From: Maksym T. <mr...@bu...> - 2018-04-19 21:31:39

Sounds like activation process is not so simple.
I tried to upload 4401 from card with SO pin.
I tried to upload 4401 and 5032 from card with SO pin.
Without any success :(

I see SO PIN in dump now:
PIN [Security Officer PIN]
    Object Flags : [0x3], private, modifiable
    ID : ff
    Flags : [0xB0], initialized, needs-padding, soPin
    Length : min_len:4, max_len:8, stored_len:8
    Pad char : 0xFF
    Reference : 3 (0x03)
    Type : ascii-numeric

But when I try to activate this card I receive the same error:
Failed to finalizing card: Not allowed

WBR, Maksym

On 04/18/18 23:05, Peter Popovec wrote:
> Hi,
>
> IMHO this flag is only in file 5015/4401 .. you can initialize new
> card, save file 5015/4401 (opensc-explorer, cd 5015, get 4401
> file_4401.bin ) and then overwrite file 5015/4401 on wrong generated
> card by correct content from saved file (opensc-explorer, cd 5015, put
> 4401 file_4401.bin).
>
> On Thu, Apr 19, 2018 at 7:34 AM, Maksym Tiurin <mr...@bu...> wrote:
>> On 04/18/18 22:18, Peter Popovec wrote:
>>> Hi
>>>
>>> IMHO, you can try to create SO-PIN by:
>>>
>>> $ pkcs15-init --store-pin --auth-id 03 --label 'Security Officer PIN'
>>> --reader 0 --pin '12345678' --puk '87654321'
>> Unfortunately, it doesn't work.
>> I can create multiple PINs using --store-pin but these PINs don't have
>> "soPin" flag.
>>
>> I get error when I try to activate card without real SO PIN (with flags
>> " [0xB0], initialized, needs-padding, soPin").
>>> and then
>>>
>>> $ pkcs15-init -F -- reader 0
>>>
>>> P.
>>>
>>> On Thu, Apr 19, 2018 at 4:11 AM, Maksym Tiurin <mr...@bu...> wrote:
>>>> Hi,
>>>>
>>>> Is it possible to create SO PIN & PUK codes for already created PKCS15?
>>>>
>>>> I have couple of Aventra MyEID v4. During card formatting I didn't set SO
>>>> PIN & PUK codes.
>>>> Unfortunately, I can't activate these cards. Since certificates are already
>>>> imported into cards it would be painful to erase these cards, reformat and
>>>> import new certificates.
>>>>
>>>> Steps to reproduce (similar to described on
>>>> https://github.com/OpenSC/OpenSC/wiki/Aventra-MyEID-PKI-card ):
>>>> $ pkcs15-init --create-pkcs15 --label 'Firstname Lastname' --reader 0
>>>> --so-pin '' --so-puk '' --pin '12345678' --puk '87654321'
>>>> $ pkcs15-init --store-pin --auth-id 01 --label 'nickname' --reader 0 --pin
>>>> '12345678' --puk '87654321'
>>>> $ pkcs15-init -F --reader 0
>>>> Failed to finalizing card: Not allowed
>>
>> ------------------------------------------------------------------------------
>> Check out the vibrant tech community on one of the world's most
>> engaging tech sites, Slashdot.org! http://sdm.link/slashdot
>> _______________________________________________
>> Opensc-devel mailing list
>> Ope...@li...
>> https://lists.sourceforge.net/lists/listinfo/opensc-devel

From: Frank M. <fra...@gm...> - 2018-04-19 14:11:57

Hi, Peter,

thanks for having a look into this! Please add your intermediate results to https://github.com/OpenSC/OpenSC/wiki/Smart-Card-Release-Testing#opensc-0180.

With https://github.com/OpenSC/OpenSC/pull/1339, the opensc-pkcs11.dll should be found by pkcs11-tool.exe...

Regarding certutil.exe, did your card ever work in the minidriver? If so open a Github issue, adding an old log (functional) and a new log (dysfunctional) and we can check what's going on. Even if you want to see this done without having tested this once successfully, we at least need a log to see what's wrong...

Regards, Frank.

2018-04-19 15:05 GMT+02:00 Peter Popovec <pop...@gm...>:
>
> Hi
>
> I found some problems with opensc 0.18.0-rc1 (in Win 10, 64 bit).
>
> (0. deinstallation of opensc 0.17... seems to be without errors)
> 1. Installation 0.18.0-rc1 - seems to work correctly ("complete"
> installation selected).
> 2. I disconnect computer from internet (to disallow automatic installation
> of
> aventra driver for MyEID card)
> 3. pkcs15-tool -D works as expected
> 4. pkcs11-tool --login --test fails with:
> Failed to load pkcs11 module
> 5. certutil -scinfo fails with:
>
> C:\WINDOWS\system32>certutil -scinfo
> The Microsoft Smart Card Resource Manager is running.
> Current reader/card status:
> Readers: 1
>   0: Generic EMV Smartcard Reader 0
> --- Reader: Generic EMV Smartcard Reader 0
> --- Status: SCARD_STATE_PRESENT | SCARD_STATE_UNPOWERED
> --- Status: The card is available for use.
> --- Card:
> --- ATR:
>   3b f5 18 00 00 81 31 fe 45 4d 79 45 49 44 9a ;.....1.EMyEID.
>
> =======================================================
> Analyzing card in reader: Generic EMV Smartcard Reader 0
> SCardGetCardTypeProviderName: The system cannot find the file specified.
> 0x2 (WIN32: 2 ERROR_FILE_NOT_FOUND)
> Cannot retrieve Provider Name for SCardGetCardTypeProviderName: The system
> cannot find the file specified. 0x2 (WIN32: 2 ERRO
> Cannot retrieve Provider Name for
> --------------===========================--------------
> CertUtil: -SCInfo command FAILED: 0x2 (WIN32: 2 ERROR_FILE_NOT_FOUND)
> CertUtil: The system cannot find the file specified.
>
> I can manually add opensc-minidriver.dll with card ATR into register file
> but
> certutil --scinfo still fails:
> C:\>certutil -scinfo
> The Microsoft Smart Card Resource Manager is running.
> Current reader/card status:
> Readers: 1
>   0: Generic EMV Smartcard Reader 0
> --- Reader: Generic EMV Smartcard Reader 0
> --- Status: SCARD_STATE_PRESENT | SCARD_STATE_UNPOWERED
> --- Status: The card is available for use.
> --- Card: MyEID-opensc
> --- ATR:
>   3b f5 18 00 00 81 31 fe 45 4d 79 45 49 44 9a ;.....1.EMyEID.
>
> =======================================================
> Analyzing card in reader: Generic EMV Smartcard Reader 0
>
> --------------===========================--------------
> ================ Certificate 0 ================
> --- Reader: Generic EMV Smartcard Reader 0
> --- Card: MyEID-opensc
> Provider = OpenSC CSP
> Key Container = (null) [Default Container]
>
> Cannot open the AT_SIGNATURE key for reader: Generic EMV Smartcard Reader 0
> Cannot open the AT_KEYEXCHANGE key for reader: Generic EMV Smartcard
> Reader 0
>
> --------------===========================--------------
> ================ Certificate 0 ================
> --- Reader: Generic EMV Smartcard Reader 0
> --- Card: MyEID-opensc
> Provider = Microsoft Smart Card Key Storage Provider
> Key Container = (null) [Default Container]
>
> Cannot open the key for reader: Generic EMV Smartcard Reader 0
>
> --------------===========================--------------
> Linux (debian 9.4) tests
> ------------------------
>
> driver | tested smart card
> myeid | MyEID cards with PKCS#15 applet
>
> Token info from: pkcs11-tool -T
>
> Available slots:
> Slot 0 (0x0): Alcor Micro AU9560 00 00
>   token label : MyEID
>   token manufacturer : Aventra Ltd.
>   token model : PKCS#15
>   token flags : login required, rng, token initialized, PIN
> initialized
>   hardware version : 0.0
>   firmware version : 33.3
>   serial num : 5003002081976737
>   pin min/max : 4/8
> $ pkcs11-tool --login --test
> Using slot 0 with a present token (0x0)
> Logging in to "MyEID".
> Please enter User PIN:
> C_SeedRandom() and C_GenerateRandom():
>   seeding (C_SeedRandom) not supported
>   seems to be OK
> Digests:
>   all 4 digest functions seem to work
>   MD5: OK
>   SHA-1: OK
>   RIPEMD160: OK
> Signatures (currently only for RSA)
>   testing key 0 (Certificate)
>   all 4 signature functions seem to work
>   testing signature mechanisms:
>     RSA-X-509: OK
>     RSA-PKCS: OK
>     SHA1-RSA-PKCS: OK
>   testing key 1 (1536 bits, label=key_1536) with 1 signature mechanism
>     RSA-X-509: OK
>   testing key 2 (2048 bits, label=key_2048) with 1 signature mechanism
>     RSA-X-509: OK
>   testing key 3 (512 bits, label=key_512) with 1 signature mechanism
>     RSA-X-509: OK
>   testing key 4 (768 bits, label=key_768) with 1 signature mechanism
>     RSA-X-509: OK
> Verify (currently only for RSA)
>   testing key 0 (Certificate)
>     RSA-X-509: OK
>     RSA-PKCS: OK
>     SHA1-RSA-PKCS: OK
>   testing key 1 (key_1536) with 1 mechanism
>     RSA-X-509: OK
>   testing key 2 (key_2048) with 1 mechanism
>     RSA-X-509: OK
>   testing key 3 (key_512) with 1 mechanism
>     RSA-X-509: OK
>   testing key 4 (key_768) with 1 mechanism
>     RSA-X-509: OK
> Unwrap: not implemented
> Decryption (currently only for RSA)
>   testing key 0 (Certificate)
>     RSA-X-509: OK
>     RSA-PKCS: OK
>   testing key 1 (key_1536)
>     RSA-X-509: OK
>     RSA-PKCS: OK
>   testing key 2 (key_2048)
>     RSA-X-509: OK
>     RSA-PKCS: OK
>   testing key 3 (key_512)
>     RSA-X-509: OK
>     RSA-PKCS: OK
>   testing key 4 (key_768)
>     RSA-X-509: OK
>     RSA-PKCS: OK
> No errors
>
> Firefox (Linux, debian 9.4)
> Load OpenSC PKCS#11 Module ... Working
> PIN Verification.............. Working
> TLS Client Authentication......Working
>
> openssh-client (Linux, debian 9.4)
> OpenSSH (without ssh-agent) ...Working
> OpenSSH (with ssh-agent) ...Working
>
> ---
> Peter

From: Peter P. <pop...@gm...> - 2018-04-19 13:05:33

Hi

I found some problems with opensc 0.18.0-rc1 (in Win 10, 64 bit).

(0. deinstallation of opensc 0.17... seems to be without errors)
1. Installation 0.18.0-rc1 - seems to work correctly ("complete" installation selected).
2. I disconnect computer from internet (to disallow automatic installation of aventra driver for MyEID card)
3. pkcs15-tool -D works as expected
4. pkcs11-tool --login --test fails with:
   Failed to load pkcs11 module
5. certutil -scinfo fails with:

C:\WINDOWS\system32>certutil -scinfo
The Microsoft Smart Card Resource Manager is running.
Current reader/card status:
Readers: 1
  0: Generic EMV Smartcard Reader 0
--- Reader: Generic EMV Smartcard Reader 0
--- Status: SCARD_STATE_PRESENT | SCARD_STATE_UNPOWERED
--- Status: The card is available for use.
--- Card:
--- ATR:
  3b f5 18 00 00 81 31 fe 45 4d 79 45 49 44 9a ;.....1.EMyEID.

=======================================================
Analyzing card in reader: Generic EMV Smartcard Reader 0
SCardGetCardTypeProviderName: The system cannot find the file specified. 0x2 (WIN32: 2 ERROR_FILE_NOT_FOUND)
Cannot retrieve Provider Name for
SCardGetCardTypeProviderName: The system cannot find the file specified. 0x2 (WIN32: 2 ERRO
Cannot retrieve Provider Name for
--------------===========================--------------
CertUtil: -SCInfo command FAILED: 0x2 (WIN32: 2 ERROR_FILE_NOT_FOUND)
CertUtil: The system cannot find the file specified.

I can manually add opensc-minidriver.dll with card ATR into register file but certutil --scinfo still fails:

C:\>certutil -scinfo
The Microsoft Smart Card Resource Manager is running.
Current reader/card status:
Readers: 1
  0: Generic EMV Smartcard Reader 0
--- Reader: Generic EMV Smartcard Reader 0
--- Status: SCARD_STATE_PRESENT | SCARD_STATE_UNPOWERED
--- Status: The card is available for use.
--- Card: MyEID-opensc
--- ATR:
  3b f5 18 00 00 81 31 fe 45 4d 79 45 49 44 9a ;.....1.EMyEID.

=======================================================
Analyzing card in reader: Generic EMV Smartcard Reader 0

--------------===========================--------------
================ Certificate 0 ================
--- Reader: Generic EMV Smartcard Reader 0
--- Card: MyEID-opensc
Provider = OpenSC CSP
Key Container = (null) [Default Container]

Cannot open the AT_SIGNATURE key for reader: Generic EMV Smartcard Reader 0
Cannot open the AT_KEYEXCHANGE key for reader: Generic EMV Smartcard Reader 0

--------------===========================--------------
================ Certificate 0 ================
--- Reader: Generic EMV Smartcard Reader 0
--- Card: MyEID-opensc
Provider = Microsoft Smart Card Key Storage Provider
Key Container = (null) [Default Container]

Cannot open the key for reader: Generic EMV Smartcard Reader 0

--------------===========================--------------

Linux (debian 9.4) tests
------------------------

driver | tested smart card
myeid | MyEID cards with PKCS#15 applet

Token info from: pkcs11-tool -T

Available slots:
Slot 0 (0x0): Alcor Micro AU9560 00 00
  token label : MyEID
  token manufacturer : Aventra Ltd.
  token model : PKCS#15
  token flags : login required, rng, token initialized, PIN initialized
  hardware version : 0.0
  firmware version : 33.3
  serial num : 5003002081976737
  pin min/max : 4/8

$ pkcs11-tool --login --test
Using slot 0 with a present token (0x0)
Logging in to "MyEID".
Please enter User PIN:
C_SeedRandom() and C_GenerateRandom():
  seeding (C_SeedRandom) not supported
  seems to be OK
Digests:
  all 4 digest functions seem to work
  MD5: OK
  SHA-1: OK
  RIPEMD160: OK
Signatures (currently only for RSA)
  testing key 0 (Certificate)
  all 4 signature functions seem to work
  testing signature mechanisms:
    RSA-X-509: OK
    RSA-PKCS: OK
    SHA1-RSA-PKCS: OK
  testing key 1 (1536 bits, label=key_1536) with 1 signature mechanism
    RSA-X-509: OK
  testing key 2 (2048 bits, label=key_2048) with 1 signature mechanism
    RSA-X-509: OK
  testing key 3 (512 bits, label=key_512) with 1 signature mechanism
    RSA-X-509: OK
  testing key 4 (768 bits, label=key_768) with 1 signature mechanism
    RSA-X-509: OK
Verify (currently only for RSA)
  testing key 0 (Certificate)
    RSA-X-509: OK
    RSA-PKCS: OK
    SHA1-RSA-PKCS: OK
  testing key 1 (key_1536) with 1 mechanism
    RSA-X-509: OK
  testing key 2 (key_2048) with 1 mechanism
    RSA-X-509: OK
  testing key 3 (key_512) with 1 mechanism
    RSA-X-509: OK
  testing key 4 (key_768) with 1 mechanism
    RSA-X-509: OK
Unwrap: not implemented
Decryption (currently only for RSA)
  testing key 0 (Certificate)
    RSA-X-509: OK
    RSA-PKCS: OK
  testing key 1 (key_1536)
    RSA-X-509: OK
    RSA-PKCS: OK
  testing key 2 (key_2048)
    RSA-X-509: OK
    RSA-PKCS: OK
  testing key 3 (key_512)
    RSA-X-509: OK
    RSA-PKCS: OK
  testing key 4 (key_768)
    RSA-X-509: OK
    RSA-PKCS: OK
No errors

Firefox (Linux, debian 9.4)
Load OpenSC PKCS#11 Module ... Working
PIN Verification.............. Working
TLS Client Authentication......Working

openssh-client (Linux, debian 9.4)
OpenSSH (without ssh-agent) ...Working
OpenSSH (with ssh-agent) ...Working

---
Peter

From: Peter P. <pop...@gm...> - 2018-04-19 06:05:08

Hi,

IMHO this flag is only in file 5015/4401 .. you can initialize new card, save file 5015/4401 (opensc-explorer, cd 5015, get 4401 file_4401.bin ) and then overwrite file 5015/4401 on wrong generated card by correct content from saved file (opensc-explorer, cd 5015, put 4401 file_4401.bin).

On Thu, Apr 19, 2018 at 7:34 AM, Maksym Tiurin <mr...@bu...> wrote:
>
> On 04/18/18 22:18, Peter Popovec wrote:
>> Hi
>>
>> IMHO, you can try to create SO-PIN by:
>>
>> $ pkcs15-init --store-pin --auth-id 03 --label 'Security Officer PIN'
>> --reader 0 --pin '12345678' --puk '87654321'
> Unfortunately, it doesn't work.
> I can create multiple PINs using --store-pin but these PINs don't have
> "soPin" flag.
>
> I get error when I try to activate card without real SO PIN (with flags
> " [0xB0], initialized, needs-padding, soPin").
>>
>> and then
>>
>> $ pkcs15-init -F -- reader 0
>>
>> P.
>>
>> On Thu, Apr 19, 2018 at 4:11 AM, Maksym Tiurin <mr...@bu...> wrote:
>>> Hi,
>>>
>>> Is it possible to create SO PIN & PUK codes for already created PKCS15?
>>>
>>> I have couple of Aventra MyEID v4. During card formatting I didn't set SO
>>> PIN & PUK codes.
>>> Unfortunately, I can't activate these cards. Since certificates are already
>>> imported into cards it would be painful to erase these cards, reformat and
>>> import new certificates.
>>>
>>> Steps to reproduce (similar to described on
>>> https://github.com/OpenSC/OpenSC/wiki/Aventra-MyEID-PKI-card ):
>>> $ pkcs15-init --create-pkcs15 --label 'Firstname Lastname' --reader 0
>>> --so-pin '' --so-puk '' --pin '12345678' --puk '87654321'
>>> $ pkcs15-init --store-pin --auth-id 01 --label 'nickname' --reader 0 --pin
>>> '12345678' --puk '87654321'
>>> $ pkcs15-init -F --reader 0
>>> Failed to finalizing card: Not allowed

From: Maksym T. <mr...@bu...> - 2018-04-19 05:34:23

On 04/18/18 22:18, Peter Popovec wrote:
> Hi
>
> IMHO, you can try to create SO-PIN by:
>
> $ pkcs15-init --store-pin --auth-id 03 --label 'Security Officer PIN'
> --reader 0 --pin '12345678' --puk '87654321'

Unfortunately, it doesn't work.
I can create multiple PINs using --store-pin but these PINs don't have "soPin" flag.

I get error when I try to activate card without real SO PIN (with flags " [0xB0], initialized, needs-padding, soPin").

>
> and then
>
> $ pkcs15-init -F -- reader 0
>
> P.
>
> On Thu, Apr 19, 2018 at 4:11 AM, Maksym Tiurin <mr...@bu...> wrote:
>> Hi,
>>
>> Is it possible to create SO PIN & PUK codes for already created PKCS15?
>>
>> I have couple of Aventra MyEID v4. During card formatting I didn't set SO
>> PIN & PUK codes.
>> Unfortunately, I can't activate these cards. Since certificates are already
>> imported into cards it would be painful to erase these cards, reformat and
>> import new certificates.
>>
>> Steps to reproduce (similar to described on
>> https://github.com/OpenSC/OpenSC/wiki/Aventra-MyEID-PKI-card ):
>> $ pkcs15-init --create-pkcs15 --label 'Firstname Lastname' --reader 0
>> --so-pin '' --so-puk '' --pin '12345678' --puk '87654321'
>> $ pkcs15-init --store-pin --auth-id 01 --label 'nickname' --reader 0 --pin
>> '12345678' --puk '87654321'
>> $ pkcs15-init -F --reader 0
>> Failed to finalizing card: Not allowed

From: Peter P. <pop...@gm...> - 2018-04-19 05:18:53

Hi

IMHO, you can try to create SO-PIN by:

$ pkcs15-init --store-pin --auth-id 03 --label 'Security Officer PIN' --reader 0 --pin '12345678' --puk '87654321'

and then

$ pkcs15-init -F -- reader 0

P.

On Thu, Apr 19, 2018 at 4:11 AM, Maksym Tiurin <mr...@bu...> wrote:
> Hi,
>
> Is it possible to create SO PIN & PUK codes for already created PKCS15?
>
> I have couple of Aventra MyEID v4. During card formatting I didn't set SO
> PIN & PUK codes.
> Unfortunately, I can't activate these cards. Since certificates are already
> imported into cards it would be painful to erase these cards, reformat and
> import new certificates.
>
> Steps to reproduce (similar to described on
> https://github.com/OpenSC/OpenSC/wiki/Aventra-MyEID-PKI-card ):
> $ pkcs15-init --create-pkcs15 --label 'Firstname Lastname' --reader 0
> --so-pin '' --so-puk '' --pin '12345678' --puk '87654321'
> $ pkcs15-init --store-pin --auth-id 01 --label 'nickname' --reader 0 --pin
> '12345678' --puk '87654321'
> $ pkcs15-init -F --reader 0
> Failed to finalizing card: Not allowed

From: Maksym T. <mr...@bu...> - 2018-04-19 02:40:33

Hi,

Is it possible to create SO PIN & PUK codes for already created PKCS15?

I have couple of Aventra MyEID v4. During card formatting I didn't set SO PIN & PUK codes.
Unfortunately, I can't activate these cards. Since certificates are already imported into cards it would be painful to erase these cards, reformat and import new certificates.

Steps to reproduce (similar to described on https://github.com/OpenSC/OpenSC/wiki/Aventra-MyEID-PKI-card ):
$ pkcs15-init --create-pkcs15 --label 'Firstname Lastname' --reader 0 --so-pin '' --so-puk '' --pin '12345678' --puk '87654321'
$ pkcs15-init --store-pin --auth-id 01 --label 'nickname' --reader 0 --pin '12345678' --puk '87654321'
$ pkcs15-init -F --reader 0
Failed to finalizing card: Not allowed
$ pkcs15-tool --reader 0 --dump --list-pins
PIN [nickname]
    Object Flags : [0x3], private, modifiable
    ID : 01
    Flags : [0x30], initialized, needs-padding
    Length : min_len:4, max_len:8, stored_len:8
    Pad char : 0xFF
    Reference : 1 (0x01)
    Type : ascii-numeric

PKCS#15 Card [Firstname Lastname]:
    Version : 0
    Serial number : 00007169017525987395
    Manufacturer ID: Aventra Ltd.
    Last update : 20180418224042Z
    Flags : PRN generation, EID compliant

PIN [nickname]
    Object Flags : [0x3], private, modifiable
    ID : 01
    Flags : [0x30], initialized, needs-padding
    Length : min_len:4, max_len:8, stored_len:8
    Pad char : 0xFF
    Reference : 1 (0x01)
    Type : ascii-numeric

With SO PIN/PUK card activation works:
$ pkcs15-init --create-pkcs15 --label 'Firstname Lastname' --reader 0 --so-pin '11111111' --so-puk '22222222' --pin '12345678' --puk '87654321'
$ pkcs15-init --store-pin --auth-id 01 --label 'nickname' --reader 0 --pin '12345678' --puk '87654321'
Security officer PIN [Security Officer PIN] required.
Please enter Security officer PIN [Security Officer PIN]:
$ pkcs15-init -F --reader 0
$ pkcs15-tool --reader 0 --dump --list-pins
PIN [Security Officer PIN]
    Object Flags : [0x3], private, modifiable
    ID : ff
    Flags : [0xB0], initialized, needs-padding, soPin
    Length : min_len:4, max_len:8, stored_len:8
    Pad char : 0xFF
    Reference : 3 (0x03)
    Type : ascii-numeric

PIN [nickname]
    Object Flags : [0x3], private, modifiable
    ID : 01
    Flags : [0x30], initialized, needs-padding
    Length : min_len:4, max_len:8, stored_len:8
    Pad char : 0xFF
    Reference : 1 (0x01)
    Type : ascii-numeric

PKCS#15 Card [Firstname Lastname]:
    Version : 0
    Serial number : 00007169017525987395
    Manufacturer ID: Aventra Ltd.
    Last update : 20180418223743Z
    Flags : PRN generation, EID compliant

PIN [Security Officer PIN]
    Object Flags : [0x3], private, modifiable
    ID : ff
    Flags : [0xB0], initialized, needs-padding, soPin
    Length : min_len:4, max_len:8, stored_len:8
    Pad char : 0xFF
    Reference : 3 (0x03)
    Type : ascii-numeric

PIN [nickname]
    Object Flags : [0x3], private, modifiable
    ID : 01
    Flags : [0x30], initialized, needs-padding
    Length : min_len:4, max_len:8, stored_len:8
    Pad char : 0xFF
    Reference : 1 (0x01)
    Type : ascii-numeric

I use Debian Stretch with opensc ver.0.16.0-3

--
WBR, Maksym

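The Flags values in the two dumps above are PKCS#15 PinFlags bit masks: 0x30 is initialized + needs-padding, and 0xB0 adds soPin (0x80). The Python script below is an added example, not part of the original message or of OpenSC: it parses `pkcs15-tool --list-pins` text and lists reasons not to run `pkcs15-init -F` yet. The sample dumps are shortened copies of the ones in this thread; the third (a PIN stored with `--auth-id 03` that lacks soPin) is constructed from the follow-up replies, and all function names are this example's own.

```python
import re

# PKCS#15 PinFlags bit names, lowest bit first. Bits 0x10, 0x20 and 0x80 match
# the names pkcs15-tool printed in this thread; the others follow PKCS#15 order.
PIN_FLAG_BITS = [
    "case-sensitive", "local", "change-disabled", "unblock-disabled",
    "initialized", "needs-padding", "unblockingPin", "soPin",
    "disable-allowed", "integrity-protected",
    "confidentiality-protected", "exchangeRefData",
]
INITIALIZED = 0x10
SO_PIN = 0x80

_PIN_HEADER = re.compile(r"^PIN \[(.*)\]\s*$")
_FIELD = re.compile(r"^\s+([^:]+?)\s*:\s*(.*)$")
_HEX = re.compile(r"\[0x([0-9A-Fa-f]+)\]")


def decode_flags(value):
    """Expand a PinFlags integer into its flag names."""
    return [name for bit, name in enumerate(PIN_FLAG_BITS) if value & (1 << bit)]


def parse_pins(text):
    """Return one record per distinct PIN ID in pkcs15-tool text output."""
    blocks, cur = [], None
    for line in text.splitlines():
        header = _PIN_HEADER.match(line)
        if header:
            cur = {"label": header.group(1)}
            blocks.append(cur)
        elif not line[:1].isspace():
            # Blank line or a different object ("PKCS#15 Card [...]"): its
            # "Flags" field must not be read as PIN flags.
            cur = None
        elif cur is not None:
            field = _FIELD.match(line)
            if field:
                cur[field.group(1)] = field.group(2)
    pins = {}
    for blk in blocks:
        hexval = _HEX.search(blk.get("Flags", ""))
        if hexval:
            pin_id = blk.get("ID", "?")
            # --dump together with --list-pins prints every PIN twice; keep one.
            pins[pin_id] = {"label": blk["label"], "id": pin_id,
                            "flags": int(hexval.group(1), 16)}
    return list(pins.values())


def finalize_preflight(text):
    """List reasons not to run `pkcs15-init -F` yet; an empty list means none."""
    pins = parse_pins(text)
    problems = []
    so_pins = [p for p in pins if p["flags"] & SO_PIN]
    if not so_pins:
        problems.append("no PIN object carries the soPin flag (0x80)")
    for p in so_pins:
        if not p["flags"] & INITIALIZED:
            problems.append(f"SO PIN [{p['label']}] is not marked initialized")
    for p in pins:
        if "security officer" in p["label"].lower() and not p["flags"] & SO_PIN:
            problems.append(
                f"PIN [{p['label']}] (ID {p['id']}) is only labelled as SO PIN: "
                f"flags 0x{p['flags']:X} = {', '.join(decode_flags(p['flags']))}")
    return problems


# Shortened dumps from the thread (card created with empty --so-pin / --so-puk).
CARD_WITHOUT_SO = """\
PIN [nickname]
    Object Flags : [0x3], private, modifiable
    ID : 01
    Flags : [0x30], initialized, needs-padding

PKCS#15 Card [Firstname Lastname]:
    Flags : PRN generation, EID compliant
"""
SO_PIN_BLOCK = """\
PIN [Security Officer PIN]
    Object Flags : [0x3], private, modifiable
    ID : ff
    Flags : [0xB0], initialized, needs-padding, soPin

"""
CARD_WITH_SO = SO_PIN_BLOCK + CARD_WITHOUT_SO + SO_PIN_BLOCK
# Constructed: a PIN added later with --store-pin --auth-id 03, no soPin flag.
CARD_STORE_PIN_03 = CARD_WITHOUT_SO + """\
PIN [Security Officer PIN]
    ID : 03
    Flags : [0x30], initialized, needs-padding
"""

if __name__ == "__main__":
    for name in ("CARD_WITHOUT_SO", "CARD_WITH_SO", "CARD_STORE_PIN_03"):
        print(name, finalize_preflight(globals()[name]) or "no blocking findings")
```

The check reads PKCS#15 PIN metadata only; a later message in this thread reports a card whose dump showed the soPin flag after file 4401 was copied over and that still failed to finalize.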
From: Frank M. <fra...@gm...> - 2018-04-13 21:44:14

Hi all!

You'll find a pre-release of OpenSC 0.18.0 on Github <https://github.com/OpenSC/OpenSC/releases/tag/0.18.0-rc1>.

A draft version of the user visible changes is available in this ticket <https://github.com/OpenSC/OpenSC/issues/1260>.

I've updated the wiki page <https://github.com/OpenSC/OpenSC/wiki/Smart-Card-Release-Testing> on how to systematically test your card. Please extend the page with test results from your smart cards.

Regards, Frank.

From: William R. <bil...@gm...> - 2018-03-29 02:50:49

Resend: bounce..

I'm not sure if folks want PRs via github or mailing list for this, but I added basic support for random number generation:
https://github.com/OpenSC/libp11/pull/214

I couldn't find a nice way to plumb the pkcs11 context back into the openssl random callbacks, as they don't provide an engine to pull the engine specific extra data from.

From: Robert <fuz...@ya...> - 2018-03-08 02:21:40

Doug,

Thank you for the response, was starting to get lonely. :)

Anyways it does have certificate based authentication tokens (which I believe is pkcs15, again I am pkcs11 and up person...I haven't had to go this deep into smartcards before and have been in ignorant bliss for years), it contains several user certificates and a bunch of other "stuff". The intro on the wiki is more for a basic pkcs15 card.

I started looking at the PIV card implementation and went down a dangerous rabbit hole of setting some very large object based structures. Since I can't find any comments or docs on those structures. I am not sure how to go about using them or what is required, etc etc.

I hate to ask, should I be looking at a different route over OpenSC? Once I got past anything that didn't have a C_* function with it I started to worry.

Are there any books on this bit that would be helpful so I don't harass folks on the list?

FH

On Wednesday, March 7, 2018, 2:36:17 PM EST, Robert via Opensc-devel <ope...@li...> wrote:

Still haven't gotten a good answer yet. But figured I would share what I am starting to understand about OpenSC as I look at and push up some new questions

And a different question, instead of documentation on adding a new card, is there a book perhaps that would be worth reading? I have worked on the application side of PKCS15 but never had to deal with this side.

Anyways my understanding to add in a new card type is to create a pkcs15-mycardname.c and corresponding card-mycardname.c file and basically fill in functionality for the following bits below.

It also looks like I can create a test tool based on opensc-tool (noticed several other cards have done the same thing just renamed it).

For card-*.c

add in the following function:

static struct sc_card_driver * sc_get_driver() – Object like C reference for functions to use on the card. From here we add in custom functions for each item in the sc_card_driver structure.

Is there anything that gives definitions as to what each function is expected to do?

For pkcs15-*.c

Add in the following function (also add in a hook to either opensc.conf or pkcs15-syn.h – This bit is pretty confusing to me. It “looks like” this function is used as an initialization for a series of objects. But I can't find documentation or figure out how those objects play with the rest of OpenSC.

Does this sound about right? Are there any guides worth looking at or something that is written about all the objects that you assign functions to in these two modules?

FuzzyH

On Wednesday, January 17, 2018, 8:39:04 AM EST, Robert <fuz...@ya...> wrote:

All,

Just wanted to know if my assumption to add in a new card to OpenSC is correct.

I have been a longtime user of pcsc-lite but never had to dive into it myself. Well I got asked if I could look into implementing a card if I was given the APDU spec for the card.

If I am reading everything correctly from the pages below I just need to add in support to OpenSC and make sure I put in the proper ATR's for the cards.

Is that correct? Or am I missing an important part where I need to add in something to the pkcs11 layer as well. Also what about some of the debug tools like opensc-tool, would they need to be modified? Or do they pull what they need from the OpenSC card driver?

Robert

https://github.com/OpenSC/OpenSC/wiki/Quick-Start-with-OpenSC
https://github.com/OpenSC/OpenSC/wiki/Adding-a-new-card-driver
https://github.com/OpenSC/OpenSC/wiki/New-card-driver:-EnterSafe-card-example

From: Douglas E E. <dee...@gm...> - 2018-03-07 22:55:13
|
First of all, if this is a new card, you will need the vendor or applet documentation on what ISO-7816-4 commands the card supports. Search the internet for iso 7816-4; you can buy the ISO documentation or find some online versions.

Does the card have a PKCS#15 file structure? OpenSC was originally written to support PKCS#15 cards.

The sort of hierarchy or APIs is:

PKCS#11 routines framework-pkcs15.c
sc_pkcs15_* routines
pkcs15_mycardname.c routines
sc_routines
card_mycardname.c routines
iso7816.c sc routines at APDU level
reader drivers PCSC is the main one.

On 3/7/2018 1:35 PM, Robert via Opensc-devel wrote:
>
> Still haven't gotten a good answer yet. But figured I would share what I am starting to understand about OpenSC as I look at and push up some new questions
>
> And a different question, instead of documentation on adding a new card, is there a book perhaps that would be worth reading? I have worked on the application side of PKCS15 but never had to deal with this side.

The card vendor documentation on the card edge commands. These are the ISO-7816-4 commands supported by the card and any card specific commands.

>
> Anyways my understanding to add in a new card type is to create a pkcs15-mycardname.c and corresponding card-mycardname.c file and basically fill in functionality for the following bits below.

The pkcs15-mycardname.c can emulate a PKCS15 file structure for a card by creating pkcs15 objects from whatever the card can support. (I am most familiar with this type of card.)

>
> It also looks like I can create a test tool based on opensc-tool (noticed several other cards have done the same thing just renamed it).

pkcs11-tool uses PKCS#11 API to talk to any PKCS#11 module including the opensc-pkcs11.so
pkcs11-tool calls sc_pkcs15_* routines
opensc-tool calls the sc_* routines at the card driver level and below.
Other tools have operations for doing additional card specific operations.

>
> For card-*.c
>
> add in the following function:
>
> /static struct sc_card_driver * sc_get_driver()/ – Object like C reference for functions to use on the card. From here we add in custom functions for each item in the sc_card_driver structure.

You will also need to create the match_card and init routines. You can also supply a list of ATRs for your card; do the matching in the match_card routine.

>
> Is there anything that gives definitions as to what each function is expected to do?

They pretty much match the ISO-7816-4 commands.

>
> For pkcs15-*.c
>
> Add in the following function (also add in a hook to either opensc.conf or pkcs15-syn.h – This bit is pretty confusing to me. It “looks like” this function is used as an initialization for a series of objects. But I can't find documentation or figure out how those objects play with the rest of OpenSC.
>
> Does this sound about right? Are there any guides worth looking at or something that is written about all the objects that you assign functions to in these two modules?

Yes. (Have to go now.)

>
> FuzzyH
>
> On Wednesday, January 17, 2018, 8:39:04 AM EST, Robert <fuz...@ya...> wrote:
>
> All,
>
> Just wanted to know if my assumption to add in a new card to OpenSC is correct.
>
> I have been a longtime user of pcsc-lite but never had to dive into it myself. Well I got asked if I could look into implementing a card if I was given the APDU spec for the card.
>
> If I am reading everything correctly from the pages below I just need to add in support to OpenSC and make sure I put in the proper ATR's for the cards.
>
> Is that correct? Or am I missing an important part where I need to add in something to the pkcs11 layer as well. Also what about some of the debug tools like opensc-tool, would they need to be modified? Or do they pull what they need from the OpenSC card driver?
>
> Robert
>
> https://github.com/OpenSC/OpenSC/wiki/Quick-Start-with-OpenSC
> https://github.com/OpenSC/OpenSC/wiki/Adding-a-new-card-driver
> https://github.com/OpenSC/OpenSC/wiki/New-card-driver:-EnterSafe-card-example
>
> ------------------------------------------------------------------------------
> Check out the vibrant tech community on one of the world's most
> engaging tech sites, Slashdot.org! http://sdm.link/slashdot
>
> _______________________________________________
> Opensc-devel mailing list
> Ope...@li...
> https://lists.sourceforge.net/lists/listinfo/opensc-devel
>

--
Douglas E. Engert <DEE...@gm...>
|
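The ATR-list matching that the reply above assigns to a driver's match_card routine, as an added stand-alone example (not OpenSC code and not part of the original message). The table layout, the function names and every ATR value are constructed for illustration; a card whose ATR matches no row is the case opensc-tool reports as unsupported.

```c
#include <stdio.h>
#include <string.h>

#define MAX_ATR 33 /* ISO 7816-3 caps an ATR at 33 bytes */

/* One row of a driver's ATR list: colon-separated hex, optional bit mask. */
struct atr_entry {
    const char *atr;
    const char *mask; /* NULL = every bit must match */
    const char *name;
};

/* Constructed sample rows (hypothetical card, not from any real product). */
static const struct atr_entry example_atrs[] = {
    { "3B:86:80:01:4D:59:43:52:44:01:47", NULL, "mycard v1 (exact)" },
    { "3B:86:80:01:4D:59:43:52:44:00:00",
      "FF:FF:FF:FF:FF:FF:FF:FF:FF:00:00", "mycard family (version masked)" },
    { "3B:00:00", "FF:00", "broken row: mask shorter than ATR" },
};
#define N_ROWS (sizeof example_atrs / sizeof example_atrs[0])

static int hexval(char c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Parse "3B:86:..." into out[]; returns byte count or -1 if malformed. */
static int parse_hex(const char *s, unsigned char *out, size_t max)
{
    size_t n = 0;
    while (*s) {
        int hi = hexval(s[0]);
        int lo = hi < 0 ? -1 : hexval(s[1]);
        if (lo < 0 || n == max)
            return -1;
        out[n++] = (unsigned char)((hi << 4) | lo);
        s += 2;
        if (*s == ':' && s[1] != '\0')
            s++;
        else if (*s != '\0')
            return -1;
    }
    return (int)n;
}

/* Index of the first row matching the card's ATR under its mask, else -1
 * (the point at which a match_card routine would decline the card). */
static int match_atr(const char *card_hex)
{
    unsigned char card[MAX_ATR], atr[MAX_ATR], mask[MAX_ATR];
    int clen = parse_hex(card_hex, card, sizeof card);
    if (clen <= 0)
        return -1;
    for (size_t i = 0; i < N_ROWS; i++) {
        int j, alen = parse_hex(example_atrs[i].atr, atr, sizeof atr);
        int mlen = alen;
        memset(mask, 0xFF, sizeof mask);
        if (example_atrs[i].mask)
            mlen = parse_hex(example_atrs[i].mask, mask, sizeof mask);
        if (alen != clen || mlen != alen)
            continue; /* wrong length or malformed row: never a wildcard */
        for (j = 0; j < clen; j++)
            if ((card[j] & mask[j]) != (atr[j] & mask[j]))
                break;
        if (j == clen)
            return (int)i;
    }
    return -1;
}

int main(void)
{
    const char *cards[] = { /* constructed ATRs */
        "3B:86:80:01:4D:59:43:52:44:01:47",
        "3B:86:80:01:4D:59:43:52:44:02:44",
        "3B:86:80:01:4F:54:48:45:52:01:42",
    };
    for (size_t i = 0; i < sizeof cards / sizeof cards[0]; i++) {
        int row = match_atr(cards[i]);
        printf("%s -> %s\n", cards[i],
               row < 0 ? "unsupported card" : example_atrs[row].name);
    }
    return 0;
}
```

Row order matters: the exact row is listed before the masked family row so that a known card is reported under its specific name.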
From: Robert <fuz...@ya...> - 2018-03-07 19:35:54
|
Still haven't gotten a good answer yet. But figured I would share what I am starting to understand about OpenSC as I look at and push up some new questions

And a different question, instead of documentation on adding a new card, is there a book perhaps that would be worth reading? I have worked on the application side of PKCS15 but never had to deal with this side.

Anyways my understanding to add in a new card type is to create a pkcs15-mycardname.c and corresponding card-mycardname.c file and basically fill in functionality for the following bits below.

It also looks like I can create a test tool based on opensc-tool (noticed several other cards have done the same thing just renamed it).

For card-*.c

add in the following function:

static struct sc_card_driver * sc_get_driver() – Object like C reference for functions to use on the card. From here we add in custom functions for each item in the sc_card_driver structure.

Is there anything that gives definitions as to what each function is expected to do?

For pkcs15-*.c

Add in the following function (also add in a hook to either opensc.conf or pkcs15-syn.h – This bit is pretty confusing to me. It “looks like” this function is used as an initialization for a series of objects. But I can't find documentation or figure out how those objects play with the rest of OpenSC.

Does this sound about right? Are there any guides worth looking at or something that is written about all the objects that you assign functions to in these two modules?

FuzzyH

On Wednesday, January 17, 2018, 8:39:04 AM EST, Robert <fuz...@ya...> wrote:

All,

Just wanted to know if my assumption to add in a new card to OpenSC is correct.

I have been a longtime user of pcsc-lite but never had to dive into it myself. Well I got asked if I could look into implementing a card if I was given the APDU spec for the card.

If I am reading everything correctly from the pages below I just need to add in support to OpenSC and make sure I put in the proper ATR's for the cards.

Is that correct? Or am I missing an important part where I need to add in something to the pkcs11 layer as well. Also what about some of the debug tools like opensc-tool, would they need to be modified? Or do they pull what they need from the OpenSC card driver?

Robert

https://github.com/OpenSC/OpenSC/wiki/Quick-Start-with-OpenSC
https://github.com/OpenSC/OpenSC/wiki/Adding-a-new-card-driver
https://github.com/OpenSC/OpenSC/wiki/New-card-driver:-EnterSafe-card-example
|
From: Ludovic R. <lud...@gm...> - 2018-02-05 12:51:38
|
2018-02-05 13:10 GMT+01:00 <J.W...@mi...>:

> No, it most likely is not the card (in this case), as the card can be read
> without any problems on other readers

You should compare an OpenSC log trace when used in a working reader and when used in your new reader.

Bye

--
Dr. Ludovic Rousseau
|
From: <J.W...@mi...> - 2018-02-05 12:10:51
|
No, it most likely is not the card (in this case), as the card can be read without any problems on other readers

From: Ludovic Rousseau [mailto:lud...@gm...]
Sent: Monday 5 February 2018 13:08
To: Witvliet, J, Ing., DMO/OPS/I&S/APH
Cc: OpenSC Development
Subject: Re: [Opensc-devel] new Opluz reader

2018-02-05 11:30 GMT+01:00 <J.W...@mi...>:

Hi,

Hello,

I found a new reader on amazon.de
One of the nice features (besides its friendly price), is the fact that it is also a reader for all sorts of flash cards.

Opensc-tool does see the reader, and the fact that a card is inserted:

# opensc-tool -l
# Detected readers (pcsc)
Nr.  Card  Features  Name
0    Yes             Generic USB2.0-CRW [Smart Card Reader Interface] (20070818000000000) 00 00

This looked hopeful, However, pkcs11-tool cannot cope:

#pkcs11-tool --module /usr/lib/libaetpkss.so -O
No slot with a token was found.

I tried to edit /etc/libccisd_Info.plist,
And I Could change the identification string, (as shown by opensc-tool), but pkcs11_tool could still not see anything

Added the full output of lsusb for detailed device info...

Is this hardware too new?

The problem is not with the smart card reader as you can use it.
The problem is that the smart card you insert into the reader is not supported by OpenSC.
It looks like it is also not supported by the libaetpkss library you also used.

Bye

--
Dr. Ludovic Rousseau

This message may contain information that is not intended for you. If you are not the addressee or if this message was sent to you by mistake, you are requested to inform the sender and delete the message. The State accepts no liability for damage of any kind resulting from the risks inherent in the electronic transmission of messages.
|
From: Ludovic R. <lud...@gm...> - 2018-02-05 12:08:34
|
2018-02-05 11:30 GMT+01:00 <J.W...@mi...>:

> Hi,
>

Hello,

>
> I found a new reader on amazon.de
> One of the nice features (besides its friendly price), is the fact that it
> is also a reader for all sorts of flash cards.
>
> Opensc-tool does see the reader, and the fact that a card is inserted:
> # opensc-tool -l
> # Detected readers (pcsc)
> Nr.  Card  Features  Name
> 0    Yes             Generic USB2.0-CRW [Smart Card Reader Interface] (20070818000000000) 00 00
>
> This looked hopeful, However, pkcs11-tool cannot cope:
> #pkcs11-tool --module /usr/lib/libaetpkss.so -O
> No slot with a token was found.
>
> I tried to edit /etc/libccisd_Info.plist,
> And I Could change the identification string, (as shown by opensc-tool),
> but pkcs11_tool could still not see anything
>
> Added the full output of lsusb for detailed device info...
>
> Is this hardware too new?
>

The problem is not with the smart card reader as you can use it.
The problem is that the smart card you insert into the reader is not supported by OpenSC.
It looks like it is also not supported by the libaetpkss library you also used.

Bye

--
Dr. Ludovic Rousseau
|
From: <J.W...@mi...> - 2018-02-05 10:30:30
|
Hi,

I found a new reader on amazon.de
One of the nice features (besides its friendly price), is the fact that it is also a reader for all sorts of flash cards.

Opensc-tool does see the reader, and the fact that a card is inserted:

# opensc-tool -l
# Detected readers (pcsc)
Nr.  Card  Features  Name
0    Yes             Generic USB2.0-CRW [Smart Card Reader Interface] (20070818000000000) 00 00

This looked hopeful, However, pkcs11-tool cannot cope:

#pkcs11-tool --module /usr/lib/libaetpkss.so -O
No slot with a token was found.

I tried to edit /etc/libccisd_Info.plist,
And I Could change the identification string, (as shown by opensc-tool), but pkcs11_tool could still not see anything

Added the full output of lsusb for detailed device info...

Is this hardware too new?
|
From: Mandar J. <ema...@gm...> - 2018-01-31 23:29:31
|
Hello everyone,

There are these tokens from CCID compliant (I think so) Watchdata available in the Indian market which are not yet supported in OpenSC. I would like to work on adding support for them in OpenSC.

I read https://github.com/OpenSC/OpenSC/wiki/Adding-a-new-card-driver and that's where I'll begin.

What I would like to know is whether I'll make significant progress without any documentation from Watchdata. Will trying to implement the driver using data from a USB Sniffer really work? Which card driver do you suggest I use as skeleton for this new driver?

Here is debug information about the token.

$ opensc-tool -l
Detected readers (pcsc)
Nr.  Card  Features  Name
0    Yes             TrustKey [WDIND USB CCID Key] 00 00

$ pkcs11-tool -L
Available slots:
Slot 0 (0xffffffffffffffff): Virtual hotplug slot
  (empty)
Slot 1 (0x1): TrustKey [WDIND USB CCID Key] 00 00
  (empty)

$ opensc-tool -n
Using reader with a card: TrustKey [WDIND USB CCID Key] 00 00
Unsupported card

----------------------------------------------------------------
Output of Pykcs11 with proprietary driver:

# PYKCS11LIB=/usr/lib/WatchData/TRUSTKEY/lib/libwdpkcs_TRUSTKEY.so python getinfo.py -p abcd1234
cryptokiVersion: 2.10
flags:
libraryDescription: PKCS#11 cryptoki module
libraryVersion: 1.0
manufacturerID: WatchData
Available Slots: 3 [1, 2, 3]
Slot n.: 1
  firmwareVersion: 1.00
  flags: CKF_REMOVABLE_DEVICE, CKF_HW_SLOT
  hardwareVersion: 1.00
  manufacturerID: Watchdata Technologies Pte.Ltd
  slotDescription: WatchData IC CARD Reader/Writer 0
  SessionInfo
    Error: CKR_SLOT_ID_INVALID (0x00000003)
Slot n.: 2
  firmwareVersion: 1.00
  flags: CKF_REMOVABLE_DEVICE, CKF_HW_SLOT
  hardwareVersion: 1.00
  manufacturerID: Watchdata Technologies Pte.Ltd
  slotDescription: WatchData IC CARD Reader/Writer 1
  SessionInfo
    Error: CKR_SLOT_ID_INVALID (0x00000003)
Slot n.: 3
  firmwareVersion: 1.00
  flags: CKF_REMOVABLE_DEVICE, CKF_HW_SLOT
  hardwareVersion: 1.00
  manufacturerID: Watchdata Technologies Pte.Ltd
  slotDescription: WatchData IC CARD Reader/Writer 2
  SessionInfo
    Error: CKR_SLOT_ID_INVALID (0x00000003)

----------------------------------------------------------------
~$ lsusb -d 163c:0418 -v

Bus 003 Device 009: ID 163c:0418
Couldn't open device, some information will be missing
Device Descriptor:
  bLength                18
  bDescriptorType         1
  bcdUSB               1.10
  bDeviceClass            0 (Defined at Interface level)
  bDeviceSubClass         0
  bDeviceProtocol         0
  bMaxPacketSize0        64
  idVendor           0x163c
  idProduct          0x0418
  bcdDevice            0.01
  iManufacturer           1
  iProduct                2
  iSerial                 0
  bNumConfigurations      1
  Configuration Descriptor:
    bLength                 9
    bDescriptorType         2
    wTotalLength          109
    bNumInterfaces          2
    bConfigurationValue     1
    iConfiguration          0
    bmAttributes         0x80
      (Bus Powered)
    MaxPower              100mA
    Interface Descriptor:
      bLength                 9
      bDescriptorType         4
      bInterfaceNumber        0
      bAlternateSetting       0
      bNumEndpoints           2
      bInterfaceClass         8 Mass Storage
      bInterfaceSubClass      6 SCSI
      bInterfaceProtocol     80 Bulk-Only
      iInterface              4
      Endpoint Descriptor:
        bLength                 7
        bDescriptorType         5
        bEndpointAddress     0x81  EP 1 IN
        bmAttributes            2
          Transfer Type            Bulk
          Synch Type               None
          Usage Type               Data
        wMaxPacketSize     0x0040  1x 64 bytes
        bInterval               0
      Endpoint Descriptor:
        bLength                 7
        bDescriptorType         5
        bEndpointAddress     0x01  EP 1 OUT
        bmAttributes            2
          Transfer Type            Bulk
          Synch Type               None
          Usage Type               Data
        wMaxPacketSize     0x0040  1x 64 bytes
        bInterval               0
    Interface Descriptor:
      bLength                 9
      bDescriptorType         4
      bInterfaceNumber        1
      bAlternateSetting       0
      bNumEndpoints           2
      bInterfaceClass        11 Chip/SmartCard
      bInterfaceSubClass      0
      bInterfaceProtocol      0
      iInterface              5
      ChipCard Interface Descriptor:
        bLength                54
        bDescriptorType        33
        bcdCCID              1.10  (Warning: Only accurate for version 1.0)
        nMaxSlotIndex           0
        bVoltageSupport         1  5.0V
        dwProtocols             1  T=0
        dwDefaultClock       3580
        dwMaxiumumClock     14320
        bNumClockSupported      0
        dwDataRate           9600 bps
        dwMaxDataRate      115200 bps
        bNumDataRatesSupp.      0
        dwMaxIFSD             254
        dwSyncProtocols  00000000
        dwMechanical     00000000
        dwFeatures       00010030
          Auto clock change
          Auto baud rate change
          TPDU level exchange
        dwMaxCCIDMsgLen       271
        bClassGetResponse      00
        bClassEnvelope         00
        wlcdLayout           none
        bPINSupport             0
        bMaxCCIDBusySlots       1
      Endpoint Descriptor:
        bLength                 7
        bDescriptorType         5
        bEndpointAddress     0x82  EP 2 IN
        bmAttributes            2
          Transfer Type            Bulk
          Synch Type               None
          Usage Type               Data
        wMaxPacketSize     0x0040  1x 64 bytes
        bInterval               0
      Endpoint Descriptor:
        bLength                 7
        bDescriptorType         5
        bEndpointAddress     0x02  EP 2 OUT
        bmAttributes            2
          Transfer Type            Bulk
          Synch Type               None
          Usage Type               Data
        wMaxPacketSize     0x0040  1x 64 bytes
        bInterval               0

----------------------------------------------------------------
ccid-1.4.28# cat output.txt
 idVendor: 0x163C
  iManufacturer: Watchdata
 idProduct: 0x0418
  iProduct: USB Key
 bcdDevice: 0.01 (firmware release?)
 bLength: 9
 bDescriptorType: 4
 bInterfaceNumber: 1
 bAlternateSetting: 0
 bNumEndpoints: 2
  bulk-IN and bulk-OUT
 bInterfaceClass: 0x0B [Chip Card Interface Device Class (CCID)]
 bInterfaceSubClass: 0
 bInterfaceProtocol: 0
  bulk transfer, optional interrupt-IN (CCID)
 iInterface: WDIND USB CCID Key
 CCID Class Descriptor
  bLength: 0x36
  bDescriptorType: 0x21
  bcdCCID: 1.10
  bMaxSlotIndex: 0x00
  bVoltageSupport: 0x01
   5.0V
  dwProtocols: 0x0000 0x0001
   T=0
  dwDefaultClock: 3.580 MHz
  dwMaximumClock: 14.320 MHz
  bNumClockSupported: 0 (will use whatever is returned)
   IFD does not support GET CLOCK FREQUENCIES request: Resource temporarily unavailable
  dwDataRate: 9600 bps
  dwMaxDataRate: 115200 bps
  bNumDataRatesSupported: 0 (will use whatever is returned)
   IFD does not support GET_DATA_RATES request: Resource temporarily unavailable
  dwMaxIFSD: 254
  dwSynchProtocols: 0x00000000
  dwMechanical: 0x00000000
   No special characteristics
  dwFeatures: 0x00010030
   ....10 Automatic ICC clock frequency change according to parameters
   ....20 Automatic baud rate change according to frequency and Fi, Di params
   01.... TPDU level exchange
  dwMaxCCIDMessageLength: 271 bytes
  bClassGetResponse: 0x00
  bClassEnvelope: 0x00
  wLcdLayout: 0x0000
  bPINSupport: 0x00
  bMaxCCIDBusySlots: 1

----------------------------------------------------------------
Thanks for reading through.

Regards
Mandar Joshi
|
From: Douglas E E. <dee...@gm...> - 2018-01-25 14:38:31
|
Before I retired in 2014, we used to use this:

[appdefaults]
    pam = {
        # Uncomment to use with PKINIT and pam_krb5
        # for smart card login using AD
        # Change module path as needed
        # pkinit_prompt = true
        # try_pkinit = 1
        # pkinit_user = PKCS11:module_name=/usr/lib/opensc/opensc-pkcs11.so
    }

Windows AD was the KDC, and the certificates have the Microsoft extensions for Windows login. If you are trying to use Windows AD, I can give more information.

In the simplest case, one smart card, you should not need all the extra options. The PKINIT code will look at all the certificates and select one.

If you want to see the PKCS#11 calls and/or the card commands see https://github.com/OpenSC/OpenSC/wiki/Using-OpenSC

On 1/25/2018 6:37 AM, J.W...@mi... wrote:
> Hi all,
>
> Is there anyone around here who tried to get a kerberos ticket based on certs/keys on a smartcard?
>
> According to all man-pages, I need:
>
> PKCS11:[module_name=]modname[:slotid=slot-id][:token=token-label][:certid=cert-id][:certlabel=cert-label]
>
> And with pkcs11-tool, I think I know the values of the fields.
>
> But HOW / WHERE to include the “PKCS11:….” String into /etc/krb5.conf
>
> Kind regards, Hans
>

--
Douglas E. Engert <DEE...@gm...>
|
From: Jakub J. <jj...@re...> - 2018-01-25 14:02:26
|
On Thu, 2018-01-25 at 12:37 +0000, J.W...@mi... wrote:
> Hi all,
>
> Is there anyone around here who tried to get a kerberos ticket based
> on certs/keys on a smartcard?
>
> According to all man-pages, I need:
> PKCS11:[module_name=]modname[:slotid=slot-id][:token=token-label][:certid=cert-id][:certlabel=cert-label]
>
> And with pkcs11-tool, I think I know the values of the fields.
>
> But HOW / WHERE to include the "PKCS11:...." String into
> /etc/krb5.conf

The PKCS11: prefix is used in krb5.conf wherever you want to reference a private key, certificate from that configuration file. This is useful for pkinit_* options, which take this argument (or argument with FILE: prefix). You usually want to use it with pkinit_identities option, or even pkinit_anchors, if your CA certificate is in the PKCS#11 device.

Regards,
--
Jakub Jelen
Software Engineer
Security Technologies
Red Hat, Inc.
|
From: <J.W...@mi...> - 2018-01-25 12:37:24
|
Hi all,

Is there anyone around here who tried to get a kerberos ticket based on certs/keys on a smartcard?

According to all man-pages, I need:

PKCS11:[module_name=]modname[:slotid=slot-id][:token=token-label][:certid=cert-id][:certlabel=cert-label]

And with pkcs11-tool, I think I know the values of the fields.

But HOW / WHERE to include the "PKCS11:...." String into /etc/krb5.conf

Kind regards, Hans
|
From: Attila N. <nag...@gm...> - 2018-01-24 13:08:11
|
Dear OpenSC developers!

I'm using an aladdin eToken Pro 4.2.5.4 for SSH login to all the servers I work with. AFAIK this is only supported by openct, but this is pretty much outdated by now, even got removed from debian.

I'm looking for a new USB token to replace the old one, and since I'm planning to use that for another 14 years, here is what I'm looking for:

- well supported token (works on debian/ubuntu "out-of-box")
- supports rsa keys long enough for SSH
- produced and actively maintained by a respectful company (I'd avoid anything that is forgotten by its producer in a few months)
- [optional] u2f support?
- [optional] works on windows with the same keys (PuTTY)
- available in the stores today ;)

Any feedback is appreciated!

Attila Nagy

--
Nagy Attila Gábor
|
From: Frank M. <fra...@gm...> - 2018-01-19 13:25:13
|
See https://github.com/OpenSC/OpenSC/projects/4; a problem on macOS High Sierra is blocking a new release. Unfortunately, I currently don't have a lot of time investigating this issue.

Regards,
Frank.

2018-01-19 13:50 GMT+01:00 Laurent Bigonville <bi...@de...>:

> Hello,
>
> I would like to know when is a new release planned?
>
> I would really be happy to see a release with the cardos 5 and belpic vs
> firefox (I know multiple people affected by this) fixes included.
>
> Kind regards,
>
> Laurent Bigonville
>
|
From: Laurent B. <bi...@de...> - 2018-01-19 13:06:23
|
Hello,

I would like to know when is a new release planned?

I would really be happy to see a release with the cardos 5 and belpic vs firefox (I know multiple people affected by this) fixes included.

Kind regards,

Laurent Bigonville
|
From: Robert <fuz...@ya...> - 2018-01-17 13:39:22
|
All,

Just wanted to know if my assumption to add in a new card to OpenSC is correct.

I have been a longtime user of pcsc-lite but never had to dive into it myself. Well I got asked if I could look into implementing a card if I was given the APDU spec for the card.

If I am reading everything correctly from the pages below I just need to add in support to OpenSC and make sure I put in the proper ATR's for the cards.

Is that correct? Or am I missing an important part where I need to add in something to the pkcs11 layer as well. Also what about some of the debug tools like opensc-tool, would they need to be modified? Or do they pull what they need from the OpenSC card driver?

Robert

https://github.com/OpenSC/OpenSC/wiki/Quick-Start-with-OpenSC
https://github.com/OpenSC/OpenSC/wiki/Adding-a-new-card-driver
https://github.com/OpenSC/OpenSC/wiki/New-card-driver:-EnterSafe-card-example
|
From: NdK <ndk...@gm...> - 2018-01-12 18:46:13
|
On 12/01/2018 15:04, Jakub Jelen wrote:

> I am not using web authentication using PKCS#11, but (for the sake of
> correct outcomes here) I got to test it today and it works as expected
> without any concurrent issues (until you let the GnuPG's scdaemon into
> the round) with all the cards I have around, but mostly with PIV on
> yubikey.

That's good. I'll test again as soon as I find my reader... Were you able to authenticate to a site from FF and then sign a mail from TB w/o closing FF? That's great!

> I believe you should give it a try again. You might be pleasantly
> surprised (unless the MyEID cards have some different issues than my
> cards).

I doubt. Mine are quite old, some contact-only and some dual interface, IIRC. But all single applet.

> The scdaemon could be replaced with a tool that does not require
> exclusive access and talks PKCS#11, such as gnupg-pkcs11-scd [1] and
> then we should be over these problems.

I remember trying it but IIRC it was quite underdocumented. Hope that changed too :)

> Yes, some of the configuration steps should be more explicit
> (disconnect = leave), and we should support both applets on the smart
> card (PIV, OpenPGP) on yubikey [2] to make it working setup for general
> users. But I would not say it is impossible nor that we are far.

Well, multi-applet cards are a very different beast...

Tks for trying!

BYtE,
Diego
|