Re: [gdm-list] Cannot get /usr/local/lib/opensc-pkcs11.so to work with gdm-smartcard-worker.



Hey Ray,

Thanks for the quick answer.

>> Ah, I've never tried opensc with pam_pkcs11
What is the recommended way? I thought I needed opensc here to communicate with my card?

>> Okay, that should work if you're using the multi-stack branch (which you must be if insertion is working...)
Yeah, that's the one I use.

>> Yea the slot id can't be 0. Something must have gone awry.
Ah ok, yeah, something was fishy with that version of opensc, now using the latest (the "returning with: Unsupported INS byte in APDU" is now gone).

And without having done anything to the gdm-smartcard-worker code, this is my output.

*** DEBUG: watching for smartcard insertion and removal events
*** DEBUG: initializing smartcard manager
*** DEBUG: attempting to load NSS database '/etc/pki/nssdb'
*** DEBUG: NSS database sucessfully loaded
*** DEBUG: attempting to load driver...
*** DEBUG: loading smartcard driver using spec 'library="/usr/lib64/pkcs11/libcoolkeypk11.so"'
*** DEBUG: waiting for card event
*** DEBUG: initializing smartcard
*** DEBUG: smartcard manager started
*** DEBUG: got spurious remove event
*** DEBUG: waiting for card event

# Pulled out the card....
*** DEBUG: got spurious remove event
*** DEBUG: waiting for card event

# inserted the card...
*** DEBUG: got spurious remove event
*** DEBUG: waiting for card event

# Pulled it out again.....
*** DEBUG: got spurious remove event
*** DEBUG: waiting for card event

Question is, gdm-smartcard-worker here says that the NSS db was successfully loaded, but it still loads libcoolkeypk11.so, is that right? I figure coolkeypk11 didn't play nice with my card, since it's not a coolkey card. (I'm not really read up on this area so correct me if I'm wrong, but we use SetCOS on our cards, therefore I use opensc instead....) So I removed /usr/lib64/pkcs11/libcoolkeypk11.so and made a symlink to /usr/local/lib/opensc-pkcs11.so instead (just to not recompile and change it there).

Here's the output of that experiment,

*** DEBUG: watching for smartcard insertion and removal events
*** DEBUG: initializing smartcard manager
*** DEBUG: attempting to load NSS database '/etc/pki/nssdb'
*** DEBUG: NSS database sucessfully loaded
*** DEBUG: attempting to load driver...
*** DEBUG: loading smartcard driver using spec 'library="/usr/lib64/pkcs11/libcoolkeypk11.so"'
*** DEBUG: waiting for card event
*** DEBUG: initializing smartcard
*** DEBUG: initializing smartcard
*** DEBUG: initializing smartcard
*** DEBUG: initializing smartcard
*** DEBUG: initializing smartcard
*** DEBUG: smartcard manager started
*** DEBUG: could not process card event - encountered unexpected error while waiting for smartcard events

Clearly it seems to load that module instead, but it seems like some other issue here... Any ideas?

>> That's only a fallback.  Normally, the procedure is to register the pkcs11 driver in the secmod database in /etc/pki/nssdb using pk11install.  Packages should be doing this in their %post scripts.
>> Then the smartcard worker will automatically pick it up.

Well, I manually registered the opensc library to the secmod database, using the modutil command as follows,
$ /usr/bin/modutil -force -dbdir /etc/pki/nssdb -add OpenSC -libfile /usr/local/lib/opensc-pkcs11.so

>> Ah, are you using RHEL 6?
Yes, the beta 2-refresh release.

Here's the output of the secmod,
$ /usr/bin/modutil -list -dbdir /etc/pki/nssdb/

Listing of PKCS #11 Modules
-----------------------------------------------------------
  1. NSS Internal PKCS #11 Module
     slots: 2 slots attached
    status: loaded

     slot: NSS Internal Cryptographic Services
    token: NSS Generic Crypto Services

     slot: NSS User Private Key and Certificate Services
    token: NSS Certificate DB

  2. OpenSC
    library name: /usr/local/lib/opensc-pkcs11.so
     slots: 5 slots attached
    status: loaded

     slot: Virtual hotplug slot
    token:

     slot: OmniKey CardMan 3121 01 00
    token: Instant EID IP8 (identification)

     slot: OmniKey CardMan 3121 01 00
    token: Instant EID IP8 (signature)

     slot: OmniKey CardMan 3121 01 00
    token: Instant EID IP8

     slot: OmniKey CardMan 3121 01 00
    token:

>> Do you know if the smartcard worker is crashing as soon as you insert the card? or is it crashing right after you remove the card?
With the latest opensc, gdm-smartcard-worker doesn't crash... It just doesn't work as expected; the only thing I see there is the output I pasted earlier in this message.

I appreciate all the help I can get, it would be really nice to have this working as expected....

/Patrik Martinsson,
Sweden.
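As an added example (not part of Patrik's or Ray's messages, and not gdm, OpenSC or NSS code), the following Python script parses the text format that `modutil -list` prints, as shown above, and checks whether a given PKCS#11 library is registered in the secmod database, reports `status: loaded`, and actually has slots attached. The point of the check is the one Ray makes: the worker only falls back to the compiled-in library when nothing is registered, so a deployment script can verify the registration instead of guessing from the worker's debug output. The embedded listing is constructed from the one in the thread; `run_modutil_list` shells out to the real tool with the same `-list -dbdir` flags used above and is not needed for the embedded sample.

```python
import re
import subprocess
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: a 'modutil -list' listing modelled on the one in the thread.
SAMPLE_LISTING = """\
Listing of PKCS #11 Modules
-----------------------------------------------------------
  1. NSS Internal PKCS #11 Module
     slots: 2 slots attached
    status: loaded

     slot: NSS Internal Cryptographic Services
    token: NSS Generic Crypto Services

     slot: NSS User Private Key and Certificate Services
    token: NSS Certificate DB

  2. OpenSC
    library name: /usr/local/lib/opensc-pkcs11.so
     slots: 4 slots attached
    status: loaded

     slot: Virtual hotplug slot
    token:

     slot: OmniKey CardMan 3121 01 00
    token: Instant EID IP8 (identification)

     slot: OmniKey CardMan 3121 01 00
    token: Instant EID IP8 (signature)

     slot: OmniKey CardMan 3121 01 00
    token: Instant EID IP8
"""


@dataclass
class Slot:
    name: str
    token: Optional[str] = None  # None when the slot reports an empty token (no card)


@dataclass
class Module:
    name: str
    library: Optional[str] = None  # None for the NSS internal module
    status: Optional[str] = None
    slot_count: int = 0
    slots: List[Slot] = field(default_factory=list)


MODULE_RE = re.compile(r"^\s*\d+\.\s+(.+?)\s*$")   # e.g. "  2. OpenSC"
KV_RE = re.compile(r"^\s*([a-z ]+):\s*(.*?)\s*$")  # e.g. "    status: loaded"


def parse_modutil_listing(text: str) -> List[Module]:
    """Turn modutil's indented text listing into Module objects."""
    modules: List[Module] = []
    for line in text.splitlines():
        m = MODULE_RE.match(line)
        if m:
            modules.append(Module(name=m.group(1)))
            continue
        kv = KV_RE.match(line)
        if not kv or not modules:
            continue  # heading, ruler, blank line, or text before the first module
        key, value = kv.groups()
        mod = modules[-1]
        if key == "library name":
            mod.library = value
        elif key == "status":
            mod.status = value
        elif key == "slots":
            mod.slot_count = int(value.split()[0])  # "4 slots attached" -> 4
        elif key == "slot":
            mod.slots.append(Slot(name=value))
        elif key == "token" and mod.slots:
            mod.slots[-1].token = value or None
    return modules


def check_pkcs11_registration(listing: str, library_path: str) -> List[str]:
    """Return problems found for library_path; an empty list means it looks usable."""
    mod = next((m for m in parse_modutil_listing(listing) if m.library == library_path), None)
    if mod is None:
        return [f"{library_path} is not registered in the secmod database"]
    problems = []
    if mod.status != "loaded":
        problems.append(f"{mod.name}: status is {mod.status!r}, expected 'loaded'")
    if mod.slot_count == 0 or not mod.slots:
        problems.append(f"{mod.name}: no slots attached")
    elif not any(s.token for s in mod.slots):
        problems.append(f"{mod.name}: no slot reports a token (no card in a reader?)")
    return problems


def run_modutil_list(dbdir: str = "/etc/pki/nssdb") -> str:
    """Fetch a live listing with the same flags used in the thread (not used by the sample)."""
    return subprocess.run(["/usr/bin/modutil", "-list", "-dbdir", dbdir],
                          capture_output=True, text=True, check=True).stdout
```

Running `check_pkcs11_registration(run_modutil_list(), "/usr/local/lib/opensc-pkcs11.so")` on a host where only the fallback library is used returns the "not registered" problem, which is the situation the first two debug logs above describe.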



On 08/24/2010 04:35 PM, Ray Strode wrote:
Hi,

> I'm trying to use the opensc-pkcs11 module together with our smart-cards,
> I've successfully managed to use it together with pam_pkcs11. pkcs11_inspect
> and login work. (The login part works with gdm, but that's not the issue)
Ah, I've never tried opensc with pam_pkcs11

> When I insert my card the first time (or if it's inserted when gdm starts) I
> successfully get asked about my PIN, this is what you would expect. However
> if I remove my smart-card without typing my PIN I would assume that gdm
> detects this and throws me back to the initial login (where I can choose
> between smartcard & other), that's the part that doesn't work.
Okay, that should work if you're using the multi-stack branch (which
you must be if insertion is working...)


> I ran gdm-smart-card-worker from the terminal and attached the log-file.
> You can see at the end of the log that gdm-smart-card-worker is expecting
> slot_id not to be 0, which it is in my case, don't really know why (if that is
> normal or if my setup is wrong), I've also posted this on the opensc list
> to see if they have an idea.
Yea the slot id can't be 0.  Something must have gone awry.

> I added the code if (slot_id == 0) {slot_id = 1}; just to see how
> gdm-smart-card-worker reacted, it didn't die and actually reported that it
> detected each insert/removal, however gdm didn't do anything different
> (throw me back to the "initial" login screen when the card is being removed etc).
That's odd.

> I would really like to have this working. Earlier we used a module from our
> card vendor together with gdm (with a small hack I did myself to get it working),
> however due to their negligent and incompetent support, I would like to use
> the opensc driver instead.
>
> I'm able to test any suggestions/patches or whatever that's necessary to get
> this working as expected.

> Two questions directly come to my mind,
> # 1, Smartcard driver using spec 'library=/foo/' is configured at compile
> time, right? This should really be configurable at run time, shouldn't it?
> Not everyone is using the libcoolkeypk11.so that is used as default, or am I
> wrong?
That's only a fallback.  Normally, the procedure is to register the
pkcs11 driver in the secmod database in /etc/pki/nssdb using
pk11install.  Packages should be doing this in their %post scripts.

Then the smartcard worker will automatically pick it up.

> # 2, Wouldn't it be a good idea to remove the smart-card patch (and others
> too) from the huuuge multistack patch? I'm no programmer so I don't know if
> there is a specific reason for why it's like this, but I find it rather hard
> to work with, but again, maybe there is a reason for this.
Well, there's no good way to "upstream" the smartcard work cleanly
without a plugin system.  The multistack patch adds the plugin system.
We need to merge the multistack work to master, but it's not ready
yet.

It is a bit painful, but it's temporary.

> I don't really know if gdm-plugin-smartcard is a part of gdm or if that is
> something that's been added by Red Hat, however I posted a bug about this on
> their bugzilla, https://bugzilla.redhat.com/show_bug.cgi?id=626744 .
Ah, are you using RHEL 6?

In your log I see this:

[opensc-pkcs11] iso7816.c:99:iso7816_check_sw: Instruction code not
supported or invalid
[opensc-pkcs11] card.c:588:sc_get_challenge: returning with:
Unsupported INS byte in APDU
[opensc-pkcs11] misc.c:80:sc_to_cryptoki_error: opensc error:
Unsupported INS byte in APDU (-1204)
[opensc-pkcs11] pkcs11-object.c:237:C_FindObjectsInit:
C_FindObjectsInit(slot = 1)
[opensc-pkcs11] pkcs11-object.c:238:C_FindObjectsInit:
C_FindObjectsInit(): CKA_CLASS = 0xce534354
[opensc-pkcs11] pkcs11-object.c:267:C_FindObjectsInit: Object 1/1:
Private object and not logged in.
[opensc-pkcs11] pkcs11-object.c:267:C_FindObjectsInit: Object 1/2:
Private object and not logged in.
[opensc-pkcs11] pkcs11-object.c:267:C_FindObjectsInit: Object 1/5:
Private object and not logged in.
[opensc-pkcs11] pkcs11-object.c:267:C_FindObjectsInit: Object 1/6:
Private object and not logged in.

That problem could be what's leading to the chain of events that end
in the smartcard worker crashing.

APDU is a protocol for talking to the smartcard.  The INS byte is an
instruction that combined with the CLA byte tells the smartcard what
to do.  It seems like the card is getting fed an instruction it
doesn't understand and from there things are going belly-up.

Do you know if the smartcard worker is crashing as soon as you insert
the card? or is it crashing right after you remove the card?

--Ray
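Ray's description of the APDU exchange (CLA plus INS telling the card what to do, and the card answering with a status it does not understand) is easy to make concrete. The following Python is an added example, not code from the thread, from gdm or from OpenSC: it encodes and decodes short ISO 7816-4 command APDUs, decodes response APDUs into data plus SW1/SW2, and maps the standard interindustry status words to their meaning, including 0x6D00, the status OpenSC reports as "Instruction code not supported or invalid". The `simulated_card` function is a constructed stand-in that only knows SELECT; it is not a model of a SetCOS or CoolKey card. Sending it GET CHALLENGE (INS 0x84, the command behind a get_challenge call) reproduces the kind of refusal seen in the log.

```python
from dataclasses import dataclass
from typing import Callable, Optional


@dataclass(frozen=True)
class CommandAPDU:
    """Short-form ISO 7816-4 command APDU: CLA INS P1 P2 [Lc data] [Le]."""
    cla: int
    ins: int
    p1: int = 0
    p2: int = 0
    data: bytes = b""
    le: Optional[int] = None  # expected response length 1..256; None = none expected

    def to_bytes(self) -> bytes:
        for name, v in (("CLA", self.cla), ("INS", self.ins), ("P1", self.p1), ("P2", self.p2)):
            if not 0 <= v <= 0xFF:
                raise ValueError(f"{name} must fit in one byte, got {v}")
        if len(self.data) > 255:
            raise ValueError("short APDU carries at most 255 data bytes")
        out = bytes([self.cla, self.ins, self.p1, self.p2])
        if self.data:
            out += bytes([len(self.data)]) + self.data  # Lc followed by the data field
        if self.le is not None:
            if not 1 <= self.le <= 256:
                raise ValueError("Le must be 1..256")
            out += bytes([self.le % 256])  # Le = 0x00 encodes 256
        return out


def parse_command_apdu(raw: bytes) -> CommandAPDU:
    """Decode a short command APDU, distinguishing the four ISO 7816-4 cases."""
    if len(raw) < 4:
        raise ValueError("command APDU needs at least CLA INS P1 P2")
    cla, ins, p1, p2 = raw[0], raw[1], raw[2], raw[3]
    body = raw[4:]
    if not body:                                   # case 1: header only
        return CommandAPDU(cla, ins, p1, p2)
    if len(body) == 1:                             # case 2: header + Le
        return CommandAPDU(cla, ins, p1, p2, le=body[0] or 256)
    lc, data, rest = body[0], body[1:1 + body[0]], body[1 + body[0]:]
    if len(data) != lc or len(rest) > 1:
        raise ValueError("Lc does not match the data length")
    le = (rest[0] or 256) if rest else None        # case 3 without Le, case 4 with Le
    return CommandAPDU(cla, ins, p1, p2, bytes(data), le)


@dataclass(frozen=True)
class ResponseAPDU:
    data: bytes
    sw1: int
    sw2: int

    @property
    def sw(self) -> int:
        return (self.sw1 << 8) | self.sw2

    @property
    def ok(self) -> bool:
        return self.sw == 0x9000


def parse_response_apdu(raw: bytes) -> ResponseAPDU:
    """Split a response into the data field and the two trailing status bytes."""
    if len(raw) < 2:
        raise ValueError("response APDU needs at least SW1 SW2")
    return ResponseAPDU(bytes(raw[:-2]), raw[-2], raw[-1])


def describe_status(sw: int) -> str:
    """Meaning of common ISO 7816-4 interindustry status words."""
    fixed = {
        0x9000: "Normal processing",
        0x6D00: "Instruction code not supported or invalid",  # the error in the log above
        0x6E00: "Class not supported",
        0x6982: "Security status not satisfied",
        0x6A82: "File or application not found",
    }
    if sw in fixed:
        return fixed[sw]
    if (sw & 0xFFF0) == 0x63C0:
        return f"Verification failed, {sw & 0x0F} tries remaining"
    return f"Unknown status word {sw:04X}"


def exchange(card: Callable[[bytes], bytes], cmd: CommandAPDU) -> ResponseAPDU:
    """Send one command over a card transport and decode what comes back."""
    return parse_response_apdu(card(cmd.to_bytes()))


def simulated_card(raw: bytes) -> bytes:
    """Constructed stand-in (not a real SetCOS or CoolKey card): accepts SELECT only."""
    cmd = parse_command_apdu(raw)
    if cmd.cla != 0x00:
        return b"\x6e\x00"  # class byte not supported
    if cmd.ins == 0xA4:     # SELECT
        return b"\x90\x00"
    return b"\x6d\x00"      # any other instruction: not supported


# GET CHALLENGE (INS 0x84) asking for 8 random bytes; the simulated card rejects it.
GET_CHALLENGE = CommandAPDU(cla=0x00, ins=0x84, le=8)
```

Swapping `simulated_card` for a function that writes to a real reader (for example via a PC/SC binding) lets the same `exchange` and `describe_status` code explain which instruction a card rejected, which is the first thing to establish before blaming the layer above the driver.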

