opensc-devel — discussion of developement of OpenSC and related projects

Re: [Opensc-devel] Preventing malformed ODFs causing segfaults.

[Dirk-Willem v. G. <di...@we...>]

> On 02 Jun 2015, at 18:36, Douglas E Engert <dee...@gm...> wrote:
> 
> 
> 
> On 6/2/2015 10:32 AM, Dirk-Willem van Gulik wrote:
>> We seem to be a bit trusting of the cruft which can be on a card; found I needed below to stop naughty cards
>> from causing segfaults (and hence locking subsequent users out of their desktops (a bit of fragility outside OpenSC)).
>> 
>> Just wondering - is this sort of thing common (and should I scan most of the code for this) — or have i found a rare case ?
> 
> It depends. The part of OpenSC that tries to determine the type of card, would be more likely to run into "naughty cards"
> or cards that don't follow all the standards or cards that have not been initialized as expected.
> 
> Cards that may have worked with older versions of OpenSC, may not work with newer versions, as newer code
> may not have been tested against the older cards For example There are cards that emulate PKCS#15 and newer code
> added to OpenSC for example the sc_enum_apps() may not be emulated correctly. For example the ODF in older code
> does not need to be emulated. Not clear if it does now.
> 
> Older versions of cards that may have worked before. But newer versions of the card or the files on new cards
> are not the same as before because the card issuer changed something.
> 
> Can you say what cards caused these problems?

We dove into this because we saw a card specifically designed to make (login) daemons segfault (and hence fall back to lesser systems due to non ideal designed  processes). 

This is basically an organisational/procedure attack - where a DoS leads to the human/apparatus complex to do unsafe things to tide over; and the exploit is then there; not in OpenSC per-se.

By pure co-incidence (going through old logs) we discovered that various AET cards; including a card issued to most Dutch civil servants also causes pretty much all opensc tools (and pkcs11/15) to segfault. 

In this case it is more ‘silly’ — cards respond to queries with a:

{
 	(char []) "I am the SafeSign Applet of A.E.T. Europe B.V. please authenticate yourself\n”,
	0x90, 0x00 
}

that confuses OpenSC enough to segfault in various places on mere insertion/query.

Dw.

> 
>> 
>> Dw.
>> 
>> https://github.com/OpenSC/OpenSC/commit/1061b5ded0edbc6a1f2cb4fd599b7c950ffe18ff
>> 
>> src/libopensc/dir.c
>> @@ -149,6 +149,10 @@ int sc_enum_apps(sc_card_t *card)
>>  	r = sc_select_file(card, &path, &card->ef_dir);
>>  	LOG_TEST_RET(ctx, r, "Cannot select EF.DIR file");
>> 
>> +	if (card->ef_dir == NULL) {
>> +		LOG_TEST_RET(ctx, SC_ERROR_INVALID_CARD, "EF(DIR) nonexistant.");
>> +	}
>> +
>>  	if (card->ef_dir->type != SC_FILE_TYPE_WORKING_EF) {
>>  		sc_file_free(card->ef_dir);
>>  		card->ef_dir = NULL;
>> 
>> src/libopensc/pkcs15.c
>> @@ -1044,6 +1044,10 @@ sc_pkcs15_bind_internal(struct sc_pkcs15_card *p15card, struct sc_aid *aid)
>>  			sc_log(ctx, "Cannot make absolute path to EF(ODF); error:%i", err);
>>  			goto end;
>>  		}
>> +		if (p15card->file_odf == NULL) {
>> +			sc_log(ctx, "After making absolute path to EF(ODF) still no odf.");
>> +			goto end;
>> +		}
>>  		sc_log(ctx, "absolute path to EF(ODF) %s", sc_print_path(&tmppath));
>>  		err = sc_select_file(card, &tmppath, &p15card->file_odf);
>>  	}
>> @@ -1059,6 +1063,8 @@ sc_pkcs15_bind_internal(struct sc_pkcs15_card *p15card, struct sc_aid *aid)
>>  		goto end;
>>  	}
>> 
>> +	assert(p15card->file_odf);
>> +
>>  	len = p15card->file_odf->size;
>>  	if (!len) {
>>  		sc_log(ctx, "EF(ODF) is empty”);
>> 
>> 
>> 
>> ------------------------------------------------------------------------------
>> _______________________________________________
>> Opensc-devel mailing list
>> Ope...@li... <mailto:Ope...@li...>
>> https://lists.sourceforge.net/lists/listinfo/opensc-devel <https://lists.sourceforge.net/lists/listinfo/opensc-devel>
>> 
> 
> -- 
> 
>  Douglas E. Engert  <DEE...@gm... <mailto:DEE...@gm...>>
> 
> 
> ------------------------------------------------------------------------------
> _______________________________________________
> Opensc-devel mailing list
> Ope...@li... <mailto:Ope...@li...>
> https://lists.sourceforge.net/lists/listinfo/opensc-devel <https://lists.sourceforge.net/lists/listinfo/opensc-devel>

Re: [Opensc-devel] Oberthur Cosmo v7.0-n card support

[Viktor T. <vik...@gm...>]

Hi,

support of Oberthur's cards has been implemented long time ago, and have not been updated for the new cards.

AuthentIC applet has (had) it's own file system, not PKCS#15. OpenSC implements emulator PKCS#15 for 'read' and 'write' mode.
You can get an insight onto this file system from pkcs15-init profile files (authentic.profile, oberthur.profile).

On your place I would start from looking onto dialog between card and the native Oberthur's MW, using the USB sniffer.
 From here, with a little chance, you will get know the AIDs, expected file system, expected content, ...

Best regards,
Viktor.






On 06/02/2015 10:38 AM, Fabian Leiros Carrera wrote:
> On 5/26/2015 7:01 AM, Fabian Leiros Carrera wrote:
>> Hello everyone,
>>
>> I'm trying to make OpenSC work with different models of Oberthur smartcards:
>>
>> - Cosmo64 RSA v5.2 (applet: 2.17)
>> - Cosmo v7.0-n (applet: 2.17)
> Thank you for your answer Douglas
>
>> How did you get them?
> I got them from a client who is currently using Oberthur's AWP and who is considering the possibility of changing to OpenSC.
>
>> Are the blank?
> No they are not, both cards are initialized.
>
>> Did you get a manual with transport keys, etc.
> No, I didn't
>
>> Do they an applet on the card?
>   I am quite new to this technologies and I am not really sure, but I suppose they do because Oberthur's software (Authentic Web Pack) shows an "Applet: 2.17" line in the card's information tab.
>
>> Card issuers like governments, usually have the manufacturer provide the cards with an applet installed. You could write an applet, like muscle to the card, but you need the manual with the keys.
> Could you elaborate on this please? What will this applet do? How will it allow OpenSC to recognise the v7.0-n cards?
>
>> Google for: Oberthur Cosmo v7.0-n muscle or Oberthur Cosmo v7.0-n
>>
>> Up until now I only have been able to make the first card model work with OpenSC 0.14.0.
>>
>> After reading this https://github.com/OpenSC/OpenSC/wiki/Oberthur-AuthentIC-applet-v2.2 I assumed that Cosmo v7.0-n model is not supported, but I am not quite sure.
>>
>> Could anyone confirm if Cosmo v7.0-n model is supported by OpenSC please?
>>
>> If no, what would need to be done in order to support it?
>>
>> If it is supported, I am detailing at the end of the email how I am installing and setting up OpenSC. What am I doing wrong?
>>
>> Thank you so much for your help.
>> Best regards
>> Fabián
>>
>> ----------------------------------------------------------------------
>> --------------------------------------------
>>
>> - Install both x86 and x64 versions of OpenSC on a Windows 7 x64
>> computer
>> - Add a new entry at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Calais\SmartCards\" for Cosmo64 RSA v5.2 including its ATR:
>>
>>           [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Calais\SmartCards\AuthenticV5]
>>           "80000001"="opensc-minidriver.dll"
>>           "Crypto Provider"="Microsoft Base Smart Card Crypto Provider"
>>           "ATR"=hex:3b,7d,18,00,00,00,31,80,71,8e,64,77,e3,01,00,82,90,00
>>           "ATRMask"=hex:ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff
>>           "Smart Card Key Storage Provider"="Microsoft Smart Card Key Storage Provider"
>>
>> - Add the same entry at "HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Calais\SmartCards\"
>> - Restart "Certificate Propagation" service.
>>
>> - Plug-in the Cosmo64 RSA v5.2:
>>           - the certificate will be imported correctly to Windows certificate store.
>>           - "opensc-tool.exe -n" will return the name of the card correctly
>>                   C:\Program Files\OpenSC Project\OpenSC\tools>opensc-tool.exe -n
>>                   Using reader with a card: SCM Microsystems Inc. SCR3310 v2.0 USB SC Reader 0
>>                   AuthentIC v5
>>
>>           -  "opensc-tool.exe -a" returns the card's ATR
>>                   C:\Program Files\OpenSC Project\OpenSC\tools>opensc-tool.exe -a
>>                   Using reader with a card: SCM Microsystems Inc. SCR3310 v2.0 USB SC Reader 0
>>                   3b:7d:18:00:00:00:31:80:71:8e:64:77:e3:01:00:82:90:00
>>
>>           - "pkcs15-tool.exe -c" will output information about my
>> certificate
>>
>> - So far, so good, so now I add two new Registry entries, on both x86 and x64 hives, for the Cosmo v7.0-n card:
>>
>>           [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Calais\SmartCards\AuthentIC v7]
>>           "80000001"="opensc-minidriver.dll"
>>           "Crypto Provider"="Microsoft Base Smart Card Crypto Provider"
>>           "ATR"=hex:3b,5b,96,00,00,31,c0,64,ba,fc,10,00,0f,90,00
>>           ATRMask"=hex:ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff
>>           "Smart Card Key Storage Provider"="Microsoft Smart Card Key Storage Provider"
>>
>> - Now I plug in the Cosmo v7.0-n card and:
>>           - the certificate is not imported to Windows certificate store.
>>           -"opensc-tool -n" returns " Unsupported card"
>>                   C:\Program Files\OpenSC Project\OpenSC\tools>opensc-tool.exe -n
>>                   Using reader with a card: SCM Microsystems Inc. SCR3310 v2.0 USB SC Reader 0
>>                   Unsupported card
>>
>>           - "opensc-tool.exe -a" returns the card's ATR
>>                   C:\Program Files\OpenSC Project\OpenSC\tools>opensc-tool.exe -a
>>                   Using reader with a card: SCM Microsystems Inc. SCR3310 v2.0 USB SC Reader 0
>>                   3b:5b:96:00:00:31:c0:64:ba:fc:10:00:0f:90:00
>>
>>           - "pkcs15-tool.exe -c" also returns an error:
>>                   C:\Program Files\OpenSC Project\OpenSC\tools>pkcs15-tool.exe -c
>>                   Using reader with a card: SCM Microsystems Inc. SCR3310 v2.0 USB SC Reader 0
>>                   Failed to connect to card: Card is invalid or cannot
>> be handled
>>
>> - "opensc-tool.exe --list-drivers " shows two Oberthur drivers:
>>           oberthur         Oberthur AuthentIC.v2/CosmopolIC.v4
>>           authentic        Oberthur AuthentIC v3.1
>>
>> - I add a new "atr" entry on "opensc.conf" at "Program Files" and "Program Files (x86)" folders:
>>
>>           # Oberthur's AuthentIC v7
>>           card_atr 3B:5B:96:00:00:31:C0:64:BA:FC:10:00:0F:90:00 {
>>                                   type = 11100;
>>                                   driver = "authentic";
>>                                   name = "AuthentIC v7";
>>                   }
>>
>> - Plug in the Cosmo v7.0-n card and:
>>           -"opensc-tool -n" changes its output:
>>                   C:\Program Files\OpenSC Project\OpenSC\tools>opensc-tool.exe -n
>>                   Using reader with a card: SCM Microsystems Inc. SCR3310 v2.0 USB SC Reader 0
>>                   Failed to connect to card: File not found
>>
>>           - Same thing with "opensc-tool.exe -a":
>>                   C:\Program Files\OpenSC Project\OpenSC\tools>opensc-tool.exe -a
>>                   Using reader with a card: SCM Microsystems Inc. SCR3310 v2.0 USB SC Reader 0
>>                   Failed to connect to card: File not found
>>
>>           - And with "pkcs15-tool.exe -c":
>>                   C:\Program Files\OpenSC Project\OpenSC\tools>pkcs15-tool.exe -c
>>                   Using reader with a card: SCM Microsystems Inc. SCR3310 v2.0 USB SC Reader 0
>>                   Failed to connect to card: File not found
>>
>> - Now I change the "atr" entries on "opensc.conf" files to:
>>
>>           # Oberthur's AuthentIC v7
>>           card_atr 3B:5B:96:00:00:31:C0:64:BA:FC:10:00:0F:90:00 {
>>                                   type = 11100;
>>                                   driver = "oberthur";
>>                                   name = "AuthentIC v7";
>>                   }
>>
>> - And I get this outputs with Cosmo v7.0-n card plugged in:
>>           -"opensc-tool -n":
>>                   C:\Program Files\OpenSC Project\OpenSC\tools>opensc-tool.exe -n
>>                   Using reader with a card: SCM Microsystems Inc. SCR3310 v2.0 USB SC Reader 0
>>                   AuthentIC v5
>>
>>           -"opensc-tool -a":
>>                   C:\Program Files\OpenSC Project\OpenSC\tools>opensc-tool.exe -a
>>                   Using reader with a card: SCM Microsystems Inc. SCR3310 v2.0 USB SC Reader 0
>>                   3b:5b:96:00:00:31:c0:64:ba:fc:10:00:0f:90:00
>>
>>           - "pkcs15-tool.exe -c":
>>                   C:\Program Files\OpenSC Project\OpenSC\tools>pkcs15-tool.exe -c
>>                   Using reader with a card: SCM Microsystems Inc. SCR3310 v2.0 USB SC Reader 0
>>                   PKCS#15 binding failed: Unsupported card
>
>
>
>
>> ----------------------------------------------------------------------
>> -------- One dashboard for servers and applications across
>> Physical-Virtual-Cloud Widest out-of-the-box monitoring support with
>> 50+ applications Performance metrics, stats and reports that give you
>> Actionable Insights Deep dive visibility with transaction tracing
>> using APM Insight.
>> http://ad.doubleclick.net/ddm/clk/290420510;117567292;y
>> _______________________________________________
>> Opensc-devel mailing list
>> Ope...@li...
>> https://lists.sourceforge.net/lists/listinfo/opensc-devel
>>
> --
>
>    Douglas E. Engert  <DEE...@gm...>
>
>
> ------------------------------------------------------------------------------
> _______________________________________________
> Opensc-devel mailing list
> Ope...@li...
> https://lists.sourceforge.net/lists/listinfo/opensc-devel
>
> ________________________________
>
> AVISO DE CONFIDENCIALIDAD.
> Este correo y la información contenida o adjunta al mismo es privada y confidencial y va dirigida exclusivamente a su destinatario. everis informa a quien pueda haber recibido este correo por error que contiene información confidencial cuyo uso, copia, reproducción o distribución está expresamente prohibida. Si no es Vd. el destinatario del mismo y recibe este correo por error, le rogamos lo ponga en conocimiento del emisor y proceda a su eliminación sin copiarlo, imprimirlo o utilizarlo de ningún modo.
>
> CONFIDENTIALITY WARNING.
> This message and the information contained in or attached to it are private and confidential and intended exclusively for the addressee. everis informs to whom it may receive it in error that it contains privileged information and its use, copy, reproduction or distribution is prohibited. If you are not an intended recipient of this E-mail, please notify the sender, delete it and do not read, act upon, print, disclose, copy, retain or redistribute any portion of this E-mail.
>
> ------------------------------------------------------------------------------
> _______________________________________________
> Opensc-devel mailing list
> Ope...@li...
> https://lists.sourceforge.net/lists/listinfo/opensc-devel
>

