Frank Morgner | 29 Jul 10:22 2014

different algorithms for different keys

Hi!

I am writing a card driver for a card that needs raw RSA data for
decryption but digestinfo+hash for creating a signature (pkcs#1 padding
on-card).

During the card driver initialization I use 

_sc_card_add_rsa_alg(card, 2048,
    SC_ALGORITHM_RSA_PAD_PKCS1|SC_ALGORITHM_RSA_RAW, 0);

This adds the PKCS#1 and raw usage to each key on the card. This is due to
https://github.com/OpenSC/OpenSC/blob/master/src/pkcs11/framework-pkcs15.c#L4665-4811

Decryption works with

_sc_card_add_rsa_alg(card, 2048,
    SC_ALGORITHM_RSA_RAW, 0);

Signature works with

_sc_card_add_rsa_alg(card, 2048,
    SC_ALGORITHM_RSA_PAD_PKCS1, 0);

The only problem is that on the card driver level I can't specify the
type of key. Is there a workaround for this problem?

-- 
Frank Morgner


William Roberts | 28 Jul 20:59 2014

Generating keypairs on PIV cards

Suppose you had a blank card in this state:
1. Most of the private keys are empty (9A, 9C, 9D, 9E)
2. The Card Management Key (9B) is set
3. The containers (5FC105, 5FC10A, 5FC10B, 5FC101) are empty

What commands would run using piv-tool to take the card into an
initialized state?

My best guess is some combination of GENERATE ASYMMETRIC KEY PAIR and
PUT DATA commands. I'm not quite clear what the GENERATE KEY PAIR
command should do on the card side; does it actually update the
corresponding X.509? I.e., does a generate request on '9A' update the X.509
in 5FC105?

-- 
Respectfully,

William C Roberts

Johannes Becker | 28 Jul 12:42 2014

OpenSC 0.14.0 Windows installer

Hello,

  opensc-0.14.0-win32.msi does not install all files in the subdirectory 
'tools', if opensc-0.13.0-win32.msi is already installed.

Regards
  Johannes

Andreas Schwier | 28 Jul 12:51 2014

Support in the Asia-Pacific region

Hi list,

is there anyone on the list who could provide commercial support for
OpenSC in the Asia-Pacific region ?

Andreas

Adam Zimmerman | 26 Jul 18:25 2014

"fatal: could not initialize dst: crypto failure" when trying to use dnssec with Aventra card

Hi everyone,

I'm trying to set up DNSSEC for my domain with my KSK being stored on a
smart card. I have an Aventra MyEID card, and setting up the card seems
to go perfectly (except for finalizing it). However, when I try to use
dnssec-keyfromlabel to generate the public key information to be used
later with dnssec-signzone, I get the error listed in the subject. The
error occurs before I'm asked for my PIN.

So I have a couple of questions:
- Is this something I'm doing wrong, a bug somewhere, or an issue with
  the card? (also, am I on the right list? This seemed to be the most
  relevant one when I searched)
- Is it related at all to the inability to finalize the card?
- (on the off chance this is the culprit) My PIN and PUK are identical.
  I'm assuming this isn't the issue, am I right?

Below I've copied/pasted the commands I'm using to set up the card and
run dnssec-keyfromlabel. I've also attached the output from running
dnssec-keyfromlabel with OPENSC_DEBUG=9 set. Let me know if I can
provide any more information.

Thanks in advance,
- Adam

--------

adam@midnight% pkcs15-init -E
Using reader with a card: Lenovo Integrated Smart Card Reader 00 00


William Roberts | 26 Jul 00:16 2014

PIV General Auth command example correct

Is the command given here:

https://www.opensc-project.org/opensc/wiki/PivTool

piv-tool -A A:9B:03 -s 00:DB:3F:FF:09:5C:03:5F:C1:05:53:00:00:00

Correctly formatted. The NIST docs say the data in the PUT DATA
APDU shall be formatted with 2 tags, 5C and 53. So parsing the above we
end up with:

5C:03:5F:C1:05
53:00:00:00

Assuming that TAG 53 should at least be a properly structured TLV, it
is not. Shouldn't it be:

53:02:00:00

?

-- 
Respectfully,

William C Roberts


Andre Tampubolon | 24 Jul 10:00 2014

PKCS#15 binding failed: Unsupported card

Hello everyone,

My supervisor asked me to do a little research on how to put a key on a smartcard, so that every time you use Thunderbird or Outlook, the key has to be plugged in first.

He gave me this link:
https://minotaur.fi.muni.cz:8443/~xsvenda/docuwiki/doku.php?id=public:smartcard

I didn't find how to put the key specifically on that link, so I did some Google searching and found this:
https://code.google.com/p/seek-for-android/wiki/SmartCardPKI
So, to put the key into the card, you have to use pkcs15-tool.

For testing purposes, I have 3 different smart cards (one of them is an Austria Card).
All of them failed during the creation of the PKCS#15 structure:
$ pkcs15-tool.exe --dump
Using reader with a card: OMNIKEY CardMan 5x21 0
PKCS#15 binding failed: Unsupported card


So, does that mean I cannot use my cards for this purpose? Or is there any workaround?
Thank you.

--
Andre Tampubolon

R & D Engineer at PT Cipta Srigati Lestari
Jln. Kemang Utara No.10 Jakarta Selatan 12730, Indonesia
http://www2.cslgroup.co.id
_______________________________________________
Opensc-devel mailing list
Opensc-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/opensc-devel
Shaun Schutte | 21 Jul 15:04 2014

Italian CNS smartcard - Digital Signing Certificate not listed

Hi all,

Our Italian CNS card can accommodate two certificates, one for authentication and one for digital signatures. The certificate for authentication can be read using OpenSC, and logging into the local eGov website works fine.
However, the second certificate, which gets used for digital signing, does not work, and unfortunately we don't have a lot of information about the card or the cert since it is all proprietary (I would like to avoid getting into that discussion now). So while OpenSC does not see the second cert, the Siemens CardOS API Viewer does.

I have attached the log file, set to level 9 and can provide the following information in addition to the certificate that cannot be read:

Signature Algorithm:   sha256RSA
Issuer:                Actalis Qualified Certificatio....
CKA_LABEL:             CNS DS01 X.509 Certificate
CKA_CERTIFICATE_TYPE:  X.509 Public Key Certificate

Anyone here have any similar issues? Pretty stumped on what could be the reason why OpenSC cannot list the cert.

--
shaun
Attachment (debug.log): text/x-log, 230 KiB
Anders Rundgren | 14 Jul 11:10 2014

Smart Cards vs. TEEs

Follow-up on the TPM is dead posting...

It doesn't matter if hell freezes over, Smart Cards will never be able to do this:
https://play.google.com/store/apps/details?id=org.webpki.mobile.android

If you don't have an Android device (or 5-10 minutes to spend...), here is a short description:
https://openkeystore.googlecode.com/svn/resources/trunk/docs/keygen2.html#Sample_Run

The idea is that the scheme should be a part of a standard phone.
Keys would be protected by a TEE and hopefully by a Security Enclave as well.

Anders

Anders Rundgren | 13 Jul 06:44 2014

The TPM is dead, long live the TEE!

Sort of related to smart cards...

Somewhat unfortunate for Microsoft and Intel who "bet the house" on TPMs (Trusted Platform Modules), all
their competitors in the mobile space including Google and Apple, have rather settled on embedded TEE
(Trusted Execution Environment) schemes enabling systems like this:

http://www.nasdaq.com/article/samsung-mobilesecurity-platform-to-be-part-of-next-android-20140625-00937

iOS:
http://images.apple.com/iphone/business/docs/iOS_Security_Feb14.pdf

How come the competition didn't buy into the TPM?

TPMs are based on a "one-size-fits-all" API philosophy. Since Intel relies on external vendors supplying
TPM components, this (IMHO fairly unwieldy) API must also be standardized, which makes the process of
updating TPMs extremely slow and costly.

TEEs OTOH can be fitted at any time with application-specific security APIs, which can be either standardized
or entirely proprietary. In fact, even third parties can create new security APIs using
GlobalPlatform's TEE!

How about security? Since there is (generally) very little consensus on these matters, I should probably
not dive too deep into this :-)

Anders

William Roberts | 8 Jul 22:47 2014

Adding support for AES General Auth

I am currently adding support for AES for general AUTH. I currently am
at this check in card-piv.c

if ( (*q++ != 0x7C)
|| (*q++ != rbuflen - 2)
|| (*q++ != 0x81)
|| (*q++ != rbuflen - 4)) {

This assumes that the response data can be represented in a single
byte length field for the TLVs, which is not always the case. Some of
the cards I have return 256 bytes of challenge data plus meta data.

I would like to change this to actually properly parse the nested
response TLVs; however, I am looking for some TLV parsing code in the
code base and have struck out. So the question is, do you have any
code for parsing nested TLVs?

FYI, the current status is that it sends to the card, gets the response via
multiple GET RESPONSE requests and then dies here. I added support
into the entry point to handle different key sizes and algorithms.

-- 
Respectfully,

William C Roberts
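A small BER-TLV encoder/decoder in C, added here as an example (it is not OpenSC code and not code from either poster), serving two questions in this archive: the PUT DATA formatting question above (building the 5C/53 data field for object 5FC105) and the nested-TLV parsing question in this message. It accepts the one-byte, 0x81 and 0x82 length forms, which is what the fixed-offset `*q++ != rbuflen - 2` check in card-piv.c cannot handle once a 256-byte challenge pushes a length past one byte. The function names, the constructed 7C/81 sample response and the two-byte dummy object data are this example's own; it assumes single-byte tags, which is all these APDUs use.

```c
/* Added example, not OpenSC code: ISO 7816-4 style BER-TLV encode/decode for PIV
 * APDUs. Single-byte tags; lengths in one-byte, 81 xx and 82 xx xx forms. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Write a BER length: <0x80 as one byte, <=0xFF as 81 xx, <=0xFFFF as 82 xx xx.
 * Returns bytes written, or 0 if cap is too small or len is not representable. */
static size_t tlv_put_len(uint8_t *out, size_t cap, size_t len)
{
    if (len < 0x80)    { if (cap < 1) return 0; out[0] = (uint8_t)len; return 1; }
    if (len <= 0xFF)   { if (cap < 2) return 0; out[0] = 0x81; out[1] = (uint8_t)len; return 2; }
    if (len <= 0xFFFF) { if (cap < 3) return 0; out[0] = 0x82; out[1] = (uint8_t)(len >> 8);
                         out[2] = (uint8_t)len; return 3; }
    return 0;
}

/* Append tag/length/value at out[used]; returns the new used length, or 0 on overflow. */
static size_t tlv_put(uint8_t *out, size_t cap, size_t used, uint8_t tag,
                      const uint8_t *val, size_t vlen)
{
    size_t n;
    if (used >= cap) return 0;
    out[used++] = tag;
    n = tlv_put_len(out + used, cap - used, vlen);
    if (n == 0 || cap - used - n < vlen) return 0;
    used += n;
    memcpy(out + used, val, vlen);
    return used + vlen;
}

/* PUT DATA data field for a PIV object: 5C <len> <tag list> 53 <len> <object data>. */
size_t piv_put_data_field(uint8_t *out, size_t cap, const uint8_t *taglist, size_t tl_len,
                          const uint8_t *obj, size_t obj_len)
{
    size_t used = tlv_put(out, cap, 0, 0x5C, taglist, tl_len);
    return used ? tlv_put(out, cap, used, 0x53, obj, obj_len) : 0;
}

/* Decode one TLV from in[0..len). Returns bytes consumed (tag + length + value) and
 * sets *tag, *vstart (offset of the value) and *vlen; returns 0 if the element is
 * truncated or uses a length form this decoder does not accept. */
size_t tlv_get(const uint8_t *in, size_t len, uint8_t *tag, size_t *vstart, size_t *vlen)
{
    size_t i = 0, l;
    if (len < 2) return 0;
    *tag = in[i++];
    if (in[i] < 0x80)       { l = in[i++]; }
    else if (in[i] == 0x81) { if (len < 3) return 0; l = in[i + 1]; i += 2; }
    else if (in[i] == 0x82) { if (len < 4) return 0;
                              l = ((size_t)in[i + 1] << 8) | in[i + 2]; i += 3; }
    else return 0;          /* 0x80 indefinite form or longer lengths: reject */
    if (l > len - i) return 0;  /* value runs past the buffer: truncated response */
    *vstart = i; *vlen = l;
    return i + l;
}

/* Find the inner TLV with tag `want` inside a 7C GENERAL AUTHENTICATE template.
 * Sets *val to its value and returns its length; 0 if absent or malformed. */
size_t piv_gen_auth_find(const uint8_t *rbuf, size_t rbuflen, uint8_t want,
                         const uint8_t **val)
{
    uint8_t tag; size_t vs, vl, off;
    if (tlv_get(rbuf, rbuflen, &tag, &vs, &vl) == 0 || tag != 0x7C) return 0;
    for (off = vs; off < vs + vl; ) {
        uint8_t t; size_t ivs, ivl, n = tlv_get(rbuf + off, vs + vl - off, &t, &ivs, &ivl);
        if (n == 0) return 0;
        if (t == want) { *val = rbuf + off + ivs; return ivl; }
        off += n;
    }
    return 0;
}

/* Constructed sample, not a real card response: 7C 82 01 04 { 81 82 01 00 <256 bytes> }.
 * Returns bytes written (264), or 0 if cap is too small. */
size_t sample_gen_auth_response(uint8_t *out, size_t cap)
{
    static const uint8_t hdr[] = { 0x7C, 0x82, 0x01, 0x04, 0x81, 0x82, 0x01, 0x00 };
    size_t i;
    if (cap < sizeof hdr + 256) return 0;
    memcpy(out, hdr, sizeof hdr);
    for (i = 0; i < 256; i++) out[sizeof hdr + i] = (uint8_t)i;
    return sizeof hdr + 256;
}

int main(void)
{
    uint8_t buf[16], resp[264]; const uint8_t *chal; size_t n, i;
    static const uint8_t taglist[] = { 0x5F, 0xC1, 0x05 }, obj[] = { 0x00, 0x00 };
    n = piv_put_data_field(buf, sizeof buf, taglist, sizeof taglist, obj, sizeof obj);
    for (i = 0; i < n; i++) printf("%02X%s", buf[i], i + 1 < n ? ":" : "\n");
    sample_gen_auth_response(resp, sizeof resp);
    n = piv_gen_auth_find(resp, sizeof resp, 0x81, &chal);
    printf("challenge length: %zu\n", n);
    return 0;
}
```

Run stand-alone, this prints the encoded PUT DATA field as 5C:03:5F:C1:05:53:02:00:00 and a challenge length of 256. Feeding the bytes 53:00:00:00 from the wiki command to `tlv_get` consumes only two bytes (tag 53, length 0) and leaves the trailing 00:00 unparsed, which is the check worth running on any hand-built APDU before it goes to a card. The decoder also returns 0 for a response cut short by a missing GET RESPONSE round trip, rather than reading past the buffer as a fixed-offset comparison would.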
