Michael Ströder | 29 Oct 17:05 2014

Smartcard-HSM sleeping?

Hi!

I'm testing the Smartcard-HSM with reader "ACS ACR38U-CCID" and PKCS#11 with EJBCA.

Sometimes the USB token is not reachable from EJBCA anymore.
In this case "pkcs15-tool -D" also says "no readers". But the second
invocation of "pkcs15-tool -D" works as expected.

Seems that some component is going into sleep mode. But how to track which
one? Which sleep parameters should be tweaked?

Any experience of others here?

Ciao, Michael.

------------------------------------------------------------------------------
_______________________________________________
Opensc-devel mailing list
Opensc-devel <at> lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/opensc-devel
J.Witvliet | 28 Oct 12:54 2014

driver difference

Hi all,

A third party is enquiring about all sorts of software we are using,
claiming they need to know because of OmniKey Linux drivers.

Perhaps I am mistaken, but afaicr those ifdokccid packages were only needed for the wireless chip,
not for the contact/chip readers. For those we use the generic drivers from the distro.

Smells like phishing to me.

Hans


This message may contain information that is not intended for you. If you are not the addressee or if this message was sent to you by mistake, you are requested to inform the sender and delete the message. The State accepts no liability for damage of any kind resulting from the risks inherent in the electronic transmission of messages.
------------------------------------------------------------------------------
Martin Paljak | 27 Oct 12:36 2014

CFP: Security Devroom <at> FOSDEM'15

Hello,

Next FOSDEM [1] will, again, have a security devroom, this time on
the topic of "Hardware and Software isolation mechanisms". We'd like
to invite submissions of talks and presentations from developers,
security researchers and other interested representatives of open
source and free software and hardware projects.

This is the call for talks and presentations that will take place in
the Security devroom at FOSDEM 2015.

Our topic this year:
As complex software tends to have bugs, methods to contain the damage
from a potentially serious bug (e.g., code injection, leak of memory
contents) are required. While such methods have been known and
available for a long time (HSMs and smart cards, privilege
separation), it is surprising that an attack like Heartbleed required
the revocation of the private keys of a large part of the Internet.
For that reason hardware and software isolation mechanisms that could
mitigate such attacks are again on the line, and the main theme of
this devroom.

For up-to-date submission and event information:
https://github.com/security-devroom/fosdem-2015

The security devroom will be held on Sunday 1st of February 2015 in
Brussels, Belgium at ULB room S.AW1.120 from 09:00 to 17:00.

I kindly ask you to forward this announcement to any relevant FOSS
project mailing list (except the ones already covered in the working
doc etherpad).

[1] https://fosdem.org/2015/
[2] https://github.com/security-devroom/fosdem-2015

--
Martin
+372 515 6495

------------------------------------------------------------------------------
Michael Ströder | 24 Oct 09:24 2014

0.14.1?

Hi!

I experienced seg faults of EJBCA as noted at the end of this page:

http://www.smartcard-hsm.com/2014/09/05/Accessing_your_SmartCard-HSM_from_EJBCA.html

Currently I'm testing with the git version of OpenSC but I wonder whether and
when the patches noted on the page will be released (maybe as 0.14.1)?

Ciao, Michael.

------------------------------------------------------------------------------

OpenSC Internet Explorer


Hi List,

I was wondering if anyone here managed to get some smart cards working
with Internet Explorer. Upstream there are some "reg" files that
configure some cards such as ePass2003, Feitan and so forth...
Do they really work well with Internet Explorer? (Do the smart cards
work at all with IE? If so... how?)

We are a small province in the north of Italy and would like to
implement a FOSS solution to manage smart cards. Our OpenSC-GUI
frontend creates an easy way to change the PIN, however getting the
OpenSC drivers to play nice with Internet Explorer seems to be rather
tricky... (All works under Linux but the majority of the userbase uses
Windows and IE.)

The project can be found here:
https://github.com/tis-innovation-park/OpenSC-GUI/

Before going into a lot of details I was wondering if anyone on this
list managed to get the Italian CNS (European Health Insurance Card)
working with Internet Explorer. All works great under Firefox.
I have been playing with a lot of registry settings but somehow think
that the problems are related to the minidriver?

This topic somehow relates to the issues that were mentioned previously,
concerning deprecated drivers and the maintenance thereof. I am more
than happy to provide all sorts of information regarding this topic!

Kind Regards,

--
shaun

------------------------------------------------------------------------------
Frank Morgner | 20 Oct 22:34 2014

State of card drivers

Hey guys!

I see we have a number of pull requests hanging concerning new card
drivers. We have some internal card drivers that don't seem to have a
maintainer. We have seen errors in OpenSC that could be exploited by a
rogue smart card.

Still, we don't seem to have a clear policy about new code in OpenSC.
Here is what I would suggest regarding the card driver level (which I
know relatively well):

    Only mature drivers with active maintainers should be loaded by
    default.

This means that

1. All new card drivers belong in a separate driver library that is
   *not* loaded together with all internal drivers.

   I think this would allow us to accept contributions faster (but it
   would still require changes for the existing pull requests).

2. Old drivers need to be reviewed. If there is no maintainer, the
   driver needs to be separated and disabled by default.

   I would work on this from time to time; I invite others to do the
   same.

3. Automatic tests need to be applied for drivers that are enabled by
   default.

   @Victor: Is your smart card farm still up and running? Where can we
   check whether all of the cards are still working?

Loading external card drivers is already built into OpenSC, so
refactoring the existing code should be relatively easy. Having an
external driver would also suit the feeling of most contributors,
who think that the card driver allows them to do everything they want
(which sometimes is implementing core functionality over and over
again).

Also, we need to look at OpenSC as software that implements security.
Even though it does not deal with keys directly, it still defines what
you actually *do* with the keys stored on your card.

-- 
Frank Morgner

Virtual Smart Card Architecture http://vsmartcard.sourceforge.net
OpenPACE                        http://openpace.sourceforge.net
IFD Handler for libnfc Devices  http://sourceforge.net/projects/ifdnfc
------------------------------------------------------------------------------
Frank Morgner | 19 Oct 14:58 2014

Fwd: Re: Regarding pcsc reader


-- 
Frank Morgner

Virtual Smart Card Architecture http://vsmartcard.sourceforge.net
OpenPACE                        http://openpace.sourceforge.net
IFD Handler for libnfc Devices  http://sourceforge.net/projects/ifdnfc
From: Frank Morgner <morgner <at> informatik.hu-berlin.de>
Subject: Re: [Opensc-devel] Regarding pcsc reader
Date: 2014-10-19 12:51:55 GMT
Your debug output is very hard to read, the line breaks are missing.
What you are describing seems to work for me. What is your
configuration, how can the behaviour be reproduced?

On Sunday, October 19 at 04:10PM, nsar nq wrote:
> the virtual card says:
> 19.10.2014 15:52:02  [WARNING] Using default SAM parameters. PIN=1234, Card Nr=1234567890
> 19.10.2014 15:52:02  [INFO] Connected to virtual PCD at localhost:35963
> I have tried it many times: detected card presence, returning with 3, 2 and 0. After that it shows it returns the code -1104 (card not present). For detailed debug info, when debug is set to 9, the following output is generated:
> 2014-10-19 15:30:47.182 ===================================
> 2014-10-19 15:30:47.182 opensc version: 0.13.0
> 2014-10-19 15:30:47.182 PC/SC options: connect_exclusive=0 disconnect_action=1 transaction_end_action=0 reconnect_action=0 enable_pinpad=1 enable_pace=1
> 2014-10-19 15:30:47.182 [opensc-tool] reader-pcsc.c:948:pcsc_detect_readers: called
> 2014-10-19 15:30:47.182 Probing pcsc readers
> 2014-10-19 15:30:47.182 Establish pcsc context
> 2014-10-19 15:30:47.182 Found new pcsc reader 'Virtual Smart Card Architecture Virtual PCD 0'
> 2014-10-19 15:30:47.182 Virtual Smart Card Architecture Virtual PCD 0 check
> 2014-10-19 15:30:47.198 current  state: 0x00450012
> 2014-10-19 15:30:47.198 previous state: 0x00000000
> 2014-10-19 15:30:47.198 card absent
> 2014-10-19 15:30:47.198 Requesting reader features ...
> 2014-10-19 15:30:47.198 Virtual Smart Card Architecture Virtual PCD 0:SCardConnect(DIRECT): 0x00000000
> 2014-10-19 15:30:47.198 [opensc-tool] reader-pcsc.c:824:detect_reader_features: called
> 2014-10-19 15:30:47.232 Virtual Smart Card Architecture Virtual PCD 0:SCardControl failed: 0x00000032
> 2014-10-19 15:30:47.232 [opensc-tool] reader-pcsc.c:1101:pcsc_detect_readers: returning with: 0 (Success)
> # Detected readers (pcsc)
> Nr.  Card  Features  Name
> 2014-10-19 15:30:47.232 [opensc-tool] sc.c:231:sc_detect_card_presence: called
> 2014-10-19 15:30:47.232 [opensc-tool] reader-pcsc.c:370:pcsc_detect_card_presence: called
> 2014-10-19 15:30:47.232 Virtual Smart Card Architecture Virtual PCD 0 check
> 2014-10-19 15:30:47.232 current  state: 0x00450222
> 2014-10-19 15:30:47.232 previous state: 0x00450012
> 2014-10-19 15:30:47.232 card present, changed
> 2014-10-19 15:30:47.232 [opensc-tool] reader-pcsc.c:375:pcsc_detect_card_presence: returning with: 3
> 2014-10-19 15:30:47.248 [opensc-tool] sc.c:236:sc_detect_card_presence: returning with: 3
> 0    Yes             Virtual Smart Card Architecture Virtual PCD 0
> 2014-10-19 15:30:47.248 [opensc-tool] card.c:125:sc_connect_card: called
> 2014-10-19 15:30:47.248 [opensc-tool] reader-pcsc.c:450:pcsc_connect: called
> 2014-10-19 15:30:47.248 Virtual Smart Card Architecture Virtual PCD 0 check
> 2014-10-19 15:30:47.248 current  state: 0x00460012
> 2014-10-19 15:30:47.248 previous state: 0x00450222
> 2014-10-19 15:30:47.248 card absent, changed
> 2014-10-19 15:30:47.248 [opensc-tool] reader-pcsc.c:457:pcsc_connect: returning with: -1104 (Card not present)
> 2014-10-19 15:30:47.248 [opensc-tool] card.c:249:sc_connect_card: returning with: -1104 (Card not present)
>      failed: Card not present
> 2014-10-19 15:30:47.248 [opensc-tool] ctx.c:787:sc_release_context: called
> 2014-10-19 15:30:47.248 [opensc-tool] reader-pcsc.c:745:pcsc_finish: called
> 
> 
>  
> Date: Sun, 19 Oct 2014 12:30:34 +0200
> From: morgner <at> informatik.hu-berlin.de
> To: opensc-devel <at> lists.sourceforge.net; opensc-devel <at> lists.opensc-project.org
> Subject: Re: [Opensc-devel] Regarding pcsc reader
> 
> I'm not sure what the problem is. What does the virtual card say when
> you start it with -vvvvvvvvv?
>  
> Also, you could dig deeper and try to debug the virtual driver as
> described here in section "Compile, Install and Debug":
> http://www.codeproject.com/Articles/134010/An-UMDF-Driver-for-a-Virtual-Smart-Card-Reader
>  
> On Sunday, October 19 at 01:34PM, nsar nq wrote:
> > Hi!
> > I am trying to connect my virtual smart card with the reader. On viewing the detailed debug output, OpenSC reader-pcsc shows card presence, connected, then changed to card absent. Kindly provide some help.
> > debug output:
> > C:\Program Files (x86)\OpenSC Project\OpenSC\tools>opensc-tool -l -vvv
> > # Detected readers (pcsc)
> > Nr.  Card  Features  Name
> > 2014-10-19 13:26:46.569 [opensc-tool] sc.c:231:sc_detect_card_presence: called
> > 2014-10-19 13:26:46.569 [opensc-tool] reader-pcsc.c:370:pcsc_detect_card_presence: called
> > 2014-10-19 13:26:46.569 Virtual Smart Card Architecture Virtual PCD 0 check
> > 2014-10-19 13:26:46.569 current  state: 0x00440222
> > 2014-10-19 13:26:46.569 previous state: 0x00440012
> > 2014-10-19 13:26:46.569 card present, changed
> > 2014-10-19 13:26:46.569 [opensc-tool] reader-pcsc.c:375:pcsc_detect_card_presence: returning with: 3
> > 2014-10-19 13:26:46.569 [opensc-tool] sc.c:236:sc_detect_card_presence: returning with: 3
> > 0    Yes             Virtual Smart Card Architecture Virtual PCD 0
> > 2014-10-19 13:26:46.569 [opensc-tool] card.c:125:sc_connect_card: called
> > 2014-10-19 13:26:46.569 [opensc-tool] reader-pcsc.c:450:pcsc_connect: called
> > 2014-10-19 13:26:46.569 Virtual Smart Card Architecture Virtual PCD 0 check
> > 2014-10-19 13:26:46.569 current  state: 0x00450012
> > 2014-10-19 13:26:46.569 previous state: 0x00440222
> > 2014-10-19 13:26:46.569 card absent, changed
> > 2014-10-19 13:26:46.569 [opensc-tool] reader-pcsc.c:457:pcsc_connect: returning with: -1104 (Card not present)
> > 2014-10-19 13:26:46.585 [opensc-tool] card.c:249:sc_connect_card: returning with: -1104 (Card not present)
> >      failed: Card not present
> > 2014-10-19 13:26:46.585 [opensc-tool] ctx.c:787:sc_release_context: called
> > 2014-10-19 13:26:46.585 [opensc-tool] reader-pcsc.c:745:pcsc_finish: called
------------------------------------------------------------------------------
nsar nq | 19 Oct 10:34 2014

Regarding pcsc reader

Hi!

I am trying to connect my virtual smart card with the reader. On viewing the detailed debug output, OpenSC reader-pcsc shows card presence, connected, then changed to card absent. Kindly provide some help.

debug output:

C:\Program Files (x86)\OpenSC Project\OpenSC\tools>opensc-tool -l -vvv
# Detected readers (pcsc)
Nr.  Card  Features  Name
2014-10-19 13:26:46.569 [opensc-tool] sc.c:231:sc_detect_card_presence: called
2014-10-19 13:26:46.569 [opensc-tool] reader-pcsc.c:370:pcsc_detect_card_presence: called
2014-10-19 13:26:46.569 Virtual Smart Card Architecture Virtual PCD 0 check
2014-10-19 13:26:46.569 current  state: 0x00440222
2014-10-19 13:26:46.569 previous state: 0x00440012
2014-10-19 13:26:46.569 card present, changed
2014-10-19 13:26:46.569 [opensc-tool] reader-pcsc.c:375:pcsc_detect_card_presence: returning with: 3
2014-10-19 13:26:46.569 [opensc-tool] sc.c:236:sc_detect_card_presence: returning with: 3
0    Yes             Virtual Smart Card Architecture Virtual PCD 0
2014-10-19 13:26:46.569 [opensc-tool] card.c:125:sc_connect_card: called
2014-10-19 13:26:46.569 [opensc-tool] reader-pcsc.c:450:pcsc_connect: called
2014-10-19 13:26:46.569 Virtual Smart Card Architecture Virtual PCD 0 check
2014-10-19 13:26:46.569 current  state: 0x00450012
2014-10-19 13:26:46.569 previous state: 0x00440222
2014-10-19 13:26:46.569 card absent, changed
2014-10-19 13:26:46.569 [opensc-tool] reader-pcsc.c:457:pcsc_connect: returning with: -1104 (Card not present)
2014-10-19 13:26:46.585 [opensc-tool] card.c:249:sc_connect_card: returning with: -1104 (Card not present)
     failed: Card not present
2014-10-19 13:26:46.585 [opensc-tool] ctx.c:787:sc_release_context: called
2014-10-19 13:26:46.585 [opensc-tool] reader-pcsc.c:745:pcsc_finish: called
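The "current state" / "previous state" words in a trace like this are PC/SC reader-state bitmasks, and decoding them is the quickest way to see what the reader actually reported. The following is an added example, not OpenSC code and not from the poster: it splits the three words logged above into their SCARD_STATE_* flags (values as defined by the PC/SC API) and, on Windows, the high-word event counter.

```c
/* Added example, not OpenSC code: decode the "current state" / "previous
 * state" words that reader-pcsc.c logs. The low 16 bits are the SCARD_STATE_*
 * flags of the PC/SC API (values copied from winscard.h / pcsclite.h); on
 * Windows the high 16 bits carry the reader's event counter. */
#include <stdio.h>
#include <string.h>

#define SCARD_STATE_IGNORE      0x0001
#define SCARD_STATE_CHANGED     0x0002
#define SCARD_STATE_UNKNOWN     0x0004
#define SCARD_STATE_UNAVAILABLE 0x0008
#define SCARD_STATE_EMPTY       0x0010
#define SCARD_STATE_PRESENT     0x0020
#define SCARD_STATE_ATRMATCH    0x0040
#define SCARD_STATE_EXCLUSIVE   0x0080
#define SCARD_STATE_INUSE       0x0100
#define SCARD_STATE_MUTE        0x0200   /* card present but not answering */
#define SCARD_STATE_UNPOWERED   0x0400

static const struct { unsigned flag; const char *name; } flag_names[] = {
    {SCARD_STATE_IGNORE, "IGNORE"},     {SCARD_STATE_CHANGED, "CHANGED"},
    {SCARD_STATE_UNKNOWN, "UNKNOWN"},   {SCARD_STATE_UNAVAILABLE, "UNAVAILABLE"},
    {SCARD_STATE_EMPTY, "EMPTY"},       {SCARD_STATE_PRESENT, "PRESENT"},
    {SCARD_STATE_ATRMATCH, "ATRMATCH"}, {SCARD_STATE_EXCLUSIVE, "EXCLUSIVE"},
    {SCARD_STATE_INUSE, "INUSE"},       {SCARD_STATE_MUTE, "MUTE"},
    {SCARD_STATE_UNPOWERED, "UNPOWERED"},
};

/* Event counter kept in the high word by the Windows PC/SC service. */
unsigned scard_event_count(unsigned long state)
{
    return (unsigned)((state >> 16) & 0xFFFF);
}

/* Write the names of the set flags into buf as "A|B|C"; return the flag word. */
unsigned scard_state_flags(unsigned long state, char *buf, size_t buflen)
{
    unsigned flags = (unsigned)(state & 0xFFFF);
    buf[0] = '\0';
    for (size_t i = 0; i < sizeof flag_names / sizeof flag_names[0]; i++) {
        if (!(flags & flag_names[i].flag))
            continue;
        if (buf[0] != '\0')
            strncat(buf, "|", buflen - strlen(buf) - 1);
        strncat(buf, flag_names[i].name, buflen - strlen(buf) - 1);
    }
    return flags;
}

/* The transition in the trace above: detected as PRESENT, then EMPTY again by
 * the time pcsc_connect looks, which is what yields -1104 (Card not present). */
int card_vanished(unsigned long previous, unsigned long current)
{
    return (previous & SCARD_STATE_PRESENT) != 0 && (current & SCARD_STATE_EMPTY) != 0;
}

int main(void)
{
    /* The three state words from the opensc-tool trace above, in order. */
    const unsigned long trace[] = {0x00440012UL, 0x00440222UL, 0x00450012UL};
    char buf[128];
    for (size_t i = 0; i < sizeof trace / sizeof trace[0]; i++) {
        unsigned f = scard_state_flags(trace[i], buf, sizeof buf);
        printf("0x%08lx: events=%u flags=0x%04x (%s)\n",
               trace[i], scard_event_count(trace[i]), f, buf);
    }
    printf("card vanished between detect and connect: %s\n",
           card_vanished(trace[1], trace[2]) ? "yes" : "no");
    return 0;
}
```

Read this way the trace goes EMPTY|CHANGED, then PRESENT|MUTE|CHANGED, then EMPTY|CHANGED: the MUTE bit means PC/SC saw a card that did not answer the reader, which points at the virtual card or its PCD connection rather than at OpenSC's detection logic.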
------------------------------------------------------------------------------
Anders Rundgren | 17 Oct 11:21 2014

eIDAS-tokens and Apple-SIM

https://www.bsi.bund.de/EN/Publications/TechnicalGuidelines/TR03110/BSITR03110-eIDAS_Token_Specification.html

eIDAS-tokens have no links to the web (BSI and ANSSI don't have such knowledge) and are therefore already
dead in the water.

We will probably have to leave this kind of technology development to Google and Apple.

Apple just launched the first step towards SIM virtualization:
http://techcrunch.com/2014/10/16/apple-sim/

Apple does use a SIM, but it is not tied to a specific operator, which means that the original business model is
already gone; the rest is only about "connecting the dots".

Anders

------------------------------------------------------------------------------
William Roberts | 16 Oct 19:42 2014

IFDs

Looking through the OpenSC code base, it's unclear to me how the reader
driver is discovered and used to send the APDUs generated by the card
driver. Can anyone point me in the right direction?

I ask this because I am interested in finding out how to add a new
driver that I would be implementing, and want to look at the
interface. The driver I want to implement would be purely virtual, and
essentially always available, is there a way to configure it
statically via:

reader_driver in opensc.conf

Thanks,
Bill

------------------------------------------------------------------------------
Thomas Calderon | 15 Oct 16:20 2014

Discussion about OpenSC broken PKCS#11 compliance

Hi all,

I would like to start a new discussion related to how OpenSC complies, or rather does not comply, with the PKCS#11 standard.

I understand the need for multi-card support and appreciate the community effort that has been put towards supporting so many cards.
However, I feel that there are numerous outstanding issues in the way OpenSC is designed.

First, the current pkcs11.h in OpenSC is a "custom" version derived from a draft of the standard. PKCS#11 v2.20 has long been published and was amended 3 times already.
Second, the way OpenSC handles card provisioning is broken. Let's take an example for IAS-ECC cards.

Suppose you want to inject a Private Key object on the token, but you want to restrict the key usage for this private key. You can do so using PKCS#11 attributes such as:
  - CKA_SIGN
  - CKA_SIGN_RECOVER
  - CKA_DECRYPT
  - CKA_UNWRAP

Now, you only need this key for signing, therefore the PKCS#11 template you will use within your code will set CKA_SIGN=TRUE and the other attributes to FALSE. The OpenSC object creation code will ignore your "least privilege" policy and enable all key usages for this key.
This is bad, but there is worse. Since this key was generated "off-board", the PKCS#11 standard mandates that the CKA_LOCAL attribute should be set to FALSE. OpenSC hard-codes this value to TRUE, thus lying to client applications!
Other important values such as CKA_ALWAYS_SENSITIVE and CKA_NEVER_EXTRACTABLE are wrongly set in this case.

The "on-board" generation code is also doing dirty tricks behind your back. First the requested PKCS#11 attributes are mapped to an X509 representation and mapped again to PKCS#15 attributes. During this process you lose some granularity on the attributes you required. For instance, request an "on-board" key pair generation for a "signing" key (CKA_SIGN=TRUE, rest to FALSE). Because of this double attribute mapping dance you end up with a private key with CKA_SIGN and CKA_SIGN_RECOVER set to TRUE although you set CKA_SIGN_RECOVER to FALSE.

As a last example, there is no point in setting CKA_WRAP/CKA_UNWRAP to TRUE if the C_Wrap/C_Unwrap functions are not supported. Those should be the ones hard-coded to FALSE!

Is increased PKCS#11 compliance part of the OpenSC roadmap?


Feedback appreciated.

Regards,

Thomas C.
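The divergence Thomas describes between the requested template and what the token ends up with can at least be detected on the client side before a key is put to use. The following is an added example, not OpenSC's or the poster's code: it compares a requested key-usage template with the attribute set a token reports back (constructed here from the post's description; a real client would read it with C_GetAttributeValue), and the CK_* types and CKA_* values mirror pkcs11.h so the file builds stand-alone.

```c
/* Added example, not OpenSC code: check on the client side that the key-usage
 * template passed to C_CreateObject (or C_GenerateKeyPair) is what the token
 * actually stored, instead of trusting it. CK_* types and CKA_* values mirror
 * pkcs11.h; a real client would fill the "actual" template from C_GetAttributeValue. */
#include <stdio.h>

typedef unsigned long CK_ULONG;
typedef unsigned char CK_BBOOL;
#define CK_TRUE  1
#define CK_FALSE 0
#define CKA_DECRYPT      0x105UL
#define CKA_UNWRAP       0x107UL
#define CKA_SIGN         0x108UL
#define CKA_SIGN_RECOVER 0x109UL
#define CKA_LOCAL        0x163UL   /* TRUE only for keys generated on the token */

typedef struct { CK_ULONG type; CK_BBOOL value; } bool_attr;
#define COUNT(a) (sizeof (a) / sizeof (a)[0])

/* Value of `type` in template t, or -1 when the token did not return it. */
static int lookup(const bool_attr *t, size_t n, CK_ULONG type)
{
    for (size_t i = 0; i < n; i++)
        if (t[i].type == type)
            return t[i].value;
    return -1;
}

/* Count attributes where the token's view differs from the request. A usage
 * flag that comes back TRUE after being requested FALSE means the key can do
 * more than the policy allowed; CKA_LOCAL TRUE on an imported key misreports
 * its provenance. Attributes the token omits count as mismatches too. */
size_t count_template_mismatches(const bool_attr *req, size_t nreq,
                                 const bool_attr *act, size_t nact, int verbose)
{
    size_t mismatches = 0;
    for (size_t i = 0; i < nreq; i++) {
        int got = lookup(act, nact, req[i].type);
        if (got == (int)req[i].value) continue;
        mismatches++;
        if (verbose)
            printf("  CKA_0x%03lx: requested %s, token reports %s\n", req[i].type,
                   req[i].value ? "TRUE" : "FALSE",
                   got < 0 ? "(absent)" : got ? "TRUE" : "FALSE");
    }
    return mismatches;
}

/* Constructed sample: a signing-only private key imported from outside the
 * token ("off-board"), so CKA_LOCAL must be FALSE. */
static const bool_attr requested[] = {
    {CKA_SIGN, CK_TRUE}, {CKA_SIGN_RECOVER, CK_FALSE}, {CKA_DECRYPT, CK_FALSE},
    {CKA_UNWRAP, CK_FALSE}, {CKA_LOCAL, CK_FALSE},
};
/* What the post describes the object creation code handing back: every usage
 * enabled and CKA_LOCAL forced to TRUE. */
static const bool_attr widened[] = {
    {CKA_SIGN, CK_TRUE}, {CKA_SIGN_RECOVER, CK_TRUE}, {CKA_DECRYPT, CK_TRUE},
    {CKA_UNWRAP, CK_TRUE}, {CKA_LOCAL, CK_TRUE},
};

size_t mismatches_widened(void)   { return count_template_mismatches(requested, COUNT(requested), widened, COUNT(widened), 0); }
size_t mismatches_compliant(void) { return count_template_mismatches(requested, COUNT(requested), requested, COUNT(requested), 0); }

int main(void)
{
    size_t n = count_template_mismatches(requested, COUNT(requested), widened, COUNT(widened), 1);
    printf("%zu of %zu attributes differ; refuse to use the key unless this is 0\n", n, COUNT(requested));
    return n ? 1 : 0;
}
```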
------------------------------------------------------------------------------