Menu
▾
▴
opensc-devel — discussion of developement of OpenSC and related projects
You can subscribe to this list here.
| 2012 |
Jan
|
Feb
|
Mar
|
Apr
|
May
|
Jun
|
Jul
|
Aug
|
Sep
|
Oct
|
Nov
|
Dec
(1) |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 2013 |
Jan
(26) |
Feb
(64) |
Mar
(78) |
Apr
(36) |
May
(51) |
Jun
(40) |
Jul
(43) |
Aug
(102) |
Sep
(50) |
Oct
(71) |
Nov
(42) |
Dec
(29) |
| 2014 |
Jan
(49) |
Feb
(52) |
Mar
(56) |
Apr
(30) |
May
(31) |
Jun
(52) |
Jul
(76) |
Aug
(19) |
Sep
(82) |
Oct
(95) |
Nov
(58) |
Dec
(76) |
| 2015 |
Jan
(135) |
Feb
(43) |
Mar
(47) |
Apr
(72) |
May
(59) |
Jun
(20) |
Jul
(17) |
Aug
(14) |
Sep
(34) |
Oct
(62) |
Nov
(48) |
Dec
(23) |
| 2016 |
Jan
(18) |
Feb
(55) |
Mar
(24) |
Apr
(20) |
May
(33) |
Jun
(29) |
Jul
(18) |
Aug
(15) |
Sep
(8) |
Oct
(21) |
Nov
(5) |
Dec
(23) |
| 2017 |
Jan
(3) |
Feb
|
Mar
(17) |
Apr
(4) |
May
|
Jun
(5) |
Jul
(1) |
Aug
(20) |
Sep
(17) |
Oct
(21) |
Nov
|
Dec
(3) |
| 2018 |
Jan
(62) |
Feb
(4) |
Mar
(4) |
Apr
(20) |
May
(16) |
Jun
|
Jul
(1) |
Aug
(9) |
Sep
(3) |
Oct
(11) |
Nov
|
Dec
(9) |
| 2019 |
Jan
(1) |
Feb
(1) |
Mar
(2) |
Apr
|
May
|
Jun
|
Jul
|
Aug
|
Sep
(2) |
Oct
(5) |
Nov
|
Dec
(5) |
| 2020 |
Jan
(11) |
Feb
(14) |
Mar
(7) |
Apr
|
May
|
Jun
(3) |
Jul
(3) |
Aug
(6) |
Sep
(2) |
Oct
(15) |
Nov
(11) |
Dec
(7) |
| 2021 |
Jan
(14) |
Feb
(21) |
Mar
(3) |
Apr
(1) |
May
(1) |
Jun
|
Jul
(1) |
Aug
(1) |
Sep
(3) |
Oct
|
Nov
|
Dec
|
| 2022 |
Jan
|
Feb
(1) |
Mar
|
Apr
|
May
|
Jun
(2) |
Jul
|
Aug
|
Sep
|
Oct
(4) |
Nov
(12) |
Dec
|
| 2023 |
Jan
(2) |
Feb
(4) |
Mar
|
Apr
(8) |
May
|
Jun
(2) |
Jul
|
Aug
(3) |
Sep
(1) |
Oct
|
Nov
(1) |
Dec
(1) |
| 2024 |
Jan
|
Feb
(2) |
Mar
(6) |
Apr
(1) |
May
|
Jun
(2) |
Jul
|
Aug
|
Sep
(1) |
Oct
|
Nov
(4) |
Dec
|
| 2025 |
Jan
(1) |
Feb
|
Mar
|
Apr
(5) |
May
|
Jun
|
Jul
(11) |
Aug
|
Sep
|
Oct
|
Nov
|
Dec
|
|
From: Douglas E E. <dee...@gm...> - 2016-05-20 18:54:44
|
On 5/20/2016 11:05 AM, Gyurgyik, Matthew S. wrote: > > Is there a clever way to forward the card reader to the bastion host? > Closest thing is the Windows RDC/unix rdesktop that can do pcsc over the RDC session. But RDC is not SSH. The pcscd on the bastion host might give one user access to another user's card. (but would require the PIN.) Forwarding the the ssh-agent connection sounds like the way to go as that is the point of forwarding the ssh-agent. -- Douglas E. Engert <DEE...@gm...> |
|
From: Douglas E E. <dee...@gm...> - 2016-05-20 18:46:26
|
The problem maybe ssh_add has access to the environment variables, but it passes the name of the library /usr/lib64/pkcs11-spy.so to the ssh-agent that then loads the library. pkcs11-spy.so needs to then open the log and load the real PKCS#11 library so ssh-agent needs access to: export PKCS11SPY=/usr/lib64/opensc-pkcs11.so export PKCS11SPY_OUTPUT=/tmp/pkcs11-spy.$$.log Could also be full path to the logfile is needed in a directory writable like /tmp/pkcs11-spy.$$.log to get one log per process. On 5/20/2016 11:02 AM, Matthew Gyurgyik wrote: > On 16-05-20 07:09:16, Douglas E Engert wrote: >> >> >> On 5/19/2016 7:18 PM, Gyurgyik, Matthew S. wrote: >>> Hello. >>> >>> First, let me say I’m new to smart cards and I haven’t been able to find much documentation on how they work. I’m looking for some education, if there is a better place to post this question, please let me know. >>> >>> I can add keys provided by my smart card to ssh-agent with >>> >>> $ ssh-add -s /Library/OpenSC/lib/opensc-pkcs11.so >>> >>> However, if I remove the card from the reader and then reinsert it I have to re-add the keys >>> >>> $ ssh-add -e /Library/OpenSC/lib/opensc-pkcs11.so >>> $ ssh-add -s /Library/OpenSC/lib/opensc-pkcs11.so >>> >>> This happens on both OS X and RHEL7. I am assuming this expected behavior. Can someone explain (or point me to documentation) why it is necessary to remove the keys and re-add them? >>> >> >> You could ask on the OpenSSH list. >> >> I would suspect that the code is simple and only looks for a card when ssh-add is first called and the code does not know how to look for a reinsertion of the card. >> >> To see what it is doing, you could use the OpenSC SPY trace. See ssh-add example in: >> >> https://github.com/OpenSC/OpenSC/wiki/Using-OpenSC >> > > I tried those instructions but I can't get PKCS11SPY to work. > > ~ $ PKCS11SPY=/usr/lib64/opensc-pkcs11.so PKCS11SPY_OUTPUT=logfile ssh-add -s /usr/lib64/pkcs11-spy.so > Enter passphrase for PKCS#11: > SSH_AGENT_FAILURE > Could not add card: /usr/lib64/pkcs11-spy.so > > However this works just fine > > ~ $ ssh-add -s /usr/lib64/opensc-pkcs11.so > Enter passphrase for PKCS#11: > Card added: /usr/lib64/opensc-pkcs11.so > > I tried on both RHEL and OS X. > > Thanks, > Matthew > . > -- Douglas E. Engert <DEE...@gm...> |
|
From: Gyurgyik, M. S. <gyu...@or...> - 2016-05-20 16:05:28
|
On 16-05-20 14:54:39, Andreas Kemnade wrote: > Hello, > > Am Fri, 20 May 2016 00:18:48 +0000 > schrieb "Gyurgyik, Matthew S." <gyu...@or...>: > > > Hello. > > > > First, let me say I’m new to smart cards and I haven’t been able to > > find much documentation on how they work. I’m looking for some > > education, if there is a better place to post this question, please > > let me know. > > > > I can add keys provided by my smart card to ssh-agent with > > > > $ ssh-add -s /Library/OpenSC/lib/opensc-pkcs11.so > > > > However, if I remove the card from the reader and then reinsert it I > > have to re-add the keys > > > > $ ssh-add -e /Library/OpenSC/lib/opensc-pkcs11.so > > $ ssh-add -s /Library/OpenSC/lib/opensc-pkcs11.so > > > > This happens on both OS X and RHEL7. I am assuming this expected > > behavior. Can someone explain (or point me to documentation) why it > > is necessary to remove the keys and re-add them? > > > here I simply use > $ cat .ssh/config > Host xxx > PKCS11Provider /usr/local/lib/opensc-pkcs11.so > > xxx is the host I use the private key to connect to. > > No commands for card removal/reinsertion needed. > > Regards, > Andreas Kemnade > Thanks for the suggestion and that certainly works, however I have a bastion host which allows access to the rest of the network. I am using SSH Agent Forwarding to allow authentication to hosts past the bastion host. Is there a clever way to forward the card reader to the bastion host? Thanks, Matthew |
|
From: Matthew G. <gyu...@or...> - 2016-05-20 16:02:23
|
