From: Ferdinand R. <ra...@we...> - 2015-11-08 20:08:57
Dear all,

I am trying to get PDF signatures to work with LibreOffice 5.0 and my D-TRUST card 3.0, which requires a properly set up Mozilla NSS, which in turn requires OpenSC. I access the card via a USB smart card reader "ReinerSCT cyberJack RFID komfort" on Debian Jessie Linux with OpenSC 0.15.0.

The card is listed here, but not explicitly marked as supported: https://github.com/OpenSC/OpenSC/wiki/German-ID-Cards

The card is (probably) a Starcos 3.4 type card; therefore, I compiled OpenSC 0.15.0 with the following patch: https://github.com/OpenSC/OpenSC/pull/357

The result is as follows:

1. I can see the certificates on the card in Mozilla NSS after entering my PIN number on the reader's pinpad.

2. I can select a certificate for signing in LibreOffice. Then, I am asked for my PIN both in a dialog on screen and again on the reader's pinpad. The reader's display says "PIN correct" and there is no error message, but no signature is applied to the document.

3. Alternatively, I tried signing an e-mail in Thunderbird. The result is slightly different: When sending the e-mail, I am prompted to enter my PIN on the reader's pinpad. The reader's display says "PIN correct", but the signing fails with the following error message: "Sending message failed. You specified that this message should be digitally signed, but the application either failed to find the signing certificate specified in your Mail & Newsgroups Account Settings, or the certificate has expired."

Needless to say, the certificate has not expired.

Please find below the output of several common commands. Could someone please confirm that

a) the card is suitable for this kind of digital signature in principle
b) the card is not supposed to work with OpenSC 0.15.0 without the aforementioned patch
c) the card is supposed to work with OpenSC 0.15.0 with the patch and all future versions including the patch

If someone can help with the troubleshooting, that would be awesome. Just getting definitive answers to the above a), b), c) would be a really good starting point, though.

Best regards, and thanks in advance,
Ferdinand

> $ opensc-tool -i
> OpenSC 0.15.0 [gcc 4.9.2]
> Enabled features: zlib readline openssl pcsc(libpcsclite.so.1)
----------------------
> $ opensc-tool --list-readers
> # Detected readers (pcsc)
> Nr. Card Features Name
> 0 Yes PIN pad REINER SCT cyberJack RFID komfort (4694896162) 00 00
----------------------
> $ opensc-tool --name
> Using reader with a card: REINER SCT cyberJack RFID komfort (4694896162) 00 00
> STARCOS SPK 3.4
----------------------
> $ opensc-tool --atr
> Using reader with a card: REINER SCT cyberJack RFID komfort (4694896162) 00 00
> 3b:d8:18:ff:81:b1:fe:45:1f:03:80:64:04:1a:b4:03:81:05:61
----------------------
> $ pkcs11-tool --list-slots
> Available slots:
> Slot 0 (0xffffffff): Virtual hotplug slot
> (empty)
> Slot 1 (0x1): REINER SCT cyberJack RFID komfort (4694896162) 00 00
> token label : D-TRUST Card V3.0 standard 2ga (
> token manufacturer : D-TRUST GmbH (C)
> token model : PKCS#15
> token flags : rng, login required, PIN initialized, PIN pad present, token initialized
> hardware version : 0.0
> firmware version : 0.0
> serial num :
> Slot 2 (0x2): REINER SCT cyberJack RFID komfort (4694896162) 00 00
> token label : D-TRUST Card V3.0 standard 2ga (
> token manufacturer : D-TRUST GmbH (C)
> token model : PKCS#15
> token flags : rng, login required, PIN initialized, PIN pad present, token initialized
> hardware version : 0.0
> firmware version : 0.0
> serial num :
----------------------
> $ pkcs11-tool --list-objects
> Using slot 1 with a present token (0x1)
> Public Key Object; RSA 2048 bits
> label: D-TRUST Authentication Key
> ID: 11
> Usage: encrypt, verify, wrap
> Certificate Object, type = X.509 cert
> label: D-TRUST Authentication Key
> ID: 11
> Certificate Object, type = X.509 cert
> label:
> ID: 2d333730343631303735333036303830313534
> Public Key Object; RSA 2048 bits
> label:
> ID: 2d333730343631303735333036303830313534
> Usage: encrypt, verify
> Certificate Object, type = X.509 cert
> label:
> ID: 2d32303036363939383139343731343534393238
> Public Key Object; RSA 2048 bits
> label:
> ID: 2d32303036363939383139343731343534393238
> Usage: encrypt, verify
----------------------
> $ pkcs15-tool -D
> Using reader with a card: REINER SCT cyberJack RFID komfort (4694896162) 00 00
> PKCS#15 Card [D-TRUST Card V3.0 standard 2ga]:
> Version : 0
> Serial number :
> Manufacturer ID: D-TRUST GmbH (C)
> Flags : Login required, EID compliant
>
> PIN [PIN1]
> Object Flags : [0x3], private, modifiable
> Auth ID : 03
> ID : 01
> Flags : [0x833], case-sensitive, local, initialized, needs-padding, exchangeRefData
> Length : min_len:6, max_len:8, stored_len:8
> Pad char : 0xFF
> Reference : 1 (0x01)
> Type : iso 9664-1
> Path : a000000063504b43532d3135::
>
> PIN [PUK1]
> Object Flags : [0x3], private, modifiable
> ID : 03
> Flags : [0x873], case-sensitive, local, initialized, needs-padding, unblockingPin, exchangeRefData
> Length : min_len:8, max_len:8, stored_len:8
> Pad char : 0xFF
> Reference : 1 (0x01)
> Type : iso 9664-1
> Path : a000000063504b43532d3135::
>
> PIN [PIN2]
> Object Flags : [0x3], private, modifiable
> Auth ID : 04
> ID : 02
> Flags : [0x833], case-sensitive, local, initialized, needs-padding, exchangeRefData
> Length : min_len:6, max_len:8, stored_len:8
> Pad char : 0xFF
> Reference : 129 (0x81)
> Type : iso 9664-1
> Path : 3f000604
>
> PIN [PUK2]
> Object Flags : [0x3], private, modifiable
> ID : 04
> Flags : [0x873], case-sensitive, local, initialized, needs-padding, unblockingPin, exchangeRefData
> Length : min_len:8, max_len:8, stored_len:8
> Pad char : 0xFF
> Reference : 129 (0x81)
> Type : iso 9664-1
> Path : 3f000604
>
> Private RSA Key [D-TRUST Authentication Key]
> Object Flags : [0x1], private
> Usage : [0x2E], decrypt, sign, signRecover, unwrap
> Access Flags : [0x0]
> ModLength : 2048
> Key ref : 1 (0x1)
> Native : yes
> Path : a000000063504b43532d3135::3f000fff0f01
> Auth ID : 01
> ID : 11
> MD:guid : {a8abd012-eb59-b862-bf9b-c1ea443d2f35}
> :cmap flags : 0x0
> :sign : 0
> :key-exchange: 0
>
> Private RSA Key [SigG Signature Key]
> Object Flags : [0x1], private
> Usage : [0x200], nonRepudiation
> Access Flags : [0x0]
> ModLength : 2048
> Key ref : 4 (0x4)
> Native : yes
> Path : a000000063504b43532d3135::3f0006040f01
> Auth ID : 02
> ID : 12
> MD:guid : {c4f87a62-90ae-e1ac-fc1f-26083974ce94}
> :cmap flags : 0x0
> :sign : 0
> :key-exchange: 0
>
> Public RSA Key [D-TRUST Authentication Key]
> Object Flags : [0x2], modifiable
> Usage : [0xD1], encrypt, wrap, verify, verifyRecover
> Access Flags : [0x0]
> ModLength : 2048
> Key ref : 1 (0x1)
> Native : yes
> Path : a000000063504b43532d3135::3f000fff0e01
> Auth ID : 01
> ID : 11
>
> Public RSA Key [SigG Signature Key]
> Object Flags : [0x2], modifiable
> Usage : [0x204], sign, nonRepudiation
> Access Flags : [0x0]
> ModLength : 2048
> Key ref : 4 (0x4)
> Native : yes
> Path : a000000063504b43532d3135::3f0006040e01
> Auth ID : 02
> ID : 12
>
> X.509 Certificate [D-TRUST Authentication Key]
> Object Flags : [0x2], modifiable
> Authority : no
> Path : a000000063504b43532d3135::3f001501c100
> ID : 11
> Encoded serial : 02 03 168A81
> X.509 Certificate [SigG Signature Key]
> Object Flags : [0x2], modifiable
> Authority : no
> Path : a000000063504b43532d3135::3f001501c103
> ID : 12
> Encoded serial : 02 03 168A82
> X.509 Certificate []
> Object Flags : [0x0]
> Authority : no
> Path : a000000063504b43532d3135::3f001501c102
> ID : 2d32303036363939383139343731343534393238
> Encoded serial : 02 03 030E96
> X.509 Certificate []
> Object Flags : [0x0]
> Authority : no
> Path : a000000063504b43532d3135::3f001501c101
> ID : 2d333730343631303735333036303830313534
> Encoded serial : 02 03 097D43
> X.509 Certificate []
> Object Flags : [0x0]
> Authority : no
> Path : a000000063504b43532d3135::3f001501c105
> ID : 37353738323838313038333736373637303437
> Encoded serial : 02 03 159923
> X.509 Certificate []
> Object Flags : [0x0]
> Authority : no
> Path : a000000063504b43532d3135::3f001501c104
> ID : 38323832353936323735353833303736353131
> Encoded serial : 02 03 159924
----------------------
> $ pcsc_scan
> PC/SC device scanner
> V 1.4.23 (c) 2001-2011, Ludovic Rousseau <lud...@fr...>
> Compiled with PC/SC lite version: 1.8.11
> Using reader plug'n play mechanism
> Scanning present readers...
> 0: REINER SCT cyberJack RFID komfort (4694896162) 00 00
>
> Sat Nov 7 01:39:47 2015
> Reader 0: REINER SCT cyberJack RFID komfort (4694896162) 00 00
> Card state: Card inserted,
> ATR: 3B D8 18 FF 81 B1 FE 45 1F 03 80 64 04 1A B4 03 81 05 61
>
> ATR: 3B D8 18 FF 81 B1 FE 45 1F 03 80 64 04 1A B4 03 81 05 61
> + TS = 3B --> Direct Convention
> + T0 = D8, Y(1): 1101, K: 8 (historical bytes)
> TA(1) = 18 --> Fi=372, Di=12, 31 cycles/ETU
> 129032 bits/s at 4 MHz, fMax for Fi = 5 MHz => 161290 bits/s
> TC(1) = FF --> Extra guard time: 255 (special value)
> TD(1) = 81 --> Y(i+1) = 1000, Protocol T = 1
> -----
> TD(2) = B1 --> Y(i+1) = 1011, Protocol T = 1
> -----
> TA(3) = FE --> IFSC: 254
> TB(3) = 45 --> Block Waiting Integer: 4 - Character Waiting Integer: 5
> TD(3) = 1F --> Y(i+1) = 0001, Protocol T = 15 - Global interface bytes following
> -----
> TA(4) = 03 --> Clock stop: not supported - Class accepted by the card: (3G) A 5V B 3V
> + Historical bytes: 80 64 04 1A B4 03 81 05
> Category indicator byte: 80 (compact TLV data object)
> Tag: 6, len: 4 (pre-issuing data)
> Data: 04 1A B4 03
> Tag: 8, len: 1 (status indicator)
> LCS (life card cycle): 05
> + TCK = 61 (correct checksum)
>
> Possibly identified card (using /usr/share/pcsc/smartcard_list.txt):
> 3B D8 18 FF 81 B1 FE 45 1F 03 80 64 04 1A B4 03 81 05 61
> D-Trust multicard advanced 3.1
> German public health insurance card ("Gesundheitskarte"), issuer SBK "Siemens Betriebskrankenkasse"

Note: This is not fully correct. This type of card is used for the German health insurance, but also for other uses, such as my QES signature card. The name is incorrectly hardcoded in the list that ships with pcsc_scan.
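The ATR decoding that pcsc_scan prints above can be reproduced with a short parser; the following is an added example, not code from the original message, from OpenSC or from pcsc_scan. It walks the interface bytes as ISO/IEC 7816-3 defines them (the Y(i) nibble of each TD(i) announces the next group), separates the historical bytes, checks the TCK checksum and decodes TA(1) into Fi/Di; the ATR value is the one from the output above, while the names DTRUST_ATR, parse_atr and decode_ta1 are assumptions of this example.

```python
# Added example (not from the original message): decode an ISO/IEC 7816-3
# Answer-To-Reset the way pcsc_scan does, using the ATR quoted above.

FI_TABLE = {0: 372, 1: 372, 2: 558, 3: 744, 4: 1116, 5: 1488, 6: 1860,
            9: 512, 10: 768, 11: 1024, 12: 1536, 13: 2048}
DI_TABLE = {1: 1, 2: 2, 3: 4, 4: 8, 5: 16, 6: 32, 7: 64, 8: 12, 9: 20}

# ATR of the D-TRUST card as printed by opensc-tool --atr / pcsc_scan above
DTRUST_ATR = "3B D8 18 FF 81 B1 FE 45 1F 03 80 64 04 1A B4 03 81 05 61"


def parse_atr(atr_hex):
    """Return TS, the interface bytes per group, indicated protocols,
    historical bytes and whether the TCK check byte verifies."""
    b = bytes.fromhex(atr_hex.replace(":", " "))   # accepts both output styles
    t0 = b[1]
    k, y, pos, i = t0 & 0x0F, t0 >> 4, 2, 1        # K historical bytes, Y(1)
    groups, protocols = {}, set()
    while y:                                       # Y(i) says which of TA..TD follow
        for bit, name in ((1, "TA"), (2, "TB"), (4, "TC"), (8, "TD")):
            if y & bit:
                groups[f"{name}{i}"] = b[pos]
                pos += 1
        td = groups.get(f"TD{i}")
        if td is None:                             # no TD(i): no further group
            break
        protocols.add(td & 0x0F)                   # low nibble: protocol T
        y, i = td >> 4, i + 1                      # high nibble: Y(i+1)
    historical = b[pos:pos + k]
    pos += k
    tck_ok = None                                  # no TCK if only T=0 is offered
    if protocols - {0}:
        xor = 0
        for v in b[1:pos + 1]:                     # T0 .. TCK must XOR to zero
            xor ^= v
        tck_ok = xor == 0
    return {"TS": b[0], "K": k, "groups": groups, "protocols": protocols,
            "historical": historical, "tck_ok": tck_ok}


def decode_ta1(ta1):
    """Fi / Di from TA1 and the resulting clock cycles per ETU."""
    fi, di = FI_TABLE[ta1 >> 4], DI_TABLE[ta1 & 0x0F]
    return fi, di, fi // di


if __name__ == "__main__":
    atr = parse_atr(DTRUST_ATR)
    print(atr)
    print(decode_ta1(atr["groups"]["TA1"]))       # (372, 12, 31)
```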