opensc-devel — discussion of developement of OpenSC and related projects

Re: [Opensc-devel] [GitHub] ChatGPT Connector is requesting updated permissions

[Graham L. <mi...@sh...>]

On 19 Jul 2025, at 22:44, Michał Trojnara via Opensc-devel <ope...@li...> wrote:

> Ondřej Surý <on...@su...> wrote: 
> > Who would be author then to give copyright assignment to the project and who owns the IP to the LLM generated code? 
> 
> I will.

You won't, and this has been settled in law.

https://en.wikipedia.org/wiki/Monkey_selfie_copyright_dispute

Regards,
Graham
--

Re: [Opensc-devel] Odp: Odp: Fwd: [GitHub] ChatGPT Connector is requesting updated permissions

[Paul W. <ma...@al...>]

В Mon, 21 Jul 2025 14:44:08 +0200
Juraj Šarinay <ju...@sa...> пишет:

> > the legal status of AI-generated code is still under debate  
> 
> The current (rather clear) status means that such code simply cannot be
> included in OpenSC or indeed in any free software.

  Very interesting, and very important! Don't you know, is there any
deeper research about the subject?

Re: [Opensc-devel] Odp: Odp: Fwd: [GitHub] ChatGPT Connector is requesting updated permissions

[Juraj Š. <ju...@sa...>]

On Sat, 2025-07-19 at 23:44 +0200, Michał Trojnara via Opensc-devel 
wrote:

> > Who would be author then to give copyright assignment to the
> > project and who owns the IP to the LLM generated code?
> 
> I will.

Dear Michał

I understand you intend to mislead others about code authorship. This
might put the project at risk. As if merging LLM-generated garbage were
not risky enough...

> You could argue the same about any output of non-AI code generators
> and/or compilers. I respectfully disagree. I came up with the prompt,
> and I retain intellectual property rights to the generated code.

A LLM merely transforms code originally written (and therefore
copyrighted) by others. To use the output, one needs permission from
the original author(s). Which is indeed how output of non-AI code
generators & compilers is normally treated.


> I myself was trained using code written (and copyrighted) by others.
> I tend to reuse good programming patterns I have seen before.

We all do that. Programming patterns are not protected by copyright.
Code is. Copy-pasting has always been risky.

> the legal status of AI-generated code is still under debate

The current (rather clear) status means that such code simply cannot be
included in OpenSC or indeed in any free software.

Best,
Juraj

Re: [Opensc-devel] Odp: Odp: Fwd: [GitHub] ChatGPT Connector is requesting updated permissions

[Michał T. <Mic...@st...>]

Hi Alex,

On 7/21/25 10:45 AM, Alexander Burke via Opensc-devel wrote:
> You can't legally do that, because the code comes from (1) a program 
> you did not write, which (2) was trained on code written (and 
> copyrighted) by others which it is regurgitating, which is also likely 
> to be licensed differently.

Ad 1. You could argue the same about any output of non-AI code 
generators and/or compilers. I respectfully disagree. I came up with the 
prompt, and I retain intellectual property rights to the generated code.

Ad 2. I myself was trained using code written (and copyrighted) by 
others. I tend to reuse good programming patterns I have seen before. 
This is how learning works. AI is no different. There is no such thing 
as 100% originality. You are always inspired by, and you always reuse, 
thoughts previously expressed by other people.

> This is what the Wikimedia Foundation has to say about it:
> https://en.wikipedia.org/wiki/Wikipedia:Large_language_models_and_copyright

Isn't it better to use a more specific source, such as 
https://openai.com/policies/terms-of-use/ ?

/As between you and OpenAI, and to the extent permitted by applicable 
law, you (a) retain your ownership rights in Input and (b) own the 
Output. We hereby assign to you all our right, title, and interest, if 
any, in and to Output. /

> This is a legal and technical minefield and I encourage you, and the 
> project, to obtain legal advice before using this "tool".

Well, life is a legal, technical, and emotional minefield. Common sense 
helps, though.

I understand that the legal status of AI-generated code is still under 
debate, and interpretations may vary across jurisdictions. While I am 
confident in my approach, I remain open to further discussion and will 
reconsider my position if authoritative legal guidance becomes available.

Regardless of how the code is generated, I ensure that all contributions 
are diligently reviewed for license compatibility and compliance with 
project policies. I believe that maintaining these standards is 
essential for the integrity and sustainability of the project.

Have a nice day,
     Mike

[Opensc-devel] Odp: Odp: Fwd: [GitHub] ChatGPT Connector is requesting updated permissions

[Alexander B. <al...@al...>]

Hi Mike,

You can't legally do that, because the code comes from (1) a program you did not write, which (2) was trained on code written (and copyrighted) by others which it is regurgitating, which is also likely to be licensed differently.

This is what the Wikimedia Foundation has to say about it:
https://en.wikipedia.org/wiki/Wikipedia:Large_language_models_and_copyright

This is a legal and technical minefield and I encourage you, and the project, to obtain legal advice before using this "tool".

Best wishes,
Alex

[Opensc-devel] Odp: Odp: Fwd: [GitHub] ChatGPT Connector is requesting updated permissions

[Michał T. <Mic...@st...>]

Ondřej Surý <on...@su...> wrote:
> Who would be author then to give copyright assignment to the project and who owns the IP to the LLM generated code?

I will.

Best regards,
    Mike

Re: [Opensc-devel] Odp: Fwd: [GitHub] ChatGPT Connector is requesting updated permissions

[Ondřej S. <on...@su...>]

> On 18. 7. 2025, at 22:56, Michał Trojnara via Opensc-devel <ope...@li...> wrote:
> You may think of it as yet another potential (sic!) contributor.

Who would be author then to give copyright assignment to the project and who owns the IP to the LLM generated code? These are important questions that need to be answered before merging anything into an open source project under free software license.

> I've seen worse pull requests submitted by humans...

Don’t use this as argument. Ever never in any context.

Ondrej
--
Ondřej Surý (He/Him)

[Opensc-devel] Odp: Fwd: [GitHub] ChatGPT Connector is requesting updated permissions

[Michał T. <Mic...@st...>]

Hi Alex,

Alexander Burke wrote:
> Why was it given read-write access?
It can submit pull requests when ordered to do so.  Also, it was only given access to the libp11 subproject, and not the entire OpenSC.

> Are we gonna start vibe coding Open
SC?
Definitely not, although I've seen worse pull requests submitted by humans...  You may think of it as yet another potential (sic!) contributor.

Best regards,
    Mike

Re: [Opensc-devel] Fwd: [GitHub] ChatGPT Connector is requesting updated permissions

[Alexander B. <al...@al...>]

Hi Mike,

Why was it given read-write access? Are we gonna start vibe coding OpenSC?

Cheers,
Alex

Re: [Opensc-devel] Fwd: [GitHub] ChatGPT Connector is requesting updated permissions

[Michał T. <Mic...@st...>]

Hi Ludovic,

I have requested access for the ChatGPT Connector and have also handled 
the request for additional read-only access permissions. No action is 
required from you.

Please let me know if you are not comfortable with installing the 
ChatGPT Connector for libp11. The connector is simply a matter of 
convenience. It is not essential for the project, and I can remove it if 
necessary.

Best regards,
     Mike

On 7/17/25 11:10 AM, Ludovic Rousseau wrote:
> Hello,
>
> I received the request bellow from GitHub.
> I had a look at the OpenSC organisation configuration on github. For 
> now the ChatGPT Connector (installed one month ago, not by me) has 
> access to the OpenSC/libp11 project only.
>
> I don't know who installed the ChatGPT Connector.
>
> The ChatGPT Connector app by openai is requesting updated permissions
> Read-only access to Checks
> Read-only access to Members
> Read-only access to Commit statuses
>
>
> The ChatGPT Connector already has access to:
> *Read and write* access to *Actions*
> *Read and write* access to *Contents*
> *Read and write* access to *Issues*
> *Read-only* access to *Metadata*
> *Read and write* access to *Pull requests*
> *Read and write* access to *Workflows*
>
> What should I do with the new request?
>
> Bye
>
> ---------- Forwarded message ---------
> De : *GitHub* <no...@gi...>
> Date: jeu. 17 juil. 2025 à 04:38
> Subject: [GitHub] ChatGPT Connector is requesting updated permissions
> To: Ludovic Rousseau <lud...@gm... 
> <mailto:ludovic.rousseau%2Bg...@gm...>>
>
>
>   Updated Permissions Request
>
> The GitHub App ChatGPT Connector is requesting additional access to 
> your organization.
>
> Hello there!
>
> You’re receiving this email because the GitHub App *ChatGPT 
> Connector*, which is currently installed on your *OpenSC* 
> organization, has updated its permissions and is requesting additional 
> access.
>
> Review permission request to accept or reject this change 
> <https://github.com/organizations/OpenSC/settings/installations/72073247/permissions/update> 
>
>
> You may choose to ignore this request, in which case ChatGPT Connector 
> will retain its current permissions.
>
> You can view pending requests directly by visiting your organization’s 
> settings page and clicking on Applications. If you run into problems, 
> please contact support. 
> <https://support.github.com/contact?tags=dotcom-integrations>
>
> Link not working? Paste the following link into your browser:
> https://github.com/organizations/OpenSC/settings/installations/72073247/permissions/update 
>
>
> Thanks!
>
>
>
> -- 
>  Dr. Ludovic Rousseau
>
>
> _______________________________________________
> Opensc-devel mailing list
> Ope...@li...
> https://lists.sourceforge.net/lists/listinfo/opensc-devel

[Opensc-devel] Fwd: [GitHub] ChatGPT Connector is requesting updated permissions

[Ludovic R. <lud...@gm...>]

Hello,

I received the request bellow from GitHub.
I had a look at the OpenSC organisation configuration on github. For now
the ChatGPT Connector (installed one month ago, not by me) has access to
the OpenSC/libp11 project only.

