From: Andreas S. (ML) <and...@ca...> - 2013-06-10 08:06:36

Dear Viktor,

is there any chance to get our pull request integrated any time soon?

https://github.com/OpenSC/OpenSC/pull/157

Kind regards,
Andreas

--
CardContact Software & System Consulting
Andreas Schwier
Schülerweg 38
32429 Minden, Germany
Phone +49 571 56149
http://www.cardcontact.de
http://www.tscons.de
http://www.openscdp.org

From: Laurent B. <bi...@de...> - 2013-06-08 17:12:43

Hello,

Could you please create a new release of opensc. The current one (0.13.0) has a regression that breaks authentication on websites using a belpic card. This is a regression from 0.12.2.

I've tested the current git HEAD and it is working fine.

Cheers

Laurent Bigonville

From: helpcrypto h. <hel...@gm...> - 2013-06-08 12:36:42

Sent to another maillist, cause I don't know which is the correct one... Sorry!

---------- Forwarded message ----------
To: "ope...@li..." <ope...@li...>

Hi.

Probably I'm missing something, but could any of you tell me why this is happening? What should I implement?

$ pkcs11-tool --module libmypkcs11.so -M
Using slot 0 with a present token (0x1)
Supported mechanisms:
  RSA-PKCS, keySize={1024,1024}, decrypt, sign
  RSA-PKCS-KEY-PAIR-GEN, keySize={1024,1024}, generate_key_pair

$ pkcs11-tool --module libmypkcs11.so --sign --login -v --key-type rsa:1024
Using slot 0 with a present token (0x1)
Logging in to "My Card".
Please enter User PIN:
error: No appropriate mechanism found
Aborting.

Thanks!

From: Frank M. <mo...@in...> - 2013-06-04 18:07:03

On Tuesday, June 04 at 09:39AM, Luke B wrote:
> On 6/3/2013 4:05 PM, Luke B wrote:
> > > I am sorry if this is the wrong place to ask. I am interested in reading
> > > the CHUID off of a PIV-II card and getting it in a format that I could
> > > easily process in a Bash script.
> > >
> > > Is there an easy way to do this using OpenSC? I am able to read objects
> > > using PKCS15-Tool -R , but then I am not sure how to process the object
> > > dump. Are there tools for this?
> >
> > Yes. I will send you by separate e-mail a program(s) to look at some of
> > the objects on the card.
>
> Thanks, I got it and it looks really helpful!
>
> > > Right now I am using a contact reader. I also have a contactless reader.
> > > Looking at 800-73, it looks like the CHUID should also be accessible
> > > through the contactless reader. I have libnfc up and
> > > running and I am able to see the card, but I am unable to find out how
> > > to pull down the objects or process them.
> >
> > I would be interested in that too.
> >
> > AFAIK, NIST does not want authentication being done over NFC.
>
> That is probably wise...
>
> I did find this project, which may help but I have not been able to get it
> to work:
> https://code.google.com/p/ifdnfc/source/browse/#git%253Fstate%253Dclosed

Make sure your libnfc-device is mentioned in the Info.plist
https://code.google.com/p/ifdnfc/source/browse/src/Info.plist.in

--
Frank Morgner
Virtual Smart Card Architecture http://vsmartcard.sourceforge.net
OpenPACE http://openpace.sourceforge.net
IFD Handler for libnfc Devices http://sourceforge.net/projects/ifdnfc

From: Douglas E. E. <dee...@an...> - 2013-06-04 14:23:43

On 6/4/2013 8:39 AM, Luke B wrote:
> On 6/3/2013 4:05 PM, Luke B wrote:
> > > I am sorry if this is the wrong place to ask. I am interested in reading the CHUID off of a PIV-II card and getting it in a format that I could easily process in a Bash script.
> > >
> > > Is there an easy way to do this using OpenSC? I am able to read objects using PKCS15-Tool -R , but then I am not sure how to process the object dump. Are there tools for this?
> >
> > Yes. I will send you by separate e-mail a program(s) to look at some of the objects on the card.
>
> Thanks, I got it and it looks really helpful!
>
> > > Right now I am using a contact reader. I also have a contactless reader. Looking at 800-73, it looks like the CHUID should also be accessible through the contactless reader. I have libnfc up and
> > > running and I am able to see the card, but I am unable to find out how to pull down the objects or process them.
> >
> > I would be interested in that too.
> >
> > AFAIK, NIST does not want authentication being done over NFC.
>
> That is probably wise...

NIST 800-73-3 part 4 table 1 says the CHUID, X.509 Certificate for Card Authentication, and Discovery Object are accessible via contactless.

NIST 800-73-3 part 2 table 2 lists the commands that can be used in contactless, and also says:

"Note: Cryptographic protocols using private/secret keys requiring “PIN” security condition shall not be used on the contactless interface."

The "X.509 Certificate for Card Authentication" and its key can be used for the card to authenticate itself without using a PIN. (Useful for physical access; it just proves it is the card, but not that the user is in possession of the card.)

> I did find this project, which may help but I have not been able to get it to work:
> https://code.google.com/p/ifdnfc/source/browse/#git%253Fstate%253Dclosed

My LG Android phone with Jelly Bean and an NFC app (NFC TagInfo 1.09c from NFC Research Lab Hagenberg) can read the ATR and default app and can tell it is a DOD PIV card, but does not know what else to do with it.

There are Type A and Type B cards. Mine is a type A. I have a set of 16 NIST test cards, some type A some type B. The NFC app can tell there is a type A card near, but can't read anything off of it. It does not see the type B card. (The test cards appear to not be initialized for contactless.)

--
Douglas E. Engert <DEE...@an...>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444

From: Luke B <lu...@gm...> - 2013-06-04 13:39:26

On 6/3/2013 4:05 PM, Luke B wrote:
> > I am sorry if this is the wrong place to ask. I am interested in reading
> > the CHUID off of a PIV-II card and getting it in a format that I could
> > easily process in a Bash script.
> >
> > Is there an easy way to do this using OpenSC? I am able to read objects
> > using PKCS15-Tool -R , but then I am not sure how to process the object
> > dump. Are there tools for this?
>
> Yes. I will send you by separate e-mail a program(s) to look at some of
> the objects on the card.

Thanks, I got it and it looks really helpful!

> > Right now I am using a contact reader. I also have a contactless reader.
> > Looking at 800-73, it looks like the CHUID should also be accessible
> > through the contactless reader. I have libnfc up and
> > running and I am able to see the card, but I am unable to find out how
> > to pull down the objects or process them.
>
> I would be interested in that too.
>
> AFAIK, NIST does not want authentication being done over NFC.

That is probably wise...

I did find this project, which may help but I have not been able to get it to work:
https://code.google.com/p/ifdnfc/source/browse/#git%253Fstate%253Dclosed

From: Florent D. <fde...@gm...> - 2013-06-04 08:15:33

> However, if your distro has upstart and pcscd playing nice together
> already, then you can probably disable the pcscd socket through the
> upstart config mechanisms.

Ok thanks for the reference, I'll dig into that. I am also thinking about a more "brutal" solution based on scripting/symbolic links ;) (my context is somewhat special in a virtual environment: both the guest and the host do have pcscd but they might conflict sometimes...)

> If I'm wrong on that, someone please correct me -- this isn't
> something I've worked on in detail.
>
> Either way, good luck to you, Florent.

Many thanks for the time you took Anthony,

Best regards,
Florent

From: Douglas E. E. <dee...@an...> - 2013-06-03 21:51:06

On 6/3/2013 4:05 PM, Luke B wrote:
> I am sorry if this is the wrong place to ask. I am interested in reading the CHUID off of a PIV-II card and getting it in a format that I could easily process in a Bash script.
>
> Is there an easy way to do this using OpenSC? I am able to read objects using PKCS15-Tool -R , but then I am not sure how to process the object dump. Are there tools for this?

Yes. I will send you by separate e-mail a program(s) to look at some of the objects on the card.

> Are there any good walk throughs on how to PIN in and also retrieve the "Printed Information"? 800-73 says that Printed Info needs a PIN to access. Is this always the case? Do some implementations put
> it in the clear?

The printed info needs the user's PIN. It's not in the clear.

> Right now I am using a contact reader. I also have a contactless reader. Looking at 800-73, it looks like the CHUID should also be accessible through the contactless reader. I have libnfc up and
> running and I am able to see the card, but I am unable to find out how to pull down the objects or process them.

I would be interested in that too.

AFAIK, NIST does not want authentication being done over NFC.

> Sorry if this is OT, I am not sure where else to ask.
>
> - Luke

--
Douglas E. Engert <DEE...@an...>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444

From: Luke B <lu...@gm...> - 2013-06-03 21:05:39

I am sorry if this is the wrong place to ask. I am interested in reading the CHUID off of a PIV-II card and getting it in a format that I could easily process in a Bash script.

Is there an easy way to do this using OpenSC? I am able to read objects using PKCS15-Tool -R , but then I am not sure how to process the object dump. Are there tools for this?

Are there any good walk throughs on how to PIN in and also retrieve the "Printed Information"? 800-73 says that Printed Info needs a PIN to access. Is this always the case? Do some implementations put it in the clear?

Right now I am using a contact reader. I also have a contactless reader. Looking at 800-73, it looks like the CHUID should also be accessible through the contactless reader. I have libnfc up and running and I am able to see the card, but I am unable to find out how to pull down the objects or process them.

Sorry if this is OT, I am not sure where else to ask.

- Luke

--
What's for dinner? Visit www.cookography.com to find out!

From: Douglas E. E. <dee...@an...> - 2013-06-03 14:24:37

On 6/3/2013 7:48 AM, Guest, Iestyn - 1140 - MITLL wrote:
> Hello,
>
> Athena ships libASEP11.so with their IDProtect card software to provide PKCS#11 support for apps such as Mozilla, PGP etc... Which works for Firefox. Do I need to link this library with OpenSC at
> compile time for OpenSC to be able to talk to the card? I'd like to be able to use the card for PAM authentication.

OpenSC implements the PKCS#11 API for a number of smart cards. It sounds like libASEP11.so also implements a PKCS#11 API for their cards.

The Mozilla apps can load multiple "security devices" that are shared libs that implement a PKCS#11 API. The Mozilla NSS takes care of keeping track of the multiple PKCS#11 libs and which card is supported by them.

Depending on how your PAM uses PKCS#11, it can either support multiple PKCS#11 libs, or just one. If it's just one, and you only have one type of card, the IDProtect card, you don't need OpenSC at all; just use the libASEP11.so.

There are many PAM modules out there that can use smart cards. I would assume being from MIT that you want to use the card with Kerberos PKINIT. In which case look at the Kerberos doc on how to use a PKCS#11 module.

Linking the OpenSC and libASEP11.so won't work. But one could write the card drivers for the IDProtect card in OpenSC, which is at a lower level than PKCS#11, so OpenSC could also support the IDProtect card.

> Running opensc-tool --reader 0 --name gives me "Unsupported INS byte in APDU".
>
> Can someone push me in the right direction?

There have been similar questions in the past. Google for:
  athena IDProtect OpenSC

Also Google for pkinit-nss
This would let PKINIT use multiple PKCS#11 libs.

> Thanks in advance.
>
> Iestyn Guest.
>
> Reader 0: Broadcom 5880 [Contacted SmartCard] (0123456789ABCD) 00 00
> Card state: Card inserted, Shared Mode,
> ATR: 3B DC 18 FF 81 91 FE 1F C3 80 73 C8 21 13 66 01 0B 03 52 00 05 38
> Athena IDProtect Smart Card Logon Card

--
Douglas E. Engert <DEE...@an...>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444

From: Guest, I. - 1. - M. <ig...@ll...> - 2013-06-03 12:48:46

Hello,

Athena ships libASEP11.so with their IDProtect card software to provide PKCS#11 support for apps such as Mozilla, PGP etc... Which works for Firefox. Do I need to link this library with OpenSC at compile time for OpenSC to be able to talk to the card? I'd like to be able to use the card for PAM authentication.

Running opensc-tool --reader 0 --name gives me "Unsupported INS byte in APDU".

Can someone push me in the right direction?

Thanks in advance.

Iestyn Guest.

Reader 0: Broadcom 5880 [Contacted SmartCard] (0123456789ABCD) 00 00
Card state: Card inserted, Shared Mode,
ATR: 3B DC 18 FF 81 91 FE 1F C3 80 73 C8 21 13 66 01 0B 03 52 00 05 38
Athena IDProtect Smart Card Logon Card

From: Anthony F. <ant...@gm...> - 2013-05-31 23:33:00

Florent --

On Fri, May 31, 2013 at 12:53 AM, Florent Deybach <fde...@gm...> wrote:
> Hi,
>
> Thanks for answer!
>
>> If you are talking about pcscd starting automatically when the system
>> boots, then that is a question for your system init framework. I
>> believe that Ubuntu uses "upstart":
>>
>> http://upstart.ubuntu.com/cookbook/#disabling-a-job-from-automatically-starting
>
> No, I am talking about the pcscd daemon starting when libpcsclite starts the
> communication.

Hm. I looked around for a while, seeing where this was done, only to see this:

http://anonscm.debian.org/viewvc/pcsclite?view=revision&revision=6105

$ svn log -r 6105
------------------------------------------------------------------------
r6105 | rousseau | 2011-11-14 03:19:44 -0700 (Mon, 14 Nov 2011) | 8 lines

Remove pcscd autostart feature

The auto start feature (launch pcscd from the library if not already
running) was a fragile code with some issues.
This service is far better implemented by systemd.

Thanks to Kalev Lember for pushing the systemd patches.

So if your libpcsclite is still spawning pcscd, then it's relatively old.

Further, it sounds like the logic for this is now run by systemd, which means that (since you're using upstart) you'll either need to contribute bits that provide the same support, or find a way to have your upstart install provide this feature.

(As far as I understand it, systemd can act a bit like inetd / xinetd; it "knows" about a socket (and hence creates it), but it doesn't launch the actual daemon until someone tries to connect to it.)

However, if your distro has upstart and pcscd playing nice together already, then you can probably disable the pcscd socket through the upstart config mechanisms.

If I'm wrong on that, someone please correct me -- this isn't something I've worked on in detail.

Either way, good luck to you, Florent.

Best regards,
Anthony Foiani

From: Anders R. <and...@te...> - 2013-05-31 07:12:40

Since the smart card industry considers it to be an "asset" having unique interfaces, it has proven to be impossible creating a universal system for on-line provisioning of PKI to traditional smart cards.

In the meantime, another camp which is relying on *embedded* security elements has done considerable progress in the last 12 months:

Virtual Smart Cards are now shipping in Windows 8:
http://www.microsoft.com/en-us/download/details.aspx?id=29076

SKS/KeyGen2 is currently in a "feature complete" Proof-of-Concept state running in Android:
https://mobilepki.org/scc

One may say that using embedded security elements is "cheating" since you don't have to bother about third-party middleware and cryptographic APIs defined before we had the Internet (like PKCS #11), but I would rather say that it is about using technology in a smarter way :-)

Personally I don't see why embedded and connected security elements couldn't share a common architecture but apparently the smart card community prefers marginalization before omnipresence!

Anders

From: Florent D. <fde...@gm...> - 2013-05-31 06:53:44

Hi,

Thanks for answer!

> If you are talking about pcscd starting automatically when the system
> boots, then that is a question for your system init framework. I
> believe that Ubuntu uses "upstart":
>
> http://upstart.ubuntu.com/cookbook/#disabling-a-job-from-automatically-starting

No, I am talking about the pcscd daemon starting when libpcsclite starts the communication.

> If you're talking about pcscd being started when a token is inserted,

Yes. btw, are there other events that could make pcscd "respawn"?

> this is probably driven by udev (the user-space helper that receives
> hotplug events from the kernel and acts according to certain rules).
>
> In the latter case, you need to modify the udev rules to not start
> pcscd when the token is inserted. I'm not sure exactly how that is
> done, but you can start by looking at the package you installed on
> your machine; it should have the relevant ruleset files. (On my
> Fedora system, they are stored in /etc/udev/rules.d, but apparently
> most of the magic is done in the hwdb.bin file there anymore...)

I do have a file in /lib/udev/rules.d/92-libccid.rules but I am not sure whether it is used to auto start pcscd. As said in the beginning of this file, the udev rules set the access rights of CCID card readers so they can be used by pcscd.

Cheers,
Florent

From: Anthony F. <ant...@gm...> - 2013-05-30 21:50:25

Florent --

On Thu, May 30, 2013 at 9:50 AM, Florent Deybach <fde...@gm...> wrote:
> I am more
> interested in preventing pcscd from auto-starting.
> Is there a way to do it ? By modifying the pcscd files in
> /lib/systemd/system/ ?
> However on my Ubuntu 12.04LTS using libpcsclite 1.7.4 and I don't have these
> files...

If you are talking about pcscd starting automatically when the system boots, then that is a question for your system init framework. I believe that Ubuntu uses "upstart":

http://upstart.ubuntu.com/cookbook/#disabling-a-job-from-automatically-starting

Other systems use "SysV init scripts" or systemd, which all aim to accomplish the same basic task -- do all the tasks and start all the processes that take a unix-like system from "booted and running one process" to "ready to be used": mounting filesystems, bringing up and configuring network interfaces, starting GUIs or servers, etc.

If you're talking about pcscd being started when a token is inserted, this is probably driven by udev (the user-space helper that receives hotplug events from the kernel and acts according to certain rules).

In the latter case, you need to modify the udev rules to not start pcscd when the token is inserted. I'm not sure exactly how that is done, but you can start by looking at the package you installed on your machine; it should have the relevant ruleset files. (On my Fedora system, they are stored in /etc/udev/rules.d, but apparently most of the magic is done in the hwdb.bin file there anymore...)

If you're trying to do something else, then you'll have to be more specific.

Good luck,
Anthony Foiani

From: Ludovic R. <lud...@gm...> - 2013-05-30 16:10:21

2013/5/30 Florent Deybach <fde...@gm...>:
> Hello,

Hello,

> I've been reading the article about the pcscd auto start feature using
> systemd
> (http://ludovicrousseau.blogspot.fr/2011/11/pcscd-auto-start-using-systemd.html)
> The article is focusing on how to enable the feature but I am more
> interested in preventing pcscd from auto-starting.

You do not want pcscd to auto-start. What do you want instead?

Bye

--
Dr. Ludovic Rousseau

From: Florent D. <fde...@gm...> - 2013-05-30 15:51:02

Hello,

I've been reading the article about the pcscd auto start feature using systemd (http://ludovicrousseau.blogspot.fr/2011/11/pcscd-auto-start-using-systemd.html)

The article is focusing on how to enable the feature but I am more interested in preventing pcscd from auto-starting. Is there a way to do it? By modifying the pcscd files in /lib/systemd/system/? However, on my Ubuntu 12.04LTS using libpcsclite 1.7.4 I don't have these files...

Thanks in advance!

Regards,
Florent

From: Anthony F. <ant...@gm...> - 2013-05-29 05:41:41

Greetings --

I've been using this patch for a few weeks, and it seems to be holding up just fine (and this is with a use case that loads a new key every minute -- previously, I was leaking 2MB/hr...).

I don't see myself working on this much further, so I'd like to see this branch integrated into the mainline (assuming that the primary custodians aren't too appalled by the techniques applied). As such, I've submitted a pull request on github:

https://github.com/OpenSC/engine_pkcs11/pull/3

If I can make it more palatable in small ways, let me know, and I'll try to do so. Big changes are probably right out; if the current form is unacceptable on a fundamental level, I'll just have to move on and use my patched version.

Either way, thanks to everyone for providing me with a great base of code to work with, warts and all. :)

Best regards,
Anthony Foiani

On Tue, May 7, 2013 at 5:49 PM, Anthony Foiani <ant...@gm...> wrote:
> Greetings, all --
>
> On Thu, May 2, 2013 at 10:25 AM, Anthony Foiani <ant...@gm...> wrote:
> >
> > On Thu, May 2, 2013 at 10:15 AM, Anthony Foiani <ant...@gm...> wrote:
> >
> > > Or does the private key structure rely on information held in
> > > the enumeration?
> >
> > So apparently it does.
> >
> > > If the latter, do we need to somehow provide a way for the key to
> > > release the entire enumeration when the key itself is freed?
>
> I have a solution, but it's very ugly.
>
> Please take a look at this branch:
>
> https://github.com/tkil/engine_pkcs11/commits/ajf-fixes-201305
>
> It's mostly cleanup patches, but the punchline is in this commit:
>
> https://github.com/tkil/engine_pkcs11/commit/91133b719c71d0c92c233a0c29b0d5b94c4ee102
> (or: http://preview.tinyurl.com/cdabyyf)
>
> The commit message tells the story:
>
> Without this patch:
>
> ==25864== LEAK SUMMARY:
> ==25864==    definitely lost: 4,920 bytes in 27 blocks
> ==25864==    indirectly lost: 147,092 bytes in 3,137 blocks
> ==25864==      possibly lost: 0 bytes in 0 blocks
> ==25864==    still reachable: 14,231 bytes in 429 blocks
> ==25864==         suppressed: 0 bytes in 0 blocks
>
> With this patch:
>
> ==25989== LEAK SUMMARY:
> ==25989==    definitely lost: 4,600 bytes in 23 blocks
> ==25989==    indirectly lost: 328 bytes in 5 blocks
> ==25989==      possibly lost: 0 bytes in 0 blocks
> ==25989==    still reachable: 14,231 bytes in 429 blocks
> ==25989==         suppressed: 0 bytes in 0 blocks
>
> Note the change in "indirectly lost".
>
> The ugly part is that I could not find any way to do it transparently.
>
> When we get a key through the OpenSSL engine interface, all we get
> back is an EVP_PKEY*. I looked, and it doesn't seem that there's any
> way to add on arbitrary data; even if there were, there's no obvious
> way for external/third-party programs to modify the set of methods
> used by a given key.
>
> If there were, the right answer would have been:
>
> 1. Add the pointer to list of slots, and count of slots, as auxiliary
>    data on the EVP_PKEY;
> 2. Modify the pkey_free method to free those and then chain to the
>    original.
>
> I couldn't find anywhere to stick (1), and (2) was blocked because
> that method is behind an opaque pointer (the structure itself is
> defined in the openssl source package under crypto/asn1/asn1_locl.h,
> but that is not installed into the system headers directory, and it's
> explicitly mentioned that it's not for external use.)
>
> There are ways to get a pointer to the methods, duplicate it, and set
> a new free function -- but no way to get the original free function
> (!), so I couldn't chain to the original.
>
> Maybe I just missed something.
>
> It looks like someone else had a similar idea; in the hw_pcsk11.c
> file, there was an "#if 0" block with something that tries to chain
> the rsa_finish method ... but it was obviously not in use.
>
> Instead, I modified the engine to keep a separate list of EVP_PKEY* ->
> slot_list, slot_count mappings, and added an ENGINE_ctrl method to
> release the slot data given an EVP_PKEY*.
>
> I thought that I would still have to free the EVP_PKEY*, but it turns
> out that freeing the slots frees the keys:
>
>   PKCS11_release_all_slots calls
>     pkcs11_release_slot, which calls
>       pkcs11_destroy_token, which calls
>         pkcs11_destroy_keys, which calls
>           EVP_PKEY_free
>
> This is also the reason that I could not just release the slots before
> returning the EVP_PKEY* out of engine_pkcs11.c:pkcs11_load_key
>
> Anyway. Hopefully others will find this useful. I can submit a
> proper pull request if you would like.
>
> Best regards,
> Anthony Foiani

From: Frank M. <mo...@in...> - 2013-05-28 19:34:34

On Tuesday, May 28 at 10:22AM, Ludovic Rousseau wrote:
> 2013/5/28 Ludovic Rousseau <lud...@gm...>:
> > 2013/5/27 Frank Morgner <mo...@in...>:
> >> Hi!
> >
> > Hello,
> >
> >> Enabling compiler warnings, I just found a bug in OpenSC. An array is
> >> accessed out of bounds. The pull request is issued, but the same bug
> >> also exists in PCSC-Lite (Drivers/ccid/MacOSX/reader.h and
> >> PCSC/src/PCSC/reader.h). Ludovic, you might want to have a look:
> >>
> >> https://github.com/frankmorgner/OpenSC/commit/e74d33441e87826b3409446d2e7b5c917b2697c4
> >
> > It is not a bug but a feature.
> > Ideally I would like to use abData[0] or abData[] but some compilers complain.
> > It is called "C99 flexible array member"
> >
> > Maybe I should use something like
> > https://github.com/LudovicRousseau/libusbx/commit/53134e90f2f8fc516cc9794d79e754703da9e894
>
> Done in revision 6638
> http://lists.alioth.debian.org/pipermail/pcsclite-cvs-commit/2013-May/006191.html

OK, good. I adapted your patch for OpenSC and made sure that the buffer which gets cast to a pin_verification_structure is always big enough for holding an additional APDU.

> >> And by the way, do you think it is useful to add
> >> __attribute__((packed)) to the struct? Otherwise there might be some
> >> padding between the members...
> >
> > Good idea. I will have a look.
>
> I already use a packed structure using:
>
> /* Set structure elements alignment on bytes
>  * http://gcc.gnu.org/onlinedocs/gcc/Structure_002dPacking-Pragmas.html */
> #if defined(__APPLE__) | defined(sun)
> #pragma pack(1)
> #else
> #pragma pack(push, 1)
> #endif

OK, fine.

--
Frank Morgner
Virtual Smart Card Architecture http://vsmartcard.sourceforge.net
OpenPACE http://openpace.sourceforge.net
IFD Handler for libnfc Devices http://sourceforge.net/projects/ifdnfc

From: Ludovic R. <lud...@gm...> - 2013-05-28 08:23:26

2013/5/28 Ludovic Rousseau <lud...@gm...>:
> 2013/5/27 Frank Morgner <mo...@in...>:
>> Hi!
>
> Hello,
>
>> Enabling compiler warnings, I just found a bug in OpenSC. An array is
>> accessed out of bounds. The pull request is issued, but the same bug
>> also exists in PCSC-Lite (Drivers/ccid/MacOSX/reader.h and
>> PCSC/src/PCSC/reader.h). Ludovic, you might want to have a look:
>>
>> https://github.com/frankmorgner/OpenSC/commit/e74d33441e87826b3409446d2e7b5c917b2697c4
>
> It is not a bug but a feature.
> Ideally I would like to use abData[0] or abData[] but some compilers complain.
> It is called "C99 flexible array member"
>
> Maybe I should use something like
> https://github.com/LudovicRousseau/libusbx/commit/53134e90f2f8fc516cc9794d79e754703da9e894

Done in revision 6638
http://lists.alioth.debian.org/pipermail/pcsclite-cvs-commit/2013-May/006191.html

>> And by the way, do you think it is useful to add
>> __attribute__((packed)) to the struct? Otherwise there might be some
>> padding between the members...
>
> Good idea. I will have a look.

I already use a packed structure using:

/* Set structure elements alignment on bytes
 * http://gcc.gnu.org/onlinedocs/gcc/Structure_002dPacking-Pragmas.html */
#if defined(__APPLE__) | defined(sun)
#pragma pack(1)
#else
#pragma pack(push, 1)
#endif

Bye

--
Dr. Ludovic Rousseau

From: Ludovic R. <lud...@gm...> - 2013-05-28 07:20:01

2013/5/27 Frank Morgner <mo...@in...>:
> Hi!

Hello,

> Enabling compiler warnings, I just found a bug in OpenSC. An array is
> accessed out of bounds. The pull request is issued, but the same bug
> also exists in PCSC-Lite (Drivers/ccid/MacOSX/reader.h and
> PCSC/src/PCSC/reader.h). Ludovic, you might want to have a look:
>
> https://github.com/frankmorgner/OpenSC/commit/e74d33441e87826b3409446d2e7b5c917b2697c4

It is not a bug but a feature.
Ideally I would like to use abData[0] or abData[] but some compilers complain.
It is called "C99 flexible array member"

Maybe I should use something like
https://github.com/LudovicRousseau/libusbx/commit/53134e90f2f8fc516cc9794d79e754703da9e894

The idea is that the PIN_VERIFY_STRUCTURE is just the _header_ in a larger structure. You have to allocate a big enough structure to store the PIN_VERIFY_STRUCTURE header _and_ the complete APDU.

> And by the way, do you think it is useful to add
> __attribute__((packed)) to the struct? Otherwise there might be some
> padding between the members...

Good idea. I will have a look.

Bye

--
Dr. Ludovic Rousseau

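As an added example (not code from this thread, pcsc-lite or OpenSC), here is the header-plus-APDU layout Ludovic describes in C: the structure is byte-packed with the same pragma idiom he quotes, abData is the C99 flexible array member he mentions, the allocation is sized as header plus the complete APDU, and a check rejects a buffer that is too small before it is cast to the structure (the out-of-bounds access Frank's warning flagged). The member list follows pcsc-lite's reader.h as I recall it and the VERIFY APDU template is constructed; both are assumptions.

```c
/* Added example, not code from the thread, pcsc-lite or OpenSC. Member list
 * follows pcsc-lite's reader.h as recalled by the example's author (assumption). */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Same byte-alignment idiom as the reader.h fragment quoted in the thread. */
#if defined(__APPLE__) | defined(sun)
#pragma pack(1)
#else
#pragma pack(push, 1)
#endif
typedef struct {
    uint8_t  bTimerOut;
    uint8_t  bTimerOut2;
    uint8_t  bmFormatString;
    uint8_t  bmPINBlockString;
    uint8_t  bmPINLengthFormat;
    uint16_t wPINMaxExtraDigit;
    uint8_t  bEntryValidationCondition;
    uint8_t  bNumberMessage;
    uint16_t wLangId;
    uint8_t  bMsgIndex;
    uint8_t  bTeoPrologue[3];
    uint32_t ulDataLength;  /* number of APDU bytes that follow the header */
    uint8_t  abData[];      /* C99 flexible array member: the APDU lives here */
} PIN_VERIFY_STRUCTURE;
#if defined(__APPLE__) | defined(sun)
#pragma pack()
#else
#pragma pack(pop)
#endif

/* Bytes before the APDU: 19 when packed; natural alignment would pad to 20. */
size_t pin_verify_header_size(void)
{
    return offsetof(PIN_VERIFY_STRUCTURE, abData);
}

/* Allocation needed for the header plus an APDU of apdu_len bytes. */
size_t pin_verify_total_size(size_t apdu_len)
{
    return pin_verify_header_size() + apdu_len;
}

/* Allocate header + APDU as one block, copy the APDU in, record its length.
 * Reader-specific header fields are left zero; filling them is the caller's
 * job. Returns NULL on bad input or allocation failure. */
PIN_VERIFY_STRUCTURE *pin_verify_build(const uint8_t *apdu, size_t apdu_len,
                                       size_t *out_len)
{
    if (apdu == NULL || apdu_len > UINT32_MAX)
        return NULL;
    size_t total = pin_verify_total_size(apdu_len);
    PIN_VERIFY_STRUCTURE *pv = calloc(1, total);
    if (pv == NULL)
        return NULL;
    pv->ulDataLength = (uint32_t)apdu_len;
    memcpy(pv->abData, apdu, apdu_len);
    *out_len = total;
    return pv;
}

/* Check a raw buffer before casting it to PIN_VERIFY_STRUCTURE: the header
 * must be complete and ulDataLength must not reach past the buffer end.
 * Returns 0 when safe, -1 for a truncated header, -2 for a truncated APDU.
 * The length is read with memcpy, so no unaligned packed-field access. */
int pin_verify_validate(const uint8_t *buf, size_t buf_len)
{
    if (buf == NULL || buf_len < pin_verify_header_size())
        return -1;
    uint32_t len;
    memcpy(&len, buf + offsetof(PIN_VERIFY_STRUCTURE, ulDataLength), sizeof len);
    if ((size_t)len > buf_len - pin_verify_header_size())
        return -2;
    return 0;
}

int main(void)
{
    /* Constructed VERIFY APDU template: CLA INS P1 P2 Lc and 8 filler bytes
     * that the reader replaces with the PIN block. */
    static const uint8_t apdu[] = { 0x00, 0x20, 0x00, 0x80, 0x08,
                                    0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF };
    size_t len = 0;
    PIN_VERIFY_STRUCTURE *pv = pin_verify_build(apdu, sizeof apdu, &len);
    if (pv == NULL)
        return 1;
    printf("header %zu bytes, total %zu bytes, ok=%d, one byte short=%d\n",
           pin_verify_header_size(), len,
           pin_verify_validate((const uint8_t *)pv, len),
           pin_verify_validate((const uint8_t *)pv, len - 1));
    free(pv);
    return 0;
}
```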
From: Frank M. <mo...@in...> - 2013-05-27 20:30:14
Hi!

Enabling compiler warnings, I just found a bug in OpenSC. An array is
accessed out of bounds. The pull request is issued, but the same bug
also exists in PCSC-Lite (Drivers/ccid/MacOSX/reader.h and
PCSC/src/PCSC/reader.h). Ludovic, you might want to have a look:

https://github.com/frankmorgner/OpenSC/commit/e74d33441e87826b3409446d2e7b5c917b2697c4

And by the way, do you think it is useful to add
__attribute__((packed)) to the struct? Otherwise there might be some
padding between the members...

--
Frank Morgner

Virtual Smart Card Architecture  http://vsmartcard.sourceforge.net
OpenPACE                         http://openpace.sourceforge.net
IFD Handler for libnfc Devices   http://sourceforge.net/projects/ifdnfc
From: Rico H. <ri...@gm...> - 2013-05-24 09:04:39
Hi,

I have a problem when trying to use the Feitian ePass2003 in combination with
OpenSC 0.13.0, in mod_ssl. Now, mod_ssl cannot actually use the PKCS11 engine
by itself, but I found a patch that properly seems to load the engine here:
https://issues.apache.org/bugzilla/show_bug.cgi?id=52473 (also posted this
issue there)

After applying the patch, the PKCS11 engine seems to be loaded correctly, but
deadlocks during its 2nd initialization (mod_ssl does 2 initializations, one
to check the config and then one to actually start up. It does clean up in
between.). It seems to be a non-reentrant double-locking problem (see stack
trace: ENGINE_init (#23) acquires a lock, but then later in
engine_table_select (#7) the thread tries to acquire the same lock again and
deadlocks), but then I have no problem why it doesn't deadlock on the first
call to ENGINE_init(). I don't know enough about the internals of OpenSSL to
further comment on what library is at fault here, so I hope you guys can
figure that out.

I would post this as a bug on Trac but that won't let me log in so I'm
posting it here, hope that's okay.

Best regards,
Rico

----- stack trace:

#0  0xb776c424 in __kernel_vsyscall ()
#1  0xb76bb4d2 in __lll_lock_wait () from /lib/i386-linux-gnu/libpthread.so.0
#2  0xb76b6ed4 in _L_lock_776 () from /lib/i386-linux-gnu/libpthread.so.0
#3  0xb76b6d13 in pthread_mutex_lock () from /lib/i386-linux-gnu/libpthread.so.0
#4  0xb76e07d0 in apr_thread_mutex_lock () from /usr/lib/libapr-1.so.0
#5  0xb7380617 in ssl_util_thr_lock () from /usr/lib/apache2/modules/mod_ssl.so
#6  0xb718f9f5 in CRYPTO_lock (mode=mode@entry=9, type=type@entry=30, file=file@entry=0xb72a73f4 "eng_table.c", line=line@entry=258) at cryptlib.c:604
#7  0xb71fc077 in engine_table_select (table=table@entry=0xb72fe8d4 <cipher_table>, nid=nid@entry=418) at eng_table.c:258
#8  0xb71fdb55 in ENGINE_get_cipher_engine (nid=418) at tb_cipher.c:115
#9  0xb72118c2 in EVP_CipherInit_ex (ctx=ctx@entry=0xbf89b7c0, cipher=cipher@entry=0xb72ef9e0 <aes_128_ecb>, impl=impl@entry=0x0, key=key@entry=0xb6e60068 "\001\002\003\004\005\006\a\b\t\n\v\f\r\016\017\020\001\002\003\004\005\006\a\b\t\n\v\f\r\016\017\020\277\303)\021\307\030\303@", iv=iv@entry=0xbf89b84c "", enc=enc@entry=1) at evp_enc.c:147
#10 0xb7211a33 in EVP_EncryptInit_ex (ctx=0xbf89b7c0, cipher=0xb72ef9e0 <aes_128_ecb>, impl=0x0, key=0xb6e60068 "\001\002\003\004\005\006\a\b\t\n\v\f\r\016\017\020\001\002\003\004\005\006\a\b\t\n\v\f\r\016\017\020\277\303)\021\307\030\303@", iv=0xbf89b84c "") at evp_enc.c:292
#11 0xb6d63aa3 in ?? () from /usr/lib/libopensc.so.3
#12 0xb6d65aa5 in ?? () from /usr/lib/libopensc.so.3
#13 0xb6d66d05 in ?? () from /usr/lib/libopensc.so.3
#14 0xb6d670f7 in ?? () from /usr/lib/libopensc.so.3
#15 0xb6d6729f in ?? () from /usr/lib/libopensc.so.3
#16 0xb6d01c85 in sc_connect_card () from /usr/lib/libopensc.so.3
#17 0xb6fcdadd in ?? () from /usr/lib/opensc-pkcs11.so
#18 0xb6fce076 in ?? () from /usr/lib/opensc-pkcs11.so
#19 0xb6fc9521 in ?? () from /usr/lib/opensc-pkcs11.so
#20 0xb703d973 in PKCS11_CTX_load () from /usr/lib/i386-linux-gnu/libp11.so.2
#21 0xb704cdde in ?? () from /usr/lib/engines/engine_pkcs11.so
#22 0xb71fae8b in engine_unlocked_init (e=e@entry=0xb8c383f8) at eng_init.c:67
#23 0xb71fb000 in ENGINE_init (e=0xb8c383f8) at eng_init.c:130
#24 0xb736a68a in ssl_ossle_get_engine () from /usr/lib/apache2/modules/mod_ssl.so
#25 0xb736b03f in ssl_init_Engine () from /usr/lib/apache2/modules/mod_ssl.so
#26 0xb736ae1d in ssl_init_Module () from /usr/lib/apache2/modules/mod_ssl.so
#27 0xb77c51ee in ap_run_post_config (pconf=pconf@entry=0xb7492018, plog=0xb7460018, ptemp=0xb745e018, s=s@entry=0xb748c6a8) at config.c:95
#28 0xb77ae587 in main (argc=3, argv=0xbf89c464) at main.c:688
From: Martin P. <ma...@ma...> - 2013-05-24 09:03:47
Hello,

Keep in mind that opensc-explorer is a "low level tool". Your best option
is to compare the actual commands (opensc-explorer -vvv) to what succeeds
above (00 20 00 81 0A 30 34 35 32 39 31 FF FF FF FF). Also, if the PKCS#11
module selects some DF-s beforehand, you need to manually do that with
opensc-explorer.

Martin

--
Martin
+372 5156495

On Fri, May 17, 2013 at 12:48 PM, Johannes Becker <Joh...@hr...> wrote:
> On Monday 06 May 2013 Martin Paljak <ma...@ma...> wrote:
> >
> >> As said before: do have a peek at the log of an actual verification
> >> performed by Firefox.
> >
> > Firefox, pkcs11-tool and pkcs15-tool work with the card.
> > They send the pin with length 10, padded with FF (see below).
> >
> > It is only opensc-explorer that doesn't pass the pin with length 10
> >
> > I guess now I have to learn how to write the certificate to the card using
> > pkcs11-tool
> >
> > I tested with opensc 0.12.2
> >
> > Johannes
> >
> > -----
> >
> > 0x7f05005d3700 10:11:20.803 [opensc-pkcs11] apdu.c:184:sc_apdu_log:
> > Outgoing APDU data [ 15 bytes] =====================================
> > 00 20 00 81 0A 30 34 35 32 39 31 FF FF FF FF . ...045291....
> > ======================================================================
> > 0x7f05005d3700 10:11:20.803 [opensc-pkcs11] reader-pcsc.c:176:pcsc_internal_transmit: called
> > 0x7f05005d3700 10:11:20.856 [opensc-pkcs11] apdu.c:184:sc_apdu_log:
> > Incoming APDU data [ 2 bytes] =====================================
> > 90 00 ..
> > ======================================================================
> > 0x7f05005d3700 10:11:20.856 [opensc-pkcs11] card.c:330:sc_unlock: called
> > 0x7f05005d3700 10:11:20.856 [opensc-pkcs11] sec.c:204:sc_pin_cmd: returning with: 0 (Success)
> > 0x7f05005d3700 10:11:20.856 [opensc-pkcs11] pkcs15-pin.c:509:sc_pkcs15_pincache_add: called
> > 0x7f05005d3700 10:11:20.856 [opensc-pkcs11] pkcs15-pin.c:543:sc_pkcs15_pincache_add: PIN(User Pin) cached
> > 0x7f05005d3700 10:11:20.856 [opensc-pkcs11] card.c:330:sc_unlock: called
> > 0x7f05005d3700 10:11:20.856 [opensc-pkcs11] reader-pcsc.c:548:pcsc_unlock: called
> > 0x7f05005d3700 10:11:20.861 [opensc-pkcs11] pkcs15-pin.c:296:sc_pkcs15_verify_pin: returning with: 0 (Success)
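Martin's advice is to compare the bytes opensc-explorer sends with the successful command in the log. The added example below, which is not OpenSC code, does that comparison mechanically: it builds a VERIFY APDU with the PIN padded to a fixed block length (10 bytes, 0xFF, as in the quoted log), parses the hex text of an OpenSC APDU log line back into bytes, and decodes a VERIFY APDU into CLA/INS/P1/P2/Lc plus the split between PIN digits and padding. The PIN "045291" and the log line are taken from the quoted message; the function names and the 255-byte short-APDU limit are my own.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef struct {
    uint8_t cla, ins, p1, p2, lc;
    size_t  pin_len;   /* PIN bytes before the padding */
    size_t  pad_len;   /* trailing pad bytes */
} verify_apdu_info;

/* CLA INS P1 P2 Lc || PIN || pad bytes up to block_len.
 * Returns the APDU length, or 0 if the PIN does not fit or out is too small. */
size_t build_verify_apdu(const char *pin, uint8_t p2, size_t block_len,
                         uint8_t pad, uint8_t *out, size_t out_len)
{
    size_t pin_len = strlen(pin);
    if (pin_len == 0 || pin_len > block_len || block_len > 255 ||
        out_len < 5 + block_len)
        return 0;
    out[0] = 0x00;                 /* CLA */
    out[1] = 0x20;                 /* INS: VERIFY */
    out[2] = 0x00;                 /* P1 */
    out[3] = p2;                   /* P2: PIN reference, 0x81 in the log */
    out[4] = (uint8_t)block_len;   /* Lc: the full block, not strlen(pin) */
    memcpy(out + 5, pin, pin_len);
    memset(out + 5 + pin_len, pad, block_len - pin_len);
    return 5 + block_len;
}

static int hex_nibble(char c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Turn the "00 20 00 81 0A ..." text of an OpenSC APDU log line into bytes.
 * Returns the byte count, or 0 on malformed input or overflow. */
size_t parse_hex_bytes(const char *text, uint8_t *out, size_t out_len)
{
    size_t n = 0;
    while (*text != '\0') {
        if (*text == ' ') { text++; continue; }
        int hi = hex_nibble(text[0]);
        int lo = text[1] != '\0' ? hex_nibble(text[1]) : -1;
        if (hi < 0 || lo < 0 || n >= out_len)
            return 0;
        out[n++] = (uint8_t)((hi << 4) | lo);
        text += 2;
    }
    return n;
}

/* Split a case-3 VERIFY APDU into fields and measure the trailing padding.
 * Returns 0 on success, -1 if the bytes are not a well-formed VERIFY. */
int decode_verify_apdu(const uint8_t *apdu, size_t len, uint8_t pad,
                       verify_apdu_info *info)
{
    if (len < 5 || apdu[1] != 0x20)
        return -1;
    size_t lc = apdu[4];
    if (len != 5 + lc)             /* Lc must account for every data byte */
        return -1;
    info->cla = apdu[0]; info->ins = apdu[1]; info->p1 = apdu[2];
    info->p2  = apdu[3]; info->lc  = apdu[4];
    size_t pad_len = 0;
    while (pad_len < lc && apdu[5 + lc - 1 - pad_len] == pad)
        pad_len++;
    info->pad_len = pad_len;
    info->pin_len = lc - pad_len;
    return 0;
}

/* Self-check against the successful command quoted above. Returns 0 on success. */
int verify_apdu_selftest(void)
{
    uint8_t built[32], logged[32];
    verify_apdu_info info;
    size_t n = build_verify_apdu("045291", 0x81, 10, 0xFF, built, sizeof built);
    size_t m = parse_hex_bytes("00 20 00 81 0A 30 34 35 32 39 31 FF FF FF FF",
                               logged, sizeof logged);
    if (n != 15 || m != 15 || memcmp(built, logged, 15) != 0)
        return -1;
    if (decode_verify_apdu(logged, m, 0xFF, &info) != 0)
        return -2;
    if (info.p2 != 0x81 || info.lc != 10 || info.pin_len != 6 || info.pad_len != 4)
        return -3;
    /* The same PIN sent unpadded (Lc 06) is a different command on the wire. */
    n = build_verify_apdu("045291", 0x81, 6, 0xFF, built, sizeof built);
    if (n != 11 || memcmp(built, logged, 11) == 0)
        return -4;
    return 0;
}

int main(void)
{
    printf("selftest: %d (0 = padded APDU reproduces the logged bytes)\n",
           verify_apdu_selftest());
    return 0;
}
```

Running decode_verify_apdu over the command captured from each tool shows at a glance whether the difference is Lc (6 vs 10), the pad byte, or P2, which is exactly the comparison Martin suggests making before suspecting the card.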
From: Anders R. <and...@te...> - 2013-05-23 13:34:36
On 2013-05-23 14:34, Markus Koetter wrote:
> On 05/17/2013 04:03 PM, Jean-Michel Pouré - GOOZE wrote:
>> Please refer to:
>> http://www.gooze.eu/howto/smartcard-quickstarter-guide/recommendations
>
> Using (full install including the mini driver) 32bit OpenSC 0.13 on
> Windows 7 x86 and the following registry entries
>
> ---------
> Windows Registry Editor Version 5.00

I guess these guys will define a "Web Token" token so we can put this
[unmotivated] middleware hell to rest once and for all:
http://goo.gl/DFLnS

Anders

>
>
> [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Calais\SmartCards\FTCOS-PK-01C]
> "80000001"="opensc-minidriver.dll"
> "ATR"=hex:3b,9f,95,81,31,fe,9f,00,65,46,53,05,30,06,71,df,00,00,00,80,6a,82,5e
> "ATRMask"=hex:FF,FF,FF,FF,FF,FF,FF,FF,FF,FF,FF,FF,00,FF,FF,FF,FF,FF,FF,00,00,00,00
> "Crypto Provider"="Microsoft Base Smart Card Crypto Provider"
> "Smart Card Key Storage Provider"="Microsoft Smart Card Key Storage Provider"
> ---------
>
> I grabbed the ATR&mask from the entersafe driver in OpenSC.
>
> I have the same problem as you reported here:
> http://permalink.gmane.org/gmane.comp.encryption.opensc.devel/12439
> SCardGetCardTypeProviderName: The system cannot find the file specified.
> 0x2 (WIN32: 2)
>
> The thread does not provide a solution to the problem though.
>
> I did not modify the inf file - I just installed OpenSC, added the
> registry entries, and expected things to work.
>
>
> Kind regards
> Markus Kötter
>
> _______________________________________________
> Opensc-devel mailing list
> Ope...@li...
> https://lists.sourceforge.net/lists/listinfo/opensc-devel
>
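When SCardGetCardTypeProviderName cannot find a provider, the first thing to rule out is that the card's ATR does not match the registry entry under the given mask. The added example below, which is not OpenSC code, transcribes Markus's "ATR" and "ATRMask" values into byte arrays and checks a card ATR against them in two ways: masking both sides, and masking only the card ATR and comparing with the raw registry value. Which of the two comparisons the Windows resource manager applies is not settled by the thread, so the code reports both, and it also counts registry ATR bytes that have bits set where the mask is zero (here byte 12 and the last four bytes), a mismatch that would make the strict form fail regardless of the card. The test ATRs are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define FTCOS_ATR_LEN 23

/* "ATR" and "ATRMask" exactly as quoted in the registry snippet above. */
const uint8_t FTCOS_REG_ATR[FTCOS_ATR_LEN] = {
    0x3b, 0x9f, 0x95, 0x81, 0x31, 0xfe, 0x9f, 0x00, 0x65, 0x46, 0x53, 0x05,
    0x30, 0x06, 0x71, 0xdf, 0x00, 0x00, 0x00, 0x80, 0x6a, 0x82, 0x5e
};
const uint8_t FTCOS_REG_MASK[FTCOS_ATR_LEN] = {
    0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
    0x00, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0x00, 0x00, 0x00, 0x00
};

/* Mask both sides: (card & mask) == (registry & mask). Length must match
 * (an assumption about the resource manager; check the Microsoft docs). */
int atr_matches_masked(const uint8_t *card_atr, size_t card_len)
{
    if (card_len != FTCOS_ATR_LEN)
        return 0;
    for (size_t i = 0; i < FTCOS_ATR_LEN; i++)
        if ((card_atr[i] & FTCOS_REG_MASK[i]) != (FTCOS_REG_ATR[i] & FTCOS_REG_MASK[i]))
            return 0;
    return 1;
}

/* Strict form: (card & mask) == registry value, byte for byte. This only
 * succeeds when the registry ATR was stored already masked. */
int atr_matches_strict(const uint8_t *card_atr, size_t card_len)
{
    if (card_len != FTCOS_ATR_LEN)
        return 0;
    for (size_t i = 0; i < FTCOS_ATR_LEN; i++)
        if ((card_atr[i] & FTCOS_REG_MASK[i]) != FTCOS_REG_ATR[i])
            return 0;
    return 1;
}

/* Registry ATR bytes with bits set where the mask is zero. Anything other
 * than 0 means the two comparison forms above disagree for every card. */
size_t reg_atr_bytes_outside_mask(void)
{
    size_t n = 0;
    for (size_t i = 0; i < FTCOS_ATR_LEN; i++)
        if (FTCOS_REG_ATR[i] & (uint8_t)~FTCOS_REG_MASK[i])
            n++;
    return n;
}

/* Constructed card ATR: the registry value with the masked-out bytes changed,
 * as a card of the same family with a different historical-byte tail would show. */
size_t sample_card_atr(uint8_t *out, size_t out_len)
{
    if (out_len < FTCOS_ATR_LEN)
        return 0;
    memcpy(out, FTCOS_REG_ATR, FTCOS_ATR_LEN);
    out[12] = 0x31;
    out[22] = 0x00;
    return FTCOS_ATR_LEN;
}

int main(void)
{
    uint8_t atr[FTCOS_ATR_LEN];
    size_t len = sample_card_atr(atr, sizeof atr);
    printf("masked match: %d, strict match: %d, registry bytes outside mask: %zu\n",
           atr_matches_masked(atr, len), atr_matches_strict(atr, len),
           reg_atr_bytes_outside_mask());
    return 0;
}
```

If the masked form matches but the strict form does not, the registry entry should be re-checked against the ATR/mask pair the OpenSC driver actually ships for the card before looking further at the minidriver installation.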