Menu
▾
▴
opensc-devel — discussion of developement of OpenSC and related projects
You can subscribe to this list here.
| 2012 |
Jan
|
Feb
|
Mar
|
Apr
|
May
|
Jun
|
Jul
|
Aug
|
Sep
|
Oct
|
Nov
|
Dec
(1) |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 2013 |
Jan
(26) |
Feb
(64) |
Mar
(78) |
Apr
(36) |
May
(51) |
Jun
(40) |
Jul
(43) |
Aug
(102) |
Sep
(50) |
Oct
(71) |
Nov
(42) |
Dec
(29) |
| 2014 |
Jan
(49) |
Feb
(52) |
Mar
(56) |
Apr
(30) |
May
(31) |
Jun
(52) |
Jul
(76) |
Aug
(19) |
Sep
(82) |
Oct
(95) |
Nov
(58) |
Dec
(76) |
| 2015 |
Jan
(135) |
Feb
(43) |
Mar
(47) |
Apr
(72) |
May
(59) |
Jun
(20) |
Jul
(17) |
Aug
(14) |
Sep
(34) |
Oct
(62) |
Nov
(48) |
Dec
(23) |
| 2016 |
Jan
(18) |
Feb
(55) |
Mar
(24) |
Apr
(20) |
May
(33) |
Jun
(29) |
Jul
(18) |
Aug
(15) |
Sep
(8) |
Oct
(21) |
Nov
(5) |
Dec
(23) |
| 2017 |
Jan
(3) |
Feb
|
Mar
(17) |
Apr
(4) |
May
|
Jun
(5) |
Jul
(1) |
Aug
(20) |
Sep
(17) |
Oct
(21) |
Nov
|
Dec
(3) |
| 2018 |
Jan
(62) |
Feb
(4) |
Mar
(4) |
Apr
(20) |
May
(16) |
Jun
|
Jul
(1) |
Aug
(9) |
Sep
(3) |
Oct
(11) |
Nov
|
Dec
(9) |
| 2019 |
Jan
(1) |
Feb
(1) |
Mar
(2) |
Apr
|
May
|
Jun
|
Jul
|
Aug
|
Sep
(2) |
Oct
(5) |
Nov
|
Dec
(5) |
| 2020 |
Jan
(11) |
Feb
(14) |
Mar
(7) |
Apr
|
May
|
Jun
(3) |
Jul
(3) |
Aug
(6) |
Sep
(2) |
Oct
(15) |
Nov
(11) |
Dec
(7) |
| 2021 |
Jan
(14) |
Feb
(21) |
Mar
(3) |
Apr
(1) |
May
(1) |
Jun
|
Jul
(1) |
Aug
(1) |
Sep
(3) |
Oct
|
Nov
|
Dec
|
| 2022 |
Jan
|
Feb
(1) |
Mar
|
Apr
|
May
|
Jun
(2) |
Jul
|
Aug
|
Sep
|
Oct
(4) |
Nov
(12) |
Dec
|
| 2023 |
Jan
(2) |
Feb
(4) |
Mar
|
Apr
(8) |
May
|
Jun
(2) |
Jul
|
Aug
(3) |
Sep
(1) |
Oct
|
Nov
(1) |
Dec
(1) |
| 2024 |
Jan
|
Feb
(2) |
Mar
(6) |
Apr
(1) |
May
|
Jun
(2) |
Jul
|
Aug
|
Sep
(1) |
Oct
|
Nov
(4) |
Dec
|
| 2025 |
Jan
(1) |
Feb
|
Mar
|
Apr
(5) |
May
|
Jun
|
Jul
(11) |
Aug
|
Sep
|
Oct
|
Nov
|
Dec
|
|
From: Jaroslav I. <jar...@gm...> - 2016-01-18 15:14:26
|
Hello David, seems like your primary problem is behaviour of SunPKCS11 provider so IMO you should take a look at "Java PKCS#11 Reference Guide" [0] which describes in detail how this provider operates. I remember that values of CKA_LABEL and CKA_ID attributes were very important and that SunPKCS11 provider didn't "show" private key which were not associated with the certificate. [0] http://docs.oracle.com/javase/7/docs/technotes/guides/security/p11guide.html Kind Regards / S pozdravom Jaroslav Imrich http://www.jimrich.sk jar...@gm... On Mon, Jan 18, 2016 at 3:40 PM, David Sills <DS...@da...> wrote: > To whom it may concern: > > > > This is apparently not a mailing list for users, but I am a (potential) > user with many questions. Is there a mailing list for me? > > > > I have successfully (more or less) got OpenSC working on my Windows 7 > machine with a Dell Smart Card Reader Keyboard and pkcs11-tool seems to be > able to detect keys (and thus certificates, I assume) on the card, but when > I go through the Sun API (SunPKCS11) I get no aliases in the Keystore I > generate, which makes it, of course, impossible to get at the data. (What I > really want to know is, is the certificate expired?) Is this a common > occurrence, and has anyone any kind of solution for it? > > > > Please redirect me if I am in the wrong list. Many thanks for your work in > creating OpenSC. > > > > Thanks! > > > > David > > > > > ------------------------------------------------------------------------------ > Site24x7 APM Insight: Get Deep Visibility into Application Performance > APM + Mobile APM + RUM: Monitor 3 App instances at just $35/Month > Monitor end-to-end web transactions and take corrective actions now > Troubleshoot faster and improve end-user experience. Signup Now! > http://pubads.g.doubleclick.net/gampad/clk?id=267308311&iu=/4140 > _______________________________________________ > Opensc-devel mailing list > Ope...@li... > https://lists.sourceforge.net/lists/listinfo/opensc-devel > > |
|
From: David S. <DS...@da...> - 2016-01-18 14:40:29
|
To whom it may concern: This is apparently not a mailing list for users, but I am a (potential) user with many questions. Is there a mailing list for me? I have successfully (more or less) got OpenSC working on my Windows 7 machine with a Dell Smart Card Reader Keyboard and pkcs11-tool seems to be able to detect keys (and thus certificates, I assume) on the card, but when I go through the Sun API (SunPKCS11) I get no aliases in the Keystore I generate, which makes it, of course, impossible to get at the data. (What I really want to know is, is the certificate expired?) Is this a common occurrence, and has anyone any kind of solution for it? Please redirect me if I am in the wrong list. Many thanks for your work in creating OpenSC. Thanks! David |
|
From: Anders R. <and...@gm...> - 2016-01-14 11:24:02
|
On 2016-01-14 11:29, Andreas Schwier wrote: > Interesting. Hi Andreas, > But how does this approach address the issue of a canonical format for > the signature input ? The described approach does not depend on a canonical JSON representation but on a normalized ditto which is what ECMAScript (using the specified constraints) does automatically. > If you use different JSON encoders generating valid, but different JSON > textual presentations (e.g. different white-space), then signature > validation will fail. I would have expected that white-space is > eliminated during canonicalization, but don't see that in the code sample. White-space is ignored by ECMAScript which means that other systems MUST also do that in order to utilize this scheme. Relying on the number algorithms featured in https://developers.google.com/v8/ may appear slightly "hacky" but OTOH there are already tons of systems out there building on this platform including https://nodejs.org/en/ so it is about as "standard" you can get. > It's the same issue as in XML Signatures and the transformation in a > canonical XML format before hashing. I believe there is 1 to 25 difference in complexity. Anders > > Andreas > > On 01/14/2016 10:41 AM, Anders Rundgren wrote: >> The samples below should be comparable with respect to securing the integrity of the payload and the signature parameters, but they obviously differ a lot in the way they get the work done. >> >> JCS was developed to match information-rich, multi-signature schemes like >> https://www.w3.org/Payments/IG/wiki/Main_Page/ProposalsQ42015/SCAI#The_SCAI_line >> and similar. JCS has recently been upgraded to match ECMAScript revision 6. >> >> >> JSON Cleartext Signature (JCS): https://cyberphone.github.io/openkeystore/resources/docs/jcs.html#ECMAScript_Compatibility_Mode >> >> var signedObject = { >> // The data >> statement: "Hello signed world!", >> otherProperties: [2000, true], >> // The signature >> signature: { >> algorithm: "ES256", >> publicKey: { >> type: "EC", >> curve: "P-256", >> x: "vlYxD4dtFJOp1_8_QUcieWCW-4KrLMmFL2rpkY1bQDs", >> y: "fxEF70yJenP3SPHM9hv-EnvhG6nXr3_S-fDqoj-F6yM" >> }, >> value: "2H__TkcV28QpGWPkyVbR1CW0I8L4xARrVGL0LjOeHJLOPozdzRqCTyYfmAippJXqdzgNAonnFPVCSI5A6novMQ" >> } >> }; >> >> >> JSON Web Signature (JWS): https://tools.ietf.org/rfc/rfc7515.txt >> >> var signedObject = { >> "payload": "eyJpc3MiOiJqb2UiLA0KICJleHAiOjEzMDA4MTkzODAsDQogImh0dHA6Ly9leGFtcGxlLmNvbS9pc19yb290Ijp0cnVlfQ", >> "protected": "eyJhbGciOiJFUzI1NiJ9", >> "signature": "DtEhU3ljbEg8L38VWAfUAqOyKAM6-Xx-F4GawxaepmXFCgfTjDxw5djxLa8IS lSApmWQxfKTUJqPP3-Kg6NU1Q" >> }; >> >> >> >> Anders >> >> ------------------------------------------------------------------------------ >> Site24x7 APM Insight: Get Deep Visibility into Application Performance >> APM + Mobile APM + RUM: Monitor 3 App instances at just $35/Month >> Monitor end-to-end web transactions and take corrective actions now >> Troubleshoot faster and improve end-user experience. Signup Now! >> http://pubads.g.doubleclick.net/gampad/clk?id=267308311&iu=/4140 >> _______________________________________________ >> Opensc-devel mailing list >> Ope...@li... >> https://lists.sourceforge.net/lists/listinfo/opensc-devel >> > > |