I don't know who installed the ChatGPT Connector.

The ChatGPT Connector app by openai is requesting updated permissions
Read-only access to Checks
Read-only access to Members
Read-only access to Commit statuses


The ChatGPT Connector already has access to:
*Read and write* access to *Actions*
*Read and write* access to *Contents*
*Read and write* access to *Issues*
*Read-only* access to *Metadata*
*Read and write* access to *Pull requests*
*Read and write* access to *Workflows*

What should I do with the new request?

Bye

---------- Forwarded message ---------
De : GitHub <no...@gi...>
Date: jeu. 17 juil. 2025 à 04:38
Subject: [GitHub] ChatGPT Connector is requesting updated permissions
To: Ludovic Rousseau <lud...@gm...>


Updated Permissions Request

The GitHub App ChatGPT Connector is requesting additional access to your
organization.

Hello there!

You’re receiving this email because the GitHub App *ChatGPT Connector*,
which is currently installed on your *OpenSC* organization, has updated its
permissions and is requesting additional access.

Review permission request to accept or reject this change
<https://github.com/organizations/OpenSC/settings/installations/72073247/permissions/update>

You may choose to ignore this request, in which case ChatGPT Connector will
retain its current permissions.

You can view pending requests directly by visiting your organization’s
settings page and clicking on Applications. If you run into problems,
please contact support.
<https://support.github.com/contact?tags=dotcom-integrations>

Link not working? Paste the following link into your browser:
https://github.com/organizations/OpenSC/settings/installations/72073247/permissions/update

Thanks!



-- 
 Dr. Ludovic Rousseau

Re: [Opensc-devel] Support for the Montenegrin eID

[dzeri96 <dz...@pr...>]

I just got the card this year so you might be mixing me up with somebody.

I want to delay the reverse-engineering of Athena OpenID for three reasons:

1.  Signing stuff is actually the last thing on my wish-list. I'm more interested in the identification data and the activation procedure. The tool seems to only do signing so reverse-engineering it probably won't help me much.
2.  The 2 AIDs related to IAS ECC (starting with E8 28 BD 08 0F) are already mentioned in https://github.com/OpenSC/OpenSC/blob/master/etc/opensc.conf.example.in. Someone put them there so someone must know what they do. This leads me to believe that there must be a specification floating out there somewhere.
3.  Obviously, it's very time-consuming.


I've been reading the IAS ECC spec more thoroughly and chapter 10.4 describes Cryptographic Information Applications whose IDs start with the above-mentioned prefix and continue with the AID of the application they refer to.

My card seems to contradict this since, for example 50 45 43 43 2D 65 49 44,  is not a selectable AID, it just spells out PECC-eID.


I don't know... I think getting my hands on the ChipDocs User Manual from NXP would potentially clear up some things, but they only give it to trusted partners apparently.


Cheers,
Dzeri96
On Saturday, 26 April 2025 at 10:49, Vincent Le Toux <vin...@my...> wrote:

> Inside the middleware, there is a minidriver named ciamd.dll
> 

> What I would suggest is to write a program like the one I wrote here (https://github.com/vletoux/openpgpmdrv/tree/master/OpenPGPminidriverTest) that connects to the minidriver and realize basic functions (enumerating public keys, certificates, encrypts, change pin, etc).
> You can add a hook to dump the instructions sent to the card.
> 

> You can use the following code to hook the SCardTransmit function:
> 

> 

> void PrintHexToDebug(const BYTE* buffer, DWORD length) {
> // Allocate memory dynamically
> TCHAR* hexStr = (TCHAR*)malloc((3 * length + 1) * sizeof(TCHAR));
> if (hexStr == NULL) {
> OutputDebugString(TEXT("Memory allocation failed\n"));
> return;
> }
> 

> for (DWORD i = 0; i < length; i++) {
> _stprintf_s(&hexStr[i * 3], 4, TEXT("%02X "), buffer[i]);
> }
> hexStr[3 * length] = '\0';
> OutputDebugString(hexStr);
> 

> // Free the allocated memory
> free(hexStr);
> }
> 

> LONG WINAPI MySCardTransmit(
> SCARDHANDLE hCard,
> LPCSCARD_IO_REQUEST pioSendPci,
> LPCBYTE pbSendBuffer,
> DWORD cbSendLength,
> LPSCARD_IO_REQUEST pioRecvPci,
> LPBYTE pbRecvBuffer,
> LPDWORD pcbRecvLength
> ) {
> // Trace the input buffer
> OutputDebugString(TEXT("pbSendBuffer: "));
> PrintHexToDebug(pbSendBuffer, cbSendLength);
> OutputDebugString(TEXT("\n"));
> // Call the original SCardTransmit
> LONG result = SCardTransmit(hCard, pioSendPci, pbSendBuffer, cbSendLength, pioRecvPci, pbRecvBuffer, pcbRecvLength);
> 

> // Write the return code as hex
> TCHAR returnCodeStr[30];
> _stprintf_s(returnCodeStr, ARRAYSIZE(returnCodeStr), TEXT("Return code: %08X\n"), result);
> OutputDebugString(returnCodeStr);
> 

> // If the return code is successful, dump the output buffer
> if (result == SCARD_S_SUCCESS && pcbRecvLength && pbRecvBuffer) {
> (TEXT("pbRecvBuffer: "));
> PrintHexToDebug(pbRecvBuffer, *pcbRecvLength);
> OutputDebugString(TEXT("\n"));
> }
> 

> return result;
> }
> 

> VOID EnableHook(HMODULE hModule)
> {
> HMODULE hScard = LoadLibrary(TEXT("Winscard.dll"));
> PROC pfnScardTransmit = GetProcAddress(hScard, "SCardTransmit");
> PIMAGE_DOS_HEADER pDosHeader = (PIMAGE_DOS_HEADER)hModule;
> PIMAGE_NT_HEADERS pNtHeaders = (PIMAGE_NT_HEADERS)((BYTE*)hModule + pDosHeader->e_lfanew);
> PIMAGE_IMPORT_DESCRIPTOR pImportDesc = (PIMAGE_IMPORT_DESCRIPTOR)((BYTE*)hModule + pNtHeaders->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress);
> 

> while (pImportDesc->Name) {
> LPCSTR pszModName = (LPCSTR)((BYTE*)hModule + pImportDesc->Name);
> if (_stricmp(pszModName, "Winscard.dll") == 0) {
> PIMAGE_THUNK_DATA pThunk = (PIMAGE_THUNK_DATA)((BYTE*)hModule + pImportDesc->FirstThunk);
> while (pThunk->u1.Function) {
> PROC* ppfn = (PROC*)&pThunk->u1.Function;
> if (*ppfn == (PROC)pfnScardTransmit) {
> DWORD oldProtect;
> VirtualProtect(ppfn, sizeof(PROC), PAGE_EXECUTE_READWRITE, &oldProtect);
> *ppfn = (PROC)MySCardTransmit;
> VirtualProtect(ppfn, sizeof(PROC), oldProtect, &oldProtect);
> }
> pThunk++;
> }
> break;
> }
> pImportDesc++;
> }
> }
> 

