I have an OmniKey CardMan 6121 with Siemens CardOS V4.3B. I follow the instructions of my provider to install the necessary drivers on Linux: http://wiki.infonotary.com/index.php/Installation_of_smart_card_reader_and_smart_card_drivers_in_Linux I have some success. Some commands show that the setup is correct. $ opensc-tool -a Using reader with a card: OMNIKEY CardMan (076B:6622) 6121 00 00 3b:f2:18:00:02:c1:0a:31:fe:58:c8:08:74 $ opensc-tool -n Using reader with a card: OMNIKEY CardMan (076B:6622) 6121 00 00 CardOS M4 $ pkcs15-tool -D Gives a long output. Let me know if I should attach it. But this one fails: pkcs11-tool -lt --module opensc-pkcs11.so Segmentation fault (core dumped) Versions of some components I installed: opensc.x86_64 0.15.0-2.fc23 pcsc-lite.x86_64 1.8.14-1.fc23 pcsc-lite-asekey.x86_64 3.7-2.fc23 pcsc-lite-libs.x86_64 1.8.14-1.fc23 ifdokccid_linux_x86_64-v4.1.5 from HID official site Due to the segfault I cannot actually use the electronic signature. Firefox just crashes when the card reader is inserted in the USB. The same card reader and smart card worked without a problem on Ubuntu 15.04 on the same laptop before I switched to Fedora 23.
The page you link requires acr38u for pcsc-lite. Is there such a Fedora package?
The acr38u driver is required for a different card readers - ACR38U and ACR38T. Mine is OmniKey and works with the ccid driver.
Then please do: $ sudo dnf install pcsc-lite-ccid $ sudo dnf remove pcsc-lite-asekey $ sudo systemctl restart pcscd and check whether everything works right.
I followed your instructions. I still get the segfault. I also uninstalled the ifdokccid driver I installed manually - still no luck.
Then try getting a backtrace: $ sudo debuginfo-install opensc $ gdb pkcs11-tool > run -lt --module /usr/lib64/pkcs11/opensc-pkcs11.so > bt full on crash
Here is the complete output of gdb: [kraev@ThinkPad drivers]$ gdb pkcs11-tool GNU gdb (GDB) Fedora 7.10.1-30.fc23 Copyright (C) 2015 Free Software Foundation, Inc. License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html> This is free software: you are free to change and redistribute it. There is NO WARRANTY, to the extent permitted by law. Type "show copying" and "show warranty" for details. This GDB was configured as "x86_64-redhat-linux-gnu". Type "show configuration" for configuration details. For bug reporting instructions, please see: <http://www.gnu.org/software/gdb/bugs/>. Find the GDB manual and other documentation resources online at: <http://www.gnu.org/software/gdb/documentation/>. For help, type "help". Type "apropos word" to search for commands related to "word"... Reading symbols from pkcs11-tool...Reading symbols from /usr/lib/debug/usr/bin/pkcs11-tool.debug...done. done. (gdb) run -lt --module /usr/lib64/pkcs11/opensc-pkcs11.so Starting program: /usr/bin/pkcs11-tool -lt --module /usr/lib64/pkcs11/opensc-pkcs11.so [Thread debugging using libthread_db enabled] Using host libthread_db library "/lib64/libthread_db.so.1". Program received signal SIGSEGV, Segmentation fault. sc_pkcs15_dup_pubkey (ctx=0x5555557770e0, key=0x0, out=out@entry=0x55555578ff00) at pkcs15-pubkey.c:1073 1073 if (key->alg_id) { (gdb) bt full on crash No symbol "on" in current context. (gdb) bt full #0 sc_pkcs15_dup_pubkey (ctx=0x5555557770e0, key=0x0, out=out@entry=0x55555578ff00) at pkcs15-pubkey.c:1073 pubkey = 0x55555578feb0 