On 16-05-20 07:09:16, Douglas E Engert wrote: > > > On 5/19/2016 7:18 PM, Gyurgyik, Matthew S. wrote: > > Hello. > > > > First, let me say I’m new to smart cards and I haven’t been able to find much documentation on how they work. I’m looking for some education, if there is a better place to post this question, please let me know. > > > > I can add keys provided by my smart card to ssh-agent with > > > > $ ssh-add -s /Library/OpenSC/lib/opensc-pkcs11.so > > > > However, if I remove the card from the reader and then reinsert it I have to re-add the keys > > > > $ ssh-add -e /Library/OpenSC/lib/opensc-pkcs11.so > > $ ssh-add -s /Library/OpenSC/lib/opensc-pkcs11.so > > > > This happens on both OS X and RHEL7. I am assuming this expected behavior. Can someone explain (or point me to documentation) why it is necessary to remove the keys and re-add them? > > > > You could ask on the OpenSSH list. > > I would suspect that the code is simple and only looks for a card when ssh-add is first called and the code does not know how to look for a reinsertion of the card. > > To see what it is doing, you could use the OpenSC SPY trace. See ssh-add example in: > > https://github.com/OpenSC/OpenSC/wiki/Using-OpenSC > I tried those instructions but I can't get PKCS11SPY to work. ~ $ PKCS11SPY=/usr/lib64/opensc-pkcs11.so PKCS11SPY_OUTPUT=logfile ssh-add -s /usr/lib64/pkcs11-spy.so Enter passphrase for PKCS#11: SSH_AGENT_FAILURE Could not add card: /usr/lib64/pkcs11-spy.so However this works just fine ~ $ ssh-add -s /usr/lib64/opensc-pkcs11.so Enter passphrase for PKCS#11: Card added: /usr/lib64/opensc-pkcs11.so I tried on both RHEL and OS X. Thanks, Matthew |
|
From: Andreas K. <ke...@un...> - 2016-05-20 13:25:24
|
Hello, Am Fri, 20 May 2016 00:18:48 +0000 schrieb "Gyurgyik, Matthew S." <gyu...@or...>: > Hello. > > First, let me say I’m new to smart cards and I haven’t been able to > find much documentation on how they work. I’m looking for some > education, if there is a better place to post this question, please > let me know. > > I can add keys provided by my smart card to ssh-agent with > > $ ssh-add -s /Library/OpenSC/lib/opensc-pkcs11.so > > However, if I remove the card from the reader and then reinsert it I > have to re-add the keys > > $ ssh-add -e /Library/OpenSC/lib/opensc-pkcs11.so > $ ssh-add -s /Library/OpenSC/lib/opensc-pkcs11.so > > This happens on both OS X and RHEL7. I am assuming this expected > behavior. Can someone explain (or point me to documentation) why it > is necessary to remove the keys and re-add them? > here I simply use $ cat .ssh/config Host xxx PKCS11Provider /usr/local/lib/opensc-pkcs11.so xxx is the host I use the private key to connect to. No commands for card removal/reinsertion needed. Regards, Andreas Kemnade |
|
From: Douglas E E. <dee...@gm...> - 2016-05-20 12:09:25
|
On 5/19/2016 7:18 PM, Gyurgyik, Matthew S. wrote: > Hello. > > First, let me say I’m new to smart cards and I haven’t been able to find much documentation on how they work. I’m looking for some education, if there is a better place to post this question, please let me know. > > I can add keys provided by my smart card to ssh-agent with > > $ ssh-add -s /Library/OpenSC/lib/opensc-pkcs11.so > > However, if I remove the card from the reader and then reinsert it I have to re-add the keys > > $ ssh-add -e /Library/OpenSC/lib/opensc-pkcs11.so > $ ssh-add -s /Library/OpenSC/lib/opensc-pkcs11.so > > This happens on both OS X and RHEL7. I am assuming this expected behavior. Can someone explain (or point me to documentation) why it is necessary to remove the keys and re-add them? > You could ask on the OpenSSH list. I would suspect that the code is simple and only looks for a card when ssh-add is first called and the code does not know how to look for a reinsertion of the card. To see what it is doing, you could use the OpenSC SPY trace. See ssh-add example in: https://github.com/OpenSC/OpenSC/wiki/Using-OpenSC > Thank you, > Matthew Gyurgyik > > ------------------------------------------------------------------------------ > Mobile security can be enabling, not merely restricting. Employees who > bring their own devices (BYOD) to work are irked by the imposition of MDM > restrictions. Mobile Device Manager Plus allows you to control only the > apps on BYO-devices by containerizing them, leaving personal data untouched! > https://ad.doubleclick.net/ddm/clk/304595813;131938128;j > _______________________________________________ > Opensc-devel mailing list > Ope...@li... > https://lists.sourceforge.net/lists/listinfo/opensc-devel > -- Douglas E. Engert <DEE...@gm...> |
|
From: Gyurgyik, M. S. <gyu...@or...> - 2016-05-20 00:18:57
|
Hello. First, let me say I’m new to smart cards and I haven’t been able to find much documentation on how they work. I’m looking for some education, if there is a better place to post this question, please let me know. I can add keys provided by my smart card to ssh-agent with $ ssh-add -s /Library/OpenSC/lib/opensc-pkcs11.so However, if I remove the card from the reader and then reinsert it I have to re-add the keys $ ssh-add -e /Library/OpenSC/lib/opensc-pkcs11.so $ ssh-add -s /Library/OpenSC/lib/opensc-pkcs11.so This happens on both OS X and RHEL7. I am assuming this expected behavior. Can someone explain (or point me to documentation) why it is necessary to remove the keys and re-add them? Thank you, Matthew Gyurgyik |
|
From: Douglas E E. <dee...@gm...> - 2016-05-19 11:46:48
|
On 5/19/2016 2:07 AM, Nikos Mavrogiannopoulos wrote: > On Mon, May 16, 2016 at 5:40 PM, Andreas Schwier > <and...@ca...> wrote: >> Dear Jakub, >> having a central regression test set-up would be great thing. >> Internally we use a PKCS#11 test suite similar to [1] that validates the >> PKCS#11 interface in combination with our SmartCard-HSM. We also have a >> smoke-test that runs a couple of tests on the command line. > [...] >> I guess the biggest issue is, that you need a specific configuration for >> each card. If there was a common testing framework, I'd be happy to >> provide tests for our card. > > The test suite Jakub provided is read-only in nature and can be shared > by several cards. > Would it make sense to split the testing to: > (initialization part) - (write params part) - (read part) Yes. Many people using this test suite may be using their national ID or employer issued smart card. They do not know the PUK, or other keys needed to write to the card. Only the read part would be run. Also keep in mind that if any test fails with a bad pin, no other tests should try the pin again to avoid locking the card. For ECDH derive, 2 cards are needed. Each card needs as input the public key of the other. A software ephemeral key could be used in place of the second card. > > Where the write/initialization part can be unique per card and can > simply be a script calling other tools. The write part generates some > test parameters (certificates and keys) under some criteria we agree > on and is shared between families of cards (ECDSA/RSA). Finally, the > read only part verifies the correct operation with the parameters > written. > > Each part can be a different tool, and can even be a pkcs11-tool > option, and can be combined under a per-card specific script (the > initialization). For example: > mycard.sh: > initialize_that_card_with_pin 1234 > run_write_params_test_with_pin 1234 > run_read_params_test_with_pin 1234 > clear_card > > For the PIV cards the test suite is written on it would be simply a > run_read_params_test_with_pin call. The NEO piv tool and the OpenSC piv-tool can do some initialization and write operations. But each card vendor has different options, and each batch of cards is supplied with a 3DES or AES key needed to allow writing to the card. Other cards also have <card>-tool programs. > > Would that be some framework you'd like to provide tests under? For > your cards for example, the initialization part needs to be written, > and followed up by the read-only check. > > regards, > Nikos > > ------------------------------------------------------------------------------ > Mobile security can be enabling, not merely restricting. Employees who > bring their own devices (BYOD) to work are irked by the imposition of MDM > restrictions. Mobile Device Manager Plus allows you to control only the > apps on BYO-devices by containerizing them, leaving personal data untouched! > https://ad.doubleclick.net/ddm/clk/304595813;131938128;j > _______________________________________________ > Opensc-devel mailing list > Ope...@li... > https://lists.sourceforge.net/lists/listinfo/opensc-devel > -- Douglas E. Engert <DEE...@gm...> |
|
From: Nikos M. <n.m...@gm...> - 2016-05-19 07:07:50
|
On Mon, May 16, 2016 at 5:40 PM, Andreas Schwier <and...@ca...> wrote: > Dear Jakub, > having a central regression test set-up would be great thing. > Internally we use a PKCS#11 test suite similar to [1] that validates the > PKCS#11 interface in combination with our SmartCard-HSM. We also have a > smoke-test that runs a couple of tests on the command line. [...] > I guess the biggest issue is, that you need a specific configuration for > each card. If there was a common testing framework, I'd be happy to > provide tests for our card. The test suite Jakub provided is read-only in nature and can be shared by several cards. Would it make sense to split the testing to: (initialization part) - (write params part) - (read part) Where the write/initialization part can be unique per card and can simply be a script calling other tools. The write part generates some test parameters (certificates and keys) under some criteria we agree on and is shared between families of cards (ECDSA/RSA). Finally, the read only part verifies the correct operation with the parameters written. Each part can be a different tool, and can even be a pkcs11-tool option, and can be combined under a per-card specific script (the initialization). For example: mycard.sh: initialize_that_card_with_pin 1234 run_write_params_test_with_pin 1234 run_read_params_test_with_pin 1234 clear_card For the PIV cards the test suite is written on it would be simply a run_read_params_test_with_pin call. Would that be some framework you'd like to provide tests under? For your cards for example, the initialization part needs to be written, and followed up by the read-only check. regards, Nikos |
|
From: Thomas C. <cal...@gm...> - 2016-05-17 16:15:39
|
Hi David, You are correct opkcs11-tool does not currently support RFC7512, I'll give it a look. Should be easy enough to add. That being said, opkcs11-tool was developed to allow fine-grained token management and crypto operations using the CLI, not primarily to leverage system-wide configuration using p11-kit. Of course, being an open source project, contributions that can speed up this feature are welcome :-) Cheers, Thomas On Tue, May 17, 2016 at 3:53 PM, David Woodhouse <dw...@in...> wrote: > On Tue, 2016-05-17 at 14:51 +0100, Thomas Calderon wrote: > > > > In addition to pkcs11-tool it might be worth mentioning opkcs11-tool > > [1], a tool that I co-develop. > > Hm, I note the README on Github doesn't seem to indicate that it > supports RFC7512 PKCS#11 URIs to specify objects. Does it? > > The examples also explicitly specify a module, rather than using the > system (typically p11-kit) configuration and just doing the right > thing... > > -- > dwmw2 > > > |
|
From: David W. <dw...@in...> - 2016-05-17 14:53:58
|
On Tue, 2016-05-17 at 14:51 +0100, Thomas Calderon wrote: > > In addition to pkcs11-tool it might be worth mentioning opkcs11-tool > [1], a tool that I co-develop. Hm, I note the README on Github doesn't seem to indicate that it supports RFC7512 PKCS#11 URIs to specify objects. Does it? The examples also explicitly specify a module, rather than using the system (typically p11-kit) configuration and just doing the right thing... -- dwmw2 |
|
From: Jakub J. <jj...@re...> - 2016-05-17 13:55:18
|
Hi, few more notes. On 05/17/2016 02:39 PM, Jakub Jelen wrote: > On 05/16/2016 07:20 PM, Douglas E Engert wrote: >> I would say the closest tool we have is: pkcs11-tool -t -l >> It does some basic tests, but as you may have noted if you try and run it >> with a PIV card, it has some problems, especially with the decryption, as it >> says the user is not logged in when trying to use the Sign key. The key usage >> says it should not be used for decryption. With other cards it may have different problems. > Thanks for mentioning pkcs11-tool test mode. I struggled upon it, but > there were > some problems that prevented me to work with that. I will check what can > be done there. The pkcs11-tool -t has most of the problems with PIV cards I was solving during last weeks: * missing ECDSA mechanisms support (more work) * C_Verify is not implemented in these cards * CKA_ALWAYS_AUTHENTICATE is not respected for decryption (well implemented for signing) The first is expected, the second is soft fail and the last one is hard fail letting down whole test suite (but should be quite easy fix). Otherwise it supports most of the general tests, but bundling inside card-specific initializations or bunches of regression tests (theoretically) does not seem like a way to go. Kind regards, -- Jakub Jelen Security Technologies Red Hat |
|
From: Thomas C. <cal...@gm...> - 2016-05-17 13:51:31
|
