[opensc-devel] STARCOS 3.0 cards with SafeSign Identity Client
Hello,

I've been issued a smart card by the Australian Health Insurance Commission or Medicare Australia. These cards are for getting on to our new national electronic health record system. I would quite like to use it on Linux but haven't had a lot of luck with pkcs15-tool so far.

I'm really mostly wondering whether the problem is with a lack of support for the card operating system or an incompatibility between the OpenSC and card PKCS#15 implementations. I believe they run STARCOS 3.0 and are initialised with the SafeSign Identity Client application, which I'm assured is PKCS#15 compliant. However OpenSC complains that the card is not supported.

The ATR data is:
3b:bb:18:00:c0:10:31:fe:45:80:67:04:12:b0:03:03:00:00:81:05:3c

I have attached the logs from pkcs15-tool with both OpenCT and PCSC-Lite, and can turn up the debugging further if that would help.

Thanks,
David Adam
zanc...@ucc.gu.uwa.edu.au

0x7f4687ac2700 23:08:50.859 [pkcs15-tool] reader-openct.c:173:openct_reader_detect_card_presence: called
Using reader with a card: CCID Compatible
0x7f4687ac2700 23:08:50.859 [pkcs15-tool] reader-openct.c:173:openct_reader_detect_card_presence: called
Connecting to card in reader CCID Compatible...
0x7f4687ac2700 23:08:50.859 [pkcs15-tool] card.c:125:sc_connect_card: called
0x7f4687ac2700 23:08:50.859 [pkcs15-tool] reader-openct.c:196:openct_reader_connect: called
0x7f4687ac2700 23:08:51.031 [pkcs15-tool] card-entersafe.c:104:entersafe_match_card: called
0x7f4687ac2700 23:08:51.031 [pkcs15-tool] card-rutoken.c:101:rutoken_match_card: called
0x7f4687ac2700 23:08:51.031 [pkcs15-tool] reader-openct.c:381:openct_reader_lock: called
0x7f4687ac2700 23:08:51.033 [pkcs15-tool] reader-openct.c:407:openct_reader_unlock: called
0x7f4687ac2700 23:08:51.034 [pkcs15-tool] reader-openct.c:381:openct_reader_lock: called
0x7f4687ac2700 23:08:51.036 [pkcs15-tool] reader-openct.c:407:openct_reader_unlock: called
0x7f4687ac2700 23:08:51.037 [pkcs15-tool] card-piv.c:2516:piv_match_card: called
0x7f4687ac2700 23:08:51.037 [pkcs15-tool] card-piv.c:715:piv_find_aid: called
0x7f4687ac2700 23:08:51.037 [pkcs15-tool] card-piv.c:678:piv_select_aid: called
0x7f4687ac2700 23:08:51.037 [pkcs15-tool] reader-openct.c:381:openct_reader_lock: called
0x7f4687ac2700 23:08:51.039 [pkcs15-tool] reader-openct.c:407:openct_reader_unlock: called
0x7f4687ac2700 23:08:51.040 [pkcs15-tool] reader-openct.c:381:openct_reader_lock: called
0x7f4687ac2700 23:08:51.042 [pkcs15-tool] reader-openct.c:407:openct_reader_unlock: called
0x7f4687ac2700 23:08:51.043 [pkcs15-tool] card-itacns.c:162:itacns_match_card: Matching 3b against atr[0] == 3b
0x7f4687ac2700 23:08:51.043 [pkcs15-tool] reader-openct.c:381:openct_reader_lock: called
0x7f4687ac2700 23:08:51.045 [pkcs15-tool] reader-openct.c:407:openct_reader_unlock: called
0x7f4687ac2700 23:08:51.046 [pkcs15-tool] reader-openct.c:242:openct_reader_disconnect: called
Failed to connect to card: Card is invalid or cannot be handled
0x7f4687ac2700 23:08:51.046 [pkcs15-tool] ctx.c:787:sc_release_context: called
0x7f4687ac2700 23:08:51.046 [pkcs15-tool] reader-openct.c:153:openct_reader_release: called
0x7f4687ac2700 23:08:51.046 [pkcs15-tool] reader-openct.c:153:openct_reader_release: called
0x7f4687ac2700 23:08:51.046 [pkcs15-tool] reader-openct.c:140:openct_reader_finish: called

0x7fb862227700 22:56:16.845 [pkcs15-tool] sc.c:195:sc_detect_card_presence: called
0x7fb862227700 22:56:16.846 [pkcs15-tool] reader-pcsc.c:293:refresh_attributes: returning with: 0 (Success)
0x7fb862227700 22:56:16.846 [pkcs15-tool] reader-pcsc.c:369:pcsc_detect_card_presence: returning with: 1
Using reader with a card: Gemalto USB Shell Token V2 00 00
0x7fb862227700 22:56:16.846 [pkcs15-tool] sc.c:195:sc_detect_card_presence: called
0x7fb862227700 22:56:16.846 [pkcs15-tool] reader-pcsc.c:293:refresh_attributes: returning with: 0 (Success)
0x7fb862227700 22:56:16.846 [pkcs15-tool] reader-pcsc.c:369:pcsc_detect_card_presence: returning with: 1
Connecting to card in reader Gemalto USB Shell Token V2 00 00...
0x7fb862227700 22:56:16.846 [pkcs15-tool] card.c:115:sc_connect_card: called
0x7fb862227700 22:56:16.847 [pkcs15-tool] reader-pcsc.c:293:refresh_attributes: returning with: 0 (Success)
0x7fb862227700 22:56:16.847 [pkcs15-tool] card-entersafe.c:104:entersafe_match_card: called
0x7fb862227700 22:56:16.847 [pkcs15-tool] card-rutoken.c:101:rutoken_match_card: called
0x7fb862227700 22:56:16.847 [pkcs15-tool] apdu.c:525:sc_transmit_apdu: called
0x7fb862227700 22:56:16.914 [pkcs15-tool] apdu.c:525:sc_transmit_apdu: called
0x7fb862227700 22:56:16.930 [pkcs15-tool] muscle.c:269:msc_select_applet: returning with: -1200 (Card command failed)
0x7fb862227700 22:56:16.930 [pkcs15-tool] card-piv.c:2507:piv_match_card: called
0x7fb862227700 22:56:16.930 [pkcs15-tool] card-piv.c:713:piv_find_aid: called
0x7fb862227700 22:56:16.930 [pkcs15-tool] card-piv.c:676:piv_select_aid: called
0x7fb862227700 22:56:16.930
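The ATR quoted in the message above can be decoded to confirm it is structurally valid and to see which protocols and historical bytes a card driver would have to match. This is an added example, not part of the original post and not OpenSC code; it follows the ISO/IEC 7816-3 ATR layout, and the helper name parse_atr is hypothetical.

```python
# Added example: structural decode of an ISO/IEC 7816-3 ATR (not OpenSC code).
# parse_atr is a hypothetical helper; the ATR string is the one quoted in the post.
ATR_FROM_POST = "3b:bb:18:00:c0:10:31:fe:45:80:67:04:12:b0:03:03:00:00:81:05:3c"


def parse_atr(text):
    data = bytes.fromhex(text.replace(":", "").replace(" ", ""))
    if len(data) < 2 or data[0] not in (0x3B, 0x3F):
        raise ValueError("missing or invalid TS byte")
    hist_len = data[1] & 0x0F      # low nibble of T0: number of historical bytes
    y = data[1] >> 4               # high nibble: which of TA1..TD1 follow
    pos, i = 2, 1
    interface, protocols = {}, set()
    while True:
        for bit, name in ((1, "TA"), (2, "TB"), (4, "TC"), (8, "TD")):
            if y & bit:
                if pos >= len(data):
                    raise ValueError("ATR truncated in interface bytes")
                interface[f"{name}{i}"] = data[pos]
                pos += 1
        td = interface.get(f"TD{i}")
        if td is None:
            break
        protocols.add(td & 0x0F)   # low nibble of TDi: protocol type T
        y = td >> 4                # high nibble: presence map for the next group
        i += 1
    historical = data[pos:pos + hist_len]
    if len(historical) != hist_len:
        raise ValueError("ATR truncated in historical bytes")
    pos += hist_len
    # TCK is present unless T=0 is the only protocol indicated.
    tck_expected = bool(protocols - {0})
    if len(data) != pos + (1 if tck_expected else 0):
        raise ValueError("unexpected ATR length")
    checksum = 0
    for b in data[1:]:
        checksum ^= b              # XOR of T0..TCK must be zero
    return {
        "convention": "direct" if data[0] == 0x3B else "inverse",
        "interface": interface,
        "protocols": sorted(protocols) or [0],
        "historical": historical,
        "tck_ok": (checksum == 0) if tck_expected else None,
    }


if __name__ == "__main__":
    print(parse_atr(ATR_FROM_POST))
```

For the ATR in the post, the decoder reports T=0 and T=1, eleven historical bytes and a correct TCK, so the bytes themselves are well formed.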
Re: [opensc-devel] state of the project?
Ludovic Rousseau wrote:
> Andreas, the host available at opensc-project.org will disappear at the end of the year 2012 [2].

I think you misunderstood what Andreas wrote in his email. I think that what Andreas was saying is that someone else needs to be root and care for the machine. I don't expect that it will be any problem whatsoever to keep the VM around until whenever it is easy to change DNS, as long as someone is actually taking care of the system.

Of course when no one is able to and other offers aren't useful, then all that remains is to rely on free (beer) services like github or SF.

//Peter
___ opensc-devel mailing list opensc-devel@lists.opensc-project.org http://www.opensc-project.org/mailman/listinfo/opensc-devel
Re: [opensc-devel] state of the project?
Viktor Tarasov wrote:
> I propose to start migration the week 19-25.11. I'll have more free time:
> - sources: all sources will migrate to github;
> - CI: CI server is currently hosted by 'opensc.fr';
> - download: on the same platform can be hosted the file server;
> - TRAC (wiki?): it seems that Peter Stuge proposed to do something with Trac. Peter, if you are here, can you take this part, or at least explain how it could be done, please? If no suggestions, Trac can also be hosted by 'opensc.fr'.

Educating someone on how to do a migration is as I'm sure you know a whole lot more work than performing the migration. If there's desire I'm of course still happy to host a Trac, but please keep in mind that Trac is a lot less useful when source code is somewhere else.

Please add my SSH key on the server and let me know, if you want me to look into moving Trac out.

> - mailing list: the same, if no other suggestions, I'm ready to install/migrate it to 'opensc.fr' platform. Would be nice if one of the experts explain what are the actions to follow for such migration.

I don't like mailman too much. I've set it up, but I don't use it. I'd suggest using SF for the list(s?).

//Peter
Re: [opensc-devel] state of the project?
Andreas Jellinghaus wrote:
> I wonder what we can or should do to improve the state of the project.

I think it's clear that only very few entities are putting resources into the project.

> there hasn't been any real discussion, no back and forth about the merits of the different proposals, and no convergence on one option or decision by anyone.

I think even this is way too much to expect from those who do put resources into the project. No one who is contributing seems to have much experience from hosting, so discussion about hosting is really difficult. (I may have plenty of experience, but I don't contribute very much to the project.)

> It seems to me the state of the project is defunct: while there are requests, proposals, options and offerings, we are not getting towards a decision or action it seems, as no one decides anything or gets people to agree or to do things.

There's a fairly fundamental disagreement between development styles. I e.g. advocate security-conscious development and great results, even if slow, while everyone else who has spoken on that matter advocates fast change with perhaps less importance on technical quality and elegance.

It's sad that less-than-great results is acceptable in open source under any circumstance, but since I'm not even putting development resources into the project it doesn't matter at all what I think about that.

IMO it's largely a waste of time to migrate away from an existing working system unless the services really can not be updated in place.

//Peter
Re: [opensc-devel] state of the project?
On Wed, Nov 14, 2012 at 10:22 PM, Alon Bar-Lev alon.bar...@gmail.com wrote:
> On Wed, Nov 14, 2012 at 10:20 PM, Ludovic Rousseau ludovic.rouss...@gmail.com wrote:
>> 2012/11/14 Ludovic Rousseau ludovic.rouss...@gmail.com
>>> I could not migrate:
>>> - pkcs11-help. Something fails in the authors names conversion
>>
>> I forked the github repository of Alon. pkcs11-helper is now available under the OpenSC organization.
>> https://github.com/OpenSC/pkcs11-helper
>>
>>> I have not tried to migrate:
>>> - OpenCT
>>> - OpenSC-Java
>>> Aren't these projects obsolete now?
>>
>> I tried to convert OpenCT. But I could not get the author correspondence. Some SVN revisions have no author and confuse svn2git.
>
> I will prepare github for you to use.

Ready: https://github.com/alonbl/openct
Re: [opensc-devel] state of the project?
Hello Peter,

On 16/11/2012 21:42, Peter Stuge wrote:
> Viktor Tarasov wrote:
>> I propose to start migration the week 19-25.11. I'll have more free time:
>> - sources: all sources will migrate to github;
>> - CI: CI server is currently hosted by 'opensc.fr';
>> - download: on the same platform can be hosted the file server;
>> - TRAC (wiki?): it seems that Peter Stuge proposed to do something with Trac. Peter, if you are here, can you take this part, or at least explain how it could be done, please? If no suggestions, Trac can also be hosted by 'opensc.fr'.
>
> Educating someone on how to do a migration is as I'm sure you know a whole lot more work than performing the migration. If there's desire I'm of course still happy to host a Trac, but please keep in mind that Trac is a lot less useful when source code is somewhere else.

It seems that decision to move all sources to github is accepted. Do you mean that with sources on github it would be more useful to use the bug system and wiki on github, as Ludovic proposed, and not the Trac installed on someone's platform? (I need some time to discover Trac's internals and how it interacts with SCM.)

As far as I understood, in any case we have to start from sqlite dump of the current OpenSC Trac. Andreas, can you do it, please?

> Please add my SSH key on the server and let me know, if you want me to look into moving Trac out.
>
>> - mailing list: the same, if no other suggestions, I'm ready to install/migrate it to 'opensc.fr' platform. Would be nice if one of the experts explain what are the actions to follow for such migration.
>
> I don't like mailman too much. I've set it up, but I don't use it. I'd suggest using SF for the list(s?).

Could you expand 'SF' or give the link, please?

> //Peter

Kind regards,
Viktor.
Re: [opensc-devel] state of the project?
Viktor Tarasov wrote:
>>> - mailing list: the same, if no other suggestions, I'm ready to install/migrate it to 'opensc.fr' platform. Would be nice if one of the experts explain what are the actions to follow for such migration.
>>
>> I don't like mailman too much. I've set it up, but I don't use it. I'd suggest using SF for the list(s?).
>
> Could you expand 'SF' or give the link, please?

Sorry - missed this one. SF = sourceforge

While I disagree with most other uses of SF because of their quite unfriendly terms of service (a function of US law of course) I think that mailing lists are OK. Subscribing to lists doesn't require an SF account, and SF doesn't add overly much spam to the posts.

//Peter