gmane.comp.encryption.opensc.devel

OpenPGP card status?

Daniel Pocock — 2013-06-17T21:36:53


Hi,

I just had a look at this page:

https://www.opensc-project.org/opensc/wiki/SupportedHardware

and it has OpenPGP card below the `Unsupported' heading

Is that still the case?  There appears to be a lot of detail on the
OpenPGP page:
https://www.opensc-project.org/opensc/wiki/OpenPGP

Would it be possible to annotate the unsupported cards with some
comments to distinguish those that will never be supported from those
that are work-in-progress?

Looking at it from the other angle, the OpenSC FAQ took me to this page:
  https://sites.google.com/site/alonbarlev/gnupg-pkcs11

which has a very brief statement about "The GnuPG developers insist of
implementing smartcard support from scratch, what makes a low smartcard
variety" - for an outsider, it's not exactly clear what that means.

Is there any document the explains, at arm's length, the current state
of play with free-software related smart card technology and with some
practical comments about how people can mix-and-match all their
different use cases

OpenSC github Test project

Ludovic Rousseau — 2013-01-01T16:12:14

Hello,

I created a Test [1] project at github. This project is supposed to be
used to test integration of github with other services before
deploying the configuration to a real OpenSC sub-project.

Feel free to use it.
You may need to get access rigths. Just ask on this list.

Bye,

[1] https://github.com/OpenSC/Test

Delete 'staging' branch of github OpenSC/OpenSCproject

Viktor Tarasov — 2012-12-31T14:50:12

Hello,

During considerable time already the master and staging branches have been closely synchronized.
As for me we can close the 'staging' branch.
It's initial role was to be a buffer for the new features,
now this function is fulfilled by the 'master' itself and by the pull-requests branches.

If no objections,
I will remove the 'staging' branch.

Kind regards,
Viktor.

athena javacar ID Protect Client Support

Cyril — 2012-12-29T11:44:55

Hello

I've bought a pair of Athena  Id protect client javacards with an Athena
ASEIIIUSB reader.
The reader is recognized by linux box but I can't access the card.

First question as a newbie, can the reader read other smartcards?
Second, is there a way to handle those Athena Smart cards in OpenSc?
I've spent much time but didn't succeed.

Thanks!!!



The result of pkcs15-tool -L :

------------------------------------------------
Aspire-7730ZG:/usr/lib$ pkcs15-tool -L
Using reader with a card: Athena ASE IIIe [CCID Bulk Interface] 00 00
PKCS#15 binding failed: Unsupported card
------------------------------------------------
The result of pcsc_scan is here :
------------------------------------------------------------------------------------------------
Aspire-7730ZG:/usr/lib$ pcsc_scan
PC/SC device scanner
V 1.4.20 (c) 2001-2011, Ludovic Rousseau <ludovic.rousseau< at >free.fr>
Compiled with PC/SC lite version: 1.8.3
Using reader plug'n play mechanism
Scanning present readers...
0: Athena ASE IIIe [CCID Bulk

List opensc-devel migration

Ludovic Rousseau — 2012-12-27T15:08:33

Hello,

You are a subscribed member of the
opensc-devel< at >lists.opensc-project.org mailing list. The server at
opensc-project.org will be shut down soon and all the services need to
migrated to a new home [1] and [2].

An opensc-devel mailing list has been created at SourceForge. Go to
[3] and subscribe again if you want to continue to receive messages
for opensc-announce. We decided NOT to migrate your email
automatically. So you have to resubscribe by hand.

Sorry for the inconvenience.

Regards,

[1] http://sourceforge.net/projects/opensc/
[2] https://github.com/opensc
[3] https://lists.sourceforge.net/lists/listinfo/opensc-devel

Status of the server migration

Andreas Jellinghaus — 2012-12-26T14:56:06

Hi,

merry xmas / happy holidays everyone!

If you don't read this in the coming day: all is fine, enjoy your time
off with friends and family or skiing or ...

But for those with time on their hands for open source project work:
can someone summarize the current status of our server migration?

* source code: now all in git on github, right? Does everyone have
access who needs?
  What is the new system, people are asked to push patches to the
mailing list and someone collects them?
  Or should people have their own repo, publish patches there and
someone else pulls them? (more work, maybe not such a good idea)
  Or do we have an rietveld instance somewhere, so people can push
changes there (how?) and they get compile-build-tested?
* mailing lists: no idea what the current status is (i.e. this is a
test mail). Do we have new lists? Subscribers migrated or invited?
  Does this old list still work, or should I shut it down?
* Continuous build: is there a replacement system for the (jenkins?)
system we have/had

OpenSC Windows minidriver reg file for theePass2003

曲博 — 2012-12-24T01:43:46

hello all,
please try it again use the below Registry content.

