[opensc-devel] Comments on the OpenSC cardmod mini-driver
I have some questions about the cardmod mini-driver in OpenSC 0.12.0 It appears that the code in CardAcquireContext is trying to store in the registry two handles, pcsc_ctx and pcscd_card in the HKEY_LOCAL_MACHINE, "SOFTWARE\\OpenSC Project\\Opensc" Using the registry for this does not look correct for a number of reasons: (1) there maybe multiple mini-drivers being run at the same time. (2) The location in the registry can only be written be the system, yet the min-driver may be called as a user. (3) The DLLMain routine attempts to see if the key is readable but is called before the CardAcquireContext can create the key. (4) I don't see how the pcsc_ctx or pcscd_card can ever be changed. I have not done much with mini-drivers, but have made changes to a number of CSPs and using the registry looks wrong. I would suggest that some other way to store this data is needed, by the cardmod_detect_readers in reader-pcsc.c In addition to these issues, the debugging in logprintf depends on opensc which is way to later in the process to catch errors like the above. I built the opensc-cardmod32.dll on Ubuntu using mingw and was testing on Vista as a local admin running: runas /netonly /smartcard /user:xxx@yyy cmd.exe -- Douglas E. Engert Argonne National Laboratory 9700 South Cass Avenue Argonne, Illinois 60439 (630) 252-5444 ___ opensc-devel mailing list opensc-devel@lists.opensc-project.org http://www.opensc-project.org/mailman/listinfo/opensc-devel
Re: [opensc-devel] IAS ECC
Dear Andre, On 17.01.2011 17:09, Andre Zepezauer wrote: > Hello Viktor, > > from Changeset 5094 [1]: > "[...] 'path' is [now] mandatory for the 'Local' PINs." > > I think of it as a temporary solution to fix a weakness of "IAS ECC" > cards as specified by The Gixel Group [2]. But keep in mind that the > behaviour up to revision 4927 was conforming with PKCS#15 and ISO > 7816-15. After your changes [3] that isn't the case any longer. Please, what of the following do not conforms the PKCS#15 or is IAS/ECC specific: 1. "A local PIN may only be used to protect data within a given application." 2. OpenSC pkcs#15 framework need the complete context of the PIN usage . 3. According to previous, path to the 'given application' has to be present in the sc_pkcs15_pin_info . 4. Verification of local PIN cannot be obstructed by selection of the 'given application'. > As stated in another thread [4] it will break Java Cards Please, don't speak about this thread. I've spent two days on asking the same question, without getting comprehensible answer. As an answer only some mysterious "very special semantics" and the links, that I was studying carefully and that revealed to be absolutely without connection with this topic. During two days you were absolutely incapable to explain by what mechanism the Java Card could be broken, and I suppose that you still are. Please, don't start it again. > and you should be prepared to move that hack into an emulator. 1. For me it's not a hack. It's a righteous demand of OpenSC pkcs#15 framework to have full description of the PIN usage context . 2. Please, show me where it's IAS/ECC specific, and when the movement will start for complete eradication of the card specific issues in the common parts, be sure I'll be not far . > Regards > Andre Best regards, Viktor. > [1] http://www.opensc-project.org/opensc/changeset/5094 > [2] > http://www.gixel.fr/includes/cms/_contenus/bibliotheque/file/CAP%20/IAS%20ECC%20v1_0_1UK.pdf > [3] > http://www.opensc-project.org/opensc/changeset?reponame=&new=5094%40trunk%2Fsrc%2Flibopensc%2Fpkcs15-pin.c&old=4927%40trunk%2Fsrc%2Flibopensc%2Fpkcs15-pin.c > [4] > http://www.opensc-project.org/pipermail/opensc-devel/2011-January/015697.html > > > -- Viktor Tarasov ___ opensc-devel mailing list opensc-devel@lists.opensc-project.org http://www.opensc-project.org/mailman/listinfo/opensc-devel
Re: [opensc-devel] OpenSC 12 with minidriver
