Re: [opensc-devel] Ticket #189 - Problems with opensc-pkcs11.so
Attached is a major update for the PIV smartcard. Before being committed to the OpenSC source, I would like some others to try this. The patch is against 0.11.8.

The major issue is with getting the length of an object or the cert contained in an object. The PIV card does not have a directory on the card, so the previous version tried to put off as long as possible the reading of objects for performance, so as to avoid having to read objects that would not be used. The first standard, NIST 800-73, set maximum sizes for objects. 800-73-2 removed this for certificates. A certificate object can contain a certificate which might be compressed. The only way to get the length of the compressed certificate is to decompress it. Thus the decompressed certificate could be larger than the container object, so even if the PIV card had a directory, one would still need to decompress the certificate to find its length. OpenSC sc_read_binary will use the length obtained by using sc_select_file(...,&file_out), and thus the lengths must be determined in sc_select_file.

Changes are to card-piv.c and pkcs15-piv.c and include:

* The old cache code, which was not working, was removed.
* New cache code was added which caches all objects read from the card.
* If an object has a cert, the cert is decompressed and also cached.
* As part of reading an object, the first 8 bytes are read and this is then used to allocate a large buffer to read in the object.
* If pkcs15 or pkcs11 asks about a certificate, the cert object will be read, and the cert decompressed, to get the actual length.
* If piv_select_file is called with file_out != NULL the object will be read to get the length. If called with NULL it will not be read.
* The enumeration of the objects now starts with 0.
* sc_ctx_suppress_errors_on and off are used to avoid file not found messages which are a by-product of not having a directory.
* "Unsigned Card Holder Unique Identifier" object in card-piv and pkcs15-piv.c had conflicting paths, as NIST 800-72-1 had two tables with different paths. The enumtag for it in card-piv.c was also wrong.

-- Douglas E. Engert Argonne National Laboratory 9700 South Cass Avenue Argonne, Illinois 60439 (630) 252-5444

--- ,card-piv.c Wed Aug 27 02:21:36 2008 +++ card-piv.c Thu Jul 16 11:29:53 2009 @@ -39,11 +39,37 @@ #include "compression.h" #endif -typedef struct { - u8* data; - size_t length; - int enumtag; -} piv_cache_item; +enum { + PIV_OBJ_CCC = 0, + PIV_OBJ_CHUI, + PIV_OBJ_UCHUI, /* new with 800-73-2 */ + PIV_OBJ_X509_PIV_AUTH, + PIV_OBJ_CHF, + PIV_OBJ_PI, + PIV_OBJ_CHFI, + PIV_OBJ_X509_DS, + PIV_OBJ_X509_KM, + PIV_OBJ_X509_CARD_AUTH, + PIV_OBJ_SEC_OBJ, + PIV_OBJ_9B03, + PIV_OBJ_9A06, + PIV_OBJ_9C06, + PIV_OBJ_9D06, + PIV_OBJ_9E06, + PIV_OBJ_LAST_ENUM +}; + +/* flags in the piv_obj_cache */ + +#define PIV_OBJ_CACHE_VALID 1 + +typedef struct piv_obj_cache { + u8* obj_data; + size_t obj_len; + u8* internal_obj_data; /* like a cert in the object */ + size_t internal_obj_len; + int flags; +} piv_obj_cache_t; typedef struct piv_private_data { struct sc_pin_cmd_pin pin_info;
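Review bot: the new `piv_obj_cache_t` holds two separately allocated buffers (`obj_data` and `internal_obj_data`) but only one flag value, `PIV_OBJ_CACHE_VALID`, so a cached object whose certificate has not yet been decompressed cannot be told apart from one that has no certificate; add a second flag for the internal object (or state in the struct comment that `internal_obj_data == NULL` is the only test), and make sure the card's finish path frees both buffers for every `obj_cache` entry, since nothing in this hunk releases them. Also, `PIV_OBJ_UCHUI` is inserted in the middle of the enum rather than appended, so any table indexed by these values (the description says the enumeration now starts at 0) needs its entry in the same position; a comment on the enum saying it must stay in step with that table would prevent the next mismatch like the wrong enumtag this patch fixes.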
@@ -51,68 +77,16 @@ int enumtag; int selected_obj; /* The index into the piv_objects last selected */ int return_only_cert; /* return the cert from the object */ - int eof; + int rb_state; /* first time -1, 0, in middle, 1 at eof */ size_t max_recv_size; /* saved size, need to lie to pkcs15_read_file */ size_t max_send_size; int key_ref; /* saved from set_security_env and */ int alg_id; /* used in decrypt, signature */ - piv_cache_item* cache; - int cacheLen; - piv_cache_item* current_item; + piv_obj_cache_t obj_cache[PIV_OBJ_LAST_ENUM]; } piv_private_data_t; #define PIV_DATA(card) ((piv_private_data_t*)card->drv_data) -static int add_cache_item(piv_private_data_t* priv, int enumtag, u8* data, size_t length) { - int idx, len = priv->cacheLen; - piv_cache_item* cache = priv->cache; - for(idx = 0; idx < len; idx++) { - if(!cache[idx].data) - break; - if(cache[idx].enumtag == enumtag) /* Found matching tag */ - break; - } - if(idx == len) - return -1; /* FAILED NO FREE ROOM */ - if(cache[idx].data) - free(cache[idx].data); - cache[idx].data = data; - cache[idx].length = length; - cache[idx].enumtag = enumtag; - return 0; -} - -static piv_cache_item* get_cache_item(piv_private_data_t* priv, int enumtag) { - int idx, len = priv->cacheLen; - piv_cache_item* cache = priv->cache; -#if 1 -/* DEE some thing not right with the cache, - * when used with the pkcs15-tool -C it can
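Review bot: `obj_cache[PIV_OBJ_LAST_ENUM]` is a fixed array indexed by enum value, whereas the removed `get_cache_item` searched by tag within `cacheLen` and returned failure when nothing matched; every place that indexes the new array with `enumtag` or `selected_obj` needs an explicit `< PIV_OBJ_LAST_ENUM` check, because an out-of-range index now writes past the array inside `piv_private_data_t` instead of reporting "not found". The `rb_state` comment ("first time -1, 0, in middle, 1 at eof") would be clearer as three named constants used at the assignment sites. The hunk is cut off in this copy of the message after the `#if 1 /* DEE some thing not right with the cache` block, so the remainder of the removal could not be checked here.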
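The length-discovery problem this message describes (read the first 8 bytes of an object, size the read buffer from them, then walk into the object to find the certificate that may need decompressing) as an added C example; this is not code from the patch or from OpenSC. It assumes the NIST SP 800-73 tag layout (0x53 wrapper, 0x70 certificate, 0x71 CertInfo with bit 0 meaning gzip-compressed) and an arbitrary 64 KiB cap, none of which the message states. The cap is the point: the length prefix comes from the card, so it is validated before it sizes an allocation, and inner TLVs are checked against the wrapper they live in.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed cap on one object read from the card; the message names no value. */
#define PIV_OBJ_MAX_LEN (64u * 1024u)

/* Tags from NIST SP 800-73 (an assumption of this example, not from the
 * message): 0x53 wraps every data object, 0x70 holds the certificate,
 * 0x71 is CertInfo, whose bit 0 says the certificate is gzip-compressed. */
#define PIV_TAG_OBJ             0x53
#define PIV_TAG_CERT            0x70
#define PIV_TAG_CERTINFO        0x71
#define PIV_CERTINFO_COMPRESSED 0x01

/* Decode one BER-TLV tag and length at buf[*pos]. On success sets *tag and
 * *len, advances *pos to the first value byte and returns 1. Returns 0 for a
 * truncated header, the indefinite form (0x80) or more than three length
 * bytes, none of which a PIV object needs. */
static int tlv_head(const uint8_t *buf, size_t buf_len, size_t *pos,
                    unsigned *tag, size_t *len)
{
    size_t i = *pos, l = 0;
    unsigned t;
    uint8_t first;

    if (i >= buf_len) return 0;
    t = buf[i++];
    if ((t & 0x1f) == 0x1f) {                 /* multi-byte tag */
        do {
            if (i >= buf_len) return 0;
            t = (t << 8) | buf[i];
        } while (buf[i++] & 0x80);
    }
    if (i >= buf_len) return 0;
    first = buf[i++];
    if (first < 0x80) {
        l = first;                            /* short form */
    } else {
        size_t n = first & 0x7f;              /* long form: n length bytes */
        if (n == 0 || n > 3 || i + n > buf_len) return 0;
        while (n--) l = (l << 8) | buf[i++];
    }
    *tag = t; *len = l; *pos = i;
    return 1;
}

/* Given the first few bytes of an object (the driver reads 8), return the
 * total size (outer header plus value) the read buffer must have, or 0 if
 * the header is malformed, the tag is not the wrapper, or the claimed length
 * exceeds PIV_OBJ_MAX_LEN. The length is card-supplied input and is bounded
 * here before any allocation is sized by it. */
size_t piv_obj_total_len(const uint8_t *head, size_t head_len)
{
    size_t pos = 0, len;
    unsigned tag;

    if (!tlv_head(head, head_len, &pos, &tag, &len)) return 0;
    if (tag != PIV_TAG_OBJ || len > PIV_OBJ_MAX_LEN) return 0;
    return pos + len;
}

/* Walk a complete certificate object and locate the certificate value.
 * Returns its length as stored on the card (the compressed size when
 * CertInfo says compressed), sets *cert and *compressed; returns 0 if the
 * object is malformed or has no certificate. When *compressed is set, the
 * real length is only known after inflating, which is why the driver has to
 * decompress before sc_select_file can answer. */
size_t piv_find_cert(const uint8_t *obj, size_t obj_len,
                     const uint8_t **cert, int *compressed)
{
    size_t pos = 0, len, end, cert_len = 0;
    unsigned tag;

    *cert = NULL; *compressed = 0;
    if (!tlv_head(obj, obj_len, &pos, &tag, &len) || tag != PIV_TAG_OBJ) return 0;
    if (len > obj_len - pos) return 0;        /* wrapper claims more than we hold */
    end = pos + len;
    while (pos < end) {
        if (!tlv_head(obj, end, &pos, &tag, &len) || len > end - pos)
            return 0;                         /* inner TLV overruns the wrapper */
        if (tag == PIV_TAG_CERT) { *cert = obj + pos; cert_len = len; }
        else if (tag == PIV_TAG_CERTINFO && len >= 1)
            *compressed = (obj[pos] & PIV_CERTINFO_COMPRESSED) != 0;
        pos += len;
    }
    return *cert ? cert_len : 0;
}

/* Constructed samples, not real card data: a 12-byte certificate object with
 * a 3-byte "certificate" flagged compressed, an 8-byte prefix of a 1564-byte
 * object, and a prefix whose wrapper claims 128 KiB. */
const uint8_t sample_cert_obj[12] = { 0x53, 0x0a, 0x70, 0x03, 0xaa, 0xbb, 0xcc,
                                      0x71, 0x01, 0x01, 0xfe, 0x00 };
const uint8_t sample_long_head[8] = { 0x53, 0x82, 0x06, 0x1c, 0x70, 0x82, 0x06, 0x10 };
const uint8_t sample_oversize_head[8] = { 0x53, 0x83, 0x02, 0x00, 0x00, 0x70, 0x82, 0x01 };

int main(void)
{
    const uint8_t *cert;
    int compressed;
    printf("cert object needs %zu bytes\n", piv_obj_total_len(sample_cert_obj, 8));
    printf("long header needs %zu bytes\n", piv_obj_total_len(sample_long_head, 8));
    printf("oversize header -> %zu (rejected)\n", piv_obj_total_len(sample_oversize_head, 8));
    printf("cert len %zu, compressed %d\n",
           piv_find_cert(sample_cert_obj, sizeof sample_cert_obj, &cert, &compressed), compressed);
    return 0;
}
```

The 8-byte prefix is enough for the outer tag and a three-byte long-form length; `piv_obj_total_len` answers "how much to allocate", and only once the whole object is in memory does `piv_find_cert` walk the inner TLVs, each bounded by the wrapper rather than by the caller's buffer.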
Re: [opensc-devel] OpenCT:ChipCard Interface Descriptor:dwFeatures and ISO/IEC 7816-12:2005
Why is it needed? Doesn't it report itself as CCID device? On Thu, Jul 16, 2009 at 3:35 PM, Aktiv Co. Aleksey Samsonov wrote: > Could you please add patch for support Rutoken ECP tokens? (Patch for trunk > revision 1158 is in attachment) Thanks. > > diff -u -r openct-trunk-r1158/etc/openct.conf.in > new/openct-trunk-r1158/etc/openct.conf.in > --- openct-trunk-r1158/etc/openct.conf.in 2009-02-06 12:33:08.0 > +0300 > +++ new/openct-trunk-r1158/etc/openct.conf.in 2009-07-16 16:25:20.0 > +0400 > @@ -134,6 +134,7 @@ > usb:0b97/7772, # O2 Micro, Inc. Oz776 SmartCard Reader > usb:0bf8/1006, # fujitsu siemens 3.5" drive size reader > usb:0dc3/1004, # Athena Smartcard Solutions, Inc. ASEKey > + usb:0a89/0030, # Aktiv Rutoken ECP > }; > }; > driver pertosmart1030 { > > ___ > opensc-devel mailing list > opensc-devel@lists.opensc-project.org > http://www.opensc-project.org/mailman/listinfo/opensc-devel ___ opensc-devel mailing list opensc-devel@lists.opensc-project.org http://www.opensc-project.org/mailman/listinfo/opensc-devel
Re: [opensc-devel] OpenCT:ChipCard Interface Descriptor:dwFeatures and ISO/IEC 7816-12:2005
2009/7/16 Aktiv Co. Aleksey Samsonov : > Could you please add patch for support Rutoken ECP tokens? (Patch for trunk > revision 1158 is in attachment) Thanks. > > diff -u -r openct-trunk-r1158/etc/openct.conf.in > new/openct-trunk-r1158/etc/openct.conf.in > --- openct-trunk-r1158/etc/openct.conf.in 2009-02-06 > 12:33:08.0 +0300 > +++ new/openct-trunk-r1158/etc/openct.conf.in 2009-07-16 > 16:25:20.0 +0400 > @@ -134,6 +134,7 @@ > usb:0b97/7772, # O2 Micro, Inc. Oz776 SmartCard Reader > usb:0bf8/1006, # fujitsu siemens 3.5" drive size reader > usb:0dc3/1004, # Athena Smartcard Solutions, Inc. ASEKey > + usb:0a89/0030, # Aktiv Rutoken ECP > }; > }; > driver pertosmart1030 { Applied in revision 1159 -- Dr. Ludovic Rousseau
Re: [opensc-devel] OpenCT:ChipCard Interface Descriptor:dwFeatures and ISO/IEC 7816-12:2005
Hello, Ludovic Rousseau: It looks like your patch is correct. All the ICCD devices I know have dwFeatures & 0x = 0x840. Patch applied in revision 1158 Thanks! Could you please add patch for support Rutoken ECP tokens? (Patch for trunk revision 1158 is in attachment) Thanks. diff -u -r openct-trunk-r1158/etc/openct.conf.in new/openct-trunk-r1158/etc/openct.conf.in --- openct-trunk-r1158/etc/openct.conf.in 2009-02-06 12:33:08.0 +0300 +++ new/openct-trunk-r1158/etc/openct.conf.in 2009-07-16 16:25:20.0 +0400 @@ -134,6 +134,7 @@ usb:0b97/7772, # O2 Micro, Inc. Oz776 SmartCard Reader usb:0bf8/1006, # fujitsu siemens 3.5" drive size reader usb:0dc3/1004, # Athena Smartcard Solutions, Inc. ASEKey + usb:0a89/0030, # Aktiv Rutoken ECP }; }; driver pertosmart1030 {
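Review bot: the surrounding entries are in ascending vendor-id order (0b97, 0bf8, 0dc3), so `usb:0a89/0030` belongs before `usb:0b97/7772` rather than after the ASEKey line; keeping the list sorted is what makes a duplicate id easy to spot. The patch text also does not say why an explicit id entry is needed for this token (a reply on this thread asks exactly whether it enumerates as a CCID-class device), and that reason belongs in the commit message so the next person reading openct.conf.in knows the line is not redundant.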
Re: [opensc-devel] OpenCT:ChipCard Interface Descriptor:dwFeatures and ISO/IEC 7816-12:2005
2009/7/15 Aktiv Co. Aleksey Samsonov : > Hello, Hello, > ISO/IEC 7816-12:2005 > 7.2 The Class Specific Descriptor > Table 8 - Class specific descriptor for a USB-ICC > > Offset: 40 > Field: dwFeatures > Size: 4 > Value: 00840h > 0002 00840h > 0004 00840h > Description: > The value of the lower word (=0840) indicates > that the host will only send requests that are valid > for the USB-ICC. > The value of the upper word is the level of data > exchange with the USB-ICC: > h Character level exchanges > 0002h Short APDU level exchanges > 0004h Short and extended APDU level exchanges > > But > > Smart Card CCID version 1.1 > 5 Smart Card Device Class > 5.1 Descriptor > Table 5.1-1 Smart Card Device Class Descriptors > > for dwFeatures: "3) When a CCID doesn't declare the value 0010h the > frequency must be made via the manufacturer proprietary PC_to_RDR_Escape > command, same thing for the baud rate when the value 0020h is not > declared." > > > Patch for trunk revision 1157 is in attachment. > Thanks > > diff -u -r openct-trunk-r1157/src/ifd/ifd-ccid.c > openct-trunk-r1157_new/src/ifd/ifd-ccid.c > --- openct-trunk-r1157/src/ifd/ifd-ccid.c 2009-02-26 > 11:58:13.0 +0300 > +++ openct-trunk-r1157_new/src/ifd/ifd-ccid.c 2009-07-15 > 16:34:36.0 +0400 
> @@ -727,8 +727,13 @@ > /* "When a CCID doesn't declare the values 0010h and 0020h, the > * frequency or the baud rate must be made via manufacturer proprietary > * PC_to_RDR_Escape command." - ccid class specification v1.00 > + * > + * "The value of the lower word (=0840) indicates that the host will only > + * send requests that are valid for the USB-ICC." - ISO/IEC 7816-12:2005 > + * 7.2/Table 8 > */ > - if (~ccid.dwFeatures & (0x10 | 0x20)) { > + if ((ccid.dwFeatures & 0x) != 0x0840 > + && ~ccid.dwFeatures & (0x10 | 0x20)) { > ct_error("ccid: required card initialization features > missing"); > free(st); > ifd_device_close(dev); It looks like your patch is correct. All the ICCD devices I know have dwFeatures & 0x = 0x840. Patch applied in revision 1158 -- Dr. Ludovic Rousseau
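Review bot: the mask in `(ccid.dwFeatures & 0x) != 0x0840` has lost its digits in this copy of the message; the committed line must mask exactly the lower 16 bits, since the ISO/IEC 7816-12 text quoted in the comment refers to the lower word, and the parentheses around that mask must stay, because `!=` binds tighter than `&` and without them the expression would compare 0xffff against 0x0840 first. A named constant for 0x0840 and for the `0x10 | 0x20` pair would make the two-branch condition readable without the long comment. Worth noting in the comment too: an ICCD with lower word 0x0840 sets neither 0x10 nor 0x20, so the new first clause is the only thing that keeps such a device from being rejected by the second.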
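The dwFeatures test that the quoted patch adds, written out as an added C example with named constants; this is not OpenCT code, and the identifiers are this example's own. It implements the two-branch acceptance rule from the hunk and additionally decodes the ICCD exchange level from the upper word, as the ISO/IEC 7816-12 excerpt earlier in the thread describes.

```c
#include <stdint.h>
#include <stdio.h>

/* Feature bits and words taken from the thread. The names are this
 * example's own, not OpenCT identifiers. */
#define CCID_FEAT_AUTO_CLOCK  0x00000010u   /* clock frequency handled by reader */
#define CCID_FEAT_AUTO_BAUD   0x00000020u   /* baud rate handled by reader */
#define CCID_FEAT_REQUIRED    (CCID_FEAT_AUTO_CLOCK | CCID_FEAT_AUTO_BAUD)
#define ICCD_FEAT_LOWER_WORD  0x0840u       /* ISO/IEC 7816-12 USB-ICC marker */

enum iccd_exchange {
    ICCD_NOT_ICCD   = -1,   /* lower word is not 0x0840 */
    ICCD_UNKNOWN    = -2,   /* ICCD marker present, unexpected upper word */
    ICCD_CHARACTER  = 0,    /* upper word 0000h: character level exchanges */
    ICCD_SHORT_APDU = 2,    /* upper word 0002h: short APDU level */
    ICCD_EXT_APDU   = 4     /* upper word 0004h: short and extended APDU */
};

/* A device is an ISO/IEC 7816-12 ICCD when the lower word of dwFeatures is
 * exactly 0x0840. Masking all 16 bits matters: an ICCD sets neither of the
 * CCID bits 0x10 and 0x20, so a narrower test would misclassify it. */
int iccd_is_iccd(uint32_t dwFeatures)
{
    return (dwFeatures & 0xffffu) == ICCD_FEAT_LOWER_WORD;
}

enum iccd_exchange iccd_exchange_level(uint32_t dwFeatures)
{
    if (!iccd_is_iccd(dwFeatures))
        return ICCD_NOT_ICCD;
    switch (dwFeatures >> 16) {
    case 0:  return ICCD_CHARACTER;
    case 2:  return ICCD_SHORT_APDU;
    case 4:  return ICCD_EXT_APDU;
    default: return ICCD_UNKNOWN;
    }
}

/* The decision the patch encodes: accept an ICCD outright; otherwise require
 * both automatic-clock and automatic-baud bits, because without them the
 * CCID spec says clock and baud must be set via a proprietary
 * PC_to_RDR_Escape command, which this check treats as unsupported.
 * Returns 1 to accept the reader, 0 to reject it. */
int ccid_features_acceptable(uint32_t dwFeatures)
{
    if (iccd_is_iccd(dwFeatures))
        return 1;
    return (dwFeatures & CCID_FEAT_REQUIRED) == CCID_FEAT_REQUIRED;
}

int main(void)
{
    /* Constructed descriptor values: the three ICCD levels from the ISO
     * table, a plain CCID reader with both bits, and one missing them. */
    const uint32_t samples[] = { 0x00000840u, 0x00020840u, 0x00040840u,
                                 0x00000030u, 0x00000040u };
    size_t i;
    for (i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("dwFeatures 0x%08x: accept=%d exchange=%d\n",
               (unsigned)samples[i], ccid_features_acceptable(samples[i]),
               (int)iccd_exchange_level(samples[i]));
    return 0;
}
```

Note that 0x00000040 is rejected while 0x00000840 is accepted: the difference is only the ICCD marker in the lower word, which is exactly the case the original `~dwFeatures & (0x10 | 0x20)` test could not express.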