Re: [Opensc-devel] Preventing malformed ODFs causing segfaults.

[Douglas E E. <dee...@gm...>]

On 6/2/2015 10:32 AM, Dirk-Willem van Gulik wrote:
> We seem to be a bit trusting of the cruft which can be on a card; found I needed below to stop naughty cards
> from causing segfaults (and hence locking subsequent users out of their desktops (a bit of fragility outside OpenSC)).
>
> Just wondering - is this sort of thing common (and should I scan most of the code for this) — or have i found a rare case ?

It depends. The part of OpenSC that tries to determine the type of card, would be more likely to run into "naughty cards"
or cards that don't follow all the standards or cards that have not been initialized as expected.

Cards that may have worked with older versions of OpenSC, may not work with newer versions, as newer code
may not have been tested against the older cards For example There are cards that emulate PKCS#15 and newer code
added to OpenSC for example the sc_enum_apps() may not be emulated correctly. For example the ODF in older code
does not need to be emulated. Not clear if it does now.

Older versions of cards that may have worked before. But newer versions of the card or the files on new cards
are not the same as before because the card issuer changed something.

Can you say what cards caused these problems?

>
> Dw.
>
> https://github.com/OpenSC/OpenSC/commit/1061b5ded0edbc6a1f2cb4fd599b7c950ffe18ff
>
> src/libopensc/dir.c
> @@ -149,6 +149,10 @@ int sc_enum_apps(sc_card_t *card)
>   	r = sc_select_file(card, &path, &card->ef_dir);
>   	LOG_TEST_RET(ctx, r, "Cannot select EF.DIR file");
>
> +	if (card->ef_dir == NULL) {
> +		LOG_TEST_RET(ctx, SC_ERROR_INVALID_CARD, "EF(DIR) nonexistant.");
> +	}
> +
>   	if (card->ef_dir->type != SC_FILE_TYPE_WORKING_EF) {
>   		sc_file_free(card->ef_dir);
>   		card->ef_dir = NULL;
>
> src/libopensc/pkcs15.c
> @@ -1044,6 +1044,10 @@ sc_pkcs15_bind_internal(struct sc_pkcs15_card *p15card, struct sc_aid *aid)
>   			sc_log(ctx, "Cannot make absolute path to EF(ODF); error:%i", err);
>   			goto end;
>   		}
> +		if (p15card->file_odf == NULL) {
> +			sc_log(ctx, "After making absolute path to EF(ODF) still no odf.");
> +			goto end;
> +		}
>   		sc_log(ctx, "absolute path to EF(ODF) %s", sc_print_path(&tmppath));
>   		err = sc_select_file(card, &tmppath, &p15card->file_odf);
>   	}
> @@ -1059,6 +1063,8 @@ sc_pkcs15_bind_internal(struct sc_pkcs15_card *p15card, struct sc_aid *aid)
>   		goto end;
>   	}
>
> +	assert(p15card->file_odf);
> +
>   	len = p15card->file_odf->size;
>   	if (!len) {
>   		sc_log(ctx, "EF(ODF) is empty”);
>
>
>
> ------------------------------------------------------------------------------
> _______________________________________________
> Opensc-devel mailing list
> Ope...@li...
> https://lists.sourceforge.net/lists/listinfo/opensc-devel
>

-- 

  Douglas E. Engert  <DEE...@gm...>

[Opensc-devel] Preventing malformed ODFs causing segfaults.

[Dirk-Willem v. G. <di...@we...>]

We seem to be a bit trusting of the cruft which can be on a card; found I needed below to stop naughty cards
from causing segfaults (and hence locking subsequent users out of their desktops (a bit of fragility outside OpenSC)).

Just wondering - is this sort of thing common (and should I scan most of the code for this) — or have i found a rare case ?

Dw.

https://github.com/OpenSC/OpenSC/commit/1061b5ded0edbc6a1f2cb4fd599b7c950ffe18ff

src/libopensc/dir.c
@@ -149,6 +149,10 @@ int sc_enum_apps(sc_card_t *card)
 	r = sc_select_file(card, &path, &card->ef_dir);
 	LOG_TEST_RET(ctx, r, "Cannot select EF.DIR file");
 
+	if (card->ef_dir == NULL) {
+		LOG_TEST_RET(ctx, SC_ERROR_INVALID_CARD, "EF(DIR) nonexistant.");
+	}
+
 	if (card->ef_dir->type != SC_FILE_TYPE_WORKING_EF) {
 		sc_file_free(card->ef_dir);
 		card->ef_dir = NULL;

src/libopensc/pkcs15.c
@@ -1044,6 +1044,10 @@ sc_pkcs15_bind_internal(struct sc_pkcs15_card *p15card, struct sc_aid *aid)
 			sc_log(ctx, "Cannot make absolute path to EF(ODF); error:%i", err);
 			goto end;
 		}
+		if (p15card->file_odf == NULL) {
+			sc_log(ctx, "After making absolute path to EF(ODF) still no odf.");
+			goto end;
+		}
 		sc_log(ctx, "absolute path to EF(ODF) %s", sc_print_path(&tmppath));
 		err = sc_select_file(card, &tmppath, &p15card->file_odf);
 	}
@@ -1059,6 +1063,8 @@ sc_pkcs15_bind_internal(struct sc_pkcs15_card *p15card, struct sc_aid *aid)
 		goto end;
 	}
 
+	assert(p15card->file_odf);
+
 	len = p15card->file_odf->size;
 	if (!len) {
 		sc_log(ctx, "EF(ODF) is empty”);

Re: [Opensc-devel] Oberthur Cosmo v7.0-n card support

[Fabian L. C. <FAB...@EV...>]

On 5/26/2015 7:01 AM, Fabian Leiros Carrera wrote:
> Hello everyone,
>
> I'm trying to make OpenSC work with different models of Oberthur smartcards:
>
> - Cosmo64 RSA v5.2 (applet: 2.17)
> - Cosmo v7.0-n (applet: 2.17)

Thank you for your answer Douglas

> How did you get them?
I got them from a client who is currently using Oberthur's AWP and who is considering the possibility of changing to OpenSC.

> Are the blank?
No they are not, both cards are initialized.

>Did you get a manual with transport keys, etc.
No, I didn't

>Do they an applet on the card?
 I am quite new to this technologies and I am not really sure, but I suppose they do because Oberthur's software (Authentic Web Pack) shows an "Applet: 2.17" line in the card's information tab.

>Card issuers like governments, usually have the manufacturer provide the cards with an applet installed. You could write an applet, like muscle to the card, but you need the manual with the keys.
Could you elaborate on this please? What will this applet do? How will it allow OpenSC to recognise the v7.0-n cards?