On 1/17/2011 10:49 AM, Peter Stuge wrote: > Brian Thomas wrote: >> To meet our customer's deadline we cannot perform a modification to >> OpenSC due to the amount of V&V efforts associated with it. > > All you need to do is send a clean patch with a commit message that > makes sense. But I guess that's too much. :\ It looks like its more then deleting a single line. The OpenSC cardmod code has some #ifdefs L640 to add code to address this problem, and provides its own sc_get_cardmod_driver. Just commenting out line 622 might work for Brian's needs but will break OpenSC for use without his mini-driver. Maybe the code need to be more flexible, and use a weak external reference to see if a mini-driver is calling it, and use a routine provided by the min-driver. > > > //Peter > ___ > opensc-devel mailing list > opensc-devel@lists.opensc-project.org > http://www.opensc-project.org/mailman/listinfo/opensc-devel > > -- Douglas E. Engert Argonne National Laboratory 9700 South Cass Avenue Argonne, Illinois 60439 (630) 252-5444 ___ opensc-devel mailing list opensc-devel@lists.opensc-project.org http://www.opensc-project.org/mailman/listinfo/opensc-devel
Re: [opensc-devel] OpenSC 12 with minidriver
Brian Thomas wrote: > To meet our customer's deadline we cannot perform a modification to > OpenSC due to the amount of V&V efforts associated with it. All you need to do is send a clean patch with a commit message that makes sense. But I guess that's too much. :\ //Peter ___ opensc-devel mailing list opensc-devel@lists.opensc-project.org http://www.opensc-project.org/mailman/listinfo/opensc-devel
[opensc-devel] IAS ECC
Hello Viktor, from Changeset 5094 [1]: "[...] 'path' is [now] mandatory for the 'Local' PINs." I think of it as a temporary solution to fix a weakness of "IAS ECC" cards as specified by The Gixel Group [2]. But keep in mind that the behaviour up to revision 4927 was conforming with PKCS#15 and ISO 7816-15. After your changes [3] that isn't the case any longer. As stated in another thread [4] it will break Java Cards and you should be prepared to move that hack into an emulator. Regards Andre [1] http://www.opensc-project.org/opensc/changeset/5094 [2] http://www.gixel.fr/includes/cms/_contenus/bibliotheque/file/CAP%20/IAS%20ECC%20v1_0_1UK.pdf [3] http://www.opensc-project.org/opensc/changeset?reponame=&new=5094%40trunk%2Fsrc%2Flibopensc%2Fpkcs15-pin.c&old=4927%40trunk%2Fsrc%2Flibopensc%2Fpkcs15-pin.c [4] http://www.opensc-project.org/pipermail/opensc-devel/2011-January/015697.html ___ opensc-devel mailing list opensc-devel@lists.opensc-project.org http://www.opensc-project.org/mailman/listinfo/opensc-devel
Re: [opensc-devel] Review of HSM:s
A very nice report. I agree with your findings about diversity of authorization models :-) for smart cards or usb tokens there of course don't exist any "enforced" security models or backup models etc. One could discuss how it would be possible to implement such models (using routines etc) in a satisfactory way. Cheers, Tomas On 01/17/2011 10:41 AM, Rickard Bellgrim wrote: > Hi > > We have written a review of four different HSM:s (AEP, Safenet, Thales, and > Utimaco) with focus on creating signatures for DNSSEC with the PKCS#11 > interface. Other topics was also addressed like the security model, > administration, and backup/HA-mode. > > It is typically TLD:s that uses HSM:s for DNSSEC, but others are probably > more interested in some cheaper alternatives but still be sure that the keys > are stored safe. > > We were wondering if there would be someone willing to continue this work but > focusing on alternatives like smartcards and USB-tokens. > > You can read the full report here: > http://www.opendnssec.org/wp-content/uploads/2011/01/A-Review-of-Hardware-Security-Modules-Fall-2010.pdf > > Thanks > // Rickard > > ___ > opensc-devel mailing list > opensc-devel@lists.opensc-project.org > http://www.opensc-project.org/mailman/listinfo/opensc-devel ___ opensc-devel mailing list opensc-devel@lists.opensc-project.org http://www.opensc-project.org/mailman/listinfo/opensc-devel
Re: [opensc-devel] OpenSC 12 with minidriver
