Re: [opensc-devel] Problem with CardMan4040 and OpenSC
On 26.11.2011 10:43, Martin Paljak wrote:
> Hello,
> It can be compiled with OpenCT support, exclusively. But that's a corner case, I believe 95%+ of people have pcsc-lite/CCID compatible hardware. Key is to build pcsc-lite with support for openct.

I guess you mean the opposite: build openct with pcsc-lite support.

I fully agree. I'm using CardMan 4040 with pcsclite. Personally, I got pissed off with fighting with openct. pcsclite works much better. I also have a couple of USB readers, but the CardMan is very handy with my laptop (I got it free from my friend, thanks Max!)

I'm using svn versions of the software (opensc, pcsclite, pam_pkcs11). However, after pcsclite svn rev 6019 I got some problems, so I'm still using 6018. About to update to 1.8.1 some day, I assume the latest version should work if run as a service started at bootup. Since Ubuntu does not yet have official support for systemd, I'll be using it this way anyway.

Most of the problems with all these smart card systems on Linux are usually:
1) distribution-included versions are old
2) when self-compiled, double check all the config file directories... for example, the config is not necessarily in /etc, it might also be in /usr/etc!

When installing the CardMan to be used with pcsclite, I followed mainly the instructions from here: http://blog.deepreflect.net/2011/01/23/omikey-cardman-4040-linux-fc14/ . The main point is not to use the manufacturer's install procedure, but to manually copy the driver (which is for kernel ver 2.x, however, works with 3) from the gz and write the cardman4040.conf file.

Hannu

___
opensc-devel mailing list
opensc-devel@lists.opensc-project.org
http://www.opensc-project.org/mailman/listinfo/opensc-devel
Re: [opensc-devel] Problem with CardMan4040 and OpenSC
On 26.11.2011 16:34, Niclas Hoyer wrote:
> Silly me :-)
> Thanks for your suggestions, but the error still remains:
>
> $ tar -xzf ifdok_cm4040_lnx_x64-2.0.0.tar.gz
> tar: This does not look like a tar archive
> tar: Skipping to next header
> tar: Exiting with failure status due to previous errors
>
> Regards,
> Niclas

hmm.. I'm using the 32-bit version with my laptop, it works ok. Tried to unzip the 64-bit version, got the same error :-(

oh, it works if you:
--
gunzip ifdok_cm4040_lnx_x64-2.0.0.tar.gz
tar -xf ifdok_cm4040_lnx_x64-2.0.0.tar
---

Hannu
Re: [opensc-devel] Problem with CardMan4040 and OpenSC
On 26.11.2011 12:04, Hannu Kotipalo wrote:
> I fully agree. I'm using CardMan 4040 with pcsclite. Personally, I got pissed off with fighting with openct. pcsclite works much better. I also have a couple of USB readers, but the CardMan is very handy with my laptop (I got it free from my friend, thanks Max!)

One note though; this does NOT work if you are using both the CardMan 4040 AND a CCID reader.

> I'm using svn versions of the software (opensc, pcsclite, pam_pkcs11). However, after pcsclite svn rev 6019 I got some problems, so I'm still using 6018. About to update to 1.8.1 some day, I assume the latest version should work if run as a service started at bootup. Since Ubuntu does not yet have official support for systemd, I'll be using it this way anyway.

I just installed version 1.8.1, it works, but you have to make pcscd run as a service, i.e. edit /etc/init.d/pcscd and comment out the "exit 0" line. See the comments in the file.

Hannu
Re: [opensc-devel] Problem with CardMan4040 and OpenSC
On 26.11.2011 19:01, Peter Stuge wrote:
> Hannu Kotipalo wrote:
>> Personally, I got pissed off with fighting with openct. pcsclite works much better.
>
> This is simply not true. As I already explained, OpenCT works perfectly, and it offers the rather significant advantage that

hmm.. when I tried openct some time ago, I could not get it to work. I was using a CCID reader with a MyEID card on a 64-bit system. Maybe I should give it another try?

> I do not have to rely on a closed source software for doing my smart card crypto. I'm surprised that you don't care about that.

Well, I would prefer open source.. but would there be closed source in the 4040 case anyway?

>> When installing CardMan to be used with pcsclite,
>
> You mean when installing the vendor supplied PCMCIA driver and the closed source ifdhandler. Remember that I also use the reader with pcsc-lite, even though it's through OpenCT.

Hmm.. maybe I'll try openct again some day with my CardMan4040.

Hannu
Re: [opensc-devel] Problem with CardMan4040 and OpenSC
On 26.11.2011 19:50, Peter Stuge wrote:
>> hmm.. when I tried openct some time ago, I could not get it to work. I was using a CCID reader with a MyEID card on a 64-bit system. Maybe I should give it another try?
>
> Well, if you have a working setup which you are happy with then there's also no need to change that, right? :)

Yes, don't fix it if it's not broken (like my space bar, which does not always work very well)..

> I have a mixed 32/64 system, but the smart card related packages I run are so far 32. I need to switch to a full 64 system soon, if you like I can keep you updated on how OpenCT and cm4040 work for me there.

I have a 64-bit desktop (all sw is 64-bit) and an old Lenovo X60 laptop (32-bit). On the desktop I have a CCID compatible reader, on the laptop I'm using the CardMan4040. On both systems I'm also using an ACR38 micro card reader (USB token) which has a MyEID card and cacert certificates. When I tried openct, I was using the 64-bit desktop with 64-bit sw.

>>> I do not have to rely on a closed source software for doing my smart card crypto. I'm surprised that you don't care about that.
>>
>> Well, I would prefer open source.. but would there be closed source in the 4040 case anyway?
>
> The HID Global ifdhandler .so file is closed source. Only their kernel module is published with source code.

Ok.

>>>> When installing CardMan to be used with pcsclite,
>>>
>>> You mean when installing the vendor supplied PCMCIA driver and the closed source ifdhandler. Remember that I also use the reader with pcsc-lite, even though it's through OpenCT.
>>
>> Hmm.. maybe I'll try openct again some day with my CardMan4040.
>
> Let me know if you would like more information from me about my setup. I'm happy to document it in order to help others. The way I do some things will probably be different from what others would like, but that should be easy enough to adjust. I e.g. have udev run openct-control init as my user, and I manually run pcscd -f when I want to use the reader. One or both those things can be done differently if preferred.

I'm using pam_pkcs11 to log in with my Finnish ID card, so the reader has to work before I log in.

> //Peter
Re: [opensc-devel] Using Finnish Government Identity card for smart card log in
Hi!

First shortly about the case: the idea is to use a third-party-issued smart card to log in to a computer. Basically you ('sysop') rely on the third party to identify the user reliably. Actually you are outsourcing the certificate management.

I configured my system based on instructions from https://help.ubuntu.com/community/CommonAccessCard, with some changes:
1) Of course I use the Finnish ID card
2) I use opensc instead of coolkey
3) cert_policy should definitely be ca,signature and preferably also crl (you can of course also manually remove login access for any card). Checking only ca is not enough, it would be easy to make a card that would pass (I think?).

I assume pam_pkcs11 is mainly purposed to be used with self-generated certificates instead of ID cards. So there is something to be improved (of course, if there is will to support this kind of usage). Here are my comments:
1. When using ID cards, there are usually one Root CA certificate and one intermediate certificate. The current version of pam_pkcs11 needs both to be present in /etc/pam_pkcs11/cacerts/ for it to work. Since the certificate chain is also on the card used, the Root CA *should* be enough (not a big problem though)
2. For some reason the local crl check does not seem to work for me.
3. There should be an option to download the crl at a predefined interval and then use the local crl check (of course you can write your own script..)
4. A GUI would be nice.. ;-)

About cURL and https: compiling the source (0.6.7) after ./configure --with-curl did not work. I also had to manually define it in uri.c:
#define HAVE_CURL

One note; the most challenging part of this seems to be getting the correct (new enough) versions compiled and installed *in the correct directory*. You need pcsclite, opensc, and pam_pkcs11. Compile them all with ./configure --prefix=/usr --exec-prefix=/usr. After compiling and installing, double-check whether you have some configuration files in /usr/etc instead of /etc.

Hannu

ps. sorry for top-posting..
On 21.09.2011 21:34, Martin Paljak wrote:
> Hello,
>
> On 9/19/11 11:25 , Hannu Kotipalo wrote:
>> I succeeded in configuring the pkcs11-pam module to use the Identity card issued by the Finnish government. Also, a smart card with cacert certificates works ok (certificates are stored on Aventra MyEID cards).
>
> Great!
>
>> However, there seems to be some problem with revocation lists.
>> 1) if any of the certificates on the chain does not have a crl distribution point, the check will fail. I would assume that if a certificate has defined no crl distribution point, it should be ok without the check?
>
> That would be very wrong. If key generation and distribution is one of the weakest links, then revocation and adequate checking is another great problem of PKI setups. Unless you want a simple possession-of-key authentication on a single (disconnected) computer you might omit revocation checking (and use pam_p11 instead), but for everything else that works with certificates, you really want to check them for validity.
>
> As CA certificates are not revoked very often (except Diginotar, of course ;)) and they anyway need to be hand-coded into software or configuration to be a trust anchor (at least roots), you could omit revocation checking for CAs (given a compromised CA, the CRL for it would be somewhat worthless). But checking end-entity certificates is a must.
>
>> Or is it? Looks like one of the ca certificates on the Finnish ID card does not have the crl dist point. See debug below.
>
> Adding certificates would also help. I have two Finnish test cards, I can check the certs as well (given that they are not much different from actual certificates)
>
>> 2) cacert has their crl list at a secure https address. pam-pkcs11 does not seem to support that. Would it be easy to add it?
>
> That might be automatic. pam_pkcs11 can use cURL and cURL can handle https. Did you add support for cURL when compiling? Maybe you have not enabled SSL support in cURL?
>> DEBUG:pkcs11_inspect.c:132: verifing the certificate #1
>> DEBUG:cert_vfy.c:256: downloading crl from http://proxy.fineid.fi/crl/vrkcqcc.crl
>> DEBUG:cert_vfy.c:464: certificate has not been revoked
>> DEBUG:pkcs11_inspect.c:146: Inspecting certificate #1
>> Printing data for mapper subject: /C=FI/serialNumber=T/GN=NAME/SN=SURNAME/CN=SURNAME NAME T
>> http://proxy.fineid.fi/arl/vrkroota.crl /C=FI/ST=Finland/O=Vaestorekisterikeskus CA/OU=Valtion kansalaisvarmenteet/CN=VRK Gov. CA for Citizen Qualified Certificates
>> check_for_revocation() failed: neither the user nor the ca certificate does contain a crl distribution point
>
> The error is misleading. Also, it seems that pkcs11_inspect tries to verify all certificates on the token the same way, as you'd not be authenticating with the CA certificate on the card but your personal certificate, this might need some adjustments in pkcs11_inspect code (only non-CA certificates should be processed). Have you tried to actually use pam_pkcs11
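The revocation policy discussed in this exchange (skip the CA certificates found on the token, require a CRL distribution point on every end-entity certificate, and report precisely which certificate lacks one instead of the blanket check_for_revocation() error) and the cert_policy note in the top-posted reply, as an added Python example that is not pam_pkcs11's code: it walks X.509 DER with a minimal parser, and the three sample certificates (a CA, a user certificate with a CRL distribution point, and one without) are constructed inline with dummy names, keys and an assumed CRL URI.

```python
# Added example (not pam_pkcs11 code): classify token certificates for CRL checking.
OID_BASIC_CONSTRAINTS = b"\x55\x1d\x13"   # 2.5.29.19
OID_CRL_DIST_POINTS = b"\x55\x1d\x1f"     # 2.5.29.31

def der_read(buf, pos=0):
    """Return (tag, content, next_pos) for the TLV at pos; definite lengths only."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: 0x8n, then n length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def der_children(content):                 # content of a constructed TLV -> [(tag, content)]
    out, pos = [], 0
    while pos < len(content):
        tag, inner, pos = der_read(content, pos)
        out.append((tag, inner))
    return out

def cert_extensions(cert_der):
    """Map extnID bytes -> extnValue from the [3] EXPLICIT Extensions of TBSCertificate."""
    tbs = der_children(der_read(cert_der)[1])[0][1]
    exts = {}
    for tag, inner in der_children(tbs):
        if tag == 0xA3:
            for _, ext in der_children(der_children(inner)[0][1]):
                fields = der_children(ext)  # OID, optional BOOLEAN critical, OCTET STRING
                exts[fields[0][1]] = fields[-1][1]
    return exts

def is_ca(exts):                           # BasicConstraints ::= SEQUENCE { cA BOOLEAN DEFAULT FALSE, ... }
    bc = exts.get(OID_BASIC_CONSTRAINTS)
    fields = der_children(der_read(bc)[1]) if bc else []
    return bool(fields) and fields[0] == (0x01, b"\xff")

def first_uri(content):
    """Depth-first search for the first [6] uniformResourceIdentifier GeneralName."""
    for tag, inner in der_children(content):
        if tag == 0x86:
            return inner.decode("ascii")
        if tag & 0x20 and (found := first_uri(inner)):   # constructed: recurse
            return found
    return None

def classify(cert_der):
    """'skip-ca' for CA certs, 'crl:<uri>' for end-entity certs, else a named error."""
    exts = cert_extensions(cert_der)
    if is_ca(exts):
        return "skip-ca"
    dp = exts.get(OID_CRL_DIST_POINTS)
    return "crl:" + first_uri(dp) if dp else "error:no-crl-dp"

# Constructed samples: v3 skeleton with empty name/key/signature fields; only extensions matter.
def der_tlv(tag, content):                 # short-form encoder, enough for these samples
    return bytes([tag, len(content)]) + content
def ext(oid, value):
    return der_tlv(0x30, der_tlv(0x06, oid) + der_tlv(0x04, value))
def make_cert(*ext_tlvs):
    tbs = der_tlv(0xA0, der_tlv(0x02, b"\x02")) + der_tlv(0x02, b"\x01") + der_tlv(0x30, b"") * 5
    tbs += der_tlv(0xA3, der_tlv(0x30, b"".join(ext_tlvs)))
    return der_tlv(0x30, der_tlv(0x30, tbs) + der_tlv(0x30, b"") + der_tlv(0x03, b"\x00"))
CA_EXT = ext(OID_BASIC_CONSTRAINTS, der_tlv(0x30, der_tlv(0x01, b"\xff")))
CRL_EXT = ext(OID_CRL_DIST_POINTS, der_tlv(0x30, der_tlv(0x30, der_tlv(0xA0, der_tlv(0xA0,
          der_tlv(0x86, b"http://example.invalid/user.crl"))))))  # assumed URI
TOKEN = [make_cert(CA_EXT), make_cert(CRL_EXT), make_cert()]  # CA, user w/ CRL DP, user w/o
```

Running classify() over every certificate a token returns (here TOKEN) gives a per-certificate verdict, so a missing distribution point is attributed to the right certificate rather than to the chain as a whole.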
[opensc-devel] Using Finnish Government Identity card for smart card logging
Hi!

I succeeded in configuring the pkcs11-pam module to use the Identity card issued by the Finnish government. Also, a smart card with cacert certificates works ok (certificates are stored on Aventra MyEID cards). I improvised instructions from https://help.ubuntu.com/community/CommonAccessCard

However, there seems to be some problem with revocation lists.
1) if any of the certificates on the chain does not have a crl distribution point, the check will fail. I would assume that if a certificate has defined no crl distribution point, it should be ok without the check? Or is it? Looks like one of the ca certificates on the Finnish ID card does not have the crl dist point. See debug below.
2) cacert has their crl list at a secure https address. pam-pkcs11 does not seem to support that. Would it be easy to add it?

Here are the debugs from pkcs11_inspect debug (cert_policy = ca,signature,crl_online;)

btw, this mail has been signed with a cacert.org certificate on an Aventra MyEID card.

Finnish ID card:
-
@:~/src/pam_pkcs11-0.6.7$ pkcs11_inspect debug
DEBUG:pam_config.c:248: Using config file /etc/pam_pkcs11/pam_pkcs11.conf
DEBUG:pkcs11_inspect.c:69: loading pkcs #11 module...
DEBUG:pkcs11_lib.c:975: PKCS #11 module = [/usr/lib/opensc-pkcs11.so]
DEBUG:pkcs11_lib.c:992: module permissions: uid = 0, gid = 0, mode = 755
DEBUG:pkcs11_lib.c:1001: loading module /usr/lib/opensc-pkcs11.so
DEBUG:pkcs11_lib.c:1009: getting function list
DEBUG:pkcs11_inspect.c:78: initialising pkcs #11 module...
DEBUG:pkcs11_lib.c:1106: module information:
DEBUG:pkcs11_lib.c:1107: - version: 2.20
DEBUG:pkcs11_lib.c:1108: - manufacturer: OpenSC (www.opensc-project.org)
DEBUG:pkcs11_lib.c:1109: - flags:
DEBUG:pkcs11_lib.c:1110: - library description: Smart card PKCS#11 API
DEBUG:pkcs11_lib.c:: - library version: 0.0
DEBUG:pkcs11_lib.c:1118: number of slots (a): 3
DEBUG:pkcs11_lib.c:1141: number of slots (b): 3
DEBUG:pkcs11_lib.c:1037: slot 1:
DEBUG:pkcs11_lib.c:1047: - description: Virtual hotplug slot
DEBUG:pkcs11_lib.c:1048: - manufacturer: OpenSC (www.opensc-project.org)
DEBUG:pkcs11_lib.c:1049: - flags: 0006
DEBUG:pkcs11_lib.c:1037: slot 2:
DEBUG:pkcs11_lib.c:1047: - description: OMNIKEY CardMan 4040 Socket 0 00 00
DEBUG:pkcs11_lib.c:1048: - manufacturer: OpenSC (www.opensc-project.org)
DEBUG:pkcs11_lib.c:1049: - flags: 0007
DEBUG:pkcs11_lib.c:1051: - token:
DEBUG:pkcs11_lib.c:1057: - label: HENKILOKORTTI (perustunnusluku)
DEBUG:pkcs11_lib.c:1058: - manufacturer: VRK-FINEID
DEBUG:pkcs11_lib.c:1059: - model: PKCS#15
DEBUG:pkcs11_lib.c:1060: - serial: 4600015070963841
DEBUG:pkcs11_lib.c:1061: - flags: 040c
DEBUG:pkcs11_lib.c:1037: slot 3:
DEBUG:pkcs11_lib.c:1047: - description: OMNIKEY CardMan 4040 Socket 0 00 00
DEBUG:pkcs11_lib.c:1048: - manufacturer: OpenSC (www.opensc-project.org)
DEBUG:pkcs11_lib.c:1049: - flags: 0007
DEBUG:pkcs11_lib.c:1051: - token:
DEBUG:pkcs11_lib.c:1057: - label: HENKILOKORTTI (allekirjoitustunn
DEBUG:pkcs11_lib.c:1058: - manufacturer: VRK-FINEID
DEBUG:pkcs11_lib.c:1059: - model: PKCS#15
DEBUG:pkcs11_lib.c:1060: - serial: 4600015070963841
DEBUG:pkcs11_lib.c:1061: - flags: 040c
DEBUG:pkcs11_lib.c:1364: opening a new PKCS #11 session for slot 2
DEBUG:pkcs11_lib.c:1577: Saving Certificate #1:
DEBUG:pkcs11_lib.c:1579: - type: 00
DEBUG:pkcs11_lib.c:1580: - id: 45
DEBUG:pkcs11_lib.c:1577: Saving Certificate #2:
DEBUG:pkcs11_lib.c:1579: - type: 00
DEBUG:pkcs11_lib.c:1580: - id: 47
DEBUG:pkcs11_lib.c:1577: Saving Certificate #3:
DEBUG:pkcs11_lib.c:1579: - type: 00
DEBUG:pkcs11_lib.c:1580: - id: 48
DEBUG:pkcs11_lib.c:1612: Found 3 certificates in token
DEBUG:mapper_mgr.c:172: Retrieveing mapper module list
DEBUG:mapper_mgr.c:73: Loading static module for mapper 'subject'
DEBUG:mapper_mgr.c:196: Inserting mapper [subject] into list
DEBUG:pkcs11_inspect.c:128: Found '3' certificate(s)
DEBUG:pkcs11_inspect.c:132: verifing the certificate #1
DEBUG:cert_vfy.c:338: Adding hashdir lookup to x509_store
DEBUG:cert_vfy.c:350: Adding hash dir '/etc/pam_pkcs11/cacerts' to CACERT checks
DEBUG:cert_vfy.c:357: Adding hash dir '/etc/pam_pkcs11/crls' to CRL checks
DEBUG:cert_vfy.c:450: certificate is valid
DEBUG:cert_vfy.c:207: crl policy: 1
DEBUG:cert_vfy.c:232: extracting crl distribution points
DEBUG:cert_vfy.c:256: downloading crl from http://proxy.fineid.fi/crl/vrkcqcc.crl
DEBUG:uri.c:593: parsing uri:
DEBUG:uri.c:255: protocol = [http]
DEBUG:uri.c:256: user = [(null)]
DEBUG:uri.c:257: password = [(null)]
DEBUG:uri.c:258: host = [proxy.fineid.fi]
DEBUG:uri.c:259: port = [(null)]
DEBUG:uri.c:260: path = [/crl/vrkcqcc.crl]
DEBUG:uri.c:395: connecting...
DEBUG:uri.c:420: receiving...
DEBUG:uri.c:451: decoding...
DEBUG:cert_vfy.c:130: crl is der encoded
DEBUG:cert_vfy.c:281: verifying crl
DEBUG:cert_vfy.c:464: certificate has not been revoked
DEBUG:pkcs11_inspect.c:146: Inspecting certificate #1
Printing data for mapper subject: /C=FI/serialNumber=T/GN=NAME/SN=SURNAME/CN=SURNAME
Re: [opensc-devel] OpenSC 0.11.11 released today
Johannes Becker wrote:
> Hello,
> when configuring OpenSC 0.11.11 under Debian lenny and squeeze I get
> PC/SC support: no
> NSPlugin support:no
> I have installed libpcsclite-dev (Version: 1.4.102-1)
> What else do I need?
>
> By the way: opensc doesn't work as it comes with Debian squeeze. pcsc_scan detects the reader and card, but opensc-tool doesn't find the reader.

Same in Ubuntu 9.10 (64 bit). There seems to be a missing symbolic link. This helped me:
sudo ln -s /lib/libpcsclite.so.1.0.0 /usr/lib/libpcsclite.so.1

btw, I think *some* reader support (either pcsclite or opensc) should be on by default and there should be some warning if no reader support is configured. These could save a lot of time for newcomers..

Hannu

> Regards
> Johannes
[opensc-devel] supported cards?
Hi!

I planned to buy some PKI cards and start to use them, but it seems extremely difficult to find someone who is selling a decent card that is supported by opensc. Do you have any suggestions? Looks like all the blank cards on the supported cards list are currently obsolete.

Personally I might even consider building a new driver if it is needed. For example the ACS ACOS5 card seems quite promising. Would it be a good choice? Any other suggestions?

regards,
Hannu
Re: [opensc-devel] supported cards?
Hi!

Thank you for your information. The Aladdin eToken actually seems like a good possibility. Hmm.. unfortunately they do not ship worldwide :-( (it says "Shipping to: Worldwide", but you cannot choose other than US)

These ACOS cards are sold at 7.5 Euros (~ $10 US). I'll think about it..

Hannu

On Sat, 2009-09-12 at 12:25 +0100, João Poupino wrote:
> Hello Hannu,
>
> Well, according to my experience, there are a number of well supported cards that are easily available. For example, the eToken 32K and 64K are well supported and you can find them with really nice prices (~ $16 US) at ebay [1]. Another alternative is practically any Java Card running the Muscle applet [2]. Myself, and some people, are running the Muscle applet + OpenSC with very recent Java cards and it's working fine (e.g. the eToken 72K engineering version and recent JCOP cards). Some older Java cards are still available (e.g. Cyberflex, older JCOP cards, etc.). Older cards that have excellent support in OpenSC, like the Cryptoflex 32K, are still available at [3].
>
> Good luck.
>
> João
>
> [1] - http://shop.ebay.com/?_from=R40_trksid=m38_nkw=etoken_sacat=See-All-Categories
> [2] - http://www.musclecard.com/
> [3] - http://www.usasmartcard.com/
>
> On Sep 12, 2009, at 10:52 AM, Hannu Kotipalo wrote:
>> Hi!
>> I planned to buy some PKI cards and start to use them, but it seems extremely difficult to find someone who is selling a decent card that is supported by opensc. Do you have any suggestions? Looks like all the blank cards on the supported cards list are currently obsolete.
>> Personally I might even consider building a new driver if it is needed. For example the ACS ACOS5 card seems quite promising. Would it be a good choice? Any other suggestions?
>>
>> regards,
>> Hannu