> 

> And to initialize the minidriver:
> 

> 

> DWORD Connect(BOOL fSystemDll = TRUE)
> {
> DWORD dwReturn = 0;
> SCARDCONTEXT hSCardContext = NULL;
> SCARDHANDLE hSCardHandle = NULL;
> TCHAR szCardModule[256];
> TCHAR szReader[256];
> DWORD dwCardModuleSize = ARRAYSIZE(szCardModule);
> DWORD dwReaderSize = ARRAYSIZE(szReader);
> OPENCARDNAME_EX dlgStruct;
> PFN_CARD_ACQUIRE_CONTEXT pfnCardAcquireContext;
> 

> __try
> {
> // find a smart card
> /////////////////////
> 

> dwReturn = SCardEstablishContext(SCARD_SCOPE_USER,
> NULL,
> NULL,
> &hSCardContext);
> if (SCARD_S_SUCCESS != dwReturn)
> {
> __leave;
> }
> 

> // Initialize the structure.
> memset(&dlgStruct, 0, sizeof(dlgStruct));
> dlgStruct.dwStructSize = sizeof(dlgStruct);
> dlgStruct.hSCardContext = hSCardContext;
> dlgStruct.dwFlags = SC_DLG_MINIMAL_UI;
> dlgStruct.lpstrRdr = szReader;
> dlgStruct.nMaxRdr = dwReaderSize;
> dlgStruct.lpstrCard = szCard;
> dlgStruct.nMaxCard = ARRAYSIZE(szCard);
> dlgStruct.lpstrTitle = L"Select Card";
> dlgStruct.dwShareMode = 0;
> // Display the select card dialog box.
> dwReturn = SCardUIDlgSelectCard(&dlgStruct);
> if (SCARD_S_SUCCESS != dwReturn)
> {
> __leave;
> }
> 

> // find the dll path / name
> ////////////////////////////
> if (fSystemDll)
> {
> 

> 

> dwReturn = SCardGetCardTypeProviderName(
> hSCardContext,
> szCard,
> SCARD_PROVIDER_CARD_MODULE,
> (PTSTR)&szCardModule,
> &dwCardModuleSize);
> if (0 == dwCardModuleSize)
> {
> dwReturn = (DWORD)SCARD_E_UNKNOWN_CARD;
> __leave;
> }
> }
> else
> {
> #ifdef _M_X64
> _tcscpy_s(szCardModule, dwCardModuleSize, TEXT("Name of the dll.dll"));
> #else
> _tcscpy_s(szCardModule, dwCardModuleSize, TEXT("Name of the dll.dll"));
> #endif
> }
> // connect to the smart card
> ////////////////////////////
> DWORD dwProtocol, dwState;
> dwReturn = SCardConnect(hSCardContext, szReader, SCARD_SHARE_SHARED, SCARD_PROTOCOL_T1 | SCARD_PROTOCOL_T0, &hSCardHandle, &dwProtocol);
> if (SCARD_S_SUCCESS != dwReturn)
> {
> __leave;
> }
> atr.cbAtr = 32;
> dwReturn = SCardStatus(hSCardHandle, szReader, &dwReaderSize, &dwState, &dwProtocol, atr.rgbAtr, &atr.cbAtr);
> if (SCARD_S_SUCCESS != dwReturn)
> {
> __leave;
> }
> // load
> ////////
> if (NULL == (hModule = LoadLibrary(szCardModule)))
> {
> dwReturn = GetLastError();
> __leave;
> }
> if (fSystemDll)
> {
> EnableHook(hModule);
> }
> if (NULL == (pfnCardAcquireContext =
> (PFN_CARD_ACQUIRE_CONTEXT)GetProcAddress(
> hModule, "CardAcquireContext")))
> {
> dwReturn = GetLastError();
> __leave;
> }
> // initialize context
> //////////////////////
> pCardData = &CardData;
> pCardData->dwVersion = CARD_DATA_CURRENT_VERSION;
> pCardData->pfnCspAlloc = _Alloc;
> pCardData->pfnCspFree = _Free;
> pCardData->pfnCspReAlloc = _ReAlloc;
> pCardData->pfnCspCacheAddFile = _CacheAddFileStub;
> pCardData->pfnCspCacheLookupFile = _CacheLookupFileStub;
> pCardData->pfnCspCacheDeleteFile = _CacheDeleteFileStub;
> pCardData->hScard = hSCardHandle;
> pCardData->hSCardCtx = hSCardContext;
> pCardData->cbAtr = atr.cbAtr;
> pCardData->pbAtr = atr.rgbAtr;
> pCardData->pwszCardName = szCard;
> //dwReturn = SCardBeginTransaction(hSCardHandle);
> if (SCARD_S_SUCCESS != dwReturn)
> {
> __leave;
> }
> dwReturn = pfnCardAcquireContext(pCardData, 0);
> }
> __finally
> {
> if (dwReturn != 0)
> {
> if (hSCardHandle)
> {
> SCardEndTransaction(hSCardHandle, SCARD_LEAVE_CARD);
> SCardDisconnect(hSCardHandle, 0);
> }
> if (hSCardContext)
> SCardReleaseContext(hSCardContext);
> }
> }
> return dwReturn;
> }
> 

> DWORD Disconnect()
> {
> DWORD dwReturn = 0;
> if (pCardData)
> {
> if (pCardData->hScard)
> {
> SCardEndTransaction(pCardData->hScard, SCARD_LEAVE_CARD);
> SCardDisconnect(pCardData->hScard, 0);
> }
> if (pCardData->hSCardCtx)
> SCardReleaseContext(pCardData->hSCardCtx);
> pCardData = NULL;
> }
> else
> {
> dwReturn = SCARD_E_COMM_DATA_LOST;
> }
> return dwReturn;
> }
> 

> You can then call directly :
> 

> DWORD GenerateNewKey(DWORD dwIndex)
> {
> DWORD dwReturn, dwKeySpec;
> PIN_ID PinId;
> __try
> {
> if (!pCardData)
> {
> dwReturn = SCARD_E_COMM_DATA_LOST;
> __leave;
> }
> switch(dwIndex)
> {
> case 0: //Signature,
> dwKeySpec = AT_SIGNATURE;
> PinId = ROLE_USER;
> break;
> case 2: //Authentication,
> dwKeySpec = AT_SIGNATURE;
> PinId = 3;
> break;
> case 1: // Confidentiality,
> dwKeySpec = AT_KEYEXCHANGE;
> PinId = 4;
> break;
> default:
> dwReturn = SCARD_E_UNEXPECTED;
> __leave;
> }
> dwReturn = pCardData->pfnCardCreateContainerEx(pCardData, (BYTE) dwIndex,
> CARD_CREATE_CONTAINER_KEY_GEN,
> dwKeySpec, 1024, NULL, PinId);
> }
> __finally
> {
> }
> return dwReturn;
> }
> 

> br
> Vincent
> 

> 

> Le ven. 25 avr. 2025 à 22:53, Frank Morgner <fra...@gm...> a écrit :
> 

> > The middleware is available on the bottom of this page
> > https://www.gov.me/clanak/preuzmite-software-i-uputstva
> > 

> > But I think you already know that. You analyzed that in 2024 already, didn't you?
> > 

> > Regards.
> > 

> > Am 22.04.25 um 14:44 schrieb dzeri96 via Opensc-devel:
> > 

> > > Hello everyone,
> > > 

> > > I'm trying to kickstart support for the new Montenegrin eID, or at least figure out how it works. I've sent multiple requests for technical specs to the government, but unless I take them to court, I doubt I'll get any useful information. Therefore I'll just write down what I manage to figure out on my own, and hopefully you can provide further insight. One thing about a country as small as Montenegro, is that there is a very high probability we didn't implement anything custom, as it's not financially viable.
> > > 

> > > Here's what I have so far:
> > > 

> > > -   ATR: 3b:dc:96:ff:81:91:fe:1f:c3:80:73:c8:21:13:66:05:03:63:51:00:02:de. It doesn't seem to comply with the ATR scheme in the IAS ECC specification, even though the government says the card complies with all EU ID regulations (unclear which ones).
> > > -   EF.ATR raw data: 80004301B946040400ECC24703940180 4F0BF0496173456363526F6F74E01002 020104020200E6020200E6020200E678 0806062B8122F8780282029000
> > > -   EF.DIR raw data: 61374F0EE828BD080FD25047656E6572 6963500743686970446F63731C300404 025031A004040250324F0EE828BD080FD2504543432D654944610F4F07A00000 0247100150044943414F61184F0A4D4F 4E54454E4547524F500A4E6174696F6E 616C4944
> > >     

> > > -   By deciphering the EF.DIR data, we can discover 4 applications:
> > > 

> > > -   E828BD080FD25047656E65726963 - ECC Generic PKI / ChipDocs Applet
> > > -   E828BD080FD2504543432D654944 - ECC eID
> > > -   A0000002471001 - ICAO
> > > -   4D4F4E54454E4547524F - Spells out MONTENEGRO in ASCII, label is "NationalID". No idea what this could be... maybe something related to healthcare?
> > > 