|
From: Andreas S. <and...@ca...> - 2016-01-14 10:30:05
|
Interesting. But how does this approach address the issue of a canonical format for the signature input ? If you use different JSON encoders generating valid, but different JSON textual presentations (e.g. different white-space), then signature validation will fail. I would have expected that white-space is eliminated during canonicalization, but don't see that in the code sample. It's the same issue as in XML Signatures and the transformation in a canonical XML format before hashing. Andreas On 01/14/2016 10:41 AM, Anders Rundgren wrote: > The samples below should be comparable with respect to securing the integrity of the payload and the signature parameters, but they obviously differ a lot in the way they get the work done. > > JCS was developed to match information-rich, multi-signature schemes like > https://www.w3.org/Payments/IG/wiki/Main_Page/ProposalsQ42015/SCAI#The_SCAI_line > and similar. JCS has recently been upgraded to match ECMAScript revision 6. > > > JSON Cleartext Signature (JCS): https://cyberphone.github.io/openkeystore/resources/docs/jcs.html#ECMAScript_Compatibility_Mode > > var signedObject = { > // The data > statement: "Hello signed world!", > otherProperties: [2000, true], > // The signature > signature: { > algorithm: "ES256", > publicKey: { > type: "EC", > curve: "P-256", > x: "vlYxD4dtFJOp1_8_QUcieWCW-4KrLMmFL2rpkY1bQDs", > y: "fxEF70yJenP3SPHM9hv-EnvhG6nXr3_S-fDqoj-F6yM" > }, > value: "2H__TkcV28QpGWPkyVbR1CW0I8L4xARrVGL0LjOeHJLOPozdzRqCTyYfmAippJXqdzgNAonnFPVCSI5A6novMQ" > } > }; > > > JSON Web Signature (JWS): https://tools.ietf.org/rfc/rfc7515.txt > > var signedObject = { > "payload": "eyJpc3MiOiJqb2UiLA0KICJleHAiOjEzMDA4MTkzODAsDQogImh0dHA6Ly9leGFtcGxlLmNvbS9pc19yb290Ijp0cnVlfQ", > "protected": "eyJhbGciOiJFUzI1NiJ9", > "signature": "DtEhU3ljbEg8L38VWAfUAqOyKAM6-Xx-F4GawxaepmXFCgfTjDxw5djxLa8IS lSApmWQxfKTUJqPP3-Kg6NU1Q" > }; > > > > Anders > > ------------------------------------------------------------------------------ > Site24x7 APM Insight: Get Deep Visibility into Application Performance > APM + Mobile APM + RUM: Monitor 3 App instances at just $35/Month > Monitor end-to-end web transactions and take corrective actions now > Troubleshoot faster and improve end-user experience. Signup Now! > http://pubads.g.doubleclick.net/gampad/clk?id=267308311&iu=/4140 > _______________________________________________ > Opensc-devel mailing list > Ope...@li... > https://lists.sourceforge.net/lists/listinfo/opensc-devel > -- --------- CardContact Software & System Consulting |.##> <##.| Andreas Schwier |# #| Schülerweg 38 |# #| 32429 Minden, Germany |'##> <##'| Phone +49 571 56149 --------- http://www.cardcontact.de http://www.tscons.de http://www.openscdp.org http://www.smartcard-hsm.com |
|
From: Anders R. <and...@gm...> - 2016-01-14 09:41:16
|
The samples below should be comparable with respect to securing the integrity of the payload and the signature parameters, but they obviously differ a lot in the way they get the work done. JCS was developed to match information-rich, multi-signature schemes like https://www.w3.org/Payments/IG/wiki/Main_Page/ProposalsQ42015/SCAI#The_SCAI_line and similar. JCS has recently been upgraded to match ECMAScript revision 6. JSON Cleartext Signature (JCS): https://cyberphone.github.io/openkeystore/resources/docs/jcs.html#ECMAScript_Compatibility_Mode var signedObject = { // The data statement: "Hello signed world!", otherProperties: [2000, true], // The signature signature: { algorithm: "ES256", publicKey: { type: "EC", curve: "P-256", x: "vlYxD4dtFJOp1_8_QUcieWCW-4KrLMmFL2rpkY1bQDs", y: "fxEF70yJenP3SPHM9hv-EnvhG6nXr3_S-fDqoj-F6yM" }, value: "2H__TkcV28QpGWPkyVbR1CW0I8L4xARrVGL0LjOeHJLOPozdzRqCTyYfmAippJXqdzgNAonnFPVCSI5A6novMQ" } }; JSON Web Signature (JWS): https://tools.ietf.org/rfc/rfc7515.txt var signedObject = { "payload": "eyJpc3MiOiJqb2UiLA0KICJleHAiOjEzMDA4MTkzODAsDQogImh0dHA6Ly9leGFtcGxlLmNvbS9pc19yb290Ijp0cnVlfQ", "protected": "eyJhbGciOiJFUzI1NiJ9", "signature": "DtEhU3ljbEg8L38VWAfUAqOyKAM6-Xx-F4GawxaepmXFCgfTjDxw5djxLa8IS lSApmWQxfKTUJqPP3-Kg6NU1Q" }; Anders |
|
From: Andreas S. <and...@ca...> - 2016-01-13 11:27:46
|
Sure > Can you please be more specific about some aspects of this PKI: > > a) if CardContact goes out of business for any reason, what is the > impact on people using the cards? Will people using the intermediate > certificates signed by your root be able to keep using them until they > expire? How long are they valid? If CardContact goes out of business, then the Scheme Root CA will stop operating and will not issue new device issuer certificates. Existing device issuer can of course continue to operate their CA instance and can produce legitimate SmartCard-HSMs. A device issuer certificate is valid for 8 years. Device certificates have a validity date, which does not exceed the expiration date of the device issuer CA certificate. But remember that these certificates are card-verifiable-certificates not suitable for X.509 based applications. We are not operating a X509 PKI. > > b) if the CardContact root certificate is compromised (private key > stolen, etc), what is the impact on people using the cards? The Scheme Root CA private key is - of course - stored on a SmartCard-HSM with dual-control for both, operation and recovery. The CA is an offline CA. We do our best to protect the Scheme Root CA, but if it would be compromised, a relying party could no longer trust public keys generated in the device. The impact would need to be evaluated in the actual application scenario. Any customer is of course free to become a device issuer himself and even operate his own scheme root CA. This is common for customers that have additional security requirements that we can't (or don't want to) fulfil. > > c) you say that some customers operate their own root, does that mean > they can completely eliminate or replace the "device authentication key" > you create at the factory? The device authentication key is generated during SmartCard-HSM personalization, which can be done by any device issuer. Our business model with the SmartCard-HSM is to license the applet to device issuer and to provide the required infrastructure to produce the devices. At the same time we are a device issuer for the USB and MicroSD based form factor. > > ------------------------------------------------------------------------------ > Site24x7 APM Insight: Get Deep Visibility into Application Performance > APM + Mobile APM + RUM: Monitor 3 App instances at just $35/Month > Monitor end-to-end web transactions and take corrective actions now > Troubleshoot faster and improve end-user experience. Signup Now! > http://pubads.g.doubleclick.net/gampad/clk?id=267308311&iu=/4140 > _______________________________________________ > Opensc-devel mailing list > Ope...@li... > https://lists.sourceforge.net/lists/listinfo/opensc-devel > -- --------- CardContact Software & System Consulting |.##> <##.| Andreas Schwier |# #| Schülerweg 38 |# #| 32429 Minden, Germany |'##> <##'| Phone +49 571 56149 --------- http://www.cardcontact.de http://www.tscons.de http://www.openscdp.org http://www.smartcard-hsm.com |
