From: Jakub J. <jj...@re...> - 2026-04-18 11:06:15
|
FYI, we just updated the macos installer on the github release page with the correct artifact. The sha256 checksum of the new file follows:

61c2c7b9329a65e43a34151016530d54859561d8fbbe7a723911119abf0ccd7f OpenSC-0.27.1.dmg

The previous installer was not built from tag, but from master branch so using the old one should not make any functional difference, but it was missing some signatures that caused installation warnings.

Sorry for the confusion,
Jakub

On Tue, Mar 31, 2026 at 3:04 PM Jakub Jelen <jj...@re...> wrote:
> Hello all,
> We are happy to announce the new release of OpenSC, the Open source smart
> card tools and middleware.
>
> You can find the release of OpenSC version 0.27.1 on Github:
>
> https://github.com/OpenSC/OpenSC/releases/tag/0.27.1
>
> The changes include the new PKCS#11 3.2 support in the tools and infrastructure,
> streamlined support for Edwards and Montgomery curves and OS-level FIPS mode
> detection. The MacOS installers are now notarized and signed with a new key thanks
> to Raul Metsma. We also fixed several potentially security relevant issues so please
> update your installations.
>
> Note, that since the last release, we now use the Windows installers built
> by GitHub Actions instead of AppVeyor. Please, give them a try!
>
> For the full changelog, please refer to NEWS file:
> https://github.com/OpenSC/OpenSC/blob/master/NEWS
>
> The sha256sum of artifacts provided through the Github can be found below:
>
> Regards,
> Jakub Jelen
> and the OpenSC team
|
From: Douglas E. E. <dee...@gm...> - 2026-04-16 20:24:33
|
Since last note, I looked at https://github.com/mvogt1/OpenSC and added an issue.
https://github.com/mvogt1/OpenSC/issues/2

I also did the revert of the two commits that removed the driver and pkcs15 changes to see if it could be done
https://github.com/dengert/OpenSC/tree/revert-a-driver

I do not intend to submit this as a PR.

On 4/16/2026 10:06 AM, Doug Engert wrote:
> Start with your employer, ask them where they got the cards and what software is available for MacOS and/or Linux drivers?
>
> How old is this card?
>
> What is the "The binary only pkcs11 driver" and ported from where to where?
> "The binary only pkcs11 driver" may need other libs ported too.
>
> if you test with pkcs11-tool add --module /path/to/your binary driver
>
> "The binary only pkcs11 driver" may need other libs ported too.
>
> If this card can not do at least RSA 2048 it is not considered secure.
>
> I assume the card is usable on Windows?
> with card inserted in cmd window type: `certutil -scinfo`
>
> If on linux or MacOS try opensc-tool -a
>
> What is the ATR? If on linux or MacOS try: opensc-tool -a
>
> in a browser go to https://smartcard-atr.apdu.fr/
> this will tell you more about the card.
>
> More info is device manager, and registry.
> Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Calais\SmartCards
>
> See if your ATR is in registry
> Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Calais\PIV Device ATR Cache
> or similar ATR cache
>
> With your OpenSC build, see how to debug: https://github.com/OpenSC/OpenSC/wiki/Using-OpenSC
>
> start your tests with the opensc-tool -a
>
> On 4/16/2026 3:59 AM, Martin Vogt wrote:
>>
>>
>> On Thu, Apr 16, 2026 at 10:30 AM Frank Morgner <fra...@gm...> wrote:
>>
>> We deliberately removed the bluez card driver (jcop is a misnomer),
>> because nobody was using or maintaining either smart card software or
>> java card applet as far as we know. I don't know why you want to bring
>> this back. I assume you would be better off using your JCOP4 with a
>> (open source) java card applet that is supported by OpenSC.
>>
>>
>> It's an already initialized card by my employer, because the porting of the old
>> driver was easily done I asked myself if the --test option is known to work flawlessly.
>>
>> I assume this is not the case, for example:
>>
>> The binary only pkcs11 driver for the card segfaults with --test and reports verify errors too,
>> but overall works, so obviously, for the functioning not all tests need to pass.
>>
>> Currently I'm stuck with the MD5-RSA-PKCS test. Here I need padding :
>>
>> https://www.ibm.com/docs/en/linux-on-systems?topic=cryptography-pkcs-1-hash-formats
>>
>> (case MD5) how can I tell opensc that it should be done by opensc?
>> I assume it's some flags (eg: SC_ALGORITHM_RSA_HASH_MD5) but currently I have no luck.
>>
>> best regards,
>>
>> Martin
>>
>>
>> _______________________________________________
>> Opensc-devel mailing list
>> Ope...@li...
>> https://lists.sourceforge.net/lists/listinfo/opensc-devel
>

-- Douglas E. Engert <DEE...@gm...>
|
From: Doug E. <dee...@gm...> - 2026-04-16 15:06:55
|
Start with your employer, ask them where they got the cards and what software is available for MacOS and/or Linux drivers?

How old is this card?

What is the "The binary only pkcs11 driver" and ported from where to where?
"The binary only pkcs11 driver" may need other libs ported too.

if you test with pkcs11-tool add --module /path/to/your binary driver

"The binary only pkcs11 driver" may need other libs ported too.

If this card can not do at least RSA 2048 it is not considered secure.

I assume the card is usable on Windows?
with card inserted in cmd window type: `certutil -scinfo`

If on linux or MacOS try opensc-tool -a

What is the ATR? If on linux or MacOS try: opensc-tool -a

in a browser go to https://smartcard-atr.apdu.fr/
this will tell you more about the card.

More info is device manager, and registry.
Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Calais\SmartCards

See if your ATR is in registry
Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Calais\PIV Device ATR Cache
or similar ATR cache

With your OpenSC build, see how to debug: https://github.com/OpenSC/OpenSC/wiki/Using-OpenSC

start your tests with the opensc-tool -a

On 4/16/2026 3:59 AM, Martin Vogt wrote:
>
>
> On Thu, Apr 16, 2026 at 10:30 AM Frank Morgner <fra...@gm...> wrote:
>
> We deliberately removed the bluez card driver (jcop is a misnomer),
> because nobody was using or maintaining either smart card software or
> java card applet as far as we know. I don't know why you want to bring
> this back. I assume you would be better off using your JCOP4 with a
> (open source) java card applet that is supported by OpenSC.
>
>
> It's an already initialized card by my employer, because the porting of the old
> driver was easily done I asked myself if the --test option is known to work flawlessly.
>
> I assume this is not the case, for example:
>
> The binary only pkcs11 driver for the card segfaults with --test and reports verify errors too,
> but overall works, so obviously, for the functioning not all tests need to pass.
>
> Currently I'm stuck with the MD5-RSA-PKCS test. Here I need padding :
>
> https://www.ibm.com/docs/en/linux-on-systems?topic=cryptography-pkcs-1-hash-formats
>
> (case MD5) how can I tell opensc that it should be done by opensc?
> I assume it's some flags (eg: SC_ALGORITHM_RSA_HASH_MD5) but currently I have no luck.
>
> best regards,
>
> Martin
>
>
> _______________________________________________
> Opensc-devel mailing list
> Ope...@li...
> https://lists.sourceforge.net/lists/listinfo/opensc-devel

-- Douglas E. Engert <DEE...@gm...>
|
From: Martin V. <mv...@gm...> - 2026-04-16 12:59:54
|
On Thu, Apr 16, 2026 at 2:25 PM AlanCui4080 <me...@al...> wrote:
> I don't really know what's a driver for JCOP 4, JCOP is an implementation of JavaCard
> or OS developed by NXP, You can, and have to install applets to make it "useful".
>

I'm unsure about the correct naming (driver,applet,..) but here is what I know:

- the old implementation in OpenSC had the name card-jcop.c

card-jcop.c implements the APDU Manual for BlueZ PKCS#15, the pdf is available here:

https://public.dhe.ibm.com/software/pervasive/info/BlueZ-PKCS15.pdf

This was implemented in 2003, NXP took this Manual and made proprietary extensions.
So maybe I have a JCOP 4.x card, with a NXP Applet which is mostly compatible to BlueZ?

Now I have this initialized card, which I can read with this old driver, but the tests do not work and I don't have this proprietary NXP APDU Manual.

I think I will give it a bit more time and try to make a few tests work. The porting up to now was rather quick (less than two days), so with a bit of luck I can make a read-only driver.

best regards,

Martin
|
From: Martin V. <mv...@gm...> - 2026-04-16 08:59:54
|
On Thu, Apr 16, 2026 at 10:30 AM Frank Morgner <fra...@gm...> wrote:
> We deliberately removed the bluez card driver (jcop is a misnomer),
> because nobody was using or maintaining either smart card software or
> java card applet as far as we know. I don't know why you want to bring
> this back. I assume you would be better off using your JCOP4 with a
> (open source) java card applet that is supported by OpenSC.
>

It's an already initialized card by my employer, because the porting of the old
driver was easily done I asked myself if the --test option is known to work flawlessly.

I assume this is not the case, for example:

The binary only pkcs11 driver for the card segfaults with --test and reports verify errors too,
but overall works, so obviously, for the functioning not all tests need to pass.

Currently I'm stuck with the MD5-RSA-PKCS test. Here I need padding :

https://www.ibm.com/docs/en/linux-on-systems?topic=cryptography-pkcs-1-hash-formats

(case MD5) how can I tell opensc that it should be done by opensc?
I assume it's some flags (eg: SC_ALGORITHM_RSA_HASH_MD5) but currently I have no luck.

best regards,

Martin
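
The padding asked about in the message above is the PKCS #1 v1.5 signature block: 00 01 FF..FF 00, then the DigestInfo prefix for the hash, then the hash. The code below is an added example, not part of the thread and not OpenSC code; it builds that block and classifies a block recovered with the public key, which separates a missing DigestInfo from a wrong hash when a verify test fails. Assumptions: every function and type name is hypothetical, the DigestInfo prefixes are the ones listed in RFC 8017, and the sample hash (MD5 of the empty string) is constructed.

```c
/* Added example, not OpenSC code: every name below is hypothetical. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum hash_alg { HASH_MD5, HASH_SHA1, HASH_SHA256 };
enum em_status { EM_OK, EM_BAD_PADDING, EM_BARE_HASH, EM_WRONG_DIGESTINFO,
                 EM_HASH_MISMATCH };

/* DER DigestInfo prefixes (RFC 8017, section 9.2, note 1). */
static const uint8_t DI_MD5[] = { 0x30,0x20,0x30,0x0c,0x06,0x08,0x2a,0x86,0x48,
    0x86,0xf7,0x0d,0x02,0x05,0x05,0x00,0x04,0x10 };
static const uint8_t DI_SHA1[] = { 0x30,0x21,0x30,0x09,0x06,0x05,0x2b,0x0e,0x03,
    0x02,0x1a,0x05,0x00,0x04,0x14 };
static const uint8_t DI_SHA256[] = { 0x30,0x31,0x30,0x0d,0x06,0x09,0x60,0x86,
    0x48,0x01,0x65,0x03,0x04,0x02,0x01,0x05,0x00,0x04,0x20 };

struct digest_info { const uint8_t *prefix; size_t prefix_len, hash_len; };
static const struct digest_info TABLE[] = {
    [HASH_MD5]    = { DI_MD5,    sizeof DI_MD5,    16 },
    [HASH_SHA1]   = { DI_SHA1,   sizeof DI_SHA1,   20 },
    [HASH_SHA256] = { DI_SHA256, sizeof DI_SHA256, 32 },
};

/* Build EM = 00 01 FF..FF 00 || DigestInfo prefix || hash for a k-byte
 * modulus. Returns 0 on success, -1 if the arguments do not fit. */
int pkcs1_v15_encode(enum hash_alg alg, const uint8_t *hash, size_t hash_len,
                     uint8_t *em, size_t k)
{
    if ((unsigned)alg > HASH_SHA256 || hash_len != TABLE[alg].hash_len)
        return -1;
    const struct digest_info *di = &TABLE[alg];
    size_t t_len = di->prefix_len + di->hash_len;
    if (k < t_len + 11)               /* needs at least 8 bytes of FF */
        return -1;
    size_t ps_len = k - t_len - 3;
    em[0] = 0x00;
    em[1] = 0x01;
    memset(em + 2, 0xff, ps_len);
    em[2 + ps_len] = 0x00;
    memcpy(em + 3 + ps_len, di->prefix, di->prefix_len);
    memcpy(em + 3 + ps_len + di->prefix_len, hash, di->hash_len);
    return 0;
}

/* Classify a k-byte block recovered from a signature with the public key.
 * Inputs are public values, so plain memcmp is fine for this diagnostic. */
enum em_status pkcs1_v15_classify(enum hash_alg alg, const uint8_t *hash,
                                  const uint8_t *em, size_t k)
{
    if ((unsigned)alg > HASH_SHA256 || k < 11 || em[0] != 0x00 || em[1] != 0x01)
        return EM_BAD_PADDING;
    const struct digest_info *di = &TABLE[alg];
    size_t i = 2;
    while (i < k && em[i] == 0xff)
        i++;
    if (i < 10 || i >= k || em[i] != 0x00)   /* short PS or no 00 separator */
        return EM_BAD_PADDING;
    const uint8_t *t = em + i + 1;
    size_t t_len = k - i - 1;
    if (t_len == di->hash_len)               /* padded hash, no DigestInfo */
        return memcmp(t, hash, t_len) == 0 ? EM_BARE_HASH : EM_HASH_MISMATCH;
    if (t_len != di->prefix_len + di->hash_len ||
        memcmp(t, di->prefix, di->prefix_len) != 0)
        return EM_WRONG_DIGESTINFO;
    return memcmp(t + di->prefix_len, hash, di->hash_len) == 0
               ? EM_OK : EM_HASH_MISMATCH;
}

/* Constructed sample input: MD5 of the empty string. */
static const uint8_t SAMPLE_MD5[16] = { 0xd4,0x1d,0x8c,0xd9,0x8f,0x00,0xb2,0x04,
    0xe9,0x80,0x09,0x98,0xec,0xf8,0x42,0x7e };

/* Build a block for a k-byte key and classify it. with_prefix = 0 mimics a
 * signer that pads the bare hash; corrupt = 1 flips one bit of the hash.
 * Returns an em_status value, or -1 if the block cannot be built. */
int demo_classify(size_t k, int with_prefix, int corrupt)
{
    uint8_t em[512];
    if (k > sizeof em || pkcs1_v15_encode(HASH_MD5, SAMPLE_MD5, 16, em, k) != 0)
        return -1;
    if (!with_prefix) {
        size_t ps_len = k - 16 - 3;   /* overwrite the prefix with padding */
        memset(em + 2, 0xff, ps_len);
        em[2 + ps_len] = 0x00;
    }
    if (corrupt)
        em[k - 1] ^= 0x01;
    return (int)pkcs1_v15_classify(HASH_MD5, SAMPLE_MD5, em, k);
}

int main(void)
{
    static const char *names[] = { "ok", "bad padding",
        "bare hash (no DigestInfo)", "wrong DigestInfo", "hash mismatch" };
    printf("with DigestInfo:    %s\n", names[demo_classify(128, 1, 0)]);
    printf("without DigestInfo: %s\n", names[demo_classify(128, 0, 0)]);
    printf("corrupted hash:     %s\n", names[demo_classify(128, 1, 1)]);
    return 0;
}
```
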
|
From: Frank M. <fra...@gm...> - 2026-04-16 08:29:57
|
We deliberately removed the bluez card driver (jcop is a misnomer), because nobody was using or maintaining either smart card software or java card applet as far as we know. I don't know why you want to bring this back. I assume you would be better off using your JCOP4 with a (open source) java card applet that is supported by OpenSC.

https://github.com/OpenSC/OpenSC/wiki/JavaCards

BR, Frank.

On 15.04.26 at 16:18, Martin Vogt wrote:
> Hello,
>
> I have started a jcop 4 driver. (I haven't found a working driver for
> this JavaCard, maybe I'm wrong?)
>
> https://github.com/mvogt1/OpenSC
>
> The initial porting went fast, I used the BlueZ implementation from 2003
> from the opensc project, which was removed 2024:
>
> https://github.com/OpenSC/OpenSC/commit/549359e137b318e5dcb182ae5b2a4c9a4ee38b16
>
> I ported the removed implementation to compile with current OpenSC and
> then I experimented a bit with the security environment. The result
> can be seen here:
>
> https://github.com/mvogt1/OpenSC/issues/1
>
> Now I'm stuck with the tests.
>
> I cannot figure out why the openssl verification does not work. Maybe
> someone with a bit more knowledge can have a look?
> Are these openssl tests functional at all?
>
> (I cannot verify this because I only have this card.)
>
> Many thanks in advance,
>
> Martin
>
>
> _______________________________________________
> Opensc-devel mailing list
> Ope...@li...
> https://lists.sourceforge.net/lists/listinfo/opensc-devel
|
From: Martin V. <mv...@gm...> - 2026-04-15 14:18:23
|
Hello,

I have started a jcop 4 driver. (I haven't found a working driver for this JavaCard, maybe I'm wrong?)

https://github.com/mvogt1/OpenSC

The initial porting went fast, I used the BlueZ implementation from 2003 from the opensc project, which was removed 2024:

https://github.com/OpenSC/OpenSC/commit/549359e137b318e5dcb182ae5b2a4c9a4ee38b16

I ported the removed implementation to compile with current OpenSC and then I experimented a bit with the security environment. The result can be seen here:

https://github.com/mvogt1/OpenSC/issues/1

Now I'm stuck with the tests.

I cannot figure out why the openssl verification does not work. Maybe someone with a bit more knowledge can have a look?
Are these openssl tests functional at all?

(I cannot verify this because I only have this card.)

Many thanks in advance,

Martin
|
From: Jakub J. <jj...@re...> - 2026-03-31 13:05:05
|
Hello all,
We are happy to announce the new release of OpenSC, the Open source smart card tools and middleware.

You can find the release of OpenSC version 0.27.1 on Github:

https://github.com/OpenSC/OpenSC/releases/tag/0.27.1

The changes include the new PKCS#11 3.2 support in the tools and infrastructure, streamlined support for Edwards and Montgomery curves and OS-level FIPS mode detection. The MacOS installers are now notarized and signed with a new key thanks to Raul Metsma. We also fixed several potentially security relevant issues so please update your installations.

Note, that since the last release, we now use the Windows installers built by GitHub Actions instead of AppVeyor. Please, give them a try!

For the full changelog, please refer to NEWS file:
https://github.com/OpenSC/OpenSC/blob/master/NEWS

The sha256sum of artifacts provided through the Github can be found below:

Regards,
Jakub Jelen
and the OpenSC team
|
From: Jakub J. <jj...@re...> - 2026-03-13 11:37:49
|
Hello all,

You can find a release candidate 2 for OpenSC version 0.27.0 for testing on Github:

https://github.com/OpenSC/OpenSC/releases/tag/0.27.0-rc2

The changes include the new PKCS#11 3.2 support in the tools and infrastructure, streamlined support for Edwards and Montgomery curves and OS-level FIPS mode detection. The MacOS installers are now notarized and signed with a new key thanks to Raul Metsma.

Note, that since RC1, we now use the Windows installers built by GitHub Actions instead of AppVeyor. Please, give them a try!

For the full changelog, please refer to NEWS file:
https://github.com/OpenSC/OpenSC/blob/master/NEWS

We are looking forward to your feedback, which we may discuss via this mailing list or GitHub:
https://github.com/OpenSC/OpenSC/issues/3526

Advices for systematic testing can be found here:
https://github.com/OpenSC/OpenSC/wiki/Smart-Card-Release-Testing

We would like to release the final version in a few weeks.

The sha256sum of artifacts provided through the Github can be found below:

Regards,
Jakub Jelen
and the OpenSC team
|
From: Jakub J. <jj...@re...> - 2026-02-24 15:56:26
|
Hello all,

You can find a release candidate for OpenSC version 0.27.0 for testing on Github:

https://github.com/OpenSC/OpenSC/releases/tag/0.27.0-rc1

The changes include the new PKCS#11 3.2 support in the tools and infrastructure, streamlined support for Edwards and Montgomery curves and OS-level FIPS mode detection. The MacOS installers are now notarized and signed with a new key thanks to Raul Metsma.

For the full changelog, please refer to NEWS file:
https://github.com/OpenSC/OpenSC/blob/master/NEWS

We are looking forward to your feedback, which we may discuss via this mailing list or GitHub:
https://github.com/OpenSC/OpenSC/issues/3526

Advices for systematic testing can be found here:
https://github.com/OpenSC/OpenSC/wiki/Smart-Card-Release-Testing

We would like to release the final version in a few weeks.

The sha256sum of artifacts provided through the Github can be found below:

Regards,
Jakub Jelen
and the OpenSC team
|
From: Graham L. <mi...@sh...> - 2025-07-23 10:23:12
|
On 19 Jul 2025, at 22:44, Michał Trojnara via Opensc-devel <ope...@li...> wrote:
> Ondřej Surý <on...@su...> wrote:
>> Who would be author then to give copyright assignment to the project and who owns the IP to the LLM generated code?
>
> I will.

You won't, and this has been settled in law.

https://en.wikipedia.org/wiki/Monkey_selfie_copyright_dispute

Regards,
Graham
|
From: Paul W. <ma...@al...> - 2025-07-23 09:44:39
|
On Mon, 21 Jul 2025 14:44:08 +0200, Juraj Šarinay <ju...@sa...> wrote:
> > the legal status of AI-generated code is still under debate
>
> The current (rather clear) status means that such code simply cannot be
> included in OpenSC or indeed in any free software.

Very interesting, and very important! Don't you know, is there any deeper research about the subject?
|
From: Juraj Š. <ju...@sa...> - 2025-07-21 12:59:37
|
On Sat, 2025-07-19 at 23:44 +0200, Michał Trojnara via Opensc-devel wrote:
> > Who would be author then to give copyright assignment to the
> > project and who owns the IP to the LLM generated code?
>
> I will.

Dear Michał

I understand you intend to mislead others about code authorship. This might put the project at risk. As if merging LLM-generated garbage were not risky enough...

> You could argue the same about any output of non-AI code generators
> and/or compilers. I respectfully disagree. I came up with the prompt,
> and I retain intellectual property rights to the generated code.

A LLM merely transforms code originally written (and therefore copyrighted) by others. To use the output, one needs permission from the original author(s). Which is indeed how output of non-AI code generators & compilers is normally treated.

> I myself was trained using code written (and copyrighted) by others.
> I tend to reuse good programming patterns I have seen before.

We all do that. Programming patterns are not protected by copyright. Code is. Copy-pasting has always been risky.

> the legal status of AI-generated code is still under debate

The current (rather clear) status means that such code simply cannot be included in OpenSC or indeed in any free software.

Best,
Juraj
|
From: Michał T. <Mic...@st...> - 2025-07-21 10:54:00
|
Hi Alex,

On 7/21/25 10:45 AM, Alexander Burke via Opensc-devel wrote:
> You can't legally do that, because the code comes from (1) a program
> you did not write, which (2) was trained on code written (and
> copyrighted) by others which it is regurgitating, which is also likely
> to be licensed differently.

Ad 1. You could argue the same about any output of non-AI code generators and/or compilers. I respectfully disagree. I came up with the prompt, and I retain intellectual property rights to the generated code.

Ad 2. I myself was trained using code written (and copyrighted) by others. I tend to reuse good programming patterns I have seen before. This is how learning works. AI is no different. There is no such thing as 100% originality. You are always inspired by, and you always reuse, thoughts previously expressed by other people.

> This is what the Wikimedia Foundation has to say about it:
> https://en.wikipedia.org/wiki/Wikipedia:Large_language_models_and_copyright

Isn't it better to use a more specific source, such as https://openai.com/policies/terms-of-use/ ?

/As between you and OpenAI, and to the extent permitted by applicable law, you (a) retain your ownership rights in Input and (b) own the Output. We hereby assign to you all our right, title, and interest, if any, in and to Output. /

> This is a legal and technical minefield and I encourage you, and the
> project, to obtain legal advice before using this "tool".

Well, life is a legal, technical, and emotional minefield. Common sense helps, though.

I understand that the legal status of AI-generated code is still under debate, and interpretations may vary across jurisdictions. While I am confident in my approach, I remain open to further discussion and will reconsider my position if authoritative legal guidance becomes available.

Regardless of how the code is generated, I ensure that all contributions are diligently reviewed for license compatibility and compliance with project policies. I believe that maintaining these standards is essential for the integrity and sustainability of the project.

Have a nice day,
Mike
|
From: Alexander B. <al...@al...> - 2025-07-21 08:45:40
|
Hi Mike,

You can't legally do that, because the code comes from (1) a program you did not write, which (2) was trained on code written (and copyrighted) by others which it is regurgitating, which is also likely to be licensed differently.

This is what the Wikimedia Foundation has to say about it:
https://en.wikipedia.org/wiki/Wikipedia:Large_language_models_and_copyright

This is a legal and technical minefield and I encourage you, and the project, to obtain legal advice before using this "tool".

Best wishes,
Alex
|
From: Michał T. <Mic...@st...> - 2025-07-19 21:44:31
|
Ondřej Surý <on...@su...> wrote:
> Who would be author then to give copyright assignment to the project and who owns the IP to the LLM generated code?

I will.

Best regards,
Mike
|
From: Ondřej S. <on...@su...> - 2025-07-19 06:56:21
|
> On 18. 7. 2025, at 22:56, Michał Trojnara via Opensc-devel <ope...@li...> wrote:
> You may think of it as yet another potential (sic!) contributor.

Who would be author then to give copyright assignment to the project and who owns the IP to the LLM generated code?

These are important questions that need to be answered before merging anything into an open source project under free software license.

> I've seen worse pull requests submitted by humans...

Don’t use this as argument. Ever never in any context.

Ondrej
--
Ondřej Surý (He/Him)
|
From: Michał T. <Mic...@st...> - 2025-07-18 20:55:29
|
Hi Alex,

Alexander Burke wrote:
> Why was it given read-write access?

It can submit pull requests when ordered to do so. Also, it was only given access to the libp11 subproject, and not the entire OpenSC.

> Are we gonna start vibe coding Open SC?

Definitely not, although I've seen worse pull requests submitted by humans... You may think of it as yet another potential (sic!) contributor.

Best regards,
Mike
|
From: Alexander B. <al...@al...> - 2025-07-18 20:19:44
|
Hi Mike,

Why was it given read-write access? Are we gonna start vibe coding OpenSC?

Cheers,
Alex
|
From: Michał T. <Mic...@st...> - 2025-07-18 15:25:16
|
Hi Ludovic,

I have requested access for the ChatGPT Connector and have also handled the request for additional read-only access permissions. No action is required from you.

Please let me know if you are not comfortable with installing the ChatGPT Connector for libp11. The connector is simply a matter of convenience. It is not essential for the project, and I can remove it if necessary.

Best regards,
Mike

On 7/17/25 11:10 AM, Ludovic Rousseau wrote:
> Hello,
>
> I received the request below from GitHub.
> I had a look at the OpenSC organisation configuration on github. For
> now the ChatGPT Connector (installed one month ago, not by me) has
> access to the OpenSC/libp11 project only.
>
> I don't know who installed the ChatGPT Connector.
>
> The ChatGPT Connector app by openai is requesting updated permissions
> Read-only access to Checks
> Read-only access to Members
> Read-only access to Commit statuses
>
>
> The ChatGPT Connector already has access to:
> *Read and write* access to *Actions*
> *Read and write* access to *Contents*
> *Read and write* access to *Issues*
> *Read-only* access to *Metadata*
> *Read and write* access to *Pull requests*
> *Read and write* access to *Workflows*
>
> What should I do with the new request?
>
> Bye
>
> ---------- Forwarded message ---------
> From: *GitHub* <no...@gi...>
> Date: Thu, 17 Jul 2025 at 04:38
> Subject: [GitHub] ChatGPT Connector is requesting updated permissions
> To: Ludovic Rousseau <lud...@gm... <mailto:ludovic.rousseau%2Bg...@gm...>>
>
>
> Updated Permissions Request
>
> The GitHub App ChatGPT Connector is requesting additional access to
> your organization.
>
> Hello there!
>
> You’re receiving this email because the GitHub App *ChatGPT
> Connector*, which is currently installed on your *OpenSC*
> organization, has updated its permissions and is requesting additional
> access.
>
> Review permission request to accept or reject this change
> <https://github.com/organizations/OpenSC/settings/installations/72073247/permissions/update>
>
>
> You may choose to ignore this request, in which case ChatGPT Connector
> will retain its current permissions.
>
> You can view pending requests directly by visiting your organization’s
> settings page and clicking on Applications. If you run into problems,
> please contact support.
> <https://support.github.com/contact?tags=dotcom-integrations>
>
> Link not working? Paste the following link into your browser:
> https://github.com/organizations/OpenSC/settings/installations/72073247/permissions/update
>
>
> Thanks!
>
>
>
> --
> Dr. Ludovic Rousseau
>
>
> _______________________________________________
> Opensc-devel mailing list
> Ope...@li...
> https://lists.sourceforge.net/lists/listinfo/opensc-devel
|
From: Ludovic R. <lud...@gm...> - 2025-07-17 09:10:29
|
Hello,

I received the request below from GitHub.
I had a look at the OpenSC organisation configuration on github. For now the ChatGPT Connector (installed one month ago, not by me) has access to the OpenSC/libp11 project only.

I don't know who installed the ChatGPT Connector.

The ChatGPT Connector app by openai is requesting updated permissions
Read-only access to Checks
Read-only access to Members
Read-only access to Commit statuses

The ChatGPT Connector already has access to:
*Read and write* access to *Actions*
*Read and write* access to *Contents*
*Read and write* access to *Issues*
*Read-only* access to *Metadata*
*Read and write* access to *Pull requests*
*Read and write* access to *Workflows*

What should I do with the new request?

Bye

---------- Forwarded message ---------
From: GitHub <no...@gi...>
Date: Thu, 17 Jul 2025 at 04:38
Subject: [GitHub] ChatGPT Connector is requesting updated permissions
To: Ludovic Rousseau <lud...@gm...>

Updated Permissions Request

The GitHub App ChatGPT Connector is requesting additional access to your organization.

Hello there!

You’re receiving this email because the GitHub App *ChatGPT Connector*, which is currently installed on your *OpenSC* organization, has updated its permissions and is requesting additional access.

Review permission request to accept or reject this change
<https://github.com/organizations/OpenSC/settings/installations/72073247/permissions/update>

You may choose to ignore this request, in which case ChatGPT Connector will retain its current permissions.

You can view pending requests directly by visiting your organization’s settings page and clicking on Applications. If you run into problems, please contact support.
<https://support.github.com/contact?tags=dotcom-integrations>

Link not working? Paste the following link into your browser:
https://github.com/organizations/OpenSC/settings/installations/72073247/permissions/update

Thanks!

--
Dr. Ludovic Rousseau
|
From: dzeri96 <dz...@pr...> - 2025-04-26 15:18:08
|
I just got the card this year so you might be mixing me up with somebody.

I want to delay the reverse-engineering of Athena OpenID for three reasons:

1. Signing stuff is actually the last thing on my wish-list. I'm more interested in the identification data and the activation procedure. The tool seems to only do signing so reverse-engineering it probably won't help me much.
2. The 2 AIDs related to IAS ECC (starting with E8 28 BD 08 0F) are already mentioned in https://github.com/OpenSC/OpenSC/blob/master/etc/opensc.conf.example.in. Someone put them there so someone must know what they do. This leads me to believe that there must be a specification floating out there somewhere.
3. Obviously, it's very time-consuming.

I've been reading the IAS ECC spec more thoroughly and chapter 10.4 describes Cryptographic Information Applications whose IDs start with the above-mentioned prefix and continue with the AID of the application they refer to. My card seems to contradict this since, for example 50 45 43 43 2D 65 49 44, is not a selectable AID, it just spells out PECC-eID. I don't know...

I think getting my hands on the ChipDocs User Manual from NXP would potentially clear up some things, but they only give it to trusted partners apparently.

Cheers,
Dzeri96

On Saturday, 26 April 2025 at 10:49, Vincent Le Toux <vin...@my...> wrote:
> Inside the middleware, there is a minidriver named ciamd.dll
>
> What I would suggest is to write a program like the one I wrote here (https://github.com/vletoux/openpgpmdrv/tree/master/OpenPGPminidriverTest) that connects to the minidriver and realize basic functions (enumerating public keys, certificates, encrypts, change pin, etc).
> You can add a hook to dump the instructions sent to the card.
> > You can use the following code to hook the SCardTransmit function: > > > void PrintHexToDebug(const BYTE* buffer, DWORD length) { > // Allocate memory dynamically > TCHAR* hexStr = (TCHAR*)malloc((3 * length + 1) * sizeof(TCHAR)); > if (hexStr == NULL) { > OutputDebugString(TEXT("Memory allocation failed\n")); > return; > } > > for (DWORD i = 0; i < length; i++) { > _stprintf_s(&hexStr[i * 3], 4, TEXT("%02X "), buffer[i]); > } > hexStr[3 * length] = '\0'; > OutputDebugString(hexStr); > > // Free the allocated memory > free(hexStr); > } > > LONG WINAPI MySCardTransmit( > SCARDHANDLE hCard, > LPCSCARD_IO_REQUEST pioSendPci, > LPCBYTE pbSendBuffer, > DWORD cbSendLength, > LPSCARD_IO_REQUEST pioRecvPci, > LPBYTE pbRecvBuffer, > LPDWORD pcbRecvLength > ) { > // Trace the input buffer > OutputDebugString(TEXT("pbSendBuffer: ")); > PrintHexToDebug(pbSendBuffer, cbSendLength); > OutputDebugString(TEXT("\n")); > // Call the original SCardTransmit > LONG result = SCardTransmit(hCard, pioSendPci, pbSendBuffer, cbSendLength, pioRecvPci, pbRecvBuffer, pcbRecvLength); > > // Write the return code as hex > TCHAR returnCodeStr[30]; > _stprintf_s(returnCodeStr, ARRAYSIZE(returnCodeStr), TEXT("Return code: %08X\n"), result); > OutputDebugString(returnCodeStr); > > // If the return code is successful, dump the output buffer > if (result == SCARD_S_SUCCESS && pcbRecvLength && pbRecvBuffer) { > (TEXT("pbRecvBuffer: ")); > PrintHexToDebug(pbRecvBuffer, *pcbRecvLength); > OutputDebugString(TEXT("\n")); > } > > return result; > } > > VOID EnableHook(HMODULE hModule) > { > HMODULE hScard = LoadLibrary(TEXT("Winscard.dll")); > PROC pfnScardTransmit = GetProcAddress(hScard, "SCardTransmit"); > PIMAGE_DOS_HEADER pDosHeader = (PIMAGE_DOS_HEADER)hModule; > PIMAGE_NT_HEADERS pNtHeaders = (PIMAGE_NT_HEADERS)((BYTE*)hModule + pDosHeader->e_lfanew); > PIMAGE_IMPORT_DESCRIPTOR pImportDesc = (PIMAGE_IMPORT_DESCRIPTOR)((BYTE*)hModule + 
pNtHeaders->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress); > > while (pImportDesc->Name) { > LPCSTR pszModName = (LPCSTR)((BYTE*)hModule + pImportDesc->Name); > if (_stricmp(pszModName, "Winscard.dll") == 0) { > PIMAGE_THUNK_DATA pThunk = (PIMAGE_THUNK_DATA)((BYTE*)hModule + pImportDesc->FirstThunk); > while (pThunk->u1.Function) { > PROC* ppfn = (PROC*)&pThunk->u1.Function; > if (*ppfn == (PROC)pfnScardTransmit) { > DWORD oldProtect; > VirtualProtect(ppfn, sizeof(PROC), PAGE_EXECUTE_READWRITE, &oldProtect); > *ppfn = (PROC)MySCardTransmit; > VirtualProtect(ppfn, sizeof(PROC), oldProtect, &oldProtect); > } > pThunk++; > } > break; > } > pImportDesc++; > } > } > > > And to initialize the minidriver: > > > DWORD Connect(BOOL fSystemDll = TRUE) > { > DWORD dwReturn = 0; > SCARDCONTEXT hSCardContext = NULL; > SCARDHANDLE hSCardHandle = NULL; > TCHAR szCardModule[256]; > TCHAR szReader[256]; > DWORD dwCardModuleSize = ARRAYSIZE(szCardModule); > DWORD dwReaderSize = ARRAYSIZE(szReader); > OPENCARDNAME_EX dlgStruct; > PFN_CARD_ACQUIRE_CONTEXT pfnCardAcquireContext; > > __try > { > // find a smart card > ///////////////////// > > dwReturn = SCardEstablishContext(SCARD_SCOPE_USER, > NULL, > NULL, > &hSCardContext); > if (SCARD_S_SUCCESS != dwReturn) > { > __leave; > } > > // Initialize the structure. > memset(&dlgStruct, 0, sizeof(dlgStruct)); > dlgStruct.dwStructSize = sizeof(dlgStruct); > dlgStruct.hSCardContext = hSCardContext; > dlgStruct.dwFlags = SC_DLG_MINIMAL_UI; > dlgStruct.lpstrRdr = szReader; > dlgStruct.nMaxRdr = dwReaderSize; > dlgStruct.lpstrCard = szCard; > dlgStruct.nMaxCard = ARRAYSIZE(szCard); > dlgStruct.lpstrTitle = L"Select Card"; > dlgStruct.dwShareMode = 0; > // Display the select card dialog box. 
> dwReturn = SCardUIDlgSelectCard(&dlgStruct); > if (SCARD_S_SUCCESS != dwReturn) > { > __leave; > } > > // find the dll path / name > //////////////////////////// > if (fSystemDll) > { > > > dwReturn = SCardGetCardTypeProviderName( > hSCardContext, > szCard, > SCARD_PROVIDER_CARD_MODULE, > (PTSTR)&szCardModule, > &dwCardModuleSize); > if (0 == dwCardModuleSize) > { > dwReturn = (DWORD)SCARD_E_UNKNOWN_CARD; > __leave; > } > } > else > { > #ifdef _M_X64 > _tcscpy_s(szCardModule, dwCardModuleSize, TEXT("Name of the dll.dll")); > #else > _tcscpy_s(szCardModule, dwCardModuleSize, TEXT("Name of the dll.dll")); > #endif > } > // connect to the smart card > //////////////////////////// > DWORD dwProtocol, dwState; > dwReturn = SCardConnect(hSCardContext, szReader, SCARD_SHARE_SHARED, SCARD_PROTOCOL_T1 | SCARD_PROTOCOL_T0, &hSCardHandle, &dwProtocol); > if (SCARD_S_SUCCESS != dwReturn) > { > __leave; > } > atr.cbAtr = 32; > dwReturn = SCardStatus(hSCardHandle, szReader, &dwReaderSize, &dwState, &dwProtocol, atr.rgbAtr, &atr.cbAtr); > if (SCARD_S_SUCCESS != dwReturn) > { > __leave; > } > // load > //////// > if (NULL == (hModule = LoadLibrary(szCardModule))) > { > dwReturn = GetLastError(); > __leave; > } > if (fSystemDll) > { > EnableHook(hModule); > } > if (NULL == (pfnCardAcquireContext = > (PFN_CARD_ACQUIRE_CONTEXT)GetProcAddress( > hModule, "CardAcquireContext"))) > { > dwReturn = GetLastError(); > __leave; > } > // initialize context > ////////////////////// > pCardData = &CardData; > pCardData->dwVersion = CARD_DATA_CURRENT_VERSION; > pCardData->pfnCspAlloc = _Alloc; > pCardData->pfnCspFree = _Free; > pCardData->pfnCspReAlloc = _ReAlloc; > pCardData->pfnCspCacheAddFile = _CacheAddFileStub; > pCardData->pfnCspCacheLookupFile = _CacheLookupFileStub; > pCardData->pfnCspCacheDeleteFile = _CacheDeleteFileStub; > pCardData->hScard = hSCardHandle; > pCardData->hSCardCtx = hSCardContext; > pCardData->cbAtr = atr.cbAtr; > pCardData->pbAtr = atr.rgbAtr; > 
pCardData->pwszCardName = szCard; > //dwReturn = SCardBeginTransaction(hSCardHandle); > if (SCARD_S_SUCCESS != dwReturn) > { > __leave; > } > dwReturn = pfnCardAcquireContext(pCardData, 0); > } > __finally > { > if (dwReturn != 0) > { > if (hSCardHandle) > { > SCardEndTransaction(hSCardHandle, SCARD_LEAVE_CARD); > SCardDisconnect(hSCardHandle, 0); > } > if (hSCardContext) > SCardReleaseContext(hSCardContext); > } > } > return dwReturn; > } > > DWORD Disconnect() > { > DWORD dwReturn = 0; > if (pCardData) > { > if (pCardData->hScard) > { > SCardEndTransaction(pCardData->hScard, SCARD_LEAVE_CARD); > SCardDisconnect(pCardData->hScard, 0); > } > if (pCardData->hSCardCtx) > SCardReleaseContext(pCardData->hSCardCtx); > pCardData = NULL; > } > else > { > dwReturn = SCARD_E_COMM_DATA_LOST; > } > return dwReturn; > } > > You can then call directly : > > DWORD GenerateNewKey(DWORD dwIndex) > { > DWORD dwReturn, dwKeySpec; > PIN_ID PinId; > __try > { > if (!pCardData) > { > dwReturn = SCARD_E_COMM_DATA_LOST; > __leave; > } > switch(dwIndex) > { > case 0: //Signature, > dwKeySpec = AT_SIGNATURE; > PinId = ROLE_USER; > break; > case 2: //Authentication, > dwKeySpec = AT_SIGNATURE; > PinId = 3; > break; > case 1: // Confidentiality, > dwKeySpec = AT_KEYEXCHANGE; > PinId = 4; > break; > default: > dwReturn = SCARD_E_UNEXPECTED; > __leave; > } > dwReturn = pCardData->pfnCardCreateContainerEx(pCardData, (BYTE) dwIndex, > CARD_CREATE_CONTAINER_KEY_GEN, > dwKeySpec, 1024, NULL, PinId); > } > __finally > { > } > return dwReturn; > } > > br > Vincent > > > Le ven. 25 avr. 2025 à 22:53, Frank Morgner <fra...@gm...> a écrit : > > > The middleware is available on the bottom of this page > > https://www.gov.me/clanak/preuzmite-software-i-uputstva > > > > But I think you already know that. You analyzed that in 2024 already, didn't you? > > > > Regards. 
> > > > Am 22.04.25 um 14:44 schrieb dzeri96 via Opensc-devel: > > > > > Hello everyone, > > > > > > I'm trying to kickstart support for the new Montenegrin eID, or at least figure out how it works. I've sent multiple requests for technical specs to the government, but unless I take them to court, I doubt I'll get any useful information. Therefore I'll just write down what I manage to figure out on my own, and hopefully you can provide further insight. One thing about a country as small as Montenegro, is that there is a very high probability we didn't implement anything custom, as it's not financially viable. > > > > > > Here's what I have so far: > > > > > > - ATR: 3b:dc:96:ff:81:91:fe:1f:c3:80:73:c8:21:13:66:05:03:63:51:00:02:de. It doesn't seem to comply with the ATR scheme in the IAS ECC specification, even though the government says the card complies with all EU ID regulations (unclear which ones). > > > - EF.ATR raw data: 80004301B946040400ECC24703940180 4F0BF0496173456363526F6F74E01002 020104020200E6020200E6020200E678 0806062B8122F8780282029000 > > > - EF.DIR raw data: 61374F0EE828BD080FD25047656E6572 6963500743686970446F63731C300404 025031A004040250324F0EE828BD080FD2504543432D654944610F4F07A00000 0247100150044943414F61184F0A4D4F 4E54454E4547524F500A4E6174696F6E 616C4944 > > > > > > - By deciphering the EF.DIR data, we can discover 4 applications: > > > > > > - E828BD080FD25047656E65726963 - ECC Generic PKI / ChipDocs Applet > > > - E828BD080FD2504543432D654944 - ECC eID > > > - A0000002471001 - ICAO > > > - 4D4F4E54454E4547524F - Spells out MONTENEGRO in ASCII, label is "NationalID". No idea what this could be... maybe something related to healthcare? > > > > > > - I managed to use npa-tool and read the MRZ stored on the card using CAN-based PACE, but all other functions of the tool don't work, not even PIN-based PACE. I'm just using it as an APDU debugger with PACE support. > > > - The official middleware supplied by the government is Athena IDProtect. 
> > > - The activation software is available here. It's a java program developed by Mühlbauer. I decompiled it and saw that it's accessing the ECC eID application. I managed to extract some APDUs and get the activation status of the card (PIN change is required on first use). > > > - iasecc-tool and pkcs15-tool say "Card is invalid or cannot be handled" regardless of what I try. > > > > > > I've skimmed over hundreds of pages of standards, including the ISO-7816 parts, the NXP ChipDoc v4 spec, the BSI TR-03110, the IAS ECC spec, but I can barely find any concrete info on these applications. Someone must know how to access them because there are vendor-provided tools to do so. > > > > > > My goals are: > > > > > > 1. Get general knowledge about the card and build some PoC APDU chains to read/set data. > > > 2. Get the birthdate of the person via PIN-based auth and verify the authenticity of the data. > > > 3. Get the openSC suite of tools to work with the card. > > > 4. Replace the closed-source middleware provided by the government. > > > > > > > > > I would really appreciate any help here. Thanks! > > > > > > > > > > > > > > > _______________________________________________ > > > Opensc-devel mailing list > > > Ope...@li... > > > https://lists.sourceforge.net/lists/listinfo/opensc-devel > > > > _______________________________________________ > > Opensc-devel mailing list > > Ope...@li... > > https://lists.sourceforge.net/lists/listinfo/opensc-devel |
|
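The EF.DIR bytes quoted in this thread can be decoded with a small BER-TLV walker. This is an added example, not code from any poster or from OpenSC: the function names are hypothetical, the tag meanings (61 application template, 4F AID, 50 label, 73 discretionary template) are those of ISO/IEC 7816-4, and the hex string is copied from the thread.

```python
# Added example: decode the EF.DIR bytes posted in the thread.
# Function and constant names are hypothetical, chosen for this example.

# EF.DIR content as posted in the thread (spaces removed).
EF_DIR_HEX = (
    "61374F0EE828BD080FD25047656E6572"
    "6963500743686970446F63731C300404"
    "025031A004040250324F0EE828BD080F"
    "D2504543432D654944610F4F07A00000"
    "0247100150044943414F61184F0A4D4F"
    "4E54454E4547524F500A4E6174696F6E"
    "616C4944"
)

# AID prefix the thread associates with the IAS ECC applications.
CIA_PREFIX = bytes.fromhex("E828BD080F")

TAG_APP_TEMPLATE = 0x61
TAG_AID = 0x4F
TAG_LABEL = 0x50
TAG_DISCRETIONARY = 0x73


def parse_tlv(data):
    """Parse BER-TLV objects; returns a list of (tag, value, children)."""
    nodes, i = [], 0
    while i < len(data):
        first = data[i]
        if first in (0x00, 0xFF):      # filler bytes between objects
            i += 1
            continue
        start, i = i, i + 1
        if first & 0x1F == 0x1F:       # tag number continues in later bytes
            while True:
                if i >= len(data):
                    raise ValueError("truncated tag")
                more = data[i] & 0x80
                i += 1
                if not more:
                    break
        tag = int.from_bytes(data[start:i], "big")
        if i >= len(data):
            raise ValueError("missing length byte")
        length = data[i]
        i += 1
        if length == 0x80:
            raise ValueError("indefinite length not supported here")
        if length & 0x80:              # long form: low bits give byte count
            count = length & 0x7F
            if i + count > len(data):
                raise ValueError("truncated length")
            length = int.from_bytes(data[i:i + count], "big")
            i += count
        if i + length > len(data):
            raise ValueError("value runs past end of buffer")
        value = data[i:i + length]
        i += length
        # Bit 0x20 of the first tag byte marks a constructed object.
        children = parse_tlv(value) if first & 0x20 else []
        nodes.append((tag, value, children))
    return nodes


def find_all(nodes, tag):
    """Depth-first list of the values of every object carrying `tag`."""
    hits = []
    for t, value, children in nodes:
        if t == tag:
            hits.append(value)
        hits.extend(find_all(children, tag))
    return hits


def applications(ef_dir):
    """One dict per top-level application template in EF.DIR."""
    apps = []
    for tag, _, children in parse_tlv(ef_dir):
        if tag != TAG_APP_TEMPLATE:
            continue
        direct = {t: v for t, v, _ in children}
        nested = [aid for t, _, kids in children if t == TAG_DISCRETIONARY
                  for aid in find_all(kids, TAG_AID)]
        apps.append({
            "aid": direct.get(TAG_AID),
            "label": direct.get(TAG_LABEL, b"").decode("ascii", "replace"),
            "nested_aids": nested,
        })
    return apps


def describe_aid(aid):
    """Split off the prefix and show the remainder as hex and ASCII."""
    has_prefix = aid.startswith(CIA_PREFIX)
    rest = aid[len(CIA_PREFIX):] if has_prefix else aid
    text = "".join(chr(b) if 0x20 <= b < 0x7F else "." for b in rest)
    return {"has_prefix": has_prefix, "rest": rest.hex().upper(), "ascii": text}


if __name__ == "__main__":
    for app in applications(bytes.fromhex(EF_DIR_HEX)):
        print(app["label"], app["aid"].hex().upper(), describe_aid(app["aid"]))
        for aid in app["nested_aids"]:
            print("  nested:", aid.hex().upper(), describe_aid(aid))
```

Run on the posted bytes, this yields three top-level application templates; the AID ending in "PECC-eID" appears inside the discretionary template (tag 73) of the first one rather than in a template of its own.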
From: Vincent Le T. <vin...@my...> - 2025-04-26 09:06:46
|
Inside the middleware, there is a minidriver named ciamd.dll

What I would suggest is to write a program like the one I wrote here (https://github.com/vletoux/openpgpmdrv/tree/master/OpenPGPminidriverTest) that connects to the minidriver and realize basic functions (enumerating public keys, certificates, encrypts, change pin, etc).
You can add a hook to dump the instructions sent to the card.

You can use the following code to hook the SCardTransmit function:

    #include <windows.h>
    #include <winscard.h>
    #include <tchar.h>
    #include <stdio.h>
    #include <stdlib.h>

    void PrintHexToDebug(const BYTE* buffer, DWORD length) {
        // Allocate memory dynamically
        TCHAR* hexStr = (TCHAR*)malloc((3 * length + 1) * sizeof(TCHAR));
        if (hexStr == NULL) {
            OutputDebugString(TEXT("Memory allocation failed\n"));
            return;
        }

        for (DWORD i = 0; i < length; i++) {
            _stprintf_s(&hexStr[i * 3], 4, TEXT("%02X "), buffer[i]);
        }
        hexStr[3 * length] = '\0';
        OutputDebugString(hexStr);

        // Free the allocated memory
        free(hexStr);
    }

    // Replacement for SCardTransmit that traces every APDU exchanged.
    // The trace contains the full command data, so a PIN sent in a
    // VERIFY command will appear in the debug output.
    LONG WINAPI MySCardTransmit(
        SCARDHANDLE hCard,
        LPCSCARD_IO_REQUEST pioSendPci,
        LPCBYTE pbSendBuffer,
        DWORD cbSendLength,
        LPSCARD_IO_REQUEST pioRecvPci,
        LPBYTE pbRecvBuffer,
        LPDWORD pcbRecvLength
    ) {
        // Trace the input buffer
        OutputDebugString(TEXT("pbSendBuffer: "));
        PrintHexToDebug(pbSendBuffer, cbSendLength);
        OutputDebugString(TEXT("\n"));
        // Call the original SCardTransmit
        LONG result = SCardTransmit(hCard, pioSendPci, pbSendBuffer, cbSendLength, pioRecvPci, pbRecvBuffer, pcbRecvLength);

        // Write the return code as hex
        TCHAR returnCodeStr[30];
        _stprintf_s(returnCodeStr, ARRAYSIZE(returnCodeStr), TEXT("Return code: %08X\n"), result);
        OutputDebugString(returnCodeStr);

        // If the return code is successful, dump the output buffer
        if (result == SCARD_S_SUCCESS && pcbRecvLength && pbRecvBuffer) {
            OutputDebugString(TEXT("pbRecvBuffer: "));
            PrintHexToDebug(pbRecvBuffer, *pcbRecvLength);
            OutputDebugString(TEXT("\n"));
        }

        return result;
    }

    // Patch the import address table of hModule so that its calls to
    // Winscard.dll!SCardTransmit go through MySCardTransmit.
    VOID EnableHook(HMODULE hModule)
    {
        HMODULE hScard = LoadLibrary(TEXT("Winscard.dll"));
        if (hScard == NULL) {
            return;
        }
        PROC pfnScardTransmit = GetProcAddress(hScard, "SCardTransmit");
        if (pfnScardTransmit == NULL) {
            return;
        }
        PIMAGE_DOS_HEADER pDosHeader = (PIMAGE_DOS_HEADER)hModule;
        PIMAGE_NT_HEADERS pNtHeaders = (PIMAGE_NT_HEADERS)((BYTE*)hModule + pDosHeader->e_lfanew);
        PIMAGE_IMPORT_DESCRIPTOR pImportDesc = (PIMAGE_IMPORT_DESCRIPTOR)((BYTE*)hModule +
            pNtHeaders->OptionalHeader.DataDirectory[IMAGE_DIRECTORY_ENTRY_IMPORT].VirtualAddress);

        while (pImportDesc->Name) {
            LPCSTR pszModName = (LPCSTR)((BYTE*)hModule + pImportDesc->Name);
            if (_stricmp(pszModName, "Winscard.dll") == 0) {
                PIMAGE_THUNK_DATA pThunk = (PIMAGE_THUNK_DATA)((BYTE*)hModule + pImportDesc->FirstThunk);
                while (pThunk->u1.Function) {
                    PROC* ppfn = (PROC*)&pThunk->u1.Function;
                    if (*ppfn == (PROC)pfnScardTransmit) {
                        DWORD oldProtect;
                        VirtualProtect(ppfn, sizeof(PROC), PAGE_EXECUTE_READWRITE, &oldProtect);
                        *ppfn = (PROC)MySCardTransmit;
                        VirtualProtect(ppfn, sizeof(PROC), oldProtect, &oldProtect);
                    }
                    pThunk++;
                }
                break;
            }
            pImportDesc++;
        }
    }

And to initialize the minidriver:

    // szCard, atr, hModule, CardData, pCardData and the _Alloc, _Free,
    // _ReAlloc and _Cache*Stub callbacks are used here but not declared
    // in this excerpt.
    DWORD Connect(BOOL fSystemDll = TRUE)
    {
        DWORD dwReturn = 0;
        SCARDCONTEXT hSCardContext = NULL;
        SCARDHANDLE hSCardHandle = NULL;
        TCHAR szCardModule[256];
        TCHAR szReader[256];
        DWORD dwCardModuleSize = ARRAYSIZE(szCardModule);
        DWORD dwReaderSize = ARRAYSIZE(szReader);
        OPENCARDNAME_EX dlgStruct;
        PFN_CARD_ACQUIRE_CONTEXT pfnCardAcquireContext;

        __try
        {
            // find a smart card
            /////////////////////

            dwReturn = SCardEstablishContext(SCARD_SCOPE_USER,
                NULL,
                NULL,
                &hSCardContext);
            if (SCARD_S_SUCCESS != dwReturn)
            {
                __leave;
            }

            // Initialize the structure.
            memset(&dlgStruct, 0, sizeof(dlgStruct));
            dlgStruct.dwStructSize = sizeof(dlgStruct);
            dlgStruct.hSCardContext = hSCardContext;
            dlgStruct.dwFlags = SC_DLG_MINIMAL_UI;
            dlgStruct.lpstrRdr = szReader;
            dlgStruct.nMaxRdr = dwReaderSize;
            dlgStruct.lpstrCard = szCard;
            dlgStruct.nMaxCard = ARRAYSIZE(szCard);
            dlgStruct.lpstrTitle = L"Select Card";
            dlgStruct.dwShareMode = 0;
            // Display the select card dialog box.
            dwReturn = SCardUIDlgSelectCard(&dlgStruct);
            if (SCARD_S_SUCCESS != dwReturn)
            {
                __leave;
            }

            // find the dll path / name
            ////////////////////////////
            if (fSystemDll)
            {
                dwReturn = SCardGetCardTypeProviderName(
                    hSCardContext,
                    szCard,
                    SCARD_PROVIDER_CARD_MODULE,
                    (PTSTR)&szCardModule,
                    &dwCardModuleSize);
                if (0 == dwCardModuleSize)
                {
                    dwReturn = (DWORD)SCARD_E_UNKNOWN_CARD;
                    __leave;
                }
            }
            else
            {
    #ifdef _M_X64
                _tcscpy_s(szCardModule, dwCardModuleSize, TEXT("Name of the dll.dll"));
    #else
                _tcscpy_s(szCardModule, dwCardModuleSize, TEXT("Name of the dll.dll"));
    #endif
            }
            // connect to the smart card
            ////////////////////////////
            DWORD dwProtocol, dwState;
            dwReturn = SCardConnect(hSCardContext, szReader, SCARD_SHARE_SHARED, SCARD_PROTOCOL_T1 | SCARD_PROTOCOL_T0, &hSCardHandle, &dwProtocol);
            if (SCARD_S_SUCCESS != dwReturn)
            {
                __leave;
            }
            atr.cbAtr = 32;
            dwReturn = SCardStatus(hSCardHandle, szReader, &dwReaderSize, &dwState, &dwProtocol, atr.rgbAtr, &atr.cbAtr);
            if (SCARD_S_SUCCESS != dwReturn)
            {
                __leave;
            }
            // load
            ////////
            if (NULL == (hModule = LoadLibrary(szCardModule)))
            {
                dwReturn = GetLastError();
                __leave;
            }
            if (fSystemDll)
            {
                EnableHook(hModule);
            }
            if (NULL == (pfnCardAcquireContext =
                (PFN_CARD_ACQUIRE_CONTEXT)GetProcAddress(
                    hModule, "CardAcquireContext")))
            {
                dwReturn = GetLastError();
                __leave;
            }
            // initialize context
            //////////////////////
            pCardData = &CardData;
            pCardData->dwVersion = CARD_DATA_CURRENT_VERSION;
            pCardData->pfnCspAlloc = _Alloc;
            pCardData->pfnCspFree = _Free;
            pCardData->pfnCspReAlloc = _ReAlloc;
            pCardData->pfnCspCacheAddFile = _CacheAddFileStub;
            pCardData->pfnCspCacheLookupFile = _CacheLookupFileStub;
            pCardData->pfnCspCacheDeleteFile = _CacheDeleteFileStub;
            pCardData->hScard = hSCardHandle;
            pCardData->hSCardCtx = hSCardContext;
            pCardData->cbAtr = atr.cbAtr;
            pCardData->pbAtr = atr.rgbAtr;
            pCardData->pwszCardName = szCard;
            //dwReturn = SCardBeginTransaction(hSCardHandle);
            if (SCARD_S_SUCCESS != dwReturn)
            {
                __leave;
            }
            dwReturn = pfnCardAcquireContext(pCardData, 0);
        }
        __finally
        {
            if (dwReturn != 0)
            {
                if (hSCardHandle)
                {
                    SCardEndTransaction(hSCardHandle, SCARD_LEAVE_CARD);
                    SCardDisconnect(hSCardHandle, 0);
                }
                if (hSCardContext)
                    SCardReleaseContext(hSCardContext);
            }
        }
        return dwReturn;
    }

    DWORD Disconnect()
    {
        DWORD dwReturn = 0;
        if (pCardData)
        {
            if (pCardData->hScard)
            {
                SCardEndTransaction(pCardData->hScard, SCARD_LEAVE_CARD);
                SCardDisconnect(pCardData->hScard, 0);
            }
            if (pCardData->hSCardCtx)
                SCardReleaseContext(pCardData->hSCardCtx);
            pCardData = NULL;
        }
        else
        {
            dwReturn = SCARD_E_COMM_DATA_LOST;
        }
        return dwReturn;
    }

You can then call directly:

    DWORD GenerateNewKey(DWORD dwIndex)
    {
        DWORD dwReturn, dwKeySpec;
        PIN_ID PinId;
        __try
        {
            if (!pCardData)
            {
                dwReturn = SCARD_E_COMM_DATA_LOST;
                __leave;
            }
            switch(dwIndex)
            {
            case 0: //Signature,
                dwKeySpec = AT_SIGNATURE;
                PinId = ROLE_USER;
                break;
            case 2: //Authentication,
                dwKeySpec = AT_SIGNATURE;
                PinId = 3;
                break;
            case 1: // Confidentiality,
                dwKeySpec = AT_KEYEXCHANGE;
                PinId = 4;
                break;
            default:
                dwReturn = SCARD_E_UNEXPECTED;
                __leave;
            }
            dwReturn = pCardData->pfnCardCreateContainerEx(pCardData, (BYTE) dwIndex,
                CARD_CREATE_CONTAINER_KEY_GEN,
                dwKeySpec, 1024, NULL, PinId);
        }
        __finally
        {
        }
        return dwReturn;
    }

br
Vincent

On Fri, 25 Apr 2025 at 22:53, Frank Morgner <fra...@gm...> wrote:
> The middleware is available on the bottom of this page
> https://www.gov.me/clanak/preuzmite-software-i-uputstva
>
> But I think you already know that. You analyzed that in 2024 already,
> didn't you?
>
> Regards.
> On 22.04.25 at 14:44, dzeri96 via Opensc-devel wrote:
>
> Hello everyone,
>
> I'm trying to kickstart support for the new Montenegrin eID
> <https://www.gov.me/mup/elk>, or at least figure out how it works. I've
> sent multiple requests for technical specs to the government, but unless I
> take them to court, I doubt I'll get any useful information. Therefore I'll
> just write down what I manage to figure out on my own, and hopefully you
> can provide further insight. One thing about a country as small as
> Montenegro, is that there is a very high probability we didn't implement
> anything custom, as it's not financially viable.
>
> Here's what I have so far:
>
> - *ATR*:
>   3b:dc:96:ff:81:91:fe:1f:c3:80:73:c8:21:13:66:05:03:63:51:00:02:de. It
>   doesn't seem to comply with the ATR scheme in the IAS ECC specification,
>   even though the government says the card complies with all EU ID
>   regulations (unclear which ones).
> - *EF.ATR raw data*: 80004301B946040400ECC24703940180
>   4F0BF0496173456363526F6F74E01002 020104020200E6020200E6020200E678
>   0806062B8122F8780282029000
> - *EF.DIR raw data*: 61374F0EE828BD080FD25047656E6572
>   6963500743686970446F63731C300404 025031A004040250324F0EE828BD080F
>   D2504543432D654944610F4F07A00000 0247100150044943414F61184F0A4D4F
>   4E54454E4547524F500A4E6174696F6E 616C4944
> - By deciphering the EF.DIR data, we can discover 4 applications:
>   - E828BD080FD25047656E65726963 - ECC Generic PKI / ChipDocs Applet
>   - E828BD080FD2504543432D654944 - ECC eID
>   - A0000002471001 - ICAO
>   - 4D4F4E54454E4547524F - Spells out MONTENEGRO in ASCII, label is
>     "NationalID". No idea what this could be... maybe something related to
>     healthcare?
> - I managed to use npa-tool and read the MRZ stored on the card using
>   CAN-based PACE, but all other functions of the tool don't work, not even
>   PIN-based PACE. I'm just using it as an APDU debugger with PACE support.
> - The official middleware supplied by the government is Athena
>   IDProtect.
> - The activation software is available here
>   <https://wapi.gov.me/download/e63b50c5-9ccc-4034-961f-5bb401a9b375?version=1.0>.
>   It's a java program developed by Mühlbauer <https://www.muehlbauer.de/>.
>   I decompiled it and saw that it's accessing the ECC eID application. I
>   managed to extract some APDUs and get the activation status of the card
>   (PIN change is required on first use).
> - iasecc-tool and pkcs15-tool say "Card is invalid or cannot be
>   handled" regardless of what I try.
>
> I've skimmed over hundreds of pages of standards, including the ISO-7816
> parts, the NXP ChipDoc v4 spec, the BSI TR-03110, the IAS ECC spec, but I
> can barely find any concrete info on these applications. Someone must know
> how to access them because there are vendor-provided tools to do so.
>
> My goals are:
>
> 1. Get general knowledge about the card and build some PoC APDU chains
>    to read/set data.
> 2. Get the birthdate of the person via PIN-based auth and verify the
>    authenticity of the data.
> 3. Get the openSC suite of tools to work with the card.
> 4. Replace the closed-source middleware provided by the government.
>
>
> I would really appreciate any help here. Thanks!
>
>
> _______________________________________________
> Opensc-devel mailing list
> Ope...@li...
> https://lists.sourceforge.net/lists/listinfo/opensc-devel
>
> _______________________________________________
> Opensc-devel mailing list
> Ope...@li...
> https://lists.sourceforge.net/lists/listinfo/opensc-devel |
|
From: Frank M. <fra...@gm...> - 2025-04-25 20:53:14
|
The middleware is available on the bottom of this page
https://www.gov.me/clanak/preuzmite-software-i-uputstva

But I think you already know that. You analyzed that in 2024 already, didn't you?

Regards.

On 22.04.25 at 14:44, dzeri96 via Opensc-devel wrote:
> Hello everyone,
>
> I'm trying to kickstart support for the new Montenegrin eID
> <https://www.gov.me/mup/elk>, or at least figure out how it works.
> I've sent multiple requests for technical specs to the government, but
> unless I take them to court, I doubt I'll get any useful information.
> Therefore I'll just write down what I manage to figure out on my own,
> and hopefully you can provide further insight. One thing about a
> country as small as Montenegro, is that there is a very high
> probability we didn't implement anything custom, as it's not
> financially viable.
>
> Here's what I have so far:
>
> * *ATR*:
>   3b:dc:96:ff:81:91:fe:1f:c3:80:73:c8:21:13:66:05:03:63:51:00:02:de.
>   It doesn't seem to comply with the ATR scheme in the IAS ECC
>   specification, even though the government says the card complies
>   with all EU ID regulations (unclear which ones).
> * *EF.ATR raw data*: 80004301B946040400ECC24703940180
>   4F0BF0496173456363526F6F74E01002 020104020200E6020200E6020200E678
>   0806062B8122F8780282029000
> * *EF.DIR raw data*: 61374F0EE828BD080FD25047656E6572
>   6963500743686970446F63731C300404 025031A004040250324F0EE828BD080F
>   D2504543432D654944610F4F07A00000 0247100150044943414F61184F0A4D4F
>   4E54454E4547524F500A4E6174696F6E 616C4944
> * By deciphering the EF.DIR data, we can discover 4 applications:
>   o E828BD080FD25047656E65726963 - ECC Generic PKI / ChipDocs Applet
>   o E828BD080FD2504543432D654944 - ECC eID
>   o A0000002471001 - ICAO
>   o 4D4F4E54454E4547524F - Spells out MONTENEGRO in ASCII, label
>     is "NationalID". No idea what this could be... maybe something
>     related to healthcare?
> * I managed to use npa-tool and read the MRZ stored on the card
>   using CAN-based PACE, but all other functions of the tool don't
>   work, not even PIN-based PACE. I'm just using it as an APDU
>   debugger with PACE support.
> * The official middleware supplied by the government is Athena
>   IDProtect.
> * The activation software is available here
>   <https://wapi.gov.me/download/e63b50c5-9ccc-4034-961f-5bb401a9b375?version=1.0>.
>   It's a java program developed by Mühlbauer
>   <https://www.muehlbauer.de/>. I decompiled it and saw that it's
>   accessing the ECC eID application. I managed to extract some APDUs
>   and get the activation status of the card (PIN change is required
>   on first use).
> * iasecc-tool and pkcs15-tool say "Card is invalid or cannot be
>   handled" regardless of what I try.
>
> I've skimmed over hundreds of pages of standards, including the
> ISO-7816 parts, the NXP ChipDoc v4 spec, the BSI TR-03110, the IAS ECC
> spec, but I can barely find any concrete info on these applications.
> Someone must know how to access them because there are vendor-provided
> tools to do so.
>
> My goals are:
>
> 1. Get general knowledge about the card and build some PoC APDU
>    chains to read/set data.
> 2. Get the birthdate of the person via PIN-based auth and verify the
>    authenticity of the data.
> 3. Get the openSC suite of tools to work with the card.
> 4. Replace the closed-source middleware provided by the government.
>
>
> I would really appreciate any help here. Thanks!
>
>
> _______________________________________________
> Opensc-devel mailing list
> Ope...@li...
> https://lists.sourceforge.net/lists/listinfo/opensc-devel |
|
From: Frank M. <fra...@gm...> - 2025-04-25 20:30:37
|
Sorry, I don't have any insights about the card to share, but it seems you already managed to gather quite some information.

I think the jar will not help you much in integrating the card into OpenSC (or some similar). I assume there must be some middleware that allows using the cryptographic keys of the card, i.e. some PKCS#11 module or a macOS/Windows card driver. If you find one (Athena IDProtect?), you can intercept the middleware commands together with the APDUs to the card. If you have that, you can start re-implementing that in an open source fashion.

Best Regards,
Frank

On 22.04.25 at 14:44, dzeri96 via Opensc-devel wrote:
> Hello everyone,
>
> I'm trying to kickstart support for the new Montenegrin eID
> <https://www.gov.me/mup/elk>, or at least figure out how it works.
> I've sent multiple requests for technical specs to the government, but
> unless I take them to court, I doubt I'll get any useful information.
> Therefore I'll just write down what I manage to figure out on my own,
> and hopefully you can provide further insight. One thing about a
> country as small as Montenegro, is that there is a very high
> probability we didn't implement anything custom, as it's not
> financially viable.
>
> Here's what I have so far:
>
> * *ATR*:
>   3b:dc:96:ff:81:91:fe:1f:c3:80:73:c8:21:13:66:05:03:63:51:00:02:de.
>   It doesn't seem to comply with the ATR scheme in the IAS ECC
>   specification, even though the government says the card complies
>   with all EU ID regulations (unclear which ones).
> * *EF.ATR raw data*: 80004301B946040400ECC24703940180
>   4F0BF0496173456363526F6F74E01002 020104020200E6020200E6020200E678
>   0806062B8122F8780282029000
> * *EF.DIR raw data*: 61374F0EE828BD080FD25047656E6572
>   6963500743686970446F63731C300404 025031A004040250324F0EE828BD080F
>   D2504543432D654944610F4F07A00000 0247100150044943414F61184F0A4D4F
>   4E54454E4547524F500A4E6174696F6E 616C4944
> * By deciphering the EF.DIR data, we can discover 4 applications:
>   o E828BD080FD25047656E65726963 - ECC Generic PKI / ChipDocs Applet
>   o E828BD080FD2504543432D654944 - ECC eID
>   o A0000002471001 - ICAO
>   o 4D4F4E54454E4547524F - Spells out MONTENEGRO in ASCII, label
>     is "NationalID". No idea what this could be... maybe something
>     related to healthcare?
> * I managed to use npa-tool and read the MRZ stored on the card
>   using CAN-based PACE, but all other functions of the tool don't
>   work, not even PIN-based PACE. I'm just using it as an APDU
>   debugger with PACE support.
> * The official middleware supplied by the government is Athena
>   IDProtect.
> * The activation software is available here
>   <https://wapi.gov.me/download/e63b50c5-9ccc-4034-961f-5bb401a9b375?version=1.0>.
>   It's a java program developed by Mühlbauer
>   <https://www.muehlbauer.de/>. I decompiled it and saw that it's
>   accessing the ECC eID application. I managed to extract some APDUs
>   and get the activation status of the card (PIN change is required
>   on first use).
> * iasecc-tool and pkcs15-tool say "Card is invalid or cannot be
>   handled" regardless of what I try.
>
> I've skimmed over hundreds of pages of standards, including the
> ISO-7816 parts, the NXP ChipDoc v4 spec, the BSI TR-03110, the IAS ECC
> spec, but I can barely find any concrete info on these applications.
> Someone must know how to access them because there are vendor-provided
> tools to do so.
>
> My goals are:
>
> 1. Get general knowledge about the card and build some PoC APDU
>    chains to read/set data.
> 2. Get the birthdate of the person via PIN-based auth and verify the
>    authenticity of the data.
> 3. Get the openSC suite of tools to work with the card.
> 4. Replace the closed-source middleware provided by the government.
>
>
> I would really appreciate any help here. Thanks!
>
>
> _______________________________________________
> Opensc-devel mailing list
> Ope...@li...
> https://lists.sourceforge.net/lists/listinfo/opensc-devel |