> > > -   I managed to use npa-tool and read the MRZ stored on the card using CAN-based PACE, but all other functions of the tool don't work, not even PIN-based PACE. I'm just using it as an APDU debugger with PACE support.
> > > -   The official middleware supplied by the government is Athena IDProtect.
> > > -   The activation software is available here. It's a java program developed by Mühlbauer. I decompiled it and saw that it's accessing the ECC eID application. I managed to extract some APDUs and get the activation status of the card (PIN change is required on first use).
> > > -   iasecc-tool and pkcs15-tool say "Card is invalid or cannot be handled" regardless of what I try.
> > > 

> > > I've skimmed over hundreds of pages of standards, including the ISO-7816 parts, the NXP ChipDoc v4 spec, the BSI TR-03110, the IAS ECC spec, but I can barely find any concrete info on these applications. Someone must know how to access them because there are vendor-provided tools to do so.
> > > 

> > > My goals are:
> > > 

> > > 1.  Get general knowledge about the card and build some PoC APDU chains to read/set data.
> > > 2.  Get the birthdate of the person via PIN-based auth and verify the authenticity of the data.
> > > 3.  Get the openSC suite of tools to work with the card.
> > > 4.  Replace the closed-source middleware provided by the government.
> > > 

> > > 

> > > I would really appreciate any help here. Thanks!
> > > 

> > > 

> > > 

> > > 

> > > _______________________________________________
> > > Opensc-devel mailing list
> > > Ope...@li...
> > > https://lists.sourceforge.net/lists/listinfo/opensc-devel
> > 

> > _______________________________________________
> > Opensc-devel mailing list
> > Ope...@li...
> > https://lists.sourceforge.net/lists/listinfo/opensc-devel

Re: [Opensc-devel] Support for the Montenegrin eID

[Vincent Le T. <vin...@my...>]

Inside the middleware, there is a minidriver named ciamd.dll

What I would suggest is to write a program like the one I wrote here (
https://github.com/vletoux/openpgpmdrv/tree/master/OpenPGPminidriverTest)
that connects to the minidriver and realize basic functions (enumerating
public keys, certificates, encrypts, change pin, etc).
You can add a hook to dump the instructions sent to the card.

You can use the following code to hook the SCardTransmit function:


void PrintHexToDebug(const BYTE* buffer, DWORD length) {
// Allocate memory dynamically
TCHAR* hexStr = (TCHAR*)malloc((3 * length + 1) * sizeof(TCHAR));
if (hexStr == NULL) {
OutputDebugString(TEXT("Memory allocation failed\n"));
return;
}

for (DWORD i = 0; i < length; i++) {
_stprintf_s(&hexStr[i * 3], 4, TEXT("%02X "), buffer[i]);
}
hexStr[3 * length] = '\0';
OutputDebugString(hexStr);

// Free the allocated memory
free(hexStr);
}

LONG WINAPI MySCardTransmit(
SCARDHANDLE hCard,
LPCSCARD_IO_REQUEST pioSendPci,
LPCBYTE pbSendBuffer,
DWORD cbSendLength,
LPSCARD_IO_REQUEST pioRecvPci,
LPBYTE pbRecvBuffer,
LPDWORD pcbRecvLength
) {
// Trace the input buffer
OutputDebugString(TEXT("pbSendBuffer: "));
PrintHexToDebug(pbSendBuffer, cbSendLength);
OutputDebugString(TEXT("\n"));
// Call the original SCardTransmit
LONG result = SCardTransmit(hCard, pioSendPci, pbSendBuffer, cbSendLength,
pioRecvPci, pbRecvBuffer, pcbRecvLength);

// Write the return code as hex
TCHAR returnCodeStr[30];
_stprintf_s(returnCodeStr, ARRAYSIZE(returnCodeStr), TEXT("Return code:
%08X\n"), result);
OutputDebugString(returnCodeStr);

// If the return code is successful, dump the output buffer
if (result == SCARD_S_SUCCESS && pcbRecvLength && pbRecvBuffer) {
(TEXT("pbRecvBuffer: "));
PrintHexToDebug(pbRecvBuffer, *pcbRecvLength);
OutputDebugString(TEXT("\n"));
}

return result;
}

VOID EnableHook(HMODULE hModule)
{
HMODULE hScard = LoadLibrary(TEXT("Winscard.dll"));
PROC pfnScardTransmit = GetProcAddress(hScard, "SCardTransmit");
PIMAGE_DOS_HEADER pDosHeader = (PIMAGE_DOS_HEADER)hModule;
PIMAGE_NT_HEADERS pNtHeaders = (PIMAGE_NT_HEADERS)((BYTE*)hModule +
pDosHeader->e_lfanew);
PIMAGE_IMPORT_DESCRIPTOR pImportDesc =
(PIMAGE_IMPORT_DESCRIPTOR)((BYTE*)hModule +
pNtHeaders->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress);

while (pImportDesc->Name) {
LPCSTR pszModName = (LPCSTR)((BYTE*)hModule + pImportDesc->Name);
if (_stricmp(pszModName, "Winscard.dll") == 0) {
PIMAGE_THUNK_DATA pThunk = (PIMAGE_THUNK_DATA)((BYTE*)hModule +
pImportDesc->FirstThunk);
while (pThunk->u1.Function) {
PROC* ppfn = (PROC*)&pThunk->u1.Function;
if (*ppfn == (PROC)pfnScardTransmit) {
DWORD oldProtect;
VirtualProtect(ppfn, sizeof(PROC), PAGE_EXECUTE_READWRITE, &oldProtect);
*ppfn = (PROC)MySCardTransmit;
VirtualProtect(ppfn, sizeof(PROC), oldProtect, &oldProtect);
}
pThunk++;
}
break;
}
pImportDesc++;
}
}


And to initialize the minidriver:


DWORD Connect(BOOL fSystemDll = TRUE)
{
DWORD dwReturn = 0;
SCARDCONTEXT     hSCardContext = NULL;
SCARDHANDLE hSCardHandle = NULL;
TCHAR szCardModule[256];
TCHAR szReader[256];
DWORD dwCardModuleSize = ARRAYSIZE(szCardModule);
DWORD dwReaderSize = ARRAYSIZE(szReader);
OPENCARDNAME_EX  dlgStruct;
PFN_CARD_ACQUIRE_CONTEXT pfnCardAcquireContext;

__try
{
// find a smart card
/////////////////////

dwReturn = SCardEstablishContext(SCARD_SCOPE_USER,
NULL,
NULL,
&hSCardContext);
if (SCARD_S_SUCCESS != dwReturn)
{
__leave;
}

// Initialize the structure.
memset(&dlgStruct, 0, sizeof(dlgStruct));
dlgStruct.dwStructSize = sizeof(dlgStruct);
dlgStruct.hSCardContext = hSCardContext;
dlgStruct.dwFlags = SC_DLG_MINIMAL_UI;
dlgStruct.lpstrRdr = szReader;
dlgStruct.nMaxRdr = dwReaderSize;
dlgStruct.lpstrCard = szCard;
dlgStruct.nMaxCard = ARRAYSIZE(szCard);
dlgStruct.lpstrTitle = L"Select Card";
dlgStruct.dwShareMode = 0;
// Display the select card dialog box.
dwReturn = SCardUIDlgSelectCard(&dlgStruct);
if (SCARD_S_SUCCESS != dwReturn)
{
__leave;
}

