Re: [opensc-devel] adding support for a java applet

2012-10-22 Thread aidin boghaniyan
Hello again,
Does anybody have any idea?

Thanks in advance

On Tue, Oct 16, 2012 at 9:54 AM, aidin boghaniyan aidinb...@gmail.com wrote:

 Hi,
 I have some kona25 (http://www.tagsystems.net/downloads) java cards, and I
 must provide a pkcs11 interface for them.
 I know that the best way of using them with OpenSC is loading the Muscle
 applet on them, but I was unsuccessful with this solution.
 Indeed, I have loaded the Muscle applet using gpj
 (http://sourceforge.net/projects/gpj/, java global platform), and I added
 my card ATR to the list of Muscle card supported ATRs, but when I use this
 card with OpenSC, I get the unsupported card error, and when I debug the
 code, I find that the problem is in the muscle_match_card function. This
 function doesn't receive what it expects from the card, so the card will be
 unsupported.
 I tried to load another cap file of the Muscle applet, but there was no
 change.
 Does anybody have any advice?

 Another solution for me is using the Java Card Sign
 (http://sourceforge.net/projects/javacardsign/)
 applet, and writing a PKCS11 driver for this card. I have loaded this
 applet on my card and communicated successfully with it from its host
 application. This applet and its host application are open source.
 So my main question is: is this solution the best solution that I can
 choose?

 Regards

___
opensc-devel mailing list
opensc-devel@lists.opensc-project.org
http://www.opensc-project.org/mailman/listinfo/opensc-devel

Re: [opensc-devel] adding support for a java applet

2012-10-22 Thread helpcrypto helpcrypto
Maybe I'm wrong, but AFAIK if opensc says unsupported card, then you
have to make a driver for it:
http://www.opensc-project.org/opensc/wiki/FrequentlyAskedQuestions#Q:WhattodoifmycardisnotsupportedbyOpenSC




Re: [opensc-devel] adding support for a java applet

2012-10-22 Thread Andreas Schwier
Dear Aidin,

for writing a card driver I would suggest picking one of the existing
drivers and adapting it to your specific needs. It's a little bit of work, but
it can be done.

It's probably best to start with the integration into opensc-explorer.
Once you get that to work, take the next step and develop a read/only
driver using a card specific pkcs15 module in libopensc. The final step
would be to provide a pkcs15 module in pkcs15init for write support.

Expect a lot of debugging, so select a comfortable development
environment (we use Eclipse for C/C++ for it).

Andreas




-- 

-CardContact Software  System Consulting
   |.## ##.|   Andreas Schwier
   |#   #|   Schülerweg 38
   |#   #|   32429 Minden, Germany
   |'## ##'|   Phone +49 571 56149
-http://www.cardcontact.de
 http://www.tscons.de
 http://www.openscdp.org



Re: [opensc-devel] PIN not sent to card before signing

2012-10-22 Thread Douglas E. Engert

Based on the information in this thread, it looks like
pkcs11-tool is missing two lines that would check
if the CKA_ALWAYS_AUTHENTICATE is set for the key
in the sign_data routine.

Can you try the attached patch?


On 10/22/2012 3:10 AM, Mathias Tausig wrote:

On Sunday 21. October 2012 17:24:41 you wrote:

Hello,

Le 19/10/2012 15:02, Mathias Tausig a écrit :

I am writing a PKCS#15 application for a (cardos v4.4) smartcard which
references an external signature application. The RSA key and the PIN are
stored in that external application, the PIN needs to be verified upon
every key usage.

To accomplish this, I have set the userConsent value in the
PrivateKeyDictionaryFile to 1.

Here is the content of the PrkDF (output from openssl):

 0:d=0  hl=2 l=  67 cons: SEQUENCE
 2:d=1  hl=2 l=  30 cons:  SEQUENCE
 4:d=2  hl=2 l=  18 prim:   UTF8STRING:Signaturschlüssel
24:d=2  hl=2 l=   2 prim:   BIT STRING
    - 07 80 ..
28:d=2  hl=2 l=   1 prim:   OCTET STRING
    - 11.
31:d=2  hl=2 l=   1 prim:   INTEGER   :01
34:d=1  hl=2 l=  14 cons:  SEQUENCE
36:d=2  hl=2 l=   1 prim:   OCTET STRING  :B
39:d=2  hl=2 l=   2 prim:   BIT STRING
    - 05.
    0002 - SPACES/NULS
43:d=2  hl=2 l=   2 prim:   BIT STRING
    - 03 b8 ..
47:d=2  hl=2 l=   1 prim:   INTEGER   :02
50:d=1  hl=2 l=  17 cons:  cont [ 1 ]
52:d=2  hl=2 l=  15 cons:   SEQUENCE
54:d=3  hl=2 l=   6 cons:    SEQUENCE
56:d=4  hl=2 l=   4 prim:     OCTET STRING
    - 3f 00 1f ff   ?...
62:d=3  hl=2 l=   2 prim:    INTEGER   :0400
66:d=3  hl=2 l=   1 prim:    INTEGER   :14
69:d=0  hl=2 l=   0 prim: EOC

The problem is, that when I try to use the card with pkcs11-tool (either
with the --test option or with a --sign command), it doesn't verify the
pin before signing. Here is the relevant part of the APDU output:

Oct 19 14:40:20 off17 pcscd[4590]: 6755 APDU: 00 A4 08 00 02 1F FF
Oct 19 14:40:20 off17 pcscd[4590]: 00024106 SW: 90 00
Oct 19 14:40:20 off17 pcscd[4590]: 1410 APDU: 00 20 00 81 06 31 32 33
34 35 36
Oct 19 14:40:20 off17 pcscd[4590]: 00048516 SW: 90 00
Oct 19 14:40:20 off17 pcscd[4590]: 5039 APDU: 00 A4 08 00 02 50 15
Oct 19 14:40:20 off17 pcscd[4590]: 00024963 SW: 90 00
Oct 19 14:40:20 off17 pcscd[4590]: 1737 APDU: 00 A4 08 00 02 1F FF
Oct 19 14:40:20 off17 pcscd[4590]: 00028271 SW: 90 00
Oct 19 14:40:20 off17 pcscd[4590]: 0164 APDU: 00 22 01 B6 03 83 01 02
Oct 19 14:40:20 off17 pcscd[4590]: 00019795 SW: 90 00
Oct 19 14:40:20 off17 pcscd[4590]: 0185 APDU: 00 2A 9E 9A 80 00 01 FF
FF FF FF FF FF FF FF FF F
F FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
FF FF FF FF FF FF FF FF F
F FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
FF FF FF FF FF FF FF FF F
F FF FF FF FF FF FF FF FF FF FF FF FF FF FF 00 30 21 30 09 06 05 2B 0E 03
02 1A 05 00 04 14 04 75 9
5 D0 FA E9 72 FB ED 0C 51 B4 A4 1C 7A 34 9E 0C 47 BB 80
Oct 19 14:40:20 off17 pcscd[4590]: 00039821 SW: 69 82

In the first two commands the signature DF (1fff) is entered and the PIN
verified, then it switches back to the PKCS#15 DF without doing anything
there (APDU#3). Then the signature DF is reentered and a signing command
is tried without prior authentication.

Is this a bug, is the userConsent field not heeded, or am I missing
something?

Please confirm (or not) -- in your test you are not using the current OpenSC
pkcs#11 module but only using the pkcs11-tool.

According to your logs, the application DF is selected between the PIN
verifying and 'sign' operation. That's the behavior of the previous
versions of OpenSC.

Could you tell us more about the application that generates the APDUs?
If it is based on the older OpenSC version, try to change the 'lock_login'
configuration option.


I am using opensc-12.2, the version shipped with openSuse 12.2 (32 bit), which
is the most current stable version (according to the opensc homepage).

Here is the p11spy output produced by
pkcs11-tool --module pkcs11-spy.so --sign --login --input-file /tmp/csr --output-file /tmp/csr.sig -m SHA1-RSA-PKCS --verbose --pin 123456


*** OpenSC PKCS#11 spy *
Loaded: /usr/lib/pkcs11/opensc-pkcs11.so


0: C_GetFunctionList
Returned:  0 CKR_OK


1: C_Initialize
[in] pInitArgs = (nil)
Returned:  0 CKR_OK


2: C_GetSlotList
[in] tokenPresent = 0x0
[out] pSlotList:
Count is 4
[out] *pulCount = 0x4
Returned:  0 CKR_OK


3: C_GetSlotList
[in] tokenPresent = 0x0
[out] pSlotList:
Slot -1
Slot 1
Slot 5
Slot 9
[out] *pulCount = 0x4
Returned:  0 CKR_OK


4: C_GetSlotInfo
[in] slotID = 0x
[out] pInfo:
   slotDescription:'Virtual hotplug 
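
The APDU sequence discussed in this thread can be checked mechanically. The following is an added example, not code from the thread or from OpenSC: it walks a pcscd trace and reports, for each signing command, whether a VERIFY succeeded in the current DF since the last SELECT. The function names are hypothetical, and it assumes that selecting a DF drops the PIN verification state, which is what the 69 82 (security status not satisfied) in the trace suggests.

```python
import re

# Constructed sample: the APDU headers from the pcscd trace in this thread,
# with the padded signing payload shortened to its first bytes.
SAMPLE_LOG = """\
pcscd[4590]: 6755 APDU: 00 A4 08 00 02 1F FF
pcscd[4590]: 00024106 SW: 90 00
pcscd[4590]: 1410 APDU: 00 20 00 81 06 31 32 33 34 35 36
pcscd[4590]: 00048516 SW: 90 00
pcscd[4590]: 5039 APDU: 00 A4 08 00 02 50 15
pcscd[4590]: 00024963 SW: 90 00
pcscd[4590]: 1737 APDU: 00 A4 08 00 02 1F FF
pcscd[4590]: 00028271 SW: 90 00
pcscd[4590]: 0164 APDU: 00 22 01 B6 03 83 01 02
pcscd[4590]: 00019795 SW: 90 00
pcscd[4590]: 0185 APDU: 00 2A 9E 9A 80 00 01 FF FF
pcscd[4590]: 00039821 SW: 69 82
"""

LINE = re.compile(r"(APDU|SW): ((?:[0-9A-Fa-f]{2} ?)+)")

def exchanges(log):
    """Pair each command APDU with the status word that follows it."""
    cmd = None
    for kind, hexbytes in LINE.findall(log):
        data = bytes.fromhex(hexbytes)
        if kind == "APDU":
            cmd = data
        elif cmd is not None:
            yield cmd, data[-2:]
            cmd = None

def audit_signing(log):
    """For every PSO: COMPUTE DIGITAL SIGNATURE, report whether a VERIFY
    succeeded in the current DF since the last SELECT.
    Assumption: a successful SELECT invalidates the PIN state."""
    verified, current_df, findings = False, None, []
    for cmd, sw in exchanges(log):
        ins, ok = cmd[1], sw == b"\x90\x00"
        if ins == 0xA4 and ok:              # SELECT: new DF, PIN state lost
            current_df, verified = cmd[5:5 + cmd[4]].hex(), False
        elif ins == 0x20:                   # VERIFY
            verified = ok
        elif cmd[1:4] == b"\x2a\x9e\x9a":   # PSO: COMPUTE DIGITAL SIGNATURE
            findings.append({"df": current_df, "pin_verified": verified, "sw": sw.hex()})
    return findings
```

On the sample, `audit_signing(SAMPLE_LOG)` reports one signing attempt in DF 1fff with `pin_verified` false and status word 6982.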

[opensc-devel] [PATCH] buffer overflow fix

2012-10-22 Thread Emmanuel Dreyfus
Hi

Please check in the fix below.

--- src/pkcs11/pkcs11-global.c.orig 2012-10-22 09:11:56.0 +0200
+++ src/pkcs11/pkcs11-global.c  2012-10-22 09:12:14.0 +0200
@@ -43,9 +43,9 @@
 #if defined(HAVE_PTHREAD)  defined(PKCS11_THREAD_LOCKING)
 #include pthread.h
 CK_RV mutex_create(void **mutex)
 {
-   pthread_mutex_t *m = (pthread_mutex_t *) malloc(sizeof(*mutex));
+   pthread_mutex_t *m = (pthread_mutex_t *) malloc(sizeof(*m));
if (m == NULL)
return CKR_GENERAL_ERROR;;
pthread_mutex_init(m, NULL);
*mutex = m;
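
Review bot: the return value of pthread_mutex_init(m, NULL) in mutex_create is still ignored, so if initialisation fails an unusable mutex is handed back through *mutex; check the result, free(m) and return an error in that case. The sizeof(*m) change itself is correct: sizeof(*mutex) is the size of a void *, which is typically smaller than pthread_mutex_t, so pthread_mutex_init was writing past the end of the allocation. While touching this function, drop the stray second semicolon in "return CKR_GENERAL_ERROR;;" and consider returning CKR_HOST_MEMORY when malloc fails.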

-- 
Emmanuel Dreyfus
http://hcpnet.free.fr/pubz
m...@netbsd.org