status of itacns signature with CIE


Antonio Russo
Hi,
I'm the owner of an Italian CIE issued in the past few months.
I'm trying to develop a service that uses it for authentication through a Java applet; my code is an open source project on SF ("authentic").

I can see all the files on the card as pkcs11 data objects, read certificates, login on the card, but I have problems signing. Am I hitting a bug or an unimplemented feature?

I've compiled the latest head version from GitHub.
This is the line I use to sign:
/src/tools/pkcs11-tool --module=src/pkcs11/.libs/opensc-pkcs11.so --slot-index 1 -v -l -p *my_pin* -m SHA1-RSA-PKCS -s -i README -o README1

and here are the logs of the signature part:
0x7f0482b13700 23:56:02.544 [opensc-pkcs11] padding.c:236:sc_pkcs1_encode: hash algorithm 0x20, pad algorithm 0x2
0x7f0482b13700 23:56:02.544 [opensc-pkcs11] padding.c:259:sc_pkcs1_encode: returning with: 0 (Success)
0x7f0482b13700 23:56:02.544 [opensc-pkcs11] pkcs15-sec.c:93:sc_pkcs15_decipher: called
0x7f0482b13700 23:56:02.544 [opensc-pkcs11] padding.c:273:sc_get_encoding_flags: called
0x7f0482b13700 23:56:02.544 [opensc-pkcs11] padding.c:277:sc_get_encoding_flags: iFlags 0x21, card capabilities 0xC0001FE2
0x7f0482b13700 23:56:02.544 [opensc-pkcs11] padding.c:298:sc_get_encoding_flags: raw encryption is not supported: -1408 (Not supported)
0x7f0482b13700 23:56:02.544 [opensc-pkcs11] pkcs15-sec.c:132:sc_pkcs15_decipher: cannot encode security operation flags: -1408 (Not supported)
0x7f0482b13700 23:56:02.544 [opensc-pkcs11] pkcs15-sec.c:415:sc_pkcs15_compute_signature: returning with: -1408 (Not supported)
0x7f0482b13700 23:56:02.544 [opensc-pkcs11] pkcs15-sec.c:310:sc_pkcs15_compute_signature: called
0x7f0482b13700 23:56:02.544 [opensc-pkcs11] pkcs15-sec.c:311:sc_pkcs15_compute_signature: security operation flags 0x22
0x7f0482b13700 23:56:02.544 [opensc-pkcs11] pkcs15-sec.c:393:sc_pkcs15_compute_signature: supported algorithm flags 0xC0001FE2, private key usage 0x224
0x7f0482b13700 23:56:02.544 [opensc-pkcs11] padding.c:232:sc_pkcs1_encode: called
0x7f0482b13700 23:56:02.544 [opensc-pkcs11] padding.c:236:sc_pkcs1_encode: hash algorithm 0x20, pad algorithm 0x2
0x7f0482b13700 23:56:02.544 [opensc-pkcs11] padding.c:259:sc_pkcs1_encode: returning with: 0 (Success)
0x7f0482b13700 23:56:02.544 [opensc-pkcs11] pkcs15-sec.c:93:sc_pkcs15_decipher: called
0x7f0482b13700 23:56:02.544 [opensc-pkcs11] padding.c:273:sc_get_encoding_flags: called
0x7f0482b13700 23:56:02.544 [opensc-pkcs11] padding.c:277:sc_get_encoding_flags: iFlags 0x21, card capabilities 0xC0001FE2
0x7f0482b13700 23:56:02.544 [opensc-pkcs11] padding.c:298:sc_get_encoding_flags: raw encryption is not supported: -1408 (Not supported)
0x7f0482b13700 23:56:02.544 [opensc-pkcs11] pkcs15-sec.c:132:sc_pkcs15_decipher: cannot encode security operation flags: -1408 (Not supported)
0x7f0482b13700 23:56:02.544 [opensc-pkcs11] pkcs15-sec.c:415:sc_pkcs15_compute_signature: returning with: -1408 (Not supported)
0x7f0482b13700 23:56:02.544 [opensc-pkcs11] card.c:402:sc_unlock: called
0x7f0482b13700 23:56:02.544 [opensc-pkcs11] reader-pcsc.c:554:pcsc_unlock: called
0x7f0482b13700 23:56:02.551 [opensc-pkcs11] framework-pkcs15.c:3430:pkcs15_prkey_sign: Sign complete. Result -1408.
0x7f0482b13700 23:56:02.551 [opensc-pkcs11] misc.c:61:sc_to_cryptoki_error_common: libopensc return value: -1408 (Not supported)
0x7f0482b13700 23:56:02.551 [opensc-pkcs11] mechanism.c:444:sc_pkcs11_signature_final: returning with: 84
0x7f0482b13700 23:56:02.551 [opensc-pkcs11] mechanism.c:309:sc_pkcs11_sign_final: returning with: 84
0x7f0482b13700 23:56:02.551 [opensc-pkcs11] pkcs11-object.c:683:C_Sign: C_Sign() = CKR_FUNCTION_NOT_SUPPORTED

I'm also willing to help. I have some (limited) experience with smartcards and C code.
Thanks in advance.
Antonio.

_______________________________________________
Opensc-devel mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/opensc-devel
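
Added example, not part of the original message or of OpenSC: a small Python triage of the debug log quoted above. It finds the first libopensc call that returned an error, the requested flag bits that are absent from the card capabilities, and the final PKCS#11 result. The sample lines are copied from that log; the function names are hypothetical.

```python
import re

# Sample input: lines taken from the debug log quoted in the message above.
SAMPLE_LOG = """\
0x7f0482b13700 23:56:02.544 [opensc-pkcs11] padding.c:259:sc_pkcs1_encode: returning with: 0 (Success)
0x7f0482b13700 23:56:02.544 [opensc-pkcs11] padding.c:277:sc_get_encoding_flags: iFlags 0x21, card capabilities 0xC0001FE2
0x7f0482b13700 23:56:02.544 [opensc-pkcs11] padding.c:298:sc_get_encoding_flags: raw encryption is not supported: -1408 (Not supported)
0x7f0482b13700 23:56:02.544 [opensc-pkcs11] pkcs15-sec.c:132:sc_pkcs15_decipher: cannot encode security operation flags: -1408 (Not supported)
0x7f0482b13700 23:56:02.544 [opensc-pkcs11] pkcs15-sec.c:415:sc_pkcs15_compute_signature: returning with: -1408 (Not supported)
0x7f0482b13700 23:56:02.551 [opensc-pkcs11] pkcs11-object.c:683:C_Sign: C_Sign() = CKR_FUNCTION_NOT_SUPPORTED
"""

LINE_RE = re.compile(r"^(0x[0-9a-fA-F]+) ([\d:.]+) \[([^\]]+)\] ([\w.-]+):(\d+):(\w+): (.*)$")
ERROR_RE = re.compile(r": (-\d+) \(([^)]+)\)$")   # negative libopensc return codes only
FLAGS_RE = re.compile(r"iFlags (0x[0-9A-Fa-f]+), card capabilities (0x[0-9A-Fa-f]+)")
CKR_RE = re.compile(r"^(C_\w+)\(\) = (CKR_\w+)$")

def parse(log):
    """Split each debug line into its fields; lines in another format are skipped."""
    keys = ("thread", "time", "context", "file", "line", "func", "msg")
    return [dict(zip(keys, m.groups()))
            for m in map(LINE_RE.match, log.splitlines()) if m]

def first_failure(records):
    """Return (file, line, func, code, text) for the first negative libopensc code."""
    for r in records:
        m = ERROR_RE.search(r["msg"])
        if m:
            return r["file"], int(r["line"]), r["func"], int(m.group(1)), m.group(2)
    return None

def missing_flags(records):
    """Bits set in the requested iFlags but absent from the card capabilities."""
    for r in records:
        m = FLAGS_RE.search(r["msg"])
        if m:
            return int(m.group(1), 16) & ~int(m.group(2), 16)
    return None

def pkcs11_result(records):
    """Return (function, CKR name) from the last 'C_Xxx() = CKR_...' line."""
    hits = [m.groups() for m in (CKR_RE.match(r["msg"]) for r in records) if m]
    return hits[-1] if hits else None

if __name__ == "__main__":
    recs = parse(SAMPLE_LOG)
    print(first_failure(recs), hex(missing_flags(recs)), pkcs11_result(recs))
```

On the sample lines the first error is raised at padding.c:298 in sc_get_encoding_flags, and the only requested bit not present in the capability mask is 0x1, the line the log itself reports as "raw encryption is not supported".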

Re: status of itacns signature with CIE

Roberto Resoli
2013/2/17 Antonio Russo <[hidden email]>:
> Hi,
> I'm the owner of an Italian CIE issued in the past few months.
> I'm trying to develop a service that uses it for authentication through a
> Java applet; my code is an open source project on SF ("authentic").
>
> I can see all the files on the card as pkcs11 data objects, read
> certificates, login on the card, but I have problems signing. Am I hitting a
> bug or an unimplemented feature?

Hello Antonio. Italian CIE should be functionally equivalent to a CNS, and so
perfectly usable (only the authentication keys/certificate) with
itacns OpenSC driver.

I can do some tests and report my findings.

In the meantime, could you try to authenticate,
configuring opensc-pkcs11.so in Firefox, to an on-line test page such as:

https://webapps.comune.trento.it/ssltest

?

bye,
rob