// find the dll path / name
////////////////////////////
if (fSystemDll)
{


dwReturn = SCardGetCardTypeProviderName(
hSCardContext,
szCard,
SCARD_PROVIDER_CARD_MODULE,
(PTSTR)&szCardModule,
&dwCardModuleSize);
if (0 == dwCardModuleSize)
{
dwReturn = (DWORD)SCARD_E_UNKNOWN_CARD;
__leave;
}
}
else
{
#ifdef _M_X64
_tcscpy_s(szCardModule, dwCardModuleSize, TEXT("Name of the dll.dll"));
#else
_tcscpy_s(szCardModule, dwCardModuleSize, TEXT("Name of the dll.dll"));
#endif
}
// connect to the smart card
////////////////////////////
DWORD dwProtocol, dwState;
dwReturn = SCardConnect(hSCardContext, szReader, SCARD_SHARE_SHARED,
SCARD_PROTOCOL_T1 | SCARD_PROTOCOL_T0, &hSCardHandle, &dwProtocol);
if (SCARD_S_SUCCESS != dwReturn)
{
__leave;
}
atr.cbAtr = 32;
dwReturn = SCardStatus(hSCardHandle, szReader, &dwReaderSize, &dwState,
&dwProtocol, atr.rgbAtr, &atr.cbAtr);
if (SCARD_S_SUCCESS != dwReturn)
{
__leave;
}
// load
////////
if (NULL == (hModule = LoadLibrary(szCardModule)))
{
dwReturn = GetLastError();
__leave;
}
if (fSystemDll)
{
EnableHook(hModule);
}
if (NULL == (pfnCardAcquireContext =
(PFN_CARD_ACQUIRE_CONTEXT)GetProcAddress(
hModule, "CardAcquireContext")))
{
dwReturn = GetLastError();
__leave;
}
// initialize context
//////////////////////
pCardData = &CardData;
pCardData->dwVersion = CARD_DATA_CURRENT_VERSION;
pCardData->pfnCspAlloc = _Alloc;
pCardData->pfnCspFree = _Free;
pCardData->pfnCspReAlloc = _ReAlloc;
pCardData->pfnCspCacheAddFile = _CacheAddFileStub;
pCardData->pfnCspCacheLookupFile = _CacheLookupFileStub;
pCardData->pfnCspCacheDeleteFile = _CacheDeleteFileStub;
pCardData->hScard = hSCardHandle;
pCardData->hSCardCtx = hSCardContext;
pCardData->cbAtr = atr.cbAtr;
pCardData->pbAtr = atr.rgbAtr;
pCardData->pwszCardName = szCard;
//dwReturn = SCardBeginTransaction(hSCardHandle);
if (SCARD_S_SUCCESS != dwReturn)
{
__leave;
}
dwReturn = pfnCardAcquireContext(pCardData, 0);
}
__finally
{
if (dwReturn != 0)
{
if (hSCardHandle)
{
SCardEndTransaction(hSCardHandle, SCARD_LEAVE_CARD);
SCardDisconnect(hSCardHandle, 0);
}
if (hSCardContext)
SCardReleaseContext(hSCardContext);
}
}
return dwReturn;
}

DWORD Disconnect()
{
DWORD dwReturn = 0;
if (pCardData)
{
if (pCardData->hScard)
{
SCardEndTransaction(pCardData->hScard, SCARD_LEAVE_CARD);
SCardDisconnect(pCardData->hScard, 0);
}
if (pCardData->hSCardCtx)
SCardReleaseContext(pCardData->hSCardCtx);
pCardData = NULL;
}
else
{
dwReturn = SCARD_E_COMM_DATA_LOST;
}
return dwReturn;
}

You can then call directly :

DWORD GenerateNewKey(DWORD dwIndex)
{
DWORD dwReturn, dwKeySpec;
PIN_ID  PinId;
__try
{
if (!pCardData)
{
dwReturn = SCARD_E_COMM_DATA_LOST;
__leave;
}
switch(dwIndex)
{
case 0: //Signature,
dwKeySpec = AT_SIGNATURE;
PinId = ROLE_USER;
break;
case 2: //Authentication,
dwKeySpec = AT_SIGNATURE;
PinId = 3;
break;
case 1: // Confidentiality,
dwKeySpec = AT_KEYEXCHANGE;
PinId = 4;
break;
default:
dwReturn = SCARD_E_UNEXPECTED;
__leave;
}
dwReturn = pCardData->pfnCardCreateContainerEx(pCardData, (BYTE) dwIndex,
CARD_CREATE_CONTAINER_KEY_GEN,
dwKeySpec, 1024, NULL, PinId);
}
__finally
{
}
return dwReturn;
}

br
Vincent


Le ven. 25 avr. 2025 à 22:53, Frank Morgner <fra...@gm...> a
écrit :

> The middleware is available on the bottom of this page
> https://www.gov.me/clanak/preuzmite-software-i-uputstva
>
> But I think you already know that. You analyzed that in 2024 already,
> didn't you?
>
> Regards.
> Am 22.04.25 um 14:44 schrieb dzeri96 via Opensc-devel:
>
> Hello everyone,
>
> I'm trying to kickstart support for the new Montenegrin eID
> <https://www.gov.me/mup/elk>, or at least figure out how it works. I've
> sent multiple requests for technical specs to the government, but unless I
> take them to court, I doubt I'll get any useful information. Therefore I'll
> just write down what I manage to figure out on my own, and hopefully you
> can provide further insight. One thing about a country as small as
> Montenegro, is that there is a very high probability we didn't implement
> anything custom, as it's not financially viable.
>
> Here's what I have so far:
>
>    - *ATR*:
>    3b:dc:96:ff:81:91:fe:1f:c3:80:73:c8:21:13:66:05:03:63:51:00:02:de. It
>    doesn't seem to comply with the ATR scheme in the IAS ECC specification,
>    even though the government says the card complies with all EU ID
>    regulations (unclear which ones).
>    - *EF.ATR raw data*: 80004301B946040400ECC24703940180
>    4F0BF0496173456363526F6F74E01002 020104020200E6020200E6020200E678
>    0806062B8122F8780282029000
>    - *EF.DIR raw data*: 61374F0EE828BD080FD25047656E6572
>    6963500743686970446F63731C300404 025031A004040250324F0EE828BD080F
>    D2504543432D654944610F4F07A00000 0247100150044943414F61184F0A4D4F
>    4E54454E4547524F500A4E6174696F6E 616C4944
>    - By deciphering the EF.DIR data, we can discover 4 applications:
>       - E828BD080FD25047656E65726963 - ECC Generic PKI / ChipDocs Applet
>       - E828BD080FD2504543432D654944 - ECC eID
>       - A0000002471001 - ICAO
>       - 4D4F4E54454E4547524F - Spells out MONTENEGRO in ASCII, label is
>       "NationalID". No idea what this could be... maybe something related to
>       healthcare?
>    - I managed to use npa-tool and read the MRZ stored on the card using
>    CAN-based PACE, but all other functions of the tool don't work, not even
>    PIN-based PACE. I'm just using it as an APDU debugger with PACE support.
>    - The official middleware supplied by the government is Athena
>    IDProtect.
>    - The activation software is available here
>    <https://wapi.gov.me/download/e63b50c5-9ccc-4034-961f-5bb401a9b375?version=1.0>.
>    It's a java program developed by Mühlbauer <https://www.muehlbauer.de/>.
>    I decompiled it and saw that it's accessing the ECC eID application. I
>    managed to extract some APDUs and get the activation status of the card
>    (PIN change is required on first use).
>    - iasecc-tool and pkcs15-tool say "Card is invalid or cannot be
>    handled" regardless of what I try.
>
> I've skimmed over hundreds of pages of standards, including the ISO-7816
> parts, the NXP ChipDoc v4 spec, the BSI TR-03110, the IAS ECC spec, but I
> can barely find any concrete info on these applications. Someone must know
> how to access them because there are vendor-provided tools to do so.
>
> My goals are:
>
>    1. Get general knowledge about the card and build some PoC APDU chains
>    to read/set data.
>    2. Get the birthdate of the person via PIN-based auth and verify the
>    authenticity of the data.
>    3. Get the openSC suite of tools to work with the card.
>    4. Replace the closed-source middleware provided by the government.
>
>
> I would really appreciate any help here. Thanks!
>
>
> _______________________________________________
> Opensc-devel mailing lis...@li...https://lists.sourceforge.net/lists/listinfo/opensc-devel
>
> _______________________________________________
> Opensc-devel mailing list
> Ope...@li...
> https://lists.sourceforge.net/lists/listinfo/opensc-devel
>

Re: [Opensc-devel] Support for the Montenegrin eID

[Frank M. <fra...@gm...>]

The middleware is available on the bottom of this page
https://www.gov.me/clanak/preuzmite-software-i-uputstva

But I think you already know that. You analyzed that in 2024 already, 
didn't you?

Regards.