>Google for: Oberthur Cosmo v7.0-n muscle or Oberthur Cosmo v7.0-n
>
> Up until now I only have been able to make the first card model work with OpenSC 0.14.0.
>
> After reading this https://github.com/OpenSC/OpenSC/wiki/Oberthur-AuthentIC-applet-v2.2 I assumed that Cosmo v7.0-n model is not supported, but I am not quite sure.
>
> Could anyone confirm if Cosmo v7.0-n model is supported by OpenSC please?
>
> If no, what would need to be done in order to support it?
>
> If it is supported, I am detailing at the end of the email how I am installing and setting up OpenSC. What am I doing wrong?
>
> Thank you so much for your help.
> Best regards
> Fabián
>
> ----------------------------------------------------------------------
> --------------------------------------------
>
> - Install both x86 and x64 versions of OpenSC on a Windows 7 x64
> computer
> - Add a new entry at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Calais\SmartCards\" for Cosmo64 RSA v5.2 including its ATR:
>
>          [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Calais\SmartCards\AuthenticV5]
>          "80000001"="opensc-minidriver.dll"
>          "Crypto Provider"="Microsoft Base Smart Card Crypto Provider"
>          "ATR"=hex:3b,7d,18,00,00,00,31,80,71,8e,64,77,e3,01,00,82,90,00
>          "ATRMask"=hex:ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff
>          "Smart Card Key Storage Provider"="Microsoft Smart Card Key Storage Provider"
>
> - Add the same entry at "HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Calais\SmartCards\"
> - Restart "Certificate Propagation" service.
>
> - Plug-in the Cosmo64 RSA v5.2:
>          - the certificate will be imported correctly to Windows certificate store.
>          - "opensc-tool.exe -n" will return the name of the card correctly
>                  C:\Program Files\OpenSC Project\OpenSC\tools>opensc-tool.exe -n
>                  Using reader with a card: SCM Microsystems Inc. SCR3310 v2.0 USB SC Reader 0
>                  AuthentIC v5
>
>          -  "opensc-tool.exe -a" returns the card's ATR
>                  C:\Program Files\OpenSC Project\OpenSC\tools>opensc-tool.exe -a
>                  Using reader with a card: SCM Microsystems Inc. SCR3310 v2.0 USB SC Reader 0
>                  3b:7d:18:00:00:00:31:80:71:8e:64:77:e3:01:00:82:90:00
>
>          - "pkcs15-tool.exe -c" will output information about my
> certificate
>
> - So far, so good, so now I add two new Registry entries, on both x86 and x64 hives, for the Cosmo v7.0-n card:
>
>          [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Calais\SmartCards\AuthentIC v7]
>          "80000001"="opensc-minidriver.dll"
>          "Crypto Provider"="Microsoft Base Smart Card Crypto Provider"
>          "ATR"=hex:3b,5b,96,00,00,31,c0,64,ba,fc,10,00,0f,90,00
>          ATRMask"=hex:ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff
>          "Smart Card Key Storage Provider"="Microsoft Smart Card Key Storage Provider"
>
> - Now I plug in the Cosmo v7.0-n card and:
>          - the certificate is not imported to Windows certificate store.
>          -"opensc-tool -n" returns " Unsupported card"
>                  C:\Program Files\OpenSC Project\OpenSC\tools>opensc-tool.exe -n
>                  Using reader with a card: SCM Microsystems Inc. SCR3310 v2.0 USB SC Reader 0
>                  Unsupported card
>
>          - "opensc-tool.exe -a" returns the card's ATR
>                  C:\Program Files\OpenSC Project\OpenSC\tools>opensc-tool.exe -a
>                  Using reader with a card: SCM Microsystems Inc. SCR3310 v2.0 USB SC Reader 0
>                  3b:5b:96:00:00:31:c0:64:ba:fc:10:00:0f:90:00
>
>          - "pkcs15-tool.exe -c" also returns an error:
>                  C:\Program Files\OpenSC Project\OpenSC\tools>pkcs15-tool.exe -c
>                  Using reader with a card: SCM Microsystems Inc. SCR3310 v2.0 USB SC Reader 0
>                  Failed to connect to card: Card is invalid or cannot
> be handled
>
> - "opensc-tool.exe --list-drivers " shows two Oberthur drivers:
>          oberthur         Oberthur AuthentIC.v2/CosmopolIC.v4
>          authentic        Oberthur AuthentIC v3.1
>
> - I add a new "atr" entry on "opensc.conf" at "Program Files" and "Program Files (x86)" folders:
>
>          # Oberthur's AuthentIC v7
>          card_atr 3B:5B:96:00:00:31:C0:64:BA:FC:10:00:0F:90:00 {
>                                  type = 11100;
>                                  driver = "authentic";
>                                  name = "AuthentIC v7";
>                  }
>
> - Plug in the Cosmo v7.0-n card and:
>          -"opensc-tool -n" changes its output:
>                  C:\Program Files\OpenSC Project\OpenSC\tools>opensc-tool.exe -n
>                  Using reader with a card: SCM Microsystems Inc. SCR3310 v2.0 USB SC Reader 0
>                  Failed to connect to card: File not found
>
>          - Same thing with "opensc-tool.exe -a":
>                  C:\Program Files\OpenSC Project\OpenSC\tools>opensc-tool.exe -a
>                  Using reader with a card: SCM Microsystems Inc. SCR3310 v2.0 USB SC Reader 0
>                  Failed to connect to card: File not found
>
>          - And with "pkcs15-tool.exe -c":
>                  C:\Program Files\OpenSC Project\OpenSC\tools>pkcs15-tool.exe -c
>                  Using reader with a card: SCM Microsystems Inc. SCR3310 v2.0 USB SC Reader 0
>                  Failed to connect to card: File not found
>
> - Now I change the "atr" entries on "opensc.conf" files to:
>
>          # Oberthur's AuthentIC v7
>          card_atr 3B:5B:96:00:00:31:C0:64:BA:FC:10:00:0F:90:00 {
>                                  type = 11100;
>                                  driver = "oberthur";
>                                  name = "AuthentIC v7";
>                  }
>
> - And I get this outputs with Cosmo v7.0-n card plugged in:
>          -"opensc-tool -n":
>                  C:\Program Files\OpenSC Project\OpenSC\tools>opensc-tool.exe -n
>                  Using reader with a card: SCM Microsystems Inc. SCR3310 v2.0 USB SC Reader 0
>                  AuthentIC v5
>
>          -"opensc-tool -a":
>                  C:\Program Files\OpenSC Project\OpenSC\tools>opensc-tool.exe -a
>                  Using reader with a card: SCM Microsystems Inc. SCR3310 v2.0 USB SC Reader 0
>                  3b:5b:96:00:00:31:c0:64:ba:fc:10:00:0f:90:00
>
>          - "pkcs15-tool.exe -c":
>                  C:\Program Files\OpenSC Project\OpenSC\tools>pkcs15-tool.exe -c
>                  Using reader with a card: SCM Microsystems Inc. SCR3310 v2.0 USB SC Reader 0
>                  PKCS#15 binding failed: Unsupported card





> ----------------------------------------------------------------------
> -------- One dashboard for servers and applications across
> Physical-Virtual-Cloud Widest out-of-the-box monitoring support with
> 50+ applications Performance metrics, stats and reports that give you
> Actionable Insights Deep dive visibility with transaction tracing
> using APM Insight.
> http://ad.doubleclick.net/ddm/clk/290420510;117567292;y
> _______________________________________________
> Opensc-devel mailing list
> Ope...@li...
> https://lists.sourceforge.net/lists/listinfo/opensc-devel
>

--

  Douglas E. Engert  <DEE...@gm...>


------------------------------------------------------------------------------
_______________________________________________
Opensc-devel mailing list
Ope...@li...
https://lists.sourceforge.net/lists/listinfo/opensc-devel

________________________________

AVISO DE CONFIDENCIALIDAD.
Este correo y la información contenida o adjunta al mismo es privada y confidencial y va dirigida exclusivamente a su destinatario. everis informa a quien pueda haber recibido este correo por error que contiene información confidencial cuyo uso, copia, reproducción o distribución está expresamente prohibida. Si no es Vd. el destinatario del mismo y recibe este correo por error, le rogamos lo ponga en conocimiento del emisor y proceda a su eliminación sin copiarlo, imprimirlo o utilizarlo de ningún modo.

CONFIDENTIALITY WARNING.
This message and the information contained in or attached to it are private and confidential and intended exclusively for the addressee. everis informs to whom it may receive it in error that it contains privileged information and its use, copy, reproduction or distribution is prohibited. If you are not an intended recipient of this E-mail, please notify the sender, delete it and do not read, act upon, print, disclose, copy, retain or redistribute any portion of this E-mail.

Re: [Opensc-devel] Google's secure micro-SD

[NdK <ndk...@gm...>]

Il 30/05/2015 08:34, Martin Paljak ha scritto:

>> http://www.cnet.com/news/googles-project-vault-is-a-security-chip-disguised-as-an-micro-sd-card/
What does it offer over SmartCard-HSM MicroSD or similar devices?

>> This is a pretty strange thing since both ARM and Intel offer built-in security solutions in the CPU itself.
Maybe they think it's not that secure, after all...

> And none of my Google Nexus branded devices takes a microSD....
The micro-SD slot is one of the filters I use to select my phones. No sd
= no phone. :)

BYtE,
 Diego.

Re: [Opensc-devel] Google's secure micro-SD

[Martin P. <ma...@ma...>]

On 29/05/15 22:25, Anders Rundgren wrote:
> http://www.cnet.com/news/googles-project-vault-is-a-security-chip-disguised-as-an-micro-sd-card/
> 
> This is a pretty strange thing since both ARM and Intel offer built-in security solutions in the CPU itself.

And none of my Google Nexus branded devices takes a microSD....

m.

[Opensc-devel] Google's secure micro-SD

[Anders R. <and...@gm...>]

http://www.cnet.com/news/googles-project-vault-is-a-security-chip-disguised-as-an-micro-sd-card/

This is a pretty strange thing since both ARM and Intel offer built-in security solutions in the CPU itself.

Anders

Re: [Opensc-devel] fips compliant openssl

[Orc E. <13...@gm...>]

Thank you very much Douglas,

It was about the loading different ssl shared object. It was loading ssl
shared object in the ""/usr/lib/i386-linux-gnu/..."

On Wed, May 27, 2015 at 1:16 AM, Douglas E Engert <dee...@gm...>
wrote:

>
> On 5/26/2015 5:03 PM, Orc Erc wrote:
> > Hi All,
> >
> > I am trying to compile openssl fips compliant.
> >
> > I have compiled openssl-fips-2.0.1 with;
> > ./config
> > make
> > make install
> >
> > The fipscanister.o, fipscanister.o.sha1, fips_premain.c,
> fips_premain.c.sha1 files are created in the folder
> /usr/local/ssl/fips-2.0/lib.
> >
> > After that i compiled openssl-1.0.1c with;
> >
> > ./config fips shared
> > make depend
> > make
> > make install
> >
> > The libcrypto.so.1.0.0, libcrypto.so, libssl.so.1.0.0, libssl.so files
> are copied to /usr/local/ssl/lib folder.
>
> May be the problem.
>
> Run ldd on the application and libs to see what they want to load.
> You may be picking up the system versions and not the fips versions.
>
> Have you tried adding LD_LIBRARY_PATH=...
>
> >
> > I have referenced that crypto library and make my program with:
> >
> > g++ -L/usr/local/ssl/lib -o "OKC"  ./src/libp11/libpkcs11.o
> ./src/libp11/p11_attr.o ./src/libp11/p11_cert.o .. .. .. . . .   -lssl
> -lcrypto -lpcsclite -ldl
> >
> > When i call "FIPS_mode_set(1);" function, i am getting that error:
> >
> > error:0F06D065:common libcrypto routines:FIPS_mode_set:fips mode not
> supported
> >
> > But when i checked the version of openssl it gives:
> >
> > ./openssl version
> > OpenSSL 1.0.1c-fips 10 May 2012
>
> Run ldd on the openssl to see what it is loading.
>
> >
> >
> > Also when i checked the fips compliant libraries it gives that list:
> >
> > ./openssl ciphers FIPS -v
> >
> > ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(256)
> Mac=AEAD
> > ECDHE-ECDSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=ECDSA
> Enc=AESGCM(256) Mac=AEAD
> > ECDHE-RSA-AES256-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AES(256)
> Mac=SHA384
> > ECDHE-ECDSA-AES256-SHA384 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AES(256)
> Mac=SHA384
> > ECDHE-RSA-AES256-SHA    SSLv3 Kx=ECDH     Au=RSA  Enc=AES(256)  Mac=SHA1
> > ECDHE-ECDSA-AES256-SHA  SSLv3 Kx=ECDH     Au=ECDSA Enc=AES(256)  Mac=SHA1
> > DHE-DSS-AES256-GCM-SHA384 TLSv1.2 Kx=DH       Au=DSS  Enc=AESGCM(256)
> Mac=AEAD
> > DHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=DH       Au=RSA  Enc=AESGCM(256)
> Mac=AEAD
> > DHE-RSA-AES256-SHA256   TLSv1.2 Kx=DH       Au=RSA  Enc=AES(256)
> Mac=SHA256
> > DHE-DSS-AES256-SHA256   TLSv1.2 Kx=DH       Au=DSS  Enc=AES(256)
> Mac=SHA256
> > DHE-RSA-AES256-SHA      SSLv3 Kx=DH       Au=RSA  Enc=AES(256)  Mac=SHA1
> > DHE-DSS-AES256-SHA      SSLv3 Kx=DH       Au=DSS  Enc=AES(256)  Mac=SHA1
> > AECDH-AES256-SHA        SSLv3 Kx=ECDH     Au=None Enc=AES(256)  Mac=SHA1
> > ADH-AES256-GCM-SHA384   TLSv1.2 Kx=DH       Au=None Enc=AESGCM(256)
> Mac=AEAD
> > ADH-AES256-SHA256       TLSv1.2 Kx=DH       Au=None Enc=AES(256)
> Mac=SHA256
> > ADH-AES256-SHA          SSLv3 Kx=DH       Au=None Enc=AES(256)  Mac=SHA1
> > ECDH-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH/ECDSA Au=ECDH Enc=AESGCM(256)
> Mac=AEAD
> > ECDH-ECDSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH/ECDSA Au=ECDH
> Enc=AESGCM(256) Mac=AEAD
> > ECDH-RSA-AES256-SHA384  TLSv1.2 Kx=ECDH/ECDSA Au=ECDH Enc=AES(256)
> Mac=SHA384
> > ECDH-ECDSA-AES256-SHA384 TLSv1.2 Kx=ECDH/ECDSA Au=ECDH Enc=AES(256)
> Mac=SHA384
> > ECDH-RSA-AES256-SHA     SSLv3 Kx=ECDH/RSA Au=ECDH Enc=AES(256)  Mac=SHA1
> > ECDH-ECDSA-AES256-SHA   SSLv3 Kx=ECDH/ECDSA Au=ECDH Enc=AES(256)
> Mac=SHA1
> > AES256-GCM-SHA384       TLSv1.2 Kx=RSA      Au=RSA  Enc=AESGCM(256)
> Mac=AEAD
> > AES256-SHA256           TLSv1.2 Kx=RSA      Au=RSA  Enc=AES(256)
> Mac=SHA256
> > AES256-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(256)  Mac=SHA1
> > ECDHE-RSA-DES-CBC3-SHA  SSLv3 Kx=ECDH     Au=RSA  Enc=3DES(168) Mac=SHA1
> > ECDHE-ECDSA-DES-CBC3-SHA SSLv3 Kx=ECDH     Au=ECDSA Enc=3DES(168)
> Mac=SHA1
> > EDH-RSA-DES-CBC3-SHA    SSLv3 Kx=DH       Au=RSA  Enc=3DES(168) Mac=SHA1
> > EDH-DSS-DES-CBC3-SHA    SSLv3 Kx=DH       Au=DSS  Enc=3DES(168) Mac=SHA1
> > AECDH-DES-CBC3-SHA      SSLv3 Kx=ECDH     Au=None Enc=3DES(168) Mac=SHA1
> > ADH-DES-CBC3-SHA        SSLv3 Kx=DH       Au=None Enc=3DES(168) Mac=SHA1
> > ECDH-RSA-DES-CBC3-SHA   SSLv3 Kx=ECDH/RSA Au=ECDH Enc=3DES(168) Mac=SHA1
> > ECDH-ECDSA-DES-CBC3-SHA SSLv3 Kx=ECDH/ECDSA Au=ECDH Enc=3DES(168)
> Mac=SHA1
> > DES-CBC3-SHA            SSLv3 Kx=RSA      Au=RSA  Enc=3DES(168) Mac=SHA1
> > ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(128)
> Mac=AEAD
> > ECDHE-ECDSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH     Au=ECDSA
> Enc=AESGCM(128) Mac=AEAD
> > ECDHE-RSA-AES128-SHA256 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AES(128)
> Mac=SHA256
> > ECDHE-ECDSA-AES128-SHA256 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AES(128)
> Mac=SHA256
> > ECDHE-RSA-AES128-SHA    SSLv3 Kx=ECDH     Au=RSA  Enc=AES(128)  Mac=SHA1
> > ECDHE-ECDSA-AES128-SHA  SSLv3 Kx=ECDH     Au=ECDSA Enc=AES(128)  Mac=SHA1
> > DHE-DSS-AES128-GCM-SHA256 TLSv1.2 Kx=DH       Au=DSS  Enc=AESGCM(128)
> Mac=AEAD
> > DHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=DH       Au=RSA  Enc=AESGCM(128)
> Mac=AEAD
> > DHE-RSA-AES128-SHA256   TLSv1.2 Kx=DH       Au=RSA  Enc=AES(128)
> Mac=SHA256
> > DHE-DSS-AES128-SHA256   TLSv1.2 Kx=DH       Au=DSS  Enc=AES(128)
> Mac=SHA256
> > DHE-RSA-AES128-SHA      SSLv3 Kx=DH       Au=RSA  Enc=AES(128)  Mac=SHA1
> > DHE-DSS-AES128-SHA      SSLv3 Kx=DH       Au=DSS  Enc=AES(128)  Mac=SHA1
> > AECDH-AES128-SHA        SSLv3 Kx=ECDH     Au=None Enc=AES(128)  Mac=SHA1
> > ADH-AES128-GCM-SHA256   TLSv1.2 Kx=DH       Au=None Enc=AESGCM(128)
> Mac=AEAD
> > ADH-AES128-SHA256       TLSv1.2 Kx=DH       Au=None Enc=AES(128)
> Mac=SHA256
> > ADH-AES128-SHA          SSLv3 Kx=DH       Au=None Enc=AES(128)  Mac=SHA1
> > ECDH-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH/ECDSA Au=ECDH Enc=AESGCM(128)
> Mac=AEAD
> > ECDH-ECDSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH/ECDSA Au=ECDH
> Enc=AESGCM(128) Mac=AEAD
> > ECDH-RSA-AES128-SHA256  TLSv1.2 Kx=ECDH/ECDSA Au=ECDH Enc=AES(128)
> Mac=SHA256
> > ECDH-ECDSA-AES128-SHA256 TLSv1.2 Kx=ECDH/ECDSA Au=ECDH Enc=AES(128)
> Mac=SHA256
> > ECDH-RSA-AES128-SHA     SSLv3 Kx=ECDH/RSA Au=ECDH Enc=AES(128)  Mac=SHA1
> > ECDH-ECDSA-AES128-SHA   SSLv3 Kx=ECDH/ECDSA Au=ECDH Enc=AES(128)
> Mac=SHA1
> > AES128-GCM-SHA256       TLSv1.2 Kx=RSA      Au=RSA  Enc=AESGCM(128)
> Mac=AEAD
> > AES128-SHA256           TLSv1.2 Kx=RSA      Au=RSA  Enc=AES(128)
> Mac=SHA256
> > AES128-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(128)  Mac=SHA1
> >
> >
> >   I have tried with different version openssl and fips; but i could not
> succedded. Is there anythink that i can try?
> >
> >
> >
> >
> ------------------------------------------------------------------------------
> >
> >
> >
> > _______________________________________________
> > Opensc-devel mailing list
> > Ope...@li...
> > https://lists.sourceforge.net/lists/listinfo/opensc-devel
> >
>
> --
>
>   Douglas E. Engert  <DEE...@gm...>
>
>
>
> ------------------------------------------------------------------------------
> _______________________________________________
> Opensc-devel mailing list
> Ope...@li...
> https://lists.sourceforge.net/lists/listinfo/opensc-devel
>