opensc-devel-boun...@lists.opensc-project.org a écrit sur 17/01/2011 15:27:45 : > [image supprimée] > > Re: [opensc-devel] OpenSC 12 with minidriver > > Brian Thomas > > A : > > opensc-devel > > 17/01/2011 15:30 > > Envoyé par : > > opensc-devel-boun...@lists.opensc-project.org > > We got this working but had to comment the following line in the > OpenSC code: src/libopensc/ctx.c, line 662: sc_ctx_detect_readers(ctx) Amazing, you comment this line and it's working? > > To meet our customer’s deadline we cannot perform a modification to > OpenSC due to the amount of V&V efforts associated with it. Does It seems that you only need to comment one line and you have done this so you done the job, provide your customer your own opensc release. > anybody have any recommendation on how to make OpenSC 12 work with > the minidriver without modifying the OpenSC code? It's your minidriver or I mistake, so I don't think that we can answer since you have two elements opensc and your minidriver, if we can change opensc like you ask the only changes possible is on the minidriver and we don't have it ... > > Thanks, > Brian Thomas > > From: Brian Thomas > Sent: Friday, January 14, 2011 10:39 AM > To: opensc-devel@lists.opensc-project.org > Subject: OpenSC 12 with minidriver > > Hello: > > We have developed a mini driver which is used for Windows XP smart > card login using OpenSC 0.11.13. > We have tried to update it to use OpenSC 0.12, but for some reason > sc_context_create() hangs until the card is removed. > Does anyone have any idea what would cause this? Does this mini driver available, I'll very interresting on it, I've worked on such librairies and don't find way to use opensc on minidriver without opensc sources code review since windows logon take hand on pcsc reader, so this reader become unvalaible for other sofware. if you have found solution to this issue the best is to include it on opensc to let future release working with window logon... > > Thanks, > Brian Thomas___ > opensc-devel mailing list > opensc-devel@lists.opensc-project.org > http://www.opensc-project.org/mailman/listinfo/opensc-devel Regards, François. ___ opensc-devel mailing list opensc-devel@lists.opensc-project.org http://www.opensc-project.org/mailman/listinfo/opensc-devel
Re: [opensc-devel] OpenSC 12 with minidriver
We got this working but had to comment the following line in the OpenSC code: src/libopensc/ctx.c, line 662: sc_ctx_detect_readers(ctx) To meet our customer's deadline we cannot perform a modification to OpenSC due to the amount of V&V efforts associated with it. Does anybody have any recommendation on how to make OpenSC 12 work with the minidriver without modifying the OpenSC code? Thanks, Brian Thomas From: Brian Thomas Sent: Friday, January 14, 2011 10:39 AM To: opensc-devel@lists.opensc-project.org Subject: OpenSC 12 with minidriver Hello: We have developed a mini driver which is used for Windows XP smart card login using OpenSC 0.11.13. We have tried to update it to use OpenSC 0.12, but for some reason sc_context_create() hangs until the card is removed. Does anyone have any idea what would cause this? Thanks, Brian Thomas ___ opensc-devel mailing list opensc-devel@lists.opensc-project.org http://www.opensc-project.org/mailman/listinfo/opensc-devel
Re: [opensc-devel] Review of HSM:s
2011/1/17 Rickard Bellgrim : > On 17 jan 2011, at 12.56, Martin Paljak wrote: >> From the report: >> "For the test of the PKCS#11 interface (review point A.2) we used a >> specially developed test tool called pkcs11-testing. If desired, please >> contact the authors to obtain the source code." >> Feel free to e-mail me directly with this, if you don't want to publish it >> anywhere. > > I wrote a program for the testing team. It perhaps needs some more work. > Currently the functionality of e.g. DSA and ECDH is not tested, I only check > the C_GetMechanismInfo. > > But you can find the code here: > http://trac.opendnssec.org/browser/trunk/pkcs11-testing Thanks for sharing the source code. I had a quick look at the source code. Maybe such a testing program can be easier to write/maintain using a higher level language and PKCS#11 binding. For example using Python and PyKCS11 [1]. Bye [1] http://www.bit4id.org/trac/pykcs11 -- Dr. Ludovic Rousseau ___ opensc-devel mailing list opensc-devel@lists.opensc-project.org http://www.opensc-project.org/mailman/listinfo/opensc-devel
