From: Pierre L. <pl...@ac...> - 2015-04-24 13:21:35

Hi,

Just wanted to let you know the end of the story, it might help other "lost" users.

ACS sent us a "Linux client kit" which provides a PKCS11 lib for their tokens.
The provided admin tool works quite well with Linux, allowing to manage the tokens.
Ssh client, or pkcs11 compliant browser are working too, with that same lib.

Unfortunately the library (libacospkcs11.so) is not opensource, and ACS does not seem to provide a full opensource opensc module.

Regards,
Pierre

2015-04-16 15:17 GMT+02:00 Pierre LADEN <pl...@ac...>:

> 2015-04-15 16:59 GMT+02:00 Martin Paljak <ma...@ma...>:
>
>> On 15/04/15 17:54, Pierre LADEN wrote:
>> > However it seems like opensc have some support for "acos5 / ACS ACOS5
>> > card", which is quite near the ACOS5-64 included in Cryptomate64 (64k
>> > instead of 32k).
>>
>> The driver is incomplete, it just displays some basic information.

From: Carsten <ka6...@on...> - 2015-05-02 18:57:54

>>On 24.04.2015, Pierre LADEN wrote:
>>
>>Hi,
>>
>>Just wanted to let you know the end of the story, it might help other "lost" users.
>>
>>ACS sent us a "Linux client kit" which provides a PKCS11 lib for their tokens.
>>The provided admin tool works quite well with Linux, allowing to manage the tokens.
>>Ssh client, or pkcs11 compliant browser are working too, with that same lib.
>>
>>Unfortunately the library (libacospkcs11.so) is not opensource, and ACS does not seem to provide a full opensource opensc module.
>>
>>Regards,
>>Pierre

Hi all,

the existence of a "Linux client kit" is good news for me, another
"lost" user.
I tried to implement an "acos5_64"-driver for CryptoMate64 with some
success, but I'm stuck finishing that.
What I can do and did is implementing any functionality the reference
manual exposes (except secure messaging so far), but I don't know any more
how to integrate that into the opensc framework.
After many hours of spare time spent on this open source project, I'm at
the point to decide, either to give up and buy, or continue with
substantial help/co-working/take-over from/by somebody interested.

As an example of what is working (opensc-tool seems complete,
opensc-explorer seems read-only complete), a listing of pkcs11-tool:
(The contents of my usb token have been set up based on an
initialization with my employer's windows client kit, populated/extended
manually with 4 RSA keys, ODF, AODF, PrKDF, PuKDF, CDF (experimental,
self-signed), the pkcs#15-structure seems to be readable by opensc):

carsten@tux:~$ pkcs11-tool --module=/usr/lib/pkcs11/pkcs11-spy.so -lt
Using slot 1 with a present token (0x1)
Logging in to "(unknown) (Basic PIN)".
Please enter User PIN:
C_SeedRandom() and C_GenerateRandom():
  seeding (C_SeedRandom) not supported
  seems to be OK
Digests:
  all 4 digest functions seem to work
  MD5: OK
  SHA-1: OK
  RIPEMD160: OK
Signatures (currently only RSA signatures)
  testing key 0 (DecryptSignenL)
  all 4 signature functions seem to work
  testing signature mechanisms:
    RSA-X-509: OK
    RSA-PKCS: OK
    SHA1-RSA-PKCS: OK
    SHA256-RSA-PKCS: OK
  testing key 1 (1790 bits, label=DecryptSignenS) with 1 signature mechanism
  testing key 2 (4096 bits, label=Decrypten) with 1 signature mechanism
  -- can't be used to sign/verify, skipping
  testing key 3 (4095 bits, label=Signen) with 1 signature mechanism
Verify (currently only for RSA):
  testing key 0 (DecryptSignenL)
    RSA-X-509: OK
    RSA-PKCS: OK
    SHA1-RSA-PKCS: OK
  testing key 1 (DecryptSignenS) with 1 mechanism
    RSA-X-509: OK
  testing key 2 (Decrypten) with 1 mechanism
  -- can't be used to sign/verify, skipping
  testing key 3 (Signen) with 1 mechanism
    RSA-X-509: ERR: verification failed ERR: C_Verify() returned CKR_SIGNATURE_INVALID (0xc0)
Unwrap: not implemented
Decryption (RSA)
  testing key 0 (DecryptSignenL)
    RSA-X-509: OK
    RSA-PKCS: OK
  testing key 1 (DecryptSignenS)
    RSA-X-509: OK
    RSA-PKCS: OK
  testing key 2 (Decrypten)
    RSA-X-509: OK
    RSA-PKCS: OK
  testing key 3 (Signen) -- can't be used to decrypt, skipping
2 errors

