Re: [opensc-devel] new release?

2012-09-25 Thread Peter Stuge 
Jean-Michel Pouré - GOOZE wrote:
> I was quite busy and failed to do any work these last days.

Remember how much easier it is to write email with opinion.


//Peter


pgpNhpOSPqCvo.pgp
Description: PGP signature
___
opensc-devel mailing list
opensc-devel@lists.opensc-project.org
http://www.opensc-project.org/mailman/listinfo/opensc-devel

[opensc-devel] pam_p11 (without pin) and ssh (with pin) on one card

2012-09-25 Thread Simon Hafner 
Hey y'all

I have an ePass2003, and I'd like to use it for pam_p11 and ssh. The
pam_p11 key should be usable without a pin, or can I provide the pin
by using the password field? I'd like to know which paths are
possible. The other object stored is an ssh key secured by a pin.

My problem is now that I initialize my card with

pkcs15-init --create-pkcs15 --profile pkcs15+onepin

I only have one pin, but I'd like to have two auth-ids, one with and
one without pin.

-- Simon
___
opensc-devel mailing list
opensc-devel@lists.opensc-project.org
http://www.opensc-project.org/mailman/listinfo/opensc-devel

Re: [opensc-devel] Technical Description - Android Embedded SE

2012-09-25 Thread Andreas Jellinghaus 
2012/9/25 Peter Stuge 

> NdK wrote:
> > >> IIUC that bit is not authenticated, so a MITM attack can force both
> the
> > >> reader and the card think the other party doesn't support PIN auth,
> > >> making the card sign the transaction anyway, regardless the amount
> > >> involved. So IMVHO it's quite serious...
> > > http://www.cl.cam.ac.uk/~sjm217/papers/oakland10chipbroken.pdf
> > Tks. That's the (or one of) article I remembered but couldn't find...
>
> http://google.com/search?q=chip+and+pin+broken


but the broken security demonstrated so far is related to misconfiguration,
and many other banks have correct card profiles and are not affected.

Regards, Andreas
___
opensc-devel mailing list
opensc-devel@lists.opensc-project.org
http://www.opensc-project.org/mailman/listinfo/opensc-devel

Re: [opensc-devel] new release?

2012-09-25 Thread Andreas Schwier 
Hi Viktor,

we are testing on Windows XP SP3, Debian Lenny and a current Ubuntu
version. Our focus is on PKCS#11 and integration with Firefox,
Thunderbird and XCA. We already tested minidriver with IE and Outlook,
but we do short regression tests with each new build.

We've set up automated tests using our Smart Card Shell, which
interfaces with PKCS#11 using opensc-java. This way we test key
generation of all kinds (RSA/EC), certificates issuance and storing as
well as data element reading/writing. We also have a quick regression
test using a script with various pkcs11-tool commands. We've also done
tests using the IAIK PKCS#11 wrapper that worked well.

So far we're quite confident that the current code base is stable.

We have three things left on our list, but they are not pressing:

1. Adding support to have domain parameter at the PKCS#11 interface for
EC public keys after on card generation (i.e. serialize/ deserialize
public keys as spki)
2. Adding support for explicit domain parameter in EC_PARAMS
3. Fast-track C_Initialize and C_SetPIN into the card-driver (The
SmartCard-HSM uses a PKCS#11 like token initialization)

Given the fact, that these changes touch core code, we would schedule
this topics for the .14 release.

