Re: opensc-0.9.4 and Oberthur AuthentIC

Andreas Steffen wrote:

> Hi,
>
> I'm trying to use the Linux strongSwan IPsec software with an
> Oberthur AuthentIC smartcard and have encountered a couple of
> obstacles:
>
> The pkcs11-tool doesn't seem to work at all:
>
> pkcs11-tool --list-slots
>
> iso7816.c:101:iso7816_check_sw: Unknown SWs; SW1=A2, SW2=C8
> card-oberthur.c:1742:auth_read_component: Card returned error:
>                      Card command failed
> card.c:594:sc_read_binary: returning with: Card command failed
> card.c:579:sc_read_binary: sc_read_binary() failed: Card command failed
> card.c:203:sc_transceive: Unable to transmit: Transmit failed
> card.c:238:sc_transmit_apdu: transceive() failed: Transmit failed
> card.c:203:sc_transceive: Unable to transmit: Card removed
> card.c:238:sc_transmit_apdu: transceive() failed: Card removed
> pkcs15-pubkey.c:399:sc_pkcs15_read_pubkey: Failed to read public key 
> file.
> reader-pcsc.c:433:pcsc_lock: SCardBeginTransaction failed:
>                   Reader/s is unavailable.
> pkcs15.c:1272:sc_pkcs15_read_file: sc_lock() failed: Unknown error
> pkcs15.c:724:__sc_pkcs15_search_objects: DF parsing failed: Unknown error
> pkcs15.c:647:sc_pkcs15_bind: returning with: Wrong card
> Available slots:
> Slot 0           Schlumberger Reflex 60 0 0
>   token state:   uninitialized
> Slot 1           Schlumberger Reflex 60 0 0
>   token state:   uninitialized
> Slot 2           Schlumberger Reflex 60 0 0
>   token state:   uninitialized
> Slot 3           Schlumberger Reflex 60 0 0
>   token state:   uninitialized
>
> Here some infos on my card:
>
> opensc-tool --name --reader 0
> AuthentIC v5
>
> opensc-tool --atr --reader 0
> 3B 7D 18 00 00 00 31 80 71 8E 64 77 E3 02 00 82 ;}....1.q.dw....
> 90 00                                           ..
>
> Thus I gave up to use strongswan-2.4.1 which has a PKCS#11 interface
> and reverted to strongswan-2.3.2 which uses OpenSC-specific PKCS#15
> functions.
>
> The pkcs15-tool and opensc-explorer work without problems:
>
> --------------------------------------------------------------------
> pkcs15-tool --list-certificates
>
> X.509 Certificate [dummy User1's authentication certificate.]
>         Flags    : 2
>         Authority: no
>         Path     : 3F00501190012000
>         ID       : fdc11d7ac2f8c95006e35b063c1cc1de32032451
>
> X.509 Certificate [dummy User1's signature  certificate.]
>         Flags    : 2
>         Authority: no
>         Path     : 3F00501190012001
>         ID       : f6057605356a2ff7f09ee1a4b1ed33278074bfa8
>
> X.509 Certificate [dummy User1's encryption certificate.]
>         Flags    : 2
>         Authority: no
>         Path     : 3F00501190012002
>         ID       : 3081df7366d29eb113882539a3ca61618fc3546f
>
> --------------------------------------------------------------------
> pkcs15-tool --list-keys
>
> Private RSA Key [SCM: imported key]
>         Com. Flags  : 3
>         Usage       : [0x32E], decrypt, sign, signRecover, unwrap, 
> derive,
>                                nonRepudiation
>         Access Flags: [0x1D], sensitive, alwaysSensitive, 
> neverExtract, local
>         ModLength   : 2048
>         Key ref     : 0
>         Native      : yes
>         Path        : 3F00501190023000
>         Auth ID     : 53434d
>         ID          : fdc11d7ac2f8c95006e35b063c1cc1de32032451
>
> Private RSA Key [SCM: imported key]
>         Com. Flags  : 3
>         Usage       : [0x32E], decrypt, sign, signRecover, unwrap, 
> derive,
>                                nonRepudiation
>         Access Flags: [0x1D], sensitive, alwaysSensitive, 
> neverExtract, local
>         ModLength   : 2048
>         Key ref     : 0
>         Native      : yes
>         Path        : 3F00501190023001
>         Auth ID     : 53434d
>         ID          : f6057605356a2ff7f09ee1a4b1ed33278074bfa8
>
> Private RSA Key [SCM: imported key]
>         Com. Flags  : 3
>         Usage       : [0x32E], decrypt, sign, signRecover, unwrap, 
> derive,
>                                nonRepudiation
>         Access Flags: [0x1D], sensitive, alwaysSensitive, 
> neverExtract, local
>         ModLength   : 2048
>         Key ref     : 0
>         Native      : yes
>         Path        : 3F00501190023002
>         Auth ID     : 53434d
>         ID          : 3081df7366d29eb113882539a3ca61618fc3546f
>
> --------------------------------------------------------------------
> pkcs15-tool --list-pins
>
> PIN [SCM]
>         Com. Flags: 0x3
>         Auth ID   : 53434d
>         Flags     : [0x30], initialized, needs-padding
>         Length    : min_len:4, max_len:64, stored_len:64
>         Pad char  : 0xFF
>         Reference : 1
>         Type      : 1
>         Path      : 3F005011
>         Tries left: -1
>
> strongswan-2.3.2 is able to read the certificate from the card
> and can successfully verify the PIN. What fails is the RSA signature:
>
> --------------------------------------------------------------------
> /var/log/warn
>
> : loaded cert from smartcard (reader: 0,
>         id: fdc11d7ac2f8c95006e35b063c1cc1de32032451)
> : added connection description "net"
> : listening for IKE messages
> : adding interface ipsec0/wlan0 160.85.106.4:500
> : loading secrets from "/etc/ipsec.secrets"
> :   valid PIN for reader: 0, id: fdc11d7ac2f8c95006e35b063c1cc1de32032451
> : "net" #1: initiating Main Mode
> : "net" #1: ignoring Vendor ID payload [strongSwan 2.3.2]
> : "net" #1: received Vendor ID payload [Dead Peer Detection]
> : "net" #1: compute signature failed: Card command failed
> : "net" #1: unable to locate my private key for RSA Signature
> : "net" #1: sending encrypted notification AUTHENTICATION_FAILED to
>              160.85.106.1:500
>
> I also get an error if I try to do a manual signature using pkcs15-crypt:
>
> openssl md5 -binary test.txt > test.md5
>
> pkcs15-crypt --key fdc11d7ac2f8c95006e35b063c1cc1de32032451 --pkcs1 --md5
>              --sign -i test.md5 -o test.sig
> Enter PIN [SCM]:
> iso7816.c:101:iso7816_check_sw: Unknown SWs; SW1=69, SW2=A5