|
From: Daniel P. <da...@po...> - 2016-01-13 10:52:52
|
On 12/01/16 23:38, Andreas Schwier wrote: > Hi Daniel, > > the purpose of the SmartCard-HSM PKI is to allow a relying party to > authenticate public keys for private keys generated on the device. It > does both, proof of possession and proof of correspondence. > > It also allows using the public key without a certificate, because the > internally generated certificate signing request is signed by the device > authentication key. In some applications like the n-of-m scheme [1] this > is sufficient, i.e. there is no need for another separate PKI to issue > certificates that bind the public key to a identity (each SmartCard-HSM > has an identity asserted by the device certificate and linked to the > device authentication key). > > This means, that if someone relies on this PKI, he must rely on the > device issuer and the correct operation of the systems at the two PKI > layers. > > This is not limited to ourselves, as we have customers that are > operating their own root and production CA. > > Having a full PKI for public key authentication is something that - as > far as I know - only the SmartCard-HSM provides for. Other schemes > provide key attestation, but typically with a key shared amongst all > devices. > Can you please be more specific about some aspects of this PKI: a) if CardContact goes out of business for any reason, what is the impact on people using the cards? Will people using the intermediate certificates signed by your root be able to keep using them until they expire? How long are they valid? b) if the CardContact root certificate is compromised (private key stolen, etc), what is the impact on people using the cards? c) you say that some customers operate their own root, does that mean they can completely eliminate or replace the "device authentication key" you create at the factory? |
|
From: Thomas C. <cal...@gm...> - 2016-01-13 10:03:24
|
Hi Daniel, If I am not mistaken, most cards working with OpenSC do not perform onboard hash computation (even if it is supported by the card's spec) but rather use a software approach (using OpenSSL as a backend for those operations). Hence, this means that you should be able to use OpenSC's PKCS#11 middleware to perform CKM_SHA256_RSA_PKCS signatures even if the card only supports plain RSA signatures (the padding is also generally computed by the middleware). Now if you require ECC support but your cards lack support, then you need newer ones. Hope this helps, Thomas On Tue, Jan 12, 2016 at 10:08 PM, Daniel Pocock <da...@po...> wrote: > > > Hi, > > I've got a few cards in my drawer that I'm trying to identify. > > Spec sheets for some versions of these cards only mention SHA-1 while > I've come across other spec sheets that mention SHA-256, I'm not sure if > there are different versions of the same card, software updates or > something else. > > The cards in question are Athena "ASECard Crypto" and the "CryptoFlex > for Windows 32k" > > Can opensc tell me definitively if these cards have anything better than > SHA-1 capability? > > With SHA-1 being considered insecure, is there any practical use for > cards that don't have SHA-256 built-in already? Can they be upgraded > somehow to support newer hashes and/or adding ECC support? > > Regards, > > Daniel > > > ------------------------------------------------------------------------------ > Site24x7 APM Insight: Get Deep Visibility into Application Performance > APM + Mobile APM + RUM: Monitor 3 App instances at just $35/Month > Monitor end-to-end web transactions and take corrective actions now > Troubleshoot faster and improve end-user experience. Signup Now! > http://pubads.g.doubleclick.net/gampad/clk?id=267308311&iu=/4140 > _______________________________________________ > Opensc-devel mailing list > Ope...@li... > https://lists.sourceforge.net/lists/listinfo/opensc-devel |
|
From: Ryan C. <ry...@rc...> - 2016-01-12 22:40:33
|
Hi, Does anyone know of a source to obtain a Oberthur ID-One Piv on Cosmo card (preferably their newest, the Cosmo V8) or a Cosmo V8 eval kit? Of course I'm willing to pay for it, but haven't been able to find a supplier. My attempts to contact Oberthur directly have gone unanswered. Best regards, Ryan |
|
From: Andreas S. <and...@ca...> - 2016-01-12 22:38:31
|
Hi Daniel, the purpose of the SmartCard-HSM PKI is to allow a relying party to authenticate public keys for private keys generated on the device. It does both, proof of possession and proof of correspondence. It also allows using the public key without a certificate, because the internally generated certificate signing request is signed by the device authentication key. In some applications like the n-of-m scheme [1] this is sufficient, i.e. there is no need for another separate PKI to issue certificates that bind the public key to a identity (each SmartCard-HSM has an identity asserted by the device certificate and linked to the device authentication key). This means, that if someone relies on this PKI, he must rely on the device issuer and the correct operation of the systems at the two PKI layers. This is not limited to ourselves, as we have customers that are operating their own root and production CA. Having a full PKI for public key authentication is something that - as far as I know - only the SmartCard-HSM provides for. Other schemes provide key attestation, but typically with a key shared amongst all devices. Andreas [1] http://www.smartcard-hsm.com/docs/SmartCard-HSM_n-of-m_Authentication_V1.0_2015-03-25.pdf On 01/12/2016 11:08 PM, Daniel Pocock wrote: > > > Hi all, > > I was looking at the specs for Smartcard HSM: > > http://www.smartcard-hsm.com/features.html#devaut > > and it suggests that a "Scheme Root CA maintained by CardContact issues > certificates for Device Issuer CAs, which in turn issue an unique device > certificate for each SmartCard-HSM produced." > > Does this mean the card has some dependency on the manufacturer/vendor? > Is this typical? > > Regards, > > Daniel > > ------------------------------------------------------------------------------ > Site24x7 APM Insight: Get Deep Visibility into Application Performance > APM + Mobile APM + RUM: Monitor 3 App instances at just $35/Month > Monitor end-to-end web transactions and take corrective actions now > Troubleshoot faster and improve end-user experience. Signup Now! > http://pubads.g.doubleclick.net/gampad/clk?id=267308311&iu=/4140 > _______________________________________________ > Opensc-devel mailing list > Ope...@li... > https://lists.sourceforge.net/lists/listinfo/opensc-devel > -- --------- CardContact Software & System Consulting |.##> <##.| Andreas Schwier |# #| Schülerweg 38 |# #| 32429 Minden, Germany |'##> <##'| Phone +49 571 56149 --------- http://www.cardcontact.de http://www.tscons.de http://www.openscdp.org http://www.smartcard-hsm.com |
|
From: Daniel P. <da...@po...> - 2016-01-12 22:08:38
|