[Opensc-devel] Fwd: [Bug 2240] Secure PIN entry for smartcards through the keypad on the reader (patch)

[Dirk-Willem v. G. <di...@we...>]

For those caring about PIN pad readers and OpenSSH; one less patch to apply once ssh 6.9 makes it into the various distributions.

Dw.	

> Begin forwarded message:
> 
> From: bug...@mi...
> Subject: [Bug 2240] Secure PIN entry for smartcards through the keypad on the reader (patch)
> Date: 27 May 2015 07:44:08 CEST
> To: di...@we...
> 
> https://bugzilla.mindrot.org/show_bug.cgi?id=2240
> 
> Damien Miller <dj...@mi...> changed:
> 
>           What    |Removed                     |Added
> ----------------------------------------------------------------------------
>         Resolution|---                         |FIXED
>             Status|NEW                         |RESOLVED
> 
> --- Comment #5 from Damien Miller <dj...@mi...> ---
> This has been committed and will be in openssh-6.9. The final patch is:
> 
> https://anongit.mindrot.org/openssh.git/patch/?id=a71ba58adf34e599f30cdda6e9b93ae6e3937eea
> 
> -- 
> You are receiving this mail because:
> You reported the bug.
> 

From a71ba58adf34e599f30cdda6e9b93ae6e3937eea Mon Sep 17 00:00:00 2001
From: "dj...@op..." <dj...@op...>
Date: Wed, 27 May 2015 05:15:02 +0000
Subject: upstream commit

support PKCS#11 devices with external PIN entry devices
 bz#2240, based on patch from Dirk-Willem van Gulik; feedback and ok dtucker@

Upstream-ID: 504568992b55a8fc984375242b1bd505ced61b0d
---
 ssh-pkcs11.c | 32 ++++++++++++++++++++------------
 1 file changed, 20 insertions(+), 12 deletions(-)

diff --git a/ssh-pkcs11.c b/ssh-pkcs11.c
index f4971ad..e074175 100644
--- a/ssh-pkcs11.c
+++ b/ssh-pkcs11.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssh-pkcs11.c,v 1.18 2015/04/24 01:36:01 deraadt Exp $ */
+/* $OpenBSD: ssh-pkcs11.c,v 1.19 2015/05/27 05:15:02 djm Exp $ */
 /*
  * Copyright (c) 2010 Markus Friedl.  All rights reserved.
  *
@@ -237,7 +237,7 @@ pkcs11_rsa_private_encrypt(int flen, const u_char *from, u_char *to, RSA *rsa,
 		{CKA_ID, NULL, 0},
 		{CKA_SIGN, NULL, sizeof(true_val) }
 	};
-	char			*pin, prompt[1024];
+	char			*pin = NULL, prompt[1024];
 	int			rval = -1;
 
 	key_filter[0].pValue = &private_key_class;
@@ -255,22 +255,30 @@ pkcs11_rsa_private_encrypt(int flen, const u_char *from, u_char *to, RSA *rsa,
 	si = &k11->provider->slotinfo[k11->slotidx];
 	if ((si->token.flags & CKF_LOGIN_REQUIRED) && !si->logged_in) {
 		if (!pkcs11_interactive) {
-			error("need pin");
+			error("need pin entry%s", (si->token.flags &
+			    CKF_PROTECTED_AUTHENTICATION_PATH) ?
+			    " on reader keypad" : "");
 			return (-1);
 		}
-		snprintf(prompt, sizeof(prompt), "Enter PIN for '%s': ",
-		    si->token.label);
-		pin = read_passphrase(prompt, RP_ALLOW_EOF);
-		if (pin == NULL)
-			return (-1);	/* bail out */
-		rv = f->C_Login(si->session, CKU_USER,
-		    (u_char *)pin, strlen(pin));
-		if (rv != CKR_OK && rv != CKR_USER_ALREADY_LOGGED_IN) {
+		if (si->token.flags & CKF_PROTECTED_AUTHENTICATION_PATH)
+			verbose("Deferring PIN entry to reader keypad.");
+		else {
+			snprintf(prompt, sizeof(prompt),
+			    "Enter PIN for '%s': ", si->token.label);
+			pin = read_passphrase(prompt, RP_ALLOW_EOF);
+			if (pin == NULL)
+				return (-1);	/* bail out */
+		}
+		rv = f->C_Login(si->session, CKU_USER, (u_char *)pin,
+		    (pin != NULL) ? strlen(pin) : 0);
+		if (pin != NULL) {
+			explicit_bzero(pin, strlen(pin));
 			free(pin);
+		}
+		if (rv != CKR_OK && rv != CKR_USER_ALREADY_LOGGED_IN) {
 			error("C_Login failed: %lu", rv);
 			return (-1);
 		}
-		free(pin);
 		si->logged_in = 1;
 	}
 	key_filter[1].pValue = k11->keyid;
-- 
cgit v0.11.2

Re: [Opensc-devel] Oberthur Cosmo v7.0-n card support

[Douglas E E. <dee...@gm...>]

On 5/26/2015 7:01 AM, Fabian Leiros Carrera wrote:
> Hello everyone,
>
> I'm trying to make OpenSC work with different models of Oberthur smartcards:
>
> - Cosmo64 RSA v5.2 (applet: 2.17)
> - Cosmo v7.0-n (applet: 2.17)

How did you get them?
Are the blank?
Did you get a manual with transport keys, etc.

Do they an applet on the card?

Card issuers like governments, usually have the manufacturer provide the cards with
an applet installed. You could write an applet, like muscle to the card,
but you need the manual with the keys.

