Christian Rank | 31 Jan 11:48

C_FindObjectsInit does not always find certificate on token when called from Java application

Hello,

when dealing with accessing tokens from a Java application via OpenSC, I
noticed that the Sun/ORACLE PKCS11-Java implementation is not always
able to retrieve the certificate chain (stored on the token) for a key.

The objects on my token (Feitian PKI card) are:
> Private RSA Key [Private Key]
> 	Object Flags   : [0x3], private, modifiable
> 	Usage          : [0x12E], decrypt, sign, signRecover, unwrap, derive
> 	Access Flags   : [0x0]
> 	ModLength      : 2048
> 	Key ref        : 1 (0x1)
> 	Native         : yes
> 	Path           : 3f005015
> 	Auth ID        : 01
> 	ID             : 692b93bfd7d6f6dd86832f81d1b44adbe266f74d
> 	GUID           : {692b93bf-d7d6-f6dd-8683-2f81d1b44adb}
> 
> X.509 Certificate [/C=DE/L=Entenhausen/O=Dagobert Duck Enterprises/OU=Geldspeicher/CN=Dagobert Duck]
> 	Object Flags   : [0x2], modifiable
> 	Authority      : no
> 	Path           : 3f0050153100
> 	ID             : 692b93bfd7d6f6dd86832f81d1b44adbe266f74d
> 	GUID           : {692b93bf-d7d6-f6dd-8683-2f81d1b44adb}
> 	Encoded serial : 02 01 03
> 
> X.509 Certificate [/C=DE/O=Deutsche Zertifizierungsstelle/OU=PKI der Deutschen Zertifizierungsstelle/CN=Deutsche Zertifizierungsstelle Root CA]

evalues evalues | 25 Jan 11:45

PKCS15 Deauthenticate Function

Hello,


I need to know if in OpenSC (opensc.dll version 0.12.1.0) there is a pkcs15 function that allows me to deauthenticate on a smart card. For example, I was looking at the source code of this OpenSC version, and I found that in the file minidriver.c there is a function (CardAuthenticatePin) that uses the function sc_pkcs15_verify_pin to check if the PIN is correct and, if so, authenticate the user on the smart card. Besides, I was looking at the function CardDeauthenticate, but I did not find a pkcs15 function for deauthentication. Does it exist? If it exists, what is it?

Also, I want to know if there is an API for the pkcs15 functions.

Thank you.

_______________________________________________
opensc-devel mailing list
opensc-devel <at> lists.opensc-project.org
http://www.opensc-project.org/mailman/listinfo/opensc-devel
Gergely Buday | 21 Jan 13:30

OFF: defunct opensc-user

Dear All,

I wanted to ask questions on opensc-user but the mailing list page
said that it was inactive. Should I post my questions here?

- Gergely
Viktor Tarasov | 20 Jan 09:00

Re: proving a key is on a smart card



On Thu, Jan 19, 2012 at 7:25 PM, Frank Cusack <frank <at> linetwo.net> wrote:
On Thu, Jan 19, 2012 at 2:27 AM, Viktor Tarasov <viktor.tarasov <at> gmail.com> wrote:


On Thu, Jan 19, 2012 at 9:52 AM, Frank Cusack <frank <at> linetwo.net> wrote:
On Wed, Jan 18, 2012 at 11:57 PM, Viktor Tarasov <viktor.tarasov <at> gmail.com> wrote:
On Thu, Jan 19, 2012 at 8:30 AM, Frank Cusack <frank <at> linetwo.net> wrote:
On Wed, Jan 18, 2012 at 11:04 PM, Christian Hohnstaedt <christian <at> hohnstaedt.de> wrote:
On Wed, Jan 18, 2012 at 04:20:05PM -0800, Frank Cusack wrote:
> In a CSR, how is it proven that the key resides on a smart card (and is not
> exportable)?  In my understanding, the CSR is signed by the private key of
> the (to be) cert itself.  Thus that signature only proves that the
> requester actually possesses the private half, not that the private key
> resides on a smart card.
>
> Looking at the cryptoflex command set, I don't see anything there that
> would add something to the CSR asserting that the key was generated
> on-card.  Same for ISO 7816-8, but I could easily be missing something.

You're probably missing the fact that noone stops the owner of a
software key to add the same information to the CSR.

Not if there's an APDU that adds that information as part of the operation, and the key used in that operation cannot be used except for CSR generation.

If the generate/import key operations are protected by secure messaging,
then the 'ticket' will be included in the successful APDU's response. This 'ticket' can be checked by the caller to be sure that the key was really injected/generated by the card.

You're missing the point.  Of course the caller can know if the key was really generated on card, but the CA cannot know that.


Secure messaging can be established in asymmetric mode, using the CA certificate trusted by card.

I don't think that's enough?  It doesn't matter if the card trusts the CA, it's that the CA has to trust the card.

It is difficult to do more with common cards.
A possible solution could be organisational:
- an OpCA dedicated only to mutual authentication between the cards and the enrollment/other entities;
- the OpCA certificate is not widely published and is only known to the above actors (like the symmetric keys for symmetric SM).



Fosdem 2012, donation of 50 ePass2003 to security devroom

Dear all,

Just a quick note that GOOZE will be attending the FOSDEM security devroom
(day one) and we will donate 50 ePass2003 tokens to the audience.
http://www.gooze.eu/epass-2003

People interested will only need to fill in an online form during the
security devroom and I will hand them the free tokens.

Hoping this can make the devroom a success.

Kind regards, 
-- 
                  Jean-Michel Pouré - Gooze - http://www.gooze.eu
Szabó Áron | 19 Jan 11:46

Always 3F00 is returned after reading (select has no effect)

Hi,

I have to test a rather old Bull card with the OpenSC v0.12.2 on Windows, I try to retrieve all the stored files
by using "SELECT FILE" and "READ BINARY" APDU commands (after performing a successful authentication by
using "VERIFY").

I can easily get the content of the MF (3F00), but I also get the same content for any other file I select and
read. Is it possible that the file ID parameter of "SELECT FILE" is not evaluated in my case? As you can
see below, I select and read 3F00, 17FF and 2F02 and I always get the same content, which is stored in 3F00
(I checked it with another tool). Any idea?

Best regards,
Aron

---

opensc-tool.exe --atr -v
Using reader with a card: OMNIKEY CardMan 3621 0
Connecting to card in reader OMNIKEY CardMan 3621 0...
Using card driver Default driver for unknown cards.
Card ATR:
3B 67 00 00 29 20 1A 01 78 90 00 ;g..) ..x..

opensc-tool.exe --send-apdu BC:20:00:00:08:XX:XX:XX:XX:XX:XX:XX:XX
Received (SW1=0x90, SW2=0x00)

opensc-tool.exe --send-apdu BC:A4:00:00:02:3F:00
Received (SW1=0x90, SW2=0x00)

opensc-tool.exe --send-apdu BC:B0:00:00:00
Received (SW1=0x90, SW2=0x00):
17 FF 06 E4 0E 10 03 DF 0E 2F FF C4 1F 6C 04 71 ........./...l.q
2F 03 00 80 B0 BB FF E4 2F 02 00 80 B0 BB FF E5 /......./.......
17 01 14 D4 FF FF FF FF FF FF FF FF FF FF FF FF ................
[...]

opensc-tool.exe --send-apdu BC:A4:00:00:02:17:FF
Received (SW1=0x90, SW2=0x00)

opensc-tool.exe --send-apdu BC:B0:00:00:00
Received (SW1=0x90, SW2=0x00):
17 FF 06 E4 0E 10 03 DF 0E 2F FF C4 1F 6C 04 71 ........./...l.q
2F 03 00 80 B0 BB FF E4 2F 02 00 80 B0 BB FF E5 /......./.......
17 01 14 D4 FF FF FF FF FF FF FF FF FF FF FF FF ................
[...]

opensc-tool.exe --send-apdu BC:A4:00:00:02:2F:02
Received (SW1=0x90, SW2=0x00)

opensc-tool.exe --send-apdu BC:B0:00:00:00
Received (SW1=0x90, SW2=0x00):
17 FF 06 E4 0E 10 03 DF 0E 2F FF C4 1F 6C 04 71 ........./...l.q
2F 03 00 80 B0 BB FF E4 2F 02 00 80 B0 BB FF E5 /......./.......
17 01 14 D4 FF FF FF FF FF FF FF FF FF FF FF FF ................
[...]
---
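The APDUs in the post, decomposed: an added example (not OpenSC code and not from the thread) that builds ISO 7816-4 short APDUs for SELECT FILE by FID and READ BINARY with a P1/P2 offset, parses the trailing SW1 SW2, and reads a transparent EF in chunks while honouring a 6Cxx "wrong Le" answer. The CLA byte is whatever the card expects (the post uses BC); the FakeCard at the bottom is a constructed stand-in for a reader, so the script runs offline. Note that in the fake, as in ISO 7816-4, selecting an unknown FID answers 6A82 rather than 9000.

```python
"""ISO 7816-4 short-APDU builder and response parser (added example)."""


def apdu(cla, ins, p1, p2, data=b"", le=None):
    """Short APDU: 4-byte header, optional Lc+data, optional Le (00 = 256)."""
    if len(data) > 255 or (le is not None and not 0 <= le <= 256):
        raise ValueError("short APDU: data <= 255 bytes, Le in 0..256")
    out = bytes([cla, ins, p1, p2])
    if data:
        out += bytes([len(data)]) + data
    if le is not None:
        out += bytes([le & 0xFF])
    return out


def select_file(fid, cla=0x00):
    """SELECT FILE by 2-byte file identifier, P1=P2=00 as in the post."""
    return apdu(cla, 0xA4, 0x00, 0x00, fid.to_bytes(2, "big"))


def read_binary(offset, length=256, cla=0x00):
    """READ BINARY; 15-bit offset split over P1/P2 (bit 8 of P1 stays clear)."""
    if not 0 <= offset < 0x8000:
        raise ValueError("offset must fit in 15 bits")
    return apdu(cla, 0xB0, offset >> 8, offset & 0xFF, le=length)


def from_colon_hex(text):
    """Parse the 'BC:A4:00:00:02:3F:00' notation used by opensc-tool."""
    return bytes(int(x, 16) for x in text.strip().split(":"))


SW_MEANING = {0x9000: "OK", 0x6700: "wrong length", 0x6982: "security status not satisfied",
              0x6A82: "file not found", 0x6A86: "incorrect P1/P2",
              0x6B00: "wrong parameters P1/P2", 0x6D00: "INS not supported"}


def describe_sw(sw):
    if sw in SW_MEANING:
        return SW_MEANING[sw]
    if sw >> 8 == 0x61:
        return f"{sw & 0xFF} bytes available, use GET RESPONSE"
    if sw >> 8 == 0x6C:
        return f"wrong Le, resend with Le={sw & 0xFF:02X}"
    if sw & 0xFFF0 == 0x63C0:
        return f"verification failed, {sw & 0x0F} tries left"
    return "unknown"


def parse_response(raw):
    """Split a raw response into (data, sw); the caller judges the status."""
    if len(raw) < 2:
        raise ValueError("response shorter than SW1 SW2")
    return raw[:-2], int.from_bytes(raw[-2:], "big")


def read_ef(send, size, cla=0x00, chunk=256):
    """Read `size` bytes of the currently selected transparent EF in chunks.
    `send` takes a command APDU and returns the raw response bytes."""
    out = bytearray()
    while len(out) < size:
        want = min(chunk, size - len(out))
        data, sw = parse_response(send(read_binary(len(out), want, cla)))
        if sw >> 8 == 0x6C:  # card tells us the Le it wants: retry with it
            data, sw = parse_response(send(read_binary(len(out), sw & 0xFF, cla)))
        if sw != 0x9000 or not data:
            raise IOError(f"READ BINARY at {len(out)}: SW={sw:04X} ({describe_sw(sw)})")
        out += data
    return bytes(out)


class FakeCard:
    """Constructed stand-in for a reader: transparent EFs keyed by FID."""

    def __init__(self, files):
        self.files, self.current = files, 0x3F00

    def __call__(self, cmd):
        cla, ins, p1, p2 = cmd[:4]
        if ins == 0xA4:
            fid = int.from_bytes(cmd[5:7], "big")
            if fid not in self.files:
                return b"\x6a\x82"
            self.current = fid
            return b"\x90\x00"
        if ins == 0xB0:
            offset, le = (p1 << 8) | p2, cmd[4] or 256
            body = self.files[self.current]
            if offset >= len(body):
                return b"\x6b\x00"
            return body[offset:offset + le] + b"\x90\x00"
        return b"\x6d\x00"
```

Against a real card, replace FakeCard with a callable that hands the bytes to your transport (opensc-tool --send-apdu, or a PC/SC binding) and returns the raw response; read_ef will stop at the first non-9000 status instead of silently accepting whatever came back.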
Frank Cusack | 19 Jan 01:20

proving a key is on a smart card

In a CSR, how is it proven that the key resides on a smart card (and is not exportable)?  In my understanding, the CSR is signed by the private key of the (to be) cert itself.  Thus that signature only proves that the requester actually possesses the private half, not that the private key resides on a smart card.

Looking at the cryptoflex command set, I don't see anything there that would add something to the CSR asserting that the key was generated on-card.  Same for ISO 7816-8, but I could easily be missing something.  Are there card specific APDUs that add some proof?  If so, any pointers to what cards can do this?

Or is the typical method basically to require use of a "secure" enrollment station?

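The distinction the thread above turns on, as an added example (not OpenSC code, not from any poster): a CSR's self-signature proves possession of the private key and nothing more, so a key in a file and a key on a card produce indistinguishable CSRs. What lets a CA conclude "generated on card" is a separate statement signed by an attestation key that never leaves the card, chained to an operator CA the enrollment CA trusts (the organisational setup Viktor describes). The script models both checks CA-side. Cryptography is a deliberately tiny textbook RSA on fixed Mersenne primes, chosen only so it runs with no library; the names (ToyKey, Card, csr_proves_on_card) and the '|'-joined message formats are this example's own.

```python
"""Toy model of CSR proof-of-possession versus on-card key attestation.

Added example. Textbook RSA on fixed Mersenne primes: fine for showing the
protocol shape, never for anything real.
"""
import hashlib
from dataclasses import dataclass

E = 65537  # public exponent; coprime to phi for every prime pair used here


@dataclass(frozen=True)
class ToyKey:
    n: int
    e: int
    d: int  # private exponent: known only to whoever holds the key

    @property
    def public(self):
        return (self.n, self.e)


def toy_keypair(p_exp, q_exp):
    """Key from the Mersenne primes 2^p_exp-1 and 2^q_exp-1 (toy only)."""
    p, q = (1 << p_exp) - 1, (1 << q_exp) - 1
    return ToyKey(p * q, E, pow(E, -1, (p - 1) * (q - 1)))


def _h(data, n):
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def sign(key, data):
    return pow(_h(data, key.n), key.d, key.n)


def verify(pub, data, sig):
    n, e = pub
    return pow(sig, e, n) == _h(data, n)


# A CSR is CertificationRequestInfo (subject + public key) signed with the
# subject's own private key. Fields are '|'-joined here instead of DER, so
# subjects must not contain '|'.
def make_csr(subject, key):
    cri = f"{subject}|{key.n}|{key.e}".encode()
    return cri, sign(key, cri)


def csr_proves_possession(csr):
    """All a self-signed CSR tells the CA: the requester holds the private half."""
    cri, sig = csr
    _, n, e = cri.decode().split("|")
    return verify((int(n), int(e)), cri, sig)


# A card holding an attestation key certified by an operator CA ("OpCA")
# that the enrollment CA trusts. Assumed design for the example, not a
# feature of any card named in the thread.
class Card:
    def __init__(self, attest_key):
        self._attest = attest_key  # never leaves the card

    def generate_key(self, p_exp, q_exp):
        key = toy_keypair(p_exp, q_exp)
        stmt = f"generated-on-card|{key.n}|{key.e}".encode()
        return key, (stmt, sign(self._attest, stmt))


def csr_proves_on_card(csr, attestation, trusted_attest_pub):
    """CA-side: valid PoP, attestation signed by a trusted card key, and the
    attested public key is exactly the key in the CSR."""
    if not csr_proves_possession(csr):
        return False
    stmt, sig = attestation
    if not verify(trusted_attest_pub, stmt, sig):
        return False
    _, n, e = stmt.decode().split("|")
    _, csr_n, csr_e = csr[0].decode().split("|")
    return (n, e) == (csr_n, csr_e)


if __name__ == "__main__":
    software = toy_keypair(31, 61)            # a key that lives in a file
    opca_attest = toy_keypair(127, 521)       # the card's attestation key
    card_key, att = Card(opca_attest).generate_key(89, 107)
    sw_csr, card_csr = make_csr("CN=sw", software), make_csr("CN=card", card_key)
    print("PoP     sw:", csr_proves_possession(sw_csr),
          "card:", csr_proves_possession(card_csr))
    print("on-card sw:", csr_proves_on_card(sw_csr, att, opca_attest.public),
          "card:", csr_proves_on_card(card_csr, att, opca_attest.public))
```

The two failure cases worth keeping in mind are both in the test below: a software-key holder who signs an attestation statement with the only key they have fails the trusted-key check, and a genuine attestation pasted onto a CSR for a different key fails the key-equality check. Without the attestation path, both CSRs look the same to the CA, which is why the alternative is a controlled enrollment station.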
Scott Thomas | 13 Jan 04:52

OpenSSL OpenSC PKCS11 engine integration with 2 smart cards

Bonjour All Users,

I have configured opensc with openssl and found this page very helpful : http://www.opensc-project.org/engine_pkcs11/wiki/QuickStart
with following config :

openssl_conf = openssl_def
[openssl_def]
engines = engine_section
[engine_section]
pkcs11 = pkcs11_section
[pkcs11_section]
engine_id = pkcs11
dynamic_path = /usr/lib/engines/engine_pkcs11.so
MODULE_PATH = /usr/lib/opensc-pkcs11.so
init = 0

and

openssl req -config openssl.conf -engine pkcs11 -new -key id_45 -keyform engine -out req.pem -text -x509 -subj "/CN=Andreas Jellinghaus"

It is working fine for me. But the issue is that my application requires 2 smart cards. This configuration only deals with 1 smart card, and if multiple cards are attached then it will interact with the 1st card. How can I modify this to access the other card attached to my machine?

Regards
Scott Thomas

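As an added illustration (not from the thread and not the engine_pkcs11 project's own text): the engine section itself does not pick a card, the key id does. The engine_pkcs11 README of that era documents key ids of the form slot_<n>-id_<hex> (and slot_<n>-label_<label>), where n is the slot index as the engine enumerates it; confirm the form against the README of the version installed. The slot numbers 0 and 1 and the id 45 below are assumptions for the illustration; pkcs11-tool -L shows the real slots and pkcs15-tool -D the real key ids.

```ini
# Same openssl.conf as in the post; nothing here needs to change per card.
openssl_conf = openssl_def
[openssl_def]
engines = engine_section
[engine_section]
pkcs11 = pkcs11_section
[pkcs11_section]
engine_id = pkcs11
dynamic_path = /usr/lib/engines/engine_pkcs11.so
MODULE_PATH = /usr/lib/opensc-pkcs11.so
init = 0

# Choose the card per command by prefixing the key id with its slot
# (slot indices assumed to be 0 and 1 here; check with `pkcs11-tool -L`):
#
#   openssl req -config openssl.conf -engine pkcs11 -keyform engine \
#       -key slot_0-id_45 -new -x509 -subj "/CN=card one" -out one.pem
#   openssl req -config openssl.conf -engine pkcs11 -keyform engine \
#       -key slot_1-id_45 -new -x509 -subj "/CN=card two" -out two.pem
```

Slot indices shift when a reader is unplugged or a card removed, so for anything unattended prefer selecting by label (slot_<n>-label_<label>) or verify the token label before signing rather than trusting the index alone.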
Ludovic Rousseau | 10 Jan 14:03

pkcs11-spy: Display the ASCII equivalent of a hex dump

Hello,

I need to have an ascii dump of objects logged by pkcs11-spy. So I
updated the code. The patch is available at
https://github.com/LudovicRousseau/OpenSC/commit/48f8f982a09e5a484ff4951609ebfcabf8d99bfc

The output format of a hex dump has changed from:
    668C045A 1C3A4EF4 CF8550F3 20926525 1E8BF478
to:
    00000000  66 8C 04 5A 1C 3A 4E F4 CF 85 50 F3 20 92 65 25  f..Z.:N...P. .e%
    00000010  1E 8B F4 78                                      ...x

It is now possible to find text strings inside a hex dump.

If nobody complains I will push the change to OpenSC/staging.

Bye

-- 
 Dr. Ludovic Rousseau
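The two layouts above, reproduced as an added example (not the pkcs11-spy patch itself, nor any other OpenSC code): a formatter that emits the new offset/hex/ASCII lines exactly as quoted, the old 4-byte-group form for comparison, and a strings(1)-style scan that pulls printable runs out of the same bytes. The sample blob in the usage is constructed for the example; the point the ASCII column makes is that values such as object labels, which travel through PKCS#11 as raw attribute bytes, are readable at a glance in the spy log.

```python
"""Hex dump with ASCII column and a strings-style scan (added example)."""
import string

# Printable ASCII except control whitespace; 0x20 stays visible as a space.
PRINTABLE = set(string.printable) - set("\t\n\r\x0b\x0c")


def hexdump(data, width=16):
    """New pkcs11-spy layout: 8-hex-digit offset, hex bytes, ASCII column."""
    lines = []
    for off in range(0, len(data), width):
        chunk = data[off:off + width]
        hex_part = " ".join(f"{b:02X}" for b in chunk)
        ascii_part = "".join(chr(b) if chr(b) in PRINTABLE else "." for b in chunk)
        lines.append(f"{off:08X}  {hex_part:<{width * 3 - 1}}  {ascii_part}")
    return "\n".join(lines)


def old_hexdump(data):
    """Previous layout: uppercase hex in 4-byte groups, no ASCII."""
    return " ".join(data[i:i + 4].hex().upper() for i in range(0, len(data), 4))


def find_strings(data, min_len=4):
    """Yield (offset, text) for runs of at least min_len printable bytes."""
    start = None
    for i, b in enumerate(data + b"\x00"):  # sentinel closes a trailing run
        if 0x20 <= b < 0x7F:
            if start is None:
                start = i
        else:
            if start is not None and i - start >= min_len:
                yield start, data[start:i].decode("ascii")
            start = None


if __name__ == "__main__":
    # Constructed sample: binary framing around a label-like value.
    blob = bytes.fromhex("668C045A1C3A4EF4CF8550F320926525") + b"signing key\x00\xff"
    print(old_hexdump(blob))
    print(hexdump(blob))
    for off, text in find_strings(blob):
        print(f"{off:08X}: {text}")
```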

OpenSC GIT organization members

Dear all,

In the previous organization, a lot of developers could commit changes
to SVN after discussion on the mailing list. This proved to be a very
smooth way to work.

Now, from OpenSC main page on GITHUB [1] it is written that organization
members are Martin and Ludovic. Does it mean that only Martin and
Ludovic can accept and commit changes to main tree?

Would it be possible to get back to the old and working organisation
where the main developers could commit changes themselves?

[1] https://github.com/OpenSC

Kind regards,
-- 
                  Jean-Michel Pouré - Gooze - http://www.gooze.eu
Anders Rundgren | 7 Jan 16:29

PIV - Number of certificates

Hi,
I'm not particularly familiar with PIV but from the spec it seems that
a PIV card supports 1-3 user certificates selected by some kind of index.

Let's say that I rather wanted 10 certificates, would drivers out there
be able to cope with that?

I understand that this is outside of the actual PIV specification but I do
believe that some people have experimented with additional certificates
to not have to carry yet another card.

thanx,
Anders