Hi, I've got a few cards in my drawer that I'm trying to identify. Spec sheets for some versions of these cards only mention SHA-1 while I've come across other spec sheets that mention SHA-256, I'm not sure if there are different versions of the same card, software updates or something else. The cards in question are Athena "ASECard Crypto" and the "CryptoFlex for Windows 32k" Can opensc tell me definitively if these cards have anything better than SHA-1 capability? With SHA-1 being considered insecure, is there any practical use for cards that don't have SHA-256 built-in already? Can they be upgraded somehow to support newer hashes and/or adding ECC support? Regards, Daniel |
|
From: Daniel P. <da...@po...> - 2016-01-12 22:08:17
|
Hi all, I was looking at the specs for Smartcard HSM: http://www.smartcard-hsm.com/features.html#devaut and it suggests that a "Scheme Root CA maintained by CardContact issues certificates for Device Issuer CAs, which in turn issue an unique device certificate for each SmartCard-HSM produced." Does this mean the card has some dependency on the manufacturer/vendor? Is this typical? Regards, Daniel |
|
From: Ludovic R. <lud...@gm...> - 2015-12-29 17:40:17
|
2015-12-29 17:57 GMT+01:00 Nikos Mavrogiannopoulos < n.m...@gm...>: > Hi, > Hello, > I'm lately quite busy and cannot keep up with maintaining libp11 and > engine_pkcs11; for that I'd like to recommend to give the > maintainership of libp11 and engine_pkcs11 to Michal Trojnara (the > author of stunnel). He has already provided few merged (and unmerged) > patches [0], and most importantly he uses these projects and is > willing to plan and make the next releases. > > OK I just invited him in the Engine pkcs11 maintainers [1] and libp11 maintainers [2] teams on github. Michal, if you need something on github please just ask on this opensc-deval mailing list. Thanks to Nikos for your past work and Michal for your future work. Bye [1] https://github.com/orgs/OpenSC/teams/engine-pkcs11-maintainers [2] https://github.com/orgs/OpenSC/teams/libp11-maintainers -- Dr. Ludovic Rousseau |
|
From: Nikos M. <n.m...@gm...> - 2015-12-29 16:57:54
|
Hi, I'm lately quite busy and cannot keep up with maintaining libp11 and engine_pkcs11; for that I'd like to recommend to give the maintainership of libp11 and engine_pkcs11 to Michal Trojnara (the author of stunnel). He has already provided few merged (and unmerged) patches [0], and most importantly he uses these projects and is willing to plan and make the next releases. regards, Nikos [0]. https://github.com/opensc/libp11/pulls |
|
From: Vincent Le T. <vin...@my...> - 2015-12-14 15:45:51
|
My comment about the pin pad is not about the authentication itself but about the fact that you can't cache the pin and that long transaction was a workaround. Vincent Le lundi 14 décembre 2015, Douglas E Engert <dee...@gm...> a écrit : > > https://msdn.microsoft.com/en-us/library/windows/desktop/aa379469%28v=vs.85%29.aspx > says: "If a transaction is held on the card for more than five seconds > with no operations happening on that card," > > The key phrase is: "with no operations happening on the card" > > I would say a pin pad reader prompt is part of the verify command sent to > the reader, and thus would be considered an active operation and not timed. > (I believe the the pinpad reader command has its own timeout too.) > Generating a key on the card should also be considered an active operation > on the card. > The card and the reader should be doing the keep alive protocol for this. > > I think the point is a transaction SCardBeginTransaction - > SCardEndTransaction should not hold the card indefinitely. > The 5 seconds by the middleware should be long enough to get the next > command to the card. > > Any software prompt for a PIN should be done before starting the > transaction to send the verify and crypto operations. > > This may be a problem if OpenSC tries to hold the transaction from verify > to logoff. > https://github.com/frankmorgner Is this what the "atomic" changes are > doing? > > The Microsoft doc also says: "Calling any of the Smart Card and Reader > Access Functions > <https://msdn.microsoft.com/en-us/library/windows/desktop/aa380141%28v=vs.85%29.aspx> > or Direct Card Access Functions > <https://msdn.microsoft.com/en-us/library/windows/desktop/aa375369%28v=vs.85%29.aspx> > on the card > that is transacted results in the timer being reset to continue allowing > the transaction to be used". > > With FireFox, it calls C_GetSessionInfo every few seconds. If > C_GetSessionInfo would force a command to the card > that could keep the session alive. > https://github.com/OpenSC/OpenSC/pull/624 > is a step in that direction. > > > This should be easy to test on W7, if the 30 seconds timer is set to 5 > seconds. > > > On 12/14/2015 3:08 AM, Vincent Le Toux wrote: > > Long apdu are still been performed but that will be a problem with pin pad > sessions. > The workaround for minidriver are called session pin. > You get one with a pin pad then use this session pin for further > authentication > > I do not know a card / minidriver which supports it (gemalto Id prime > included) > > Vincent > > Le lundi 14 décembre 2015, Martin Paljak < > <javascript:_e(%7B%7D,'cvml','ma...@ma...');> > ma...@ma... > <javascript:_e(%7B%7D,'cvml','ma...@ma...');>> a écrit : > >> On 14/12/15 10:37, Ludovic Rousseau wrote: >> > I looks like Microsoft added an undocumented registry key to change the >> 5 >> > seconds delay. >> > >> > Key CardDisconnectPowerDownDelay in >> > HK_local_machine\software\microsoft\cryptography\calais >> > The value defines the delay in seconds. >> > >> > It also looks like this feature is also present in Windows 7 but with a >> 30 >> > seconds delay. >> >> >> Wow, this is funny (not encountered yet) but basically this means that >> generating longer keys (sometimes takes minute(s)) is not possible >> without hacks on Windows, inside a card transaction ? >> >> >> >> >> ------------------------------------------------------------------------------ >> _______________________________________________ >> Opensc-devel mailing list >> Ope...@li... >> https://lists.sourceforge.net/lists/listinfo/opensc-devel >> > > > -- > -- > Vincent Le Toux > > My Smart Logon > www.mysmartlogon.com > > > ------------------------------------------------------------------------------ > > > > _______________________________________________ > Opensc-devel mailing lis...@li... <javascript:_e(%7B%7D,'cvml','Ope...@li...');>https://lists.sourceforge.net/lists/listinfo/opensc-devel > > > -- > > Douglas E. Engert <DEE...@gm...> <javascript:_e(%7B%7D,'cvml','DEE...@gm...');> > > -- -- Vincent Le Toux My Smart Logon www.mysmartlogon.com |
|
From: Douglas E E. <dee...@gm...> - 2015-12-14 15:03:15
|
<html>
<head>
<meta content="text/html; charset=windows-1252"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<a class="moz-txt-link-freetext" href="https://msdn.microsoft.com/en-us/library/windows/desktop/aa379469%28v=vs.85%29.aspx">https://msdn.microsoft.com/en-us/library/windows/desktop/aa379469%28v=vs.85%29.aspx</a><br>
says: "If a transaction is held on the card for more than five
seconds with no operations happening on that card,"<br>
<br>
The key phrase is: "with no operations happening on the card"<br>
<br>
I would say a pin pad reader prompt is part of the verify command
sent to the reader, and thus would be considered an active operation
and not timed.<br>
(I believe the the pinpad reader command has its own timeout too.)