Google for: Oberthur Cosmo v7.0-n muscle
or Oberthur Cosmo v7.0-n

>
> Up until now I only have been able to make the first card model work with OpenSC 0.14.0.
>
> After reading this https://github.com/OpenSC/OpenSC/wiki/Oberthur-AuthentIC-applet-v2.2 I assumed that Cosmo v7.0-n model is not supported, but I am not quite sure.
>
> Could anyone confirm if Cosmo v7.0-n model is supported by OpenSC please?
>
> If no, what would need to be done in order to support it?
>
> If it is supported, I am detailing at the end of the email how I am installing and setting up OpenSC. What am I doing wrong?
>
> Thank you so much for your help.
> Best regards
> Fabián
>
> ------------------------------------------------------------------------------------------------------------------
>
> - Install both x86 and x64 versions of OpenSC on a Windows 7 x64 computer
> - Add a new entry at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Calais\SmartCards\" for Cosmo64 RSA v5.2 including its ATR:
>
>          [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Calais\SmartCards\AuthenticV5]
>          "80000001"="opensc-minidriver.dll"
>          "Crypto Provider"="Microsoft Base Smart Card Crypto Provider"
>          "ATR"=hex:3b,7d,18,00,00,00,31,80,71,8e,64,77,e3,01,00,82,90,00
>          "ATRMask"=hex:ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff
>          "Smart Card Key Storage Provider"="Microsoft Smart Card Key Storage Provider"
>
> - Add the same entry at "HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Calais\SmartCards\"
> - Restart "Certificate Propagation" service.
>
> - Plug-in the Cosmo64 RSA v5.2:
>          - the certificate will be imported correctly to Windows certificate store.
>          - "opensc-tool.exe -n" will return the name of the card correctly
>                  C:\Program Files\OpenSC Project\OpenSC\tools>opensc-tool.exe -n
>                  Using reader with a card: SCM Microsystems Inc. SCR3310 v2.0 USB SC Reader 0
>                  AuthentIC v5
>
>          -  "opensc-tool.exe -a" returns the card's ATR
>                  C:\Program Files\OpenSC Project\OpenSC\tools>opensc-tool.exe -a
>                  Using reader with a card: SCM Microsystems Inc. SCR3310 v2.0 USB SC Reader 0
>                  3b:7d:18:00:00:00:31:80:71:8e:64:77:e3:01:00:82:90:00
>
>          - "pkcs15-tool.exe -c" will output information about my certificate
>
> - So far, so good, so now I add two new Registry entries, on both x86 and x64 hives, for the Cosmo v7.0-n card:
>
>          [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Calais\SmartCards\AuthentIC v7]
>          "80000001"="opensc-minidriver.dll"
>          "Crypto Provider"="Microsoft Base Smart Card Crypto Provider"
>          "ATR"=hex:3b,5b,96,00,00,31,c0,64,ba,fc,10,00,0f,90,00
>          ATRMask"=hex:ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff
>          "Smart Card Key Storage Provider"="Microsoft Smart Card Key Storage Provider"
>
> - Now I plug in the Cosmo v7.0-n card and:
>          - the certificate is not imported to Windows certificate store.
>          -"opensc-tool -n" returns " Unsupported card"
>                  C:\Program Files\OpenSC Project\OpenSC\tools>opensc-tool.exe -n
>                  Using reader with a card: SCM Microsystems Inc. SCR3310 v2.0 USB SC Reader 0
>                  Unsupported card
>
>          - "opensc-tool.exe -a" returns the card's ATR
>                  C:\Program Files\OpenSC Project\OpenSC\tools>opensc-tool.exe -a
>                  Using reader with a card: SCM Microsystems Inc. SCR3310 v2.0 USB SC Reader 0
>                  3b:5b:96:00:00:31:c0:64:ba:fc:10:00:0f:90:00
>
>          - "pkcs15-tool.exe -c" also returns an error:
>                  C:\Program Files\OpenSC Project\OpenSC\tools>pkcs15-tool.exe -c
>                  Using reader with a card: SCM Microsystems Inc. SCR3310 v2.0 USB SC Reader 0
>                  Failed to connect to card: Card is invalid or cannot be handled
>
> - "opensc-tool.exe --list-drivers " shows two Oberthur drivers:
>          oberthur         Oberthur AuthentIC.v2/CosmopolIC.v4
>          authentic        Oberthur AuthentIC v3.1
>
> - I add a new "atr" entry on "opensc.conf" at "Program Files" and "Program Files (x86)" folders:
>
>          # Oberthur's AuthentIC v7
>          card_atr 3B:5B:96:00:00:31:C0:64:BA:FC:10:00:0F:90:00 {
>                                  type = 11100;
>                                  driver = "authentic";
>                                  name = "AuthentIC v7";
>                  }
>
> - Plug in the Cosmo v7.0-n card and:
>          -"opensc-tool -n" changes its output:
>                  C:\Program Files\OpenSC Project\OpenSC\tools>opensc-tool.exe -n
>                  Using reader with a card: SCM Microsystems Inc. SCR3310 v2.0 USB SC Reader 0
>                  Failed to connect to card: File not found
>
>          - Same thing with "opensc-tool.exe -a":
>                  C:\Program Files\OpenSC Project\OpenSC\tools>opensc-tool.exe -a
>                  Using reader with a card: SCM Microsystems Inc. SCR3310 v2.0 USB SC Reader 0
>                  Failed to connect to card: File not found
>
>          - And with "pkcs15-tool.exe -c":
>                  C:\Program Files\OpenSC Project\OpenSC\tools>pkcs15-tool.exe -c
>                  Using reader with a card: SCM Microsystems Inc. SCR3310 v2.0 USB SC Reader 0
>                  Failed to connect to card: File not found
>
> - Now I change the "atr" entries on "opensc.conf" files to:
>
>          # Oberthur's AuthentIC v7
>          card_atr 3B:5B:96:00:00:31:C0:64:BA:FC:10:00:0F:90:00 {
>                                  type = 11100;
>                                  driver = "oberthur";
>                                  name = "AuthentIC v7";
>                  }
>
> - And I get this outputs with Cosmo v7.0-n card plugged in:
>          -"opensc-tool -n":
>                  C:\Program Files\OpenSC Project\OpenSC\tools>opensc-tool.exe -n
>                  Using reader with a card: SCM Microsystems Inc. SCR3310 v2.0 USB SC Reader 0
>                  AuthentIC v5
>
>          -"opensc-tool -a":
>                  C:\Program Files\OpenSC Project\OpenSC\tools>opensc-tool.exe -a
>                  Using reader with a card: SCM Microsystems Inc. SCR3310 v2.0 USB SC Reader 0
>                  3b:5b:96:00:00:31:c0:64:ba:fc:10:00:0f:90:00
>
>          - "pkcs15-tool.exe -c":
>                  C:\Program Files\OpenSC Project\OpenSC\tools>pkcs15-tool.exe -c
>                  Using reader with a card: SCM Microsystems Inc. SCR3310 v2.0 USB SC Reader 0
>                  PKCS#15 binding failed: Unsupported card
>
> ________________________________
>
> AVISO DE CONFIDENCIALIDAD.
> Este correo y la información contenida o adjunta al mismo es privada y confidencial y va dirigida exclusivamente a su destinatario. everis informa a quien pueda haber recibido este correo por error que contiene información confidencial cuyo uso, copia, reproducción o distribución está expresamente prohibida. Si no es Vd. el destinatario del mismo y recibe este correo por error, le rogamos lo ponga en conocimiento del emisor y proceda a su eliminación sin copiarlo, imprimirlo o utilizarlo de ningún modo.
>
> CONFIDENTIALITY WARNING.
> This message and the information contained in or attached to it are private and confidential and intended exclusively for the addressee. everis informs to whom it may receive it in error that it contains privileged information and its use, copy, reproduction or distribution is prohibited. If you are not an intended recipient of this E-mail, please notify the sender, delete it and do not read, act upon, print, disclose, copy, retain or redistribute any portion of this E-mail.
>
> ------------------------------------------------------------------------------
> One dashboard for servers and applications across Physical-Virtual-Cloud
> Widest out-of-the-box monitoring support with 50+ applications
> Performance metrics, stats and reports that give you Actionable Insights
> Deep dive visibility with transaction tracing using APM Insight.
> http://ad.doubleclick.net/ddm/clk/290420510;117567292;y
> _______________________________________________
> Opensc-devel mailing list
> Ope...@li...
> https://lists.sourceforge.net/lists/listinfo/opensc-devel
>

-- 

  Douglas E. Engert  <DEE...@gm...>

Re: [Opensc-devel] fips compliant openssl

[Douglas E E. <dee...@gm...>]

On 5/26/2015 5:03 PM, Orc Erc wrote:
> Hi All,
>
> I am trying to compile openssl fips compliant.
>
> I have compiled openssl-fips-2.0.1 with;
> ./config
> make
> make install
>
> The fipscanister.o, fipscanister.o.sha1, fips_premain.c, fips_premain.c.sha1 files are created in the folder /usr/local/ssl/fips-2.0/lib.
>
> After that i compiled openssl-1.0.1c with;
>
> ./config fips shared
> make depend
> make
> make install
>
> The libcrypto.so.1.0.0, libcrypto.so, libssl.so.1.0.0, libssl.so files are copied to /usr/local/ssl/lib folder.

May be the problem.

Run ldd on the application and libs to see what they want to load.
You may be picking up the system versions and not the fips versions.

Have you tried adding LD_LIBRARY_PATH=...

>
> I have referenced that crypto library and make my program with:
>
> g++ -L/usr/local/ssl/lib -o "OKC"  ./src/libp11/libpkcs11.o ./src/libp11/p11_attr.o ./src/libp11/p11_cert.o .. .. .. . . .   -lssl -lcrypto -lpcsclite -ldl
>
> When i call "FIPS_mode_set(1);" function, i am getting that error:
>
> error:0F06D065:common libcrypto routines:FIPS_mode_set:fips mode not supported
>
> But when i checked the version of openssl it gives:
>
> ./openssl version
> OpenSSL 1.0.1c-fips 10 May 2012

Run ldd on the openssl to see what it is loading.

>
>
> Also when i checked the fips compliant libraries it gives that list:
>
> ./openssl ciphers FIPS -v
>
> ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(256) Mac=AEAD
> ECDHE-ECDSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AESGCM(256) Mac=AEAD
> ECDHE-RSA-AES256-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AES(256)  Mac=SHA384
> ECDHE-ECDSA-AES256-SHA384 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AES(256)  Mac=SHA384
> ECDHE-RSA-AES256-SHA    SSLv3 Kx=ECDH     Au=RSA  Enc=AES(256)  Mac=SHA1
> ECDHE-ECDSA-AES256-SHA  SSLv3 Kx=ECDH     Au=ECDSA Enc=AES(256)  Mac=SHA1
> DHE-DSS-AES256-GCM-SHA384 TLSv1.2 Kx=DH       Au=DSS  Enc=AESGCM(256) Mac=AEAD
> DHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=DH       Au=RSA  Enc=AESGCM(256) Mac=AEAD
> DHE-RSA-AES256-SHA256   TLSv1.2 Kx=DH       Au=RSA  Enc=AES(256)  Mac=SHA256
> DHE-DSS-AES256-SHA256   TLSv1.2 Kx=DH       Au=DSS  Enc=AES(256)  Mac=SHA256
> DHE-RSA-AES256-SHA      SSLv3 Kx=DH       Au=RSA  Enc=AES(256)  Mac=SHA1
> DHE-DSS-AES256-SHA      SSLv3 Kx=DH       Au=DSS  Enc=AES(256)  Mac=SHA1
> AECDH-AES256-SHA        SSLv3 Kx=ECDH     Au=None Enc=AES(256)  Mac=SHA1
> ADH-AES256-GCM-SHA384   TLSv1.2 Kx=DH       Au=None Enc=AESGCM(256) Mac=AEAD
> ADH-AES256-SHA256       TLSv1.2 Kx=DH       Au=None Enc=AES(256)  Mac=SHA256
> ADH-AES256-SHA          SSLv3 Kx=DH       Au=None Enc=AES(256)  Mac=SHA1
> ECDH-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH/ECDSA Au=ECDH Enc=AESGCM(256) Mac=AEAD
> ECDH-ECDSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH/ECDSA Au=ECDH Enc=AESGCM(256) Mac=AEAD
> ECDH-RSA-AES256-SHA384  TLSv1.2 Kx=ECDH/ECDSA Au=ECDH Enc=AES(256)  Mac=SHA384
> ECDH-ECDSA-AES256-SHA384 TLSv1.2 Kx=ECDH/ECDSA Au=ECDH Enc=AES(256)  Mac=SHA384
> ECDH-RSA-AES256-SHA     SSLv3 Kx=ECDH/RSA Au=ECDH Enc=AES(256)  Mac=SHA1
> ECDH-ECDSA-AES256-SHA   SSLv3 Kx=ECDH/ECDSA Au=ECDH Enc=AES(256)  Mac=SHA1
> AES256-GCM-SHA384       TLSv1.2 Kx=RSA      Au=RSA  Enc=AESGCM(256) Mac=AEAD
> AES256-SHA256           TLSv1.2 Kx=RSA      Au=RSA  Enc=AES(256)  Mac=SHA256
> AES256-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(256)  Mac=SHA1
> ECDHE-RSA-DES-CBC3-SHA  SSLv3 Kx=ECDH     Au=RSA  Enc=3DES(168) Mac=SHA1
> ECDHE-ECDSA-DES-CBC3-SHA SSLv3 Kx=ECDH     Au=ECDSA Enc=3DES(168) Mac=SHA1
> EDH-RSA-DES-CBC3-SHA    SSLv3 Kx=DH       Au=RSA  Enc=3DES(168) Mac=SHA1
> EDH-DSS-DES-CBC3-SHA    SSLv3 Kx=DH       Au=DSS  Enc=3DES(168) Mac=SHA1
> AECDH-DES-CBC3-SHA      SSLv3 Kx=ECDH     Au=None Enc=3DES(168) Mac=SHA1
> ADH-DES-CBC3-SHA        SSLv3 Kx=DH       Au=None Enc=3DES(168) Mac=SHA1
> ECDH-RSA-DES-CBC3-SHA   SSLv3 Kx=ECDH/RSA Au=ECDH Enc=3DES(168) Mac=SHA1
> ECDH-ECDSA-DES-CBC3-SHA SSLv3 Kx=ECDH/ECDSA Au=ECDH Enc=3DES(168) Mac=SHA1
> DES-CBC3-SHA            SSLv3 Kx=RSA      Au=RSA  Enc=3DES(168) Mac=SHA1
> ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(128) Mac=AEAD
> ECDHE-ECDSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AESGCM(128) Mac=AEAD
> ECDHE-RSA-AES128-SHA256 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AES(128)  Mac=SHA256
> ECDHE-ECDSA-AES128-SHA256 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AES(128)  Mac=SHA256
> ECDHE-RSA-AES128-SHA    SSLv3 Kx=ECDH     Au=RSA  Enc=AES(128)  Mac=SHA1
> ECDHE-ECDSA-AES128-SHA  SSLv3 Kx=ECDH     Au=ECDSA Enc=AES(128)  Mac=SHA1
> DHE-DSS-AES128-GCM-SHA256 TLSv1.2 Kx=DH       Au=DSS  Enc=AESGCM(128) Mac=AEAD
> DHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=DH       Au=RSA  Enc=AESGCM(128) Mac=AEAD
> DHE-RSA-AES128-SHA256   TLSv1.2 Kx=DH       Au=RSA  Enc=AES(128)  Mac=SHA256
> DHE-DSS-AES128-SHA256   TLSv1.2 Kx=DH       Au=DSS  Enc=AES(128)  Mac=SHA256
> DHE-RSA-AES128-SHA      SSLv3 Kx=DH       Au=RSA  Enc=AES(128)  Mac=SHA1
> DHE-DSS-AES128-SHA      SSLv3 Kx=DH       Au=DSS  Enc=AES(128)  Mac=SHA1
> AECDH-AES128-SHA        SSLv3 Kx=ECDH     Au=None Enc=AES(128)  Mac=SHA1
> ADH-AES128-GCM-SHA256   TLSv1.2 Kx=DH       Au=None Enc=AESGCM(128) Mac=AEAD
> ADH-AES128-SHA256       TLSv1.2 Kx=DH       Au=None Enc=AES(128)  Mac=SHA256
> ADH-AES128-SHA          SSLv3 Kx=DH       Au=None Enc=AES(128)  Mac=SHA1
> ECDH-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH/ECDSA Au=ECDH Enc=AESGCM(128) Mac=AEAD
> ECDH-ECDSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH/ECDSA Au=ECDH Enc=AESGCM(128) Mac=AEAD
> ECDH-RSA-AES128-SHA256  TLSv1.2 Kx=ECDH/ECDSA Au=ECDH Enc=AES(128)  Mac=SHA256
> ECDH-ECDSA-AES128-SHA256 TLSv1.2 Kx=ECDH/ECDSA Au=ECDH Enc=AES(128)  Mac=SHA256
> ECDH-RSA-AES128-SHA     SSLv3 Kx=ECDH/RSA Au=ECDH Enc=AES(128)  Mac=SHA1
> ECDH-ECDSA-AES128-SHA   SSLv3 Kx=ECDH/ECDSA Au=ECDH Enc=AES(128)  Mac=SHA1
> AES128-GCM-SHA256       TLSv1.2 Kx=RSA      Au=RSA  Enc=AESGCM(128) Mac=AEAD
> AES128-SHA256           TLSv1.2 Kx=RSA      Au=RSA  Enc=AES(128)  Mac=SHA256
> AES128-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(128)  Mac=SHA1
>
>
>   I have tried with different version openssl and fips; but i could not succedded. Is there anythink that i can try?
>
>
>
> ------------------------------------------------------------------------------
>
>
>
> _______________________________________________
> Opensc-devel mailing list
> Ope...@li...
> https://lists.sourceforge.net/lists/listinfo/opensc-devel
>