Andreas

Am 25.09.2012 17:04, schrieb Viktor Tarasov:
> Hi Andreas,
>
> On Tue, Sep 25, 2012 at 9:14 AM, Andreas Schwier
>  > wrote:
>
> we've completed the development of write support for the SmartCard-HSM
> and are in the middle of testing and bug-fixing.
>
>
> Fine, 
> what part of the common OpenSC libraries are involved into your tests
> (pkcs11, minidriver, pkcs15, ...) ?
> What are the OSs?
>
>  
>
>
> The code is based on the latest version in OpenSC/staging and changes
> mostly apply to our own code.
>
> Is there a chance to get write support into the upcomin release ?
>
> If yes, I would prepare a pull request against the CardContact/staging
> branch.
>
>
> Ok, 
> you can make pull request to 'staging' or 'master' of OpenSC/OpenSC --
> two branches are kept syncronized.
>
>
> Andreas
>
>
> Kind wishes,
> Viktor.
>  
>
>
>
>
> Am 17.09.2012 22:00, schrieb Viktor Tarasov:
> > Hello,
> >
> > Le 15/09/2012 16:52, Kalev Lember a écrit :
> >> On 09/06/2012 08:06 PM, Viktor Tarasov wrote:
> >>> Hello,
> >>>
> >>> current github 'staging' is tagged as v0.13.0-pre1.
> >>>
> >>> If no objections, I will merge this branch into github
> 'master' -- it will be base version to test
> >>> and to prepare the coming release candidate.
> >> Very good idea. I think it makes a lot of sense to have just one
> >> 'master' branch for development; this is what people coming
> over from
> >> other projects tend to expect.
> >
> > 'Master' and 'staging' are actually synchronized and for the new
> pull requests I propose to create them relative to the 'master'
> branch.
> > Until the end of this release the pull requests to 'staging' are
> also accepted.
> >
> > The tag name 'v0.13.0-pre1' has been changed (sorry) to
> '0.13.0pre1' -- still cannot understand which common set of characters
> > could be used for the release-version/tag-name to satisfy 'git',
> 'obs', 'dpkg-build', ...
> >
> > Commits to 'master' and new tags trigger the jenkins jobs of
> build, packaging and some rudimentary test of package and unit
> tests (for Suse).
> > https://opensc.fr/jenkins/view/Open
> SC-release/
> 
> >
> > The resulting packages are transfered to 'download' part of the
> opensc-project.org  file server:
> >  - commits to
> > http://www.opensc-project.org/downloads/projects/opensc/nightly/
> >  - releases to
> >
> http://www.opensc-project.org/downloads/projects/opensc/releases/
> >
> >
> > For a while there are only source tarballs, MSIs for x32 and x64
> and rpm i586 for opensSuSE 12.1 .
> > Hope that rapidly the building of releases packages for some
> debian/ubuntu distributions will be connected.
> >
> > It would be nice if you could look/test the tarball or packages
> of the release 0.13.0pre1.
> > Your remarks, proposals, contributions are heartily welcome.
> >
> > Kind regards,
> > Viktor.
> > ___
> > opensc-devel mailing list
> > opensc-devel@lists.opensc-project.org
> 
> > http://www.opensc-project.org/mailman/listinfo/opensc-devel
>
>
> --
>
> -CardContact Software & System Consulting
>|.##> <##.|   Andreas Schwier
>|#   #|   Schülerweg 38
>|#   #|   32429 Minden, Germany
>|'##> <##'|   Phone +49 571 56149 
>

Re: [opensc-devel] new release?

2012-09-25 Thread Viktor Tarasov 
Hi Andreas,

On Tue, Sep 25, 2012 at 9:14 AM, Andreas Schwier <
andreas.schw...@cardcontact.de> wrote:

> we've completed the development of write support for the SmartCard-HSM
> and are in the middle of testing and bug-fixing.
>

Fine,
what part of the common OpenSC libraries are involved into your tests
(pkcs11, minidriver, pkcs15, ...) ?
What are the OSs?



>
> The code is based on the latest version in OpenSC/staging and changes
> mostly apply to our own code.
>
> Is there a chance to get write support into the upcomin release ?
>
> If yes, I would prepare a pull request against the CardContact/staging
> branch.
>

Ok,
you can make pull request to 'staging' or 'master' of OpenSC/OpenSC -- two
branches are kept syncronized.


> Andreas
>

Kind wishes,
Viktor.


