From: Jana N. <jn...@al...> - 2017-08-24 23:54:22
Hi Ben,

You're correct, it generated libp11.so but NOT libpkcs11.so under /usr/local/lib

    drwxr-x--- 2 root root 4096 Aug 24 20:37 pkgconfig
    -rwxr-xr-x 1 root root 290953 Aug 24 20:37 libp11.so.2.4.7
    lrwxrwxrwx 1 root root 15 Aug 24 20:37 libp11.so.2 -> libp11.so.2.4.7
    lrwxrwxrwx 1 root root 15 Aug 24 20:37 libp11.so -> libp11.so.2.4.7
    -rwxr-xr-x 1 root root 938 Aug 24 20:37 libp11.la
    -rw-r--r-- 1 root root 552282 Aug 24 20:37 libp11.a

Ok, so my understanding is I should get OpenSSL engine? If so, can you point me to the rpm or release?

On Thu, Aug 24, 2017 at 4:24 PM, Ben Cottrell <Ben...@no...> wrote:

> Hi Jana,
>
> On Thu, 24 Aug 2017 16:11:24 -0700, Jana Nguyen wrote:
> > It seems running ./configure && make && sudo make install
> >
> > Did not generate me the:
> >
> > opensc-pkcs11.so and libpkcs11.so
>
> What *did* it generate? The openssl engine is called "pkcs11.so" when
> I build on Linux. I'm guessing if you don't tell the configure script
> any different, it'll end up in /usr/local/lib.
>
> If you're wanting to use it with openssl, you don't want "libp11.so" or
> "libpkcs11.so" -- those are lower level libraries that are part of the
> OpenSC libp11 project, they're not the OpenSSL dynamically-loadable
> engine. The OpenSSL engine is "pkcs11.so".
>
> ~Ben
From: Bernd E. <ec...@zu...> - 2017-08-24 23:46:17
Just a FYI, the 0.14 version of opensc is in the CentOS EPEL repository, so you do not need to build it yourself:

https://centos.pkgs.org/6/epel-x86_64/opensc-0.14.0-2.el6.x86_64.rpm.html

Regards
Bernd
--
http://bernd.eckenfels.net

_____________________________
From: Jana Nguyen <jn...@al...>
Sent: Friday, August 25, 2017 1:11 AM
Subject: Re: [Opensc-devel] How to build OpenSC/libp11 ?
To: Ben Cottrell <ben...@no...>
Cc: <ope...@li...>

Unfortunately I'm not on MAC, I'm on Centos 6. It's linux. I'm trying to see if Safenet HSM works with openssl from cryptography.

It seems running ./configure && make && sudo make install

Did not generate me the:

opensc-pkcs11.so and libpkcs11.so

Am I missing an additional step? Thanks pkcs11 guru for responding.

On Thu, Aug 24, 2017 at 3:12 PM, Ben Cottrell <Ben...@no...> wrote:

Hi Jana,

On Thu, 24 Aug 2017 14:01:41 -0700, Jana Nguyen wrote:
> Thanks, running the tarball seems to run without error. Following the
> README.md, I tried to locate
>
> opensc-pkcs11.so and libpkcs11.so
>
> None was found. Am I suppose to also install the "engine_pkcs11" ? I
> want to use p11 and OpenSSL from the command line.

Are you on a Mac? The files may be called .dylib instead of .so.

Here's my notes for running openssl from the command line:

1. You need to be using openssl commands that allow -engine and -keyform flags to be passed in. Not all openssl commands do. If you need to use a command that doesn't, you're out of luck :-(

2. You need to use openssl in interactive mode, by typing "openssl" and then entering commands into the prompt. (Or by doing the equivalent from a shell script using a here-document.) This is because the openssl "engine" command is stateful. It sets up state which is used later by the actual command you're trying to run. Trying to run "openssl engine ..." from your shell, and then trying to run "openssl whatever ...", will lose state between the two invocations.

Here's an example of a pair of commands that can be typed into an interactive openssl session:

    engine dynamic -pre SO_PATH:/path/to/pkcs11.so -pre ID:pkcs11 -pre LIST_ADD:1 -pre LOAD -pre MODULE_PATH:/path/to/hsm/library.so -pre VERBOSE

    req -new -keyform engine -engine pkcs11 -key "pkcs11:type=private;object=foo;token=bar" -out myreq.csr -subj "/C=US/ST=CA/CN=localhost" -days 10000

(The /path/to/pkcs11.so may be .dylib if you're on a Mac, as noted above)

The first "engine" command sets up an engine and names it "pkcs11" (the ID: is what associates it with a name).

The -engine flag in the second command refers to the engine by the name we gave it. Then "-keyform engine" says that the key we pass in should be interpreted by the engine, not treated as the name of a file on disk. Then finally the -key flag can be passed as a PKCS11 URL, which works because we did the "-keyform engine".

See https://www.ietf.org/rfc/rfc7512.txt for a description of the PKCS11 URI format.

Hope this helps! I went through the same process of discovery you're going through, earlier this year.

~Ben
From: Ben C. <Ben...@no...> - 2017-08-24 23:44:30
Hi Jana,

On Thu, 24 Aug 2017 16:11:24 -0700, Jana Nguyen wrote:
> It seems running ./configure && make && sudo make install
>
> Did not generate me the:
>
> opensc-pkcs11.so and libpkcs11.so

What *did* it generate? The openssl engine is called "pkcs11.so" when I build on Linux. I'm guessing if you don't tell the configure script any different, it'll end up in /usr/local/lib.

If you're wanting to use it with openssl, you don't want "libp11.so" or "libpkcs11.so" -- those are lower level libraries that are part of the OpenSC libp11 project, they're not the OpenSSL dynamically-loadable engine. The OpenSSL engine is "pkcs11.so".

~Ben
From: Jana N. <jn...@al...> - 2017-08-24 23:11:34
Unfortunately I'm not on MAC, I'm on Centos 6. It's linux. I'm trying to see if Safenet HSM works with openssl from cryptography.

It seems running ./configure && make && sudo make install

Did not generate me the:

opensc-pkcs11.so and libpkcs11.so

Am I missing an additional step? Thanks pkcs11 guru for responding.

On Thu, Aug 24, 2017 at 3:12 PM, Ben Cottrell <Ben...@no...> wrote:

> Hi Jana,
>
> On Thu, 24 Aug 2017 14:01:41 -0700, Jana Nguyen wrote:
> > Thanks, running the tarball seems to run without error. Following the
> > README.md, I tried to locate
> >
> > opensc-pkcs11.so and libpkcs11.so
> >
> > None was found. Am I suppose to also install the "engine_pkcs11" ? I
> > want to use p11 and OpenSSL from the command line.
>
> Are you on a Mac? The files may be called .dylib instead of .so.
>
> Here's my notes for running openssl from the command line:
>
> 1. You need to be using openssl commands that allow -engine and
> -keyform flags to be passed in. Not all openssl commands do. If
> you need to use a command that doesn't, you're out of luck :-(
>
> 2. You need to use openssl in interactive mode, by typing
> "openssl" and then entering commands into the prompt. (Or by
> doing the equivalent from a shell script using a here-document.)
> This is because the openssl "engine" command is stateful. It
> sets up state which is used later by the actual command you're
> trying to run. Trying to run "openssl engine ..." from your shell,
> and then trying to run "openssl whatever ...", will lose state
> between the two invocations.
>
> Here's an example of a pair of commands that can be typed into an
> interactive openssl session:
>
>     engine dynamic -pre SO_PATH:/path/to/pkcs11.so -pre ID:pkcs11 -pre LIST_ADD:1 -pre LOAD -pre MODULE_PATH:/path/to/hsm/library.so -pre VERBOSE
>
>     req -new -keyform engine -engine pkcs11 -key "pkcs11:type=private;object=foo;token=bar" -out myreq.csr -subj "/C=US/ST=CA/CN=localhost" -days 10000
>
> (The /path/to/pkcs11.so may be .dylib if you're on a Mac, as noted above)
>
> The first "engine" command sets up an engine and names it "pkcs11" (the ID:
> is what associates it with a name).
>
> The -engine flag in the second command refers to the engine by the name we
> gave it. Then "-keyform engine" says that the key we pass in should be
> interpreted by the engine, not treated as the name of a file on disk. Then
> finally the -key flag can be passed as a PKCS11 URL, which works because we
> did the "-keyform engine".
>
> See https://www.ietf.org/rfc/rfc7512.txt for a description of the
> PKCS11 URI format.
>
> Hope this helps! I went through the same process of discovery you're
> going through, earlier this year.
>
> ~Ben
From: Ben C. <Ben...@no...> - 2017-08-24 22:35:17
Hi Jana,

On Thu, 24 Aug 2017 14:01:41 -0700, Jana Nguyen wrote:
> Thanks, running the tarball seems to run without error. Following the
> README.md, I tried to locate
>
> opensc-pkcs11.so and libpkcs11.so
>
> None was found. Am I suppose to also install the "engine_pkcs11" ? I
> want to use p11 and OpenSSL from the command line.

Are you on a Mac? The files may be called .dylib instead of .so.

Here's my notes for running openssl from the command line:

1. You need to be using openssl commands that allow -engine and -keyform flags to be passed in. Not all openssl commands do. If you need to use a command that doesn't, you're out of luck :-(

2. You need to use openssl in interactive mode, by typing "openssl" and then entering commands into the prompt. (Or by doing the equivalent from a shell script using a here-document.) This is because the openssl "engine" command is stateful. It sets up state which is used later by the actual command you're trying to run. Trying to run "openssl engine ..." from your shell, and then trying to run "openssl whatever ...", will lose state between the two invocations.

Here's an example of a pair of commands that can be typed into an interactive openssl session:

    engine dynamic -pre SO_PATH:/path/to/pkcs11.so -pre ID:pkcs11 -pre LIST_ADD:1 -pre LOAD -pre MODULE_PATH:/path/to/hsm/library.so -pre VERBOSE

    req -new -keyform engine -engine pkcs11 -key "pkcs11:type=private;object=foo;token=bar" -out myreq.csr -subj "/C=US/ST=CA/CN=localhost" -days 10000

(The /path/to/pkcs11.so may be .dylib if you're on a Mac, as noted above)

The first "engine" command sets up an engine and names it "pkcs11" (the ID: is what associates it with a name).

The -engine flag in the second command refers to the engine by the name we gave it. Then "-keyform engine" says that the key we pass in should be interpreted by the engine, not treated as the name of a file on disk. Then finally the -key flag can be passed as a PKCS11 URL, which works because we did the "-keyform engine".

See https://www.ietf.org/rfc/rfc7512.txt for a description of the PKCS11 URI format.

Hope this helps! I went through the same process of discovery you're going through, earlier this year.

~Ben
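
The here-document approach from the notes above, as an added example that is not part of the thread: it builds the two-command session with a percent-encoded RFC 7512 URI and feeds both commands to a single openssl process. It assumes an openssl build that reads commands from standard input, as the post describes; the function names and all paths and labels are placeholders.

```shell
#!/bin/sh
# Added example, not code from the thread. Paths, labels and file names
# passed to these functions are placeholders chosen by the caller.

# Percent-encode one PKCS#11 URI attribute value (RFC 7512). Letters, digits
# and "-._~" pass through; every other byte, including ';', space and
# newline, becomes %XX so a label cannot end its attribute or its line.
p11_encode() {
    out=
    for hex in $(printf '%s' "$1" | od -An -v -tx1); do
        case $hex in
            2d|2e|5f|7e|3[0-9]|4[1-9a-f]|5[0-9a]|6[1-9a-f]|7[0-9a])
                out="$out$(printf "\\$(printf '%03o' "0x$hex")")" ;;
            *)
                out="$out%$(printf '%s' "$hex" | tr 'a-f' 'A-F')" ;;
        esac
    done
    printf '%s' "$out"
}

# Reject values the line-oriented openssl prompt would split or end early:
# empty strings, whitespace (newline included), quotes and backslashes.
safe_arg() {
    nl='
'
    tab=$(printf '\t')
    case $1 in
        ''|*" "*|*"$tab"*|*"$nl"*|*\"*|*\'*|*\\*) return 1 ;;
    esac
}

# Print the session: one line that loads the engine, one that runs "req".
# Arguments: engine .so, vendor PKCS#11 module, token label, key label,
#            output CSR path, subject.
engine_session() {
    for v in "$1" "$2" "$5" "$6"; do
        safe_arg "$v" || { echo "unsafe argument: $v" >&2; return 1; }
    done
    uri="pkcs11:type=private;object=$(p11_encode "$4");token=$(p11_encode "$3")"
    cat <<EOF
engine dynamic -pre SO_PATH:$1 -pre ID:pkcs11 -pre LIST_ADD:1 -pre LOAD -pre MODULE_PATH:$2 -pre VERBOSE
req -new -keyform engine -engine pkcs11 -key "$uri" -out $5 -subj "$6"
EOF
}

# Feed both lines to ONE openssl process so the engine loaded by the first
# command is still registered when the second command runs.
run_session() {
    script=$(engine_session "$@") || return 1
    printf '%s\n' "$script" | openssl
}

# Typical call (placeholders):
# run_session /path/to/pkcs11.so /path/to/hsm/library.so bar foo myreq.csr /C=US/ST=CA/CN=localhost
```
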
From: Jana N. <jan...@gm...> - 2017-08-24 21:01:50
Thanks, running the tarball seems to run without error. Following the README.md, I tried to locate

opensc-pkcs11.so and libpkcs11.so

None was found. Am I supposed to also install the "engine_pkcs11" ? I want to use p11 and OpenSSL from the command line.

On Thu, Aug 24, 2017 at 12:02 PM, Alon Bar-Lev <alo...@gm...> wrote:

> Hi,
> Just download the tarball out of the releases[1]
> *libp11-0.4.7.tar.gz*
> <https://github.com/OpenSC/libp11/releases/download/libp11-0.4.7/libp11-0.4.7.tar.gz>
> Alon
> [1] https://github.com/OpenSC/libp11/releases
>
> On 24 August 2017 at 20:52, Jana Nguyen <jan...@gm...> wrote:
>
>> $ ./bootstrap
>> ./bootstrap: line 2: autoreconf: command not found
>>
>> It looks like ./boostrap calls autoreconf which is not there on my
>> server.
>>
>> Would it be easier if I get the release tarball?
>>
>> Thanks,
>> Jana
>>
>> On Thu, Aug 24, 2017 at 8:02 AM, Kenneth Benson <pho...@gm...>
>> wrote:
>>
>>> On 8/23/2017 11:50 PM, Jana Nguyen wrote:
>>> > Hello,
>>> >
>>> > I want to use OpenSC/libp11 for my project since I want to use the
>>> > pkcs11 module to access HSM. I've cloned libp11 repo from the master
>>> > branch, but how do I build it so I can start using it for Centos 6?
>>> > I've looked at INSTALL.md at
>>> > https://github.com/OpenSC/libp11/blob/master/INSTALL.md and it suggest
>>> > I run the below to build libp11:
>>> > ./configure && make && sudo make install
>>> >
>>> > There is no "configure" or "install" under this repo:
>>> >
>>> > drwxr-xr-x 2 jnguyen SECENG 4096 Aug 22 21:19 tests
>>> > drwxr-xr-x 2 jnguyen SECENG 4096 Aug 22 21:19 src
>>> > -rwxr-xr-x 1 jnguyen SECENG 7563 Aug 22 21:19 README.md
>>> > -rwxr-xr-x 1 jnguyen SECENG 7529 Aug 22 21:19 NEWS
>>> > -rwxr-xr-x 1 jnguyen SECENG 1454 Aug 22 21:19 make.rules.mak
>>> > -rwxr-xr-x 1 jnguyen SECENG 139 Aug 22 21:19 Makefile.mak
>>> > -rwxr-xr-x 1 jnguyen SECENG 784 Aug 22 21:19 Makefile.am
>>> > drwxr-xr-x 2 jnguyen SECENG 4096 Aug 22 21:19 m4
>>> > -rwxr-xr-x 1 jnguyen SECENG 2346 Aug 22 21:19 INSTALL.md
>>> > drwxr-xr-x 2 jnguyen SECENG 4096 Aug 22 21:19 doc
>>> > -rwxr-xr-x 1 jnguyen SECENG 26528 Aug 22 21:19 COPYING
>>> > -rwxr-xr-x 1 jnguyen SECENG 7888 Aug 22 21:19 configure.ac
>>> > -rwxr-xr-x 1 jnguyen SECENG 49 Aug 22 21:19 bootstrap
>>> > -rwxr-xr-x 1 jnguyen SECENG 2205 Aug 22 21:19 appveyor.yml
>>> > drwxr-xr-x 2 jnguyen SECENG 4096 Aug 22 22:10 examples
>>> >
>>> > Thanks!
>>> >
>>> Configure is a program in (I think) usr/local/bin directory that uses
>>> configure.ac and makefile.am to create the files to compile with.
>>> Install is a subsection of the makefile that runs instructions to
>>> install the library to it's correct location.
From: Alon Bar-L. <alo...@gm...> - 2017-08-24 19:03:09
Hi,
Just download the tarball out of the releases[1]
*libp11-0.4.7.tar.gz*
<https://github.com/OpenSC/libp11/releases/download/libp11-0.4.7/libp11-0.4.7.tar.gz>
Alon
[1] https://github.com/OpenSC/libp11/releases

On 24 August 2017 at 20:52, Jana Nguyen <jan...@gm...> wrote:

> $ ./bootstrap
> ./bootstrap: line 2: autoreconf: command not found
>
> It looks like ./boostrap calls autoreconf which is not there on my
> server.
>
> Would it be easier if I get the release tarball?
>
> Thanks,
> Jana
>
> On Thu, Aug 24, 2017 at 8:02 AM, Kenneth Benson <pho...@gm...>
> wrote:
>
>> On 8/23/2017 11:50 PM, Jana Nguyen wrote:
>> > Hello,
>> >
>> > I want to use OpenSC/libp11 for my project since I want to use the
>> > pkcs11 module to access HSM. I've cloned libp11 repo from the master
>> > branch, but how do I build it so I can start using it for Centos 6?
>> > I've looked at INSTALL.md at
>> > https://github.com/OpenSC/libp11/blob/master/INSTALL.md and it suggest
>> > I run the below to build libp11:
>> > ./configure && make && sudo make install
>> >
>> > There is no "configure" or "install" under this repo:
>> >
>> > drwxr-xr-x 2 jnguyen SECENG 4096 Aug 22 21:19 tests
>> > drwxr-xr-x 2 jnguyen SECENG 4096 Aug 22 21:19 src
>> > -rwxr-xr-x 1 jnguyen SECENG 7563 Aug 22 21:19 README.md
>> > -rwxr-xr-x 1 jnguyen SECENG 7529 Aug 22 21:19 NEWS
>> > -rwxr-xr-x 1 jnguyen SECENG 1454 Aug 22 21:19 make.rules.mak
>> > -rwxr-xr-x 1 jnguyen SECENG 139 Aug 22 21:19 Makefile.mak
>> > -rwxr-xr-x 1 jnguyen SECENG 784 Aug 22 21:19 Makefile.am
>> > drwxr-xr-x 2 jnguyen SECENG 4096 Aug 22 21:19 m4
>> > -rwxr-xr-x 1 jnguyen SECENG 2346 Aug 22 21:19 INSTALL.md
>> > drwxr-xr-x 2 jnguyen SECENG 4096 Aug 22 21:19 doc
>> > -rwxr-xr-x 1 jnguyen SECENG 26528 Aug 22 21:19 COPYING
>> > -rwxr-xr-x 1 jnguyen SECENG 7888 Aug 22 21:19 configure.ac
>> > -rwxr-xr-x 1 jnguyen SECENG 49 Aug 22 21:19 bootstrap
>> > -rwxr-xr-x 1 jnguyen SECENG 2205 Aug 22 21:19 appveyor.yml
>> > drwxr-xr-x 2 jnguyen SECENG 4096 Aug 22 22:10 examples
>> >
>> > Thanks!
>> >
>> Configure is a program in (I think) usr/local/bin directory that uses
>> configure.ac and makefile.am to create the files to compile with.
>> Install is a subsection of the makefile that runs instructions to
>> install the library to it's correct location.
From: Jana N. <jan...@gm...> - 2017-08-24 17:52:35
$ ./bootstrap
./bootstrap: line 2: autoreconf: command not found

It looks like ./bootstrap calls autoreconf which is not there on my server.

Would it be easier if I get the release tarball?

Thanks,
Jana

On Thu, Aug 24, 2017 at 8:02 AM, Kenneth Benson <pho...@gm...> wrote:

> On 8/23/2017 11:50 PM, Jana Nguyen wrote:
> > Hello,
> >
> > I want to use OpenSC/libp11 for my project since I want to use the
> > pkcs11 module to access HSM. I've cloned libp11 repo from the master
> > branch, but how do I build it so I can start using it for Centos 6?
> > I've looked at INSTALL.md at
> > https://github.com/OpenSC/libp11/blob/master/INSTALL.md and it suggest
> > I run the below to build libp11:
> > ./configure && make && sudo make install
> >
> > There is no "configure" or "install" under this repo:
> >
> > drwxr-xr-x 2 jnguyen SECENG 4096 Aug 22 21:19 tests
> > drwxr-xr-x 2 jnguyen SECENG 4096 Aug 22 21:19 src
> > -rwxr-xr-x 1 jnguyen SECENG 7563 Aug 22 21:19 README.md
> > -rwxr-xr-x 1 jnguyen SECENG 7529 Aug 22 21:19 NEWS
> > -rwxr-xr-x 1 jnguyen SECENG 1454 Aug 22 21:19 make.rules.mak
> > -rwxr-xr-x 1 jnguyen SECENG 139 Aug 22 21:19 Makefile.mak
> > -rwxr-xr-x 1 jnguyen SECENG 784 Aug 22 21:19 Makefile.am
> > drwxr-xr-x 2 jnguyen SECENG 4096 Aug 22 21:19 m4
> > -rwxr-xr-x 1 jnguyen SECENG 2346 Aug 22 21:19 INSTALL.md
> > drwxr-xr-x 2 jnguyen SECENG 4096 Aug 22 21:19 doc
> > -rwxr-xr-x 1 jnguyen SECENG 26528 Aug 22 21:19 COPYING
> > -rwxr-xr-x 1 jnguyen SECENG 7888 Aug 22 21:19 configure.ac
> > -rwxr-xr-x 1 jnguyen SECENG 49 Aug 22 21:19 bootstrap
> > -rwxr-xr-x 1 jnguyen SECENG 2205 Aug 22 21:19 appveyor.yml
> > drwxr-xr-x 2 jnguyen SECENG 4096 Aug 22 22:10 examples
> >
> > Thanks!
> >
> Configure is a program in (I think) usr/local/bin directory that uses
> configure.ac and makefile.am to create the files to compile with.
> Install is a subsection of the makefile that runs instructions to
> install the library to it's correct location.
From: Kenneth B. <pho...@gm...> - 2017-08-24 15:02:59
On 8/23/2017 11:50 PM, Jana Nguyen wrote:
> Hello,
>
> I want to use OpenSC/libp11 for my project since I want to use the
> pkcs11 module to access HSM. I've cloned libp11 repo from the master
> branch, but how do I build it so I can start using it for Centos 6?
> I've looked at INSTALL.md at
> https://github.com/OpenSC/libp11/blob/master/INSTALL.md and it suggest
> I run the below to build libp11:
> ./configure && make && sudo make install
>
> There is no "configure" or "install" under this repo:
>
> drwxr-xr-x 2 jnguyen SECENG 4096 Aug 22 21:19 tests
> drwxr-xr-x 2 jnguyen SECENG 4096 Aug 22 21:19 src
> -rwxr-xr-x 1 jnguyen SECENG 7563 Aug 22 21:19 README.md
> -rwxr-xr-x 1 jnguyen SECENG 7529 Aug 22 21:19 NEWS
> -rwxr-xr-x 1 jnguyen SECENG 1454 Aug 22 21:19 make.rules.mak
> -rwxr-xr-x 1 jnguyen SECENG 139 Aug 22 21:19 Makefile.mak
> -rwxr-xr-x 1 jnguyen SECENG 784 Aug 22 21:19 Makefile.am
> drwxr-xr-x 2 jnguyen SECENG 4096 Aug 22 21:19 m4
> -rwxr-xr-x 1 jnguyen SECENG 2346 Aug 22 21:19 INSTALL.md
> drwxr-xr-x 2 jnguyen SECENG 4096 Aug 22 21:19 doc
> -rwxr-xr-x 1 jnguyen SECENG 26528 Aug 22 21:19 COPYING
> -rwxr-xr-x 1 jnguyen SECENG 7888 Aug 22 21:19 configure.ac
> -rwxr-xr-x 1 jnguyen SECENG 49 Aug 22 21:19 bootstrap
> -rwxr-xr-x 1 jnguyen SECENG 2205 Aug 22 21:19 appveyor.yml
> drwxr-xr-x 2 jnguyen SECENG 4096 Aug 22 22:10 examples
>
> Thanks!
>

Configure is a program in (I think) usr/local/bin directory that uses configure.ac and makefile.am to create the files to compile with. Install is a subsection of the makefile that runs instructions to install the library to its correct location.
From: Jakub J. <jj...@re...> - 2017-08-24 06:25:37
On Wed, 2017-08-23 at 20:50 -0700, Jana Nguyen wrote:
> Hello,
>
> I want to use OpenSC/libp11 for my project since I want to use the pkcs11
> module to access HSM. I've cloned libp11 repo from the master branch, but
> how do I build it so I can start using it for Centos 6? I've looked at
> INSTALL.md at https://github.com/OpenSC/libp11/blob/master/INSTALL.md and
> it suggest I run the below to build libp11:
> ./configure && make && sudo make install
>
> There is no "configure" or "install" under this repo:

Hello,
when you are building from master, the configure is not pre-generated as in the release tarball. In this case, you need to run

    $ ./bootstrap

which in result runs autoreconf and creates a configure for you.

Regards,
--
Jakub Jelen
Software Engineer
Security Technologies
Red Hat, Inc.
From: Jana N. <jan...@gm...> - 2017-08-24 03:51:03
Hello,

I want to use OpenSC/libp11 for my project since I want to use the pkcs11 module to access HSM. I've cloned libp11 repo from the master branch, but how do I build it so I can start using it for Centos 6? I've looked at INSTALL.md at https://github.com/OpenSC/libp11/blob/master/INSTALL.md and it suggests I run the below to build libp11:

    ./configure && make && sudo make install

There is no "configure" or "install" under this repo:

    drwxr-xr-x 2 jnguyen SECENG 4096 Aug 22 21:19 tests
    drwxr-xr-x 2 jnguyen SECENG 4096 Aug 22 21:19 src
    -rwxr-xr-x 1 jnguyen SECENG 7563 Aug 22 21:19 README.md
    -rwxr-xr-x 1 jnguyen SECENG 7529 Aug 22 21:19 NEWS
    -rwxr-xr-x 1 jnguyen SECENG 1454 Aug 22 21:19 make.rules.mak
    -rwxr-xr-x 1 jnguyen SECENG 139 Aug 22 21:19 Makefile.mak
    -rwxr-xr-x 1 jnguyen SECENG 784 Aug 22 21:19 Makefile.am
    drwxr-xr-x 2 jnguyen SECENG 4096 Aug 22 21:19 m4
    -rwxr-xr-x 1 jnguyen SECENG 2346 Aug 22 21:19 INSTALL.md
    drwxr-xr-x 2 jnguyen SECENG 4096 Aug 22 21:19 doc
    -rwxr-xr-x 1 jnguyen SECENG 26528 Aug 22 21:19 COPYING
    -rwxr-xr-x 1 jnguyen SECENG 7888 Aug 22 21:19 configure.ac
    -rwxr-xr-x 1 jnguyen SECENG 49 Aug 22 21:19 bootstrap
    -rwxr-xr-x 1 jnguyen SECENG 2205 Aug 22 21:19 appveyor.yml
    drwxr-xr-x 2 jnguyen SECENG 4096 Aug 22 22:10 examples

Thanks!
From: Frank M. <fra...@gm...> - 2017-08-23 19:29:59
I think the onepin module is only needed for Firefox, which doesn't handle two PINs in a user convenient way. We could try to guess if we were loaded by Firefox and then switch on the onepin setting (if it wasn't specified via opensc.conf). Finding out which process loaded the PKCS#11 module could, however, get a bit complicated (https://stackoverflow.com/a/1024937)...

Anyway, that would eliminate the need for the onepin module!

2016-10-04 18:30 GMT+02:00 Jakub Jelen <jj...@re...>:

> On 10/04/2016 03:56 PM, fra...@gm... wrote:
> > Hi!
> >
> > If I'm not mistaken, we are not exposing a virtual hotplug slot to the
> > application anymore.
>
> Yes, you are right. The master does not show this one. But as far as I
> understand to this problem is not in the virtual hotplug, but in the
> PINs of the card creating the virtual slots, isn't it?
>
> > Slots are only created for actual readers, see
> > https://github.com/OpenSC/OpenSC/blob/master/src/pkcs11/slot.c#L142. I
> > reintroduced the virtual hotplug slot in
> > https://github.com/OpenSC/OpenSC/pull/872, because NSS currently expects
> > that, once created, a slot never disappears.
> >
> > Do you have a link to the one-pin-discussion?
> It was internal/offline discussion, mostly theoretical (based on the
> mails, comments and issues), because I don't have any cards exposing
> more PINs in this way and that would make a difference of the both
> libraries to test.
>
> From the discussion, what we would like to avoid is to have two
> (basically same) libraries in the OS for several reasons (p11-kit, ...).
> The inception to make the other symlink came in the mailing list more
> than two years ago [1] without any follow up. The pursuing the solution
> without virtual slots (single PIN) sounds reasonable for most of the
> cards. But still I might miss some part of the current behavior so
> correct me if I am wrong.
>
> [1] http://opensc.1086184.n5.nabble.com/opensc-onepin-td14433.html
>
> Regards,
>
> --
> Jakub Jelen
> Security Technologies
> Red Hat
From: Jakub J. <jj...@re...> - 2017-08-18 12:58:46
|
On Fri, 2017-06-16 at 14:28 -0500, Douglas E Engert wrote:
>
> On 6/16/2017 7:48 AM, Jakub Jelen wrote:
> > Hello,
> > during our testing we noticed that PIV token labels are in OpenSC used as a simple driver identification (PIV_II) [1]. Coolkey module supporting PIV cards used this field to copy the cardholder name (if available) and from there GDM was using this name on various places, such as greeting after login [2] or identifying a unique card (very non-ideal).
>
> The question is: Does anyone use the token label in a P11 URI?
> I Bcc'ed one person who may be doing that.
>
> The pkcs15-piv.c sets the sc_pkcs15_auth_info label to "PIV Card Holder pin" or "Global PIN" depending on the Discovery Object flags.
> Then p15card->tokeninfo->label = "PIV_II";
> framework-pkcs15.c then does:
> snprintf(label, sizeof(label), "%.*s (%s)", (int) sizeof auth->label, auth->label, p15card->tokeninfo->label);
>
> So the C_GetTokenInfo has one of these:
> token label : PIV Card Holder pin (PIV_II)
> token label : Global PIN (PIV_II)
>
> I suppose the CN from the AUTH certificate could replace the p15card->tokeninfo->label. But there would only be 10 characters left.
> The "PIV Card Holder pin" or "Global PIN" could be shorter too.
>
> The setting of the p15card->tokeninfo->label could be replaced around line 768,769 before the comment :"* get keyUsage if present save in ckis[i]" and this was the AUTH cert and the CN could be found.

Thank you for the pointers and comments. I just filed a PR on Github [1] with this feature (sorry it took so long, but other things piled up). The PR should say everything. This is more like another heads up for the ones who might be using these labels and who expect some significance from them.

[1] https://github.com/OpenSC/OpenSC/pull/1133

Regards,
--
Jakub Jelen
Software Engineer
Security Technologies
Red Hat, Inc.
|
From: Frank M. <fra...@gm...> - 2017-07-18 20:29:57
|
Hi everyone!

The new release 0.17.0 of OpenSC is available on GitHub <https://github.com/OpenSC/OpenSC/releases/tag/0.17.0>. Thanks for everyone contributing in terms of bug fixes, new features and testing.

I've started updating the wiki pages so that it starts serving as a useful source of information. You're welcome to add details of your card or smart card use cases as well.

Regards, Frank.
|
From: Douglas E E. <dee...@gm...> - 2017-06-16 19:28:53
|
On 6/16/2017 7:48 AM, Jakub Jelen wrote:
> Hello,
> during our testing we noticed that PIV token labels are in OpenSC used as a simple driver identification (PIV_II) [1]. Coolkey module supporting PIV cards used this field to copy the cardholder name (if available) and from there GDM was using this name on various places, such as greeting after login [2] or identifying a unique card (very non-ideal).

The question is: Does anyone use the token label in a P11 URI?
I Bcc'ed one person who may be doing that.

The pkcs15-piv.c sets the sc_pkcs15_auth_info label to "PIV Card Holder pin" or "Global PIN" depending on the Discovery Object flags.
Then p15card->tokeninfo->label = "PIV_II";
framework-pkcs15.c then does:
snprintf(label, sizeof(label), "%.*s (%s)", (int) sizeof auth->label, auth->label, p15card->tokeninfo->label);

So the C_GetTokenInfo has one of these:
token label : PIV Card Holder pin (PIV_II)
token label : Global PIN (PIV_II)

I suppose the CN from the AUTH certificate could replace the p15card->tokeninfo->label. But there would only be 10 characters left. The "PIV Card Holder pin" or "Global PIN" could be shorter too.

The setting of the p15card->tokeninfo->label could be replaced around line 768,769 before the comment :"* get keyUsage if present save in ckis[i]" and this was the AUTH cert and the CN could be found.

>
> I would not consider this a bug in OpenSC, but more like a potential room for improvement in OpenSC. I am posting here on ML to get some ideas if it is a feature you would be interesting for you or if it would be considered as a change of behavior and API (PKCS#11 URI), before I will put together a PR implementing this change.
>
> The idea why this label should be more card-specific is from the PKCS#11 specification:
>
> > application-defined label, assigned during token initialization. Must be padded with the blank character (‘ ‘). Should not be null-terminated.
>
> This does not say anything about the content, but cardholder name in PIV case sounds little bit more useful than just a string PIV_II.
>
> [1] https://bugzilla.redhat.com/show_bug.cgi?id=1449740
> [2] https://bugzilla.redhat.com/show_bug.cgi?id=1462000
>
> Thank you for comments and regards,

--
Douglas E. Engert <DEE...@gm...>
|
From: Jakub J. <jj...@re...> - 2017-06-16 12:48:54
|
Hello,
during our testing we noticed that PIV token labels are in OpenSC used as a simple driver identification (PIV_II) [1]. Coolkey module supporting PIV cards used this field to copy the cardholder name (if available) and from there GDM was using this name on various places, such as greeting after login [2] or identifying a unique card (very non-ideal).

I would not consider this a bug in OpenSC, but more like a potential room for improvement in OpenSC. I am posting here on ML to get some ideas if it is a feature you would be interesting for you or if it would be considered as a change of behavior and API (PKCS#11 URI), before I will put together a PR implementing this change.

The idea why this label should be more card-specific is from the PKCS#11 specification:

> application-defined label, assigned during token initialization. Must be padded with the blank character (‘ ‘). Should not be null-terminated.

This does not say anything about the content, but cardholder name in PIV case sounds little bit more useful than just a string PIV_II.

[1] https://bugzilla.redhat.com/show_bug.cgi?id=1449740
[2] https://bugzilla.redhat.com/show_bug.cgi?id=1462000

Thank you for comments and regards,
--
Jakub Jelen
Software Engineer
Security Technologies
Red Hat
|
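The label arithmetic from this thread, as an added example (not OpenSC code and not part of any message above): it builds the "<PIN label> (<token label>)" string in the shape of the quoted snprintf, stores it in the 32-byte blank-padded CK_TOKEN_INFO label field, and shows both the "10 characters left" limit and why a consumer matching on the old label stops matching. The helper names, the scratch buffer size and the cardholder name "Constructed Name" are assumptions made for the illustration.

```c
#include <stdio.h>
#include <string.h>

#define TOKEN_LABEL_LEN 32 /* CK_TOKEN_INFO.label: 32 bytes, blank padded, no NUL */

/* Hypothetical helper: format "<auth_label> (<token_label>)" and store it the
 * way the PKCS#11 field requires. Returns how many characters did not fit. */
static size_t format_token_label(unsigned char out[TOKEN_LABEL_LEN],
                                 const char *auth_label, const char *token_label)
{
    char tmp[256]; /* assumed scratch size, large enough for the samples */
    int n = snprintf(tmp, sizeof(tmp), "%s (%s)", auth_label, token_label);
    size_t full, have, copy;

    if (n < 0)
        n = 0;
    full = (size_t)n;
    have = full < sizeof(tmp) ? full : sizeof(tmp) - 1;
    copy = have < TOKEN_LABEL_LEN ? have : TOKEN_LABEL_LEN;
    memset(out, ' ', TOKEN_LABEL_LEN);   /* blank padding required by the spec */
    memcpy(out, tmp, copy);              /* deliberately not NUL-terminated */
    return full - copy;
}

/* Characters available for a name once " (" and ")" are accounted for. */
static size_t room_for_name(const char *auth_label)
{
    size_t used = strlen(auth_label) + 3;
    return used >= TOKEN_LABEL_LEN ? 0 : TOKEN_LABEL_LEN - used;
}

/* Hypothetical consumer-side check: compare a padded label with the token
 * name an application has stored, ignoring the trailing blanks. */
static int label_equals(const unsigned char label[TOKEN_LABEL_LEN],
                        const char *wanted)
{
    size_t n = TOKEN_LABEL_LEN;

    while (n > 0 && label[n - 1] == ' ')
        n--;
    return strlen(wanted) == n && memcmp(label, wanted, n) == 0;
}

int main(void)
{
    /* "PIV_II" is from the thread; "Constructed Name" is a constructed CN. */
    static const char *names[] = { "PIV_II", "Constructed Name" };
    unsigned char label[TOKEN_LABEL_LEN];
    size_t i;

    for (i = 0; i < 2; i++) {
        size_t lost = format_token_label(label, "PIV Card Holder pin", names[i]);
        printf("[%.*s] lost=%zu matches-old-label=%d\n", TOKEN_LABEL_LEN,
               (const char *)label, lost,
               label_equals(label, "PIV Card Holder pin (PIV_II)"));
    }
    printf("room with \"PIV Card Holder pin\": %zu\n",
           room_for_name("PIV Card Holder pin"));
    printf("room with \"Global PIN\": %zu\n", room_for_name("Global PIN"));
    return 0;
}
```
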
From: Frank M. <fra...@gm...> - 2017-06-14 13:15:56
|
If you're planning to make a contribution to the project, we'd love to add a new card to OpenSC. We would be happy to get you going and to comment on your code. However, please have in mind that in lack of hardware, documentation and manpower, we can't do this on our own.

2017-06-13 4:07 GMT+02:00 Amin Shah Gilani <ami...@gm...>:

> Hello everyone
>
> I'm a citizen of Pakistan, and our government started issuing "Smart ID Cards" a few years ago that have an embedded EMV chip, although it hasn't been digitally in any way yet.
>
> I was curious so I plugged in my hardware card reader, the one I got with my Estonian e-Residency ID card, and installed OpenSC. I don't believe this card is supported, so I'm sending in the result of a few commands.
>
> Here's an ATR parsing: https://smartcard-atr.appspot.com/parse?ATR=3bdb96008031fe448059654944204e414452418f
>
> ```
> $ opensc-tool --name
> Using reader with a card: OMNIKEY AG Smart Card Reader
> Unsupported card
> $ opensc-tool --version
> No Git revision info available
> $ opensc-tool -i
> OpenSC 0.16.0 [gcc 4.2.1 Compatible Apple LLVM 8.0.0 (clang-800.0.42.1)]
> Enabled features: locking zlib readline openssl pcsc(/System/Library/Frameworks/PCSC.framework/PCSC)
> $ opensc-tool -a
> Using reader with a card: OMNIKEY AG Smart Card Reader
> 3b:db:96:00:80:31:fe:44:80:59:65:49:44:20:4e:41:44:52:41:8f
> $ opensc-tool -D
> Configured card drivers:
>   cardos          Siemens CardOS
>   flex            Schlumberger Multiflex/Cryptoflex
>   cyberflex       Schlumberger Cyberflex
>   gpk             Gemplus GPK
>   gemsafeV1       driver for the Gemplus GemSAFE V1 applet
>   miocos          MioCOS 1.1
>   asepcos         Athena ASEPCOS
>   starcos         STARCOS SPK 2.3/2.4/3.4
>   tcos            TCOS 3.0
>   jcop            JCOP cards with BlueZ PKCS#15 applet
>   oberthur        Oberthur AuthentIC.v2/CosmopolIC.v4
>   authentic       Oberthur AuthentIC v3.1
>   iasecc          IAS-ECC
>   belpic          Belpic cards
>   ias             IAS
>   incrypto34      Incard Incripto34
>   acos5           ACS ACOS5 card
>   akis            TUBITAK UEKAE AKIS
>   entersafe       entersafe
>   epass2003       epass2003
>   rutoken         Rutoken driver
>   rutoken_ecp     Rutoken ECP driver
>   westcos         WESTCOS compatible cards
>   myeid           MyEID cards with PKCS#15 applet
>   sc-hsm          SmartCard-HSM
>   dnie            DNIe: Spanish eID card
>   MaskTech        MaskTech Smart Card
>   mcrd            MICARDO 2.1 / EstEID 1.0 - 3.0
>   setcos          Setec cards
>   muscle          MuscleApplet
>   atrust-acos     A-Trust ACOS cards
>   piv             PIV-II for multiple cards
>   itacns          Italian CNS
>   isoApplet       Javacard with IsoApplet
>   gids            GIDS Smart Card
>   openpgp         OpenPGP card
>   default         Default driver for unknown cards
> ```
|
From: Frank M. <fra...@gm...> - 2017-06-14 13:10:03
|
Hi all!

You'll find a pre-release of OpenSC 0.17.0 on Github <https://github.com/OpenSC/OpenSC/releases/tag/0.17.0-rc1>. A draft version of the user visible changes is available in this ticket <https://github.com/OpenSC/OpenSC/issues/1062>. On Github you'll also find a general ticket for commenting the new release <https://github.com/OpenSC/OpenSC/issues/1055>.

I've put together a wiki page <https://github.com/OpenSC/OpenSC/wiki/Smart-Card-Testing> on how to systematically test your card. Please extend the page with test results from your smart cards. If you think that some important usage of OpenSC is missing (I'm looking at you, pkcs15-init), feel free to extend the list of test cases.

I'm planning the first of July as release date, so please be active in commenting and testing!

Regards, Frank.
|
From: Amin S. G. <ami...@gm...> - 2017-06-13 02:07:38
|
Hello everyone

I'm a citizen of Pakistan, and our government started issuing "Smart ID Cards" a few years ago that have an embedded EMV chip, although it hasn't been digitally in any way yet.

I was curious so I plugged in my hardware card reader, the one I got with my Estonian e-Residency ID card, and installed OpenSC. I don't believe this card is supported, so I'm sending in the result of a few commands.

Here's an ATR parsing: https://smartcard-atr.appspot.com/parse?ATR=3bdb96008031fe448059654944204e414452418f

```
$ opensc-tool --name
Using reader with a card: OMNIKEY AG Smart Card Reader
Unsupported card
$ opensc-tool --version
No Git revision info available
$ opensc-tool -i
OpenSC 0.16.0 [gcc 4.2.1 Compatible Apple LLVM 8.0.0 (clang-800.0.42.1)]
Enabled features: locking zlib readline openssl pcsc(/System/Library/Frameworks/PCSC.framework/PCSC)
$ opensc-tool -a
Using reader with a card: OMNIKEY AG Smart Card Reader
3b:db:96:00:80:31:fe:44:80:59:65:49:44:20:4e:41:44:52:41:8f
$ opensc-tool -D
Configured card drivers:
  cardos          Siemens CardOS
  flex            Schlumberger Multiflex/Cryptoflex
  cyberflex       Schlumberger Cyberflex
  gpk             Gemplus GPK
  gemsafeV1       driver for the Gemplus GemSAFE V1 applet
  miocos          MioCOS 1.1
  asepcos         Athena ASEPCOS
  starcos         STARCOS SPK 2.3/2.4/3.4
  tcos            TCOS 3.0
  jcop            JCOP cards with BlueZ PKCS#15 applet
  oberthur        Oberthur AuthentIC.v2/CosmopolIC.v4
  authentic       Oberthur AuthentIC v3.1
  iasecc          IAS-ECC
  belpic          Belpic cards
  ias             IAS
  incrypto34      Incard Incripto34
  acos5           ACS ACOS5 card
  akis            TUBITAK UEKAE AKIS
  entersafe       entersafe
  epass2003       epass2003
  rutoken         Rutoken driver
  rutoken_ecp     Rutoken ECP driver
  westcos         WESTCOS compatible cards
  myeid           MyEID cards with PKCS#15 applet
  sc-hsm          SmartCard-HSM
  dnie            DNIe: Spanish eID card
  MaskTech        MaskTech Smart Card
  mcrd            MICARDO 2.1 / EstEID 1.0 - 3.0
  setcos          Setec cards
  muscle          MuscleApplet
  atrust-acos     A-Trust ACOS cards
  piv             PIV-II for multiple cards
  itacns          Italian CNS
  isoApplet       Javacard with IsoApplet
  gids            GIDS Smart Card
  openpgp         OpenPGP card
  default         Default driver for unknown cards
```
|
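What the ATR printed by `opensc-tool -a` in the message above decodes to, as an added example (not part of the post and not OpenSC code): a small ISO 7816-3 ATR parser that walks the interface bytes, extracts the historical bytes and verifies the TCK check byte. The struct and function names are assumptions; the byte array is the ATR from the post.

```c
#include <stdio.h>
#include <string.h>

/* ATR from the post (opensc-tool -a output). */
static const unsigned char PAGE_ATR[20] = {
    0x3b, 0xdb, 0x96, 0x00, 0x80, 0x31, 0xfe, 0x44, 0x80, 0x59,
    0x65, 0x49, 0x44, 0x20, 0x4e, 0x41, 0x44, 0x52, 0x41, 0x8f
};

struct atr_info {
    unsigned char hist[15]; /* historical bytes (at most 15) */
    size_t hist_len;
    unsigned protocols;     /* bit n set: a TDi byte announced T=n */
    int has_tck;            /* TCK is present unless only T=0 is announced */
    int tck_ok;             /* XOR of T0..TCK is zero */
};

/* Hypothetical helper: returns 0 on success, -1 if the ATR is malformed. */
static int parse_atr(const unsigned char *atr, size_t len, struct atr_info *out)
{
    size_t pos = 2, i;
    unsigned char y, x = 0;

    memset(out, 0, sizeof(*out));
    if (len < 2 || (atr[0] != 0x3b && atr[0] != 0x3f))
        return -1;                       /* TS: direct or inverse convention */
    out->hist_len = atr[1] & 0x0f;       /* T0 low nibble: K */
    y = atr[1] >> 4;                     /* T0 high nibble: Y1 */
    for (;;) {
        if (y & 1) pos++;                /* TAi present */
        if (y & 2) pos++;                /* TBi present */
        if (y & 4) pos++;                /* TCi present */
        if (!(y & 8))
            break;                       /* no TDi: interface bytes end here */
        if (pos >= len)
            return -1;
        out->protocols |= 1u << (atr[pos] & 0x0f);
        y = atr[pos] >> 4;               /* Y(i+1) */
        pos++;
    }
    if (out->protocols == 0)
        out->protocols = 1;              /* no TD1 at all: T=0 is implied */
    out->has_tck = (out->protocols & ~1u) != 0;
    if (pos + out->hist_len + (out->has_tck ? 1 : 0) != len)
        return -1;                       /* truncated or trailing bytes */
    memcpy(out->hist, atr + pos, out->hist_len);
    if (out->has_tck) {
        for (i = 1; i < len; i++)
            x ^= atr[i];
        out->tck_ok = (x == 0);
    }
    return 0;
}

int main(void)
{
    struct atr_info a;
    size_t i;

    if (parse_atr(PAGE_ATR, sizeof(PAGE_ATR), &a) != 0) {
        puts("malformed ATR");
        return 1;
    }
    printf("protocol bits: 0x%x, TCK %s\n", a.protocols,
           !a.has_tck ? "absent" : a.tck_ok ? "valid" : "INVALID");
    printf("historical bytes (%zu): ", a.hist_len);
    for (i = 0; i < a.hist_len; i++)
        putchar(a.hist[i] >= 0x20 && a.hist[i] < 0x7f ? a.hist[i] : '.');
    putchar('\n');
    return 0;
}
```
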
From: Pallissard, M. <op...@pa...> - 2017-04-19 18:41:41
|
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Hey all, forgive me if this list is the wrong place to ask.

I've been researching smart cards and am looking for a little advice as I'm new to this topic. I'd like to use the cards for PKINIT, file encryption, and email signing. My CA issues ECC certs with prime256v1 key type and ecdsa-with-SHA256 signature algorithm.

I've read the supported hardware page on the opensc wiki and /think/ that I've narrowed it down. The two that looked promising (more documentation on the opensc wiki) are the smartcard-hsm and the Aventra MyEID PKI card. I think both options support my requirements.

Is there any reason that either of these cards would be a poor choice? Does anyone else have an alternative recommendation?

Matt Pallissard
-----BEGIN PGP SIGNATURE-----

iHUEARYKAB0WIQTvIUMPApUGn6YFkXl1uof+t048SQUCWPevWwAKCRB1uof+t048
SQy9APwKABiUrowUHjaR2aMmIfbrcM2WjlLwj65utIX1yM38xwD+NuP/bK5LeoI7
XhIR9QG1z6tO5act/4EO4DZ1hVu8ww0=
=Wl8J
-----END PGP SIGNATURE-----
|
From: Manuel S. <man...@ir...> - 2017-04-12 07:58:57
|
Hi again,

I found my mistake. The build steps should be as follows:

* unset CC; unset CXX; ./configure --host=x86_64-w64-mingw32 --disable-openssl --disable-readline --disable-zlib --prefix=${PWD}/win32/opensc
* make && make install

I will update the wiki page.

Kind regards,
Manuel

________________________________
From: Manuel Spierenburg
Sent: Tuesday, April 11, 2017 4:31 PM
To: ope...@li...
Subject: OpenSC Windows installer

Hi all,

I'm trying to build the Windows installer from a Ubuntu machine. But the wiki page seems a little bit outdated.
https://github.com/OpenSC/OpenSC/wiki/OpenSC-Windows-installer

The script ./win32/installer_from_build.sh does not exist anymore in master. I was able to find it in another branch, but the script itself relies on other scripts (build) which do not exist in the branch neither.
https://github.com/OpenSC/OpenSC/blob/opensc-0.15.0/win32/installer_from_build.sh

I tried to follow the steps from the build server:
https://travis-ci.org/OpenSC/OpenSC/jobs/220850737

These are the steps I came up so far.

* install packages:
  * sudo apt-get install binutils-mingw-w64-i686 binutils-mingw-w64-x86-64 docbook-xsl gcc-mingw-w64-i686 gcc-mingw-w64-x86-64 libpcsclite-dev mingw-w64 wine xsltproc gengetopt
* install inno setup
  * wget http://www.jrsoftware.org/download.php/is.exe
  * wine is.exe
* build
  * export HOST=x86_64-w64-mingw32
  * export CC=gcc
  * ./bootstrap && ./configure --disable-doc
  * make && make dist && sudo make install
* build windows installer
  * wine "C:/Program Files (x86)/Inno Setup 5/ISCC.exe" win32/OpenSC.iss

But the last step fails due to the missing profile files in the win32 folder.

Error on line 45 in Z:\home\mspieren\Development\kps-sc\OpenSCorig\win32\OpenSC.iss: No files found matching "Z:\home\mspieren\Development\kps-sc\OpenSCorig\win32\opensc\share\opensc\*.profile"

I can copy the profile files to the folder but then the script fails due to the missing dll files. Obviously I miss something here.

Is somebody building the windows installer successfully on a linux machine?

Thanks,
Manuel

PS. I will update the wiki page when I got it working.
|
From: Manuel S. <man...@ir...> - 2017-04-11 14:46:15
|
Hi all,

I'm trying to build the Windows installer from a Ubuntu machine. But the wiki page seems a little bit outdated.
https://github.com/OpenSC/OpenSC/wiki/OpenSC-Windows-installer

The script ./win32/installer_from_build.sh does not exist anymore in master. I was able to find it in another branch, but the script itself relies on other scripts (build) which do not exist in the branch neither.
https://github.com/OpenSC/OpenSC/blob/opensc-0.15.0/win32/installer_from_build.sh

I tried to follow the steps from the build server:
https://travis-ci.org/OpenSC/OpenSC/jobs/220850737

These are the steps I came up so far.

* install packages:
  * sudo apt-get install binutils-mingw-w64-i686 binutils-mingw-w64-x86-64 docbook-xsl gcc-mingw-w64-i686 gcc-mingw-w64-x86-64 libpcsclite-dev mingw-w64 wine xsltproc gengetopt
* install inno setup
  * wget http://www.jrsoftware.org/download.php/is.exe
  * wine is.exe
* build
  * export HOST=x86_64-w64-mingw32
  * export CC=gcc
  * ./bootstrap && ./configure --disable-doc
  * make && make dist && sudo make install
* build windows installer
  * wine "C:/Program Files (x86)/Inno Setup 5/ISCC.exe" win32/OpenSC.iss

But the last step fails due to the missing profile files in the win32 folder.

Error on line 45 in Z:\home\mspieren\Development\kps-sc\OpenSCorig\win32\OpenSC.iss: No files found matching "Z:\home\mspieren\Development\kps-sc\OpenSCorig\win32\opensc\share\opensc\*.profile"

I can copy the profile files to the folder but then the script fails due to the missing dll files. Obviously I miss something here.

Is somebody building the windows installer successfully on a linux machine?

Thanks,
Manuel

PS. I will update the wiki page when I got it working.
|
From: Timo T. <tim...@ik...> - 2017-04-05 12:07:13
|
Hi all,

I'm currently looking into implementing proper symmetric secret key support in opensc on pkcs#15 level. There seems to have been some attempts on it before [1], but that did not really progress.

I've been now analyzing how I'd like to approach the issue, and would like to check if the overall plan is acceptable.

I would like to:

- Simplify the handling of pkcs15_object EXPLICIT tagging see [2] for preliminary work, which needs still work as commented in [3]
- Now large parts of the abstraction for generating and uploading the secret keys could be shared with the private key path. I would therefore like to merge 'struct sc_pkcs15_skey_info' and 'struct sc_pkcs15_prkey_info'. Would this sound acceptable change?
- It might make sense to rename SC_PKCS15_PRKEY_* to SC_PKCS15_KEY_* as they are shared for all-key types everywhere.
- I plan to implement AES key support. According to ISO specification this should be encoded as 'algIndependentKey' and indicate the key type via CommonKeyAttributes.algReference that links to CardInfo.supportedAlgorithms entry which describes the algorithm.
  * Should we introduce SC_PKCS15_TYPE_SKEY_* ID for each symmetric key type? Or should that be mapped to the pkcs#15 object type, and either resolve the key type runtime, or add a separate key_algorithm if needed in addition to existing fields?

Some guidance on these matters would get me started, I may get additional questions later. And I hope to submit code for review earlier than later.

Any other thoughts, or comments? All feedback at this point would be appreciated. Thanks.

Thanks,
Timo

[1] https://github.com/OpenSC/OpenSC/issues/627
[2] https://github.com/fabled/OpenSC/commit/79ad7b7456d6c16adbcb45e0d8bc7a6fad7fb545
[3] https://github.com/OpenSC/OpenSC/pull/919
|
From: Jakub J. <jj...@re...> - 2017-03-23 08:27:15
|
On 03/22/2017 03:20 PM, Douglas E Engert wrote:
> The card driver has been there a long time, but could have only worked for signatures and not decrypt. Many older cards only would only create signatures.

According to Frank on Github (where is the final change)[1], the encryption works with CardOS 4.3B (as well as the RSA_X_509). We still miss the missing part how the 5.0 version work.

> Also look at the card's set_security_env routine at what flags it sets. There is an ISO document that defines flags for set security env, and if you have the manufactures document, you can compare what their card supports.

It is probably ISO 7816, but it is not public available. Also I don't have any documentation from the manufacturer (nor I was able to find anything online). But I guess if I had some documentation, I would have to sign NDA and the changes would end up similarly as #283 [2].

> It may or may not support CKM_X_509. I am not at home and don't have access to the document to tell you its name.

If you will have a look at this when you will get home, it would be great. One of the theories worded by Robert Relyea was that this card might not even support this mechanism, because it should be needed only for SSL 2.0

> The problem sounds similar to Nono's card, that could take any hash with digest header less than 36 bytes, but to support SHA256 one had to send a flag to tell the card the data being sent was just the 32 bytes of the hash, and card had to put in the SHA256 digest header before padding. His card, PTeid using card-gemsafeV1.c did not support CKM_X_509, as the card always wanted to do the PKCS1 padding.

Anyway, not sure if it was intentional you are dropping the opensc-devel mailing list from the CC (instead of reply-all). I don't think there is anything non-public, so I am adding CC back.

[1] https://github.com/OpenSC/OpenSC/pull/1003
[2] https://github.com/OpenSC/OpenSC/pull/283

Thank you,
Jakub

> On Wed, Mar 22, 2017 at 4:10 AM, Jakub Jelen <jj...@re... <mailto:jj...@re...>> wrote:
>
> On 03/20/2017 06:08 PM, Douglas E Engert wrote:
>
> First of all, I can not do much until late next week.
>
> What I was pointing out is sc_get_encoding_flags takes the algorithm flags and breaks them apart into what the card is expected to do, and what OpenSC software will do. i.e. who adds/removes the padding. The card's senv routine can then tell the card what it needs to do. The algorithm flags should only indicate what the card (or the card driver) can do. I hope you would find the debugging messages useful so you could set the algorithm flags to match what the card and card driver and its senv routine can do.
>
> There may be a difference is the term RAW. From the PKCS#11 CKM_RSA_X_509 the input and output will both be the key size and the calling application will do all hashing and padding for both sign and decrypt, If the card(and driver) can not do this, then the CKM_RSA_X_509 should not be registered.
>
> Actually PKCS#11 mechanisms also have a HW flag, indicating the mechanism is performed in hardware, so claiming it is hardware, but doing parts in the driver can be misleading to an application.
>
> It sounds like the card has SC_CARD_CAP_ONLY_RAW_HASH_STRIPPED and SC_CARD_CAP_ONLY_RAW_HASH. These do not sound like CKM_RSA_X_509 to me but more about does the card expect the hash to be stripped or not.
>
> Thank you for your time. I played a bit more with the flags specified in the cardos_init() and managed to "turn off" the RSA_X_509 mechanism by specifying SC_ALGORITHM_RSA_PAD_PKCS1 (other mechanisms stays intact).
>
> https://github.com/Jakuje/OpenSC/commit/489508cf <https://github.com/Jakuje/OpenSC/commit/489508cf>
>
> This has a "side effect" of disabling the RSA_X_509 mechanisms also for the signatures, but that should not be a big deal, because the signature routine has also some hacks to strip padding from data for signatures in case it fails sign data with padding.
>
> I am not sure if this even worked in older CardOS cards. I will file a pull request with the changes so far and try to ping people who contributed parts of CardOS drivers, if they can verify functionality with their cards (or if this can be changed in older versions too).
>
> Thanks,
> Jakub

--
Jakub Jelen
Software Engineer
Security Technologies
Red Hat
|