Hi everybody, In addition to pkcs11-tool it might be worth mentioning opkcs11-tool [1], a tool that I co-develop. It mimics the CLI interface of pkcs11-tool but allows for advanced PKCS#11 use cases: - template based operations (management and crypto) - PSS signature - Wrap/Unwrap - and much more as it is easy to extend In a sense, the tool could be used to perform some regression testing from the CLI. [1] https://github.com/ANSSI-FR/opkcs11-tool Cheers, Thomas On Tue, May 17, 2016 at 1:39 PM, Jakub Jelen <jj...@re...> wrote: > On 05/16/2016 07:20 PM, Douglas E Engert wrote: > > On 5/16/2016 10:04 AM, Jakub Jelen wrote: > >> Hello OpenSC devels, > >> > >> I didn't find any test suite or unit tests for OpenSC project. As I > >> noticed, there is a lot of hand-testing work on pull requests for > >> various cards and users. I believe everyone has some use cases to verify > >> basic functionality of their cards. > >> I understand that this fields is very divergent, there is a lot of card > >> variants and it is almost impossible to build automatic test suite that > >> would run in cloud with every build. But would it make sense to have > >> something that devels (or users) can simply run and what would verify > >> basic functionality and possible regressions? > > In-cloud testing would require the cloud test machine to have physical > cards. > > (Unless you are suggesting some RDC access to cards.) > Yes, this would be awesome, but probably impossible to achieve. Rather > having > something that can be simply run by many users with many different cards > and > report general success or failure would be achievable. > > Theoretically generating logs, collecting them from different cards and > users and > representing them in readable form could be too useful for future > codebase stability > among releases. But it is a bit over the initial idea. > > I would say the closest tool we have is: pkcs11-tool -t -l > > It does some basic tests, but as you may have noted if you try and run it > > with a PIV card, it has some problems, especially with the decryption, > as it > > says the user is not logged in when trying to use the Sign key. The key > usage > > says it should not be used for decryption. With other cards it may have > different problems. > Thanks for mentioning pkcs11-tool test mode. I struggled upon it, but > there were > some problems that prevented me to work with that. I will check what can > be done there. > >> I went to the directory src/tests/ and fixed the tests that are > >> available now (see pull request [1], broken for 6 years), but they are > >> far away from complete test suite. > >> > >> I also started with the idea from PKCS#11 API and put together basic > >> test suite and inspector for OpenSC, which is currently in my OpenSC > >> fork [2]. It is by no mean complete test suite of all the use cases, but > >> I tried to catch most common cases, represent results in understandable > >> form (currently tested with PIV cards) and add regression test for > >> recent pull request [3]. > > Good choice of card :-) > > > > Are you using the the NIST set of 16 demo/test cards? > Yes. > > Regards, > > -- > Jakub Jelen > Security Technologies > Red Hat > > > > ------------------------------------------------------------------------------ > Mobile security can be enabling, not merely restricting. Employees who > bring their own devices (BYOD) to work are irked by the imposition of MDM > restrictions. Mobile Device Manager Plus allows you to control only the > apps on BYO-devices by containerizing them, leaving personal data > untouched! > https://ad.doubleclick.net/ddm/clk/304595813;131938128;j > _______________________________________________ > Opensc-devel mailing list > Ope...@li... > https://lists.sourceforge.net/lists/listinfo/opensc-devel > |
|
From: Jakub J. <jj...@re...> - 2016-05-17 12:40:07
|
On 05/16/2016 07:20 PM, Douglas E Engert wrote: > On 5/16/2016 10:04 AM, Jakub Jelen wrote: >> Hello OpenSC devels, >> >> I didn't find any test suite or unit tests for OpenSC project. As I >> noticed, there is a lot of hand-testing work on pull requests for >> various cards and users. I believe everyone has some use cases to verify >> basic functionality of their cards. >> I understand that this fields is very divergent, there is a lot of card >> variants and it is almost impossible to build automatic test suite that >> would run in cloud with every build. But would it make sense to have >> something that devels (or users) can simply run and what would verify >> basic functionality and possible regressions? > In-cloud testing would require the cloud test machine to have physical cards. > (Unless you are suggesting some RDC access to cards.) Yes, this would be awesome, but probably impossible to achieve. Rather having something that can be simply run by many users with many different cards and report general success or failure would be achievable. Theoretically generating logs, collecting them from different cards and users and representing them in readable form could be too useful for future codebase stability among releases. But it is a bit over the initial idea. > I would say the closest tool we have is: pkcs11-tool -t -l > It does some basic tests, but as you may have noted if you try and run it > with a PIV card, it has some problems, especially with the decryption, as it > says the user is not logged in when trying to use the Sign key. The key usage > says it should not be used for decryption. With other cards it may have different problems. Thanks for mentioning pkcs11-tool test mode. I struggled upon it, but there were some problems that prevented me to work with that. I will check what can be done there. >> I went to the directory src/tests/ and fixed the tests that are >> available now (see pull request [1], broken for 6 years), but they are >> far away from complete test suite. >> >> I also started with the idea from PKCS#11 API and put together basic >> test suite and inspector for OpenSC, which is currently in my OpenSC >> fork [2]. It is by no mean complete test suite of all the use cases, but >> I tried to catch most common cases, represent results in understandable >> form (currently tested with PIV cards) and add regression test for >> recent pull request [3]. > Good choice of card :-) > > Are you using the the NIST set of 16 demo/test cards? Yes. Regards, -- Jakub Jelen Security Technologies Red Hat |
|
From: Jakub J. <jj...@re...> - 2016-05-17 11:03:04
|
Hello Andreas,
On 05/16/2016 05:40 PM, Andreas Schwier wrote:
> Dear Jakub,
>
> having a central regression test set-up would be great thing.
> Internally we use a PKCS#11 test suite similar to [1] that validates the
> PKCS#11 interface in combination with our SmartCard-HSM. We also have a
> smoke-test that runs a couple of tests on the command line.