rv = 0 alg = 0x55555579fa70 "\001" alglen = 13 __FUNCTION__ = "sc_pkcs15_dup_pubkey" #1 0x00007ffff69c7f34 in __pkcs15_prkey_bind_related (pk=0x55555578feb0, fw_data=0x55555578ae10) at framework-pkcs15.c:770 pubkey = 0x55555578d810 obj = 0x55555578d810 id = 0x5555557948b0 i = 10 #2 pkcs15_bind_related_objects (fw_data=fw_data@entry=0x55555578ae10) at framework-pkcs15.c:838 obj = 0x55555578feb0 i = 5 __FUNCTION__ = "pkcs15_bind_related_objects" #3 0x00007ffff69d08d4 in _pkcs15_create_typed_objects (fw_data=0x55555578ae10) at framework-pkcs15.c:1062 rv = <optimized out> #4 pkcs15_create_tokens (p11card=0x55555578a3a0, app_info=0x0, first_slot=0x7fffffffd090) at framework-pkcs15.c:1276 ---Type <return> to continue, or q <return> to quit--- fw_data = <optimized out> ffda = 0x0 auth_user_pin = 0x55555578d870 auth_sign_pin = 0x0 fauo = 0x0 slot = 0x0 i = <optimized out> rv = <optimized out> idx = 0 __FUNCTION__ = "pkcs15_create_tokens" #5 0x00007ffff69c35df in card_detect (reader=reader@entry=0x555555789490) at slot.c:292 atrblock = <optimized out> enable_InitToken = <optimized out> app_generic = 0x0 first_slot = 0x0 p11card = 0x55555578a3a0 rc = <optimized out> rv = <optimized out> i = <optimized out> j = <optimized out> __FUNCTION__ = "card_detect" #6 0x00007ffff69c3c05 in initialize_reader (reader=0x555555789490) at slot.c:144 i = <optimized out> rv = <optimized out> conf_block = <optimized out> list = <optimized out> #7 0x00007ffff69c3e6f in card_detect_all () at slot.c:347 reader = 0x555555789490 i = 0 __FUNCTION__ = "card_detect_all" #8 0x00007ffff69be3f5 in C_GetSlotList (tokenPresent=0 '\000', pSlotList=0x0, pulCount=0x555555770b08 <p11_num_slots>) at pkcs11-global.c:392 i = <optimized out> slot = <optimized out> prev_reader = <optimized out> rv = <optimized out> found = <optimized out> numMatches = <optimized out> pulCount = 0x555555770b08 <p11_num_slots> pSlotList = 0x0 tokenPresent = 0 '\000' rv = <optimized out> ---Type <return> to continue, or q <return> to quit--- #9 0x000055555556052f in list_slots (tokens=<optimized out>, print=0, refresh=1) at pkcs11-tool.c:968 info = { slotDescription = "\b\002", '\000' <repeats 14 times>, "\001.\000\000\000\200\377\377\377\321\377\377\377\177\000\000\000\000\000\000\000\000\000\000\003\000\000\000\060", '\000' <repeats 18 times>, manufacturerID = "0\000\000\000\060\000\000\000\300\322\377\377\377\177\000\000\000\322\377\377\377\177\000\000\000S\235\232\004\205\335\016", flags = 0, hardwareVersion = {major = 119 'w', minor = 0 '\000'}, firmwareVersion = {major = 0 '\000', minor = 0 '\000'}} n = <optimized out> rv = <optimized out> #10 0x0000555555559595 in main (argc=<optimized out>, argv=0x7fffffffdf78) at pkcs11-tool.c:728 session = 0 object = 0 err = 0 c = <optimized out> long_optind = 0 do_show_info = 0 do_list_slots = 0 list_token_slots = 0 do_list_mechs = 0 do_list_objects = 0 do_sign = 0 do_decrypt = 0 do_hash = 0 do_derive = 0 do_gen_keypair = 0 do_write_object = 0 do_read_object = 0 do_delete_object = 0 do_set_id = 0 do_test = 1 do_test_kpgen_certwrite = 0 do_test_ec = 0 do_test_fork = 0 need_session = 3 opt_login = 1 do_init_token = 0 do_init_pin = 0 do_change_pin = 0 do_unlock_pin = 0 action_count = 1 rv = <optimized out> (gdb)
I have same issue, with the same debug output. The only way to use opensc on fedora 23 is to downgrade it to fedora 22 version.
