mozilla/firefox and pam

mozilla/firefox and pam

Dominik Fischer
Hi!
I've run into a problem while using opensc with mozilla and pam. Since mozilla locks the smartcard, other applications using pkcs11 get blocked. In my situation xscreensaver (with pam_opensc) locks the screen and never gets unlocked.

In opensc.conf there's a switch "lock_login". If I set this to false, I get an error (as far as I remember it was number "-12222") when I load an SSL-secured page, but I can unlock xscreensaver.

Currently I'm using opensc-0.9.6. Does anyone know how I could solve this problem? Is there a related change in the trunk version?

Kind regards,
Dominik Fischer
_______________________________________________
opensc-devel mailing list
[hidden email]
http://www.opensc.org/cgi-bin/mailman/listinfo/opensc-devel

Re: mozilla/firefox and pam

Ludovic Rousseau
Hello,

On 25/08/05, Dominik Fischer <[hidden email]> wrote:
> I've run into a problem while using opensc with mozilla and pam. Since
> mozilla locks the smartcard other applications using pkcs11 get blocked.
> In my situation xscreensaver (with pam_opensc) locks the screen and never
> gets unlocked.

I have also seen this problem. But I have not yet worked on it.
Does anybody have a good idea to solve this?

Bye,

--
 Dr. Ludovic Rousseau
 For private mail use [hidden email] and not "big brother" Google

Re: mozilla/firefox and pam

Nils Larsch
In reply to this post by Dominik Fischer
Dominik Fischer wrote:

> Hi!
> I've run into a problem while using opensc with mozilla and pam. Since
> mozilla locks the smartcard other applications using pkcs11 get blocked.
> In my situation xscreensaver (with pam_opensc) locks the screen and never
> gets unlocked.
>
> In opensc.conf there's a switch "lock_login". If I set this to false,
> I get an error (as far as I remember it was number "-12222") when I load
> a ssl secured page, but I can unlock xscreensaver.

afaik -12222 means that the pkcs11 was unable to create a
signature. Could you send me the opensc debug log, perhaps it
contains a more precise description of what went wrong.

Nils

Re: mozilla/firefox and pam

Dominik Fischer
Here it comes...

On 26.8.2005, "Nils Larsch" <[hidden email]> wrote:

>Dominik Fischer wrote:
>> Hi!
>> I've run into a problem while using opensc with mozilla and pam. Since
>> mozilla locks the smartcard other applications using pkcs11 get blocked.
>> In my situation xscreensaver (with pam_opensc) locks the screen and never
>> gets unlocked.
>>
>> In opensc.conf there's a switch "lock_login". If I set this to false,
>> I get an error (as far as I remember it was number "-12222") when I load
>> a ssl secured page, but I can unlock xscreensaver.
>
>afaik -12222 means that the pkcs11 was unable to create a
>signature. Could you send me the opensc debug log, perhaps it
>contains a more precise description of what went wrong.
>
>Nils
>

Attachment: opensc-debug.log (60K)

Re: mozilla/firefox and pam

Nils Larsch
In reply to this post by Dominik Fischer
...

> 00 A4 00 0C 02 50 15 .....P.
> card.c:249:sc_transmit_apdu: Received 0 bytes (SW1=90 SW2=00)
> card-starcos.c:386:starcos_select_fid: returning with: 0
> card.c:713:sc_select_file: returning with: 0
> framework-pkcs15.c:1770:pkcs15_prkey_sign: Selected flags 12. Now computing signature for 36 bytes. 128 bytes reserved.
> pkcs15-sec.c:162:sc_pkcs15_compute_signature: called
> sec.c:63:sc_set_security_env: called
> card.c:229:sc_transmit_apdu: called
> card.c:196:sc_transceive: Sending 11 bytes (resp. 2 bytes):
> 00 22 41 A4 06 84 01 84 80 01 01 ."A........
> card.c:249:sc_transmit_apdu: Received 0 bytes (SW1=69 SW2=82)
> card-starcos.c:1324:starcos_check_sw: sw1 = 0x69, sw2 = 0x82
> framework-pkcs15.c:2202:revalidate_pin: revalidate_pin called
> card.c:488:sc_unlock: called
> card.c:493:sc_unlock: Calling card logout function

that seems to be the interesting part: MSE fails as the security
condition isn't satisfied and pin revalidation fails. Is the
"cache_pins" set to true in the opensc.conf?

Nils
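
Added example, not part of the original thread and not OpenSC code: a small parser that pairs each command APDU in an OpenSC debug log with its status word and reports the failing command, reproducing the reading above (MANAGE SECURITY ENVIRONMENT answered with 69 82). The function names `parse_exchanges` and `failed_commands` are hypothetical, and the sample input is a subset of the log lines quoted in this message.

```python
import re

# Constructed sample: log lines copied from the excerpt quoted above ("> " removed).
SAMPLE_LOG = """\
00 A4 00 0C 02 50 15 .....P.
card.c:249:sc_transmit_apdu: Received 0 bytes (SW1=90 SW2=00)
card-starcos.c:386:starcos_select_fid: returning with: 0
card.c:196:sc_transceive: Sending 11 bytes (resp. 2 bytes):
00 22 41 A4 06 84 01 84 80 01 01 ."A........
card.c:249:sc_transmit_apdu: Received 0 bytes (SW1=69 SW2=82)
card-starcos.c:1324:starcos_check_sw: sw1 = 0x69, sw2 = 0x82
framework-pkcs15.c:2202:revalidate_pin: revalidate_pin called
"""

# ISO 7816-4 instruction bytes and status words that occur in the excerpt.
INS_NAMES = {0xA4: "SELECT", 0x22: "MANAGE SECURITY ENVIRONMENT"}
SW_NAMES = {0x9000: "success", 0x6982: "security status not satisfied"}

SENDING = re.compile(r"Sending (\d+) bytes")
HEX_DUMP = re.compile(r"^([0-9A-Fa-f]{2}(?: [0-9A-Fa-f]{2})*)(?: |$)")
STATUS = re.compile(r"SW1=([0-9A-Fa-f]{2}) SW2=([0-9A-Fa-f]{2})")

def parse_exchanges(log_text):
    """Return [(command_apdu_bytes, status_word)] in log order."""
    exchanges, apdu, expected = [], None, None
    for raw in log_text.splitlines():
        line = raw.lstrip("> ").rstrip()      # tolerate mail quote prefixes
        if m := SENDING.search(line):         # announces the command length
            apdu, expected = None, int(m.group(1))
        elif m := HEX_DUMP.match(line):       # dump line: hex bytes, then ASCII column
            apdu = (apdu or b"") + bytes.fromhex(m.group(1))
        elif (m := STATUS.search(line)) and apdu is not None:
            # The announced length trims any ASCII column text that looked like hex.
            exchanges.append((apdu[:expected], int(m.group(1) + m.group(2), 16)))
            apdu, expected = None, None
    return exchanges

def failed_commands(exchanges):
    """Name every command whose status word is neither 9000 nor 61xx."""
    out = []
    for apdu, sw in exchanges:
        if sw != 0x9000 and sw >> 8 != 0x61:
            ins = apdu[1] if len(apdu) > 1 else None
            out.append((INS_NAMES.get(ins, "INS %s" % ins), "%04X" % sw,
                        SW_NAMES.get(sw, "unknown")))
    return out

if __name__ == "__main__":
    for name, sw, meaning in failed_commands(parse_exchanges(SAMPLE_LOG)):
        print(f"{name} failed: SW={sw} ({meaning})")
```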

Re: mozilla/firefox and pam

Dominik Fischer
On Friday, 26.08.2005, 17:50 +0200, Nils Larsch wrote:
> > framework-pkcs15.c:2202:revalidate_pin: revalidate_pin called
> > card.c:488:sc_unlock: called
> > card.c:493:sc_unlock: Calling card logout function
>
> that seems to be the interesting part: MSE fails as the security
> condition isn't satisfied and pin revalidation fails. Is the
> "cache_pins" set to true in the opensc.conf ?

"cache_pins = true" fixes (or works around?) that error. In the
meantime I figured this out by accident :-)

My next problem to solve is: personalisation of a card through our PKI.
Then we are ready to bury the proprietary PKCS#11-lib we have in use
today. I will try some things out and make a new thread on this.

Thanks!

Regards
Dominik Fischer