Surprisingly, the first real-world application, using openssh with the
token, now suddenly does work, maybe due to upgrading to Ubuntu 15.04.

carsten@tux:~$ ssh-add -L
The agent has no identities.
carsten@tux:~$ ssh-add -s /usr/lib/pkcs11/opensc-pkcs11.so
Enter passphrase for PKCS#11:
Card added: /usr/lib/pkcs11/opensc-pkcs11.so
carsten@tux:~$ ssh-add -l
4095 0b:b5:ce:fe:ec:b9:c9:41:49:b2:a8:10:6f:ae:83:b0 /usr/lib/pkcs11/opensc-pkcs11.so (RSA)
4095 3f:a8:b8:ed:90:04:98:2b:00:d6:10:dc:ce:a3:ec:2c /usr/lib/pkcs11/opensc-pkcs11.so (RSA)
1790 f6:da:8c:a3:cd:72:fb:6b:da:8c:51:d5:b9:c5:70:d9 /usr/lib/pkcs11/opensc-pkcs11.so (RSA)
4096 d9:37:92:15:0b:41:50:0d:25:a1:ef:04:41:d8:73:a0 /usr/lib/pkcs11/opensc-pkcs11.so (RSA)
carsten@tux:~$ opensc-tool -D
Configured card drivers:
cardos Siemens CardOS
...
acos5 ACS ACOS5 card
acos5_64 ACS ACOS5-64 Cryptographic USB/Card
...
Any comments are highly appreciated.
Regards,
Carsten
From: Carsten B. <ka6...@on...> - 2015-05-04 15:04:02

Hi all,

there is a new fork now, dedicated to an ACS acos5_64-driver (CryptoMate64):

https://github.com/carblue/OpenSC/tree/master/src

Its current status is:
The function 'acos5_64_compute_signature', called when a priv. key usage is sign only, is known not to work properly.
Secure Messaging is not implemented.
Changing contents on the card is not implemented.
If reading the card only, many usage scenarios should work, for example:
Konsole output
ssh-add -e /usr/lib/pkcs11/opensc-pkcs11.so

The procedure to compile/install is as described in
https://github.com/OpenSC/OpenSC/wiki/Compiling-and-Installing-OpenSC-on-Unix-flavors
with 1 amendment: I didn't install the acsccid package (libccid seems to be sufficient).
(Replacing 'sudo make install' by 'sudo checkinstall' might be an option for easy removal later on.)

Feel free to contact me if you want write access on this fork.

Regards,
Carsten

From: Douglas E E. <dee...@gm...> - 2015-05-04 16:29:35

When you go to implement SM, please have a look at existing SM code in OpenSC such as the cwa14589.c and related files used by the card-dnie.c driver.

On 5/4/2015 9:50 AM, Carsten Blüggel wrote:
> Hi all,
>
> there is a new fork now, dedicated to an ACS acos5_64-driver (CryptoMate64):
>
> https://github.com/carblue/OpenSC/tree/master/src
>
> Its current status is:
> The function 'acos5_64_compute_signature', called when a priv. key usage is sign only, is known not to work properly.
> Secure Messaging is not implemented.
> Changing contents on the card is not implemented.
> If reading the card only, many usage scenarios should work, for example:
> Konsole output
> ssh-add -e /usr/lib/pkcs11/opensc-pkcs11.so
>
> The procedure to compile/install is as described in
> https://github.com/OpenSC/OpenSC/wiki/Compiling-and-Installing-OpenSC-on-Unix-flavors
> with 1 amendment: I didn't install the acsccid package (libccid seems to be sufficient).
> (Replacing 'sudo make install' by 'sudo checkinstall' might be an option for easy removal later on.)
>
> Feel free to contact me if you want write access on this fork.
>
> Regards,
> Carsten

--
Douglas E. Engert <DEE...@gm...>