Unfortunately I'm not able to reproduce that as my smart cards work. Could you try opensc from git [0] and see if the issue is fixed on latest master? 1. If it is fixed, then please do a git bisect from tag 0.15.0 to current head to figure where the issue was fixed. 2. If it is not fixed, then please do a git bisect from tag 0.14.0 to 0.15.0 to find out where the issue was introduced so I could attempt a fix. Let me know if you need help with that. [0]. https://github.com/OpenSC/OpenSC
I see that the following commit [0] looks quite promising. I cloned the OpenSC git repo locally. Please, give me some detailed instruction how I can make Fedora use OpenSC from git master instead of the library already installed. [0] https://github.com/OpenSC/OpenSC/commit/6e5ae841eb398b6393d7349d45f2386f820c9f5f
I've put a scratch-build with the fix that you referenced at: http://koji.fedoraproject.org/koji/taskinfo?taskID=12592181 Please download and test these rpms. If they work, I'll submit of fix based on that.
(note that the build is in progress and may take some time for the result to be available)
At my side it works as well. I didn't try to sign a document, but the tool pkcs11-tool works fine, no crashes. Thanks
Thanks, Nikos! I think we have some progress, although it does not work completely yet. I downloaded and installed the following RPMs from your build: - opensc-0.15.0-4.fc23.x86_64.rpm - opensc-debuginfo-0.15.0-4.fc23.x86_64.rpm Now the pkcs11-tool does not crash, but fails. Here is the output: [kraev@ThinkPad ~]$ pkcs11-tool -lt --module opensc-pkcs11.so Using slot 1 with a present token (0x1) Logging in to "InfoNotary (PIN)". Please enter User PIN: C_SeedRandom() and C_GenerateRandom(): seeding (C_SeedRandom) not supported seems to be OK Digests: all 4 digest functions seem to work MD5: OK SHA-1: OK RIPEMD160: OK Signatures (currently only RSA signatures) testing key 0 (E586C2EF-BDF3-467D-88C4-77080CD59AB7) error: PKCS11 function C_SignFinal failed: rv = CKR_GENERAL_ERROR (0x5) Aborting. I get the same CKR_GENERAL_ERROR in Firefox when I try to login in a web site that requires authentication with this electronic signature: An error occurred during a connection to inetdec.nra.bg. A PKCS #11 module returned CKR_GENERAL_ERROR, indicating that an unrecoverable error has occurred. (Error code: sec_error_pkcs11_general_error)
I was able to resolve this last error. As suggested in the instructions by Infonotary, I uninstalled pcsc-lite-ccid and manually installed ifdokccid_linux_x86_64-v4.1.5 from HID official site. Now pkcs11-tool works correctly and I can the signature works perfectly in Firefox. The issue is resolved for me :-) Many thanks, Nikos! I think you can submit the fix for OpenSC to Fedora 23.
opensc-0.15.0-4.fc23 has been submitted as an update to Fedora 23. https://bodhi.fedoraproject.org/updates/FEDORA-2016-30b36854a0
opensc-0.15.0-4.fc23 has been pushed to the Fedora 23 testing repository. If problems still persist, please make note of it in this bug report. See https://fedoraproject.org/wiki/QA:Updates_Testing for instructions on how to install test updates. You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-30b36854a0
I removed the opensc package and then installed it again using: sudo dnf install opensc --enablerepo=updates-testing My electronic signature works as expected.
Please provide feedback on the link in Comment #16 to speed up the move of this package to stable.
(In reply to Nikos Mavrogiannopoulos from comment #18) > Please provide feedback on the link in Comment #16 to speed up the move of > this package to stable. Done.
opensc-0.15.0-4.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.