Hello,

I have neither 'Windows 7 x64' nor 'CardOS 4.4' to test with.
I have been testing with 'CardOS v4.3b' on 'WinXP 32bit'.

The MSI was built by the 'nightly build', which uses the 'SM' branch:
http://www.opensc-project.org/downloads/nightly/viktor/win32/OpenSC-build102.71a73a59648aa4648d42dca2596cb624cd309af7.msi

The card was initialized and the cert/key imported on Linux, using the package
built from the 'SM' branch:
# cardos-tool -f
# pkcs15-init -E
# pkcs15-init -C --label "Test" -P --auth-id 53434D --so-pin "12345678" --so-puk "123456" --pin "9999" --puk "8888"
# pkcs15-init -a 53434D --label "SmartCard Logon" -S basic-user-smartcard-logon.p12 -f pkcs12 --passphrase coucou --so-pin "12345678" --pin "9999"

Then in Windows:
C:\WINDOWS>certutil -SCinfo
402.203.0: 0x80070057 (WIN32: 87): ..CertCli Version
The Microsoft Smart Card Resource Manager is running.
Current reader/card status:
Readers: 1
   0: OMNIKEY CardMan 3x21 0
--- Reader: OMNIKEY CardMan 3x21 0
--- Status: SCARD_STATE_PRESENT | SCARD_STATE_INUSE
--- Status: The card is being shared by a process.
---   Card: OpenSC CardOS v4.3B

Analyzing card in reader: OMNIKEY CardMan 3x21 0
================ Certificate 0 ================
--- Reader: OMNIKEY CardMan 3x21 0
---   Card: OpenSC CardOS v4.3B
Provider = Microsoft Base Smart Card Crypto Provider
Key Container = {017ba2c9-da88-742d-29d0-03f33451a7d7}
Performing AT_SIGNATURE public key matching test...
Public key matching test succeeded
   Key Container = {017ba2c9-da88-742d-29d0-03f33451a7d7}
   Provider = Microsoft Base Smart Card Crypto Provider
   ProviderType = 1
   Flags = 1
   KeySpec = 2
Private key verifies
Performing cert chain verification...
... and so on ...


I suggest you try the MSI above and activate debug (in opensc.conf, set
'debug-level = 8' and a meaningful value for 'debug-file').
In this MSI the minidriver debug is activated; you should have a valid path
'c:\tmp\' -- this path is encoded in the sources.

Send the md.log and opensc-debug.log here.

Kind regards,
Viktor.



On 22/12/2011 17:37, LinuxChuck wrote:
> Hello all,
>
> Be warned, I am learning all of this as I go, so there may be some
> obvious mistakes below that could easily solve my problems.  Feel free
> to point those out.  :-)
>
> I've recently finalized the lengthy NDA process that allows me access
> to the keys for unlocking and initializing my CardOS 4.4 smartcards.
> I have managed to decipher their "initialization scripts" A.K.A. "CSF"
> files into APDU statements that I can send directly via opensc-tool.
> I even threw together an ugly little limited bash script using awk,
> sed, and grep to parse their CSF files into directly-executable APDU
> statements via opensc-tool.
>
> I received the cards in manufacturing lifecycle with their proprietary
> factory Startkey.
>
> I'm using an SCM SCR3311 USB card reader, and have it working quite
> nicely in both Linux and Windows.
>
> Here's a quick summary of what I can *successfully* accomplish with
> the cards so far on my Linux workstation:
> 1.  Send an APDU to change the Factory Startkey to the default "0xff" Startkey.
> 2.  Send an APDU to move the card from Manufacturing lifecycle to
> Administration lifecycle.
> 3.  Send an APDU to fully erase the card, and set it back to
> Manufacturing lifecycle (leaving the key at default)
> 4.  Initialize the card via pkcs15-init with an SO PIN and a User PIN
> as follows:
> pkcs15-init -C --so-pin 12345678 --so-puk 09876543
> pkcs15-init -P -a a2 -l "User PIN" --pin 09871234 --puk 12340987
> 5.  Erase the card via pkcs15-init -E
> 6.  Generate a certificate on-card via pkcs15-init -G
> 7.  Import a certificate and private key from an Active-Directory
> (2008 r2) generated user certificate as follows:
> pkcs15-init -S PkiTestCertificate.pfx -f PKCS12 -a a2 -i 45 --passphrase PASSPHRASE --split-key
>
>
> Now, let's say I perform steps 1, 2, 4, and 7 above on a new card.
> Everything seems to work as expected.  I can even do a pkcs15-tool -D
> and see all the objects I expect to see from the card.
>
> This is where the fun ends.  Now I'm kind of stuck.
>
> When I take this newly initialized card and plug it into a Windows 7
> workstation on the Domain where the user certificate was created, I
> can't get the windows system to recognize the card.  I've taken the
> following steps on the windows client:
> 1.  Installed the 12.2 Win64 WindowsInstaller from the OpenSC downloads page.
> 2.  Created the appropriate registry entries as suggested in the
> minidriver wiki entry.  (included below as "registry entries applied")
> 3.  Rebooted
> 4.  Inserted the card
> 5.  From a command prompt, I execute "certutil -SCInfo".
>
> This results in a series of 3 pop-ups stating that I need to insert a
> smart card.  The details on the pop-up state that the smart card
> inserted is "OpenSC Card", and that "A smart card was detected, but is
> not the one required for the current operation.  The smart card you
> are using may be missing required driver software or a required
> certificate."  I only have the option to "Cancel" these pop-ups.
>
> Additionally, I get the output below on the command-line.
> (included below as "certutil output")
>
> This is where I'm stuck.  What am I missing to allow Windows 7 x64 to
> see and access certificates on this smart card?
>
> One notable issue that may be the solution:  Included with the
> proprietary CSF scripts were a series of 256-byte APDU commands to
> apply a "service pack" to the cards prior to
> initialization/personalization.  But I am not familiar with how to
> apply these super-long APDUs to the cards via the opensc-suite of
> utilities.
>
> I'd greatly appreciate any suggestions or good leads toward completing
> this project.
>
> Thanks in advance!
>
> ******registry entries applied******
> Windows Registry Editor Version 5.00
>
> [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Calais\SmartCards\OpenSC Card]
> "ATR"=hex:3b,d2,18,02,c1,0a,31,fe,58,c8,0d,51
> "ATRMask"=hex:ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff
> "Smart Card Key Storage Provider"="Microsoft Smart Card Key Storage Provider"
> "Crypto Provider"="Microsoft Base Smart Card Crypto Provider"
> "80000001"="opensc-minidriver.dll"
>
> Windows Registry Editor Version 5.00
>
> [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Calais\SmartCards\OpenSC Card]
> "ATR"=hex:3b,d2,18,02,c1,0a,31,fe,58,c8,0d,51
> "ATRMask"=hex:ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff
> "Crypto Provider"="Microsoft Base Smart Card Crypto Provider"
> "Smart Card Key Storage Provider"="Microsoft Smart Card Key Storage Provider"
> "80000001"="opensc-minidriver.dll"
> ******registry entries applied******
>
> ******certutil output******
> The Microsoft Smart Card Resource Manager is running.
> Current reader/card status:
> Readers: 1
>    0: SCM Microsystems Inc. SCR33x USB Smart Card Reader 0
> --- Reader: SCM Microsystems Inc. SCR33x USB Smart Card Reader 0
> --- Status: SCARD_STATE_PRESENT | SCARD_STATE_UNPOWERED
> --- Status: The card is available for use.
> ---   Card: OpenSC Card
> ---    ATR:
>          3b d2 18 02 c1 0a 31 fe  58 c8 0d 51               ;.....1.X..Q
>
>
> =======================================================
> Analyzing card in reader: SCM Microsystems Inc. SCR33x USB Smart Card Reader 0
>
> --------------===========================--------------
> ================ Certificate 0 ================
> --- Reader: SCM Microsystems Inc. SCR33x USB Smart Card Reader 0
> ---   Card: OpenSC Card
> Provider = Microsoft Base Smart Card Crypto Provider
> Key Container = (null) [Default Container]
>
> Cannot open the AT_SIGNATURE key for reader: SCM Microsystems Inc. SCR33x USB Smart Card Reader 0
> Cannot open the AT_KEYEXCHANGE key for reader: SCM Microsystems Inc. SCR33x USB Smart Card Reader 0
>
> --------------===========================--------------
> ================ Certificate 0 ================
> --- Reader: SCM Microsystems Inc. SCR33x USB Smart Card Reader 0
> ---   Card: OpenSC Card
> Provider = Microsoft Smart Card Key Storage Provider
> Key Container = (null) [Default Container]
>
> Cannot open the  key for reader: SCM Microsystems Inc. SCR33x USB Smart Card Reader 0
>
> --------------===========================--------------
>
> Done.
> CertUtil: -SCInfo command completed successfully.
> ******certutil output******
> _______________________________________________
> opensc-devel mailing list
> opensc-devel@lists.opensc-project.org
> http://www.opensc-project.org/mailman/listinfo/opensc-devel
>
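
Added example, not part of the original messages and not OpenSC code: a Python check that the ATR reported by certutil -SCInfo is accepted by the ATR/ATRMask pair in the registry entries quoted above, using the matching rule documented for SCardIntroduceCardType (card ATR AND mask must equal the registered ATR). The function names are invented for this example; a match is consistent with certutil naming the card "OpenSC Card", which places the failure after card recognition.

```python
import re

# Registry text as quoted in the message above (64-bit key only).
REG_TEXT = r'''
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Calais\SmartCards\OpenSC Card]
"ATR"=hex:3b,d2,18,02,c1,0a,31,fe,58,c8,0d,51
"ATRMask"=hex:ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff
"Crypto Provider"="Microsoft Base Smart Card Crypto Provider"
"80000001"="opensc-minidriver.dll"
'''

def parse_reg(text):
    """Return {card_name: {value_name: bytes or str}} from .reg-format text."""
    cards, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        key = re.fullmatch(r'\[.*\\SmartCards\\(.+)\]', line)
        if key:
            current = cards.setdefault(key.group(1), {})
            continue
        val = re.fullmatch(r'"([^"]+)"=(hex:)?(.*)', line)
        if val and current is not None:
            name, is_hex, data = val.groups()
            current[name] = (bytes.fromhex(data.replace(',', ''))
                             if is_hex else data.strip('"'))
    return cards

def match_card(cards, atr):
    """Names of registered cards whose ATR/ATRMask accept this card ATR."""
    hits = []
    for name, v in cards.items():
        reg, mask = v.get('ATR'), v.get('ATRMask')
        # Entries without both values, or with a different length, are skipped.
        if reg is None or mask is None or not (len(reg) == len(mask) == len(atr)):
            continue
        # Documented rule: (card ATR & mask) == registered ATR, so any byte
        # masked out with 00 must also be 00 in the registered ATR.
        if bytes(a & m for a, m in zip(atr, mask)) == reg:
            hits.append(name)
    return hits

def atr_from_dump(hexdump):
    """Parse an ATR printed as space-separated hex, as certutil -SCInfo does."""
    return bytes.fromhex(''.join(hexdump.split()))
```
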
