Francesco Muzio | 28 Aug 10:39 2014



I have some trouble with a smartcard that should be structured as a 
standard Italian CNS.

This problem renders the smart card unusable for uses like strong 
authentication and strong signature. It seems related to the error 
produced by this command:

$ pkcs11-tool -t -l
Using slot 1 with a present token (0x1)
Logging in to "TEST CARD (PIN CNS".
Please enter User PIN:
C_SeedRandom() and C_GenerateRandom():
   seeding (C_SeedRandom) not supported
   seems to be OK
   all 4 digest functions seem to work
   MD5: OK
   SHA-1: OK
   RIPEMD160: OK
Signatures (currently only RSA signatures)
   testing key 0 (CNS0)
error: PKCS11 function C_SignFinal failed: rv = CKR_ARGUMENTS_BAD (0x7)

This smartcard is provided with two different PINs (the first to access 
the smartcard, the second to authorize the signature), but during 
the test performed above only the first PIN is requested.


Eric Dorland | 27 Aug 23:54 2014

Is openct dead?


Debian maintainer of opensc stuff here. I'm wondering if openct is
worth having in Debian anymore as it doesn't seem to have seen any
release or even significant changes in the last 4 years
( Its popularity in
Debian is also dwindling

I guess my question is if I removed it from Debian for the next
release, would anyone be sad?


Eric Dorland <eric <at>>
43CF 1228 F726 FD5B 474C  E962 C256 FBD5 0022 1E93
Dirk-Willem van Gulik | 23 Aug 14:45 2014

Yosemite and OpenSC/PKCS11/PCSC head

FWIW - found that out of the box OpenSC (head) on Yosemite 10.10 does not quite work (after the tiny tweak
below to get it to compile); it segfaults in _Block_release() on exit/cleanup. Besides that most things seem
fine - except for keychain interaction (i.e. having your pkcs#15 appear in the normal keychain, etc).

The culprit seems to be:

	 int sc_release_context(sc_context_t *ctx)
	       if (ctx->reader_driver->ops->finish != NULL)

with the reader_driver being the stock (i.e. Apple's) PCSC. Commenting this out does make things spring
to life sufficiently to get chipcards to work with SSH, the browser for client auth, Osirix and so on.

Unfortunately in PCSC no obvious changes stand out - all seems rather well - and it is almost as if
_Block_release() is not something in the code but added by clang/linker/c++magic late in the game.

Suggestions appreciated.


index 1a0a8bc..5033f83 100755
--- a/MacOSX/
+++ b/MacOSX/
 <at>  <at>  -10,7 +10,7  <at>  <at>  BUILDPATH=${PWD}

 # Use new locations for SDK on 10.8+
 OSX_RELEASE=`sw_vers -productVersion`
-case ${OSX_RELEASE:0:4} in
+case ${OSX_RELEASE} in
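Review bot: dropping the `:0:4` substring means `case` now sees the full `sw_vers -productVersion` output (for example `10.9.4` or `10.10`) instead of its first four characters, but the case arms are outside the shown context; any arm written as an exact match such as `10.9)` stops matching once the patch level is included and needs a trailing glob (`10.9*`). A short comment in the script noting that the truncation was removed because `10.10` collapsed to `10.1` would help the next reader.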

mikybrother | 19 Aug 19:58 2014

Re: Link OpenSC against

See this
post for some useful info.


William Roberts | 1 Aug 04:07 2014

Clarifying PIV CSR

I am working through the PIV admin flow. And I am on this step:

 export PIV_9A_KEY
 openssl << EOT
 engine dynamic -vvvv -pre SO_PATH:/usr/lib/engines/ \
      -pre ID:pkcs11 -pre NO_VCHECK:1 \
      -pre LIST_ADD:1 -pre LOAD  \
      -pre MODULE_PATH:/usr/lib/
 req $SSLEAY_CONFIG -engine pkcs11 -md5 -new  \
     -key slot_0-id_1 -keyform engine -out card/newreq.1.$CARD.pem -text

Which yields:
PKCS11_get_private_key returned NULL
cannot load Private Key from engine
routines:ENGINE_load_private_key:failed loading private
unable to load Private Key
error in req

My question is, what private key? Shouldn't that key remain on the card?

Looking at the card edge I see a lot of CB (GET DATA) requests, but I
was under the impression that the GENERAL AUTH command was used to
encrypt the data, per the PIV spec:

The GENERAL AUTHENTICATE command shall be used with the PIV Digital

Frank Morgner | 29 Jul 10:22 2014

different algorithms for different keys


I am writing a card driver for a card that needs raw RSA data for
decryption but digestinfo+hash for creating a signature (pkcs#1 padding

During the card driver initialization I use 

_sc_card_add_rsa_alg(card, 2048,

This adds the pkcs1 and raw usage to each key on the card. It is due to,

Decryption works with

_sc_card_add_rsa_alg(card, 2048,

Signature works with

_sc_card_add_rsa_alg(card, 2048,

The only problem is that on the card driver level I can't specify the
type of key. Is there a workaround for this problem?


Frank Morgner


William Roberts | 28 Jul 20:59 2014

Generating keypairs on PIV cards

Suppose you had a blank card in this state:
1. Most of the private keys are empty (9A, 9C, 9D, 9E)
2. The Card Management Key (9B) is set
3. The containers (5FC105, 5FC10A, 5FC10B, 5FC101) are empty

What commands would run using piv-tool to take the card into an
initialized state?

My best guess is some combination of GENERATE ASYMMETRIC KEY PAIR and
PUT DATA commands. I'm not quite clear what the GENERATE KEY PAIR
command should do on the card side; does it actually update the
corresponding x509? I.e. does a generate request on '9A' update the x509
in 5FC105?



William C Roberts

Johannes Becker | 28 Jul 12:42 2014

OpenSC 0.14.0 Windows installer


  opensc-0.14.0-win32.msi does not install all files in the subdirectory 
'tools', if opensc-0.13.0-win32.msi is already installed.


Andreas Schwier | 28 Jul 12:51 2014

Support in the Asia-Pacific region

Hi list,

Is there anyone on the list who could provide commercial support for
OpenSC in the Asia-Pacific region?


Adam Zimmerman | 26 Jul 18:25 2014

"fatal: could not initialize dst: crypto failure" when trying to use dnssec with Aventra card

Hi everyone,

I'm trying to set up DNSSEC for my domain with my KSK being stored on a
smart card. I have an Aventra MyEID card, and setting up the card seems
to go perfectly (except for finalizing it). However, when I try to use
dnssec-keyfromlabel to generate the public key information to be used
later with dnssec-signzone, I get the error listed in the subject. The
error occurs before I'm asked for my PIN.

So I have a couple of questions:
- Is this something I'm doing wrong, a bug somewhere, or an issue with
  the card? (also, am I on the right list? This seemed to be the most
  relevant one when I searched)
- Is it related at all to the inability to finalize the card?
- (on the off chance this is the culprit) My PIN and PUK are identical.
  I'm assuming this isn't the issue, am I right?

Below I've copied/pasted the commands I'm using to set up the card and
run dnssec-keyfromlabel. I've also attached the output from running
dnssec-keyfromlabel with OPENSC_DEBUG=9 set. Let me know if I can
provide any more information.

Thanks in advance,
- Adam


adam@midnight% pkcs15-init -E
Using reader with a card: Lenovo Integrated Smart Card Reader 00 00


William Roberts | 26 Jul 00:16 2014

PIV General Auth command example correct

Is the command given here:

piv-tool -A A:9B:03 -s 00:DB:3F:FF:09:5C:03:5F:C1:05:53:00:00:00

correctly formatted? The NIST docs say the data in the PUT DATA
APDU shall be formatted with 2 tags, 5C and 53. So parsing the above we
end up with:


Assuming that TAG 53 should at least be a properly structured TLV, it
is not. Shouldn't it be:





William C Roberts

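An added example (not from the post, and not OpenSC or piv-tool code) that splits the APDU quoted above into its header and data field and walks the data as BER-TLV, reporting where it departs from the 5C-then-53 layout the post refers to; it assumes one-byte tags with short or 81/82 lengths, as PIV data objects use, and a second APDU constructed here as a well-formed comparison.

```python
# Added example, not from the post or OpenSC/piv-tool. Constructed input: the PUT DATA APDU quoted above.
APDU_HEX = "00:DB:3F:FF:09:5C:03:5F:C1:05:53:00:00:00"
# Constructed for comparison: same tag list, tag 53 carrying one byte.
WELL_FORMED_HEX = "00:DB:3F:FF:08:5C:03:5F:C1:05:53:01:AA"


def parse_tlv(buf):
    """Walk BER-TLV objects with one-byte tags and short or 81/82 lengths.
    Returns ([(tag, value), ...], trailing) where trailing is whatever is
    left after the last complete object (e.g. 00 padding bytes)."""
    items, i = [], 0
    while i < len(buf):
        tag = buf[i]
        if tag in (0x00, 0xFF) or i + 1 >= len(buf):  # padding, or no length byte
            return items, buf[i:]
        length, i = buf[i + 1], i + 2
        if length == 0x81:
            length, i = buf[i], i + 1
        elif length == 0x82:
            length, i = int.from_bytes(buf[i:i + 2], "big"), i + 2
        elif length > 0x80:
            raise ValueError(f"unsupported length form {length:02X}")
        if i + length > len(buf):
            raise ValueError(f"tag {tag:02X} length {length} overruns the data")
        items.append((tag, buf[i:i + length]))
        i += length
    return items, b""


def check_put_data(hex_colon):
    """Split a short APDU (CLA INS P1 P2 Lc data) and report how its data
    field deviates from PIV PUT DATA: tag 5C (tag list) then tag 53 (object)."""
    raw = bytes.fromhex(hex_colon.replace(":", ""))
    cla, ins, p1, p2, lc = raw[:5]
    data = raw[5:]
    findings = []
    if (cla, ins, p1, p2) != (0x00, 0xDB, 0x3F, 0xFF):
        findings.append("header is not PIV PUT DATA (00 DB 3F FF)")
    if len(data) != lc:
        findings.append(f"Lc={lc} but {len(data)} data bytes follow")
    tlvs, trailing = parse_tlv(data)
    tags = [t for t, _ in tlvs]
    if tags[:1] != [0x5C]:
        findings.append("data field does not start with tag 5C")
    if 0x53 not in tags:
        findings.append("no tag 53 data object")
    elif not dict(tlvs)[0x53]:
        findings.append("tag 53 has zero length")
    if trailing:
        findings.append(f"{len(trailing)} byte(s) after the last object: {trailing.hex()}")
    return tlvs, findings
```

Run against the quoted APDU it reports an empty tag 53 followed by two unparsed 00 bytes, while the constructed comparison APDU yields no findings.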