>
>
>
> Am 17.09.2012 22:00, schrieb Viktor Tarasov:
> > Hello,
> >
> > Le 15/09/2012 16:52, Kalev Lember a écrit :
> >> On 09/06/2012 08:06 PM, Viktor Tarasov wrote:
> >>> Hello,
> >>>
> >>> current github 'staging' is tagged as v0.13.0-pre1.
> >>>
> >>> If no objections, I will merge this branch into github 'master' -- it
> will be base version to test
> >>> and to prepare the coming release candidate.
> >> Very good idea. I think it makes a lot of sense to have just one
> >> 'master' branch for development; this is what people coming over from
> >> other projects tend to expect.
> >
> > 'Master' and 'staging' are actually synchronized and for the new pull
> requests I propose to create them relative to the 'master' branch.
> > Until the end of this release the pull requests to 'staging' are also
> accepted.
> >
> > The tag name 'v0.13.0-pre1' has been changed (sorry) to '0.13.0pre1' --
> still cannot understand which common set of characters
> > could be used for the release-version/tag-name to satisfy 'git', 'obs',
> 'dpkg-build', ...
> >
> > Commits to 'master' and new tags trigger the jenkins jobs of build,
> packaging and some rudimentary test of package and unit tests (for Suse).
> > https://opensc.fr/jenkins/view/Open <
> https://opensc.fr/jenkins/view/OpenSC-release/>SC-release/ <
> https://opensc.fr/jenkins/view/OpenSC-release/>
> >
> > The resulting packages are transfered to 'download' part of the
> opensc-project.org file server:
> >  - commits to
> > http://www.opensc-project.org/downloads/projects/opensc/nightly/
> >  - releases to
> > http://www.opensc-project.org/downloads/projects/opensc/releases/
> >
> >
> > For a while there are only source tarballs, MSIs for x32 and x64 and rpm
> i586 for opensSuSE 12.1 .
> > Hope that rapidly the building of releases packages for some
> debian/ubuntu distributions will be connected.
> >
> > It would be nice if you could look/test the tarball or packages of the
> release 0.13.0pre1.
> > Your remarks, proposals, contributions are heartily welcome.
> >
> > Kind regards,
> > Viktor.
> > ___
> > opensc-devel mailing list
> > opensc-devel@lists.opensc-project.org
> > http://www.opensc-project.org/mailman/listinfo/opensc-devel
>
>
> --
>
> -CardContact Software & System Consulting
>|.##> <##.|   Andreas Schwier
>|#   #|   Schülerweg 38
>|#   #|   32429 Minden, Germany
>|'##> <##'|   Phone +49 571 56149
> -http://www.cardcontact.de
>  http://www.tscons.de
>  http://www.openscdp.org
>
> ___
> opensc-devel mailing list
> opensc-devel@lists.opensc-project.org
> http://www.opensc-project.org/mailman/listinfo/opensc-devel
>
___
opensc-devel mailing list
opensc-devel@lists.opensc-project.org
http://www.opensc-project.org/mailman/listinfo/opensc-devel

Re: [opensc-devel] Strange issue in framework-pkcs15.c / pkcs15_gen_keypair

2012-09-25 Thread Viktor Tarasov 
Hi,

On Tue, Sep 25, 2012 at 4:39 PM, Andreas Schwier <
andreas.schw...@cardcontact.de> wrote:

> Hi Douglas,
>
> the same problem exists for RSA keys. If you specify an invalid key
> size, the code tries to generate invalid objects.
>
> Our fix ist at
>
>
> https://github.com/CardContact/OpenSC/commit/a9682fd704dca5abc028b32e5ec577aa1c12ee78



Thanks for patch and testing.

It was a bug.
It appeared in 9a63e03e when support of the soft-generated keys was removed
from pkcs15-init and pkcs11.



> Andreas
>

Kind regards,
Viktor.


