From: Grzegorz K. <gk...@le...> - 2017-12-31 00:43:58

Hello,

Excuse me if it was answered before, but I can't find it anywhere. Also excuse my ignorance in SC standards and protocols.

I think that OpenSC has supported normal OpenPGP cards for some time, directly, without software like scute. For example there is openpgp-tool, and with opensc-pkcs11.so programs like Firefox can access an OpenPGP card as a key/cert store for TLS client certificate auth.

Yubikey 4 is supposed to emulate an OpenPGP card (and support other protocols, including PIV and U2F). But openpgp-tool doesn't seem to work with Yubikey 4, and opensc-pkcs11.so loaded in Firefox seems to only discover the PIV side of Yubikey 4. Also https://github.com/sektioneins/micro-ca-tool does not seem to talk with Yubikey 4, probably because OpenSC doesn't recognize it as an OpenPGP card.

Since in our organization we care about compatibility with "normal" OpenPGP cards, we want to configure OpenSC to support Yubikey 4 as a normal OpenPGP card (in addition to or instead of PIV). Is it possible? If not: why? If yes: how?

Thank you in advance.

-- Grzegorz Kulewski
From: Douglas E E. <dee...@gm...> - 2017-12-31 13:41:41

You may want to read this issue and the comment: https://github.com/OpenSC/OpenSC/issues/953#issuecomment-353591483

The main problem comes from having two applets on the same card that cannot both be active at the same time, because they interfere with each other and lose the login state, or two different applications try to have exclusive access to the card and lock each other out for long periods. This makes it impossible to get the serial number or determine if the applet even exists or is being used.

Yubico could have solved this by treating the PGP and PIV apps as separate USB devices on the same Yubikey. They already emulate multiple USB devices, but all the CCID applets look like they are on the same device. Best I can tell, U2F does not use CCID, so to the OS the Yubikey looks like multiple devices and U2F can work independently from the PIV or PGP.

Right now OpenSC does not have a good way to determine which applet the user wants to use, PIV or PGP, other than to turn off one of the drivers in the opensc.conf file. Right now, if there is a PIV applet, it is selected.

As I said in https://github.com/OpenSC/OpenSC/issues/953#issuecomment-353591483, I am going to look at what it would take to change the PIV driver to see if the PIV applet looks like it is active, i.e. has some certificate or other indication that it is initialized. If not, then let the PGP driver have a look at it. OR use an environment variable to say which one to select. OR see if both the PIV and PGP applets could be selected within OpenSC and present them as multiple slots to PKCS#11.

The Yubikey is the only device I know of that has two applets OpenSC can support, and OpenSC only selects one.

-- Douglas E. Engert <DEE...@gm...>
From: Grzegorz K. <gk...@le...> - 2017-12-31 13:56:55

I saw that issue before. Thank you for looking into it.

What is the easiest/best way to disable PIV for now in the config file?

-- Grzegorz Kulewski
From: Jakub J. <jj...@re...> - 2018-01-02 15:37:51

On Sun, 2017-12-31 at 14:56 +0100, Grzegorz Kulewski wrote:
> I saw that issue before. Thank you for looking into it.
>
> What is the easiest/best way to disable PIV for now in the config
> file?

Hello.
The referenced issue is, from my point of view, about consecutive usage of the OpenPGP card and PIV at the same time from PKCS#11 and PGP directly.

This question looks more like whether we can access the OpenPGP card on the Yubikey using OpenSC.

We have an openpgp driver, and if we adjust the driver priority using card_drivers in /etc/opensc.conf, we should achieve this.

But it does not work for me, and I am not able to make OpenSC detect the OpenPGP applet over PKCS#11 (with OpenSC 0.17.0). I don't have a lot of experience with OpenPGP, but it might be the case that the driver does not support the version on the Yubikey, or vice versa. The debug log should say more.

Regards,
Jakub

--
Jakub Jelen
Software Engineer
Security Technologies
Red Hat, Inc.
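The two configuration knobs the thread keeps referring to (turning a driver off, and adjusting driver priority with card_drivers) look like this in practice. The fragment below is an added illustration, not text from the thread and not a file shipped by the OpenSC project; the `app default` block, the `internal` keyword and the `card_driver` / `card_drivers` options are the standard opensc.conf ones, and `openpgp` and `PIV-II` are the driver short names that `opensc-tool -D` lists. Which option you use is a choice, and as Jakub reports, on OpenSC 0.17.0 reordering alone may still not make the OpenPGP applet show up over PKCS#11, so treat it as something to verify with the debug log rather than as a guaranteed fix.

```conf
# Added example of an /etc/opensc.conf fragment (not from the thread or
# from the OpenSC sources).  Driver short names are the ones that
# "opensc-tool -D" prints: "openpgp" and "PIV-II".

app default {
    # Default: every built-in driver is probed in OpenSC's own order.
    # The thread reports that on a Yubikey 4 this ends with the PIV-II
    # driver selected, so the OpenPGP applet is never seen.
    # card_drivers = internal;

    # Option 1: give openpgp priority.  Drivers are probed in the order
    # listed; "internal" expands to every remaining built-in driver and
    # must be the last entry.  PIV-II stays loaded for cards that the
    # openpgp driver does not claim.
    card_drivers = openpgp, internal;

    # Option 2: force a single driver and skip probing altogether.
    # This is the blunt way to "disable PIV": every OpenSC application
    # that reads this block (opensc-pkcs11 in Firefox, ssh via PKCS#11,
    # piv-tool) loses the PIV applet.  Uncomment only if that is intended.
    # card_driver = openpgp;
}
```

While testing, keep the system file untouched and point OpenSC at a private copy with the `OPENSC_CONF` environment variable; set `OPENSC_DEBUG` (or `debug` and `debug_file` in the same block) to capture the log Jakub mentions. `opensc-tool -n` prints the name of the driver that claimed the card, and `openpgp-tool --card-info` confirms whether the OpenPGP applet actually answers once the openpgp driver is in front.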
From: Douglas E E. <dee...@gm...> - 2018-01-02 16:36:15

I opened an issue yesterday on this: https://github.com/OpenSC/OpenSC/issues/1230

Can you try the simple fix in: https://github.com/OpenSC/OpenSC/issues/1230#issuecomment-354787390

This would show if the problem is in just the select file vs select AID, or if more is needed.

-- Douglas E. Engert <DEE...@gm...>