gmane.comp.encryption.opensc.devel

OpenPGP card status?

Daniel Pocock — 2013-06-17T21:36:53


Hi,

I just had a look at this page:

https://www.opensc-project.org/opensc/wiki/SupportedHardware

and it has OpenPGP card below the `Unsupported' heading

Is that still the case?  There appears to be a lot of detail on the
OpenPGP page:
https://www.opensc-project.org/opensc/wiki/OpenPGP

Would it be possible to annotate the unsupported cards with some
comments to distinguish those that will never be supported from those
that are work-in-progress?

Looking at it from the other angle, the OpenSC FAQ took me to this page:
  https://sites.google.com/site/alonbarlev/gnupg-pkcs11

which has a very brief statement about "The GnuPG developers insist of
implementing smartcard support from scratch, what makes a low smartcard
variety" - for an outsider, it's not exactly clear what that means.

Is there any document the explains, at arm's length, the current state
of play with free-software related smart card technology and with some
practical comments about how people can mix-and-match all their
different use cases

OpenSC github Test project

Ludovic Rousseau — 2013-01-01T16:12:14

Hello,

I created a Test [1] project at github. This project is supposed to be
used to test integration of github with other services before
deploying the configuration to a real OpenSC sub-project.

Feel free to use it.
You may need to get access rigths. Just ask on this list.

Bye,

[1] https://github.com/OpenSC/Test

Re: Status of the server migration

Ludovic Rousseau — 2013-01-01T14:45:29

Hello,

2012/12/27 Greg Troxel <gdt< at >ir.bbn.com>:

Good remark.
The sourceforge project now has a link to the github wiki page.

I also created a new "OpenSC Services" page at github wiki are add a
link to that page from the sourceforge project page.


I don't know what that the opensc-project.org domain name will become.
I have no control on it.

Bye

Delete 'staging' branch of github OpenSC/OpenSCproject

Viktor Tarasov — 2012-12-31T14:50:12

Hello,

During considerable time already the master and staging branches have been closely synchronized.
As for me we can close the 'staging' branch.
It's initial role was to be a buffer for the new features,
now this function is fulfilled by the 'master' itself and by the pull-requests branches.

If no objections,
I will remove the 'staging' branch.

Kind regards,
Viktor.

athena javacar ID Protect Client Support

Cyril — 2012-12-29T11:44:55

Hello

I've bought a pair of Athena  Id protect client javacards with an Athena
ASEIIIUSB reader.
The reader is recognized by linux box but I can't access the card.

First question as a newbie, can the reader read other smartcards?
Second, is there a way to handle those Athena Smart cards in OpenSc?
I've spent much time but didn't succeed.

Thanks!!!



The result of pkcs15-tool -L :

------------------------------------------------
Aspire-7730ZG:/usr/lib$ pkcs15-tool -L
Using reader with a card: Athena ASE IIIe [CCID Bulk Interface] 00 00
PKCS#15 binding failed: Unsupported card
------------------------------------------------
The result of pcsc_scan is here :
------------------------------------------------------------------------------------------------
Aspire-7730ZG:/usr/lib$ pcsc_scan
PC/SC device scanner
V 1.4.20 (c) 2001-2011, Ludovic Rousseau <ludovic.rousseau< at >free.fr>
Compiled with PC/SC lite version: 1.8.3
Using reader plug'n play mechanism
Scanning present readers...
0: Athena ASE IIIe [CCID Bulk

Re: Status of the server migration

Peter Stuge — 2012-12-28T15:36:29

You waited and you complained. I wish you would have actually
produced a release branch instead, even if that branch included
nothing at all besides the #69 bugfix which bit ccid. My guess is
that noone would have bothered with a fork if you had done that.

As I have explained several times in places where you have probably
already seen it, if someone had proposed a 1.0.8.1 branch with only
bugfixes then I would have been happy to release it. The idea to
do that myself never occured to me, and while the very loud project
leader of the fork loves to spin rhetoric in an attempt make more out
of that than there really is, the fact remains that nobody came up
with a bugfix release branch.

It's really easy to wait and to complain. It's apparently really hard
to produce something that can be released.



I think that's silly.



<sarcasm>
I don't think we can count on you to make a backup within that time.
</sarcasm>

I hope you agree that my above sarcasm is absolutely ridiculous..