<br>
Generating a key on the card should also be considered an active
operation on the card. <br>
The card and the reader should be doing the keep alive protocol for
this.<br>
<br>
I think the point is a transaction SCardBeginTransaction -
SCardEndTransaction should not hold the card indefinitely. <br>
The 5 seconds by the middleware should be long enough to get the
next command to the card.<br>
<br>
Any software prompt for a PIN should be done before starting the
transaction to send the verify and crypto operations. <br>
<br>
This may be a problem if OpenSC tries to hold the transaction from
verify to logoff.<br>
<a class="moz-txt-link-freetext" href="https://github.com/frankmorgner">https://github.com/frankmorgner</a> Is this what the "atomic" changes
are doing? <br>
<br>
The Microsoft doc also says: "Calling any of the <a
href="https://msdn.microsoft.com/en-us/library/windows/desktop/aa380141%28v=vs.85%29.aspx">Smart
Card and Reader Access Functions</a> or <a
href="https://msdn.microsoft.com/en-us/library/windows/desktop/aa375369%28v=vs.85%29.aspx">Direct
Card Access Functions</a> on the card<br>
that is transacted results in the timer being reset to continue
allowing the transaction to be used".<br>
<br>
With FireFox, it calls C_GetSessionInfo every few seconds. If
C_GetSessionInfo would force a command to the card<br>
that could keep the session alive.
<a class="moz-txt-link-freetext" href="https://github.com/OpenSC/OpenSC/pull/624">https://github.com/OpenSC/OpenSC/pull/624</a><br>
is a step in that direction. <br>
<br>
<br>
This should be easy to test on W7, if the 30 seconds timer is set
to 5 seconds. <br>
<br>
<br>
<div class="moz-cite-prefix">On 12/14/2015 3:08 AM, Vincent Le Toux
wrote:<br>
</div>
<blockquote
cite="mid:CAO...@ma..."
type="cite">Long apdu are still been performed but that will be a
problem with pin pad sessions.
<div>The workaround for minidriver are called session pin.</div>
<div>You get one with a pin pad then use this session pin for
further authentication </div>
<div><br>
</div>
<div>I do not know a card / minidriver which supports it (gemalto
Id prime included)</div>
<div><br>
</div>
<div>Vincent <br>
<br>
Le lundi 14 décembre 2015, Martin Paljak <<a
moz-do-not-send="true" href="mailto:ma...@ma..."><a class="moz-txt-link-abbreviated" href="mailto:ma...@ma...">ma...@ma...</a></a>>
a écrit :<br>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">On 14/12/15
10:37, Ludovic Rousseau wrote:<br>
> I looks like Microsoft added an undocumented registry key
to change the 5<br>
> seconds delay.<br>
><br>
> Key CardDisconnectPowerDownDelay in<br>
> HK_local_machine\software\microsoft\cryptography\calais<br>
> The value defines the delay in seconds.<br>
><br>
> It also looks like this feature is also present in
Windows 7 but with a 30<br>
> seconds delay.<br>
<br>
<br>
Wow, this is funny (not encountered yet) but basically this
means that<br>
generating longer keys (sometimes takes minute(s)) is not
possible<br>
without hacks on Windows, inside a card transaction ?<br>
<br>
<br>
<br>
------------------------------------------------------------------------------<br>
_______________________________________________<br>
Opensc-devel mailing list<br>
<a moz-do-not-send="true" href="javascript:;"
onclick="_e(event, 'cvml',
'Ope...@li...')">Ope...@li...</a><br>
<a moz-do-not-send="true"
href="https://lists.sourceforge.net/lists/listinfo/opensc-devel"
target="_blank">https://lists.sourceforge.net/lists/listinfo/opensc-devel</a><br>
</blockquote>
</div>
<br>
<br>
-- <br>
--<br>
Vincent Le Toux<br>
<br>
My Smart Logon<br>
<a moz-do-not-send="true" href="http://www.mysmartlogon.com/"
target="_blank">www.mysmartlogon.com</a><br>
<br>
<fieldset class="mimeAttachmentHeader"></fieldset>
<br>
<pre wrap="">------------------------------------------------------------------------------
</pre>
<br>
<fieldset class="mimeAttachmentHeader"></fieldset>
<br>
<pre wrap="">_______________________________________________
Opensc-devel mailing list
<a class="moz-txt-link-abbreviated" href="mailto:Ope...@li...">Ope...@li...</a>
<a class="moz-txt-link-freetext" href="https://lists.sourceforge.net/lists/listinfo/opensc-devel">https://lists.sourceforge.net/lists/listinfo/opensc-devel</a>
</pre>
</blockquote>
<br>
<pre class="moz-signature" cols="200">--
Douglas E. Engert <a class="moz-txt-link-rfc2396E" href="mailto:DEE...@gm..."><DEE...@gm...></a>
</pre>
</body>
</html>
|
|
From: Andreas S. <and...@ca...> - 2015-12-14 12:37:59
|
Dear Evan, if you register at the CDN [1], then I can enable access to the SmartCard-HSM SDK which contains a script to decode the wrapped key container. Andreas [1] http://www.cardcontact.de/cdn/about.html On 12/14/2015 01:00 PM, Evan Anderson wrote: > I recently acquired a Nitrokey HSM for testing for one of my Customers. The > feature-set of the SmartCard-HSM software appears to be quite good and a > nearly perfect fit for my Customer's needs. > > My Customer will be signing firmware for a series of embedded control > devices w/ RSA keys. These devices have a planned 15-20 year lifetime in the > field/market (embedded devices attached to very large, very expensive pieces > of machinery with long service lifetimes). Losing access to the firmware > signing key during the device's supported lifetime would be quite bad > (physically recalling the devices and replacing secure SoC devices w/ public > keys stored in on-chip fuse-protected bootloader flash). > > While the built-in key backup/restore functionality in SmartCard-HSM looks > quite good, I'm concerned that without details of the > key-wrapping/unwrapping algorithm my Customer could find themselves, in the > future, in a situation where SmartCard-HSM is no longer available for > purchase. I am reticent to simply recommend assuming that the Customer > purchase extra devices to hold in storage and hope that they will remain > functional for 10+ years. My Customer is already accustomed to supporting > devices in the field w/ 15+ year lifetimes, so this concern is a very real > one to them. > > Are there details of the DKEK key-wrapping/unwrapping algorithm available > (under NDA and/or for a fee, if necessary) that would enable my Customer to > have confidence that, even if the SmartCard-HSM product were discontinued > and no longer available, they would be able to bring the DKEK shares and > key-backup together to reconstruct their key to load into some new device? > > As an alternative to understanding the DKEK key-wrapping/unwrapping > algorithm, is there functionality to import an externally-generated key into > the SmartCard-HSM product? I see a reference here > <http://www.smartcard-hsm.com/features.html#keyimport> but I've reviewed all > the materials I can find publicly, and on the CardContact Developer Network > website, and I am not finding any examples or documentation showing how to > perform this import. On this mailing list, as recently as October 2015 > (under the thread "Cannot delete imported private key from SmartCard-HSM") I > am seeing statements that make me think that this import functionality may > have difficulties. > > Thank you, > Evan Anderson > Wellbury LLC > Troy, OH, US > > > ------------------------------------------------------------------------------ > _______________________________________________ > Opensc-devel mailing list > Ope...@li... > https://lists.sourceforge.net/lists/listinfo/opensc-devel > -- --------- CardContact Software & System Consulting |.##> <##.| Andreas Schwier |# #| Schülerweg 38 |# #| 32429 Minden, Germany |'##> <##'| Phone +49 571 56149 --------- http://www.cardcontact.de http://www.tscons.de http://www.openscdp.org http://www.smartcard-hsm.com -- --------- CardContact Software & System Consulting |.##> <##.| Andreas Schwier |# #| Schülerweg 38 |# #| 32429 Minden, Germany |'##> <##'| Phone +49 571 56149 --------- http://www.cardcontact.de http://www.tscons.de http://www.openscdp.org http://www.smartcard-hsm.com |
