Picon

Decrypt with private key

Hi, a have file encrypted file with public key and want to decrypt with private key of my smartcard. I tried this command but it fail.

$ pkcs11-tool --module /usr/lib/watchdata/ICP/lib/libwdpkcs_icp.so -l --pin MYPASSWD -m RSA-X-509 --usage-decrypt --id 10 -i /tmp/a -o /tmp/b

What's wrong? How to do that?

Some data:
$ pkcs11-tool --module /usr/lib/watchdata/ICP/lib/libwdpkcs_icp.so -l --pin MYPASSWD -O
Using slot 0 with a present token (0x1)
Private Key Object; RSA
  label:     
  ID:         28313232393537302920454d4d414e55454c204e415a4152454e4f204445204c494d4120464552524f
  Usage:      decrypt, sign, unwrap
warning: PKCS11 function C_GetAttributeValue(ALWAYS_AUTHENTICATE) failed: rv = CKR_ATTRIBUTE_TYPE_INVALID (0x12)

Private Key Object; RSA
  label:     
  ID:         10
  Usage:      decrypt, sign, unwrap
warning: PKCS11 function C_GetAttributeValue(ALWAYS_AUTHENTICATE) failed: rv = CKR_ATTRIBUTE_TYPE_INVALID (0x12)

Private Key Object; RSA
  label:     
  ID:         10
  Usage:      decrypt, sign, unwrap
warning: PKCS11 function C_GetAttributeValue(ALWAYS_AUTHENTICATE) failed: rv = CKR_ATTRIBUTE_TYPE_INVALID (0x12)

Private Key Object; RSA
  label:     
  ID:         10
  Usage:      decrypt, sign, unwrap
warning: PKCS11 function C_GetAttributeValue(ALWAYS_AUTHENTICATE) failed: rv = CKR_ATTRIBUTE_TYPE_INVALID (0x12)

Private Key Object; RSA
  label:     
  ID:         10
  Usage:      decrypt, sign, unwrap
warning: PKCS11 function C_GetAttributeValue(ALWAYS_AUTHENTICATE) failed: rv = CKR_ATTRIBUTE_TYPE_INVALID (0x12)

Private Key Object; RSA
  label:     
  ID:         10
  Usage:      decrypt, sign, unwrap
warning: PKCS11 function C_GetAttributeValue(ALWAYS_AUTHENTICATE) failed: rv = CKR_ATTRIBUTE_TYPE_INVALID (0x12)

Public Key Object; RSA 2048 bits
  label:     
  Usage:      encrypt, verify, wrap
Certificate Object, type = X.509 cert
  label:      (1229570) EMMANUEL NAZARENO DE LIMA FERRO
  ID:         28313232393537302920454d4d414e55454c204e415a4152454e4f204445204c494d4120464552524f
Public Key Object; RSA 1024 bits
  label:     
  ID:         10
  Usage:      encrypt, verify, wrap
Public Key Object; RSA 1024 bits
  label:     
  ID:         10
  Usage:      encrypt, verify, wrap
Public Key Object; RSA 1024 bits
  label:     
  ID:         10
  Usage:      encrypt, verify, wrap
Public Key Object; RSA 1024 bits
  label:     
  ID:         10
  Usage:      encrypt, verify, wrap
Public Key Object; RSA 1024 bits
  label:     
  ID:         10
  Usage:      encrypt, verify, wrap

