Martin Paljak | 14 Apr 22:42 2014

OpenSC and OpenSSL


"OpenSSL must die, for it will never get any better."

http://queue.acm.org/detail.cfm?id=2602816

While it is just the 2014 FOSDEM speak made more tangible, it is worth
reading.

The fact that OpenSC is interwoven with OpenSSL has been a long known
"trouble point". While it might be good for OpenSSL it certainly
doesn't make it better for OpenSC that Google is thinking of moving
from NSS to OpenSSL:

https://docs.google.com/document/d/1ML11ZyyMpnAr6clIAwWrXD53pQgNR-DppMYwt9XvE6s/preview?pli=1&sle=true

PHK suggests a "godsend" that doesn't exist yet, but something we
looked into a few years ago:

"We need a well-designed API, as simple as possible to make it hard
for people to use it incorrectly. And we need multiple independent
quality implementations of that API, so that if one turns out to be
crap, people can switch to a better one in a matter of hours."

While OpenSC doesn't depend on OpenSSL in the sense of being
vulnerable because of *SSL/TLS* issues in it (and partially thanks to
the policy that OpenSC *should not do crypto itself unless it has to*
but "delegate the problem to the card") we *really-really* need to
think how to handle this. So that adjustments could easily be made for
other platforms and libraries. Especially for any new code.


Leonardo Brondani Schenkel | 14 Apr 12:42 2014

sc-hsm-tool --create-dkek-share fails with message "Error generating random number failed with Transmit failed"

Hi all,

I'm trying out a SmartCard-HSM 1.2 with OpenSC 0.13.0g20140316163538 on
64-bit Windows 8.1 (both 64- and 32-bit versions of OpenSC are installed).

I was testing the backup/restore functionality with one DKEK share but
the following command:

sc-hsm-tool --create-dkek-share test.dkek --password password

results in:

Using reader with a card: Feitian SCR301 0
Enciphering DKEK share, please wait... [pauses for a few seconds here]
Error generating random number failed with Transmit failed

I have attached a trace of running the command with OPENSC_DEBUG=3.
I tried different card readers and I'm getting the same result.

Any clues?

// Leonardo.

2014-04-14 12:28:01.255 ===================================
2014-04-14 12:28:01.256 opensc version: 0.13.0g20140316163538
2014-04-14 12:28:01.257 PC/SC options: connect_exclusive=0 disconnect_action=1 transaction_end_action=0 reconnect_action=0 enable_pinpad=1 enable_pace=1
2014-04-14 12:28:01.259 [sc-hsm-tool] reader-pcsc.c:948:pcsc_detect_readers: called
2014-04-14 12:28:01.260 Probing pcsc readers

Umberto Rustichelli aka Ubi | 10 Apr 14:57 2014

suggested small fix


IMHO in opensc source, file src/tools/pkcs11-tool.c, function

parse_certificate(struct x509cert_info *cert,
                 unsigned char *data, int len)

behaviour can potentially corrupt memory or lead to a segmentation fault.

Three times, it writes into pre-allocated memory areas (here:
cert->subject, cert->issuer, cert->serialnum) whose size is
fixed (256, 256, 128), and the length (n) is checked only when it is too late:

        [...]
        p = cert->subject;
        n = i2d_X509_NAME(x->cert_info->subject, &p);
        [...]
        if (n > (int)sizeof (cert->subject))
                util_fatal("subject name too long");
        [...]

        p = cert->issuer;
        n = i2d_X509_NAME(x->cert_info->issuer, &p);
        [...]

        p = cert->serialnum;
        n = i2d_ASN1_INTEGER(x->cert_info->serialNumber, &p);
        [...]

Here is the host struct (cert is of this type):

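A check-then-write version of the encoding the report describes, added here as an example; it is neither OpenSC's code nor the fix the project applied. OpenSSL's i2d_* functions return the encoded length and write nothing when the output pointer argument is NULL, which is what makes the ordering fixable: query the size, compare it with the fixed buffer, and only then encode. To run without linking OpenSSL, i2d_octet_string below is a stand-in that follows the same calling convention (an assumption, stated in the code) and produces the DER encoding of an OCTET STRING; encode_checked applies the ordering, and encode_checked_demo drives it against a 128-byte buffer, the size the report gives for cert->serialnum. All input data is constructed.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Stand-in for an OpenSSL i2d_* encoder (assumption: it follows the same
 * calling convention as i2d_X509_NAME): DER-encode `in` as an OCTET STRING.
 *   pp == NULL: return the encoded length and write nothing.
 *   pp != NULL: write the encoding at *pp and advance *pp past it.
 * Returns the encoded length, or -1 for inputs this stand-in does not cover. */
int i2d_octet_string(const unsigned char *in, size_t inlen, unsigned char **pp)
{
    size_t lenbytes;                          /* size of the DER length field */
    if (inlen < 0x80)         lenbytes = 1;   /* short form: LL */
    else if (inlen < 0x100)   lenbytes = 2;   /* long form:  81 LL */
    else if (inlen < 0x10000) lenbytes = 3;   /* long form:  82 LL LL */
    else return -1;

    size_t total = 1 + lenbytes + inlen;
    if (pp == NULL)
        return (int)total;                    /* length query only */

    unsigned char *p = *pp;
    *p++ = 0x04;                              /* OCTET STRING tag */
    if (lenbytes == 1) {
        *p++ = (unsigned char)inlen;
    } else {
        *p++ = (unsigned char)(0x80 | (lenbytes - 1));
        if (lenbytes == 3)
            *p++ = (unsigned char)(inlen >> 8);
        *p++ = (unsigned char)(inlen & 0xff);
    }
    memcpy(p, in, inlen);
    p += inlen;
    *pp = p;
    return (int)total;
}

/* Check-then-write: ask the encoder for the size first, compare it with the
 * destination, and only then let it write. Returns the number of bytes
 * written, or -1 if the encoding would not fit (buffer left untouched).
 * The report's code performs the same two steps in the opposite order, so
 * the out-of-bounds write has already happened when the size check runs. */
int encode_checked(const unsigned char *in, size_t inlen,
                   unsigned char *buf, size_t bufsize)
{
    int need = i2d_octet_string(in, inlen, NULL);
    if (need < 0 || (size_t)need > bufsize)
        return -1;

    unsigned char *p = buf;
    int n = i2d_octet_string(in, inlen, &p);
    /* Both calls must agree; a mismatch means the encoder cannot be trusted. */
    if (n != need || p != buf + n)
        return -1;
    return n;
}

enum { SERIALNUM_SIZE = 128 };   /* size of cert->serialnum in the report */

/* Encode `inlen` constructed bytes (0xAB) into a 128-byte buffer pre-filled
 * with 0xEE. Returns the bytes written; -1 when the encoding was rejected and
 * the buffer is verifiably untouched; -2 on any inconsistency. */
int encode_checked_demo(size_t inlen)
{
    unsigned char in[512], buf[SERIALNUM_SIZE];
    if (inlen > sizeof in)
        return -2;
    memset(in, 0xAB, inlen);
    memset(buf, 0xEE, sizeof buf);

    int n = encode_checked(in, inlen, buf, sizeof buf);
    if (n < 0) {
        for (size_t i = 0; i < sizeof buf; i++)
            if (buf[i] != 0xEE)
                return -2;              /* rejected, yet something was written */
        return -1;
    }
    if (buf[0] != 0x04 || (inlen > 0 && buf[n - 1] != 0xAB))
        return -2;                      /* tag or payload not where expected */
    return n;
}

int main(void)
{
    size_t cases[] = { 10, 126, 127, 200 };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++)
        printf("input %3zu bytes -> %d\n", cases[i], encode_checked_demo(cases[i]));
    return 0;
}
```

The cases in main sit on the edge: 126 payload bytes encode to exactly 128 bytes and are accepted, 127 would need 129 and are rejected with the buffer untouched; in the report's ordering that 129th byte would already have been written when util_fatal runs.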

Sachin Gaikwad | 10 Apr 08:04 2014

engine_pkcs11 installation question

Hi all,

I am following engine_pkcs11 quickstart guide here:
https://github.com/OpenSC/OpenSC/wiki/Engine-pkcs11-quickstart

It mentions on top this:
"Please first install the PKCS#11 Module you want to use such as OpenSC, and install libp11 (runtime and development)."

I understand what is meant by libp11. I will need to download this library and install it. What is meant by "install the PKCS#11 Module you want to use such as OpenSC"? Does it mean I need to download the opensc tarball and install that as well?

Thanks,
Sachin
------------------------------------------------------------------------------
Put Bad Developers to Shame
Dominate Development with Jenkins Continuous Integration
Continuously Automate Build, Test & Deployment 
Start a new project now. Try Jenkins in the cloud.
http://p.sf.net/sfu/13600_Cloudbees
_______________________________________________
Opensc-devel mailing list
Opensc-devel <at> lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/opensc-devel
Vieri | 9 Apr 20:01 2014

Oberthur smartcard driver


Hi,

I'm new to the world of smartcards so please bear with me.

Let's see if I have the general idea of how things usually work. One needs to have a driver in order to access
the "card reader". However, one also needs another driver to access the "card itself". Some cards may have
a proprietary format or a proprietary access method.
Is that right?

If so, according to the data I'm posting further down, I seem to have a ccid-compatible reader (so
pcsc-lite+ccid is all I need in order to communicate with the reader) and an Oberthur smartcard that
*requires* a specific driver. Is that what you may call "middleware"?

So after installing pcsc-lite and ccid on my Linux distro I can see the reader and I can detect events such as
"card inserted", "card removed" (pcsc_scan).

I downloaded a card driver from a web site I found when reading the output of pcsc_scan (when it actually read
some general card information).
Unfortunately the Oberthur card driver package is binary-only and the only thing of interest in its README
file is that once the binary files are installed "the P11 cryptoki module is ready to be loaded and used in
the preferred application (Firefox, Thunderbird etc.)".
I have a text console-only linux system and all I wish to do now is make sure I can access the certificate
that's on the smartcard (I don't need to use it in a web browser).
I'm hoping to do this on the command line somehow.

Here are the files within the extracted card driver package:

# ls -lR ./
./:
total 4
drwxr-xr-x 5 root root  120 abr  7 10:42 usr
-rwxr--r-- 1 root root 3680 feb  3  2010 WP_README_V1.3.txt

./usr:
total 1
drwxr-xr-x 2 root root 632 abr  7 14:12 lib
drwxr-xr-x 3 root root  72 abr  7 10:42 local
drwxr-xr-x 3 root root  72 abr  7 10:42 share

./usr/lib:
total 9112
lrwxrwxrwx 1 root     root              29 abr  7 14:11 libOcsAuthentIC22Mod.so -> libOcsAuthentIC22Mod.so.1.3.0
-rwxr--r-- 1 root root 1304138 dic  9  2009 libOcsAuthentIC22Mod.so.1.3.0
lrwxrwxrwx 1 root     root              23 abr  7 14:11 libOcsCryptoki.so -> libOcsCryptoki.so.1.3.0
-rwxr--r-- 1 root root 3316353 dic  9  2009 libOcsCryptoki.so.1.3.0
lrwxrwxrwx 1 root     root              18 abr  7 14:11 libOcsIAS.so -> libOcsIAS.so.1.3.0
-rwxr--r-- 1 root root 1556637 dic  9  2009 libOcsIAS.so.1.3.0
lrwxrwxrwx 1 root     root              30 abr  7 14:11 libOcsIDOneClassicMod.so -> libOcsIDOneClassicMod.so.1.3.0
-rwxr--r-- 1 root root 1292262 dic  9  2009 libOcsIDOneClassicMod.so.1.3.0
lrwxrwxrwx 1 root     root              27 abr  7 14:11 libOcsIDOneLiteMod.so -> libOcsIDOneLiteMod.so.1.3.0
-rwxr--r-- 1 root root 1432954 dic  9  2009 libOcsIDOneLiteMod.so.1.3.0
lrwxrwxrwx 1 root     root              28 abr  7 14:11 libOcsReaderOmnikey.so -> libOcsReaderOmnikey.so.1.3.0
-rwxr--r-- 1 root root  190789 dic  9  2009 libOcsReaderOmnikey.so.1.3.0
lrwxrwxrwx 1 root     root              24 abr  7 14:12 libOcsReaderStd.so -> libOcsReaderStd.so.1.3.0
-rwxr--r-- 1 root root  214694 dic  9  2009 libOcsReaderStd.so.1.3.0

./usr/local:
total 0
drwxr-xr-x 2 root root 152 abr  7 10:42 OCS

./usr/local/OCS:
total 20
-rwxr--r-- 1 root root 6569 dic  9  2009 OCSMiddlewareConf.xml
-rwxr--r-- 1 root root 6576 dic  9  2009 Omnikey.png
-rwxr--r-- 1 root root 3290 dic  9  2009 WP_README.txt

# cat usr/local/OCS/OCSMiddlewareConf.xml
<?xml version="1.0"?>
<Middleware>
        <Configuration>
                <Log Activate="0" Path="" DebugLevel="NO"></Log>
                <CachePin Activate="1" CspCache="1"></CachePin>
                <CacheData Activate="1"></CacheData>
                <ContainerCreation EmptyAuthorized="1"></ContainerCreation>
                <DialogBox WaitDialogBox="1"></DialogBox>
        </Configuration>
        <Readers>
                <CardMan3621 Name="OMNIKEY CardMan 3621" Library="OcsReaderOmnikeyCCID"></CardMan3621>
                <CardMan3821 Name="OMNIKEY CardMan 3821" Library="OcsReaderOmnikeyCCID"></CardMan3821>
                <CardMan8630 Name="OMNIKEY CardMan 8630" Library="OcsReaderOmnikey"></CardMan8630>
                <XSignPKI Name="XIRING XI-SIGN USB" Library="OcsReaderPCSC2"></XSignPKI>
                <XiSign6100 Name="MCI_OSR_0205:XIRING XSignUSB" Library="OcsReaderXiring"></XiSign6100>
                <XiSign6100 Name="MCI_OSR_0205:XIRING XSignUSB" Library="OcsReaderXiring"></XiSign6100>
                <ID3Biometric Name="id3 Semiconductors BIOTHENTIC USB" Library="OcsReaderBioAuthentIC"></ID3Biometric>
                <Covadis Name="Covadis USB Pinpad Vega-Alpha" Library="OcsReaderPCSC2"></Covadis>
        </Readers>
        <SmartCard>
        <IDOneClassicT1 ATR="3BFB1800008131FE450031C06477E9100000900062"
ATRMask="FFFF00FFFF00FFFFFFFFFFFFFFFFFFFFFF00FFFF00" Library="libOcsIDOneClassicMod.so" Aid="A0000000770103000610000000000002"></IDOneClassicT1>
        <IDOneClassicT0 ATR="3B7B1800000031C06477E910000F9000"
ATRMask="FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF" Library="libOcsIDOneClassicMod.so" Aid="A0000000770103000610000000000002"></IDOneClassicT0>
        <AuthentICCardv220T0 ATR="3b00000000003180718e6477e30000809000"
ATRMask="ff0000ffffffffffffffffffff00ff00ffff" Library="libOcsAuthentIC22Mod.so" Aid="A000000077010303000000F100000002"></AuthentICCardv220T0>
        <AuthentICCardv220T054 ATR="3b7d0000000031c06477e30400009000"
ATRMask="ffff00ffffffffffffffffffff00ffff" Library="libOcsAuthentIC22Mod.so" Aid="A000000077010303000000F100000002"></AuthentICCardv220T054>
        <AuthentICCardv220T154 ATR="3B009600008031FE450031C06477E0000000900000"
ATRMask="FF00FFFFFFFFFFFFFFFFFFFFFFFFF0000000FFFF00" Library="libOcsAuthentIC22Mod.so" Aid="A000000077010303000000F100000002"></AuthentICCardv220T154>
        <AuthentICCardv220T0523 ATR="3b000000000031c06400000000009000"
ATRMask="ff0000ffffffffffff000000ff00ffff" Library="libOcsAuthentIC22Mod.so" Aid="A000000077010303000000F100000002"></AuthentICCardv220T0523>
        <AuthentICCardv220T1 ATR="3b000000008131fe45003180718e6477e30000809000"
ATRMask="ff0000ffffffffffffffffffffffffffff00fff0ff" Library="libOcsAuthentIC22Mod.so" Aid="A000000077010303000000F100000002"></AuthentICCardv220T1>
        <AuthentICCardv220T1523 ATR="3b000000008131fe450031c06400000000819000"
ATRMask="f0000ffffffffffffffffffff000000ffffffff" Library="libOcsAuthentIC22Mod.so" Aid="A000000077010303000000F100000002"></AuthentICCardv220T1523>
        <AuthentIC22TokenUSB ATR="3bfb1100008131fe450031c06477e910000090006a"
ATRMask="ffff00ffffffffffffffffffffffffffff00ffff00" Library="libOcsAuthentIC22Mod.so" Aid="A000000077010303000000F100000002"></AuthentIC22TokenUSB>
        <AuthentICCardv220T0 ATR="3b00000000003180718e6477e30000809000"
ATRMask="ff0000ffffffffffffffffffff00ff00ffff" Library="libOcsAuthentIC22Mod.so" Aid="A000000077010303000000F100000002"></AuthentICCardv220T0>
        <AuthentIC22Token ATR="3B7F1800000031C0739E010B6452D90500829000"
ATRMask="FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF" Library="libOcsAuthentIC22Mod.so" Aid="A000000077010303000000F100000002"></AuthentIC22Token>
        <SSIDAuthentICCardv220T0 ATR="3BFB1100008131FE450031C06477E910000090006A"
ATRMask="FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF" Library="libOcsAuthentIC22Mod.so" Aid="A000000341000001"></SSIDAuthentICCardv220T0>
        <IDOneClassicT11 ATR="3B000000008031FE450031C06477E9100000900000"
ATRMask="FF0000FFFFFFFFFFFFFFFFFFFFFFFFFFFF00FFFF00" Library="libOcsIDOneClassicMod.so" Aid="A0000000770103000610000000000002"></IDOneClassicT11>
        <AuthentICCardv220T051 ATR="3BFD9600008031FE45003180718E6477E30200009000"
ATRMask="ffff00ffffffffffffffffffff00ffffffffff00ffff" Library="libOcsAuthentIC22Mod.so" Aid="A000000077010303000000F1000000023"></AuthentICCardv220T051>
        <IDOneLite ATR="3B000000000031C06400000100009000"
ATRMask="FF0000FFFFFFFFFFFF0000FFFF00FFFF" Library="libOcsIDOneLiteMod.so" Aid="A000000077018383081000F100000001"></IDOneLite>
        <IDOneLiteBanking ATR="3B0000000031C06495EA0100829000"
ATRMask="FF0000FFFFFFFFFFFFFFFFFF00FFFF" Library="libOcsIDOneLiteMod.so" Aid="A000000077018383081000F100000001"></IDOneLiteBanking>
        <IAS-ECCv1.01 ATR="3BDF96008031FE45003100640000ECC17300010082900000"
ATRMask="FFFFFFFFFFFFFFFFFFFF00FF0000FFFFFF00FF00FFFFFF00" Library="libOcsIASMod.so" Aid="A000000077010800070000FE00000100"></IAS-ECCv1.01>
        <IDOneClassicv7 ATR="3B00000080B1FE451F830031C0640000000000900000"
ATRMask="FF0000FFFFFFFFFFFFFFFFFFFFFF000000FF00FFFF00" Library="libOcsIDOneClassicMod.so" Aid="A0000000770103000610000000000002"></IDOneClassicv7>
        <IASMiniDriver ATR="3B0000008131FE4580F9A00000007701080000900000"
ATRMask="FF0000FFFFFFFFFFFFFFFFFFFFFFFFFFFFFF00FFFF00" Library="libOcsIASMod.so" Aid="A000000077010800070000FE00000100"></IASMiniDriver>
        <IDOneClassicMiniDriver ATR="3B0000008131FE4580F9A00000007701030006900000"
ATRMask="ff0000ffffffffffffffffffffffffffffffffffff00" Library="libOcsIDOneClassicMod.so" Aid="A0000000770103000610000000000002"></IDOneClassicMiniDriver>
        <BioAuthentICV3 ATR="3B00000080B1FE451F830031C06400FC100000900000"
ATRMask="FF0000FFFFFFFFFFFFFFFFFFFFFF00FFFFFF00FFFF00"
Library="libOcsBioAuthentICV3Mod.so" Aid="A000000077010303051000F100000003"></BioAuthentICV3>
        <AuthentIC22v7 ATR="3B00000080B1FE451F830031C0640000000000900000"
ATRMask="FF0000FFFFFFFFFFFFFFFFFFFFFF0000000000FFFF00" Library="libOcsAuthentIC22Mod.so" Aid="A000000077010303000000F100000002"></AuthentIC22v7>
        <IDOneLitev7 ATR="3B00000080B1FE451F830031C0640000000000900000"
ATRMask="FF0000FFFFFFFFFFFFFFFFFFFFFF0000000000FFFF00" Library="libOcsIDOneLiteMod.so" Aid="A000000077018383081000F100000001"></IDOneLitev7>
        <IDOneClassicTokenUSB ATR="3B8B80010031C06477E9100000000011"
ATRMask="FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF" Library="libOcsIDOneClassicMod.so" Aid="A0000000770103000610000000000002"></IDOneClassicTokenUSB>
        <IDOneLiteItaly ATR="3B0000000031C064BE020100009000"
ATRMask="FF00FFFFFFFFFFFFFFFFFFFF00FFFF" Library="libOcsIDOneLiteMod.so" Aid="A0000000770100000120000100000003"></IDOneLiteItaly>
        <AuthentIC22T0v7 ATR="3B0000000031C064BAFC1000009000"
ATRMask="FF0000FFFFFFFFFFFFFFFFFF00FFFF" Library="libOcsAuthentIC22Mod.so" Aid="A000000077010303000000F100000002"></AuthentIC22T0v7>
</SmartCard>
</Middleware>

What's this xml file for and when should it be used?

I installed opensc and modified opensc.conf by specifying the Oberthur card driver:

        card_drivers = oberthur;

        card_driver oberthur {
                module = /usr/lib/libOcsCryptoki.so;
        }

        force_card_driver = oberthur;

Then I ran:

# pkcs11-tool --module /usr/lib/libOcsCryptoki.so -O

Using slot 0 with a present token (0x0)
Public Key Object; RSA 1024 bits
  label:      
  ID:         17f38f0ec9db8e9aefeaf2d666bfaf07ae9281da
  Usage:      encrypt, verify
Certificate Object, type = X.509 cert
  label:      IDone Classic Card:NAME XXXXXXX XXXXXX XXXXXXX - IDN 000000000's FNMT ID
  ID:         17f38f0ec9db8e9aefeaf2d666bfaf07ae9281da

Does this mean the card driver is correctly accessing the certificate?

However, running opensc-explorer or the following command gives an error (Card is invalid or cannot be handled):

# pkcs15-tool -c -vvvv...

0xb740d6c0 10:14:37.427 [pkcs15-tool] sc.c:231:sc_detect_card_presence: called
0xb740d6c0 10:14:37.427 [pkcs15-tool] reader-pcsc.c:370:pcsc_detect_card_presence: called
0xb740d6c0 10:14:37.427 [pkcs15-tool] reader-pcsc.c:283:refresh_attributes: ACS ACR 38U-CCID 00 00 check
0xb740d6c0 10:14:37.427 [pkcs15-tool] reader-pcsc.c:299:refresh_attributes: returning with: 0 (Success)
0xb740d6c0 10:14:37.427 [pkcs15-tool] reader-pcsc.c:375:pcsc_detect_card_presence: returning with: 1
0xb740d6c0 10:14:37.427 [pkcs15-tool] sc.c:236:sc_detect_card_presence: returning with: 1
Using reader with a card: ACS ACR 38U-CCID 00 00
0xb740d6c0 10:14:37.427 [pkcs15-tool] sc.c:231:sc_detect_card_presence: called
0xb740d6c0 10:14:37.428 [pkcs15-tool] reader-pcsc.c:370:pcsc_detect_card_presence: called
0xb740d6c0 10:14:37.428 [pkcs15-tool] reader-pcsc.c:283:refresh_attributes: ACS ACR 38U-CCID 00 00 check
0xb740d6c0 10:14:37.428 [pkcs15-tool] reader-pcsc.c:299:refresh_attributes: returning with: 0 (Success)
0xb740d6c0 10:14:37.428 [pkcs15-tool] reader-pcsc.c:375:pcsc_detect_card_presence: returning with: 1
0xb740d6c0 10:14:37.428 [pkcs15-tool] sc.c:236:sc_detect_card_presence: returning with: 1
0xb740d6c0 10:14:37.428 [pkcs15-tool] card.c:125:sc_connect_card: called
0xb740d6c0 10:14:37.428 [pkcs15-tool] reader-pcsc.c:450:pcsc_connect: called
0xb740d6c0 10:14:37.428 [pkcs15-tool] reader-pcsc.c:283:refresh_attributes: ACS ACR 38U-CCID 00 00 check
0xb740d6c0 10:14:37.428 [pkcs15-tool] reader-pcsc.c:299:refresh_attributes: returning with: 0 (Success)
0xb740d6c0 10:14:37.428 [pkcs15-tool] reader-pcsc.c:479:pcsc_connect: Initial protocol: T=1
0xb740d6c0 10:14:37.429 [pkcs15-tool] apdu.c:687:sc_transmit_apdu: called
0xb740d6c0 10:14:37.429 [pkcs15-tool] card.c:315:sc_lock: called
0xb740d6c0 10:14:37.429 [pkcs15-tool] reader-pcsc.c:517:pcsc_lock: called
0xb740d6c0 10:14:37.429 [pkcs15-tool] apdu.c:654:sc_transmit: called
0xb740d6c0 10:14:37.429 [pkcs15-tool] apdu.c:509:sc_single_transmit: called
0xb740d6c0 10:14:37.429 [pkcs15-tool] apdu.c:514:sc_single_transmit: CLA:0, INS:A4, P1:4, P2:C, data(7) 0xbfd98ef9
0xb740d6c0 10:14:37.429 [pkcs15-tool] reader-pcsc.c:249:pcsc_transmit: reader 'ACS ACR 38U-CCID 00 00'
0xb740d6c0 10:14:37.429 [pkcs15-tool] apdu.c:185:sc_apdu_log: 
Outgoing APDU data [   12 bytes] =====================================
00 A4 04 0C 07 A0 00 00 00 03 00 00 ............
======================================================================
0xb740d6c0 10:14:37.429 [pkcs15-tool] reader-pcsc.c:182:pcsc_internal_transmit: called
0xb740d6c0 10:14:37.452 [pkcs15-tool] apdu.c:185:sc_apdu_log: 
Incoming APDU data [    2 bytes] =====================================
6A 86 j.
======================================================================
0xb740d6c0 10:14:37.452 [pkcs15-tool] apdu.c:524:sc_single_transmit: returning with: 0 (Success)
0xb740d6c0 10:14:37.452 [pkcs15-tool] apdu.c:676:sc_transmit: returning with: 0 (Success)
0xb740d6c0 10:14:37.452 [pkcs15-tool] card.c:353:sc_unlock: called
0xb740d6c0 10:14:37.452 [pkcs15-tool] reader-pcsc.c:554:pcsc_unlock: called
0xb740d6c0 10:14:37.460 [pkcs15-tool] apdu.c:687:sc_transmit_apdu: called
0xb740d6c0 10:14:37.460 [pkcs15-tool] card.c:315:sc_lock: called
0xb740d6c0 10:14:37.460 [pkcs15-tool] reader-pcsc.c:517:pcsc_lock: called
0xb740d6c0 10:14:37.460 [pkcs15-tool] apdu.c:654:sc_transmit: called
0xb740d6c0 10:14:37.460 [pkcs15-tool] apdu.c:509:sc_single_transmit: called
0xb740d6c0 10:14:37.460 [pkcs15-tool] apdu.c:514:sc_single_transmit: CLA:80, INS:CA, P1:9F, P2:7F, data(0) (nil)
0xb740d6c0 10:14:37.460 [pkcs15-tool] reader-pcsc.c:249:pcsc_transmit: reader 'ACS ACR 38U-CCID 00 00'
0xb740d6c0 10:14:37.461 [pkcs15-tool] apdu.c:185:sc_apdu_log: 
Outgoing APDU data [    5 bytes] =====================================
80 CA 9F 7F 2D ....-
======================================================================
0xb740d6c0 10:14:37.461 [pkcs15-tool] reader-pcsc.c:182:pcsc_internal_transmit: called
0xb740d6c0 10:14:37.475 [pkcs15-tool] apdu.c:185:sc_apdu_log: 
Incoming APDU data [   47 bytes] =====================================
9F 7F 2A 20 50 50 00 40 41 52 73 00 60 82 47 14 ..* PP.@ARs.`.G.
D7 38 43 11 00 11 42 91 66 11 43 91 66 11 44 91 .8C...B.f.C.f.D.
66 14 03 00 00 00 00 00 00 00 00 00 00 90 00    f..............
======================================================================
0xb740d6c0 10:14:37.475 [pkcs15-tool] apdu.c:524:sc_single_transmit: returning with: 0 (Success)
0xb740d6c0 10:14:37.475 [pkcs15-tool] apdu.c:676:sc_transmit: returning with: 0 (Success)
0xb740d6c0 10:14:37.475 [pkcs15-tool] card.c:353:sc_unlock: called
0xb740d6c0 10:14:37.475 [pkcs15-tool] reader-pcsc.c:554:pcsc_unlock: called
0xb740d6c0 10:14:37.483 [pkcs15-tool] card-oberthur.c:188:auth_select_aid: serial number 349648963/0x14D73843
0xb740d6c0 10:14:37.483 [pkcs15-tool] apdu.c:687:sc_transmit_apdu: called
0xb740d6c0 10:14:37.483 [pkcs15-tool] card.c:315:sc_lock: called
0xb740d6c0 10:14:37.483 [pkcs15-tool] reader-pcsc.c:517:pcsc_lock: called
0xb740d6c0 10:14:37.483 [pkcs15-tool] apdu.c:654:sc_transmit: called
0xb740d6c0 10:14:37.483 [pkcs15-tool] apdu.c:509:sc_single_transmit: called
0xb740d6c0 10:14:37.483 [pkcs15-tool] apdu.c:514:sc_single_transmit: CLA:0, INS:A4, P1:4, P2:C, data(16) 0xbfd98ce0
0xb740d6c0 10:14:37.483 [pkcs15-tool] reader-pcsc.c:249:pcsc_transmit: reader 'ACS ACR 38U-CCID 00 00'
0xb740d6c0 10:14:37.483 [pkcs15-tool] apdu.c:185:sc_apdu_log: 
Outgoing APDU data [   21 bytes] =====================================
00 A4 04 0C 10 A0 00 00 00 77 01 03 03 00 00 00 .........w......
F1 00 00 00 02                                  .....
======================================================================
0xb740d6c0 10:14:37.483 [pkcs15-tool] reader-pcsc.c:182:pcsc_internal_transmit: called
0xb740d6c0 10:14:37.500 [pkcs15-tool] apdu.c:185:sc_apdu_log: 
Incoming APDU data [    2 bytes] =====================================
6A 86 j.
======================================================================
0xb740d6c0 10:14:37.500 [pkcs15-tool] apdu.c:524:sc_single_transmit: returning with: 0 (Success)
0xb740d6c0 10:14:37.500 [pkcs15-tool] apdu.c:676:sc_transmit: returning with: 0 (Success)
0xb740d6c0 10:14:37.500 [pkcs15-tool] card.c:353:sc_unlock: called
0xb740d6c0 10:14:37.500 [pkcs15-tool] reader-pcsc.c:554:pcsc_unlock: called
0xb740d6c0 10:14:37.510 [pkcs15-tool] iso7816.c:103:iso7816_check_sw: Incorrect parameters P1-P2
0xb740d6c0 10:14:37.510 [pkcs15-tool] apdu.c:687:sc_transmit_apdu: called
0xb740d6c0 10:14:37.510 [pkcs15-tool] card.c:315:sc_lock: called
0xb740d6c0 10:14:37.510 [pkcs15-tool] reader-pcsc.c:517:pcsc_lock: called
0xb740d6c0 10:14:37.510 [pkcs15-tool] apdu.c:654:sc_transmit: called
0xb740d6c0 10:14:37.510 [pkcs15-tool] apdu.c:509:sc_single_transmit: called
0xb740d6c0 10:14:37.510 [pkcs15-tool] apdu.c:514:sc_single_transmit: CLA:0, INS:A4, P1:4, P2:0, data(16) 0xbfd98ce0
0xb740d6c0 10:14:37.510 [pkcs15-tool] reader-pcsc.c:249:pcsc_transmit: reader 'ACS ACR 38U-CCID 00 00'
0xb740d6c0 10:14:37.510 [pkcs15-tool] apdu.c:185:sc_apdu_log: 
Outgoing APDU data [   21 bytes] =====================================
00 A4 04 00 10 A0 00 00 00 77 01 03 03 00 00 00 .........w......
F1 00 00 00 02                                  .....
======================================================================
0xb740d6c0 10:14:37.510 [pkcs15-tool] reader-pcsc.c:182:pcsc_internal_transmit: called
0xb740d6c0 10:14:37.527 [pkcs15-tool] apdu.c:185:sc_apdu_log: 
Incoming APDU data [    2 bytes] =====================================
6A 82 j.
======================================================================
0xb740d6c0 10:14:37.527 [pkcs15-tool] apdu.c:524:sc_single_transmit: returning with: 0 (Success)
0xb740d6c0 10:14:37.527 [pkcs15-tool] apdu.c:676:sc_transmit: returning with: 0 (Success)
0xb740d6c0 10:14:37.527 [pkcs15-tool] card.c:353:sc_unlock: called
0xb740d6c0 10:14:37.527 [pkcs15-tool] reader-pcsc.c:554:pcsc_unlock: called
0xb740d6c0 10:14:37.529 [pkcs15-tool] iso7816.c:103:iso7816_check_sw: File not found
0xb740d6c0 10:14:37.529 [pkcs15-tool] iso7816.c:488:iso7816_select_file: returning with: -1201 (File not found)
0xb740d6c0 10:14:37.529 [pkcs15-tool] card-oberthur.c:196:auth_select_aid: rv -1201
0xb740d6c0 10:14:37.529 [pkcs15-tool] card-oberthur.c:197:auth_select_aid: select parent failed: -1201 (File not found)
0xb740d6c0 10:14:37.529 [pkcs15-tool] card-oberthur.c:245:auth_init: Failed to initialize (null)
0xb740d6c0 10:14:37.529 [pkcs15-tool] card-oberthur.c:246:auth_init: Failed to initialize: -1210 (Card is invalid or cannot be handled)
0xb740d6c0 10:14:37.529 [pkcs15-tool] card.c:179:sc_connect_card: driver 'Oberthur AuthentIC.v2/CosmopolIC.v4' init() failed: Card is invalid or cannot be handled
0xb740d6c0 10:14:37.529 [pkcs15-tool] reader-pcsc.c:504:pcsc_disconnect: called
0xb740d6c0 10:14:37.989 [pkcs15-tool] card.c:249:sc_connect_card: returning with: -1210 (Card is invalid or cannot be handled)
Failed to connect to card: Card is invalid or cannot be handled
0xb740d6c0 10:14:37.989 [pkcs15-tool] ctx.c:787:sc_release_context: called
0xb740d6c0 10:14:37.989 [pkcs15-tool] reader-pcsc.c:745:pcsc_finish: called
Connecting to card in reader ACS ACR 38U-CCID 00 00...

Eventually, my goal is to redirect the card reader to a Windows terminal server. I would use something like
"rdesktop -r scard RDPserver". In that case, would the middleware still be necessary on the Linux client?
Or should the "card reader driver" on the Linux client AND the "card driver/middleware" on the Windows
server be enough?

In any case, I'd like to first get rid of all the error messages on the command line and be able to manually
access the certificates (I'd also like to be able to use the pin).

Thanks for your time,

Vieri

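What the ATR and ATRMask attributes in the OCSMiddlewareConf.xml above do, as an added example rather than anything from the Oberthur package or from OpenSC: each entry is a pattern plus a mask, and a card is routed to the entry's Library when its ATR agrees with the pattern on every byte the mask keeps. The matching rule used here (equal lengths, compare ATR AND mask with pattern AND mask, first matching entry wins) is the conventional one and is an assumption; the vendor's exact semantics are not documented on this page. The rule table copies three entries from the file, including AuthentICCardv220T1523, whose ATRMask has an odd number of hex digits, so the code also shows a malformed entry being rejected rather than silently matched. The first two sample ATRs are constructed; the third is the ATR opensc-tool prints in the "OpenSC for EID Latvia" post on this page.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define ATR_MAX 33   /* ISO/IEC 7816-3: an ATR is at most 33 bytes */

struct atr_rule { const char *name, *atr, *mask, *library; };

/* Three entries copied from OCSMiddlewareConf.xml above. The last one carries
 * a 39-digit ATRMask, which is not a whole number of bytes. */
static const struct atr_rule OCS_RULES[] = {
    { "IDOneClassicT1", "3BFB1800008131FE450031C06477E9100000900062",
      "FFFF00FFFF00FFFFFFFFFFFFFFFFFFFFFF00FFFF00", "libOcsIDOneClassicMod.so" },
    { "AuthentIC22TokenUSB", "3bfb1100008131fe450031c06477e910000090006a",
      "ffff00ffffffffffffffffffffffffffff00ffff00", "libOcsAuthentIC22Mod.so" },
    { "AuthentICCardv220T1523", "3b000000008131fe450031c06400000000819000",
      "f0000ffffffffffffffffffff000000ffffffff", "libOcsAuthentIC22Mod.so" },
};
#define N_RULES (sizeof OCS_RULES / sizeof OCS_RULES[0])

static int hexval(int c)
{
    if (c >= '0' && c <= '9') return c - '0';
    c = tolower(c);
    return (c >= 'a' && c <= 'f') ? c - 'a' + 10 : -1;
}

/* Decode a hex string of either case into out. Returns the byte count, or -1
 * for an odd digit count, a non-hex character, or more than outlen bytes. */
int hex_to_bytes(const char *hex, unsigned char *out, size_t outlen)
{
    size_t n = strlen(hex);
    if (n % 2 != 0 || n / 2 > outlen)
        return -1;
    for (size_t i = 0; i < n; i += 2) {
        int hi = hexval(hex[i]), lo = hexval(hex[i + 1]);
        if (hi < 0 || lo < 0)
            return -1;
        out[i / 2] = (unsigned char)(hi << 4 | lo);
    }
    return (int)(n / 2);
}

/* 1 if card_atr matches the rule under its mask, 0 if not, -1 if the rule is
 * malformed (undecodable hex, or mask and pattern of different length).
 * Assumed semantics: equal length, and every byte equal once both the card
 * ATR and the pattern are ANDed with the mask. */
int atr_rule_matches(const struct atr_rule *rule,
                     const unsigned char *card_atr, size_t card_len)
{
    unsigned char pat[ATR_MAX], mask[ATR_MAX];
    int plen = hex_to_bytes(rule->atr, pat, sizeof pat);
    int mlen = hex_to_bytes(rule->mask, mask, sizeof mask);
    if (plen < 0 || mlen < 0 || plen != mlen)
        return -1;
    if ((size_t)plen != card_len)
        return 0;
    for (int i = 0; i < plen; i++)
        if ((card_atr[i] & mask[i]) != (pat[i] & mask[i]))
            return 0;
    return 1;
}

/* Library of the first rule that matches the card ATR (a hex string), or NULL
 * when no well-formed rule matches. Malformed rules are skipped, never matched. */
const char *select_library(const char *card_atr_hex)
{
    unsigned char atr[ATR_MAX];
    int len = hex_to_bytes(card_atr_hex, atr, sizeof atr);
    if (len < 0)
        return NULL;
    for (size_t i = 0; i < N_RULES; i++)
        if (atr_rule_matches(&OCS_RULES[i], atr, (size_t)len) == 1)
            return OCS_RULES[i].library;
    return NULL;
}

int main(void)
{
    const char *atrs[] = {
        "3BFB1900008131FE450031C06477E9100000900063", /* constructed: IDOneClassicT1 with masked bytes 2 and 20 changed */
        "3B7B1900008131FE450031C06477E9100000900063", /* constructed: byte 1 differs and the mask keeps it */
        "3bdd18008131fe45904c41545649412d65494490008c", /* opensc-tool's ATR for the Latvian eID, 22 bytes */
    };
    for (size_t i = 0; i < sizeof atrs / sizeof atrs[0]; i++) {
        const char *lib = select_library(atrs[i]);
        printf("%s -> %s\n", atrs[i], lib ? lib : "(no rule)");
    }
    for (size_t i = 0; i < N_RULES; i++)
        if (atr_rule_matches(&OCS_RULES[i], (const unsigned char *)"", 0) == -1)
            printf("rule %s is malformed and can never match\n", OCS_RULES[i].name);
    return 0;
}
```

Note that IDOneClassicT1 and AuthentIC22TokenUSB differ only in bytes their masks ignore (offsets 2 and 20), so the first constructed ATR satisfies both entries and the earlier one wins; with overlapping masks like these, the order of the table, not the mask, decides which module a card is handed to.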
J.Witvliet | 7 Apr 12:50 2014

microSD

Indeed, one of them is: http://www.go-trust.com/products/microsd-java/

They state:

-FIDO Ready

-GO-Trust PKI Applet is available with PKCS#11 support in Android, Windows and Linux.

So why should I still need a dev-kit?

If one should need to develop their own application on the card: obviously, but otherwise, when FIDO-ready?

Especially if they claim their Applet has pkcs11 support…

I read:

FIDO (Fast IDentity Online) Alliance (www.fidoalliance.org), an industry consortium revolutionizing online authentication with the first standards-based specifications. At RSA, Yubico and NXP will demonstrate the FIDO Ready YubiKey NEO with U2F (Universal Second Factor) standards, which are founded on the recently published FIDO specifications.

U2F is an open authentication standard initiative focused on scaling high security smart card technology beyond government and enterprise to every internet user.

Hans

From: helpcrypto helpcrypto [mailto:helpcrypto <at> gmail.com]
Sent: Monday 7 April 2014 11:47
To: Witvliet, J, DMO/OPS/I&S/HIN
Subject: Re: [Opensc-devel] microSD

On Mon, Apr 7, 2014 at 11:39 AM, <J.Witvliet <at> mindef.nl> wrote:

Hi,

Anybody around who has any (pos/neg) experience with smartcards packed in the form of a microSD?

I tried to obtain some samples before, but these appear to be vaporware…

Recently I came across two others: those from “tyfone” and from “go-trust”

Both of those companies are mainly smartphone centric, while my main objective is to use them initially in desktops, thin-clients, laptops, appliances

And perhaps later on, on other devices.

We are currently running a pilot with ~20 users with Gemalto microSD for mifare/nfc and cryptographic use-cases

Most companies are willing to provide development-kits, after signing NDA’s, but I have no interest in developing applications on the smartcard.

We signed an NDA and use their SDK.

I just want to access them with the pkcsxx-tools and vpn-software like openvpn and strongswan.

So I presume (correct me if I’m wrong) I should (..) be able to use standard applets/middleware.

Or am I completely mistaken and am I always subjected to a producers dev-tools? Sincerely hope not…

Technically speaking, you could attack the microSD on your own, but it will require some reverse engineering, probably forbidden by your EULA.

As with smartcards, a lot of obscurity / unneeded secrecy.

BTW: I suggest you have a look at U2F/FidoAlliance.

Kind regards, Hans.


This message may contain information that is not intended for you. If you are not the addressee or if this message was sent to you by mistake, you are requested to inform the sender and delete the message. The State accepts no liability for damage of any kind resulting from the risks inherent in the electronic transmission of messages.

J.Witvliet | 7 Apr 11:39 2014

microSD

Hi,

Anybody around who has any (pos/neg) experience with smartcards packed in the form of a microSD?

I tried to obtain some samples before, but these appear to be vaporware…

Recently I came across two others: those from “tyfone” and from “go-trust”

Both of those companies are mainly smartphone centric, while my main objective is to use them initially in desktops, thin-clients, laptops, appliances

And perhaps later on, on other devices.

Most companies are willing to provide development-kits, after signing NDA’s, but I have no interest in developing applications on the smartcard.

I just want to access them with the pkcsxx-tools and vpn-software like openvpn and strongswan.

So I presume (correct me if I’m wrong) I should (..) be able to use standard applets/middleware.

Or am I completely mistaken and am I always subjected to a producers dev-tools? Sincerely hope not…

Kind regards, Hans.

Dit bericht kan informatie bevatten die niet voor u is bestemd. Indien u niet de geadresseerde bent of dit bericht abusievelijk aan u is toegezonden, wordt u verzocht dat aan de afzender te melden en het bericht te verwijderen. De Staat aanvaardt geen aansprakelijkheid voor schade, van welke aard ook, die verband houdt met risico's verbonden aan het electronisch verzenden van berichten.

This message may contain information that is not intended for you. If you are not the addressee or if this message was sent to you by mistake, you are requested to inform the sender and delete the message. The State accepts no liability for damage of any kind resulting from the risks inherent in the electronic transmission of messages.
------------------------------------------------------------------------------
Juris Kaminskis | 5 Apr 20:47 2014

OpenSC for EID Latvia

Hello,

I have built this OpenSC fork :


but I get the following error when I do the following with the card attached:

root <at> station:/home/juris # opensc-tool -a
Using reader with a card: SCM Microsystems Inc. SCR 3310 (21120702367313) 00 00
3b:dd:18:00:81:31:fe:45:90:4c:41:54:56:49:41:2d:65:49:44:90:00:8c
Assertion failed: (card->lock_count == 0), function sc_disconnect_card, file card.c, line 256.
Abort (core dumped)


Do you possibly know why it fails?

thanks
Juris
------------------------------------------------------------------------------
PASZTOR Miklos | 31 Mar 16:43 2014

SmartCardHSM problems with imported key


Hi,

I have a Cardcontact (SmartCardHSM) token. I try to use it with opensc
obtained from github (a399905d234d3d6d2a9aa8501a4c8ba1224c6b31).

I am able to initialize the token, and I can transfer a privkey to it:

pkcs11-tool --module /usr/local/lib/opensc-pkcs11.so -l --pin 123456 -w 1234.der -y privkey -d 1234 -a 1234

The key appears on the token as expected. I see it with -O:

Using slot 1 with a present token (0x1)
Private Key Object; RSA
  label:      1234
  ID:         1234
  Usage:      sign

However, this is pretty much the only thing I can do with the key.

1. I can't delete the key:

pkcs11-tool --module /usr/local/lib/opensc-pkcs11.so -l --pin 123456 -b -d 1234 -y privkey
Using slot 1 with a present token (0x1)
error: PKCS11 function C_DestroyObject() failed: rv = CKR_GENERAL_ERROR (0x5)

Aborting.

2. I cannot sign with the key:

pkcs11-tool --module /usr/local/lib/opensc-pkcs11.so -l --pin 123456 -s -m RSA-PKCS -d 1234 --input-file /etc/issue --output-file /tmp/56
Using slot 1 with a present token (0x1)
Using signature algorithm RSA-PKCS
error: PKCS11 function C_SignFinal failed: rv = CKR_DATA_INVALID (0x20)

Aborting.

3. I can't use this key with OpenDnssec.

4. I can't write another key to the token without this key
disappearing. It seems that if I write another key to the token, it
*replaces* the first (-d 1234) key.

Note that keys *generated* (pkcs11-tool -k) do not seem to have these
problems. I also have success with an Aladdin token: the commands with
imported keys above work fine. So apparently the problem is SmartCardHSM
related. I tried several versions of pcscd and several operating systems, to no avail.

Please help. Thanks in advance,
Miklós
--

------------------------------------------------------------------------------
Martin Paljak | 27 Mar 19:07 2014

Latvian "fork" of OpenSC


Hello,

After some pingpong with the relevant people, the Latvian government
released the source code of their eID middleware, which included OpenSC
without giving the source for it (joining the club of several other
countries/companies who have done the same).

https://github.com/eID-LV

I have not investigated the source myself, but I've been told it
contains a modification of the IAS-ECC driver and has other drivers disabled.

Best,
--

-- 
Martin
+372 515 6495
Greg Troxel | 27 Mar 16:54 2014

patch for avoiding failure on locked cards


I couldn't find a bugtracker for gpshell.
Could someone integrate the following patch to gpshell?

http://cvsweb.netbsd.org/bsdweb.cgi/pkgsrc/security/gpshell/patches/patch-src_gpshell.c?rev=1.1&content-type=text/x-cvsweb-markup&only_with_tag=MAIN

(Thanks to Douglas Engert for help figuring this out.)

Greg
------------------------------------------------------------------------------