Wow, PKCS#11 test suite in Javascript. I did not see everything yet. But
the concept looks similar to the think that we put together. Having
something similar in OpenSC that would be possible to run by as many
users with as many cards as possible would be ultimate goal.
Basically what I see in the linked testsuite is:
* initialization, key and certificate generation
* (not applicable for test PIV cards I have)
* card dependent
* enumerate
* encrypt
* decrypt
* signature (with and without digest)
* should be card independent, isn't it?
> Other than that we occasionally do regression testing of the Minidriver.
>
> I guess the biggest issue is, that you need a specific configuration for
> each card. If there was a common testing framework, I'd be happy to
> provide tests for our card.
Great to hear it.
> Andreas
>
>
> [1] https://github.com/CardContact/sc-hsm-embedded/tree/master/p11tests
Thanks for reference and ideas.
Regards,
--
Jakub Jelen
Security Technologies
Red Hat
|
|
From: Nikos M. <n.m...@gm...> - 2016-05-17 06:10:52
|
On Mon, May 16, 2016 at 7:20 PM, Douglas E Engert <dee...@gm...> wrote: >> I didn't find any test suite or unit tests for OpenSC project. As I >> noticed, there is a lot of hand-testing work on pull requests for >> various cards and users. I believe everyone has some use cases to verify >> basic functionality of their cards. >> I understand that this fields is very divergent, there is a lot of card >> variants and it is almost impossible to build automatic test suite that >> would run in cloud with every build. But would it make sense to have >> something that devels (or users) can simply run and what would verify >> basic functionality and possible regressions? > In-cloud testing would require the cloud test machine to have physical cards. > (Unless you are suggesting some RDC access to cards.) Such a test suite has two goals. (1) for the card makers to verify that their cards run with opensc, and (2) for the opensc developers to verify that their new code does not regress. The cloud testing is mainly applicable for (2), and that may be addressed with a card simulator. >> And there is the twist. What would you expect from PKCS#11/Smartcard >> testsuite? Would it make sense to have something like this upstream? >> What use cases would you expect from that to check? > Enhancing the functionality of the pkcs11-tool -t would be a good start. What would be the advantage of having as part of that tool? regards, Nikos |
|
From: Douglas E E. <dee...@gm...> - 2016-05-16 17:20:21
|
On 5/16/2016 10:04 AM, Jakub Jelen wrote: > Hello OpenSC devels, > > I didn't find any test suite or unit tests for OpenSC project. As I > noticed, there is a lot of hand-testing work on pull requests for > various cards and users. I believe everyone has some use cases to verify > basic functionality of their cards. > I understand that this fields is very divergent, there is a lot of card > variants and it is almost impossible to build automatic test suite that > would run in cloud with every build. But would it make sense to have > something that devels (or users) can simply run and what would verify > basic functionality and possible regressions? In-cloud testing would require the cloud test machine to have physical cards. (Unless you are suggesting some RDC access to cards.) I would say the closest tool we have is: pkcs11-tool -t -l It does some basic tests, but as you may have noted if you try and run it with a PIV card, it has some problems, especially with the decryption, as it says the user is not logged in when trying to use the Sign key. The key usage says it should not be used for decryption. With other cards it may have different problems. > > I went to the directory src/tests/ and fixed the tests that are > available now (see pull request [1], broken for 6 years), but they are > far away from complete test suite. > > I also started with the idea from PKCS#11 API and put together basic > test suite and inspector for OpenSC, which is currently in my OpenSC > fork [2]. It is by no mean complete test suite of all the use cases, but > I tried to catch most common cases, represent results in understandable > form (currently tested with PIV cards) and add regression test for > recent pull request [3]. Good choice of card :-) Are you using the the NIST set of 16 demo/test cards? > > And there is the twist. What would you expect from PKCS#11/Smartcard > testsuite? Would it make sense to have something like this upstream? > What use cases would you expect from that to check? Enhancing the functionality of the pkcs11-tool -t would be a good start. > > > [1] https://github.com/OpenSC/OpenSC/pull/759 > [2] https://github.com/Jakuje/OpenSC/tree/jjelen-testsuite/src/tests > [3] https://github.com/OpenSC/OpenSC/pull/743 > > Regards, > -- Douglas E. Engert <DEE...@gm...> |
|
From: Andreas S. <and...@ca...> - 2016-05-16 15:40:34
|
Dear Jakub, having a central regression test set-up would be great thing. Internally we use a PKCS#11 test suite similar to [1] that validates the PKCS#11 interface in combination with our SmartCard-HSM. We also have a smoke-test that runs a couple of tests on the command line. Other than that we occasionally do regression testing of the Minidriver. I guess the biggest issue is, that you need a specific configuration for each card. If there was a common testing framework, I'd be happy to provide tests for our card. Andreas [1] https://github.com/CardContact/sc-hsm-embedded/tree/master/p11tests On 05/16/2016 05:04 PM, Jakub Jelen wrote: > Hello OpenSC devels, > > I didn't find any test suite or unit tests for OpenSC project. As I > noticed, there is a lot of hand-testing work on pull requests for > various cards and users. I believe everyone has some use cases to verify > basic functionality of their cards. > I understand that this fields is very divergent, there is a lot of card > variants and it is almost impossible to build automatic test suite that > would run in cloud with every build. But would it make sense to have > something that devels (or users) can simply run and what would verify > basic functionality and possible regressions? > > I went to the directory src/tests/ and fixed the tests that are > available now (see pull request [1], broken for 6 years), but they are > far away from complete test suite. > > I also started with the idea from PKCS#11 API and put together basic > test suite and inspector for OpenSC, which is currently in my OpenSC > fork [2]. It is by no mean complete test suite of all the use cases, but > I tried to catch most common cases, represent results in understandable > form (currently tested with PIV cards) and add regression test for > recent pull request [3]. > > And there is the twist. What would you expect from PKCS#11/Smartcard > testsuite? Would it make sense to have something like this upstream? > What use cases would you expect from that to check? > > > [1] https://github.com/OpenSC/OpenSC/pull/759 > [2] https://github.com/Jakuje/OpenSC/tree/jjelen-testsuite/src/tests > [3] https://github.com/OpenSC/OpenSC/pull/743 > > Regards, > -- --------- CardContact Systems GmbH |.##> <##.| Schülerweg 38 |# #| D-32429 Minden, Germany |# #| Phone +49 571 56149 |'##> <##'| http://www.cardcontact.de --------- Registergericht Bad Oeynhausen HRB 14880 Geschäftsführer Andreas Schwier |