$ pkcs11-tool --module /usr/lib/watchdata/ICP/lib/libwdpkcs_icp.so -l --pin MYPASSWD -M
Using slot 0 with a present token (0x1)
Supported mechanisms:
  RSA-PKCS-KEY-PAIR-GEN, keySize={1024,1024}, hw, generate_key_pair
  DES-KEY-GEN, hw, generate
  AES-KEY-GEN, hw, generate
  mechtype-2147483649, hw, generate
  DES3-KEY-GEN, hw, generate
  RSA-PKCS, keySize={1024,1024}, hw, encrypt, decrypt, sign, sign_recover, verify, verify_recover, wrap, unwrap
  RSA-X-509, keySize={1024,1024}, hw, encrypt, decrypt, sign, sign_recover, verify, verify_recover, wrap, unwrap
  MD2-RSA-PKCS, keySize={512,2048}, hw, sign, verify
  MD5-RSA-PKCS, keySize={512,2048}, hw, sign, verify
  SHA1-RSA-PKCS, keySize={512,2048}, hw, sign, verify
  SHA256-RSA-PKCS, keySize={512,2048}, hw, sign, verify
  DES-ECB, hw, encrypt, decrypt, wrap, unwrap
  DES-CBC, hw, encrypt, decrypt, wrap, unwrap
  DES-CBC-PAD, hw, encrypt, decrypt, wrap, unwrap
  mechtype-2147483650, hw, encrypt, decrypt, wrap, unwrap
  mechtype-2147483651, hw, encrypt, decrypt, wrap, unwrap
  mechtype-2147483652, hw, encrypt, decrypt, wrap, unwrap
  mechtype-2147483655, hw, encrypt, decrypt, wrap, unwrap
  mechtype-2147483656, hw, encrypt, decrypt, wrap, unwrap
  mechtype-2147483657, hw, encrypt, decrypt, wrap, unwrap
  AES-ECB, hw, encrypt, decrypt, wrap, unwrap
  AES-CBC, hw, encrypt, decrypt, wrap, unwrap
  AES-CBC-PAD, hw, encrypt, decrypt, wrap, unwrap
  DES3-ECB, hw, encrypt, decrypt, wrap, unwrap
  DES3-CBC, hw, encrypt, decrypt, wrap, unwrap
  DES3-CBC-PAD, hw, encrypt, decrypt, wrap, unwrap
  SHA-1, hw, digest
  SHA-1-HMAC, hw, sign, verify
  SHA-1-HMAC-GENERAL, hw, sign, verify
  MD2, hw, digest
  MD2-HMAC, hw, sign, verify
  MD2-HMAC-GENERAL, hw, sign, verify
  MD5, hw, digest
  MD5-HMAC, hw, sign, verify
  MD5-HMAC-GENERAL, hw, sign, verify
  SSL3-PRE-MASTER-KEY-GEN, keySize={48,48}, hw, generate
  SSL3-MASTER-KEY-DERIVE, keySize={48,48}, hw, derive
  SSL3-KEY-AND-MAC-DERIVE, keySize={48,48}, hw, derive
  SSL3-MD5-MAC, keySize={384,384}, hw, sign, verify
  SSL3-SHA1-MAC, keySize={384,384}, hw, sign, verify
  SHA256, hw, digest
  mechtype-593, hw, sign, verify
  mechtype-594, hw, sign, verify



--
--
“Se você quer ir rápido, vá sozinho. Se quer ir longe, vá acompanhado." (provérbio africano)
--------------------------------------------------------------------------------
Emmanuel Ferro
SERPRO - Escritório São Luís
SUPOP/OPFLA/OPSLS
Comitê Regional de Software Livre
--------------------------------------------------------------------------------


-


"Esta mensagem do SERVIÇO FEDERAL DE PROCESSAMENTO DE DADOS (SERPRO), empresa pública federal regida pelo disposto na Lei Federal nº 5.615, é enviada exclusivamente a seu destinatário e pode conter informações confidenciais, protegidas por sigilo profissional. Sua utilização desautorizada é ilegal e sujeita o infrator às penas da lei. Se você a recebeu indevidamente, queira, por gentileza, reenviá-la ao emitente, esclarecendo o equívoco."

