From: Mat A. <arg...@gm...> - 2013-08-29 07:26:57
That's a really cool idea.
If you somehow want to have this adopted as an alternative to XML-DSIG and CMS and ported to other languages, I think you should make a separate project out of it.

cheers
Mat

On Wednesday 28. August 2013 18:06:43 Anders Rundgren wrote:
> Since Google doesn't support XSD or XML DSig in Android I began looking at
> other alternatives. There were none :-( Therefore I created a 2000-line
> system that writes and reads JSON from Java. In addition, I adopted a
> scaled-down version of XML DSig's enveloped-signatures.
>
> The concept of enveloped signatures has been slammed by some people due to
> a belief that canonicalization issues will be hard. FWIW, I just wrote the
> entire thing in just a week and I didn't find any problems at all.
>
> https://code.google.com/p/openkeystore/source/browse/#svn%2Flibrary%2Ftrunk%2Fsrc%2Forg%2Fwebpki%2Fjson
>
> It seems that I will be able to replace 200,000 lines of Apache code with
> about 2,000 lines of custom code.
>
> {
>   "MyLittleSignature":
>     {
>       "Version": "http://example.com/signature",
>       "Now": "2013-08-25T20:31:23+02:00",
>       "HRT":
>         {
>           "RTl": "67",
>           "YT":
>             {
>               "HTL": "656756#",
>               "INTEGER": -689,
>               "Fantastic": false
>             },
>           "er": "33"
>         },
>       "ARR": [],
>       "BARR":
>         [{
>            "HTL": "656756#",
>            "INTEGER": -689,
>            "Fantastic": true
>          },
>          {
>            "HTL": "656756#",
>            "INTEGER": -689,
>            "Fantastic": false
>          }],
>       "ID": "ihqQONXvN5_LnmdAG7YU",
>       "STRINGS": ["One","Two","Three"],
>       "Intra": 78,
>       "EnvelopedSignature":
>         {
>           "SignatureInfo":
>             {
>               "Algorithm": "http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha256",
>               "Reference":
>                 {
>                   "Name": "ID",
>                   "Value": "ihqQONXvN5_LnmdAG7YU"
>                 },
>               "KeyInfo":
>                 {
>                   "PublicKey":
>                     {
>                       "EC":
>                         {
>                           "NamedCurve": "http://xmlns.webpki.org/sks/algorithm#ec.p256",
>                           "X": "lNxNvAUEE8t7DSQBft93LVSXxKCiVjhbWWfyg023FCk",
>                           "Y": "LmTlQxXB3LgZrNLmhOfMaCnDizczC/RfQ6Kx8iNwfFA"
>                         }
>                     }
>                 }
>             },
>           "SignatureValue": "MEUCIEhZtArhp8O7d1n7SRWRQcs3qePGBCrnKY8x2O3o+nvPAiEA0On5hez2EHmEwJIm/UK7GxqZeWWcaFzK9OVAhygAWVk"
>         }
>     }
> }
>
> Why bother with this you may wonder? Well I can't imagine converting the
> previous cool stuff to something yucky like JOSE's JWS:
>
> {
>   "message": "eyJ0eXAiOibGciOiJIUzI1NiJ9.LmNvbS9pc19yb290Ijp0cnVlfQ.2K27uhbUJU1p1r_wW1gFWFOEjXk"
> }
>
> Canonicalization (=removal of whitespace):
>
> "MyLittleSignature":{"Version":"http://example.com/signature","Now":"2013-08-25T20:31:23+02:00","HRT":{"RTl":"67","YT":{"HTL":"656756#","INTEGER":-689,"Fantastic":false},"er":"33"},"ARR":[],"BARR":[{"HTL":"656756#","INTEGER":-689,"Fantastic":true},{"HTL":"656756#","INTEGER":-689,"Fantastic":false}],"ID":"ihqQONXvN5_LnmdAG7YU","STRINGS":["One","Two","Three"],"Intra":78,"EnvelopedSignature":{"SignatureInfo":{"Algorithm":"http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha256","Reference":{"Name":"ID","Value":"ihqQONXvN5_LnmdAG7YU"},"KeyInfo":{"PublicKey":{"EC":{"NamedCurve":"http://xmlns.webpki.org/sks/algorithm#ec.p256","X":"lNxNvAUEE8t7DSQBft93LVSXxKCiVjhbWWfyg023FCk","
> Y":"LmTlQxXB3LgZrNLmhOfMaCnDizczC/RfQ6Kx8iNwfFA"}}}}
>
> Cheers,
> Anders
>
> _______________________________________________
> Opensc-devel mailing list
> Ope...@li...
> https://lists.sourceforge.net/lists/listinfo/opensc-devel

From: Anders R. <and...@gm...> - 2013-08-29 04:00:53
Hi JM,
I think your conclusions regarding security are correct.
I.e. this is not a perfect solution.

Why do I still believe it is significant?
Because it offers [improved] security for the mass-market.

Storing the KEK inside of the CPU with a built-in security processor is a logical next step.
I.e. the security processor would for example have a method like RSASign (EncryptedKeyBlob).

I have built this in software and it was close to trivial. Here is a PDF describing it:
https://openkeystore.googlecode.com/svn/resources/trunk/docs/tee-se-combo.pdf

Cheers
Anders

On 2013-08-28 18:55, Jean-Michel Pouré - GOOZE wrote:
> On Tuesday 27 August 2013 at 08:13 +0200, Anders Rundgren wrote:
>> http://nelenkov.blogspot.com/2013/08/credential-storage-enhancements-android-43.html
>
> Very interesting article, thank you.
>
> Let's focus on the article, before drawing any conclusion.
>
> Quoting the article:
> ****
> An interesting detail is that, the QSEE keystore trusted app (which may
> not be a dedicated app, but part of more general purpose trusted
> application) doesn't return simple references to protected keys, but
> instead uses proprietary encrypted key blobs (not unlike nCipher Thales
> HSMs). In this model, the only thing that is actually protected by
> hardware is some form of 'master' key-encryption key (KEK), and
> user-generated keys are only indirectly protected by being encrypted
> with the KEK.
>
> [...]
>
> To sum this up, while TrustZone secure applications might provide
> effective protection against Android malware running on the device,
> given physical access, they, as well as the TrustZone kernel, are
> exploitable themselves.
> ***
>
> Here is what Android 4.3 does:
>
> * Only master key is backed-up in QSEE keystore hardware (when crypto
> chip available). Otherwise, master key is backed-up in software (when no
> crypto chip is available). Therefore only a tiny portion of 4.3 Android
> systems are secure.
>
> * QSEE Slave keys are encrypted using master key. There are no real
> details given on master key and we don't know to which extent it is safe
> (crypto chip security level not described in article).
>
> * TrustZone secure applications are encrypted using QSEE slave keys
> (sounds reasonable to believe so).
>
> * Therefore if master key is compromised, QSEE Slave keys and TrustZone
> secure applications may be compromised.
>
> * If kernel is compromised, it may be possible to bypass QSEE and
> TrustZone.
>
> Please correct me if I am wrong.
>
> Kind regards,

From: Ludovic R. <lud...@gm...> - 2013-08-28 19:13:44
2013/8/28 Douglas E. Engert <dee...@an...>:
> We keep saying in responses to e-mails statements like:
> "The project does not use opensc-project.org any more.
> Read https://github.com/OpenSC/OpenSC/wiki/OpenSC-Services"
>
> But if an ordinary user Googles for OpenSC subjects
> a reference to github may not even show up in the first 100
> responses.
>
> This continues to lead users to the old pages and the project
> appears to be dead!
>
> For example Google for:
> Getting started with OpenSC
> shows https://www.opensc-project.org/opensc/wiki/GetStarted
> Last updated 2 years ago.
>
> But Google with it in quotes: "Getting started with OpenSC"
> and github is first.
> https://github.com/OpenSC/OpenSC/wiki/Getting-started-with-OpenSC
> Updated 8 months ago.
> (Don't ask me why Google does this, it just does.)
>
> One way to help users find the up to date pages would be to add
> to every page on the old
> https://www.opensc-project.org/opensc/wiki
>
> some box saying the project has moved to github,
> and the Wiki can be found at:
> https://www.opensc-project.org/opensc/wiki
>
> Or to search the new Wiki, precede your search with site:github.com
> to find this official wiki.
>
> Any other suggestions?

Modify the opensc-project.org web configuration to include a page documenting the migration.

The problem is that opensc-project.org domain name is now maintained by Martin Paljak.
But Martin does not want to migrate the project AFAIK.

Martin, what do you think?

Bye

--
Dr. Ludovic Rousseau

From: Ludovic R. <lud...@gm...> - 2013-08-28 19:09:46
2013/8/28 evalues evalues <eva...@gm...>:
> Hi all,
>
> I'm trying to compile OpenSC in Windows7 64 Bits. I've followed the steps
> in:
>
> https://www.opensc-project.org/opensc/wiki/WindowsInstaller
>
> https://www.opensc-project.org/opensc/wiki/NightlyBuilds

You should use the nightly builds from
http://sourceforge.net/projects/opensc/files/OpenSC/nightly/tarball/

OpenSC moved away from opensc-project.org.
See https://github.com/OpenSC/OpenSC/wiki/OpenSC-Services

> However, when I execute ./bootstrap in MSYS I've the next error:
> "
> configure.ac:72: error: possibly undefined macro: AC_DEFINE
> If this token and others are legitimate, please use m4_pattern_allow.
> See the Autoconf documentation.
> configure.ac:197: error: possibly undefined macro: AC_MSG_ERROR
> configure.ac:281: error: possibly undefined macro: AC_CHECK_LIB
> "
> The autoconf version is 2.68.
>
> If I use the Windows console with bash.exe -c ./bootstrap the result is:
> console blocked.
>
> What should I do to make it work?

Do not run ./bootstrap yourself. Use the nightly builds with an already generated configure script.

Bye

--
Dr. Ludovic Rousseau

From: Jean-Michel P. - G. <jm...@go...> - 2013-08-28 16:56:09
On Tuesday 27 August 2013 at 08:13 +0200, Anders Rundgren wrote:
> http://nelenkov.blogspot.com/2013/08/credential-storage-enhancements-android-43.html

Very interesting article, thank you.

Let's focus on the article, before drawing any conclusion.

Quoting the article:
****
An interesting detail is that, the QSEE keystore trusted app (which may not be a dedicated app, but part of more general purpose trusted application) doesn't return simple references to protected keys, but instead uses proprietary encrypted key blobs (not unlike nCipher Thales HSMs). In this model, the only thing that is actually protected by hardware is some form of 'master' key-encryption key (KEK), and user-generated keys are only indirectly protected by being encrypted with the KEK.

[...]

To sum this up, while TrustZone secure applications might provide effective protection against Android malware running on the device, given physical access, they, as well as the TrustZone kernel, are exploitable themselves.
***

Here is what Android 4.3 does:

* Only master key is backed-up in QSEE keystore hardware (when crypto chip available). Otherwise, master key is backed-up in software (when no crypto chip is available). Therefore only a tiny portion of 4.3 Android systems are secure.

* QSEE Slave keys are encrypted using master key. There are no real details given on master key and we don't know to which extent it is safe (crypto chip security level not described in article).

* TrustZone secure applications are encrypted using QSEE slave keys (sounds reasonable to believe so).

* Therefore if master key is compromised, QSEE Slave keys and TrustZone secure applications may be compromised.

* If kernel is compromised, it may be possible to bypass QSEE and TrustZone.

Please correct me if I am wrong.

Kind regards,

--
Jean-Michel Pouré - Gooze - http://www.gooze.eu

From: Anthony F. <ant...@gm...> - 2013-08-28 16:54:45
Douglas, Markus --

Thanks very much for pursuing this.

On Wed, Aug 28, 2013 at 10:19 AM, Douglas E. Engert <dee...@an...> wrote:
> On 8/28/2013 10:37 AM, Markus Kötter wrote:
> > Smartcard-HSM cards do not have cold/hot ATR, they are single ATR.

And the ATR does match the registry entries.

But the device manager is showing them with location "ScFilter", which I thought was the hot/cold handler? Could that be an issue?

Snapshot of dev manager:
http://foiani.home.dyndns.org/~tony/smart-card-dev-mgr.png

> > I got these cards myself and they work fine for me on windows 7/x86_64
> > using the provided registry entries (Wow64 ..) and installing opensc 32
> > and 64 bit.
>
> Well then maybe Anthony's problem is not having both 32 and 64 bit opensc?

So far as I know, I installed them both. Yes; "uninstall programs" is showing "OpenSC" and "OpenSC (64bit)".

Best regards,
Anthony Foiani

From: Douglas E. E. <dee...@an...> - 2013-08-28 16:20:00
On 8/28/2013 10:37 AM, Markus Kötter wrote:
> On 08/28/2013 03:50 PM, Douglas E. Engert wrote:
>> There are a number of messages like trying to read certificate 0
>> Cannot open the AT_SIGNATURE key for reader: SCM Microsystems Inc.
>> Cannot open the AT_KEYEXCHANGE key for reader: SCM Microsystems Inc.
>> Cannot open the key for reader: SCM Microsystems Inc. SCR35xx USB
>>
>> This would lead me to believe the minidriver is not being called
>> by the Microsoft code. This may be caused by the card changing the ATR
>> (cold vs hot ATRs)
>
> Smartcard-HSM cards do not have cold/hot ATR, they are single ATR.
> I got these cards myself and they work fine for me on windows 7/x86_64
> using the provided registry entries (Wow64 ..) and installing opensc 32
> and 64 bit.

Well then maybe Anthony's problem is not having both 32 and 64 bit opensc?

>
> Kind regards
> Markus

--
Douglas E. Engert <DEE...@an...>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444

From: Anders R. <and...@gm...> - 2013-08-28 16:07:06
Since Google doesn't support XSD or XML DSig in Android I began looking at other alternatives. There were none :-( Therefore I created a 2000-line system that writes and reads JSON from Java. In addition, I adopted a scaled-down version of XML DSig's enveloped-signatures.

The concept of enveloped signatures has been slammed by some people due to a belief that canonicalization issues will be hard. FWIW, I just wrote the entire thing in just a week and I didn't find any problems at all.

https://code.google.com/p/openkeystore/source/browse/#svn%2Flibrary%2Ftrunk%2Fsrc%2Forg%2Fwebpki%2Fjson

It seems that I will be able to replace 200,000 lines of Apache code with about 2,000 lines of custom code.

{
  "MyLittleSignature":
    {
      "Version": "http://example.com/signature",
      "Now": "2013-08-25T20:31:23+02:00",
      "HRT":
        {
          "RTl": "67",
          "YT":
            {
              "HTL": "656756#",
              "INTEGER": -689,
              "Fantastic": false
            },
          "er": "33"
        },
      "ARR": [],
      "BARR":
        [{
           "HTL": "656756#",
           "INTEGER": -689,
           "Fantastic": true
         },
         {
           "HTL": "656756#",
           "INTEGER": -689,
           "Fantastic": false
         }],
      "ID": "ihqQONXvN5_LnmdAG7YU",
      "STRINGS": ["One","Two","Three"],
      "Intra": 78,
      "EnvelopedSignature":
        {
          "SignatureInfo":
            {
              "Algorithm": "http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha256",
              "Reference":
                {
                  "Name": "ID",
                  "Value": "ihqQONXvN5_LnmdAG7YU"
                },
              "KeyInfo":
                {
                  "PublicKey":
                    {
                      "EC":
                        {
                          "NamedCurve": "http://xmlns.webpki.org/sks/algorithm#ec.p256",
                          "X": "lNxNvAUEE8t7DSQBft93LVSXxKCiVjhbWWfyg023FCk",
                          "Y": "LmTlQxXB3LgZrNLmhOfMaCnDizczC/RfQ6Kx8iNwfFA"
                        }
                    }
                }
            },
          "SignatureValue": "MEUCIEhZtArhp8O7d1n7SRWRQcs3qePGBCrnKY8x2O3o+nvPAiEA0On5hez2EHmEwJIm/UK7GxqZeWWcaFzK9OVAhygAWVk"
        }
    }
}

Why bother with this you may wonder? Well I can't imagine converting the previous cool stuff to something yucky like JOSE's JWS:

{
  "message": "eyJ0eXAiOibGciOiJIUzI1NiJ9.LmNvbS9pc19yb290Ijp0cnVlfQ.2K27uhbUJU1p1r_wW1gFWFOEjXk"
}

Canonicalization (=removal of whitespace):

"MyLittleSignature":{"Version":"http://example.com/signature","Now":"2013-08-25T20:31:23+02:00","HRT":{"RTl":"67","YT":{"HTL":"656756#","INTEGER":-689,"Fantastic":false},"er":"33"},"ARR":[],"BARR":[{"HTL":"656756#","INTEGER":-689,"Fantastic":true},{"HTL":"656756#","INTEGER":-689,"Fantastic":false}],"ID":"ihqQONXvN5_LnmdAG7YU","STRINGS":["One","Two","Three"],"Intra":78,"EnvelopedSignature":{"SignatureInfo":{"Algorithm":"http://www.w3.org/2001/04/xmldsig-more#ecdsa-sha256","Reference":{"Name":"ID","Value":"ihqQONXvN5_LnmdAG7YU"},"KeyInfo":{"PublicKey":{"EC":{"NamedCurve":"http://xmlns.webpki.org/sks/algorithm#ec.p256","X":"lNxNvAUEE8t7DSQBft93LVSXxKCiVjhbWWfyg023FCk","
Y":"LmTlQxXB3LgZrNLmhOfMaCnDizczC/RfQ6Kx8iNwfFA"}}}}

Cheers,
Anders

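The enveloped-signature scheme in the message above, sketched as an added example (not part of the post and not the openkeystore code). Assumptions: the signed bytes are the whitespace-free serialization of the whole object with `SignatureValue` left out, HMAC-SHA256 stands in for the ECDSA signature so the block runs with the standard library only, and the function names and the cut-down sample are constructed here.

```python
import base64
import copy
import hashlib
import hmac
import json

# Assumption: HMAC-SHA256 replaces the ECDSA signature of the original message.
ALGORITHM = "http://www.w3.org/2001/04/xmldsig-more#hmac-sha256"
DEMO_KEY = b"constructed demo key, not a real secret"

# Constructed sample, cut down from the object shown in the message.
SAMPLE = """
{
  "MyLittleSignature":
    {
      "Version": "http://example.com/signature",
      "Now": "2013-08-25T20:31:23+02:00",
      "ID": "ihqQONXvN5_LnmdAG7YU",
      "STRINGS": ["One","Two","Three"],
      "Intra": 78,
      "EnvelopedSignature":
        {
          "SignatureInfo":
            {
              "Algorithm": "http://www.w3.org/2001/04/xmldsig-more#hmac-sha256",
              "Reference": {"Name": "ID", "Value": "ihqQONXvN5_LnmdAG7YU"}
            }
        }
    }
}
"""


def canonical_bytes(obj) -> bytes:
    """Serialize without insignificant whitespace, keeping property order as parsed."""
    return json.dumps(obj, separators=(",", ":"), ensure_ascii=False).encode("utf-8")


def signed_bytes(doc: dict) -> bytes:
    """Bytes covered by the signature: the document minus SignatureValue."""
    name, body = next(iter(doc.items()))
    body = copy.deepcopy(body)
    body["EnvelopedSignature"].pop("SignatureValue", None)
    return canonical_bytes({name: body})


def _mac(doc: dict, key: bytes) -> str:
    digest = hmac.new(key, signed_bytes(doc), hashlib.sha256).digest()
    return base64.b64encode(digest).decode("ascii")


def sign(text: str, key: bytes) -> str:
    """Return the document, pretty-printed, with SignatureValue filled in."""
    doc = json.loads(text)
    body = next(iter(doc.values()))
    body["EnvelopedSignature"]["SignatureValue"] = _mac(doc, key)
    return json.dumps(doc, indent=2)


def verify(text: str, key: bytes) -> bool:
    """Check algorithm, Reference and signature; any malformed input fails closed."""
    try:
        doc = json.loads(text)
        body = next(iter(doc.values()))
        envelope = body["EnvelopedSignature"]
        info = envelope["SignatureInfo"]
        reference = info["Reference"]
        # The verifier pins the algorithm instead of trusting the document's choice.
        if info["Algorithm"] != ALGORITHM:
            return False
        # The Reference must name a property of the signed object with that value.
        if body[reference["Name"]] != reference["Value"]:
            return False
        return hmac.compare_digest(_mac(doc, key), envelope["SignatureValue"])
    except (ValueError, KeyError, TypeError, AttributeError, StopIteration):
        return False


if __name__ == "__main__":
    signed = sign(SAMPLE, DEMO_KEY)
    print("pretty-printed copy verifies:", verify(signed, DEMO_KEY))
    compact = json.dumps(json.loads(signed), separators=(",", ":"))
    print("compact copy verifies:", verify(compact, DEMO_KEY))
    reordered = json.dumps(json.loads(signed), sort_keys=True)
    print("reordered copy verifies:", verify(reordered, DEMO_KEY))
```

Whitespace changes survive, while a relay that reorders properties or re-serializes `78` as `78.0` invalidates the signature, because with whitespace removal as the only canonicalization step the order and number text are part of the signed bytes.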
From: Douglas E. E. <dee...@an...> - 2013-08-28 15:46:00
We keep saying in responses to e-mails statements like:
"The project does not use opensc-project.org any more.
Read https://github.com/OpenSC/OpenSC/wiki/OpenSC-Services"

But if an ordinary user Googles for OpenSC subjects a reference to github may not even show up in the first 100 responses.

This continues to lead users to the old pages and the project appears to be dead!

For example Google for:
Getting started with OpenSC
shows https://www.opensc-project.org/opensc/wiki/GetStarted
Last updated 2 years ago.

But Google with it in quotes: "Getting started with OpenSC"
and github is first.
https://github.com/OpenSC/OpenSC/wiki/Getting-started-with-OpenSC
Updated 8 months ago.
(Don't ask me why Google does this, it just does.)

One way to help users find the up to date pages would be to add to every page on the old
https://www.opensc-project.org/opensc/wiki

some box saying the project has moved to github, and the Wiki can be found at:
https://www.opensc-project.org/opensc/wiki

Or to search the new Wiki, precede your search with site:github.com to find this official wiki.

Any other suggestions?

--
Douglas E. Engert <DEE...@an...>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444

From: Markus K. <ko...@rr...> - 2013-08-28 15:38:06
On 08/28/2013 03:50 PM, Douglas E. Engert wrote:
> There are a number of messages like trying to read certificate 0
> Cannot open the AT_SIGNATURE key for reader: SCM Microsystems Inc.
> Cannot open the AT_KEYEXCHANGE key for reader: SCM Microsystems Inc.
> Cannot open the key for reader: SCM Microsystems Inc. SCR35xx USB
>
> This would lead me to believe the minidriver is not being called
> by the Microsoft code. This may be caused by the card changing the ATR
> (cold vs hot ATRs)

Smartcard-HSM cards do not have cold/hot ATR, they are single ATR.
I got these cards myself and they work fine for me on windows 7/x86_64 using the provided registry entries (Wow64 ..) and installing opensc 32 and 64 bit.

Kind regards
Markus

From: Douglas E. E. <dee...@an...> - 2013-08-28 13:50:47
On 8/28/2013 2:03 AM, Markus Kötter wrote:
> On 08/27/2013 11:08 PM, Anthony Foiani wrote:
>> 0: SCM Microsystems Inc. SCR35xx USB Smart Card Reader 0
>> --- Reader: SCM Microsystems Inc. SCR35xx USB Smart Card Reader 0
>> --- Status: SCARD_STATE_PRESENT | SCARD_STATE_UNPOWERED
>> --- Status: The card is available for use.
>> --- Card: SmartCard-HSM
>
> I guess certmgr.msc will show you the content of the card in the cert store.
> In case I'm right, 'it works' as far as Windows/OpenSC is concerned.

The above was only part of the output of certutil -scinfo -v

There are a number of messages like trying to read certificate 0
Cannot open the AT_SIGNATURE key for reader: SCM Microsystems Inc.
Cannot open the AT_KEYEXCHANGE key for reader: SCM Microsystems Inc.
Cannot open the key for reader: SCM Microsystems Inc. SCR35xx USB

This would lead me to believe the minidriver is not being called by the Microsoft code. This may be caused by the card changing the ATR (cold vs hot ATRs)

Since Anthony was able to use opensc tools that don't use the minidriver, I am assuming that there are certificates and keys on the card.

I am not sure where the string SmartCard-HSM came from. It may be the registry changes added to get it to find the cold ATR.

>
> The windows notification "no driver was installed" when inserting the
> card can be ignored or worked around, but does not affect functionality.
>
>
> Kind regards
> Markus

--
Douglas E. Engert <DEE...@an...>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444

From: evalues e. <eva...@gm...> - 2013-08-28 09:58:50
Hi all,

I'm trying to compile OpenSC in Windows7 64 Bits. I've followed the steps in:

https://www.opensc-project.org/opensc/wiki/WindowsInstaller

https://www.opensc-project.org/opensc/wiki/NightlyBuilds

However, when I execute ./bootstrap in MSYS I've the next error:
"
configure.ac:72: error: possibly undefined macro: AC_DEFINE
If this token and others are legitimate, please use m4_pattern_allow.
See the Autoconf documentation.
configure.ac:197: error: possibly undefined macro: AC_MSG_ERROR
configure.ac:281: error: possibly undefined macro: AC_CHECK_LIB
"
The autoconf version is 2.68.

If I use the Windows console with bash.exe -c ./bootstrap the result is: console blocked.

What should I do to make it work?

Thanks.

From: Markus K. <ko...@rr...> - 2013-08-28 07:03:56
On 08/27/2013 11:08 PM, Anthony Foiani wrote:
> 0: SCM Microsystems Inc. SCR35xx USB Smart Card Reader 0
> --- Reader: SCM Microsystems Inc. SCR35xx USB Smart Card Reader 0
> --- Status: SCARD_STATE_PRESENT | SCARD_STATE_UNPOWERED
> --- Status: The card is available for use.
> --- Card: SmartCard-HSM

I guess certmgr.msc will show you the content of the card in the cert store.
In case I'm right, 'it works' as far as Windows/OpenSC is concerned.

The windows notification "no driver was installed" when inserting the card can be ignored or worked around, but does not affect functionality.

Kind regards
Markus

From: NdK <ndk...@gm...> - 2013-08-28 07:03:54
On 28/08/2013 08:09, Andreas Jellinghaus wrote:
> Sure, a smart card can do more, and for having a card that is powered
> only when in a reader / next to the reader, an integrated system of
> storage and crypto functions is nicer. But for security in the device
> environment: why isn't the HSM like mechanism superior? it seems easier
> to implement to me, and is far more flexible - no fuzzing around with
> PKCS#15 structures, storing the credentials on the host is far easier.

I agree with your vision to a great extent. But it's a partial vision (not all systems are constantly on-line).

A smartcard is something you can bring around easily. You can't do the same w/ an HSM. Sure, it lacks some features (like a pinpad and a display), but that depends on the chosen security perimeter and ability to work offline. But extending the security perimeter makes it harder to defend.

Probably (quite for sure...) nowadays the smartcard form factor is "wrong": microsd or USB token have many advantages (first of all: communication speed!) that could open many scenarios...

BYtE,
Diego.

From: Andreas J. <an...@io...> - 2013-08-28 06:10:09
2013/8/27 Anders Rundgren <and...@gm...>
>
> http://nelenkov.blogspot.com/2013/08/credential-storage-enhancements-android-43.html
>
> Unlike the situation for discrete smart card there's no middleware to
> install; it is provided by the OS vendor.
>
> Unless the smart card industry manage getting the same support they will
> sooner or later face severe adoption issues except in isolated government
> markets like e-passports.
> This obviously calls for a completely standard PKI card...
>

Wow, you are still a huge believer in the smart card industry. Is there a good reason for that? Smart cards are incompatible !"/%"!"! and they don't work well anywhere, other than in protected environments like closed systems - national eid cards, banking cards, access control cards etc.

I can even understand well why that is: managing a single use card is so much easier than cooperating on a multi use card, with all the management nightmare as a fall out. Thus I believe there is no reason to hope the smart card situation will change, as there is no benefit for any player to change its behaviour.

Still thank you for sharing that article. I find it very interesting to see how the security system moves into the HSM like direction with no integrated storage. I worked with ibm HSM systems, and there you too only have the master encryption key inside the HSM, and all other credentials are stored in encrypted form on the host, and handed in to the HSM on demand for performing some operation.

Sure, a smart card can do more, and for having a card that is powered only when in a reader / next to the reader, an integrated system of storage and crypto functions is nicer. But for security in the device environment: why isn't the HSM like mechanism superior? it seems easier to implement to me, and is far more flexible - no fuzzing around with PKCS#15 structures, storing the credentials on the host is far easier.

Regards, Andreas

From: Douglas E. E. <dee...@an...> - 2013-08-27 21:54:41
On 8/27/2013 4:08 PM, Anthony Foiani wrote:
> Douglas --
>
> On Tue, Aug 27, 2013 at 9:20 AM, Douglas E. Engert <dee...@an...> wrote:
>>
>>
>> On 8/27/2013 12:38 AM, Anthony Foiani wrote:
>>> Greetings.
>>>
>>> I'm trying to chase down an interop bug with some utilities provided
>>> by a group I'm doing work for.
>>>
>>> I've installed the latest nightly build of opensc on a
>>> fully-up-to-date install of Windows 7 64-bit, and all the
>>> opensc-provided command-line tools work fine: I can init the card with
>>> sc-hsm-init, dump items with pkcs15-tool, etc.
>>>
>>
>> Can you use the Microsoft command line utility:
>> certutil -scinfo -v
>> to read the smartcard, and verify the key.
>
> It sees the reader and the ATR matches the values given in the .reg
> files I've tried. It then gives me 3-4 dialog boxes asking me to
> insert a smart card, with the details being "A smart card was detected
> but is not the one required for the current operation. The smart card
> you are using may be missing required driver software or a required
> certificate."
>
> Here's the output from certutil:
>
> C:\Windows\System32>certutil -scinfo -v
> The Microsoft Smart Card Resource Manager is running.
> Current reader/card status:
> Readers: 1
> 0: SCM Microsystems Inc. SCR35xx USB Smart Card Reader 0
> --- Reader: SCM Microsystems Inc. SCR35xx USB Smart Card Reader 0
> --- Status: SCARD_STATE_PRESENT | SCARD_STATE_UNPOWERED
> --- Status: The card is available for use.
> --- Card: SmartCard-HSM
> --- ATR:
> 3b fe 18 00 00 81 31 fe 45 80 31 81 54 48 53 4d ;.....1.E.1.THSM
> 31 73 80 21 40 81 07 fa 1s.!@...
>

There are some cards that change their ATR after they are plugged in.
See:
https://www.opensc-project.org/opensc/wiki/MiniDriver
and the Caveats about warm and cold ATRs and
http://support.microsoft.com/kb/981665

The OpenSC tools using the Open SC code may only be checking parts of the ATR.
The Microsoft code using the base CSP uses the registry to match ATRs.

Since you only have one card for now, you could play with the ATR and the ATRmask that you added to the registry to cover all the possibilities, and hopefully it will find your card.

>
> =======================================================
> Analyzing card in reader: SCM Microsystems Inc. SCR35xx USB Smart Card Reader 0
>
> --------------===========================--------------
> ================ Certificate 0 ================
> --- Reader: SCM Microsystems Inc. SCR35xx USB Smart Card Reader 0
> --- Card: SmartCard-HSM
> Provider = Microsoft Base Smart Card Crypto Provider
> Key Container = (null) [Default Container]
>
> Cannot open the AT_SIGNATURE key for reader: SCM Microsystems Inc.
> SCR35xx USB Smart Card Reader 0
> Cannot open the AT_KEYEXCHANGE key for reader: SCM Microsystems Inc.
> SCR35xx USB Smart Card Reader 0
>
> --------------===========================--------------
> ================ Certificate 0 ================
> --- Reader: SCM Microsystems Inc. SCR35xx USB Smart Card Reader 0
> --- Card: SmartCard-HSM
> Provider = Microsoft Smart Card Key Storage Provider
> Key Container = (null) [Default Container]
>
> Cannot open the key for reader: SCM Microsystems Inc. SCR35xx USB
> Smart Card Reader 0
>
> --------------===========================--------------
>
> Done.
> CertUtil: -SCInfo command completed successfully.
>
>> Do these utilities use PKCS#11 or the Microsoft CSP interface to the
>> OpenSC minidriver?
>
> I don't know -- I'll have to get clarification from their author.
>
> As I mentioned in the first post, though, all the opensc command-line
> tools seem to work. From what little I know about windows, I'm
> assuming somehow the right driver isn't getting found -- but I have no
> idea how to pursue that. :(
>
> Thanks for your help, regardless.
>
> Best regards,
> Anthony Foiani
>

--
Douglas E. Engert <DEE...@an...>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444

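The ATR and ATRMask registry values mentioned in the message above can be worked out offline before editing the registry. This is an added example, not part of the thread or of OpenSC: it parses the certutil ATR dump quoted above and applies the comparison rule documented for `SCardIntroduceCardType` (a card matches when its ATR ANDed with the mask equals the stored ATR). The second ATR and all function names are constructed for illustration.

```python
import re

# ATR dump as certutil printed it in the thread (hex column, then ASCII column).
CERTUTIL_ATR_DUMP = """
3b fe 18 00 00 81 31 fe 45 80 31 81 54 48 53 4d ;.....1.E.1.THSM
31 73 80 21 40 81 07 fa 1s.!@...
"""

_HEX_BYTE = re.compile(r"[0-9a-fA-F]{2}")


def parse_hex_dump(text: str) -> bytes:
    """Collect the hex column of the dump and ignore the ASCII column."""
    out = bytearray()
    for line in text.strip().splitlines():
        count = 0
        for token in line.split():
            # At most 16 bytes per row; the first token that is not exactly
            # two hex digits is taken as the start of the ASCII column.
            if count == 16 or not _HEX_BYTE.fullmatch(token):
                break
            out.append(int(token, 16))
            count += 1
    return bytes(out)


def atr_matches(card_atr: bytes, stored_atr: bytes, mask: bytes) -> bool:
    """Match if and only if (card ATR & mask) == stored ATR, byte by byte.

    Assumption: ATRs of a different length than the entry never match,
    since the mask is defined to have the stored ATR's length.
    """
    if not (len(card_atr) == len(stored_atr) == len(mask)):
        return False
    return all((a & m) == s for a, s, m in zip(card_atr, stored_atr, mask))


def entry_can_match(stored_atr: bytes, mask: bytes) -> bool:
    """A stored ATR with bits set where the mask is 0 can never match any card."""
    if len(stored_atr) != len(mask):
        return False
    return all((s & ~m & 0xFF) == 0 for s, m in zip(stored_atr, mask))


def derive_entry(observed_atrs):
    """Return (stored ATR, mask) that matches every observed ATR.

    Mask bits stay 1 only where all observed ATRs agree, so the entry is as
    narrow as the observations allow.
    """
    first = observed_atrs[0]
    if any(len(atr) != len(first) for atr in observed_atrs):
        raise ValueError("ATRs of different lengths cannot share one entry")
    mask = bytearray(b"\xff" * len(first))
    for atr in observed_atrs[1:]:
        for i, (x, y) in enumerate(zip(first, atr)):
            mask[i] &= ~(x ^ y) & 0xFF
    stored = bytes(a & m for a, m in zip(first, mask))
    return stored, bytes(mask)


def reg_hex(value: bytes) -> str:
    """Format bytes the way a .reg file writes a REG_BINARY value."""
    return "hex:" + ",".join(f"{b:02x}" for b in value)


COLD_ATR = parse_hex_dump(CERTUTIL_ATR_DUMP)

# Constructed for illustration only: a second ATR that differs in byte 2 and
# in the last byte. It is not an ATR reported for the SmartCard-HSM.
_warm = bytearray(COLD_ATR)
_warm[2] = 0x96
_warm[-1] = 0x74
WARM_ATR = bytes(_warm)

if __name__ == "__main__":
    exact_mask = b"\xff" * len(COLD_ATR)
    print("exact entry, cold:", atr_matches(COLD_ATR, COLD_ATR, exact_mask))
    print("exact entry, warm:", atr_matches(WARM_ATR, COLD_ATR, exact_mask))
    stored, mask = derive_entry([COLD_ATR, WARM_ATR])
    print('"ATR"=' + reg_hex(stored))
    print('"ATRMask"=' + reg_hex(mask))
    # Relaxing only the mask while keeping the full ATR gives a dead entry.
    print("full ATR with relaxed mask usable:", entry_can_match(COLD_ATR, mask))
```

The last check is the easy mistake when adjusting these values by hand: clearing mask bits without also clearing the same bits in the stored ATR produces an entry that no card can match.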
From: Anthony F. <ant...@gm...> - 2013-08-27 21:09:06
Douglas --

On Tue, Aug 27, 2013 at 9:20 AM, Douglas E. Engert <dee...@an...> wrote:
>
>
> On 8/27/2013 12:38 AM, Anthony Foiani wrote:
>> Greetings.
>>
>> I'm trying to chase down an interop bug with some utilities provided
>> by a group I'm doing work for.
>>
>> I've installed the latest nightly build of opensc on a
>> fully-up-to-date install of Windows 7 64-bit, and all the
>> opensc-provided command-line tools work fine: I can init the card with
>> sc-hsm-init, dump items with pkcs15-tool, etc.
>>
>
> Can you use the Microsoft command like utility:
> certutil -scinfo -v
> to read the smartcard, and verify the key.

It sees the reader and the ATR matches the values given in the .reg files I've tried. It then gives me 3-4 dialog boxes asking me to insert a smart card, with the details being "A smart card was detected but is not the one required for the current operation. The smart card you are using may be missing required driver software or a required certificate."

Here's the output from certutil:

C:\Windows\System32>certutil -scinfo -v
The Microsoft Smart Card Resource Manager is running.
Current reader/card status:
Readers: 1
0: SCM Microsystems Inc. SCR35xx USB Smart Card Reader 0
--- Reader: SCM Microsystems Inc. SCR35xx USB Smart Card Reader 0
--- Status: SCARD_STATE_PRESENT | SCARD_STATE_UNPOWERED
--- Status: The card is available for use.
--- Card: SmartCard-HSM
--- ATR:
3b fe 18 00 00 81 31 fe 45 80 31 81 54 48 53 4d ;.....1.E.1.THSM
31 73 80 21 40 81 07 fa 1s.!@...

=======================================================
Analyzing card in reader: SCM Microsystems Inc. SCR35xx USB Smart Card Reader 0

--------------===========================--------------
================ Certificate 0 ================
--- Reader: SCM Microsystems Inc. SCR35xx USB Smart Card Reader 0
--- Card: SmartCard-HSM
Provider = Microsoft Base Smart Card Crypto Provider
Key Container = (null) [Default Container]

Cannot open the AT_SIGNATURE key for reader: SCM Microsystems Inc. SCR35xx USB Smart Card Reader 0
Cannot open the AT_KEYEXCHANGE key for reader: SCM Microsystems Inc. SCR35xx USB Smart Card Reader 0

--------------===========================--------------
================ Certificate 0 ================
--- Reader: SCM Microsystems Inc. SCR35xx USB Smart Card Reader 0
--- Card: SmartCard-HSM
Provider = Microsoft Smart Card Key Storage Provider
Key Container = (null) [Default Container]

Cannot open the key for reader: SCM Microsystems Inc. SCR35xx USB Smart Card Reader 0

--------------===========================--------------

Done.
CertUtil: -SCInfo command completed successfully.

> Do these utilities use PKCS#11 or the Microsoft CSP interface to the
> OpenSC minidriver?

I don't know -- I'll have to get clarification from their author.

As I mentioned in the first post, though, all the opensc command-line tools seem to work. From what little I know about windows, I'm assuming somehow the right driver isn't getting found -- but I have no idea how to pursue that. :(

Thanks for your help, regardless.

Best regards,
Anthony Foiani

From: Douglas E. E. <dee...@an...> - 2013-08-27 15:20:30
|
On 8/27/2013 12:38 AM, Anthony Foiani wrote:
> Greetings.
>
> I'm trying to chase down an interop bug with some utilities provided
> by a group I'm doing work for.
>
> I've installed the latest nightly build of opensc on a
> fully-up-to-date install of Windows 7 64-bit, and all the
> opensc-provided command-line tools work fine: I can init the card with
> sc-hsm-init, dump items with pkcs15-tool, etc.
>

Can you use the Microsoft command line utility:

    certutil -scinfo -v

to read the smartcard, and verify the key.

Or use the IE tools->Internet Options->content->certificate to see the certificates on the card?

> However, their utilities are failing (with something helpful like
> "GENERAL ERROR"), and the smart card itself is not recognized --
> Device Manager shows that it is a smart card, but that there's no
> driver for it. Specifically:
>
> The drivers for this device are not installed. (Code 28)
> There is no driver selected for the device information set or element.

Do these utilities use PKCS#11 or the Microsoft CSP interface to the OpenSC minidriver?

>
> I installed the registry patch on the wiki, adding the Wow6432Node
> variants. Still no luck.
>
> It might be that this is completely unrelated to the actual problem
> I'm working on, but in case it is, I'd like to know how to get this
> card recognized.
>
> Thanks in advance!
>
> Best regards,
> Anthony Foiani
>

--
Douglas E. Engert <DEE...@an...>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444 |
From: Johannes B. <Joh...@hr...> - 2013-08-27 10:45:06
|
On Tuesday, 6 August 2013, Andreas Schwier <and...@ca...> wrote:
> With CardOS you always need to switch to ADMINISTRATIVE mode before you
> can delete or create files:
>
> Try issuing a
>
> 80 10 00 00
>
> before the delete.

That works. Thank you very much!

> And btw: If the card has been personalized using cryptovision's
> scManager, then there is no guarantee that the PKCS15 structure is
> compatible with OpenSC. Reading a CV PKCS15 structure might work with
> OpenSC, but updates to the PKCS15 structure and then reading it again
> with the CV middleware will most likely fail.

Yes. But it seems that after a certificate update you can go on using the card with opensc. I hope there are no more traps...

Regards
Johannes |
From: Anders R. <and...@gm...> - 2013-08-27 06:13:23
|
http://nelenkov.blogspot.com/2013/08/credential-storage-enhancements-android-43.html

Unlike the situation for discrete smart cards there's no middleware to install; it is provided by the OS vendor.

Unless the smart card industry manages to get the same support they will sooner or later face severe adoption issues except in isolated government markets like e-passports.

This obviously calls for a completely standard PKI card...

Anders |
From: Anthony F. <ant...@gm...> - 2013-08-27 05:38:33
|
Greetings.

I'm trying to chase down an interop bug with some utilities provided by a group I'm doing work for.

I've installed the latest nightly build of opensc on a fully-up-to-date install of Windows 7 64-bit, and all the opensc-provided command-line tools work fine: I can init the card with sc-hsm-init, dump items with pkcs15-tool, etc.

However, their utilities are failing (with something helpful like "GENERAL ERROR"), and the smart card itself is not recognized -- Device Manager shows that it is a smart card, but that there's no driver for it. Specifically:

    The drivers for this device are not installed. (Code 28)
    There is no driver selected for the device information set or element.

I installed the registry patch on the wiki, adding the Wow6432Node variants. Still no luck.

It might be that this is completely unrelated to the actual problem I'm working on, but in case it is, I'd like to know how to get this card recognized.

Thanks in advance!

Best regards,
Anthony Foiani |
From: Douglas E. E. <dee...@an...> - 2013-08-26 15:56:08
|
On 8/26/2013 10:38 AM, Charlie Bancroft wrote:
> Ok, I finally tracked down the source of the issue. Markus, you were dead on. Thank you! It turns out that the APDU on the wiki to erase the previous certificate was being rejected by the card when
> I provisioned it. The response was swallowed by my provisioning script and never reported to me. Because I reprovisioned the card without deleting the old cert, the public key was never updated for
> the new private key which caused all of these signing issues to pop up.
>
> My solution was to change the PUT DATA APDU for the 9A key to the following:
> piv-tool -A A:9B:03 -s 00:DB:3F:FF:07:5C:03:5F:C1:05:53:00
>
> It seemed to like the 1 byte NULL instead of the 3 byte. I am not sure if that happens to be a quirk of the card I am using or if that is something that is seen everywhere and the documentation needs
> to be updated.

NIST 800-73 does not specify how to delete an object on the card. It only specifies there is a PUT DATA command. Each vendor may have a different way to do it, and each vendor may require different authentication before allowing a PUT DATA command. That is why the piv-tool -A [A|M]:key:ref -s is used to do it.

Some cards I have worked with required

    -s 00:DB:3F:FF:09:5C:03:5F:C1:05:53:00:00:00

Consult the card vendor's documentation as to how to delete an object or replace the contents of an object.

>
> Thanks again for helping out with this Markus and Douglas

--
Douglas E. Engert <DEE...@an...>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444 |
From: Charlie B. <cha...@gm...> - 2013-08-26 15:38:32
|
Ok, I finally tracked down the source of the issue. Markus, you were dead on. Thank you! It turns out that the APDU on the wiki to erase the previous certificate was being rejected by the card when I provisioned it. The response was swallowed by my provisioning script and never reported to me. Because I reprovisioned the card without deleting the old cert, the public key was never updated for the new private key which caused all of these signing issues to pop up.

My solution was to change the PUT DATA APDU for the 9A key to the following:

    piv-tool -A A:9B:03 -s 00:DB:3F:FF:07:5C:03:5F:C1:05:53:00

It seemed to like the 1 byte NULL instead of the 3 byte. I am not sure if that happens to be a quirk of the card I am using or if that is something that is seen everywhere and the documentation needs to be updated.

Thanks again for helping out with this Markus and Douglas |
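A decoder for the two PUT DATA APDUs quoted in the two messages above, together with a status-word check of the kind a provisioning script needs so that a rejected command is reported rather than swallowed. This is an added example, not code from either poster or from OpenSC: the function names are hypothetical, the replies passed to check_status are constructed, and only one-byte tags with short-form lengths are handled.

```python
# PUT DATA command APDUs exactly as quoted in the two messages above.
APDU_1_BYTE = "00:DB:3F:FF:07:5C:03:5F:C1:05:53:00"
APDU_3_BYTE = "00:DB:3F:FF:09:5C:03:5F:C1:05:53:00:00:00"

def read_tlv(buf, pos):
    """Read one TLV with a one-byte tag and a short-form length (< 0x80)."""
    if pos + 2 > len(buf) or buf[pos + 1] >= 0x80:
        raise ValueError("truncated TLV or unsupported long-form length")
    end = pos + 2 + buf[pos + 1]
    if end > len(buf):
        raise ValueError("TLV value runs past the end of the data field")
    return buf[pos], buf[pos + 2:end], end

def decode_put_data(apdu_hex):
    """Split a short PUT DATA APDU into header, tag list (5C) and data (53)."""
    raw = bytes.fromhex(apdu_hex.replace(":", ""))
    if len(raw) < 5 or raw[1] != 0xDB:
        raise ValueError("not a PUT DATA command (INS must be DB)")
    lc, data = raw[4], raw[5:]
    if lc != len(data):
        raise ValueError(f"Lc={lc} but the data field is {len(data)} bytes")
    tag, obj_id, pos = read_tlv(data, 0)
    if tag != 0x5C:
        raise ValueError("expected tag list 5C first")
    tag, value, pos = read_tlv(data, pos)
    if tag != 0x53:
        raise ValueError("expected data tag 53 after the tag list")
    return {"p1p2": raw[2:4].hex().upper(), "object": obj_id.hex().upper(),
            "value_len": len(value), "trailing": data[pos:].hex().upper()}

def check_status(response):
    """Return the response data, or raise unless SW1 SW2 is 90 00."""
    if len(response) < 2:
        raise ValueError("response too short to hold a status word")
    if response[-2:] != b"\x90\x00":
        raise RuntimeError(f"card rejected command, SW={response[-2:].hex().upper()}")
    return response[:-2]

if __name__ == "__main__":
    for name, apdu in (("1-byte", APDU_1_BYTE), ("3-byte", APDU_3_BYTE)):
        print(name, decode_put_data(apdu))
    for reply in ("9000", "6A80"):  # constructed replies, not from a real card
        try:
            check_status(bytes.fromhex(reply))
            print(reply, "accepted")
        except RuntimeError as err:
            print(err)
```

Decoded, both forms address object 5FC105 with an empty 53 value; the 9-byte form carries two further 00 bytes after it.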
From: Douglas E. E. <dee...@an...> - 2013-08-26 15:20:36
|
On 8/23/2013 10:27 AM, Charlie Bancroft wrote:
> Hi,
> I am not sure if this is more of a question for the OpenSC-devel or for the OpenSSL lists but here it goes.
>
> I have been working on integrating PIV cards into our software program architecture and have run into an issue verifying the signatures generated by PIV cards. I have generated the signature using
> openssl through engine_pkcs11 and opensc-pkcs11 and I cannot get it to verify. No matter what I do the output from OpenSSL returns with:
>
> 139868424963728:error:0407006A:rsa routines:RSA_padding_check_PKCS1_type_1:block type is not 01:rsa_pk1.c:100:
> 139868424963728:error:04067072:rsa routines:RSA_EAY_PUBLIC_DECRYPT:padding check failed:rsa_eay.c:721:
>
> The script I am using to sign and verify this is:
>
> #!/bin/bash
> # Usage: $0 <name of file to sign> <private key identifier for engine>
>
> cat >asn1.conf <<EOF
> asn1 = SEQUENCE:digest_info_and_digest
>
> [digest_info_and_digest]
> dinfo = SEQUENCE:digest_info
> digest = FORMAT:HEX,OCT:`openssl dgst -sha1 $1 |cut -f 2 -d ' '`
>
> [digest_info]
> algid = OID:1.3.14.3.2.26
> params = NULL
>
> EOF
>
> openssl << EOT
> engine dynamic -vvvv -pre SO_PATH:/usr/lib/engines/engine_pkcs11.so \
> -pre ID:pkcs11 -pre NO_VCHECK:1 \
> -pre LIST_ADD:1 -pre LOAD \
> -pre MODULE_PATH:/usr/lib/opensc-pkcs11.so
>
> asn1parse -i -genconf asn1.conf -out $1.dgst.asn1
> rsautl -engine pkcs11 -keyform engine -sign -in $1.dgst.asn1 -inkey $2 -out $1.sig.rsa
> rsautl -engine pkcs11 -keyform engine -verify -in $1.sig.rsa -inkey $2 -out $1.dgst.asn1_v
> EOT
>
> Note that this script was created to replicate an issue being seen in our code trying to verify using the EVP_Verify* API calls once the signature was generated and uses the script from
> http://stackoverflow.com/questions/9951559/difference-between-openssl-rsautl-and-dgst as reference material.

The above script was to show how rsautl has issues. Have you tried using the dgst instead, which will create the hash and then sign it? See this example:
http://stackoverflow.com/questions/5140425/openssl-command-line-to-verify-the-signature

Also note that the PIV card has 4 certs and keys. The id=02 to use the 9C key and signature certificate.

Also see the attached test.sig.2.sh script that uses dgst and slot_1-id_02 to identify the cert to use.

If you want to see what is actually sent to and from the card, you can use pcscd debugging:

    pcscd -f -d -a

or add to the opensc.conf something like:

    debug = 7;
    debug_file = /tmp/opensc.debug.txt;

>
> Am I doing something incorrect to generate the signature so that it can't be verified? Or could there be an issue with the signature generation from the card??
> Charles Bancroft
> Software Engineer
> Raytheon BBN Technologies
>

--
Douglas E. Engert <DEE...@an...>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444 |