>
> Am 25.09.2012 16:31, schrieb Douglas E. Engert:
> >
> > On 9/25/2012 5:01 AM, Andreas Schwier (ML) wrote:
> >> Dear all,
> >>
> >> we've come a across a strange issue in OpenSC. When we try to generate a
> >> key pair with parameters not supported by the card, then the framework
> >> code still tries to allocate private/public key objects rather than
> >> returning an error code.
> >>
> >> The questionable code is in line 2675 of framework-pkcs15.c /
> >> pkcs15_gen_keypair.
> >>
> >> Is that an intended behaviour or a plain bug ?
> > Same problem as before. No one has had a PKCS#15 card that supports ECC.
> >
> > The original ECC code added to OpenSC was for client use only, and used
> > the PIV card. For testing the piv-tool could tell the card to generate
> > a key pair, but that was not via and PKCS standards.
> >
> >> Andreas
> >>
>
>
> --
>
> -CardContact Software & System Consulting
>|.##> <##.|   Andreas Schwier
>|#   #|   Schülerweg 38
>|#   #|   32429 Minden, Germany
>|'##> <##'|   Phone +49 571 56149
> -http://www.cardcontact.de
>  http://www.tscons.de
>  http://www.openscdp.org
>
> ___
> opensc-devel mailing list
> opensc-devel@lists.opensc-project.org
> http://www.opensc-project.org/mailman/listinfo/opensc-devel
>
___
opensc-devel mailing list
opensc-devel@lists.opensc-project.org
http://www.opensc-project.org/mailman/listinfo/opensc-devel

Re: [opensc-devel] Strange issue in framework-pkcs15.c / pkcs15_gen_keypair

2012-09-25 Thread Andreas Schwier 
Hi Douglas,

the same problem exists for RSA keys. If you specify an invalid key
size, the code tries to generate invalid objects.

Our fix ist at

https://github.com/CardContact/OpenSC/commit/a9682fd704dca5abc028b32e5ec577aa1c12ee78

Andreas

Am 25.09.2012 16:31, schrieb Douglas E. Engert:
>
> On 9/25/2012 5:01 AM, Andreas Schwier (ML) wrote:
>> Dear all,
>>
>> we've come a across a strange issue in OpenSC. When we try to generate a
>> key pair with parameters not supported by the card, then the framework
>> code still tries to allocate private/public key objects rather than
>> returning an error code.
>>
>> The questionable code is in line 2675 of framework-pkcs15.c /
>> pkcs15_gen_keypair.
>>
>> Is that an intended behaviour or a plain bug ?
> Same problem as before. No one has had a PKCS#15 card that supports ECC.
>
> The original ECC code added to OpenSC was for client use only, and used
> the PIV card. For testing the piv-tool could tell the card to generate
> a key pair, but that was not via and PKCS standards.
>
>> Andreas
>>


-- 

-CardContact Software & System Consulting
   |.##> <##.|   Andreas Schwier
   |#   #|   Schülerweg 38
   |#   #|   32429 Minden, Germany
   |'##> <##'|   Phone +49 571 56149
-http://www.cardcontact.de
 http://www.tscons.de
 http://www.openscdp.org

___
opensc-devel mailing list
opensc-devel@lists.opensc-project.org
http://www.opensc-project.org/mailman/listinfo/opensc-devel

Re: [opensc-devel] Strange issue in framework-pkcs15.c / pkcs15_gen_keypair

2012-09-25 Thread Douglas E. Engert 


On 9/25/2012 5:01 AM, Andreas Schwier (ML) wrote:
> Dear all,
>
> we've come a across a strange issue in OpenSC. When we try to generate a
> key pair with parameters not supported by the card, then the framework
> code still tries to allocate private/public key objects rather than
> returning an error code.
>
> The questionable code is in line 2675 of framework-pkcs15.c /
> pkcs15_gen_keypair.
>
> Is that an intended behaviour or a plain bug ?

Same problem as before. No one has had a PKCS#15 card that supports ECC.

The original ECC code added to OpenSC was for client use only, and used
the PIV card. For testing the piv-tool could tell the card to generate
a key pair, but that was not via and PKCS standards.

>
> Andreas
>

-- 

  Douglas E. Engert  
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444


___
opensc-devel mailing list
opensc-devel@lists.opensc-project.org
http://www.opensc-project.org/mailman/listinfo/opensc-devel

Re: [opensc-devel] new release?