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Calais\SmartCards\OpenSC ePass2003 ECP]
"ATR"=hex:3b,9f,95,81,31,fe,9f,00,66,46,53,05,00,00,00,71,df,00,00,00,00,00,00
"ATRMask"=hex:ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,00,00,00,ff,ff,ff,ff,00,00,00,00
"Crypto Provider"="Microsoft Base Smart Card Crypto Provider"
"Smart Card Key Storage Provider"="Microsoft Smart Card Key Storage Provider"
"80000001"="opensc-minidriver.dll"




曲博
飞天诚信科技股份有限公司
地址：北京市海淀区学清路9号汇智大厦B座17层
邮编：100085
电话：010 62304466-391
传真：010 62304477
电子邮件：qubo< at >FTsafe.com
网址：http://www.FTsafe.com.cn_______________________________________________
opensc-devel mailing list
opensc-devel< at >lists.opensc-project.org
http://www.opensc-project.org/mailman/listinfo/opensc-devel

Openssl pkcs11-engine using s_client with PIV card

Matthew Zimmerman — 2012-12-20T13:54:52

I'm trying to debug an SSL connection to a webserver utilizing my PIV
Authentication Certificate and the associated private key on my card
and I believe I've found a bug in mechanism.c

I *think* I'm doing everything correctly, although documentation on
the engine in openssl are *very* sparse.  Here's how I'm setting up
the connection.

openssl
engine -t dynamic -pre SO_PATH:/usr/lib/engines/engine_pkcs11.so -pre
ID:pkcs11 -pre LIST_ADD:1 -pre LOAD -pre
MODULE_PATH:src/pkcs11/.libs/opensc-pkcs11.so -pre VERBOSE
s_client -engine pkcs11 -connect webserver:443 -CAfile ca.crt -cert
pivauth.crt -certform PEM -key 1:01 -keyform engine -prexit

According to the opensc tools, my card is in slot 1 and my key is id
01.  I'm fairly certain I'm using the -key and -keyform parameters
correctly but I'm not sure of -cert and -certform.  Should I instead
be telling openssl how to pull the cert from my card instead of the
local file (which corresponds with the key?)  How do I do that?  (I've
tried a few ways.)

This will pro

OpenSC Windows minidriver reg file for the ePass2003

Jean-Michel Pouré - GOOZE — 2012-12-20T11:20:36

Dear all,

Can anyone help me set the correct value for the ePass2003 mini driver
registry:http://download.gooze.eu/pki/opensc/windows/minidriver/exported-ePass2003.reg

The content of the file is:

**************************************
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Calais\SmartCards
\OpenSC ePass2003 ECP]
"ATR"=hex:3b,9f,95,81,31,fe,9f,00,66,46,53,05,01,00,11,71,df,00,00,03,6a,82,f8
"ATRMask"=hex,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff
"Crypto Provider"="Microsoft Base Smart Card Crypto Provider"
"Smart Card Key Storage Provider"="Microsoft Smart Card Key Storage
Provider"
"80000001"="opensc-minidriver.dll"
************************************

opensc-tool --atr
Using reader with a card: Feitian ePass2003 00 00
3b:9f:95:81:31:fe:9f:00:66:46:53:05:01:00:11:71:df:00:00:03:6a:82:f8

What is missing in my reg file to make the mini-driver work?

Kind regards,
Jean-Michel POURE

Segmentation fault in pkcs11-tool

Anna Pavlova — 2012-12-17T13:01:29

Hello,

I am new to OpenSC but I was looking for a 3rd party tool with which I
could test my self-developed pkcs11 library and I came across the OpenSC
pkcs11-tool.

I installed OpenSC under Ubuntu11.10, following
http://www.gooze.eu/howto/smartcard-quickstarter-guide/opensc-installation-under-gnu-linux
 everything went fine, but when I wanted to run the pkcs11-tool:


I got segmentation fault.

I was able to find the place where the code crashed. In pkcs11-tool.c the
line (558):

rv = p11->C_Initialize(NULL);

seem to crash. The message is just "Segmentation fault"

The module loads apparently fine.
module = C_LoadModule(opt_module, &p11);  //no error here

The problem is, that in my pkcs11 library I put an error message at the
very beginning of the C_Initialize function, but not even this is printed
out. So I don't think the crash comes from my library. I turned on the
creation of a log file in my pkcs11 library, but not even my pkcs11 library
log file is created.


I tried to google this problem and found

How to compile opensc in windows?

