From: Douglas E E. <dee...@gm...> - 2018-01-12 18:20:50
It turns out I have from Aventra a MyEID card which also has PIV.
Due to the way the card responds to the PIV SELECT AID the PIV driver does not select the card.
I have a fix for this.

But before submitting a PR, I need to look at the MyEID as it does have an AID:

./pkcs15-tool --list-applications
Using reader with a card: SCM Microsystems Inc. SCR 355 [CCID Interface] 00 00
Application 'Aventra':
    AID: A000000063504B43532D3135

and this is then another card that can have multiple applets

doug@XUbuntu-16:/opt/ossl-1.1/bin$ ./opensc-tool -s "00 A4 04 00 0C A0 00 00 00 63 50 4B 43 53 2D 31 35 00"
Using reader with a card: SCM Microsystems Inc. SCR 355 [CCID Interface] 00 00
Sending: 00 A4 04 00 0C A0 00 00 00 63 50 4B 43 53 2D 31 35 00
Received (SW1=0x90, SW2=0x00):
6F 25 81 02 7F FF 82 01 38 83 02 50 15 86 03 11 o%......8..P....
30 FF 85 02 00 E2 8A 01 07 84 0C A0 00 00 00 63 0..............c
50 4B 43 53 2D 31 35 PKCS-15

doug@XUbuntu-16:/opt/ossl-1.1/bin$ ./opensc-tool -s "00 A4 04 00 09 A0 00 00 03 08 00 00 10 00 00"
Using reader with a card: SCM Microsystems Inc. SCR 355 [CCID Interface] 00 00
Sending: 00 A4 04 00 09 A0 00 00 03 08 00 00 10 00 00
Received (SW1=0x90, SW2=0x00):
4F 06 00 00 10 00 01 00 79 08 4F 06 00 00 10 00 O.......y.O.....
01 00 50 18 4D 79 45 49 44 20 50 49 56 20 63 61 ..P.MyEID PIV ca
72 64 20 65 6D 75 6C 61 74 69 6F 6E rd emulation

But does not appear to have an OpenPGP applet.

This adds more urgency to address issues in:
https://github.com/OpenSC/OpenSC/issues/962

On 1/12/2018 8:04 AM, Jakub Jelen wrote:
> On Sat, 2018-01-06 at 12:11 +0100, NdK wrote:
>> On 05/01/2018 19:01, Bernd Eckenfels wrote:
>>> Hello,
>>> Did you try scdaemon (scenario 1 with SCd-PKCS11 should work with
>>> Firefox)
>>> https://github.com/sektioneins/scd-pkcs11/blob/master/README.md
>>
>> IIUC that's for GPG to use OpenSC-managed cards.
>>
>> Practical example. I have a MyEID card where I load a couple of keys
>> for web auth (say work portal and CAcert), a key for mail signing
>> (X509), a key for SSH access and the 3 GPG keys (DEC, SIG, AUT, and
>> possibly the master C key too).
>> That's what I could do before problems started (I last tested quite
>> some time ago, so it might be a bit fuzzy). IIRC, if I had Firefox
>> open I couldn't access any key from other apps (including Thunderbird).
>> If I closed FF, then I could sign/decrypt mails in Thunderbird, but
>> either with X509 or GPG (Enigmail). And to use SSH I had to close TB,
>> too.
>
> Hello Diego,
> I am not using web authentication using PKCS#11, but (for the sake of
> correct outcomes here) I got to test it today and it works as expected
> without any concurrent issues (until you let the GnuPG's scdaemon into
> the round) with all the cards I have around, but mostly with PIV on
> yubikey.
>
> I believe you should give it a try again. You might be pleasantly
> surprised (unless the MyEID cards have some different issues than my
> cards).
>
> The scdaemon could be replaced with a tool that does not require
> exclusive access and talks PKCS#11, such as gnupg-pkcs11-scd [1] and
> then we should be over these problems.
>
>> Guess what's the "normal user" reaction? "fsck smartcards".
>
> Yes, some of the configuration steps should be more explicit
> (disconnect = leave), and we should support both applets on the smart
> card (PIV, OpenPGP) on yubikey [2] to make it working setup for general
> users. But I would not say it is impossible nor that we are far.
>
> [1] http://gnupg-pkcs11.sourceforge.net/index.html
> [2] https://github.com/OpenSC/OpenSC/issues/962
>
> Thanks for inputs and regards,
>

--
Douglas E. Engert <DEE...@gm...>
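
The two SELECT responses quoted in the message above can be decoded as BER-TLV to see which data objects each applet returns. This is an added example, not part of the original message and not OpenSC code; the names parse_tlv and find are hypothetical, and the tag meanings referred to are the ISO 7816-4 ones (6F FCI template, 84 DF name, 4F application identifier, 50 application label).

```python
# Added example: decode the two SELECT responses from the message as BER-TLV.
# Bytes are copied from the opensc-tool output above; names are hypothetical.
PKCS15_SELECT = bytes.fromhex(
    "6F25 81027FFF 820138 83025015 86031130FF 850200E2 8A0107"
    "840C A000000063504B43532D3135")
PIV_SELECT = bytes.fromhex(
    "4F06 000010000100 7908 4F06000010000100"
    "5018 4D7945494420504956206361726420656D756C6174696F6E")


def parse_tlv(data):
    """Return [(tag_hex, value)]; a constructed value is a nested list."""
    out, i = [], 0
    while i < len(data):
        start, first = i, data[i]
        i += 1
        if (first & 0x1F) == 0x1F:            # multi-byte tag number
            while i < len(data) and data[i] & 0x80:
                i += 1
            i += 1                            # final tag byte (bit 8 clear)
        tag = data[start:i].hex().upper()
        if i >= len(data):
            raise ValueError("truncated header")
        length = data[i]
        i += 1
        if length == 0x80:
            raise ValueError("indefinite length not supported")
        if length > 0x80:                     # long form: next n bytes
            n = length & 0x7F
            if i + n > len(data):
                raise ValueError("truncated length")
            length = int.from_bytes(data[i:i + n], "big")
            i += n
        if i + length > len(data):
            raise ValueError("value overruns response")
        value = data[i:i + length]
        i += length
        out.append((tag, parse_tlv(value) if first & 0x20 else value))
    return out


def find(tree, tag):
    """Depth-first search for the first value stored under `tag`."""
    for t, v in tree:
        hit = v if t == tag else find(v, tag) if isinstance(v, list) else None
        if hit is not None:
            return hit
    return None
```

On the captured bytes, the PKCS#15 response is a single 6F template holding the AID in tag 84, while the PIV response carries 4F, 79 and 50 as separate top-level objects.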