|
From: Evan A. <EAn...@we...> - 2015-12-14 12:16:59
|
I recently acquired a Nitrokey HSM for testing for one of my Customers. The feature-set of the SmartCard-HSM software appears to be quite good and a nearly perfect fit for my Customer's needs. My Customer will be signing firmware for a series of embedded control devices w/ RSA keys. These devices have a planned 15-20 year lifetime in the field/market (embedded devices attached to very large, very expensive pieces of machinery with long service lifetimes). Losing access to the firmware signing key during the device's supported lifetime would be quite bad (physically recalling the devices and replacing secure SoC devices w/ public keys stored in on-chip fuse-protected bootloader flash). While the built-in key backup/restore functionality in SmartCard-HSM looks quite good, I'm concerned that without details of the key-wrapping/unwrapping algorithm my Customer could find themselves, in the future, in a situation where SmartCard-HSM is no longer available for purchase. I am reticent to simply recommend assuming that the Customer purchase extra devices to hold in storage and hope that they will remain functional for 10+ years. My Customer is already accustomed to supporting devices in the field w/ 15+ year lifetimes, so this concern is a very real one to them. Are there details of the DKEK key-wrapping/unwrapping algorithm available (under NDA and/or for a fee, if necessary) that would enable my Customer to have confidence that, even if the SmartCard-HSM product were discontinued and no longer available, they would be able to bring the DKEK shares and key-backup together to reconstruct their key to load into some new device? As an alternative to understanding the DKEK key-wrapping/unwrapping algorithm, is there functionality to import an externally-generated key into the SmartCard-HSM product? I see a reference here <http://www.smartcard-hsm.com/features.html#keyimport> but I've reviewed all the materials I can find publicly, and on the CardContact Developer Network website, and I am not finding any examples or documentation showing how to perform this import. On this mailing list, as recently as October 2015 (under the thread "Cannot delete imported private key from SmartCard-HSM") I am seeing statements that make me think that this import functionality may have difficulties. Thank you, Evan Anderson Wellbury LLC Troy, OH, US |
|
From: Vincent Le T. <vin...@my...> - 2015-12-14 09:09:09
|
Long apdu are still been performed but that will be a problem with pin pad sessions. The workaround for minidriver are called session pin. You get one with a pin pad then use this session pin for further authentication I do not know a card / minidriver which supports it (gemalto Id prime included) Vincent Le lundi 14 décembre 2015, Martin Paljak <ma...@ma...> a écrit : > On 14/12/15 10:37, Ludovic Rousseau wrote: > > I looks like Microsoft added an undocumented registry key to change the 5 > > seconds delay. > > > > Key CardDisconnectPowerDownDelay in > > HK_local_machine\software\microsoft\cryptography\calais > > The value defines the delay in seconds. > > > > It also looks like this feature is also present in Windows 7 but with a > 30 > > seconds delay. > > > Wow, this is funny (not encountered yet) but basically this means that > generating longer keys (sometimes takes minute(s)) is not possible > without hacks on Windows, inside a card transaction ? > > > > > ------------------------------------------------------------------------------ > _______________________________________________ > Opensc-devel mailing list > Ope...@li... <javascript:;> > https://lists.sourceforge.net/lists/listinfo/opensc-devel > -- -- Vincent Le Toux My Smart Logon www.mysmartlogon.com |
|
From: Martin P. <ma...@ma...> - 2015-12-14 08:42:50
|
On 14/12/15 10:37, Ludovic Rousseau wrote: > I looks like Microsoft added an undocumented registry key to change the 5 > seconds delay. > > Key CardDisconnectPowerDownDelay in > HK_local_machine\software\microsoft\cryptography\calais > The value defines the delay in seconds. > > It also looks like this feature is also present in Windows 7 but with a 30 > seconds delay. Wow, this is funny (not encountered yet) but basically this means that generating longer keys (sometimes takes minute(s)) is not possible without hacks on Windows, inside a card transaction ? |
|
From: Ludovic R. <lud...@gm...> - 2015-12-14 08:38:18
|
Hello, I looks like Microsoft added an undocumented registry key to change the 5 seconds delay. Key CardDisconnectPowerDownDelay in HK_local_machine\software\microsoft\cryptography\calais The value defines the delay in seconds. It also looks like this feature is also present in Windows 7 but with a 30 seconds delay. This is all untested by me. I am not a Windows user. I think we have Windows experts here that can confirm the use of this registry key. I don't know why Microsoft decided to to that. Maybe that is a good idea after all. Regards, 2015-12-13 22:18 GMT+01:00 Douglas E Engert <dee...@gm...>: > Sounds like a call to SCardStatus resets the 5 second timer. Could a > thread be added with a 2 second timer to to keep the transaction alive? > May not help with debugging. > > > > > On 12/13/2015 12:42 PM, Jaroslav Imrich wrote: > > As a result there are also commercial middleware solutions available out > there which display their own PIN dialog during the signing operation and > you need to enter your PIN in less then 5 seconds otherwise signing > operation fails :) > > Regards, Jaroslav > > > On Sun, Dec 13, 2015 at 7:09 PM, Vincent Le Toux < > <vin...@my...>vin...@my...> wrote: > >> Hi, >> >> I just want to share something on which I've lost my day before finding >> this: >> Since Windows 10 (8?) the card is reset if a smart card transaction is >> inactive for 5 seconds. >> >> Quote: "If a transaction is held on the card for more than five seconds >> with no operations happening on that card, then the card is reset. Calling >> any of the Smart Card and Reader Access Functions or Direct Card Access >> Functions on the card that is transacted results in the timer being reset >> to continue allowing the transaction to be used." >> source: >> https://msdn.microsoft.com/en-us/library/windows/desktop/aa379469%28v=vs.85%29.aspx >> >> This timeout was not active on Windows 7. >> Not easy to attach a debugger to debug OpenSC with that ... >> >> regards, >> -- >> -- >> Vincent Le Toux >> >> My Smart Logon >> www.mysmartlogon.com >> >> >> ------------------------------------------------------------------------------ >> >> _______________________________________________ >> Opensc-devel mailing list >> Ope...@li... >> https://lists.sourceforge.net/lists/listinfo/opensc-devel >> >> > > ------------------------------------------------------------------------------ > > > > _______________________________________________ > Opensc-devel mailing lis...@li...://lists.sourceforge.net/lists/listinfo/opensc-devel > > > -- > > Douglas E. Engert <DEE...@gm...> <DEE...@gm...> > > > > ------------------------------------------------------------------------------ > > _______________________________________________ > Opensc-devel mailing list > Ope...@li... > https://lists.sourceforge.net/lists/listinfo/opensc-devel > > -- Dr. Ludovic Rousseau |
|
From: Douglas E E. <dee...@gm...> - 2015-12-13 21:26:21
|
<html>
<head>
<meta content="text/html; charset=windows-1252"
http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
Sounds like a call to SCardStatus resets the 5 second timer. Could
a thread be added with a 2 second timer to to keep the transaction
alive? May not help with debugging.<br>
<br>
<br>
<br>
<div class="moz-cite-prefix">On 12/13/2015 12:42 PM, Jaroslav Imrich
wrote:<br>
</div>
<blockquote
cite="mid:CAB6OCMvhWWCNy2=QjZ...@ma..."
