using MyEID without a PIN


using MyEID without a PIN

Frederic Van De Velde
Hi,

I'm using a MyEID smartcard to authenticate against an SSH server using private/public key authentication.

Currently it is necessary to enter a PIN code before authenticating, but I want to be able to create cards without a PIN code.

Besides the fact that it is not safe to create such a setup, I can't manage to do it.

Here is the current procedure to initialise a card with a PIN:

pkcs15-init -E
pkcs15-init -C --pin 123456 --puk 123456 --so-pin "" --so-puk ""
pkcs15-init --store-pin --auth-id 01 --label "Basic PIN" --pin 123456 --puk 123456
pkcs15-init --store-private-key key.pem --id 45 --auth-id 01 --passphrase password --pin 123456
pkcs15-init --store-certificate cert.pem --id 45 --auth-id 01 --pin 123456

I have tried using the --insecure flag, but OpenSC keeps asking me to enter the USER PIN or the SO PIN.

Regards,
Frederic.




_______________________________________________
Opensc-devel mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/opensc-devel

Re: using MyEID without a PIN

NdK-3
On 21/05/2014 16:36, Frederic Van De Velde wrote:

> I have tried using --insecure flag but opensc keep asking me to enter the USER PIN or the SO PIN.
It's just one of the problems with PINs I've had.
Another is that using different PINs is quite hard and error-prone,
requiring tampering with myeid.profile.

Aventra has been quite collaborative in the past, but these problems
haven't been fixed in the last two years or so... :( Actually my thread
about --insecure is dated April *2011*:
-8<--

> -----Original Message-----
> Subject: Re: [opensc-devel] --insecure ?
>
> On 26/04/2011 08:41, Martin Paljak wrote:
>
>> problem is that it is not equally supported by card drivers and always
>> not well supported by applications (which insist on using C_Login
>> before any operations, disregarding CKF_LOGIN_REQUIRED)
> That's an app bug and should be reported as such. Trying to "fix" it at the
> wrong level doesn't do any good. But, for example, ssh doesn't require
> it unless the key is protected (but then it leaves the card in unusable
> state).
> But generating a protected key when --insecure is specified is a bug in
> opensc (or in the card driver). IMHO.
> Since you used --insecure, can you confirm that its misbehaviour is only
> for MyEID cards?

I think that this feature is just missing from the drivers code.
Can you Martin say which card you have used the --insecure option with?
This could help find the missing code (for us that are not that
familiar with the OpenSC code structure and all that).
-8<--
(the "unquoted" text was from Toni Sjoblom from Aventra, quoted text
from me and doubly-quoted from Martin Paljak).

It *could* be possible to fix your problem by editing myeid.profile, but
then you'd need to use that card only on systems with the modified
profile...
Profile should be used only when objects are created... but if profiles
don't match you risk bricking your card :(

BYtE.


Re: using MyEID without a PIN

Douglas E Engert
Some cards can have a private key that does not require a C_Login.
The PIV card, for example, has a Card Authentication cert and key so
the card can authenticate itself, and not the user.

The problem is that 99% of code assumes that to use any key on the
card requires a call to C_Login.

But pkcs11-tool is one of these programs that assumes you must log in to use
a key. The patch below can be used to test if the login is really required with
your card. It comments out the code that forced a login when doing a sign operation.
(The --login option can still force a login.)

I tried this against one of the NIST test cards that has a Card Authenticate
key, and it does produce a signature using these commands:

openssl sha256 -binary -out /tmp/test.hash < test.data
pkcs11-tool --slot 1 --module /opt/smartcard/lib/opensc-pkcs11.so \
   --sign -m RSA-X-509 --id 04 -i /tmp/test.hash -o /tmp/test.signature
Using signature algorithm RSA-X-509


So at least with the PIV card, OpenSC supports the use of a key without using a PIN.
The PIV card is not a true PKCS#15 card, so there may be code in the pkcs15 code
that needs to be fixed.

The first thing to try is to see if pkcs11-tool -O shows a private key without using
the --login option. If it does, it should be usable without a PIN.

Then try to use the key with a patched pkcs11-tool and the commands above.

If you get these working, then you will need to look at your applications
to see how to get them to not call C_Login.

Good luck, and keep the list posted on your progress.

diff --git a/src/tools/pkcs11-tool.c b/src/tools/pkcs11-tool.c
index 61a665a..d1c091f 100644
--- a/src/tools/pkcs11-tool.c
+++ b/src/tools/pkcs11-tool.c
@@ -738,8 +738,13 @@ int main(int argc, char * argv[])
                 get_token_info(opt_slot, &info);
                 if (!(info.flags & CKF_TOKEN_INITIALIZED))
                         util_fatal("Token not initialized\n");
+#if 0
+/* DEE some cards have a card authneticatio cert, so don't
+ * require login User can still add -l or --login flag
+ */
                 if (info.flags & CKF_LOGIN_REQUIRED)
                         opt_login++;
+#endif
         }

         if (do_init_token)
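Review bot: the `#if 0` around `if (info.flags & CKF_LOGIN_REQUIRED) opt_login++;` drops the automatic login for every token, not only for tokens that expose a login-free key, so a `--sign` against a PIN-protected key now reaches C_Sign without a session login and fails there unless the user remembers `--login`; as a throwaway test patch that is acceptable, but before anything like it lands the condition should be narrowed (for example, skip the login only when the target private key is already visible in a public session) rather than removed. The added comment also has a typo: `authneticatio` should read `authentication`.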


(A better patch would have been to test if the key was visible without
a login, then skip this code.)



--

  Douglas E. Engert  <[hidden email]>
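The RSA-X-509 mechanism in the test command above is raw RSA, so the signature pkcs11-tool writes cannot be checked with `openssl dgst -verify`. The following is an added example, not code from this thread or from OpenSC, that reproduces what `--sign -m RSA-X-509 -i test.hash` computes and verifies it with a raw public-key operation, beside a PKCS#1 v1.5 signature over the same data for contrast. It assumes a throwaway RSA key generated at run time (no card or PKCS#11 module is involved), and the message bytes are constructed.

```python
# Added example: what a CKM_RSA_X_509 ("RSA-X-509") signature over a hash is,
# and how to check it. Not from the thread or from OpenSC.
#
#   openssl sha256 -binary -out /tmp/test.hash < test.data
#   pkcs11-tool ... --sign -m RSA-X-509 --id 04 -i /tmp/test.hash -o /tmp/test.signature
#
# CKM_RSA_X_509 is raw RSA: the input is left-padded with zero bytes to the
# modulus length and exponentiated with no DigestInfo and no PKCS#1 padding, so
# `openssl dgst -sha256 -verify` rejects it; the check must be s^e mod n.
# Assumption: the RSA key is a throwaway generated here, standing in for the card key.
import hashlib
import hmac
import secrets

# DER prefix of DigestInfo for SHA-256 (PKCS#1 v1.5 / CKM_SHA256_RSA_PKCS).
SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")


def _is_probable_prime(n, rounds=40):
    """Miller-Rabin, adequate for a test key; not a production key generator."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(2 + secrets.randbelow(n - 3), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits):
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1  # force top bit and oddness
        if _is_probable_prime(cand):
            return cand


def generate_test_key(bits=1024, e=65537):
    """Return (n, e, d) for a throwaway RSA key of exactly `bits` bits."""
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        n, phi = p * q, (p - 1) * (q - 1)
        if p == q or n.bit_length() != bits or phi % e == 0:
            continue
        return n, e, pow(e, -1, phi)


def _modlen(n):
    return (n.bit_length() + 7) // 8


def rsa_x509_sign(data, n, d):
    """Raw RSA (CKM_RSA_X_509): zero-pad on the left to the modulus length, then m^d mod n."""
    k = _modlen(n)
    if len(data) > k:
        raise ValueError("input longer than modulus")
    m = int.from_bytes(data.rjust(k, b"\x00"), "big")
    if m >= n:
        raise ValueError("input not smaller than modulus")
    return pow(m, d, n).to_bytes(k, "big")


def rsa_x509_verify(sig, data, n, e):
    """Recover s^e mod n and compare it with the zero-padded input."""
    k = _modlen(n)
    if len(sig) != k:
        return False
    s = int.from_bytes(sig, "big")
    if s >= n:
        return False
    recovered = pow(s, e, n).to_bytes(k, "big")
    return hmac.compare_digest(recovered, data.rjust(k, b"\x00"))


def pkcs1_v15_sha256_sign(message, n, d):
    """PKCS#1 v1.5: 00 01 FF..FF 00 || DigestInfo || SHA-256(message), then m^d mod n."""
    k = _modlen(n)
    t = SHA256_DIGESTINFO + hashlib.sha256(message).digest()
    em = b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t
    return pow(int.from_bytes(em, "big"), d, n).to_bytes(k, "big")


def demo(message=b"constructed contents of test.data"):
    """Sign the SHA-256 of `message` both ways and report which checks pass."""
    n, e, d = generate_test_key()
    digest = hashlib.sha256(message).digest()        # what `openssl sha256 -binary` writes
    raw_sig = rsa_x509_sign(digest, n, d)              # what `--sign -m RSA-X-509 -i test.hash` yields
    v15_sig = pkcs1_v15_sha256_sign(message, n, d)     # what a PKCS#1 v1.5 mechanism yields
    return {
        "raw_verifies_raw": rsa_x509_verify(raw_sig, digest, n, e),
        "v15_verifies_as_raw_hash": rsa_x509_verify(v15_sig, digest, n, e),
        "signatures_differ": raw_sig != v15_sig,
        "sig_len": len(raw_sig),
    }


if __name__ == "__main__":
    print(demo())
```

Run as a script it prints the result dictionary: the raw signature verifies only through the raw operation and the PKCS#1 v1.5 signature does not verify as a zero-padded hash, which is why a `-m RSA-X-509` signature taken from the card has to be checked with a raw RSA public operation (for example `openssl rsautl -verify -raw` against the certificate's public key) rather than with a digest verify.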



Re: using MyEID without a PIN

NdK-3
On 23/05/2014 16:39, Douglas E Engert wrote:
> Some cards can have a private key that does not require a  C_Login.
> The PIV card for example as a Card Authentication cert and key so
> the card can authenticate itself, and not the user.

> The problem is that 99% of code assumes that to use any key on the
> card requires a call to C_Login.
Just because 99% of the code is not well-written doesn't mean the
remaining 1% should not work...

> @@ -738,8 +738,13 @@ int main(int argc, char * argv[])
>                  get_token_info(opt_slot, &info);
>                  if (!(info.flags & CKF_TOKEN_INITIALIZED))
>                          util_fatal("Token not initialized\n");
> +#if 0
> +/* DEE some cards have a card authneticatio cert, so don't
> + * require login User can still add -l or --login flag
> + */
>                  if (info.flags & CKF_LOGIN_REQUIRED)
>                          opt_login++;
> +#endif
>          }
>
>          if (do_init_token)
>
>
> (A better patch would have been to test if the key was visible without
> a login, then skip this code.)
Shouldn't it already be reported by info.flags (rendering the patch
useless)?
To me it seems the infrastructure is in place, but maybe some (most?)
drivers don't implement all the needed bits, taking shortcuts...

BYtE,
 Diego.


Re: using MyEID without a PIN

Douglas E Engert


On 5/26/2014 3:59 AM, NdK wrote:
> On 23/05/2014 16:39, Douglas E Engert wrote:
>> Some cards can have a private key that does not require a  C_Login.
>> The PIV card for example as a Card Authentication cert and key so
>> the card can authenticate itself, and not the user.
>
>> The problem is that 99% of code assumes that to use any key on the
>> card requires a call to C_Login.
> Just because 99% of the code is not well-written doesn't mean the
> remaining 1% should not work...

The point I was making is that pkcs11-tool is one of the 99%, making
the assumption that you must log in to use any key.  pkcs11-tool has
a --login option to allow the user to specify if login should be done.
In the current source, the --sign option in effect always adds the --login
option.

The patch below was for testing to see if Frederic could get past
this point in the code, as there may be other places in the code that
might also make assumptions.  It was not meant to be in the base code.

>
>> @@ -738,8 +738,13 @@ int main(int argc, char * argv[])
>>                   get_token_info(opt_slot, &info);
>>                   if (!(info.flags & CKF_TOKEN_INITIALIZED))
>>                           util_fatal("Token not initialized\n");
>> +#if 0
>> +/* DEE some cards have a card authneticatio cert, so don't
>> + * require login User can still add -l or --login flag
>> + */
>>                   if (info.flags & CKF_LOGIN_REQUIRED)
>>                           opt_login++;
>> +#endif
>>           }
>>
>>           if (do_init_token)
>>
>>
>> (A better patch would have been to test if the key was visible without
>> a login, then skip this code.)
> Shouldn't it already be reported by info.flags (rendering the patch
> useless) ?

info.flags indicates the status and capabilities of the device.
CKF_LOGIN_REQUIRED is "TRUE if there are some cryptographic functions
that a user must be logged in to perform".  Frederic is trying to use
one of the cryptographic functions that does not require login.

> To me it seems the infrastructure is in place, but maybe some (most?)
> drivers don't implement all the needed bits, taking shortcuts...

Correct, but it's not the driver, it is the caller of PKCS#11 that is making
the assumptions.


This might be a better patch that preserves the pkcs11-tool user interface
in that --sign does not require --login. But the patch makes it optional for keys
that are not private, i.e. SC_PKCS15_CO_FLAG_PRIVATE is not set for the key.
With pkcs15-tool -k, look for the Object Flags without the "private" flag.
See the PKCS#15 standard, "4.1.3 Access methods".



diff --git a/src/tools/pkcs11-tool.c b/src/tools/pkcs11-tool.c
index 61a665a..28afdcd 100644
--- a/src/tools/pkcs11-tool.c
+++ b/src/tools/pkcs11-tool.c
@@ -732,14 +732,12 @@ int main(int argc, char * argv[])
         if (do_list_mechs)
                 list_mechs(opt_slot);

-       if (do_sign) {
+       if (do_sign || do_derive) {
                 CK_TOKEN_INFO   info;

                 get_token_info(opt_slot, &info);
                 if (!(info.flags & CKF_TOKEN_INITIALIZED))
                         util_fatal("Token not initialized\n");
-               if (info.flags & CKF_LOGIN_REQUIRED)
-                       opt_login++;
         }

         if (do_init_token)
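Review bot: with the two `CKF_LOGIN_REQUIRED` lines removed, this block only performs the `CKF_TOKEN_INITIALIZED` check, and its condition was widened from `do_sign` to `do_sign || do_derive`, so `--derive` on an uninitialized token now dies with "Token not initialized" where it previously did not; that is a reasonable change but it is not mentioned in the accompanying text and should be called out in the commit message. The login decision itself now happens in the later hunk, only after C_OpenSession, so any code between the two points that used to rely on `opt_login` already being set for a sign operation needs a look.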
@@ -756,6 +754,20 @@ int main(int argc, char * argv[])
                         p11_fatal("C_OpenSession", rv);
         }

+       /*
+        * most keys require login but not all. If key not visable assume login is needed
+        * we will try later to get the key. This preserves the user interface that
+        * --login is not needed for a --sign operation
+        */
+       if (do_sign || do_derive) {
+               if (opt_login == 0) {
+                       if (!find_object(session, CKO_PRIVATE_KEY, &object,
+                                       opt_object_id_len ? opt_object_id : NULL,
+                                       opt_object_id_len, 0))
+                               opt_login++;
+               }
+       }
+
         if (opt_login) {
                 int r;
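Review bot: the fallback `if (!find_object(session, CKO_PRIVATE_KEY, &object, opt_object_id_len ? opt_object_id : NULL, opt_object_id_len, 0)) opt_login++;` selects by id only, so when no `--id` is given it matches the first visible private key of any id and suppresses the login even if the key later used for the sign or derive is a different, PIN-protected one, which then fails at C_Sign instead of prompting for the PIN; the probe should use the same selection criteria as the later key lookup, and the handle it finds could be reused instead of discarded. The comment also has a typo: `visable` should read `visible`.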

>
> BYtE,
>   Diego.
>

--

  Douglas E. Engert  <[hidden email]>



Re: using MyEID without a PIN

Frederic Van De Velde
I gave it a try and, bad news, my card is not showing the private key using pkcs11-tool -O

# pkcs11-tool --slot 1 --module /usr/lib/opensc-pkcs11.so -O --id 45
Public Key Object; RSA 1024 bits
  label:      Public Key
  ID:         45
  Usage:      verify
Certificate Object, type = X.509 cert
  label:      Certificate
  ID:         45

I also patched pkcs11-tool but it still asks me for the PIN.

Do you have any advice on a smart card that will support having no PIN?

Regards,
Frederic.



Re: using MyEID without a PIN

Frederic Van De Velde
Hi,

I have received information from Aventra on how to create a MyEID card without protection on the private key by changing the myeid.profile file of OpenSC.

But now I am trying to go one step further and use the card without a PIN for authentication using SSH:

 ssh -vvvv -I /home/frederic/opensc/lib/opensc-pkcs11.so [hidden email]

If I try with a PIN-protected card it works after I enter the PIN.
With the card without a PIN the key is not sent to the SSH server and I get the next authentication method, which is password.

I made a trace with OPENSC_DEBUG=9 and it seems that the framework-pkcs15.c file only returns keys that have an associated PIN.

Here is the output with the PIN CODE:

0x7f3d144f77c0 14:17:25.213 [opensc-pkcs11] framework-pkcs15.c:673:pkcs15_create_pkcs11_objects: Found 0 data objects
0x7f3d144f77c0 14:17:25.213 [opensc-pkcs11] framework-pkcs15.c:780:pkcs15_bind_related_objects: Looking for objects related to object 0
0x7f3d144f77c0 14:17:25.213 [opensc-pkcs11] framework-pkcs15.c:688:__pkcs15_prkey_bind_related: Object is a private key and has id 45
0x7f3d144f77c0 14:17:25.213 [opensc-pkcs11] framework-pkcs15.c:713:__pkcs15_prkey_bind_related: Associating object 1 as public key
0x7f3d144f77c0 14:17:25.213 [opensc-pkcs11] framework-pkcs15.c:780:pkcs15_bind_related_objects: Looking for objects related to object 1
0x7f3d144f77c0 14:17:25.213 [opensc-pkcs11] framework-pkcs15.c:780:pkcs15_bind_related_objects: Looking for objects related to object 2
0x7f3d144f77c0 14:17:25.213 [opensc-pkcs11] framework-pkcs15.c:730:__pkcs15_cert_bind_related: Object is a certificate and has id 45
0x7f3d144f77c0 14:17:25.213 [opensc-pkcs11] framework-pkcs15.c:759:__pkcs15_cert_bind_related: Associating object 0 as private key
0x7f3d144f77c0 14:17:25.213 [opensc-pkcs11] framework-pkcs15.c:1013:_pkcs15_create_typed_objects: found 3 FW objects
0x7f3d144f77c0 14:17:25.213 [opensc-pkcs11] framework-pkcs15.c:1222:pkcs15_create_tokens: Found 3 FW objects objects
0x7f3d144f77c0 14:17:25.213 [opensc-pkcs11] framework-pkcs15.c:1238:pkcs15_create_tokens: Found 1 authentication objects
0x7f3d144f77c0 14:17:25.213 [opensc-pkcs11] framework-pkcs15.c:1247:pkcs15_create_tokens: Found authentication object 'Basic PIN'
0x7f3d144f77c0 14:17:25.213 [opensc-pkcs11] slot.c:330:slot_allocate: Allocated slot 0x1 for card in reader Pertosmart Card Reader 00 00
0x7f3d144f77c0 14:17:25.213 [opensc-pkcs11] framework-pkcs15.c:939:pkcs15_init_slot: Initialized token 'MyEID (Basic PIN)' in slot 0x1
0x7f3d144f77c0 14:17:25.213 [opensc-pkcs11] framework-pkcs15.c:1104:_add_pin_related_objects: Add objects related to PIN('Basic PIN',ID:01)
0x7f3d144f77c0 14:17:25.213 [opensc-pkcs11] framework-pkcs15.c:1116:_add_pin_related_objects: ObjID(0x7f3d1585a270,Private Key,101):01
0x7f3d144f77c0 14:17:25.213 [opensc-pkcs11] framework-pkcs15.c:1123:_add_pin_related_objects: Slot:0x7f3d15857b80, obj:0x7f3d1585a270  Adding private key 0 to PIN 'Basic PIN'
0x7f3d144f77c0 14:17:25.213 [opensc-pkcs11] framework-pkcs15.c:837:pkcs15_add_object: Slot:1 Setting object handle of 0x0 to 0x7f3d1585a270
0x7f3d144f77c0 14:17:25.213 [opensc-pkcs11] framework-pkcs15.c:837:pkcs15_add_object: Slot:1 Setting object handle of 0x0 to 0x7f3d1585bbd0
0x7f3d144f77c0 14:17:25.213 [opensc-pkcs11] framework-pkcs15.c:837:pkcs15_add_object: Slot:1 Setting object handle of 0x0 to 0x7f3d1585bda0
0x7f3d144f77c0 14:17:25.213 [opensc-pkcs11] framework-pkcs15.c:1160:_add_public_objects: 3 public objects to process
0x7f3d144f77c0 14:17:25.213 [opensc-pkcs11] framework-pkcs15.c:1313:pkcs15_create_tokens: All tokens created
0x7f3d144f77c0 14:17:25.213 [opensc-pkcs11] slot.c:298:card_detect: Pertosmart Card Reader 00 00: Detection ended
0x7f3d144f77c0 14:17:25.213 [opensc-pkcs11] pkcs11-global.c:259:C_Initialize: C_Initialize() = CKR_OK
0x7f3d144f77c0 14:17:25.213 [opensc-pkcs11] pkcs11-global.c:329:C_GetInfo: C_GetInfo()
debug1: manufacturerID <OpenSC (www.opensc-project.org)> cryptokiVersion 2.20 libraryDescription <Smart card PKCS#11 API> libraryVersion 0.0
0x7f3d144f77c0 14:17:25.213 [opensc-pkcs11] pkcs11-global.c:375:C_GetSlotList: C_GetSlotList(token=1, plug-n-play)

And without the PIN code:

0x7ff2fe47d7c0 14:12:43.241 [opensc-pkcs11] framework-pkcs15.c:673:pkcs15_create_pkcs11_objects: Found 0 data objects
0x7ff2fe47d7c0 14:12:43.241 [opensc-pkcs11] framework-pkcs15.c:780:pkcs15_bind_related_objects: Looking for objects related to object 0
0x7ff2fe47d7c0 14:12:43.241 [opensc-pkcs11] framework-pkcs15.c:688:__pkcs15_prkey_bind_related: Object is a private key and has id 45
0x7ff2fe47d7c0 14:12:43.241 [opensc-pkcs11] framework-pkcs15.c:713:__pkcs15_prkey_bind_related: Associating object 1 as public key
0x7ff2fe47d7c0 14:12:43.241 [opensc-pkcs11] framework-pkcs15.c:780:pkcs15_bind_related_objects: Looking for objects related to object 1
0x7ff2fe47d7c0 14:12:43.241 [opensc-pkcs11] framework-pkcs15.c:780:pkcs15_bind_related_objects: Looking for objects related to object 2
0x7ff2fe47d7c0 14:12:43.241 [opensc-pkcs11] framework-pkcs15.c:730:__pkcs15_cert_bind_related: Object is a certificate and has id 45
0x7ff2fe47d7c0 14:12:43.241 [opensc-pkcs11] framework-pkcs15.c:759:__pkcs15_cert_bind_related: Associating object 0 as private key
0x7ff2fe47d7c0 14:12:43.241 [opensc-pkcs11] framework-pkcs15.c:1013:_pkcs15_create_typed_objects: found 3 FW objects
0x7ff2fe47d7c0 14:12:43.241 [opensc-pkcs11] framework-pkcs15.c:1222:pkcs15_create_tokens: Found 3 FW objects objects
0x7ff2fe47d7c0 14:12:43.241 [opensc-pkcs11] framework-pkcs15.c:1238:pkcs15_create_tokens: Found 0 authentication objects
0x7ff2fe47d7c0 14:12:43.241 [opensc-pkcs11] framework-pkcs15.c:1313:pkcs15_create_tokens: All tokens created
0x7ff2fe47d7c0 14:12:43.241 [opensc-pkcs11] slot.c:298:card_detect: Pertosmart Card Reader 00 00: Detection ended
0x7ff2fe47d7c0 14:12:43.241 [opensc-pkcs11] pkcs11-global.c:411:C_GetSlotList: was only a size inquiry (0)
no slots

Notice the difference in the authentication objects found:

0x7f3d144f77c0 14:17:25.213 [opensc-pkcs11] framework-pkcs15.c:1238:pkcs15_create_tokens: Found 1 authentication objects

0x7ff2fe47d7c0 14:12:43.241 [opensc-pkcs11] framework-pkcs15.c:1238:pkcs15_create_tokens: Found 0 authentication objects

I tried to see how I could change the logic in the framework-pkcs15.c file but wasn't able to figure it out.

Regards,
Frederic.

On 27 May 2014, at 11:13, Frederic Van De Velde <[hidden email]> wrote:

I gave it a try and bad news my card is not showing up the private key using pkcs11-tool -O

# pkcs11-tool --slot 1 --module /usr/lib/opensc-pkcs11.so -O --id 45
Public Key Object; RSA 1024 bits
  label:      Public Key
  ID:         45
  Usage:      verify
Certificate Object, type = X.509 cert
  label:      Certificate
  ID:         45

I also patched pkcs11-tool but it still ask me for the PIN.

Do you have any advice on smart card that will support to have no PIN ?

Regards,
Frederic.


On 26 May 2014, at 15:09, Douglas E Engert <[hidden email]> wrote:



On 5/26/2014 3:59 AM, NdK wrote:
Il 23/05/2014 16:39, Douglas E Engert ha scritto:
Some cards can have a private key that does not require a  C_Login.
The PIV card for example as a Card Authentication cert and key so
the card can authenticate itself, and not the user.

The problem is that 99% of code assumes that to use any key on the
card requires a call to C_Login.
Just because 99% of the code is not well-written doesn't mean the
remaining 1% should not work...

The point I was making, is that pkcs11-tool is one of the 99%, making
the assumption that you must login to use any key.  pkcs11-tool has
a --login option to allow the user to specify if login should be done.
In the current source The --sign option in effect always adds the --login
option.

The patch below was for testing to see if Frederic could get past
this point in the code, as there may be other places in the code that
might also make assumptions.  It was not meant to be in the base code.


@@ -738,8 +738,13 @@ int main(int argc, char * argv[])
                 get_token_info(opt_slot, &info);
                 if (!(info.flags & CKF_TOKEN_INITIALIZED))
                         util_fatal("Token not initialized\n");
+#if 0
+/* DEE some cards have a card authneticatio cert, so don't
+ * require login User can still add -l or --login flag
+ */
                 if (info.flags & CKF_LOGIN_REQUIRED)
                         opt_login++;
+#endif
         }

         if (do_init_token)


(A better patch would have been to test if the key was visible without
a login, then skip this code.)
Shouldn't it already be reported by info.flags (rendering the patch
useless)?

info.flags indicates the status and capabilities of the device.
The CKF_LOGIN_REQUIRED flag is "TRUE if there are some cryptographic functions
that a user must be logged in to perform".  Frederic is trying to use
one of the cryptographic functions that does not require login.

To me it seems the infrastructure is in place, but maybe some (most?)
drivers don't implement all the needed bits, taking shortcuts...

Correct, but it's not the driver, it is the caller of PKCS#11 that is making
the assumptions.


This might be a better patch that preserves the pkcs11-tool user interface
in that --sign does not require --login. But the patch makes it optional for keys
that are not private, i.e. SC_PKCS15_CO_FLAG_PRIVATE is not set for the key.
With pkcs15-tool -k, look for the Object Flags without the "private" flag
(PKCS#15 standard "4.1.3 Access methods").



diff --git a/src/tools/pkcs11-tool.c b/src/tools/pkcs11-tool.c
index 61a665a..28afdcd 100644
--- a/src/tools/pkcs11-tool.c
+++ b/src/tools/pkcs11-tool.c
@@ -732,14 +732,12 @@ int main(int argc, char * argv[])
        if (do_list_mechs)
                list_mechs(opt_slot);

-       if (do_sign) {
+       if (do_sign || do_derive) {
                CK_TOKEN_INFO   info;

                get_token_info(opt_slot, &info);
                if (!(info.flags & CKF_TOKEN_INITIALIZED))
                        util_fatal("Token not initialized\n");
-               if (info.flags & CKF_LOGIN_REQUIRED)
-                       opt_login++;
        }

        if (do_init_token)
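Review bot: Deleting `if (info.flags & CKF_LOGIN_REQUIRED) opt_login++;` here means this hunk on its own regresses the default behaviour (a --sign on a login-required token would no longer log in without -l); it is only safe together with the second hunk that re-derives opt_login from the private-key lookup after C_OpenSession, so the two hunks must land as one commit. Widening the token-initialized check to `do_derive` is consistent with that later hunk.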
@@ -756,6 +754,20 @@ int main(int argc, char * argv[])
                        p11_fatal("C_OpenSession", rv);
        }

+       /*
+        * most keys require login but not all. If key not visable assume login is needed
+        * we will try later to get the key. This preserves the user interface that
+        * --login is not needed for a --sign operation
+        */
+       if (do_sign || do_derive) {
+               if (opt_login == 0) {
+                       if (!find_object(session, CKO_PRIVATE_KEY, &object,
+                                       opt_object_id_len ? opt_object_id : NULL,
+                                       opt_object_id_len, 0))
+                               opt_login++;
+               }
+       }
+
        if (opt_login) {
                int r;
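Review bot: `find_object()` is passed a NULL id when no --id was given, so on a token holding several non-private private keys the first match silently decides that no login is needed and `object` is bound to it; the code should either require an explicit --id in that situation or at least warn. Because a key hidden by the private flag simply yields no match, a genuinely missing key and a hidden key are indistinguishable until the post-login lookup, which is acceptable but deserves a sentence in the comment. The comment's `visable` should read `visible`.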


BYtE,
 Diego.

------------------------------------------------------------------------------
The best possible search technologies are now affordable for all companies.
Download your FREE open source Enterprise Search Engine today!
Our experts will assist you in its installation for $59/mo, no commitment.
Test it for FREE on our Cloud platform anytime!
http://pubads.g.doubleclick.net/gampad/clk?id=145328191&iu=/4140/ostg.clktrk
_______________________________________________
Opensc-devel mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/opensc-devel


-- 

 Douglas E. Engert  <[hidden email]>
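The behaviour the two patches above argue about (login-on-CKF_LOGIN_REQUIRED versus probe-the-key-first) can be shown without a card. The following is an added example and not OpenSC or pkcs11-tool code: it models a token as a constructed list of objects in which an object marked private (PKCS#15 SC_PKCS15_CO_FLAG_PRIVATE, surfaced as CKA_PRIVATE) is invisible until a login, reimplements a `find_object()` with the same meaning as the one in the diff, and compares the old decision rule with the patched one. The token layout, the key ids 0x45/0x46 and the names `old_login_decision`/`patched_sign_flow` are assumptions made for the demonstration; the PIN check is simulated by setting a flag.

```c
#include <stdio.h>
#include <string.h>

/* PKCS#11 constants used below, with the values from pkcs11.h. */
#define CKF_LOGIN_REQUIRED 0x00000004UL
#define CKO_PRIVATE_KEY    0x00000003UL
#define CKO_PUBLIC_KEY     0x00000002UL

/* Constructed toy model of a token (not OpenSC code). An object whose
 * is_private flag is set is invisible until C_Login; other objects are
 * visible, and usable, without any PIN. */
struct tok_object { unsigned long cls; unsigned char id; int is_private; };

struct token {
    unsigned long flags;          /* stands in for CK_TOKEN_INFO.flags */
    int logged_in;
    struct tok_object objects[4];
    int n_objects;
};

/* Counterpart of pkcs11-tool's find_object(): number of matching objects
 * visible in the current login state; the first match is stored in *out. */
static int find_object(const struct token *t, unsigned long cls,
                       const unsigned char *id, const struct tok_object **out)
{
    int found = 0;
    for (int i = 0; i < t->n_objects; i++) {
        const struct tok_object *o = &t->objects[i];
        if (o->cls != cls)
            continue;
        if (id != NULL && o->id != *id)
            continue;
        if (o->is_private && !t->logged_in)
            continue;                       /* hidden until C_Login */
        if (found++ == 0 && out != NULL)
            *out = o;
    }
    return found;
}

/* Old pkcs11-tool rule: a token reporting CKF_LOGIN_REQUIRED always gets a
 * login before --sign, whatever the key. Returns 1 if a login is done. */
int old_login_decision(const struct token *t, int opt_login)
{
    if (t->flags & CKF_LOGIN_REQUIRED)
        opt_login++;
    return opt_login != 0;
}

/* Patched rule: log in only if the user asked (-l/--login) or the private
 * key is not visible without a login.
 * Returns 0 = signed without login, 1 = logged in then signed,
 *        -1 = key not found even after login. */
int patched_sign_flow(struct token *t, const unsigned char *id, int opt_login)
{
    const struct tok_object *key = NULL;

    if (opt_login == 0 && !find_object(t, CKO_PRIVATE_KEY, id, &key))
        opt_login++;                        /* not visible: assume login needed */

    if (opt_login) {
        t->logged_in = 1;                   /* C_Login(CKU_USER, pin) succeeded */
        if (!find_object(t, CKO_PRIVATE_KEY, id, &key))
            return -1;                      /* still no such key */
        return 1;
    }
    return 0;                               /* key usable with no PIN at all */
}

/* Demo token (constructed): a PIN-protected key (id 0x45) and a
 * card-authentication style key (id 0x46) not marked private. The token
 * still reports CKF_LOGIN_REQUIRED because *some* function needs a login. */
static struct token make_demo_token(void)
{
    struct token t = { CKF_LOGIN_REQUIRED, 0, {
        { CKO_PRIVATE_KEY, 0x45, 1 },
        { CKO_PUBLIC_KEY,  0x45, 0 },
        { CKO_PRIVATE_KEY, 0x46, 0 },
    }, 3 };
    return t;
}

/* Named scenarios so the outcomes can be checked without a card. */
int demo_pin_key_needs_login(void)
{ struct token t = make_demo_token(); unsigned char id = 0x45;
  return patched_sign_flow(&t, &id, 0); }              /* 1 */
int demo_cardauth_key_no_login(void)
{ struct token t = make_demo_token(); unsigned char id = 0x46;
  return patched_sign_flow(&t, &id, 0); }              /* 0 */
int demo_old_code_always_logs_in(void)
{ struct token t = make_demo_token();
  return old_login_decision(&t, 0); }                  /* 1 */
int demo_missing_key(void)
{ struct token t = make_demo_token(); unsigned char id = 0x99;
  return patched_sign_flow(&t, &id, 0); }              /* -1 */

int main(void)
{
    printf("PIN key 0x45 -> %d (1 = login performed)\n", demo_pin_key_needs_login());
    printf("card-auth key 0x46 -> %d (0 = no login)\n", demo_cardauth_key_no_login());
    printf("old rule on the same token -> %d\n", demo_old_code_always_logs_in());
    printf("missing key 0x99 -> %d\n", demo_missing_key());
    return 0;
}
```

The third scenario is the point of the thread: CKF_LOGIN_REQUIRED is a token-wide statement that some function needs a login, so a caller that keys its decision on it alone logs in even for a key that was deliberately left usable without a PIN, whereas probing the key first only logs in when the object is actually hidden.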





Re: using MyEID without a PIN

Douglas E Engert
Most likely the

On 6/6/2014 7:32 AM, Frederic Van De Velde wrote:

> Hi,
>
> I have received information from Aventra on how to create a MyEID card without protection on private key by changing the myeid.profile file of OpenSC.
>
> But now I try one step further to use the card without a PIN for authentication using SSH:
>
>   ssh -vvvv -I /home/frederic/opensc/lib/opensc-pkcs11.so olivier@10.211.55.10
>
> If I try with a PIN protected card it's working after I enter the PIN.
> With the card without PIN the key is not sent to the SSH server and I get the next authentication method which is password.
>
> I made a trace with OPENSC_DEBUG=9 and it seems that the framework-pkcs15.c file only returns keys that have a PIN associated
>

Most likely the SC_PKCS15_CO_FLAG_PRIVATE is set on the key.



> Here is the output with the PIN CODE:
>
> 0x7f3d144f77c0 14:17:25.213 [opensc-pkcs11] framework-pkcs15.c:673:pkcs15_create_pkcs11_objects: Found 0 data objects
> 0x7f3d144f77c0 14:17:25.213 [opensc-pkcs11] framework-pkcs15.c:780:pkcs15_bind_related_objects: Looking for objects related to object 0
> 0x7f3d144f77c0 14:17:25.213 [opensc-pkcs11] framework-pkcs15.c:688:__pkcs15_prkey_bind_related: Object is a private key and has id 45
> 0x7f3d144f77c0 14:17:25.213 [opensc-pkcs11] framework-pkcs15.c:713:__pkcs15_prkey_bind_related: Associating object 1 as public key
> 0x7f3d144f77c0 14:17:25.213 [opensc-pkcs11] framework-pkcs15.c:780:pkcs15_bind_related_objects: Looking for objects related to object 1
> 0x7f3d144f77c0 14:17:25.213 [opensc-pkcs11] framework-pkcs15.c:780:pkcs15_bind_related_objects: Looking for objects related to object 2
> 0x7f3d144f77c0 14:17:25.213 [opensc-pkcs11] framework-pkcs15.c:730:__pkcs15_cert_bind_related: Object is a certificate and has id 45
> 0x7f3d144f77c0 14:17:25.213 [opensc-pkcs11] framework-pkcs15.c:759:__pkcs15_cert_bind_related: Associating object 0 as private key
> 0x7f3d144f77c0 14:17:25.213 [opensc-pkcs11] framework-pkcs15.c:1013:_pkcs15_create_typed_objects: found 3 FW objects
> 0x7f3d144f77c0 14:17:25.213 [opensc-pkcs11] framework-pkcs15.c:1222:pkcs15_create_tokens: Found 3 FW objects objects
> 0x7f3d144f77c0 14:17:25.213 [opensc-pkcs11] framework-pkcs15.c:1238:pkcs15_create_tokens: Found 1 authentication objects
> 0x7f3d144f77c0 14:17:25.213 [opensc-pkcs11] framework-pkcs15.c:1247:pkcs15_create_tokens: Found authentication object 'Basic PIN'
> 0x7f3d144f77c0 14:17:25.213 [opensc-pkcs11] slot.c:330:slot_allocate: Allocated slot 0x1 for card in reader Pertosmart Card Reader 00 00
> 0x7f3d144f77c0 14:17:25.213 [opensc-pkcs11] framework-pkcs15.c:939:pkcs15_init_slot: Initialized token 'MyEID (Basic PIN)' in slot 0x1
> 0x7f3d144f77c0 14:17:25.213 [opensc-pkcs11] framework-pkcs15.c:1104:_add_pin_related_objects: Add objects related to PIN('Basic PIN',ID:01)
> 0x7f3d144f77c0 14:17:25.213 [opensc-pkcs11] framework-pkcs15.c:1116:_add_pin_related_objects: ObjID(0x7f3d1585a270,Private Key,101):01
> 0x7f3d144f77c0 14:17:25.213 [opensc-pkcs11] framework-pkcs15.c:1123:_add_pin_related_objects: Slot:0x7f3d15857b80, obj:0x7f3d1585a270  Adding private key 0 to PIN 'Basic PIN'
> 0x7f3d144f77c0 14:17:25.213 [opensc-pkcs11] framework-pkcs15.c:837:pkcs15_add_object: Slot:1 Setting object handle of 0x0 to 0x7f3d1585a270
> 0x7f3d144f77c0 14:17:25.213 [opensc-pkcs11] framework-pkcs15.c:837:pkcs15_add_object: Slot:1 Setting object handle of 0x0 to 0x7f3d1585bbd0
> 0x7f3d144f77c0 14:17:25.213 [opensc-pkcs11] framework-pkcs15.c:837:pkcs15_add_object: Slot:1 Setting object handle of 0x0 to 0x7f3d1585bda0
> 0x7f3d144f77c0 14:17:25.213 [opensc-pkcs11] framework-pkcs15.c:1160:_add_public_objects: 3 public objects to process
> 0x7f3d144f77c0 14:17:25.213 [opensc-pkcs11] framework-pkcs15.c:1313:pkcs15_create_tokens: All tokens created
> 0x7f3d144f77c0 14:17:25.213 [opensc-pkcs11] slot.c:298:card_detect: Pertosmart Card Reader 00 00: Detection ended
> 0x7f3d144f77c0 14:17:25.213 [opensc-pkcs11] pkcs11-global.c:259:C_Initialize: C_Initialize() = CKR_OK
> 0x7f3d144f77c0 14:17:25.213 [opensc-pkcs11] pkcs11-global.c:329:C_GetInfo: C_GetInfo()
> debug1: manufacturerID <OpenSC (www.opensc-project.org)> cryptokiVersion 2.20 libraryDescription <Smart card PKCS#11 API> libraryVersion 0.0
> 0x7f3d144f77c0 14:17:25.213 [opensc-pkcs11] pkcs11-global.c:375:C_GetSlotList: C_GetSlotList(token=1, plug-n-play)
>
> And without the PIN code:
>
> 0x7ff2fe47d7c0 14:12:43.241 [opensc-pkcs11] framework-pkcs15.c:673:pkcs15_create_pkcs11_objects: Found 0 data objects
> 0x7ff2fe47d7c0 14:12:43.241 [opensc-pkcs11] framework-pkcs15.c:780:pkcs15_bind_related_objects: Looking for objects related to object 0
> 0x7ff2fe47d7c0 14:12:43.241 [opensc-pkcs11] framework-pkcs15.c:688:__pkcs15_prkey_bind_related: Object is a private key and has id 45
> 0x7ff2fe47d7c0 14:12:43.241 [opensc-pkcs11] framework-pkcs15.c:713:__pkcs15_prkey_bind_related: Associating object 1 as public key
> 0x7ff2fe47d7c0 14:12:43.241 [opensc-pkcs11] framework-pkcs15.c:780:pkcs15_bind_related_objects: Looking for objects related to object 1
> 0x7ff2fe47d7c0 14:12:43.241 [opensc-pkcs11] framework-pkcs15.c:780:pkcs15_bind_related_objects: Looking for objects related to object 2
> 0x7ff2fe47d7c0 14:12:43.241 [opensc-pkcs11] framework-pkcs15.c:730:__pkcs15_cert_bind_related: Object is a certificate and has id 45
> 0x7ff2fe47d7c0 14:12:43.241 [opensc-pkcs11] framework-pkcs15.c:759:__pkcs15_cert_bind_related: Associating object 0 as private key
> 0x7ff2fe47d7c0 14:12:43.241 [opensc-pkcs11] framework-pkcs15.c:1013:_pkcs15_create_typed_objects: found 3 FW objects
> 0x7ff2fe47d7c0 14:12:43.241 [opensc-pkcs11] framework-pkcs15.c:1222:pkcs15_create_tokens: Found 3 FW objects objects
> 0x7ff2fe47d7c0 14:12:43.241 [opensc-pkcs11] framework-pkcs15.c:1238:pkcs15_create_tokens: Found 0 authentication objects

Look at the "if" code just after the above line. It is expecting at least one PIN. Your situation is unusual as there are no PINs.
The code may need to create at least one slot, even if there are no PINs.

You could add a PIN that is not associated with the key you want to use, to see if this is the case.

Make sure the SC_PKCS15_CO_FLAG_PRIVATE flag is not set on the key. If it is set, then it cannot be seen without using a PIN first.


> 0x7ff2fe47d7c0 14:12:43.241 [opensc-pkcs11] framework-pkcs15.c:1313:pkcs15_create_tokens: All tokens created
> 0x7ff2fe47d7c0 14:12:43.241 [opensc-pkcs11] slot.c:298:card_detect: Pertosmart Card Reader 00 00: Detection ended
> 0x7ff2fe47d7c0 14:12:43.241 [opensc-pkcs11] pkcs11-global.c:411:C_GetSlotList: was only a size inquiry (0)
> no slots
>
> Notice the difference  on authentication object found:
>
> 0x7f3d144f77c0 14:17:25.213 [opensc-pkcs11] framework-pkcs15.c:1238:pkcs15_create_tokens: Found 1 authentication objects
>
> 0x7ff2fe47d7c0 14:12:43.241 [opensc-pkcs11] framework-pkcs15.c:1238:pkcs15_create_tokens: Found 0 authentication objects
>
> I tried to see how I could change the logic in the framework-pkcs15.c file but wasn't able to figure it out.
>
> Regards,
> Frederic.
>
> On 27 May 2014, at 11:13, Frederic Van De Velde <[hidden email]> wrote:
>
>> I gave it a try and, bad news, my card is not showing the private key using pkcs11-tool -O
>>
>> # pkcs11-tool --slot 1 --module /usr/lib/opensc-pkcs11.so -O --id 45
>> Public Key Object; RSA 1024 bits
>>   label:      Public Key
>>   ID:         45
>>   Usage:      verify
>> Certificate Object, type = X.509 cert
>>   label:      Certificate
>>   ID:         45
>>
>> I also patched pkcs11-tool but it still asks me for the PIN.
>>
>> Do you have any advice on a smart card that will support having no PIN?
>>
>> Regards,
>> Frederic.
>>
>>
>> On 26 May 2014, at 15:09, Douglas E Engert <[hidden email]> wrote:
>>
>>>
>>>
>>> On 5/26/2014 3:59 AM, NdK wrote:
>>>> Il 23/05/2014 16:39, Douglas E Engert ha scritto:
>>>>> Some cards can have a private key that does not require a  C_Login.
>>>>> The PIV card for example as a Card Authentication cert and key so
>>>>> the card can authenticate itself, and not the user.
>>>>
>>>>> The problem is that 99% of code assumes that to use any key on the
>>>>> card requires a call to C_Login.
>>>> Just because 99% of the code is not well-written doesn't mean the
>>>> remaining 1% should not work...
>>>
>>> The point I was making is that pkcs11-tool is one of the 99%, making
>>> the assumption that you must login to use any key.  pkcs11-tool has
>>> a --login option to allow the user to specify if login should be done.
>>> In the current source the --sign option in effect always adds the --login
>>> option.
>>>
>>> The patch below was for testing to see if Frederic could get past
>>> this point in the code, as there may be other places in the code that
>>> might also make assumptions.  It was not meant to be in the base code.
>>>
>>>>
>>>>> @@ -738,8 +738,13 @@ int main(int argc, char * argv[])
>>>>>                  get_token_info(opt_slot, &info);
>>>>>                  if (!(info.flags & CKF_TOKEN_INITIALIZED))
>>>>>                          util_fatal("Token not initialized\n");
>>>>> +#if 0
>>>>> +/* DEE some cards have a card authneticatio cert, so don't
>>>>> + * require login User can still add -l or --login flag
>>>>> + */
>>>>>                  if (info.flags & CKF_LOGIN_REQUIRED)
>>>>>                          opt_login++;
>>>>> +#endif
>>>>>          }
>>>>>
>>>>>          if (do_init_token)
>>>>>
>>>>>
>>>>> (A better patch would have been to test if the key was visible without
>>>>> a login, then skip this code.)
>>>> Shouldn't it already be reported by info.flags (rendering the patch
>>>> useless)?
>>>
>>> info.flags indicates the status and capabilities of the device.
>>> The CKF_LOGIN_REQUIRED flag is "TRUE if there are some cryptographic functions
>>> that a user must be logged in to perform".  Frederic is trying to use
>>> one of the cryptographic functions that does not require login.
>>>
>>>> To me it seems the infrastructure is in place, but maybe some (most?)
>>>> drivers don't implement all the needed bits, taking shortcuts...
>>>
>>> Correct, but it's not the driver, it is the caller of PKCS#11 that is making
>>> the assumptions.
>>>
>>>
>>> This might be a better patch that preserves the pkcs11-tool user interface
>>> in that --sign does not require --login. But the patch makes it optional for keys
>>> that are not private, i.e. SC_PKCS15_CO_FLAG_PRIVATE is not set for the key.
>>> With pkcs15-tool -k, look for the Object Flags without the "private" flag
>>> (PKCS#15 standard "4.1.3 Access methods").
>>>
>>>
>>>
>>> diff --git a/src/tools/pkcs11-tool.c b/src/tools/pkcs11-tool.c
>>> index 61a665a..28afdcd 100644
>>> --- a/src/tools/pkcs11-tool.c
>>> +++ b/src/tools/pkcs11-tool.c
>>> @@ -732,14 +732,12 @@ int main(int argc, char * argv[])
>>>         if (do_list_mechs)
>>>                 list_mechs(opt_slot);
>>>
>>> -       if (do_sign) {
>>> +       if (do_sign || do_derive) {
>>>                 CK_TOKEN_INFO   info;
>>>
>>>                 get_token_info(opt_slot, &info);
>>>                 if (!(info.flags & CKF_TOKEN_INITIALIZED))
>>>                         util_fatal("Token not initialized\n");
>>> -               if (info.flags & CKF_LOGIN_REQUIRED)
>>> -                       opt_login++;
>>>         }
>>>
>>>         if (do_init_token)
>>> @@ -756,6 +754,20 @@ int main(int argc, char * argv[])
>>>                         p11_fatal("C_OpenSession", rv);
>>>         }
>>>
>>> +       /*
>>> +        * most keys require login but not all. If key not visable assume login is needed
>>> +        * we will try later to get the key. This preserves the user interface that
>>> +        * --login is not needed for a --sign operation
>>> +        */
>>> +       if (do_sign || do_derive) {
>>> +               if (opt_login == 0) {
>>> +                       if (!find_object(session, CKO_PRIVATE_KEY, &object,
>>> +                                       opt_object_id_len ? opt_object_id : NULL,
>>> +                                       opt_object_id_len, 0))
>>> +                               opt_login++;
>>> +               }
>>> +       }
>>> +
>>>         if (opt_login) {
>>>                 int r;
>>>
>>>>
>>>> BYtE,
>>>>  Diego.
>>>>
>>>
>>> --
>>>
>>>  Douglas E. Engert  <[hidden email]>
>>>
>>>

--

  Douglas E. Engert  <[hidden email]>
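Douglas's advice, in both his messages, is to check the key's Object Flags with `pkcs15-tool -k`: a key without the "private" flag is listed (and, if no PIN object binds it, usable) without any login, which is exactly the property an administrator auditing cards would want to spot. The parser below is an added example, not part of OpenSC or of this thread; the sample text is constructed in the layout pkcs15-tool prints, with the key labels, Key ref values and the PIN-less second key invented for the demonstration, and the function names are the example's own.

```c
#include <stdio.h>
#include <string.h>

#define MAX_KEYS 8

struct key_info {
    char id[32];        /* value of the "ID" line */
    char auth_id[32];   /* value of the "Auth ID" line, empty if not printed */
    int  flag_private;  /* "private" present in Object Flags */
};

/* Copy the value after the first ':' on a "Name : value" line, trimmed. */
static void copy_value(char *dst, size_t cap, const char *line)
{
    const char *v = strchr(line, ':');
    size_t n;
    dst[0] = '\0';
    if (v == NULL)
        return;
    v++;
    while (*v == ' ' || *v == '\t')
        v++;
    n = strlen(v);
    while (n > 0 && (v[n - 1] == ' ' || v[n - 1] == '\t' || v[n - 1] == '\r'))
        n--;
    if (n >= cap)
        n = cap - 1;
    memcpy(dst, v, n);
    dst[n] = '\0';
}

/* Parse the text of `pkcs15-tool -k`; every line starting with "Private "
 * opens a new key block. Returns the number of keys parsed. */
int parse_pkcs15_keys(const char *text, struct key_info *keys, int max)
{
    int n = 0;
    const char *p = text;

    while (*p != '\0') {
        const char *eol = strchr(p, '\n');
        size_t len = eol ? (size_t)(eol - p) : strlen(p);
        char line[256];
        const char *s;

        if (len >= sizeof line)
            len = sizeof line - 1;
        memcpy(line, p, len);
        line[len] = '\0';
        p = eol ? eol + 1 : p + len;

        s = line;
        while (*s == ' ' || *s == '\t')
            s++;

        if (strncmp(s, "Private ", 8) == 0) {
            if (n == max)
                break;
            memset(&keys[n], 0, sizeof keys[n]);
            n++;
        } else if (n > 0) {
            struct key_info *k = &keys[n - 1];
            if (strncmp(s, "Object Flags", 12) == 0)
                k->flag_private = strstr(s, "private") != NULL;
            else if (strncmp(s, "Auth ID", 7) == 0)
                copy_value(k->auth_id, sizeof k->auth_id, s);
            else if (strncmp(s, "ID", 2) == 0 && (s[2] == ' ' || s[2] == '\t' || s[2] == ':'))
                copy_value(k->id, sizeof k->id, s);
        }
    }
    return n;
}

/* Keys listed without the "private" object flag are enumerable without a
 * login; with no Auth ID they are also not bound to any PIN object. */
int count_unprotected(const struct key_info *keys, int n)
{
    int c = 0;
    for (int i = 0; i < n; i++)
        if (!keys[i].flag_private)
            c++;
    return c;
}

/* Constructed sample: the usual PIN-bound key and one made from a profile
 * without a PIN. Values are invented for the demonstration. */
static const char SAMPLE[] =
    "Using reader with a card: Pertosmart Card Reader 00 00\n"
    "Private RSA Key [Private Key]\n"
    "\tObject Flags   : [0x3], private, modifiable\n"
    "\tUsage          : [0x2E], decrypt, sign, signRecover, unwrap\n"
    "\tAccess Flags   : [0x1D], sensitive, alwaysSensitive, neverExtract, local\n"
    "\tModLength      : 1024\n"
    "\tKey ref        : 1 (0x1)\n"
    "\tNative         : yes\n"
    "\tAuth ID        : 01\n"
    "\tID             : 45\n"
    "Private RSA Key [SSH key, no PIN]\n"
    "\tObject Flags   : [0x2], modifiable\n"
    "\tUsage          : [0x2E], decrypt, sign, signRecover, unwrap\n"
    "\tAccess Flags   : [0x1D], sensitive, alwaysSensitive, neverExtract, local\n"
    "\tModLength      : 1024\n"
    "\tKey ref        : 2 (0x2)\n"
    "\tNative         : yes\n"
    "\tID             : 46\n";

int demo_key_count(void)
{ struct key_info k[MAX_KEYS]; return parse_pkcs15_keys(SAMPLE, k, MAX_KEYS); }
int demo_unprotected_count(void)
{ struct key_info k[MAX_KEYS]; int n = parse_pkcs15_keys(SAMPLE, k, MAX_KEYS);
  return count_unprotected(k, n); }

int main(void)
{
    struct key_info keys[MAX_KEYS];
    int n = parse_pkcs15_keys(SAMPLE, keys, MAX_KEYS);
    for (int i = 0; i < n; i++)
        printf("key id %s: %s%s\n", keys[i].id,
               keys[i].flag_private ? "private (hidden until PIN)" : "NOT private",
               keys[i].auth_id[0] ? "" : ", no Auth ID");
    printf("%d key(s) without the private flag\n", count_unprotected(keys, n));
    return 0;
}
```

Run against real output (`pkcs15-tool -k > keys.txt`) the same parser reports which keys on a card can be enumerated, and signed with, without a PIN; in Frederic's case the expected result for the SSH key is exactly "NOT private, no Auth ID", and on a production card it is the condition to alert on.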



Re: using MyEID without a PIN

hiwk
In reply to this post by Frederic Van De Velde
> I have received information from Aventra on how to create a MyEID card without protection on private key by changing the myeid.profile file of OpenSC.


Care to share how? I would like to play around with cards without PIN.