|
From: Jakub J. <jj...@re...> - 2016-05-16 15:04:23
|
Hello OpenSC devels, I didn't find any test suite or unit tests for OpenSC project. As I noticed, there is a lot of hand-testing work on pull requests for various cards and users. I believe everyone has some use cases to verify basic functionality of their cards. I understand that this fields is very divergent, there is a lot of card variants and it is almost impossible to build automatic test suite that would run in cloud with every build. But would it make sense to have something that devels (or users) can simply run and what would verify basic functionality and possible regressions? I went to the directory src/tests/ and fixed the tests that are available now (see pull request [1], broken for 6 years), but they are far away from complete test suite. I also started with the idea from PKCS#11 API and put together basic test suite and inspector for OpenSC, which is currently in my OpenSC fork [2]. It is by no mean complete test suite of all the use cases, but I tried to catch most common cases, represent results in understandable form (currently tested with PIV cards) and add regression test for recent pull request [3]. And there is the twist. What would you expect from PKCS#11/Smartcard testsuite? Would it make sense to have something like this upstream? What use cases would you expect from that to check? [1] https://github.com/OpenSC/OpenSC/pull/759 [2] https://github.com/Jakuje/OpenSC/tree/jjelen-testsuite/src/tests [3] https://github.com/OpenSC/OpenSC/pull/743 Regards, -- Jakub Jelen Security Technologies Red Hat |
|
From: Frank M. <mo...@in...> - 2016-05-03 10:33:22
|
If you are lucky your card is already supported, but OpenSC does not yet recognize it. You should try to get to know what specific java card applets are on your card. If the card is not supported, you will have to find some programmer, who adds support. Greets, Frank. On Thursday, April 28 at 10:30PM, Claudio Felix wrote: > Hi Frank, > > Is there anything else I can do or use to get the required information? > > Thanks, > > Claudio > > 2016-04-19 19:17 GMT-03:00 Frank Morgner <mo...@in...>: > > > Sorry, this does unfortunately not contain any useful information. > > > > Greets, Frank. > > > > > > On Tuesday, April 19 at 07:09PM, Claudio Felix wrote: > > > Hi, > > > > > > Some time ago I bought a card in an online store to store digital > > > certificates for e-CPF or e-CNPJ, which are respectively like a tax payer > > > identifier for people and companies. I don't have the e-mail from the > > store > > > anymore, but I remember something about JCOP and java card. Although it > > > seems yet unsupported in OpenSC, it looks supported in PCSC, since > > > pcsc_scan outputs the following information when the card gets inserted: > > > > > > Reader 0: CASTLES EZ100PU 00 00 > > > Card state: Card inserted, > > > ATR: 3B 6A 00 FF 4A 43 4F 50 32 31 56 32 33 31 > > > > > > ATR: 3B 6A 00 FF 4A 43 4F 50 32 31 56 32 33 31 > > > + TS = 3B --> Direct Convention > > > + T0 = 6A, Y(1): 0110, K: 10 (historical bytes) > > > TB(1) = 00 --> VPP is not electrically connected > > > TC(1) = FF --> Extra guard time: 255 (special value) > > > + Historical bytes: 4A 43 4F 50 32 31 56 32 33 31 > > > Category indicator byte: 4A (proprietary format) > > > > > > Possibly identified card (using /usr/share/pcsc/smartcard_list.txt): > > > 3B 6A 00 FF 4A 43 4F 50 32 31 56 32 33 31 > > > JCOP21 v2.3 Standard > > > > > > > > > Hope this helps getting the card supported. > > > > > > Thank you, > > > > > > Claudio > > > > > > > ------------------------------------------------------------------------------ > > > Find and fix application performance issues faster with Applications > > Manager > > > Applications Manager provides deep performance insights into multiple > > tiers of > > > your business applications. It resolves application problems quickly and > > > reduces your MTTR. Get your free trial! > > > https://ad.doubleclick.net/ddm/clk/302982198;130105516;z > > > _______________________________________________ > > > Opensc-devel mailing list > > > Ope...@li... > > > https://lists.sourceforge.net/lists/listinfo/opensc-devel > > > > > > -- > > Frank Morgner > > > > Virtual Smart Card Architecture http://vsmartcard.sourceforge.net > > OpenPACE http://openpace.sourceforge.net > > IFD Handler for libnfc Devices http://sourceforge.net/projects/ifdnfc > > > > > > ------------------------------------------------------------------------------ > > Find and fix application performance issues faster with Applications > > Manager > > Applications Manager provides deep performance insights into multiple > > tiers of > > your business applications. It resolves application problems quickly and > > reduces your MTTR. Get your free trial! > > https://ad.doubleclick.net/ddm/clk/302982198;130105516;z > > _______________________________________________ > > Opensc-devel mailing list > > Ope...@li... > > https://lists.sourceforge.net/lists/listinfo/opensc-devel > > > > > ------------------------------------------------------------------------------ > Find and fix application performance issues faster with Applications Manager > Applications Manager provides deep performance insights into multiple tiers of > your business applications. It resolves application problems quickly and > reduces your MTTR. Get your free trial! > https://ad.doubleclick.net/ddm/clk/302982198;130105516;z > _______________________________________________ > Opensc-devel mailing list > Ope...@li... > https://lists.sourceforge.net/lists/listinfo/opensc-devel -- Frank Morgner Virtual Smart Card Architecture http://vsmartcard.sourceforge.net OpenPACE http://openpace.sourceforge.net IFD Handler for libnfc Devices http://sourceforge.net/projects/ifdnfc |
|
From: Claudio F. <fel...@gm...> - 2016-04-29 01:30:34
|
