From: dzeri96 <dz...@pr...> - 2025-04-26 15:18:08
I just got the card this year so you might be mixing me up with somebody.

I want to delay the reverse-engineering of Athena OpenID for three reasons:

1. Signing stuff is actually the last thing on my wish-list. I'm more interested in the identification data and the activation procedure. The tool seems to only do signing so reverse-engineering it probably won't help me much.
2. The 2 AIDs related to IAS ECC (starting with E8 28 BD 08 0F) are already mentioned in https://github.com/OpenSC/OpenSC/blob/master/etc/opensc.conf.example.in. Someone put them there so someone must know what they do. This leads me to believe that there must be a specification floating out there somewhere.
3. Obviously, it's very time-consuming.

I've been reading the IAS ECC spec more thoroughly and chapter 10.4 describes Cryptographic Information Applications whose IDs start with the above-mentioned prefix and continue with the AID of the application they refer to. My card seems to contradict this since, for example 50 45 43 43 2D 65 49 44, is not a selectable AID, it just spells out PECC-eID. I don't know...

I think getting my hands on the ChipDocs User Manual from NXP would potentially clear up some things, but they only give it to trusted partners apparently.

Cheers,
Dzeri96

On Saturday, 26 April 2025 at 10:49, Vincent Le Toux <vin...@my...> wrote:

> Inside the middleware, there is a minidriver named ciamd.dll
>
> What I would suggest is to write a program like the one I wrote here (https://github.com/vletoux/openpgpmdrv/tree/master/OpenPGPminidriverTest) that connects to the minidriver and realize basic functions (enumerating public keys, certificates, encrypts, change pin, etc).
> You can add a hook to dump the instructions sent to the card.
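Added example (not part of any post in this thread): a BER-TLV walk over the EF.DIR bytes quoted in the thread, listing each application template (tag 61) with its AID, label and the contents of its discretionary template (tag 73), then splitting off the E8 28 BD 08 0F prefix discussed in the message above. Reading the two OCTET STRINGs under tag 73 as file identifiers is an assumption, and all function names are this example's own.

```python
"""Decode the EF.DIR dump posted in the thread as ISO 7816-4 BER-TLV."""

# EF.DIR raw data exactly as posted in the first message of the thread.
EF_DIR = bytes.fromhex("".join("""
61374F0EE828BD080FD25047656E6572 6963500743686970446F63731C300404
025031A004040250324F0EE828BD080F D2504543432D654944610F4F07A00000
0247100150044943414F61184F0A4D4F 4E54454E4547524F500A4E6174696F6E
616C4944
""".split()))

# Prefix the thread associates with IAS ECC Cryptographic Information Applications.
CIA_PREFIX = bytes.fromhex("E828BD080F")


def parse_tlv(data):
    """Yield (tag, constructed, value) for each BER-TLV object in data."""
    pos = 0
    while pos < len(data):
        first = data[pos]
        pos += 1
        if first in (0x00, 0xFF):            # padding between objects
            continue
        tag = first
        if first & 0x1F == 0x1F:             # tag continues in the following bytes
            while True:
                if pos >= len(data):
                    raise ValueError("truncated tag")
                tag = (tag << 8) | data[pos]
                pos += 1
                if not data[pos - 1] & 0x80:
                    break
        if pos >= len(data):
            raise ValueError("missing length")
        length = data[pos]
        pos += 1
        if length == 0x80:
            raise ValueError("indefinite length is not used on cards")
        if length > 0x80:                    # long form: next n bytes hold the length
            n = length & 0x7F
            if pos + n > len(data):
                raise ValueError("truncated length")
            length = int.from_bytes(data[pos:pos + n], "big")
            pos += n
        if pos + length > len(data):
            raise ValueError("value runs past the end of the buffer")
        yield tag, bool(first & 0x20), data[pos:pos + length]
        pos += length


def walk(data, path=()):
    """Depth-first (path, tag, value), descending into constructed objects."""
    for tag, constructed, value in parse_tlv(data):
        yield path, tag, value
        if constructed:
            yield from walk(value, path + (tag,))


def applications(ef_dir):
    """One dict per application template (tag 61) found in EF.DIR."""
    apps = []
    for tag, _, value in parse_tlv(ef_dir):
        if tag != 0x61:
            continue
        app = {"aid": None, "label": None, "paths": [], "nested_aids": []}
        for path, t, v in walk(value):
            if t == 0x4F and not path:       # AID of the template itself
                app["aid"] = v
            elif t == 0x4F:                  # AID inside a nested template
                app["nested_aids"].append(v)
            elif t == 0x50 and not path:     # application label
                app["label"] = v.decode("ascii", "replace")
            elif t == 0x04 and 0x73 in path:
                # OCTET STRING under the discretionary template; treated as a
                # file identifier here (assumption).
                app["paths"].append(v.hex().upper())
        apps.append(app)
    return apps


def cia_remainder(aid):
    """Bytes following the CIA prefix, or None when the prefix is absent."""
    return aid[len(CIA_PREFIX):] if aid.startswith(CIA_PREFIX) else None


def printable(raw):
    """ASCII rendering with '.' for non-printable bytes."""
    return "".join(chr(b) if 0x20 <= b < 0x7F else "." for b in raw)


if __name__ == "__main__":
    for app in applications(EF_DIR):
        for aid in [app["aid"]] + app["nested_aids"]:
            rest = cia_remainder(aid)
            note = "" if rest is None else "  prefix + %r" % printable(rest)
            print(aid.hex().upper(), app["label"], app["paths"], note)
```

On the posted bytes this yields three tag-61 templates; the AID E828BD080FD2504543432D654944 sits inside tag 73 of the first template, whose label field is 7 bytes long (`ChipDoc`).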
From: Vincent Le T. <vin...@my...> - 2025-04-26 09:06:46
Inside the middleware, there is a minidriver named ciamd.dll

What I would suggest is to write a program like the one I wrote here (https://github.com/vletoux/openpgpmdrv/tree/master/OpenPGPminidriverTest) that connects to the minidriver and realize basic functions (enumerating public keys, certificates, encrypts, change pin, etc).
You can add a hook to dump the instructions sent to the card.

You can use the following code to hook the SCardTransmit function:

```cpp
#include <windows.h>
#include <winscard.h>
#include <tchar.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

// Write a buffer to the debugger output as space-separated hex bytes.
void PrintHexToDebug(const BYTE* buffer, DWORD length) {
    // Allocate memory dynamically
    TCHAR* hexStr = (TCHAR*)malloc((3 * length + 1) * sizeof(TCHAR));
    if (hexStr == NULL) {
        OutputDebugString(TEXT("Memory allocation failed\n"));
        return;
    }

    for (DWORD i = 0; i < length; i++) {
        _stprintf_s(&hexStr[i * 3], 4, TEXT("%02X "), buffer[i]);
    }
    hexStr[3 * length] = '\0';
    OutputDebugString(hexStr);

    // Free the allocated memory
    free(hexStr);
}

// Replacement for SCardTransmit: logs the command, forwards it, logs the result.
LONG WINAPI MySCardTransmit(
    SCARDHANDLE hCard,
    LPCSCARD_IO_REQUEST pioSendPci,
    LPCBYTE pbSendBuffer,
    DWORD cbSendLength,
    LPSCARD_IO_REQUEST pioRecvPci,
    LPBYTE pbRecvBuffer,
    LPDWORD pcbRecvLength
) {
    // Trace the input buffer
    OutputDebugString(TEXT("pbSendBuffer: "));
    PrintHexToDebug(pbSendBuffer, cbSendLength);
    OutputDebugString(TEXT("\n"));
    // Call the original SCardTransmit
    LONG result = SCardTransmit(hCard, pioSendPci, pbSendBuffer, cbSendLength, pioRecvPci, pbRecvBuffer, pcbRecvLength);

    // Write the return code as hex
    TCHAR returnCodeStr[30];
    _stprintf_s(returnCodeStr, ARRAYSIZE(returnCodeStr), TEXT("Return code: %08X\n"), result);
    OutputDebugString(returnCodeStr);

    // If the return code is successful, dump the output buffer
    if (result == SCARD_S_SUCCESS && pcbRecvLength && pbRecvBuffer) {
        OutputDebugString(TEXT("pbRecvBuffer: "));
        PrintHexToDebug(pbRecvBuffer, *pcbRecvLength);
        OutputDebugString(TEXT("\n"));
    }

    return result;
}

// Patch the import address table of the loaded minidriver module so that its
// calls to Winscard.dll!SCardTransmit go through MySCardTransmit.
VOID EnableHook(HMODULE hModule)
{
    HMODULE hScard = LoadLibrary(TEXT("Winscard.dll"));
    if (hScard == NULL) {
        return;
    }
    PROC pfnScardTransmit = GetProcAddress(hScard, "SCardTransmit");
    if (pfnScardTransmit == NULL) {
        return;
    }
    PIMAGE_DOS_HEADER pDosHeader = (PIMAGE_DOS_HEADER)hModule;
    PIMAGE_NT_HEADERS pNtHeaders = (PIMAGE_NT_HEADERS)((BYTE*)hModule + pDosHeader->e_lfanew);
    PIMAGE_IMPORT_DESCRIPTOR pImportDesc = (PIMAGE_IMPORT_DESCRIPTOR)((BYTE*)hModule +
        pNtHeaders->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress);

    // Walk the import descriptors until the one for Winscard.dll is found
    while (pImportDesc->Name) {
        LPCSTR pszModName = (LPCSTR)((BYTE*)hModule + pImportDesc->Name);
        if (_stricmp(pszModName, "Winscard.dll") == 0) {
            PIMAGE_THUNK_DATA pThunk = (PIMAGE_THUNK_DATA)((BYTE*)hModule + pImportDesc->FirstThunk);
            while (pThunk->u1.Function) {
                PROC* ppfn = (PROC*)&pThunk->u1.Function;
                if (*ppfn == (PROC)pfnScardTransmit) {
                    // The IAT page is read-only: unprotect, swap the pointer, restore
                    DWORD oldProtect;
                    VirtualProtect(ppfn, sizeof(PROC), PAGE_EXECUTE_READWRITE, &oldProtect);
                    *ppfn = (PROC)MySCardTransmit;
                    VirtualProtect(ppfn, sizeof(PROC), oldProtect, &oldProtect);
                }
                pThunk++;
            }
            break;
        }
        pImportDesc++;
    }
}
```

And to initialize the minidriver:

```cpp
#include <cardmod.h>   // CARD_DATA, PFN_CARD_ACQUIRE_CONTEXT

// Not declared in this excerpt; they must be provided by the surrounding test
// program: szCard, atr, hModule, CardData, pCardData and the
// _Alloc/_Free/_ReAlloc/_Cache*Stub callbacks.

DWORD Connect(BOOL fSystemDll = TRUE)
{
    DWORD dwReturn = 0;
    SCARDCONTEXT hSCardContext = NULL;
    SCARDHANDLE hSCardHandle = NULL;
    TCHAR szCardModule[256];
    TCHAR szReader[256];
    DWORD dwCardModuleSize = ARRAYSIZE(szCardModule);
    DWORD dwReaderSize = ARRAYSIZE(szReader);
    OPENCARDNAME_EX dlgStruct;
    PFN_CARD_ACQUIRE_CONTEXT pfnCardAcquireContext;

    __try
    {
        // find a smart card
        /////////////////////

        dwReturn = SCardEstablishContext(SCARD_SCOPE_USER,
            NULL,
            NULL,
            &hSCardContext);
        if (SCARD_S_SUCCESS != dwReturn)
        {
            __leave;
        }

        // Initialize the structure.
        memset(&dlgStruct, 0, sizeof(dlgStruct));
        dlgStruct.dwStructSize = sizeof(dlgStruct);
        dlgStruct.hSCardContext = hSCardContext;
        dlgStruct.dwFlags = SC_DLG_MINIMAL_UI;
        dlgStruct.lpstrRdr = szReader;
        dlgStruct.nMaxRdr = dwReaderSize;
        dlgStruct.lpstrCard = szCard;
        dlgStruct.nMaxCard = ARRAYSIZE(szCard);
        dlgStruct.lpstrTitle = L"Select Card";
        dlgStruct.dwShareMode = 0;
        // Display the select card dialog box.
        dwReturn = SCardUIDlgSelectCard(&dlgStruct);
        if (SCARD_S_SUCCESS != dwReturn)
        {
            __leave;
        }

        // find the dll path / name
        ////////////////////////////
        if (fSystemDll)
        {
            dwReturn = SCardGetCardTypeProviderName(
                hSCardContext,
                szCard,
                SCARD_PROVIDER_CARD_MODULE,
                (PTSTR)&szCardModule,
                &dwCardModuleSize);
            // Treat a failed lookup like an empty result
            if (SCARD_S_SUCCESS != dwReturn || 0 == dwCardModuleSize)
            {
                dwReturn = (DWORD)SCARD_E_UNKNOWN_CARD;
                __leave;
            }
        }
        else
        {
#ifdef _M_X64
            _tcscpy_s(szCardModule, dwCardModuleSize, TEXT("Name of the dll.dll"));
#else
            _tcscpy_s(szCardModule, dwCardModuleSize, TEXT("Name of the dll.dll"));
#endif
        }
        // connect to the smart card
        ////////////////////////////
        DWORD dwProtocol, dwState;
        dwReturn = SCardConnect(hSCardContext, szReader, SCARD_SHARE_SHARED, SCARD_PROTOCOL_T1 | SCARD_PROTOCOL_T0, &hSCardHandle, &dwProtocol);
        if (SCARD_S_SUCCESS != dwReturn)
        {
            __leave;
        }
        atr.cbAtr = 32;
        dwReturn = SCardStatus(hSCardHandle, szReader, &dwReaderSize, &dwState, &dwProtocol, atr.rgbAtr, &atr.cbAtr);
        if (SCARD_S_SUCCESS != dwReturn)
        {
            __leave;
        }
        // load
        ////////
        if (NULL == (hModule = LoadLibrary(szCardModule)))
        {
            dwReturn = GetLastError();
            __leave;
        }
        if (fSystemDll)
        {
            // install the SCardTransmit hook before the minidriver talks to the card
            EnableHook(hModule);
        }
        if (NULL == (pfnCardAcquireContext =
            (PFN_CARD_ACQUIRE_CONTEXT)GetProcAddress(
                hModule, "CardAcquireContext")))
        {
            dwReturn = GetLastError();
            __leave;
        }
        // initialize context
        //////////////////////
        pCardData = &CardData;
        pCardData->dwVersion = CARD_DATA_CURRENT_VERSION;
        pCardData->pfnCspAlloc = _Alloc;
        pCardData->pfnCspFree = _Free;
        pCardData->pfnCspReAlloc = _ReAlloc;
        pCardData->pfnCspCacheAddFile = _CacheAddFileStub;
        pCardData->pfnCspCacheLookupFile = _CacheLookupFileStub;
        pCardData->pfnCspCacheDeleteFile = _CacheDeleteFileStub;
        pCardData->hScard = hSCardHandle;
        pCardData->hSCardCtx = hSCardContext;
        pCardData->cbAtr = atr.cbAtr;
        pCardData->pbAtr = atr.rgbAtr;
        pCardData->pwszCardName = szCard;
        //dwReturn = SCardBeginTransaction(hSCardHandle);
        if (SCARD_S_SUCCESS != dwReturn)
        {
            __leave;
        }
        dwReturn = pfnCardAcquireContext(pCardData, 0);
    }
    __finally
    {
        // release the card and the context only when something failed
        if (dwReturn != 0)
        {
            if (hSCardHandle)
            {
                SCardEndTransaction(hSCardHandle, SCARD_LEAVE_CARD);
                SCardDisconnect(hSCardHandle, 0);
            }
            if (hSCardContext)
                SCardReleaseContext(hSCardContext);
        }
    }
    return dwReturn;
}

DWORD Disconnect()
{
    DWORD dwReturn = 0;
    if (pCardData)
    {
        if (pCardData->hScard)
        {
            SCardEndTransaction(pCardData->hScard, SCARD_LEAVE_CARD);
            SCardDisconnect(pCardData->hScard, 0);
        }
        if (pCardData->hSCardCtx)
            SCardReleaseContext(pCardData->hSCardCtx);
        pCardData = NULL;
    }
    else
    {
        dwReturn = SCARD_E_COMM_DATA_LOST;
    }
    return dwReturn;
}
```

You can then call directly:

```cpp
// Ask the minidriver to generate a key in container dwIndex.
DWORD GenerateNewKey(DWORD dwIndex)
{
    DWORD dwReturn, dwKeySpec;
    PIN_ID PinId;
    __try
    {
        if (!pCardData)
        {
            dwReturn = SCARD_E_COMM_DATA_LOST;
            __leave;
        }
        switch(dwIndex)
        {
        case 0: //Signature,
            dwKeySpec = AT_SIGNATURE;
            PinId = ROLE_USER;
            break;
        case 2: //Authentication,
            dwKeySpec = AT_SIGNATURE;
            PinId = 3;
            break;
        case 1: // Confidentiality,
            dwKeySpec = AT_KEYEXCHANGE;
            PinId = 4;
            break;
        default:
            dwReturn = SCARD_E_UNEXPECTED;
            __leave;
        }
        dwReturn = pCardData->pfnCardCreateContainerEx(pCardData, (BYTE) dwIndex,
            CARD_CREATE_CONTAINER_KEY_GEN,
            dwKeySpec, 1024, NULL, PinId);
    }
    __finally
    {
    }
    return dwReturn;
}
```

br
Vincent

On Fri, 25 Apr 2025 at 22:53, Frank Morgner <fra...@gm...> wrote:

> The middleware is available on the bottom of this page
> https://www.gov.me/clanak/preuzmite-software-i-uputstva
>
> But I think you already know that. You analyzed that in 2024 already, didn't you?
>
> Regards.
>
> On 22.04.25 at 14:44, dzeri96 via Opensc-devel wrote:
>
> > Hello everyone,
> >
> > I'm trying to kickstart support for the new Montenegrin eID <https://www.gov.me/mup/elk>, or at least figure out how it works. I've sent multiple requests for technical specs to the government, but unless I take them to court, I doubt I'll get any useful information. Therefore I'll just write down what I manage to figure out on my own, and hopefully you can provide further insight.
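Added example, not code from the post above: a reader for the debug output that the SCardTransmit hook writes, pairing each command APDU with its return code and status word. The sample trace is constructed (it assumes one line per `pbSendBuffer:`, `Return code:` and `pbRecvBuffer:` entry, as the hook's format strings suggest), and all function names are this example's own.

```python
"""Pair the hook's pbSendBuffer / Return code / pbRecvBuffer lines into exchanges."""

# Constructed sample trace. The line layout follows the hook's format strings;
# the APDUs and responses are illustrative, not captured from the card.
SAMPLE_TRACE = """\
pbSendBuffer: 00 A4 04 0C 07 A0 00 00 02 47 10 01
Return code: 00000000
pbRecvBuffer: 90 00
pbSendBuffer: 00 B0 00 00 04
Return code: 00000000
pbRecvBuffer: 61 37 4F 0E 90 00
pbSendBuffer: 00 A4 04 0C 05 F0 00 00 00 01
Return code: 00000000
pbRecvBuffer: 6A 82
pbSendBuffer: 00 B0 00 00 00
Return code: 80100069
"""

# A few ISO 7816-4 status words, enough for the sample above.
STATUS = {"9000": "OK", "6A82": "file or application not found"}


def hexbytes(text):
    """Turn '00 A4 04 0C' (any spacing) into bytes."""
    return bytes.fromhex("".join(text.split()))


def parse_command(apdu):
    """Split a short-length command APDU into header, data and Le."""
    if len(apdu) < 4:
        raise ValueError("command APDU shorter than its 4-byte header")
    cla, ins, p1, p2 = apdu[:4]
    body, data, le = apdu[4:], b"", None
    if len(body) == 1:                       # case 2: Le only (00 means 256)
        le = body[0] or 256
    elif body:
        lc = body[0]
        if lc == 0:
            raise ValueError("extended-length APDU, not handled here")
        if len(body) == 1 + lc:              # case 3: Lc + data
            data = body[1:]
        elif len(body) == 2 + lc:            # case 4: Lc + data + Le
            data, le = body[1:1 + lc], body[-1] or 256
        else:
            raise ValueError("Lc does not match the APDU length")
    return {"cla": cla, "ins": ins, "p1": p1, "p2": p2, "data": data, "le": le}


def parse_trace(text):
    """Return one dict per command: parsed command, return code, data, SW."""
    exchanges = []
    for line in text.splitlines():
        label, _, rest = line.partition(":")
        label = label.strip()
        if label == "pbSendBuffer":
            exchanges.append({"cmd": parse_command(hexbytes(rest)),
                              "rc": None, "data": None, "sw": None})
        elif not exchanges:
            continue                          # output before the first command
        elif label == "Return code":
            exchanges[-1]["rc"] = int(rest, 16)
        elif label == "pbRecvBuffer":
            resp = hexbytes(rest)
            if len(resp) >= 2:                # last two bytes are SW1 SW2
                exchanges[-1]["data"] = resp[:-2]
                exchanges[-1]["sw"] = resp[-2:].hex().upper()
    return exchanges


def selected_aids(exchanges):
    """(AID, status word) for every SELECT by name (INS A4, P1 04)."""
    return [(x["cmd"]["data"].hex().upper(), x["sw"])
            for x in exchanges
            if x["cmd"]["ins"] == 0xA4 and x["cmd"]["p1"] == 0x04]


if __name__ == "__main__":
    for x in parse_trace(SAMPLE_TRACE):
        c = x["cmd"]
        head = "%02X %02X %02X %02X" % (c["cla"], c["ins"], c["p1"], c["p2"])
        if x["sw"] is None:
            print(head, "-> transmit failed, return code %08X" % x["rc"])
        else:
            print(head, "data=" + c["data"].hex().upper(),
                  "->", x["sw"], STATUS.get(x["sw"], "?"))
```

A real trace will contain PIN verification commands with the PIN bytes in clear, so the debug output should be handled as sensitive.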
From: Frank M. <fra...@gm...> - 2025-04-25 20:53:14
The middleware is available on the bottom of this page https://www.gov.me/clanak/preuzmite-software-i-uputstva

But I think you already know that. You analyzed that in 2024 already, didn't you?

Regards.

On 22.04.25 at 14:44, dzeri96 via Opensc-devel wrote:

> Hello everyone,
>
> I'm trying to kickstart support for the new Montenegrin eID <https://www.gov.me/mup/elk>, or at least figure out how it works. I've sent multiple requests for technical specs to the government, but unless I take them to court, I doubt I'll get any useful information. Therefore I'll just write down what I manage to figure out on my own, and hopefully you can provide further insight. One thing about a country as small as Montenegro, is that there is a very high probability we didn't implement anything custom, as it's not financially viable.
>
> Here's what I have so far:
>
> * *ATR*: 3b:dc:96:ff:81:91:fe:1f:c3:80:73:c8:21:13:66:05:03:63:51:00:02:de. It doesn't seem to comply with the ATR scheme in the IAS ECC specification, even though the government says the card complies with all EU ID regulations (unclear which ones).
> * *EF.ATR raw data*: 80004301B946040400ECC24703940180 4F0BF0496173456363526F6F74E01002 020104020200E6020200E6020200E678 0806062B8122F8780282029000
> * *EF.DIR raw data*: 61374F0EE828BD080FD25047656E6572 6963500743686970446F63731C300404 025031A004040250324F0EE828BD080F D2504543432D654944610F4F07A00000 0247100150044943414F61184F0A4D4F 4E54454E4547524F500A4E6174696F6E 616C4944
> * By deciphering the EF.DIR data, we can discover 4 applications:
>     - E828BD080FD25047656E65726963 - ECC Generic PKI / ChipDocs Applet
>     - E828BD080FD2504543432D654944 - ECC eID
>     - A0000002471001 - ICAO
>     - 4D4F4E54454E4547524F - Spells out MONTENEGRO in ASCII, label is "NationalID". No idea what this could be... maybe something related to healthcare?
From: Frank M. <fra...@gm...> - 2025-04-25 20:30:37
Sorry, I don't have any insights about the card to share, but it seems you already managed to gather quite some information.

I think the jar will not help you much in integrating the card into OpenSC (or some similar). I assume there must be some middleware that allows using the cryptographic keys of the card, i.e. some PKCS#11 module or a macOS/Windows card driver. If you find one (Athena IDProtect?), you can intercept the middleware commands together with the APDUs to the card. If you have that, you can start re-implementing that in an open source fashion.

Best Regards,
Frank

On 22.04.25 at 14:44, dzeri96 via Opensc-devel wrote:

> Hello everyone,
>
> I'm trying to kickstart support for the new Montenegrin eID <https://www.gov.me/mup/elk>, or at least figure out how it works. I've sent multiple requests for technical specs to the government, but unless I take them to court, I doubt I'll get any useful information. Therefore I'll just write down what I manage to figure out on my own, and hopefully you can provide further insight. One thing about a country as small as Montenegro, is that there is a very high probability we didn't implement anything custom, as it's not financially viable.
>
> Here's what I have so far:
>
> * *ATR*: 3b:dc:96:ff:81:91:fe:1f:c3:80:73:c8:21:13:66:05:03:63:51:00:02:de. It doesn't seem to comply with the ATR scheme in the IAS ECC specification, even though the government says the card complies with all EU ID regulations (unclear which ones).
> * *EF.ATR raw data*: 80004301B946040400ECC24703940180 4F0BF0496173456363526F6F74E01002 020104020200E6020200E6020200E678 0806062B8122F8780282029000
> * *EF.DIR raw data*: 61374F0EE828BD080FD25047656E6572 6963500743686970446F63731C300404 025031A004040250324F0EE828BD080F D2504543432D654944610F4F07A00000 0247100150044943414F61184F0A4D4F 4E54454E4547524F500A4E6174696F6E 616C4944
> * By deciphering the EF.DIR data, we can discover 4 applications:
>     - E828BD080FD25047656E65726963 - ECC Generic PKI / ChipDocs Applet
>     - E828BD080FD2504543432D654944 - ECC eID
>     - A0000002471001 - ICAO
>     - 4D4F4E54454E4547524F - Spells out MONTENEGRO in ASCII, label is "NationalID". No idea what this could be... maybe something related to healthcare?
> * I managed to use npa-tool and read the MRZ stored on the card using CAN-based PACE, but all other functions of the tool don't work, not even PIN-based PACE. I'm just using it as an APDU debugger with PACE support.
> * The official middleware supplied by the government is Athena IDProtect.
> * The activation software is available here <https://wapi.gov.me/download/e63b50c5-9ccc-4034-961f-5bb401a9b375?version=1.0>. It's a java program developed by Mühlbauer <https://www.muehlbauer.de/>. I decompiled it and saw that it's accessing the ECC eID application. I managed to extract some APDUs and get the activation status of the card (PIN change is required on first use).
> * iasecc-tool and pkcs15-tool say "Card is invalid or cannot be handled" regardless of what I try.
>
> I've skimmed over hundreds of pages of standards, including the ISO-7816 parts, the NXP ChipDoc v4 spec, the BSI TR-03110, the IAS ECC spec, but I can barely find any concrete info on these applications. Someone must know how to access them because there are vendor-provided tools to do so.
>
> My goals are:
>
> 1. Get general knowledge about the card and build some PoC APDU chains to read/set data.
> 2. Get the birthdate of the person via PIN-based auth and verify the authenticity of the data.
> 3. Get the openSC suite of tools to work with the card.
> 4. Replace the closed-source middleware provided by the government.
>
> I would really appreciate any help here. Thanks!
>
> _______________________________________________
> Opensc-devel mailing list
> Ope...@li...
> https://lists.sourceforge.net/lists/listinfo/opensc-devel
From: dzeri96 <dz...@pr...> - 2025-04-22 12:44:51
|
Hello everyone,

I'm trying to kickstart support for the new Montenegrin eID, or at least figure out how it works. I've sent multiple requests for technical specs to the government, but unless I take them to court, I doubt I'll get any useful information. Therefore I'll just write down what I manage to figure out on my own, and hopefully you can provide further insight. One thing about a country as small as Montenegro, is that there is a very high probability we didn't implement anything custom, as it's not financially viable.

Here's what I have so far:

- ATR: 3b:dc:96:ff:81:91:fe:1f:c3:80:73:c8:21:13:66:05:03:63:51:00:02:de. It doesn't seem to comply with the ATR scheme in the IAS ECC specification, even though the government says the card complies with all EU ID regulations (unclear which ones).
- EF.ATR raw data: 80004301B946040400ECC24703940180 4F0BF0496173456363526F6F74E01002 020104020200E6020200E6020200E678 0806062B8122F8780282029000
- EF.DIR raw data: 61374F0EE828BD080FD25047656E6572 6963500743686970446F63731C300404 025031A004040250324F0EE828BD080FD2504543432D654944610F4F07A00000 0247100150044943414F61184F0A4D4F 4E54454E4547524F500A4E6174696F6E 616C4944
- By deciphering the EF.DIR data, we can discover 4 applications:
  - E828BD080FD25047656E65726963 - ECC Generic PKI / ChipDocs Applet
  - E828BD080FD2504543432D654944 - ECC eID
  - A0000002471001 - ICAO
  - 4D4F4E54454E4547524F - Spells out MONTENEGRO in ASCII, label is "NationalID". No idea what this could be... maybe something related to healthcare?
- I managed to use npa-tool and read the MRZ stored on the card using CAN-based PACE, but all other functions of the tool don't work, not even PIN-based PACE. I'm just using it as an APDU debugger with PACE support.
- The official middleware supplied by the government is Athena IDProtect.
- The activation software is available here. It's a java program developed by Mühlbauer. I decompiled it and saw that it's accessing the ECC eID application. I managed to extract some APDUs and get the activation status of the card (PIN change is required on first use).
- iasecc-tool and pkcs15-tool say "Card is invalid or cannot be handled" regardless of what I try.

I've skimmed over hundreds of pages of standards, including the ISO-7816 parts, the NXP ChipDoc v4 spec, the BSI TR-03110, the IAS ECC spec, but I can barely find any concrete info on these applications. Someone must know how to access them because there are vendor-provided tools to do so.

My goals are:

1. Get general knowledge about the card and build some PoC APDU chains to read/set data.
2. Get the birthdate of the person via PIN-based auth and verify the authenticity of the data.
3. Get the openSC suite of tools to work with the card.
4. Replace the closed-source middleware provided by the government.

I would really appreciate any help here. Thanks!
|
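The EF.DIR dump in the message above can be decoded mechanically as BER-TLV. The following is an added example, not part of the thread and not OpenSC code: it walks the application templates (tag 61) and reports each AID (4F), label (50) and whatever is nested in a discretionary template (73). Treating the OCTET STRINGs found there as ISO/IEC 7816-15 file paths is an assumption, and all function names are illustrative.

```python
"""Decode an EF.DIR dump as BER-TLV and list its application templates."""

# EF.DIR bytes exactly as posted in the message above, whitespace removed.
EF_DIR_HEX = (
    "61374F0EE828BD080FD25047656E6572"
    "6963500743686970446F63731C300404"
    "025031A004040250324F0EE828BD080F"
    "D2504543432D654944610F4F07A00000"
    "0247100150044943414F61184F0A4D4F"
    "4E54454E4547524F500A4E6174696F6E"
    "616C4944"
)

TAG_APP_TEMPLATE = b"\x61"   # application template
TAG_AID = b"\x4f"            # application identifier
TAG_LABEL = b"\x50"          # application label
TAG_OCTET_STRING = b"\x04"   # universal OCTET STRING


def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the BER-TLV object starting at pos."""
    start = pos
    first = buf[pos]
    pos += 1
    if first & 0x1F == 0x1F:                 # tag number continues in later bytes
        while True:
            if pos >= len(buf):
                raise ValueError("truncated tag")
            more = buf[pos] & 0x80
            pos += 1
            if not more:
                break
    tag = bytes(buf[start:pos])
    if pos >= len(buf):
        raise ValueError("missing length")
    length = buf[pos]
    pos += 1
    if length == 0x80:
        raise ValueError("indefinite length is not used in ISO/IEC 7816")
    if length & 0x80:                        # long form: low bits count the length bytes
        count = length & 0x7F
        if pos + count > len(buf):
            raise ValueError("truncated length")
        length = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    end = pos + length
    if end > len(buf):
        raise ValueError("value runs past end of buffer")
    return tag, bytes(buf[pos:end]), end


def walk(buf, depth=0):
    """Yield (depth, tag, value) for each object, descending into constructed ones."""
    pos = 0
    while pos < len(buf):
        if buf[pos] in (0x00, 0xFF):         # padding bytes between data objects
            pos += 1
            continue
        tag, value, pos = read_tlv(buf, pos)
        yield depth, tag, value
        if tag[0] & 0x20:                    # constructed: the value is itself TLV
            yield from walk(value, depth + 1)


def applications(ef_dir):
    """Return one dict per top-level application template (tag 61)."""
    apps, current = [], None
    for depth, tag, value in walk(ef_dir):
        if depth == 0:
            current = None
            if tag == TAG_APP_TEMPLATE:
                current = {"aid": None, "label": None, "nested_aids": [], "paths": []}
                apps.append(current)
        elif current is None:
            continue                         # object inside a non-61 top-level entry
        elif tag == TAG_AID:
            if depth == 1:
                current["aid"] = value.hex().upper()
            else:                            # AID inside a child template (here tag 73)
                current["nested_aids"].append(value.hex().upper())
        elif tag == TAG_LABEL and depth == 1:
            current["label"] = value.decode("utf-8", errors="replace")
        elif tag == TAG_OCTET_STRING and depth > 1:
            # Assumption: OCTET STRINGs below a child template are 7816-15 paths.
            current["paths"].append(value.hex().upper())
    return apps


if __name__ == "__main__":
    for app in applications(bytes.fromhex(EF_DIR_HEX)):
        print(app)
```

Run on the posted dump, it returns three top-level templates and four AIDs in total: the AID ending in 2D654944 sits inside the discretionary template of the first entry, next to the octet strings 5031 and 5032.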
From: Veronika H. <vha...@re...> - 2025-01-14 16:38:38
|
Hello all, We are happy to announce the latest release of OpenSC 0.26.1. You can find the full summary of changes, release tarballs, and binaries on Github: https://github.com/OpenSC/OpenSC/releases/tag/0.26.1 From the outstanding changes, the release includes fixes for the allocation of aligned memory, fixes for crashes when spying with the C_GetInterface function and corrected reading of certificates in TCOS driver. For the full changelog, please refer to the NEWS file: https://github.com/OpenSC/OpenSC/blob/master/NEWS The Windows binaries contain signed installers provided by Signpath.io. The macOS installer is signed by Tim Wilbrink, as in previous releases. You can find SHA-256 hashes of the release artifacts below (calculated with `openssl sha256 $file`):
Best regards, The OpenSC team |
From: Jakub J. <jj...@re...> - 2024-11-25 16:44:42
|
Hello security enthusiasts! As some of you already know, we are organizing a Security devroom again next year and we are looking for speakers! Do you have some project related to Smart cards you worked on and would like to show off? Or anything else related to Security? Submit your talk by the 1st December! It would be great to meet you in person! More information is available on the following announcement mail: https://lists.fosdem.org/pipermail/fosdem/2024q4/003556.html If you would just like to come and say hello, This is where I will be the first weekend of February! See you in Brussels! Regards, Jakub |
From: Veronika H. <vha...@re...> - 2024-11-13 12:59:53
|
Hello all, We are happy to announce the latest release of OpenSC 0.26.0. You can find the full summary of changes, release tarballs, and binaries on Github: https://github.com/OpenSC/OpenSC/releases/tag/0.26.0 From the outstanding changes, the release includes additional fixes for removing the time side-channel leakage related to RSA PKCS#1 v1.5 padding removal after decryption, unified OpenSSL logging, several features for pkcs11-tool and fixes for CVEs targeting uninitialized memory problems. For the full changelog, please refer to the NEWS file: https://github.com/OpenSC/OpenSC/blob/master/NEWS It is recommended to use the last version (or your distribution's latest maintained version) due to published PoC with Kerberos to side-channel leaking while RSA PKCS#1 v1.5 padding. Details can be found here: https://github.com/OpenSC/OpenSC/security/advisories/GHSA-h6ww-xfc2-jw4h The Windows binaries contain signed installers provided by Signpath.io. The macOS installer is signed by Tim Wilbrink, as in previous releases. 
You can find SHA-256 hashes of the release artifacts below (calculated with `openssl sha256 $file`):
Best regards, The OpenSC team |
From: Frank M. <fra...@gm...> - 2024-11-08 20:15:48
|
Hi! I have just now enabled private security reporting on Github: https://github.com/OpenSC/pam_pkcs11/security Regards, Frank. On 07.11.24 at 14:02, mat...@su... wrote: > Hello list, > > I am looking for a contact to privately report a security issue in > the pam_pkcs11 code base. Can you help me out in this regard? > > Thanks > > Matthias > > > > _______________________________________________ > Opensc-devel mailing list > Ope...@li... > https://lists.sourceforge.net/lists/listinfo/opensc-devel |
From: <mat...@su...> - 2024-11-07 13:02:44
|
Hello list, I am looking for a contact to privately report a security issue in the pam_pkcs11 code base. Can you help me out in this regard? Thanks Matthias -- Matthias Gerstner <mat...@su...> Security Engineer https://www.suse.com/security GPG Key ID: 0x14C405C971923553 SUSE Software Solutions Germany GmbH HRB 36809, AG Nürnberg Geschäftsführer: Ivo Totev, Andrew McDonald, Werner Knoblich |
From: Jakub J. <jj...@re...> - 2024-09-11 17:26:35
|
Hello all, You can find a release candidate for OpenSC version 0.26.0 for testing on Github: https://github.com/OpenSC/OpenSC/releases/tag/0.26.0-rc1 From the outstanding changes, the release includes additional fixes for removing the time side-channel leakage related to RSA PKCS#1 v1.5 padding removal after decryption, unified OpenSSL logging, several features for pkcs11-tool and fixes for CVEs targeting uninitialized memory problems. For the full changelog, please refer to the NEWS file: https://github.com/OpenSC/OpenSC/blob/master/NEWS We are looking forward to your feedback, which we may discuss via this mailing list or GitHub: https://github.com/OpenSC/OpenSC/issues/3223 Advises for systematic testing can be found here: https://github.com/OpenSC/OpenSC/wiki/Smart-Card-Release-Testing We would like to release the final version in a few weeks. After that, it is recommended to use the last version (or your distribution's latest maintained version) due to published PoC with Kerberos to side-channel leaking while RSA PKCS#1 v1.5 padding. Details can be found here: https://github.com/OpenSC/OpenSC/security/advisories/GHSA-h6ww-xfc2-jw4h The Windows binaries contain signed installers provided by Signpath.io. The macOS installer is signed by Tim Wilbrink, as in previous releases. 
You can find SHA-256 hashes of the release artifacts below (calculated with `openssl sha256 $file`):
Best regards, The OpenSC team |
From: Jakub J. <jj...@re...> - 2024-06-12 09:17:51
|
Hello, thank you for your contributions so far! I looked through the current PR and they look good. I will keep them around for some days if others will have some other comments. On Tue, Jun 11, 2024 at 3:54 PM Alexandre Gonzalo via Opensc-devel <ope...@li...> wrote: > [...] > Ed25519, x25519, ed448 and x448 There is a large PR reworking the edwards and montgomery curves here: https://github.com/OpenSC/OpenSC/pull/3090 It touches the pkcs11-tool too, but is not yet in the state to get merged so if you will have some small self-contained changes, they would be welcomed. > CKM_AES_CMAC & CKM_AES_CMAC_GENERAL I think CKM_AES_CMAC should already work in pkcs11-tool, but double-checking or fixing would be welcomed. > CKM_AES_GCM > CKM_AES_KEY_WRAP_PAD From my side, I do not have any specific use for these, but there is some basic support for wrapping and symmetric encryption. We had previous attempts to contribute the GCM support, but the reporter never came back (but some comments or code might be useful): https://github.com/OpenSC/OpenSC/pull/2927 In any case, it would be good to have some test coverage for the new options and use cases to make sure they keep working. We are running some tests against few HW tokens we have in https://gitlab.com/redhat-crypto/OpenSC from the gitlab mirror. If there would be a way to run some tests against your HSM directly in CI, that would be awesome (feel free to contact me privately for details). If not, in tests/ we have couple of scripts running against softhsm that could be extended. If something is not supported by SoftHSM, it might make sense to have a look into NSS softoken (I can probably help there). Jakub |
From: Alexandre G. <ale...@tr...> - 2024-06-11 13:53:20
|
Hi OpenSC developers,

Today, I created 5 new pull requests:

* feat(pkcs11-tool): don't limit object size to 5000 bytes <https://github.com/OpenSC/OpenSC/pull/3174>
* feat(pkcs11-tool): add support for RSA OAEP encryption <https://github.com/OpenSC/OpenSC/pull/3175>
* feat(pkcs11-tool): set CKA_PRIVATE=CK_TRUE if the --private option is… <https://github.com/OpenSC/OpenSC/pull/3177>
* feat(pkcs11-tool): an invalid signature is a fatal error <https://github.com/OpenSC/OpenSC/pull/3178>
* feat(pkcs11-tool): remove useless calls to token in show_dobj() <https://github.com/OpenSC/OpenSC/pull/3179>

We are intensively using the pkcs11-tool and the OpenSC/libp11 engine for the validation of our Trustonic HSM. It would be great if you could review my changes and provide your feedback. I have other changes but I need to rebase them to the head of master since we are using an old version of the pkcs11-tool (0.23.0-rc1). Moreover, at the moment, I can only test with OpenSSL 1.1.1l. We plan to move to OpenSSL 3 but that won't probably happen before the end of the year.

I would like to know if you want us to create new PRs for:

* Ed25519, x25519, ed448 and x448
* CKM_AES_CMAC & CKM_AES_CMAC_GENERAL
* CKM_AES_GCM
* CKM_AES_KEY_WRAP_PAD

Best Regards, Alexandre.

Trustonic SAS - 535 route de Lucioles, Les Aqueducs Batiment 2, Sophia Antipolis 06560 Valbonne, France – SAS au capital de 3 038 000€ - RCS Grasse – SIRET 480 011 998 00055 - TVA intracommunautaire : FR02 480 011 998 |
From: Veronika H. <vha...@re...> - 2024-04-05 13:30:49
|
Hello all, We are happy to announce the latest release of OpenSC 0.25.1. You can find the full summary of changes, release tarballs, and binaries on Github: https://github.com/OpenSC/OpenSC/releases/tag/0.25.1 The changes include two fixes for minidriver - corrected RSA decryption with PKCS#1 v1.5 padding and fix for crash when app is not set. It also resolves the issue of not compiling documentation from a release tarball. For the full changelog, please refer to the NEWS file: https://github.com/OpenSC/OpenSC/blob/master/NEWS The Windows binaries contain signed installers provided by Signpath.io. The macOS installer is signed by Tim Wilbrink, as in previous releases. You can find SHA-256 hashes of the release artifacts below (calculated with `openssl sha256 $file`):
Regards, Veronika Hanulíková and the OpenSC team |
From: Ludovic R. <lud...@gm...> - 2024-03-22 09:08:22
|
Hello, On Fri, 22 Mar 2024 at 00:23, <dge...@wo...> wrote: > > Good night, > > My usb smart card is ok with ccid (https://ccid.apdu.fr/ccid/supported.html#0x09C30x0014) et pcsc-lite but I block with opensc. > https://smartcard-atr.apdu.fr/parse?ATR=3b%3A7d%3A18%3A00%3A00%3A00%3A48%3A79%3A70%3A73%3A49%3A44%3A20%3A53%3A33%3A07%3A90%3A00 > ~# opensc-tool -ln > # Detected readers (pcsc) > Nr. Card Features Name > 0 Yes ActivIdentity Activkey_Sim [CCID Bulk Interface] 00 00 > Using reader with a card: ActivIdentity Activkey_Sim [CCID Bulk Interface] 00 00 > Unsupported card Your smart card reader "ActivIdentity Activkey Sim" works fine. But the smart card "Safran Morpho YpsID S3" inside the reader is not supported by OpenSC. You can try to find the equivalent of "MiddleWare Morpho v7.0.1" for GNU/Linux. Maybe Morpho provides it. Bye -- Dr. Ludovic Rousseau |
From: <dge...@wo...> - 2024-03-22 08:41:55
|
Same with the latest commit just compiled: # opensc-tool --version OpenSC-0.24.0-202-g993e6469, rev: 993e6469, commit-time: 2024-03-21 15:36:12 +0100 On 22/03/24 09:13, dge...@wo... wrote: >On 21/03/24 20:39, Douglas E Engert wrote: >>Looks like just a fingerprint reader, not a smart card with keys and certificates that would be need with firefox. >>Google for: Safran Morpho YpsID S3 >>https://www.biotime-technology.com/en/fingerprint-sensors/morphosmart-1300/ > >I think it's a key with a client certificate inside for access https://portail-sge-v2.enedis.fr (this usb key is supplied by ENEDIS (the French supervisor of electric power distribution) to access its portal) cf. photos in attachment > >In attachment too: > >- PKI guide supplied with the key (in French but screenshot of firefox configuration is clear) >- The output of `OPENSC_DEBUG=9 pkcs11-tool --test --login` (lots of File not found but key LED blinks a lot) > >version : opensc-0.22.0-x86_64[-1alien] > >Thx a lot. > >>On 3/21/2024 6:10 PM, dge...@wo... wrote: >>>Good night, >>> >>>My usb smart card is ok with ccid (https://ccid.apdu.fr/ccid/supported.html#0x09C30x0014) et pcsc-lite but I block with opensc. >>>https://smartcard-atr.apdu.fr/parse?ATR=3b%3A7d%3A18%3A00%3A00%3A00%3A48%3A79%3A70%3A73%3A49%3A44%3A20%3A53%3A33%3A07%3A90%3A00 >>>~# opensc-tool -ln >>># Detected readers (pcsc) >>>Nr. Card Features Name >>>0 Yes ActivIdentity Activkey_Sim [CCID Bulk Interface] 00 00 >>>Using reader with a card: ActivIdentity Activkey_Sim [CCID Bulk Interface] 00 00 >>>Unsupported card >>> >>>I didn't ask me for my pin: >>>~# pkcs11-tool --login -O >>>Using slot 0 with a present token (0x0) >>>error: PKCS11 function C_GetTokenInfo failed: rv = CKR_TOKEN_NOT_RECOGNIZED (0xe1) >>>Aborting. 
>>> >>>~# pkcs15-tool --pin 0001 -D >>>Using reader with a card: ActivIdentity Activkey_Sim [CCID Bulk Interface] 00 00 >>>Failed to connect to card: Card is invalid or cannot be handled >>> >>>I choose driver randomly (there are 2 or 3 drivers who answer by their name (instead "Unsupported card")) : >>>~# opensc-tool -ln -c muscle >>># Detected readers (pcsc) >>>Nr. Card Features Name >>>0 Yes ActivIdentity Activkey_Sim [CCID Bulk Interface] 00 00 >>>Using reader with a card: ActivIdentity Activkey_Sim [CCID Bulk Interface] 00 00 >>>MuscleApplet >>> >>>My goal is to connect this security device in firefox's certificat to access https://portail-sge-v2.enedis.fr/accueil >>> >>>Very thx in advance. >>> >>>ps: Under Windows, I can if you want to give you : MiddleWare\ Morpho\ v7.0.1_Install.exe and its configuration file (but I'm under Linux (slackware)) |
From: <dge...@wo...> - 2024-03-22 08:14:09
|
On 21/03/24 20:39, Douglas E Engert wrote: >Looks like just a fingerprint reader, not a smart card with keys and certificates that would be need with firefox. >Google for: Safran Morpho YpsID S3 >https://www.biotime-technology.com/en/fingerprint-sensors/morphosmart-1300/ I think it's a key with a client certificate inside for access https://portail-sge-v2.enedis.fr (this usb key is supplied by ENEDIS (the French supervisor of electric power distribution) to access its portal) cf. photos in attachment In attachment too: - PKI guide supplied with the key (in French but screenshot of firefox configuration is clear) - The output of `OPENSC_DEBUG=9 pkcs11-tool --test --login` (lots of File not found but key LED blinks a lot) version : opensc-0.22.0-x86_64[-1alien] Thx a lot. >On 3/21/2024 6:10 PM, dge...@wo... wrote: >>Good night, >> >>My usb smart card is ok with ccid (https://ccid.apdu.fr/ccid/supported.html#0x09C30x0014) et pcsc-lite but I block with opensc. >>https://smartcard-atr.apdu.fr/parse?ATR=3b%3A7d%3A18%3A00%3A00%3A00%3A48%3A79%3A70%3A73%3A49%3A44%3A20%3A53%3A33%3A07%3A90%3A00 >>~# opensc-tool -ln >># Detected readers (pcsc) >>Nr. Card Features Name >>0 Yes ActivIdentity Activkey_Sim [CCID Bulk Interface] 00 00 >>Using reader with a card: ActivIdentity Activkey_Sim [CCID Bulk Interface] 00 00 >>Unsupported card >> >>I didn't ask me for my pin: >>~# pkcs11-tool --login -O >>Using slot 0 with a present token (0x0) >>error: PKCS11 function C_GetTokenInfo failed: rv = CKR_TOKEN_NOT_RECOGNIZED (0xe1) >>Aborting. >> >>~# pkcs15-tool --pin 0001 -D >>Using reader with a card: ActivIdentity Activkey_Sim [CCID Bulk Interface] 00 00 >>Failed to connect to card: Card is invalid or cannot be handled >> >>I choose driver randomly (there are 2 or 3 drivers who answer by their name (instead "Unsupported card")) : >>~# opensc-tool -ln -c muscle >># Detected readers (pcsc) >>Nr. 
Card Features Name >>0 Yes ActivIdentity Activkey_Sim [CCID Bulk Interface] 00 00 >>Using reader with a card: ActivIdentity Activkey_Sim [CCID Bulk Interface] 00 00 >>MuscleApplet >> >>My goal is to connect this security device in firefox's certificat to access https://portail-sge-v2.enedis.fr/accueil >> >>Very thx in advance. >> >>ps: Under Windows, I can if you want to give you : MiddleWare\ Morpho\ v7.0.1_Install.exe and its configuration file (but I'm under Linux (slackware)) > >-- > > Douglas E. Engert <DEE...@gm...> > > > >_______________________________________________ >Opensc-devel mailing list >Ope...@li... >https://lists.sourceforge.net/lists/listinfo/opensc-devel |
From: Douglas E E. <dee...@gm...> - 2024-03-22 01:40:06
|
Looks like just a fingerprint reader, not a smart card with keys and certificates that would be need with firefox. Google for: Safran Morpho YpsID S3 https://www.biotime-technology.com/en/fingerprint-sensors/morphosmart-1300/ On 3/21/2024 6:10 PM, dge...@wo... wrote: > Good night, > > My usb smart card is ok with ccid (https://ccid.apdu.fr/ccid/supported.html#0x09C30x0014) et pcsc-lite but I block with opensc. > https://smartcard-atr.apdu.fr/parse?ATR=3b%3A7d%3A18%3A00%3A00%3A00%3A48%3A79%3A70%3A73%3A49%3A44%3A20%3A53%3A33%3A07%3A90%3A00 > ~# opensc-tool -ln > # Detected readers (pcsc) > Nr. Card Features Name > 0 Yes ActivIdentity Activkey_Sim [CCID Bulk Interface] 00 00 > Using reader with a card: ActivIdentity Activkey_Sim [CCID Bulk Interface] 00 00 > Unsupported card > > I didn't ask me for my pin: > ~# pkcs11-tool --login -O > Using slot 0 with a present token (0x0) > error: PKCS11 function C_GetTokenInfo failed: rv = CKR_TOKEN_NOT_RECOGNIZED (0xe1) > Aborting. > > ~# pkcs15-tool --pin 0001 -D > Using reader with a card: ActivIdentity Activkey_Sim [CCID Bulk Interface] 00 00 > Failed to connect to card: Card is invalid or cannot be handled > > I choose driver randomly (there are 2 or 3 drivers who answer by their name (instead "Unsupported card")) : > ~# opensc-tool -ln -c muscle > # Detected readers (pcsc) > Nr. Card Features Name > 0 Yes ActivIdentity Activkey_Sim [CCID Bulk Interface] 00 00 > Using reader with a card: ActivIdentity Activkey_Sim [CCID Bulk Interface] 00 00 > MuscleApplet > > My goal is to connect this security device in firefox's certificat to access https://portail-sge-v2.enedis.fr/accueil > > Very thx in advance. > > ps: Under Windows, I can if you want to give you : MiddleWare\ Morpho\ v7.0.1_Install.exe and its configuration file (but I'm under Linux (slackware)) -- Douglas E. Engert <DEE...@gm...> |
From: <dge...@wo...> - 2024-03-21 23:23:13
|
Good night, My usb smart card is ok with ccid (https://ccid.apdu.fr/ccid/supported.html#0x09C30x0014) et pcsc-lite but I block with opensc. https://smartcard-atr.apdu.fr/parse?ATR=3b%3A7d%3A18%3A00%3A00%3A00%3A48%3A79%3A70%3A73%3A49%3A44%3A20%3A53%3A33%3A07%3A90%3A00 ~# opensc-tool -ln # Detected readers (pcsc) Nr. Card Features Name 0 Yes ActivIdentity Activkey_Sim [CCID Bulk Interface] 00 00 Using reader with a card: ActivIdentity Activkey_Sim [CCID Bulk Interface] 00 00 Unsupported card I didn't ask me for my pin: ~# pkcs11-tool --login -O Using slot 0 with a present token (0x0) error: PKCS11 function C_GetTokenInfo failed: rv = CKR_TOKEN_NOT_RECOGNIZED (0xe1) Aborting. ~# pkcs15-tool --pin 0001 -D Using reader with a card: ActivIdentity Activkey_Sim [CCID Bulk Interface] 00 00 Failed to connect to card: Card is invalid or cannot be handled I choose driver randomly (there are 2 or 3 drivers who answer by their name (instead "Unsupported card")) : ~# opensc-tool -ln -c muscle # Detected readers (pcsc) Nr. Card Features Name 0 Yes ActivIdentity Activkey_Sim [CCID Bulk Interface] 00 00 Using reader with a card: ActivIdentity Activkey_Sim [CCID Bulk Interface] 00 00 MuscleApplet My goal is to connect this security device in firefox's certificat to access https://portail-sge-v2.enedis.fr/accueil Very thx in advance. ps: Under Windows, I can if you want to give you : MiddleWare\ Morpho\ v7.0.1_Install.exe and its configuration file (but I'm under Linux (slackware)) -- @++ |
From: Veronika H. <vha...@re...> - 2024-03-06 12:41:55
|
Hello all, We are happy to announce the latest release of OpenSC 0.25.0. You can find the full summary of changes, release tarballs, and binaries on Github: https://github.com/OpenSC/OpenSC/releases/tag/0.25.0 The notable changes include removing the time side-channel leakage related to RSA PKCS#1 v1.5 padding removal after decryption and new configuration option for disabling PKCS#1 v1.5 depadding on the card. We also implemented a fix for a potential memory security issue in the AuthentIC driver discovered by OSS-Fuzz, added support for RSA D-Trust signature cards, and removed support for some old card drivers. For the full changelog, please refer to the NEWS file: https://github.com/OpenSC/OpenSC/blob/master/NEWS The Windows binaries contain signed installers provided by Signpath.io. The macOS installer is signed by Tim Wilbrink, as in previous releases. You can find SHA-256 hashes of the release artifacts below (calculated with `openssl sha256 $file`):
Regards, Veronika Hanulíková and the OpenSC team |
From: Frank M. <fra...@gm...> - 2024-02-27 14:42:41
|
Hello everyone, I just updated the Windows binaries for this release candidate with a signed installer, which is thankfully provided by Signpath.io. Also, the macOS installer is signed by Tim Wilbrink as in previous releases. Additionally, you can find the SHA-256 hashes of the release artifacts below (calculated with `openssl sha256 $file`):
Regards, Frank. On Mon, 19 Feb 2024 at 12:14, Veronika Hanulíková <vha...@re...> wrote: > > Hello all, > > > You can find a release candidate for OpenSC version 0.25.0 for testing > > on Github: > > https://github.com/OpenSC/OpenSC/releases/tag/0.25.0-rc1 > > > > The changes include removing the time side-channel leakage related > to RSA PKCS#1 v1.5 padding removal after decryption and new configuration > > option for disabling PKCS#1 v1.5 depadding on the card. 
We also implemented > > a fix for a potential memory security issue in the AuthentIC driver > discovered by OSS-Fuzz, added support for RSA D-Trust signature cards, > and removed support for some old card drivers. > > > > For the full changelog, please refer to the NEWS file: > > https://github.com/OpenSC/OpenSC/blob/master/NEWS > > > We are looking forward to your feedback, which we may discuss via this > > mailing list or GitHub: > > https://github.com/OpenSC/OpenSC/issues/3017 > > > Advises for systematic testing can be found here: > > > https://github.com/OpenSC/OpenSC/wiki/Smart-Card-Release-Testing > > > We would like to release the final version in a few weeks. > > > Regards, > > Veronika Hanulíková > > and the OpenSC team > > _______________________________________________ > Opensc-announce mailing list > Ope...@li... > https://lists.sourceforge.net/lists/listinfo/opensc-announce |
From: Veronika H. <vha...@re...> - 2024-02-19 11:14:06
|
Hello all, You can find a release candidate for OpenSC version 0.25.0 for testing on Github: https://github.com/OpenSC/OpenSC/releases/tag/0.25.0-rc1 The changes include removing the time side-channel leakage related to RSA PKCS#1 v1.5 padding removal after decryption and new configuration option for disabling PKCS#1 v1.5 depadding on the card. We also implemented a fix for a potential memory security issue in the AuthentIC driver discovered by OSS-Fuzz, added support for RSA D-Trust signature cards, and removed support for some old card drivers. For the full changelog, please refer to the NEWS file: https://github.com/OpenSC/OpenSC/blob/master/NEWS We are looking forward to your feedback, which we may discuss via this mailing list or GitHub: https://github.com/OpenSC/OpenSC/issues/3017 Advises for systematic testing can be found here: https://github.com/OpenSC/OpenSC/wiki/Smart-Card-Release-Testing We would like to release the final version in a few weeks. Regards, Veronika Hanulíková and the OpenSC team |
From: Jakub J. <jj...@re...> - 2023-12-13 11:12:53
|
Hello all, We are happy to announce the latest release of OpenSC 0.24.0. You can find the full summary of changes, release tarballs and binaries on Github: https://github.com/OpenSC/OpenSC/releases/tag/0.24.0 The notable changes include fixes for potential PIN bypass as well as several potentially security related memory or buffer issues found by oss-fuzz. We also enabled file caching by default, improved support for several IDPrime card types, implemented Secure Messaging for PIV and added support for EC in Minidriver. For full changelog, please refer to the NEWS file: https://github.com/OpenSC/OpenSC/blob/master/NEWS Regards, Jakub Jelen and the OpenSC team |
From: Jakub J. <jj...@re...> - 2023-11-20 16:47:22
|
Hi all,

The rc2 was just published with dozens of bugfixes since the last rc1 (slightly more than we hoped for):
https://github.com/OpenSC/OpenSC/releases/tag/0.24.0-rc2

If you have a minute, please give it a test run and let us know if you find an issue. We expect to get the final release out later this month.

Thanks for your patience,
Jakub

On Mon, Sep 25, 2023 at 1:30 PM Jakub Jelen <jj...@re...> wrote:
>
> Hello all,
>
> The time in the year has come again!
>
> You can find a release candidate for OpenSC version 0.24.0 for testing
> on GitHub:
> https://github.com/OpenSC/OpenSC/releases/tag/0.24.0-rc1
>
> The notable changes include potential PIN bypass in PIV driver as well
> as several potentially security-related memory or buffer issues found by
> oss-fuzz. We also enabled file caching by default, improved support for
> several IDPrime card types, implemented Secure Messaging for PIV and
> added support for EC in Minidriver.
>
> For the full changelog, please refer to the NEWS file:
> https://github.com/OpenSC/OpenSC/blob/master/NEWS
>
> We are looking forward to your feedback, which we may discuss via this
> mailing list or GitHub:
> https://github.com/OpenSC/OpenSC/issues/2792
>
> Advice for systematic testing can be found here:
> https://github.com/OpenSC/OpenSC/wiki/Smart-Card-Release-Testing
>
> We would like to release the final version in a few weeks.
>
> Regards,
> Jakub Jelen
> and the OpenSC team |
From: Jakub J. <jj...@re...> - 2023-09-25 11:30:37
|
Hello all,

The time in the year has come again!

You can find a release candidate for OpenSC version 0.24.0 for testing on GitHub:
https://github.com/OpenSC/OpenSC/releases/tag/0.24.0-rc1

The notable changes include potential PIN bypass in PIV driver as well as several potentially security-related memory or buffer issues found by oss-fuzz. We also enabled file caching by default, improved support for several IDPrime card types, implemented Secure Messaging for PIV and added support for EC in Minidriver.

For the full changelog, please refer to the NEWS file:
https://github.com/OpenSC/OpenSC/blob/master/NEWS

We are looking forward to your feedback, which we may discuss via this mailing list or GitHub:
https://github.com/OpenSC/OpenSC/issues/2792

Advice for systematic testing can be found here:
https://github.com/OpenSC/OpenSC/wiki/Smart-Card-Release-Testing

We would like to release the final version in a few weeks.

Regards,
Jakub Jelen
and the OpenSC team |