Re: [opensc-devel] Consistence between the OpenSC and proprietary drivers

On Monday 10 January 2011 at 11:13 -0600, Douglas E. Engert wrote:
> Google for "Windows Vista Smart Card Infrastructure"
> There was a 67 page document from 2007 that could be interesting.

Thanks a lot. Highly interesting.

-- 
Jean-Michel Pouré - Gooze - http://www.gooze.eu

___
opensc-devel mailing list
opensc-devel@lists.opensc-project.org
http://www.opensc-project.org/mailman/listinfo/opensc-devel
Re: [opensc-devel] Consistence between the OpenSC and proprietary drivers

On 1/8/2011 9:11 AM, Jean-Michel Pouré - GOOZE wrote:
>> But OpenSC implements the emulation of pkcs15 and pkcs15init and thus
>> this card can be initialized and used by OpenSC and can stay
>> compatible with the native middleware.
>
> I want to make sure, so that everyone understands: the Feitian PKI can
> be initialized and used under GNU/Linux, Windows and MacOSX.
>
> It is only that initialization under Windows gives additional flags.
>
> I would like to know the importance of these flags for Windows OS. It
> seems that the Windows OS requires some flags and this is not yet
> documented on OpenSC mailing list. I suspect these flags to allow
> smartcard logon and so on.

On Windows 7 and Vista are you using the OpenSC drivers with some CSP/minidriver, or Feitian provided drivers and CSP/minidriver, or does Windows come with a Feitian driver?

My experience with Windows smartcard login is using the smartcard with login to a domain. This uses the Kerberos PKINIT protocol, RFC 4556. Windows 2000 could do an earlier version of this too. There are no additional flags for a smartcard driver, but the certificate may need to have a subjectAltName with a MSUPN, and the CA must be trusted by AD, as well as some extensions. These are outside of any PKCS#15 or OpenSC flags.

Google for "Windows Vista Smart Card Infrastructure". There was a 67 page document from 2007 that could be interesting.

But as has been pointed out, the PKCS#15 flags initialized by OpenSC for the PIN and the private keys don't look correct, and may only be working in Unix systems with OpenSC because they are being ignored, whereas on Windows they may be being checked. I.e. the Windows driver looks for a certificate (and maybe pubkey) that can verify and a matching private key that can sign.

Martin's note of 1/9/2011 looks like it addresses all these differences.

P.S. PKINIT can also work on Unix to AD (or to other Kerberos KDC) by using pam_krb5, which has pkinit support that uses PKCS#11 to OpenSC.
I can use my government issued PIV card, or a PIV card where I get a certificate from our Windows CA, to login at a Windows or Unix machine to AD.

>
> Kind regards,

-- 
Douglas E. Engert
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
Re: [opensc-devel] Breaking change in OpenSC 0.12.0 tokenInfo
This patch should fix it: Index: libopensc/pkcs15.c === --- libopensc/pkcs15.c (revision 5078) +++ libopensc/pkcs15.c (working copy) 
@@ -42,8 +42,8 @@ { "algorithmPKCS#11", SC_ASN1_INTEGER,SC_ASN1_TAG_INTEGER, 0, NULL, NULL }, { "parameters", SC_ASN1_NULL, SC_ASN1_TAG_NULL, 0, NULL, NULL }, { "supportedOperations",SC_ASN1_BIT_FIELD, SC_ASN1_TAG_BIT_STRING, 0, NULL, NULL }, - { "objId", SC_ASN1_OBJECT, SC_ASN1_TAG_OBJECT, 0, NULL, NULL }, - { "algRef", SC_ASN1_INTEGER,SC_ASN1_TAG_INTEGER, 0, NULL, NULL }, + { "objId", SC_ASN1_OBJECT, SC_ASN1_TAG_OBJECT, SC_ASN1_OPTIONAL, NULL, NULL }, + { "algRef", SC_ASN1_INTEGER,SC_ASN1_TAG_INTEGER, SC_ASN1_OPTIONAL, NULL, NULL }, { NULL, 0, 0, 0, NULL, NULL } }; On Mon, 2011-01-10 at 11:21 +0200, Aventra development wrote: > Hi, > > > > I have been testing the new release and sadly found a braking change > that causes cards that are not initialized with (the current version > of) OpenSC to result in the message “Unsupported card”. The cause is > the token info (5032 file). There is some element that OpenSC > requires, otherwise it results in “Unsupported Card”. > > > > Previously OpenSC worked well with cards not initialized with it, but > now it seems that it does not. Does anybody know what changed and why? > > I tried to browse the source and the changes, but did not manage to > track it back to any change that affected this… I’m not even sure when > this change has been done, but somewhere between versions 0.11.13 and > 0.12.0. > > > > Any help would be appreciated. Below is a log that shows the error and > the content of the tokenInfo file. The major difference is that cards > not initialized by OpenSC does not have the lastUpdate value. 
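Review bot: the hunk relaxes only the two trailing AlgorithmInfo members, objId and algRef, to SC_ASN1_OPTIONAL, and that is consistent with the reporter's dump rather than with the lastUpdate theory in the quoted message: the supportedAlgorithms value in the log (A2 0E 30 0C 02 01 00 02 01 00 05 00 03 02 00 45) holds one AlgorithmInfo that ends right after supportedOperations, so a template requiring objId is exactly what produces "Required ASN.1 object not found". Both members are OPTIONAL in the PKCS#15 v1.1 AlgorithmInfo definition, so the change is correct; the commit message should say so, and whoever applies it should check that the code consuming the decoded algorithm info treats an absent objId/algRef as "not present" rather than as a valid value, since nothing in this hunk resets the target fields when an optional entry is skipped.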
Re: [opensc-devel] Consistence between the OpenSC and proprietary drivers

On Monday 10 January 2011 at 09:50 +0100, Viktor TARASOV wrote:
> Do we have any chance to influence the card producer and to change
> behavior of their middlewares ?
> If so, then it makes sense to wait.
>
> If not, and if we are interested by the result (functionality,
> flexibility of OpenSC),
> we can implement the on-card file system expected by the native
> middleware.
> Actual 'emulation' concept allows to do it.

Dear Viktor,

We are in contact nearly every day with Feitian to discuss this. I will get back to you with proposals.

Kind regards,
Jean-Michel

-- 
Jean-Michel Pouré - Gooze - http://www.gooze.eu
[opensc-devel] Breaking change in OpenSC 0.12.0 tokenInfo

Hi,

I have been testing the new release and sadly found a breaking change that causes cards that are not initialized with (the current version of) OpenSC to result in the message "Unsupported card". The cause is the token info (5032 file). There is some element that OpenSC requires, otherwise it results in "Unsupported Card".

Previously OpenSC worked well with cards not initialized with it, but now it seems that it does not. Does anybody know what changed and why? I tried to browse the source and the changes, but did not manage to track it back to any change that affected this. I'm not even sure when this change has been done, but somewhere between versions 0.11.13 and 0.12.0.

Any help would be appreciated. Below is a log that shows the error and the content of the tokenInfo file. The major difference is that cards not initialized by OpenSC do not have the lastUpdate value.

Debug log and below that there is a more detailed log about ASN.1 parsing:

2011-01-05 12:26:07.066 [pkcs15-tool] card.c:548:sc_select_file: called; type=2, path=3f0050155032
2011-01-05 12:26:07.066 [pkcs15-tool] card-myeid.c:202:myeid_select_file: called
2011-01-05 12:26:07.066 [pkcs15-tool] apdu.c:527:sc_transmit_apdu: called
2011-01-05 12:26:07.066 [pkcs15-tool] card.c:295:sc_lock: called
2011-01-05 12:26:07.081 [pkcs15-tool] reader-pcsc.c:242:pcsc_transmit: reader 'O2 O2Micro CCID SC Reader 0'
2011-01-05 12:26:07.081 [pkcs15-tool] apdu.c:187:sc_apdu_log:
Outgoing APDU data [ 10 bytes] =
00 A4 08 00 04 50 15 50 32 FF .P.P2.
==
2011-01-05 12:26:07.081 [pkcs15-tool] reader-pcsc.c:175:pcsc_internal_transmit: called
2011-01-05 12:26:07.175 [pkcs15-tool] apdu.c:187:sc_apdu_log:
Incoming APDU data [ 27 bytes] =
6F 17 80 02 00 46 82 01 01 83 02 50 32 86 03 03 oF.P2...
3F FF 85 02 00 00 8A 01 07 90 00 ?..
==
2011-01-05 12:26:07.175 [pkcs15-tool] card.c:329:sc_unlock: called
2011-01-05 12:26:07.175 [pkcs15-tool] card-myeid.c:240:myeid_process_fci: called
2011-01-05 12:26:07.191 [pkcs15-tool] iso7816.c:304:iso7816_process_fci: processing FCI bytes
2011-01-05 12:26:07.191 [pkcs15-tool] iso7816.c:309:iso7816_process_fci: file identifier: 0x5032
2011-01-05 12:26:07.191 [pkcs15-tool] iso7816.c:316:iso7816_process_fci: bytes in file: 70
2011-01-05 12:26:07.191 [pkcs15-tool] iso7816.c:335:iso7816_process_fci: shareable: no
2011-01-05 12:26:07.191 [pkcs15-tool] iso7816.c:355:iso7816_process_fci: type: working EF
2011-01-05 12:26:07.206 [pkcs15-tool] iso7816.c:357:iso7816_process_fci: EF structure: 1
2011-01-05 12:26:07.206 [pkcs15-tool] card-myeid.c:256:myeid_process_fci: id (5032) sec_attr (3 3F FF)
2011-01-05 12:26:07.206 [pkcs15-tool] card-myeid.c:269:myeid_process_fci: File id (5032) status SC_FILE_STATUS_ACTIVATED (0x7)
2011-01-05 12:26:07.222 [pkcs15-tool] card-myeid.c:274:myeid_process_fci: returning with: 0 (Success)
2011-01-05 12:26:07.222 [pkcs15-tool] card-myeid.c:208:myeid_select_file: returning with: 0 (Success)
2011-01-05 12:26:07.222 [pkcs15-tool] card.c:569:sc_select_file: returning with: 0 (Success)
2011-01-05 12:26:07.222 [pkcs15-tool] card.c:416:sc_read_binary: called; 70 bytes at index 0
2011-01-05 12:26:07.222 [pkcs15-tool] apdu.c:527:sc_transmit_apdu: called
2011-01-05 12:26:07.238 [pkcs15-tool] card.c:295:sc_lock: called
2011-01-05 12:26:07.238 [pkcs15-tool] reader-pcsc.c:242:pcsc_transmit: reader 'O2 O2Micro CCID SC Reader 0'
2011-01-05 12:26:07.238 [pkcs15-tool] apdu.c:187:sc_apdu_log:
Outgoing APDU data [5 bytes] =
00 B0 00 00 46 F
==
2011-01-05 12:26:07.238 [pkcs15-tool] reader-pcsc.c:175:pcsc_internal_transmit: called
2011-01-05 12:26:07.285 [pkcs15-tool] apdu.c:187:sc_apdu_log:
Incoming APDU data [ 72 bytes] =
30 44 02 01 00 04 0A 18 99 90 65 01 02 93 90 98 0De.
85 0C 0A 41 76 65 6E 74 72 61 20 4F 79 80 13 41 ...Aventra Oy..A
63 74 69 76 65 50 65 72 73 6F 20 4D 61 6E 61 67 ctivePerso Manag
65 72 03 02 04 10 A2 0E 30 0C 02 01 00 02 01 00 er..0...
05 00 03 02 00 45 90 00 .E..
==
2011-01-05 12:26:07.300 [pkcs15-tool] card.c:329:sc_unlock: called
2011-01-05 12:26:07.300 [pkcs15-tool] iso7816.c:135:iso7816_read_binary: returning with: 70
2011-01-05 12:26:07.316 [pkcs15-tool] card.c:447:sc_read_binary: returning with: 70
2011-01-05 12:26:07.316 [pkcs15-tool] pkcs15.c:148:sc_pkcs15_parse_tokeninfo: ASN.1 parsing of EF(TokenInfo) failed: Required ASN.1 object not found
2011-01-05 12:26:07.316 [pkcs15-tool] pkcs15-syn.c:124:sc_pkcs15_bind_synthetic: ca
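Added example, not OpenSC's code: a small Python decoder that mimics the required-versus-OPTIONAL template walk of sc_asn1_decode, fed with the 70 TokenInfo bytes read from EF 5032 in the log above. It shows that an AlgorithmInfo template which requires objId and algRef fails with the same "Required ASN.1 object not found", while the template with those two entries flagged optional (the fix posted in this thread) decodes the card, and that the missing lastUpdate is tolerated either way. The tag table follows PKCS#15 v1.1; tlv_iter, decode and the template tuples are this example's own helpers, not OpenSC APIs.

```python
OPTIONAL = 1  # plays the role of SC_ASN1_OPTIONAL in the patch posted in this thread
# TokenInfo read from EF 5032 in the log above (trailing status word 90 00 dropped).
TOKENINFO = bytes.fromhex(
    "30 44 02 01 00 04 0A 18 99 90 65 01 02 93 90 98 85"               # version, serialNumber
    "0C 0A 41 76 65 6E 74 72 61 20 4F 79 80 13 41 63 74"               # manufacturerID, label..
    "69 76 65 50 65 72 73 6F 20 4D 61 6E 61 67 65 72 03 02 04 10"      # ..label, tokenflags
    "A2 0E 30 0C 02 01 00 02 01 00 05 00 03 02 00 45")                 # supportedAlgorithms [2]
def tlv_iter(buf):
    """Yield (tag, value) for each DER TLV in buf; single-byte tags are enough for TokenInfo."""
    i = 0
    while i < len(buf):
        tag, ln, i = buf[i], buf[i + 1], i + 2
        if ln & 0x80:                                   # long-form length
            n, i = ln & 0x7F, i + (ln & 0x7F)
            ln = int.from_bytes(buf[i - n:i], "big")
        yield tag, buf[i:i + ln]
        i += ln

def decode(template, buf):
    """Match TLVs to (name, tag, flags) in order like sc_asn1_decode; missing is an error unless OPTIONAL."""
    out, tlvs, pos = {}, list(tlv_iter(buf)), 0
    for name, tag, flags in template:
        if pos < len(tlvs) and tlvs[pos][0] == tag:
            out[name], pos = tlvs[pos][1], pos + 1
        elif not flags & OPTIONAL:
            raise ValueError("Required ASN.1 object not found: " + name)
    return out
# AlgorithmInfo: the pre-patch template requires objId/algRef, the patched one does not.
STRICT_ALG = [("reference", 0x02, 0), ("algorithm", 0x02, 0), ("parameters", 0x05, 0),
              ("supportedOperations", 0x03, 0), ("objId", 0x06, 0), ("algRef", 0x02, 0)]
FIXED_ALG = STRICT_ALG[:4] + [("objId", 0x06, OPTIONAL), ("algRef", 0x02, OPTIONAL)]
# TokenInfo per PKCS#15 v1.1: only version, serialNumber and tokenflags are mandatory.
TOKENINFO_T = [("version", 0x02, 0), ("serialNumber", 0x04, 0), ("manufacturerID", 0x0C, OPTIONAL),
    ("label", 0x80, OPTIONAL), ("tokenflags", 0x03, 0), ("seInfo", 0x30, OPTIONAL),
    ("recordInfo", 0xA1, OPTIONAL), ("supportedAlgorithms", 0xA2, OPTIONAL), ("issuerId", 0xA3, OPTIONAL),
    ("holderId", 0xA4, OPTIONAL), ("lastUpdate", 0xA5, OPTIONAL)]

def parse_tokeninfo(alg_template, buf=TOKENINFO):
    """Decode the outer TokenInfo, then each AlgorithmInfo inside supportedAlgorithms [2]."""
    ti = decode(TOKENINFO_T, next(tlv_iter(buf))[1])
    ti["supportedAlgorithms"] = [decode(alg_template, v) for t, v in
                                 tlv_iter(ti.get("supportedAlgorithms", b"")) if t == 0x30]
    return ti
def rejected_by(alg_template):
    """True when this AlgorithmInfo template makes pkcs15-tool reject the card."""
    try:
        parse_tokeninfo(alg_template)
        return False
    except ValueError:
        return True
```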
Re: [opensc-devel] Consistence between the OpenSC and proprietary drivers

On 09.01.2011 12:41, Martin Paljak wrote:
>> Proprietary card dump:
>>
>> PKCS#15 Card [Gooze ]:
>> Version: 0
>> Serial number : 0834493916261110
>> Manufacturer ID: www.ftsafe.com
>> Flags : Login required
> This flag should not be used:
> "login (i.e. authentication) is required before accessing any data". This
> should not be used and is incorrect.
> In fact, the correctness of the flags should be checked against actual
> behavior of the card as well as the "wished behavior of the host software".
> OpenSC can probably read certificates without any authentication, so the flag
> is false. IMHO.

Do we have any chance to influence the card producer and to change behavior of their middlewares?
If so, then it makes sense to wait.

If not, and if we are interested by the result (functionality, flexibility of OpenSC), we can implement the on-card file system expected by the native middleware. Actual 'emulation' concept allows to do it.

-- 
Viktor Tarasov