Hi Frank, Is there anything else I can do or use to get the required information? Thanks, Claudio 2016-04-19 19:17 GMT-03:00 Frank Morgner <mo...@in...>: > Sorry, this does unfortunately not contain any useful information. > > Greets, Frank. > > > On Tuesday, April 19 at 07:09PM, Claudio Felix wrote: > > Hi, > > > > Some time ago I bought a card in an online store to store digital > > certificates for e-CPF or e-CNPJ, which are respectively like a tax payer > > identifier for people and companies. I don't have the e-mail from the > store > > anymore, but I remember something about JCOP and java card. Although it > > seems yet unsupported in OpenSC, it looks supported in PCSC, since > > pcsc_scan outputs the following information when the card gets inserted: > > > > Reader 0: CASTLES EZ100PU 00 00 > > Card state: Card inserted, > > ATR: 3B 6A 00 FF 4A 43 4F 50 32 31 56 32 33 31 > > > > ATR: 3B 6A 00 FF 4A 43 4F 50 32 31 56 32 33 31 > > + TS = 3B --> Direct Convention > > + T0 = 6A, Y(1): 0110, K: 10 (historical bytes) > > TB(1) = 00 --> VPP is not electrically connected > > TC(1) = FF --> Extra guard time: 255 (special value) > > + Historical bytes: 4A 43 4F 50 32 31 56 32 33 31 > > Category indicator byte: 4A (proprietary format) > > > > Possibly identified card (using /usr/share/pcsc/smartcard_list.txt): > > 3B 6A 00 FF 4A 43 4F 50 32 31 56 32 33 31 > > JCOP21 v2.3 Standard > > > > > > Hope this helps getting the card supported. > > > > Thank you, > > > > Claudio > > > > ------------------------------------------------------------------------------ > > Find and fix application performance issues faster with Applications > Manager > > Applications Manager provides deep performance insights into multiple > tiers of > > your business applications. It resolves application problems quickly and > > reduces your MTTR. Get your free trial! > > https://ad.doubleclick.net/ddm/clk/302982198;130105516;z > > _______________________________________________ > > Opensc-devel mailing list > > Ope...@li... > > https://lists.sourceforge.net/lists/listinfo/opensc-devel > > > -- > Frank Morgner > > Virtual Smart Card Architecture http://vsmartcard.sourceforge.net > OpenPACE http://openpace.sourceforge.net > IFD Handler for libnfc Devices http://sourceforge.net/projects/ifdnfc > > > ------------------------------------------------------------------------------ > Find and fix application performance issues faster with Applications > Manager > Applications Manager provides deep performance insights into multiple > tiers of > your business applications. It resolves application problems quickly and > reduces your MTTR. Get your free trial! > https://ad.doubleclick.net/ddm/clk/302982198;130105516;z > _______________________________________________ > Opensc-devel mailing list > Ope...@li... > https://lists.sourceforge.net/lists/listinfo/opensc-devel > > |
|
From: Philip W. <wen...@gm...> - 2016-04-26 09:42:00
|
Hi, by default, private key import is not supported by IsoApplet. Did you enable this feature before building the applet? See http://pwendland.net/smartcards/2014/12/21/IsoApplet-configuration/ Also, I would recommend using pkcs15-init and -tool for initialization purposes. If this does not help, you will need to generate and send an OpenSC log (e.g. pkcs15-init -vvvvvvvvv --import-key ...). The log will contain your PIN. Kind regards, Philip On 04/26/2016 09:58 AM, Johannes Rath wrote: > > > Hi all, > > > > I am trying to write a private key to a smart card, but I am always > getting an error: > > > > jor@jorVirtualUbuntu1404:/mnt/Projects/TestOpenSC$ pkcs11-tool -y > privkey -l -w private.der > > Using slot 0 with a present token (0x0) > > Logging in to "JavaCard isoApplet (User PIN)". > > Please enter User PIN: > > error: PKCS11 function C_CreateObject failed: rv = CKR_GENERAL_ERROR (0x5) > > > > Aborting. > > jor@jorVirtualUbuntu1404:/mnt/Projects/TestOpenSC$ opensc-tool -i > > OpenSC 0.15.0 [gcc 4.8.4] > > Enabled features: locking zlib readline openssl pcsc(libpcsclite.so.1) > > > > Any ideas? > > > > Regards > > > > Johannes > > > > > > ------------------------------------------------------------------------------ > Find and fix application performance issues faster with Applications Manager > Applications Manager provides deep performance insights into multiple tiers of > your business applications. It resolves application problems quickly and > reduces your MTTR. Get your free trial! > https://ad.doubleclick.net/ddm/clk/302982198;130105516;z > > > > _______________________________________________ > Opensc-devel mailing list > Ope...@li... > https://lists.sourceforge.net/lists/listinfo/opensc-devel > |
|
From: Johannes R. <joh...@sw...> - 2016-04-26 07:59:02
|
Hi all, I am trying to write a private key to a smart card, but I am always getting an error: jor@jorVirtualUbuntu1404:/mnt/Projects/TestOpenSC$ pkcs11-tool -y privkey -l -w private.der Using slot 0 with a present token (0x0) Logging in to "JavaCard isoApplet (User PIN)". Please enter User PIN: error: PKCS11 function C_CreateObject failed: rv = CKR_GENERAL_ERROR (0x5) Aborting. jor@jorVirtualUbuntu1404:/mnt/Projects/TestOpenSC$ opensc-tool -i OpenSC 0.15.0 [gcc 4.8.4] Enabled features: locking zlib readline openssl pcsc(libpcsclite.so.1) Any ideas? Regards Johannes |
|
From: Andreas S. <and...@ca...> - 2016-04-25 08:55:19
|
Dear Przemysław, the DKEK.js file - and all other files under "scsh" - is a module that can not be loaded with load(). Modules are included from scripts using the JavaScript require() command. Try running the sc-hsm-sdk-scripts/key_import/decrypt_keyblob.js script which is an example how to decrypt the key blob. You also need to make sure, that you have the unrestricted cryptographic strength policy installed in your JRE, as the DKEK encryption uses AES-256. Andreas On 04/25/2016 10:26 AM, Ogorzalek, Przemyslaw wrote: > Hello, > > I've finally managed to obtain a card and all credentials required to download the SDK, but now I have bumped into a problem with the script itself. > > I fired up Smart Card Shell GUI, set sc-hsm-workspace as workspace directory and selected scsh/sc-hsm/DKEK.js script to run. As a result it produced the following error: > > Running setup script config.js ... > > SCSH3 - Smart Card Shell 3.7.1917 > --------------------------------------------------------------------------- > (c) 2005-2011 CardContact Software & System Consulting (www.cardcontact.de) > Enter 'help' for a command overview or 'quit' to close the shell > > >load("/root/opensc/sc-hsm-workspace/sc-hsm-workspace/scsh/sc-hsm/DKEK.js"); > org.mozilla.javascript.EcmaError: ReferenceError: "exports" is not defined. (/root/opensc/sc-hsm-workspace/sc-hsm-workspace/scsh/sc-hsm/DKEK.js#25) > at /root/opensc/sc-hsm-workspace/sc-hsm-workspace/scsh/sc-hsm/DKEK.js#25 > > > > I've tried several other scripts from scsh directory, all of them finished with the same error. Scripts from sc-hsm-sdk-scripts directory run without this problem. I used the same instance of Smart Card Shell which I used for account activation process., so the software itself should be fine. > > I suspect it's some simple rookie mistake and I didn't initialize something correctly, but I was unable to find any clues in the documentation. Perhaps there should be some wiki page for absolute beginners to document problems like this one? > > Best regards, > Przemysław Ogorzałek > > -----Original Message----- > From: Andreas Schwier [mailto:and...@ca...] > Sent: Tuesday, April 19, 2016 2:19 PM > To: ope...