2012-09-25 Thread Douglas E. Engert 

Thunderbird 13.0.1 can now sign e-mail.
I had forgot to uncomment in opensc.conf:

   pin_cache_ignore_user_consent = true;

a new feature of 0.13.0pre1

See:
http://www.opensc-project.org/pipermail/opensc-devel/2012-August/018282.html

--

 Douglas E. Engert  
 Argonne National Laboratory
 9700 South Cass Avenue
 Argonne, Illinois  60439
 (630) 252-5444





smime.p7s
Description: S/MIME Cryptographic Signature
___
opensc-devel mailing list
opensc-devel@lists.opensc-project.org
http://www.opensc-project.org/mailman/listinfo/opensc-devel

Re: [opensc-devel] Technical Description - Android Embedded SE

2012-09-25 Thread Peter Stuge 
NdK wrote:
> >> IIUC that bit is not authenticated, so a MITM attack can force both the
> >> reader and the card think the other party doesn't support PIN auth,
> >> making the card sign the transaction anyway, regardless the amount
> >> involved. So IMVHO it's quite serious...
> > http://www.cl.cam.ac.uk/~sjm217/papers/oakland10chipbroken.pdf
> Tks. That's the (or one of) article I remembered but couldn't find...

http://google.com/search?q=chip+and+pin+broken
___
opensc-devel mailing list
opensc-devel@lists.opensc-project.org
http://www.opensc-project.org/mailman/listinfo/opensc-devel

Re: [opensc-devel] Technical Description - Android Embedded SE

2012-09-25 Thread NdK 
Il 25/09/2012 11:50, Peter Stuge ha scritto:

>> IIUC that bit is not authenticated, so a MITM attack can force both the
>> reader and the card think the other party doesn't support PIN auth,
>> making the card sign the transaction anyway, regardless the amount
>> involved. So IMVHO it's quite serious...
> http://www.cl.cam.ac.uk/~sjm217/papers/oakland10chipbroken.pdf
Tks. That's the (or one of) article I remembered but couldn't find...

BYtE,
 Diego.
___
opensc-devel mailing list
opensc-devel@lists.opensc-project.org
http://www.opensc-project.org/mailman/listinfo/opensc-devel

[opensc-devel] Strange issue in framework-pkcs15.c / pkcs15_gen_keypair

2012-09-25 Thread Andreas Schwier (ML) 
Dear all,

we've come a across a strange issue in OpenSC. When we try to generate a
key pair with parameters not supported by the card, then the framework
code still tries to allocate private/public key objects rather than
returning an error code.

The questionable code is in line 2675 of framework-pkcs15.c /
pkcs15_gen_keypair.

Is that an intended behaviour or a plain bug ?

Andreas

-- 

-CardContact Software & System Consulting
   |.##> <##.|   Andreas Schwier
   |#   #|   Schülerweg 38
   |#   #|   32429 Minden, Germany
   |'##> <##'|   Phone +49 571 56149
-http://www.cardcontact.de
 http://www.tscons.de
 http://www.openscdp.org

___
opensc-devel mailing list
opensc-devel@lists.opensc-project.org
http://www.opensc-project.org/mailman/listinfo/opensc-devel

Re: [opensc-devel] Technical Description - Android Embedded SE

2012-09-25 Thread Peter Stuge 
NdK wrote:
> IIUC that bit is not authenticated, so a MITM attack can force both the
> reader and the card think the other party doesn't support PIN auth,
> making the card sign the transaction anyway, regardless the amount
> involved. So IMVHO it's quite serious...

http://www.cl.cam.ac.uk/~sjm217/papers/oakland10chipbroken.pdf
http://youtu.be/gv3dxjvqk7Y


//Peter
___
opensc-devel mailing list
opensc-devel@lists.opensc-project.org
http://www.opensc-project.org/mailman/listinfo/opensc-devel

Re: [opensc-devel] Technical Description - Android Embedded SE

2012-09-25 Thread NdK 
Il 25/09/2012 07:58, Andreas Jellinghaus ha scritto:

>> EMV for sure: there's an unauthenticated bit that tells the card to
>> authenticate the transaction without asking for the PIN...
> Thats ok, it is a valid feature. If people buy something for less than a
> dollar, and the transaction is authenticated with the
> signature of a rsa key in the smart card, and we haven't reached the
> consecutive lower boundary amount yet, then simply
> approving the transaction is perfectly fine - getting a PIN or doing an
> online transaction isn't worth doing for such a small
> amount of money.
IIUC that bit is not authenticated, so a MITM attack can force both the
reader and the card think the other party doesn't support PIN auth,
making the card sign the transaction anyway, regardless the amount
involved. So IMVHO it's quite serious...