Rns Course — 2012-12-12T14:53:00

Hello

I need to compile opensc-0.11.3. 
On this page:
http://www.opensc-project.org/opensc/wiki/WindowsInstaller


The command "x86: SetEnv.cmd /x86 /Release and nmake /f win32\Makefile.msc LOC="-DASMV -DASMINF" OBJA="inffas32.obj match686.obj" zlib.lib" 
is written, while there's not Makefile.msc file in the package. There is  a Makefile.mak in it.

Could you tell me how I should compile it on windows?

THX
_______________________________________________
opensc-devel mailing list
opensc-devel< at >lists.opensc-project.org
http://www.opensc-project.org/mailman/listinfo/opensc-devel

Changing Admin PIN on PIV card

Ravneet Singh Khalsa — 2012-12-12T02:06:23

Hi,

 

Does there any tool or API exists to change Admin PIN on Gemalto PIV Cards ?

 

Thanks.

 

_______________________________________________
opensc-devel mailing list
opensc-devel< at >lists.opensc-project.org
http://www.opensc-project.org/mailman/listinfo/opensc-devel

OpenSC Wiki in github

Viktor Tarasov — 2012-12-11T15:17:30

Hello,

for a while we have no news about migration of trac&wiki to the dedicated
platform.

Meanwhile, waiting for better solution, I migrated OpenSC wiki to github
[1] .
(Only wiki pages, not tickets.)

The OpenSC Wiki pages in github are converted into 'textile' format.

The rapid script used for this conversion, the archives with the dump of
the OpenSC sub-project wiki pages and
wiki attachments are also present in wiki repository. (Files are not
accessible with GUI -- you need to clone repository. [2])
Using these files and archives the Wiki of the other OpenSC sub-projects
can be also migrated to github.

I do not yet looked 'manually' through all the wiki pages to update
existing, suppress obsolete or add new information.

I will do it gradually and invite you as well to participate in this
exciting activity, if you have will, possibility, time, etc...
If you notice any 'systematic' conversion error, tell me please, I will
change the conversion script and re-submit the pages .

Kind regards,
Viktor.

Aladdin eToken Pro 64k (regression?) - insecure keys and >1 User PIN configurations don't seem to work

Mike Kazantsev — 2012-12-11T14:09:47

Hi,


Summary: either I'm doing something wrong or with current (and
more generally >0.12.0) OpenSC, Aladdin eToken Pro 64k devices seem to
work only with a single User PIN and secure keys.


I have a bunch of Aladdin eToken Pro 64k USB tokens and have been using
one of them with OpenSC for a few years now.

My use-case settled on generally having one "secure" key with PIN and
one "convenience" key with no PIN, used as a second factor where no
authentication would've been used otherwise.

Unfortunately, it looks like I've locked it down yesterday, entering
too many PUK's for User PIN in a row (and I think I forgot the PUK).

(btw, I do remember SO PIN/PUK and they seem to work, am I correct in
the assumption that User PIN and related keys can't be recovered from it
with this token?)


Creating simiilar configuration with OpenSC 0.13.0 (and 0.12.2, though
due to different known issue, where OpenSC fails to query PINs from
non-pinpad) proved to be quite impossible - insecure keys don't seem to
work when create

Muscle smart card Applet various versions from M.U.S.C.L.E. and OpenSC

Douglas E. Engert — 2012-12-10T20:31:32

I am not using the Muscle card applet, but was looking looking at the OpenSC
debug log for this thread:
Re: [opensc-devel] The smart card reader is known as "VMware Virtual USB CCID 00 00" in linux ??!!

The OpenSC card-muscle.c (0.12.2 or 0.13.0) is looking for PROTO_VERSION_MAJOR=1

The author of the original note said:
  > I've loaded and initialized Muscle applet (0.9.11) on it.

This appears in the log that GET_STATUS is returning: 00 01 00 05 ...
i.e. PROTO_VERSION_MAJOR=0, PROTO_VERSION_MINOR=1

This version from 2003-12-19, does not sound like the latest to me...

Yet in the Muscle CVS archives:
   http://anonscm.debian.org/viewvc/muscleplugins/trunk/MCardApplet/
as of 4 years ago has version.properties has:

   APPLET_VERSION_MAJOR=0
   APPLET_VERSION_MINOR=9

   PROTO_VERSION_MAJOR=1
   PROTO_VERSION_MINOR=3

And there have been changes in the SVN 9 months ago, 2 years ago and
3 years ago, which are not reflected in the Download page:
   https://alioth.debian.org/frs/?group_id=30111

Can the downlo

pam_pkcs11 with many certificates on a single token

2012-12-10T11:11:44

Hello,

I use pam_pkcs11 0.6.8 with libcurl but without nss. My tokens works fine but they can contain 4 or 5 certificates (with corresponding rsa keys).

My certificates are not all from the same PKI, so they are not certified by the same ACs.

