Coolkey use problems on opensuse 11.3 with latest coolkey & opensc packages

Hi,

I'm trying to use my Actividentity ACTIVEKEY SIM (a USB stick) in order to authenticate myself in various domains (pam_pkcs11, company VPN, websites via Firefox).
With the stock opensuse 11.3 setup I couldn't get pkcs11_inspect (from pam_pkcs11 pkg) to work. The sim has a number-only password but I'm never asked for it.
So I decided to upgrade to all the latest packages.
The result is that it still doesn't work; neither pkcs11_inspect nor Firefox seems to be happy (the latter freezes for a minute or more).

Opensuse 11.3 had just recently released rpm packages with all the latest opensc, pcsc-lite, ... versions, including the latest coolkey build (there were some issues: https://bugzilla.novell.com/show_bug.cgi?id=661643#c4).
I've downloaded the source packages and compiled them to make sure they complied with my system (http://download.opensuse.org/source/distribution/11.3/repo/oss/suse/src/).

These are the packages I've installed :

coolkey-1.1.0-259.1.src.rpm
engine_pkcs11-0.1.8-8.1.src.rpm
libp11-0.2.7-17.1.src.rpm
openct-0.6.20-21.1.src.rpm
opensc-0.12.0-27.1.src.rpm
pam_p11-0.1.5-13.1.src.rpm
pam_pkcs11-0.6.6-11.1.src.rpm
pcsc-ccid-1.4.1-18.1.src.rpm
pcsc-lite-1.6.6-41.1.src.rpm
pcsc-perl-1.4.11.tar.bz2
pcsc-tools-1.4.17.tar.gz

The coolkey srpm contains these patches :
# PATCH-FIX-FEDORA coolkey-gcc43.patch bnc661643 sbrabec@xxxxxxx -- Fix for gcc-4.3.
Patch2:         coolkey-gcc43.patch
# PATCH-FEATURE-FEDORA coolkey-latest.patch bnc661643 sbrabec@xxxxxxx -- The head branch patch.
Patch3:         coolkey-latest.patch
# PATCH-FIX-FEDORA coolkey-simple-bugs.patch bnc661643 sbrabec@xxxxxxx -- Fix imported from Fedora, mostly merging former SUSE fixes.
Patch4:         coolkey-simple-bugs.patch
# PATCH-FIX-FEDORA coolkey-thread-fix.patch bnc661643 sbrabec@xxxxxxx -- Fix threading.
Patch5:         coolkey-thread-fix.patch
# PATCH-FEATURE-FEDORA coolkey-cac.patch bnc661643 sbrabec@xxxxxxx -- Support for CAC cards.
Patch6:         coolkey-cac.patch
# PATCH-FIX-FEDORA coolkey-cac-1.patch bnc661643 sbrabec@xxxxxxx -- Fixes of CAC support patch.
Patch7:         coolkey-cac-1.patch
# PATCH-FIX-FEDORA coolkey-pcsc-lite-fix.patch bnc661643 sbrabec@xxxxxxx -- Port to the latest pcsc-lite.
Patch8:         coolkey-pcsc-lite-fix.patch
# SUSE specific patches:
# PATCH-FEATURE-SLES coolkey-1.1.0-evoandooo.patch jberkman@xxxxxxxxxx -- Teach pk11install about evolution and openoffice.
Patch53:        coolkey-1.1.0-evoandooo.patch
# PATCH-FIX-SECURITY coolkey-cache-dir-move.patch sbrabec@xxxxxxx bnc304180 CVE-2007-4129 -- Fix file and directory permission flaw.
Patch54:        coolkey-cache-dir-move.patch
# PATCH-FIX-UPSTREAM coolkey-null.patch redhat356971 sbrabec@xxxxxxx -- Fix invalid NULL declaration.
Patch55:        coolkey-null.patch
BuildRoot:      %{_tmppath}/%{name}-%{version}-build
BuildRequires:  gcc-c++ mozilla-nss-devel pcsc-lite-devel pkg-config zlib-devel
#Requires:       pcsc-lite
# Requires: ifd-egate
Requires:       pcsc-ccid
# 390 does not have libusb or smartCards
ExcludeArch:    s390 s390x

The pcscd daemon starts up from within /etc/init.d but then shuts itself down (light = red) and comes on (light = green) on demand since the latest pcsc-lite version, and I can get some information using the various tool commands, but I'm unable to retrieve the key from it.
My linux box contains an nss database which I set up and has a slew of .pem certificates and a bundle file containing all of them. I have no binary .der equivalents.

Here is some output :

# pkcs11-tool --module /usr/lib/libcoolkeypk11.so --list-slots (--pin xxxxxx) supplying pin makes no difference.
Available slots:
Slot 0 (0x1): Generic CCID Reader 00 00
 (empty)
Slot 1 (0x2): Activkey Sim 00 00
 (empty)


# pkcs11-tool --list-slots
Available slots:
Slot 0 (0xffffffff): Virtual hotplug slot
 (empty)
Slot 1 (0x1): Generic CCID Reader 00 00
 (empty)
Slot 2 (0x2): Generic CCID Reader 00 00
 (empty)
Slot 3 (0x3): Generic CCID Reader 00 00
 (empty)
Slot 4 (0x4): Generic CCID Reader 00 00
 (empty)
Slot 5 (0x5): Activkey Sim 00 00
 (empty)
Slot 6 (0x6): Activkey Sim 00 00
 (empty)
Slot 7 (0x7): Activkey Sim 00 00
 (empty)
Slot 8 (0x8): Activkey Sim 00 00

(Why these different results?)


# opensc-tool -list-readers
opensc 0.12.0 [gcc 4.5.0 20100604 [gcc-4_5-branch revision 160292]]
Enabled features: zlib readline openssl pcsc(libpcsclite.so.1)
# Detected readers (pcsc)
Nr. Card Features Name
0    Yes             Activkey Sim 00 00
Using reader with a card: Activkey Sim 00 00
APDU too short (must be at least 4 bytes).

Never is there any request for a password at any time.


# pcsc_scan
PC/SC device scanner
V 1.4.17 (c) 2001-2009, Ludovic Rousseau <ludovic.rousseau@xxxxxxx>
Compiled with PC/SC lite version: 1.6.6
Scanning present readers...
0: Activkey Sim 00 00

Tue Jan 25 21:35:27 2011
 Reader 0: Activkey Sim 00 00
 Card state: Card inserted,
 ATR: 3B FD 18 00 FF 80 B1 FE 45 1F 07 80 73 00 21 13 57 4A 54 48 61 31 47 00 5F

ATR: 3B FD 18 00 FF 80 B1 FE 45 1F 07 80 73 00 21 13 57 4A 54 48 61 31 47 00 5F
+ TS = 3B --> Direct Convention
+ T0 = FD, Y(1): 1111, K: 13 (historical bytes)
 TA(1) = 18 --> Fi=372, Di=12, 31 cycles/ETU
    129032 bits/s at 4 MHz, fMax for Fi = 5 MHz => 161290 bits/s
 TB(1) = 00 --> VPP is not electrically connected
 TC(1) = FF --> Extra guard time: 255 (special value)
 TD(1) = 80 --> Y(i+1) = 1000, Protocol T = 0
-----
 TD(2) = B1 --> Y(i+1) = 1011, Protocol T = 1
-----
 TA(3) = FE --> IFSC: 254
 TB(3) = 45 --> Block Waiting Integer: 4 - Character Waiting Integer: 5
 TD(3) = 1F --> Y(i+1) = 0001, Protocol T = 15 - Global interface bytes following
-----
 TA(4) = 07 --> Clock stop: not supported - Class accepted by the card: (3G) A 5V B 3V C 1.8V
+ Historical bytes: 80 73 00 21 13 57 4A 54 48 61 31 47 00
 Category indicator byte: 80 (compact TLV data object)
    Tag: 7, len: 3 (card capabilities)
      Selection methods: 00
      Data coding byte: 21
        - Behaviour of write functions: proprietary
        - Value 'FF' for the first byte of BER-TLV tag fields: invalid
        - Data unit in quartets: 2
      Command chaining, length fields and logical channels: 13
        - Logical channel number assignment: by the card
        - Maximum number of logical channels: 4
    Tag: 5, len: 7 (card issuer's data)
      Card issuer data: 4A 54 48 61 31 47 00
+ TCK = 5F (correct checksum)

Possibly identified card (using /usr/local/share/pcsc/smartcard_list.txt):
3B FD 18 00 FF 80 B1 FE 45 1F 07 80 73 00 21 13 57 4A 54 48 61 31 47 00 5F
        Activkey Sim
        http://www.actividentity.com/products/activkey_usb_tokens__home.php

Using export COOL_KEY_LOG_FILE=/tmp/coolkey.log I collected some coolkey logging (see attachments).

Further useful info :

#uname -a
Linux gz 2.6.34-12-desktop #1 SMP PREEMPT 2010-06-29 02:39:08 +0200 i686 i686 i386 GNU/Linux7

I've upgraded libusb-1 too :
libusbmuxd1-1.0.4-1.6.i586
libusb-0_1-4-0.1.13-6.1.i586
libusb-1_0-devel-1.0.8-3.9.i586
libusb-1_0-0-1.0.8-3.9.i586
libusbmuxd-devel-1.0.4-1.6.i586
libusb-compat-devel-0.1.3-6.1.i586


I hope this is useful information and that one of you clever people can shed some light on this.

Cheers,
Guy.




Initialize called, hello 5
C_GetSlotList called
calling IsConnected
card changed
cleared all sessions
isTokenPresent, card state is 0x1
calling IsConnected
card changed
cleared all sessions
time connect: Connect Time 68 ms
time connect: Read Slot 68 ms
time connect: connection status 68 ms
time connnect: Begin transaction 68 ms
CoolKey Select failed 0x6
CAC Cert 0: select CAC applet:  67 ms
CAC Cert 0: fetch CAC Cert:  145 ms
CAC Cert 0: Fetch rest :  637 ms
CAC Cert 0: Cert has been read:  637 ms
CAC Cert 0: Cert has been uncompressed:  638 ms
CAC Cert 1: select CAC applet:  71 ms
Connection Error = 0x0
cleared all sessions
refreshTokenState: Failed to load objects.
isTokenPresent, card state is 0x1
C_GetSlotList called
calling IsConnected
card changed
cleared all sessions
isTokenPresent, card state is 0x1
calling IsConnected
card changed
cleared all sessions
time connect: Connect Time 2 ms
time connect: Read Slot 2 ms
time connect: connection status 2 ms
time connnect: Begin transaction 2 ms
CoolKey Select failed 0x6
CAC Cert 0: select CAC applet:  68 ms
CAC Cert 0: fetch CAC Cert:  146 ms
CAC Cert 0: Fetch rest :  638 ms
CAC Cert 0: Cert has been read:  638 ms
CAC Cert 0: Cert has been uncompressed:  639 ms
CAC Cert 1: select CAC applet:  70 ms
Connection Error = 0x80100003
cleared all sessions
refreshTokenState: Failed to load objects.
isTokenPresent, card state is 0x1
Called C_GetSlotInfo
calling IsConnected
card changed
cleared all sessions
isTokenPresent, card state is 0x1
Called C_GetSlotInfo
calling IsConnected
card changed
cleared all sessions
time connect: Connect Time 1 ms
time connect: Read Slot 1 ms
time connect: connection status 1 ms
time connnect: Begin transaction 1 ms
CoolKey Select failed 0x6
CAC Cert 0: select CAC applet:  68 ms
CAC Cert 0: fetch CAC Cert:  146 ms
CAC Cert 0: Fetch rest :  639 ms
CAC Cert 0: Cert has been read:  639 ms
CAC Cert 0: Cert has been uncompressed:  640 ms
CAC Cert 1: select CAC applet:  70 ms
Connection Error = 0x80100003
cleared all sessions
refreshTokenState: Failed to load objects.
isTokenPresent, card state is 0x1
Finalizing...
Initialize called, hello 5
C_GetInfo called
C_GetSlotList called
calling IsConnected
card changed
cleared all sessions
isTokenPresent, card state is 0x1
calling IsConnected
card changed
cleared all sessions
time connect: Connect Time 64 ms
time connect: Read Slot 64 ms
time connect: connection status 64 ms
time connnect: Begin transaction 64 ms
CoolKey Select failed 0x6
CAC Cert 0: select CAC applet:  67 ms
CAC Cert 0: fetch CAC Cert:  145 ms
CAC Cert 0: Fetch rest :  637 ms
CAC Cert 0: Cert has been read:  638 ms
CAC Cert 0: Cert has been uncompressed:  638 ms
CAC Cert 1: select CAC applet:  71 ms
Connection Error = 0x0
cleared all sessions
refreshTokenState: Failed to load objects.
isTokenPresent, card state is 0x1
C_GetSlotList called
calling IsConnected
card changed
cleared all sessions
isTokenPresent, card state is 0x1
calling IsConnected
card changed
cleared all sessions
time connect: Connect Time 1 ms
time connect: Read Slot 1 ms
time connect: connection status 1 ms
time connnect: Begin transaction 1 ms
CoolKey Select failed 0x6
CAC Cert 0: select CAC applet:  67 ms
CAC Cert 0: fetch CAC Cert:  144 ms
CAC Cert 0: Fetch rest :  638 ms
CAC Cert 0: Cert has been read:  638 ms
CAC Cert 0: Cert has been uncompressed:  638 ms
CAC Cert 1: select CAC applet:  71 ms
Connection Error = 0x80100003
cleared all sessions
refreshTokenState: Failed to load objects.
isTokenPresent, card state is 0x1
Called C_GetSlotInfo
calling IsConnected
card changed
cleared all sessions
isTokenPresent, card state is 0x1
Called C_GetSlotInfo
calling IsConnected
card changed
cleared all sessions
time connect: Connect Time 2 ms
time connect: Read Slot 2 ms
time connect: connection status 2 ms
time connnect: Begin transaction 2 ms
CoolKey Select failed 0x6
CAC Cert 0: select CAC applet:  67 ms
CAC Cert 0: fetch CAC Cert:  145 ms
CAC Cert 0: Fetch rest :  639 ms
CAC Cert 0: Cert has been read:  639 ms
CAC Cert 0: Cert has been uncompressed:  639 ms
CAC Cert 1: select CAC applet:  71 ms
Connection Error = 0x80100003
cleared all sessions
refreshTokenState: Failed to load objects.
isTokenPresent, card state is 0x1
Called C_GetSlotInfo
calling IsConnected
card changed
cleared all sessions
isTokenPresent, card state is 0x1
Called C_GetSlotInfo
calling IsConnected
card changed
cleared all sessions
time connect: Connect Time 1 ms
time connect: Read Slot 1 ms
time connect: connection status 1 ms
time connnect: Begin transaction 1 ms
CoolKey Select failed 0x6
CAC Cert 0: select CAC applet:  69 ms
CAC Cert 0: fetch CAC Cert:  147 ms
CAC Cert 0: Fetch rest :  640 ms
CAC Cert 0: Cert has been read:  645 ms
CAC Cert 0: Cert has been uncompressed:  646 ms
CAC Cert 1: select CAC applet:  70 ms
Connection Error = 0x80100003
cleared all sessions
refreshTokenState: Failed to load objects.
isTokenPresent, card state is 0x1

Attachment: pcsd_while_inspect.out
Description: Binary data

Attachment: usb_insertion_messages.out
Description: Binary data

_______________________________________________
Coolkey-devel mailing list
Coolkey-devel@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/coolkey-devel
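
Added example, not part of the original post and not CoolKey code: a small Python triage for COOL_KEY_LOG_FILE output like the log above. It splits the log into connect attempts and decodes the "Connection Error" value using PC/SC return codes from pcsc-lite's pcsclite.h; the function name triage, its field names and the excerpted sample are assumptions of this example.

```python
import re

# Subset of PC/SC return codes as defined in pcsc-lite's pcsclite.h.
PCSC_CODES = {
    0x00000000: "SCARD_S_SUCCESS",
    0x80100003: "SCARD_E_INVALID_HANDLE",
    0x8010000B: "SCARD_E_SHARING_VIOLATION",
    0x8010000C: "SCARD_E_NO_SMARTCARD",
    0x80100069: "SCARD_W_REMOVED_CARD",
}

# Sample input: two connect attempts excerpted from the log in this post.
SAMPLE_LOG = """\
C_GetSlotList called
time connect: Connect Time 68 ms
CAC Cert 0: Cert has been uncompressed:  638 ms
CAC Cert 1: select CAC applet:  71 ms
Connection Error = 0x0
refreshTokenState: Failed to load objects.
Called C_GetSlotInfo
time connect: Connect Time 1 ms
CAC Cert 0: Cert has been uncompressed:  640 ms
CAC Cert 1: select CAC applet:  70 ms
Connection Error = 0x80100003
refreshTokenState: Failed to load objects.
"""

def triage(log_text):
    """Return one dict per connect attempt: PKCS#11 call, progress, error."""
    attempts, cur, call = [], None, None
    for line in map(str.strip, log_text.splitlines()):
        if m := re.match(r"(?:Called )?(C_\w+)(?: called)?$", line):
            call = m.group(1)                      # PKCS#11 entry point
        elif line.startswith("time connect: Connect Time"):
            cur = {"call": call, "certs_read": [], "last_stage": None,
                   "error": None, "loaded": True}
            attempts.append(cur)
        elif cur is None:
            continue                               # nothing connected yet
        elif m := re.match(r"CAC Cert (\d+): (.+?)\s*:\s+\d+ ms$", line):
            cur["last_stage"] = f"CAC Cert {m.group(1)}: {m.group(2)}"
            if m.group(2) == "Cert has been uncompressed":
                cur["certs_read"].append(int(m.group(1)))
        elif m := re.match(r"Connection Error = 0x([0-9a-fA-F]+)$", line):
            code = int(m.group(1), 16)
            cur["error"] = PCSC_CODES.get(code, f"unknown 0x{code:08X}")
        elif line.startswith("refreshTokenState: Failed to load objects"):
            cur["loaded"] = False
    return attempts
```

Running triage() over the full /tmp/coolkey.log shows whether every attempt stops at the same stage and with which PC/SC code, which is the detail worth quoting in a bug report.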
