playing with smartcard: rsa key upload?

Danny De Cock godot at ulyssis.org
Thu Oct 31 07:11:22 EST 2002


hi,

some additional information after some straightforward debugging taught me
this:

the segmentation fault occurs in the openssl-package source file
crypto/engine/engine_lib.c. more precisely, it happens the second time
ENGINE_init(...) is called, when it tries to perform the assignment:

        if((e->funct_ref == 0) && e->init){
                /* This is the first functional reference and the engine
                 * requires initialisation so we do it now. */
                to_return = e->init();
        }

so the first time ENGINE_init(...) is executed, there is no problem; the
second call is triggered by sc_read_pubkey(), which calls RSA_set_method().
it is this RSA_set_method() call that triggers the segmentation fault.

for the record: I am using the binaries produced by opensc-snap-20021029,
openssl-engine-0.9.6g.tar.gz and openssh-3.5p1.tar.gz.

cu, danny.

On Wed, 30 Oct 2002, Danny De Cock wrote:

> hi,
>
> my subscription to this list is still in progress, i.e., could you
> include my email address when replying to this email.
>
> I am using the opensc-cvs-snapshot of october 29th, in combination
> with openssh 3.5p1 on a woody debian machine with pcsclite-1.1.2, and
> have been trying to get a gemplus gpk16000 smartcard working with
> openssh.
>
> the problem I am faced with is a segmentation fault in a command such
> as `ssh -I 0 server`
>
> the commands I have been using are these:
>
> pkcs15-init -dddddd -E -C
> pkcs15-init -dddddd -P -a 45 -i 45
> pkcs15-init -dddddd -S privkey.pem -a 45 -i 45
> pkcs15-init -dddddd -X cert.pem
> ssh -I 0 192.168.1.2 -v
>
> the log file /var/log/auth.log of the other machine shows this after
> the ssh client has failed:
> Oct 30 13:00:13 g sshd[24750]: Did not receive identification string from 192.168.1.11
>
> fyi: the LED of the smartcard reader starts to blink just before the
> segmentation fault.
>
> does any of you have any idea how to solve this problem?
>
> many thanks, danny.
>
> ---------------------------
>
> the first four of these commands accomplished their tasks
> successfully:
>
> <output of pkcs15-tool --list-pins -c -k>
> Connecting to card in reader Towitoko Chipdrive Reader 0 0...
> Using card driver: Gemplus GPK driver
> Trying to find a PKCS#15 compatible card...
> Found OpenSC Card!
> Card has 1 certificate(s).
>
> X.509 Certificate [Certificate]
>         Flags    : 2
>         Authority: no
>         Path     : 3F0050159000
>         ID       : 45
>
> Card has 1 private key(s).
>
> Private RSA Key [Private Key]
>         Com. Flags  : 1D
>         Usage       : [0x4], sign
>         Access Flags: [0x0]
>         ModLength   : 1024
>         Key ref     : 0
>         Native      : yes
>         Path        : 3F0050150006
>         Auth ID     : 45
>         ID          : 45
>
> Card has 2 PIN code(s).
>
> PIN [Security Officer PIN]
>         Com. Flags: 0x3
>         Auth ID   : FF
>         Flags     : [0xB2], local, initialized, needs-padding, soPin
>         Length    : 6..8
>         Pad char  : 0x00
>         Reference : 8
>         Type      : 1
>         Path      : 3F005015
>
> PIN []
>         Com. Flags: 0x3
>         Auth ID   : 45
>         Flags     : [0x32], local, initialized, needs-padding
>         Length    : 4..8
>         Pad char  : 0x00
>         Reference : 12
>         Type      : 1
>         Path      : 3F005015
>
> but the fifth command fails badly:
> <output>
> ssh -I 0 192.168.1.2 -v
> OpenSSH_3.5p1, SSH protocols 1.5/2.0, OpenSSL 0x0090607f
> debug1: Reading configuration data /usr/local/etc/ssh_config
> debug1: Rhosts Authentication disabled, originating port will not be trusted.
> debug1: ssh_connect: needpriv 0
> debug1: Connecting to lien [192.168.1.2] port 22.
> debug1: Connection established.
> debug1: sc_get_keys called: id = 0
> debug1: sc_read_pubkey() with cert id 45
> Segmentation fault
> </output>
>
> > On Thu, 17 Oct 2002, Andreas Hasenack wrote:
> >
> > > Is there a tool to upload an openssh rsa key to a smart card so that I
> > > can use it with ssh -I later on? Should I just upload it as a regular
> > > file? Any pointers to some documentation explaining how to do this with
> > > openssh?
> >
> > The current SC-related code in openssh is a bit absurd anyway.
> > I'm currently rewriting the code into something more generic,
> > like PKCS#11 support. After this you can use opensc-pkcs11.so
> > to upload your keys.
> >
> > Hopefully Theo and the rest of the OpenSSH guys are willing to
> > ditch the current code base, ugly sectok and less ugly opensc
> > support entirely.
> >
> > -Antti
> >
> > _______________________________________________
> > openssh-unix-dev at mindrot.org mailing list
> > http://www.mindrot.org/mailman/listinfo/openssh-unix-dev

-- 
-----------------------------------------------------------------------------
Don't kid yourself.  Little is relevant, and nothing lasts forever.
-----------------------------------------------------------------------------
Mail : Danny.DeCock at esat.kuleuven.ac.be              daniel.decock at postbox.be
WWW  : http://ace.ulyssis.org/~godot                        godot at advalvas.be
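Editor's note on the engine_lib.c fragment quoted in the message above. The `e->init()` call is only reached while the engine's functional reference count is zero, so a second ENGINE_init() on the same engine normally never calls init() again; if the debugger shows the assignment being executed on the second call, either the count had already dropped back to zero (an ENGINE_finish() in between) or `e` is not the same engine object as the first time. The program below is an added illustration of that reference-count logic, written for this page and not OpenSSL's own code: it keeps the shape of the quoted fragment but drops the engine lock, the structural reference and the real engine table, and the `engine_init`/`engine_finish`/`ENGINE` names are this model's own, not the library's exact signatures.

```c
#include <stdio.h>

/*
 * Simplified model of the functional-reference logic in the engine_lib.c
 * fragment quoted above.  Added illustration, not OpenSSL's code: the real
 * ENGINE_init() also takes the engine lock and checks the structural
 * reference before getting here.
 */
typedef struct engine_st {
    int funct_ref;          /* functional reference count */
    int (*init)(void);      /* optional init callback, may be NULL */
    int (*finish)(void);    /* optional finish callback, may be NULL */
} ENGINE;

/* Counters so a caller can observe how often the callbacks really ran. */
static int init_calls = 0;
static int finish_calls = 0;

static int my_init(void)   { init_calls++;   return 1; }
static int my_finish(void) { finish_calls++; return 1; }

/* Model of ENGINE_init(): init() runs only for the first functional ref. */
int engine_init(ENGINE *e)
{
    int to_return = 1;
    if (e == NULL)
        return 0;
    if ((e->funct_ref == 0) && e->init) {
        /* First functional reference: the engine needs initialisation. */
        to_return = e->init();
    }
    if (to_return)
        e->funct_ref++;
    return to_return;
}

/* Model of ENGINE_finish(): finish() runs when the last functional ref goes. */
int engine_finish(ENGINE *e)
{
    int to_return = 1;
    if (e == NULL || e->funct_ref <= 0)
        return 0;
    e->funct_ref--;
    if ((e->funct_ref == 0) && e->finish)
        to_return = e->finish();
    return to_return;
}

/* Two engine_init() calls with no finish in between: init() runs once. */
int init_twice_count(void)
{
    ENGINE e = { 0, my_init, my_finish };
    init_calls = 0;
    engine_init(&e);
    engine_init(&e);   /* funct_ref is 1 here, so e->init() is skipped */
    return init_calls;
}

/* init, finish, init: the count returns to 0, so init() runs a second time. */
int init_after_finish_count(void)
{
    ENGINE e = { 0, my_init, my_finish };
    init_calls = 0;
    engine_init(&e);
    engine_finish(&e);
    engine_init(&e);   /* funct_ref is 0 again, so e->init() runs again */
    return init_calls;
}

/* An engine whose init pointer is NULL is counted but never called. */
int init_without_callback(void)
{
    ENGINE e = { 0, NULL, NULL };
    return engine_init(&e) && e.funct_ref == 1;
}

int main(void)
{
    printf("init() ran %d time(s) after init,init\n", init_twice_count());
    printf("init() ran %d time(s) after init,finish,init\n", init_after_finish_count());
    printf("engine with no init callback: %s\n",
           init_without_callback() ? "ok" : "fail");
    return 0;
}
```

When reproducing a crash like the one reported, the two things this model suggests checking in the debugger are whether `e` holds the same pointer on both ENGINE_init() calls and what `e->init` points to on the second call; the model itself says nothing about which of those applies to the reported setup.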