Am 22.04.25 um 14:44 schrieb dzeri96 via Opensc-devel:
> Hello everyone,
>
> I'm trying to kickstart support for the new Montenegrin eID 
> <https://www.gov.me/mup/elk>, or at least figure out how it works. 
> I've sent multiple requests for technical specs to the government, but 
> unless I take them to court, I doubt I'll get any useful information. 
> Therefore I'll just write down what I manage to figure out on my own, 
> and hopefully you can provide further insight. One thing about a 
> country as small as Montenegro, is that there is a very high 
> probability we didn't implement anything custom, as it's not 
> financially viable.
>
> Here's what I have so far:
>
>   * *ATR*:
>     3b:dc:96:ff:81:91:fe:1f:c3:80:73:c8:21:13:66:05:03:63:51:00:02:de.
>     It doesn't seem to comply with the ATR scheme in the IAS ECC
>     specification, even though the government says the card complies
>     with all EU ID regulations (unclear which ones).
>   * *EF.ATR raw data*: 80004301B946040400ECC24703940180
>     4F0BF0496173456363526F6F74E01002 020104020200E6020200E6020200E678
>     0806062B8122F8780282029000
>   * *EF.DIR raw data*: 61374F0EE828BD080FD25047656E6572
>     6963500743686970446F63731C300404 025031A004040250324F0EE828BD080F
>     D2504543432D654944610F4F07A00000 0247100150044943414F61184F0A4D4F
>     4E54454E4547524F500A4E6174696F6E 616C4944
>   * By deciphering the EF.DIR data, we can discover 4 applications:
>       o E828BD080FD25047656E65726963 - ECC Generic PKI / ChipDocs Applet
>       o E828BD080FD2504543432D654944 - ECC eID
>       o A0000002471001 - ICAO
>       o 4D4F4E54454E4547524F - Spells out MONTENEGRO in ASCII, label
>         is "NationalID". No idea what this could be... maybe something
>         related to healthcare?
>   * I managed to use npa-tool and read the MRZ stored on the card
>     using CAN-based PACE, but all other functions of the tool don't
>     work, not even PIN-based PACE. I'm just using it as an APDU
>     debugger with PACE support.
>   * The official middleware supplied by the government is Athena
>     IDProtect.
>   * The activation software is available here
>     <https://wapi.gov.me/download/e63b50c5-9ccc-4034-961f-5bb401a9b375?version=1.0>.
>     It's a java program developed by Mühlbauer
>     <https://www.muehlbauer.de/>. I decompiled it and saw that it's
>     accessing the ECC eID application. I managed to extract some APDUs
>     and get the activation status of the card (PIN change is required
>     on first use).
>   * iasecc-tool and pkcs15-tool say "Card is invalid or cannot be
>     handled" regardless of what I try.
>
> I've skimmed over hundreds of pages of standards, including the 
> ISO-7816 parts, the NXP ChipDoc v4 spec, the BSI TR-03110, the IAS ECC 
> spec, but I can barely find any concrete info on these applications. 
> Someone must know how to access them because there are vendor-provided 
> tools to do so.
>
> My goals are:
>
>  1. Get general knowledge about the card and build some PoC APDU
>     chains to read/set data.
>  2. Get the birthdate of the person via PIN-based auth and verify the
>     authenticity of the data.
>  3. Get the openSC suite of tools to work with the card.
>  4. Replace the closed-source middleware provided by the government.
>
>
> I would really appreciate any help here. Thanks!
>
>
> _______________________________________________
> Opensc-devel mailing list
> Ope...@li...
> https://lists.sourceforge.net/lists/listinfo/opensc-devel

Re: [Opensc-devel] Support for the Montenegrin eID

[Frank M. <fra...@gm...>]

Sorry, I don't have any insights about the card to share, but it seems 
you already managed to gather quite some infrmation. I think the jar 
will not help you much in integrating the card into OpenSC (or some 
similar).

I assume there must be some middleware that allows using the 
cryptographic keys of the card, i.e. some PKCS#11 module or a 
macOS/Windows card driver. If you find one (Athena IDProtect?), you can 
intercept the middleware commands together with the APDUs to the card. 
If you have that, you can start re-implementing that in an open source 
fashon.

Best Regards,
Frank

Am 22.04.25 um 14:44 schrieb dzeri96 via Opensc-devel:
> Hello everyone,
>
> I'm trying to kickstart support for the new Montenegrin eID 
> <https://www.gov.me/mup/elk>, or at least figure out how it works. 
> I've sent multiple requests for technical specs to the government, but 
> unless I take them to court, I doubt I'll get any useful information. 
> Therefore I'll just write down what I manage to figure out on my own, 
> and hopefully you can provide further insight. One thing about a 
> country as small as Montenegro, is that there is a very high 
> probability we didn't implement anything custom, as it's not 
> financially viable.
>
> Here's what I have so far:
>
>   * *ATR*:
>     3b:dc:96:ff:81:91:fe:1f:c3:80:73:c8:21:13:66:05:03:63:51:00:02:de.
>     It doesn't seem to comply with the ATR scheme in the IAS ECC
>     specification, even though the government says the card complies
>     with all EU ID regulations (unclear which ones).
>   * *EF.ATR raw data*: 80004301B946040400ECC24703940180
>     4F0BF0496173456363526F6F74E01002 020104020200E6020200E6020200E678
>     0806062B8122F8780282029000
>   * *EF.DIR raw data*: 61374F0EE828BD080FD25047656E6572
>     6963500743686970446F63731C300404 025031A004040250324F0EE828BD080F
>     D2504543432D654944610F4F07A00000 0247100150044943414F61184F0A4D4F
>     4E54454E4547524F500A4E6174696F6E 616C4944
>   * By deciphering the EF.DIR data, we can discover 4 applications:
>       o E828BD080FD25047656E65726963 - ECC Generic PKI / ChipDocs Applet
>       o E828BD080FD2504543432D654944 - ECC eID
>       o A0000002471001 - ICAO
>       o 4D4F4E54454E4547524F - Spells out MONTENEGRO in ASCII, label
>         is "NationalID". No idea what this could be... maybe something
>         related to healthcare?
>   * I managed to use npa-tool and read the MRZ stored on the card
>     using CAN-based PACE, but all other functions of the tool don't
>     work, not even PIN-based PACE. I'm just using it as an APDU
>     debugger with PACE support.
>   * The official middleware supplied by the government is Athena
>     IDProtect.
>   * The activation software is available here
>     <https://wapi.gov.me/download/e63b50c5-9ccc-4034-961f-5bb401a9b375?version=1.0>.
>     It's a java program developed by Mühlbauer
>     <https://www.muehlbauer.de/>. I decompiled it and saw that it's
>     accessing the ECC eID application. I managed to extract some APDUs
>     and get the activation status of the card (PIN change is required
>     on first use).
>   * iasecc-tool and pkcs15-tool say "Card is invalid or cannot be
>     handled" regardless of what I try.
>
> I've skimmed over hundreds of pages of standards, including the 
> ISO-7816 parts, the NXP ChipDoc v4 spec, the BSI TR-03110, the IAS ECC 
> spec, but I can barely find any concrete info on these applications. 
> Someone must know how to access them because there are vendor-provided 
> tools to do so.
>
> My goals are:
>
>  1. Get general knowledge about the card and build some PoC APDU
>     chains to read/set data.
>  2. Get the birthdate of the person via PIN-based auth and verify the
>     authenticity of the data.
>  3. Get the openSC suite of tools to work with the card.
>  4. Replace the closed-source middleware provided by the government.
>
>
> I would really appreciate any help here. Thanks!
>
>
> _______________________________________________
> Opensc-devel mailing list
> Ope...@li...
> https://lists.sourceforge.net/lists/listinfo/opensc-devel

[Opensc-devel] Support for the Montenegrin eID

[dzeri96 <dz...@pr...>]

Hello everyone,

I'm trying to kickstart support for the new Montenegrin eID, or at least figure out how it works. I've sent multiple requests for technical specs to the government, but unless I take them to court, I doubt I'll get any useful information. Therefore I'll just write down what I manage to figure out on my own, and hopefully you can provide further insight. One thing about a country as small as Montenegro, is that there is a very high probability we didn't implement anything custom, as it's not financially viable.

Here's what I have so far:

-   ATR: 3b:dc:96:ff:81:91:fe:1f:c3:80:73:c8:21:13:66:05:03:63:51:00:02:de. It doesn't seem to comply with the ATR scheme in the IAS ECC specification, even though the government says the card complies with all EU ID regulations (unclear which ones).
-   EF.ATR raw data: 80004301B946040400ECC24703940180 4F0BF0496173456363526F6F74E01002 020104020200E6020200E6020200E678 0806062B8122F8780282029000
-   EF.DIR raw data: 61374F0EE828BD080FD25047656E6572 6963500743686970446F63731C300404 025031A004040250324F0EE828BD080FD2504543432D654944610F4F07A00000 0247100150044943414F61184F0A4D4F 4E54454E4547524F500A4E6174696F6E 616C4944
    

-   By deciphering the EF.DIR data, we can discover 4 applications:

-   E828BD080FD25047656E65726963 - ECC Generic PKI / ChipDocs Applet
-   E828BD080FD2504543432D654944 - ECC eID
-   A0000002471001 - ICAO
-   4D4F4E54454E4547524F - Spells out MONTENEGRO in ASCII, label is "NationalID". No idea what this could be... maybe something related to healthcare?