"This message from SERVIÇO FEDERAL DE PROCESSAMENTO DE DADOS (SERPRO) -- a government company established under Brazilian law (5.615/70) -- is directed exclusively to its addressee and may contain confidential data, protected under professional secrecy rules. Its unauthorized use is illegal and may subject the transgressor to the law's penalties. If you're not the addressee, please send it back, elucidating the failure."
------------------------------------------------------------------------------
Monitor Your Dynamic Infrastructure at Any Scale With Datadog!
Get real-time metrics from all of your servers, apps and tools
in one place.
SourceForge users - Click here to start your Free Trial of Datadog now!
http://pubads.g.doubleclick.net/gampad/clk?id=241902991&iu=/4140
_______________________________________________
Opensc-devel mailing list
Opensc-devel <at> lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/opensc-devel
Douglas E Engert | 1 Sep 17:52 2015
Picon

Yubico Neo with OpenPGP and PIV applets

There has been a discussion among the OpenSC developers on how to support the Neo with the PIV application
and the OpenPGP applications.

https://github.com/OpenSC/OpenSC/pull/507

https://github.com/OpenSC/OpenSC/issues/538

Some of the issues include:

How does Yubico see the Neo being used if it has both a PIV and OpenPGP application?
Is one default?
How is the default set?
Can the default be set on the card?

The Neo presents the same ATR for both. The Neo does not take advantage of the ATR Historical bytes.

Are there end users who want to use both, at the same time?

Has Yubico look at presenting the Neo as two devices on the UCB bus with a different ATRs for the
OpenPGP and PIV applications? (Historical bytes including the AID?)

The OpenSC PIV drivers checks for the PIV AID. The OpenSC OpenPGP driver has not, but issue #507 is trying to
address this.

The OpenSC developer community consists mostly of individual developers or companies that are
interested in only one card or application.
Very few have the ability to test more then a few cards with their favorite application or how modifications
to OpenSC affect other
cards or other applications they don't have.

Does Yubico developers follow the OpenSC discussions?
Do they test OpenSC with their devices?

I would like to hear from Yubico on these issues.
Either on the OpenSC-devel list or via comments on the above Gihhub issues.

Thanks.

--

-- 

  Douglas E. Engert  <DEEngert <at> gmail.com>

------------------------------------------------------------------------------
Douglas E Engert | 1 Sep 17:43 2015
Picon

Yubico Neo with OpenPGP and PIV applets

There has been a discussion among the OpenSC developers on how to support the Neo with the PIV application
and the OpenPGP applications.

https://github.com/OpenSC/OpenSC/pull/507

https://github.com/OpenSC/OpenSC/issues/538

Some of the issues include:

How does Yubico see the Neo being used if it has both a PIV and OpenPGP application?
Is one default?
How is the default set?
Can the default be set on the card?

The Neo presents the same ATR for both. The Neo does not take advantage of the ATR Historical bytes.

Are there end users who want to use both, at the same time?

Has Yubico look at presenting the Neo as two devices on the UCB bus with a different ATRs for the
OpenPGP and PIV applications? (Historical bytes including the AID?)

The OpenSC PIV drivers checks for the PIV AID. The OpenSC OpenPGP driver has not, but issue #507 is trying to
address this.

The OpenSC developer community consists mostly of individual developers or companies that are
interested in only one card or application.
Very few have the ability to test more then a few cards with their favorite application or how modifications
to OpenSC affect other
cards or other applications they don't have.

Does Yubico developers follow the OpenSC discussions?
Do they test OpenSC with their devices?

I would like to hear from Yubico on these issues.
Either on the OpenSC-devel list or via comments on the above Gihhub issues.

Thanks.

--

-- 

  Douglas E. Engert  <DEEngert <at> gmail.com>

------------------------------------------------------------------------------
Douglas E Engert | 1 Sep 15:14 2015
Picon

Yubico Neo with OpenPGP and PIV applets

There has been a discussion among the OpenSC developers on how to support the Neo with the PIV application
and the OpenPGP applications.

https://github.com/OpenSC/OpenSC/pull/507

https://github.com/OpenSC/OpenSC/issues/538

Some of the issues include:

How does Yubico see the Neo being used if it has both a PIV and OpenPGP application?
Is one default?
How is the default set?
Can the default be set on the card?

The Neo presents the same ATR for both. The Neo does not take advantage of the ATR Historical bytes.

Are there end users who want to use both, at the same time?

Has Yubico look at presenting the Neo as two devices on the UCB bus with a different ATRs for the
OpenPGP and PIV applications? (Historical bytes including the AID?)

