Re: [opensc-devel] Resetting USB device in OpenCT
Martin Preuss wrote:
> Hi,
>
> On Friday 03 November 2006 00:40, Andrey Jivsov wrote:
> [...]
>> I was thinking to implement the cyberJack PIN pad reader support.
>> Unfortunately, I ran into a problem when I must reset the reader with
>> usb_reset(device_handle). However, I don't see ifd_device_ops.reset
> [...]
>
> What problem did you run into? I'm just asking because I recently took over
> maintenance of the CTAPI driver for Linux provided by the manufacturer and
> might be of assistance.
>
> regards
> Martin

I was testing without "cyberjack" kernel module. The reset was necessary to initialize the reader. The reader would not send even a single byte to the host without this USB reset.

___
opensc-devel mailing list
opensc-devel@lists.opensc-project.org
http://www.opensc-project.org/mailman/listinfo/opensc-devel
Re: [opensc-devel] Resetting USB device in OpenCT
Martin Preuss wrote:
> Hi,
>
> On Friday 03 November 2006 00:40, Andrey Jivsov wrote:
> [...]
>> I was thinking to implement the cyberJack PIN pad reader support.
> [...]
>
> Just curious: Are you implementing support for both types of Cyberjack
> devices (0x100 and 0x300, even though they look identical they are very
> different internally)?
>
> Regards
> Martin

Only tried with 0c4b:0100.
Re: [opensc-devel] Resetting USB device in OpenCT
Andreas Jellinghaus wrote:
> Andrey Jivsov wrote:
>> I was thinking to implement the cyberJack PIN pad reader support.
>
> that is a good idea! if I can be of any help please let me know.
> I thought about it myself, but never found time for that (and most
> likely neither will anytime soon, so please go ahead!).

Hello Andreas and everyone who responded. Sorry for slow reply. I wanted to try a few things first before replying to ensure that my answer is precise.

I will write up a question today about integration of PIN-pad authentication. It's unclear to me how this should work in openct framework.

>> Unfortunately, I ran into a problem when I must reset the reader with
>> usb_reset(device_handle). However, I don't see ifd_device_ops.reset
>> implemented. Is there a way to cleanly invoke the USB device reset
>> functionality? I attached the patch that I think is needed. It would be
>> nice to integrate it into the tree.
>
> Hi Andrey,
> thanks for the patch, committed. I hope it doesn't cause side effects.
>
> the problem with usb reset is that the device will get a new device number
> on the usb bus, and thus the old openct ifdhandler will need to die and
> exit, and udev will spawn a new one for the new device. so usb reset is
> like unplugging and plugging in again. except for the absolute worst case
> scenario it should never be necessary to do that.

Thank you for adding the patch.

Turns out, on Linux RedHat FC5 with 2.6.18 kernel at least, this is not the case. The device will retain its address. I assume there is a logic in the kernel to try to reuse the device address, since the kernel knows that the current device is being reset.

However, I now realize that usb_reset may not be so clean on other systems and perhaps is not guaranteed to behave exactly as I described in mentioned kernel under race conditions.

Still, I tried multiple times and confirm that resetting the device is necessary to make cyberJack power-up the card.

> Andreas
Re: [opensc-devel] new opensc pre release 0.11.2-pre2
Douglas E. Engert wrote:
> Please consider adding the attached patch to pkcs15-gemsafe.c
> which I originally sent August 10. This version is against
> the 0.11.2-pre2.

committed.

Cheers,
Nils
Re: [opensc-devel] Using engine_pkcs11 with openssl for OCSP
Jesus Luna wrote:
> Dear all,
> I'm trying to add HSM support to our OCSP Responder by integrating
> engine_pkcs11 with openssl to it, however in our tests we have found
> that RSA Signature operations are not implemented

Do you mean: signing ocsp responses with openssl (the command line tool?) doesn't work with our pkcs11 engine?

Cheers,
Nils
Re: [opensc-devel] Datev Smart Card support for PKCS11?
Hi

> I've noticed that the wiki is not up to date in this section
> (http://www.opensc-project.org/opensc/wiki/GermanEid). According to the
> Datev Homepage, the Smart Card is based upon the Telesec TCOS 2.03 MIN
> and the Siemens SLE66CX322P-Microchip (http://datev.de/info-db/0903358).
>
> opensc-explorer works fine and can browse all directories ("info", "ls").
> pkcs15-tool.exe or pkcs11-tool.exe report "unsupported card".
>
> I can't tell if there is a fundamental difference to the supported TCOS
> 2.0 cards. I know that these cards aren't available for the public.