The problem I encounter with pam_pkcs11 is that if the first certificate it tries to verify is not certified by ACs I installed on my workstation, I got an error 2328 because verify_certificate() return -4 and pam_pkcs11 stops (line 584 of src/pam_pkcs11/pam_pkcs11.c : goto auth_failed_nopw;), not trying to verify others certificates in my token. I do not really want to install all ACs (including CRLs, ...) of my certificates of my token on every workstations.

I tried to add a "continue;" in pam_pkcs11.c in the switch test for the error 2328 : if verify_certificate() returns -4, pam_pkcs11 prints the error message "error 2328: ..." and with the continue command, pam_pkcs11 continues to process the next certificates and everything works great.

Maybe I missed somethi

Food for thought on C coding style

Martin Paljak — 2012-12-10T10:26:48

Hello,

https://www.securecoding.cert.org/confluence/display/seccode/CERT+C+Secure+Coding+Standard

Martin

Building github pull request

Viktor Tarasov — 2012-12-09T10:16:37

Hello,

now the github pull requests (PR) to OpenSC/OpenSC are/can-be checked automatically for building on Ubuntu and Vista.
At the moment this feature is installed to help the contributors to reveal the compilation errors
on the platforms that they do not used to manage (mostly Windows).

Some restrictions in permissions to run the build on the PR's merged repository
are due to the implementation of jenkins plugin "Github pull request builder" [1]:
- PRs from the github OpenSC organization members are built automatically, these members are 'admins';
- PRs from the users present in the CI internal 'whitelist' are built automatically;
- for the PRs from the other contributors jenkins CI adds the PR comment "Can one of the admins verify this patch?"
   to attract the attention of 'admins';
- using the codified comments to PR, 'admins' can add user to the 'whitelist' or (re)run the test;

Codified messages:
- "ok to test" -- authorization to run the test on merged repository;
- "add to whitelist" -- add user t

how to obtain an sc_profile pointer (in pkcs15-tool)?

Anthony Foiani — 2012-12-08T22:46:04

Greetings.

As a part of debugging my current issue, I was looking for a way to
delete objects from a token.  I didn't find one, so I thought I'd try
to add it.

I think that I got very close, but I was unable to determine how to
retrieve the profile pointer.

My efforts so far are here:

https://github.com/tkil/OpenSC/tree/pkcs15-tool-add-del-path

More specifically, I am trying to find the correct sc_profile * in
function delete_path:
https://github.com/tkil/OpenSC/blob/pkcs15-tool-add-del-path/src/tools/pkcs15-tool.c#L1385

Hopefully this will be unnecessary after we figure out how I'm abusing
the tools to corrupt my token, but I thought that others might find it
useful (if they can figure out the profile pointer business).

Thanks again for the great library; hopefully this little contribution
is helpful, and not creating more work for you all...

Best regards,
Anthony Foiani

a few more trivial patches

Anthony Foiani — 2012-12-08T22:39:27

Greetings --

I have two small patches which you might want to consider integrating.

(And given that I can't get git to do what I want, you probably want
to just cherry-pick these, as I suspect I've completely destroyed my
repo history...)

https://github.com/tkil/OpenSC/commit/0c4a2e0c4063f31bc41c34e45869b9a9e7ca41d7
This uses "dir local" settings to configure Emacs indentation correctly.

https://github.com/tkil/OpenSC/commit/599bd1e6c906af63eb379c866076f98a91654cb2
I spotted an inconsistency in how the option argument pointers were
initialized; this fixes it (to make it more consistent).

Best Regards,
Anthony Foiani

inconsistency between pkcs11-tool and pkcs15-tool

Anthony Foiani — 2012-12-08T10:10:23

Greetings!

I'm experimenting with a CardContact HSM, and I'm finding some
peculiar results when trying to install multiple certificates on the
token.  Loading three certificates onto the token seemed to work, but
when I went to remove them, things fell apart.

I think that the crux of the problem is that pkcs11-tool shows only one object:

  $ tool="pkcs11-tool --module opensc-pkcs11.so --login --pin 648219"

  $ $tool -O
  Using slot 1 with a present token (0x1)
  Private Key Object; RSA
    label:      Foo2A
    ID:         0f48886a19793c9e
    Usage:      decrypt, sign, unwrap

But the pkcs15-tool shows quite a few more:

  $ pkcs15-tool -D
  [...]

  Private RSA Key [Foo2A]
          Object Flags   : [0x3], private, modifiable
          Usage          : [0x2E], decrypt, sign, signRecover, unwrap
          Access Flags   : [0x1D], sensitive, alwaysSensitive,
neverExtract, local
          ModLength      : 2048
          Key ref        : 1 (0x1)
          Native         : yes
          Path           : e82