@li... > Subject: Re: [Opensc-devel] How to retrieve RSA private key from wrapped key blob? > > Dear Przemysław, > > if you register at the CardContact Developers Network, you can download > the SDK [1]. It contains a class DKEK.js which can be used to decrypt > and dump the key blob. > > Andreas > > > [1] > https://devnet.cardcontact.de/attachments/download/55/sc-hsm-workspace-20160229.zip > > On 04/19/2016 02:03 PM, Ogorzalek, Przemyslaw wrote: >> Hello, >> >> I wonder if it's possible to decrypt wrapped RSA private key downloaded from a smartcard? The key was generated and obtained by the following set of commands: >> >> sc-hsm-tool --create-dkek-share dkek/dkek-share-1.pbe >> sc-hsm-tool --create-dkek-share dkek/dkek-share-2.pbe >> >> sc-hsm-tool --initialize --dkek-shares 2 >> sc-hsm-tool --import-dkek-share dkek/dkek-share-1.pbe >> sc-hsm-tool --import-dkek-share dkek/dkek-share-2.pbe >> pkcs11-tool -l --pin 123456 --keypairgen --key-type rsa:2048 --id 11 --usage-sign >> sc-hsm-tool --wrap-key wrap-key.bin --key-reference 1 >> >> I know how to upload the key to a new card, but what if I want to change the technology stack and stop using smartcards in the future? Is there any way to reencrypt the RSA key to store it in file protected simply by a passphrase? >> >> Assume that I have both DKEK key shares and corresponding passwords, and I can perform the whole process in a designated secure room. >> >> I have also asked this question on superuser.com: http://superuser.com/questions/1066719/how-to-retrieve-rsa-private-key-from-wrapped-key-blob >> So if you can answer my question, the reputation is yours to get :) >> >> Best regards, >> Przemysław Ogorzałek >> >> >> >> ------------------------------------------------------------------------------ >> Find and fix application performance issues faster with Applications Manager >> Applications Manager provides deep performance insights into multiple tiers of >> your business applications. It resolves application problems quickly and >> reduces your MTTR. Get your free trial! >> https://ad.doubleclick.net/ddm/clk/302982198;130105516;z >> >> >> >> _______________________________________________ >> Opensc-devel mailing list >> Ope...@li... >> https://lists.sourceforge.net/lists/listinfo/opensc-devel >> > > -- --------- CardContact Systems GmbH |.##> <##.| Schülerweg 38 |# #| D-32429 Minden, Germany |# #| Phone +49 571 56149 |'##> <##'| http://www.cardcontact.de --------- Registergericht Bad Oeynhausen HRB 14880 Geschäftsführer Andreas Schwier |
|
From: Ogorzalek, P. <prz...@wi...> - 2016-04-25 08:27:02
|
Hello,
I've finally managed to obtain a card and all credentials required to download the SDK, but now I have bumped into a problem with the script itself.
I fired up Smart Card Shell GUI, set sc-hsm-workspace as workspace directory and selected scsh/sc-hsm/DKEK.js script to run. As a result it produced the following error:
Running setup script config.js ...
SCSH3 - Smart Card Shell 3.7.1917
---------------------------------------------------------------------------
(c) 2005-2011 CardContact Software & System Consulting (www.cardcontact.de)
Enter 'help' for a command overview or 'quit' to close the shell
>load("/root/opensc/sc-hsm-workspace/sc-hsm-workspace/scsh/sc-hsm/DKEK.js");
org.mozilla.javascript.EcmaError: ReferenceError: "exports" is not defined. (/root/opensc/sc-hsm-workspace/sc-hsm-workspace/scsh/sc-hsm/DKEK.js#25)
at /root/opensc/sc-hsm-workspace/sc-hsm-workspace/scsh/sc-hsm/DKEK.js#25
>
I've tried several other scripts from scsh directory, all of them finished with the same error. Scripts from sc-hsm-sdk-scripts directory run without this problem. I used the same instance of Smart Card Shell which I used for account activation process., so the software itself should be fine.
I suspect it's some simple rookie mistake and I didn't initialize something correctly, but I was unable to find any clues in the documentation. Perhaps there should be some wiki page for absolute beginners to document problems like this one?
Best regards,
Przemysław Ogorzałek
-----Original Message-----
From: Andreas Schwier [mailto:and...@ca...]
Sent: Tuesday, April 19, 2016 2:19 PM
To: ope...@li...
Subject: Re: [Opensc-devel] How to retrieve RSA private key from wrapped key blob?
Dear Przemysław,
if you register at the CardContact Developers Network, you can download
the SDK [1]. It contains a class DKEK.js which can be used to decrypt
and dump the key blob.
Andreas
[1]
https://devnet.cardcontact.de/attachments/download/55/sc-hsm-workspace-20160229.zip
On 04/19/2016 02:03 PM, Ogorzalek, Przemyslaw wrote:
> Hello,
>
> I wonder if it's possible to decrypt wrapped RSA private key downloaded from a smartcard? The key was generated and obtained by the following set of commands:
>
> sc-hsm-tool --create-dkek-share dkek/dkek-share-1.pbe
> sc-hsm-tool --create-dkek-share dkek/dkek-share-2.pbe
>
> sc-hsm-tool --initialize --dkek-shares 2
> sc-hsm-tool --import-dkek-share dkek/dkek-share-1.pbe
> sc-hsm-tool --import-dkek-share dkek/dkek-share-2.pbe
> pkcs11-tool -l --pin 123456 --keypairgen --key-type rsa:2048 --id 11 --usage-sign
> sc-hsm-tool --wrap-key wrap-key.bin --key-reference 1
>
> I know how to upload the key to a new card, but what if I want to change the technology stack and stop using smartcards in the future? Is there any way to reencrypt the RSA key to store it in file protected simply by a passphrase?
>
> Assume that I have both DKEK key shares and corresponding passwords, and I can perform the whole process in a designated secure room.
>
> I have also asked this question on superuser.com: http://superuser.com/questions/1066719/how-to-retrieve-rsa-private-key-from-wrapped-key-blob
> So if you can answer my question, the reputation is yours to get :)
>
> Best regards,
> Przemysław Ogorzałek
>
>
>
> ------------------------------------------------------------------------------
> Find and fix application performance issues faster with Applications Manager
> Applications Manager provides deep performance insights into multiple tiers of
> your business applications. It resolves application problems quickly and
> reduces your MTTR. Get your free trial!
> https://ad.doubleclick.net/ddm/clk/302982198;130105516;z
>
>
>
> _______________________________________________
> Opensc-devel mailing list
> Ope...@li...
> https://lists.sourceforge.net/lists/listinfo/opensc-devel
>
--
--------- CardContact Systems GmbH
|.##> <##.| Schülerweg 38
|# #| D-32429 Minden, Germany
|# #| Phone +49 571 56149
|'##> <##'| http://www.cardcontact.de
--------- Registergericht Bad Oeynhausen HRB 14880
Geschäftsführer Andreas Schwier
------------------------------------------------------------------------------
Find and fix application performance issues faster with Applications Manager
Applications Manager provides deep performance insights into multiple tiers of
your business applications. It resolves application problems quickly and
reduces your MTTR. Get your free trial!
https://ad.doubleclick.net/ddm/clk/302982198;130105516;z
_______________________________________________
Opensc-devel mailing list
Ope...@li...
https://lists.sourceforge.net/lists/listinfo/opensc-devel
|
5 messages has been excluded from this view by a project administrator.
