From: Alex S. <ml...@os...> - 2013-07-22 17:49:21

On 07/22/2013 04:44 PM, Anders Rundgren wrote:
> On 2013-07-20 12:03, Alex Samorukov wrote:
>> Hi,
>>
>> After upgrading to OpenSC 0.13 I found that pkcs11 auth in FF is not
>> working anymore. I was able to find and fix the reason, could someone
>> from developers please take a look on this?
>>
>> https://github.com/OpenSC/OpenSC/issues/173
> We should be happy that for example the disk industry didn't adopt the concept
> that "all hard drives are unique and needs unique settings and/or middleware".

Thank you for the reply:

1) Card was formatted using the Windows utility and is working correctly in it.
2) Card was working in 0.12.2 because we were adding _all_ keys, not only matched ones.
3) Card is working well in Windows with native drivers, so it is kind of "designed" behavior.

Now the situation is very simple - there is a regression in the Feitian card support. I completely agree that it does not look right (different length), but it's the way it was working before. Unfortunately we can't compare the situation with hard drives, because with smart cards the situation is very different. I can't reformat this card now (because I am storing a private key in it) but I will ask the seller to provide a dump from the card formatted in OpenSC. Maybe we should add some kind of quirks to the driver definition? It would be great to have this fixed. Without this fix it is not possible to use the card in Java apps or Firefox/Thunderbird.
From: Anders R. <and...@te...> - 2013-07-22 14:45:02

On 2013-07-20 12:03, Alex Samorukov wrote:
> Hi,
>
> After upgrading to OpenSC 0.13 I found that pkcs11 auth in FF is not
> working anymore. I was able to find and fix the reason, could someone
> from developers please take a look on this?
>
> https://github.com/OpenSC/OpenSC/issues/173

We should be happy that for example the disk industry didn't adopt the concept that "all hard drives are unique and needs unique settings and/or middleware".

Anders
From: Douglas E. E. <dee...@an...> - 2013-07-22 14:26:14

On 7/20/2013 5:03 AM, Alex Samorukov wrote:
> Hi,
>
> After upgrading to OpenSC 0.13 I found that pkcs11 auth in FF is not
> working anymore. I was able to find and fix the reason, could someone
> from developers please take a look on this?
>
> https://github.com/OpenSC/OpenSC/issues/173

This sounds more like a problem with your card, or the way your card was initialized. Your fix does not fix the basic problem, of why, when the card was initialized, the two Auth IDs are different.

Have you looked at how your card initialization was done? Can you find where the two authIDs are created? Why are they different lengths?

--
Douglas E. Engert <DEE...@an...>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
From: Alex S. <ml...@os...> - 2013-07-20 10:04:13

Hi,

After upgrading to OpenSC 0.13 I found that pkcs11 auth in FF is not working anymore. I was able to find and fix the reason, could someone from developers please take a look on this?

https://github.com/OpenSC/OpenSC/issues/173
From: Frank M. <mo...@in...> - 2013-07-19 09:53:20

Hi!

In OpenSC's master there are currently a number of bugs for some corner cases that cause memory corruptions, segfaults and so on. The pull requests ([0] [1] [2]) have been hanging for over a month now. (No new features, only bug fixes.) Can one of the admins verify these patches?

[0] https://github.com/OpenSC/OpenSC/pull/165
[1] https://github.com/OpenSC/OpenSC/pull/166
[2] https://github.com/OpenSC/OpenSC/pull/172

--
Frank Morgner
Virtual Smart Card Architecture    http://vsmartcard.sourceforge.net
OpenPACE                           http://openpace.sourceforge.net
IFD Handler for libnfc Devices     http://sourceforge.net/projects/ifdnfc
From: Anthony F. <ant...@gm...> - 2013-07-17 19:46:08

Mat --

On Tue, Jul 16, 2013 at 8:30 AM, Mat Arge <arg...@gm...> wrote:
> Hello!
>
> I am tracking the connection of USB tokens via udev and want to do some
> specific stuff with them (pass them through to certain virtual machines). For
> that, I would like to get some token specifics (like the serial number or the
> PKCS#11 label). So what I need is a connection (preferably with PKCS#11) to
> the just inserted token. The problem is, that at the udev level where I am, I
> only know the USB BUS Id, the vendor ID and such stuff. Is there some way to
> get a PKCS#11 or pc/sc connection to the correct token?

A quick look through the pcsc-lite stuff is discouraging; it seems that a string describing the specific port is indeed stored in the reader context structure, but there doesn't seem to be any existing way to get it out. See line 213 of:

http://anonscm.debian.org/viewvc/pcsclite/trunk/PCSC/src/readerfactory.c?revision=6668&view=markup

For libusb, that "device" value is ultimately generated around line 516 of:

http://anonscm.debian.org/viewvc/pcsclite/trunk/PCSC/src/hotplug_libusb.c?revision=6557&view=markup

But I don't see any place where that value can be accessed. (But I'm certainly not an expert on this; I've just hacked a few things onto the source as I needed them -- see next point.)

The cleanest way might be a vendor-specified attribute, but as the comment at the top of p11_attr.c says: "The number of layers we stack on top of each other here is frightening."

> Or the other way round: Is there some way to find out for an existing
> pcsc/pkcs11 connection which hardware address it is leading to?

It's not exactly what you're looking for, but I did propose a patch to pcscd that restricted it to a particular USB port:

http://opensc.1086184.n5.nabble.com/FYI-PATCH-restrict-pcscd-to-a-single-USB-port-path-td13800.html

Worst case, your udev script could:

1. if it looks like a crypto token ...
2. spawn a pcscd that looks only at that port...
3. then query that specific pcscd to get label etc...
4. kill the pcscd...
5. bind the port to the VM appropriately.

Not pretty, and not fast (pcscd takes a few seconds to come up even on my fast hardware, but maybe I just don't know how to strip out unnecessary bits). But it should work.

Good luck!

Tony
From: Andreas S. (ML) <and...@ca...> - 2013-07-17 19:22:56

For those of you interested in understanding the SmartCard-HSM's key backup and restore mechanism using an n-of-m threshold scheme, we've provided a step-by-step tutorial at [1].

Andreas

[1] https://github.com/OpenSC/OpenSC/wiki/SmartCardHSM#using-key-backup-and-restore

On 07.02.2013 15:29, Andreas Schwier (ML) wrote:
> Hi list,
>
> to satisfy enhanced key management requirements, we've added an n-of-m
> threshold scheme to the sc-hsm-tool.
>
> Using this scheme you can place the SmartCard-HSM's Device Key
> Encryption Key under sole control of m key custodians from which n can
> together reconstruct the secret key.
>
> The scheme provides for even better security than the DKEK share
> mechanism already available in the 0.13 version. Under the new scheme, a
> lost share does not mean a complete loss of the secret key. A lost share
> just reduces the number of available key custodians and has no impact on
> the DKEK unless fewer than n shares are left available.
>
> The code is available in our repository at GITHUB [1] and a pull request
> has been created to move the code into the OpenSC master branch.
>
> Kind regards,
>
> Andreas
>
> [1] https://github.com/CardContact/OpenSC

--
CardContact Software & System Consulting
Andreas Schwier
Schülerweg 38
32429 Minden, Germany
Phone +49 571 56149
http://www.cardcontact.de
http://www.tscons.de
http://www.openscdp.org
From: Alex S. <ml...@os...> - 2013-07-17 16:43:14

On 07/17/2013 06:28 PM, Douglas E. Engert wrote:
>> I am using OpenSC and pkcs11 with firefox to access some websites using
>> my personal certificate and it works pretty well. But also I do have a
>> card with a proprietary pkcs11 driver. It works fine if FireFox is closed,
>> but if it is running it waits forever, probably trying to get exclusive
>> access. This card is not supported by the OpenSC project, so for me it is a
>> little unclear why this happens. It seems that this provider is trying
>> to get some kind of exclusive access to pcscd and failing if it is not
>> possible.
> Do you have both OpenSC PKCS#11 and the vendor's PKCS#11 libs/dlls
> loaded as "Security Devices" in FireFox?
>
> What order?
>
> If both are defined, and the card is inserted, what does the
> FireFox-> options-> Advanced-> Security Devices show for each of
> the loaded PKCS#11 modules?

No, in NSS only OpenSC PKCS11 is connected. The second library is used by proprietary software, without a web browser. I have found that Firefox and OpenSC PKCS11 are using a polling loop to get updates from readers and this probably prevents the second lib from working correctly. Not 100% sure yet, but it's very likely.

>> Is it possible somehow to tell OpenSC to completely ignore this card
>> based on its ATR? Or any other recommendations to prevent this issue,
>> e.g. prevent firefox from auto scan? I am ready to send all the patches
>> if needed.
> An OpenSC trace, by changing the debug= in the opensc.conf would also help.
> It sounds like OpenSC is trying to determine if it can support the card.
> It would help show where OpenSC is failing to get access to the card.
>
> Your suggestion of a list of ATRs to ignore is an excellent idea.
> It could solve your problem, as well as allow NSS to use a vendor's PKCS#11
> even if the card is supported by OpenSC.

Thanks, I hope it will be implemented. I am ready to do any testing if needed. Also it would be great if anyone would fix this polling loop in FF NSS, it seems to be very non-optimal.

I also have another, unrelated issue - in 0.13 NSS is not working with FF, it asks for the password but is not showing any certificates in the list. Now I'm using 0.12.2 and it works very well.
From: Douglas E. E. <dee...@an...> - 2013-07-17 16:28:28

On 7/17/2013 3:27 AM, Alex Samorukov wrote:
> Hi,
>
> I am using OpenSC and pkcs11 with firefox to access some websites using
> my personal certificate and it works pretty well. But also I do have a
> card with a proprietary pkcs11 driver. It works fine if FireFox is closed,
> but if it is running it waits forever, probably trying to get exclusive
> access. This card is not supported by the OpenSC project, so for me it is a
> little unclear why this happens. It seems that this provider is trying
> to get some kind of exclusive access to pcscd and failing if it is not
> possible.

Do you have both OpenSC PKCS#11 and the vendor's PKCS#11 libs/dlls loaded as "Security Devices" in FireFox?

What order?

If both are defined, and the card is inserted, what does the FireFox-> options-> Advanced-> Security Devices show for each of the loaded PKCS#11 modules?

> Is it possible somehow to tell OpenSC to completely ignore this card
> based on its ATR? Or any other recommendations to prevent this issue,
> e.g. prevent firefox from auto scan? I am ready to send all the patches
> if needed.

An OpenSC trace, by changing the debug= in the opensc.conf, would also help. It sounds like OpenSC is trying to determine if it can support the card. It would help show where OpenSC is failing to get access to the card.

Your suggestion of a list of ATRs to ignore is an excellent idea. It could solve your problem, as well as allow NSS to use a vendor's PKCS#11 even if the card is supported by OpenSC.

--
Douglas E. Engert <DEE...@an...>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
From: Douglas E. E. <dee...@an...> - 2013-07-17 16:17:56

On 7/17/2013 3:33 AM, Mat Arge wrote:
> Are you sure you are using opensc with firefox. I am asking, because Firefox
> usually uses NSS to access smartcards.

Yes, Firefox uses NSS. The NSS "Security Devices" are PKCS#11 shared libs or dlls. Thus NSS can load multiple PKCS#11 libs, for different cards.

> cheers
> Mat
>
> On Wednesday 17. July 2013 10:27:06 Alex Samorukov wrote:
>> Hi,
>>
>> I am using OpenSC and pkcs11 with firefox to access some websites using
>> my personal certificate and it works pretty well. But also I do have a
>> card with a proprietary pkcs11 driver. It works fine if FireFox is closed,
>> but if it is running it waits forever, probably trying to get exclusive
>> access. This card is not supported by the OpenSC project, so for me it is a
>> little unclear why this happens. It seems that this provider is trying
>> to get some kind of exclusive access to pcscd and failing if it is not
>> possible.
>>
>> Is it possible somehow to tell OpenSC to completely ignore this card
>> based on its ATR? Or any other recommendations to prevent this issue,
>> e.g. prevent firefox from auto scan? I am ready to send all the patches
>> if needed.

--
Douglas E. Engert <DEE...@an...>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
From: Alex S. <ml...@os...> - 2013-07-17 10:11:28

On 07/17/2013 11:31 AM, Mat Arge wrote:
>> I am using /usr/lib/opensc-pkcs11.so which I added to NSS using FF
>> configuration, so yes, of course I am sure. Problem is that when firefox
>> is running it is preventing another, proprietary PKCS11 driver from accessing the
>> card, and this specific card is not supported by OpenSC anyway, so I
>> have no idea why it is blocked.
> But you said before, that your card is not supported by opensc. Or are you
> talking about two different smartcards?

Yes, I have a lot of cards. Most of them are supported by OpenSC and that's why I need this OpenSC-PKCS11 driver in the browser. But also I do have a card which is not supported by opensc and uses its own PKCS11 library. Problem is that if FF is running I am unable to use this driver. I posted a dump of the failed session (using OpenSC PKCS#11 spy) to http://pastebin.com/8s9ErZJ1 . It starts to work very slowly on C_Initialize and finally dies on C_OpenSession. If FF is closed everything works well. So I assume that for some reason opensc-pkcs11.so with FF is locking this card and I want to fix that.
From: Mat A. <arg...@gm...> - 2013-07-17 09:32:07

On Wednesday 17. July 2013 11:16:39 Alex Samorukov wrote:
> On 07/17/2013 10:33 AM, Mat Arge wrote:
>> Are you sure you are using opensc with firefox. I am asking, because
>> Firefox usually uses NSS to access smartcards.
>>
>> cheers
>> Mat
>
> I am using /usr/lib/opensc-pkcs11.so which I added to NSS using FF
> configuration, so yes, of course I am sure. Problem is that when firefox
> is running it is preventing another, proprietary PKCS11 driver from accessing the
> card, and this specific card is not supported by OpenSC anyway, so I
> have no idea why it is blocked.

But you said before that your card is not supported by opensc. Or are you talking about two different smartcards?
From: Alex S. <ml...@os...> - 2013-07-17 09:16:51

On 07/17/2013 10:33 AM, Mat Arge wrote:
> Are you sure you are using opensc with firefox. I am asking, because Firefox
> usually uses NSS to access smartcards.
>
> cheers
> Mat

I am using /usr/lib/opensc-pkcs11.so which I added to NSS using FF configuration, so yes, of course I am sure. Problem is that when firefox is running it is preventing another, proprietary PKCS11 driver from accessing the card, and this specific card is not supported by OpenSC anyway, so I have no idea why it is blocked.
From: Mat A. <arg...@gm...> - 2013-07-17 08:34:11

Are you sure you are using opensc with firefox? I am asking because Firefox usually uses NSS to access smartcards.

cheers
Mat

On Wednesday 17. July 2013 10:27:06 Alex Samorukov wrote:
> Hi,
>
> I am using OpenSC and pkcs11 with firefox to access some websites using
> my personal certificate and it works pretty well. But also I do have a
> card with a proprietary pkcs11 driver. It works fine if FireFox is closed,
> but if it is running it waits forever, probably trying to get exclusive
> access. This card is not supported by the OpenSC project, so for me it is a
> little unclear why this happens. It seems that this provider is trying
> to get some kind of exclusive access to pcscd and failing if it is not
> possible.
>
> Is it possible somehow to tell OpenSC to completely ignore this card
> based on its ATR? Or any other recommendations to prevent this issue,
> e.g. prevent firefox from auto scan? I am ready to send all the patches
> if needed.
From: Alex S. <ml...@os...> - 2013-07-17 08:27:18

Hi,

I am using OpenSC and pkcs11 with firefox to access some websites using my personal certificate and it works pretty well. But also I do have a card with a proprietary pkcs11 driver. It works fine if FireFox is closed, but if it is running it waits forever, probably trying to get exclusive access. This card is not supported by the OpenSC project, so for me it is a little unclear why this happens. It seems that this provider is trying to get some kind of exclusive access to pcscd and failing if it is not possible.

Is it possible somehow to tell OpenSC to completely ignore this card based on its ATR? Or any other recommendations to prevent this issue, e.g. prevent firefox from auto scan? I am ready to send all the patches if needed.
From: Mat A. <arg...@gm...> - 2013-07-16 14:31:00

Hello!

I am tracking the connection of USB tokens via udev and want to do some specific stuff with them (pass them through to certain virtual machines). For that, I would like to get some token specifics (like the serial number or the PKCS#11 label). So what I need is a connection (preferably with PKCS#11) to the just inserted token. The problem is that at the udev level where I am, I only know the USB bus ID, the vendor ID and such stuff. Is there some way to get a PKCS#11 or pc/sc connection to the correct token?

Or the other way round: Is there some way to find out for an existing pcsc/pkcs11 connection which hardware address it is leading to?

cheers
Mat
From: Hiroshi K. <hi...@du...> - 2013-07-15 09:09:45

Hi, I think that the limitation of SC_PKCS15_MAX_PINS=8 in src/libopensc/pkcs15.h is not enough for Aventra MyEID smart card. According to the wiki (OpenSC/wiki/Aventra-MyEID-PKI-card), MyEID smart card supports up to 14 PINs. But, because of this limitation, "pkcs11-tool -L" command shows only first 7 slots. Please consider to increase SC_PKCS15_MAX_PINS value to at least 14. Thanks, Hiroshi KIHIRA --- src/libopensc/pkcs15.h | 2 +- 1 files changed, 1 insertions(+), 1 deletions(-) diff --git a/src/libopensc/pkcs15.h b/src/libopensc/pkcs15.h index f46a9b7..9ac48f7 100644 --- a/src/libopensc/pkcs15.h +++ b/src/libopensc/pkcs15.h @@ -30,7 +30,7 @@ extern "C" { #define SC_PKCS15_CACHE_DIR ".eid" #define SC_PKCS15_PIN_MAGIC 0x31415926 -#define SC_PKCS15_MAX_PINS 8 +#define SC_PKCS15_MAX_PINS 14 #define SC_PKCS15_MAX_LABEL_SIZE 255 #define SC_PKCS15_MAX_ID_SIZE 255 -- Hiroshi KIHIRA <hi...@du...> |
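Review bot: SC_PKCS15_MAX_PINS sits in the public header src/libopensc/pkcs15.h (inside the `extern "C"` block shown in the hunk), so if any exported structure uses it as an array bound, raising it from 8 to 14 changes that structure's size and is an ABI change for every program linked against libopensc; please say in the commit message whether that is the case and whether a library version bump is needed. The description also says `pkcs11-tool -L` shows only the first 7 slots under a limit of 8, which does not add up on its own; one sentence explaining the off-by-one, or a comment beside `#define SC_PKCS15_MAX_PINS 14` noting it was sized for the MyEID's 14 PINs, would help the next reader understand why 14 is the right number.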
From: Andreas S. <and...@ca...> - 2013-07-06 11:33:30

Hi Evgeny,

we've done a similar thing with a lightweight CT-API/PKCS#11 stack, not specifically for EFI but for embedded devices. We found the full OpenSC stack too heavyweight for a port to a memory-constrained device. The CTCCID part currently talks to libusb for interfacing with a CCID card reader, but that layer can easily be replaced with a different USB API.

The project is hosted at [1].

Andreas

[1] https://github.com/CardContact/sc-hsm-embedded

On 07/06/2013 12:21 PM, Evgeny Yakovlev wrote:
> Hello,
>
> I am interested in porting OpenSC/OpenCT to EFI, however I am very new to
> both projects and haven't yet got accustomed to their architecture and
> sources. What I did manage to figure out is that I will have to
> implement ifd_sysdep_usb_* on the EFI USB stack.
>
> I will greatly appreciate any tips, pointers and possible pitfalls on
> doing the port from more experienced people. Sorry I don't have a
> specific question yet, but I have to start somewhere and I figured any
> information might be helpful.
>
> Thanks.
From: Evgeny Y. <ins...@gm...> - 2013-07-06 10:22:01

Hello,

I am interested in porting OpenSC/OpenCT to EFI, however I am very new to both projects and haven't yet got accustomed to their architecture and sources. What I did manage to figure out is that I will have to implement ifd_sysdep_usb_* on the EFI USB stack.

I will greatly appreciate any tips, pointers and possible pitfalls on doing the port from more experienced people. Sorry I don't have a specific question yet, but I have to start somewhere and I figured any information might be helpful.

Thanks.
From: Alon Bar-L. <alo...@gm...> - 2013-07-05 18:18:52

Hello,

Please send log file with --verb 255.

Thanks,
Alon

On Fri, Jul 5, 2013 at 10:17 AM, Matthias Barmeier <bar...@ba...> wrote:
> Hi,
>
> I have a setup with OpenSC version 0.13.0-0git-2012112910105 supplied as
> debian package from gooze.eu and OpenVPN version 2.2.1-8 on Mint 14 LMDE.
> My OpenVPN tunnel runs perfectly when I use certificate and key as files.
> The tunnel comes up and works as expected.
> I added the certificate and the key to an ePass2003 token.
>
> When I try to use the token with the opensc-pkcs11.so provider I get the
> following log output:
>
> Fri Jul 5 09:07:41 2013 OpenVPN 2.2.1 x86_64-linux-gnu [SSL] [LZO2] [EPOLL] [PKCS11] [eurephia] [MH] [PF_INET6] [IPv6 payload 20110424-2 (2.2RC2)] built on Mar 23 2012
> Fri Jul 5 09:07:41 2013 PKCS#11: Adding PKCS#11 provider '/usr/lib/opensc-pkcs11.so'
> Fri Jul 5 09:07:48 2013 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
> Fri Jul 5 09:07:48 2013 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
> Fri Jul 5 09:07:48 2013 LZO compression initialized
> Fri Jul 5 09:07:48 2013 Control Channel MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
> Fri Jul 5 09:07:48 2013 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
> Fri Jul 5 09:07:48 2013 Local Options hash (VER=V4): '41690919'
> Fri Jul 5 09:07:48 2013 Expected Remote Options hash (VER=V4): '530fdded'
> Fri Jul 5 09:07:48 2013 UDPv4 link local: [undef]
> Fri Jul 5 09:07:48 2013 UDPv4 link remote: [AF_INET]123.231.22.53:1194
> Fri Jul 5 09:07:54 2013 VERIFY OK: depth=2, /C=DE/ST=Berlin/L=Berlin/O=Foobar/OU=Operations/CN=SIKON_CA/emailAddress=Ope...@fo...
> Fri Jul 5 09:07:54 2013 VERIFY OK: depth=1, /C=DE/ST=Berlin/L=Berlin/O=Foobar/OU=Operations/CN=STUFE3/emailAddress=Ope...@fo...
> Fri Jul 5 09:07:54 2013 VERIFY OK: depth=0, /C=DE/ST=Berlin/L=Berlin/O=Foobar/OU=Operations/CN=vpn.foobar.biz
> Enter John Doe (User PIN) token Password:
> Fri Jul 5 09:08:00 2013 PKCS#11: Cannot perform signature 32:'CKR_DATA_INVALID'
> Fri Jul 5 09:08:00 2013 TLS_ERROR: BIO read tls_read_plaintext error: error:14099004:SSL routines:SSL3_SEND_CLIENT_VERIFY:RSA lib
> Fri Jul 5 09:08:00 2013 TLS Error: TLS object -> incoming plaintext read error
> Fri Jul 5 09:08:00 2013 TLS Error: TLS handshake failed
> Fri Jul 5 09:08:00 2013 TCP/UDP: Closing socket
> Fri Jul 5 09:08:00 2013 SIGUSR1[soft,tls-error] received, process restarting
>
> I think the second line seems to be the problem, but I do not understand
> what this means.
>
> To verify that the token is configured correctly I added the
> opensc-pkcs11.so to firefox and configured an apache server to make
> client authentication with the certificate and key added to
> the token. After entering the token's PIN, authentication works perfectly.
>
> My first question is whether this is an OpenSC problem or a problem of
> OpenVPN?
> What does CKR_DATA_INVALID mean?
> Are there any diagnostics I can make to solve the problem?
>
> Thanks.
>
> Ciao
> Matthias
From: Matthias B. <bar...@ba...> - 2013-07-05 07:18:02

Hi,

I have a setup with OpenSC version 0.13.0-0git-2012112910105 supplied as debian package from gooze.eu and OpenVPN version 2.2.1-8 on Mint 14 LMDE. My OpenVPN tunnel runs perfectly when I use certificate and key as files. The tunnel comes up and works as expected. I added the certificate and the key to an ePass2003 token.

When I try to use the token with the opensc-pkcs11.so provider I get the following log output:

Fri Jul 5 09:07:41 2013 OpenVPN 2.2.1 x86_64-linux-gnu [SSL] [LZO2] [EPOLL] [PKCS11] [eurephia] [MH] [PF_INET6] [IPv6 payload 20110424-2 (2.2RC2)] built on Mar 23 2012
Fri Jul 5 09:07:41 2013 PKCS#11: Adding PKCS#11 provider '/usr/lib/opensc-pkcs11.so'
Fri Jul 5 09:07:48 2013 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
Fri Jul 5 09:07:48 2013 NOTE: OpenVPN 2.1 requires '--script-security 2' or higher to call user-defined scripts or executables
Fri Jul 5 09:07:48 2013 LZO compression initialized
Fri Jul 5 09:07:48 2013 Control Channel MTU parms [ L:1542 D:138 EF:38 EB:0 ET:0 EL:0 ]
Fri Jul 5 09:07:48 2013 Data Channel MTU parms [ L:1542 D:1450 EF:42 EB:135 ET:0 EL:0 AF:3/1 ]
Fri Jul 5 09:07:48 2013 Local Options hash (VER=V4): '41690919'
Fri Jul 5 09:07:48 2013 Expected Remote Options hash (VER=V4): '530fdded'
Fri Jul 5 09:07:48 2013 UDPv4 link local: [undef]
Fri Jul 5 09:07:48 2013 UDPv4 link remote: [AF_INET]123.231.22.53:1194
Fri Jul 5 09:07:54 2013 VERIFY OK: depth=2, /C=DE/ST=Berlin/L=Berlin/O=Foobar/OU=Operations/CN=SIKON_CA/emailAddress=Ope...@fo...
Fri Jul 5 09:07:54 2013 VERIFY OK: depth=1, /C=DE/ST=Berlin/L=Berlin/O=Foobar/OU=Operations/CN=STUFE3/emailAddress=Ope...@fo...
Fri Jul 5 09:07:54 2013 VERIFY OK: depth=0, /C=DE/ST=Berlin/L=Berlin/O=Foobar/OU=Operations/CN=vpn.foobar.biz
Enter John Doe (User PIN) token Password:
Fri Jul 5 09:08:00 2013 PKCS#11: Cannot perform signature 32:'CKR_DATA_INVALID'
Fri Jul 5 09:08:00 2013 TLS_ERROR: BIO read tls_read_plaintext error: error:14099004:SSL routines:SSL3_SEND_CLIENT_VERIFY:RSA lib
Fri Jul 5 09:08:00 2013 TLS Error: TLS object -> incoming plaintext read error
Fri Jul 5 09:08:00 2013 TLS Error: TLS handshake failed
Fri Jul 5 09:08:00 2013 TCP/UDP: Closing socket
Fri Jul 5 09:08:00 2013 SIGUSR1[soft,tls-error] received, process restarting

I think the second line seems to be the problem, but I do not understand what this means.

To verify that the token is configured correctly I added the opensc-pkcs11.so to firefox and configured an apache server to make client authentication with the certificate and key added to the token. After entering the token's PIN, authentication works perfectly.

My first question is whether this is an OpenSC problem or a problem of OpenVPN?
What does CKR_DATA_INVALID mean?
Are there any diagnostics I can make to solve the problem?

Thanks.

Ciao
Matthias
From: Douglas E. E. <dee...@an...> - 2013-06-25 14:30:25
|
On 6/25/2013 5:59 AM, Daniel Pocock wrote:
>
> Hi,
>
> Can anybody comment on the Elliptic Curve support in OpenSC and which
> cards are suggested?
>
> I found this ticket about ECDSA with PIV card support but it is not
> clear if this is also supported for other cards now:
>
> https://www.opensc-project.org/opensc/ticket/295
>
> Is the PIV card concept only relevant to those in organisations that use
> PIV cards, or can these cards be useful for any arbitrary project?

Yes and no.

The PIV standards from NIST were designed for the US government and its contractors, which also defined Government ID info to be in some objects, such as the FASC-N in the CHUID.

But there are PIV-I (Interoperable) cards not issued by the US government, which could be trusted somewhat. And PIV-C (Compatible) cards that use the same cards but are not trusted by the US Government. The CHUID object on the card contains a GUID and a FASC-N starting with 9999 that indicates that this is not a PIV but a PIV-C card. The Smart Card Alliance has started calling them CIV cards.

Google for PIV-C or piv-compatible smart cards or CIV smart cards. This is a nice starting point:

http://www.smartcardalliance.org/pages/publications-piv-i-for-non-federal-issuers
http://www.securitysystemsnews.com/article/civ-cards-just-piv-cards-commercial-market?page=0,0
http://www.quantumsecure.com/solutions/functional-solutions/civ-credential/

The same cards are used in each; it's the information on the card and the PKI used that is different.

OpenSC operates at the card level, and is not concerned with the differences between PIV, PIV-I or PIV-C (as does the Microsoft Windows CAPI).

The bare minimum card would have a PIV Authentication certificate and key and a CHUID using the FASC-N=9999... and GUID. The Microsoft CAPI has built-in support for PIV, and expects a CHUID.

You will still need some type of card management system and cards.

> I found that some of the Athena cards offer ECC support, I understand
> these are on the OpenSC supported list, but it's not clear if the ECC
> support is in all variations of the card:
> http://www.athena-scs.com/docs/products-solutions-datasheets/athena-idprotect-client.pdf
>
> Regards,
>
> Daniel
>
> ------------------------------------------------------------------------------
> This SF.net email is sponsored by Windows:
>
> Build for Windows Store.
>
> http://p.sf.net/sfu/windows-dev2dev
> _______________________________________________
> Opensc-devel mailing list
> Ope...@li...
> https://lists.sourceforge.net/lists/listinfo/opensc-devel
>

--
Douglas E. Engert <DEE...@an...>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
|
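The FASC-N layout and the "agency code 9999" convention described above, as an added example that is not part of Douglas's message or of OpenSC: it encodes and decodes the 25-byte FASC-N that the CHUID carries and classifies the card by agency code. Field names, the LRC convention (XOR of the preceding data nibbles) and the sample values are assumptions made for illustration.

```python
from functools import reduce
from operator import xor
# Added example, not from the thread: encode/decode the 25-byte FASC-N in a PIV CHUID
# (tag 0x30) and flag the agency-code-9999 convention named above for non-federal (PIV-I/
# PIV-C) cards. TIG SCEPACS coding: 40 symbols of 5 bits (4 data bits LSB-first + odd parity).
SS, FS, ES = 0b1011, 0b1101, 0b1111  # start sentinel, field separator, end sentinel
# (field, digit count); a field separator follows each of the first five fields only.
FASCN_FIELDS = [("agency", 4), ("system", 4), ("credential", 6), ("series", 1), ("issue", 1),
                ("person_id", 10), ("org_category", 1), ("org_id", 4), ("poa", 1)]

def _symbol(value):  # 4 data bits LSB first, then a parity bit -> odd count of ones
    bits = [(value >> k) & 1 for k in range(4)]
    return bits + [1 - sum(bits) % 2]

def encode_fascn(fields):
    syms = [SS]
    for i, (name, n) in enumerate(FASCN_FIELDS):
        digits = fields[name]
        if len(digits) != n or not digits.isdigit():
            raise ValueError("%s must be %d digits" % (name, n))
        syms += [int(c) for c in digits] + ([FS] if i < 5 else [])
    syms.append(ES)
    syms.append(reduce(xor, syms))  # LRC: XOR of every preceding data nibble (assumed)
    bits = [b for s in syms for b in _symbol(s)]
    return bytes(int("".join(map(str, bits[i:i + 8])), 2) for i in range(0, 200, 8))

def decode_fascn(raw):
    if len(raw) != 25: raise ValueError("FASC-N must be 25 bytes")
    bits = [(b >> (7 - k)) & 1 for b in raw for k in range(8)]
    syms = []
    for i in range(0, 200, 5):
        chunk = bits[i:i + 5]
        if sum(chunk) % 2 == 0:
            raise ValueError("parity error in symbol %d" % (i // 5))
        syms.append(sum(bit << k for k, bit in enumerate(chunk[:4])))
    if syms[0] != SS or syms[-2] != ES or syms[-1] != reduce(xor, syms[:-1]):
        raise ValueError("bad sentinel or LRC")
    body, out, pos = syms[1:-2], {}, 0
    for i, (name, n) in enumerate(FASCN_FIELDS):
        out[name] = "".join(str(d) for d in body[pos:pos + n])
        if i < 5 and body[pos + n] != FS:
            raise ValueError("missing separator after %s" % name)
        pos += n + (1 if i < 5 else 0)
    return out

def classify_fascn(raw):
    f = decode_fascn(raw)  # thread: agency code 9999 -> PIV-C/PIV-I, not federal PIV
    return ("PIV-I/PIV-C" if f["agency"] == "9999" else "federal PIV"), f
# Constructed sample values, not from any real card.
SAMPLE = {"agency": "9999", "system": "0001", "credential": "000123", "series": "0", "issue": "1",
          "person_id": "1234567890", "org_category": "1", "org_id": "0000", "poa": "1"}
```

`classify_fascn(encode_fascn(SAMPLE))` returns the PIV-I/PIV-C label with the decoded fields; a single flipped bit in the input fails the per-symbol parity check before any field is read.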
From: Andreas S. (ML) <and...@ca...> - 2013-06-25 11:14:58
|
Hi Daniel,

the SmartCard-HSM card has built-in support for ECC [1] and is supported by OpenSC.

Andreas

[1] https://github.com/OpenSC/OpenSC/wiki/SmartCardHSM

On 25.06.2013 12:59, Daniel Pocock wrote:
> Hi,
>
> Can anybody comment on the Elliptic Curve support in OpenSC and which
> cards are suggested?
>
> I found this ticket about ECDSA with PIV card support but it is not
> clear if this is also supported for other cards now:
>
> https://www.opensc-project.org/opensc/ticket/295
>
> Is the PIV card concept only relevant to those in organisations that use
> PIV cards, or can these cards be useful for any arbitrary project?
>
> I found that some of the Athena cards offer ECC support, I understand
> these are on the OpenSC supported list, but it's not clear if the ECC
> support is in all variations of the card:
> http://www.athena-scs.com/docs/products-solutions-datasheets/athena-idprotect-client.pdf
>
> Regards,
>
> Daniel

--
    ---------    CardContact Software & System Consulting
   |.##> <##.|   Andreas Schwier
   |#       #|   Schülerweg 38
   |#       #|   32429 Minden, Germany
   |'##> <##'|   Phone +49 571 56149
    ---------    http://www.cardcontact.de
                 http://www.tscons.de
                 http://www.openscdp.org
|
From: Daniel P. <da...@po...> - 2013-06-25 11:00:23
|
Hi,

Can anybody comment on the Elliptic Curve support in OpenSC and which cards are suggested?

I found this ticket about ECDSA with PIV card support but it is not clear if this is also supported for other cards now:

https://www.opensc-project.org/opensc/ticket/295

Is the PIV card concept only relevant to those in organisations that use PIV cards, or can these cards be useful for any arbitrary project?

I found that some of the Athena cards offer ECC support. I understand these are on the OpenSC supported list, but it's not clear if the ECC support is in all variations of the card:
http://www.athena-scs.com/docs/products-solutions-datasheets/athena-idprotect-client.pdf

Regards,

Daniel
|
From: Daniel P. <da...@po...> - 2013-06-17 21:37:04
|
Hi,

I just had a look at this page:

https://www.opensc-project.org/opensc/wiki/SupportedHardware

and it has OpenPGP card below the `Unsupported' heading. Is that still the case? There appears to be a lot of detail on the OpenPGP page:

https://www.opensc-project.org/opensc/wiki/OpenPGP

Would it be possible to annotate the unsupported cards with some comments to distinguish those that will never be supported from those that are work-in-progress?

Looking at it from the other angle, the OpenSC FAQ took me to this page:

https://sites.google.com/site/alonbarlev/gnupg-pkcs11

which has a very brief statement about "The GnuPG developers insist of implementing smartcard support from scratch, what makes a low smartcard variety" - for an outsider, it's not exactly clear what that means.

Is there any document that explains, at arm's length, the current state of play with free-software related smart card technology, with some practical comments about how people can mix-and-match all their different use cases (e.g. ssh keys, gpg keys, X.509 certs for web/email, VPN that use any of the above types of key, disk encryption, private root CA key)?

Regards,

Daniel
|