I also am having difficulty.
I used to have the key work 2 out of 3 times (every third time, it would fail) on 32 bit.
I have had the key work a single time on 64 bit.
Now, my 32 bit systems have failed, because of changes to the coolkey libraries, I suspect.
Since I am underutilised at work, I have been preparing my 32 and 64 bit systems for a serious debugging attempt (as well as reading up on the smart card protocols, refreshing debugging, learning the source, etc).
I will post any results, as I proceed (it's been a few years since I have done any serious debugging and I have to learn the smartcard protocols from scratch, so don't expect anything too soon).
...Lyall
On Mon, Feb 7, 2011 at 3:22 AM, guy zelck <gzelck@xxxxxxxxx> wrote:
Hi,
I haven't had much response to my previous posting "Coolkey use problems on opensuse 11.3 with latest coolkey & opensc packages", so here's another try.
I use ActivIdentity's Activkey Sim usb stick.
I switched to Fedora 14 to try my luck there but I still can't make pkcs11_inspect nor pkcs11_listcerts work. All I get is "no token available".
On an older system with Opensuse 11.0 (coolkey-1.1.0-79.1, pam_pkcs11-0.6.0-93.1) I am prompted for the device's password and get this :
[root@gz pam_pkcs11]# pkcs11_inspect debug
DEBUG:pam_config.c:208: Using config file /etc/pam_pkcs11/pam_pkcs11.conf
DEBUG:pam_config.c:94: Error parsing file /etc/pam_pkcs11/pam_pkcs11.conf
DEBUG:pam_config.c:298: argument pkcs11_listcerts is not supported by this module
DEBUG:pkcs11_lib.c:118: Initializing NSS ...
DEBUG:pkcs11_lib.c:128: Initializing NSS ... database=/etc/pam_pkcs11/nssdb
DEBUG:pkcs11_lib.c:146: ... NSS Complete
DEBUG:pkcs11_listcerts.c:64: loading pkcs #11 module...
DEBUG:pkcs11_listcerts.c:72: initialising pkcs #11 module...
PIN for token:
DEBUG:pkcs11_lib.c:47: PIN = [xxxxxxxx]
DEBUG:pkcs11_lib.c:528: cert 0: found (Guy Zelck:CAC ID Certificate), "E=guy.zelck@xxxxxx,CN=Guy Zelck,OU=VPN-WEB-H,OU=Employment Status - Employees,O=Hewlett-Packard Company"
DEBUG:pkcs11_listcerts.c:112: Found '1' certificate(s)
DEBUG:pkcs11_listcerts.c:117: Certificate #1:
DEBUG:pkcs11_listcerts.c:119: - Subject: E=guy.zelck@xxxxxx,CN=Guy Zelck,OU=VPN-WEB-H,OU=Employment Status - Employees,O=Hewlett-Packard Company
DEBUG:pkcs11_listcerts.c:121: - Issuer: CN=Hewlett-Packard Primary Class 2 Certification Authority,O=Hewlett-Packard Company,C=US,OU=IT Infrastructure,O=hp.com
DEBUG:pkcs11_listcerts.c:123: - Algorithm: PKCS #1 RSA Encryption
DEBUG:cert_vfy.c:32: Verifying Cert: Guy Zelck:CAC ID Certificate (E=guy.zelck@xxxxxx,CN=Guy Zelck,OU=VPN-WEB-H,OU=Employment Status - Employees,O=Hewlett-Packard Company)
DEBUG:pkcs11_listcerts.c:147: releasing pkcs #11 module...
DEBUG:pkcs11_listcerts.c:150: Process completed
On Fedora 14 I never get the prompt :
[root@gz pam_pkcs11]# pkcs11_inspect debug
DEBUG:pam_config.c:238: Using config file /etc/pam_pkcs11/pam_pkcs11.conf
DEBUG:pkcs11_lib.c:182: Initializing NSS ...
DEBUG:pkcs11_lib.c:192: Initializing NSS ... database=/etc/pki/nssdb
DEBUG:pkcs11_lib.c:210: ... NSS Complete
DEBUG:pkcs11_inspect.c:69: loading pkcs #11 module...
DEBUG:pkcs11_lib.c:222: Looking up module in list
DEBUG:pkcs11_lib.c:225: modList = 0x8f556f0 next = 0x8f63fa8
DEBUG:pkcs11_lib.c:226: dllName= <null>
DEBUG:pkcs11_lib.c:225: modList = 0x8f63fa8 next = 0x0
DEBUG:pkcs11_lib.c:226: dllName= /usr/lib/libcoolkeypk11.so
DEBUG:pkcs11_inspect.c:78: initialising pkcs #11 module...