Andreas Jellinghaus wrote:

Re: Status of the server migration

Andreas Jellinghaus — 2012-12-28T07:26:49

2012/12/27 Ludovic Rousseau <ludovic.rousseau< at >gmail.com>:

Sure, that is fine. I'd prefer to shutdown those parts that are
migrated already -
i.e., make the SVN read-only (is this possible), set the mailing lists
to moderated etc.

Andreas

Re: Status of the server migration

Lukas Wunner — 2012-12-27T19:05:06

Hi,

On Thu, Dec 27, 2012 at 04:26:38PM +0100, Ludovic Rousseau wrote:

There's some valuable stuff in Trac like a GemSafeV2 driver which
never got merged (http://www.opensc-project.org/opensc/ticket/267).
Losing that would really be unfortunate.

Kind regards,

Lukas

Re: Status of the server migration

Viktor Tarasov — 2012-12-27T17:35:34

Hello,


On Thu, Dec 27, 2012 at 4:26 PM, Ludovic Rousseau <
ludovic.rousseau< at >gmail.com> wrote:


Sorry, the correct link is:
https://sourceforge.net/p/forge/site-support/2051/



Ok, I see.  I will look around for a different solution.
Probably migrate trac&wiki to my platform .



Currently my platform use the 'opensc.fr' domain name,
but, it can be changed for 'opensc.org', if necessary.



_______________________________________________
opensc-devel mailing list
opensc-devel< at >lists.opensc-project.org
http://www.opensc-project.org/mailman/listinfo/opensc-devel

Re: Status of the server migration

Greg Troxel — 2012-12-27T15:35:55

  All sources, OpenSC and sub-projects, are in github.

A perspective from someone on the outside who is trying to pay
attention:

  It would be helpful if the sourceforge page links to something that is
  part of the future, and points out the github repos, and that there
  are no repos on sourceforge.  If sourceforge is not ok with this then
  a new strategy may be needed :-)

  If the opensc-project.org wiki is going away, it would be good to have
  the front wiki page have a note about that  and pointers to
  sourceforge and github.

_______________________________________________
opensc-devel mailing list
opensc-devel< at >lists.opensc-project.org
http://www.opensc-project.org/mailman/listinfo/opensc-devel

Re: Status of the server migration

Ludovic Rousseau — 2012-12-27T15:26:38

Hello all,

2012/12/26 Viktor Tarasov <viktor.tarasov< at >gmail.com>:


Viktor, this request has been closed the same day you opened it.
It looks like it is not the correct procedure.

I just sent an email on each of the 3 lists to ask users to
resubscribe to the lists at SF.


I don't think we can count on Peter. I had a bad experience on the
libusb project and waited after Peter for a new release during 2 years
before participating to a forked project (libusbx).


I do not like it at all but we may have lose all the bugs reported at
opensc-project.org and start a new collection at github.

If it is possible to do it automatically we may add a comment to every
bug asking the bug reporter to report it again on github if the bug is
still valid.


Martin is busy with other project and real life.
The best we can do is ask him to redirect opensc-project.org to
opensc.org so a web site is still available.


Andreas, can you wait until mid-January before retiring the server so
I have a chance to backup what I can? I a

List opensc-devel migration

Ludovic Rousseau — 2012-12-27T15:08:33

Hello,

You are a subscribed member of the
opensc-devel< at >lists.opensc-project.org mailing list. The server at
opensc-project.org will be shut down soon and all the services need to
migrated to a new home [1] and [2].

An opensc-devel mailing list has been created at SourceForge. Go to
[3] and subscribe again if you want to continue to receive messages
for opensc-announce. We decided NOT to migrate your email
automatically. So you have to resubscribe by hand.

Sorry for the inconvenience.

Regards,

[1] http://sourceforge.net/projects/opensc/
[2] https://github.com/opensc
[3] https://lists.sourceforge.net/lists/listinfo/opensc-devel

Re: Status of the server migration

Viktor Tarasov — 2012-12-26T17:02:58

Hello, merry Christmas,

On Wed, Dec 26, 2012 at 3:56 PM, Andreas Jellinghaus
<andreas< at >ionisiert.de>wrote:



All sources, OpenSC and sub-projects, are in github.

The contributions are passing through the pull-requests.
The pull requests from 'confirmed' contributors are automatically built on
Ubuntu and Windows-Vista (other platforms are coming).
For the other contributors the build of pull request has to be validated by
one of 'admins' .
'Admins' can add contributor to the 'confirmed contributors' list.
The 'admin' operations are accessible through the coded messages in
comments to the pull-request.

