Invalid ASN.1 object error when using myeid profile in pkcs15-init -C command #2963
Comments
Can you please try it with the file cache disabled?
Tried with the following opensc.conf, but still got the same error. app default {
The same thing happens on linux, it doesn't depend on the file cache. Fail:
OK:
I'll look into it.
It seems that this error has been around for a long time, I just compiled older versions of opensc and it turned out like this:
Initialization works without problems if I'm not completely familiar with the part of the OpenSC code that works with "profile", I'll see what I can find.
Debug, without
This is loaded if
I assume that it is not good if the myeid profile is loaded twice..
Can you confirm if this solves the issue? If so, I will prepare a PR.
I have come across one discrepancy in the MyEID profile regarding the pkcs#15 profile:
I'm not sure what to do with it..
Tested and the command succeeds after this change.
After some more testing, we found out that some settings set in the profile file do not take effect. For example, we tried changing Update, Delete and Generate ACLs to SOPIN for private keys like this: EF template-private-key { ... but all ACs were still set to PIN 1.
Thank you for looking into that @popovec . Unfortunately documentation around profiles is suboptimal and syntax undocumented [1]. I think the profiles work in a way that the default generic profile is loaded first (see the comment in pkcs15.profile) and then on top of that, card-specific changes are applied to avoid a need to copy&paste all of the generic stuff into every card profile ( Reading the My proposal would be to improve and clarify the documentation regarding this. For now just grepping through the wiki and documentation which proposes to use [1] https://github.com/OpenSC/OpenSC/blob/master/doc/files/pkcs15-profile.5.xml#L40
I believe that the user should not use the Examples: this corresponds to the default (when neither using specific profile: Using myeid and myeid_new:
For the "--profile" switch, you can use the "+" sign as an "option", an example is "pkcs15+onepin" - more in the file pkcs15.profile I am looking to see if the myeid profile could be trimmed in such a way that only those things that myeid changes are recorded in the myeid profile.. but it would be a problem, almost every file would need a change, see for example AODF:
In the current state, I really wouldn't change anything more than to fix the myeid profile so that it also works independently, without the pkcs15 profile.
I'll look into it, these things might need to be checked in
What's the status of this topic, is there anything to do?
@hhonkanen
The patch omits part of the code in the
Please verify that the modified code works as expected. Well thank you.
@popovec Thank you for your effort to resolve this issue! The ACLs look correct and exactly what we are trying to achieve, so looks like your patch resolves the problem.
…ile. Another issue regarding setting the ACL to a private key was raised in issue OpenSC#2963. This patch removes a part of the code that makes it impossible to set the ACL according to the selected profile.
Problem Description
When using the MyEID profile file, the pkcs15-init -C command fails with the error message "Failed to create PKCS #15 meta structure: Invalid ASN.1 object".
Tested with MyEID 4.5.5 and OpenSC 0.24.0 on Windows.
Steps to reproduce
pkcs15-init -C --profile myeid --pin 1111 --puk 1111
Logs
P:92432; T:81956 2023-12-18 12:08:58.703 [pkcs15-init] card.c:885:sc_select_file: returning with: 0 (Success)
P:92432; T:81956 2023-12-18 12:08:58.703 [pkcs15-init] encoding 'dirRecord'
P:92432; T:81956 2023-12-18 12:08:58.703 [pkcs15-init] type=129, tag=0x60000001, parm=000000EBBDAFED50, len=0
P:92432; T:81956 2023-12-18 12:08:58.703 [pkcs15-init] encoding 'aid'
P:92432; T:81956 2023-12-18 12:08:58.703 [pkcs15-init] type=4, tag=0x4000000f, parm=000000EBBDAFEC68, len=0
P:92432; T:81956 2023-12-18 12:08:58.703 [pkcs15-init] cannot encode empty non-optional ASN.1 object
P:92432; T:81956 2023-12-18 12:08:58.703 [pkcs15-init] encoding of ASN.1 object 'dirRecord' failed: Invalid ASN.1 object
P:92432; T:81956 2023-12-18 12:08:58.704 [pkcs15-init] dir.c:303:encode_dir_record: Encode DIR record error: -1401 (Invalid ASN.1 object)
P:92432; T:81956 2023-12-18 12:08:58.704 [pkcs15-init] pkcs15-lib.c:3154:sc_pkcs15init_update_dir: returning with: -1401 (Invalid ASN.1 object)
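As an added example (not part of the issue and not OpenSC code), this Python script walks debug output in the format shown in the Logs section and reports which ASN.1 field was empty, which enclosing object failed to encode, and which functions returned the error. The function name `triage` and the regular expressions are assumptions fitted to the log lines quoted above.

```python
import re

# Debug lines copied from the Logs section of the issue above.
SAMPLE_LOG = """\
P:92432; T:81956 2023-12-18 12:08:58.703 [pkcs15-init] card.c:885:sc_select_file: returning with: 0 (Success)
P:92432; T:81956 2023-12-18 12:08:58.703 [pkcs15-init] encoding 'dirRecord'
P:92432; T:81956 2023-12-18 12:08:58.703 [pkcs15-init] type=129, tag=0x60000001, parm=000000EBBDAFED50, len=0
P:92432; T:81956 2023-12-18 12:08:58.703 [pkcs15-init] encoding 'aid'
P:92432; T:81956 2023-12-18 12:08:58.703 [pkcs15-init] type=4, tag=0x4000000f, parm=000000EBBDAFEC68, len=0
P:92432; T:81956 2023-12-18 12:08:58.703 [pkcs15-init] cannot encode empty non-optional ASN.1 object
P:92432; T:81956 2023-12-18 12:08:58.703 [pkcs15-init] encoding of ASN.1 object 'dirRecord' failed: Invalid ASN.1 object
P:92432; T:81956 2023-12-18 12:08:58.704 [pkcs15-init] dir.c:303:encode_dir_record: Encode DIR record error: -1401 (Invalid ASN.1 object)
P:92432; T:81956 2023-12-18 12:08:58.704 [pkcs15-init] pkcs15-lib.c:3154:sc_pkcs15init_update_dir: returning with: -1401 (Invalid ASN.1 object)
"""

# Patterns are assumptions derived from the lines above, not an OpenSC log spec.
PREFIX = re.compile(r"^P:\d+; T:\d+ \S+ \S+ \[[^\]]+\] (.*)$")
ENCODING = re.compile(r"^encoding '([^']+)'$")
PARAMS = re.compile(r"^type=(\d+), tag=0x([0-9a-fA-F]+), parm=\S+, len=(\d+)$")
FAILED = re.compile(r"^encoding of ASN\.1 object '([^']+)' failed: (.+)$")
ERROR = re.compile(r"^(\S+?):(\d+):(\w+): .*?(-\d+) \((.+)\)$")
EMPTY = "cannot encode empty non-optional ASN.1 object"


def triage(log_text):
    """Return the empty field, its enclosing object and the error call chain."""
    report = {"empty_field": None, "failed_object": None, "error_chain": []}
    current = None  # most recent "encoding '<name>'" entry and its parameters
    for raw in log_text.splitlines():
        m = PREFIX.match(raw.strip())
        if not m:
            continue  # not a debug line in this format
        msg = m.group(1)
        if (e := ENCODING.match(msg)):
            current = {"name": e.group(1)}
        elif (p := PARAMS.match(msg)) and current is not None:
            current.update(type=int(p.group(1)), tag=int(p.group(2), 16), len=int(p.group(3)))
        elif msg == EMPTY and current is not None:
            report["empty_field"] = dict(current)  # field being encoded when it failed
        elif (f := FAILED.match(msg)):
            report["failed_object"] = f.group(1)
        elif (r := ERROR.match(msg)):  # only negative return codes match
            report["error_chain"].append((r.group(3), int(r.group(4)), r.group(5)))
    return report


if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

On the quoted log this points at the `aid` field of `dirRecord`, which is encoded with `len=0`.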