J.Witvliet | 16 Jul 14:10 2015

Re: Fwd: Smart Card support

Question remains _if_ you want to use the ssh-keys directly from openssh....

In the commercial version of openssh you seem to be able to use the entire openssl tool chain for keys and certificates.
And there used to be a patch for the community version of openssh (Roumen Petrov) with the possibility of tokens/smartcards.
See: http://roumenpetrov.info/openssh (latest patch version: 1 Jul 2015, so it is still maintained).

Hw

-----Original Message-----
From: Douglas E Engert [mailto:deengert <at> gmail.com] 
Sent: Thursday 16 July 2015 13:39
To: OpenSC-devel
Subject: [Opensc-devel] Fwd: Smart Card support

OpenSC developers may wish to comment on this OpenSSH note.

-------- Forwarded Message --------
Subject: Smart Card support
Date: Thu, 16 Jul 2015 10:37:10 +0200
From: Jakub Jelen <jjelen <at> redhat.com>
To: openssh-unix-dev <at> mindrot.org

Hi all,
I was investigating openssh functionality with Smart Cards of different types from different vendors and
there appeared a few problems that it would be great to have solved before the 7.0 release. I filed bugs
for them to keep track of them in the openssh bugzilla:

Bug 2427 - ssh-keygen is trying to read uninitialized slots on smart card (and is failing) [1]
Bug 2429 - ssh-keygen ignores keys that have CKA_ID == 0 [2]
Bug 2430 - ssh-keygen should allow to login before reading public key from smart card [3]

Andrea Dell'Anna | 7 Jul 12:55 2015

x509 cert aliases loading problems using opensc-pkcs11.so

Goodmorning everyone.

I'm writing my first message here so I hope it's the right place to do it.
I'm a Java developer writing a program for Ubuntu and I need to access my Athena smartcard's PKCS#11 features using the opensc-pkcs11.so driver.

There are two x509 certs into the smartcard:
-One is for "non-repudiation" key usage (digital signature)
-the other one is for "Critical" "Signing" "Key Encipherment" (web authentication and encryption)

The sun.security.pkcs11.SunPKCS11 provider is loaded with no problem using the opensc-pkcs11.so driver.
When I load the pkcs11 keystore and I list all the aliases, my code is able to see JUST the alias with "Critical" "Signing" "Key Encipherment" (web authentication and encryption) x509 cert, NOT THE NON-REPUDIATION ONE!!

If I load the pkcs11 keystore using Athena's proprietary smartcard driver (/lib64/libASEP11.so), my code is able to load all my smartcard keystore aliases.

I tried with some other smartcard produced by different vendors (Incard and Siemens). I'm always able to load the sun.security.pkcs11.SunPKCS11 provider using opensc-pkcs11.so.
But I'm able to see the non-repudiation x509 cert only using the proprietary smartcard driver. Why?

Why am I not able to load the "non-repudiation" key usage x509 cert using
opensc-pkcs11.so?
_______________________________________________
Opensc-devel mailing list
Opensc-devel <at> lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/opensc-devel
Frank Morgner | 6 Jul 11:25 2015

Re: C_Login returns CKR_GENERAL_ERROR / SCardBeginTransaction failed: 0x8010001d


Yes, this would at least resolve the memory handling. However, the second copy of the handle would still be
useless, even though release has never been called by the second client.

Do you know how this is solved in Apple's implementation?

On 6 July 2015 09:27:09 CEST, Ludovic Rousseau <ludovic.rousseau <at> gmail.com> wrote:
>2015-07-06 2:07 GMT+02:00 Frank Morgner <morgner <at> informatik.hu-berlin.de>:
>> I think we have two problems here:
>>
>> 1. The only thing we should do is freeing the memory which gets copied
>>    into the child's address space. And that's where I think we have a
>>    problem in pcsc-lite:
>>
>>    I don't know the inner workings of pcsc-lite but I suppose when
>>    calling SCardEstablishContext there will be some memory that can only
>>    be free'd by calling SCardReleaseContext. This memory will exist in
>>    the parent's and in the child's address space. But with David's log
>>    it looks like pcsc-lite has a sanity check that disallows freeing the
>>    same handle twice in SCardReleaseContext.
>
>You are right.
>pcsc-lite allocates some memory on the client side and also on the
>server side.
>After a fork the memory on the client side is duplicated, but nothing
>changes on the server side.
>
>Calling SCardReleaseContext will release the memory on 1 client and on
>the server.
>A second call to SCardReleaseContext will try to free resources on the
>server side but the server will then return an error (resources
>already freed). The memory on the client side will then NOT be freed.
>
>I can change the pcsc-lite code to free memory on the client side
>first before asking the server to free its memory. With this change a
>second call to SCardReleaseContext would still return an error but the
>memory on the client would be freed.
>
>That would solve a memory leak when fork() is used.
>I created a ticket
>https://alioth.debian.org/tracker/index.php?func=detail&aid=315106&group_id=30105&atid=410085
>
>Bye
>
>-- 
> Dr. Ludovic Rousseau
>

-- 
Frank Morgner

Frank Morgner | 6 Jul 02:07 2015

Re: C_Login returns CKR_GENERAL_ERROR / SCardBeginTransaction failed: 0x8010001d

I think we have two problems here:

1. The only thing we should do is freeing the memory which gets copied
   into the child's address space. And that's where I think we have a
   problem in pcsc-lite:

   I don't know the inner workings of pcsc-lite but I suppose when
   calling SCardEstablishContext there will be some memory that can only
   be free'd by calling SCardReleaseContext. This memory will exist in
   the parent's and in the child's address space. But with David's log
   it looks like pcsc-lite has a sanity check that disallows freeing the
   same handle twice in SCardReleaseContext.

2. We should not perform any "terminating" actions on the card when
   detecting a fork. This card belongs to the parent process and we
   should not touch it. That means that calling C_Finalize from
   C_Initialize as currently implemented is not correct.

   In that regard your changes, Nikos, look good, though I'd prefer
   something like `sc_terminate_context` instead of
   `sc_release_context_after_fork`. This would put the focus on the
   desired action (destroy the memory NOW instead of doing some
   additional magic) instead of the circumstances (being called after
   fork). This would raise readability/maintainability, I think.
   However, your current patch still leaks gpriv in reader-pcsc.c
   (because finish is not called).

Right?

On Friday, 3 July, at 10:10, Nikos Mavrogiannopoulos wrote:
> On Wed, May 6, 2015 at 1:37 AM, David Woodhouse <dwmw2 <at> infradead.org> wrote:
> >> Here's a test case. I've verified that it fails with OpenSC with both
> >> a PIV device (Yubikey NEO) and a Feitian ePass PKI token:
> > And this "fixes" it, although obviously it's more of a proof of
> > concept than something we could apply as-is:
> 
> The issue is quite complex because shared resources are not
> distinguished to per-process resources. I've attempted to solve it at
> the C_Finalize() function with the following pull request:
> https://github.com/OpenSC/OpenSC/pull/493
> 
> regards,
> Nikos
> 

-- 
Frank Morgner

Virtual Smart Card Architecture http://vsmartcard.sourceforge.net
OpenPACE                        http://openpace.sourceforge.net
IFD Handler for libnfc Devices  http://sourceforge.net/projects/ifdnfc
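As an added illustration of the two problems Frank lists above and of Ludovic's release ordering (constructed model, not OpenSC or pcsc-lite code), the block below separates "terminate" (free only the client memory that fork() duplicated, leave the parent's server-side context alone) from "finalize" (release the server context too, freeing client memory first so a rejected second release cannot leak it), and shows what a fork check in C_Initialize should do with inherited state. All names (server_release, ctx_establish, simulate_fork, ctx_terminate, ctx_finalize, ctx_initialize) and the pid values are hypothetical.

```c
#define _POSIX_C_SOURCE 200809L   /* for strdup() */
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
/* Toy model of the fork() problem discussed above (constructed example, not
 * OpenSC or pcsc-lite code): a static table stands in for pcscd's server-side
 * state, struct client_ctx for the client state that fork() duplicates. */
#define MAX_SERVER_CTX 4
static int server_in_use[MAX_SERVER_CTX];          /* "pcscd" side */
struct client_ctx {
    pid_t owner_pid;      /* process that established the context */
    int   server_handle;  /* index into the server table */
    char *reader_buf;     /* client heap memory, duplicated by fork() */
};
/* Releasing a handle twice fails, like pcsc-lite's sanity check. */
int server_release(int h) {
    if (h < 0 || h >= MAX_SERVER_CTX || !server_in_use[h]) return -1;
    server_in_use[h] = 0;
    return 0;
}
struct client_ctx *ctx_establish(pid_t pid) {
    struct client_ctx *c = calloc(1, sizeof *c);
    if (!c) return NULL;
    c->owner_pid = pid;
    c->server_handle = -1;
    for (int i = 0; i < MAX_SERVER_CTX && c->server_handle < 0; i++)
        if (!server_in_use[i]) { server_in_use[i] = 1; c->server_handle = i; }
    c->reader_buf = strdup("Constructed Reader 00 00");
    return c;
}
/* Stand-in for fork(): the child gets its own copy of the client state (heap buffer included); the server side is unchanged. */
struct client_ctx *simulate_fork(const struct client_ctx *parent) {
    struct client_ctx *child = malloc(sizeof *child);
    if (!child) return NULL;
    *child = *parent;
    child->reader_buf = strdup(parent->reader_buf);
    return child;
}
/* "Terminate": free only the memory copied into this process; the server
 * context belongs to the parent and is left alone. */
void ctx_terminate(struct client_ctx *c) { free(c->reader_buf); free(c); }
/* "Finalize": the owner's full shutdown. Client memory goes first, so a failed server release (e.g. a second call) cannot leak it. */
int ctx_finalize(struct client_ctx *c) {
    int h = c->server_handle;
    ctx_terminate(c);
    return server_release(h);
}
/* What C_Initialize should do with state inherited across fork():
 * terminate it and start fresh; never finalize the parent's session. */
struct client_ctx *ctx_initialize(struct client_ctx *inherited, pid_t pid) {
    if (inherited && inherited->owner_pid == pid) return inherited;
    if (inherited) ctx_terminate(inherited);
    return ctx_establish(pid);
}
```

In the model the child's ctx_initialize frees only its copy and obtains a fresh server handle, so the parent's later ctx_finalize still succeeds, while a repeated server_release on the same handle is rejected exactly as Ludovic describes.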
Anders Rundgren | 29 Jun 07:34 2015

Smart Card to Web interface

Hi Card-lovers,

The following is NOT a Smart Card to Web interface but a scheme for communicating
between native applications and Web-pages, where such an application for example
could be something related to smart cards like a signature plugin:

     https://github.com/cyberphone/web2native-bridge

The system is a fairly mature prototype running on Chrome/Chromium desktop browsers.

The purpose of the prototype is for concept verification and getting input on the design
of the API etc.  The latter is very important, so you are extremely welcome to test it :-)

Cheers,
Anders

Jean-Marc | 21 Jun 14:25 2015

Belpic - new v1.7 applet

hi,

I made some tests with new eid belgian cards.
Unfortunately, it is not possible to access certs on new cards.
I checked a bit on eid doc' and the new cards have a new applet version v1.7.

Any idea if this new applet will be implemented in OpenSC too?

Regards,

Jean-Marc <jean-marc <at> 6jf.be>
Hammer, Tim | 16 Jun 23:49 2015

"how-to" guide for "external" card drivers?

I have been unable to locate any documentation describing how to create an “external” card driver that is loaded by a directive in the conf file. The “New card driver” example and description seems to be only for a “built-in” driver.


Can someone please help me with a better search string or a pointer to such a document?


Thanks!

--

.Tim

Tim D. Hammer
Software Developer
Global Business & Services Group
Xerox Corporation
M/S 0207-02Z
800 Phillips Road
Webster, NY 14580

Phone: 585/427-1684
Fax:   585/422-7532
Mail:  Tim.Hammer <at> xerox.com


latac | 10 Jun 10:31 2015

Troubles with a Gemalto USB token

Hello

I have troubles with a Gemalto USB token. It is listed as supported
on OpenSC wiki, but OpenSC is unable to use it.

Here is what happens:
$ opensc-tool -n
Using reader with a card: Gemalto USB Shell Token V2 (3F91D002) 00 00
Unsupported card

Here is the configuration:
  USB token "Gemalto USB Shell Token V2 (3F91D002)"

PCSC-lite version:
  pcsc-lite version 1.8.10.
  Copyright (C) 1999-2002 by David Corcoran <corcoran <at> linuxnet.com>.
  Copyright (C) 2001-2011 by Ludovic Rousseau <ludovic.rousseau <at> free.fr>.
  Copyright (C) 2003-2004 by Damien Sauveron <sauveron <at> labri.fr>.
  Report bugs to <muscle <at> lists.musclecard.com>.
  Enabled features: Linux x86_64-pc-linux-gnu serial usb libudev
usbdropdir=/usr/lib/pcsc/drivers ipcdir=/var/run/pcscd
configdir=/etc/reader.conf.d

CCID version:
  CCID 1.4.15

OpenSC version:
  opensc 0.13.0 [gcc  4.8.2]
  Enabled features: zlib readline openssl pcsc(libpcsclite.so.1)

OS version:
  Ubuntu 14.04 LTS
  Linux virtual-ubuntu 3.16.0-36-generic #48~14.04.1-Ubuntu SMP Wed Apr 15
13:11:28 UTC 2015 x86_64 x86_64 x86_64 GNU/Linux

And attached is the pcscd log. 
log.txt <http://opensc.1086184.n5.nabble.com/file/n15367/log.txt>  


J.Witvliet | 3 Jun 16:41 2015

Re: Google's secure micro-SD

-----Original Message-----
From: Anders Rundgren [mailto:anders.rundgren.net <at> gmail.com] 
Sent: Friday 29 May 2015 21:26
To: OpenSC
Subject: [Opensc-devel] Google's secure micro-SD

http://www.cnet.com/news/googles-project-vault-is-a-security-chip-disguised-as-an-micro-sd-card/

This is a pretty strange thing since both ARM and Intel offer built-in security solutions in the CPU itself.

Anders

-----Original Message-----

The most interesting part is that their storage ranges from 8GB to 64GB.
The question remains how secure their "secure solution" is.
Is it just "a system on a chip", or does it really use a crypto co-processor, like they do at smartcard_hsm?

______________________________________________________________________

This message may contain information that is not intended for you. If you are not the addressee or if this
message was sent to you by mistake, you are requested to inform the sender and delete the message. The State
accepts no liability for damage of any kind resulting from the risks inherent in the electronic
transmission of messages.

Dirk-Willem van Gulik | 2 Jun 17:32 2015

Preventing malformed ODFs causing segfaults.

We seem to be a bit trusting of the cruft which can be on a card; found I needed below to stop naughty cards
from causing segfaults (and hence locking subsequent users out of their desktops (a bit of fragility
outside OpenSC)).

Just wondering - is this sort of thing common (and should I scan most of the code for this) — or have I found a
rare case?

Dw.

https://github.com/OpenSC/OpenSC/commit/1061b5ded0edbc6a1f2cb4fd599b7c950ffe18ff

src/libopensc/dir.c
 <at>  <at>  -149,6 +149,10  <at>  <at>  int sc_enum_apps(sc_card_t *card)
 	r = sc_select_file(card, &path, &card->ef_dir);
 	LOG_TEST_RET(ctx, r, "Cannot select EF.DIR file");

+	if (card->ef_dir == NULL) {
+		LOG_TEST_RET(ctx, SC_ERROR_INVALID_CARD, "EF(DIR) nonexistant.");
+	}
+
 	if (card->ef_dir->type != SC_FILE_TYPE_WORKING_EF) {
 		sc_file_free(card->ef_dir);
 		card->ef_dir = NULL;
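Review bot: the new guard in sc_enum_apps is reached only after sc_select_file has returned success, so a NULL card->ef_dir here means the driver's select did not populate the file object, not that EF.DIR is absent; the message "EF(DIR) nonexistant." (also misspelled, should be "nonexistent") will mislead whoever reads the log. Suggest wording along the lines of "EF.DIR selected but no file object returned" plus a one-line comment saying the check defends against drivers that return success without filling the out parameter. Returning SC_ERROR_INVALID_CARD through LOG_TEST_RET is otherwise fine.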

src/libopensc/pkcs15.c
 <at>  <at>  -1044,6 +1044,10  <at>  <at>  sc_pkcs15_bind_internal(struct sc_pkcs15_card *p15card, struct sc_aid *aid)
 			sc_log(ctx, "Cannot make absolute path to EF(ODF); error:%i", err);
 			goto end;
 		}
+		if (p15card->file_odf == NULL) {
+			sc_log(ctx, "After making absolute path to EF(ODF) still no odf.");
+			goto end;
+		}
 		sc_log(ctx, "absolute path to EF(ODF) %s", sc_print_path(&tmppath));
 		err = sc_select_file(card, &tmppath, &p15card->file_odf);
 	}
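Review bot: the NULL check on p15card->file_odf is placed before the sc_select_file(card, &tmppath, &p15card->file_odf) call that is meant to fill it, so in the branch where file_odf has not been set yet it jumps to end before any select is attempted, and with err still holding the success value from sc_pkcs15_make_absolute_path the caller may see a bind that "succeeded" without an ODF. The defensive check belongs after the select: if err == 0 and p15card->file_odf is still NULL, set err to an error code and goto end. Please re-check against the enclosing branch, since only a few context lines are visible here.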
 <at>  <at>  -1059,6 +1063,8  <at>  <at>  sc_pkcs15_bind_internal(struct sc_pkcs15_card *p15card, struct sc_aid *aid)
 		goto end;
 	}

+	assert(p15card->file_odf);
+
 	len = p15card->file_odf->size;
 	if (!len) {
 		sc_log(ctx, "EF(ODF) is empty”);
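Review bot: assert(p15card->file_odf) is the wrong tool for untrusted card content: with NDEBUG it compiles to nothing and the p15card->file_odf->size dereference right below is back, and without NDEBUG it aborts the whole process, which for a PKCS#11 module loaded into a desktop session is exactly the failure mode the message describes. Replace it with a runtime check such as `if (p15card->file_odf == NULL) { err = SC_ERROR_INVALID_CARD; goto end; }`, mirroring the error-and-goto-end pattern already used a few lines above.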

Anders Rundgren | 29 May 21:25 2015

Google's secure micro-SD

http://www.cnet.com/news/googles-project-vault-is-a-security-chip-disguised-as-an-micro-sd-card/

This is a pretty strange thing since both ARM and Intel offer built-in security solutions in the CPU itself.

Anders
