Andre Tampubolon | 24 Jul 10:00 2014

PKCS#15 binding failed: Unsupported card

Hello everyone,

My supervisor asked me to do a little research on how to put a key on a smartcard, so that every time you use Thunderbird or Outlook, the key has to be plugged in first.

He gave me this link:
https://minotaur.fi.muni.cz:8443/~xsvenda/docuwiki/doku.php?id=public:smartcard

I didn't find how to put the key specifically on that link, so I did some Google search and found this:
https://code.google.com/p/seek-for-android/wiki/SmartCardPKI
So, to put the key into the card, you have to use pkcs15-tool.

For this testing purpose, I have 3 different smart cards (one of them is an Austria Card).
All of them failed during the creation of the PKCS#15 structure:
$ pkcs15-tool.exe --dump
Using reader with a card: OMNIKEY CardMan 5x21 0
PKCS#15 binding failed: Unsupported card


So, does that mean I cannot use my cards for this purpose? Or is there any workaround?
Thank you.

--
Andre Tampubolon

R & D Engineer at PT Cipta Srigati Lestari
Jln. Kemang Utara No.10 Jakarta Selatan 12730, Indonesia
http://www2.cslgroup.co.id
_______________________________________________
Opensc-devel mailing list
Opensc-devel <at> lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/opensc-devel
Shaun Schutte | 21 Jul 15:04 2014

Italian CNS smartcard - Digital Signing Certificate not listed

Hi all,

Our Italian CNS card can accommodate two certificates, one for authentication and one for digital signatures. The certificate for authentication can be read using OpenSC and logging into the local eGov website works fine.
However, the second certificate that gets used for digital signing does not work, and unfortunately we don't have a lot of information about the card or the cert since it is all proprietary (I would like to avoid getting into that discussion now). So while OpenSC does not see the second cert, the Siemens CardOS API Viewer does.

I have attached the log file, set to level 9 and can provide the following information in addition to the certificate that cannot be read:

Signature Algorithm:   sha256RSA
Issuer:                Actalis Qualified Certificatio....
CKA_LABEL:             CNS DS01 X.509 Certificate
CKA_CERTIFICATE_TYPE:  X.509 Public Key Certificate

Does anyone here have any similar issues? I'm pretty stumped on what the reason could be that OpenSC cannot list the cert.

--
shaun
Attachment (debug.log): text/x-log, 230 KiB
Anders Rundgren | 14 Jul 11:10 2014

Smart Cards vs. TEEs

Follow-up on the TPM is dead posting...

It doesn't matter if hell freezes over, Smart Cards will never be able to do this:
https://play.google.com/store/apps/details?id=org.webpki.mobile.android

If you don't have an Android device (or 5-10 minutes to spend...), here is a short description:
https://openkeystore.googlecode.com/svn/resources/trunk/docs/keygen2.html#Sample_Run

The idea is that the scheme should be a part of a standard phone.
Keys would be protected by a TEE and hopefully by a Security Enclave as well.

Anders

Anders Rundgren | 13 Jul 06:44 2014

The TPM is dead, long live the TEE!

Sort of related to smart cards...

Somewhat unfortunately for Microsoft and Intel, who "bet the house" on TPMs (Trusted Platform Modules), all
their competitors in the mobile space, including Google and Apple, have rather settled on embedded TEE
(Trusted Execution Environment) schemes enabling systems like this:

http://www.nasdaq.com/article/samsung-mobilesecurity-platform-to-be-part-of-next-android-20140625-00937

iOS:
http://images.apple.com/iphone/business/docs/iOS_Security_Feb14.pdf

How come the competition didn't buy into the TPM?

TPMs are based on a "one-size-fits-all" API philosophy. Since Intel relies on external vendors supplying
TPM components, this (IMHO fairly unwieldy) API must also be standardized, which makes the process of
updating TPMs extremely slow and costly.

TEEs OTOH can be fitted at any time with application-specific security APIs, which can be either standardized
or entirely proprietary. In fact, even third parties can create new security APIs using
GlobalPlatform's TEE!

How about security? Since there is (generally) very little consensus on these matters, I should probably
not dive too deep into this :-)

Anders

William Roberts | 8 Jul 22:47 2014

Adding support for AES General Auth

I am currently adding support for AES for general AUTH. I currently am
at this check in card-piv.c

if ( (*q++ != 0x7C)
|| (*q++ != rbuflen - 2)
|| (*q++ != 0x81)
|| (*q++ != rbuflen - 4)) {

This assumes that the response data can be represented in a single
byte length field for the TLVs, which is not always the case. Some of
the cards I have return 256 bytes of challenge data plus meta data.

I would like to change this to actually properly parse the nested
response TLVs; however, I am looking for some TLV parsing code in the
code base and have struck out. So the question is, do you have any
code for parsing nested TLVs?

FYI, the current status is that it sends to the card, gets the response via
multiple GET RESPONSE requests and then dies here. I added support
into the entry point to handle different key sizes and algorithms.

-- 
Respectfully,

William C Roberts

Douglas E Engert | 7 Jul 15:00 2014

Re: Public key for OpenSSH

(See additions below)

On 7/7/2014 5:43 AM, Erik Schick wrote:
> Command doesn't seem to work.
>
> pkcs15-tool --read-ssh-key 7 -> nothing happen
>
>
> pkcs15-tool --read-ssh-key 7 --output -> 0 Byte file
>
> Here the trace output for the last command.
>
> http://pastebin.com/MhAE9PXz

If I read this correctly, you have an ECC key using the curve brainpoolP320r1.

It is not clear if OpenSSH will support brainpoolP320r1.
It may, but it is not one of the recommended curves. See:

   http://tools.ietf.org/html/rfc5656#section-10

The pkcs15-tool with the --read-ssh-key option only supports RSA and DSA.

So you may need to try something like:

pkcs15-tool --read-public-key 01 -o /tmp/pubkey.pem
ssh-keygen -i -m PKCS8 -f /tmp/pubkey.pem

When run on NIST demo card 4 using the PIV Authentication certificate public key,
/tmp/pubkey.pem has:

-----BEGIN PUBLIC KEY-----
MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEnb1nAmYPPjkCrcOvBwqF6vDnR4uN
iAwcB6JQaKik6i5ZKAezuY/ip3rBcqtEi+fYl/sNXpwUtfN4EIcMH7BYzA==
-----END PUBLIC KEY-----

and ssh-keygen outputs:
ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBJ29ZwJmDz45Aq3DrwcKherw50eLjYgMHAeiUGiopOouWSgHs7mP4qd6wXKrRIvn2Jf7DV6cFLXzeBCHDB+wWMw=

>
>
> Am 05.07.2014 04:55, schrieb Douglas E Engert:
>>
>> On 7/4/2014 10:13 AM, Erik Schick wrote:
>>> Hello,
>>>
>>> How can I generate an output file from a public key on a card that is
>>> compatible with or importable into OpenSSH?
>> pkcs15-tool --read-ssh-key $ID
>>
>>> Greetings
>>>
>>>
>
>

-- 

  Douglas E. Engert  <DEEngert <at> gmail.com>

Christian Skarby | 6 Jul 13:12 2014

Unsupported card from Buypass - Norwegian eID provider - altinn

Dear opensc developers,

I have a smartcard from Buypass AS, a Norwegian commercial company (owned
50% by the government) that provides electronic identities.

I run Ubuntu 14.04 Trusty amd64, and use it successfully with
https://altinn.no , which seems to access the card via Java. However, I am
not able to use the card with OpenSC. My goal is to use the card to access
a VPN with openconnect.

I send you the ATR for the card as suggested on
https://www.opensc-project.org/opensc/wiki/FrequentlyAskedQuestions

$ opensc-tool --atr
Using reader with a card: Gemalto GemPC Express 00 00
3b:9f:96:40:0a:80:31:e0:6b:04:21:05:02:61:55:55:55:55:55:55

What is the best way to proceed further? I am a software developer myself
and can hopefully help out with testing and debugging (and perhaps some coding;
however, I have no prior experience with OpenSC).

$ opensc-tool -n
Using reader with a card: Gemalto GemPC Express 00 00
Unsupported card

$ opensc-tool -i -a -v
opensc 0.13.0 [gcc  4.8.2]
Enabled features: zlib readline openssl pcsc(libpcsclite.so.1)
Using reader with a card: Gemalto GemPC Express 00 00
Connecting to card in reader Gemalto GemPC Express 00 00...
Using card driver Default driver for unknown cards.
Card ATR:
3B 9F 96 40 0A 80 31 E0 6B 04 21 05 02 61 55 55 ;..@..1.k.!..aUU
55 55 55 55                                     UUUU

The card is listed in
http://ludovic.rousseau.free.fr/softwares/pcsc-tools/smartcard_list.txt

$ pcsc_scan
PC/SC device scanner
V 1.4.22 (c) 2001-2011, Ludovic Rousseau <ludovic.rousseau <at> free.fr>
Compiled with PC/SC lite version: 1.8.10
Using reader plug'n play mechanism
Scanning present readers...
0: Gemalto GemPC Express 00 00

Sun Jul  6 12:07:05 2014
Reader 0: Gemalto GemPC Express 00 00
  Card state: Card inserted, Shared Mode,
  ATR: 3B 9F 96 40 0A 80 31 E0 6B 04 21 05 02 61 55 55 55 55 55 55

ATR: 3B 9F 96 40 0A 80 31 E0 6B 04 21 05 02 61 55 55 55 55 55 55
+ TS = 3B --> Direct Convention
+ T0 = 9F, Y(1): 1001, K: 15 (historical bytes)
  TA(1) = 96 --> Fi=512, Di=32, 16 cycles/ETU
    250000 bits/s at 4 MHz, fMax for Fi = 5 MHz => 312500 bits/s
  TD(1) = 40 --> Y(i+1) = 0100, Protocol T = 0
-----
  TC(2) = 0A --> Work waiting time: 960 x 10 x (Fi/F)
+ Historical bytes: 80 31 E0 6B 04 21 05 02 61 55 55 55 55 55 55
  Category indicator byte: 80 (compact TLV data object)
    Tag: 3, len: 1 (card service data byte)
      Card service data byte: E0
        - Application selection: by full DF name
        - Application selection: by partial DF name
        - BER-TLV data objects available in EF.DIR
        - EF.DIR and EF.ATR access services: by GET RECORD(s) command
        - Card with MF
    Tag: 6, len: B (pre-issuing data)
      Data: 04 21 05 02 61 55 55 55 55 55 55

Possibly identified card (using /usr/share/pcsc/smartcard_list.txt):
3B 9F 96 40 0A 80 31 E0 6B 04 21 05 02 61 55 55 55 55 55 55
	altinn - Buypass
	Electronic ID card for login to the altinn.no service

Is there any other information of value I can provide?

Looking forward to hearing from you,

-- 
Best regards,
Christian Skarby

Andreas Schwier | 5 Jul 13:34 2014

Minidriver still marked experimental

Hi,

Is there a reason that we still mark the minidriver as experimental and
do not install it by default?

IMHO we should change that and include the minidriver in the default
installation. It won't be used anyway until the card's ATR is added to
the registry.

I observed a strange behaviour in Win7/64: If I only install the 64 bit
version of OpenSC 0.14, then Windows finds the certificate on the card,
but when using the private key it reports "No driver for the smart card
found". If I additionally install the 32 bit version, then it works fine.

Does anyone have an explanation for that? Is Windows using 64- and 32-bit
modules simultaneously?

Andreas

Erik Schick | 4 Jul 17:13 2014

Public key for OpenSSH

Hello,

How can I generate an output file from a public key on a card that is
compatible with or importable into OpenSSH?

Greetings

William Roberts | 1 Jul 02:19 2014

PIV Select APT issues

In the NIST PIV Spec
(http://csrc.nist.gov/publications/nistpubs/800-73-3/sp800-73-3_PART2_piv-card-applic-card-common-interface.pdf)

we see that on a SELECT we should return the Application Property
Template. Looking at the reference implementation in the file
PIV_Card_Application.h we see:

static Octet PIVCardApplicationProperties [ ] = {
    APT_TEMPLATE, 0x6C,
        APT_AID, 0x0B, 0xA0, 0x00, 0x00, 0x03, 0x08, 0x00, 0x00, 0x10, 0x00, 0x01, 0x00,
        APT_TAG_AUTHORITY, 0x07, APT_TAG_AID, 0x05, 0xA0, 0x00, 0x00, 0x03, 0x08,
        APT_APPLICATION_LABEL, 0x14,
            'P','I','V',' ','C','a','r','d',' ','A','p','p','l','i','c','a','t','i','o','n',
        APT_URL, 0x3D,
            'c','s','r','c','.','n','i','s','t','.','g','o','v','/',
            'p','u','b','l','i','c','a','t','i','o','n','s','/',
            'n','i','s','t','p','u','b','s','/','8','0','0','-','7','3','/',
            'S','P','8','0','0','-','7','3','-','F','i','n','a','l','.','p','d','f'};

And the defines for the relevant bits from tags.h:
//
// Application Property Template
//
#define APT_TEMPLATE                0x61
#define APT_AID                     0x4F
#define APT_TAG_AUTHORITY           0x79
#define APT_APPLICATION_LABEL       0x50
#define APT_URL                     0x5F,0x50
#define APT_TAG_AID                 0x4F

I generated an APT off of this information that excludes the URL and I
am returning bytes:
616C4F0BA00000030800001000010079074F05A00000030850145049562043617264204170706C69636174696F6E9000

Windows handles this well, and I sniffed some PIV cards and some just
return 9000 (OpenSC seems to be OK with these as well).

However, when trying my card I get:
piv-tool -c piv -n
Using reader with a card: ACS ACR122U PICC Interface 00 00
Failed to connect to card: Card does not support the requested operation

Any ideas (I am getting the select and returning the bytes)?

Is this command tied to the attrs of the card?

-- 
Respectfully,

William C Roberts

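An added example (not OpenSC code, and not from either thread): a small BER-TLV decoder in C that accepts the long-form lengths 81 xx and 82 xx xx that the single-byte check quoted from card-piv.c in the "Adding support for AES General Auth" post cannot, plus a walk that verifies a template's length octet covers exactly the TLVs inside it. The APT bytes posted above are embedded as input (status word 90 00 dropped), next to a constructed APT whose length octet matches its contents and a constructed 7C GENERAL AUTHENTICATE response carrying a 256-byte challenge; the function and element names are assumptions.

```c
#include <stddef.h>
#include <stdint.h>
struct tlv { unsigned tag; size_t len; const uint8_t *value; };
/* Decode one BER-TLV tag+length: returns header size, or 0 if truncated or if the
 * value would run past buflen. Accepts 2-byte tags (5F 50) and lengths 81 xx / 82 xx xx. */
static size_t tlv_decode(const uint8_t *buf, size_t buflen, struct tlv *t) {
    size_t i = 0; if (buflen < 2) return 0;
    t->tag = buf[i++];
    if ((t->tag & 0x1F) == 0x1F) t->tag = (t->tag << 8) | buf[i++];
    if (i >= buflen) return 0;
    uint8_t l = buf[i++];
    if (l < 0x80) t->len = l;
    else if (l == 0x81 && i < buflen) t->len = buf[i++];
    else if (l == 0x82 && i + 1 < buflen) { t->len = (size_t)buf[i] << 8 | buf[i + 1]; i += 2; }
    else return 0;                        /* longer or indefinite forms: not used by PIV */
    if (t->len > buflen - i) return 0;    /* announced length exceeds the data we have */
    t->value = buf + i; return i;
}
/* Walk a template's children: -1 if any child is malformed, else the length of
 * the child tagged `want` (0 if absent). */
static int walk(const struct tlv *o, unsigned want) {
    const uint8_t *p = o->value, *end = o->value + o->len;
    struct tlv c; int found = 0;
    while (p < end) {
        size_t h = tlv_decode(p, (size_t)(end - p), &c);
        if (h == 0) return -1;
        if (c.tag == want) found = (int)c.len;
        p += h + c.len;
    }
    return found;
}
/* An APT (90 00 stripped) is a 0x61 template whose length octet covers exactly
 * the TLVs inside it; returns 1 if so, else 0. */
static int apt_well_formed(const uint8_t *buf, size_t n) {
    struct tlv o; size_t h = tlv_decode(buf, n, &o);
    return h && o.tag == 0x61 && h + o.len == n && walk(&o, 0) >= 0;
}
/* Challenge length (tag 0x81) in a GENERAL AUTHENTICATE 0x7C response, -1 if malformed. */
static int piv_challenge_len(const uint8_t *buf, size_t n) {
    struct tlv o; size_t h = tlv_decode(buf, n, &o);
    return (h && o.tag == 0x7C && h + o.len == n) ? walk(&o, 0x81) : -1;
}
/* APT_POSTED: the APT quoted in the thread (90 00 removed). APT_OK: constructed,
 * same elements plus a 2-byte-tag URL object; its length octet 0x32 = 50 bytes. */
#define APT_BODY 0x4F,0x0B,0xA0,0x00,0x00,0x03,0x08,0x00,0x00,0x10,0x00,0x01,0x00, \
    0x79,0x07,0x4F,0x05,0xA0,0x00,0x00,0x03,0x08, 0x50,0x14,'P','I','V',' ','C', \
    'a','r','d',' ','A','p','p','l','i','c','a','t','i','o','n'
static const uint8_t APT_POSTED[] = { 0x61, 0x6C, APT_BODY };
static const uint8_t APT_OK[] = { 0x61, 0x32, APT_BODY, 0x5F,0x50,0x03,'a','b','c' };
/* Constructed 7C response with a 256-byte challenge: 7C 82 01 04 | 81 82 01 00 | 256 bytes. */
static int demo_challenge_256(void) {
    uint8_t r[264] = { 0x7C,0x82,0x01,0x04, 0x81,0x82,0x01,0x00 };
    for (int i = 0; i < 256; i++) r[8 + i] = (uint8_t)i;   /* dummy challenge bytes */
    return piv_challenge_len(r, sizeof r);
}
```

Running the walk over a response before trusting its length fields is the defensive form of the card-piv.c check: a card that answers with a 256-byte challenge or a length octet that does not match its contents is rejected cleanly instead of being misparsed.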
Viktor Tarasov | 30 Jun 23:11 2014

OpenSC 0.14.0 released

Hi,
OpenSC 0.14.0, the next stable version, is released.

Sources and MSI packages are available on SourceForge (https://sourceforge.net/projects/opensc/).
The Debian-based packages will follow soon.

On GitHub,
the release branch 'opensc-0.14.0' is merged into 'master'.
The release campaign is finished, and pull requests are now expected against the 'master' branch.

Best regards,
Viktor.
