gmane.comp.encryption.opensc.devel

Re: Import X.509 certificate via Firefox?

helpcrypto helpcrypto — 2012-05-16T15:24:01

I suggest you having a look at https://developer.mozilla.org/en/PKCS11_Implement

But probably pkcs11-spy and "on the fly" developing will be easier.
And remember CKA_ID for mozilla is public key hash :)


AFAIK, If the card is not present, it automatically uses softoken, but
if a card is present and is not read-only, it shows a dialog to
select.


Anyhow, ask on dev-tech-crypto< at >lists.mozilla.org ;)

Re: Import X.509 certificate via Firefox?

Ludovic Rousseau — 2012-05-16T12:08:09

2012/5/16 Nguyễn Hồng Quân <quannguyen< at >mbm.vn>:

Hello,


You should use the pkcs11-spy tool [1] provided with OpenSC. It will
display all the C_* calls made by firefox. So you will know what to
implement to support what you want.

Bye

[1] https://www.opensc-project.org/opensc/browser/OpenSC/src/pkcs11/pkcs11-spy.c

Import X.509 certificate via Firefox?

Nguyễn Hồng Quân — 2012-05-16T08:35:39

Hello all,

I'm supplementing OpenPGP card support for OpenSC.
I did some changes in OpenPGP driver and PKCS15 interface to make 
Firefox and Thunderbird read the X.509 certificate stored in the OpenPGP 
card (succeed). Now I want to make Firefox to import certificate to 
OpenPGP card (I implemented write support for OpenPGP driver already), I 
have some question to need your help:

- When Firefox import certificate, which C_* functions in PKCS#11 module 
will be called?
- What is the action flow from the C_* functions in PKCS#11 to the driver?
- Currently, after select *.p12 file, Firefox automatically assume the 
destination as Software Security Device (SSD), instead of asking me 
where to import (SSD or Smartcard...). There may be due to something 
missing in the PKCS-card_driver code. Can you point me what I need to 
implement to make Firefox know that "there are another place to import 
than the built-in SSD"?

Thanks

Re: help Me I'm beginner

Douglas E. Engert — 2012-05-14T20:05:31


On 5/11/2012 12:45 PM, hamed izadi wrote:

Have you considered:
   http://windows.microsoft.com/en-PH/windows-vista/Use-a-smart-card-for-file-encryption

Then use the OpenSC mindriver to access smart cards supported by OpenSC?
   http://www.opensc-project.org/opensc/wiki/MiniDriver

Or:
  http://en.wikipedia.org/wiki/FreeOTFE
Then use OpenSC's PKCS#11.

help Me I'm beginner

hamed izadi — 2012-05-11T17:45:46

Hi
I'm new in PKCS11 and want to create an app under windows platform. the
main goal of this app is to encrypt, decrypt  and wipe off files.
I'm trying to use pkcs11 for two factor authentication and use pkcs11
module for this reason. how can I do that? is it possible with libp11.h
that have presented in site?" if yes how? Please guide me.
I know my question is unusual but I trust  your kindness and wait for your
answer.
sorry I'm so poor in English.
best regards.

Re: flex.profile missing and PIN-EIntry broken

Viktor Tarasov — 2012-05-09T15:50:30

Little addition.

On Wed, May 9, 2012 at 5:45 PM, Viktor Tarasov <viktor.tarasov< at >gmail.com>wrote:


... beside the missing flex.profile problem.
_______________________________________________
opensc-devel mailing list
opensc-devel< at >lists.opensc-project.org
http://www.opensc-project.org/mailman/listinfo/opensc-devel

Re: flex.profile missing and PIN-EIntry broken

Viktor Tarasov — 2012-05-09T15:45:52

Hello,


On Sun, May 6, 2012 at 11:20 AM, Peter Koch <pk< at >opensc-project.org> wrote:



Are you expecting to use PIN-pad reader with the pkcs15-init tool ?
Have you tried with the non-pinpad reader ?
What package, version are you using ?

'For-me-it-works" with CryptoFlex-16k, non-pinpad reader and
latest MSI (32bits) of the OpenSC 'secure-messaging' branch.

With PIN-pad  the 'pkcs15-init -C' prompts to enter SOPIN at the command
line.
Not sure that it's a bug, not sure that pkcs15-init *has* to work with
pin-pad.

PinPad (Gemalto's PC PinPad reader) works properly when trying to verify
PIN in opensc-explorer.





Kind regards,
Viktor.


Kind regards,
Viktor.


_______________________________________________
opensc-devel mailing list
opensc-devel< at >lists.opensc-project.org
http://www.opensc-project.org/mailman/listinfo/opensc-devel

Re: Fix a crash when trying to list objects viaopensc-pkcs11

Viktor Tarasov — 2012-05-07T10:35:44

Hello Nguyễn,

Le 07/05/2012 10:42, Nguyễn Hồng Quân a écrit :

This card is not natively PKCS#15 card, and emulator is used to expose the pkcs#15 objects.
If you definitively need to deal with the non-initialized card, imho,
you have to review it's emulator part (libopensc/pkcs15-openpgp.c) .


