Re: [opensc-devel] Consistence between the OpenSC and proprietary drivers
On 1/11/2011 10:50 PM, Jan Just Keijser wrote:
> Hi all,
>
> Viktor TARASOV wrote:
>> On 11.01.2011 09:23, Xiaoshuo Wu wrote:
>>> On Mon, 10 Jan 2011 16:50:37 +0800, Viktor TARASOV viktor.tara...@opentrust.com wrote:
>>>> Do we have any chance to influence the card producer and to change the behavior of their middlewares? If so, then it makes sense to wait.
>>>
>>> OpenSC compatibility is an important feature in Feitian's current middleware. New model will also be OpenSC compatible.
>>
>> Sun is really rising in the East.
>
> I've been reading this discussion and a question comes to mind.
> The Feitian cards work with the OpenSC driver. The Feitian cards also work with the proprietary driver from Feitian itself, in a way that is almost 100% compatible with OpenSC.

It's PKCS#15 format for interoperability, and the compatibility with OpenSC is among the most important test cases. Moreover, Feitian's token supports secret key objects stored in PKCS#15 format, which haven't been supported by OpenSC by now. Even with these efforts, it's not 100% compatible with OpenSC. Sorry, we tried to, but failed. We could have managed to achieve this if we got rid of one of the key features in the proprietary driver. As a result, Feitian's software refuses to write (not read) smart cards formatted by OpenSC, and vice versa.

___
opensc-devel mailing list
opensc-devel@lists.opensc-project.org
http://www.opensc-project.org/mailman/listinfo/opensc-devel
Re: [opensc-devel] Active developers on opensc-project.org
On 4/3/2010 2:59 AM, Jean-Michel Pouré - GOOZE wrote:
> On Fri, 2010-04-02 at 16:36 +0300, Martin Paljak wrote:
>> Entersafe (or Feitian to be precise) has no docs, so it is hard to know what it can or can not support.
>
> I asked FEITIAN for the technical documentation and I am waiting for the answer.

Hi Jean-Michel,

Sorry for that. Could you please tell me which email address you wrote to? I can help to ask what's happening. Liuyangliuy...@ftsafe.com is one of our engineers in the global tech support team; you can write to him directly.

Best regards,
Weitao
Re: [opensc-devel] [opensc-user] epass3000 filesystem size
Hi group,

I got a bug report from Ralf Spenneberg softw...@opensource-security.de that he can not store three 2048-bit certificates in ePass3000. I looked into it and found that no one can create more than 15 files under the 5015 DF. I increased it from 15 to 48, and all are OK. Attached is the patch for this issue.

-- 
Weitao Sun wei...@ftsafe.com
TEL:+86 010 62304466 ext. 585 FAX:+86 010 62304477
Entersafe RD Dep. www.entersafe.com
Feitian Technologies Co., Ltd. www.ftsafe.com
5th Floor, Building 7A, No.40 Xueyuan Road Haidian District, Beijing, P.R. China, 100083

Index: src/pkcs15init/pkcs15-entersafe.c === --- src/pkcs15init/pkcs15-entersafe.c (revision 3711) +++ src/pkcs15init/pkcs15-entersafe.c (working copy) @@ -151,7 +151,7 @@ df_data.type = SC_ENTERSAFE_DF_DATA; df_data.data.df.file_id[0]=(df-id 8) 0xFF; df_data.data.df.file_id[1]=df-id 0xFF; - df_data.data.df.file_count=0x0F; + df_data.data.df.file_count=0x30; df_data.data.df.flag=0x01; df_data.data.df.ikf_size[0]=(df-size8)0xFF; df_data.data.df.ikf_size[1]=df-size0xFF;
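Review bot: the replacement `+ df_data.data.df.file_count=0x30;` swaps one hard-coded magic number for another, while the neighbouring `ikf_size` bytes in the same hunk are derived from `df-size`; give the file count a named constant (or take it from the profile like the size) so the next person hitting the limit does not have to grep for 0x30. The cover note should also state that 48 is now the hard cap on files under the 5015 DF, because the report that triggered this (three 2048-bit certificates overflowing 15 files) shows the cap is reachable in ordinary use.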
[opensc-devel] patch for entersafe driver to support FTCOS/PK-01C smart cards, and some bug fixes.
Hi list,

New release of the smart card middleware of Feitian, which is compatible with PKCS#15, is coming. OpenSC needs the attached patch to work with it.

Changes in the patch:
1. Card type FTCOS/PK-01C added. (new)
2. Limit PIN length to the range [4,16). (bug fix)
3. Can not unblock PIN. (bug fix)

Please review, thank you very much.

-- 
Weitao Sun wei...@ftsafe.com

Index: trunk/src/pkcs15init/entersafe.profile === --- trunk/src/pkcs15init/entersafe.profile (revision 3673) +++ trunk/src/pkcs15init/entersafe.profile (working copy) @@ -12,6 +12,7 @@ option default { macros { pin-flags = initialized, needs-padding; + min-pin-length = 4; df_acl = *=NEVER; protected = *=$PIN,READ=NONE; dir-size = 128; @@ -49,21 +50,25 @@ reference = 1; attempts = 3; flags = $pin-flags; + min-length = $min-pin-length; } PIN so-puk { reference = 1; attempts = 3; flags = $pin-flags; + min-length = $min-pin-length; } PIN user-pin { reference = 1; attempts = 3; flags = $pin-flags; + min-length = $min-pin-length; } PIN user-puk { reference = 1; attempts = 3; flags = $pin-flags; + min-length = $min-pin-length; } # Additional filesystem info. @@ -147,7 +152,6 @@ } EF public-key { file-id = 3003; - size = 320; structure = transparent; ACL = *=NEVER,READ=NONE,UPDATE=$PIN; } @@ -173,16 +177,7 @@ structure = transparent; ACL = *=NEVER,READ=NONE,UPDATE=$PIN; } - - # private data objects are stored in transparent EFs. - EF data { - file-id = 3401; - structure = transparent; - ACL = *=NEVER,READ=$PIN,UPDATE=$PIN; - } - } - } } } Index: trunk/src/pkcs15init/pkcs15-entersafe.c === --- trunk/src/pkcs15init/pkcs15-entersafe.c (revision 3673) +++ trunk/src/pkcs15init/pkcs15-entersafe.c (working copy)
@@ -258,24 +258,46 @@ { int r; sc_pkcs15_pin_info_t *pin_info = (sc_pkcs15_pin_info_t *) pin_obj-data; - sc_entersafe_wkey_data data; SC_FUNC_CALLED(card-ctx, 1); - if (!pin || !pin_len || pin_len 16) - return SC_ERROR_INVALID_ARGUMENTS; + {/*pin*/ + sc_entersafe_wkey_data data; - data.key_id=pin_info-reference; - data.usage=0x0B; - data.key_data.symmetric.EC=0x33; - data.key_data.symmetric.ver=0x00; - /* pad pin with 0 */ - memset(data.key_data.symmetric.key_val, 0, sizeof(data.key_data.symmetric.key_val)); - memcpy(data.key_data.symmetric.key_val, pin, pin_len); - data.key_data.symmetric.key_len=16; + if (!pin || !pin_len || pin_len 16) + return SC_ERROR_INVALID_ARGUMENTS; - r = sc_card_ctl(card, SC_CARDCTL_ENTERSAFE_WRITE_KEY, data); + data.key_id=pin_info-reference; + data.usage=0x0B; + data.key_data.symmetric.EC=0x33; + data.key_data.symmetric.ver=0x00; + /* pad pin with 0 */ + memset(data.key_data.symmetric.key_val, 0, sizeof(data.key_data.symmetric.key_val)); + memcpy(data.key_data.symmetric.key_val, pin, pin_len); + data.key_data.symmetric.key_len=16; + r = sc_card_ctl(card, SC_CARDCTL_ENTERSAFE_WRITE_KEY, data); + } + + {/*puk*/ + sc_entersafe_wkey_data data; + + if (!puk || !puk_len || puk_len 16) + return SC_ERROR_INVALID_ARGUMENTS; + + data.key_id=pin_info-reference+1; + data.usage=0x0B; + data.key_data.symmetric.EC=0x33; + data.key_data.symmetric.ver=0x00; + /* pad pin with 0 */ + memset(data.key_data.symmetric.key_val, 0, sizeof(data.key_data.symmetric.key_val)); + memcpy(data.key_data.symmetric.key_val, puk, puk_len); + data.key_data.symmetric.key_len=16; + + r = sc_card_ctl(card, SC_CARDCTL_ENTERSAFE_WRITE_KEY, data); + } + + SC_FUNC_RETURN(card-ctx,4,r); } Index: trunk/src/libopensc/cards.h === --- trunk/src/libopensc/cards.h (revision 3673) +++ trunk/src/libopensc/cards.h (working copy) 
@@ -144,6 +144,7 @@ /* EnterSafe cards */ SC_CARD_TYPE_ENTERSAFE_BASE = 19000, SC_CARD_TYPE_ENTERSAFE_3K, + SC_CARD_TYPE_ENTERSAFE_FTCOS_PK_01C, }; extern sc_card_driver_t *sc_get_rutoken_driver(void); Index: trunk/src/libopensc/cardctl.h === --- trunk/src/libopensc/cardctl.h (revision 3673) +++ trunk/src/libopensc/cardctl.h (working copy) @@ -578,9 +578,7 @@ #define ENTERSAFE_AC_EVERYONE 0x00 #define ENTERSAFE_AC_USER 0x04 -#define ENTERSAFE_AC_USER_ 0x08 - #define ENTERSAFE_AC_NEVER 0xC0 #define ENTERSAFE_AC_ALWAYS 0x10 #define ENTERSAFE_AC_CHV 0x30 Index: trunk/src/libopensc/card-entersafe.c
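Review bot: the entersafe.profile hunks only add `+ min-length = $min-pin-length;` (4) to the four PIN blocks, while the cover note says the fix limits PIN length to the range [4,16); the upper bound is enforced solely by the `pin_len 16` check in pkcs15-entersafe.c. Add a matching `max-length` macro to the same PIN blocks so pkcs15-init rejects over-long PINs before the card-specific code runs and both bounds live in one place.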
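Review bot: two profile changes are not covered by the three items in the cover note: the `@@ -173,16 +177,7 @@` hunk deletes the whole `EF data` block (file-id 3401, "private data objects are stored in transparent EFs"), and the `@@ -147,7 +152,6 @@` hunk drops `- size = 320;` from `EF public-key`. Please document the intent of both: after this patch data objects can no longer be created through this profile unless the driver handles them elsewhere, and the public-key EF size must now come from the creating code, so confirm that path sets it from the actual key length rather than leaving it zero.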
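Review bot: in the `@@ -258,24 +258,46 @@` hunk the result `r` of the PIN write (`sc_card_ctl(card, SC_CARDCTL_ENTERSAFE_WRITE_KEY, data)` in the `/*pin*/` block) is never examined before the `/*puk*/` block overwrites it, so a failed PIN write followed by a successful PUK write returns success; check `r` after the first call and return on error. The PUK argument check (`if (!puk || !puk_len || puk_len 16) return SC_ERROR_INVALID_ARGUMENTS;`) also runs only after the PIN has already been written, so an invalid PUK leaves a half-initialised card: validate both arguments before the first write. Finally, `data.key_id=pin_info-reference+1` hard-codes the PUK slot as PIN reference plus one, while entersafe.profile in this same patch sets `reference = 1;` for so-pin, so-puk, user-pin and user-puk alike, so the profile's PUK reference is silently ignored; either take the reference from the PUK's own pin_info or document the +1 convention in the profile.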
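Review bot: the `@@ -578,9 +578,7 @@` hunk removes `#define ENTERSAFE_AC_USER_ 0x08` from cardctl.h, a header shared beyond this driver; mention the removal in the cover note and confirm that card-entersafe.c (the next `Index:` entry, whose hunk is cut off in this mail) no longer references it, otherwise the build breaks for anyone applying the patch partially.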
Re: [opensc-devel] patch for entersafe driver to support FTCOS/PK-01C smart cards, and some bug fixes.
Andreas Jellinghaus wrote:
> I committed the change already to opensc trunk, is that ok?

OK, thank you very much. I made some tests, it seems to work fine.

> if you think the new code works, and need no further changes, we can push for a new opensc release. I think opensc has other changes too, thus a new release in the next weeks would be good.

I think we can wait until other parts are ready, so no problem to push for a new release in the next weeks. About the problem that paths for 2 public keys get the same under Firefox mentioned in a post days ago: will we add a Known Issues section in the release notes, or is there a plan to fix it before the new release?

> I added to the NEWS file:
> * updated and improve entersave driver.
> feel free to send me a patch if you want more detailed information in there.
> also can you edit the wiki page about entersafe and document the new version / in which cases people will need to update to the next opensc release

Please check the attached patch. And I have added a new page for card type FTCOS/PK-01C under the category Smart Cards.

-- 
Weitao Sun wei...@ftsafe.com

Index: trunk/NEWS === --- trunk/NEWS (revision 3675) +++ trunk/NEWS (working copy) @@ -7,7 +7,8 @@ or doc/nonpersistent/ChangeLog. New in 0.11.8; 2009-??-??; Andreas Jellinghaus -* updated and improve entersave driver. +* updated and improve entersafe driver. FTCOS/PK-01C cards are supported + now, compatible with cards writen by Feitian's software on windows. New in 0.11.7; 2009-02-26; Andreas Jellinghaus * hide_empty_slots now on by default? small logic change?
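Review bot: the added NEWS line `+ now, compatible with cards writen by Feitian's software on windows.` carries two typos that would ship in the release notes: `writen` should be `written` and `windows` should be `Windows`. While touching the entry, `updated and improve entersafe driver` mixes tenses and reads better as `updated and improved entersafe driver`.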
@@ -21,7 +22,7 @@ New in 0.11.6; 2008-08-27; Andreas Jellinghaus * Improved security fix: don't match for OpenSC in the card label. -* New support for Feitian ePass3000 bei Weitao Sun. +* New support for Feitian ePass3000 by Weitao Sun. * GemSafeV1 improved to handle key_ref other than 3 by Douglas E. Engert New in 0.11.5; 2008-07-31; Andreas Jellinghaus
Re: [opensc-devel] Problem when generate more than one keypair using Firefox
Weitao Sun wrote:
> Martin Paljak wrote:
>> On 18.03.2009, at 5:00, Weitao Sun wrote:
>>> 4. The user wants a second keypair (KEYPAIR_B), so we will alloc a new ID for it. We, again, start from DEFAULT_ID(0x45) to 0xFF, pick a number; because KEYPAIR_A's ID is not DEFAULT_ID(0x45), we pick 0x45 again.
>>
>> Quickfix could be to assign the ID like 0x45 + count(existing_keys)?
>
> No, when any key is deleted, things get messed up. We can't determine paths depending on object IDs, because object IDs can be changed by the user to arbitrary values. So is the number of existing keys. According to Murphy's law, when there is a possibility the user can do wrong, he will. And in this case, it is not actually the user's fault.

Could we traverse all objects to see whether the new path has already been used? If so, pick another; otherwise we can use it. This policy doesn't depend on the user's behavior. But it involves so much code changing.

-- 
Weitao Sun wei...@ftsafe.com
[opensc-devel] Limitations in reader-pcsc.c:pcsc_internal_transmit
Hi list,

In function pcsc_internal_transmit (src/libopensc/reader-pcsc.c line:173), there is a limitation for dwRecvLength:

CODE_BEGIN
if (dwRecvLength > 258) dwRecvLength = 258;
CODE_END

I have several smart cards (T=1) which will not work with these two lines. When asked for an RSA public key of 2048 bits, the card OS returns data _more than_ 256 bytes, and if dwRecvLength is too small to hold the data, function SCardTransmit of pcsc-lite will fail. I'm wondering whether it will have a harmful impact on other cards if we remove this limitation. If the answer is no, can we remove these two lines? Thank you.

-- 
Weitao Sun wei...@ftsafe.com
[opensc-devel] Problem when generate more than one keypair using Firefox
Hi list,

I have met with a problem when enrolling more than one certificate using Firefox (3.0.7). I traced the process, and found what happened. Here are the steps:

1. sc_pkcs15init_generate_key was called to generate a keypair, let us name it KEYPAIR_A. Firefox didn't give it a CKA_ID attribute, so we (OpenSC) give it one (in function sc_pkcs15init_init_prkdf via select_id, in pkcs15-lib.c line 1237). The policy we use to alloc a new ID is picking a number in the range from DEFAULT_ID(0x45) to 0xFF, if there is no object using it. Thus the ID is 0x45 because the key is the first object. We determine the path of the public key using the object ID and the template defined in the card's specific dot profile file. For example, for entersafe cards, the path is 0x3048 (that is 0x3003 defined in the profile plus 0x45 the object ID). Let's write down the value 0x3048, we will meet it again soon.
2. Firefox modifies KEYPAIR_A's ID according to its own policy, so KEYPAIR_A's ID changed from 0x45 to another value, let's assume it's 12345678abcdef. So it is not 0x45 any longer. This step is important.
3. We are happy, everything is OK till now.
4. The user wants a second keypair (KEYPAIR_B), so we will alloc a new ID for it. We, again, start from DEFAULT_ID(0x45) to 0xFF, pick a number; because KEYPAIR_A's ID is not DEFAULT_ID(0x45), we pick 0x45 again.
5. Now give the public key a path, 0x3003 plus 0x45, the result is... WOW.. the path for the public key of KEYPAIR_B is 0x3048, again. The two paths are the same now for the public keys of KEYPAIR_A and KEYPAIR_B. We are in hell.

I hope the situation has been clearly illustrated. I don't know how to solve this problem.

-- 
Weitao Sun wei...@ftsafe.com
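A small model of the allocation policy described in the steps above, placed beside the path-aware allocator Weitao proposes in his follow-up on this page; it is an added illustration, not OpenSC code. The `object_t` layout, the `alloc_*` names and the constructed value 0x12345678 standing in for Firefox's rewritten CKA_ID are assumptions; DEFAULT_ID 0x45 and the 0x3003 public-key file-id are taken from the message.

```c
/* Added example, not OpenSC code: models the CKA_ID allocation policy from the
 * message and the path collision it causes, next to a path-aware allocator.
 * object_t, alloc_* and the constructed ID 0x12345678 are assumptions. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#define DEFAULT_ID      0x45    /* first candidate CKA_ID tried by select_id */
#define MAX_ID          0xFF
#define PUBKEY_BASE_FID 0x3003  /* EF public-key file-id in entersafe.profile */
typedef struct {
    uint32_t id;    /* CKA_ID as stored on the card; applications may rewrite it */
    uint16_t path;  /* file-id of the public-key EF, fixed once the EF is created */
} object_t;

static uint16_t pubkey_path_for_id(uint8_t id) {
    return (uint16_t)(PUBKEY_BASE_FID + id);   /* 0x3003 + 0x45 = 0x3048 */
}

/* Current policy: first id in [DEFAULT_ID, MAX_ID] that no object's CKA_ID uses.
 * Once Firefox rewrites KEYPAIR_A's ID, 0x45 looks free again although EF 0x3048
 * already exists, so KEYPAIR_B is mapped onto the same file. */
static int alloc_id_by_object_ids(const object_t *objs, size_t n) {
    for (int id = DEFAULT_ID; id <= MAX_ID; id++) {
        int used = 0;
        for (size_t i = 0; i < n; i++)
            if (objs[i].id == (uint32_t)id) used = 1;
        if (!used) return id;
    }
    return -1;  /* no free id */
}

/* Proposed policy: also reject an id whose derived path is already taken, so the
 * result does not depend on what the application did to the stored CKA_IDs. */
static int alloc_id_by_paths(const object_t *objs, size_t n) {
    for (int id = DEFAULT_ID; id <= MAX_ID; id++) {
        int used = 0;
        for (size_t i = 0; i < n; i++)
            if (objs[i].id == (uint32_t)id ||
                objs[i].path == pubkey_path_for_id((uint8_t)id)) used = 1;
        if (!used) return id;
    }
    return -1;
}

/* Replays steps 1-4 of the message with the given allocator and returns the id
 * handed to KEYPAIR_B after KEYPAIR_A's CKA_ID has been rewritten by Firefox. */
static int second_key_id(int (*alloc)(const object_t *, size_t)) {
    object_t objs[2];
    int id_a = alloc(objs, 0);                          /* step 1: 0x45 */
    objs[0].id = (uint32_t)id_a;
    objs[0].path = pubkey_path_for_id((uint8_t)id_a);   /* EF 0x3048 created */
    objs[0].id = 0x12345678;                            /* step 2: constructed new CKA_ID */
    return alloc(objs, 1);                              /* step 4: id for KEYPAIR_B */
}

int main(void) {
    int buggy = second_key_id(alloc_id_by_object_ids);
    int fixed = second_key_id(alloc_id_by_paths);
    printf("id-only policy:    B gets 0x%02X -> EF 0x%04X (A already uses 0x%04X)\n", buggy, pubkey_path_for_id((uint8_t)buggy), pubkey_path_for_id(DEFAULT_ID));
    printf("path-aware policy: B gets 0x%02X -> EF 0x%04X\n", fixed, pubkey_path_for_id((uint8_t)fixed));
    return 0;
}
```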
Re: [opensc-devel] [opensc-commits] svn opensc changed [3659] Improve this function even more.
Hi aj,

webmas...@opensc-project.org wrote:
> Revision: 3659
> Author: aj
> Date: 2009-03-05 18:37:55 + (Thu, 05 Mar 2009)
> Log Message:
> ---
> Improve this function even more.
> Modified Paths:
> --
> trunk/src/pkcs15init/pkcs15-lib.c
>
> Modified: trunk/src/pkcs15init/pkcs15-lib.c === --- trunk/src/pkcs15init/pkcs15-lib.c 2009-03-05 15:28:17 UTC (rev 3658) +++ trunk/src/pkcs15init/pkcs15-lib.c 2009-03-05 18:37:55 UTC (rev 3659) static int sc_pkcs15init_parse_info(sc_card_t *card, @@ -3719,12 +3724,18 @@ unsigned intnopts = 0; size_t n; - end = p + len; - while (p end (tag = *p++) != 0 tag != 0xFF) { + end = p + (len - 1);

The value of len may be 0; this causes a segmentation fault later.

> + while (p end)) { /* more bytes to look at */

This line can not compile, with 2 ')'.

-- 
Weitao Sun wei...@ftsafe.com
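Review bot: `+ end = p + (len - 1);` in the `@@ -3719,12 +3724,18 @@` hunk breaks the len == 0 case Weitao points out: if len is unsigned the subtraction wraps and `end` lands far past the buffer, and if it is signed `end` sits one byte before `p`; either way the loop bound no longer protects the reads. The previous `end = p + len;` handled an empty buffer correctly because the loop was never entered, so keep that bound (or add an explicit `if (len == 0)` early return) rather than subtracting one. The following `+ while (p end)) {` has an unbalanced `)` and cannot compile as committed, so revision 3659 needs a fix-up before anything else lands on top of it.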
Re: [opensc-devel] Code for ePass3000 accomplished
Ludovic Rousseau wrote:
> On Mon, Aug 18, 2008 at 10:25 PM, Andreas Jellinghaus [EMAIL PROTECTED] wrote:
>> On Friday, 15 August 2008 07:14:12, Weitao Sun wrote:
>>> Hello,
>>> The attachment is the patch file. Let me know if you have any comments. Thank you.
>>
>> Hi Weitao,
>> thanks for sending the diff. a few small comments:
>
> Same comments as Andreas.
>
> Why do you need to patch src/pkcs15init/pkcs15-lib.c?
>
> @@ -2793,9 +2794,13 @@ r = sc_pkcs15_encode_df(card-ctx, p15card, df, buf, bufsize); if (r = 0) { +sc_file_t *file; +r = sc_profile_get_file_by_path(profile, df-path, file); +if(r0) return r; r = sc_pkcs15init_update_file(profile, card, - df-file, buf, bufsize); + file, buf, bufsize); free(buf); + sc_file_free(file); } return r 0 ? r : 0;

Hi Ludovic,

When debugging function sc_pkcs15init_change_attrib using Iceweasel (3.0.1), I noticed that it uses df->file to update. But the file's ACL entry for update is empty; this causes a problem later in sc_pkcs15init_update_file with the error "security status not satisfied". Shouldn't sc_pkcs15init_change_attrib get the file from the profile as sc_pkcs15init_update_any_df does? I'm new to OpenSC, any suggestion about this issue?

-- 
Weitao Sun [EMAIL PROTECTED]
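Review bot: in the `@@ -2793,9 +2794,13 @@` hunk the new `+if(r0) return r;` after `sc_profile_get_file_by_path` returns while `buf`, produced by `sc_pkcs15_encode_df` and otherwise released by the `free(buf);` two lines below, is still live, so every failed profile lookup leaks the encoded DF. Free `buf` before returning (or fall through to the existing cleanup with the error preserved), and match the surrounding spacing (`if (r < 0)`). Ludovic's question also stands: if `df-file` carries no UPDATE ACL for this card, the root cause may be in how the entersafe driver or profile fills `df-file`, and fixing it there would avoid changing the generic pkcs15-lib.c path for every card.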
Re: [opensc-devel] Code for ePass3000 accomplished
Ludovic Rousseau wrote:
> On Fri, Aug 15, 2008 at 3:52 AM, Weitao Sun [EMAIL PROTECTED] wrote:
>> Hello,
>
> Hello,
>
>> I have finished the code supporting USB tokens from Feitian (www.ftsafe.com) named ePass3000, and tested it. It is used in China, Japan and Brazil. I want to know by which means I can submit the changes to OpenSC. I guess there may be a code review for new code,
>
> Use the subversion repository to provide a diff between the latest version of OpenSC and your code integrated in it using svn diff. Then post the result on this list.

The patch is being held until it can be reviewed for approval, because it exceeds this list's size limit for attachments.

-- 
Weitao Sun [EMAIL PROTECTED]
[opensc-devel] Code for ePass3000 accomplished
Hello,

I have finished the code supporting USB tokens from Feitian (www.ftsafe.com) named ePass3000, and tested it. It is used in China, Japan and Brazil. I want to know by which means I can submit the changes to OpenSC. I guess there may be a code review for new code; some USB tokens may be supplied for testing purposes. Thank you.

-- 
Weitao Sun [EMAIL PROTECTED]
[opensc-devel] Shouldn't sc_pkcs15init_change_attrib get the file from profile?
Hi list,

When debugging for my new USB token, in function sc_pkcs15init_change_attrib, I notice that it uses df->file to update. When updating, the file's ACL entry for update is empty; this causes a problem. Shouldn't sc_pkcs15init_change_attrib get the file from the profile as sc_pkcs15init_update_any_df does? I'm new to OpenSC, any comment? Thank you.

-- 
Weitao Sun [EMAIL PROTECTED]