Dear all,

Because users have smartcards in the wallet and need to connect from any
computer, including Mac OS X, Windows and GNU/Linux, and they don't know
in advance which framework is installed, it seems important that card
initialization is consistent between proprietary drivers and OpenSC.

I tried different scenarios with the Feitian PKI.

It seems that after initializing a Feitian PKI on Windows 7 64-bit (CSP), you
are able to use the card on GNU/Linux (OpenSC). But the converse is not
always true: Windows may not accept the PIN code or may declare certificates
invalid.

So I did a simple test:
* Under Windows 7 64-bit: use only Feitian tools.
* Under GNU/Linux: use only OpenSC 0.10.0 + Firefox.

I initialized a card with PIN code 0000 and transferred a certificate
using Firefox. This is what users are going to do if they enroll on
online servers, which I expect.

Please find below a comparative dump of the cards.

My questions are:
1) Should the PIN and RSA/certificate flags be consistent for all drivers?
Is that important for Windows 7 or OpenSC? Please note the difference
in the PIN flags.
2) If the flags are important, could we consider some kind of
initialization option like --windows, which would add the same flags as
if initialized by proprietary drivers?
3) Can the flags be modified after a card is initialized by OpenSC? I
would like to study the importance of flags.
4) The PIN flags are from OpenSC.
5) Most flags are from RSA/X.509 certs. Do OpenSC or Firefox add flags
during transfer of certs?

Basically, I would like to be able to initialize cards so that users are
never aware this was OpenSC and not the proprietary drivers. Is that
possible?

Sorry for all these questions, I hope this can be useful for basic
users.

Kind regards,
-- 
                  Jean-Michel Pouré - Gooze - http://www.gooze.eu

*****************
Proprietary card dump:

PKCS#15 Card [Gooze                           ]:
        Version        : 0
        Serial number  : 0834493916261110
        Manufacturer ID: www.ftsafe.com
        Flags          : Login required

PIN [User Pin]
        Object Flags   : [0x3], private, modifiable
        ID             : ff
        Flags          : [0x933], case-sensitive, local, initialized,
needs-padding, disable_allowed, exchangeRefData
        Length         : min_len:4, max_len:8, stored_len:8
        Pad char       : 0x00
        Reference      : 0
        Type           : ascii-numeric
        Path           : 3f005015

Private RSA Key [nolabel]
        Object Flags   : [0x3], private, modifiable
        Usage          : [0x2E], decrypt, sign, signRecover, unwrap
        Access Flags   : [0xD], sensitive, alwaysSensitive, neverExtract
        ModLength      : 2048
        Key ref        : 1
        Native         : yes
        Path           : 3f005015
        Auth ID        : ff00
        ID             :
37453638353137422d384131332d344637392d383133382d4136374545423134464546423100

Public RSA Key [nolabel]
        Object Flags   : [0x2], modifiable
        Usage          : [0xD1], encrypt, wrap, verify, verifyRecover
        Access Flags   : [0x0]
        ModLength      : 2048
        Key ref        : 1
        Native         : yes
        Path           : 3f0050154300
        ID             :
37453638353137422d384131332d344637392d383133382d4136374545423134464546423100

X.509 Certificate [Jean-Michel Pouré's CAcert Class 3 Root ID]
        Object Flags   : [0x2], modifiable
        Authority      : no
        Path           : 3f0050154300
        ID             :
37453638353137422d384131332d344637392d383133382d4136374545423134464546423100
        Encoded serial : 02 03 00BB5E

****************************************

Initialized with OpenSC dump:

PKCS#15 Card [Gooze]:
        Version        : 0
        Serial number  : 0834493916261110
        Manufacturer ID: EnterSafe
        Last update    : 20110107185446Z
        Flags          : EID compliant

PIN [User PIN]
        Object Flags   : [0x3], private, modifiable
        ID             : 01
        Flags          : [0x32], local, initialized, needs-padding
        Length         : min_len:4, max_len:16, stored_len:16
        Pad char       : 0x00
        Reference      : 1
        Type           : ascii-numeric
        Path           : 3f005015

Private RSA Key [ID CAcert Inc. de Jean-Michel Pouré]
        Object Flags   : [0x3], private, modifiable
        Usage          : [0x4], sign
        Access Flags   : [0x0]
        ModLength      : 2048
        Key ref        : 1
        Native         : yes
        Path           : 3f005015
        Auth ID        : 01
        ID             : 5bcac4c3fb1259ae7ade586200136759cba22bdc

Public RSA Key [Public Key]
        Object Flags   : [0x2], modifiable
        Usage          : [0x4], sign
        Access Flags   : [0x0]
        ModLength      : 2048
        Key ref        : 0
        Native         : no
        Path           : 3f0050153000
        Auth ID        : 01
        ID             : 5bcac4c3fb1259ae7ade586200136759cba22bdc

X.509 Certificate [ID CAcert Inc. de Jean-Michel Pouré]
        Object Flags   : [0x2], modifiable
        Authority      : no
        Path           : 3f0050153100
        ID             : 5bcac4c3fb1259ae7ade586200136759cba22bdc
        Encoded serial : 02 03 00BB5E

************

_______________________________________________
opensc-devel mailing list
opensc-devel@lists.opensc-project.org
http://www.opensc-project.org/mailman/listinfo/opensc-devel
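Added example, not part of the message above and not OpenSC's own code: a small script that parses two pkcs15-tool dumps, decodes the hex bitmasks printed in brackets (PIN Flags, key Usage, Access Flags, Object Flags) using the bit assignments OpenSC uses for the PKCS#15 BIT STRINGs (SC_PKCS15_PIN_FLAG_*, SC_PKCS15_PRKEY_USAGE_*, SC_PKCS15_PRKEY_ACCESS_* and SC_PKCS15_CO_FLAG_* in pkcs15.h), and reports, field by field, which bits one card has and the other lacks. It is meant for exactly the comparison the message asks about: instead of eyeballing 0x933 against 0x32, it states that the proprietary initialization sets case-sensitive, disable_allowed and exchangeRefData on the PIN and the OpenSC one does not, and likewise for the key usage and access flags. The function names (parse_dump, decode_flags, diff_dumps) are the example's own; the two embedded dumps are abridged copies of the ones in the message, including the mail-wrapped continuation line, which the parser handles.

```python
"""Diff two pkcs15-tool dumps and decode the PKCS#15 flag bitmasks that differ."""
import re

# Bit assignments as OpenSC encodes the PKCS#15 BIT STRINGs (SC_PKCS15_PIN_FLAG_*,
# SC_PKCS15_PRKEY_USAGE_*, SC_PKCS15_PRKEY_ACCESS_*, SC_PKCS15_CO_FLAG_*).
PIN_FLAGS = {0x001: "case-sensitive", 0x002: "local", 0x004: "change-disabled",
             0x008: "unblock-disabled", 0x010: "initialized", 0x020: "needs-padding",
             0x040: "unblockingPin", 0x080: "soPin", 0x100: "disable_allowed",
             0x200: "integrity-protected", 0x400: "confidentiality-protected",
             0x800: "exchangeRefData"}
KEY_USAGE = {0x01: "encrypt", 0x02: "decrypt", 0x04: "sign", 0x08: "signRecover",
             0x10: "wrap", 0x20: "unwrap", 0x40: "verify", 0x80: "verifyRecover",
             0x100: "derive", 0x200: "nonRepudiation"}
KEY_ACCESS = {0x01: "sensitive", 0x02: "extract", 0x04: "alwaysSensitive",
              0x08: "neverExtract", 0x10: "local"}
FIELD_TABLES = {"Object Flags": {0x01: "private", 0x02: "modifiable"},
                "Usage": KEY_USAGE, "Access Flags": KEY_ACCESS}
HEX_FLAGS = re.compile(r"\[0x([0-9A-Fa-f]+)\]")

def decode_flags(value, table):
    """Names of the bits set in value, lowest bit first; unknown bits kept as hex."""
    names = [name for bit, name in sorted(table.items()) if value & bit]
    unknown = value & ~sum(table)
    return names + (["unknown:0x%x" % unknown] if unknown else [])

def table_for(section, field):
    """Bit table for a field, or None when the field is free text (card Flags, IDs)."""
    return PIN_FLAGS if (section, field) == ("PIN", "Flags") else FIELD_TABLES.get(field)

def parse_dump(text):
    """Parse pkcs15-tool output into {section: {field: value}}.  A non-indented line
    containing '[' (e.g. "PIN [User PIN]") opens a section; any other non-indented
    line is a mail-wrapped continuation of the previous field's value."""
    sections, current, last = {}, None, None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if not raw[0].isspace():
            if "[" in raw:
                current, last = raw.split("[", 1)[0].strip(), None
                sections[current] = {}
            elif current is not None and last:
                sections[current][last] = (sections[current][last] + " " + raw.strip()).strip()
            continue
        field, _, value = raw.strip().partition(":")
        last = field.strip()
        sections[current][last] = value.strip()
    return sections

def diff_dumps(a_text, b_text):
    """{(section, field): (a, b)} for every field that differs.  Flag fields come
    back as frozensets of bit names so the exact bits added or dropped are explicit."""
    a, b = parse_dump(a_text), parse_dump(b_text)
    out = {}
    for section in sorted(set(a) | set(b)):
        fa, fb = a.get(section, {}), b.get(section, {})
        for field in sorted(set(fa) | set(fb)):
            va, vb = fa.get(field, "<absent>"), fb.get(field, "<absent>")
            table, ma, mb = table_for(section, field), HEX_FLAGS.search(va), HEX_FLAGS.search(vb)
            if table and ma and mb:
                va = frozenset(decode_flags(int(ma.group(1), 16), table))
                vb = frozenset(decode_flags(int(mb.group(1), 16), table))
            if va != vb:
                out[(section, field)] = (va, vb)
    return out

# Abridged copies of the two dumps in the message (proprietary CSP vs OpenSC),
# keeping the line wrap that the mail client inserted into the PIN Flags value.
PROPRIETARY = """\
PIN [User Pin]
        ID             : ff
        Flags          : [0x933], case-sensitive, local, initialized,
needs-padding, disable_allowed, exchangeRefData
Private RSA Key [nolabel]
        Object Flags   : [0x3], private, modifiable
        Usage          : [0x2E], decrypt, sign, signRecover, unwrap
        Access Flags   : [0xD], sensitive, alwaysSensitive, neverExtract
        Auth ID        : ff00
Public RSA Key [nolabel]
        Usage          : [0xD1], encrypt, wrap, verify, verifyRecover
        Native         : yes
"""
OPENSC = """\
PIN [User PIN]
        ID             : 01
        Flags          : [0x32], local, initialized, needs-padding
Private RSA Key [ID CAcert Inc. de Jean-Michel Pouré]
        Object Flags   : [0x3], private, modifiable
        Usage          : [0x4], sign
        Access Flags   : [0x0]
        Auth ID        : 01
Public RSA Key [Public Key]
        Usage          : [0x4], sign
        Native         : no
"""

if __name__ == "__main__":
    for (section, field), (va, vb) in sorted(diff_dumps(PROPRIETARY, OPENSC).items()):
        if isinstance(va, frozenset):
            va, vb = sorted(va - vb), sorted(vb - va)  # bits each side has that the other lacks
        print("%-16s %-13s proprietary=%s opensc=%s" % (section, field, va, vb))
```

Run it as-is to see the abridged comparison, or replace the two strings with full `pkcs15-tool -D` output captured from a card initialized each way. Fields whose bitmask is identical (the Object Flags here) are omitted from the report, and a bit that neither table knows is reported as `unknown:0x...` rather than silently dropped, so a driver that sets a vendor-specific bit still shows up in the diff.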
