Hello all,

Be warned, I am learning all of this as I go, so there may be some
obvious mistakes below that could easily solve my problems.  Feel free
to point those out.  :-)

I've recently finalized the lengthy NDA process that allows me access
to the keys for unlocking and initializing my CardOS 4.4 smartcards.
I have managed to decipher their "initialization scripts" A.K.A. "CSF"
files into APDU statements that I can send directly via opensc-tool.
I even threw together an ugly little limited bash script using awk,
sed, and grep to parse their CSF files into directly-executable APDU
statements via opensc-tool.

I received the cards in manufacturing lifecycle with their proprietary
factory Startkey.

I'm using an SCM SCR3311 USB card reader, and have it working quite
nicely in both Linux and Windows.

Here's a quick summary of what I can *successfully* accomplish with
the cards so far on my Linux workstation:
1.  Send an APDU to change the Factory Startkey to the default "0xff" Startkey.
2.  Send an APDU to move the card from Manufacturing lifecycle to
Administration lifecycle.
3.  Send an APDU to fully erase the card, and set it back to
Manufacturing lifecycle (leaving the key at default)
4.  Initialize the card via pkcs15-init with an SO PIN and a User PIN
as follows:
pkcs15-init -C --so-pin 12345678 --so-puk 09876543
pkcs15-init -P -a a2 -l "User PIN" --pin 09871234 --puk 12340987
5.  Erase the card via pkcs15-init -E
6.  Generate a certificate on-card via pkcs15-init -G
7.  Import a certificate and private key from an Active-Directory
(2008 r2) generated user certificate as follows:
pkcs15-init -S PkiTestCertificate.pfx -f PKCS12 -a a2 -i 45
--passphrase PASSPHRASE --split-key


Now, let's say I perform steps 1, 2, 4, and 7 above on a new card.
Everything seems to work as expected.  I can even do a pkcs15-tool -D
and see all the objects I expect to see from the card.

This is where the fun ends.  Now I'm kind of stuck.

When I take this newly initialized card and plug it into a Windows 7
workstation on the Domain where the user certificate was created, I
can't get the windows system to recognize the card.  I've taken the
following steps on the windows client:
1.  Installed the 12.2 Win64 WindowsInstaller from the OpenSC downloads page.
2.  Created the appropriate registry entries as suggested in the
minidriver wiki entry.  (included below as "registry entries applied")
3.  Rebooted
4.  Inserted the card
5.  From a command prompt, I execute "certutil -SCInfo".

This results in a series of 3 pop-ups stating that I need to insert a
smart card.  The details on the pop-up state that the smart card
inserted is "OpenSC Card", and that "A smart card was detected, but is
not the one required for the current operation.  The smart card you
are using may be missing required driver software or a required
certificate."  I only have the option to "Cancel" these pop-ups.

Additionally, I get the output below on the command-line.
(included below as "certutil output")

This is where I'm stuck.  What am I missing to allow Windows 7 x64 to
see and access certificates on this smart card?

One notable issue that may be the solution:  Included with the
proprietary CSF scripts were a series of 256-byte APDU commands to
apply a "service pack" to the cards prior to
initialization/personalization.  But I am not familiar with how to
apply these super-long APDUs to the cards via the opensc-suite of
utilities.

I'd greatly appreciate any suggestions or good leads toward completing
this project.

Thanks in advance!

******registry entries applied******
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Calais\SmartCards\OpenSC Card]
"ATR"=hex:3b,d2,18,02,c1,0a,31,fe,58,c8,0d,51
"ATRMask"=hex:ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff
"Smart Card Key Storage Provider"="Microsoft Smart Card Key Storage Provider"
"Crypto Provider"="Microsoft Base Smart Card Crypto Provider"
"80000001"="opensc-minidriver.dll"

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Calais\SmartCards\OpenSC Card]
"ATR"=hex:3b,d2,18,02,c1,0a,31,fe,58,c8,0d,51
"ATRMask"=hex:ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff
"Crypto Provider"="Microsoft Base Smart Card Crypto Provider"
"Smart Card Key Storage Provider"="Microsoft Smart Card Key Storage Provider"
"80000001"="opensc-minidriver.dll"
******registry entries applied******

******certutil output******
The Microsoft Smart Card Resource Manager is running.
Current reader/card status:
Readers: 1
  0: SCM Microsystems Inc. SCR33x USB Smart Card Reader 0
--- Reader: SCM Microsystems Inc. SCR33x USB Smart Card Reader 0
--- Status: SCARD_STATE_PRESENT | SCARD_STATE_UNPOWERED
--- Status: The card is available for use.
---   Card: OpenSC Card
---    ATR:
        3b d2 18 02 c1 0a 31 fe  58 c8 0d 51               ;.....1.X..Q


=======================================================
Analyzing card in reader: SCM Microsystems Inc. SCR33x USB Smart Card Reader 0

--------------===========================--------------
================ Certificate 0 ================
--- Reader: SCM Microsystems Inc. SCR33x USB Smart Card Reader 0
---   Card: OpenSC Card
Provider = Microsoft Base Smart Card Crypto Provider
Key Container = (null) [Default Container]

Cannot open the AT_SIGNATURE key for reader: SCM Microsystems Inc. SCR33x USB Smart Card Reader 0
Cannot open the AT_KEYEXCHANGE key for reader: SCM Microsystems Inc. SCR33x USB Smart Card Reader 0

--------------===========================--------------
================ Certificate 0 ================
--- Reader: SCM Microsystems Inc. SCR33x USB Smart Card Reader 0
---   Card: OpenSC Card
Provider = Microsoft Smart Card Key Storage Provider
Key Container = (null) [Default Container]

Cannot open the  key for reader: SCM Microsystems Inc. SCR33x USB Smart Card Reader 0

--------------===========================--------------

Done.
CertUtil: -SCInfo command completed successfully.
******certutil output******
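The registry fragment in the post registers the card for Windows by ATR and ATRMask, and certutil prints the ATR the reader actually sees. The script below is an added example (not code from the post or from the OpenSC project) that parses a .reg export of a Calais SmartCards key, parses the ATR line from certutil -SCInfo, and checks that the card ATR, ANDed with ATRMask, equals the registered ATR byte for byte, which is the matching rule the Calais database applies (stated here as an assumption about Windows behaviour, not something the post documents). It also flags a registered ATR that carries bits outside its own mask (which can never match) and any of the five value names from the post that are missing. The registry text and the certutil ATR line are inline copies of the lines in the post; the function names are my own.

```python
import re

# Inline copy of the 64-bit registry fragment from the post (constructed test input).
REG_TEXT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Calais\SmartCards\OpenSC Card]
"ATR"=hex:3b,d2,18,02,c1,0a,31,fe,58,c8,0d,51
"ATRMask"=hex:ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff
"Smart Card Key Storage Provider"="Microsoft Smart Card Key Storage Provider"
"Crypto Provider"="Microsoft Base Smart Card Crypto Provider"
"80000001"="opensc-minidriver.dll"
'''

# Inline copy of the ATR line printed by certutil -SCInfo in the post (constructed test input).
CERTUTIL_ATR_LINE = "        3b d2 18 02 c1 0a 31 fe  58 c8 0d 51               ;.....1.X..Q"

# Value names the post's registry entries carry; we report any that are absent.
REQUIRED_VALUES = ("ATR", "ATRMask", "Crypto Provider",
                   "Smart Card Key Storage Provider", "80000001")


def parse_reg(text):
    """Parse a .reg export into {key_path: {value_name: value}}; hex: values become bytes."""
    entries = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            entries[current] = {}
            continue
        m = re.match(r'^"([^"]+)"=(.*)$', line)
        if not m or current is None:
            raise ValueError(f"unparseable .reg line: {raw!r}")
        name, val = m.group(1), m.group(2)
        if val.startswith("hex:"):
            entries[current][name] = bytes(int(b, 16) for b in val[4:].split(",") if b)
        elif val.startswith('"') and val.endswith('"'):
            entries[current][name] = val[1:-1]
        else:
            entries[current][name] = val
    return entries


def parse_certutil_atr(line):
    """Extract the ATR bytes from a certutil -SCInfo ATR line, dropping the ASCII gutter after ';'."""
    hex_part = line.split(";")[0]
    return bytes(int(tok, 16) for tok in hex_part.split())


def atr_matches(card_atr, reg_atr, mask):
    """Assumed Calais rule: (card ATR AND ATRMask) must equal the registered ATR, same length."""
    if not (len(card_atr) == len(reg_atr) == len(mask)):
        return False
    return bytes(c & m for c, m in zip(card_atr, mask)) == reg_atr


def check_registration(reg_text, certutil_atr_line):
    """Return a list of findings for each SmartCards key; an empty list means the card matches."""
    findings = []
    card_atr = parse_certutil_atr(certutil_atr_line)
    for path, values in parse_reg(reg_text).items():
        missing = [v for v in REQUIRED_VALUES if v not in values]
        if missing:
            findings.append(f"{path}: missing values {missing}")
            continue
        reg_atr, mask = values["ATR"], values["ATRMask"]
        if bytes(a & m for a, m in zip(reg_atr, mask)) != reg_atr:
            findings.append(f"{path}: registered ATR has bits outside ATRMask and can never match")
        if not atr_matches(card_atr, reg_atr, mask):
            findings.append(f"{path}: card ATR {card_atr.hex()} does not match registered "
                            f"ATR {reg_atr.hex()} under mask {mask.hex()}")
    return findings


if __name__ == "__main__":
    for finding in check_registration(REG_TEXT, CERTUTIL_ATR_LINE) or ["registration matches card ATR"]:
        print(finding)
```

For the values in the post the check passes, which agrees with certutil already naming the card "OpenSC Card": the ATR lookup is not where this particular setup fails, and the "Cannot open the ... key" lines come from a later stage. The check is still the first thing to re-run after any edit to the ATR or mask, since a single wrong byte silently turns the card back into an unrecognized one.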
_______________________________________________
opensc-devel mailing list
opensc-devel@lists.opensc-project.org
http://www.opensc-project.org/mailman/listinfo/opensc-devel