From: Florent D. <fde...@gm...> - 2013-03-14 12:46:07
|
Hello,

I have the following environment:
Ubuntu 12.10 32bits
OpenSC 0.13
pcscd 1.8.5
pcsc-tools 1.4.20
libccid 1.4.7-1

I am using a Gemalto IAS/ECC smart card in a Gemalto USB Shell Token V2.

The token is fully operational when used on a physical machine however when my Ubuntu is a Virtual Machine running under VMware Player 5.0.2 I have a problem.

The reader and the card are shown by pcsc_scan, however all OpenSC tools (opensc-tools, pkcs15-init, etc.) fail because it cannot see the card, i.e. I have the following error message:
"Failed to connect to card: Unresponsive card (correctly inserted?)"

Here's an output of lsusb and pcsc_scan and finally opensc-tool in debug mode:

Many thanks!

root@ubuntu12-10# lsusb
Bus 001 Device 002: ID 0e0f:0003 VMware, Inc. Virtual Mouse
Bus 001 Device 003: ID 0e0f:0002 VMware, Inc. Virtual USB Hub
Bus 001 Device 001: ID 1d6b:0001 Linux Foundation 1.1 root hub
Bus 001 Device 006: ID 08e6:3438 Gemplus GemPC Key SmartCard Reader

--------------------------------------------------------------------------------------------------

root@ubuntu12-10# pcsc_scan
PC/SC device scanner
V 1.4.20 (c) 2001-2011, Ludovic Rousseau <lud...@fr...>
Compiled with PC/SC lite version: 1.8.3
Using reader plug'n play mechanism
Scanning present readers...
Waiting for the first reader...found one
Scanning present readers...
0: Gemalto USB Shell Token V2 (309EF81F) 00 00

Thu Mar 14 13:35:49 2013
Reader 0: Gemalto USB Shell Token V2 (309EF81F) 00 00
  Card state: Card inserted,
  ATR: 3B 7F 96 00 00 00 31 B8 64 40 70 14 10 73 94 01 80 82 90 00

ATR: 3B 7F 96 00 00 00 31 B8 64 40 70 14 10 73 94 01 80 82 90 00
+ TS = 3B --> Direct Convention
+ T0 = 7F, Y(1): 0111, K: 15 (historical bytes)
  TA(1) = 96 --> Fi=512, Di=32, 16 cycles/ETU
    250000 bits/s at 4 MHz, fMax for Fi = 5 MHz => 312500 bits/s
  TB(1) = 00 --> VPP is not electrically connected
  TC(1) = 00 --> Extra guard time: 0
+ Historical bytes: 00 31 B8 64 40 70 14 10 73 94 01 80 82 90 00
  Category indicator byte: 00 (compact TLV data object)
    Tag: 3, len: 1 (card service data byte)
      Card service data byte: B8
        - Application selection: by full DF name
        - BER-TLV data objects available in EF.DIR
        - BER-TLV data objects available in EF.ATR
        - EF.DIR and EF.ATR access services: by READ BINARY command
        - Card with MF
    Tag: 6, len: 4 (pre-issuing data)
      Data: 40 70 14 10
    Tag: 7, len: 3 (card capabilities)
      Selection methods: 94
        - DF selection by full DF name
        - DF selection by file identifier
        - Short EF identifier supported
      Data coding byte: 01
        - Behaviour of write functions: one-time write
        - Value 'FF' for the first byte of BER-TLV tag fields: invalid
        - Data unit in quartets: 2
      Command chaining, length fields and logical channels: 80
        - Command chaining
        - Logical channel number assignment: No logical channel
        - Maximum number of logical channels: 1
    Mandatory status indicator (3 last bytes)
      LCS (life card cycle): 82 (Proprietary)
      SW: 9000 (Normal processing.)

Possibly identified card (using /usr/share/pcsc/smartcard_list.txt):
3B 7F 96 00 00 00 31 B8 64 40 70 14 10 73 94 01 80 82 90 00
    IAS/ECC Gemalto (eID)

---------------------------------------------------------------

root@ubuntu12-10# lsusb
Bus 001 Device 002: ID 0e0f:0003 VMware, Inc. Virtual Mouse
Bus 001 Device 003: ID 0e0f:0002 VMware, Inc. Virtual USB Hub
Bus 001 Device 001: ID 1d6b:0001 Linux Foundation 1.1 root hub
Bus 001 Device 006: ID 08e6:3438 Gemplus GemPC Key SmartCard Reader
root@ubuntu12-10:/home/fdeybach#
root@ubuntu12-10:/home/fdeybach#
root@ubuntu12-10:/home/fdeybach#
root@ubuntu12-10:/home/fdeybach#
root@ubuntu12-10:/home/fdeybach# opensc-tool -a
Using reader with a card: Gemalto USB Shell Token V2 (309EF81F) 00 00
Failed to connect to card: Unresponsive card (correctly inserted?)
root@ubuntu12-10:/home/fdeybach#
root@ubuntu12-10:/home/fdeybach#
root@ubuntu12-10:/home/fdeybach# opensc-tool -a -vvvvv
0xb72806c0 13:39:22.704 [opensc-tool] sc.c:231:sc_detect_card_presence: called
0xb72806c0 13:39:22.704 [opensc-tool] reader-pcsc.c:370:pcsc_detect_card_presence: called
0xb72806c0 13:39:22.704 [opensc-tool] reader-pcsc.c:283:refresh_attributes: Gemalto USB Shell Token V2 (309EF81F) 00 00 check
0xb72806c0 13:39:22.705 [opensc-tool] reader-pcsc.c:299:refresh_attributes: returning with: 0 (Success)
0xb72806c0 13:39:22.705 [opensc-tool] reader-pcsc.c:375:pcsc_detect_card_presence: returning with: 1
0xb72806c0 13:39:22.705 [opensc-tool] sc.c:236:sc_detect_card_presence: returning with: 1
Using reader with a card: Gemalto USB Shell Token V2 (309EF81F) 00 00
0xb72806c0 13:39:22.705 [opensc-tool] sc.c:231:sc_detect_card_presence: called
0xb72806c0 13:39:22.705 [opensc-tool] reader-pcsc.c:370:pcsc_detect_card_presence: called
0xb72806c0 13:39:22.705 [opensc-tool] reader-pcsc.c:283:refresh_attributes: Gemalto USB Shell Token V2 (309EF81F) 00 00 check
0xb72806c0 13:39:22.705 [opensc-tool] reader-pcsc.c:299:refresh_attributes: returning with: 0 (Success)
0xb72806c0 13:39:22.705 [opensc-tool] reader-pcsc.c:375:pcsc_detect_card_presence: returning with: 1
0xb72806c0 13:39:22.705 [opensc-tool] sc.c:236:sc_detect_card_presence: returning with: 1
Connecting to card in reader Gemalto USB Shell Token V2 (309EF81F) 00 00...
0xb72806c0 13:39:22.705 [opensc-tool] card.c:125:sc_connect_card: called
0xb72806c0 13:39:22.705 [opensc-tool] reader-pcsc.c:450:pcsc_connect: called
0xb72806c0 13:39:22.705 [opensc-tool] reader-pcsc.c:283:refresh_attributes: Gemalto USB Shell Token V2 (309EF81F) 00 00 check
0xb72806c0 13:39:22.705 [opensc-tool] reader-pcsc.c:299:refresh_attributes: returning with: 0 (Success)
0xb72806c0 13:39:22.738 [opensc-tool] reader-pcsc.c:472:pcsc_connect: Gemalto USB Shell Token V2 (309EF81F) 00 00:SCardConnect failed: 0x80100066
0xb72806c0 13:39:22.738 [opensc-tool] card.c:249:sc_connect_card: returning with: -1113 (Unresponsive card (correctly inserted?))
Failed to connect to card: Unresponsive card (correctly inserted?)
0xb72806c0 13:39:22.738 [opensc-tool] ctx.c:787:sc_release_context: called
0xb72806c0 13:39:22.738 [opensc-tool] reader-pcsc.c:745:pcsc_finish: called |
From: Sushma <sus...@gm...> - 2013-03-14 09:34:06
|
Hello All,

I'm developing a smart card mini driver based on OpenSC code. I have a few basic questions regarding the smart card.

1. Can I use a blank card (empty content) for testing with OpenSC mini driver code? If not, what should be the initial content of the smart card?
2. Can I use OpenSC mini driver for non-PKCS#15 smart cards? If not, where can I procure sample PKCS#15 cards?
3. Does OpenSC mini driver support PKCS#11 smart cards?
4. The card I'm using at this moment is a non-standard card. Can I still use the OpenSC mini driver code where I can implement card-xxx.c/.h which contains my card specific details?

Any answers would help me understand better.

Thanks and Regards,
Sushma |
From: Martin P. <ma...@ma...> - 2013-03-13 14:16:53
|
On Tue, Mar 12, 2013 at 2:58 PM, Tim Spencer <sam...@gm...> wrote:
> receive help and direction on how to develop my own driver.

Some thoughts for starting:
- Search the internet / ask the vendor for specification/reference
- Browse the card content (opensc-explorer can probably help) for hints (PKCS#15? etc)
- Use a Windows computer inside a VM on Linux and sniff USB traffic for hints

Martin |
From: Tim S. <sam...@gm...> - 2013-03-12 12:58:24
|
Hello

I have been trying to play with OpenSC and I am very amazed by the work. I discovered that I have an unsupported card. I also trolled and discovered that someone else had written to this list with the same card but was very undiligent at supplying required information.

I tried understanding what would be required to write my own card driver but have failed so far.

What information I have gathered:
I have two cards, one initialised with an invalid certificate on it and one not initialised.
As far as I can gather this (3b:7f:14:00:00:80:41:00:57:4a:2d:49:44:4d:36:34:83:7f:90:00) is an Electronic CPF in Brazil manufactured chip.

opensc-tool --atr
Using reader with a card: OMNIKEY CardMan 3x21 0
3b:7f:14:00:00:80:41:00:57:4a:2d:49:44:4d:36:34:83:7f:90:00

Would be very grateful if this card could be supported or receive help and direction on how to develop my own driver.

Thanks a lot
Lo5t |
From: Sushma <sus...@gm...> - 2013-03-11 04:37:06
|
Thanks for the reply. But I could find only one tar file (opensc-0.13.0.tar.gz) which contains the source code of mini driver. There is no separate tar file for x64 and x86.

Regards,
Sushma

On Sun, Mar 10, 2013 at 5:16 PM, Viktor Tarasov <vik...@gm...> wrote:
> On 08/03/2013 12:50, Sushma wrote:
>> Thank you for the reply. Can you provide the link where I can download
>> both the versions? I was not able to find a separate link for each
>> version.
>
> https://github.com/OpenSC/OpenSC/wiki
>
>> Regards,
>> Sushma
>>
>> On Fri, Mar 8, 2013 at 4:16 PM, Martin Paljak <ma...@ma...> wrote:
>>> On Fri, Mar 8, 2013 at 12:23 PM, Sushma <sus...@gm...> wrote:
>>>
>>>> or Is there separate build for x64 and x86 versions?
>>> Yes. |
From: Viktor T. <vik...@gm...> - 2013-03-10 12:33:30
|
Hello,

On 06/03/2013 08:26, Andreas Schwier (ML) wrote:
> Right now the Wiki at Github is more accurate than the one at OpenSC and
> I favour to turn the latter off.
>
> We are losing our user base and our credibility with these kind of
> activities. We already turned-off the mailing list without further
> notice, leaving a good bunch of infrequent followers behind.

Sure, we lost a lot when we had migrated the wiki from trac to github.
As for me, Trac is more friendly and pleasant to use.

But, afais, we do not have sufficient continuous human resources to maintain the stuff on the dedicated platforms.
And so, imho, it's better to lose somewhat in usability, but keep the project independent, as much as possible, of the individual availability/efforts/willing.

> Andreas

Kind regards,
Viktor.

>
>
> On 05.03.2013 15:24, Martin Paljak wrote:
>> On Mon, Mar 4, 2013 at 3:44 PM, Andreas Schwier
>> <and...@ca...> wrote:
>>> I'm confused !
>>>
>>> So which website (and in particular which wiki) are we going to maintain
>>> ? The one at www.opensc-project.org or the one at Github ?
>> https://www.opensc-project.org must be updated to reference github
>> exclusively for all things source.
>>
>> Point-blank copying of the wiki to github and removal of it degrades
>> at least parts of the content and can't happen. In the end what
>> matters is that relevant, correct and up to date information is easily
>> available. And that knowledge doesn't create and organize itself.
>>
>> Martin
> |
From: Viktor T. <vik...@gm...> - 2013-03-10 12:13:46
|
Hello,

On 08/03/2013 05:45, Nguyễn Hồng Quân wrote:
> I'm implementing DATA object support for pkcs15-openpgp emulation layer.
> These pkcs15 DATA objects are mapped to private DOs of OpenPGP card and
> need PIN2 to access.
>
> However, when listing objects by pkcs11-tools, these pkcs15 DATA objects
> appear in the slot of PIN1: http://paste.ubuntu.com/5595070/ and cannot
> be read.

Private DATA object, by definition, is protected by some AuthenticationObject (PIN).
The object's 'auth_id' has to reference this authObject.

So, in your emulation layer, when creating PKCS#15 DATA object, you have to set its 'auth_id' to reference PIN2,
in the same manner as you do it for private key PKCS#15 objects:
https://github.com/OpenSC/OpenSC/blob/master/src/libopensc/pkcs15-openpgp.c#L283

> I want to move it to slot 2, to be able to use PIN2 to read it. How can
> I do?
>
> (Other objects, KEY and CERT, are listed in slot 2:
> http://paste.ubuntu.com/5595074/)

Kind regards,
Viktor. |
From: Viktor T. <vik...@gm...> - 2013-03-10 11:46:27
|
On 08/03/2013 12:50, Sushma wrote:
> Thank you for the reply. Can you provide the link where I can download
> both the versions? I was not able to find a separate link for each
> version.

https://github.com/OpenSC/OpenSC/wiki

> Regards,
> Sushma
>
> On Fri, Mar 8, 2013 at 4:16 PM, Martin Paljak <ma...@ma...> wrote:
>> On Fri, Mar 8, 2013 at 12:23 PM, Sushma <sus...@gm...> wrote:
>>
>>> or Is there separate build for x64 and x86 versions?
>> Yes. |
From: Sushma <sus...@gm...> - 2013-03-08 11:50:38
|
Thank you for the reply. Can you provide the link where I can download both the versions? I was not able to find a separate link for each version.

Regards,
Sushma

On Fri, Mar 8, 2013 at 4:16 PM, Martin Paljak <ma...@ma...> wrote:
> On Fri, Mar 8, 2013 at 12:23 PM, Sushma <sus...@gm...> wrote:
>
>> or Is there separate build for x64 and x86 versions?
>
> Yes. |
From: Martin P. <ma...@ma...> - 2013-03-08 10:46:58
|
On Fri, Mar 8, 2013 at 12:23 PM, Sushma <sus...@gm...> wrote:

> or Is there separate build for x64 and x86 versions?

Yes. |
From: Sushma <sus...@gm...> - 2013-03-08 10:23:59
|
Hello All,

I'm developing a smart card mini driver using the OpenSC sample mini driver for my smart card.

In Win 7 x64 with Certutil -scinfo, I see CardGetProperty(), CardReadFile(),... function calls after CardAcquireContext() ends. However, in Win 7 x86 no routines are invoked after CardAcquireContext().

Is there something I need to take care of for the x86 configuration? or Is there separate build for x64 and x86 versions? Any suggestions?

Regards,
Sushma |
From: Martin P. <ma...@ma...> - 2013-03-08 07:39:32
|
Hello,

On Fri, Mar 8, 2013 at 6:45 AM, Nguyễn Hồng Quân <qua...@mb...> wrote:
> I want to move it to slot 2, to be able to use PIN2 to read it. How can
> I do?

I think you mean PIN1 (not the signature PIN) ?

> (Other objects, KEY and CERT, are listed in slot 2:
> http://paste.ubuntu.com/5595074/)

The association with a PIN code is created explicitly in pkcs15-openpgp.c. You should also set up the mapping (done by ID-s, grep the pkcs11 module log for "Adding data object")

Martin |
From: Nguyễn H. Q. <qua...@mb...> - 2013-03-08 05:14:09
|
Hello

I'm implementing DATA object support for pkcs15-openpgp emulation layer. These pkcs15 DATA objects are mapped to private DOs of OpenPGP card and need PIN2 to access.

However, when listing objects by pkcs11-tools, these pkcs15 DATA objects appear in the slot of PIN1: http://paste.ubuntu.com/5595070/ and cannot be read.

I want to move it to slot 2, to be able to use PIN2 to read it. How can I do?

(Other objects, KEY and CERT, are listed in slot 2: http://paste.ubuntu.com/5595074/)

--
Regards,
Quân
Y!IM: ng_hquan_vn
GTalk: ng.hong.quan |
From: Martin P. <ma...@ma...> - 2013-03-06 09:23:10
|
On Tue, Mar 5, 2013 at 5:12 PM, Ondrej Mikle <ond...@ni...> wrote:
>> I don't remember
>> if it was the case with Feitian cards or not, but there is also a
>> "wipe all" command.
>
> Do you happen to have reference to the "wipe all" APDU by any chance? I haven't
> seen such instruction anywhere.

pkcs15-init -E ? With the standard Feitian card it seems to work. |
From: Andreas S. (ML) <and...@ca...> - 2013-03-06 07:26:55
|
Hi Martin,

I think Viktor did a great job migrating the Wiki to Github and yes, we need to work on the information provided and improve it. For the card specific part that should be done by the maintainer of the driver code. For the common parts we should organize the work using the mailing list.

Right now the Wiki at Github is more accurate than the one at OpenSC and I favour to turn the latter off.

We are losing our user base and our credibility with these kind of activities. We already turned-off the mailing list without further notice, leaving a good bunch of infrequent followers behind.

Andreas

On 05.03.2013 15:24, Martin Paljak wrote:
> On Mon, Mar 4, 2013 at 3:44 PM, Andreas Schwier
> <and...@ca...> wrote:
>> I'm confused !
>>
>> So which website (and in particular which wiki) are we going to maintain
>> ? The one at www.opensc-project.org or the one at Github ?
> https://www.opensc-project.org must be updated to reference github
> exclusively for all things source.
>
> Point-blank copying of the wiki to github and removal of it degrades
> at least parts of the content and can't happen. In the end what
> matters is that relevant, correct and up to date information is easily
> available. And that knowledge doesn't create and organize itself.
>
> Martin

--

    ---------    CardContact Software & System Consulting
   |.##> <##.|   Andreas Schwier
   |#       #|   Schülerweg 38
   |#       #|   32429 Minden, Germany
   |'##> <##'|   Phone +49 571 56149
    ---------    http://www.cardcontact.de
                 http://www.tscons.de
                 http://www.openscdp.org |
From: Ondrej M. <ond...@ni...> - 2013-03-05 15:12:49
|
On 03/05/2013 01:46 PM, Martin Paljak wrote:
> Hello,
> On Tue, Mar 5, 2013 at 2:09 PM, Ondrej Mikle <ond...@ni...> wrote:
>> 1. Pubkey files (30xx) can be deleted or replaced by anyone without PIN
>> 2. Certificate files (31xx) can be deleted or replaced by anyone without PIN
>> 3. Private key files (29xx) can be deleted by anyone without PIN
>
> Have you checked that the card actually does what the ACL-s say it should do?

Yes, I've tested it. In 3F00/5015 DF, using 'rm 2900', 'rm 3000' in opensc-explorer or equivalent APDU deletes the file. Pubkeys and certs can be replaced using 'put' or delete/create/put sequence (to account for different filesize).

After changing ACL to UPDATE/DELETE to $PIN or NEVER, it works as expected.

>> Question: Is there any reason why such ACL behavior is desired
> Driver author can tell more.

I'd be interested as well.

>> or should it be
>> fixed to authenticate to card if $PIN is required for UPDATE/DELETE?
>
> Probably should be fixed. But keep in mind that if you lose control
> over your card (for example your machine is compromised and unwanted
> code is running on it) the card can be "bricked" by blocking all PIN
> codes and other authentication keys.

Attacker could do that by erasing card and creating undeletable MF 3F00 (DELETE=$PIN ACL). I accidentally managed to achieve that on one token while trying to understand how the epass2003 ACLs work.

> I don't remember
> if it was the case with Feitian cards or not, but there is also a
> "wipe all" command.

Do you happen to have reference to the "wipe all" APDU by any chance? I haven't seen such instruction anywhere.

Ondrej |
From: Andreas S. (ML) <and...@ca...> - 2013-03-05 14:42:24
|
Hi Martin,

thanks for the update.

We hope to make the MicroSD card available any time soon at www.cardomatic.de.

Andreas

On 05.03.2013 15:31, Martin Paljak wrote:
> On Tue, Mar 5, 2013 at 3:33 PM, Andreas Schwier (ML)
> <and...@ca...> wrote:
>> Hi,
>>
>> does anyone have an overview on the current status of OpenSC for Android
>> ? The seek-for-android project did a port of the 0.11.13 version, so is
>> anyone working on a port of the 0.13 release ?
>
> IIRC the only thing required was direct linking (pcsc-lite). I've not
> found the time/interest of trying to re-build android....
>
>
>> Background is, that we've ported the SmartCard-HSM applet to run on a
>> MicroSD card that can be embedded into a mobile phone.
>
> Where can you buy such cards from?
>
>> The
>> remote-management interface of the SmartCard-HSM works independent of
>> the PKCS#11 stack, but of course we need a full middleware stack to make
>> PKI functions available to other applications.
>
> As much as I've followed the topic I don't know of a universal "CSP"
> style approach for Android and the only option is a) rooting b)
> bundling a lot of stuff into applications that can then access the
> devices.
>
> I don't know if/how OpenMobile API can actually help with accessing
> the secure element without patching/rooting.
>
> The best option this far has seemed to be either NFC or Apriva bluetooth reader.
>
> Martin
>

--

    ---------    CardContact Software & System Consulting
   |.##> <##.|   Andreas Schwier
   |#       #|   Schülerweg 38
   |#       #|   32429 Minden, Germany
   |'##> <##'|   Phone +49 571 56149
    ---------    http://www.cardcontact.de
                 http://www.tscons.de
                 http://www.openscdp.org |
From: Martin P. <ma...@ma...> - 2013-03-05 14:31:43
|
On Tue, Mar 5, 2013 at 3:33 PM, Andreas Schwier (ML) <and...@ca...> wrote:
> Hi,
>
> does anyone have an overview on the current status of OpenSC for Android
> ? The seek-for-android project did a port of the 0.11.13 version, so is
> anyone working on a port of the 0.13 release ?

IIRC the only thing required was direct linking (pcsc-lite). I've not found the time/interest of trying to re-build android....

> Background is, that we've ported the SmartCard-HSM applet to run on a
> MicroSD card that can be embedded into a mobile phone.

Where can you buy such cards from?

> The
> remote-management interface of the SmartCard-HSM works independent of
> the PKCS#11 stack, but of course we need a full middleware stack to make
> PKI functions available to other applications.

As much as I've followed the topic I don't know of a universal "CSP" style approach for Android and the only option is a) rooting b) bundling a lot of stuff into applications that can then access the devices.

I don't know if/how OpenMobile API can actually help with accessing the secure element without patching/rooting.

The best option this far has seemed to be either NFC or Apriva bluetooth reader.

Martin |
From: Martin P. <ma...@ma...> - 2013-03-05 14:24:41
|
On Mon, Mar 4, 2013 at 3:44 PM, Andreas Schwier <and...@ca...> wrote:
> I'm confused !
>
> So which website (and in particular which wiki) are we going to maintain
> ? The one at www.opensc-project.org or the one at Github ?

https://www.opensc-project.org must be updated to reference github exclusively for all things source.

Point-blank copying of the wiki to github and removal of it degrades at least parts of the content and can't happen. In the end what matters is that relevant, correct and up to date information is easily available. And that knowledge doesn't create and organize itself.

Martin |
From: Andreas S. (ML) <and...@ca...> - 2013-03-05 13:33:07
|
Hi,

does anyone have an overview on the current status of OpenSC for Android ? The seek-for-android project did a port of the 0.11.13 version, so is anyone working on a port of the 0.13 release ?

Background is, that we've ported the SmartCard-HSM applet to run on a MicroSD card that can be embedded into a mobile phone. The remote-management interface of the SmartCard-HSM works independent of the PKCS#11 stack, but of course we need a full middleware stack to make PKI functions available to other applications.

Andreas

[1] http://code.google.com/p/seek-for-android/wiki/SmartCardPKI

--

    ---------    CardContact Software & System Consulting
   |.##> <##.|   Andreas Schwier
   |#       #|   Schülerweg 38
   |#       #|   32429 Minden, Germany
   |'##> <##'|   Phone +49 571 56149
    ---------    http://www.cardcontact.de
                 http://www.tscons.de
                 http://www.openscdp.org |
From: Martin P. <ma...@ma...> - 2013-03-05 12:46:53
|
Hello,

On Tue, Mar 5, 2013 at 2:09 PM, Ondrej Mikle <ond...@ni...> wrote:
> 1. Pubkey files (30xx) can be deleted or replaced by anyone without PIN
> 2. Certificate files (31xx) can be deleted or replaced by anyone without PIN
> 3. Private key files (29xx) can be deleted by anyone without PIN

Have you checked that the card actually does what the ACL-s say it should do?

> Question: Is there any reason why such ACL behavior is desired

Driver author can tell more.

> or should it be
> fixed to authenticate to card if $PIN is required for UPDATE/DELETE?

Probably should be fixed. But keep in mind that if you lose control over your card (for example your machine is compromised and unwanted code is running on it) the card can be "bricked" by blocking all PIN codes and other authentication keys. The ability to delete/overwrite files if a card is lost is probably an obvious risk. I don't remember if it was the case with Feitian cards or not, but there is also a "wipe all" command.

Martin

>
> Regards,
> Ondrej |
From: Ondrej M. <ond...@ni...> - 2013-03-05 12:29:00
|
Hi,

I noticed that ACLs of many files created with default /usr/share/opensc/epass2003.profile are quite permissive, compared to rest of the profiles for other cards.

Comparison with entersafe.profile for instance:

1. Pubkey files (30xx) can be deleted or replaced by anyone without PIN
   epass2003: ACL = *=NONE;
   entersafe: ACL = *=NEVER,READ=NONE,UPDATE=$PIN;

2. Certificate files (31xx) can be deleted or replaced by anyone without PIN
   epass2003: ACL = READ=NONE,UPDATE=NONE;
   entersafe: ACL = *=NEVER,READ=NONE,UPDATE=$PIN;

3. Private key files (29xx) can be deleted by anyone without PIN

Turns out that it's not as simple as changing the default ACLs. Generating a keypair on the card first creates 30xx pubkey file, then writes the pubkey into the file in epass2003_gen_key(). That requires UPDATE privilege, but setting UPDATE=$PIN will fail since writing to pubkey file happens before calling epass2003_pin_cmd().

Question: Is there any reason why such ACL behavior is desired or should it be fixed to authenticate to card if $PIN is required for UPDATE/DELETE?

Regards,
Ondrej |
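An added example, not part of the original message and not OpenSC code: a small Python audit that resolves the ACL strings quoted above and lists files whose UPDATE or DELETE requires no authentication. The profile fragments, the file IDs 3000/3100, and the in-order handling of `*` are assumptions made for illustration; an operation the ACL never mentions is reported separately as "unspecified" because its effective value depends on driver and card defaults.

```python
"""Audit OpenSC-style profile ACL strings for unauthenticated UPDATE/DELETE.

Added example. The fragments below are constructed around the ACL strings
quoted in the message; they are not copies of the shipped profile files.
"""
import re

# Operations whose unauthenticated use lets anyone replace or remove a file.
SENSITIVE_OPS = ("UPDATE", "DELETE")

# Constructed samples: only the ACL values come from the message.
EPASS2003_SAMPLE = """
EF public-key  { file-id = 3000; ACL = *=NONE; }
EF certificate { file-id = 3100; ACL = READ=NONE,UPDATE=NONE; }
"""
ENTERSAFE_SAMPLE = """
EF public-key  { file-id = 3000; ACL = *=NEVER,READ=NONE,UPDATE=$PIN; }
EF certificate { file-id = 3100; ACL = *=NEVER,READ=NONE,UPDATE=$PIN; }
"""

BLOCK_RE = re.compile(r"EF\s+([\w-]+)\s*\{(.*?)\}", re.S)
ACL_RE = re.compile(r"ACL\s*=\s*([^;]+);")
FILE_ID_RE = re.compile(r"file-id\s*=\s*([0-9A-Fa-f]{4})\s*;")


def parse_acl(acl):
    """Resolve 'OP=COND,...' into (default, {op: cond}).

    Assumption: entries apply in order, and '*' resets every operation,
    so an explicit entry written before '*' is overridden by it.
    """
    default, explicit = None, {}
    for entry in acl.split(","):
        entry = entry.strip()
        if not entry:
            continue
        op, sep, cond = entry.partition("=")
        op, cond = op.strip().upper(), cond.strip().upper()
        if not sep or not op or not cond:
            raise ValueError(f"malformed ACL entry: {entry!r}")
        if op == "*":
            default, explicit = cond, {}
        else:
            explicit[op] = cond
    return default, explicit


def audit(profile_text):
    """Return (name, file_id, op, reason) for each weak sensitive operation."""
    findings = []
    for name, body in BLOCK_RE.findall(profile_text):
        acl_match = ACL_RE.search(body)
        id_match = FILE_ID_RE.search(body)
        file_id = id_match.group(1) if id_match else "?"
        default, explicit = (
            parse_acl(acl_match.group(1)) if acl_match else (None, {})
        )
        for op in SENSITIVE_OPS:
            cond = explicit.get(op, default)
            if cond == "NONE":
                findings.append((name, file_id, op, "no authentication"))
            elif cond is None:
                # Not covered by '*' or an explicit entry: flag for review.
                findings.append((name, file_id, op, "unspecified"))
    return findings


if __name__ == "__main__":
    for label, text in (("epass2003", EPASS2003_SAMPLE),
                        ("entersafe", ENTERSAFE_SAMPLE)):
        results = audit(text)
        print(f"{label}: {len(results)} finding(s)")
        for name, file_id, op, reason in results:
            print(f"  {file_id} {name}: {op} -> {reason}")
```
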
From: Andreas S. <and...@ca...> - 2013-03-04 14:01:21
|
I'm confused !

So which website (and in particular which wiki) are we going to maintain ? The one at www.opensc-project.org or the one at Github ?

Andreas

On 25.02.2013 13:28, Martin Paljak wrote:
> On Mon, Feb 25, 2013 at 12:15 PM, Ludovic Rousseau
> <lud...@gm...> wrote:
>> Trac is not working on the server.
> Apparently non-https site has been misconfigured ever since and
> smoketesting with Chrome seems to be misleading, meaning that removing
> the S from the https URL still somehow automagically loads up the
> secure version of the site (which has been Trac all the time). This is
> fixed.
>
> Martin

--

    ---------    CardContact Software & System Consulting
   |.##> <##.|   Andreas Schwier
   |#       #|   Schülerweg 38
   |#       #|   32429 Minden, Germany
   |'##> <##'|   Phone +49 571 56149
    ---------    http://www.cardcontact.de
                 http://www.tscons.de
                 http://www.openscdp.org |
From: Roberto R. <rob...@gm...> - 2013-03-01 19:51:36
|
2013/2/17 Antonio Russo <aru...@ya...>:
> Hi,
> I'm owner of an Italian CIE issued in the past few months.
> I'm trying to develop a service that uses it for authentication through a
> java applet, my code is an open source project on SF ("authentic").
>
> I can see all the files on the card as pkcs11 data objects, read
> certificates, login on the card, but i have problems signing. Am i hitting a
> bug or an unimplemented feature?

Hello Antonio.

Italian CIE should be functionally equivalent to a CNS, and so perfectly usable (only the authentication keys/certificate) with itacns OpenSC Driver.

I can do some test and report my findings.

In the meanwhile, may you try to authenticate, configuring opensc-pkcs11.so in Firefox to an on-line test page such as: https://webapps.comune.trento.it/ssltest ?

bye,
rob |