From: Ludovic R. <lud...@gm...> - 2016-08-26 13:46:25

Hello,

I just read the article "Free software and smartcards" [1] from LWN (Linux Weekly News).
The article talks about PC/SC, OpenSC, OpenPGP cards, JavaCards cards.

A previous LWN article "One-time passwords and GnuPG with Nitrokey" [2] is also interesting to read.

Bye

[1] https://lwn.net/Articles/696078/
[2] https://lwn.net/Articles/695438/

--
Dr. Ludovic Rousseau

From: Douglas E E. <dee...@gm...> - 2016-08-22 17:45:05

Looking at the code, it looks like it is only parsing the certificate and getting public keys and other values from the certificate.
It does not include rsa.h, but does include bn.h
It looks like it would not take very much effort to use a stripped down version of the cs-ossl-compat.h from OpenSC https://github.com/OpenSC/OpenSC/pull/853

I don't use it, so someone is still needed to do some testing.

On 8/22/2016 4:12 AM, Ludovic Rousseau wrote:
> Hello,
>
> After 2 months with no volunteer to take care of pam-pkcs#11 I created a new README.md page on the github project to indicate the project is no more maintained.
> https://github.com/OpenSC/pam_pkcs11/blob/master/README.md
>
> I will also orphan the Debian package.
> I guess the Debian (and Ubuntu) package will be removed once OpenSSL 1.1.0 is included in Debian and pam-pkcs#11 can't be rebuilt.
>
> Regards,
>
> 2016-06-30 9:51 GMT+02:00 Ludovic Rousseau <lud...@gm...>:
> > Hello,
> >
> > PAM PKCS#11 [1] is a Pluggable Authentication Module (PAM) using a
> > PKCS#11 library (smart card, crypto token, etc.). The purpose is to be
> > able to use a smart card to login to a GNU/Linux system.
> >
> > With the introduction of OpenSSL 1.1.0 the API has changed and many
> > software, including pam-pkcs#11, need to be updated to use the new
> > API. For example see [2] for a patch for OpenSC.
> >
> > I am the only maintainer of pam-pkcs11 project. I do not use this
> > software myself any more.
> > I do not have the free time (and motivation) to invest in a code
> > change of pam-pkcs11 to support the new OpenSSL API.
> > If nobody volunteers to do this work then:
> > - pam-pkcs11 will not work with OpenSSL 1.1.0
> > - pam-pkcs11 will be removed from the GNU/Linux distributions
> > - pam-pkcs11 will not be usable any more.
> >
> > A bug [3] has been opened for Debian: "pam-pkcs11: FTBFS with openssl 1.1.0"
> > FTBFS is Fails To Build From Source.
> > When OpenSSL 1.1.0 will be included in Debian pam-pkcs11 will be
> > removed from Debian, unless someone adds support of the new OpenSSL
> > API.
> >
> > If you (or your company) use pam-pkcs11 you should worry about the situation.
> >
> > RedHat provides [4] pam-pkcs11 to its customers. It could be a good
> > idea for RedHat to invest some R&D time to take maintenance of the
> > software to keep its (paying) customers happy.
> >
> > Regards,
> >
> > [1] https://github.com/OpenSC/pam_pkcs11/wiki
> > [2] https://github.com/OpenSC/OpenSC/pull/749/files
> > [3] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=828487
> > [4] https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Managing_Smart_Cards/enabling-smart-card-login.html
> >
> > --
> > Dr. Ludovic Rousseau
>
> --
> Dr. Ludovic Rousseau
>
> _______________________________________________
> Opensc-devel mailing list
> Ope...@li...
> https://lists.sourceforge.net/lists/listinfo/opensc-devel

--
Douglas E. Engert <DEE...@gm...>

From: David W. <dw...@in...> - 2016-08-22 13:08:37

On Mon, 2016-08-22 at 11:12 +0200, Ludovic Rousseau wrote:
> Hello,
>
> After 2 months with no volunteer to take care of pam-pkcs#11 I created a new README.md page on the github project to indicate the project is no more maintained.
> https://github.com/OpenSC/pam_pkcs11/blob/master/README.md
>
> I will also orphan the Debian package.
> I guess the Debian (and Ubuntu) package will be removed once OpenSSL 1.1.0 is included in Debian and pam-pkcs#11 can't be rebuilt.

I assume the Fedora package will remain for now, as it's built against NSS and still works. We are getting closer to having NSS actually working with RFC7512 PKCS#11 URIs and loading the right tokens according to the system configuration too.

For the OpenSSL support, I am disinclined to fix it up as it stands — I note it's doing everything for itself and not even using libp11.

I do still plan to fix up OpenSSL after the 1.1 release and basically render libp11 obsolete by adding the same functionality natively to crypto/pkcs11/ in OpenSSL (1.2) itself. At that point, maybe it makes sense to resurrect the OpenSSL support in pam_pkcs11. But for now I don't think it makes sense to patch it up.

If somebody really cared, migrating it to libp11 might be the way to go. Because we *will* have a migration strategy for libp11 users to OpenSSL 1.2, and the APIs may well end up being very similar.

--
dwmw2

From: Ludovic R. <lud...@gm...> - 2016-08-22 09:12:41

Hello,

After 2 months with no volunteer to take care of pam-pkcs#11 I created a new README.md page on the github project to indicate the project is no more maintained.
https://github.com/OpenSC/pam_pkcs11/blob/master/README.md

I will also orphan the Debian package.
I guess the Debian (and Ubuntu) package will be removed once OpenSSL 1.1.0 is included in Debian and pam-pkcs#11 can't be rebuilt.

Regards,

2016-06-30 9:51 GMT+02:00 Ludovic Rousseau <lud...@gm...>:

> Hello,
>
> PAM PKCS#11 [1] is a Pluggable Authentication Module (PAM) using a
> PKCS#11 library (smart card, crypto token, etc.). The purpose is to be
> able to use a smart card to login to a GNU/Linux system.
>
> With the introduction of OpenSSL 1.1.0 the API has changed and many
> software, including pam-pkcs#11, need to be updated to use the new
> API. For example see [2] for a patch for OpenSC.
>
> I am the only maintainer of pam-pkcs11 project. I do not use this
> software myself any more.
> I do not have the free time (and motivation) to invest in a code
> change of pam-pkcs11 to support the new OpenSSL API.
> If nobody volunteers to do this work then:
> - pam-pkcs11 will not work with OpenSSL 1.1.0
> - pam-pkcs11 will be removed from the GNU/Linux distributions
> - pam-pkcs11 will not be usable any more.
>
> A bug [3] has been opened for Debian: "pam-pkcs11: FTBFS with openssl 1.1.0"
> FTBFS is Fails To Build From Source.
> When OpenSSL 1.1.0 will be included in Debian pam-pkcs11 will be
> removed from Debian, unless someone adds support of the new OpenSSL
> API.
>
> If you (or your company) use pam-pkcs11 you should worry about the
> situation.
>
> RedHat provides [4] pam-pkcs11 to its customers. It could be a good
> idea for RedHat to invest some R&D time to take maintenance of the
> software to keep its (paying) customers happy.
>
> Regards,
>
> [1] https://github.com/OpenSC/pam_pkcs11/wiki
> [2] https://github.com/OpenSC/OpenSC/pull/749/files
> [3] https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=828487
> [4] https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Managing_Smart_Cards/enabling-smart-card-login.html
>
> --
> Dr. Ludovic Rousseau
>

--
Dr. Ludovic Rousseau

From: NdK <ndk...@gm...> - 2016-08-11 21:09:45

On 11/08/2016 14:53, Dirk-Willem van Gulik wrote:

>> IIRC SO-PIN on the ePass2003 requires secure messaging to be used, but
>> SM was not yet present in opensc when the epass2003 driver got added.
>> Did that change?
From your answer it seems it didn't change. :(

> Below script does the trick for me (key generated ‘off line’ — as to circumvent the 512 len limit).
No need to do that, unless you need to backup the private key.
For me, a plain
pkcs15-init -G rsa:2048 --auth-id 1 -l "key label"
does the job. Once the keypair is there, associating a certificate is not a problem.

BTW, in your script it could be better to use a tmpfs instead of a normal file. But there are other risks anyway, unless you're using it on an offlined single-user machine.

> pkcs15-init -E || exit 1
Erase, ok.

> pkcs15-init --create-pkcs15 --profile pkcs15+onepin --use-default-transport-key --puk 111111 --label $LABEL --pin 1234 || exit 1
Init with onepin option, so you're not using SOPIN, just the User-PIN.

>> PS: pkcs15-init -F always reports "Failed to delete object(s): Not
>> supported". Is that normal? Is the card finalized anyway? Is the
>> finalize step actually required on ePass2003?
In the script you don't finalize the token. For Aventra MyEID the pkcs15-init -F step is needed to activate access control, but ePass2003 seems not to need it. Good to know -- could be useful to have it on the wiki page? And maybe opensc could avoid generating an error?

BYtE,
 Diego

From: Dirk-Willem v. G. <di...@we...> - 2016-08-11 13:22:02

> On 10 Aug 2016, at 12:44, NdK <ndk...@gm...> wrote:
>
> Hello all.
>
> Seems the wiki page on github is quite inaccurate regarding ePass2003
> support:
> - there's no mention of the so-pin problems (and seems so-pin
> functionality is not -yet- present)
> - GOOZE (IIUC) is no more actively involved after discontinuing the
> distribution
>
> Overall, at least for me, it seems more an ad page than a technical one.
>
> IIRC SO-PIN on the ePass2003 requires secure messaging to be used, but
> SM was not yet present in opensc when the epass2003 driver got added.
> Did that change?
>
> PS: pkcs15-init -F always reports "Failed to delete object(s): Not
> supported". Is that normal? Is the card finalized anyway? Is the
> finalize step actually required on ePass2003?

Below script does the trick for me (key generated ‘off line’ — as to circumvent the 512 len limit).

Dw.

#!/bin/sh
#
# Copyright (c) 2012 Dirk-Willem van Gulik <di...@we...>, All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
#
# You may obtain a copy of the License at
#
#     http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
#
# See the License for the specific language governing permissions and
# limitations under the License.
#
set -e

#
# Load an existing p12/pem onto a card - protected by a PIN
# of sorts; set by the (end) user or a random one.
#
PIN=${PIN:-`openssl rand 16 | hexdump -d | awk '{ print $2 $3 }' | cut -c 1-6`}
LABEL=feitian001
PUK=${PUK:-`openssl rand 16 | hexdump -d | awk '{ print $2 $3 }' | cut -c 1-8`}
SUBJ="/emailAddress=foobar/C=XX/L=Foobar/O=Something Nice and Lengthy/OU=Positively bizantine and so on"
TMPFILE=x-fred

# Remove the unencrypted card key. The CA key ($TMPFILE-ca.key) is left on disk.
cleanup() {
	srm $TMPFILE.key 2>/dev/null || rm -f $TMPFILE.key
}
# On a signal: clean up, then stop (the exit is here so that the normal
# path below can still print the final message after cleanup).
trap 'cleanup; exit 1' HUP INT TERM

# Self signed root
#
openssl req -new -x509 -set_serial 1 -subj "$SUBJ/CN=Da Root of it all" -out $TMPFILE-ca.pem -nodes -keyout $TMPFILE-ca.key || exit 1

# CSR and sign with above root
#
# Unfortunately we cannot do this on the card - as anything beyond 512 length will time out the USB on linux and OSX.
# pkcs11-tool --module /usr/lib/opensc-pkcs11.so --slot 1 --keypairgen --key-type rsa:2048 --pin $PIN --login
#
openssl req -new -subj "$SUBJ/CN=Fred Himself" -keyout $TMPFILE.key -out $TMPFILE.csr -nodes || exit 1
openssl x509 -CA $TMPFILE-ca.pem -CAkey $TMPFILE-ca.key -req -set_serial 2 -in $TMPFILE.csr -out $TMPFILE.pem || exit 1

# Initialise a blank key
echo
echo "Insert a single EPass2003 (blue or red); and press return to start wiping and re-initilaizing it (or press ctrl-C)"
echo
read nope

pkcs15-init -E || exit 1
# PIN and PUK are fixed values on this line; the --pin $PIN calls below only
# authenticate if PIN=1234 is set in the environment.
pkcs15-init --create-pkcs15 --profile pkcs15+onepin --use-default-transport-key --puk 111111 --label $LABEL --pin 1234 || exit 1

if true; then
	# This works -- as we set decent labels.
	#
	pkcs15-init --store-private-key $TMPFILE.key --format PEM --auth-id 01 --pin $PIN || exit 1
	pkcs15-init --store-certificate $TMPFILE.pem --format PEM --auth-id 01 --pin $PIN --label fred || exit 1
	pkcs15-init --store-certificate $TMPFILE-ca.pem --format PEM --auth-id 01 --pin $PIN --label root --authority || exit 1
else
	# Transport password.
	#
	PASSWD=`openssl rand 16 | hexdump -d | awk '{ print $2 $3 }' | cut -c 1-8`

	# And this fails/confuses tokend - as the labels are now DN's with the / in it.
	#
	# Package up in PKCS#12
	openssl pkcs12 -chain -export -out $TMPFILE.p12 -in $TMPFILE.pem -CAfile $TMPFILE-ca.pem -inkey $TMPFILE.key -nodes -passout pass:$PASSWD || exit 1

	# Show what we netted:
	openssl pkcs12 -in $TMPFILE.p12 -noout -passin pass:$PASSWD -info

	# Store.
	pkcs15-init --store-private-key $TMPFILE.p12 --format pkcs12 --auth-id 01 --pin $PIN --passphrase $PASSWD || exit 1
fi

cleanup

echo
echo Done. The PIN is $PIN, the PUK is $PUK

From: NdK <ndk...@gm...> - 2016-08-10 10:44:55

Hello all.

Seems the wiki page on github is quite inaccurate regarding ePass2003 support:
- there's no mention of the so-pin problems (and seems so-pin functionality is not -yet- present)
- GOOZE (IIUC) is no more actively involved after discontinuing the distribution

Overall, at least for me, it seems more an ad page than a technical one.

IIRC SO-PIN on the ePass2003 requires secure messaging to be used, but SM was not yet present in opensc when the epass2003 driver got added. Did that change?

PS: pkcs15-init -F always reports "Failed to delete object(s): Not supported". Is that normal? Is the card finalized anyway? Is the finalize step actually required on ePass2003?

BYtE,
 Diego

From: Douglas E E. <dee...@gm...> - 2016-08-04 19:11:36

New pre release of OpenSSL 1.1.0 released today.
See updated comments in https://github.com/OpenSC/OpenSC/pull/749

---------- Forwarded message ----------
From: OpenSSL <op...@op...>
Date: Thu, Aug 4, 2016 at 7:26 AM
Subject: [openssl-announce] OpenSSL version 1.1.0 pre release 6 published
To: OpenSSL Developer ML <ope...@op...>, OpenSSL User Support ML <ope...@op...>, OpenSSL Announce ML <ope...@op...>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

   OpenSSL version 1.1.0 pre release 6 (beta)
   ===========================================

   OpenSSL - The Open Source toolkit for SSL/TLS
   https://www.openssl.org/

   OpenSSL 1.1.0 is currently in beta. OpenSSL 1.1.0 pre release 6 has now
   been made available. For details of changes and known issues see the
   release notes at:

        https://www.openssl.org/news/openssl-1.1.0-notes.html

   Note: This OpenSSL pre-release has been provided for testing ONLY.
   It should NOT be used for security critical purposes.

   The beta release is available for download via HTTP and FTP from the
   following master locations (you can find the various FTP mirrors under
   https://www.openssl.org/source/mirror.html):

     * https://www.openssl.org/source/
     * ftp://ftp.openssl.org/source/

   The distribution file name is:

    o openssl-1.1.0-pre6.tar.gz
      Size: 5100538
      SHA1 checksum: b4c4b64c56813a4dd824b9bb2735ac15331845b8
      SHA256 checksum: ca869f843b8a947fb64ca7d7bebb2afe47a48d7bb5e9becc54d9c8fe674535c2

   The checksums were calculated using the following commands:

    openssl sha1 openssl-1.1.0-pre6.tar.gz
    openssl sha256 openssl-1.1.0-pre6.tar.gz

   Please download and check this beta release as soon as possible.
   Bug reports should go to rt...@op.... Please check the release
   notes and mailing lists to avoid duplicate reports of known issues.

   Yours,

   The OpenSSL Project Team.

From: Chris G. <cl...@is...> - 2016-08-03 16:05:40

On Wed, Aug 03, 2016 at 05:09:43PM +0200, Andreas Schwier wrote:
> Dear Chris,
>
> we've recently integrated a SmartCard-HSM with wpa_supplicant using the
> following configuration:
>
> # Configure OpenSSL to load the PKCS#11 engine and openCryptoki module
> pkcs11_engine_path=/usr/lib/engines/engine_pkcs11.so
> pkcs11_module_path=/usr/local/lib/opensc-pkcs11.so
>
Do these go in the wpa_supplicant.conf file?

> network={
>     ssid="hostAP"
>     key_mgmt=WPA-EAP
>     eap=TLS
>     identity="User"
>
>     # use OpenSSL PKCS#11 engine for this network
>     engine=1
>     engine_id="pkcs11"
>
>     # select the private key and certificates based on ID (see pkcs11-tool
>     # output above)
>     key_id="5:1"
>     cert_id="5:1"
>     #ca_cert_id="1"
>
>     # set the PIN code; leave this out to configure the PIN to be requested
>     # interactively when needed (e.g., via wpa_gui or wpa_cli)
>     pin="875971"
> }
>
> The AP was running hostapd with a PKI-TLS setup.
>
> I got the configuration from the wpa_supplicant/examples directory in
> the source.
>
OK, presumably I use the example given for EAP-SIM instead.

> To use EAP-SIM you need to compile wpa_supplicant with PC/SC support and
> have pcscd installed.
>
Yes, OK. I wish there was an easy way to find out what support is compiled in to a version of wpa_supplicant. I might have a version with EAP-SIM support but there's no way to find out. I have pcscd installed.

Thank you.

--
Chris Green

From: Andreas S. <and...@ca...> - 2016-08-03 15:28:53

Dear Chris,

we've recently integrated a SmartCard-HSM with wpa_supplicant using the following configuration:

# Configure OpenSSL to load the PKCS#11 engine and openCryptoki module
pkcs11_engine_path=/usr/lib/engines/engine_pkcs11.so
pkcs11_module_path=/usr/local/lib/opensc-pkcs11.so

network={
    ssid="hostAP"
    key_mgmt=WPA-EAP
    eap=TLS
    identity="User"

    # use OpenSSL PKCS#11 engine for this network
    engine=1
    engine_id="pkcs11"

    # select the private key and certificates based on ID (see pkcs11-tool
    # output above)
    key_id="5:1"
    cert_id="5:1"
    #ca_cert_id="1"

    # set the PIN code; leave this out to configure the PIN to be requested
    # interactively when needed (e.g., via wpa_gui or wpa_cli)
    pin="875971"
}

The AP was running hostapd with a PKI-TLS setup.

I got the configuration from the wpa_supplicant/examples directory in the source.

To use EAP-SIM you need to compile wpa_supplicant with PC/SC support and have pcscd installed.

Andreas

On 08/03/2016 04:00 PM, Chris Green wrote:
> This question is a continuation from the previous thread 'Error with
> pcsc_scan - "buffer overflow detected"'.
>
> I have got a Gemalto IDBridge K30 (as you suggested at the end of the
> above thread, thank you) and it seems to work OK with opensc on my
> xubuntu 16.04 system:-
>
> root@esprimo# pcsc_scan
> PC/SC device scanner
> V 1.4.25 (c) 2001-2011, Ludovic Rousseau <lud...@fr...>
> Compiled with PC/SC lite version: 1.8.14
> Using reader plug'n play mechanism
> Scanning present readers...
> 0: Gemalto USB Shell Token V2 (5689ABD5) 00 00
>
> Tue Aug 2 12:24:58 2016
> Reader 0: Gemalto USB Shell Token V2 (5689ABD5) 00 00
>   Card state: Card inserted,
>   ATR: 3B 16 95 D0 01 6C FD 0D 00
>
> ATR: 3B 16 95 D0 01 6C FD 0D 00
> + TS = 3B --> Direct Convention
> + T0 = 16, Y(1): 0001, K: 6 (historical bytes)
>   TA(1) = 95 --> Fi=512, Di=16, 32 cycles/ETU
>     125000 bits/s at 4 MHz, fMax for Fi = 5 MHz => 156250 bits/s
> + Historical bytes: D0 01 6C FD 0D 00
>   Category indicator byte: D0 (proprietary format)
>
> Possibly identified card (using /root/.cache/smartcard_list.txt):
>     NONE
>
> Your card is not present in the database.
> Please submit your unknown card at:
> http://smartcard-atr.appspot.com/parse?ATR=3B1695D0016CFD0D00
>
>
> Now I want to be able to use the information of the card from
> wpa_supplicant. The blog/instructions I'm following add the following
> to the wpa_supplicant configuration file:-
>
> network={
>     ssid="FreeWifi_secure"
>     key_mgmt=WPA-EAP IEEE8021X
>     eap=SIM
>     pin="1234"
>     pcsc=""
> }
>
> Is this really enough to make wpa_supplicant get the information from
> the card using opensc? Presumably I'd need to run pcscd but is that
> all?
>
> I realise this is a bit off-topic but I can find very little
> information about this anywhere else so any help (or pointers to help)
> would be much appreciated.
>

--

    ---------    CardContact Systems GmbH
   |.##> <##.|   Schülerweg 38
   |#       #|   D-32429 Minden, Germany
   |#       #|   Phone +49 571 56149
   |'##> <##'|   http://www.cardcontact.de
    ---------    Register court: Bad Oeynhausen HRB 14880
                 Managing director: Andreas Schwier

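
A check for the two wpa_supplicant network blocks quoted in this thread, as an added example that is not from the original messages or from wpa_supplicant itself. It flags a smart card or SIM PIN stored in the file (the case the comment above `pin=` describes) and a certificate-based EAP method with no `ca_cert`, `ca_path` or `ca_cert_id`, which per the wpa_supplicant.conf documentation leaves the server certificate unverified; the function names and the `HARDENED` sample are assumptions made for this example.

```python
"""Audit wpa_supplicant network blocks for stored PINs and missing CA settings."""

# EAP methods in which the client is expected to verify a server certificate.
CERT_BASED_EAP = {"TLS", "TTLS", "PEAP"}
CA_SETTINGS = ("ca_cert", "ca_path", "ca_cert_id")

MESSAGES = {
    "pin-in-file": "PIN stored in the file; omit pin= to be prompted via wpa_cli/wpa_gui",
    "no-ca": "no ca_cert/ca_path/ca_cert_id: server certificate is not verified",
}

# Configuration from Andreas Schwier's message (EAP-TLS through the PKCS#11 engine).
PAGE_TLS = '''
pkcs11_engine_path=/usr/lib/engines/engine_pkcs11.so
pkcs11_module_path=/usr/local/lib/opensc-pkcs11.so
network={
    ssid="hostAP"
    key_mgmt=WPA-EAP
    eap=TLS
    identity="User"
    engine=1
    engine_id="pkcs11"
    key_id="5:1"
    cert_id="5:1"
    #ca_cert_id="1"
    pin="875971"
}
'''

# Configuration from Chris Green's message (EAP-SIM through PC/SC).
PAGE_SIM = '''
network={
    ssid="FreeWifi_secure"
    key_mgmt=WPA-EAP IEEE8021X
    eap=SIM
    pin="1234"
    pcsc=""
}
'''

# Constructed variant of PAGE_TLS: PIN prompted at run time, CA taken from the
# token. Assumes the CA certificate really is stored under ID "1" on the card.
HARDENED = PAGE_TLS.replace('#ca_cert_id="1"', 'ca_cert_id="1"').replace(
    '    pin="875971"\n', "")


def parse_wpa_conf(text):
    """Return (global_settings, [network_block, ...]) with quotes stripped."""
    globals_, networks, current = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank line or commented-out setting
        if line == "network={":
            current = {}
        elif line == "}" and current is not None:
            networks.append(current)
            current = None
        else:
            key, sep, value = line.partition("=")
            if sep:
                target = globals_ if current is None else current
                target[key.strip()] = value.strip().strip('"')
    return globals_, networks


def audit(text):
    """Return a list of (ssid, finding_code) for every network block."""
    findings = []
    _, networks = parse_wpa_conf(text)
    for net in networks:
        ssid = net.get("ssid", "<no ssid>")
        if "pin" in net:
            findings.append((ssid, "pin-in-file"))
        methods = set(net.get("eap", "").split())
        if methods & CERT_BASED_EAP and not any(k in net for k in CA_SETTINGS):
            findings.append((ssid, "no-ca"))
    return findings


if __name__ == "__main__":
    for name, conf in (("TLS", PAGE_TLS), ("SIM", PAGE_SIM), ("hardened", HARDENED)):
        for ssid, code in audit(conf) or [("-", None)]:
            print(name, ssid, MESSAGES.get(code, "no findings"))
```
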
From: Chris G. <cl...@is...> - 2016-08-03 15:11:53

> Now I want to be able to use the information of the card from
> wpa_supplicant. The blog/instructions I'm following add the following
> to the wpa_supplicant configuration file:-
>     network={
>         ssid="FreeWifi_secure"
>         key_mgmt=WPA-EAP IEEE8021X
>         eap=SIM
>         pin="1234"
>         pcsc=""
>     }
> Is this really enough to make wpa_supplicant get the information from
> the card using opensc? Presumably I'd need to run pcscd but is that
> all?
> I realise this is a bit off-topic but I can find very little
> information about this anywhere else so any help (or pointers to help)
> would be much appreciated.
>
> What is your card?

It's a Virgin Mobile SIM card. The card reader is a Gemalto IdBridge K30.

> You just reported the ATR as "Phone SIM card" using
> [4]http://smartcard-atr.appspot.com/
> OpenSC does not support SIM cards.

Well it's what pcsc_scan asked me to do! :-)

> I don't know if wpa_supplicant supports EAP-SIM using a SIM card.

It seems that it does, the blog here:-

    https://ohnomoregadgets.wordpress.com/2013/08/28/free-wifi-with-eap-sim-on-a-desktop-computer/

describes how to do it using openct. However openct is deprecated (and seems to have bugs now, as per the earlier thread) so I was hoping to use opensc directly.

> Maybe it would be simpler to use a "FreeWifi" network with login +
> password instead of the "FreeWifi_secure" network using EAP-SIM.
> But you need to have a Freebox to get a "FreeWifi" account.
> For the non-French readers [5]free.fr is a French Internet Service
> Provider (ADSL + optical fibre) and since some years also a GSM
> operator. The ADSL boxes are called freebox and they provide a wifi
> access for all the Free.fr users using login+password if you have a
> freebox yourself or EAP-SIM if you have a Free.fr SIM card.

Yes, exactly, and I have a Free.fr SIM card.

--
Chris Green

From: Ludovic R. <lud...@gm...> - 2016-08-03 15:04:03

2016-08-03 16:00 GMT+02:00 Chris Green <cl...@is...>:

> This question is a continuation from the previous thread 'Error with
> pcsc_scan - "buffer overflow detected"'.
>
> I have got a Gemalto IDBridge K30 (as you suggested at the end of the
> above thread, thank you) and it seems to work OK with opensc on my
> xubuntu 16.04 system:-
>

Great!

>
> root@esprimo# pcsc_scan
> PC/SC device scanner
> V 1.4.25 (c) 2001-2011, Ludovic Rousseau <lud...@fr...>
> Compiled with PC/SC lite version: 1.8.14
> Using reader plug'n play mechanism
> Scanning present readers...
> 0: Gemalto USB Shell Token V2 (5689ABD5) 00 00
>
> Tue Aug 2 12:24:58 2016
> Reader 0: Gemalto USB Shell Token V2 (5689ABD5) 00 00
>   Card state: Card inserted,
>   ATR: 3B 16 95 D0 01 6C FD 0D 00
>
> ATR: 3B 16 95 D0 01 6C FD 0D 00
> + TS = 3B --> Direct Convention
> + T0 = 16, Y(1): 0001, K: 6 (historical bytes)
>   TA(1) = 95 --> Fi=512, Di=16, 32 cycles/ETU
>     125000 bits/s at 4 MHz, fMax for Fi = 5 MHz => 156250 bits/s
> + Historical bytes: D0 01 6C FD 0D 00
>   Category indicator byte: D0 (proprietary format)
>
> Possibly identified card (using /root/.cache/smartcard_list.txt):
>     NONE
>
> Your card is not present in the database.
> Please submit your unknown card at:
> http://smartcard-atr.appspot.com/parse?ATR=3B1695D0016CFD0D00
>
>
> Now I want to be able to use the information of the card from
> wpa_supplicant. The blog/instructions I'm following add the following
> to the wpa_supplicant configuration file:-
>
> network={
>     ssid="FreeWifi_secure"
>     key_mgmt=WPA-EAP IEEE8021X
>     eap=SIM
>     pin="1234"
>     pcsc=""
> }
>
> Is this really enough to make wpa_supplicant get the information from
> the card using opensc? Presumably I'd need to run pcscd but is that
> all?
>
> I realise this is a bit off-topic but I can find very little
> information about this anywhere else so any help (or pointers to help)
> would be much appreciated.
>

What is your card?
You just reported the ATR as "Phone SIM card" using http://smartcard-atr.appspot.com/ <http://smartcard-atr.appspot.com/parse?ATR=3B1695D0016CFD0D00>

OpenSC does not support SIM cards.
I don't know if wpa_supplicant supports EAP-SIM using a SIM card.

Maybe it would be simpler to use a "FreeWifi" network with login + password instead of the "FreeWifi_secure" network using EAP-SIM.
But you need to have a Freebox to get a "FreeWifi" account.

For the non-French readers free.fr is a French Internet Service Provider (ADSL + optical fibre) and since some years also a GSM operator. The ADSL boxes are called freebox and they provide a wifi access for all the Free.fr users using login+password if you have a freebox yourself or EAP-SIM if you have a Free.fr SIM card.

Bye

--
Dr. Ludovic Rousseau

From: Chris G. <cl...@is...> - 2016-08-03 14:00:16

This question is a continuation from the previous thread 'Error with pcsc_scan - "buffer overflow detected"'.

I have got a Gemalto IDBridge K30 (as you suggested at the end of the above thread, thank you) and it seems to work OK with opensc on my xubuntu 16.04 system:-

    root@esprimo# pcsc_scan
    PC/SC device scanner
    V 1.4.25 (c) 2001-2011, Ludovic Rousseau <lud...@fr...>
    Compiled with PC/SC lite version: 1.8.14
    Using reader plug'n play mechanism
    Scanning present readers...
    0: Gemalto USB Shell Token V2 (5689ABD5) 00 00

    Tue Aug 2 12:24:58 2016
    Reader 0: Gemalto USB Shell Token V2 (5689ABD5) 00 00
      Card state: Card inserted,
      ATR: 3B 16 95 D0 01 6C FD 0D 00

    ATR: 3B 16 95 D0 01 6C FD 0D 00
    + TS = 3B --> Direct Convention
    + T0 = 16, Y(1): 0001, K: 6 (historical bytes)
      TA(1) = 95 --> Fi=512, Di=16, 32 cycles/ETU
        125000 bits/s at 4 MHz, fMax for Fi = 5 MHz => 156250 bits/s
    + Historical bytes: D0 01 6C FD 0D 00
      Category indicator byte: D0 (proprietary format)

    Possibly identified card (using /root/.cache/smartcard_list.txt):
        NONE

    Your card is not present in the database.
    Please submit your unknown card at:
    http://smartcard-atr.appspot.com/parse?ATR=3B1695D0016CFD0D00

Now I want to be able to use the information of the card from wpa_supplicant. The blog/instructions I'm following add the following to the wpa_supplicant configuration file:-

    network={
        ssid="FreeWifi_secure"
        key_mgmt=WPA-EAP IEEE8021X
        eap=SIM
        pin="1234"
        pcsc=""
    }

Is this really enough to make wpa_supplicant get the information from the card using opensc? Presumably I'd need to run pcscd but is that all?

I realise this is a bit off-topic but I can find very little information about this anywhere else so any help (or pointers to help) would be much appreciated.

--
Chris Green

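
The ATR breakdown that pcsc_scan prints in the message above can be reproduced with a short ISO/IEC 7816-3 decoder. This is an added example, not part of the original post or of pcsc-tools; `parse_atr` is a hypothetical name, the Fi/Di tables are taken from ISO/IEC 7816-3, and the second ATR in the sample run is constructed to show the TCK check that the card in this thread does not need.

```python
"""Decode an ISO/IEC 7816-3 Answer To Reset the way pcsc_scan reports it."""

# Clock rate conversion factor Fi and maximum clock (MHz), keyed by the high
# nibble of TA(1). Missing keys are reserved for future use (RFU).
FI = {0x0: 372, 0x1: 372, 0x2: 558, 0x3: 744, 0x4: 1116, 0x5: 1488,
      0x6: 1860, 0x9: 512, 0xA: 768, 0xB: 1024, 0xC: 1536, 0xD: 2048}
FMAX_MHZ = {0x0: 4, 0x1: 5, 0x2: 6, 0x3: 8, 0x4: 12, 0x5: 16,
            0x6: 20, 0x9: 5, 0xA: 7.5, 0xB: 10, 0xC: 15, 0xD: 20}
# Baud rate adjustment factor Di, keyed by the low nibble of TA(1).
DI = {0x1: 1, 0x2: 2, 0x3: 4, 0x4: 8, 0x5: 16, 0x6: 32, 0x7: 64,
      0x8: 12, 0x9: 20}
# Category indicator values with a defined meaning (ISO/IEC 7816-4).
CATEGORY = {0x00: "status indicator at end", 0x10: "DIR data reference",
            0x80: "compact-TLV"}


def parse_atr(atr):
    """Parse an ATR given as hex text ("3B 16 ...") or bytes; return a dict."""
    data = bytes.fromhex(atr) if isinstance(atr, str) else bytes(atr)
    if not 2 <= len(data) <= 33:
        raise ValueError("an ATR is 2 to 33 bytes long")
    convention = {0x3B: "direct", 0x3F: "inverse"}.get(data[0])
    if convention is None:
        raise ValueError("TS must be 3B or 3F, got %02X" % data[0])

    pos = 1

    def take(what):
        # Consume one byte, failing loudly on a truncated ATR.
        nonlocal pos
        if pos >= len(data):
            raise ValueError("ATR truncated before " + what)
        pos += 1
        return data[pos - 1]

    t0 = take("T0")
    y, k = t0 >> 4, t0 & 0x0F        # Y(1) presence bitmap, K historical bytes
    interface, protocols, i = {}, [], 1
    while True:
        for bit, name in ((1, "TA"), (2, "TB"), (4, "TC")):
            if y & bit:
                interface["%s%d" % (name, i)] = take("%s%d" % (name, i))
        if not y & 8:                # no TD(i): interface bytes end here
            break
        td = take("TD%d" % i)
        interface["TD%d" % i] = td
        protocols.append(td & 0x0F)  # low nibble names protocol T
        y, i = td >> 4, i + 1        # high nibble is Y(i+1)

    historical = bytes(take("historical byte") for _ in range(k))

    # TCK exists only when some TD announces a protocol other than T=0; the
    # XOR of every byte from T0 through TCK must then be zero.
    tck_ok = None
    if any(p != 0 for p in protocols):
        take("TCK")
        xor = 0
        for b in data[1:pos]:
            xor ^= b
        tck_ok = xor == 0
    if pos != len(data):
        raise ValueError("%d unexpected trailing byte(s)" % (len(data) - pos))

    ta1 = interface.get("TA1", 0x11)  # absent TA(1) means Fi=372, Di=1
    fi, di = FI.get(ta1 >> 4), DI.get(ta1 & 0x0F)
    timing = None
    if fi and di:                     # None when either nibble is RFU
        timing = {"cycles_per_etu": fi / di,
                  "bits_per_s_at_4mhz": 4_000_000 * di // fi,
                  "bits_per_s_at_fmax":
                      int(FMAX_MHZ[ta1 >> 4] * 1_000_000 * di / fi)}

    category = None
    if historical:
        c = historical[0]
        category = CATEGORY.get(
            c, "RFU" if 0x81 <= c <= 0x8F else "proprietary")

    return {"convention": convention, "interface": interface,
            "protocols": protocols or [0], "historical": historical,
            "category": category, "Fi": fi, "Di": di, "timing": timing,
            "tck_ok": tck_ok}


if __name__ == "__main__":
    # First ATR is the one from the thread; the second is constructed.
    for sample in ("3B 16 95 D0 01 6C FD 0D 00", "3B 80 80 01 01"):
        print(sample, "->", parse_atr(sample))
```
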
From: Anders R. <and...@gm...> - 2016-08-02 14:33:44

On 2016-08-02 10:29, Ludovic Rousseau wrote:
> Hello Frank,
>
> I am not a GlobalPlatform expert. The API is/was also proposed at the W3C.
> From the W3C mailing list pub...@w3... <mailto:pub...@w3...> archive [1] I see people names present on the OpenSC mailing list.
> Maybe more knowledgeable people can answer you.

The fundamental problem with connecting smart cards to the Web is that transiently downloaded javascript from possibly unknown Web sites is not comparable to explicitly installed (hopefully) "trusted" applications.

Due to that users will have to deal with security questions they know zilch of:
http://webpki.org/papers/permissions.pdf

I do not see how the GP access control system could be used on the Web and I do not think the browser vendors know that either.

However, the smart card folks keep dreaming of the Web:
https://www.w3.org/community/hb-secure-services/

Personally, I continue claiming that there is another way
https://github.com/w3c/websec/issues/91#issuecomment-235160950
which is flexible and doesn't require 5 years of standardization.

Anders

>
> Bye
>
> [1] http://lists.w3.org/Archives/Public/public-sysapps/
>
> 2016-08-01 22:42 GMT+02:00 Frank Morgner <mo...@in... <mailto:mo...@in...>>:
>
>     Hi Ludovic!
>
>     Do you have any insights on how the GP's approach relates to the
>     attempts over the past years on bringing smart card access to the
>     browser?
>
>     Regards,
>     Frank.
>
>
>     On Monday, August 01 at 11:43AM, Ludovic Rousseau wrote:
>     > Hello,
>     >
>     > A new API is discussed the GlobalPlatform organisation.
>     > "Web API For Accessing Secure Element"
>     > http://globalplatform.github.io/WebApis-for-SE/doc/
>     >
>     > The idea is to provide an access to secure elements (smart cards and other
>     > form factors) from a Javascript application in a web browser.
>     >
>     > It is a low level API. You can exchange APDU to secure elements (smart
>     > cards).
>     > I don't think the API is provided by any web browser yet.
>     >
>     >
>     > When the API is ready (and deployed) I could write a new sample code in
>     > Javascript and add it to my list "PC/SC sample in different languages"
>     > http://ludovicrousseau.blogspot.fr/2010/04/pcsc-sample-in-different-languages.html
>     >
>     > Bye
>     >
>     > --
>     > Dr. Ludovic Rousseau
>
>     > _______________________________________________
>     > Pcsclite-muscle mailing list
>     > Pcs...@li... <mailto:Pcs...@li...>
>     > http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pcsclite-muscle
>
>     --
>     Frank Morgner
>
>     Virtual Smart Card Architecture http://vsmartcard.sourceforge.net
>     OpenPACE http://openpace.sourceforge.net
>     IFD Handler for libnfc Devices http://sourceforge.net/projects/ifdnfc
>
>     _______________________________________________
>     Pcsclite-muscle mailing list
>     Pcs...@li... <mailto:Pcs...@li...>
>     http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pcsclite-muscle
>
>
> --
> Dr. Ludovic Rousseau
>
> _______________________________________________
> Opensc-devel mailing list
> Ope...@li...
> https://lists.sourceforge.net/lists/listinfo/opensc-devel

From: Ludovic R. <lud...@gm...> - 2016-08-02 08:29:25
|
Hello Frank,

I am not a GlobalPlatform expert. The API is/was also proposed at the W3C.
From the W3C mailing list pub...@w3... archive [1] I see people's names present on the OpenSC mailing list.
Maybe more knowledgeable people can answer you.

Bye

[1] http://lists.w3.org/Archives/Public/public-sysapps/

2016-08-01 22:42 GMT+02:00 Frank Morgner <mo...@in...>:

> Hi Ludovic!
>
> Do you have any insights on how the GP's approach relates to the
> attempts over the past years on bringing smart card access to the
> browser?
>
> Regards,
> Frank.
>
>
> On Monday, August 01 at 11:43AM, Ludovic Rousseau wrote:
> > Hello,
> >
> > A new API is discussed the GlobalPlatform organisation.
> > "Web API For Accessing Secure Element"
> > http://globalplatform.github.io/WebApis-for-SE/doc/
> >
> > The idea is to provide an access to secure elements (smart cards and other
> > form factors) from a Javascript application in a web browser.
> >
> > It is a low level API. You can exchange APDU to secure elements (smart
> > cards).
> > I don't think the API is provided by any web browser yet.
> >
> >
> > When the API is ready (and deployed) I could write a new sample code in
> > Javascript and add it to my list "PC/SC sample in different languages"
> > http://ludovicrousseau.blogspot.fr/2010/04/pcsc-sample-in-different-languages.html
> >
> > Bye
> >
> > --
> > Dr. Ludovic Rousseau
>
> > _______________________________________________
> > Pcsclite-muscle mailing list
> > Pcs...@li...
> > http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pcsclite-muscle
>
> --
> Frank Morgner
>
> Virtual Smart Card Architecture http://vsmartcard.sourceforge.net
> OpenPACE http://openpace.sourceforge.net
> IFD Handler for libnfc Devices http://sourceforge.net/projects/ifdnfc
>
> _______________________________________________
> Pcsclite-muscle mailing list
> Pcs...@li...
> http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pcsclite-muscle
>

--
Dr. Ludovic Rousseau |
From: Chris G. <cl...@is...> - 2016-07-31 14:51:33
|
On Sun, Jul 31, 2016 at 04:01:00PM +0200, Ludovic Rousseau wrote:
> 2016-07-31 10:54 GMT+02:00 Chris Green <[1]cl...@is...>:
>
> On Sat, Jul 30, 2016 at 11:26:41PM +0200, Ludovic Rousseau wrote:
> [snip openct problem]
> >
> > I suspect a bug in OpenCT.
> > I suggest to use a CCID supported reader instead.
> Are there such readers which can read a SIM card?
>
> By SIM card I guess you mean the mini SIM, or 2FF, smart card format
> [1].

Yes, that's the one.

> Yes, such readers exists. Like the Gemalto IDBridge K30 [2] and some
> others.

Thank you, they're not too expensive either, £12.95, so I'll get one and should be able to progress from there.

--
Chris Green |
From: Ludovic R. <lud...@gm...> - 2016-07-31 14:01:22
|
2016-07-31 10:54 GMT+02:00 Chris Green <cl...@is...>:

> On Sat, Jul 30, 2016 at 11:26:41PM +0200, Ludovic Rousseau wrote:
> [snip openct problem]
> >
> > I suspect a bug in OpenCT.
> > I suggest to use a CCID supported reader instead.
>
> Are there such readers which can read a SIM card?
>

By SIM card I guess you mean the mini SIM, or 2FF, smart card format [1].

Yes, such readers exist. Like the Gemalto IDBridge K30 [2] and some others.

Bye

[1] https://en.wikipedia.org/wiki/Subscriber_identity_module#Formats
[2] https://pcsclite.alioth.debian.org/ccid/shouldwork.html#0x08E60x3438

--
Dr. Ludovic Rousseau |
From: Chris G. <cl...@is...> - 2016-07-31 10:55:32
|
On Sun, Jul 31, 2016 at 09:52:32AM +0100, Chris Green wrote:
> > You should not need openct now, unless you use a smart card reader that
> > does not work with the CCID driver.
> > Just install pcscd, that should also install libccid.
> > You can use
> > [3]https://ludovicrousseau.blogspot.fr/2014/03/level-1-smart-card-support-on-gnulinux.html
> > to check your reader is working correctly.
>
> Ah, OK, so I don't need openct. I'll need to work out how how to get
> the information into the wpa_supplicant configuration. However I will
> start again with just pcscd and see if I can reliable reading of my
> SIM with that.
>

I'm a little lost now (nothing new there!)

How do I work out if a SIM card reader is compatible with pcscd? The documentation all talks about 'Smart Card' readers and I'm not at all clear how a SIM card reader fits in with this. Are there CCID readers that can read SIMs?

--
Chris Green |
From: Chris G. <cl...@is...> - 2016-07-31 08:54:37
|
On Sat, Jul 30, 2016 at 11:26:41PM +0200, Ludovic Rousseau wrote:
[snip openct problem]
>
> I suspect a bug in OpenCT.
> I suggest to use a CCID supported reader instead.

Are there such readers which can read a SIM card?

--
Chris Green |
From: Chris G. <cl...@is...> - 2016-07-31 08:52:42
|
On Sat, Jul 30, 2016 at 11:22:24PM +0200, Ludovic Rousseau wrote:
> Hello,
> 2016-07-23 17:21 GMT+02:00 Chris Green <[1]cl...@is...>:
>
> Sorry if these are not really development list questions but I can't
> really see anywhere else to ask.
>
> Yes, that is the correct mailing list.
>
> I am trying to implement EAP-SIM authentication as a WiFi client, as
> described here:-
>
> [2]https://ohnomoregadgets.wordpress.com/2013/08/28/free-wifi-with-eap-sim-on-a-desktop-computer/
> This requires the openct package to be installed but openct seems to
> have disappeared from all current Debian derived distributions.
> Is there something newer in the OpenSC project that replaces openct
> or
> should I just bite the bullet and build openct from source?
>
> You should not need openct now, unless you use a smart card reader that
> does not work with the CCID driver.
> Just install pcscd, that should also install libccid.
> You can use
> [3]https://ludovicrousseau.blogspot.fr/2014/03/level-1-smart-card-support-on-gnulinux.html
> to check your reader is working correctly.

Ah, OK, so I don't need openct. I'll need to work out how to get the information into the wpa_supplicant configuration. However I will start again with just pcscd and see if I can get reliable reading of my SIM with that.

Thank you.

--
Chris Green |
From: Ludovic R. <lud...@gm...> - 2016-07-30 21:27:04
|
Hello,

2016-07-27 22:54 GMT+02:00 Chris Green <cl...@is...>:

> I'm trying to use openct and pcscd to read from a SIM card using a
> Phoenix based USB card reader.
>
> I'm running these on an xubuntu 14.04 system. I'm using pcscd
> pcsc-tools and libpcsclite-dev from the Ubuntu repositories but I've
> been building my own openct as per your instructions:-
>
> https://github.com/OpenSC/openct/wiki/A-quick-installation-guide-to-openct
>
>
> I seem to have openct and openct-tool working OK:-
>
> root@acer-aspire:~# openct-tool atr
> Detected Phoenix reader
> Card present, status changed
> ATR: 3f 2f 00 80 69 af 03 07 03 5a 00 15 0a 0e 83 3e 9f 16 ff ff ff ff
> ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
> ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
>

This ATR is far too long.

> However, should I be getting that string of 'ff ff ff ff ....' at the
> end?
>

No. It is a bug.

>
> Then if I run pcsc_scan I get:-
>
> root@acer-aspire:/etc/reader.conf.d# pcsc_scan
> PC/SC device scanner
> V 1.4.22 (c) 2001-2011, Ludovic Rousseau <lud...@fr...>
> Compiled with PC/SC lite version: 1.8.10
> Using reader plug'n play mechanism
> Scanning present readers...
> 0: openct 00 00
> 1: ��������������������
>
> Wed Jul 27 21:37:22 2016
> Reader 0: openct 00 00
> Card state: Card inserted,
> ATR: 3F 2F 00 80 69 AF 03 07 03 5A 00 15 0A 0E 83 3E 9F 16 FF FF FF
> FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF 40 00 00 00 00 00 00 00 FF FF
> FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
>
> *** buffer overflow detected ***: pcsc_scan terminated
> ======= Backtrace: =========
> /lib/i386-linux-gnu/libc.so.6(+0x68fce)[0xb75a9fce]
> /lib/i386-linux-gnu/libc.so.6(__fortify_fail+0x6b)[0xb763cb8b]
> /lib/i386-linux-gnu/libc.so.6(+0xfaa1a)[0xb763ba1a]
> /lib/i386-linux-gnu/libc.so.6(+0xfa178)[0xb763b178]
> /lib/i386-linux-gnu/libc.so.6(_IO_default_xsputn+0x8e)[0xb75b1d8e]
> /lib/i386-linux-gnu/libc.so.6(_IO_vfprintf+0x4a79)[0xb7589289]
> /lib/i386-linux-gnu/libc.so.6(__vsprintf_chk+0xb1)[0xb763b231]
> /lib/i386-linux-gnu/libc.so.6(__sprintf_chk+0x2f)[0xb763b15f]
> pcsc_scan[0x8048fc6]
> /lib/i386-linux-gnu/libc.so.6(__libc_start_main+0xf3)[0xb755aaf3]
> pcsc_scan[0x80493ca]
> Aborted (core dumped)
> root@acer-aspire:/etc/reader.conf.d#
>
>
> It's *almost* working!
>
> Can anyone suggest what might be wrong and what I can do about it?
>

I suspect a bug in OpenCT.
I suggest to use a CCID supported reader instead.

Bye

[1] https://pcsclite.alioth.debian.org/ccid/supported.html

--
Dr. Ludovic Rousseau |
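The diagnosis in the message above can be checked from the bytes themselves: T0 = 0x2F announces one interface byte (TB1) and 15 historical bytes, so the ATR is 18 bytes long and the trailing FF run is not part of it. The C code below is an added example, not part of the thread and not code from pcsc-tools, pcsc-lite or OpenCT; it computes the length an ATR declares for itself and hex-formats it with a bounded write. The names `atr_declared_len`, `atr_to_hex`, `sample_buffer` and `ATR_MAX` are hypothetical, and the ISO 7816-3 ATR layout with its 33-byte limit is assumed.

```c
#include <stdio.h>
#include <string.h>

#define ATR_MAX 33 /* assumed ISO 7816-3 limit: TS plus at most 32 bytes */

/* Length the ATR declares for itself (TS, T0, interface bytes, historical
 * bytes, optional TCK), or 0 if it is malformed or exceeds ATR_MAX. */
size_t atr_declared_len(const unsigned char *atr, size_t buflen)
{
    if (buflen < 2) return 0;
    unsigned y = atr[1] >> 4;     /* Y1: which of TA1..TD1 follow T0 */
    size_t hist = atr[1] & 0x0F;  /* K: number of historical bytes */
    size_t pos = 2;               /* index of the next unread byte */
    int tck = 0;
    for (;;) {
        pos += (y & 1) + ((y >> 1) & 1) + ((y >> 2) & 1); /* TAi, TBi, TCi */
        if (!(y & 8)) break;      /* no TDi: interface bytes end here */
        if (pos >= buflen || pos >= ATR_MAX) return 0;
        unsigned td = atr[pos++];
        if (td & 0x0F) tck = 1;   /* a protocol other than T=0 adds TCK */
        y = td >> 4;
    }
    size_t total = pos + hist + (size_t)tck;
    return (total <= ATR_MAX && total <= buflen) ? total : 0;
}

/* Hex-format n bytes into out without ever writing past outlen.
 * Returns n on success, 0 if n is out of range or out is too small. */
size_t atr_to_hex(const unsigned char *atr, size_t n, char *out, size_t outlen)
{
    if (outlen == 0) return 0;
    out[0] = '\0';
    if (n == 0 || n > ATR_MAX || 3 * n > outlen) return 0;
    for (size_t i = 0; i < n; i++)
        snprintf(out + 3 * i, outlen - 3 * i, "%02X ", atr[i]);
    out[3 * n - 1] = '\0';        /* replace the trailing space */
    return n;
}

/* Constructed sample: the 18 leading bytes of the ATR quoted in the thread,
 * padded with 0xFF to 64 bytes, the length of the buffer that was printed. */
size_t sample_buffer(unsigned char buf[64])
{
    static const unsigned char atr[] = {
        0x3F, 0x2F, 0x00, 0x80, 0x69, 0xAF, 0x03, 0x07, 0x03,
        0x5A, 0x00, 0x15, 0x0A, 0x0E, 0x83, 0x3E, 0x9F, 0x16 };
    memset(buf, 0xFF, 64);
    memcpy(buf, atr, sizeof atr);
    return 64;
}

int main(void)
{
    unsigned char buf[64]; char hex[3 * ATR_MAX];
    size_t n = atr_declared_len(buf, sample_buffer(buf));
    if (atr_to_hex(buf, n, hex, sizeof hex)) printf("ATR (%zu bytes): %s\n", n, hex);
    else puts("ATR rejected");
    return 0;
}
```

A caller that validates the declared length first and refuses anything above the limit never hands a 64-byte buffer to a formatter sized for 33 bytes.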
From: Ludovic R. <lud...@gm...> - 2016-07-30 21:22:48
|
Hello,

2016-07-23 17:21 GMT+02:00 Chris Green <cl...@is...>:

> Sorry if these are not really development list questions but I can't
> really see anywhere else to ask.
>

Yes, that is the correct mailing list.

> I am trying to implement EAP-SIM authentication as a WiFi client, as
> described here:-
>
> https://ohnomoregadgets.wordpress.com/2013/08/28/free-wifi-with-eap-sim-on-a-desktop-computer/
>
> This requires the openct package to be installed but openct seems to
> have disappeared from all current Debian derived distributions.
>
> Is there something newer in the OpenSC project that replaces openct or
> should I just bite the bullet and build openct from source?
>

You should not need openct now, unless you use a smart card reader that does not work with the CCID driver.
Just install pcscd, that should also install libccid.

You can use https://ludovicrousseau.blogspot.fr/2014/03/level-1-smart-card-support-on-gnulinux.html to check your reader is working correctly.

Bye

--
Dr. Ludovic Rousseau |
From: Chris G. <cl...@is...> - 2016-07-27 20:54:51
|
I'm trying to use openct and pcscd to read from a SIM card using a Phoenix based USB card reader.

I'm running these on an xubuntu 14.04 system. I'm using pcscd pcsc-tools and libpcsclite-dev from the Ubuntu repositories but I've been building my own openct as per your instructions:-

https://github.com/OpenSC/openct/wiki/A-quick-installation-guide-to-openct

I seem to have openct and openct-tool working OK:-

root@acer-aspire:~# openct-tool atr
Detected Phoenix reader
Card present, status changed
ATR: 3f 2f 00 80 69 af 03 07 03 5a 00 15 0a 0e 83 3e 9f 16 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff

However, should I be getting that string of 'ff ff ff ff ....' at the end?

Then if I run pcsc_scan I get:-

root@acer-aspire:/etc/reader.conf.d# pcsc_scan
PC/SC device scanner
V 1.4.22 (c) 2001-2011, Ludovic Rousseau <lud...@fr...>
Compiled with PC/SC lite version: 1.8.10
Using reader plug'n play mechanism
Scanning present readers...
0: openct 00 00
1: ��������������������

Wed Jul 27 21:37:22 2016
Reader 0: openct 00 00
Card state: Card inserted,
ATR: 3F 2F 00 80 69 AF 03 07 03 5A 00 15 0A 0E 83 3E 9F 16 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF 40 00 00 00 00 00 00 00 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF

*** buffer overflow detected ***: pcsc_scan terminated
======= Backtrace: =========
/lib/i386-linux-gnu/libc.so.6(+0x68fce)[0xb75a9fce]
/lib/i386-linux-gnu/libc.so.6(__fortify_fail+0x6b)[0xb763cb8b]
/lib/i386-linux-gnu/libc.so.6(+0xfaa1a)[0xb763ba1a]
/lib/i386-linux-gnu/libc.so.6(+0xfa178)[0xb763b178]
/lib/i386-linux-gnu/libc.so.6(_IO_default_xsputn+0x8e)[0xb75b1d8e]
/lib/i386-linux-gnu/libc.so.6(_IO_vfprintf+0x4a79)[0xb7589289]
/lib/i386-linux-gnu/libc.so.6(__vsprintf_chk+0xb1)[0xb763b231]
/lib/i386-linux-gnu/libc.so.6(__sprintf_chk+0x2f)[0xb763b15f]
pcsc_scan[0x8048fc6]
/lib/i386-linux-gnu/libc.so.6(__libc_start_main+0xf3)[0xb755aaf3]
pcsc_scan[0x80493ca]
Aborted (core dumped)
root@acer-aspire:/etc/reader.conf.d#

It's *almost* working!

Can anyone suggest what might be wrong and what I can do about it?

--
Chris Green |
From: Chris G. <cl...@is...> - 2016-07-23 15:21:10
|
Sorry if these are not really development list questions but I can't really see anywhere else to ask.

I am trying to implement EAP-SIM authentication as a WiFi client, as described here:-

https://ohnomoregadgets.wordpress.com/2013/08/28/free-wifi-with-eap-sim-on-a-desktop-computer/

This requires the openct package to be installed but openct seems to have disappeared from all current Debian derived distributions.

Is there something newer in the OpenSC project that replaces openct or should I just bite the bullet and build openct from source?

Thanks for any help.

--
Chris Green |
From: Viktor T. <vik...@gm...> - 2016-07-17 16:14:28
|
Hi,

OpenSC/OpenSC master has been rebased, as a result of discussion in #823.

Please save your existing local PR/feature/etc. branches, create new ones from the current OpenSC/OpenSC master, and re-apply your enhancements to the newly created branches.

That's an exceptional measure that normally will not occur in the future.

Sorry for the inconvenience,

Kind regards,
Viktor. |