Hmm,
it's bewildering. In the card specification that I have there is no such SW.
Can you send me debug-log, please?
I will ask Oberthur for the meaning of this SW.

> iso7816.c:581:iso7816_get_response: returning with: Card command failed
> card.c:279:sc_transmit_apdu: returning with: Card command failed
> card-oberthur.c:1338:auth_compute_signature: APDU transmit failed:
>                      Card command failed
> sec.c:53:sc_compute_signature: returning with: Card command failed
> pkcs15-sec.c:330:sc_pkcs15_compute_signature: sc_compute_signature() 
> failed:
>                   Card command failed
> Compute signature failed: Card command failed
> card.c:203:sc_transceive: Unable to transmit: Transmit failed
> card.c:238:sc_transmit_apdu: transceive() failed: Transmit failed
> card.c:203:sc_transceive: Unable to transmit: Card removed
> card.c:238:sc_transmit_apdu: transceive() failed: Card removed
>
> With an Aladdin etoken this works flawlessly:
>
> pkcs15-crypt --reader 1 --key 45 --pkcs1 --md5 --sign -i test.md5 -o 
> test.sig
> Enter PIN [strongSec PIN]:
>
> ls -l test.sig
> -rw-r--r--    1 root     root          128 Mar 16 23:43 test.sig
>
> Any hints what could be the cause?


I cannot reproduce this error, for me it works.

Can you send me the commands that you have used to initilise your card 
and to import the keys/certificates?
Try to re-initialise your card and to import the keys using OpenSC-0.9.4 .
For example:
# pkcs15-init -E -C -P --pin 9999 --puk 1234 -a 01 --label "Test SC"
# openssl genrsa -out test_key.pem 2048
# pkcs15-init -S ./test_key.pem --format PEM -a 01
# pkcs15-crypt --key 45 --pkcs1 --md5 --sign -i test.md5 -o test.sig 
--pin 9999

Best regards,
Viktor.