type="cite">
<div dir="ltr">As a result there are also commercial middleware
solutions available out there which display their own PIN dialog
during the signing operation and you need to enter your PIN in
less then 5 seconds otherwise signing operation fails :)<br>
<div class="gmail_extra"><br>
</div>
<div class="gmail_extra">Regards, Jaroslav<br>
<br>
</div>
<div class="gmail_extra"><br>
<div class="gmail_quote">On Sun, Dec 13, 2015 at 7:09 PM,
Vincent Le Toux <span dir="ltr"><<a
moz-do-not-send="true"
href="mailto:vin...@my..."
target="_blank"><a class="moz-txt-link-abbreviated" href="mailto:vin...@my...">vin...@my...</a></a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
<div dir="ltr">
<div>
<div>
<div>Hi,<br>
<br>
</div>
I just want to share something on which I've lost my
day before finding this:<br>
</div>
Since Windows 10 (8?) the card is reset if a smart
card transaction is inactive for 5 seconds.<br>
<br>
</div>
Quote: "If a transaction is held on the card for more
than five seconds with no operations happening on that
card, then the card is reset. Calling any of the Smart
Card and Reader Access Functions or Direct Card Access
Functions on the card that is transacted results in the
timer being reset to continue allowing the transaction
to be used."
<div>
<div>
<div>
<div>
<div>source: <a moz-do-not-send="true"
href="https://msdn.microsoft.com/en-us/library/windows/desktop/aa379469%28v=vs.85%29.aspx"
target="_blank">https://msdn.microsoft.com/en-us/library/windows/desktop/aa379469%28v=vs.85%29.aspx</a><br>
<br>
</div>
<div>This timeout was not active on Windows 7.<br>
</div>
<div>Not easy to attach a debugger to debug
OpenSC with that ...<br>
</div>
<div><br>
</div>
<div>regards,<span class="HOEnZb"><font
color="#888888"><br>
-- <br>
</font></span></div>
<span class="HOEnZb"><font color="#888888">
<div>
<div>--<br>
Vincent Le Toux<br>
<br>
My Smart Logon<br>
<a moz-do-not-send="true"
href="http://www.mysmartlogon.com/"
target="_blank">www.mysmartlogon.com</a></div>
</div>
</font></span></div>
</div>
</div>
</div>
</div>
<br>
------------------------------------------------------------------------------<br>
<br>
_______________________________________________<br>
Opensc-devel mailing list<br>
<a moz-do-not-send="true"
href="mailto:Ope...@li...">Ope...@li...</a><br>
<a moz-do-not-send="true"
href="https://lists.sourceforge.net/lists/listinfo/opensc-devel"
rel="noreferrer" target="_blank">https://lists.sourceforge.net/lists/listinfo/opensc-devel</a><br>
<br>
</blockquote>
</div>
</div>
</div>
<br>
<fieldset class="mimeAttachmentHeader"></fieldset>
<br>
<pre wrap="">------------------------------------------------------------------------------
</pre>
<br>
<fieldset class="mimeAttachmentHeader"></fieldset>
<br>
<pre wrap="">_______________________________________________
Opensc-devel mailing list
<a class="moz-txt-link-abbreviated" href="mailto:Ope...@li...">Ope...@li...</a>
<a class="moz-txt-link-freetext" href="https://lists.sourceforge.net/lists/listinfo/opensc-devel">https://lists.sourceforge.net/lists/listinfo/opensc-devel</a>
</pre>
</blockquote>
<br>
<pre class="moz-signature" cols="200">--
Douglas E. Engert <a class="moz-txt-link-rfc2396E" href="mailto:DEE...@gm..."><DEE...@gm...></a>
</pre>
</body>
</html>
|
|
From: Jaroslav I. <jar...@gm...> - 2015-12-13 18:42:47
|
As a result there are also commercial middleware solutions available out there which display their own PIN dialog during the signing operation and you need to enter your PIN in less then 5 seconds otherwise signing operation fails :) Regards, Jaroslav On Sun, Dec 13, 2015 at 7:09 PM, Vincent Le Toux < vin...@my...> wrote: > Hi, > > I just want to share something on which I've lost my day before finding > this: > Since Windows 10 (8?) the card is reset if a smart card transaction is > inactive for 5 seconds. > > Quote: "If a transaction is held on the card for more than five seconds > with no operations happening on that card, then the card is reset. Calling > any of the Smart Card and Reader Access Functions or Direct Card Access > Functions on the card that is transacted results in the timer being reset > to continue allowing the transaction to be used." > source: > https://msdn.microsoft.com/en-us/library/windows/desktop/aa379469%28v=vs.85%29.aspx > > This timeout was not active on Windows 7. > Not easy to attach a debugger to debug OpenSC with that ... > > regards, > -- > -- > Vincent Le Toux > > My Smart Logon > www.mysmartlogon.com > > > ------------------------------------------------------------------------------ > > _______________________________________________ > Opensc-devel mailing list > Ope...@li... > https://lists.sourceforge.net/lists/listinfo/opensc-devel > > |
|
From: Vincent Le T. <vin...@my...> - 2015-12-13 18:09:22
|
Hi, I just want to share something on which I've lost my day before finding this: Since Windows 10 (8?) the card is reset if a smart card transaction is inactive for 5 seconds. Quote: "If a transaction is held on the card for more than five seconds with no operations happening on that card, then the card is reset. Calling any of the Smart Card and Reader Access Functions or Direct Card Access Functions on the card that is transacted results in the timer being reset to continue allowing the transaction to be used." source: https://msdn.microsoft.com/en-us/library/windows/desktop/aa379469%28v=vs.85%29.aspx This timeout was not active on Windows 7. Not easy to attach a debugger to debug OpenSC with that ... regards, -- -- Vincent Le Toux My Smart Logon www.mysmartlogon.com |
|
From: Ryan C. <ry...@rc...> - 2015-12-12 07:52:14
|
Thanks for the pointers Douglas. You were right--the size of the CHUID object was incorrect (53 <length> xx xx xx). I was able to use the function you suggested in PIVDataTempl.java to encode the signed CHUID and then use piv-tool to load it successfully.