Admin can merge pull-request using the github interface,
but, for the sake of linear git's history,
it's preferable to pull the contributor's branch into the local branch,
rebase it if necessary
and push it 'ff-only' to the github's master.





The mailing lists with the same names are created on SF.
The request to import the 'OpenSC' archive (for a while only OpenSC) is
pending.
https://sourceforge.net/trac

Re: Status of the server migration

Peter Stuge — 2012-12-26T16:19:51

No progress, the offer is still good, but no chance of making it
happen before end of year.


//Peter

Status of the server migration

Andreas Jellinghaus — 2012-12-26T14:56:06

Hi,

merry xmas / happy holidays everyone!

If you don't read this in the coming day: all is fine, enjoy your time
off with friends and family or skiing or ...

But for those with time on their hands for open source project work:
can someone summarize the current status of our server migration?

* source code: now all in git on github, right? Does everyone have
access who needs?
  What is the new system, people are asked to push patches to the
mailing list and someone collects them?
  Or should people have their own repo, publish patches there and
someone else pulls them? (more work, maybe not such a good idea)
  Or do we have an rietveld instance somewhere, so people can push
changes there (how?) and they get compile-build-tested?
* mailing lists: no idea what the current status is (i.e. this is a
test mail). Do we have new lists? Subscribers migrated or invited?
  Does this old list still work, or should I shut it down?
* Continuous build: is there a replacement system for the (jenkins?)
system we have/had

OpenSC Windows minidriver reg file for theePass2003

曲博 — 2012-12-24T01:43:46

hello all,
please try it again use the below Registry content.

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Calais\SmartCards\OpenSC ePass2003 ECP]
"ATR"=hex:3b,9f,95,81,31,fe,9f,00,66,46,53,05,00,00,00,71,df,00,00,00,00,00,00
"ATRMask"=hex:ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,00,00,00,ff,ff,ff,ff,00,00,00,00
"Crypto Provider"="Microsoft Base Smart Card Crypto Provider"
"Smart Card Key Storage Provider"="Microsoft Smart Card Key Storage Provider"
"80000001"="opensc-minidriver.dll"




曲博
飞天诚信科技股份有限公司
地址：北京市海淀区学清路9号汇智大厦B座17层
邮编：100085
电话：010 62304466-391
传真：010 62304477
电子邮件：qubo< at >FTsafe.com
网址：http://www.FTsafe.com.cn_______________________________________________
opensc-devel mailing list
opensc-devel< at >lists.opensc-project.org
http://www.opensc-project.org/mailman/listinfo/opensc-devel

Re: Openssl pkcs11-engine using s_client with PIVcard

Matthew Zimmerman — 2012-12-20T16:56:42

Doug, thanks, I got it working now.  Turns out it was the -t I was
throwing to the openssl engine command... I don't know where I saw
that or what it even does, but if I don't use it there's no segfault
and the connection succeeds!  Now to figure out what's different in
the TLS/SSL libraries that both Chromium and Firefox fail...

engine -vvvv dynamic -pre SO_PATH:/usr/lib/engines/engine_pkcs11.so
-pre ID:pkcs11 -pre LIST_ADD:1 -pre LOAD -pre
MODULE_PATH:src/pkcs11/.libs/opensc-pkcs11.so -pre VERBOSE

s_client -engine pkcs11 -connect webserver:443 -CAfile ca.crt -state
-cert cert.01.pem -key 1:01 -keyform engine

On Thu, Dec 20, 2012 at 10:58 AM, Douglas E. Engert <deengert< at >anl.gov> wrote:
Good to know as I kept thinking that it was where/how openssl was
getting the cert that was the issue.

I found that 1:01 works too!

Matt

Re: Segmentation fault in pkcs11-tool

Douglas E. Engert — 2012-12-20T16:30:06


On 12/20/2012 8:04 AM, Anna Pavlova wrote:


You are running it out of the build directory?
That may be a shell script.
The install will get the real pkcs11-tool from
  src/tools/.libs/pkcs11-tool

If you are building, can you use the OpenSC-0.13.0

On Wed, Dec 5, 2012 at 6:23 PM, Greg Troxel <gdt< at >ir.bbn.com> wrote:


       https://github.com/OpenSC/OpenSC/tags
       https://sourceforge.net/projects/opensc/files/OpenSC/
       https://opensc.fr/jenkins/



You are using C++, are your functions declared as C?