-   I managed to use npa-tool and read the MRZ stored on the card using CAN-based PACE, but all other functions of the tool don't work, not even PIN-based PACE. I'm just using it as an APDU debugger with PACE support.
-   The official middleware supplied by the government is Athena IDProtect.
-   The activation software is available here. It's a java program developed by Mühlbauer. I decompiled it and saw that it's accessing the ECC eID application. I managed to extract some APDUs and get the activation status of the card (PIN change is required on first use).
-   iasecc-tool and pkcs15-tool say "Card is invalid or cannot be handled" regardless of what I try.

I've skimmed over hundreds of pages of standards, including the ISO-7816 parts, the NXP ChipDoc v4 spec, the BSI TR-03110, the IAS ECC spec, but I can barely find any concrete info on these applications. Someone must know how to access them because there are vendor-provided tools to do so.

My goals are:

1.  Get general knowledge about the card and build some PoC APDU chains to read/set data.
2.  Get the birthdate of the person via PIN-based auth and verify the authenticity of the data.
3.  Get the openSC suite of tools to work with the card.
4.  Replace the closed-source middleware provided by the government.


I would really appreciate any help here. Thanks!

[Opensc-devel] OpenSC 0.26.1

[Veronika H. <vha...@re...>]

Hello all,

We are happy to announce the latest release of OpenSC 0.26.1.
You can find the full summary of changes, release tarballs, and binaries
on Github:

https://github.com/OpenSC/OpenSC/releases/tag/0.26.1

>From the outstanding changes, the release includes fixes for the allocation
of aligned memory,
fixes for crashes when spying with the C_GetInterface function and corrected
reading of certificates in TCOS driver.

For the full changelog, please refer to the NEWS file:
https://github.com/OpenSC/OpenSC/blob/master/NEWS

The Windows binaries contain signed installers provided by Signpath.io. The
macOS installer is signed by Tim Wilbrink, as in previous releases. You can
find
SHA-256 hashes of the release artifacts below (calculated with
`openssl sha256 $file`):

OpenSC-0.26.1.dmg
7b66e256cefc7fdf6d9267383ac9e4763e299339aa52c99973f414b8a6a2ee05
OpenSC-0.26.1_win32-Debug.zip
15b52b21da3aa2ac22d6a99687cea8ccfea3a8093ee8fee15d4a689bafea7dca
OpenSC-0.26.1_win32-Light-Debug.zip
5e9d587803018212653c9d26796ad987b3fbf4da74fac8bc1c771c441d949f14
OpenSC-0.26.1_win32-Light.msi
b7e8ef7ff9c49d5a8a917d0c25f1518f19df7620b8e7d8d735e19e579a9d4b4e
OpenSC-0.26.1_win32.msi
fde5dbd86fd21424eb048484d7b151c0a9b2953decab44576ad54ac98366cfc7
OpenSC-0.26.1_win64-Debug.zip
ec21060d336996644927f09bbb51a4d5cc01fd12c8227669270632ef85dea673
OpenSC-0.26.1_win64-Light-Debug.zip
b61dc287caac3996d206e78fcb618378562d5b1ff41c6398e4059b4c8c6f4579
OpenSC-0.26.1_win64-Light.msi
2457246fa563ef112c53e13bc4de5b169ce538d35ff118ab1da5550905c9cf49
OpenSC-0.26.1_win64.msi
bb2a47bd7a87617f38828c17eb7129a40fe27fe6656781882f2924fc2c9cf96e
opensc-0.26.1.tar.gz
f16291a031d86e570394762e9f35eaf2fcbc2337a49910f3feae42d54e1688cb

Best regards,
The OpenSC team

[Opensc-devel] Security Devroom at FOSDEM 2025

[Jakub J. <jj...@re...>]

Hello security enthusiasts!

As some of you already know, we are organizing a Security devroom
again next year and we are looking for speakers! Do you have some
project related to Smart cards you worked on and would like to show
off? Or anything else related to Security? Submit your talk by the 1st
December! It would be great to meet you in person!

More information is available on the following announcement mail:

https://lists.fosdem.org/pipermail/fosdem/2024q4/003556.html

If you would just like to come and say hello, This is where I will be
the first weekend of February!

See you in Brussels!

Regards,
Jakub

[Opensc-devel] OpenSC 0.26.0

[Veronika H. <vha...@re...>]

Hello all,

We are happy to announce the latest release of OpenSC 0.26.0.
You can find the full summary of changes, release tarballs, and binaries
on Github:

https://github.com/OpenSC/OpenSC/releases/tag/0.26.0

>From the outstanding changes, the release includes additional fixes
for removing the time side-channel leakage related to RSA PKCS#1 v1.5
padding
removal after decryption, unified OpenSSL logging, several features for
pkcs11-tool
and fixes for CVEs targeting uninitialized memory problems.

For the full changelog, please refer to the NEWS file:
https://github.com/OpenSC/OpenSC/blob/master/NEWS

It is recommended to use the last version (or your distribution's latest
maintained version)
due to published PoC with Kerberos to side-channel leaking while RSA
PKCS#1 v1.5 padding.
Details can be found here:
https://github.com/OpenSC/OpenSC/security/advisories/GHSA-h6ww-xfc2-jw4h

The Windows binaries contain signed installers provided by Signpath.io. The
macOS installer is signed by Tim Wilbrink, as in previous releases. You can
find
SHA-256 hashes of the release artifacts below (calculated with `openssl sha256
$file`):

OpenSC-0.26.0.dmg
8f474d55c8b172167014a246035f38ce427207bf90de06ae6cc837ac37cc269c
OpenSC-0.26.0_win32-Debug.zip
e26b29c121852ddd1ebd5304cd83ccbfa1ac032a00828a1ce452028d58acb6b9
OpenSC-0.26.0_win32-Light-Debug.zip
ec142bda8471f244d5b55d7f837ab96f7c60b6590f7ad3a4d851a29de16a3862
OpenSC-0.26.0_win32-Light.msi
008c2fe08735dfc15c0d2d1c8b1c13450841c885b120d2d80d12ab12abce8469
OpenSC-0.26.0_win32.msi
31f0056b06d710de1e9762e80069c2a1b3adfcff70ad4878b88c6a605dabd9ab
OpenSC-0.26.0_win64-Debug.zip
106a14eb6003d4fcd4e3ef6b6f2ecffc3381741b77cbb6df8d6067ab350a41b3
OpenSC-0.26.0_win64-Light-Debug.zip
40644ad2b4dbe40aedd3edae8790dab343e52010929983f43a75e8dbf117956f
OpenSC-0.26.0_win64-Light.msi
5a630cbfc353f1802d6b711122eafa6e25a8ac8283fd98db42ab48264569eca6
OpenSC-0.26.0_win64.msi
5ebfc1e0094ed8670c11c94a9e7c0decfa25ad71fded638c8cdd427a5d242639
opensc-0.26.0.tar.gz
837baead45e1505260d868871056150ede6e73d35460a470f2595a9e5e75f82b

Best regards,
The OpenSC team

Re: [Opensc-devel] pam_pkcs11 maintainer / security contact

[Frank M. <fra...@gm...>]

Hi!

I have just now enabled private security reporting on Github:

https://github.com/OpenSC/pam_pkcs11/security

Regards, Frank.

Am 07.11.24 um 14:02 schrieb mat...@su...:
> Hello list,
>
> I am looking for a contact to privately report a security issue in
> the pam_pkcs11 code base. Can you help me out in this regard?
>
> Thanks
>
> Matthias
>
>
>
> _______________________________________________
> Opensc-devel mailing list
> Ope...@li...
> https://lists.sourceforge.net/lists/listinfo/opensc-devel

[Opensc-devel] pam_pkcs11 maintainer / security contact

[<mat...@su...>]

Hello list,

I am looking for a contact to privately report a security issue in
the pam_pkcs11 code base. Can you help me out in this regard?

Thanks

Matthias

-- 
Matthias Gerstner <mat...@su...>
Security Engineer
https://www.suse.com/security
GPG Key ID: 0x14C405C971923553
 
SUSE Software Solutions Germany GmbH
HRB 36809, AG Nürnberg
Geschäftsführer: Ivo Totev, Andrew McDonald, Werner Knoblich

[Opensc-devel] (no subject)

[Jakub J. <jj...@re...>]

Hello all,

You can find a release candidate for OpenSC version 0.26.0 for testing
on Github:
https://github.com/OpenSC/OpenSC/releases/tag/0.26.0-rc1

>From the outstanding changes, the release includes additional fixes
for removing the time side-channel
leakage related to RSA PKCS#1 v1.5 padding removal after decryption,
unified OpenSSL logging,
several features for pkcs11-tool and fixes for CVEs targeting
uninitialized memory problems.