-- 

  Douglas E. Engert  <DEE...@gm...>

[Opensc-devel] fips compliant openssl

[Orc E. <13...@gm...>]

Hi All,

I am trying to compile openssl fips compliant.

I have compiled openssl-fips-2.0.1 with;
./config
make
make install

The fipscanister.o, fipscanister.o.sha1, fips_premain.c, fips_premain.c.sha1
files are created in the folder /usr/local/ssl/fips-2.0/lib.

After that i compiled openssl-1.0.1c with;

./config fips shared
make depend
make
make install

The libcrypto.so.1.0.0, libcrypto.so, libssl.so.1.0.0, libssl.so files are
copied to /usr/local/ssl/lib folder.

I have referenced that crypto library and make my program with:

g++ -L/usr/local/ssl/lib -o "OKC"  ./src/libp11/libpkcs11.o
./src/libp11/p11_attr.o ./src/libp11/p11_cert.o .. .. .. . . .   -lssl
-lcrypto -lpcsclite -ldl

When i call "FIPS_mode_set(1);" function, i am getting that error:

error:0F06D065:common libcrypto routines:FIPS_mode_set:fips mode not
supported

But when i checked the version of openssl it gives:

./openssl version
OpenSSL 1.0.1c-fips 10 May 2012


Also when i checked the fips compliant libraries it gives that list:

./openssl ciphers FIPS -v

ECDHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(256)
Mac=AEAD
ECDHE-ECDSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AESGCM(256)
Mac=AEAD
ECDHE-RSA-AES256-SHA384 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AES(256)  Mac=SHA384
ECDHE-ECDSA-AES256-SHA384 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AES(256)
 Mac=SHA384
ECDHE-RSA-AES256-SHA    SSLv3 Kx=ECDH     Au=RSA  Enc=AES(256)  Mac=SHA1
ECDHE-ECDSA-AES256-SHA  SSLv3 Kx=ECDH     Au=ECDSA Enc=AES(256)  Mac=SHA1
DHE-DSS-AES256-GCM-SHA384 TLSv1.2 Kx=DH       Au=DSS  Enc=AESGCM(256)
Mac=AEAD
DHE-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=DH       Au=RSA  Enc=AESGCM(256)
Mac=AEAD
DHE-RSA-AES256-SHA256   TLSv1.2 Kx=DH       Au=RSA  Enc=AES(256)  Mac=SHA256
DHE-DSS-AES256-SHA256   TLSv1.2 Kx=DH       Au=DSS  Enc=AES(256)  Mac=SHA256
DHE-RSA-AES256-SHA      SSLv3 Kx=DH       Au=RSA  Enc=AES(256)  Mac=SHA1
DHE-DSS-AES256-SHA      SSLv3 Kx=DH       Au=DSS  Enc=AES(256)  Mac=SHA1
AECDH-AES256-SHA        SSLv3 Kx=ECDH     Au=None Enc=AES(256)  Mac=SHA1
ADH-AES256-GCM-SHA384   TLSv1.2 Kx=DH       Au=None Enc=AESGCM(256) Mac=AEAD
ADH-AES256-SHA256       TLSv1.2 Kx=DH       Au=None Enc=AES(256)  Mac=SHA256
ADH-AES256-SHA          SSLv3 Kx=DH       Au=None Enc=AES(256)  Mac=SHA1
ECDH-RSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH/ECDSA Au=ECDH Enc=AESGCM(256)
Mac=AEAD
ECDH-ECDSA-AES256-GCM-SHA384 TLSv1.2 Kx=ECDH/ECDSA Au=ECDH Enc=AESGCM(256)
Mac=AEAD
ECDH-RSA-AES256-SHA384  TLSv1.2 Kx=ECDH/ECDSA Au=ECDH Enc=AES(256)
 Mac=SHA384
ECDH-ECDSA-AES256-SHA384 TLSv1.2 Kx=ECDH/ECDSA Au=ECDH Enc=AES(256)
 Mac=SHA384
ECDH-RSA-AES256-SHA     SSLv3 Kx=ECDH/RSA Au=ECDH Enc=AES(256)  Mac=SHA1
ECDH-ECDSA-AES256-SHA   SSLv3 Kx=ECDH/ECDSA Au=ECDH Enc=AES(256)  Mac=SHA1
AES256-GCM-SHA384       TLSv1.2 Kx=RSA      Au=RSA  Enc=AESGCM(256) Mac=AEAD
AES256-SHA256           TLSv1.2 Kx=RSA      Au=RSA  Enc=AES(256)  Mac=SHA256
AES256-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(256)  Mac=SHA1
ECDHE-RSA-DES-CBC3-SHA  SSLv3 Kx=ECDH     Au=RSA  Enc=3DES(168) Mac=SHA1
ECDHE-ECDSA-DES-CBC3-SHA SSLv3 Kx=ECDH     Au=ECDSA Enc=3DES(168) Mac=SHA1
EDH-RSA-DES-CBC3-SHA    SSLv3 Kx=DH       Au=RSA  Enc=3DES(168) Mac=SHA1
EDH-DSS-DES-CBC3-SHA    SSLv3 Kx=DH       Au=DSS  Enc=3DES(168) Mac=SHA1
AECDH-DES-CBC3-SHA      SSLv3 Kx=ECDH     Au=None Enc=3DES(168) Mac=SHA1
ADH-DES-CBC3-SHA        SSLv3 Kx=DH       Au=None Enc=3DES(168) Mac=SHA1
ECDH-RSA-DES-CBC3-SHA   SSLv3 Kx=ECDH/RSA Au=ECDH Enc=3DES(168) Mac=SHA1
ECDH-ECDSA-DES-CBC3-SHA SSLv3 Kx=ECDH/ECDSA Au=ECDH Enc=3DES(168) Mac=SHA1
DES-CBC3-SHA            SSLv3 Kx=RSA      Au=RSA  Enc=3DES(168) Mac=SHA1
ECDHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AESGCM(128)
Mac=AEAD
ECDHE-ECDSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AESGCM(128)
Mac=AEAD
ECDHE-RSA-AES128-SHA256 TLSv1.2 Kx=ECDH     Au=RSA  Enc=AES(128)  Mac=SHA256
ECDHE-ECDSA-AES128-SHA256 TLSv1.2 Kx=ECDH     Au=ECDSA Enc=AES(128)
 Mac=SHA256
ECDHE-RSA-AES128-SHA    SSLv3 Kx=ECDH     Au=RSA  Enc=AES(128)  Mac=SHA1
ECDHE-ECDSA-AES128-SHA  SSLv3 Kx=ECDH     Au=ECDSA Enc=AES(128)  Mac=SHA1
DHE-DSS-AES128-GCM-SHA256 TLSv1.2 Kx=DH       Au=DSS  Enc=AESGCM(128)
Mac=AEAD
DHE-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=DH       Au=RSA  Enc=AESGCM(128)
Mac=AEAD
DHE-RSA-AES128-SHA256   TLSv1.2 Kx=DH       Au=RSA  Enc=AES(128)  Mac=SHA256
DHE-DSS-AES128-SHA256   TLSv1.2 Kx=DH       Au=DSS  Enc=AES(128)  Mac=SHA256
DHE-RSA-AES128-SHA      SSLv3 Kx=DH       Au=RSA  Enc=AES(128)  Mac=SHA1
DHE-DSS-AES128-SHA      SSLv3 Kx=DH       Au=DSS  Enc=AES(128)  Mac=SHA1
AECDH-AES128-SHA        SSLv3 Kx=ECDH     Au=None Enc=AES(128)  Mac=SHA1
ADH-AES128-GCM-SHA256   TLSv1.2 Kx=DH       Au=None Enc=AESGCM(128) Mac=AEAD
ADH-AES128-SHA256       TLSv1.2 Kx=DH       Au=None Enc=AES(128)  Mac=SHA256
ADH-AES128-SHA          SSLv3 Kx=DH       Au=None Enc=AES(128)  Mac=SHA1
ECDH-RSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH/ECDSA Au=ECDH Enc=AESGCM(128)
Mac=AEAD
ECDH-ECDSA-AES128-GCM-SHA256 TLSv1.2 Kx=ECDH/ECDSA Au=ECDH Enc=AESGCM(128)
Mac=AEAD
ECDH-RSA-AES128-SHA256  TLSv1.2 Kx=ECDH/ECDSA Au=ECDH Enc=AES(128)
 Mac=SHA256
ECDH-ECDSA-AES128-SHA256 TLSv1.2 Kx=ECDH/ECDSA Au=ECDH Enc=AES(128)
 Mac=SHA256
ECDH-RSA-AES128-SHA     SSLv3 Kx=ECDH/RSA Au=ECDH Enc=AES(128)  Mac=SHA1
ECDH-ECDSA-AES128-SHA   SSLv3 Kx=ECDH/ECDSA Au=ECDH Enc=AES(128)  Mac=SHA1
AES128-GCM-SHA256       TLSv1.2 Kx=RSA      Au=RSA  Enc=AESGCM(128) Mac=AEAD
AES128-SHA256           TLSv1.2 Kx=RSA      Au=RSA  Enc=AES(128)  Mac=SHA256
AES128-SHA              SSLv3 Kx=RSA      Au=RSA  Enc=AES(128)  Mac=SHA1


 I have tried with different version openssl and fips; but i could not
succedded. Is there anythink that i can try?

[Opensc-devel] Oberthur Cosmo v7.0-n card support

[Fabian L. C. <FAB...@EV...>]

Hello everyone,

I'm trying to make OpenSC work with different models of Oberthur smartcards:

- Cosmo64 RSA v5.2 (applet: 2.17)
- Cosmo v7.0-n (applet: 2.17)

Up until now I only have been able to make the first card model work with OpenSC 0.14.0.

