jun  7 15:26:46 zviratko /usr/sbin/pcscd: Buffer length probably incorrect -- help!
Jun  7 15:26:46 zviratko /System/Library/Security/tokend/OpenSC.tokend/Contents/MacOS/OpenSC: error writing cache file: /var/db/TokenCache/tokens/com.apple.tokend.opensc:OpenSC Card00007052FFFF0200/Cache/0-/SN=Schermer/GN=Jan/CN=Jan Schermer/emailAddress=[hidden email]/emailAddress=[hidden email]/emailAddress=jan.scherm[hidden email]/emailAddress=[hidden email]/emailAddress=zviratko@zviratko.eu/emailAddress=[hidden email]: No such file or directory\n
Jun  7 15:26:46 zviratko /usr/sbin/pcscd: Buffer length probably incorrect -- help!

When I create the directory structure by hand, it creates the file  
and seems to store the cache (looks like the same .eid/cache I got on
linux), however, sc_auth hash doesn't return any hashes from the card  
in the end.

Tell me if you need something more

Looking forward to the next version :)
Thanks
Jan


On 7.6.2006, at 14:31, Jean-Pierre Szikora wrote:

Jan Schermer wrote:
>
> It looks like there should be docs to building i386 Tokend "on the
> Darwin site" - according to apple (
> http://lists.apple.com/archives/Apple-cdsa/2006/Jun/msg00003.html ).
> I tried looking for the docs but I have little clue what "the  
> Darwin site is", hope you know... could you take a look and maybe  
> give me some hope? :)
>
Hi Jan,

I just posted a new experimental release of SCA with Universal
OpenSC.Tokend. You will find it at
http://www.opensc-project.org/files/sca/experimental .

Reports are welcome...

Cheers,

Jean-Pierre


Re: Tokend on Mac OS X (Intel)

JP Szikora
Jan Schermer wrote:
> Hi,
> great news, thanks!
>
> I just tested it and it sort-of-works, but not completely:
>
> 1) keychain shows OpenSC card and all items (thawte cert. chain + my
> cert + my private key)
Hi Jan,

Good...
>
> 2) mail refuses to sign except for the first mail address in the
> certificate (if I import it into the sw keychain it works) (P.S.
> actually it now allows me to choose to sign this mail, BUT reports
> "Error MFMessageErrorDomain 1035" when I try to send it (after
> entering PIN))
As I can see below, you have a Thawte cert with multiple email addresses on
it, right? Can you make first tests with something simpler like one
email on a cert :-) I tried with a thawte cert on a cryptoflex/e-gate
without problem.

>
> 3) sc_auth doesn't work (probably because of the cert. chain i have on
> the card), here's excerpt from the logs (I was running "sc_auth hash"
> and it does this for every cert on the card):
>
> Jun  7 15:26:46 zviratko /usr/sbin/pcscd: Buffer length probably incorrect -- help!
> Jun  7 15:26:46 zviratko /usr/sbin/pcscd: Buffer length probably incorrect -- help!
> Jun  7 15:26:46 zviratko /System/Library/Security/tokend/OpenSC.tokend/Contents/MacOS/OpenSC: error writing cache file: /var/db/TokenCache/tokens/com.apple.tokend.opensc:OpenSC Card00007052FFFF0200/Cache/0-/SN=Schermer/GN=Jan/CN=Jan Schermer/emailAddress=[hidden email]/emailAddress=[hidden email]/emailAddress=jan.scherm[hidden email]/emailAddress=[hidden email]/emailAddress=zviratko@zviratko.eu/emailAddress=[hidden email]: No such file or directory\n
> Jun  7 15:26:46 zviratko /usr/sbin/pcscd: Buffer length probably incorrect -- help!
>
> When I create the directory structure by hand, it creates the file and
> seems to store the cache (look like the same .eid/cache I got on
> linux), however, sc_auth hash doesn't return any hashes from the card
> in the end.
I submitted few hours ago a bug report to apple concerning this.... You
can edit /usr/sbin/sc_auth (it's a bash script) and replace near
line 70, the 0x00000001 by 0x01000000 and 0x00000006 by 0x06000000 ...

Best Regards,

Jean-Pierre

>
> Tell me if you need something more
>
> Looking forward to the next version :)
> Thanks
> Jan
>
>
> On 7.6.2006, at 14:31, Jean-Pierre Szikora wrote:
>
> Jan Schermer wrote:
>>
>> It looks like there should be docs to building i386 Tokend "on the
>> Darwin site" - according to apple (
>> http://lists.apple.com/archives/Apple-cdsa/2006/Jun/msg00003.html ).
>> I tried looking for the docs but I have little clue what "the Darwin
>> site is", hope you know... could you take a look and maybe give me
>> some hope? :)
>>
> Hi Jan,
>
> I just posted a new experimental release of SCA with Universal
> OpenSC.Tokend. You will find it at
> http://www.opensc-project.org/files/sca/experimental .
>
> Reports are welcome...
>
> Cheers,
>
> Jean-Pierre
>
>
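
The edit Jean-Pierre describes above, scripted so it can be tried on a copy first; this is an added example, not part of the original thread and not Apple's script. The 60-80 line window is an assumption standing in for "near line 70", and the sample file is constructed filler, not the contents of sc_auth.

```shell
#!/bin/sh
# Added example: not from the thread and not Apple's sc_auth.
# Applies the two constant swaps named in the message to FILE, restricted to
# a line window, keeping a backup and refusing to run a second time.

# patch_tags FILE [FIRST] [LAST]
# Prints the number of lines changed; returns non-zero if nothing was done.
patch_tags() {
    file=$1
    first=${2:-60}   # assumed window standing in for "near line 70"
    last=${3:-80}
    [ -f "$file" ] || { echo "no such file: $file" >&2; return 2; }
    # An existing backup means the edit was already made; do not overwrite it.
    [ ! -e "$file.orig" ] || { echo "backup exists: $file.orig" >&2; return 3; }
    # Count lines inside the window that carry either constant.
    hits=$(sed -n "${first},${last}p" "$file" |
           grep -c -e '0x00000001' -e '0x00000006' || true)
    if [ "$hits" -eq 0 ]; then
        echo 0
        return 1
    fi
    cp -p "$file" "$file.orig" || return 1
    sed -e "${first},${last}s/0x00000001/0x01000000/g" \
        -e "${first},${last}s/0x00000006/0x06000000/g" \
        "$file.orig" > "$file.new" || return 1
    # Write through the existing file so owner and mode stay as they were.
    cat "$file.new" > "$file" && rm -f "$file.new"
    echo "$hits"
}

# make_sample FILE
# Builds a constructed 75-line stand-in: the constants sit on lines 70 and 71,
# plus one occurrence on line 10 that lies outside the window.
make_sample() {
    : > "$1"
    i=1
    while [ "$i" -le 75 ]; do
        case $i in
            10|70) echo "tag 0x00000001" ;;
            71)    echo "tag 0x00000006" ;;
            *)     echo "# constructed filler line $i" ;;
        esac >> "$1"
        i=$((i + 1))
    done
}

# Demo on the constructed stand-in, never on the real script.
demo_dir=$(mktemp -d)
make_sample "$demo_dir/sc_auth"
echo "lines changed: $(patch_tags "$demo_dir/sc_auth")"
rm -rf "$demo_dir"
```

Run against a copy of the real script first and compare it with the `.orig` backup before replacing anything under /usr/sbin.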


Re: Tokend on Mac OS X (Intel)

Jan Schermer
Hi,
sc_auth now works, but I still can't login with the smartcard:

...
Jun  7 17:48:58 zviratko /usr/sbin/pcscd: Buffer length probably incorrect -- help!
Jun  7 17:48:58 zviratko /System/Library/Security/tokend/OpenSC.tokend/Contents/MacOS/OpenSC: error writing cache file: /var/db/TokenCache/tokens/com.apple.tokend.opensc:OpenSC Card00007052FFFF0200/Cache/0-/SN=Schermer/GN=Jan/CN=Jan Schermer/emailAddress=[hidden email]/emailAddress=[hidden email]/emailAddress=[hidden email]/emailAddress=[hidden email]/emailAddress=[hidden email]/emailAddress=[hidden email]: No such file or directory\n
Jun  7 17:49:01 zviratko /usr/sbin/pcscd: Buffer length probably incorrect -- help!
Jun  7 17:49:01 zviratko /usr/sbin/pcscd: Buffer length probably incorrect -- help!
Jun  7 17:49:01 zviratko /usr/sbin/pcscd: Buffer length probably incorrect -- help!
Jun  7 17:49:01 zviratko /usr/sbin/pcscd: Buffer length probably incorrect -- help!
Jun  7 17:49:09 zviratko crashdump[741]: SecurityAgent crashed
Jun  7 17:49:09 zviratko crashdump[741]: crash report written to: /Library/Logs/CrashReporter/SecurityAgent.crash.log
Jun  7 17:49:57 zviratko kernel[0]: (749: ps)tfp: failed on 0:
Jun  7 17:49:57 zviratko kernel[0]: (749: ps)tfp: failed on 0:
Jun  7 17:49:59 zviratko kernel[0]: (54: coreservicesd)tfp: failed on 0:
Jun  7 17:49:59 zviratko kernel[0]: (54: coreservicesd)tfp: failed on 0:
Jun  7 17:50:02 zviratko /System/Library/CoreServices/loginwindow.app/Contents/MacOS/loginwindow: Login Window Application Started
Jun  7 17:50:03 zviratko kernel[0]: (54: coreservicesd)tfp: failed on 0:
Jun  7 17:50:03 zviratko loginwindow[751]: Login Window Started Security Agent
Jun  7 17:50:10 zviratko /usr/sbin/pcscd: Buffer length probably incorrect -- help!
Jun  7 17:50:11 zviratko /usr/sbin/pcscd: Buffer length probably incorrect -- help!
Jun  7 17:50:12 zviratko /usr/sbin/pcscd: Buffer length probably incorrect -- help!
Jun  7 17:50:14 zviratko /usr/sbin/pcscd: Buffer length probably incorrect -- help!
...

Loginwindow and securityagent both crash when I try to login,  
(crashdump attached)


I'll try making a one-mail cert  later (after work :)

Thanks
Jan



On 7.6.2006, at 17:38, Jean-Pierre Szikora wrote:

Jan Schermer wrote:
> Hi,
> great news, thanks!
>
> I just tested it and it sort-of-works, but not completely:
>
> 1) keychain shows OpenSC card and all items (thawte cert. chain +  
> my cert + my private key)
Hi Jan,

Good...
>
> 2) mail refuses to sign except for the first mail address in the  
> certificate (if I import it into the sw keychain it works) (P.S.  
> actually it now allows me to choose to sign this mail, BUT reports  
> "Error MFMessageErrorDomain 1035" when I try to send it (after  
> entering PIN))
As I can see below, you have a Thawte cert with multiple email addresses
on it, right? Can you make first tests with something simpler like
one email on a cert :-) I tried with a thawte cert on a cryptoflex/e-gate
without problem.

>
> 3) sc_auth doesn't work (probably because of the cert. chain i have  
> on the card), here's excerpt from the logs (I was running "sc_auth  
> hash" and it does this for every cert on the card):
>
> Jun  7 15:26:46 zviratko /usr/sbin/pcscd: Buffer length probably incorrect -- help!
> Jun  7 15:26:46 zviratko /usr/sbin/pcscd: Buffer length probably incorrect -- help!
> Jun  7 15:26:46 zviratko /System/Library/Security/tokend/OpenSC.tokend/Contents/MacOS/OpenSC: error writing cache file: /var/db/TokenCache/tokens/com.apple.tokend.opensc:OpenSC Card00007052FFFF0200/Cache/0-/SN=Schermer/GN=Jan/CN=Jan Schermer/emailAddress=[hidden email]/emailAddress=[hidden email]/emailAddress=jan.scherm[hidden email]/emailAddress=[hidden email]/emailAddress=zviratko@zviratko.eu/emailAddress=[hidden email]: No such file or directory\n
> Jun  7 15:26:46 zviratko /usr/sbin/pcscd: Buffer length probably incorrect -- help!
>
> When I create the directory structure by hand, it creates the file  
> and seems to store the cache (look like the same .eid/cache I got  
> on linux), however, sc_auth hash doesn't return any hashes from the  
> card in the end.
I submitted few hours ago a bug report to apple concerning this....  
You can edit /usr/sbin/sc_auth (it's a bash script) and replace near  
line 70, the 0x00000001 by 0x01000000 and 0x00000006 by
0x06000000 ...

Best Regards,

Jean-Pierre

>
> Tell me if you need something more
>
> Looking forward to the next version :)
> Thanks
> Jan
>
>
> On 7.6.2006, at 14:31, Jean-Pierre Szikora wrote:
>
> Jan Schermer wrote:
>>
>> It looks like there should be docs to building i386 Tokend "on the
>> Darwin site" - according to apple (
>> http://lists.apple.com/archives/Apple-cdsa/2006/Jun/msg00003.html ).
>> I tried looking for the docs but I have little clue what "the  
>> Darwin site is", hope you know... could you take a look and maybe  
>> give me some hope? :)
>>
> Hi Jan,
>
> I just posted a new experimental release of SCA with Universal
> OpenSC.Tokend. You will find it at
> http://www.opensc-project.org/files/sca/experimental .
>
> Reports are welcome...
>
> Cheers,
>
> Jean-Pierre
>
>


Re: Tokend on Mac OS X (Intel)

JP Szikora
Jan Schermer wrote:

> Hi,
> sc_auth now works, but I still can't login with the smartcard:
>
> ...
> Jun  7 17:48:58 zviratko /usr/sbin/pcscd: Buffer length probably incorrect -- help!
> Jun  7 17:48:58 zviratko /System/Library/Security/tokend/OpenSC.tokend/Contents/MacOS/OpenSC: error writing cache file: /var/db/TokenCache/tokens/com.apple.tokend.opensc:OpenSC Card00007052FFFF0200/Cache/0-/SN=Schermer/GN=Jan/CN=Jan Schermer/emailAddress=[hidden email]/emailAddress=[hidden email]/emailAddress=[hidden email]/emailAddress=[hidden email]/emailAddress=[hidden email]/emailAddress=[hidden email]: No such file or directory\n
> Jun  7 17:49:01 zviratko /usr/sbin/pcscd: Buffer length probably incorrect -- help!
> Jun  7 17:49:01 zviratko /usr/sbin/pcscd: Buffer length probably incorrect -- help!
> Jun  7 17:49:01 zviratko /usr/sbin/pcscd: Buffer length probably incorrect -- help!
> Jun  7 17:49:01 zviratko /usr/sbin/pcscd: Buffer length probably incorrect -- help!
> Jun  7 17:49:09 zviratko crashdump[741]: SecurityAgent crashed
> Jun  7 17:49:09 zviratko crashdump[741]: crash report written to: /Library/Logs/CrashReporter/SecurityAgent.crash.log
> Jun  7 17:49:57 zviratko kernel[0]: (749: ps)tfp: failed on 0:
> Jun  7 17:49:57 zviratko kernel[0]: (749: ps)tfp: failed on 0:
> Jun  7 17:49:59 zviratko kernel[0]: (54: coreservicesd)tfp: failed on 0:
> Jun  7 17:49:59 zviratko kernel[0]: (54: coreservicesd)tfp: failed on 0:
> Jun  7 17:50:02 zviratko /System/Library/CoreServices/loginwindow.app/Contents/MacOS/loginwindow: Login Window Application Started
> Jun  7 17:50:03 zviratko kernel[0]: (54: coreservicesd)tfp: failed on 0:
> Jun  7 17:50:03 zviratko loginwindow[751]: Login Window Started Security Agent
> Jun  7 17:50:10 zviratko /usr/sbin/pcscd: Buffer length probably incorrect -- help!
> Jun  7 17:50:11 zviratko /usr/sbin/pcscd: Buffer length probably incorrect -- help!
> Jun  7 17:50:12 zviratko /usr/sbin/pcscd: Buffer length probably incorrect -- help!
> Jun  7 17:50:14 zviratko /usr/sbin/pcscd: Buffer length probably incorrect -- help!
> ...
>
> Loginwindow and securityagent both crash when I try to login,
> (crashdump attached)
Hi Jan,

I think that /tmp/opensc_tokend.log will help us more than the
crashdump. BTW, as you work with a cryptoflex, did you use a 1024 or a
2048 bits key? I'm not sure that Tokend support actually the 2048 bits
key :-(

Best Regards,

Jean-Pierre

>
> I'll try making a one-mail cert  later (after work :)
>
> Thanks
> Jan
>
>
>
> On 7.6.2006, at 17:38, Jean-Pierre Szikora wrote:
>
> Jan Schermer wrote:
>> Hi,
>> great news, thanks!
>>
>> I just tested it and it sort-of-works, but not completely:
>>
>> 1) keychain shows OpenSC card and all items (thawte cert. chain + my
>> cert + my private key)
> Hi Jan,
>
> Good...
>>
>> 2) mail refuses to sign except for the first mail address in the
>> certificate (if I import it into the sw keychain it works) (P.S.
>> actually it now allows me to choose to sign this mail, BUT reports
>> "Error MFMessageErrorDomain 1035" when I try to send it (after
>> entering PIN))
> As I can see below, you have a Thawte cert with multiple email addresses
> on it, right? Can you make first tests with something simpler like one
> email on a cert :-) I tried with a thawte cert on a cryptoflex/e-gate
> without problem.
>>
>> 3) sc_auth doesn't work (probably because of the cert. chain i have
>> on the card), here's excerpt from the logs (I was running "sc_auth
>> hash" and it does this for every cert on the card):
>>
>> Jun  7 15:26:46 zviratko /usr/sbin/pcscd: Buffer length probably incorrect -- help!
>> Jun  7 15:26:46 zviratko /usr/sbin/pcscd: Buffer length probably incorrect -- help!
>> Jun  7 15:26:46 zviratko /System/Library/Security/tokend/OpenSC.tokend/Contents/MacOS/OpenSC: error writing cache file: /var/db/TokenCache/tokens/com.apple.tokend.opensc:OpenSC Card00007052FFFF0200/Cache/0-/SN=Schermer/GN=Jan/CN=Jan Schermer/emailAddress=[hidden email]/emailAddress=[hidden email]/emailAddress=jan.scherm[hidden email]/emailAddress=[hidden email]/emailAddress=zviratko@zviratko.eu/emailAddress=[hidden email]: No such file or directory\n
>> Jun  7 15:26:46 zviratko /usr/sbin/pcscd: Buffer length probably incorrect -- help!
>>
>> When I create the directory structure by hand, it creates the file
>> and seems to store the cache (look like the same .eid/cache I got on
>> linux), however, sc_auth hash doesn't return any hashes from the card
>> in the end.
> I submitted few hours ago a bug report to apple concerning this....
> You can edit /usr/sbin/sc_auth (it's a bash script) and replace near
> line 70, the 0x00000001 by 0x01000000 and 0x00000006 by
> 0x06000000 ...
>
> Best Regards,
>
> Jean-Pierre
>>
>> Tell me if you need something more
>>
>> Looking forward to the next version :)
>> Thanks
>> Jan
>>
>>
>> On 7.6.2006, at 14:31, Jean-Pierre Szikora wrote:
>>
>> Jan Schermer wrote:
>>>
>>> It looks like there should be docs to building i386 Tokend "on the
>>> Darwin site" - according to apple (
>>> http://lists.apple.com/archives/Apple-cdsa/2006/Jun/msg00003.html ).
>>> I tried looking for the docs but I have little clue what "the Darwin
>>> site is", hope you know... could you take a look and maybe give me
>>> some hope? :)
>>>
>>



Re: Tokend on Mac OS X (Intel)

Jan Schermer
Hi,
yes, I have e-gate + cryptoflex 32k, and yes - I do have a 2048bit  
RSA key (that's the reason why I switched from ikey3k in the first  
place :(( )

Tokend apparently sees the key - it's just not able to use it? Is  
there another way to test it? (I'm not that experienced with keychain  
and such).

The log file is attached (still 2048bit RSA, 5-or-so-mail cert)

Regards
Jan



On 7.6.2006, at 21:41, JP Szikora wrote:

Jan Schermer wrote:

> Hi,
> sc_auth now works, but I still can't login with the smartcard:
>
> ...
> Jun  7 17:48:58 zviratko /usr/sbin/pcscd: Buffer length probably incorrect -- help!
> Jun  7 17:48:58 zviratko /System/Library/Security/tokend/OpenSC.tokend/Contents/MacOS/OpenSC: error writing cache file: /var/db/TokenCache/tokens/com.apple.tokend.opensc:OpenSC Card00007052FFFF0200/Cache/0-/SN=Schermer/GN=Jan/CN=Jan Schermer/emailAddress=[hidden email]/emailAddress=[hidden email]/emailAddress=[hidden email]/emailAddress=[hidden email]/emailAddress=[hidden email]/emailAddress=[hidden email]: No such file or directory\n
> Jun  7 17:49:01 zviratko /usr/sbin/pcscd: Buffer length probably incorrect -- help!
> Jun  7 17:49:01 zviratko /usr/sbin/pcscd: Buffer length probably incorrect -- help!
> Jun  7 17:49:01 zviratko /usr/sbin/pcscd: Buffer length probably incorrect -- help!
> Jun  7 17:49:01 zviratko /usr/sbin/pcscd: Buffer length probably incorrect -- help!
> Jun  7 17:49:09 zviratko crashdump[741]: SecurityAgent crashed
> Jun  7 17:49:09 zviratko crashdump[741]: crash report written to: /Library/Logs/CrashReporter/SecurityAgent.crash.log
> Jun  7 17:49:57 zviratko kernel[0]: (749: ps)tfp: failed on 0:
> Jun  7 17:49:57 zviratko kernel[0]: (749: ps)tfp: failed on 0:
> Jun  7 17:49:59 zviratko kernel[0]: (54: coreservicesd)tfp: failed on 0:
> Jun  7 17:49:59 zviratko kernel[0]: (54: coreservicesd)tfp: failed on 0:
> Jun  7 17:50:02 zviratko /System/Library/CoreServices/loginwindow.app/Contents/MacOS/loginwindow: Login Window Application Started
> Jun  7 17:50:03 zviratko kernel[0]: (54: coreservicesd)tfp: failed on 0:
> Jun  7 17:50:03 zviratko loginwindow[751]: Login Window Started Security Agent
> Jun  7 17:50:10 zviratko /usr/sbin/pcscd: Buffer length probably incorrect -- help!
> Jun  7 17:50:11 zviratko /usr/sbin/pcscd: Buffer length probably incorrect -- help!
> Jun  7 17:50:12 zviratko /usr/sbin/pcscd: Buffer length probably incorrect -- help!
> Jun  7 17:50:14 zviratko /usr/sbin/pcscd: Buffer length probably incorrect -- help!
> ...
>
> Loginwindow and securityagent both crash when I try to login,  
> (crashdump attached)
Hi Jan,

I think that /tmp/opensc_tokend.log will help us more than the  
crashdump. BTW, as you work with a cryptoflex, did you use a 1024 or  
a 2048 bits key? I'm not sure that Tokend support actually the 2048  
bits key :-(

Best Regards,

Jean-Pierre

>
> I'll try making a one-mail cert  later (after work :)
>
> Thanks
> Jan
>
>
>
> On 7.6.2006, at 17:38, Jean-Pierre Szikora wrote:
>
> Jan Schermer wrote:
>> Hi,
>> great news, thanks!
>>
>> I just tested it and it sort-of-works, but not completely:
>>
>> 1) keychain shows OpenSC card and all items (thawte cert. chain +  
>> my cert + my private key)
> Hi Jan,
>
> Good...
>>
>> 2) mail refuses to sign except for the first mail address in the  
>> certificate (if I import it into the sw keychain it works) (P.S.  
>> actually it now allows me to choose to sign this mail, BUT reports  
>> "Error MFMessageErrorDomain 1035" when I try to send it (after  
>> entering PIN))
> As I can see below, you have a Thawte cert with multiple email  
> addresses on it, right? Can you make first tests with something
> simpler like one email on a cert :-) I tried with a thawte cert on  
> a cryptoflex/e-gate without problem.
>>
>> 3) sc_auth doesn't work (probably because of the cert. chain i  
>> have on the card), here's excerpt from the logs (I was running  
>> "sc_auth hash" and it does this for every cert on the card):
>>
>> Jun  7 15:26:46 zviratko /usr/sbin/pcscd: Buffer length probably incorrect -- help!
>> Jun  7 15:26:46 zviratko /usr/sbin/pcscd: Buffer length probably incorrect -- help!
>> Jun  7 15:26:46 zviratko /System/Library/Security/tokend/OpenSC.tokend/Contents/MacOS/OpenSC: error writing cache file: /var/db/TokenCache/tokens/com.apple.tokend.opensc:OpenSC Card00007052FFFF0200/Cache/0-/SN=Schermer/GN=Jan/CN=Jan Schermer/emailAddress=[hidden email]/emailAddress=[hidden email]/emailAddress=jan.scherm[hidden email]/emailAddress=[hidden email]/emailAddress=zviratko@zviratko.eu/emailAddress=[hidden email]: No such file or directory\n
>> Jun  7 15:26:46 zviratko /usr/sbin/pcscd: Buffer length probably incorrect -- help!
>>
>> When I create the directory structure by hand, it creates the file  
>> and seems to store the cache (look like the same .eid/cache I got  
>> on linux), however, sc_auth hash doesn't return any hashes from  
>> the card in the end.
> I submitted few hours ago a bug report to apple concerning this....  
> You can edit /usr/sbin/sc_auth (it's a bash script) and replace  
> near line 70, the 0x00000001 by 0x01000000 and 0x00000006 by
> 0x06000000 ...
>
> Best Regards,
>
> Jean-Pierre
>>
>> Tell me if you need something more
>>
>> Looking forward to the next version :)
>> Thanks
>> Jan
>>
>>
>> On 7.6.2006, at 14:31, Jean-Pierre Szikora wrote:
>>
>> Jan Schermer wrote:
>>>
>>> It looks like there should be docs to building i386 Tokend "on
>>> the Darwin site" - according to apple (
>>> http://lists.apple.com/archives/Apple-cdsa/2006/Jun/msg00003.html ).
>>> I tried looking for the docs but I have little clue what "the  
>>> Darwin site is", hope you know... could you take a look and maybe  
>>> give me some hope? :)
>>>
>>



Re: Tokend on Mac OS X (Intel)

JP Szikora
Jan Schermer wrote:

> Hi,
> yes, I have e-gate + cryptoflex 32k, and yes - I do have a 2048bit RSA
> key (that's the reason why I switched from ikey3k in the first place
> :(( )
>
> Tokend apparently sees the key - it's just not able to use it? Is
> there another way to test it? (I'm not that experienced with keychain
> and such).
>
> The log file is attached (still 2048bit RSA, 5-or-so-mail cert)
>
>
Hi Jan,

Looking in your log, the problem is at the signature with the 2048bits
key. Actually, OpenSC.Tokend does not work with 2048bits key. We need to
check our code to try to solve this.

To test, you can always do a: /Library/OpenSC/bin/pkcs11-tool -l -t
(this is not really a Tokend test, but more an opensc one...) It will be
interesting if you can test a multi-email cert but with a 1024 bits key.
 
Cheers,

Jean-Pierre


Re: Tokend on Mac OS X (Intel)

Jan Schermer
Hi,

test returns:
C_SeedRandom() and C_GenerateRandom():
   not implemented
Digests:
   all 4 digest functions seem to work
   MD5: OK
   SHA-1: OK
   RIPEMD160: OK
Signatures (currently only RSA signatures)
   testing key 0 (Private Key)
   all 4 signature functions seem to work
   testing signature mechanisms:
     RSA-X-509: OK
     RSA-PKCS: OK
     SHA1-RSA-PKCS: OK
     MD5-RSA-PKCS: OK
     RIPEMD160-RSA-PKCS: OK
Verify (currently only for RSA):
   testing key 0 (Private Key)
     RSA-X-509: OK
     RSA-PKCS: OK
     SHA1-RSA-PKCS: OK
     MD5-RSA-PKCS: OK
     RIPEMD160-RSA-PKCS: OK
Key unwrap (RSA)
   testing key 0 (Private Key)
     DES-CBC: OK
     DES-EDE3-CBC: OK
     BF-CBC: OK
     CAST5-CFB: OK
Decryption (RSA)
   testing key 0 (Private Key)
     RSA-X-509: OK
     RSA-PKCS: OK
Testing card detection
Please press return to continue, x to exit:
Available slots:
Slot 0           E-Gate 0 0
   token label:   OpenSC Card (Zviratko)
   token manuf:   OpenSC Project
   token model:   PKCS #15 SCard
   token flags:   rng, login required, PIN initialized, token initialized
   serial num  :  00007052FFFF0200

  - Still with 2048bit RSA and multimail cert.

I'm really gonna generate a 1024bit one...

Why does Tokend actually care about the key length? It just gets the  
signature and the signature is the same, isn't it?

Will let you know :)

Thanks
Jan

On 8.6.2006, at 10:47, Jean-Pierre Szikora wrote:

Jan Schermer wrote:

> Hi,
> yes, I have e-gate + cryptoflex 32k, and yes - I do have a 2048bit  
> RSA key (that's the reason why I switched from ikey3k in the first  
> place :(( )
>
> Tokend apparently sees the key - it's just not able to use it? Is  
> there another way to test it? (I'm not that experienced with  
> keychain and such).
>
> The log file is attached (still 2048bit RSA, 5-or-so-mail cert)
>
>
Hi Jan,

Looking in your log, the problem is at the signature with the  
2048bits key. Actually, OpenSC.Tokend does not work with 2048bits  
key. We need to check our code to try to solve this.

To test, you can always do a: /Library/OpenSC/bin/pkcs11-tool -l -t  
(this is not really a Tokend test, but more an opensc one...) It will  
be interesting if you can test a multi-email cert but with a 1024  
bits key.
Cheers,

Jean-Pierre


Re: Tokend on Mac OS X (Intel)

Jan Schermer
Hi,
so - when using a 1024bit RSA key in a cert with about 10 mail  
addresses in it :) everything works. The only thing I now miss is  
object manipulation via keychain - but it's quite usable already. Is  
object manipulation in todo?

Thanks!

Jan

On 8.6.2006, at 11:05, Jan Schermer wrote:

Hi,

test returns:
C_SeedRandom() and C_GenerateRandom():
   not implemented
Digests:
   all 4 digest functions seem to work
   MD5: OK
   SHA-1: OK
   RIPEMD160: OK
Signatures (currently only RSA signatures)
   testing key 0 (Private Key)
   all 4 signature functions seem to work
   testing signature mechanisms:
     RSA-X-509: OK
     RSA-PKCS: OK
     SHA1-RSA-PKCS: OK
     MD5-RSA-PKCS: OK
     RIPEMD160-RSA-PKCS: OK
Verify (currently only for RSA):
   testing key 0 (Private Key)
     RSA-X-509: OK
     RSA-PKCS: OK
     SHA1-RSA-PKCS: OK
     MD5-RSA-PKCS: OK
     RIPEMD160-RSA-PKCS: OK
Key unwrap (RSA)
   testing key 0 (Private Key)
     DES-CBC: OK
     DES-EDE3-CBC: OK
     BF-CBC: OK
     CAST5-CFB: OK
Decryption (RSA)
   testing key 0 (Private Key)
     RSA-X-509: OK
     RSA-PKCS: OK
Testing card detection
Please press return to continue, x to exit:
Available slots:
Slot 0           E-Gate 0 0
   token label:   OpenSC Card (Zviratko)
   token manuf:   OpenSC Project
   token model:   PKCS #15 SCard
   token flags:   rng, login required, PIN initialized, token initialized
   serial num  :  00007052FFFF0200

  - Still with 2048bit RSA and multimail cert.

I'm really gonna generate a 1024bit one...

Why does Tokend actually care about the key length? It just gets the  
signature and the signature is the same, isn't it?

Will let you know :)

Thanks
Jan

On 8.6.2006, at 10:47, Jean-Pierre Szikora wrote:

Jan Schermer wrote:

> Hi,
> yes, I have e-gate + cryptoflex 32k, and yes - I do have a 2048bit  
> RSA key (that's the reason why I switched from ikey3k in the first  
> place :(( )
>
> Tokend apparently sees the key - it's just not able to use it? Is  
> there another way to test it? (I'm not that experienced with  
> keychain and such).
>
> The log file is attached (still 2048bit RSA, 5-or-so-mail cert)
>
>
Hi Jan,

Looking in your log, the problem is at the signature with the
2048-bit key. Actually, OpenSC.Tokend does not work with 2048-bit
keys. We need to check our code to try to solve this.

To test, you can always do a: /Library/OpenSC/bin/pkcs11-tool -l -t
(this is not really a Tokend test, but more an opensc one...) It will
be interesting if you can test a multi-email cert but with a 1024-bit
key.
Cheers,

Jean-Pierre

Re: Tokend on Mac OS X (Intel)

JP Szikora
Jan Schermer wrote:
> Hi,
> so - when using a 1024bit RSA key in a cert with about 10 mail
> addresses in it :) everything works. The only thing I now miss is
> object manipulation via keychain - but it's quite usable already. Is
> object manipulation in todo?
Hi Jan,

There are some limitations with Tokend... but not always in our code.
For the 2048-bit key support, OpenSC.Tokend is based on BELPIC.Tokend
source, which uses a 1024-bit key. At first look, it is not an easy task
to bypass this. That will take some time.

Cheers,

Jean-Pierre
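
On the question raised earlier in the thread (why key length matters if the card just returns a signature): an RSA signature, and the PKCS#1 v1.5 block that is padded before the private-key operation, is exactly as long as the modulus, so 128 bytes for a 1024-bit key and 256 bytes for a 2048-bit key. The sketch below is an added example, not part of the thread and not OpenSC.Tokend or BELPIC.Tokend code; `legacy_prepare` and its 128-byte buffer are hypothetical and only illustrate how code written around 1024-bit keys can reject larger ones, without claiming that this is where the Tokend limitation lies.

```c
#include <stddef.h>
#include <string.h>

/* DER DigestInfo header for SHA-1; the 20-byte digest follows it. */
static const unsigned char SHA1_DI[15] = {
    0x30, 0x21, 0x30, 0x09, 0x06, 0x05, 0x2b, 0x0e,
    0x03, 0x02, 0x1a, 0x05, 0x00, 0x04, 0x14
};

/* A signature, and the padded block fed to the key, is as long as the modulus. */
size_t rsa_block_len(unsigned key_bits) { return (key_bits + 7) / 8; }

/*
 * EMSA-PKCS1-v1_5 encoding as used by the SHA1-RSA-PKCS mechanism:
 *   00 01 FF..FF 00 || DigestInfo(SHA-1, digest), exactly rsa_block_len() bytes.
 * Returns the block length, -1 if the key is too short for the encoding,
 * -2 if the caller's buffer cannot hold a block for this key size.
 */
int pkcs1_v15_encode_sha1(const unsigned char digest[20], unsigned key_bits,
                          unsigned char *out, size_t out_cap)
{
    size_t k = rsa_block_len(key_bits);
    size_t t_len = sizeof(SHA1_DI) + 20;
    size_t ps_len;

    if (k < t_len + 11)          /* needs 00 01, at least 8 FF bytes, 00 */
        return -1;
    if (out_cap < k)
        return -2;
    ps_len = k - t_len - 3;
    out[0] = 0x00;
    out[1] = 0x01;
    memset(out + 2, 0xFF, ps_len);
    out[2 + ps_len] = 0x00;
    memcpy(out + 3 + ps_len, SHA1_DI, sizeof(SHA1_DI));
    memcpy(out + 3 + ps_len + sizeof(SHA1_DI), digest, 20);
    return (int)k;
}

/* Hypothetical caller whose buffer was sized for 1024-bit keys only. */
#define LEGACY_BLOCK_BYTES 128
int legacy_prepare(const unsigned char digest[20], unsigned key_bits)
{
    unsigned char block[LEGACY_BLOCK_BYTES];
    return pkcs1_v15_encode_sha1(digest, key_bits, block, sizeof(block));
}
```

Sizing buffers from the key's modulus length rather than from a constant is what lets the same code path serve both key sizes.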


opensc-0.11.1 build on OS X

Dan Grassi
Hi,

I just built opensc-0.11.1 on OS X but had two problems, and work-arounds might well be added to the wiki page <http://www.opensc-project.org/opensc/wiki/CompilingInstalling>.  They were:

1) libtoolize is not part of OS X but glibtoolize is, I sym linked libtoolize to glibtoolize.
ln -s /bin/libtoolize /bin/glibtoolize

2) link errors for ltdl function such as lt_dlopen.  Not understanding the make file creation process I added -lltdl to the OPENSSL_LIBS environment:
export OPENSSL_LIBS="-L/usr/lib -lcrypto -lltdl"

OK, these probably are not the best fixes and I'm sure that some of you can come up with better fixes.

Dan

Re: opensc-0.11.1 build on OS X

JP Szikora
Dan Grassi wrote:

> Hi,
>
> I just built opensc-0.11.1 on OS X but had two problems and
> work-arounds might well be added to the wiki page
> <http://www.opensc-project.org/opensc/wiki/CompilingInstalling>.  They
> were:
>
> 1) libtoolize is not part of OS X but glibtoolize is, I sym
> linked libtoolize to glibtoolize.
> ln -s /bin/libtoolize /bin/glibtoolize
>
> 2) link errors for ltdl function such as lt_dlopen.  Not understanding
> the make file creation process I added -lltdl to the OPENSSL_LIBS
> environment:
> export OPENSSL_LIBS="-L/usr/lib -lcrypto -lltdl"
>
Hi Dan,

That wiki page is outdated for the MacOSX part and was a remnant of the
pre-SCA era :-). Thanks for reminding us that we need to fix it ;-) If you
just want the last OpenSC 0.11.1 installed on your MacOSX, the easiest
is to install the last experimental release available at
http://www.opensc-project.org/files/sca/experimental and some
explanation for it is available at http://www.opensc-project.org/sca .

If you prefer to compile the whole lot yourself, the best place to
start is to read http://www.opensc-project.org/sca/file/trunk/howto.

Best Regards,

Jean-Pierre

> OK, these probably are not the best fixes and I'm sure that some of
> you can come up with better fixes.
>
> Dan


--
Dr Jean-Pierre Szikora                   e-mail: [hidden email]
                                            tel: 32-2-764.75.00
74, av. Hippocrate - UCL 7459               fax: 32-2-764.65.65
1200 Brussels - Belgium                 PGP key: 0x6FCD7405

Re: opensc-0.11.1 build on OS X

Andreas Jellinghaus-2
On Monday, 12 June 2006 18:52, Dan Grassi wrote:
> Hi,
>
> I just built opensc-0.11.1 on OS X but had two problems and
> work-arounds might well be added to the wiki page
> <http://www.opensc-project.org/opensc/wiki/CompilingInstalling>.  They were:
>
> 1) libtoolize is not part of OS X but glibtoolize is, I sym linked
> libtoolize to glibtoolize.
> ln -s /bin/libtoolize /bin/glibtoolize

why did you need it? if you check out the raw source from svn, yes
then you do. but if you use the tar file opensc-0.11.1.tar.gz you
should be fine without (no need to run the bootstrap script...).

> 2) link errors for ltdl function such as lt_dlopen.  Not
> understanding the make file creation process I added -lltdl to the
> OPENSSL_LIBS environment:
> export OPENSSL_LIBS="-L/usr/lib -lcrypto -lltdl"

could you post a more detailed bug report? maybe try compiling
once more without that export line, and cut&paste? it looks to me
like a makefile bug, we need to add $(LIBLTDL) somewhere, but
I need to know where.

in case you build from svn source and/or have autotools installed:
if you find out where the compiling doesn't work, can you edit
the Makefile.am to add $(LIBLTDL) to whatever_LIBADD or AM_LDFLAGS
and see if that solves the problem?

thanks for helping us narrow down the problem!

Regards, Andreas
Re: opensc-0.11.1 build on OS X

Dan Grassi

On Jun 12, 2006, at 4:44 PM, Andreas Jellinghaus wrote:

> could you post a more detailed bug report? maybe try compiling
> once more without that export line, and cut&paste?


The source came from:
<http://www.opensc-project.org/files/opensc/opensc-0.11.1.tar.gz>

Here is the error report without the -lltdl export:


--- begin ---
source='pkcs11-tool.c' object='pkcs11-tool.o' libtool=no \
depfile='.deps/pkcs11-tool.Po' tmpdepfile='.deps/pkcs11-tool.TPo' \
depmode=gcc3 /bin/sh ../../depcomp \
gcc -DHAVE_CONFIG_H -I. -I. -I../..   -I../../src/include   -Wall -fno-strict-aliasing -g -O2 -no-cpp-precomp  -c `test -f 'pkcs11-tool.c' || echo './'`pkcs11-tool.c

pkcs11-tool.c: In function 'read_object':
pkcs11-tool.c:1805: warning: 'len' may be used uninitialized in this function
/bin/sh ../../libtool --mode=link gcc  -Wall -fno-strict-aliasing -g -O2 -no-cpp-precomp  ../../src/libopensc/libopensc.la  -o pkcs11-tool  pkcs11-tool.o util.o ../pkcs11/libpkcs11.la -L/usr/lib -lcrypto  -Wl,-framework,CoreFoundation -lz

gcc -Wall -fno-strict-aliasing -g -O2 -no-cpp-precomp -o .libs/pkcs11-tool pkcs11-tool.o util.o -Wl,-framework -Wl,CoreFoundation  ../../src/libopensc/.libs/libopensc.2.0.0.dylib /Volumes/UserRAID/Users/dgrassi/Desktop/Test/opensc-0.11.1/src/scconf/.libs/libscconf.2.0.0.dylib -L/usr/lib ../pkcs11/.libs/libpkcs11.a -lcrypto -lz

/usr/bin/ld: Undefined symbols:
_lt_dlclose
_lt_dlinit
_lt_dlopen
_lt_dlsym
--- end ---


Dan Grassi
