Bug 2533 - problem with deep keys with opensc
Summary: problem with deep keys with opensc
Status: CLOSED FIXED
Alias: None
Product: ThinLinc
Classification: Unclassified
Component: Smart card
Version: pre-1.0
Hardware: PC Linux
Importance: P2 Normal
Target Milestone: 4.2.0
Assignee: Henrik Andersson
URL:
Keywords: astrand_tester, prosaic
Depends on:
Blocks:
 
Reported: 2007-10-08 14:50 CEST by Pierre Ossman
Modified: 2014-04-16 15:44 CEST

See Also:
Acceptance Criteria:


Attachments

Description Pierre Ossman cendio 2007-10-08 14:50:56 CEST
OpenSC has trouble using keys stored several subdirs down on the card. Telia's eID is one card with this structure.

A bug has been filed in OpenSC's trac:

https://www.opensc-project.org/opensc/ticket/162
Comment 1 Pierre Ossman cendio 2013-12-04 13:51:03 CET
"Implementation" of this bug consists of checking that we have a recent enough version of OpenSC, and verifying that it is indeed fixed.
Comment 2 Henrik Andersson cendio 2014-03-12 08:04:46 CET
The issue indicates that fixes are included in version 0.12.3 and our tarball vendordrop used in client is 0.12.2
Comment 3 Henrik Andersson cendio 2014-03-12 08:09:29 CET
(In reply to comment #2)
> The issue indicates that fixes are included in version 0.12.3 and our tarball
> vendordrop used in client is 0.12.2

Next stable release available after 0.12.2 is 0.13.0
Comment 4 Henrik Andersson cendio 2014-03-12 15:15:21 CET
Release 1.3.0 has two problems that make it fail:

1. The certificate size is wrong, which makes our libtasn parser
   fail. Fedora has a backported fix for this regression which works fine.
   
   http://pkgs.fedoraproject.org/cgit/opensc.git/tree/0001-pkcs15-regression-in-e35febe-compute-cert-length.patch

2. A config file needs to be present to initialize default values.
   If not present, only the first certificate/key slot is available.
   Fix is in PR upstream: https://github.com/OpenSC/OpenSC/pull/223
Comment 5 Henrik Andersson cendio 2014-03-13 11:29:05 CET
(In reply to comment #4)

Upgraded opensc to version 0.13.0 in vendordrop commit r28604.

> 1. The certificate size is wrong, which makes our libtasn parser
>    fail. Fedora has a backported fix for this regression which works fine.
> 
>   
> http://pkgs.fedoraproject.org/cgit/opensc.git/tree/0001-pkcs15-regression-in-e35febe-compute-cert-length.patch

Applied patch in commit r28605.

> 2. A config file needs to be present to initialize default values.
>    If not present, only the first certificate/key slot is available.
>    Fix is in PR upstream: https://github.com/OpenSC/OpenSC/pull/223

Applied patch in commit r28607.


Commit r28606 will bring the PIN unlock functionality back to the vendordrop; it was excluded from the merge due to heavy conflicts.
Comment 6 Henrik Andersson cendio 2014-03-13 12:32:38 CET
Cross compiling using mingw fails with the following error:

Creating library file: .libs/opensc-pkcs11.dll.a
.libs/framework-pkcs15.o: In function `pkcs15_skey_destroy':
framework-pkcs15.c:2749: undefined reference to `___pkcs15_delete_object'
collect2: ld returned 1 exit status
make[6]: *** [opensc-pkcs11.la] Error 1
Comment 7 Henrik Andersson cendio 2014-03-13 12:44:56 CET
(In reply to comment #6)
> Cross compiling using mingw fails with the following error:
> 
> Creating library file: .libs/opensc-pkcs11.dll.a
> .libs/framework-pkcs15.o: In function `pkcs15_skey_destroy':
> framework-pkcs15.c:2749: undefined reference to `___pkcs15_delete_object'
> collect2: ld returned 1 exit status
> make[6]: *** [opensc-pkcs11.la] Error 1

Upstream commit 9a05414f fixes this problem, let's backport it.
Comment 8 Henrik Andersson cendio 2014-03-13 12:50:00 CET
Windows build fails with:

pkcs11-tool.o: In function `main':
pkcs11-tool.c:392: undefined reference to `_set_fmode'
collect2: ld returned 1 exit status
make[4]: *** [pkcs11-tool.exe] Error 1
Comment 9 Henrik Andersson cendio 2014-03-13 12:58:42 CET
(In reply to comment #7)
> (In reply to comment #6)
> > Cross compiling using mingw fails with the following error:
> > 
> > Creating library file: .libs/opensc-pkcs11.dll.a
> > .libs/framework-pkcs15.o: In function `pkcs15_skey_destroy':
> > framework-pkcs15.c:2749: undefined reference to `___pkcs15_delete_object'
> > collect2: ld returned 1 exit status
> > make[6]: *** [opensc-pkcs11.la] Error 1
> 
> Upstream commit 9a05414f fixes this problem, let's backport it.

Fixed in commit 28609.
Comment 10 Henrik Andersson cendio 2014-03-13 13:37:21 CET
(In reply to comment #8)
> Windows build fails with:
> 
> pkcs11-tool.o: In function `main':
> pkcs11-tool.c:392: undefined reference to `_set_fmode'
> collect2: ld returned 1 exit status
> make[4]: *** [pkcs11-tool.exe] Error 1

set_fmode is an msvc-specific function and does not exist in gcc/mingw.
Commit 28610 solves the issue by setting _fmode explicitly when using mingw.

Upstream has changed this code to use _setmode on stdin/stdout, which should work with both msvc and mingw...
Comment 11 Henrik Andersson cendio 2014-03-13 13:45:13 CET
Tested with both x86_64 and win32 build of opensc-pkcs11.so/dll and it works as expected.
Comment 12 Henrik Andersson cendio 2014-03-14 06:57:35 CET
Build for OSX fails with the following message:

>  CCLD     pkcs11-tool
>/usr/lib/gcc/i686-apple-darwin8/4.5.4/../../../../i686-apple-darwin8/bin/ld: Undefined symbols:
>_EVP_sha256
>collect2: ld returned 1 exit status
>make[7]: *** [pkcs11-tool] Error 1
Comment 13 Henrik Andersson cendio 2014-03-14 09:54:51 CET
(In reply to comment #12)
> Build for OSX fails with the following message:
> 
> >  CCLD     pkcs11-tool
> >/usr/lib/gcc/i686-apple-darwin8/4.5.4/../../../../i686-apple-darwin8/bin/ld: Undefined symbols:
> >_EVP_sha256
> >collect2: ld returned 1 exit status
> >make[7]: *** [pkcs11-tool] Error 1

Fixed in commit r28615.
Comment 14 Henrik Andersson cendio 2014-03-14 09:55:24 CET
Build fails on Solaris...

iasecc-sm.c:30:2: error: #error "Need OpenSSL"
  CC       pkcs15-infocamere.lo
iasecc-sm.c:88:1: warning: 'iasecc_sm_transmit_apdus' defined but not used
iasecc-sm.c:131:1: warning: 'sm_release' defined but not used
iasecc-sm.c:225:1: warning: 'iasecc_sm_se_mutual_authentication' defined but not used
iasecc-sm.c:279:1: warning: 'iasecc_sm_get_challenge' defined but not used
iasecc-sm.c:367:1: warning: 'iasecc_sm_cmd' defined but not used
make[7]: *** [iasecc-sm.lo] Error 1
Comment 15 Henrik Andersson cendio 2014-03-14 10:08:39 CET
(In reply to comment #14)
> Build fails on Solaris...
> 
> iasecc-sm.c:30:2: error: #error "Need OpenSSL"
>   CC       pkcs15-infocamere.lo
> iasecc-sm.c:88:1: warning: 'iasecc_sm_transmit_apdus' defined but not used
> iasecc-sm.c:131:1: warning: 'sm_release' defined but not used
> iasecc-sm.c:225:1: warning: 'iasecc_sm_se_mutual_authentication' defined but
> not used
> iasecc-sm.c:279:1: warning: 'iasecc_sm_get_challenge' defined but not used
> iasecc-sm.c:367:1: warning: 'iasecc_sm_cmd' defined but not used
> make[7]: *** [iasecc-sm.lo] Error 1

Looks like this has been fixed upstream; a backport of the fix is needed.
Comment 16 Henrik Andersson cendio 2014-03-14 10:12:07 CET
(In reply to comment #15)
> (In reply to comment #14)
> > Build fails on Solaris...
> > 
> > iasecc-sm.c:30:2: error: #error "Need OpenSSL"
> >   CC       pkcs15-infocamere.lo
> > iasecc-sm.c:88:1: warning: 'iasecc_sm_transmit_apdus' defined but not used
> > iasecc-sm.c:131:1: warning: 'sm_release' defined but not used
> > iasecc-sm.c:225:1: warning: 'iasecc_sm_se_mutual_authentication' defined but
> > not used
> > iasecc-sm.c:279:1: warning: 'iasecc_sm_get_challenge' defined but not used
> > iasecc-sm.c:367:1: warning: 'iasecc_sm_cmd' defined but not used
> > make[7]: *** [iasecc-sm.lo] Error 1
> 
> Looks like this has been fixed upstream; a backport of the fix is needed.

Fixed in commit 28617.
Comment 17 Henrik Andersson cendio 2014-03-14 14:33:19 CET
OSX build can't read the smartcard.
Comment 18 Henrik Andersson cendio 2014-03-17 08:17:43 CET
(In reply to comment #17)
> OSX build can't read the smartcard.

Diffing the debug logs of the OSX and Linux clients, I found the point where it breaks.
Just after decoding the TokenInfo ASN and where a slot should be created, the OSX version fails with:

0xa167f1a8 07:42:56.989 [opensc-pkcs11] framework-pkcs15.c:239:pkcs15_bind: cannot register mechanisms; CKR 0x70
0xa167f1a8 07:42:56.989 [opensc-pkcs11] slot.c:284:card_detect: OmniKey CardMan 3121 00 00: cannot bind Telia EID IP5a token.
0xa167f1a8 07:42:56.989 [opensc-pkcs11] slot.c:281:card_detect: OmniKey CardMan 3121 00 00: Binding Telia EID IP5a-Sign token.
0xa167f1a8 07:42:56.989 [opensc-pkcs11] framework-pkcs15.c:220:pkcs15_bind: Bind PKCS#15 'Telia EID IP5a-Sign' application
0xa167f1a8 07:42:56.989 [opensc-pkcs11] pkcs15.c:1134:sc_pkcs15_bind: called
0xa167f1a8 07:42:56.989 [opensc-pkcs11] pkcs15.c:1135:sc_pkcs15_bind: application(aid:'A000000167455349474E')

And the rest of the log will differ from this point...
Comment 19 Henrik Andersson cendio 2014-03-17 08:26:14 CET
(In reply to comment #18)
> (In reply to comment #17)
> > OSX build can't read the smartcard.
> 
> Diffing the debug logs of the OSX and Linux clients, I found the point where it breaks.
> Just after decoding the TokenInfo ASN and where a slot should be created, the OSX
> version fails with:
> 
> 0xa167f1a8 07:42:56.989 [opensc-pkcs11] framework-pkcs15.c:239:pkcs15_bind:
> cannot register mechanisms; CKR 0x70
> 0xa167f1a8 07:42:56.989 [opensc-pkcs11] slot.c:284:card_detect: OmniKey CardMan
> 3121 00 00: cannot bind Telia EID IP5a token.
> 0xa167f1a8 07:42:56.989 [opensc-pkcs11] slot.c:281:card_detect: OmniKey CardMan
> 3121 00 00: Binding Telia EID IP5a-Sign token.
> 0xa167f1a8 07:42:56.989 [opensc-pkcs11] framework-pkcs15.c:220:pkcs15_bind:
> Bind PKCS#15 'Telia EID IP5a-Sign' application
> 0xa167f1a8 07:42:56.989 [opensc-pkcs11] pkcs15.c:1134:sc_pkcs15_bind: called
> 0xa167f1a8 07:42:56.989 [opensc-pkcs11] pkcs15.c:1135:sc_pkcs15_bind:
> application(aid:'A000000167455349474E')
> 
> And the rest of the log will differ from this point...

CKR 0x70 == CKR_MECHANISM_INVALID
Comment 20 Henrik Andersson cendio 2014-03-17 08:43:30 CET
(In reply to comment #19)
> (In reply to comment #18)
> > (In reply to comment #17)
> > > OSX build can't read the smartcard.
> > 
> > Diffing the debug logs of the OSX and Linux clients, I found the point where it breaks.
> > Just after decoding the TokenInfo ASN and where a slot should be created, the OSX
> > version fails with:
> > 
> > 0xa167f1a8 07:42:56.989 [opensc-pkcs11] framework-pkcs15.c:239:pkcs15_bind:
> > cannot register mechanisms; CKR 0x70
> > 0xa167f1a8 07:42:56.989 [opensc-pkcs11] slot.c:284:card_detect: OmniKey CardMan
> > 3121 00 00: cannot bind Telia EID IP5a token.
> > 0xa167f1a8 07:42:56.989 [opensc-pkcs11] slot.c:281:card_detect: OmniKey CardMan
> > 3121 00 00: Binding Telia EID IP5a-Sign token.
> > 0xa167f1a8 07:42:56.989 [opensc-pkcs11] framework-pkcs15.c:220:pkcs15_bind:
> > Bind PKCS#15 'Telia EID IP5a-Sign' application
> > 0xa167f1a8 07:42:56.989 [opensc-pkcs11] pkcs15.c:1134:sc_pkcs15_bind: called
> > 0xa167f1a8 07:42:56.989 [opensc-pkcs11] pkcs15.c:1135:sc_pkcs15_bind:
> > application(aid:'A000000167455349474E')
> > 
> > And the rest of the log will differ from this point...
> 
> CKR 0x70 == CKR_MECHANISM_INVALID

Fixed in commit 28643.
Comment 21 Peter Åstrand cendio 2014-04-16 15:44:19 CEST
Verified using my Telia e-leg. With 4.1.1, I was not able to authenticate with the signing certificate. With build 4325, this works perfectly fine. I've verified that the PIN for this cert is located in a deeper path:

PIN [legitimering]
        Object Flags   : [0x3], private, modifiable
        ID             : 01
        Flags          : [0x32], local, initialized, needs-padding
        Length         : min_len:6, max_len:8, stored_len:8
        Pad char       : 0x00
        Reference      : 129 (0x81)
        Type           : ascii-numeric
        Path           : 3f00

PIN [underskrift]
        Object Flags   : [0x3], private, modifiable
        ID             : 02
        Flags          : [0x32], local, initialized, needs-padding
        Length         : min_len:6, max_len:8, stored_len:8
        Pad char       : 0x00
        Reference      : 130 (0x82)
        Type           : ascii-numeric
        Path           : 3f005016
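The check Peter performed by eye above (which PIN objects live in a directory below the MF, the "deep" case this bug is about) as a small script. This is an added example, not part of the bug report or of OpenSC; the sample dump is constructed from the pkcs15-tool output in the comment, and paths are split into 2-byte ISO 7816-4 file identifiers (3f00 is the MF).

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed sample, modelled on the pkcs15-tool PIN listing quoted in comment 21.
SAMPLE_PIN_DUMP = """\
PIN [legitimering]
        Object Flags   : [0x3], private, modifiable
        ID             : 01
        Length         : min_len:6, max_len:8, stored_len:8
        Reference      : 129 (0x81)
        Path           : 3f00

PIN [underskrift]
        Object Flags   : [0x3], private, modifiable
        ID             : 02
        Length         : min_len:6, max_len:8, stored_len:8
        Reference      : 130 (0x82)
        Path           : 3f005016
"""

MF_FID = "3f00"  # master file, the root of the card's file system


@dataclass
class PinObject:
    label: str
    pin_id: str
    path: List[str]  # 2-byte FIDs from the MF down, e.g. ["3f00", "5016"]

    @property
    def depth(self) -> int:
        """Number of dedicated files below the MF that must be selected."""
        return len(self.path) - 1 if self.path[:1] == [MF_FID] else len(self.path)


def split_path(hex_path: str) -> List[str]:
    """Split an ISO 7816-4 path such as '3f005016' into its 2-byte FIDs."""
    hex_path = hex_path.strip().lower()
    if len(hex_path) % 4 != 0 or not re.fullmatch(r"[0-9a-f]+", hex_path):
        raise ValueError(f"malformed path: {hex_path!r}")
    return [hex_path[i:i + 4] for i in range(0, len(hex_path), 4)]


def parse_pins(dump: str) -> List[PinObject]:
    """Parse 'PIN [label]' blocks; a block is complete once its Path line is seen."""
    pins, current = [], None
    for line in dump.splitlines():
        header = re.match(r"^PIN \[(.*)\]\s*$", line)
        if header:
            current = {"label": header.group(1)}
            continue
        field = re.match(r"^\s*(\S[^:]*?)\s*:\s*(.*)$", line) if current else None
        if not field:
            continue
        key, value = field.group(1), field.group(2).strip()
        if key == "ID":
            current["id"] = value
        elif key == "Path":  # 'Length' has inner colons; the lazy key match stops at the first
            pins.append(PinObject(current["label"], current.get("id", "?"), split_path(value)))
            current = None
    return pins


def deep_pins(dump: str) -> List[str]:
    """Labels of PINs stored below the MF, i.e. the ones affected by this bug."""
    return [p.label for p in parse_pins(dump) if p.depth > 0]
```

Running `deep_pins(SAMPLE_PIN_DUMP)` on the constructed dump reports only the signing PIN (underskrift), matching the observation that the signing certificate failed with 4.1.1.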