The OpenSC PIV drivers checks for the PIV AID. The OpenSC OpenPGP driver has not, but issue #507 is trying to
address this.

The OpenSC developer community consists mostly of individual developers or companies that are
interested in only one card or application.
Very few have the ability to test more then a few cards with their favorite application or how modifications
to OpenSC affect other
cards or other applications they don't have.

Does Yubico developers follow the OpenSC discussions?
Do they test OpenSC with their devices?

I would like to hear from Yubico on these issues.
Either on the OpenSC-devel list or via comments on the above Gihhub issues.

Thanks.

--

-- 

  Douglas E. Engert  <DEEngert <at> gmail.com>

------------------------------------------------------------------------------
Nikos Mavrogiannopoulos | 24 Aug 10:15 2015
Picon

libp11 + engine_pkcs11

Hello,
 These two projects had several years to have a release and as it is
now distributions ship versions of it with various different patches
applied each, enabling different features each. Fortunately (or not)
there is popular software depending on engine_pkcs11 (and thus
libp11), making these two libraries quite important. I've opened [0]
and [1], but I'm not sure whether there is any developer active on
these components. If there is, would it be possible to have a release
on these components? Otherwise,  would it make sense to mark these
projects as obsolete or abandonware so that no new projects start
depending on them?

regards,
Nikos

[0]. https://github.com/OpenSC/libp11/issues/20
[1]. https://github.com/OpenSC/engine_pkcs11/issues/18

------------------------------------------------------------------------------
Martin Paljak | 23 Aug 23:15 2015
Picon

www.opensc-project.org website

Hello,

I created a repository for hosting static content with Github pages and
will forward the domain as well after some discussion here.

My proposal would be to make a "landing page" for OpenSC (a visually
more appealing version of https://github.com/OpenSC/OpenSC/releases)

Any thoughts?

Martin

------------------------------------------------------------------------------
Bruno Bonfils | 15 Aug 18:58 2015
Picon

about ePass2003 token

Hello folks,

I just bougth some ePass2003 tokens but I screw one of them by trying to
reformat it with a SO-Pin.

By chance, anyone have a copy of [1]?

And by the way, the profile epass2003 in OpenSC 0.15 (Debian Sid) gave
me the following error:

0x7f7a6d7eb700 23:40:58.040 [pkcs15-init] profile.c:2453:parse_error:
/usr/share/opensc/epass2003.profile: No path/fileid set for parent DF

Should I fill a bug?

Thanks

[1] http://download.gooze.eu/pki/feitian/epass-2003/fix_tool.tar.gz

--

-- 
http://asyd.net/home/    - Home Page
http://netvibes.com/asyd - Portal

------------------------------------------------------------------------------
Douglas E Engert | 2 Aug 20:59 2015
Picon

OpenSC Github Pull Requests and Jenkins builds for Windows

Github used to show both Jenkins and Travis-ci checks for a pull request.
Today it is only showing the travis-ci.

The ability for a developer to submit a pull request and get a windows MSI file for testing is a big advantage to
doing self testing without having to have a full windows build environment.

What happened to the Jenkins checks?

For pull requests, it looks Jenkins was working as of July 27:

     https://opensc.fr/jenkins/view/OpenSC-pull-request/
     https://opensc.fr/jenkins/view/OpenSC-pull-request/job/OpenSC-pr-win64/

     https://github.com/OpenSC/OpenSC/pull/483
     Shows:
      All checks have passed
     2 successful checks

Clicking on "Show All Requests":
   continuous-integration/travis-ci/pr  — The Travis CI build passed     Details
   default  — Merged build finished.    Details

The last Details points at:
https://opensc.fr/jenkins/job/OpenSC-pr-master/573/

--

-- 

  Douglas E. Engert  <DEEngert <at> gmail.com>

------------------------------------------------------------------------------
_______________________________________________
Opensc-devel mailing list
Opensc-devel <at> lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/opensc-devel
J.Witvliet | 16 Jul 14:10 2015
Picon

Re: Fwd: Smart Card support

Question remains _if_ you want to use the ssh-keys directly from openssh....

