Yubico Forum (https://forum.yubico.com/)

[SOLVED] NEO PIV gives CKR_USER_NOT_LOGGED_IN
https://forum.yubico.com/viewtopic.php?f=26&t=1586
Author: dwmw2 [ Thu Nov 06, 2014 5:38 pm ]
Post subject: [SOLVED] NEO PIV gives CKR_USER_NOT_LOGGED_IN

I have a NEO which appears to have the PIV applet installed. I can't get 'ykneomgr -a' to admit that, mind you:

Code:
    $ ykneomgr -d -a
    Trying reader 0: Yubico Yubikey NEO OTP+CCID 00 00
    --> 13: 00 a4 04 00 08 a0 00 00 05 27 20 01 01
    <-- 12: 03 02 00 01 85 07 82 00 00 00 90 00
    versionMajor 3
    versionMinor 2
    versionBuild 0
    pgmSeq 1
    touchLevel 34055
    mode 82
    crTimeout 0
    autoEjectTime 0
    --> 4: 00 01 10 00
    <-- 6: 00 2d ca f3 90 00
    serialno 3001075
    --> 13: 00 a4 04 00 08 a0 00 00 00 03 00 00 00
    <-- 105: 6f 65 84 08 a0 00 00 00 03 00 00 00 a5 59 9f 65 01 ff 9f 6e 06 47 91 12 10 38 00 73 4a 06 07 2a 86 48 86 fc 6b 01 60 0c 06 0a 2a 86 48 86 fc 6b 02 02 01 01 63 09 06 07 2a 86 48 86 fc 6b 03 64 0b 06 09 2a 86 48 86 fc 6b 04 02 55 65 0b 06 09 2b 85 10 86 48 64 02 01 03 66 0c 06 0a 2b 06 01 04 01 2a 02 6e 01 02 90 00
    --> 13: 80 50 00 00 08 01 02 03 04 05 06 07 08
    <-- 30: 00 00 33 17 01 41 49 97 09 12 ff 02 00 03 4b ae 77 56 ee 49 56 66 ea 14 f5 6f 14 84 90 00
    error: ykneomgr_authenticate (-4): Backend error

But I can install a private key with yubico-piv-tool:

Code:
    $ yubico-piv-tool -a import-key -s 9c -p $PASSPHRASE -i ~/.cert/certificate.p12 -K PKCS12
    Successfully imported a new private key.

(The corresponding cert is larger than 2KiB so I can't install that, but that shouldn't matter.)

Now I can attempt to connect to my VPN server with openconnect:

Code:
    $ openconnect -c ~/.cert/certificate.pem -k 'pkcs11:model=PKCS%2315%20emulated;manufacturer=piv_II;serial=00000000;token=PIV_II%20%28PIV%20Card%20Holder%20pin%29;id=%02;object=SIGN%20key;object-type=private' $VPNSERVER -v -v

This appears to work fine, to start with.
I'm asked for the PIN, and it does a test signature to check that the key and certificate that I've given it are a correct match:

Code:
    *************** OpenSC PKCS#11 spy *****************
    Loaded: "/usr/lib64/opensc-pkcs11.so"

    0: C_GetFunctionList
    2014-11-06 16:32:24.165
    Returned:  0 CKR_OK

    1: C_Initialize
    2014-11-06 16:32:24.168
    [in] pInitArgs = 0x23ca380
          flags: 2
            CKF_OS_LOCKING_OK
    Returned:  0 CKR_OK

    2: C_GetInfo
    2014-11-06 16:32:24.339
    [out] pInfo:
          cryptokiVersion:         2.20
          manufacturerID:         'OpenSC (www.opensc-project.org) '
          flags:                   0
          libraryDescription:     'Smart card PKCS#11 API '
          libraryVersion:          0.0
    Returned:  0 CKR_OK

    3: C_GetSlotList
    2014-11-06 16:32:24.486
    [in] tokenPresent = 0x1
    [out] pSlotList:
    Slot 1
    [out] *pulCount = 0x1
    Returned:  0 CKR_OK

    4: C_GetTokenInfo
    2014-11-06 16:32:24.866
    [in] slotID = 0x1
    [out] pInfo:
          label:                  'PIV_II (PIV Card Holder pin) '
          manufacturerID:         'piv_II '
          model:                  'PKCS#15 emulated'
          serialNumber:           '00000000 '
          ulMaxSessionCount:       0
          ulSessionCount:          0
          ulMaxRwSessionCount:     0
          ulRwSessionCount:        0
          ulMaxPinLen:             8
          ulMinPinLen:             4
          ulTotalPublicMemory:     -1
          ulFreePublicMemory:      -1
          ulTotalPrivateMemory:    -1
          ulFreePrivateMemory:     -1
          hardwareVersion:         0.0
          firmwareVersion:         0.0
          time:                   ' '
          flags:                   40d
            CKF_RNG
            CKF_LOGIN_REQUIRED
            CKF_USER_PIN_INITIALIZED
            CKF_TOKEN_INITIALIZED
    Returned:  0 CKR_OK

    5: C_GetSlotInfo
    2014-11-06 16:32:24.866
    [in] slotID = 0x1
    [out] pInfo:
          slotDescription:        'Yubico Yubikey NEO OTP+CCID 00 0'
                                  '0 '
          manufacturerID:         'OpenSC (www.opensc-project.org) '
          hardwareVersion:         0.0
          firmwareVersion:         0.0
          flags:                   7
            CKF_TOKEN_PRESENT
            CKF_REMOVABLE_DEVICE
            CKF_HW_SLOT
    Returned:  0 CKR_OK
    Using certificate file /home/dwmw2/.cert/certificate.pem
    Using PKCS#11 key pkcs11:model=PKCS%2315%20emulated;manufacturer=piv_II;serial=00000000;token=PIV_II%20%28PIV%20Card%20Holder%20pin%29;id=%02;object=SIGN%20key;object-type=private;pin-source=openconnect%3a0x23c1240

    6: C_GetSlotList
    2014-11-06 16:32:24.867
    [in] tokenPresent = 0x1
    [out] pSlotList:
    Slot 1
    [out] *pulCount = 0x1
    Returned:  0 CKR_OK

    7: C_GetTokenInfo
    2014-11-06 16:32:24.867
    [in] slotID = 0x1
    [out] pInfo:
          label:                  'PIV_II (PIV Card Holder pin) '
          manufacturerID:         'piv_II '
          model:                  'PKCS#15 emulated'
          serialNumber:           '00000000 '
          ulMaxSessionCount:       0
          ulSessionCount:          0
          ulMaxRwSessionCount:     0
          ulRwSessionCount:        0
          ulMaxPinLen:             8
          ulMinPinLen:             4
          ulTotalPublicMemory:     -1
          ulFreePublicMemory:      -1
          ulTotalPrivateMemory:    -1
          ulFreePrivateMemory:     -1
          hardwareVersion:         0.0
          firmwareVersion:         0.0
          time:                   ' '
          flags:                   40d
            CKF_RNG
            CKF_LOGIN_REQUIRED
            CKF_USER_PIN_INITIALIZED
            CKF_TOKEN_INITIALIZED
    Returned:  0 CKR_OK

    8: C_GetSlotInfo
    2014-11-06 16:32:24.868
    [in] slotID = 0x1
    [out] pInfo:
          slotDescription:        'Yubico Yubikey NEO OTP+CCID 00 0'
                                  '0 '
          manufacturerID:         'OpenSC (www.opensc-project.org) '
          hardwareVersion:         0.0
          firmwareVersion:         0.0
          flags:                   7
            CKF_TOKEN_PRESENT
            CKF_REMOVABLE_DEVICE
            CKF_HW_SLOT
    Returned:  0 CKR_OK

    9: C_OpenSession
    2014-11-06 16:32:24.868
    [in] slotID = 0x1
    [in] flags = 0x4
    pApplication=(nil)
    Notify=(nil)
    [out] *phSession = 0x28a1560
    Returned:  0 CKR_OK

    10: C_GetSessionInfo
    2014-11-06 16:32:24.868
    [in] hSession = 0x28a1560
    [out] pInfo:
          slotID:                  1
          state:                  ' CKS_RO_PUBLIC_SESSION'
          flags:                   4
            CKF_SERIAL_SESSION
          ulDeviceError:           0
    Returned:  0 CKR_OK
    PIN required for PIV_II (PIV Card Holder pin)
    Enter PIN:

    11: C_Login
    2014-11-06 16:32:38.333
    [in] hSession = 0x28a1560
    [in] userType = CKU_USER
    [in] pPin[ulPinLen] 0000000002baeb30 / 6
        00000000  31 32 33 34 35 36                                123456
    Returned:  0 CKR_OK

    12: C_FindObjectsInit
    2014-11-06 16:32:38.368
    [in] hSession = 0x28a1560
    [in] pTemplate[3]:
        CKA_ID                00000000029b29c0 / 1
        00000000  02                                               .
        CKA_LABEL             00000000024a4d10 / 8
        5349474E 206B6579 S I G N   k e y
        CKA_CLASS             CKO_PRIVATE_KEY
    Returned:  0 CKR_OK

    13: C_FindObjects
    2014-11-06 16:32:38.368
    [in] hSession = 0x28a1560
    [in] ulMaxObjectCount = 0x1
    [out] ulObjectCount = 0x1
    Object 0x2a3b950 matches
    Returned:  0 CKR_OK

    14: C_FindObjectsFinal
    2014-11-06 16:32:38.368
    [in] hSession = 0x28a1560
    Returned:  0 CKR_OK

    15: C_GetAttributeValue
    2014-11-06 16:32:38.368
    [in] hSession = 0x28a1560
    [in] hObject = 0x2a3b950
    [in] pTemplate[1]:
        CKA_KEY_TYPE          00007fff6dbbf548 / 8
    [out] pTemplate[1]:
        CKA_KEY_TYPE          CKK_RSA
    Returned:  0 CKR_OK

    16: C_SignInit
    2014-11-06 16:32:38.368
    [in] hSession = 0x28a1560
    pMechanism->type=CKM_RSA_PKCS
    [in] hKey = 0x2a3b950
    Returned:  0 CKR_OK

    17: C_Sign
    2014-11-06 16:32:38.368
    [in] hSession = 0x28a1560
    [in] pData[ulDataLen] 00000000029a4ca0 / 35
        00000000  30 21 30 09 06 05 2B 0E 03 02 1A 05 00 04 14 85  0!0...+.........
        00000010  AF 1A B7 B2 8B 75 9C 38 47 BC 34 BA AF 3A 67 3E  .....u.8G.4..:g>
        00000020  13 15 35                                         ..5
    [out] pSignature[*pulSignatureLen] NULL [size : 0x100 (256)]
    Returned:  0 CKR_OK

    18: C_Sign
    2014-11-06 16:32:38.368
    [in] hSession = 0x28a1560
    [in] pData[ulDataLen] 00000000029a4ca0 / 35
        00000000  30 21 30 09 06 05 2B 0E 03 02 1A 05 00 04 14 85  0!0...+.........
        00000010  AF 1A B7 B2 8B 75 9C 38 47 BC 34 BA AF 3A 67 3E  .....u.8G.4..:g>
        00000020  13 15 35                                         ..5
    [out] pSignature[*pulSignatureLen] 00000000028f89f0 / 256
        00000000  09 90 5C B2 B2 A2 8E DF 00 79 A1 34 08 7F 54 6B  ..\......y.4Tk
        00000010  AA FC 60 DB 4E 1B 6B 0D EF 73 CB C3 EA EE 96 60  ..`.N.k..s.....`
        00000020  5C 1E 15 3C 18 5D 76 43 14 39 05 BC 3B 60 99 B8  \..<.]vC.9..;`..
        00000030  1E 7D 0A 73 E2 B4 78 1B 40 87 96 21 E8 90 9D 0B  .}.s..x.@..!....
        00000040  A2 14 27 5B AE 75 97 FE 4E 5F 81 F7 7D 68 17 5D  ..'[.u..N_..}h.]
        00000050  B8 23 4F 13 CE 3F 2B 6B 68 25 3D 70 39 D7 34 EA  .#O..?+kh%=p9.4.
        00000060  BD 15 D7 4D A9 EF 10 1C 1D 2F 35 CB 09 30 F4 0C  ...M...../5..0..
        00000070  1C 18 63 98 79 A6 5F 57 57 DC BA C6 F6 9F D2 F0  ..c.y._WW.......
        00000080  D0 88 60 15 68 A3 08 BA C2 06 4B A9 10 2B B1 55  ..`.h.....K..+.U
        00000090  8B 9C 07 7F 40 93 75 32 10 66 9B 6F 68 88 C4 BD  ..@.u2.f.oh...
        000000A0  46 1D 6E C9 3C 3C 85 C6 3D 55 9F 54 30 5C A3 80  F.n.<<..=U.T0\..
        000000B0  04 0F 55 69 66 F3 C3 09 CB 7C 94 FB E9 E1 B5 19  ..Uif....|......
        000000C0  56 9E 86 00 5C 36 F0 B8 C3 8A 33 39 4E 58 1A 90  V...\6....39NX..
        000000D0  F5 B6 49 77 26 00 2F AC 71 0F FD 28 71 0B FA 90  ..Iw&./.q..(q...
        000000E0  5B 25 04 73 A1 EF 7E FC DE 84 97 4C 6D E7 74 DD  [%.s..~....Lm.t.
        000000F0  81 61 B1 1D D5 5B A5 87 80 6F C2 5F E5 9B EA 8F  .a...[...o._....
    Returned:  0 CKR_OK
    Using client certificate 'Woodhouse\, David'

... but then it goes off and connects to the server, and then it's asked by the server to perform a signature, but by this time it seems to have forgotten that I'd logged in:

Code:
    Attempting to connect to server xx.xx.xx.xx:443
    SSL negotiation with xx.xx.xx.xx

    22: C_SignInit
    2014-11-06 16:32:39.499
    [in] hSession = 0x28a1560
    pMechanism->type=CKM_RSA_PKCS
    [in] hKey = 0x2a3b950
    Returned:  0 CKR_OK

    23: C_Sign
    2014-11-06 16:32:39.499
    [in] hSession = 0x28a1560
    [in] pData[ulDataLen] 00007fff6dbbf6b0 / 36
        00000000  42 B1 2E A0 4B A2 D6 C0 AD C0 CA 28 AD 0F 5D 34  B...K......(..]4
        00000010  09 AD 6C 8C 2C A1 31 1E 13 FF 91 65 59 A3 9D D9  ..l.,.1....eY...
        00000020  24 89 88 9D                                      $...
    [out] pSignature[*pulSignatureLen] NULL [size : 0x100 (256)]
    Returned:  0 CKR_OK

    24: C_Sign
    2014-11-06 16:32:39.499
    [in] hSession = 0x28a1560
    [in] pData[ulDataLen] 00007fff6dbbf6b0 / 36
        00000000  42 B1 2E A0 4B A2 D6 C0 AD C0 CA 28 AD 0F 5D 34  B...K......(..]4
        00000010  09 AD 6C 8C 2C A1 31 1E 13 FF 91 65 59 A3 9D D9  ..l.,.1....eY...
        00000020  24 89 88 9D                                      $...
    Returned:  257 CKR_USER_NOT_LOGGED_IN
    SSL connection failure: PKCS #11 user error
    Failed to open HTTPS connection to xx.xx.xx.xx
    Failed to obtain WebVPN cookie

What's wrong? It looks like it's so *close* to working...

FWIW I don't think the PKCS#11 standard permits CKR_USER_NOT_LOGGED_IN as a return value from C_Sign(). If that's the case, C_SignInit() should have failed.
Author: dwmw2 [ Thu Nov 06, 2014 9:10 pm ]
Post subject: Re: [QUESTION] How do I use NEO as PKCS#11 token

I think this is a bug. We modified GnuTLS to call pkcs11_login() again when a key has the CKA_ALWAYS_AUTHENTICATE attribute set: https://gitorious.org/gnutls/gnutls/commit/e1a0af191

Now the GnuTLS pkcs11_login() function is duly called before C_SignInit() and does this:

Code:
    25: C_GetSessionInfo
    2014-11-06 19:56:41.534
    [in] hSession = 0xed7620
    [out] pInfo:
          slotID:                  1
          state:                  ' CKS_RO_USER_FUNCTIONS'
          flags:                   4
            CKF_SERIAL_SESSION
          ulDeviceError:           0
    Returned:  0 CKR_OK

We see CKS_RO_USER_FUNCTIONS and we don't actually call C_Login(). So I hacked it again to avoid that check, and now it does call C_Login() and the exchange goes like this...

Code:
    28: C_Login
    2014-11-06 20:02:11.599
    [in] hSession = 0x2c089a0
    [in] userType = CKU_USER
    [in] pPin[ulPinLen] 000000000293d9c0 / 6
        00000000  31 32 33 34 35 36                                123456
    Returned:  256 CKR_USER_ALREADY_LOGGED_IN
    p11: Login result = 256

    29: C_SignInit
    2014-11-06 20:02:11.599
    [in] hSession = 0x2c089a0
    pMechanism->type=CKM_RSA_PKCS
    [in] hKey = 0x269da90
    Returned:  0 CKR_OK

    30: C_Sign
    2014-11-06 20:02:11.599
    [in] hSession = 0x2c089a0
    [in] pData[ulDataLen] 00007fff4449d3d0 / 36
        00000000  E9 44 15 2E 2F 04 6F 66 78 9B F1 9F 35 20 1D EB  .D../.ofx...5 ..
        00000010  A7 8B A1 B9 70 99 36 1B 9E 75 73 2D 4D 8F 7A A6  ....p.6..us-M.z.
        00000020  7D DE 54 B7                                      }.T.
    [out] pSignature[*pulSignatureLen] NULL [size : 0x100 (256)]
    Returned:  0 CKR_OK

    31: C_Sign
    2014-11-06 20:02:11.599
    [in] hSession = 0x2c089a0
    [in] pData[ulDataLen] 00007fff4449d3d0 / 36
        00000000  E9 44 15 2E 2F 04 6F 66 78 9B F1 9F 35 20 1D EB  .D../.ofx...5 ..
        00000010  A7 8B A1 B9 70 99 36 1B 9E 75 73 2D 4D 8F 7A A6  ....p.6..us-M.z.
        00000020  7D DE 54 B7                                      }.T.
    Returned:  257 CKR_USER_NOT_LOGGED_IN

Since this might be an OpenSC bug I've also posted to the opensc-devel list: http://permalink.gmane.org/gmane.comp.e ... evel/15731
Author: dwmw2 [ Fri Nov 07, 2014 6:02 pm ]
Post subject: Re: [SOLVED] NEO PIV gives CKR_USER_NOT_LOGGED_IN

This is mostly fixed in GnuTLS with the following commits:
https://gitorious.org/gnutls/gnutls/commit/e1a0af19
https://gitorious.org/gnutls/gnutls/commit/239cb7d7

This now works:

Code:
    openconnect -c 'pkcs11:manufacturer=piv_II;id=%01' $VPNSERVER
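As an added illustration (not part of the thread, and not GnuTLS or OpenSC code), a small Python model of the PKCS#11 v2.20 rules for a key with CKA_ALWAYS_AUTHENTICATE set: the spec requires a C_Login with userType CKU_CONTEXT_SPECIFIC after each C_SignInit, which is what the CKU_USER re-login in the second post above cannot provide. The model reproduces the return codes seen in the traces (257 from C_Sign, 256 from the login retry); treating the initial CKU_USER PIN verification as good for exactly one signature, as the first trace shows, is an assumption of the model rather than a rule of the spec.

```python
# Toy model of a PKCS#11 v2.20 session holding one key with CKA_ALWAYS_AUTHENTICATE set.
CKR_OK, CKR_OPERATION_NOT_INITIALIZED = 0x000, 0x091      # values as in pkcs11t.h
CKR_USER_ALREADY_LOGGED_IN, CKR_USER_NOT_LOGGED_IN = 0x100, 0x101
CKU_USER, CKU_CONTEXT_SPECIFIC = 1, 2
CKS_RO_PUBLIC_SESSION, CKS_RO_USER_FUNCTIONS = 0, 1

class Session:
    def __init__(self, pin):
        self.pin, self.state = pin, CKS_RO_PUBLIC_SESSION
        self.sign_active = self.context_ok = False  # op initialised / PIN shown for it

    def C_Login(self, user_type, pin):
        if pin != self.pin:
            return 0x0A0            # CKR_PIN_INCORRECT
        if user_type == CKU_USER:
            if self.state == CKS_RO_USER_FUNCTIONS:
                return CKR_USER_ALREADY_LOGGED_IN   # what the thread's retry hit
            self.state = CKS_RO_USER_FUNCTIONS
            self.context_ok = True  # assumption: a fresh VERIFY covers one use, as in the trace
            return CKR_OK
        if not self.sign_active:    # CKU_CONTEXT_SPECIFIC needs an initialised operation
            return CKR_OPERATION_NOT_INITIALIZED
        self.context_ok = True
        return CKR_OK

    def C_SignInit(self):
        if self.state != CKS_RO_USER_FUNCTIONS:
            return CKR_USER_NOT_LOGGED_IN
        self.sign_active = True
        return CKR_OK

    def C_Sign(self, data):
        self.sign_active = False
        if not self.context_ok:     # always-authenticate key, PIN not re-presented
            return CKR_USER_NOT_LOGGED_IN, None
        self.context_ok = False     # consumed: the next signature must re-authenticate
        return CKR_OK, b"sig:" + data   # placeholder for the RSA PKCS#1 signature

def naive_flow(s, pin, data):
    """The thread's sequence: one CKU_USER login, two signatures, then a login retry."""
    s.C_Login(CKU_USER, pin)
    s.C_SignInit(); rc1, _ = s.C_Sign(data)     # works: PIN was just verified
    s.C_SignInit(); rc2, _ = s.C_Sign(data)     # CKR_USER_NOT_LOGGED_IN
    return rc1, rc2, s.C_Login(CKU_USER, pin)   # CKR_USER_ALREADY_LOGGED_IN

def context_specific_flow(s, pin, data, n=3):
    """Spec-conformant sequence: C_Login(CKU_CONTEXT_SPECIFIC) after every C_SignInit."""
    s.C_Login(CKU_USER, pin)
    return [(s.C_SignInit(), s.C_Login(CKU_CONTEXT_SPECIFIC, pin), s.C_Sign(data)[0])
            for _ in range(n)]                  # (init rc, login rc, sign rc) per operation
```

Calling C_Login(CKU_CONTEXT_SPECIFIC) before C_SignInit is rejected with CKR_OPERATION_NOT_INITIALIZED, so the ordering inside each loop iteration is the point, not just the extra login.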
All times are UTC + 1 hour