DEBUG:pkcs11_inspect.c:95: no token available
The coolkey log :
[root@gz pam_pkcs11]# cat /tmp/coolkey.txt
Initialize called, hello 5
C_GetInfo called
C_GetSlotList called
calling IsConnected
card changed
cleared all sessions
time connect: Connect Time 0 ms
time connect: Read Slot 0 ms
time connect: connection status 0 ms
time connnect: Begin transaction 0 ms
CoolKey Select failed 0x6
CAC Cert 0: select CAC applet: 68 ms
CAC Cert 0: fetch CAC Cert: 146 ms
CAC Cert 0: Fetch rest : 60700 ms
CAC Cert 0: Cert has been read: 60700 ms
CAC Cert 0: Cert has been uncompressed: 60700 ms
CAC Cert 1: select CAC applet: 72 ms
Connection Error = 0x0
cleared all sessions
refreshTokenState: Failed to load objects.
isTokenPresent, card state is 0x1
C_GetSlotList called
calling IsConnected
card changed
cleared all sessions
time connect: Connect Time 0 ms
time connect: Read Slot 0 ms
time connect: connection status 0 ms
time connnect: Begin transaction 0 ms
CoolKey Select failed 0x6
CAC Cert 0: select CAC applet: 68 ms
CAC Cert 0: fetch CAC Cert: 146 ms
CAC Cert 0: Fetch rest : 639 ms
CAC Cert 0: Cert has been read: 639 ms
CAC Cert 0: Cert has been uncompressed: 639 ms
CAC Cert 1: select CAC applet: 70 ms
Connection Error = 0x80100003
cleared all sessions
refreshTokenState: Failed to load objects.
isTokenPresent, card state is 0x1
Called C_GetSlotInfo
calling IsConnected
card changed
cleared all sessions
time connect: Connect Time 0 ms
time connect: Read Slot 0 ms
time connect: connection status 1 ms
time connnect: Begin transaction 1 ms
CoolKey Select failed 0x6
CAC Cert 0: select CAC applet: 67 ms
CAC Cert 0: fetch CAC Cert: 146 ms
CAC Cert 0: Fetch rest : 639 ms
CAC Cert 0: Cert has been read: 639 ms
CAC Cert 0: Cert has been uncompressed: 639 ms
CAC Cert 1: select CAC applet: 71 ms
Connection Error = 0x80100003
cleared all sessions
refreshTokenState: Failed to load objects.
isTokenPresent, card state is 0x1
Called C_GetSlotInfo
calling IsConnected
card changed
cleared all sessions
time connect: Connect Time 1 ms
time connect: Read Slot 1 ms
time connect: connection status 1 ms
time connnect: Begin transaction 1 ms
CoolKey Select failed 0x6
CAC Cert 0: select CAC applet: 68 ms
CAC Cert 0: fetch CAC Cert: 146 ms
CAC Cert 0: Fetch rest : 639 ms
CAC Cert 0: Cert has been read: 639 ms
CAC Cert 0: Cert has been uncompressed: 639 ms
CAC Cert 1: select CAC applet: 72 ms
Connection Error = 0x80100003
cleared all sessions
refreshTokenState: Failed to load objects.
isTokenPresent, card state is 0x1
Called C_GetSlotInfo
calling IsConnected
card changed
cleared all sessions
time connect: Connect Time 0 ms
time connect: Read Slot 0 ms
time connect: connection status 1 ms
time connnect: Begin transaction 1 ms
CoolKey Select failed 0x6
CAC Cert 0: select CAC applet: 67 ms
CAC Cert 0: fetch CAC Cert: 145 ms
CAC Cert 0: Fetch rest : 635 ms
CAC Cert 0: Cert has been read: 635 ms
CAC Cert 0: Cert has been uncompressed: 636 ms
CAC Cert 1: select CAC applet: 71 ms
Connection Error = 0x80100003
cleared all sessions
refreshTokenState: Failed to load objects.
isTokenPresent, card state is 0x1
C_CloseAllSessions(0x1) called
Finalizing...
My pam_pkcs11.conf :
pkcs11_module coolkey {
module = /usr/lib/libcoolkeypk11.so;
description = "Cool Key"
# Slot-number to use. One for the first, two for the second and so
# on. The default value is zero which means to use the first slot
# with an available token.
slot_description = "Activkey Sim 00 00";
#slot_num = 0;
# Path to the directory where the CA certificates are stored. The
# directory must contain an openssl hash-link to each certificate.
# The default value is /etc/pam_pkcs11/cacerts.
#ca_dir = /etc/pam_pkcs11/cacerts;
ca_dir = /etc/pki/CA/cacerts;
nss_dir = /etc/pki/nssdb;
# Path to the directory where the CRLs are stored. The directory
# must contain an openssl hash-link to each CRL. The default value
# is /etc/pam_pkcs11/crls.
#crl_dir = /etc/pam_pkcs11/crls;
crl_dir = /etc/pki/CA/crls;
# Sets the Certificate verification policy.
# "none" Performs no verification
# "ca" Does CA check
# "crl_online" Downloads the CRL form the location given by the
# CRL distribution point extension of the certificate
# "crl_offline" Uses the locally stored CRLs
# "crl_auto" Is a combination of online and offline; it first
# tries to download the CRL from a possibly given CRL
# distribution point and if this fails, uses the local
# CRLs
# "ocsp_on" Turn on OCSP.
# "signature" Does also a signature check to ensure that private
# and public key matches
# You can use a combination of ca,crl, and signature flags, or just
# use "none".
#cert_policy=ca, signature;
cert_policy=none;
}
Can anybody help?
Cheers,
Guy.
_______________________________________________
Coolkey-devel mailing list
Coolkey-devel@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/coolkey-devel
--
...Lyall