After reading this https://github.com/OpenSC/OpenSC/wiki/Oberthur-AuthentIC-applet-v2.2 I assumed that Cosmo v7.0-n model is not supported, but I am not quite sure.

Could anyone confirm if Cosmo v7.0-n model is supported by OpenSC please?

If no, what would need to be done in order to support it?

If it is supported, I am detailing at the end of the email how I am installing and setting up OpenSC. What am I doing wrong?

Thank you so much for your help.
Best regards
Fabián

------------------------------------------------------------------------------------------------------------------

- Install both x86 and x64 versions of OpenSC on a Windows 7 x64 computer
- Add a new entry at "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Calais\SmartCards\" for Cosmo64 RSA v5.2 including its ATR:

        [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Calais\SmartCards\AuthenticV5]
        "80000001"="opensc-minidriver.dll"
        "Crypto Provider"="Microsoft Base Smart Card Crypto Provider"
        "ATR"=hex:3b,7d,18,00,00,00,31,80,71,8e,64,77,e3,01,00,82,90,00
        "ATRMask"=hex:ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff
        "Smart Card Key Storage Provider"="Microsoft Smart Card Key Storage Provider"

- Add the same entry at "HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Calais\SmartCards\"
- Restart "Certificate Propagation" service.

- Plug-in the Cosmo64 RSA v5.2:
        - the certificate will be imported correctly to Windows certificate store.
        - "opensc-tool.exe -n" will return the name of the card correctly
                C:\Program Files\OpenSC Project\OpenSC\tools>opensc-tool.exe -n
                Using reader with a card: SCM Microsystems Inc. SCR3310 v2.0 USB SC Reader 0
                AuthentIC v5

        -  "opensc-tool.exe -a" returns the card's ATR
                C:\Program Files\OpenSC Project\OpenSC\tools>opensc-tool.exe -a
                Using reader with a card: SCM Microsystems Inc. SCR3310 v2.0 USB SC Reader 0
                3b:7d:18:00:00:00:31:80:71:8e:64:77:e3:01:00:82:90:00

        - "pkcs15-tool.exe -c" will output information about my certificate

- So far, so good, so now I add two new Registry entries, on both x86 and x64 hives, for the Cosmo v7.0-n card:

        [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Calais\SmartCards\AuthentIC v7]
        "80000001"="opensc-minidriver.dll"
        "Crypto Provider"="Microsoft Base Smart Card Crypto Provider"
        "ATR"=hex:3b,5b,96,00,00,31,c0,64,ba,fc,10,00,0f,90,00
        ATRMask"=hex:ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff
        "Smart Card Key Storage Provider"="Microsoft Smart Card Key Storage Provider"

- Now I plug in the Cosmo v7.0-n card and:
        - the certificate is not imported to Windows certificate store.
        -"opensc-tool -n" returns " Unsupported card"
                C:\Program Files\OpenSC Project\OpenSC\tools>opensc-tool.exe -n
                Using reader with a card: SCM Microsystems Inc. SCR3310 v2.0 USB SC Reader 0
                Unsupported card

        - "opensc-tool.exe -a" returns the card's ATR
                C:\Program Files\OpenSC Project\OpenSC\tools>opensc-tool.exe -a
                Using reader with a card: SCM Microsystems Inc. SCR3310 v2.0 USB SC Reader 0
                3b:5b:96:00:00:31:c0:64:ba:fc:10:00:0f:90:00

        - "pkcs15-tool.exe -c" also returns an error:
                C:\Program Files\OpenSC Project\OpenSC\tools>pkcs15-tool.exe -c
                Using reader with a card: SCM Microsystems Inc. SCR3310 v2.0 USB SC Reader 0
                Failed to connect to card: Card is invalid or cannot be handled

- "opensc-tool.exe --list-drivers " shows two Oberthur drivers:
        oberthur         Oberthur AuthentIC.v2/CosmopolIC.v4
        authentic        Oberthur AuthentIC v3.1

- I add a new "atr" entry on "opensc.conf" at "Program Files" and "Program Files (x86)" folders:

        # Oberthur's AuthentIC v7
        card_atr 3B:5B:96:00:00:31:C0:64:BA:FC:10:00:0F:90:00 {
                                type = 11100;
                                driver = "authentic";
                                name = "AuthentIC v7";
                }

- Plug in the Cosmo v7.0-n card and:
        -"opensc-tool -n" changes its output:
                C:\Program Files\OpenSC Project\OpenSC\tools>opensc-tool.exe -n
                Using reader with a card: SCM Microsystems Inc. SCR3310 v2.0 USB SC Reader 0
                Failed to connect to card: File not found

        - Same thing with "opensc-tool.exe -a":
                C:\Program Files\OpenSC Project\OpenSC\tools>opensc-tool.exe -a
                Using reader with a card: SCM Microsystems Inc. SCR3310 v2.0 USB SC Reader 0
                Failed to connect to card: File not found

        - And with "pkcs15-tool.exe -c":
                C:\Program Files\OpenSC Project\OpenSC\tools>pkcs15-tool.exe -c
                Using reader with a card: SCM Microsystems Inc. SCR3310 v2.0 USB SC Reader 0
                Failed to connect to card: File not found

- Now I change the "atr" entries on "opensc.conf" files to:

        # Oberthur's AuthentIC v7
        card_atr 3B:5B:96:00:00:31:C0:64:BA:FC:10:00:0F:90:00 {
                                type = 11100;
                                driver = "oberthur";
                                name = "AuthentIC v7";
                }

- And I get this outputs with Cosmo v7.0-n card plugged in:
        -"opensc-tool -n":
                C:\Program Files\OpenSC Project\OpenSC\tools>opensc-tool.exe -n
                Using reader with a card: SCM Microsystems Inc. SCR3310 v2.0 USB SC Reader 0
                AuthentIC v5

        -"opensc-tool -a":
                C:\Program Files\OpenSC Project\OpenSC\tools>opensc-tool.exe -a
                Using reader with a card: SCM Microsystems Inc. SCR3310 v2.0 USB SC Reader 0
                3b:5b:96:00:00:31:c0:64:ba:fc:10:00:0f:90:00

        - "pkcs15-tool.exe -c":
                C:\Program Files\OpenSC Project\OpenSC\tools>pkcs15-tool.exe -c
                Using reader with a card: SCM Microsystems Inc. SCR3310 v2.0 USB SC Reader 0
                PKCS#15 binding failed: Unsupported card

________________________________

AVISO DE CONFIDENCIALIDAD.
Este correo y la información contenida o adjunta al mismo es privada y confidencial y va dirigida exclusivamente a su destinatario. everis informa a quien pueda haber recibido este correo por error que contiene información confidencial cuyo uso, copia, reproducción o distribución está expresamente prohibida. Si no es Vd. el destinatario del mismo y recibe este correo por error, le rogamos lo ponga en conocimiento del emisor y proceda a su eliminación sin copiarlo, imprimirlo o utilizarlo de ningún modo.

CONFIDENTIALITY WARNING.
This message and the information contained in or attached to it are private and confidential and intended exclusively for the addressee. everis informs to whom it may receive it in error that it contains privileged information and its use, copy, reproduction or distribution is prohibited. If you are not an intended recipient of this E-mail, please notify the sender, delete it and do not read, act upon, print, disclose, copy, retain or redistribute any portion of this E-mail.

Re: [Opensc-devel] Libp11, engine_pkcs11 and OpenSC-0.15.0

[David W. <dw...@in...>]

> Now that OpenSC-0.15.0 is releases, is it time for updated releases of
> libp11 and engine_pkcs11?

Yes, definitely. I'm already shipping engine_pkcs11 in Fedora 22 with the
RFC7512 URI support and default p11-kit-proxy.so provider, but I stopped
short of doing the ECDSA support too.

We could do with a new pkcs11-helper release with URI support too, and the
POSIX violations fixed.

As well as OpenSC 0.15.1 with #333 fixed of course.

-- 
dwmw2

[Opensc-devel] Libp11, engine_pkcs11 and OpenSC-0.15.0

[Douglas E E. <dee...@gm...>]

Now that OpenSC-0.15.0 is releases, is it time for updated releases of libp11 and engine_pkcs11?

libp11 and engine_pkcs11 have a number of fixes, URI support and ECDSA support.
ECDSA support works with OpenSSL-1.0.2.

-- 

  Douglas E. Engert  <DEE...@gm...>

Re: [Opensc-devel] Modify PAM-AUTHTOK for next modules

[Douglas E E. <dee...@gm...>]

On 5/22/2015 6:03 AM, Emmanuel Nazareno de Lima Ferro wrote:
> Hi guys,
>
> I am working to make login authentication using smart card over an ldap server. My company ask me to use only smart card PIN do do all the work. In other words I have to do groups.so and mount.so
> (need ldap password) and this password is cryptpassword field in ldap server.=20
>
> So I have read all pkcs11 and PAM documentation and do not discovery how to do that. I think the only way to do the work is modify pam-pkcs11 to make it change PAM-AUTHTOK doing a search in ldap server.
>
(Most likely, because retrieving a user password is not the way to do it. You should be able to eliminate the need for a user password.)

> I would like hear your opinion for this subject. Thank you in advantage.

The bindDN used to get the user's groups does not have to be the same as the bindDN used to authenticate the user.
They could be used with different LDAP databases too.

So an existing NSS database could be used. http://en.wikipedia.org/wiki/Name_Service_Switch

A generic read only account could be used for binding to NSS, with the password stored on the client machine.
The same account could be shared by many machines. This assumes that the data being read is not sensitive
as any client machine could read the data for any user (but not any passwords.)

I think I mentioned this before, If your company has Windows Active Directory and your users are in AD, look
at pam_krb that supports PKINIT that uses smart cards. Your linux distro may already have this.
Look for pkinit in the man pages for your distro's pam_krb5.

https://packages.debian.org/wheezy/libpam-krb5

http://www.eyrie.org/~eagle/software/pam-krb5/pam-krb5.html
This uses PKCS#11 to access the smart card, and works with OpenSC.

What I am also saying is the OpenSC pam_pkcs11 is not a network authentication, whereas the pam_krb5 is
it gives you back kerberos tickets, that can be used for further authentication to other services.
You may want to consider if you are looking for an enterprise wide solution or just authentication to
a handful of local clients.






>
> --
> “Se você quer ir rápido, vá sozinho. Se quer ir longe, vá acompanhado." (provérbio africano)
> --------------------------------------------------------------------------------
> Emmanuel Ferro
> SERPRO - Escritório São Luís
> SUPOP/OPFLA/OPSLS
> Comitê Regional de Software Livre
> --------------------------------------------------------------------------------
>
> -
>
>
> "Esta mensagem do SERVIÇO FEDERAL DE PROCESSAMENTO DE DADOS (SERPRO), empresa pública federal regida pelo disposto na Lei Federal nº 5.615, é enviada exclusivamente a seu destinatário e pode conter
> informações confidenciais, protegidas por sigilo profissional. Sua utilização desautorizada é ilegal e sujeita o infrator às penas da lei. Se você a recebeu indevidamente, queira, por gentileza,
> reenviá-la ao emitente, esclarecendo o equívoco."
>
> "This message from SERVIÇO FEDERAL DE PROCESSAMENTO DE DADOS (SERPRO) -- a government company established under Brazilian law (5.615/70) -- is directed exclusively to its addressee and may contain
> confidential data, protected under professional secrecy rules. Its unauthorized use is illegal and may subject the transgressor to the law's penalties. If you're not the addressee, please send it
> back, elucidating the failure."
>
>
> ------------------------------------------------------------------------------
> One dashboard for servers and applications across Physical-Virtual-Cloud
> Widest out-of-the-box monitoring support with 50+ applications
> Performance metrics, stats and reports that give you Actionable Insights
> Deep dive visibility with transaction tracing using APM Insight.
> http://ad.doubleclick.net/ddm/clk/290420510;117567292;y
>
>
>
> _______________________________________________
> Opensc-devel mailing list
> Ope...@li...
> https://lists.sourceforge.net/lists/listinfo/opensc-devel
>

-- 

  Douglas E. Engert  <DEE...@gm...>

[Opensc-devel] Modify PAM-AUTHTOK for next modules

[Emmanuel N. de L. F. <emm...@se...>]

Hi guys, 

I am working to make login authentication using smart card over an ldap server. My company ask me to use only smart card PIN do do all the work. In other words I have to do groups.so and mount.so (need ldap password) and this password is cryptpassword field in ldap server.=20

So I have read all pkcs11 and PAM documentation and do not discovery how to do that. I think the only way to do the work is modify pam-pkcs11 to make it change PAM-AUTHTOK doing a search in ldap server.

I would like hear your opinion for this subject. Thank you in advantage.

-- 

“Se você quer ir rápido, vá sozinho. Se quer ir longe, vá acompanhado." (provérbio africano)

--------------------------------------------------------------------------------

Emmanuel Ferro 

SERPRO - Escritório São Luís

SUPOP/OPFLA/OPSLS

Comitê Regional de Software Livre

--------------------------------------------------------------------------------


-


"Esta mensagem do SERVIÇO FEDERAL DE PROCESSAMENTO DE DADOS (SERPRO), empresa pública federal regida pelo disposto na Lei Federal nº 5.615, é enviada exclusivamente a seu destinatário e pode conter informações confidenciais, protegidas por sigilo profissional. Sua utilização desautorizada é ilegal e sujeita o infrator às penas da lei. Se você a recebeu indevidamente, queira, por gentileza, reenviá-la ao emitente, esclarecendo o equívoco."

"This message from SERVIÇO FEDERAL DE PROCESSAMENTO DE DADOS (SERPRO) -- a government company established under Brazilian law (5.615/70) -- is directed exclusively to its addressee and may contain confidential data, protected under professional secrecy rules. Its unauthorized use is illegal and may subject the transgressor to the law's penalties. If you're not the addressee, please send it back, elucidating the failure."

Re: [Opensc-devel] CAC and PIV support

[Douglas E E. <dee...@gm...>]

On 5/19/2015 5:24 PM, David Karam wrote:
> Hello, we wish to use OpenSC in an application that should support CAC and PIV cards.
>
>  From the supported cards <https://www.opensc-project.org/opensc/wiki/SupportedHardware> page for OpenSC I can only see PIV, but am confused what the difference between them is. CAC seems to be for
> military personnel while PIV is for the wider civilian gov population. Also CAC seems to be PIV-compliant but am not sure if that means OpenSC can read that.

http://www.cac.mil/

CAC was the original DOD card and were from a single vendor. HSPD-12 (August 2004):

  http://www.dhs.gov/homeland-security-presidential-directive-12

mandated that all federal agencies including DOD would adopt a common smart card and NIST being part of Commerce
wrote the PIV specifications and FIPS 201 so that multiple vendors would produce the cards and infrastructure:

   http://csrc.nist.gov/groups/SNS/piv/

DOD started issuing PIV_compliant cards that were also CAC cards to comply with HSPD-12 and the NIST standards.

You might find this interesting:
  https://militarycac.com/


Here is an online version of why I got involved with writing the PIV drivers:

   http://workshop.openafs.org/afsbpw07/talks/deengert.pdf

ALso see:

  http://csrc.nist.gov/publications/nistir/ir7427/NISTIR7427_PKI_2007.pdf

So to answer your question, the OpenSC code can use CAC cards if they are PIV compliant. The CAC card
may have additional data on the card that is not PIV compliant, and may vary by branch of DOD.

OpenSC does not implement the full PIV middl eware but implements a PKCS#11 interface
to used any of the PIV certificates/keys on the card for use with COTS programs that
can use PKCS#11.

>
> So am a bit confused here and was hoping someone with more experience on the subject can clear this up!
>
>
> Thanks,
> David
>
>
> ------------------------------------------------------------------------------
> One dashboard for servers and applications across Physical-Virtual-Cloud
> Widest out-of-the-box monitoring support with 50+ applications
> Performance metrics, stats and reports that give you Actionable Insights
> Deep dive visibility with transaction tracing using APM Insight.
> http://ad.doubleclick.net/ddm/clk/290420510;117567292;y
>
>
>
> _______________________________________________
> Opensc-devel mailing list
> Ope...@li...
> https://lists.sourceforge.net/lists/listinfo/opensc-devel
>

-- 

  Douglas E. Engert  <DEE...@gm...>

[Opensc-devel] CAC and PIV support

[David K. <ds...@gm...>]

Hello, we wish to use OpenSC in an application that should support CAC and
PIV cards.

>From the supported cards
<https://www.opensc-project.org/opensc/wiki/SupportedHardware> page for
OpenSC I can only see PIV, but am confused what the difference between them
is. CAC seems to be for military personnel while PIV is for the wider
civilian gov population. Also CAC seems to be PIV-compliant but am not sure
if that means OpenSC can read that.

So am a bit confused here and was hoping someone with more experience on
the subject can clear this up!


Thanks,
David

[Opensc-devel] pksc11 messages in other language

[Emmanuel N. de L. F. <emm...@se...>]

Hi, I've translated pkcs11 messages to brazilian portuguese but it appears only on unblock screen and never on login screen (ligthdm). What's wrong?


-- 
-- 

“Se você quer ir rápido, vá sozinho. Se quer ir longe, vá acompanhado." (provérbio africano)

--------------------------------------------------------------------------------

Emmanuel Ferro 

SERPRO - Escritório São Luís

SUPOP/OPFLA/OPSLS

Comitê Regional de Software Livre

--------------------------------------------------------------------------------


-


"Esta mensagem do SERVIÇO FEDERAL DE PROCESSAMENTO DE DADOS (SERPRO), empresa pública federal regida pelo disposto na Lei Federal nº 5.615, é enviada exclusivamente a seu destinatário e pode conter informações confidenciais, protegidas por sigilo profissional. Sua utilização desautorizada é ilegal e sujeita o infrator às penas da lei. Se você a recebeu indevidamente, queira, por gentileza, reenviá-la ao emitente, esclarecendo o equívoco."

"This message from SERVIÇO FEDERAL DE PROCESSAMENTO DE DADOS (SERPRO) -- a government company established under Brazilian law (5.615/70) -- is directed exclusively to its addressee and may contain confidential data, protected under professional secrecy rules. Its unauthorized use is illegal and may subject the transgressor to the law's penalties. If you're not the addressee, please send it back, elucidating the failure."

Re: [Opensc-devel] Release 0.15.0

[David W. <dw...@in...>]

On Mon, 2015-05-18 at 13:38 +0200, Viktor Tarasov wrote:
> > It does still crash when I run 'pkcs11-tool -t -l' from the build
> > directory, however. Although /usr/lib64/pkcs11/opensc-pkcs11.so now
> > does *load* the old /usr/lib64/libopensc.so.3, it still doesn't *use*
> > it because it uses functions from the new libopensc-0.15.0.so instead.
> 
> I have not seen this with opensc-pkcs11 and libopensc.so from the 
> same revision.

Right. It's only when the pkcs11-tool in the build tree is picking up
opensc-pkcs11.so from the installed system, that we get the mixture.

Normally, we expect that if we run a program from its build tree,
libtool magically makes things work for us — it sets LD_LIBRARY_PATH
and does whatever else is needed to ensure we are only running the code
from the build tree. And pkcs11-tool itself *was* picking up the
version of libopensc.so.3 from ../libopensc/.libs, instead of the one
in /usr/lib64.

But in the case of the module it *loads*, that isn't working.

Yes, I can supply a --module argument which explicitly points to
../pkcs11/.libs/opensc-pkcs11.so. But if we're making the --module
argument optional because we want it to Do The Right Thing without
having to be told... then shouldn't we actually make it do the right
thing? :)

-- 
dwmw2

Re: [Opensc-devel] Release 0.15.0

[Viktor T. <vik...@gm...>]

On 05/18/2015 12:52 PM, David Woodhouse wrote:
> On Mon, 2015-05-18 at 09:29 +0200, Viktor Tarasov wrote:
>>> As discussed in ticket #468 this version of libopensc.so.3 is
>>> binary-incompatible with the libopensc.so.3 from previous OpenSC
>>> releases. So anything linked against it may just crash on updating to
>>> 0.15.0.
>> For me the libopensc.so was always an internal OpenSC library.
>> Maybe I'm missing something.
> In that case, perhaps all we should do is make it stop *looking* like
> it's a "proper" shared library with a coherently-managed ABI. If you
> ever look at *anything* with an soname of 'libfoo.so.3' you're going to
> be inclined to believe that the soname is actually meaningful. If it
> ends '.so.0' then you might be more careful.
>
> If we do this...
>
> diff --git a/src/libopensc/Makefile.am b/src/libopensc/Makefile.am
> index 1d42b0d..a0fc0e4 100644
> --- a/src/libopensc/Makefile.am
> +++ b/src/libopensc/Makefile.am
> @@ -64,7 +64,7 @@ if WIN32
>   libopensc_la_LIBADD += -lws2_32
>   endif
>   libopensc_la_LDFLAGS = $(AM_LDFLAGS) \
> -       -version-info @OPENSC_LT_CURRENT@:@OPENSC_LT_REVISION@:@OPENSC_LT_AGE@ \
> +       -release @PACKAGE_VERSION@ \
>          -export-symbols "$(srcdir)/libopensc.exports" \
>          -no-undefined
>   
> ... then we end up with 'libopensc-0.15.0.so' which seems somewhat
> clearer.
>
> It does still crash when I run 'pkcs11-tool -t -l' from the build
> directory, however. Although /usr/lib64/pkcs11/opensc-pkcs11.so now
> does *load* the old /usr/lib64/libopensc.so.3, it still doesn't *use*
> it because it uses functions from the new libopensc-0.15.0.so instead.

I have not seen this with opensc-pkcs11 and libopensc.so from the same revision.

> To fix *that* we'd want symbol versioning.
>
> But perhaps we should just fix the 'run from build tree' case for
> pkcs11-tool instead, so it's not using opensc-pkcs11.so from the
> installed system?

You can use pkcs11-tool with the "--module" argument.

Re: [Opensc-devel] Release 0.15.0

[David W. <dw...@in...>]

On Mon, 2015-05-18 at 09:29 +0200, Viktor Tarasov wrote:
> 
> > As discussed in ticket #468 this version of libopensc.so.3 is
> > binary-incompatible with the libopensc.so.3 from previous OpenSC
> > releases. So anything linked against it may just crash on updating to
> > 0.15.0.
> 
> For me the libopensc.so was always an internal OpenSC library.
> Maybe I'm missing something.

In that case, perhaps all we should do is make it stop *looking* like
it's a "proper" shared library with a coherently-managed ABI. If you
ever look at *anything* with an soname of 'libfoo.so.3' you're going to
be inclined to believe that the soname is actually meaningful. If it
ends '.so.0' then you might be more careful.

If we do this...

diff --git a/src/libopensc/Makefile.am b/src/libopensc/Makefile.am
index 1d42b0d..a0fc0e4 100644
--- a/src/libopensc/Makefile.am
+++ b/src/libopensc/Makefile.am
@@ -64,7 +64,7 @@ if WIN32
 libopensc_la_LIBADD += -lws2_32
 endif
 libopensc_la_LDFLAGS = $(AM_LDFLAGS) \
-       -version-info @OPENSC_LT_CURRENT@:@OPENSC_LT_REVISION@:@OPENSC_LT_AGE@ \
+       -release @PACKAGE_VERSION@ \
        -export-symbols "$(srcdir)/libopensc.exports" \
        -no-undefined
 
... then we end up with 'libopensc-0.15.0.so' which seems somewhat
clearer.

It does still crash when I run 'pkcs11-tool -t -l' from the build
directory, however. Although /usr/lib64/pkcs11/opensc-pkcs11.so now
does *load* the old /usr/lib64/libopensc.so.3, it still doesn't *use*
it because it uses functions from the new libopensc-0.15.0.so instead.

To fix *that* we'd want symbol versioning. 

But perhaps we should just fix the 'run from build tree' case for
pkcs11-tool instead, so it's not using opensc-pkcs11.so from the
installed system?

-- 
David Woodhouse                            Open Source Technology Centre
Dav...@in...                              Intel Corporation

Re: [Opensc-devel] Release 0.15.0

[Viktor T. <vik...@gm...>]

On 05/17/2015 09:41 AM, David Woodhouse wrote:
> On Sat, 2015-05-16 at 23:17 +0200, Viktor Tarasov wrote:
>> release 0.15.0 is published,
> Um,... really?
>
> As discussed in ticket #468 this version of libopensc.so.3 is
> binary-incompatible with the libopensc.so.3 from previous OpenSC
> releases. So anything linked against it may just crash on updating to
> 0.15.0.

For me the libopensc.so was always an internal OpenSC library.
Maybe I'm missing something.

> And it still doesn't seem to work with OpenVPN because of issue #333
> (which affects all platforms except Windows, I believe). We merged a
> *test* case for that bug, but AFAICT didn't actually fix the bug.
>
> (I say both those things looking at the commit logs but without actually
> re-testing. I'm a little busy right now but I'd tried to make sure those
> bugs were both known so that the release didn't happen without them
> fixed...)
>
> Should we be looking to do a 0.15.1 release within the next few days
> with those addressed?

Yes, we'll be looking for release 0.15.1 .