Kind regards,
Viktor.


_______________________________________________
opensc-devel mailing list
opensc-devel< at >lists.opensc-project.org
http://www.opensc-project.org/mailman/listinfo/opensc-devel

Re: Fix a crash when trying to list objects viaopensc-pkcs11

Nguyễn Hồng Quân — 2012-05-07T08:42:16

Hi Viktor,

I've updated the openpgp-card.c and the select_file() now returns right
error "Data object not found".
However, in the final list, the missing pub key still be listed (see the
attached log).

Is anything wrong with the PKCS15 common part?

Thanks,

On 05/05/2012 07:29 PM, Viktor Tarasov wrote:

Re: Fix a crash when trying to list objects viaopensc-pkcs11

Nguyễn Hồng Quân — 2012-05-07T07:26:34

Hi Viktor,

Sorry for the late answer for "type" and "ef_structure" question. In
that case, the type is SC_FILE_TYPE_WORKING_EF and the ef_structure is
SC_FILE_EF_TRANSPARENT.

On 05/05/2012 07:29 PM, Viktor Tarasov wrote:

flex.profile missing and PIN-EIntry broken

Peter Koch — 2012-05-06T09:20:22

Hi

I just tried to erase my old Cryptoflex card an recreate a PKCS#15-structure
under Windows.

First problem was: flex.profile was missing - here's the relevant debug
output from pkcs15-init -Cvvv

2012-05-06 10:57:54.577 Trying profile file C:\Programme\OpenSC
Project\OpenSC\profiles\pkcs15.profile
2012-05-06 10:57:54.577 profile C:\Programme\OpenSC
Project\OpenSC\profiles\pkcs15.profile loaded ok
2012-05-06 10:57:54.577 [pkcs15-init] profile.c:380:sc_profile_load:
returning with: 0 (Success)
2012-05-06 10:57:54.587 [pkcs15-init] profile.c:327:sc_profile_load: called
2012-05-06 10:57:54.587 Using profile directory 'C:\Programme\OpenSC
Project\OpenSC\profiles'.
2012-05-06 10:57:54.587 Trying profile file C:\Programme\OpenSC
Project\OpenSC\profiles\flex.profile
2012-05-06 10:57:54.598 profile C:\Programme\OpenSC
Project\OpenSC\profiles\flex.profile loaded ok
2012-05-06 10:57:54.598 [pkcs15-init] profile.c:373:sc_profile_load:
returning with: -1201 (File not found)
2012-05-06 10:57:54.598 Failed to load prof

Re: Fix a crash when trying to list objects viaopensc-pkcs11

Viktor Tarasov — 2012-05-05T12:29:46

Le 05/05/2012 07:14, Nguyễn Hồng Quân a écrit :

First of all,
I do not know openpgp card and do not have this card to make the tests.

Afaiu, the 'child' and it's 'ID' are the openpgp specific features that do not have any relation to the 7816 standards.
They has to be hidden from the common OpenSC library part by the openpgp card's driver.

The authors of openpgp driver could explain better,
by from my point of view,
if the blob cannot be read, pgp_select() has to return 'file-not-found' or other error.
In any case with such openpgp internal errors there is no possibility to return a valid FCP/FCI and valid file length.

Looking onto the code I suppose that the FCP returned by pgp_select(public-key) belongs in fact to MF (or intermediate DF).
That's for, in my previous mail, I asked you
what are the 'type' and 'ef-structure' of the sc_file data returned by 'successful' pgp_select() ?



_______________________________________________
opensc-devel mailing list
opensc-devel< at >lists.opensc-project.org
htt

Re: Fix a crash when trying to list objects viaopensc-pkcs11

Nguyễn Hồng Quân — 2012-05-05T05:14:58

Thanks Viktor,

I found the defect at the function pgp_get_blob() in card-openpgp.c. 
There are lines:

if (child->id == id) {
(void) pgp_read_blob(card, child);
*ret = child;
return SC_SUCCESS;

The problem is either:
1. The child blob does not exist, but there still exists its ID.
2. The result of pgp_read_blob(card, child) is not checked.

This function is called by file_select and because it returns SUCCESS, 
it makes file_select SUCCESS although the blob does not exist.

I think fixing 1 is better. What do you think? (Or the ID is 
pre-defined?)

I'm new (and this driver was not written by me), so I'm grateful to 
receive your guidance.

On Fri 04 May 2012 08:18:58 PM ICT, Viktor Tarasov wrote:

--
Regards,
Quân
_______________________________________________
opensc-devel mailing list
opensc-devel< at >lists.opensc-project.org
http://www.opensc-project.org/mailman/listinfo/opensc-devel

Re: Fix a crash when trying to list objects viaopensc-pkcs11

Viktor Tarasov — 2012-05-04T13:18:58

Hello Nguyễn,


On Fri, May 4, 2012 at 12:04 PM, Nguyễn Hồng Quân <quannguyen< at >mbm.vn> wrote:

It's not going about the key files
but about the openpgp specific select_file() method.

