Niklas Hansel | 27 Jun 12:09 2016

Gemalto IDPrime .Net 510 Smartcard

Hello,
did someone get the Gemalto IDPrime .Net card working with OpenSC?
Here is some pcsc_scan information:

ATR: 3B 16 96 41 73 74 72 69 64
+ TS = 3B --> Direct Convention
+ T0 = 16, Y(1): 0001, K: 6 (historical bytes)
  TA(1) = 96 --> Fi=512, Di=32, 16 cycles/ETU
    250000 bits/s at 4 MHz, fMax for Fi = 5 MHz => 312500 bits/s
+ Historical bytes: 41 73 74 72 69 64
  Category indicator byte: 41 (proprietary format)

Possibly identified card (using /usr/share/pcsc/smartcard_list.txt):
3B 16 96 41 73 74 72 69 64
        Gemalto .NET v2.0

I'd like to implement FDE and 2FA with the card on Linux (CentOS), maybe someone worked with this card already and has a best practice for me.

best regards
Niklas

_______________________________________________
Opensc-devel mailing list
Opensc-devel <at> lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/opensc-devel
Carsten Blüggel | 26 Jun 22:22 2016

OpenSC VERSION='0.15.0' API: A moving target to bind to on Linux?

Hello folks at OpenSC,

I downloaded https://sourceforge.net/projects/opensc/files/OpenSC/opensc-0.15.0/opensc-0.15.0.tar.gz/download
twice, last year and recently this year, and surprisingly the tarballs' contents are quite different, as well as the file dates: 2015-05-16 and 2016-02-16.
(I can't compare .zip archives; current still has 2015-05-16 file date, thus probably stable, but Windows isn't my first priority)

A binding (for a new driver written as external module in D; as well as the module acos5_64 itself) renders quite useless for the public if the version is a moving target.
Problems arise from API differences (called same version 0.15.0) in:
opensc.h (struct sc_reader_driver, struct sc_reader, struct sc_context),
pkcs15.h (struct sc_md_cmap_record, struct sc_md_cardcf, struct sc_md_data, struct sc_pkcs15_prkey_info),
sc-pkcs11.h (struct sc_pkcs11_config, struct sc_pkcs11_slot).

Thus I can base on version 0.16.0 only/earliest, which most people's Linux distributions won't supply for some time (my recent Kubuntu upgrade 16.04 comes with 0.15.0 whichever)?

Any ideas?

Thanks, Carsten
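
When two downloads of one release differ, as described in this message, a member-by-member comparison separates files whose content changed from files that only carry a new date, and the archive's SHA-256 gives a binding something fixed to refer to. This is an added example, not code from the post or from OpenSC; the archive names, file contents and timestamps are constructed.

```python
"""Compare two downloads of a release tarball member by member (added example)."""
import hashlib
import io
import tarfile


def manifest(tar_bytes):
    """Return {member path: (sha256 of content, mtime)} for regular files."""
    entries = {}
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:*") as tar:
        for member in tar:
            if member.isfile():
                data = tar.extractfile(member).read()
                entries[member.name] = (hashlib.sha256(data).hexdigest(), member.mtime)
    return entries


def compare(old_bytes, new_bytes):
    """Classify the differences between two archives of the same release."""
    old, new = manifest(old_bytes), manifest(new_bytes)
    common = old.keys() & new.keys()
    same = hashlib.sha256(old_bytes).digest() == hashlib.sha256(new_bytes).digest()
    return {
        "same_archive": same,
        "added": sorted(new.keys() - old.keys()),
        "removed": sorted(old.keys() - new.keys()),
        "content_changed": sorted(n for n in common if old[n][0] != new[n][0]),
        "date_only": sorted(n for n in common
                            if old[n][0] == new[n][0] and old[n][1] != new[n][1]),
    }


def make_tar(files, mtime):
    """Build a .tar.gz in memory; used only for the constructed samples below."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, content in files.items():
            info = tarfile.TarInfo(name)
            info.size, info.mtime = len(content), mtime
            tar.addfile(info, io.BytesIO(content))
    return buf.getvalue()


# Constructed stand-ins for two downloads published under one version number.
# File names and contents are invented for the demonstration.
FIRST = make_tar({
    "pkg-1.0/include/api.h": b"struct reader { int id; };\n",
    "pkg-1.0/README": b"release 1.0\n",
}, mtime=1431734400)   # 2015-05-16 00:00 UTC
SECOND = make_tar({
    "pkg-1.0/include/api.h": b"struct reader { int id; int flags; };\n",
    "pkg-1.0/README": b"release 1.0\n",
    "pkg-1.0/include/extra.h": b"/* new header */\n",
}, mtime=1455580800)   # 2016-02-16 00:00 UTC

if __name__ == "__main__":
    for key, value in compare(FIRST, SECOND).items():
        print(key, value)
```

Recording the SHA-256 of the exact archive a binding was generated from lets a build refuse a tarball that was replaced under the same version number.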

Douglas E Engert | 25 Jun 17:03 2016

Fwd: NIST Released Draft Special Publication 800-179, Guide to Securing Apple OS X 10.10 Systems for IT Professionals: A NIST Security Configuration Checklist

OpenSC developers might be interested in this draft doc.

tokend is not mentioned at all.
PIV is referenced in 7 places, including this vague footnote:
43 The support for PIV card readers on OS X is still evolving

Not being a Mac OS person, I am just passing it on...


-------- Forwarded Message --------
Subject: NIST Released Draft Special Publication 800-179, Guide to Securing Apple OS X 10.10 Systems for IT Professionals: A NIST Security Configuration Checklist
Date: Fri, 24 Jun 2016 20:52:59 -0500
From: NIST Computer Security Resource Center <csrc.nist <at> service.govdelivery.com>
Reply-To: csrc.nist <at> service.govdelivery.com
To: deengert <at> gmail.com


NIST Released Draft Special Publication 800-179, Guide to Securing Apple OS X 10.10 Systems for IT Professionals: A NIST Security Configuration Checklist

NIST Released Draft Special Publication 800-179, Guide to Securing Apple OS X 10.10 Systems for IT Professionals: A NIST Security Configuration Checklist. This Draft Special Publication is available for public comment.  See below for further details.

Information and links to Draft SP 800-179 can be found on the NIST CSRC Draft Publications page: 
<http://csrc.nist.gov/publications/PubsDrafts.html#800-179>
*Note: There is a comment template available to use when submitting comments to this draft document.

Deadline to submit comments: August 15, 2016

Email comments or questions about this draft document to:
<800-179comments <at> nist.gov>

__________
NIST Computer Security Division
webmaster-csrc <at> nist.gov (Attn: Pat O’Reilly)

Marx, Peter | 14 Jun 11:42 2016

Crypto Chip Support imaginable ?

I’m an IT architect in a big IoT project. I’m looking to get PKCS#11 support for Java applications on Linux, so I can get rid of the keystore files of e.g. Apache ActiveMQ. TLS certificates and keys shall be created/stored in hardware instead.

But I can’t use smartcards. The idea is to use a cryptochip on the mainboard (headless Linux field unit) like the ATMEL ATECC108A. The chip is on the I2C bus and is e.g. accessible from Linux as a device.

I had asked ATMEL about software support for their chips beyond the embedded level. But they can only provide a Linux I2C reference implementation of the HAL, nothing in the direction of a PKCS#11 module. And an OpenSSL add-on is available.

Not having in-depth knowledge from the PKCS#11 wrapper down to the chip, my questions are:

- What components have to be developed to make a cryptochip look like a smartcard to OpenSC?
- Has this been done before?
- Can this be purchased or is it available for free?
- Can this be done in native Java or is some C/C++ wrapping with JNI needed?
- What effort would this be?
- In case there is no open solution: who knows a company which could deliver a solution?

Peter



Jean-Pierre Münch | 28 May 22:16 2016

Clarification request regarding the support of Yubikey Neo / 4

Hello everyone,

I've searched the internet for quite some time now and couldn't find a satisfying / understandable answer, so I figured I could ask here.

I've read that the Yubikey 4 and the Yubikey Neo have a "PIV" application which is supported via OpenSC, so I really would like to have answers to the following (simple) questions:

  • What is the authoritative document / website that documents the procedure that enables the PIV application on the Yubikeys?
  • Once the PIV application is enabled, is it possible to use the Yubikey as a normal PKCS#11 smart card, if not what operations (if any) are exposed via PKCS#11? (e.g. use the PKCS#11 library for signing and decrypting stuff on-card with RSA / ECDH / ECDSA)
  • Assuming you can use the Yubikey as an ordinary PKCS#11 smart card, does it support PKCS#11 (-tool) / PKCS#15 (-tool) / custom tool based key-import?

I really hope you can help me with these three questions.

Best Regards

JPM

Gyurgyik, Matthew S. | 20 May 02:18 2016

Understanding of ssh pkcs key provider

Hello.

First, let me say I’m new to smart cards and I haven’t been able to find much documentation on how they
work. I’m looking for some education, if there is a better place to post this question, please let me know.

I can add keys provided by my smart card to ssh-agent with

$ ssh-add -s /Library/OpenSC/lib/opensc-pkcs11.so

However, if I remove the card from the reader and then reinsert it I have to re-add the keys

$ ssh-add -e /Library/OpenSC/lib/opensc-pkcs11.so
$ ssh-add -s /Library/OpenSC/lib/opensc-pkcs11.so

This happens on both OS X and RHEL7. I am assuming this is expected behavior. Can someone explain (or point me to
documentation) why it is necessary to remove the keys and re-add them?

Thank you,
Matthew Gyurgyik

Jakub Jelen | 16 May 17:04 2016

PKCS#11 Test suite (PIV)

Hello OpenSC devels,

I didn't find any test suite or unit tests for the OpenSC project. As I
noticed, there is a lot of hand-testing work on pull requests for
various cards and users. I believe everyone has some use cases to verify
basic functionality of their cards.
I understand that this field is very divergent, there are a lot of card
variants and it is almost impossible to build an automatic test suite that
would run in the cloud with every build. But would it make sense to have
something that devels (or users) can simply run and which would verify
basic functionality and possible regressions?

I went to the directory src/tests/ and fixed the tests that are
available now (see pull request [1], broken for 6 years), but they are
far away from a complete test suite.

I also started with the idea from the PKCS#11 API and put together a basic
test suite and inspector for OpenSC, which is currently in my OpenSC
fork [2]. It is by no means a complete test suite of all the use cases, but
I tried to catch the most common cases, represent results in an understandable
form (currently tested with PIV cards) and add a regression test for
recent pull request [3].

And there is the twist. What would you expect from PKCS#11/Smartcard 
testsuite? Would it make sense to have something like this upstream? 
What use cases would you expect from that to check?

[1] https://github.com/OpenSC/OpenSC/pull/759
[2] https://github.com/Jakuje/OpenSC/tree/jjelen-testsuite/src/tests
[3] https://github.com/OpenSC/OpenSC/pull/743

Regards,

-- 
Jakub Jelen
Security Technologies
Red Hat

Frank Morgner | 3 May 12:33 2016

Re: Information for not yet supported card

If you are lucky your card is already supported, but OpenSC does not yet
recognize it. You should try to get to know what specific java card
applets are on your card.

If the card is not supported, you will have to find some programmer, who
adds support.

Greets, Frank.

On Thursday, April 28 at 10:30PM, Claudio Felix wrote:
> Hi Frank,
> 
> Is there anything else I can do or use to get the required information?
> 
> Thanks,
> 
> Claudio
> 
> 2016-04-19 19:17 GMT-03:00 Frank Morgner <morgner <at> informatik.hu-berlin.de>:
> 
> > Sorry, this does unfortunately not contain any useful information.
> >
> > Greets, Frank.
> >
> >
> > On Tuesday, April 19 at 07:09PM, Claudio Felix wrote:
> > > Hi,
> > >
> > > Some time ago I bought a card in an online store to store digital
> > > certificates for e-CPF or e-CNPJ, which are respectively like a tax payer
> > > identifier for people and companies. I don't have the e-mail from the
> > > store anymore, but I remember something about JCOP and java card. Although it
> > > seems yet unsupported in OpenSC, it looks supported in PCSC, since
> > > pcsc_scan outputs the following information when the card gets inserted:
> > >
> > > Reader 0: CASTLES EZ100PU 00 00
> > >   Card state: Card inserted,
> > >   ATR: 3B 6A 00 FF 4A 43 4F 50 32 31 56 32 33 31
> > >
> > > ATR: 3B 6A 00 FF 4A 43 4F 50 32 31 56 32 33 31
> > > + TS = 3B --> Direct Convention
> > > + T0 = 6A, Y(1): 0110, K: 10 (historical bytes)
> > >   TB(1) = 00 --> VPP is not electrically connected
> > >   TC(1) = FF --> Extra guard time: 255 (special value)
> > > + Historical bytes: 4A 43 4F 50 32 31 56 32 33 31
> > >   Category indicator byte: 4A (proprietary format)
> > >
> > > Possibly identified card (using /usr/share/pcsc/smartcard_list.txt):
> > > 3B 6A 00 FF 4A 43 4F 50 32 31 56 32 33 31
> > >         JCOP21 v2.3 Standard
> > >
> > >
> > > Hope this helps getting the card supported.
> > >
> > > Thank you,
> > >
> > > Claudio
> >
> > --
> > Frank Morgner
> >
> > Virtual Smart Card Architecture http://vsmartcard.sourceforge.net
> > OpenPACE                        http://openpace.sourceforge.net
> > IFD Handler for libnfc Devices  http://sourceforge.net/projects/ifdnfc
> >

-- 
Frank Morgner

Virtual Smart Card Architecture http://vsmartcard.sourceforge.net
OpenPACE                        http://openpace.sourceforge.net
IFD Handler for libnfc Devices  http://sourceforge.net/projects/ifdnfc
Johannes Rath | 26 Apr 09:58 2016

Writing private key to smart card

Hi all,

I am trying to write a private key to a smart card, but I am always getting an error:

jor <at> jorVirtualUbuntu1404:/mnt/Projects/TestOpenSC$ pkcs11-tool -y privkey  -l -w  private.der
Using slot 0 with a present token (0x0)
Logging in to "JavaCard isoApplet (User PIN)".
Please enter User PIN:
error: PKCS11 function C_CreateObject failed: rv = CKR_GENERAL_ERROR (0x5)
Aborting.
jor <at> jorVirtualUbuntu1404:/mnt/Projects/TestOpenSC$ opensc-tool -i
OpenSC 0.15.0 [gcc  4.8.4]
Enabled features: locking zlib readline openssl pcsc(libpcsclite.so.1)

Any ideas?

Regards

Johannes

Douglas E Engert | 21 Apr 23:57 2016

OpenSC AppVeyor is acting up

It appears that AppVeyor is having problems loading zlib. See:

https://ci.appveyor.com/project/LudovicRousseau/opensc/build/0.16.0.595/job/65tmhvbcns2grosi

Error downloading file: Unable to connect to the remote server

7-Zip [64] 9.20  Copyright (c) 1999-2010 Igor Pavlov  2010-11-18

Error:
cannot find archive
Rename-Item : Cannot rename because item at 'c:\zlib-1.2.8' does not exist.
At line:11 char:3
+   Rename-Item -path "c:\zlib-${env:ZLIB_VER_DOT}" -newName "zlib"
+   ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
     + CategoryInfo          : InvalidOperation: (:) [Rename-Item], PSInvalidOperationException
     + FullyQualifiedErrorId : InvalidOperation,Microsoft.PowerShell.Commands.RenameItemCommand

Command executed with exception: Cannot rename because item at 'c:\zlib-1.2.8' does not exist.

-- 

  Douglas E. Engert  <DEEngert <at> gmail.com>

Claudio Felix | 20 Apr 00:09 2016

Information for not yet supported card

Hi,

Some time ago I bought a card in an online store to store digital certificates for e-CPF or e-CNPJ, which are respectively like a tax payer identifier for people and companies. I don't have the e-mail from the store anymore, but I remember something about JCOP and java card. Although it seems yet unsupported in OpenSC, it looks supported in PCSC, since pcsc_scan outputs the following information when the card gets inserted:

Reader 0: CASTLES EZ100PU 00 00
  Card state: Card inserted, 
  ATR: 3B 6A 00 FF 4A 43 4F 50 32 31 56 32 33 31

ATR: 3B 6A 00 FF 4A 43 4F 50 32 31 56 32 33 31
+ TS = 3B --> Direct Convention
+ T0 = 6A, Y(1): 0110, K: 10 (historical bytes)
  TB(1) = 00 --> VPP is not electrically connected
  TC(1) = FF --> Extra guard time: 255 (special value)
+ Historical bytes: 4A 43 4F 50 32 31 56 32 33 31
  Category indicator byte: 4A (proprietary format)

Possibly identified card (using /usr/share/pcsc/smartcard_list.txt):
3B 6A 00 FF 4A 43 4F 50 32 31 56 32 33 31
        JCOP21 v2.3 Standard


Hope this helps getting the card supported.

Thank you,

Claudio
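
The ATR breakdowns that pcsc_scan printed for the two cards on this page (the Gemalto .NET card in Niklas Hansel's message and the JCOP21 card in this one) can be reproduced with a small ISO/IEC 7816-3 decoder. This is an added example, not code from OpenSC, pcsc-tools or any poster; `parse_atr` and the third, constructed ATR are assumptions made for the illustration.

```python
"""Decode an ISO/IEC 7816-3 ATR into the fields pcsc_scan prints (added example)."""

# Fi (clock rate conversion) and Di (baud rate adjustment) tables, ISO/IEC 7816-3
FI = {0: 372, 1: 372, 2: 558, 3: 744, 4: 1116, 5: 1488, 6: 1860,
      9: 512, 10: 768, 11: 1024, 12: 1536, 13: 2048}
DI = {1: 1, 2: 2, 3: 4, 4: 8, 5: 16, 6: 32, 7: 64, 8: 12, 9: 20}


def parse_atr(atr_hex):
    data = bytes.fromhex(atr_hex.replace(" ", ""))
    if len(data) < 2 or data[0] not in (0x3B, 0x3F):
        raise ValueError("not an ATR: bad length or TS byte")
    out = {"convention": "direct" if data[0] == 0x3B else "inverse",
           "interface": {}, "protocols": []}
    y, k = data[1] >> 4, data[1] & 0x0F   # T0: presence bits Y(1), K historical bytes
    pos, i = 2, 1
    while True:
        # Y(i) bits 1, 2, 4, 8 announce TA(i), TB(i), TC(i), TD(i), in that order
        for bit, name in ((1, "TA"), (2, "TB"), (4, "TC"), (8, "TD")):
            if y & bit:
                if pos >= len(data):
                    raise ValueError("ATR truncated at %s(%d)" % (name, i))
                out["interface"]["%s%d" % (name, i)] = data[pos]
                pos += 1
        td = out["interface"].get("TD%d" % i)
        if td is None:
            break
        out["protocols"].append(td & 0x0F)  # low nibble: protocol T
        y, i = td >> 4, i + 1               # high nibble: Y(i+1)
    hist = data[pos:pos + k]
    if len(hist) != k:
        raise ValueError("ATR truncated in historical bytes")
    pos += k
    # TCK exists only when a protocol other than T=0 is announced; it makes
    # the XOR of all bytes from T0 through TCK equal zero.
    if any(t != 0 for t in out["protocols"]):
        if pos >= len(data):
            raise ValueError("TCK missing")
        x = 0
        for b in data[1:pos + 1]:
            x ^= b
        out["tck_ok"] = (x == 0)
        pos += 1
    if pos != len(data):
        raise ValueError("unexpected trailing bytes")
    if not out["protocols"]:
        out["protocols"] = [0]              # no TD(1): T=0 is implied
    ta1 = out["interface"].get("TA1")
    if ta1 is not None:
        out["Fi"], out["Di"] = FI.get(ta1 >> 4), DI.get(ta1 & 0x0F)
    out["historical"] = hist.hex().upper()
    out["historical_ascii"] = "".join(chr(b) if 32 <= b < 127 else "." for b in hist)
    return out


# The two ATRs quoted in the messages on this page, plus one constructed
# ATR (T=1, no historical bytes) that exercises the TCK check.
ATR_GEMALTO = "3B 16 96 41 73 74 72 69 64"
ATR_JCOP = "3B 6A 00 FF 4A 43 4F 50 32 31 56 32 33 31"
ATR_CONSTRUCTED_T1 = "3B 80 01 81"

if __name__ == "__main__":
    for atr in (ATR_GEMALTO, ATR_JCOP, ATR_CONSTRUCTED_T1):
        print(atr, "->", parse_atr(atr))
```

For both cards the historical bytes are plain ASCII ("Astrid", "JCOP21V231"); nothing in either ATR lists the applets on the card.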