> Most vending machines still use modems and dial up for every transaction
> and hang up again later.
The stupid thing is that it seems they do the same for cellular-based
readers too... What a waste!

> Thats why card transactions are so slow. Once the standard is to have a
> permanent internet connection,
that won't change anything: many banks still use *mainframes* ! Some
still backup to (and transfer data with) tape *wheels* ! (when we
dismissed our IBM 9000, I think one of the tape units got sold to the
bank...). As long as "it works", they don't change it.

BYtE,
 Diego.
___
opensc-devel mailing list
opensc-devel@lists.opensc-project.org
http://www.opensc-project.org/mailman/listinfo/opensc-devel

Re: [opensc-devel] new release?

2012-09-25 Thread Andreas Schwier 
Hi Viktor,

we've completed the development of write support for the SmartCard-HSM
and are in the middle of testing and bug-fixing.

The code is based on the latest version in OpenSC/staging and changes
mostly apply to our own code.

Is there a chance to get write support into the upcomin release ?

If yes, I would prepare a pull request against the CardContact/staging
branch.


Andreas



Am 17.09.2012 22:00, schrieb Viktor Tarasov:
> Hello,
>
> Le 15/09/2012 16:52, Kalev Lember a écrit :
>> On 09/06/2012 08:06 PM, Viktor Tarasov wrote:
>>> Hello,
>>>
>>> current github 'staging' is tagged as v0.13.0-pre1.
>>>
>>> If no objections, I will merge this branch into github 'master' -- it will 
>>> be base version to test
>>> and to prepare the coming release candidate.
>> Very good idea. I think it makes a lot of sense to have just one
>> 'master' branch for development; this is what people coming over from
>> other projects tend to expect.
>
> 'Master' and 'staging' are actually synchronized and for the new pull 
> requests I propose to create them relative to the 'master' branch.
> Until the end of this release the pull requests to 'staging' are also 
> accepted.
>
> The tag name 'v0.13.0-pre1' has been changed (sorry) to '0.13.0pre1' -- still 
> cannot understand which common set of characters
> could be used for the release-version/tag-name to satisfy 'git', 'obs', 
> 'dpkg-build', ...
>
> Commits to 'master' and new tags trigger the jenkins jobs of build, packaging 
> and some rudimentary test of package and unit tests (for Suse).
> https://opensc.fr/jenkins/view/Open 
> SC-release/ 
> 
>
> The resulting packages are transfered to 'download' part of the 
> opensc-project.org file server:
>  - commits to
> http://www.opensc-project.org/downloads/projects/opensc/nightly/
>  - releases to
> http://www.opensc-project.org/downloads/projects/opensc/releases/
>
>
> For a while there are only source tarballs, MSIs for x32 and x64 and rpm i586 
> for opensSuSE 12.1 .
> Hope that rapidly the building of releases packages for some debian/ubuntu 
> distributions will be connected.
>
> It would be nice if you could look/test the tarball or packages of the 
> release 0.13.0pre1.
> Your remarks, proposals, contributions are heartily welcome.
>
> Kind regards,
> Viktor.
> ___
> opensc-devel mailing list
> opensc-devel@lists.opensc-project.org
> http://www.opensc-project.org/mailman/listinfo/opensc-devel


-- 

-CardContact Software & System Consulting
   |.##> <##.|   Andreas Schwier
   |#   #|   Schülerweg 38
   |#   #|   32429 Minden, Germany
   |'##> <##'|   Phone +49 571 56149
-http://www.cardcontact.de
 http://www.tscons.de
 http://www.openscdp.org

___
opensc-devel mailing list
opensc-devel@lists.opensc-project.org
http://www.opensc-project.org/mailman/listinfo/opensc-devel