In the commercial version of openssh you seems to be able to use the entire openssl-tool chain for key's and certificates
And there used to be a patch for the community version of openssh (Roumen Petrov) with the possibility of tokens/smartcards
See: http://roumenpetrov.info/openssh latest patch version: 1 jul 2015, so it is still maintained.

Hw

-----Original Message-----
From: Douglas E Engert [mailto:deengert <at> gmail.com] 
Sent: donderdag 16 juli 2015 13:39
To: OpenSC-devel
Subject: [Opensc-devel] Fwd: Smart Card support

OpenSC developers may wish to comment on this OpenSSH note.

-------- Forwarded Message --------
Subject: Smart Card support
Date: Thu, 16 Jul 2015 10:37:10 +0200
From: Jakub Jelen <jjelen <at> redhat.com>
To: openssh-unix-dev <at> mindrot.org

Hi all,
I was investigating openssh functionality with Smart Cards of different types from different vendors and
there appeared few problems that would be great if they would be solved before 7.0 release. I filled bugs
for them to keep track of them in openssh bugzilla

Bug 2427 - ssh keygen is trying to read uninitialized slots on smart card (and is failing) [1] Bug 2429 -
ssh-keygen ignores keys that have CKA_ID == 0 [2] Bug 2430 - ssh-keygen should allow to login before
reading public key from smart card [3]

Is there somebody who would be able to review the proposed changes and comment on the last one, what solution
would be better? Then I can propose also some patch.

[1] https://bugzilla.mindrot.org/show_bug.cgi?id=2427
[2] https://bugzilla.mindrot.org/show_bug.cgi?id=2429
[3] https://bugzilla.mindrot.org/show_bug.cgi?id=2430

Best regards,

--
Jakub Jelen
Security Technologies
Red Hat

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev <at> mindrot.org
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev

------------------------------------------------------------------------------
Don't Limit Your Business. Reach for the Cloud.
GigeNET's Cloud Solutions provide you with the tools and support that you need to offload your IT needs and
focus on growing your business.
Configured For All Businesses. Start Your Cloud Today.
https://www.gigenetcloud.com/
_______________________________________________
Opensc-devel mailing list
Opensc-devel <at> lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/opensc-devel

______________________________________________________________________
Dit bericht kan informatie bevatten die niet voor u is bestemd. Indien u niet de geadresseerde bent of dit
bericht abusievelijk aan u is toegezonden, wordt u verzocht dat aan de afzender te melden en het bericht te
verwijderen. De Staat aanvaardt geen aansprakelijkheid voor schade, van welke aard ook, die verband
houdt met risico's verbonden aan het electronisch verzenden van berichten.

This message may contain information that is not intended for you. If you are not the addressee or if this
message was sent to you by mistake, you are requested to inform the sender and delete the message. The State
accepts no liability for damage of any kind resulting from the risks inherent in the electronic
transmission of messages.

------------------------------------------------------------------------------
Don't Limit Your Business. Reach for the Cloud.
GigeNET's Cloud Solutions provide you with the tools and support that
you need to offload your IT needs and focus on growing your business.
Configured For All Businesses. Start Your Cloud Today.
https://www.gigenetcloud.com/
Andrea Dell'Anna | 7 Jul 12:55 2015
Picon

x509 cert aliases loading problems using opensc-pkcs11.so

Goodmorning everyone.

I'm writing my first message here so I hope it's the right place to do it.
I'm a java developer writing a program for Ubuntu and I need to access to my Athena smartcard pkcs11 features using opensc-pkcs11.so driver.

There are two x509 certs into the smartcard:
-One is for "non-repudiation" key usage (digital signature)
-the other one is for "Critical" "Signing" "Key Encipherment" (web authentication and encryption)

The sun.security.pkcs11.SunPKCS11 provider is loaded with no problem using the opensc-pkcs11.so driver.
When I load the pkcs11 keystore and I list all the aliases, my code is able to see JUST the alias with "Critical" "Signing" "Key Encipherment" (web authentication and encryption) x509 cert, NOT THE NON-REPUDIATION ONE!!

