Re: [opensc-devel] new release?

2012-08-06 Thread Ludovic Rousseau
Hello,

2012/8/5 Viktor Tarasov viktor.tara...@gmail.com:
 If anyone has more or less significant proposals, especially the ones that 
 touch the common framework,
 please create pull requests for github OpenSC.git/staging until next 
 weekend.
 Don't worry if you do not make it by this deadline -- I hope to automate 
 the essential part of the release process and so
 make releases more frequent.

Someone just reported [1] a crash on Mountain Lion (OS X 10.8).
I don't think I will have time to work on it.

 The next weekend I hope to start the advanced non-regression tests of the 
 current 'staging' and to tag the candidate for release.

 Look also if something essential is missing in the current 'NEWS' of 
 'staging'.
 Sorry, 'NEWS' does not reflect in detail all the contributions that have been 
 made during the last year -- they are too numerous.

I fixed some typos in the NEWS file. Available as a pull-request on github.

 'Codereview' service of opensc-project.org is still not accessible and so 
 there is no possibility to pick up
 the 'useful' proposals that have been made there.

I asked Martin to restart it. The Codereview service is now up and running.

Bye

[1] 
http://ludovicrousseau.blogspot.com/2012/08/mac-os-x-mountain-lion-and-smart-card.html?showComment=1344198899128#c8343187550094818437

-- 
 Dr. Ludovic Rousseau
___
opensc-devel mailing list
opensc-devel@lists.opensc-project.org
http://www.opensc-project.org/mailman/listinfo/opensc-devel


Re: [opensc-devel] new release?

2012-08-06 Thread Jean-Michel Pouré - GOOZE
On Sunday 05 August 2012 at 19:48 +0200, Viktor Tarasov wrote:
 The next weekend I hope to start the advanced non-regression tests of
 the current 'staging' and to tag the candidate for release.

I will open access to the development server and regression test server
tonight. I was quite busy and failed to do any work these last days.
Sorry!

Kind regards,
-- 
  Jean-Michel Pouré - Gooze - http://www.gooze.eu



Re: [opensc-devel] Initial support for SmartCard-HSM

2012-08-06 Thread Andreas Schwier
Dear Jean-Michel,

the name's just a name ;-)

Right now it provides support for RSA and ECC keys with a special remote
provisioning scheme, but later we will add support for DES and AES keys
and more advanced key management functions.

Andreas

On 04.08.2012 18:15, Jean-Michel Pouré - GOOZE wrote:
 On Friday 03 August 2012 at 15:54 +0200, Andreas Schwier (ML) wrote:
 we've put in a pull request in github/opensc/staging to include a card
 driver and PKCS#15 emulation module for our SmartCard-HSM [1].
 Nice.

 Out of curiosity, why is it called HSM?
 What does it provide more than a crypto card?

 Kind regards,




-- 

-CardContact Software  System Consulting
   |.## ##.|   Andreas Schwier
   |#   #|   Schülerweg 38
   |#   #|   32429 Minden, Germany
   |'## ##'|   Phone +49 171 8334920
-http://www.cardcontact.de
 http://www.tscons.de
 http://www.openscdp.org



Re: [opensc-devel] Initial support for SmartCard-HSM

2012-08-06 Thread NdK
On 06/08/2012 10:15, Andreas Schwier wrote:

 the name's just a name ;-)
Probably he (like me) hoped it was something more like (would-be)
MicroCA: a card taking a CSR and outputting a cert if constraints are
satisfied...

BYtE,
 Diego.


Re: [opensc-devel] Initial support for SmartCard-HSM

2012-08-06 Thread Andreas Schwier
I would assume that checking constraints is the job of the RA, not the CA.

Anyway, our design works the other way around: The card generates the
CSR internally, so the RA/CA can prove the key was generated in a
legitimate device. The device can be anywhere out in the wild.

Andreas

On 06.08.2012 11:04, NdK wrote:
 On 06/08/2012 10:15, Andreas Schwier wrote:

 the name's just a name ;-)
 Probably he (like me) hoped it was something more like (would-be)
 MicroCA: a card taking a CSR and outputting a cert if constraints are
 satisfied...

 BYtE,
  Diego.





Re: [opensc-devel] Initial support for SmartCard-HSM

2012-08-06 Thread Anders Rundgren
On 2012-08-06 11:23, Andreas Schwier wrote:
 I would assume, that checking constraints is the job of the RA, not the CA.
 
 Anyway, our design works the other way around: The card generates the
 CSR internally, so the RA/CA can prove the key was generated in a
 legitimate device. The device can be anywhere out in the wild.

Which is the future for smart cards, otherwise they must be physically
distributed after provisioning.

Anders

 
 Andreas
 
 On 06.08.2012 11:04, NdK wrote:
 On 06/08/2012 10:15, Andreas Schwier wrote:

 the name's just a name ;-)
 Probably he (like me) hoped it was something more like (would-be)
 MicroCA: a card taking a CSR and outputting a cert if constraints are
 satisfied...

 BYtE,
  Diego.
 
 



Re: [opensc-devel] Initial support for SmartCard-HSM

2012-08-06 Thread Nikos Mavrogiannopoulos
On Mon, Aug 6, 2012 at 11:30 AM, Anders Rundgren
anders.rundg...@telia.com wrote:
 On 2012-08-06 11:23, Andreas Schwier wrote:
 I would assume, that checking constraints is the job of the RA, not the CA.

 Anyway, our design works the other way around: The card generates the
 CSR internally, so the RA/CA can prove the key was generated in a
 legitimate device. The device can be anywhere out in the wild.

 Which is the future for smart cards, otherwise they must be physically
 distributed after provisioning.

But how do you prove that the key was generated in the card? You'd
need some kind of provisioning to do that.

regards,
Nikos


Re: [opensc-devel] Initial support for SmartCard-HSM

2012-08-06 Thread Anders Rundgren
On 2012-08-06 12:51, Nikos Mavrogiannopoulos wrote:
 On Mon, Aug 6, 2012 at 11:30 AM, Anders Rundgren
 anders.rundg...@telia.com wrote:
 On 2012-08-06 11:23, Andreas Schwier wrote:
 I would assume, that checking constraints is the job of the RA, not the CA.

 Anyway, our design works the other way around: The card generates the
 CSR internally, so the RA/CA can prove the key was generated in a
 legitimate device. The device can be anywhere out in the wild.

 Which is the future for smart cards, otherwise they must be physically
 distributed after provisioning.
 
 But how do you prove that the key was generated in the card? You'd
 need some kind of provisioning to do that.

The card (crypto module) should contain a key provisioned during
manufacturing that is restricted to only attest public keys.

A certificate fingerprint of the attestation key certificate is
then typically used for identifying the crypto module.

I see this primarily as a very useful method for cloning an ID.

Let's say that you have an eID and you would rather have a mobile ID
in the Y2014 model of Android.  Then browse to the eID RA,
authenticate with your eID, type the first 8 characters of the
Android attestation certificate fingerprint, and ask for a
clone to the device with phone +46.  You get an SMS
with a URL that you click on that will take you to enroll.
If the eID RA accepts this device brand (based on the attestation
certificate) and the fingerprint matches, you will get a
new certificate in your phone.  Naturally the entire process
must be carried out using some kind of secure messaging mechanism.

This could be called SCC (Secure Credential Cloning).

Yes, the eID will most likely only be a bootstrap credential
that you keep in a drawer...

However, the same concept can also be used in M2M communication
like that required by SPOC, ATMs, etc.

Anders


 
 regards,
 Nikos
 

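The attestation flow Anders sketches above (a manufacturing-provisioned key used only to attest public keys, the RA identifying the module by a fingerprint prefix and checking the attestation on the freshly generated key), as an added Go example that is not part of this thread or of OpenSC. The RA-issued nonce, a SHA-256 fingerprint over the raw attestation public key instead of a certificate, and all function names are assumptions made for the example.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"encoding/hex"
	"errors"
	"strings"
)

// Attestation: the new public key in DER, the RA-issued nonce, and an ECDSA
// signature over SHA-256(nonce || keyDER) by the manufacturing attestation key.
type Attestation struct{ KeyDER, Nonce, Sig []byte }

func attestDigest(nonce, keyDER []byte) []byte {
	h := sha256.Sum256(append(append([]byte{}, nonce...), keyDER...))
	return h[:]
}

// ModuleGenerateAndAttest is the module side: generate the user key on-module
// and sign its public half with the attestation key, which is provisioned at
// manufacturing and restricted to this one use. The user private key never leaves.
func ModuleGenerateAndAttest(attestKey *ecdsa.PrivateKey, nonce []byte) (*Attestation, error) {
	userKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	keyDER, _ := x509.MarshalPKIXPublicKey(&userKey.PublicKey)
	sig, err := ecdsa.SignASN1(rand.Reader, attestKey, attestDigest(nonce, keyDER))
	return &Attestation{KeyDER: keyDER, Nonce: nonce, Sig: sig}, err
}

// Fingerprint is hex SHA-256 of the attestation public key, standing in for
// the attestation certificate fingerprint the user types the first 8 chars of.
func Fingerprint(attestPub *ecdsa.PublicKey) string {
	der, _ := x509.MarshalPKIXPublicKey(attestPub)
	h := sha256.Sum256(der)
	return hex.EncodeToString(h[:])
}

// RAVerify is the RA side: the typed prefix must select this module, the nonce
// must be the one the RA issued (no replay), and the signature must verify
// under the attestation key, which the RA takes from its own record of
// accepted device brands, never from the enrolment request.
func RAVerify(attestPub *ecdsa.PublicKey, typedPrefix string, issuedNonce []byte, a *Attestation) error {
	if len(typedPrefix) < 8 || !strings.HasPrefix(Fingerprint(attestPub), strings.ToLower(typedPrefix)) {
		return errors.New("fingerprint prefix does not match this module")
	}
	if !bytes.Equal(a.Nonce, issuedNonce) {
		return errors.New("nonce mismatch: stale or replayed attestation")
	}
	if !ecdsa.VerifyASN1(attestPub, attestDigest(a.Nonce, a.KeyDER), a.Sig) {
		return errors.New("attestation signature invalid: key not proven on-module")
	}
	return nil
}
```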


[opensc-devel] Cryptoflex .NET support

2012-08-06 Thread Konrads Smelkovs
Hello,

I have a Gemalto/Axalto Cryptoflex .NET, but it appears not to be supported:
root@bt:~# opensc-tool -l
Readers known about:
Nr.Driver Name
0  openct OpenCT reader (detached)
1  openct OpenCT reader (detached)
2  pcsc   Gemplus GemPC Key (ACC9CDDE) 00 00
root@bt:~# opensc-tool -r 2 --atr
3b:16:96:41:73:74:72:69:64
root@bt:~# opensc-tool -r 2 --name
Unidentified card
root@bt:~#
root@bt:~# apt-cache show opensc|grep Version
Version: 0.11.12-1ubuntu3.2

How can I make this card supported? Is writing opensc drivers
difficult? Can someone besides me write them?

--
Konrads Smelkovs
Applied IT sorcery.


Re: [opensc-devel] new release?

2012-08-06 Thread Douglas E. Engert
I am going to send shortly, under a different subject, a problem dealing with 
user_consent, CK_ALWAYS_AUTHENTICATE, OpenSC and Thunderbird. I would like to 
see it addressed in the next release.


On 8/5/2012 12:48 PM, Viktor Tarasov wrote:
 Hello,

 On 22/07/2012 17:44, Viktor Tarasov wrote:
 I would like to start preparation of the new release based on the 'staging' 
 branch of GitHub OpenSC.
 Your suggestions and proposals are heartily welcome.

 As far as I see, all 'essential' proposals
 that have been committed into the 'staging' branch of the OpenSC git repository 
 hosted on opensc-project.org (git://www.opensc-project.org/OpenSC.git)
 are present in github OpenSC.

 Unfortunately there is no access to the code review service (gerrit) of 
 opensc-project.org and it's not currently possible to pick up the 
 'interesting' requests.
 So, if anybody is interested to see these proposals in the next release,
 please make a pull request to the 'staging' branch of GitHub OpenSC 
 (git://github.com/OpenSC/OpenSC.git).

 If anyone has more or less significant proposals, especially the ones that 
 touch the common framework,
 please create pull requests for github OpenSC.git/staging until next 
 weekend.
 Don't worry if you do not make it by this deadline -- I hope to automate 
 the essential part of the release process and so
 make releases more frequent.

 The next weekend I hope to start the advanced non-regression tests of the 
 current 'staging' and to tag the candidate for release.

 Look also if something essential is missing in the current 'NEWS' of 
 'staging'.
 Sorry, 'NEWS' does not reflect in detail all the contributions that have been 
 made during the last year -- they are too numerous.

 'Codereview' service of opensc-project.org is still not accessible and so 
 there is no possibility to pick up
 the 'useful' proposals that have been made there.

 Kind regards,
 Viktor.



-- 

  Douglas E. Engert  deeng...@anl.gov
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444




Re: [opensc-devel] Cryptoflex .NET support

2012-08-06 Thread Ludovic Rousseau
2012/8/6 Konrads Smelkovs konrads.smelk...@gmail.com:
 Hello,

Hi,

 I have a Gemalto/Axalto Cryptoflex .NET, but it appears not to be supported

Exact.

 How can I make this card supported? Is writing opensc drivers
 difficult? Can someone besides me write them?

I don't think the .NET card has anything to do with PKCS#15 (but I may
be wrong). So it may be some work to add support of this card in
OpenSC.

Maybe you should have a look at Source code of PKCS#11 for .NET cards [1].

Bye

[1] 
http://ludovicrousseau.blogspot.com/2010/04/source-code-of-pkcs11-for-net-cards.html

-- 
 Dr. Ludovic Rousseau


[opensc-devel] opensc-java problem

2012-08-06 Thread Vlad Dimitriu
hello,
I am trying to use the opensc java package; the trouble is that I can list all the 
information from the token (eToken Aladdin PRO 72K - eTPKCS11.dll) but I 
cannot log in: I get C_Login for PKCS11 slot 0 failed CKR_PIN_INCORRECT. 
Of course the PIN is correct, I can log in to the token from the SafeNet 
application. Any clue on this kind of issue?


Vlad


[opensc-devel] OpenSC, CK_ALWAYS_AUTHENTICATE and Thunderbird

2012-08-06 Thread Douglas E. Engert

This past week, a situation has arisen where the combination of OpenSC,
Thunderbird and some newer cards makes a signature operation fail.

SITUATION:

   (1) Card enforces PIN verify to be the last command to the card before
   a crypto command to do a signature for some keys on the card.
   (NIST-800-73-3 part 1 Section 3.2.3 PIN Always)

   (2) OpenSC card driver sets the user_consent bit for these keys.

   (3) OpenSC supports the CK_ALWAYS_AUTHENTICATE attribute on private key
   objects to tell the caller a PIN is required before a crypto operation.

   (4) OpenSC sc_pkcs15_pincache* routines will not cache a PIN that is used
   for any object that has user_consent.

   (5) On some systems, if the user does not have privileges or the
   rlimit_memlock is too small, PIN caching will not be done.

   Solaris: requires PRIV_PROC_LOCK_MEMORY privilege, normal users don't
   have it.
   Ubuntu:  CAP_IPC_LOCK privilege or rlimit_memlock is large enough. 64k
   default?

   (6) Production versions of Thunderbird with NSS do not implement
   CK_ALWAYS_AUTHENTICATE and don't ask for the attribute.
 https://bugzilla.mozilla.org/show_bug.cgi?id=357025
   is scheduled for NSS 3.14.

   (7) Thunderbird may send a request to the card between PIN and crypto even with the
   above patch.
 https://bugzilla.mozilla.org/show_bug.cgi?id=613507
   is scheduled for NSS 3.1.4

SOFTWARE VERSIONS OUT OF SYNC:

OpenSC is running as expected supporting cards that enforce
PIN Always/user_consent/CK_ALWAYS_AUTHENTICATE, and will not cache PINs
in this case.

But the PKCS#11 caller must send the PIN just before a crypto operation.
The PIN could have been from the initial C_Login or from C_Login
with the CKU_CONTEXT_SPECIFIC flag.

If the caller does not support CK_ALWAYS_AUTHENTICATE, a signature
operation might work if the initial PIN was sent and no other operations
were sent to the card before the crypto operation. (It would only work
once.) The PIN is not being cached, so sc_pkcs15_pincache_revalidate
does not work.

WHAT CAN WE DO?

(1) Wait till NSS 3.14 is implemented in Thunderbird, and distributed
 by vendors. This is a timing issue, which is out of our control.

(2) Modify OpenSC to back off and allow PIN caching even for user_consent
 PINs. (But mlock might get in the way; a minor problem, as the admin can allow it.)

(3) Modify OpenSC to add pin_cache_user_consent as a parameter
 that would be off by default.

(4) Create an opensc-pkcs11.tb.hack.so much like the opensc-pkcs11-onepin.so

(5) Modify OpenSC to recognize NSS and, if it supports CK_ALWAYS_AUTHENTICATE,
 allow user_consent PIN caching.

If we do nothing, that is (1), and eventually things will work as expected.

I don't think (5) can be done as it is too late in the process to cache the
first PIN. A signature operation will fail, but a user might be able to try
it again. (Makes both TB and OpenSC look bad, and is not user friendly.)
(3) would work, but is ugly.

Comment?

Are there cards other than the PIV that have this problem?


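An added Go model of the interaction Douglas describes (a PIN Always card, a middleware layer that does not cache user_consent PINs, and a caller with or without CKA_ALWAYS_AUTHENTICATE support); it is not OpenSC code. The key references "9A" and "9C", the status words, and the cacheUserConsent switch standing in for the pin_cache_user_consent option of proposal (3) are assumptions made for the model.

```go
package main

import "errors"

// Card models a PIV-style token: key "9C" is "PIN Always" (user_consent in
// OpenSC terms) and only signs when VERIFY was the immediately preceding
// command; key "9A" needs the PIN only once per session.
type Card struct {
	pin         string
	verified    bool // session security status
	pinJustSent bool // set by a good VERIFY, cleared by any other command
}

func (c *Card) Verify(pin string) error {
	c.pinJustSent = pin == c.pin
	if !c.pinJustSent {
		return errors.New("VERIFY failed")
	}
	c.verified = true
	return nil
}

// Other is any non-crypto APDU (SELECT, GET DATA, READ BINARY ...).
func (c *Card) Other() { c.pinJustSent = false }

func (c *Card) Sign(key string) error {
	ok := c.verified && (key != "9C" || c.pinJustSent)
	c.pinJustSent = false
	if !ok {
		return errors.New("security status not satisfied (SW 6982)")
	}
	return nil
}

// AlwaysAuthenticate is what CKA_ALWAYS_AUTHENTICATE reports for the key.
func AlwaysAuthenticate(key string) bool { return key == "9C" }
// Session plays one PKCS#11 client against a card through a layer standing in
// for opensc-pkcs11: C_Login, an unrelated card access (a certificate read, as
// Thunderbird does), then C_Sign. awareClient = the client honours
// CKA_ALWAYS_AUTHENTICATE (NSS 3.14); cacheUserConsent = proposal (3)'s option.
func Session(c *Card, pin, key string, awareClient, cacheUserConsent bool) error {
	cached := "" // OpenSC caches the PIN only for keys without user_consent
	if cacheUserConsent || !AlwaysAuthenticate(key) {
		cached = pin
	}
	if err := c.Verify(pin); err != nil { // C_Login(CKU_USER)
		return err
	}
	c.Other() // certificate read between login and signature
	resend := cached // sc_pkcs15_pincache_revalidate, if there is a cache
	if awareClient && AlwaysAuthenticate(key) {
		resend = pin // client does C_Login(CKU_CONTEXT_SPECIFIC) itself
	}
	if resend != "" {
		if err := c.Verify(resend); err != nil {
			return err
		}
	}
	return c.Sign(key)
}
```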


Re: [opensc-devel] opensc-java problem

2012-08-06 Thread Douglas E. Engert


On 8/6/2012 9:39 AM, Vlad Dimitriu wrote:
 hello,
 I am trying to use the opensc java package; the trouble is that I can list all the
 information from the token (eToken Aladdin PRO 72K - eTPKCS11.dll) but I
 cannot log in: I get C_Login for PKCS11 slot 0 failed CKR_PIN_INCORRECT.
 Of course the PIN is correct, I can log in to the token from the SafeNet
 application. Any clue on this kind of issue?

Global PIN vs Application PIN?

You can use pcscd -a -d -f to see the APDUs, and look at whether the
command sent when using SafeNet is the same as when using OpenSC.



 Vlad







Re: [opensc-devel] new release?

2012-08-06 Thread Frank Morgner
With SM enabled, I encountered the following warnings, which could be fixed:

pkcs15-iasecc.c: In function 'iasecc_file_convert_acls':
pkcs15-iasecc.c:327:30: warning: initialization discards 'const' qualifier from 
pointer target type [enabled by default]
card-jcop.c: In function 'jcop_set_security_env':
card-jcop.c:645:35: warning: passing argument 1 of 'memcpy' discards 'const' 
qualifier from pointer target type [enabled by default]
In file included from card-jcop.c:23:0:
/usr/include/string.h:44:14: note: expected 'void * __restrict__' but argument 
is of type 'const struct sc_security_env_t *'
card-authentic.c: In function 'authentic_sm_get_wrapped_apdu':
card-authentic.c:2327:3: warning: passing argument 1 of 'memcpy' discards 
'const' qualifier from pointer target type [enabled by default]
In file included from card-authentic.c:29:0:
/usr/include/string.h:44:14: note: expected 'void * __restrict__' but argument 
is of type 'const u8 *'
card-iasecc.c: In function 'iasecc_keyset_change':
card-iasecc.c:2218:25: warning: assignment discards 'const' qualifier from 
pointer target type [enabled by default]
card-iasecc.c:2223:25: warning: assignment discards 'const' qualifier from 
pointer target type [enabled by default]

-- 
Frank Morgner

Virtual Smart Card Architecture  http://vsmartcard.sourceforge.net
OpenPACE                         http://openpace.sourceforge.net
IFD Handler for libnfc Devices   http://sourceforge.net/projects/ifdnfc

