From: Carsten B. <ch...@po...> - 2020-11-28 15:42:00
Hello Jarl,

this is my private view, I'm not an OpenSC maintainer, just a contributor/user and driver author https://github.com/carblue/acos5:

I don't know your card "Gemalto Instant EID IP10" and what OpenSC may perhaps provide already for that. If actually a new implementation is required, then I can help in general with guidance on how to do that from my own experience. Akin to your situation I had almost no knowledge about cryptography/smartcards and all the other stuff that needs to be mastered: There is a hard and interesting task waiting for you, probably not solvable in a few weeks' spare time.

I would say the biggest part is integrating all your knowledge about the card into the OpenSC software framework (with your new driver). Sadly that is only sparsely documented, e.g. https://github.com/OpenSC/OpenSC/wiki/Adding-a-new-card-driver, well, it's a starting point, but it's ~ 0.01% of the information required. There is a problem when referring to other drivers' code when you don't know those cards' properties. But in case you know that your card is very similar to supported card xyz, then the job may be easy, based on a copy of card driver xyz.

I assume your intention isn't that kind of reverse engineering/decompiling that attracts the code author's lawyers' attention (why else the existing PKCS#11 module is proprietary and presumably has some license terms that tell something about reverse engineering/decompiling. You would need to check that), *but* it probably won't help you much anyway: You can always inspect the APDU command communication on PC/SC level, IIRC with http://ludovic.rousseau.free.fr/softwares/pcsc-tools. I used that once in order to see what my card's vendor software does differently from what is described in the card's reference manual.

So this is the essential document that you need, likely no chance at all without that. It describes in detail the card's commands available, the card's properties, file types, control reference templates, manage security environment, how to do secure messaging (if applicable), how files are protectable by the card's security access control and a lot more. When you have that manual and want more help, send it to an interested OpenSC maintainer and me.

The link and decompiling: Well, it's a lot of Swedish that I sadly don't understand. And even if you could - with the help of expensive tools - unrealistically assumed, see the original proprietary source code: That still won't help you much, less than an expressive card reference manual and in-depth knowledge of OpenSC code.

Next to the OpenSC wiki, these links might help:
http://cedric.dufour.name/blah/IT/SmartCardsOverview.html
http://cedric.dufour.name/blah/IT/SmartCardsHowto.html

On 28.11.20 at 11:03, Jarl Gullberg wrote:
> Correction; the included link is just their userspace application. The
> actual module is available from their customers, such as Telia, and
> has been redistributed via an Ubuntu PPA:
> https://launchpad.net/~ubuntu-se/+archive/ubuntu/netid
>
> On Sat, 28 Nov 2020 at 11:01, Jarl Gullberg <jar...@gm...> wrote:
>> Hi,
>>
>> To start with, I apologize for any etiquette or usage issues here on
>> the mailing list on my behalf - I think I've only ever used a mailing
>> list once before.
>>
>> I've got a question in regards to implementing a new driver for a card
>> that's currently unsupported by OpenSC, but one that I have a
>> proprietary PKCS#11 module for. I don't have the source code, nor any
>> technical documentation that would describe the workings of the
>> driver, but using the module I can successfully interact with the card
>> using pkcs11-tool.
>>
>> The card in question is a Gemalto Instant EID IP10, a card commonly
>> used by Swedish authorities (including the military) and as a
>> bank-issued electronic identification card. It's a JavaCard v2-based
>> platform, with Gemalto's IDPrime applet (as far as googling has told
>> me, anyway). I'm quite new to the world of smartcards, but it would be
>> a great help if this card had support in OpenSC. BankID has become the
>> de facto standard for electronic identification here in Sweden, and
>> I'd be very helped at my workplace if the card was supported.
>>
>> What is the OpenSC policy on reverse engineering a new driver from a
>> proprietary module, either by decompiling the binary itself, or by
>> sniffing the traffic between the driver and the card? I'd be up for
>> implementing it myself or providing as much assistance as I can,
>> provided I get some guidance on how to actually do that - I've got
>> access to both a compatible reader, a set of IP10 cards (which I
>> bought because I thought they were of a different model, go me), as
>> well as the PKCS#11 module that talks to them.
>>
>> The module can be downloaded freely from Secmaker, the company behind
>> a fair bit of the technology involved, as "Net iD Access" for Linux,
>> Mac, Windows, iOS, and Android at
>> https://service.secmaker.com/access/apps.aspx.
>>
>> Thanks!
>
> _______________________________________________
> Opensc-devel mailing list
> Ope...@li...
> https://lists.sourceforge.net/lists/listinfo/opensc-devel