Without longly looking into specifications, let us postulate -- valid
'selectable' EF should have length more then zero.
With this rule, your select_file(EF) procedure should not return SUCCESS if
it cannot get valid FCP and file length.

By the way,
what are the 'type' and 'ef_structure' of the sc_file data returned by this
'select' ?

To resume,
as for me it should be case 'return error'.



_______________________________________________
opensc-devel mailing list
opensc-devel< at >lists.opensc-project.org
http://www.opensc-project.org/mailman/listinfo/opensc-devel

Re: Buffer is not sufficient for extended APDU

Martin Paljak — 2012-05-04T10:36:27

Hello,
On Fri, May 4, 2012 at 8:05 AM, Nguyễn Hồng Quân <quannguyen< at >mbm.vn> wrote:
It has not been autoamtically allocated, if you look in
opensc-explorer.c you see:

        u8 rbuf[SC_MAX_APDU_BUFFER_SIZE];

Which is, indeed, defined as 261

There is also a different define for extended APDU-s:
SC_MAX_EXT_APDU_BUFFER_SIZE (64kB)


It is not a bug in apdu.c, but a deficiency in opensc-explorer. The
simplest would be to extend all buffers in opensc-explorer.c
application to use the extended APDU buffer, but it feels somewhat
wasting (not a real concern on PC-s, where it is supposed to be run
anyway)

As extended APDU-s might not work with all cards or in all readers or
under other certain circumstances, it would be best to have a
flipswitch command in opensc-explorer to turn the extended APDU mode
on or off, and turning it on might fail, if some tests fail (like T=0
is being used, which could be then switched to T=1 mode if the card
did both, or if the reader did not support extended APDU-s etc).

In fa

Re: Fix a crash when trying to list objects viaopensc-pkcs11

Nguyễn Hồng Quân — 2012-05-04T10:04:22

Hi Viktor,

The case in this log is that the card is not initialised. It contains 
no key. That is the reason why
the blob read failed, the file length is zero, the read binary returned 
zero and final, a key with zero length modulus.

I think what behavior for this case is conventional. When the card 
contains no key, should OpenSC:
- return error
- see it normal and notify: "No key"
- see it normal and notify: Valid key with zero attributes (modulus 
length if pubkey).

I'm new to OpenSC and I have no other card (but my CryptoStick) to 
test, I don't know what behavior the team agreed for this case. Can you 
let me know?

Observing the situation when the private key does not exist, it seems 
that the 3rd behavior is being adopted:

    $ pkcs11-tool --module=/usr/lib/opensc-pkcs11.so -O -l
    Using slot 1 with a present token (0x1)
    Logging in to "OpenPGP Card (Signature PIN)".
    Please enter User PIN:
    Private Key Object; RSA
      label:      Signature key
      ID:         01
      Usage:

Buffer is not sufficient for extended APDU

Nguyễn Hồng Quân — 2012-05-04T05:05:44

Hello all,

I tried to send extend APDU in opensc-explorer with this command:
apdu 00CA0065000800
and found that the command failed due to insufficient buffer, which had
been automatically allocated:

(The line starting with ">>" is manually added to code by me to track
the process)

Do we consider this a bug?

Re: new release?

Jean-Michel Pouré - GOOZE — 2012-05-03T13:24:20

Dear Peter. 

I hope that we will be switching from peer-review to
community-assisted-review, which means automatic testing tools.

As  Viktor wrote, we have to take into account that there is limited
Human Resources for OpenSC and that we need to go fast to reach a large
audience.

Kind regards,

Re: Fix a crash when trying to list objects viaopensc-pkcs11

Viktor Tarasov — 2012-05-03T12:32:38


Effectively,
there is an insufficient control of the pkcs15/11 object validity in the
common part.

In more details I will look during the weekend,
but, I guess that you have to review the openpgp card driver
(card-openpgp.c) .

According to logs,
it tries to read the file blob inside the pgp_select(),
fails, but nevertheless the pgp_select returns SUCCESS .
Is it wanted behavior?

The returned selected file has zero length,
binary read of zero bytes returns SUCCESS (with zero length it do not even
try to access the card).
and finally there is a valid public key object with zero length modulus.



_______________________________________________
opensc-devel mailing list
opensc-devel< at >lists.opensc-project.org
http://www.opensc-project.org/mailman/listinfo/opensc-devel

Re: Fix a crash when trying to list objects viaopensc-pkcs11

Nguyễn Hồng Quân — 2012-05-03T10:38:11

Hi,
I would like to resend the gzipped log file:

On Thu 03 May 2012 05:35:53 PM ICT, Nguyễn Hồng Quân wrote:

--
Regards,
Quân
_______________________________________________
opensc-devel mailing list
opensc-devel< at >lists.opensc-project.org
http://www.opensc-project.org/mailman/listinfo/opensc-devel

Fix a crash when trying to list objects viaopensc-pkcs11

Nguyễn Hồng Quân — 2012-05-03T08:36:07

Hello every one,

I've just committed a patch to fix a crash of opensc-pkcs11 when I
tested with CryptoStick.
Please review: https://github.com/OpenSC/OpenSC/pull/31