If I load the pksc11 keystore using the Athena's smartcard Proprietary driver (/lib64/libASEP11.so), my code is able to load all my smartcard keystore aliases.

I tried with some other smartcard produced by different vendors (Incard and Siemens). I'm always able to load the sun.security.pkcs11.SunPKCS11 provider using opensc-pkcs11.so.
But I'm able to see the non-repudiation x509 cert only using the proprietary smartcard driver. Why?

Why I'm not able to load the "non-repudiation" key usage x509 cert using
opensc-pkcs11.so?
------------------------------------------------------------------------------
Don't Limit Your Business. Reach for the Cloud.
GigeNET's Cloud Solutions provide you with the tools and support that
you need to offload your IT needs and focus on growing your business.
Configured For All Businesses. Start Your Cloud Today.
https://www.gigenetcloud.com/
_______________________________________________
Opensc-devel mailing list
Opensc-devel <at> lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/opensc-devel
Frank Morgner | 6 Jul 11:25 2015
Picon

Re: C_Login returns CKR_GENERAL_ERROR / SCardBeginTransaction failed: 0x8010001d


Yes, this would at least resolve the memory handling. However, the second copy of the handle would still be
useless though release has never been called by the second client.

Do you know how this is solved in Apple's implementation?

Am 6. Juli 2015 09:27:09 MESZ, schrieb Ludovic Rousseau <ludovic.rousseau <at> gmail.com>:
>2015-07-06 2:07 GMT+02:00 Frank Morgner
><morgner <at> informatik.hu-berlin.de>:
>> I think we have two problems here:
>>
>> 1. The only thing we should do is freeing the memory which gets
>copied
>>    into the child's address space. And that's where I think we have a
>>    problem in pcsc-lite:
>>
>>    I don't know the inner workings of pcsc-lite but I suppose when
>>    calling SCardEstablishContext there will be some memory that can
>only
>>    be free'd by calling SCardReleaseContext. This memory will exist
>in
>>    the parent's and in the child's address space. But with David's
>log
>>    it looks like pcsc-lite has a sanity check that disallows freeing
>the
>>    same handle twice in SCardReleaseContext.
>
>You are right.
>pcsc-lite allocates some memory on the client side and also on the
>server side.
>After a fork the memory on the client side is duplicated, but nothing
>changes on the server side.
>
>Calling SCardReleaseContext will release the memory on 1 client and on
>the server.
>A second call to SCardReleaseContext will try to free resources on the
>server side but the server will then return an error (resources
>already freed). The memory on the client side will then NOT be freed.
>
>I can change the pcsc-lite code to free memory on the client side
>first before asking the server to free its memory. With this change a
>second call to SCardReleaseContext would still return an error but the
>memory on the client would be freed.
>
>That would solve a memory leak when fork() is used.
>I created a ticket
>https://alioth.debian.org/tracker/index.php?func=detail&aid=315106&group_id=30105&atid=410085
>
>Bye
>
>-- 
> Dr. Ludovic Rousseau
>
>------------------------------------------------------------------------------
>Don't Limit Your Business. Reach for the Cloud.
>GigeNET's Cloud Solutions provide you with the tools and support that
>you need to offload your IT needs and focus on growing your business.
>Configured For All Businesses. Start Your Cloud Today.
>https://www.gigenetcloud.com/
>_______________________________________________
>Opensc-devel mailing list
>Opensc-devel <at> lists.sourceforge.net
>https://lists.sourceforge.net/lists/listinfo/opensc-devel

-- 
Frank Morgner
--

-- 
Frank Morgner

------------------------------------------------------------------------------
Don't Limit Your Business. Reach for the Cloud.
GigeNET's Cloud Solutions provide you with the tools and support that
you need to offload your IT needs and focus on growing your business.
Configured For All Businesses. Start Your Cloud Today.
https://www.gigenetcloud.com/

Gmane