opensc-pkcs11.so should not handle card (SuisseID)

Markus Wernig
Hi all

I have a strange problem with opensc-pkcs11.so, Mozilla (ff and tb) and
the SuisseID card by the Swiss Post:

The card has a custom ATR and card operations should be handled by a
special pkcs#11 library shipped with the card (libcvP11.so from
CryptoVision).

Calling opensc-tool from the command line seems to indicate that it does
not recognize the card (which is inserted):

# opensc-tool -i -a -n -l
opensc 0.11.13 [gcc  4.4.3]
Enabled features: zlib readline iconv openssl openct
pcsc(/usr/lib/libpcsclite.so.1)
Readers known about:
Nr.    Driver     Name
0      openct     OpenCT reader (detached)
1      openct     OpenCT reader (detached)
2      pcsc       ACS ACR 38U-CCID 00 00
Using reader with a card: ACS ACR 38U-CCID 00 00
3b:fa:18:00:02:c1:0a:31:fe:58:4b:53:77:69:73:73:53:69:67:6e:89
Unidentified card

# pkcs11-tool -t
C_SeedRandom() and C_GenerateRandom():
error: PKCS11 function C_OpenSession failed: rv = CKR_TOKEN_NOT_PRESENT
(0xe0)

Aborting.

But in both Mozilla programs, where I have a "Security Device"
associated with each pkcs#11 library (opensc-pkcs11.so and libcvP11.so),
the card shows up under the device handled by opensc-pkcs11.so, and it
doesn't work (PIN gets asked, and login seems successful when using the
"Log in" button in the device manager. But as soon as a key is needed
from the token (e.g. when authenticating to a web site), the PIN gets
asked again, and this time login never succeeds, PIN gets asked in
continuation, without any activity showing in the log of the status LED
of the token).

Running pcscd in the foreground shows this:

Insert card:

07404765 hotplug_libhal.c:320:get_driver() Looking a driver for VID:
0x072F, PID: 0x90CC
00000022 hotplug_libhal.c:368:HPAddDevice() Adding USB device:
usb_device_72f_90cc_noserial_if0
01001996 readerfactory.c:980:RFInitializeReader() Attempting startup of
ACS ACR 38U-CCID 00 00 using
/usr/lib/readers/usb/ifd-ccid.bundle/Contents/Linux/libccid.so

00000516 readerfactory.c:849:RFBindFunctions() Loading IFD Handler 3.0
00000089 ifdhandler.c:1715:init_driver() Driver version: 1.3.13
00000714 ifdhandler.c:1728:init_driver() LogLevel: 0x0003
00000577 ifdhandler.c:1748:init_driver() DriverOptions: 0x0000
00000024 ifdhandler.c:82:IFDHCreateChannelByName() lun: 0, device:
usb:072f/90cc:libhal:/org/freedesktop/Hal/devices/usb_device_72f_90cc_noserial_if0

00129648 ccid_usb.c:284:OpenUSBByName() Manufacturer: Ludovic Rousseau
([hidden email])
00000631 ccid_usb.c:294:OpenUSBByName() ProductString: Generic CCID driver
00000583 ccid_usb.c:300:OpenUSBByName() Copyright: This driver is
protected by terms of the GNU Lesser General Public License version 2.1,
or (at your option) any later version.
00038025 ccid_usb.c:514:OpenUSBByName() Found Vendor/Product: 072F/90CC
(ACS ACR 38U-CCID)
00000011 ccid_usb.c:516:OpenUSBByName() Using USB bus/device: 007/003
00002373 ccid_usb.c:922:get_data_rates() IFD does not support
GET_DATA_RATES request: No error
00014985 ifdhandler.c:395:IFDHGetCapabilities() tag: 0xFB0,
usb:072f/90cc:libhal:/org/freedesktop/Hal/devices/usb_device_72f_90cc_noserial_if0
(lun: 0)
00000020 readerfactory.c:273:RFAddReader() Using the pcscd polling thread
00002011 ifdhandler.c:395:IFDHGetCapabilities() tag: 0xFAE,
usb:072f/90cc:libhal:/org/freedesktop/Hal/devices/usb_device_72f_90cc_noserial_if0
(lun: 0)
00000010 ifdhandler.c:483:IFDHGetCapabilities() Reader supports 1 slot(s)
00003957 ifdhandler.c:1135:IFDHPowerICC() action: PowerUp,
usb:072f/90cc:libhal:/org/freedesktop/Hal/devices/usb_device_72f_90cc_noserial_if0
(lun: 0)
00199067 Card ATR: 3B FA 18 00 02 C1 0A 31 FE 58 4B 53 77 69 73 73 53 69
67 6E 89


Now I'm not sure if this is a Mozilla or opensc problem. Does anybody
have an idea how I could find out where the problem is?

Thx /markus
_______________________________________________
opensc-user mailing list
[hidden email]
http://www.opensc-project.org/mailman/listinfo/opensc-user

Re: opensc-pkcs11.so should not handle card (SuisseID)

Ludovic Rousseau
2010/8/23 Markus Wernig <[hidden email]>:
> Hi all

Hello,

> I have a strange problem with opensc-pkcs11.so, Mozilla (ff and tb) and
> the SuisseID card by the Swiss Post:
>
> The card has a custom ATR and card operations should be handled by a
> special pkcs#11 library shipped with the card (libcvP11.so from
> CryptoVision).

You should ask CryptoVision for help since you are using their
(proprietary?) software.

Bye

--
 Dr. Ludovic Rousseau

Re: opensc-pkcs11.so should not handle card (SuisseID)

Markus Wernig
Hello again

On 08/24/10 11:35, Ludovic Rousseau wrote:

>> I have a strange problem with opensc-pkcs11.so, Mozilla (ff and tb) and
>> the SuisseID card by the Swiss Post:
>>
>> The card has a custom ATR and card operations should be handled by a
>> special pkcs#11 library shipped with the card (libcvP11.so from
>> CryptoVision).
>
> You should ask CryptoVision for help since you are using their
> (proprietary?) software.

Yes, that's what I thought, too. But then I realized that the (yes,
proprietary) Lib is not used, but opensc-pkcs11.so seems to claim the
card even if it cannot really handle it. The problem is that I would in
fact _like_ to use the other library, but cannot.

I was wondering if it is possible to configure opensc in a way that
- either it does not try to handle the card at all
- or I can "tell" it to use the foreign lib for pkcs#11 operations

The card appears under the opensc-pkcs11.so device also if the other
library is not installed at all. By what mechanism does opensc-pkcs11.so
determine whether it can handle a card or not? The card itself is
detected as (and is, in fact) Siemens CardOS V4.3B:

# cardos-info
Running cardos-tool --info
Using reader with a card: ACS ACR 38U-CCID 00 00
3b:fa:18:00:02:c1:0a:31:fe:58:4b:53:77:69:73:73:53:69:67:6e:89
Info : CardOS V4.3B (C) Siemens AG 1994-2004
Chip type: 123
Serial number: 56 0f a7 17 21 0d
Full prom dump:
33 66 00 40 EB EB EB EB 7B FF 56 0F A7 17 21 0D 3f.@....{.V...!.
00 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 ................
OS Version: 200.8 (that's CardOS M4.3B)
Current life cycle: 16 (operational)
Security Status of current DF:
Free memory : 1108
ATR Status: 0x128 unknown
Packages installed:
E1 09 01 04 07 01 C8 08 8F 01 01 E1 09 01 04 1F ................
03 C8 08 8F 01 01 E1 09 01 04 13 03 C8 08 8F 01 ................
01                                              .
Ram size: 4, Eeprom size: 32, cpu type: 66, chip config: 63
Free eeprom memory: 601
System keys: PackageLoadKey (version 0x00, retries 10)
System keys: StartKey (version 0xff, retries 10)
Path to current DF:

I would be grateful if you could still consider the problem ;-)

thx /markus
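
Added example (not part of the thread, and not OpenSC or pcsc-lite code): the ATR that opensc-tool, pcscd and cardos-info print above, decoded per ISO/IEC 7816-3. It separates the interface bytes from the historical bytes that make this ATR card-specific and verifies the TCK checksum; the function and field names are illustrative.

```python
"""Decode an ISO/IEC 7816-3 ATR (added example; names are illustrative)."""
from functools import reduce
from operator import xor

# ATR exactly as printed by opensc-tool, pcscd and cardos-info in the thread.
SUISSEID_ATR = "3b:fa:18:00:02:c1:0a:31:fe:58:4b:53:77:69:73:73:53:69:67:6e:89"


def parse_atr(text):
    raw = bytes.fromhex(text.replace(":", "").replace(" ", ""))
    if len(raw) < 2 or raw[0] not in (0x3B, 0x3F):
        raise ValueError("TS must be 0x3B (direct) or 0x3F (inverse)")
    hist_len = raw[1] & 0x0F      # T0 low nibble: number of historical bytes
    y = raw[1] >> 4               # T0 high nibble: which of TA1..TD1 follow
    pos, level, interface, protocols = 2, 1, {}, []
    while y:
        td = None
        for bit, name in enumerate("ABCD"):
            if y & (1 << bit):
                if pos >= len(raw):
                    raise ValueError("truncated inside interface bytes")
                interface[f"T{name}{level}"] = raw[pos]
                td = raw[pos] if name == "D" else td
                pos += 1
        if td is None:
            break
        protocols.append(td & 0x0F)   # TDi low nibble: protocol type T
        y, level = td >> 4, level + 1
    historical = raw[pos:pos + hist_len]
    if len(historical) != hist_len:
        raise ValueError("truncated inside historical bytes")
    pos += hist_len
    # TCK is sent unless T=0 is the only protocol; XOR of T0..TCK must be 0.
    tck_ok = None
    if any(t != 0 for t in protocols):
        if pos >= len(raw):
            raise ValueError("TCK missing")
        tck_ok = reduce(xor, raw[1:pos + 1]) == 0
        pos += 1
    if pos != len(raw):
        raise ValueError("trailing bytes after ATR")
    ascii_view = "".join(chr(b) if 32 <= b < 127 else "." for b in historical)
    return {"interface": interface, "protocols": sorted(set(protocols)),
            "historical": historical.hex(), "historical_ascii": ascii_view,
            "tck_ok": tck_ok}


if __name__ == "__main__":
    for key, value in parse_atr(SUISSEID_ATR).items():
        print(f"{key}: {value}")
```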

Re: opensc-pkcs11.so should not handle card (SuisseID)

Ludovic Rousseau
2010/8/25 Markus Wernig <[hidden email]>:

> Hello again
>
> On 08/24/10 11:35, Ludovic Rousseau wrote:
>
>>> I have a strange problem with opensc-pkcs11.so, Mozilla (ff and tb) and
>>> the SuisseID card by the Swiss Post:
>>>
>>> The card has a custom ATR and card operations should be handled by a
>>> special pkcs#11 library shipped with the card (libcvP11.so from
>>> CryptoVision).
>>
>> You should ask CryptoVision for help since you are using their
>> (proprietary?) software.
>
> Yes, that's what I thought, too. But then I realized that the (yes,
> proprietary) Lib is not used, but opensc-pkcs11.so seems to claim the
> card even if it cannot really handle it. The problem is that I would in
> fact _like_ to use the other library, but cannot.

You have configured Mozilla Firefox and Thunderbird to use both
opensc-pkcs11.so from OpenSC and libcvP11.so from
CryptoVision.

Can't you just remove opensc-pkcs11.so and only use libcvP11.so?

PKCS#11 has no mechanism to select the best library if two (or more)
libraries can support a token.

Bye

--
 Dr. Ludovic Rousseau