Re: [opensc-devel] use algorithm_ref in set_security_env

2010-09-01 Thread Martin Paljak
Hello Andre,
On Aug 31, 2010, at 9:39 PM, Andre Zepezauer wrote:
 
 Improving opensc so that it has a greater awareness of the pkcs15
 structures on cards is a goal of mine. If this is the development you
 ask for, then I could do it. A second goal is to use these cards
 according to the information found in the pkcs15 structures (on card). 
I'm sure we all agree that better and more complete support for PKCS#15 and 
related standards (ISO7816-15, IAS-ECC etc) is a wanted thing, 


 In the long term this will hopefully lead to a plug and play experience,
 where a completely new (but still initialised) card will instantly work
 with opensc. Without any hacks and emulations of course. That's all
 pkcs15 is about. Isn't it?
Hacks and emulations are in place because some cards (like the Estonian eID) 
were created before PKCS#15 existed. And several others hacks exist because 
vendors tend to interpret standards their own way, or partially or just don't 
care about them.

Yes, as identification smart cards, vendor companies and software become 
more widespread, hopefully they will be more standards compliant. But as some 
people have already expressed: I would not become too excited about them, as 
so far it has often been real (personalized) cards that are the reference 
implementations you need to follow, not standards.

Then again, this does not forbid OpenSC from being a top-notch PKCS#15 
implementation. Just start rolling in those nice patches.
-- 
Martin Paljak
@martinpaljak.net
+3725156495

___
opensc-devel mailing list
opensc-devel@lists.opensc-project.org
http://www.opensc-project.org/mailman/listinfo/opensc-devel


Re: [opensc-devel] Personal Review Of The Upcoming 0.12.0 Release

2010-09-01 Thread Aleksey Samsonov
Hello,

Martin Paljak wrote:
 On Aug 30, 2010, at 2:52 PM, Emanuele Pucciarelli wrote:
 The handful of drivers with insecure operations I was talking about, I
 got with the following command: grep -n OPENSSL libopensc/card-*.c

 But looking closer at each driver's source, I must confess that there are
 only two of them affected:

 http://www.opensc-project.org/opensc/browser/trunk/src/libopensc/card-westcos.c#L1244
 http://www.opensc-project.org/opensc/browser/trunk/src/libopensc/card-rutoken.c#L1376
 Looking at card-westcos.c:1117, I'd say that the insecure mode is
 only used with cards that do not have on-board RSA capabilities, but
 do have a private exportable key. In other words, it should only be a
 fallback.
 There used to be built-in signaling for such scenarios, together with the 
 SC_ERROR_EXTRACTABLE_KEY return code that was not handled/implemented by the 
 generic libopensc. That was not used and is removed since r4645 [1]
 
 Cards that don't support native RSA keys (meaning keys that can not be used 
 for on-board operations) should be unsupported by default by OpenSC. Support 
 for native but extractable keys is a whole different story. I doubt there are 
 any modern smart cards that don't support native RSA these days. At least 
 there is no reason to fake the support in OpenSC.


Rutoken S is a very old device (see [1]). It doesn't support on-board 
RSA; it has only on-board GOST 28147-89 cryptographic functions (GOST 
28147-89 is a symmetric-key algorithm).


 On the other hand, it really seems that RSA is only done in software
 with card-rutoken.c. Perhaps that device does not support RSA in
 hardware at all?
 
 I suggest to remove the offending code and pay closer attention in the future 
 to avoid such code. Will write it to the wiki as well. Apparently we need to 
 clarify the capabilities of Rutoken (and different versions of it) regarding 
 their RSA support *and* GOST support.

Rutoken S [1] doesn't support on-board RSA (as opposed to Rutoken 
ECP). Rutoken ECP [2] has on-board RSA (with RSA keys up to 2048 
bits), GOST R 34.10-2001 (public-key cryptography), GOST 34.11-94 (hash) 
and GOST 28147-89 (symmetric-key algorithm).
The file card-rutoken.c provides support for Rutoken S, and this code 
worked with the old OpenSC scheme. Now (with the new scheme) none of the 
old functionality works on Rutoken S. Example: software key 
generation was removed [3].

Thanks

[1] http://www.opensc-project.org/opensc/wiki/AktivRutokenS
[2] http://www.opensc-project.org/opensc/wiki/AktivRutokenECP
[3] http://www.opensc-project.org/opensc/changeset/4646



Re: [opensc-devel] Initialisation of CardOS

2010-09-01 Thread Martin Paljak
Hello,
On Sep 1, 2010, at 12:59 AM, Andre Zepezauer wrote:
 Hello all,
 
 what do you think of dropping the possibility to initialise CardOS smart
 cards in 0.11.14? The reason of doing so, is to stop the production of
 more of these questionable split-key cards.
What would be the rationale of doing it? I don't think turning it off is a 
good idea, but a fat warning (Use a more recent version!) could be used, 
if justified and needed (why?).
 
 If nobody is willing to write a proper pkcs15-emulation for split-key
 cards, then the support of it is dropped someday. But why should this
 ever happen? Because the remaining split-key specific code [1] may slow
 down new developments or prevent some kind of improvements in
 framework-pkcs15 and other places. Not yet, but for sure.
 
 Every change on framework-pkcs15 (maybe in other places too) must take
 split-keys into account. Therefore developers are forced to work around
 this strange concept for years. Hopefully not as many years.
 
 To disable the initialisation with split-keys now makes sense, because
 it will prevent the population from growing. In my opinion this is the best
 that could be done. Also it will prevent people from _accidentally_
 initialising with split-keys.
 
 *to disable initialisation with split-keys in 0.11.14 may raise the
 awareness of the new method in 0.12.X
 *everyone who wants longer support can use 0.12.X for initialisation
 *everyone who wants to initialise with split-keys can do this with
 the releases up to 0.11.13
 
 Since there is a better method of initialising CardOS, why not push
 that?

Disabling functionality is not OK for a point release. A Big Fat Warning when 
using --split-keys is IMO enough in this case.

Is it possible to upgrade split-keys cards? Something along the lines of [1]

[1] http://www.opensc-project.org/opensc/changeset/4516
-- 
Martin Paljak
@martinpaljak.net
+3725156495



Re: [opensc-devel] Personal Review Of The Upcoming 0.12.0 Release

2010-09-01 Thread Martin Paljak
Hello,

On Sep 1, 2010, at 9:41 AM, Aleksey Samsonov wrote:
 On the other hand, it really seems that RSA is only done in software
 with card-rutoken.c. Perhaps that device does not support RSA in
 hardware at all?
 I suggest to remove the offending code and pay closer attention in the 
 future to avoid such code. Will write it to the wiki as well. Apparently we 
 need to clarify the capabilities of Rutoken (and different versions of it) 
 regarding their RSA support *and* GOST support.
 
 Rutoken S [1] doesn't support on-board RSA (as opposed to Rutoken ECP). 
 Rutoken ECP [2] has on-board RSA (with RSA keys up to 2048 bits), GOST R 
 34.10-2001 (public-key cryptography), GOST 34.11-94 (hash) and GOST 28147-89 
 (symmetric-key algorithm).
 The file card-rutoken.c provides support for Rutoken S, and this code worked 
 with the old OpenSC scheme. Now (with the new scheme) none of the old 
 functionality works on Rutoken S. Example: software key generation was removed [3].
Right. Software RSA support for Rutoken S should then be removed.

OpenSC should be a gateway to key operations in hardware. 

Maybe, just maybe, it would make sense to support data objects over PKCS#11 
for using smart cards like small secure flash drives (like TrueCrypt wants to 
use PKCS#11), but key material should never be automagically extracted into host 
memory with the user of OpenSC (PKCS#11) left with the impression that key operations 
are taking place inside the token, when in fact they are not.

-- 
Martin Paljak
@martinpaljak.net
+3725156495



Re: [opensc-devel] Opensc and SetCOS.

2010-09-01 Thread Patrik Martinsson

Hey again, (my last message seems to have been discarded somehow)

Martin,
I tried the same setup with the open ccid driver and I'm posting my logs 
here.


I got the same result as earlier, however the following line is not present 
anymore:
reader-pcsc.c:284:refresh_attributes: OMNIKEY CardMan 3x21 00 
00:SCardGetStatusChange failed: 0x8013


ccid-1.3.9-3.el6.x86_64
pcsc-lite-1.5.2-5.el6.x86_64
pcsc-lite-libs-1.5.2-5.el6.x86_64

Any ideas what could be wrong?

/Patrik Martinsson,
Sweden.



Re: [opensc-devel] Opensc and SetCOS.

2010-09-01 Thread Jean-Michel Pouré - GOOZE
On Wed, 2010-09-01 at 09:11 +0200, Patrik Martinsson wrote:
 I got the same result as earlier, however following line is not
 present 
 anymore
 reader-pcsc.c:284:refresh_attributes: OMNIKEY CardMan 3x21 00 
 00:SCardGetStatusChange failed: 0x8013

Make sure you don't compile OpenCT, or do not enable it. When OpenCT is
enabled, there is a chance that it opens a connection with the card and
locks access. This is one reason why OpenCT should be integrated as an
ifdhandler in libccid.

Read:
http://www.gooze.eu/howto/smartcard-quickstarter-guide/known-issues
-- 
  Jean-Michel Pouré - Gooze - http://www.gooze.eu


Re: [opensc-devel] Opensc and SetCOS.

2010-09-01 Thread Patrik Martinsson
Hmm, yes, I hear you.

I've no openct packages installed, and in my opensc.conf there is only 
the pcsc driver enabled. Is there some other way to disable it that I 
don't know of?
reader_drivers = pcsc;

These lines indicate that something is wrong, don't they? How can I 
debug this?
0x7fb5c06507c0 10:04:06.850 [opensc-pkcs11] 
reader-pcsc.c:1139:pcsc_wait_for_event: return allocated 'reader states'
0x7fb5c06507c0 10:04:06.850 [opensc-pkcs11] 
reader-pcsc.c:1143:pcsc_wait_for_event: returning with: -1112
0x7fb5c06507c0 10:04:06.850 [opensc-pkcs11] 
pkcs11-global.c:664:C_WaitForSlotEvent: sc_wait_for_event() returned -1112
0x7f79065f07c0 09:59:44.216 [opensc-pkcs11] 
misc.c:59:sc_to_cryptoki_error_common: opensc error: Timeout while 
waiting for event from card reader (-1112)


/Patrik Martinsson,
Sweden.



Re: [opensc-devel] Opensc and SetCOS.

2010-09-01 Thread Jean-Michel Pouré - GOOZE
On Wed, 2010-09-01 at 10:06 +0200, Patrik Martinsson wrote:
 I've no openct packages installed, and in my opensc.conf there is
 only 
 the pcsc driver enabled, is there some other way to disable it that i 
 dont know of ?
 reader_drivers = pcsc; 

These settings should suffice.

Another possibility is a PKCS#11 application having access to your card.
This is the case for some applications. Usually, I put lock_login =
false;

When using Gnome, for example, Iceweasel, evolution and seahorse can have
simultaneous access, which may throw an error at some point.

Setting lock_login = false is less secure, but it avoids locking.

Your problem probably lies somewhere else. Use a recent and supported
smartcard and this should be okay.

Kind regards,
-- 
  Jean-Michel Pouré - Gooze - http://www.gooze.eu



Re: [opensc-devel] Opensc and SetCOS.

2010-09-01 Thread Jean-Michel Pouré
When using Gnome for example, Iceweasel, evolution and seahorse can have
simultaneous access, which may throw an error at some point.

Just for information, a nice project would be to participate 
in Gnome-Keyring to have good support for PKCS#11 and let Gnome-Keyring manage
security based on smartcards.

Kind regards,
-- 
  Jean-Michel Pouré - Gooze - http://www.gooze.eu


Re: [opensc-devel] Opensc and SetCOS.

2010-09-01 Thread Patrik Martinsson

 These settings should suffice.

Ok, cool.


 When using Gnome for example, Iceweasel, evolution and seahorse can have 
 simultaneous access, which may throw an error at some point.

Hmm, I don't have anything else running on the computer at this time.


 Your problem probably lies somewhere else. Use a recent and supported 
 smartcard and this should be okay.

Yeah, well, unfortunately I cannot make this happen, since my company bought 
these cards for all the employees (500+).

I'm putting my faith in this mailing list.. :)

/Patrik Martinsson,
Sweden.




Re: [opensc-devel] Opensc and SetCOS.

2010-09-01 Thread Patrik Martinsson
  When using Gnome for example, Iceweasel, evolution and seahorse can have
  simultaneous access, which may throw an error at some point.

  Just for information, a nice project would be to participate
  in Gnome-Keyring to have good support for PKCS#11 and let Gnome-Keyring 
 manage
  security based on smartcards.

Yeah, I would love that, however my programming skills are limited, and 
my smart-card skills even more.

I would like to see a couple of things on the smart-card side when it 
comes to Linux though:

1. Support for integrated readers (like the ones in HP's laptops 
(6930p/8440p etc.)); I guess the hardware manufacturers are the only ones 
that could change this.
2. Support by gdm/screensaver/or any application actually that uses 
pkcs11, to handle locked cards. (I think if the card is locked you 
should get the possibility to unlock it with your PUK; I don't know why 
this is not possible today?)
3. Support for NM to handle pkcs11 tokens when authenticating to 802.1X 
wireless networks.

I guess 2 and 3 are application-specific rather than opensc, however I 
thought I would share my two cents.

/Patrik Martinsson,
Sweden.


Re: [opensc-devel] Opensc and SetCOS.

2010-09-01 Thread Martin Paljak

On Sep 1, 2010, at 10:29 AM, Jean-Michel Pouré - GOOZE wrote:

 On Wed, 2010-09-01 at 09:11 +0200, Patrik Martinsson wrote:
 I got the same result as earlier, however following line is not
 present 
 anymore
 reader-pcsc.c:284:refresh_attributes: OMNIKEY CardMan 3x21 00 
 00:SCardGetStatusChange failed: 0x8013
 
 Make sure you don't compile OpenCT, or do not enable it. When OpenCT is
 enabled, there is a chance that it opens a connection with the card and
 locks access. This is one reason why OpenCT should be integrated as an
 ifdhandler in libccid.


Check the logs. OpenCT has nothing to do with it. The culprit, failing 
C_WaitForSlotEvent and pcsc_wait_for_event, has been identified a few e-mails 
back. reader-pcsc.c needs fixing for a) card re-insertion detection b) event 
waiting.

-- 
Martin Paljak
@martinpaljak.net
+3725156495



Re: [opensc-devel] Opensc and SetCOS.

2010-09-01 Thread Martin Paljak

On Sep 1, 2010, at 11:25 AM, Jean-Michel Pouré - GOOZE wrote:

 On Wed, 2010-09-01 at 10:06 +0200, Patrik Martinsson wrote:
 I've no openct packages installed, and in my opensc.conf there is
 only 
 the pcsc driver enabled, is there some other way to disable it that i 
 dont know of ?
 reader_drivers = pcsc; 
 
 These settings should suffice.
 
 Another possibility is a PKCS#11 application having access to your card.
 This is the case of some applications. Usually, I put lock_login =
 false;
OpenSC 0.12.0-svn has lock_login = false by default, also written in the log 
file (lock_login=0):

0x7ffd4bc067c0 16:23:28.457 [opensc-pkcs11] misc.c:325:load_pkcs11_parameters: 
PKCS#11 options: plug_and_play=1 max_virtual_slots=16 slots_per_card=4 
hide_empty_tokens=1 lock_login=0 pin_unblock_style=0 zero_ckaid_for_ca_certs=0




-- 
Martin Paljak
@martinpaljak.net
+3725156495



Re: [opensc-devel] Opensc and SetCOS.

2010-09-01 Thread Martin Paljak
Hello,

On Sep 1, 2010, at 12:12 PM, Patrik Martinsson wrote:
 1. Support for integrated readers (like the ones in HP's laptops 
 (6930p/8440p etc.)); I guess the hardware manufacturers are the only ones 
 that could change this.
Only if they integrate standard CCID readers directly to the USB bus. 
Unfortunately they use integrated chips that do secure digital and smart 
card. Some Linux tutorials in the wild, that talk about OpenSC, direct people 
to memory card reader listings (where, indeed, some chips support smart cards 
but AFAIK only on Windows) instead of libccid's extensive list...

 2. Support by gdm/screensaver/or any application actually that uses 
 pkcs11, to handle locked cards. (I think if the card is locked you 
 should get the possibility to unlock it with your PUK; I don't know why 
 this is not possible today?)
Why should a screensaver handle locked cards? Unlocking PINs via PKCS#11 is 
somewhat tricky/impossible. I can understand that, for usability, if you have a 
single workstation and you get locked out of your computer, how else could you 
unlock your card. But from a security perspective, handling a locked token as a 
dysfunctional token is OK. Depending on the setup, maybe you need to talk to a 
security officer to get your card unlocked or do a more complicated (remote) 
unlock procedure.

PKCS#11 only provides C_SetPIN which is meant to change the PIN code of the 
current user.

 3. Support for NM to handle pkcs11 tokens when authenticating to 802.1X 
 wireless networks.
wpa_supplicant, which NetworkManager uses, should support PKCS#11, but 
apparently the functionality is not important enough to be exposed via the GUI.



 I guess 2 and 3 are application-specific rather than opensc, however I 
 thought I would share my two cents.
OpenSC can use any smart card reader that has a functioning driver in either 
pcsc-lite (preferred), OpenCT (might exist for exotic devices on Linux) or 
CT-API (you'll probably not find them).

To collect such wishlist items, I created a small wiki page [1] for things that 
would really be nice to have one day, but which are not realistic or not 
actionable enough to create a ticket at this current moment. Feel free to 
update it.

[1] http://www.opensc-project.org/opensc/wiki/WishList
-- 
Martin Paljak
@martinpaljak.net
+3725156495



Re: [opensc-devel] Opensc and SetCOS.

2010-09-01 Thread Jean-Michel Pouré - GOOZE
On Wed, 2010-09-01 at 11:12 +0200, Patrik Martinsson wrote:
 2. Support by gdm/screensaver/or any application actually that uses 
 pkcs11, to handle locked cards. (I think if the card is locked you 
 should get the possibility to unlock it with your PUK; I don't know
 why 
 this is not possible today?)

Locking the gdm screen is possible. A user sent me the solution:

pkcs11_eventmgr {

    # Run in background? Implies debug=false if true
    daemon = true;

    # show debug messages?
    debug = false;

    # polling time in seconds
    polling_time = 1;

    # expire time in seconds
    # default = 0 ( no expire )
    expire_time = 0;

    # pkcs11 module to use
    pkcs11_module = "/usr/lib/opensc-pkcs11.so";

    #
    # list of events and actions

    # Card inserted
    event card_insert {
        # what to do if an action fails?
        # ignore  : continue to next action
        # return  : end action sequence
        # quit    : end program
        on_error = ignore ;

        # You can enter several, comma-separated action entries
        # they will be executed in turn
        action = "gnome-screensaver-command --poke";
    }

    # Card has been removed
    event card_remove {
        on_error = ignore;
        action = "gnome-screensaver-command --lock";
    }

    # Too much time card removed
    event expire_time {
        on_error = ignore;
        action = "/bin/false";
    }
}


 3. Support for NM to handle pkcs11 tokens when authenticating to 802x 
 wireless networks.

This can be done using a FreeRadius server and LDAP. You authenticate to
LDAP using a smartcard, and the wireless access point (AP) should
authenticate to the FreeRadius server. But this only works on your local
wireless network. And you need a FreeRadius-compatible AP. Some very
cheap Linux-based APs are available today.

I am not aware of a solution which would keep your WEP keys directly on
the smartcard.

Gnome and gnome-keyring + seahorse are able to store the wireless keys
securely. You connect to Gnome using a smartcard and this unlocks the
wireless keys. In most cases, this is sufficient.

You may read these tutorials:
http://www.gooze.eu/howto/gnu-linux-smartcard-logon-using-pam-p11
http://www.gooze.eu/howto/gnu-linux-smartcard-logon-using-pam-pkcs11

After connection to Gnome using PAM, this should unlock the wireless
keys.

Kind regards,
-- 
  Jean-Michel Pouré - Gooze - http://www.gooze.eu



Re: [opensc-devel] Opensc and SetCOS.

2010-09-01 Thread Martin Paljak

On Sep 1, 2010, at 1:28 PM, Jean-Michel Pouré - GOOZE wrote:
Hello,

 On Wed, 2010-09-01 at 11:12 +0200, Patrik Martinsson wrote:
 2. Support by gdm/screensaver/or any application actually that uses 
 pkcs11, to handle locked cards. (I think if the card is locked you 
 should get the possibility to unlock it with your puk, I don't know
 why 
 this is not possible today ? )
 
 Locking gdm screen is possible. 

GDM/screensaver handling locked cards (with a blocked PIN code) by supporting 
unlocking them with a PUK code is not the same as locking gdm screen when a 
card is removed.


 3. Support for NM to handle pkcs11 tokens when authenticating to 802x 
 wireless networks.

 I am not aware of a solution which would keep your WEP keys directly on
 smartcard.

Why mix WEP (a totally broken crypto system) with smart cards (still pretty 
good protection for good crypto keys, if properly implemented)?

There is a prototype of EAP-TLS running purely on a smart card [1]. 

Smart card authentication usually means using the keys on the card, not storing 
plaintext keys on the card.

[1] http://perso.telecom-paristech.fr/~urien/openeapsmartcard/
-- 
Martin Paljak
@martinpaljak.net
+3725156495



Re: [opensc-devel] Opensc and SetCOS.

2010-09-01 Thread Patrik Martinsson

About gdm, screensaver etc.

Yes, I know it's possible to lock the screen at removals and poke the 
screensaver at insertions; my suggestion was the ability to unlock the 
PIN on the card at those times (e.g. the wrong PIN was entered x times 
and the PIN got locked).
Whether this is a good security practice or not I leave unsaid; I can 
only compare to our Windows users, who get the possibility to unlock 
their PIN through their PUK when they insert a card and its PIN is 
locked. (Whether it's at logon or at the screensaver doesn't matter; 
they use third-party software for this and maybe this behavior is bad, 
however that's what I was comparing against.)
As a Linux user today at our company you need to find a Windows computer 
or go to our helpdesk to get your card unlocked; you also need to call 
the helpdesk to get your PUK.
I guess what I'm asking for is a simple way for the user to understand 
that their card is locked, e.g. telling the user that the 'card is 
locked' instead of 'logon failure' as it is today. But again, maybe this 
is not possible, or maybe this is application specific rather than opensc.

  Only if they integrate standard CCID readers directly to the USB 
bus. Unfortunately they use integrated chips that do secure digital 
and smart card. Some Linux tutorials in the wild, that talk about 
OpenSC,  direct people to memory card reader listings (where, indeed, 
some chips support smart cards but AFAIK only on Windows) instead of 
libccid's extensive list...

Yep, I was actually talking about one of those chips, R5C822 
(http://www.ricoh.com/LSI/product_pcif/pcc/5c821/index.html). According to the 
homepage the chip is discontinued, however HP still delivers them in their brand 
new models, 8440p for example, god knows why. Is there any chance that we would 
see some support for these chipsets under Linux?


  wpa_supplicant, which NetworkManager uses, should support PKCS#11, 
but apparently the functionality is not important enough to be exposed 
via the GUI.
Exactly, we got this working with wpa_supplicant, however it would be 
gold for the users if they simply could connect through NM with this 
type of security. I've seen some patches around this at Ubuntu's 
launchpad, 
https://bugs.launchpad.net/ubuntu/+source/network-manager/+bug/120363, 
unfortunately I didn't get this working.

  Check the logs. OpenCT has nothing to do with it. The culprit, failing 
 C_WaitForSlotEvent and pcsc_wait_for_event, has been identified a few e-mails 
 back. reader-pcsc.c needs fixing for a) card re-insertion detection b) event 
 waiting.
Hmm yes, I've checked the logs, and if I understand you correctly, it's a 
pcsc-lite issue? So I should take it to their mailing list instead?

/Patrik Martinsson,
Sweden





Re: [opensc-devel] Opensc and SetCOS.

2010-09-01 Thread Martin Paljak
Hello,

On Sep 1, 2010, at 1:58 PM, Patrik Martinsson wrote:
 As a Linux user today at our company you need to find a Windows computer or 
 go to our helpdesk to get your card unlocked; you also need to call the 
 helpdesk to get your PUK.
 I guess what I'm asking for is a simple way for the user to understand that 
 their card is locked, e.g. telling the user that the 'card is locked' instead 
 of 'logon failure' as it is today. But again, maybe this is not possible, or 
 maybe this is application specific rather than opensc.
That can be improved in gdm/screensaver. OpenSC returns CKF_USER_PIN_LOCKED 
after a PIN entry try if the method got blocked. Even NSS/Firefox used to 
ignore this return code for a long time and as a result asked for a PIN 3 times 
(hardcoded apparently) even if the PIN was already locked. That got fixed 
lately; don't know when it will arrive in Firefox though. Also see ticket #250 [1] 
for further flags to check for usability (e.g. a "This will be your final PIN 
try, failing this will block your PIN" message).



  Only if they integrate standard CCID readers directly to the USB bus. 
  Unfortunately they use integrated chips that do secure digital and 
  smart card. Some Linux tutorials in the wild, that talk about OpenSC,  
  direct people to memory card reader listings (where, indeed, some chips 
  support smart cards but AFAIK only on Windows) instead of libccid's 
  extensive list...
 
 Yep, I was actually talking about one of those chips, R5C822 
 (http://www.ricoh.com/LSI/product_pcif/pcc/5c821/index.html). According to 
 the homepage the chip is discontinued, however HP still delivers them in their 
 brand new models, 8440p for example, god knows why. Is there any chance that 
 we would see some support for these chipsets under Linux?
This has been discussed before [2] on MUSCLE mailing list. I doubt it will 
happen [3].


 
 Check the logs. OpenCT has nothing to do with it. The culprit, failing 
 C_WaitForSlotEvent and pcsc_wait_for_event, has been identified a few 
 e-mails back. reader-pcsc.c needs fixing for a) card re-insertion detection 
 b) event waiting.
 Hmm yes, I've checked the logs, and if I understand you correctly, it's a 
 pcsc-lite issue? So I should take it to their mailing list instead?
No, it is a bug in OpenSC pcsc driver. Just wanted to draw the attention to the 
fact that it has nothing to do with Open*CT*.


[1] http://www.opensc-project.org/opensc/ticket/250
[2] http://lists.drizzle.com/pipermail/muscle/2009-December/008009.html
[3] http://lists.drizzle.com/pipermail/muscle/2009-December/008013.html
-- 
Martin Paljak
@martinpaljak.net
+3725156495

___
opensc-devel mailing list
opensc-devel@lists.opensc-project.org
http://www.opensc-project.org/mailman/listinfo/opensc-devel
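The usability point Martin makes above, that a client should read the token flags (CKF_USER_PIN_LOCKED, and the final-try / count-low flags ticket #250 refers to) before prompting instead of blindly asking three times, as an added example that is not part of the original thread or of OpenSC's code. The flag and return values are the ones PKCS#11 defines; the token, its 3-try PIN and the two client loops are constructed for the illustration:

```c
#include <stdio.h>
#include <string.h>

/* Flag and return values as defined by PKCS#11 (CK_TOKEN_INFO.flags, CK_RV).
 * The token below is a constructed stand-in with a 3-try PIN, not OpenSC's
 * PKCS#11 module. */
#define CKF_USER_PIN_COUNT_LOW  0x00010000UL
#define CKF_USER_PIN_FINAL_TRY  0x00020000UL
#define CKF_USER_PIN_LOCKED     0x00040000UL
#define CKR_OK                  0x00UL
#define CKR_PIN_INCORRECT       0xA0UL
#define CKR_PIN_LOCKED          0xA4UL

#define MAX_TRIES 3

struct fake_token {
    const char *pin;       /* correct PIN of the constructed token */
    int tries_left;        /* attempts remaining before the PIN blocks */
    unsigned long flags;   /* what C_GetTokenInfo would report */
};

/* Derive the PIN-state flags from the retry counter, as a token does. */
static void update_flags(struct fake_token *t)
{
    t->flags &= ~(CKF_USER_PIN_COUNT_LOW | CKF_USER_PIN_FINAL_TRY |
                  CKF_USER_PIN_LOCKED);
    if (t->tries_left <= 0)
        t->flags |= CKF_USER_PIN_LOCKED;
    else if (t->tries_left == 1)
        t->flags |= CKF_USER_PIN_FINAL_TRY;
    else if (t->tries_left < MAX_TRIES)
        t->flags |= CKF_USER_PIN_COUNT_LOW;
}

/* Stand-in for C_Login: a blocked PIN is refused, a wrong one costs a try. */
static unsigned long fake_login(struct fake_token *t, const char *pin)
{
    if (t->tries_left <= 0) {
        update_flags(t);
        return CKR_PIN_LOCKED;
    }
    if (strcmp(pin, t->pin) == 0) {
        t->tries_left = MAX_TRIES;
        update_flags(t);
        return CKR_OK;
    }
    t->tries_left--;
    update_flags(t);
    return t->tries_left <= 0 ? CKR_PIN_LOCKED : CKR_PIN_INCORRECT;
}

/* What the user should be told, derived from the flags alone. */
static const char *pin_state_message(unsigned long flags)
{
    if (flags & CKF_USER_PIN_LOCKED)
        return "card is locked";
    if (flags & CKF_USER_PIN_FINAL_TRY)
        return "this will be your final PIN try, failing this will block your PIN";
    if (flags & CKF_USER_PIN_COUNT_LOW)
        return "previous PIN entry was wrong";
    return "enter PIN";
}

/* Naive client: ignores the flags, prompts a fixed three times and can only
 * say "logon failure". Returns how many times the user was prompted. */
static int naive_login_loop(struct fake_token *t, const char *typed_pin)
{
    int prompts = 0;
    for (int i = 0; i < 3; i++) {
        prompts++;
        if (fake_login(t, typed_pin) == CKR_OK)
            return prompts;
        puts("logon failure");
    }
    return prompts;
}

/* Flag-aware client: consults the token flags before every prompt, shows the
 * final-try warning and stops as soon as the PIN is locked. */
static int aware_login_loop(struct fake_token *t, const char *typed_pin)
{
    int prompts = 0;
    while (!(t->flags & CKF_USER_PIN_LOCKED)) {
        printf("prompt: %s\n", pin_state_message(t->flags));
        prompts++;
        if (fake_login(t, typed_pin) == CKR_OK)
            return prompts;
    }
    puts(pin_state_message(t->flags)); /* "card is locked", not "logon failure" */
    return prompts;
}

int main(void)
{
    struct fake_token locked = { "1234", 0, 0 };
    update_flags(&locked);
    printf("naive client on a locked card prompted %d times\n",
           naive_login_loop(&locked, "0000"));
    printf("aware client on a locked card prompted %d times\n",
           aware_login_loop(&locked, "0000"));
    return 0;
}
```

On an already-locked token the naive loop still asks three times and reports three logon failures, which is exactly the behaviour described for NSS/Firefox; the flag-aware loop asks zero times and tells the user the card is locked.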


Re: [opensc-devel] Opensc and SetCOS.

2010-09-01 Thread Jean-Michel Pouré - GOOZE
On Wed, 2010-09-01 at 12:58 +0200, Patrik Martinsson wrote:
   wpa_supplicant, which NetworkManager uses, should support PKCS#11, 
   but apparently the functionality is not important enough to be 
   exposed via the GUI.
 Exactly, we got this working with wpa_supplicant, however it would be 
 gold for the users if they simply could connect through NM with this 
 type of security. I've seen some patches around this at Ubuntu's 
 launchpad, 
 https://bugs.launchpad.net/ubuntu/+source/network-manager/+bug/120363, 
 unfortunately I didn't get this working. 

This is a very cool feature that I was not aware of. And it seems
reasonable!

The place to discuss network manager smartcard features is probably the
project page http://projects.gnome.org/NetworkManager/

I registered the Gnome mailing list to discuss this feature.

Thanks.
-- 
  Jean-Michel Pouré - Gooze - http://www.gooze.eu



Re: [opensc-devel] Problem with 2K keys and MyEID

2010-09-01 Thread Aventra development
Hi,

I don’t have any objections to the change you proposed, Andre. I have also 
prepared and attached to this message a patch, please review and commit. It 
adds the following features to the MyEID driver (based on trunk) and also 
includes some whitespace fixes:

- Card initialization and finalization (activation)

- Key generation (thanks to Viktor, however now I have some problem with pcsc 
transmit failing after some time while the card is generating the key)

- PIN change and unblock (code added to MyEID driver, but it does not work with 
pkcs15-tool (does nothing), pkcs11-tool works, but pkcs#11 module does not when 
using Firefox).

Another problem with Firefox is that certificate enrollment does not work when 
using the pkcs#11 module, e.g. when using this site: pkitest.gdm.de/starsign

Anyway it's a step forward. If somebody is able to help with the Firefox 
problem or knows why the pkcs15-tool does not work, feel free to edit the code 
or send some information to me so we can get these working as well.


Kind regards,
Toni

 -Original Message-
 From: opensc-devel-boun...@lists.opensc-project.org [mailto:opensc-devel-
 boun...@lists.opensc-project.org] On Behalf Of Andre Zepezauer
 Sent: 31 August 2010 21:02
 To: Viktor TARASOV
 Cc: 'OpenSC-devel'
 Subject: Re: [opensc-devel] Problem with 2K keys and MyEID
 
 On Tue, 2010-08-31 at 18:40 +0200, Viktor TARASOV wrote:
  Andre Zepezauer wrote:
   On Mon, 2010-08-30 at 15:19 +0200, Viktor TARASOV wrote:
  
   Aventra development wrote:
  
   The 1K key generation works nicely, but we are having a problem
   generating a 2K key using OpenSC 0.11.13 and our own MyEID card.
  
   OpenSC correctly finds a new file id and creates the file, and after
   that it tries to store the key to that file.
  
   The issue is that the created file’s size is only 1024 bytes, so the
   card will answer with 67 00 (Wrong length).
  
   Some code in OpenSC decides to create the wrong sized file, but I have
   not been able to find it.
  
    Now I’m curious: do other cards work when generating (or just
    loading) 2048 byte keys?
  
  
    For me, to generate the 2048 bits key on the Aventra card,
    the following patch needed to be applied to the OpenSC trunk.
  
   If no objection, I'll commit this patch to trunk.
  
  
   Hello Viktor,
  
    I would write the check for supported modulus length a bit more generic.
    But it's functionally the same as yours, because MyEID supports only
    1024 and 2048 bit (at least the driver does). Therefore it doesn't
    matter a lot.
   
    #include "internal.h"
   
    pkcs15init/pkcs15-myeid.c:513
  /* check that the card supports the requested modulus length */
  if (_sc_card_find_rsa_alg(p15card->card, keybits) == NULL)
  SC_TEST_RET(ctx, LEVEL, ERROR, MSG);
  
 
  Agree, it's much better.
  I hope that Toni (maintainer of myEID driver) have no objections.
 
   On the other hand it would be fine to give a good example, because
   someone may want to copy+paste your code. See copy+paste in the card
   drivers [1].
  
   The same check also occurs in line 427, 514, 574, 637. And interestingly
   _always_ some lines below there is the following conditional assignment:
    if (file->size < 1024)
  file->size = 1024;
  
 
  Will you prepare the patch?
 
  I don't have the required hardware, therefore testing isn't possible for me.
  But if someone would send me some pieces of these cards, I could do it
  myself the next time.
 
   Regards
   Andre
  
 
  Kind wishes,
  Viktor.
 
    [1] http://www.opensc-project.org/pipermail/opensc-devel/2010-August/014615.html
  
  
  
  
 
 
 


opensc-myeid.patch
Description: Binary data

Re: [opensc-devel] Opensc and SetCOS.

2010-09-01 Thread Peter Stuge
Martin Paljak wrote:
  R5C822 (http://www.ricoh.com/LSI/product_pcif/pcc/5c821/index.html).
  According to the homepage the chip is discontinued however HP
  still delivers them in their brand new models, 8440p for example,
  god knows why. Is there any chance that we would see some support
  on these chipsets under Linux ?
 
 This has been discussed before [2] on MUSCLE mailing list. I doubt
 it will happen [3].

Unfortunately I'd say you are quite right, Martin.

HP do not make the computers they sell. There's a small group of
companies called ODMs, Original Design Manufacturer, typically in
Taiwan, which design and manufacture pretty much all consumer
electronics today.

The ODMs have the documentation for the chips, but they have
typically signed absurdly strict NDAs with the chip makers. Some chip
makers welcome the open source community and try to help them out,
others run away screaming. (Or decline politely.)

Unless the chip vendor wants to help, be it officially, or
unofficially, through some side channel, then reverse engineering is
the only way to get a device supported, but that requires tremendous
amounts of work; it can't really be justified economically by 500
users, or even 5000. :\

The (not-so-)quick fix would be in procurement. An open source aware
organization must factor software support into purchasing decisions,
maybe together with the group(s) which create technical requirements
in the organization, so the relevant pieces of hardware can be
ignored.

The purchasing task is hard, specifically because of the gap between
OEMs (HP, Lenovo, Dell, etc) and ODMs. There's maybe a handful of
people at HP worldwide who really know the details of components in
the systems they sell. There is no channel from consumers with a clue
to peers within the very long production chain for the products we
hold in our hands.


//Peter


[opensc-devel] MyEID microSD

2010-09-01 Thread Andre Zepezauer
Hello Toni,

by visiting the webshop of Aventra I have noticed that there is a smart
card in microSD format in their portfolio. I have been looking for such
a device for a while, but haven't found a supplier so far. Are you able
to provide some more information on it? Most important to me is the
existence of an ifd-handler for Linux.

Kind Regards
Andre



Re: [opensc-devel] Problem with 2K keys and MyEID

2010-09-01 Thread Martin Paljak
Hello,

On Sep 1, 2010, at 7:23 PM, Aventra development wrote:
 - Card initialization and finalization (activation)
From the patch:

+static int card_state;
+
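Review bot: a file-scope `static int card_state` lives in the driver, not in the card, so every MyEID card handled by the same process shares one value and a second card in another reader would overwrite the first one's state; allocate it with the rest of the per-card private data at card init and read it through the card handle instead.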

card_state is now a card driver property, not a card property. I suspect this 
is not what you want.


 - Key generation (thanks to Viktor, however now I have some problem with pcsc 
 transmit failing after some time while the card is generating the key)
Which reader do you use? Can you try with some other reader? 

 - PIN change and unblock (code added to MyEID driver, but it does not work 
 with pkcs15-tool (does nothing), pkcs11-tool works, but pkcs#11 module does 
 not when using Firefox).

myeid_pin_cmd looks redundant, except for the card state check. 

You need to only set pin->pad_length=8 and pin->pad_char=0xFF and delegate to 
iso_pin_cmd.

 Anyway it's a step forward. If somebody is able to help with the Firefox 
 problem or knows why the pkcs15-tool does not work, feel free to edit the 
 code or send some information to me so we will get also these working.
Please provide a debug log.


-- 
Martin Paljak
@martinpaljak.net
+3725156495

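What pad_length=8 / pad_char=0xFF mean in practice for the PIN verify, change and unblock commands Toni added, as an added example that is not part of the thread or of OpenSC's own iso_pin_cmd. The INS bytes and P1 encodings are the ISO 7816-4 ones; the `pin_spec` struct, its field names and the PIN values are a constructed model for this illustration, and the P2 reference 0x81 is an assumption:

```c
#include <stdio.h>
#include <string.h>
#include <stdint.h>

/* ISO 7816-4 instruction bytes for the three PIN commands. */
#define ISO_INS_VERIFY               0x20
#define ISO_INS_CHANGE_REFERENCE     0x24
#define ISO_INS_RESET_RETRY_COUNTER  0x2C

/* Constructed model of the padding parameters a card driver has to set;
 * not OpenSC's own struct. */
struct pin_spec {
    size_t  pad_length;   /* fixed length the card expects per PIN block */
    uint8_t pad_char;     /* filler byte (0xFF for MyEID, per the thread) */
    uint8_t reference;    /* P2: PIN reference on the card (assumed 0x81) */
};

/* Copy a PIN into a fixed-size block padded with pad_char.
 * Returns 0 on success, -1 if the PIN is longer than the block. */
static int pad_pin(const struct pin_spec *spec, const char *pin, uint8_t *out)
{
    size_t len = strlen(pin);
    if (len > spec->pad_length)
        return -1;
    memcpy(out, pin, len);
    memset(out + len, spec->pad_char, spec->pad_length - len);
    return 0;
}

/* Build the command APDU for VERIFY (pin2 == NULL), CHANGE REFERENCE DATA
 * (pin1 = old PIN, pin2 = new PIN) or RESET RETRY COUNTER (pin1 = PUK,
 * pin2 = new PIN). P1 = 00 in all three cases: the verification data is
 * followed by the new reference data. Returns the APDU length or -1. */
static int build_pin_apdu(uint8_t ins, const struct pin_spec *spec,
                          const char *pin1, const char *pin2,
                          uint8_t *apdu, size_t apdu_size)
{
    size_t blocks = pin2 ? 2 : 1;
    size_t lc = blocks * spec->pad_length;
    if (5 + lc > apdu_size || lc > 255)
        return -1;
    apdu[0] = 0x00;            /* CLA */
    apdu[1] = ins;             /* INS */
    apdu[2] = 0x00;            /* P1 */
    apdu[3] = spec->reference; /* P2 */
    apdu[4] = (uint8_t)lc;     /* Lc */
    if (pad_pin(spec, pin1, apdu + 5) < 0)
        return -1;
    if (pin2 && pad_pin(spec, pin2, apdu + 5 + spec->pad_length) < 0)
        return -1;
    return (int)(5 + lc);
}

static void dump(const char *what, const uint8_t *apdu, int n)
{
    printf("%-22s", what);
    for (int i = 0; i < n; i++)
        printf(" %02X", apdu[i]);
    putchar('\n');
}

int main(void)
{
    /* Constructed parameters: 8-byte blocks padded with 0xFF. */
    struct pin_spec spec = { 8, 0xFF, 0x81 };
    uint8_t apdu[64];
    int n;

    n = build_pin_apdu(ISO_INS_VERIFY, &spec, "1234", NULL, apdu, sizeof apdu);
    dump("VERIFY:", apdu, n);
    n = build_pin_apdu(ISO_INS_CHANGE_REFERENCE, &spec, "1234", "567890", apdu, sizeof apdu);
    dump("CHANGE REFERENCE DATA:", apdu, n);
    n = build_pin_apdu(ISO_INS_RESET_RETRY_COUNTER, &spec, "87654321", "4321", apdu, sizeof apdu);
    dump("RESET RETRY COUNTER:", apdu, n);
    return 0;
}
```

Once the padding is expressed as data like this, the three PIN commands differ only in INS and in whether a second block is present, which is why a driver-specific pin_cmd that re-implements the generic ISO handling is redundant: setting the padding parameters and delegating is enough, and a PIN longer than the block is rejected before anything is sent to the card.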


Re: [opensc-devel] Problem with 2K keys and MyEID

2010-09-01 Thread Martin Paljak
Hello,
On Sep 1, 2010, at 7:23 PM, Aventra development wrote:

 Hi,
 
 I don’t have any objections to the change you proposed, Andre. I have also 
 prepared and attached to this message a patch, please review and commit. It 
 adds the following features to the MyEID driver (based on trunk) and also 
 includes some whitespace fixes:
While at it, also myeid_set_security_env seems to be a 1:1 copy of 
iso7816_set_security_env?

-- 
Martin Paljak
@martinpaljak.net
+3725156495