There is none. All TCOS 2.0 cards are in fact TCOS 2.03 cards, but supporting a signature card means to support BOTH the card operating system (TCOS in this case) AND the file layout of the card.

I heard rumours that DATEV cards are some sort of NetKey E4 cards, but obviously that's wrong since if that was the case OpenSC would recognize them as such.

Adding support for a card without a test card is possible but needs some time. If at all possible I would prefer to get a testcard. opensc-tool -f output may be helpful too.

Peter
[opensc-devel] Datev Smart Card support for PKCS11?
Hi,

I've noticed that the wiki is not up to date in this section (http://www.opensc-project.org/opensc/wiki/GermanEid). According to the Datev Homepage, the Smart Card is based upon the Telesec TCOS 2.03 MIN and the Siemens SLE66CX322P-Microchip (http://datev.de/info-db/0903358).

opensc-explorer works fine and can browse all directories ("info", "ls"). pkcs15-tool.exe or pkcs11-tool.exe report "unsupported card".

I can't tell if there is a fundamental difference to the supported TCOS 2.0 cards. I know that these cards aren't available for the public. However I could provide more detailed information (e.g. card output, etc.). If this doesn't suffice, I'm sure that there can be found a way to give a developer access to one of those cards (contact me).

Greetings
Daniel
[opensc-devel] Re: [opensc-user] Using engine_pkcs11 with openssl for OCSP
Jesus Luna wrote:
> I'm trying to add HSM support to our OCSP Responder by integrating
> engine_pkcs11 with openssl to it, however in our tests we have found
> that RSA Signature operations are not implemented and in fact that seems
> to be an active ticket (#7 "Please support rsautl sign"). Are there any
> plans to support these operations in the short-term?

no idea, guess so far no one is working on it. are changes needed to engine_pkcs11, openssl or both?

Regards,
Andreas
[opensc-devel] Using engine_pkcs11 with openssl for OCSP
Dear all,

I'm trying to add HSM support to our OCSP Responder by integrating engine_pkcs11 with openssl to it, however in our tests we have found that RSA Signature operations are not implemented and in fact that seems to be an active ticket (#7 "Please support rsautl sign"). Are there any plans to support these operations in the short-term?

Best regards,
Jesus Luna Garcia
CertiVeR Developer
Barcelona, Spain
[EMAIL PROTECTED]
Re: [opensc-devel] pinpad with pam authentication
Hi Johannes,

It requires modification of g/kdm, something we intend to suggest/propose/modify in the future.

--
Regards

Signer: Eddy Nigg, StartCom Ltd.
Phone: +1.213.341.0390

Johannes Becker wrote:
> Hello,
>
> I got pam_pkcs11 working. If I use the card reader's pin pad, there is
> still the prompt to enter the PIN. No matter what you enter, after
> 'return' the pinpad awakes and you can enter the PIN there. This is a
> confusing behaviour, especially if you have a graphical login with gdm
> or kdm.
>
> How to get rid of this prompt?
[opensc-devel] pinpad with pam authentication
Hello,

I got pam_pkcs11 working. If I use the card reader's pin pad, there is still the prompt to enter the PIN. No matter what you enter, after 'return' the pinpad awakes and you can enter the PIN there. This is a confusing behaviour, especially if you have a graphical login with gdm or kdm.

How to get rid of this prompt?

--
Regards
Johannes
Re: [opensc-devel] Netkey-card with multiple certs per private key
Hi,

On Tue, Oct 31, 2006 at 07:11:19PM +0100, Andreas Steffen wrote:
> Try strongSwan from http://www.strongswan.org which has a regular
> PKCS#11 smartcard interface and allows to select certificates
> according to position e.g.
>
> leftcert=%smartcard#4
>
> which is the fourth certificate in the enumeration shown by
>
> ipsec listcards

Finally came to try it out,

- strongswan 2.8.0 doesn't build on fc6 at the moment, 2.5.7 is the last one compiling without problems there
- 2.8.0 compiles on debian/unstable

However I need the klips-usage that OpenSwan offers with 2.6 kernel, until klips/netkey are merged I need OpenSwan. Also I had to patch out some checks if the ID of the tunnel endpoint matches the subject of the cert it's sending.

Thanks for noting, I'll have a look at strongswan again after the merge of netkey/klips.

Christian