pkcs15-init - asking for an SO pin - despite --so-pin provided on the command line

pkcs15-init - asking for an SO pin - despite --so-pin provided on the command line

Dirk-Willem van Gulik
Does below ring a bell with anyone - pkcs15-init wanting me to enter a SO Pin
despite it being provided with an SO pin on the command line.

Against master/head - with an Aventra MyEID card.

Thanks,

Dw.


$ pkcs15-init -E

$ pkcs15-init --create-pkcs15 --profile pkcs15+onepin --use-default-transport-key --puk 11111 --pin 1234 --label foobar --so-pin 1234
Using reader with a card: SCM Microsystems Inc. SPR 532

$ pkcs15-init --generate-key rsa/1024 --auth-id 01 -u sign --pin 1234 --so-pin 1234
Using reader with a card: SCM Microsystems Inc. SPR 532
Security officer PIN unlock key required.
Please enter Security officer PIN unlock key:
Security officer PIN unlock key required.
Please enter Security officer PIN unlock key:
$




------------------------------------------------------------------------------
Dive into the World of Parallel Programming The Go Parallel Website, sponsored
by Intel and developed in partnership with Slashdot Media, is your hub for all
things parallel software development, from weekly thought leadership blogs to
news, videos, case studies, tutorials and more. Take a look and join the
conversation now. http://goparallel.sourceforge.net/
_______________________________________________
Opensc-devel mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/opensc-devel
Re: pkcs15-init - asking for an SO pin - despite --so-pin provided on the command line

Douglas E Engert
No, but a gdb stack trace might help.

Looks like the prompt is set in the get_pin_callback in tools/pkcs15-init.c




On 3/17/2015 12:33 PM, Dirk-Willem van Gulik wrote:

> Does below ring a bell with anyone - pkcs15-init wanting me to enter a SO Pin
> despite it being provided with an SO pin on the command line.
>
> Against master/head - with an Aventra MyEID card.
>
> Thanks,
>
> Dw.
>
>
> $ pkcs15-init -E
>
> $ pkcs15-init --create-pkcs15 --profile pkcs15+onepin --use-default-transport-key --puk 11111 --pin 1234 --label foobar --so-pin 1234
> Using reader with a card: SCM Microsystems Inc. SPR 532
>
> $ pkcs15-init --generate-key rsa/1024 --auth-id 01 -u sign --pin 1234 --so-pin 1234
> Using reader with a card: SCM Microsystems Inc. SPR 532
> Security officer PIN unlock key required.
> Please enter Security officer PIN unlock key:
> Security officer PIN unlock key required.
> Please enter Security officer PIN unlock key:
> $

--

  Douglas E. Engert  <[hidden email]>



Re: pkcs15-init - asking for an SO pin - despite --so-pin provided on the command line

Dirk-Willem van Gulik

> On 17 Mar 2015, at 19:34, Douglas E Engert <[hidden email]> wrote:
>
> No, but a gdb stack trace might help.
>
> Looks like the prompt is set in the get_pin_callback in tools/pkcs15-init.c

Turns out the Aventra MyEID card itself is at fault - or something specific with it.

Post the -C creation of the PKCS#15 structure one needs to explicitly create a PIN/PUK, as the --pin etc. are silently ignored. Below sequence yields a valid card:

        # PIN and PUK must already be set in the environment.
        set -e
        pkcs15-init -E

        # PIN/PUK ignored in this step - but must be provided.
        #
        pkcs15-init -C --pin "$PIN" --puk "$PUK" --so-pin "$PIN" --so-puk "$PUK"

        # Set the actual PIN
        pkcs15-init -P -a 1 -l "Some PIN" --pin "$PIN" --puk "$PUK" --so-pin "$PIN"

        # Generate three RSA signing keys bound to auth ID 1
        pkcs15-init --generate-key rsa/1024 -u sign --pin "$PIN" --so-pin "$PIN" --auth-id 1
        pkcs15-init --generate-key rsa/1024 -u sign --pin "$PIN" --so-pin "$PIN" --auth-id 1
        pkcs15-init --generate-key rsa/1024 -u sign --pin "$PIN" --so-pin "$PIN" --auth-id 1

So I guess this is something of a card limitation - as I do not see a way for '-C' to detect that its --pin argument was gleefully ignored.

Dw.

>
>
> On 3/17/2015 12:33 PM, Dirk-Willem van Gulik wrote:
>> Does below ring a bell with anyone - pkcs15-init wanting me to enter a SO Pin
>> despite it being provided with an SO pin on the command line.
>>
>> Against master/head - with an Aventra MyEID card.
>>
>> Thanks,
>>
>> Dw.
>>
>>
>> $ pkcs15-init -E
>>
>> $ pkcs15-init --create-pkcs15 --profile pkcs15+onepin --use-default-transport-key --puk 11111 --pin 1234 --label foobar --so-pin 1234
>> Using reader with a card: SCM Microsystems Inc. SPR 532
>>
>> $ pkcs15-init --generate-key rsa/1024 --auth-id 01 -u sign --pin 1234 --so-pin 1234
>> Using reader with a card: SCM Microsystems Inc. SPR 532
>> Security officer PIN unlock key required.
>> Please enter Security officer PIN unlock key:
>> Security officer PIN unlock key required.
>> Please enter Security officer PIN unlock key:
>> $
>
> --
>
>  Douglas E. Engert  <[hidden email]>



Re: pkcs15-init - asking for an SO pin - despite --so-pin provided on the command line

Michael Ströder
Dirk-Willem van Gulik wrote:

>
>> On 17 Mar 2015, at 19:34, Douglas E Engert <[hidden email]> wrote:
>>
>> No, but a gdb stack trace might help.
>>
>> Looks like the prompt is set in the get_pin_callback in tools/pkcs15-init.c
>
> Turns out the Aventra MyEID card itself is at fault - or something specific with it.
>
> Post the -C creation of the PKCS#15 structure one needs to explicitly create a PIN/PUK, as the --pin etc. are silently ignored.

It seems to be as documented here:

https://github.com/OpenSC/OpenSC/wiki/Aventra-MyEID-PKI-card#initialization

"TIP: When initializing cards, specify the PIN and PUK (with “--pin” and “--puk”
parameters) to prevent OpenSC from unnecessarily asking for it several times.
You can use any values, because the PIN is not created here."

Ciao, Michael.
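
A pre-flight check for the situation discussed in this thread, as an added example that is not part of the original posts or of OpenSC: before generating keys, confirm that a PIN object with the intended auth ID really exists and is initialized, since the creation step gives no error when its PIN arguments are ignored. The function name `pin_ready`, the two sample functions and the listing layout (modelled on `pkcs15-tool --list-pins`) are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. The listing layout is an assumption
# modelled on `pkcs15-tool --list-pins`; both samples below are constructed.

# pin_ready AUTH_ID: reads a PIN listing on stdin; succeeds only if a PIN
# object with that ID exists and its Flags line includes "initialized".
pin_ready() {
    case "$1" in ?) want="0$1" ;; *) want="$1" ;; esac   # "1" -> "01"
    awk -v want="$want" '
        function check() { if (id == want && init) found = 1 }
        /^PIN \[/ { check(); id = ""; init = 0; next }
        {
            line = $0
            gsub(/^[ \t]+|[ \t]+$/, "", line)
            if (line ~ /^ID[ \t]*:/) {              # "Auth ID" must not match
                sub(/^ID[ \t]*:[ \t]*/, "", line); id = line
            } else if (line ~ /^Flags[ \t]*:/) {    # "Object Flags" must not match
                if (line ~ /[ ,]initialized(,|$)/) init = 1
            }
        }
        END { check(); exit (found ? 0 : 1) }
    '
}

# Constructed: a user PIN with ID 01 exists and is initialized.
sample_ready() { cat <<'EOF'
Using reader with a card: SCM Microsystems Inc. SPR 532
PIN [Some PIN]
    Object Flags   : [0x3], private, modifiable
    ID             : 01
    Flags          : [0x32], local, initialized, needs-padding
EOF
}

# Constructed: only a PIN with ID 02 that merely refers to auth ID 01.
sample_missing() { cat <<'EOF'
Using reader with a card: SCM Microsystems Inc. SPR 532
PIN [Other PIN]
    Object Flags   : [0x3], private, modifiable
    Auth ID        : 01
    ID             : 02
    Flags          : [0x32], local, initialized, needs-padding
EOF
}

# Usage on a real card (not run here):
#   pkcs15-tool --list-pins | pin_ready 01 || echo "create the PIN with pkcs15-init -P first" >&2
```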


