-
Notifications
You must be signed in to change notification settings - Fork 712
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
OpenSC 0.13.0 is not working correctly with Feitian cards formatted in Windows #173
Comments
Ok, i did some debugging and found the source of the problem. I have Fetian PKI card formatted in Windows. Problem is with pin protected attributes and pin id. see this dump:
And now - keys:
As you could see - Auth ID is 0xFF00, but id of the PIN is 0xFF. This makes associations of the KEY and PIN fail in pkcs11. Previous version was adding all non-matched key, thats why this bug was not seen.
This fixing issue for me. Could you please review this bug? |
Also i have found that card formatted in Linux (OpenSC) do not have such problems, auth id length is always one byte. |
As far as I understand the reason of this bug is not in the OpenSC MW, Usually we are trying to avoid the card specific in the common part of OpenSC (common pkcs11 framework), |
@viktorTarasov - yes, it is. I understand your concern and it would be great if you can help somehow to solve it inside card driver. Because now card formatted by native tool is unusable with OpenSC PKCS11, and it is clear regression from 0.12.x. |
I do not see it as a clear regression. Normally, for the non-standard PKCS#15 content you should implement the emulator of PKCS#15. Grep sources for fix_starcos_pkcs15_card. This procedure is called on behalf of starcos card immediately after card is binded and thus allows to touch up the pkcs15 data after read-out the on-card data. I propose you to implement some similar function, taking into account that it will be called at the same place as fix_starcos_pkcs15_card. |
@viktorTarasov thank you for suggestions, i`ll try to do this next days. From user point of view regression is clear - it was working in .12 and not working in .13. But i am agree that proposed fix is much better. |
Once more, for the most obstinate. The vocation of generic part of the project is to support the standard PKCS#15 (and some others specifications) content. |
@viktorTarasov as far as i could see fix_starcos_pkcs15_card is called before any data is actually read from card, and it is only settings some flags w/o modification of any real data. Sorry, i am a newbie in OpenSC source code and architecture, but it is unclear how to do this using method proposed by you. About regression and standards - i never read that OpenSC should support only 100% standard compliant cards (why do we have so many drivers then?). Term regression for user indicates that some hardware was working in version x.y, and not working in x+1.y without any other changes. |
Please, read attentively what I'm wrote:
You have used the non-standard card with generic procedures for your own risk and responsibility. |
I found that OpenSC 0.13.0 opensc-pkcs11.so is not working correctly with Firefox. If i am compiling 0.13 - firefox asks for card PIN but not showing any certificates available. Also card fails with thunderbird and Java apps.
With 0.12.2 everything works as expected. I can provide additional information if needed.
The text was updated successfully, but these errors were encountered: