From: Anders R. <and...@te...> - 2013-08-09 15:34:06

On 2013-08-09 16:42, Andreas Schwier wrote:
> Build-in SEs in a mobile device don't make sense if you can also have a
> centrally managed SE. And mobile phones tend to have good network
> coverage at any point where interactions via NFC happen.

A centrally managed SE is maybe something for Google but not for the Internet in general.
That was essentially the #1 problem with the GP model; only Google had the keys to the kingdom that was baaaaaaaaaaad :-)

> No need to have any local risk processing if you are online anyway.
>
> And with EMV cards you're absolutely right. I don't really understand
> why I need to key-in my credit card number into unsafe webforms, provide
> an additional 3D secure password into a form that pops-up and probably
> screws the transaction underway. I want to put my credit card into the
> cheap reader I use for homebanking already and perform an EMV
> transaction via the net. I don't know what prevents banks from offering
> such a solution (oh sorry of course I know: This would benefit me and
> not my bank).

Agree but the true problem is that the Financial industry and the former tech leader (Microsoft) never got together. It is essentially the same with Governments. The Swedish government has now given up on smart cards and client certificates and is now about to launch a pretty expensive centralized signature service.

Anyway, I believe 3D Secure actually will be reborn!

------

As you probably know the big credit card networks already back in 1999 launched a "Web Payment" scheme called 3D Secure. Nowadays it is known as VbV (Verified by VISA) and SecureCode (MasterCard's variant).

Short description:
- The payment request (from the merchant) is routed (redirected) to the card issuer.
- The issuer performs an extra authentication step for the cardholder which results in a signed card holder authenticity response which gives the merchant assurance that the payer is legitimate.

3D Secure system is mandatory in Scandinavia but has without exception been ignored by US e-tailers. IMO, 3D Secure is probably the most user-hostile payment-system ever.

So why bother? I do because the core concept is cool and could in a revised format become useful. Currently we are stuck with "User ID" (Card Number) and "Password" (CCV) printed in clear (!) on the card and that is neither convenient nor secure.

The following WebCrypto extension proposal
http://webpki.org/papers/PKI/pki-webcrypto.pdf
offers dynamically loaded "Trusted Chrome" which can support both POS-style and 3D Secure-like payments.

thanx,
Anders

> Andreas
>
> On 08/09/2013 11:28 AM, Anders Rundgren wrote:
>> http://www.nfcworld.com/2013/07/30/325212/no-secure-element-in-new-nexus-7/
>>
>> I believe this is because a Security Element based on smart card concepts
>> like GP (GlobalPlatform) doesn't really work on the Internet.
>>
>> There are already hundreds of millions of EMV-cards out there and they
>> never got a connection to the Internet either.
>>
>> Anders

From: Florent D. <fde...@gm...> - 2013-08-09 15:14:15

Sorry, just saw you mentioned the version details in your first mail.

Maybe you could try the new version of rdesktop (1.8.1) which was just released today. Compile it yourself with debugging options.

Still, if it doesn't work for you I still suggest you ask someone on the rdesktop mailing list.

Cheers

2013/8/9 Florent Deybach <fde...@gm...>

> If you can login with the windows mstsc program then you should have a
> more specific look on what you're using on your Linux machine.
>
> What is the output of the pcsc_scan command ? (if you have the package
> pcsc-tools installed)
>
> What version of rdesktop do you use?
> What version of pcsclite do you use?
>
> Again, I don't think you need the PKCS11 drivers on your Linux. You just
> redirect the smartcard through RDP thanks to libpcsclite.
>
> If you compile yourself rdesktop, you want to get a more verbose output by
> compiling it with --with-debug-smartcard to get more info.
>
> But if you go that way, I suggest you use the rdesktop-users mailing list.
>
> 2013/8/9 Steven D Brown <sb...@ca...>
>
>> Admittedly I should have included more details.
>>
>> Through RDesktop the Windows Server 2008 machine can see the card reader
>> and it knows if there is a card inserted or not.
>>
>> When the card is inserted, it says No valid certificates found.
>>
>> If I use a Virtual Box with the card reader redirected into the VM
>> instance
>> of Windows 7 and use mstsc it works as expected.
>>
>> The card reader seems to be fully supported under pcsclite, the card
>> itself
>> seems to be the problem.
>>
>> If I don't need this Gemalto library, how can I get this card supported
>> under OpenSC so I can use it via RDesktop?
>>
>> Steven Brown, Support Consultant
>> ISM Canada An IBM Global Services Company
>> 1 Research Drive, Regina, Saskatchewan, Canada,S4S7H1
>> Mail: sb...@ca...
>> Direct: 1.306.337.5620
>>
>> From: Florent Deybach <fde...@gm...>
>> To: Steven D Brown/CanWest/IBM@IBMCA,
>> Cc: ope...@li...
>> Date: 2013/08/09 02:23 AM
>> Subject: Re: [Opensc-devel] PCSClite + OpenSC + RDesktop + Gemalto
>> IDPrime .NET SmartCard
>>
>> Hello
>>
>> I would like to be able to use my Gemalto IDPrime .NET (
>> http://www.gemalto.com/products/dotnet_card/ ) card to login to a
>> Windows
>> Server from my Linux laptops.
>>
>> What will you use to do that? rdesktop? freerdp?
>>
>> I answer myself: with rdesktop you'll have to use the smartcard
>> redirection.
>>
>> e.g.
>> rdesktop -d AC -k fr -z -a 16 -u login windows_server -r scard
>>
>> I've tested it with with Windows 2008R2 but I was unable to make it work
>> with W2012...
>>
>> In my opinion you don't need the PKCS11 drivers on Linux but windows will
>> need the smartcard drivers.
>>
>> Good luck, keep us updated if you managed to do something

From: Florent D. <fde...@gm...> - 2013-08-09 15:06:10

If you can login with the windows mstsc program then you should have a more specific look on what you're using on your Linux machine.

What is the output of the pcsc_scan command ? (if you have the package pcsc-tools installed)

What version of rdesktop do you use?
What version of pcsclite do you use?

Again, I don't think you need the PKCS11 drivers on your Linux. You just redirect the smartcard through RDP thanks to libpcsclite.

If you compile yourself rdesktop, you want to get a more verbose output by compiling it with --with-debug-smartcard to get more info.

But if you go that way, I suggest you use the rdesktop-users mailing list.

2013/8/9 Steven D Brown <sb...@ca...>

> Admittedly I should have included more details.
>
> Through RDesktop the Windows Server 2008 machine can see the card reader
> and it knows if there is a card inserted or not.
>
> When the card is inserted, it says No valid certificates found.
>
> If I use a Virtual Box with the card reader redirected into the VM instance
> of Windows 7 and use mstsc it works as expected.
>
> The card reader seems to be fully supported under pcsclite, the card itself
> seems to be the problem.
>
> If I don't need this Gemalto library, how can I get this card supported
> under OpenSC so I can use it via RDesktop?
>
> Steven Brown, Support Consultant
> ISM Canada An IBM Global Services Company
> 1 Research Drive, Regina, Saskatchewan, Canada,S4S7H1
> Mail: sb...@ca...
> Direct: 1.306.337.5620
>
> From: Florent Deybach <fde...@gm...>
> To: Steven D Brown/CanWest/IBM@IBMCA,
> Cc: ope...@li...
> Date: 2013/08/09 02:23 AM
> Subject: Re: [Opensc-devel] PCSClite + OpenSC + RDesktop + Gemalto
> IDPrime .NET SmartCard
>
> Hello
>
> I would like to be able to use my Gemalto IDPrime .NET (
> http://www.gemalto.com/products/dotnet_card/ ) card to login to a
> Windows
> Server from my Linux laptops.
>
> What will you use to do that? rdesktop? freerdp?
>
> I answer myself: with rdesktop you'll have to use the smartcard
> redirection.
>
> e.g.
> rdesktop -d AC -k fr -z -a 16 -u login windows_server -r scard
>
> I've tested it with with Windows 2008R2 but I was unable to make it work
> with W2012...
>
> In my opinion you don't need the PKCS11 drivers on Linux but windows will
> need the smartcard drivers.
>
> Good luck, keep us updated if you managed to do something

From: Andreas S. <and...@ca...> - 2013-08-09 14:42:26

Built-in SEs in a mobile device don't make sense if you can also have a centrally managed SE. And mobile phones tend to have good network coverage at any point where interactions via NFC happen.

No need to have any local risk processing if you are online anyway.

And with EMV cards you're absolutely right. I don't really understand why I need to key-in my credit card number into unsafe webforms, provide an additional 3D secure password into a form that pops-up and probably screws the transaction underway. I want to put my credit card into the cheap reader I use for homebanking already and perform an EMV transaction via the net. I don't know what prevents banks from offering such a solution (oh sorry of course I know: This would benefit me and not my bank).

Andreas

On 08/09/2013 11:28 AM, Anders Rundgren wrote:
> http://www.nfcworld.com/2013/07/30/325212/no-secure-element-in-new-nexus-7/
>
> I believe this is because a Security Element based on smart card concepts
> like GP (GlobalPlatform) doesn't really work on the Internet.
>
> There are already hundreds of millions of EMV-cards out there and they
> never got a connection to the Internet either.
>
> Anders

--
    ---------    CardContact Software & System Consulting
   |.##> <##.|   Andreas Schwier
   |#       #|   Schülerweg 38
   |#       #|   32429 Minden, Germany
   |'##> <##'|   Phone +49 571 56149
    ---------    http://www.cardcontact.de
                 http://www.tscons.de http://www.openscdp.org

From: Steven D B. <sb...@ca...> - 2013-08-09 14:32:49

Admittedly I should have included more details.

Through RDesktop the Windows Server 2008 machine can see the card reader and it knows if there is a card inserted or not.

When the card is inserted, it says No valid certificates found.

If I use a Virtual Box with the card reader redirected into the VM instance of Windows 7 and use mstsc it works as expected.

The card reader seems to be fully supported under pcsclite, the card itself seems to be the problem.

If I don't need this Gemalto library, how can I get this card supported under OpenSC so I can use it via RDesktop?

Steven Brown, Support Consultant
ISM Canada An IBM Global Services Company
1 Research Drive, Regina, Saskatchewan, Canada,S4S7H1
Mail: sb...@ca...
Direct: 1.306.337.5620

From: Florent Deybach <fde...@gm...>
To: Steven D Brown/CanWest/IBM@IBMCA,
Cc: ope...@li...
Date: 2013/08/09 02:23 AM
Subject: Re: [Opensc-devel] PCSClite + OpenSC + RDesktop + Gemalto IDPrime .NET SmartCard

Hello

I would like to be able to use my Gemalto IDPrime .NET ( http://www.gemalto.com/products/dotnet_card/ ) card to login to a Windows Server from my Linux laptops.

What will you use to do that? rdesktop? freerdp?

I answer myself: with rdesktop you'll have to use the smartcard redirection.

e.g.
rdesktop -d AC -k fr -z -a 16 -u login windows_server -r scard

I've tested it with with Windows 2008R2 but I was unable to make it work with W2012...

In my opinion you don't need the PKCS11 drivers on Linux but windows will need the smartcard drivers.

Good luck, keep us updated if you managed to do something

From: Anders R. <and...@te...> - 2013-08-09 09:29:00

http://www.nfcworld.com/2013/07/30/325212/no-secure-element-in-new-nexus-7/

I believe this is because a Security Element based on smart card concepts like GP (GlobalPlatform) doesn't really work on the Internet.

There are already hundreds of millions of EMV-cards out there and they never got a connection to the Internet either.

Anders

From: Jean-Michel P. - G. <jm...@go...> - 2013-08-09 09:04:40

On Friday 09 August 2013 at 10:43 +0200, Jean-Michel Pouré - GOOZE wrote:
> I am trying to use the ePass2003 with OpenSC minidriver.

This is issue #160:
https://github.com/OpenSC/OpenSC/issues/160

Kind regards,
--
Jean-Michel Pouré - Gooze - http://www.gooze.eu

From: Jean-Michel P. - G. <jm...@go...> - 2013-08-09 08:44:11

Dear all,

I am trying to use the ePass2003 with OpenSC minidriver.

I would like to understand how to format the REG file:
http://download.gooze.eu/pki/opensc/windows/minidriver/exported-ePass2003.reg

Obviously, this does not work.

Could some of you clarify the formatting rules of this REG file? Where can other REG files be found to understand formatting?

Most users need CSP support in Windows and the only solution is a working registry file. Could we agree on these REG files and store them in GIT?

Kind regards,
--
Jean-Michel Pouré - Gooze - http://www.gooze.eu

From: Florent D. <fde...@gm...> - 2013-08-09 08:23:28

Hello

>> I would like to be able to use my Gemalto IDPrime .NET (
>> http://www.gemalto.com/products/dotnet_card/ ) card to login to a Windows
>> Server from my Linux laptops.
>
> What will you use to do that? rdesktop? freerdp?

I answer myself: with rdesktop you'll have to use the smartcard redirection.

e.g.
rdesktop -d AC -k fr -z -a 16 -u login windows_server -r scard

I've tested it with Windows 2008R2 but I was unable to make it work with W2012...

In my opinion you don't need the PKCS11 drivers on Linux but windows will need the smartcard drivers.

Good luck, keep us updated if you managed to do something

From: Florent D. <fde...@gm...> - 2013-08-09 07:43:22

Hello

> I would like to be able to use my Gemalto IDPrime .NET (
> http://www.gemalto.com/products/dotnet_card/ ) card to login to a Windows
> Server from my Linux laptops.

What will you use to do that? rdesktop? freerdp?

> I was hoping maybe someone here could help me. I have received a ZIP
> file from Gemalto which contains their PKCS11 Library for use with these
> cards.

So I guess you've received the PKCS11 library files for Linux. Compile it under your OS, you'll get a file to use with the opensc-tools (*libgtop11dotnet.so*)

This file is needed to interact with the smartcard to (create keys, store certificates, etc.)

e.g.
pkcs11-tool --module=/usr/lib/libgtop11dotnet.so --keypairgen --key-type rsa:2048 -l --id 001 --label 001

However I doubt you will need this file under Linux.

You'll also need the IDPrime .NET under Windows if you want this latter to recognize your smartcard.

Cheers

From: Steven D B. <sb...@ca...> - 2013-08-08 22:16:27

Hello Folks,

This is my first post here, I did some searches of the mailing list via Google but didn't see anything relevant.

I have the following setup:

RedHat 6.4 / Ubuntu 12.xx laptops
Rdesktop 1.7.1
PCSClite 1.8.5
Gemalto Reader as shown here: http://pcsclite.alioth.debian.org/ccid/supported.html#0x08E60x3437 , although it is a USB model

I would like to be able to use my Gemalto IDPrime .NET ( http://www.gemalto.com/products/dotnet_card/ ) card to login to a Windows Server from my Linux laptops.

I have spent the past week or so speaking to Dr Rousseau about PCSClite and he says that the Windows server is asking for some attributes that PCSC is currently unequipped to handle on these cards.

Because this is a self-motivated project within my department, I am unable to fund a massive research project to sort this out.

I was hoping maybe someone here could help me. I have received a ZIP file from Gemalto which contains their PKCS11 Library for use with these cards.

Would someone here be willing to work with me to make these cards compatible with PCSC / OpenSC / OpenCT / Whatever? Is it possible?

Steven Brown, Support Consultant
ISM Canada An IBM Global Services Company
1 Research Drive, Regina, Saskatchewan, Canada,S4S7H1
Mail: sb...@ca...
Direct: 1.306.337.5620

From: Viktor T. <vik...@gm...> - 2013-08-08 09:56:28

Hi,

now the build of debian (ubuntu) packages is connected to 'nightly builds' part of CI service.

The packages are automatically deployed into the dedicated repository:
http://opensc.fr/

Packages are signed with key:
http://opensc.fr/vik...@gm...y

Kind regards,
Viktor.

From: Andreas S. <and...@ca...> - 2013-08-06 10:33:02

With CardOS you always need to switch to ADMINISTRATIVE mode before you can delete or create files: Try issuing a 80 10 00 00 before the delete.

And btw: If the card has been personalized using cryptovision's scManager, then there is no guarantee that the PKCS15 structure is compatible with OpenSC. Reading a CV PKCS15 structure might work with OpenSC, but updates to the PKCS15 structure and then reading it again with the CV middleware will most likely fail.

Andreas Schwier

On 08/06/2013 11:52 AM, Johannes Becker wrote:
> On Tuesday 06 August 2013, Viktor Tarasov wrote:
>> Strange. I don't sufficiently know this card.
>> Have no this kind of problems with the one that I have -- also CardOS 4.3b.
>>
>> Does it formatted with OpenSC?
>
> No, it's formatted by cryptovision.
> I have a log of cryptovision's scManger replacing the certificate:
> http://www.uni-giessen.de/~g013/opensc/scMan-Import-Cert.txt
>
> There you have the line
> 00000050 APDU: 00 E4 00 00 02 43 02
> which - I presume - deletes the file 4302.
>
> If I try to send this apdu with opensc-explorer, I again get the INS-error:
> $ opensc-explorer
> OpenSC Explorer version 0.13.0
> Using reader with a card: Dell Dell Smart Card Reader Keyboard 00 00
> OpenSC [3F00]> cd 5015
> OpenSC [3F00/5015]> cd 4304
> OpenSC [3F00/5015/4304]> apdu 00 20 00 81 0A 32 33 34 35 36 37 FF FF FF FF
> Sending: 00 20 00 81 0A 32 33 34 35 36 37 FF FF FF FF
> Received (SW1=0x90, SW2=0x00)
> Success!
> OpenSC [3F00/5015/4304]> apdu 00 E4 00 00 02 43 02
> Sending: 00 E4 00 00 02 43 02
> Received (SW1=0x6D, SW2=0x00)
> Failure: Unsupported INS byte in APDU
>
>> Question aside,
>> why do you manually erase the certificate file? After that you will need,
>> also manually, update the PKCS#15 CDF data?
>> Would it be better for you to use the pkcs15-init tool? It knows what to do
>> with these data.
>
> There the PIN is not accepted:
>
> $ pkcs15-init --pin 234567 --id 46 --update-certificate Testperson1117-46.pem
> Using reader with a card: Dell Dell Smart Card Reader Keyboard 00 00
> Failed to store data object: PIN code or key incorrect
>
> I suppose this is because the maximal PIN length is 10.
>
> Kind regards
> Johannes

From: Johannes B. <Joh...@hr...> - 2013-08-06 09:53:10

On Tuesday 06 August 2013, Viktor Tarasov wrote:
> Strange. I don't sufficiently know this card.
> Have no this kind of problems with the one that I have -- also CardOS 4.3b.
>
> Does it formatted with OpenSC?

No, it's formatted by cryptovision.
I have a log of cryptovision's scManager replacing the certificate:
http://www.uni-giessen.de/~g013/opensc/scMan-Import-Cert.txt

There you have the line
00000050 APDU: 00 E4 00 00 02 43 02
which - I presume - deletes the file 4302.

If I try to send this apdu with opensc-explorer, I again get the INS-error:
$ opensc-explorer
OpenSC Explorer version 0.13.0
Using reader with a card: Dell Dell Smart Card Reader Keyboard 00 00
OpenSC [3F00]> cd 5015
OpenSC [3F00/5015]> cd 4304
OpenSC [3F00/5015/4304]> apdu 00 20 00 81 0A 32 33 34 35 36 37 FF FF FF FF
Sending: 00 20 00 81 0A 32 33 34 35 36 37 FF FF FF FF
Received (SW1=0x90, SW2=0x00)
Success!
OpenSC [3F00/5015/4304]> apdu 00 E4 00 00 02 43 02
Sending: 00 E4 00 00 02 43 02
Received (SW1=0x6D, SW2=0x00)
Failure: Unsupported INS byte in APDU

> Question aside,
> why do you manually erase the certificate file? After that you will need,
> also manually, update the PKCS#15 CDF data?
> Would it be better for you to use the pkcs15-init tool? It knows what to do
> with these data.

There the PIN is not accepted:

$ pkcs15-init --pin 234567 --id 46 --update-certificate Testperson1117-46.pem
Using reader with a card: Dell Dell Smart Card Reader Keyboard 00 00
Failed to store data object: PIN code or key incorrect

I suppose this is because the maximal PIN length is 10.

Kind regards
Johannes

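Added example, not part of any poster's message and not OpenSC code: a small Python decoder for the short-form command APDUs and status words quoted in the messages above. The function names are hypothetical, and the label for 80 10 is taken from the thread rather than from a card specification.

```python
"""Decode short-form ISO 7816-4 command APDUs such as those quoted in the thread."""

# (CLA, INS) -> name. 00 20 and 00 E4 are the ISO 7816 VERIFY and DELETE FILE
# instructions; the 80 10 entry is labelled the way the thread describes it.
INS_NAMES = {
    (0x00, 0x20): "VERIFY",
    (0x00, 0xE4): "DELETE FILE",
    (0x80, 0x10): "switch to administrative mode (CardOS, per the thread)",
}

# Status words that appear in the thread.
SW_NAMES = {
    0x9000: "success",
    0x6D00: "INS not supported",
}


def parse_apdu(hex_string):
    """Split a short-form command APDU into header, data field and Le."""
    raw = bytes.fromhex(hex_string)
    if len(raw) < 4:
        raise ValueError("a command APDU has at least CLA INS P1 P2")
    cla, ins, p1, p2 = raw[:4]
    body = raw[4:]
    data, le = b"", None
    if len(body) == 0:
        case = 1                        # header only
    elif len(body) == 1:
        case, le = 2, body[0] or 256    # Le only; 00 means 256
    else:
        lc = body[0]
        if lc == 0:
            raise ValueError("extended-length APDUs are not handled here")
        if len(body) == 1 + lc:
            case, data = 3, body[1:]
        elif len(body) == 2 + lc:
            case, data, le = 4, body[1:1 + lc], body[-1] or 256
        else:
            raise ValueError("Lc=%d does not match the %d bytes that follow"
                             % (lc, len(body) - 1))
    return {
        "case": case, "cla": cla, "ins": ins, "p1": p1, "p2": p2,
        "data": data, "le": le,
        "name": INS_NAMES.get((cla, ins), "unknown"),
    }


def decode_verify(apdu):
    """Interpret a parsed VERIFY: reference qualifier and FF-padded PIN field.

    The PIN value itself is not returned, so the summary is safe to log.
    """
    if apdu["name"] != "VERIFY":
        raise ValueError("not a VERIFY command")
    p2 = apdu["p2"]
    pin = apdu["data"].rstrip(b"\xff")  # trailing FF bytes are padding
    return {
        "specific_reference": bool(p2 & 0x80),  # b8 set: DF-specific reference
        "reference_number": p2 & 0x1F,
        "pin_length": len(pin),
        "padded_length": len(apdu["data"]),
    }


def build_verify(pin, p2, padded_length):
    """Build a VERIFY APDU with the PIN padded with FF to a fixed field length."""
    pin_bytes = pin.encode("ascii")
    if len(pin_bytes) > padded_length:
        raise ValueError("PIN longer than the padded field")
    field = pin_bytes.ljust(padded_length, b"\xff")
    apdu = bytes([0x00, 0x20, 0x00, p2, len(field)]) + field
    return " ".join("%02X" % b for b in apdu)


def describe_sw(sw1, sw2):
    """Name a status word, falling back to its hex value."""
    return SW_NAMES.get((sw1 << 8) | sw2, "SW %02X%02X (not in table)" % (sw1, sw2))


# Command/response pairs copied from the opensc-explorer session in the thread.
THREAD_SESSION = [
    ("00 20 00 81 0A 32 33 34 35 36 37 FF FF FF FF", (0x90, 0x00)),
    ("00 E4 00 00 02 43 02", (0x6D, 0x00)),
]


def summarize(session):
    """Return one 'command -> result' line per exchange."""
    lines = []
    for hex_string, (sw1, sw2) in session:
        apdu = parse_apdu(hex_string)
        lines.append("%s -> %s" % (apdu["name"], describe_sw(sw1, sw2)))
    return lines


if __name__ == "__main__":
    for line in summarize(THREAD_SESSION):
        print(line)
    print(decode_verify(parse_apdu(THREAD_SESSION[0][0])))
```
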
From: Viktor T. <vik...@gm...> - 2013-08-06 08:44:08

Strange. I don't sufficiently know this card.
Have no this kind of problems with the one that I have -- also CardOS 4.3b.

Does it formatted with OpenSC?

Question aside,
why do you manually erase the certificate file? After that you will need, also manually, update the PKCS#15 CDF data?
Would it be better for you to use the pkcs15-init tool? It knows what to do with these data.

On Mon, Aug 5, 2013 at 1:07 PM, Johannes Becker <Joh...@hr...> wrote:

> Hello,
>
> Am Samstag 03 August 2013 schrieb Viktor Tarasov <vik...@gm...>:
>
> > In opensc-explorer I propose you to not use the 'verify' command but
> > direct 'apdu' one.
>
> Thanks, that works!
> I could log in and I could overwrite a certificate.
>
> Now there's a new problem. I cannot delete the certificate from the card
> and therefore I cannot set a new certificate length.
>
> This is what happens:
>
> OpenSC Explorer version 0.13.0
> Using reader with a card: KOBIL KAAN Advanced (E_043208292) 02 00
> OpenSC [3F00]> cd 5015
> OpenSC [3F00/5015]> cd 4304
> OpenSC [3F00/5015/4304]> apdu 00 20 00 81 0A 32 33 34 35 36 37 FF FF FF FF
> Sending: 00 20 00 81 0A 32 33 34 35 36 37 FF FF FF FF
> Received (SW1=0x90, SW2=0x00)
> Success!
> OpenSC [3F00/5015/4304]> rm 4302
> DELETE FILE failed: Unsupported INS byte in APDU
>
> I put the log for this to
> http://www.uni-giessen.de/~g013/opensc/remove-fails.log
>
> @Ludovic:
> Unfortunately I don't know how to debug in sec.c .
>
> Kind regards
> Johannes

From: Alex S. <ml...@os...> - 2013-08-05 13:42:14

On 08/04/2013 09:50 PM, Viktor Tarasov wrote:
> Once more
> I invite your to (re)read the comments of this pull request
> and find there the proposal of how to 'do it properly'.
>
> Your current patch proposal is not acceptable for number of reasons,
> one of them is that there is a possibility to 'do it properly'.
>
> 'Do it properly' and create a new pull request.

Ok, thanks for the explanation, will try to do this.

From: Johannes B. <Joh...@hr...> - 2013-08-05 11:08:30

Hello,

On Saturday 03 August 2013, Viktor Tarasov <vik...@gm...> wrote:

> In opensc-explorer I propose you to not use the 'verify' command but direct 'apdu' one.

Thanks, that works!
I could log in and I could overwrite a certificate.

Now there's a new problem. I cannot delete the certificate from the card and therefore I cannot set a new certificate length.

This is what happens:

OpenSC Explorer version 0.13.0
Using reader with a card: KOBIL KAAN Advanced (E_043208292) 02 00
OpenSC [3F00]> cd 5015
OpenSC [3F00/5015]> cd 4304
OpenSC [3F00/5015/4304]> apdu 00 20 00 81 0A 32 33 34 35 36 37 FF FF FF FF
Sending: 00 20 00 81 0A 32 33 34 35 36 37 FF FF FF FF
Received (SW1=0x90, SW2=0x00)
Success!
OpenSC [3F00/5015/4304]> rm 4302
DELETE FILE failed: Unsupported INS byte in APDU

I put the log for this to
http://www.uni-giessen.de/~g013/opensc/remove-fails.log

@Ludovic:
Unfortunately I don't know how to debug in sec.c .

Kind regards
Johannes

From: Frank M. <mo...@in...> - 2013-08-05 09:26:31

Never mind, I just saw those changes integrated. Sorry for the noise.

On Monday, August 05 at 11:15AM, frankmorgner wrote:
> Hi, Viktor!
>
> Thanks for your work!
>
> I think you forgot
> https://github.com/frankmorgner/OpenSC/commit/d6a2bf953ae805b352c2743c1ad4047fc29d749d
> which removes an error in sc-hsm-tool
>
> Also I'd like to mention that apdu->data should be const again, which
> removes a ton of warnings...
> https://github.com/frankmorgner/OpenSC/commit/284c53b3837d845da2aa2498255a732d0be9d263
>
> On Saturday, August 03 at 10:26AM, viktorTarasov wrote:
> > Closed #165.
> >
> > ---
> > Reply to this email directly or view it on GitHub:
> > https://github.com/OpenSC/OpenSC/pull/165
>
> Greets, Frank.

--
Frank Morgner

Virtual Smart Card Architecture http://vsmartcard.sourceforge.net
OpenPACE http://openpace.sourceforge.net
IFD Handler for libnfc Devices http://sourceforge.net/projects/ifdnfc

From: frankmorgner <mo...@in...> - 2013-08-05 09:16:05

Hi, Viktor!

Thanks for your work!

I think you forgot
https://github.com/frankmorgner/OpenSC/commit/d6a2bf953ae805b352c2743c1ad4047fc29d749d
which removes an error in sc-hsm-tool

Also I'd like to mention that apdu->data should be const again, which removes a ton of warnings...
https://github.com/frankmorgner/OpenSC/commit/284c53b3837d845da2aa2498255a732d0be9d263

On Saturday, August 03 at 10:26AM, viktorTarasov wrote:
> Closed #165.
>
> ---
> Reply to this email directly or view it on GitHub:
> https://github.com/OpenSC/OpenSC/pull/165

Greets, Frank.

From: Viktor T. <vik...@gm...> - 2013-08-04 19:50:27

On 04/08/2013 18:54, Alex Samorukov wrote:
> Hi,
>
> As OpenSC user it is unclear for me why bug 173 was closed without any
> resolution. From my personal point of view proposed patch was not able
> to cause any issues for OpenSC users. I am agree that problem is
> probably with standard compliance, but i don`t understand why OpenSC
> should drop support of popular hardware because of this reason. E.g.
> ACPI code in the Linux kernel supports many exceptions or buggy
> chipsets. I don`t see any benefits that users with similar problems will
> use third-party patches instead. It would be great if other developers
> can take a look on this issue.
>
> If my patch is done in a wrong way - please recommend how to do it
> properly, but i think that closing real issue (even if it is caused by
> wrong windows official driver) is not a good approach.

Once more
I invite you to (re)read the comments of this pull request
and find there the proposal of how to 'do it properly'.

Your current patch proposal is not acceptable for a number of reasons,
one of them is that there is a possibility to 'do it properly'.

'Do it properly' and create a new pull request.

Best wishes,
Viktor.

From: Ludovic R. <lud...@gm...> - 2013-08-04 17:08:07

2013/8/4 Alex Samorukov <ml...@os...>:
> Hi,

Hello,

> As OpenSC user it is unclear for me why bug 173 was closed without any
> resolution. From my personal point of view proposed patch was not able
> to cause any issues for OpenSC users. I am agree that problem is
> probably with standard compliance, but i don`t understand why OpenSC
> should drop support of popular hardware because of this reason. E.g.
> ACPI code in the Linux kernel supports many exceptions or buggy
> chipsets. I don`t see any benefits that users with similar problems will
> use third-party patches instead. It would be great if other developers
> can take a look on this issue.
>
> If my patch is done in a wrong way - please recommend how to do it
> properly, but i think that closing real issue (even if it is caused by
> wrong windows official driver) is not a good approach.

Viktor tried to explain why your code is not accepted.

You are patching a core function src/pkcs11/framework-pkcs15.c to fix a bug for a non standard card. The correct way to add specific code is to use/create a card-* and/or pkcs15-* file.

Bye

--
Dr. Ludovic Rousseau

From: Alex S. <ml...@os...> - 2013-08-04 16:54:20
|
Hi,

As an OpenSC user it is unclear to me why bug 173 was closed without any resolution. From my personal point of view the proposed patch was not able to cause any issues for OpenSC users. I agree that the problem is probably with standard compliance, but I don't understand why OpenSC should drop support of popular hardware because of this reason. E.g. ACPI code in the Linux kernel supports many exceptions or buggy chipsets. I don't see any benefit if users with similar problems use third-party patches instead. It would be great if other developers could take a look at this issue.

If my patch is done in a wrong way, please recommend how to do it properly, but I think that closing a real issue (even if it is caused by a wrong official Windows driver) is not a good approach. |
From: Alex S. <ml...@os...> - 2013-08-03 20:33:04
|
On 08/03/2013 10:47 AM, Jean-Michel Pouré - GOOZE wrote:
> On Tuesday 23 July 2013 at 11:31 +0200, Alex Samorukov wrote:
>> Done, in https://github.com/OpenSC/OpenSC/pull/174/files. I tested this
>> patch and it works for me. I don't think that we need to add all keys
>> like before because it does look to be good. This workaround addresses
>> only this specific issue.
> Thanks for this patch.
> I will try and report.

Thank you. Please also see the notes in [1]; it would be great to get it resolved somehow. Now I have reformatted the card using OpenSC, but at least the website claims r/o compatibility with the Windows tool, so it would be great to have it in a recent version.

[1] https://github.com/OpenSC/OpenSC/issues/173 |
From: Viktor T. <vik...@gm...> - 2013-08-03 20:14:08
|
Hi,

On 30/07/2013 12:45, evalues evalues wrote:
> I'm trying to compile the opensc-minidriver, for this I've linked
> opensc.dll. However I've had some problems with internal functions as
> _sc_match_atr_block. Has opensc.dll some equivalent function? Is there a
> document with this information? Somehow I can link these functions?

I'm afraid that I do not understand your question.

_sc_match_atr_block is defined in opensc.dll (opensc_a.lib) and currently, as it is built by the CI service, the minidriver dll is linked with the static opensc_a.lib.

You can see the logs of the MSI build in, for example, https://opensc.fr/jenkins/view/OpenSC-master/job/OpenSC-master-Win32/100/console

>
> Thanks for all. |
From: Viktor T. <vik...@gm...> - 2013-08-03 19:28:08
|
Hello,

On 26/07/2013 14:17, Johannes Becker wrote:
>
> > finally I found time to produce log files for the following problem:
> >
> > chipcard CardOS V4.3B
> > OpenSC 0.13.0
> >
> > opensc-explorer fails to verify the PIN:
> >
> > $ opensc-explorer
> > OpenSC Explorer version 0.13.0
> > Using reader with a card: Dell Dell Smart Card Reader Keyboard 00 00
> > OpenSC [3F00]> cd 5015
> > OpenSC [3F00/5015]> verify CHV129 32:33:34:35:36:37:FF:FF:FF:FF
> > Unable to verify PIN code: Invalid arguments
> > OpenSC [3F00/5015]> verify CHV129 32:33:34:35:36:37:FF:FF
> > Incorrect code.
> > OpenSC [3F00/5015]> exit
> >
> > On the other hand pkcs15-tool has no problems with the command
> > pkcs15-tool --change-pin --pin 234567 --new-pin 234567
> >
> > The log files are
> > http://www.uni-giessen.de/~g013/opensc/opensc-explorer.log
> > http://www.uni-giessen.de/~g013/opensc/pkcs15-tool.log
> >
> > Below the output of pkcs15-tool --dump
>

As it is currently implemented, in opensc-explorer you cannot use the 'verify' command to verify a CardOS PIN with a length other than 8 bytes. At the low (card driver) level, when there is no info about the PIN max/min, the padding length is set to 8. The card itself does not support (afaik) the 'get-pin-info' facility, and the only way to get this info is the PKCS#15 data. That's why it works when the PIN is verified in the PKCS#15 context.

'Opensc-explorer' is a low-level tool, and it does not parse the on-card PKCS#15 data.

In opensc-explorer I suggest you not use the 'verify' command but the direct 'apdu' one, so that you bypass the formatting of the PIN data by the cardos driver.

vtarasov@sequoia:~/projects/sc/github/viktorTarasov-OpenSC$ ./build/bin/opensc-explorer
OpenSC Explorer version 0.13.0
Using reader with a card: OmniKey CardMan 3121 01 00
OpenSC [3F00]> cd 5015
OpenSC [3F00/5015]> apdu 00 20 00 83 0A 39 39 39 39 00 00 00 00 00 00
Sending: 00 20 00 83 0A 39 39 39 39 00 00 00 00 00 00
Received (SW1=0x90, SW2=0x00)
Success!
OpenSC [3F00/5015]>

> > Regards
> > Johannes
>

Kind wishes,
Viktor.

>
> >
> >
> > pkcs15-tool --dump
> > Using reader with a card: Dell Dell Smart Card Reader Keyboard 00 00
> > PKCS#15 Card [Test Card]:
> > Version : 0
> > Serial number : 7BFF203BF6052E35
> > Manufacturer ID: cv cryptovision gmbh (c) v1.0n
> > Flags : Login required, PRN generation, EID compliant
> >
> > PIN [User Pin]
> > Object Flags : [0x3], private, modifiable
> > Auth ID : 02
> > ID : 01
> > Flags : [0x133], case-sensitive, local, initialized, needs-padding, disable_allowed
> > Length : min_len:4, max_len:10, stored_len:10
> > Pad char : 0xFF
> > Reference : 129 (0x81)
> > Type : ascii-numeric
> > Path : 3f005015
> >
> > PIN [SO Pin]
> > Object Flags : [0x3], private, modifiable
> > ID : 02
> > Flags : [0x1BB], case-sensitive, local, unblock-disabled, initialized, needs-padding, soPin, disable_allowed
> > Length : min_len:4, max_len:10, stored_len:10
> > Pad char : 0xFF
> > Reference : 130 (0x82)
> > Type : ascii-numeric
> > Path : 3f005015
> >
> > AuthKey [Challenge Response Key]
> > Object Flags : [0x3], private, modifiable
> > ID : 02
> > Derived : 1
> > SecretKeyID : 01
> >
> > Private RSA Key [JLUSIGNCERT]
> > Object Flags : [0x3], private, modifiable
> > Usage : [0x6], decrypt, sign
> > Access Flags : [0x9], sensitive, neverExtract
> > ModLength : 2048
> > Key ref : 1 (0x1)
> > Native : yes
> > Path : 3f00501550724b21
> > Auth ID : 01
> > ID : 45
> > GUID : {6c9dc6ad-b7fa-c10c-0ff7-c385ad72d3f0}
> >
> > Private RSA Key [JLUAUTHCERT]
> > Object Flags : [0x3], private, modifiable
> > Usage : [0x6], decrypt, sign
> > Access Flags : [0x9], sensitive, neverExtract
> > ModLength : 2048
> > Key ref : 1 (0x1)
> > Native : yes
> > Path : 3f00501550724b22
> > Auth ID : 01
> > ID : 46
> > GUID : {d9fe0a11-3ec7-eda5-ac52-9a721aff8e70}
> >
> > Public RSA Key [JLUSIGNCERT]
> > Object Flags : [0x2], modifiable
> > Usage : [0x41], encrypt, verify
> > Access Flags : [0x0]
> > ModLength : 2048
> > Key ref : 1 (0x1)
> > Native : no
> > Path : 3f00501550754b21
> > ID : 45
> > DirectValue : <absent>
> >
> > Public RSA Key [JLUAUTHCERT]
> > Object Flags : [0x2], modifiable
> > Usage : [0x41], encrypt, verify
> > Access Flags : [0x0]
> > ModLength : 2048
> > Key ref : 1 (0x1)
> > Native : no
> > Path : 3f00501550754b22
> > ID : 46
> > DirectValue : <absent>
> >
> > X.509 Certificate [JLUSIGNCERT]
> > Object Flags : [0x2], modifiable
> > Authority : no
> > Path : 3f00501543044301
> > ID : 45
> > GUID : {6c9dc6ad-b7fa-c10c-0ff7-c385ad72d3f0}
> > Encoded serial : 02 07 1599ED6129A5C1
> > X.509 Certificate [JLUAUTHCERT]
> > Object Flags : [0x2], modifiable
> > Authority : no
> > Path : 3f00501543044302
> > ID : 46
> > GUID : {d9fe0a11-3ec7-eda5-ac52-9a721aff8e70}
> > Encoded serial : 02 07 1599ED65D8554B
> > X.509 Certificate [Deutsche Telekom Root CA 2]
> > Object Flags : [0x2], modifiable
> > Authority : no
> > Path : 3f00501543044303
> > ID : 50
> > GUID : {6f74f832-4ebb-257d-0ae1-97ad6b19b2ae}
> > Encoded serial : 02 01 26
> > X.509 Certificate [DFN-Verein PCA Global - G01]
> > Object Flags : [0x2], modifiable
> > Authority : no
> > Path : 3f00501543044304
> > ID : 50
> > GUID : {6f74f832-4ebb-257d-0ae1-97ad6b19b2ae}
> > Encoded serial : 02 02 00C7
> > X.509 Certificate [JLUCACERT]
> > Object Flags : [0x2], modifiable
> > Authority : no
> > Path : 3f00501543044305
> > ID : 50
> > GUID : {6f74f832-4ebb-257d-0ae1-97ad6b19b2ae}
> > Encoded serial : 02 04 109C4834
> > Data object 'cardid'
> > applicationName: cvmd
> > Path: 3f0050156377
> > Data (16 bytes): 36ED3BC2D4AF7D41A4632F4026C27D6F
> > Data object 'cardcf'
> > applicationName: cvmd
> > Path: 3f0050156378
> > Data (6 bytes): 010109000A00
> > Data object 'cardapps'
> > applicationName: cvmd
> > Path: 3f00501544444401
> > Data (8 bytes): 6D73637000000000
> > Data object 'mscp\'
> > applicationName: cvmd
> > Path: 3f00501544444402
> > Data (0 bytes):
> > Data object 'mscp\cmapfile'
> > applicationName: cvmd
> > Path: 3f00501544444403
> > Data (0 bytes):
> > Data object 'CARDVERSION'
> > applicationName:
> > Path: 3f00501544444404
> > Data (3 bytes): 322E30 |
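The padding difference described in the message above, as an added example that is not part of the original thread and is not OpenSC code: a VERIFY APDU built from the PKCS#15 PIN attributes, with the PIN padded to stored_len using the pad char. The struct and function names are hypothetical; the attribute values are the ones shown in the quoted dump and in the quoted `apdu` command.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* PIN attributes as listed by `pkcs15-tool --dump`
 * (hypothetical struct for this example, not an OpenSC type). */
struct pin_info {
    unsigned char reference;  /* "Reference", sent as P2 */
    size_t min_len;           /* "min_len" */
    size_t stored_len;        /* "stored_len": padded length sent to the card */
    unsigned char pad_char;   /* "Pad char" */
};

/* Build an ISO 7816-4 VERIFY APDU (CLA=00 INS=20 P1=00 P2=reference) whose
 * data field is the PIN padded to stored_len. Returns the APDU length, or
 * -1 if the PIN does not fit the attributes or the output buffer. */
int build_verify_apdu(const struct pin_info *pi, const char *pin,
                      unsigned char *out, size_t out_size)
{
    size_t n = strlen(pin);

    if (pi->stored_len == 0 || pi->stored_len > 255)
        return -1;                          /* short APDU: Lc is one byte */
    if (n < pi->min_len || n > pi->stored_len)
        return -1;                          /* PIN outside the allowed range */
    if (out_size < 5 + pi->stored_len)
        return -1;
    out[0] = 0x00;                          /* CLA */
    out[1] = 0x20;                          /* INS: VERIFY */
    out[2] = 0x00;                          /* P1 */
    out[3] = pi->reference;                 /* P2: PIN reference */
    out[4] = (unsigned char)pi->stored_len; /* Lc: padded length, not strlen */
    memcpy(out + 5, pin, n);
    memset(out + 5 + n, pi->pad_char, pi->stored_len - n);
    return (int)(5 + pi->stored_len);
}

int main(void)
{
    /* User PIN from the dump: reference 0x81, min 4, stored 10, pad 0xFF. */
    struct pin_info user = { 0x81, 4, 10, 0xFF };
    unsigned char apdu[5 + 255];
    int len = build_verify_apdu(&user, "234567", apdu, sizeof apdu);

    for (int i = 0; i < len; i++)
        printf("%02X ", apdu[i]);
    printf("\n");
    return len > 0 ? 0 : 1;
}
```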