I use of the RTLD_LAZY vs RTLD_NOW may make a difference.
Your C_GetFunctionList may be picking up something in the pkcs11-tool or
one of its libraries, when it should be picking up the version in your
library.

Re: Openssl pkcs11-engine using s_client with PIV card

Douglas E. Engert — 2012-12-20T15:58:21


On 12/20/2012 7:54 AM, Matthew Zimmerman wrote:

The OpenSC engine can pull the cert from the card, but it looks like
the OpenSSL c_client does not support using an engine for the cert.
It calls load_cert. Look at the load_cert (vs the load_key) routines
in the OpenSSL src/apps/apps.c It does not recognize FORMAT_ENGINE.

So you have to get the cert off the card in a separate step:

   pkcs15-tool -r 01 > cert.01.pem


For the -key parameter, I have always used slot_1-id_01 for the auth cert.
I had not looked to see if 1:01 works too.

An examples:

openssl << EOT
engine dynamic -vvvv -pre SO_PATH:$OPENSC_ENGINE/engines/engine_pkcs11.so -pre ID:pkcs11 -pre NO_VCHECK:1 -pre LIST_ADD:1 -pre LOAD  -pre MODULE_PATH:$OPENSC_PATH/opensc-pkcs11.so
dgst -engine pkcs11 -keyform engine -sign slot_1-id_02 -c -out /tmp/test.ec.sig.out  fake.ec.key/ec.msg.txt
EOT

Re: Segmentation fault in pkcs11-tool

Anna Pavlova — 2012-12-20T14:04:17

Hi Douglas,


it runs fine under Firefox - it shows the slots and the slotInfo.
Thunderbird I don't have so I didn't try it.


yes, for some strange reason I get

anna< at >anna:~/OpenSC/src/tools$ ldd pkcs11-tool
    not a dynamic executable

That doesn't seem right. I try to find out what's going on.

With my module:

anna< at >anna:~/PKCS11_Project$ ldd libPkcs11.so

linux-gate.so.1 =>  (0xb76f1000)
    libpcsclite.so.1 => /usr/local/lib/libpcsclite.so.1 (0xb73bd000)
    libstdc++.so.6 => /usr/lib/i386-linux-gnu/libstdc++.so.6 (0xb72d2000)
    librt.so.1 => /lib/i386-linux-gnu/librt.so.1 (0xb72c8000)
    libgcc_s.so.1 => /lib/i386-linux-gnu/libgcc_s.so.1 (0xb72aa000)
    libc.so.6 => /lib/i386-linux-gnu/libc.so.6 (0xb7128000)
    libpthread.so.0 => /lib/i386-linux-gnu/libpthread.so.0 (0xb710d000)
    libm.so.6 => /lib/i386-linux-gnu/libm.so.6 (0xb70e3000)
    /lib/ld-linux.so.2 (0xb76f2000)




I made a debug log to show the steps I've done - it's in the attached file
(I left some printouts in the code of a type "T

Openssl pkcs11-engine using s_client with PIV card

Matthew Zimmerman — 2012-12-20T13:54:52

I'm trying to debug an SSL connection to a webserver utilizing my PIV
Authentication Certificate and the associated private key on my card
and I believe I've found a bug in mechanism.c

I *think* I'm doing everything correctly, although documentation on
the engine in openssl are *very* sparse.  Here's how I'm setting up
the connection.

openssl
engine -t dynamic -pre SO_PATH:/usr/lib/engines/engine_pkcs11.so -pre
ID:pkcs11 -pre LIST_ADD:1 -pre LOAD -pre
MODULE_PATH:src/pkcs11/.libs/opensc-pkcs11.so -pre VERBOSE
s_client -engine pkcs11 -connect webserver:443 -CAfile ca.crt -cert
pivauth.crt -certform PEM -key 1:01 -keyform engine -prexit

According to the opensc tools, my card is in slot 1 and my key is id
01.  I'm fairly certain I'm using the -key and -keyform parameters
correctly but I'm not sure of -cert and -certform.  Should I instead
be telling openssl how to pull the cert from my card instead of the
local file (which corresponds with the key?)  How do I do that?  (I've
tried a few ways.)

This will pro