I'm trying to use my Actividentity ACTIVEKEY SIM (a usb stick) in order to authenticate myself in various domains (pam_pkcs11, company vpn, websites via Firefox).
With the stock opensuse 11.3 setup I couldn't get pkcs11_inspect (from pam_pkcs11 pkg) to work. The sim has a number-only password but I'm never asked for it.
So I decided to upgrade to all the latest packages.
Result is that it still doesn't work, neither pkcs11_inspect nor Firefox seem to be happy (the latter freezes for a minute or more).
Opensuse 11.3 had just recently released rpm packages with all the latest opensc, pcsc-lite, ... versions, including the latest coolkey build (there were some issues : https://bugzilla.novell.com/show_bug.cgi?id=661643#c4).
I've downloaded the source packages and compiled them to make sure they complied with my system (http://download.opensuse.org/source/distribution/11.3/repo/oss/suse/src/).
These are the packages I've installed :
coolkey-1.1.0-259.1.src.rpm
engine_pkcs11-0.1.8-8.1.src.rpm
libp11-0.2.7-17.1.src.rpm
openct-0.6.20-21.1.src.rpm
opensc-0.12.0-27.1.src.rpm
pam_p11-0.1.5-13.1.src.rpm
pam_pkcs11-0.6.6-11.1.src.rpm
pcsc-ccid-1.4.1-18.1.src.rpm
pcsc-lite-1.6.6-41.1.src.rpm
pcsc-perl-1.4.11.tar.bz2
pcsc-tools-1.4.17.tar.gz
The coolkey srpm contains these patches :
# PATCH-FIX-FEDORA coolkey-gcc43.patch bnc661643 sbrabec@xxxxxxx -- Fix for gcc-4.3.
Patch2:         coolkey-gcc43.patch
# PATCH-FEATURE-FEDORA coolkey-latest.patch bnc661643 sbrabec@xxxxxxx -- The head branch patch.
Patch3:         coolkey-latest.patch
# PATCH-FIX-FEDORA coolkey-simple-bugs.patch bnc661643 sbrabec@xxxxxxx -- Fix imported from Fedora, mostly merging former SUSE fixes.
Patch4:         coolkey-simple-bugs.patch
# PATCH-FIX-FEDORA coolkey-thread-fix.patch bnc661643 sbrabec@xxxxxxx -- Fix threading.
Patch5:         coolkey-thread-fix.patch
# PATCH-FEATURE-FEDORA coolkey-cac.patch bnc661643 sbrabec@xxxxxxx -- Support for CAC cards.
Patch6:         coolkey-cac.patch
# PATCH-FIX-FEDORA coolkey-cac-1.patch bnc661643 sbrabec@xxxxxxx -- Fixes of CAC support patch.
Patch7:         coolkey-cac-1.patch
# PATCH-FIX-FEDORA coolkey-pcsc-lite-fix.patch bnc661643 sbrabec@xxxxxxx -- Port to the latest pcsc-lite.
Patch8:         coolkey-pcsc-lite-fix.patch
# SUSE specific patches:
# PATCH-FEATURE-SLES coolkey-1.1.0-evoandooo.patch jberkman@xxxxxxxxxx -- Teach pk11install about evolution and openoffice.
Patch53:        coolkey-1.1.0-evoandooo.patch
# PATCH-FIX-SECURITY coolkey-cache-dir-move.patch sbrabec@xxxxxxx bnc304180 CVE-2007-4129 -- Fix file and directory permission flaw.
Patch54:        coolkey-cache-dir-move.patch
# PATCH-FIX-UPSTREAM coolkey-null.patch redhat356971 sbrabec@xxxxxxx -- Fix invalid NULL declaration.
Patch55:        coolkey-null.patch
BuildRoot:      %{_tmppath}/%{name}-%{version}-build
BuildRequires:  gcc-c++ mozilla-nss-devel pcsc-lite-devel pkg-config zlib-devel
#Requires:       pcsc-lite
# Requires: ifd-egate
Requires:       pcsc-ccid
# 390 does not have libusb or smartCards
ExcludeArch:    s390 s390x
The pcscd daemon starts up from within /etc/init.d but then shuts itself down (light = red) and comes on (light = green) on demand since the latest pcsc-lite version and I can get some information using the various tool commands but I'm unable to retrieve the key from it.
My linux box contains an nss database which I set up and has a slew of .pem certificates and a bundle file containing all of them. I have no binary .der equivalents.
Here is some output :
# pkcs11-tool --module /usr/lib/libcoolkeypk11.so --list-slots (--pin xxxxxx) supplying pin makes no difference.
Available slots:
Slot 0 (0x1): Generic CCID Reader 00 00
 (empty)
Slot 1 (0x2): Activkey Sim 00 00
 (empty)
# pkcs11-tool --list-slots
Available slots:
Slot 0 (0xffffffff): Virtual hotplug slot
 (empty)
Slot 1 (0x1): Generic CCID Reader 00 00
 (empty)
Slot 2 (0x2): Generic CCID Reader 00 00
 (empty)
Slot 3 (0x3): Generic CCID Reader 00 00
 (empty)
Slot 4 (0x4): Generic CCID Reader 00 00
 (empty)
Slot 5 (0x5): Activkey Sim 00 00
 (empty)
Slot 6 (0x6): Activkey Sim 00 00
 (empty)
Slot 7 (0x7): Activkey Sim 00 00
 (empty)
Slot 8 (0x8): Activkey Sim 00 00
(Why these different results?)
# opensc-tool -list-readers
opensc 0.12.0 [gcc 4.5.0 20100604 [gcc-4_5-branch revision 160292]]
Enabled features: zlib readline openssl pcsc(libpcsclite.so.1)
# Detected readers (pcsc)
Nr. Card Features Name
0    Yes             Activkey Sim 00 00
Using reader with a card: Activkey Sim 00 00
APDU too short (must be at least 4 bytes).
Never is there any request for a password at any time
# pcsc_scan
PC/SC device scanner
V 1.4.17 (c) 2001-2009, Ludovic Rousseau <ludovic.rousseau@xxxxxxx>
Compiled with PC/SC lite version: 1.6.6
Scanning present readers...
0: Activkey Sim 00 00
Tue Jan 25 21:35:27 2011
 Reader 0: Activkey Sim 00 00
 Card state: Card inserted,
 ATR: 3B FD 18 00 FF 80 B1 FE 45 1F 07 80 73 00 21 13 57 4A 54 48 61 31 47 00 5F
ATR: 3B FD 18 00 FF 80 B1 FE 45 1F 07 80 73 00 21 13 57 4A 54 48 61 31 47 00 5F
+ TS = 3B --> Direct Convention
+ T0 = FD, Y(1): 1111, K: 13 (historical bytes)
 TA(1) = 18 --> Fi=372, Di=12, 31 cycles/ETU
    129032 bits/s at 4 MHz, fMax for Fi = 5 MHz => 161290 bits/s
 TB(1) = 00 --> VPP is not electrically connected
 TC(1) = FF --> Extra guard time: 255 (special value)
 TD(1) = 80 --> Y(i+1) = 1000, Protocol T = 0
-----
 TD(2) = B1 --> Y(i+1) = 1011, Protocol T = 1
-----
 TA(3) = FE --> IFSC: 254
 TB(3) = 45 --> Block Waiting Integer: 4 - Character Waiting Integer: 5
 TD(3) = 1F --> Y(i+1) = 0001, Protocol T = 15 - Global interface bytes following
-----
 TA(4) = 07 --> Clock stop: not supported - Class accepted by the card: (3G) A 5V B 3V C 1.8V
+ Historical bytes: 80 73 00 21 13 57 4A 54 48 61 31 47 00
 Category indicator byte: 80 (compact TLV data object)
    Tag: 7, len: 3 (card capabilities)
      Selection methods: 00
      Data coding byte: 21
        - Behaviour of write functions: proprietary
        - Value 'FF' for the first byte of BER-TLV tag fields: invalid
        - Data unit in quartets: 2
      Command chaining, length fields and logical channels: 13
        - Logical channel number assignment: by the card
        - Maximum number of logical channels: 4
    Tag: 5, len: 7 (card issuer's data)
      Card issuer data: 4A 54 48 61 31 47 00
+ TCK = 5F (correct checksum)
Possibly identified card (using /usr/local/share/pcsc/smartcard_list.txt):
3B FD 18 00 FF 80 B1 FE 45 1F 07 80 73 00 21 13 57 4A 54 48 61 31 47 00 5F
        Activkey Sim
        http://www.actividentity.com/products/activkey_usb_tokens__home.php
Using export COOL_KEY_LOG_FILE=/tmp/coolkey.log I collected some coolkey logging (see attachments).
Further useful info :
#uname -a
Linux gz 2.6.34-12-desktop #1 SMP PREEMPT 2010-06-29 02:39:08 +0200 i686 i686 i386 GNU/Linux7
I've upgraded libusb-1 too :
libusbmuxd1-1.0.4-1.6.i586
libusb-0_1-4-0.1.13-6.1.i586
libusb-1_0-devel-1.0.8-3.9.i586
libusb-1_0-0-1.0.8-3.9.i586
libusbmuxd-devel-1.0.4-1.6.i586
libusb-compat-devel-0.1.3-6.1.i586
I hope this is useful information and that one of you clever people can shed some light on this.
Cheers,
Guy.
Initialize called, hello 5 C_GetSlotList called calling IsConnected card changed cleared all sessions isTokenPresent, card state is 0x1 calling IsConnected card changed cleared all sessions time connect: Connect Time 68 ms time connect: Read Slot 68 ms time connect: connection status 68 ms time connnect: Begin transaction 68 ms CoolKey Select failed 0x6 CAC Cert 0: select CAC applet: 67 ms CAC Cert 0: fetch CAC Cert: 145 ms CAC Cert 0: Fetch rest : 637 ms CAC Cert 0: Cert has been read: 637 ms CAC Cert 0: Cert has been uncompressed: 638 ms CAC Cert 1: select CAC applet: 71 ms Connection Error = 0x0 cleared all sessions refreshTokenState: Failed to load objects. isTokenPresent, card state is 0x1 C_GetSlotList called calling IsConnected card changed cleared all sessions isTokenPresent, card state is 0x1 calling IsConnected card changed cleared all sessions time connect: Connect Time 2 ms time connect: Read Slot 2 ms time connect: connection status 2 ms time connnect: Begin transaction 2 ms CoolKey Select failed 0x6 CAC Cert 0: select CAC applet: 68 ms CAC Cert 0: fetch CAC Cert: 146 ms CAC Cert 0: Fetch rest : 638 ms CAC Cert 0: Cert has been read: 638 ms CAC Cert 0: Cert has been uncompressed: 639 ms CAC Cert 1: select CAC applet: 70 ms Connection Error = 0x80100003 cleared all sessions refreshTokenState: Failed to load objects. 
isTokenPresent, card state is 0x1 Called C_GetSlotInfo calling IsConnected card changed cleared all sessions isTokenPresent, card state is 0x1 Called C_GetSlotInfo calling IsConnected card changed cleared all sessions time connect: Connect Time 1 ms time connect: Read Slot 1 ms time connect: connection status 1 ms time connnect: Begin transaction 1 ms CoolKey Select failed 0x6 CAC Cert 0: select CAC applet: 68 ms CAC Cert 0: fetch CAC Cert: 146 ms CAC Cert 0: Fetch rest : 639 ms CAC Cert 0: Cert has been read: 639 ms CAC Cert 0: Cert has been uncompressed: 640 ms CAC Cert 1: select CAC applet: 70 ms Connection Error = 0x80100003 cleared all sessions refreshTokenState: Failed to load objects. isTokenPresent, card state is 0x1 Finalizing...
Initialize called, hello 5 C_GetInfo called C_GetSlotList called calling IsConnected card changed cleared all sessions isTokenPresent, card state is 0x1 calling IsConnected card changed cleared all sessions time connect: Connect Time 64 ms time connect: Read Slot 64 ms time connect: connection status 64 ms time connnect: Begin transaction 64 ms CoolKey Select failed 0x6 CAC Cert 0: select CAC applet: 67 ms CAC Cert 0: fetch CAC Cert: 145 ms CAC Cert 0: Fetch rest : 637 ms CAC Cert 0: Cert has been read: 638 ms CAC Cert 0: Cert has been uncompressed: 638 ms CAC Cert 1: select CAC applet: 71 ms Connection Error = 0x0 cleared all sessions refreshTokenState: Failed to load objects. isTokenPresent, card state is 0x1 C_GetSlotList called calling IsConnected card changed cleared all sessions isTokenPresent, card state is 0x1 calling IsConnected card changed cleared all sessions time connect: Connect Time 1 ms time connect: Read Slot 1 ms time connect: connection status 1 ms time connnect: Begin transaction 1 ms CoolKey Select failed 0x6 CAC Cert 0: select CAC applet: 67 ms CAC Cert 0: fetch CAC Cert: 144 ms CAC Cert 0: Fetch rest : 638 ms CAC Cert 0: Cert has been read: 638 ms CAC Cert 0: Cert has been uncompressed: 638 ms CAC Cert 1: select CAC applet: 71 ms Connection Error = 0x80100003 cleared all sessions refreshTokenState: Failed to load objects. 
isTokenPresent, card state is 0x1 Called C_GetSlotInfo calling IsConnected card changed cleared all sessions isTokenPresent, card state is 0x1 Called C_GetSlotInfo calling IsConnected card changed cleared all sessions time connect: Connect Time 2 ms time connect: Read Slot 2 ms time connect: connection status 2 ms time connnect: Begin transaction 2 ms CoolKey Select failed 0x6 CAC Cert 0: select CAC applet: 67 ms CAC Cert 0: fetch CAC Cert: 145 ms CAC Cert 0: Fetch rest : 639 ms CAC Cert 0: Cert has been read: 639 ms CAC Cert 0: Cert has been uncompressed: 639 ms CAC Cert 1: select CAC applet: 71 ms Connection Error = 0x80100003 cleared all sessions refreshTokenState: Failed to load objects. isTokenPresent, card state is 0x1 Called C_GetSlotInfo calling IsConnected card changed cleared all sessions isTokenPresent, card state is 0x1 Called C_GetSlotInfo calling IsConnected card changed cleared all sessions time connect: Connect Time 1 ms time connect: Read Slot 1 ms time connect: connection status 1 ms time connnect: Begin transaction 1 ms CoolKey Select failed 0x6 CAC Cert 0: select CAC applet: 69 ms CAC Cert 0: fetch CAC Cert: 147 ms CAC Cert 0: Fetch rest : 640 ms CAC Cert 0: Cert has been read: 645 ms CAC Cert 0: Cert has been uncompressed: 646 ms CAC Cert 1: select CAC applet: 70 ms Connection Error = 0x80100003 cleared all sessions refreshTokenState: Failed to load objects. isTokenPresent, card state is 0x1
Attachment:
pcsd_while_inspect.out
Description: Binary data
Attachment:
usb_insertion_messages.out
Description: Binary data
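
Added example, not part of the original post: a small ISO/IEC 7816-3 decoder for the ATR that pcsc_scan printed above, re-deriving the interface bytes, the compact-TLV historical bytes and the TCK checksum so the token's ATR can be checked offline. The names `parse_atr` and `compact_tlv` are illustrative; the ATR string is copied from the post.

```python
from functools import reduce

# ATR copied from the pcsc_scan output in the post.
ATR_HEX = "3B FD 18 00 FF 80 B1 FE 45 1F 07 80 73 00 21 13 57 4A 54 48 61 31 47 00 5F"


def parse_atr(atr_hex):
    """Decode an ISO/IEC 7816-3 ATR into interface bytes, protocols, history, TCK."""
    atr = bytes.fromhex(atr_hex)
    if len(atr) < 2 or atr[0] not in (0x3B, 0x3F):
        raise ValueError("bad TS byte or ATR too short")
    y, hist_len = atr[1] >> 4, atr[1] & 0x0F   # T0 = Y(1) | K
    pos, level, interface, protocols = 2, 1, {}, []
    while True:
        for bit, name in enumerate("ABCD"):    # Y bits announce TA, TB, TC, TD
            if y & (1 << bit):
                if pos >= len(atr):
                    raise ValueError("truncated interface bytes")
                interface[f"T{name}({level})"] = atr[pos]
                pos += 1
        td = interface.get(f"TD({level})")
        if td is None:
            break
        protocols.append(td & 0x0F)            # T value (15 = global bytes follow)
        y, level = td >> 4, level + 1
    has_tck = any(t != 0 for t in protocols)   # TCK is absent for T=0-only cards
    if len(atr) != pos + hist_len + has_tck:
        raise ValueError("ATR length does not match T0/TD announcements")
    historical = atr[pos:pos + hist_len]
    # TCK makes the XOR of every byte from T0 through TCK equal zero.
    tck_ok = reduce(lambda a, b: a ^ b, atr[1:]) == 0 if has_tck else None
    return {"interface": interface, "protocols": protocols,
            "historical": historical, "tck_ok": tck_ok}


def compact_tlv(historical):
    """Split historical bytes (category indicator 0x80) into {tag: value}."""
    if not historical or historical[0] != 0x80:
        raise ValueError("historical bytes are not compact-TLV")
    objects, pos = {}, 1
    while pos < len(historical):
        tag, length = historical[pos] >> 4, historical[pos] & 0x0F
        objects[tag] = historical[pos + 1:pos + 1 + length]
        pos += 1 + length
    return objects


if __name__ == "__main__":
    info = parse_atr(ATR_HEX)
    print(info["protocols"], info["tck_ok"], compact_tlv(info["historical"]))
```
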