opensc under xen domu

opensc under xen domu

MMarc
Hi,
I tried to use an egate 32k under xen domu hvm, but could not succeed.
I could add the usb token via openct ifdhandler, and also could format the card, generate keys etc., but it looks like signing is not working.
pkcs11-tool -t -l shows that the keys are there and hashing is working, but signing and en/decrypting are not.

The token is working well on a physical system.

Does anybody have experience with smartcards/tokens under xen?

Thanks for any help in advance!


Marc


 

_______________________________________________
opensc-user mailing list
[hidden email]
http://www.opensc-project.org/mailman/listinfo/opensc-user
Re: opensc under xen domu

MMarc
Sorry, I was not precise enough.

I ran the test with pkcs11-tool -t -l, and it gave me an OK on the physical system, and several errors on the virtual.
The system is the same. The token is also the same (egate 32k).

Here is the output from the physical system:

good

------------

# pkcs11-tool -t -l --slot 0
Please enter User PIN:
C_SeedRandom() and C_GenerateRandom():
seeding (C_SeedRandom) not supported
seems to be OK
Digests:
all 4 digest functions seem to work
MD5: OK
SHA-1: OK
RIPEMD160: OK
Signatures (currently only RSA signatures)
testing key 0 (Private Key)
all 4 signature functions seem to work
testing signature mechanisms:
RSA-X-509: OK
RSA-PKCS: OK
SHA1-RSA-PKCS: OK
MD5-RSA-PKCS: OK
RIPEMD160-RSA-PKCS: OK
Verify (currently only for RSA):
testing key 0 (Private Key)
RSA-X-509: OK
RSA-PKCS: OK
SHA1-RSA-PKCS: OK
MD5-RSA-PKCS: OK
RIPEMD160-RSA-PKCS: OK
Key unwrap (RSA)
testing key 0 (Private Key) -- can't be used to unwrap, skipping
Decryption (RSA)
testing key 0 (Private Key)
RSA-X-509: OK
RSA-PKCS: OK


and here the same test with the same token on the virtual:



bad


# pkcs11-tool -t -l --slot 0
Please enter User PIN:
C_SeedRandom() and C_GenerateRandom():
seeding (C_SeedRandom) not supported
seems to be OK
Digests:
all 4 digest functions seem to work
MD5: OK
SHA-1: OK
RIPEMD160: OK
Signatures (currently only RSA signatures)
testing key 0 (Private Key)
all 4 signature functions seem to work
testing signature mechanisms:
RSA-X-509: ERR: verification failed
RSA-PKCS: ERR: verification failed
SHA1-RSA-PKCS: ERR: verification failed
MD5-RSA-PKCS: ERR: verification failed
RIPEMD160-RSA-PKCS: ERR: verification failed
Verify (currently only for RSA):
testing key 0 (Private Key)
RSA-X-509: ERR: verification failed ERR: C_Verify() returned CKR_SIGNATURE_INVALID (0xc0)
Key unwrap (RSA)
testing key 0 (Private Key) -- can't be used to unwrap, skipping
Decryption (RSA)
testing key 0 (Private Key)
RSA-X-509: resulting cleartext doesn't match input
Original: 61 62 63 64 65 66 67 68 69 00
Decrypted: 21 82 bd 54 7c ab 79 ea b6 30 29 36 cb 5a 6c d1 fe a8 6a 06 08 18 62 ed 5f 82 a8 09 61 ee 9e a9 eb d1 6e 2d 95 b1 2a 2c 6c 1e 3f 92 ac 0c 0f 4d 08 8b 75 6a 39 00 61 62 63 64 65 66 67 68 69 00 21 82 bd 54 7c ab 79 ea b6 30 29 36 cb 5a 6c d1 fe a8 6a 06 08 18 62 ed 5f 82 a8 09 61 ee 9e a9 eb d1 6e 2d 95 b1 2a 2c 6c 1e 3f 92 ac 0c 0f 4d 08 8b 75 6a 39 00 61 62 63 64 65 66 67 68 69 00
error: PKCS11 function C_Decrypt failed: rv = CKR_GENERAL_ERROR (0x5)

Aborting.
RSA-PKCS:


----------------------------



I was migrating a system from physical to virtual and I realised that my application could not initialise the token anymore.

Afterwards I ran some tests and found the result above. So it looks like some functions do not work under xen domu.
Does anybody have experience with opensc under xen? Maybe the problem can be fixed by a simple reconfiguration...

Any help is warmly welcome :)



Marc


 




> Subject: Re: [opensc-user] opensc under xen domu
> From: [hidden email]
> To: [hidden email]
> Date: Fri, 7 Jan 2011 16:32:00 +0100
>
> On Friday 07 January 2011 at 14:46 +0000, Marc M. wrote:
> > but it looks like signing is not working.
>
> Sorry, I did not read your email very well.
> Signing is not supported very well for cards.
> You should use OpenSSL with PKCS#11 interface.
>
> Kind regards,
> --
> Jean-Michel Pouré - Gooze - http://www.gooze.eu
>