Re: [opensc-devel] Review of HSM:s
On 17 jan 2011, at 12.56, Martin Paljak wrote: > Most smart cards, especially smart cards personalized by OpenSC, don't have > very fancy and varying managing capabilities, comparable to HSM-s. Yes, so you probably have to create another set of review points in this case. > Yet an overall review of smart cards, their security models, FIPS validations > etc would do good, as this information is currently not systematically > gathered to OpenSC wiki nor easy to compare. We see that many are requesting some alternatives to the expensive HSM:s, but are not sure of what to buy. It would therefor be good to setup some review points so that you can compare the smart cards / USB-tokens. To date, we do not have so much extra time to commit on a second review and was wondering if there were someone else who could continue this work? > From the report: > "For the test of the PKCS#11 interface (review point A.2) we used a specially > developed test tool called pkcs11-testing. If desired, please contact the > authors to obtain the source code." > Feel free to e-mail me directly with this, if you don't want to publish it > anywhere. I wrote a program for the testing team. It perhaps needs some more work. Currently the functionality of e.g. DSA and ECDH is not tested, I only check the C_GetMechanismInfo. But you can find the code here: http://trac.opendnssec.org/browser/trunk/pkcs11-testing // Rickard ___ opensc-devel mailing list opensc-devel@lists.opensc-project.org http://www.opensc-project.org/mailman/listinfo/opensc-devel
Re: [opensc-devel] Review of HSM:s
Hello. On Jan 17, 2011, at 11:41 AM, Rickard Bellgrim wrote: > We have written a review of four different HSM:s (AEP, Safenet, Thales, and > Utimaco) with focus on creating signatures for DNSSEC with the PKCS#11 > interface. Other topics was also addressed like the security model, > administration, and backup/HA-mode. Very interesting read, thanks for sharing this. > > It is typically TLD:s that uses HSM:s for DNSSEC, but others are probably > more interested in some cheaper alternatives but still be sure that the keys > are stored safe. > > We were wondering if there would be someone willing to continue this work but > focusing on alternatives like smartcards and USB-tokens. Most smart cards, especially smart cards personalized by OpenSC, don't have very fancy and varying managing capabilities, comparable to HSM-s. Yet an overall review of smart cards, their security models, FIPS validations etc would do good, as this information is currently not systematically gathered to OpenSC wiki nor easy to compare. > > You can read the full report here: > http://www.opendnssec.org/wp-content/uploads/2011/01/A-Review-of-Hardware-Security-Modules-Fall-2010.pdf >From the report: "For the test of the PKCS#11 interface (review point A.2) we used a specially developed test tool called pkcs11-testing. If desired, please contact the authors to obtain the source code." Feel free to e-mail me directly with this, if you don't want to publish it anywhere. -- @MartinPaljak.net +3725156495 ___ opensc-devel mailing list opensc-devel@lists.opensc-project.org http://www.opensc-project.org/mailman/listinfo/opensc-devel
[opensc-devel] Review of HSM:s
Hi We have written a review of four different HSM:s (AEP, Safenet, Thales, and Utimaco) with focus on creating signatures for DNSSEC with the PKCS#11 interface. Other topics was also addressed like the security model, administration, and backup/HA-mode. It is typically TLD:s that uses HSM:s for DNSSEC, but others are probably more interested in some cheaper alternatives but still be sure that the keys are stored safe. We were wondering if there would be someone willing to continue this work but focusing on alternatives like smartcards and USB-tokens. You can read the full report here: http://www.opendnssec.org/wp-content/uploads/2011/01/A-Review-of-Hardware-Security-Modules-Fall-2010.pdf Thanks // Rickard ___ opensc-devel mailing list opensc-devel@lists.opensc-project.org http://www.opensc-project.org/mailman/listinfo/opensc-devel