For the full changelog, please refer to the NEWS file:
https://github.com/OpenSC/OpenSC/blob/master/NEWS

We are looking forward to your feedback, which we may discuss via this
mailing list or GitHub:
https://github.com/OpenSC/OpenSC/issues/3223

Advises for systematic testing can be found here:
https://github.com/OpenSC/OpenSC/wiki/Smart-Card-Release-Testing

We would like to release the final version in a few weeks.
After that, it is recommended to use the last version (or your
distribution's latest maintained version)
due to published PoC with Kerberos to side-channel leaking while RSA
PKCS#1 v1.5 padding.
Details can be found here:
https://github.com/OpenSC/OpenSC/security/advisories/GHSA-h6ww-xfc2-jw4h
The Windows binaries contain signed installers provided by Signpath.io. The
macOS
installer is signed by Tim Wilbrink, as in previous releases. You can find
SHA-256 hashes of the release artifacts below (calculated with `openssl
sha256 $file`):

OpenSC-0.26.0-rc1.dmg
ae4fde25be52b3e05f8722f22a2392d7881a0680cc625863d9c1c82ecc2200f7
OpenSC-0.26.0-rc1_win32-Light-Debug.zip
ea1df15005bcac89ddee5b0bec37cc0d5dc2261bb11b6d9254316a5dd381c33b
OpenSC-0.26.0-rc1_win32-Light.msi
bd6b5ab0f25a235af96929d85073433e2a7963d2f6083fcdae2ba09ea22677f2
OpenSC-0.26.0-rc1_win32.msi
9fd4d51925ee0d01f329844c8b91aad9743dffb7493e5421d2c5acf612ff8350
OpenSC-0.26.0-rc1_win64-Debug.zip
8864278af69f84bb167af2d10c0a7825612f7f14321d4850378695e2a708386b
OpenSC-0.26.0-rc1_win64-Light-Debug.zip
c00d9e0d5f6e802883f54a8c6ad823306da473d822f1782505d66c02a211fc9c
OpenSC-0.26.0-rc1_win64-Light.msi
aa5e4bb4b98423ed23f6753af885d73fdf94ea3dbe9d0cb0b6cba843c364ac0a
OpenSC-0.26.0-rc1_win64.msi
fb150006e916bd1260abb6ccaf83d296b3ee800e8170aeee59d8f43612b01059
opensc-0.26.0-rc1.tar.gz
f11a69a9cb07e7dc34b59cfbd7176136c05cbb4628059f21189c9f194bea54ca

Best regards,
The OpenSC team

Re: [Opensc-devel] 5 new PRs and more to come?

[Jakub J. <jj...@re...>]

Hello,
thank you for your contributions so far! I looked through the current
PR and they look good. I will keep them around for some days if others
will have some other comments.

On Tue, Jun 11, 2024 at 3:54 PM Alexandre Gonzalo via Opensc-devel
<ope...@li...> wrote:
> [...]
> Ed25519, x25519, ed448 and x448

There is a large PR reworking the edwards and montgomery curves here:

https://github.com/OpenSC/OpenSC/pull/3090

It touches the pkcs11-tool too, but is not yet in the state to get
merged so if you will have some small self-contained changes, they
would be welcomed.

> CKM_AES_CMAC & CKM_AES_CMAC_GENERAL

I think CKM_AES_CMAC should already work in pkcs11-tool, but
double-checking or fixing would be welcomed.

> CKM_AES_GCM
> CKM_AES_KEY_WRAP_PAD

>From my side, I do not have any specific use for these, but there is
some basic support for wrapping and symmetric encryption. We had
previous attempts to contribute the GCM support, but the reporter
never came back (but some comments or code might be useful):

https://github.com/OpenSC/OpenSC/pull/2927

In any case, it would be good to have some test coverage for the new
options and use cases to make sure they keep working.

We are running some tests against few HW tokens we have in
https://gitlab.com/redhat-crypto/OpenSC from the gitlab mirror.
If there would be a way to run some tests against your HSM directly in
CI, that would be awesome (feel free to contact me privately for
details).

If not, in tests/ we have couple of scripts running against softhms
that could be extended. If something is not supported by SoftHSM, it
might make sense to have a look into NSS softoken (I can probably help
there).

Jakub

[Opensc-devel] 5 new PRs and more to come?

[Alexandre G. <ale...@tr...>]

Hi OpenSC developers,

Today, I created 5 new pull requests:
feat(pkcs11-tool): don't limit object size to 5000 bytes<https://github.com/OpenSC/OpenSC/pull/3174>
feat(pkcs11-tool): add support for RSA OAEP encryption<https://github.com/OpenSC/OpenSC/pull/3175>
feat(pkcs11-tool): set CKA_PRIVATE=CK_TRUE if the --private option is…<https://github.com/OpenSC/OpenSC/pull/3177>
feat(pkcs11-tool): an invalid signature is a fatal error<https://github.com/OpenSC/OpenSC/pull/3178>
feat(pkcs11-tool): remove useless calls to token in show_dobj()<https://github.com/OpenSC/OpenSC/pull/3179>

We are intensively using the pkcs11-tool and the OpenSC/libp11 engine for the validation of our Trustonic HSM.
It would be great if you could review my changes and provide your feedback.

I have other changes but I need to rebase them to the head of master since we are using an old version of the pkcs11-tool (0.23.0-rc1).
Moreover, at the moment,  I can only test with OpenSSL 1.1.1l.
We plan to move to OpenSSL 3 but that won't probably happen before the end of the year.

I would like to know if you want us to create new PRs for:

  *
Ed25519, x25519, ed448 and x448
  *
CKM_AES_CMAC & CKM_AES_CMAC_GENERAL
  *
CKM_AES_GCM
  *
CKM_AES_KEY_WRAP_PAD

Best Regards,
Alexandre.







Trustonic SAS - 535 route de Lucioles, Les Aqueducs Batiment 2, Sophia Antipolis 06560 Valbonne, France – SAS au capital de 3 038 000€ - RCS Grasse – SIRET 480 011 998 00055 - TVA intracommunautaire : FR02 480 011 998

[Opensc-devel] OpenSC 0.25.1

[Veronika H. <vha...@re...>]

Hello all,

We are happy to announce the latest release of OpenSC 0.25.1.
You can find the full summary of changes, release tarballs, and binaries
on Github:

https://github.com/OpenSC/OpenSC/releases/tag/0.25.1

The changes include two fixes for minidriver - corrected RSA decryption
with PKCS#1 v1.5 padding and fix for crash when app is not set.
It also resolves the issue of not compiling documentation from a release
tarball.

For the full changelog, please refer to the NEWS file:
https://github.com/OpenSC/OpenSC/blob/master/NEWS

The Windows binaries contain signed installers provided by Signpath.io. The
macOS installer is signed by Tim Wilbrink, as in previous releases. You can
find
SHA-256 hashes of the release artifacts below (calculated with `openssl
sha256 $file`):

OpenSC-0.25.1.dmg
9679d70db011a68e99360fcd4c5538b0481bd036fb058fc309b999837e63e063
OpenSC-0.25.1_win32-Debug.zip
c05c8125ac0d0dab2d4f5bf890986cd11c466baa23d6e1cbd0853a9bebef24f2
OpenSC-0.25.1_win32-Light-Debug.zip
0116ffb539d93c6ce747981ee7c8468cd488d6c71d1ffcd2201c6583ecf2d066
OpenSC-0.25.1_win32-Light.msi
47356e59c4dd143b5fedddaa5e5f55e51ca32490a56063112298cb3c13d74f0a
OpenSC-0.25.1_win32.msi
77049d86c0abc15eaf34e8c0819b9ad0d1eb63868e76a2ea4be7b08253dc89aa
OpenSC-0.25.1_win64-Debug.zip
64bc7fb7310929e07c6e5aa1b03b71266e047029bb019c3169ef3808183aaa3f
OpenSC-0.25.1_win64-Light-Debug.zip
4e0ce676f986b3ddebee8b954112c70c16635e2254e3a5d1aa2d65c712876093
OpenSC-0.25.1_win64-Light.msi
3fd9cabdf54ad1d757e49d5b33cc5834a2186d8e67b0f4dcbd5882e02d6a3eb0
OpenSC-0.25.1_win64.msi
7a619cb3ec7286af6800ecea8aacd5df7b3f3d5eae0ffb6b3998b723095eaa5e
opensc-0.25.1.tar.gz
23cbaae8bd7c8eb589b68c0a961dfb0d02007bea3165a3fc5efe2621d549b37b

Regards,
Veronika Hanulíková
and the OpenSC team