On Dec 7, 2015, at 10:44 AM, Douglas E Engert <dee...@gm...> wrote:
> looking at keysupport/nist80073/datamodel/PIVCardHolderUniqueID.java
> it looks like getEncoded()
> does an encode().
>
> Bit the encode() line 203 does:
> this.chuid = baos.toByteArray();
>
> but this does not have the PIV_DATA TLV that piv-tool is expecting.
>
> ./nist80073/cardedge/PIVDataTempl.java encode will add this:
>
> 111 TLV _data = BERTLVFactory.encodeTLV(new Tag(Tag.PIV_DATA), this.data);
>
>
>
> On 12/7/2015 1:42 AM, Ryan Chapman wrote:
>> Hi,
>>
>> I'm trying to get an asymmetric CHUID signature on a PIV card, in this case a Yubikey NEO. The FIPS 201 standard requires it, but yubkey-piv-tool only supports writing a random chuid to the card.
>> The basic question is... does someone have an example program that, given a signing certificate and associated private key, can write the asymmetric key to a PIV card??
>>
>> I'm close, but am stuck on long CHUIDs. I can write a short length one successfully, but the longer one required for the asymmetric key is failing.
>>
>> Now a little more detail on what I've got so far, if anyone cares...
>> I've using the piv-tool program to write a short CHUID like so:
>>
>> # Check current CHUID
>> $ piv-tool -A A:9B:03 -s "00:CB:3F:FF:05:5C:03:5F:C1:02:00"
>> Using reader with a card: Yubico Yubikey NEO CCID
>> Sending: 00 CB 3F FF 05 5C 03 5F C1 02 00
>> Received (SW1=0x90, SW2=0x00):
>> 53 3B 30 19 D4 E7 39 DA 73 9C ED 39 CE 73 9D 83 S;0...9.s..9.s..
>> 68 58 21 08 42 10 84 21 38 42 10 C3 F5 34 10 78 hX!.B..!8B...4.x
>> E1 97 B4 5A CA C0 1A 82 64 63 A9 92 3B 56 26 35 ...Z....dc..;V&5
>> 08 32 30 33 30 30 31 30 31 3E 00 FE 00 .20300101>...
>>
>> # Write desired CHUID to file 'chuid'
>> $ X="53:3B:30:19:D4:E7:39:DA:73:9C:ED:39:CE:73:9D:83:68:58:21:08:42:10:84:21:38:42:10:C3:F5:34:10:37:6F:92:E6:EA:92:65:85:0B:AB:D6:9D:73:8B:15:F0:35:08:32:30:33:30:30:31:30:31:3E:00:FE:00"
>>
>> $ (OLDIFS=$IFS; IFS=:; for x in $X; do echo 0x$x | awk '{printf "%c", $1}'; done; IFS=$OLDIFS ) > chuid
>>
>> # Write chuid file to the Yubikey
>> $ piv-tool -A A:9B:03 -O 3000 -i chuid
>> Using reader with a card: Yubico Yubikey NEO CCID
>>
>> # Verify it worked... appears to have worked
>> $ piv-tool -A A:9B:03 -s "00:CB:3F:FF:05:5C:03:5F:C1:02:00"
>> Using reader with a card: Yubico Yubikey NEO CCID
>> Sending: 00 CB 3F FF 05 5C 03 5F C1 02 00
>> Received (SW1=0x90, SW2=0x00):
>> 53 3B 30 19 D4 E7 39 DA 73 9C ED 39 CE 73 9D 83 S;0...9.s..9.s..
>> 68 58 21 08 42 10 84 21 38 42 10 C3 F5 34 10 37 hX!.B..!8B...4.7
>> 6F 92 E6 EA 92 65 85 0B AB D6 9D 73 8B 15 F0 35 o....e.....s...5
>> 08 32 30 33 30 30 31 30 31 3E 00 FE 00 .20300101>...
>>
>> TLV '3E' is where the asymmetric signature goes. Above, look at the last four bytes '3E 00 FE 00'; the '3E 00' signifies a null asymmetric signature.
>>
>> I loaded my cert authority's pub/private keypair in the java keystore, then used the library at https://code.google.com/p/keysupport-java-api/ to generate the CHUID signature, which ends up being 2077 (0x81D) bytes, a little strange, but ok.
>>
>> I then try the same thing as before, but encode the '3E' TLV as such:
>> 3E 82 08 1D .. .. <total of 2077 bytes for CHUID asymmetric signature payload> .. ..
>> 82 08 1D is BER-TLV to indicate 2077 bytes
>>
>> What ended up in the 'chuid' file:
>> 53 3b 30 19 d4 e7 39 da 73 9c ed 39 ce 73 9d 83 68 58 21 08 42 10 84 21 38 42 10 c3 f5 34 10 05 9b 23 97 21 6e ee b0 2d b8 d6 01 0a 69 99 3c 35 08 32 30 33 30 30 31 30 31 3e 82 08 1d .. .. <2077 bytes for asymm signature> .. .. fe 00
>>
>> When I attempt to write the 'chuid' file using piv-tools, I get this error:
>>
>> $ piv-tool -A A:9B:03 -O 3000 -i chuid
>> Using reader with a card: Yubico Yubikey NEO CCID
>> object tag or length not valid
>>
>> I'm hoping I missed something elementary. Any ideas?
>>
>> Thanks
>>
>> Ryan
>>
>>
>>
>> ------------------------------------------------------------------------------
>> Go from Idea to Many App Stores Faster with Intel(R) XDK
>> Give your users amazing mobile app experiences with Intel(R) XDK.
>> Use one codebase in this all-in-one HTML5 development environment.
>> Design, debug & build mobile apps & 2D/3D high-impact games for multiple OSs.
>> http://pubads.g.doubleclick.net/gampad/clk?id=254741911&iu=/4140
>>
>>
>> _______________________________________________
>> Opensc-devel mailing list
>> Ope...@li...
>> https://lists.sourceforge.net/lists/listinfo/opensc-devel
>
> --
>
> Douglas E. Engert <DEE...@gm...>
>
> ------------------------------------------------------------------------------
> Go from Idea to Many App Stores Faster with Intel(R) XDK
> Give your users amazing mobile app experiences with Intel(R) XDK.
> Use one codebase in this all-in-one HTML5 development environment.
> Design, debug & build mobile apps & 2D/3D high-impact games for multiple OSs.
> http://pubads.g.doubleclick.net/gampad/clk?id=254741911&iu=/4140_______________________________________________
> Opensc-devel mailing list
> Ope...@li...
> https://lists.sourceforge.net/lists/listinfo/opensc-devel
|
5 messages has been excluded from this view by a project administrator.
