Re: [opensc-devel] Changing Admin PIN on PIV card

2012-12-12 Thread helpcrypto helpcrypto
According to PKCS#11 standard, "C_SetPIN modifies the PIN of the user
that is currently logged in, or the CKU_USER PIN if the session is not
logged in."


On Wed, Dec 12, 2012 at 2:26 PM, Ravneet Singh Khalsa
 wrote:
> C_SetPIN does not change Admin PIN.
> ____
> From: helpcrypto helpcrypto
> Sent: ‎12/‎11/‎2012 11:43 PM
> To: Ravneet Singh Khalsa
> Cc: opensc-devel@lists.opensc-project.org
> Subject: Re: [opensc-devel] Changing Admin PIN on PIV card
>
> pkcs11's C_SetPin ?
>
> On Wed, Dec 12, 2012 at 3:06 AM, Ravneet Singh Khalsa
>  wrote:
>> Hi,
>>
>> Does any tool or API exist to change the Admin PIN on Gemalto PIV cards?
>>
>> Thanks.
___
opensc-devel mailing list
opensc-devel@lists.opensc-project.org
http://www.opensc-project.org/mailman/listinfo/opensc-devel

Re: [opensc-devel] Changing Admin PIN on PIV card

2012-12-11 Thread helpcrypto helpcrypto
pkcs11's C_SetPin ?

On Wed, Dec 12, 2012 at 3:06 AM, Ravneet Singh Khalsa
 wrote:
> Hi,
>
> Does any tool or API exist to change the Admin PIN on Gemalto PIV cards?
>
> Thanks.


Re: [opensc-devel] Food for thought on C coding style

2012-12-10 Thread helpcrypto helpcrypto
Thanks a lot for this really interesting share.
This will help me improve my code quality for sure!

On Mon, Dec 10, 2012 at 11:26 AM, Martin Paljak  wrote:
> Hello,
>
> https://www.securecoding.cert.org/confluence/display/seccode/CERT+C+Secure+Coding+Standard
>
> Martin


Re: [opensc-devel] SC_MAX_CARD_DRIVERS and OpenSC 0.13

2012-11-02 Thread helpcrypto helpcrypto
Updating to any bigger magic number will do the trick, but maybe it's
better to consider removing SC_MAX_CARD_DRIVERS (hence having no
limits); this, of course, depends on the usage. Can you say for
what/where it is used?


Re: [opensc-devel] adding support for a java applet

2012-10-22 Thread helpcrypto helpcrypto
Maybe I'm wrong, but AFAIK if OpenSC says unsupported card, then you
have to make a driver for it:
http://www.opensc-project.org/opensc/wiki/FrequentlyAskedQuestions#Q:WhattodoifmycardisnotsupportedbyOpenSC


On Mon, Oct 22, 2012 at 8:48 AM, aidin boghaniyan  wrote:
> Hello again,
> Do anybody have any idea?
>
> Thanks in advance
>
> On Tue, Oct 16, 2012 at 9:54 AM, aidin boghaniyan 
> wrote:
>>
>> Hi,
>> I have some kona25 java cards, and I must provide a PKCS#11 interface for
>> them.
>> I know that the best way for using them with OpenSC is loading the Muscle
>> applet on them, but I was unsuccessful with this solution.
>> Indeed, I have loaded the Muscle applet using gpj (Java GlobalPlatform), and
>> I added my card ATR to the list of Muscle card supported ATRs, but when I use
>> this card with OpenSC, I get the "unsupported card" error, and when I debug
>> the code, I see the problem is in the "muscle_match_card" function. This
>> function doesn't receive what it expects from the card, so the card will be
>> unsupported.
>> I tried to load another cap file of the Muscle applet, but there was no
>> change.
>> Does anybody have any advice?
>>
>> Another solution for me is using the "Java Card Sign" applet, and writing a
>> PKCS#11 driver for this card. I have loaded this applet on my card and
>> communicate successfully with this applet from its host application. This
>> applet and its host application are open source.
>> So my main question is: is this solution the best solution that I can
>> choose?
>>
>> Regards


Re: [opensc-devel] [Muscle] Ubuntu 12.04 smartcard reader install? AKA: Dear Canonical: could you fix this?

2012-10-16 Thread helpcrypto helpcrypto
> The libccid package installs a udev rule file to change the access
> rights of the USB device.
> This rule file is examied at device plug so you need to replug the
> reader _after_ the file is installed.
> This rule file is examined by udev so you (may) have to "restart"
> udev, or simply reboot.

Googling a bit, I found "sudo reload udev".
I'll try that next time.

Thanks a lot for your help, Ludovic!


Re: [opensc-devel] [Muscle] Ubuntu 12.04 smartcard reader install? AKA: Dear Canonical: could you fix this?

2012-10-16 Thread helpcrypto helpcrypto
On Thu, Oct 11, 2012 at 3:37 PM, Ludovic Rousseau
 wrote:
>
>> I havent restarted yet (to check if the reader start working), but
>> would like to know if theres is something I can do to detect and use
>> the reader (without rebooting).
>
> Replug your reader after installing libccid so that the udev rule file
> is executed.
> You may also have to reboot.

Replug didn't work, restart did.
Why should I restart? Won't it be possible to hotplug?
(Sorry for the cross-post, but I thought it was interesting to all.)
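Ludovic's explanation in the quoted message (the libccid rule file is only consulted when a plug event is processed, so a reader that was plugged before the package was installed keeps its old device permissions) can be checked without a reboot. The following is an added example, not part of this thread and not libccid's or pcscd's code: it evaluates a rules file for one reader the way udev does (top to bottom, GOTO/LABEL, glob matches), and lists the udevadm commands that reload the rules and replay the add event. The rules excerpt is constructed in the layout of a udev rules file, and the reader's USB vendor/product IDs are assumed values for the example.

```python
"""Evaluate a udev rules file for one CCID reader, and list the udevadm
commands that re-run the rules without a reboot.

Added example, not libccid's or pcscd's code. The rules excerpt is
constructed in the layout of a udev rules file, and the reader's USB IDs
are assumed values for the example.
"""
import fnmatch
import re

# One udev token: KEY, optional {attr}, operator, quoted value, optional comma.
# (udev's ':=' operator is not modelled.)
TOKEN = re.compile(r'\s*([A-Za-z_]+)(?:\{([^}]*)\})?\s*(==|!=|\+=|=)\s*"([^"]*)"\s*,?')

SAMPLE_RULES = """
# constructed excerpt, in the style of the rules file libccid installs
SUBSYSTEM!="usb", GOTO="pcscd_ccid_rules_end"
ACTION!="add", GOTO="pcscd_ccid_rules_end"
# one reader; vendor/product IDs are assumed for this example
ATTRS{idVendor}=="08e6", ATTRS{idProduct}=="3437", \\
    MODE="0660", GROUP="pcscd", ENV{PCSCD}="1"
LABEL="pcscd_ccid_rules_end"
"""


def parse_rules(text):
    """Rules file -> list of rules, each a list of (key, attr, op, value)
    tokens. Comments and backslash line continuations are handled."""
    rules, pending = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("\\"):
            pending.append(line[:-1])
            continue
        full, pending = " ".join(pending + [line]), []
        tokens, pos = [], 0
        while pos < len(full):
            m = TOKEN.match(full, pos)
            if not m:
                raise ValueError(f"cannot parse rule fragment: {full[pos:]!r}")
            tokens.append(m.groups())
            pos = m.end()
        rules.append(tokens)
    return rules


def _glob_match(actual, pattern):
    # udev match values are shell-style globs; '|' separates alternatives
    return any(fnmatch.fnmatchcase(actual, alt) for alt in pattern.split("|"))


def apply_rules(rules, device):
    """Run the rules for one uevent the way udev does: top to bottom, every
    match key of a rule must hold, GOTO jumps to the named LABEL. `device`
    maps match keys such as 'ATTRS{idVendor}' to the event's values.
    Returns the assignments (MODE, GROUP, ENV{...}, ...) made for the event."""
    labels = {val: idx for idx, toks in enumerate(rules)
              for key, attr, op, val in toks if key == "LABEL" and op == "="}
    assigned, i = {}, 0
    while i < len(rules):
        tokens, i = rules[i], i + 1
        matched = True
        for key, attr, op, val in tokens:
            if op in ("==", "!="):
                name = f"{key}{{{attr}}}" if attr is not None else key
                if _glob_match(device.get(name, ""), val) != (op == "=="):
                    matched = False
                    break
        if not matched:
            continue
        for key, attr, op, val in tokens:
            name = f"{key}{{{attr}}}" if attr is not None else key
            if op == "=" and key == "GOTO":
                i = labels[val]          # the LABEL rule itself assigns nothing
            elif op == "=" and key != "LABEL":
                assigned[name] = val
            elif op == "+=":
                assigned.setdefault(name, []).append(val)
    return assigned


def reader_assignments(rules_text, vendor, product, action="add"):
    """What the rules file does for a USB reader with these IDs on `action`."""
    device = {"SUBSYSTEM": "usb", "ACTION": action,
              "ATTRS{idVendor}": vendor, "ATTRS{idProduct}": product}
    return apply_rules(parse_rules(rules_text), device)


def reapply_commands():
    """udevadm invocations that reload the rules and replay an 'add' event for
    plugged USB devices. 'udevadm trigger' sends 'change' by default, which a
    rule guarded by ACTION!="add" ... GOTO (as above) skips; hence --action=add."""
    return [["udevadm", "control", "--reload-rules"],
            ["udevadm", "trigger", "--subsystem-match=usb", "--action=add"]]


if __name__ == "__main__":
    print(reader_assignments(SAMPLE_RULES, "08e6", "3437"))            # add event: permissions set
    print(reader_assignments(SAMPLE_RULES, "08e6", "3437", "change"))  # change event: nothing
    for argv in reapply_commands():
        print("sudo " + " ".join(argv))
```

Run against the real file (on Debian-derived systems libccid's rules live under /lib/udev/rules.d/; the exact file name is not given in the thread) with your reader's IDs from lsusb to see which MODE/GROUP the rule would set; if the "change" evaluation returns nothing, a plain `udevadm trigger` after installing the package will not help, which is the point of `--action=add`.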


Re: [opensc-devel] OpenSC 0.13 + pcscd as a daemon for Android

2012-09-26 Thread helpcrypto helpcrypto
Dear Jean-Michel,

I didn't know about the iReader. Thanks a lot.
A few weeks ago I was looking for something like that, and
http://www.apriva.com/products/iss/authentication/reader was the only
one I found suitable.

I'm very-VERY (did I say VERY?) interested in having a smartcard
working out of the box (seek4android does not fit) on mobile devices,
and your interest looks promising.

Please keep me updated with anything new.


On Wed, Sep 26, 2012 at 1:54 PM, Jean-Michel Pouré - GOOZE
 wrote:
> Dear all,
>
> I would like to raise questions about using OpenSC 0.13 under Android. I
> hope that Ben from Feitian can participate in this discussion.
>
> The idea behind is that Feitian released the iReader, a ccid card reader
> for mobile devices. The iReader is CCID and is supported under OpenSC
> (on computer). GOOZE will be releasing the iReader shortly.
>
> Seek4Android contains an old version of OpenSC 0.11.13. Actually,
> Seek4Android requires flashing the device, which is not acceptable for
> end-users of current Android systems.
>
> Did anyone succeed in compiling today's pcscd and opensc under
> Android-4.x? Do you think that today's pcscd and opensc can run inside
> Android after compilation with a suitable keychain?
>
> Any information is welcome.
>
> Kind regards,
> Jean-Michel POURE
> --
>
>   GOOZE - http://www.gooze.eu
>High quality cryptographic tools
>   for GNU/Linux, Mac OS X and Windows
>  including the FEITIAN PKI card
>  POURE SASU - 17 rue Saint Jacques - 95160 Montmorency - France
>Tel : +33 (0)9 72 13 53 90 - Mobile : +33 (0)6 51 99 37 90
>  Registry: FR 527 672 448 00018 - VAT: FR54527672448
>   ID PGP/GPG: 084F2584

Re: [opensc-devel] Help compiling Mac OS 10.7, 10.8 and 10.9 on ONE machine

2012-09-20 Thread helpcrypto helpcrypto
> I tried that already and could not use VirtualBox because it only allows
> Mac OS X Server running as guest. I also invested in a VMware licence
> and it never worked for the same reasons.

I needed to run OS X on a Windows-hosted VMware computer to test our
smartcard software.
AFAIK, you can't install OS X on a VM from the official ISO, but need a
fixed/modified image to bypass the... EFI?
Currently I have 10.5 and 10.6 on VMware, but considering OS X costs
(not hardware!), maybe it's easier to have those cheap ones.

The reason why I used VMware (Player) is that the USB support was
much better than on VirtualBox.

If you want some help, I can send you some tips on how I did it.


Re: [opensc-devel] Secure Credential Cloning. Was: Intel's Virtual Smart Card

2012-09-05 Thread helpcrypto helpcrypto
> Do you want my Humble or Honest opinion ? :)
None. Hacker one :P


> It shall depend on the use case. I doubt that there will ever be a
> "single, universal keychain", but many. VPN authentication with device
> based (TMP etc) keys which get auto-provisioned and a "movable"
> identity in the form of an eID smart card for digital signatures or
> cross-domain authentication have different requirements. Key
> containers for encryption is yet another story.
>
> And embedded keystores (phones, vpn devices, whatnot) that need a
> provisioning scheme is also quite obvious, with the smartphone scene
> creating the firsthand need for it.
>
> Martin
>
> As always, there's no golden bullet solution.

I think the "perfect solution" will be DNA. In fact, I'll give you the
one-billion idea:

A mouse/keyboard/device with a DNA sequencing/reader system which
sends your public DNA profile.
A simple way of matching your public DNA with your thoughts, memories
and personality, to match both.
As you can guess, that works as a keypair.

You develop it. For tomorrow. Free.


Re: [opensc-devel] Secure Credential Cloning. Was: Intel's Virtual Smart Card

2012-09-05 Thread helpcrypto helpcrypto
> Huh, I'd guess (hope) nobody would be deploying *RSA* below 2048 bits
> (smart cards doing 3k and 4k are also slowly emerging) and elliptic
> curves are already becoming a viable option (in commodity software) as
> well..

The most advanced I have seen here so far is 2048 :P

> There's also a bunch of applications and use cases where the new age
> vision of "wave your phone around" is not a good idea (for example I'd
> better avoid taking my smartphone out unless I want/have to, and using
> crowded public transport is not one of the places I'd like to do
> it...)
>
> And IMHO device-attached containers (TPM, Intel etc) are totally
> different from transportable key-containers (like smart cards or USB
> tokens)

So, IYHO, what's the better option?


Re: [opensc-devel] Secure Credential Cloning. Was: Intel's Virtual Smart Card

2012-09-05 Thread helpcrypto helpcrypto
Just to sum up:

-TPM (fail?)
-Intel IPT (seem to be a draft and only for intel?)
-SC (Welcome 1970)
-Virtual/Cloud wallets (obscure?)
-A mobile device to replace sc (standard?)

IMHO, SCs are old enough/well known to continue existing for quite
long, until someone brings a new/better/big idea.
Also, considering how governments are involved in technology, probably
many countries will adopt them, like eID, DNIe, and so on in the next
years.
In 1024-bit mode, of course.


Re: [opensc-devel] Prompt for SO PIN in Firefox

2012-07-23 Thread helpcrypto helpcrypto
On Tue, Jul 24, 2012 at 4:16 AM, Nguyễn Hồng Quân  wrote:
> Hi,
>
> I heard that you are successful to implement Admin PIN callback in PKCS#11.
> Which card did you do? Can it be applied to OpenPGP? If yes, how should we
> do?
>
> Thanks.

Where did you read that? I didn't say it...
We have a very old card for which I made a PKCS#11 lib, not using
OpenSC or anything else. Well... OpenSSL 0.9.8.
I don't know if it can be applied to OpenPGP because I don't know OpenPGP
(although I would like to).

There are 2 things to implement:

-CKU_SO login

If you want a certificate to be used with CKU_SO instead of user, you
could "ignore" the user type, have different slots for each
user... these ways aren't 100% compliant, but could do the trick.
Anyhow, remember that, according to the standard, the SO user is only
for "initialization" purposes, so maybe you need a card supporting
different users, rather than SO.

-Callbacks:

In the same manner as you invoke C_Login with a PIN to log in, if your
token has CKF_PROTECTED_AUTHENTICATION_PATH, you could invoke C_Login
with pin=NULL, and another library will try to authenticate before
logging into the token. That's probably not 100% standard compliant, but
could do the trick.



GURUS: how is CKF_PROTECTED_AUTHENTICATION_PATH supposed to work?
Will a pinpad "intercept" the calls to the card and request the PIN
before sending it to the card? I don't remember if that was clear in the
standard.

Re: [opensc-devel] Prompt for SO PIN in Firefox

2012-07-23 Thread helpcrypto helpcrypto
On Mon, Jul 23, 2012 at 9:00 AM, NdK  wrote:
> The problem with FF (and TB) is that it calls C_login only once, then
> assumes the login is still valid. Even if card got reset.

Then you should return the appropriate PKCS#11 error values, and that's
all. Isn't it so?


> Even worse, it asks for *ALL* PINs when the token gets added.
> That made me give up having pkcs#11 enabled in FF/TB.

I have mine added with not so many problems, so if you want some help,
contact me.
In fact, this week I added a third device without problems...


> IIRC there are a couple of bug reports in bugzilla, but seems they won't get
> fixed.

Really? XD


> "Friendly token" (or something similar...) setting helps a bit, but IMO
> it remains unsafe to have a token accessed by FF.

"-mechanisms FRIENDLY"?
IIRC, it enables accessing the token without requiring a PIN at first
load, then it asks for it when trying to use certificates.

Always at your service Diego!

PS: [OT] A few days ago I used the Java PKCS#11 interface, using C_whatever
functions in Java (we are actually using the SunPKCS11 provider), and it
seems to be working OK. IMHO it's "easier" than smartcard-io.


Re: [opensc-devel] Prompt for SO PIN in Firefox

2012-07-22 Thread helpcrypto helpcrypto
> Le 21/07/2012 06:37, Nguyễn Hồng Quân a écrit :
>> So, is there a way to ask for SO PIN via PKCS#11?
>> If yes, how should the code of card support be changed?
>
> I have no solution,
> PIN callbacks is not supported by PKCS#11 framework (in the manner as it's 
> supported by pkcs15-init tool).
> PKCS#11 framework do not create slot for SoPIN.

IIRC, C_Login can accept user type CKU_SO to log in as admin; the
problem might be "what you could do as admin". Probably that depends
on the card.
On the other hand, PKCS#11 defines CKF_PROTECTED_AUTHENTICATION_PATH
for when "another" login method can be used, like a pinpad, rather than
asking the library to authenticate. Maybe this is what you could use
to work like a callback (like in a CSP), but it probably doesn't fit the
standard.


Anyway, I'll be very interested in the future progress you make.
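The three PKCS#11 points raised across these "Prompt for SO PIN" messages and in the C_SetPIN quote at the top of the page (C_SetPIN acts on the PIN of whoever is logged in, falling back to the user PIN; CKU_SO is a separate login; a NULL PIN is only meaningful when the token reports CKF_PROTECTED_AUTHENTICATION_PATH) fit in one small state machine. The block below is an added example, not OpenSC's pkcs11 module and not any real card: the Token class, its PIN values and the pinpad callback are constructed for illustration; only the CKU_/CKF_/CKR_ names and values come from pkcs11t.h. It also shows the failure mode NdK describes for Firefox: after a card reset the token's security state is gone, so a cached "logged in" must be answered with CKR_USER_NOT_LOGGED_IN.

```python
"""In-memory model of the PKCS#11 PIN rules this thread turns on: which PIN
C_SetPIN changes, logging in as CKU_SO, a NULL PIN under
CKF_PROTECTED_AUTHENTICATION_PATH, and what a card reset does to a login.

Added example, not OpenSC's pkcs11 module and not a real token: the Token
class, its PIN values and the `pinpad` callback are constructed. The CKU_,
CKF_ and CKR_ names and values are those of pkcs11t.h.
"""
import hashlib

CKU_SO, CKU_USER = 0, 1
CKF_PROTECTED_AUTHENTICATION_PATH = 0x00000100      # CK_TOKEN_INFO.flags bit

CKR_OK = 0x000
CKR_ARGUMENTS_BAD = 0x007
CKR_PIN_INCORRECT = 0x0A0
CKR_PIN_LOCKED = 0x0A4
CKR_USER_ALREADY_LOGGED_IN = 0x100
CKR_USER_NOT_LOGGED_IN = 0x101
CKR_USER_TYPE_INVALID = 0x103
CKR_USER_ANOTHER_ALREADY_LOGGED_IN = 0x104


class Token:
    """SO PIN, user PIN, retry counters and one login state. `pinpad` is an
    optional callable(user_type) -> PIN standing in for a reader with secure
    PIN entry; with it the token reports CKF_PROTECTED_AUTHENTICATION_PATH and
    C_Login(pin=None) lets the reader collect the PIN."""

    def __init__(self, so_pin, user_pin, pinpad=None, max_tries=3):
        self._pins = {CKU_SO: so_pin, CKU_USER: user_pin}
        self._tries = {CKU_SO: max_tries, CKU_USER: max_tries}
        self._max_tries = max_tries
        self._pinpad = pinpad
        self.logged_in = None                       # None, CKU_SO or CKU_USER

    @property
    def flags(self):
        return CKF_PROTECTED_AUTHENTICATION_PATH if self._pinpad else 0

    def _verify(self, user, pin):
        """Check a PIN against its retry counter, as the card's VERIFY would."""
        if self._tries[user] == 0:
            return CKR_PIN_LOCKED
        if pin != self._pins[user]:
            self._tries[user] -= 1
            return CKR_PIN_LOCKED if self._tries[user] == 0 else CKR_PIN_INCORRECT
        self._tries[user] = self._max_tries
        return CKR_OK

    def C_Login(self, user_type, pin=None):
        if user_type not in self._pins:
            return CKR_USER_TYPE_INVALID
        if self.logged_in == user_type:
            return CKR_USER_ALREADY_LOGGED_IN
        if self.logged_in is not None:
            return CKR_USER_ANOTHER_ALREADY_LOGGED_IN
        if pin is None:
            if not self.flags & CKF_PROTECTED_AUTHENTICATION_PATH:
                return CKR_ARGUMENTS_BAD            # no pinpad: the application must pass the PIN
            pin = self._pinpad(user_type)           # entered on the reader, never seen by the application
        rv = self._verify(user_type, pin)
        if rv == CKR_OK:
            self.logged_in = user_type
        return rv

    def C_Logout(self):
        if self.logged_in is None:
            return CKR_USER_NOT_LOGGED_IN
        self.logged_in = None
        return CKR_OK

    def C_SetPIN(self, old_pin, new_pin):
        """PKCS#11 v2.20 section 11.6: modifies the PIN of the user that is
        currently logged in, or the CKU_USER PIN if the session is not logged in."""
        target = CKU_USER if self.logged_in is None else self.logged_in
        rv = self._verify(target, old_pin)
        if rv == CKR_OK:
            self._pins[target] = new_pin
        return rv

    def C_Sign(self, data):
        """Private objects are only usable in a user session: (rv, signature)."""
        if self.logged_in != CKU_USER:
            return CKR_USER_NOT_LOGGED_IN, None
        return CKR_OK, hashlib.sha256(data).digest()   # stand-in for a real private-key operation

    def card_reset(self):
        """Reader unplugged / ATR re-read: the card forgets its security state,
        so an application that cached 'logged in' now holds a stale belief."""
        self.logged_in = None


def change_so_pin(token, old_so_pin, new_so_pin):
    """What an admin tool has to do: log in as SO first, so that C_SetPIN
    targets the SO PIN instead of the user PIN."""
    rv = token.C_Login(CKU_SO, old_so_pin)
    if rv != CKR_OK:
        return rv
    try:
        return token.C_SetPIN(old_so_pin, new_so_pin)
    finally:
        token.C_Logout()


if __name__ == "__main__":
    t = Token(so_pin="12345678", user_pin="1234")
    print("C_SetPIN with no login changed the user PIN:", t.C_SetPIN("1234", "4321") == CKR_OK)
    print("SO PIN changed via CKU_SO login:", change_so_pin(t, "12345678", "87654321") == CKR_OK)
```

Whether a real card lets the SO role change its own PIN, or what else that role may do, is card-specific, as the message above says; the model only fixes which PIN a given C_SetPIN call is aimed at.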

Re: [opensc-devel] Driver develop

2012-06-28 Thread helpcrypto helpcrypto
Hello again Alejandro (and others)

Apart from these URLs, do you know any other HOWTO/guide (to add a
card to OpenSC) ?

https://www.opensc-project.org/opensc/wiki/DeveloperInformation/NewCardDriver
https://www.opensc-project.org/opensc/wiki/DeveloperInformation/NewCardDriver/EnterSafeExample


Re: [opensc-devel] Driver develop

2012-06-26 Thread helpcrypto helpcrypto
> Maybe it's better that someone more implicated in OpenSC architecture would 
> answer this question.

Volunteers? (The question was: shouldn't a 100% compliant PKCS#15 card
work "out of the box" with OpenSC?)

> You can export keys from a smartcard via pkcs15-tool, but this does not mean that
> you don't need a card-**.c driver to use it. This file will be as long as
> the card's API differs from the ISO 7816 standard[1].

The problems I have found so far are:

1 - I don't have the card APDU reference yet (some APDUs are sent in
plaintext; I have been able to sniff them).

2 - The card doesn't seem to be 100% standard compliant (some APDUs I
sent don't have the response I expected).

3 - The card uses SM to write objects on the card, and I don't have the
secret keys to establish the SM (I think this one is the end of the
trip).

Please keep us (me) updated with your progress.

Re: [opensc-devel] Driver develop

2012-06-12 Thread helpcrypto helpcrypto
Hi Alejandro.

Today I'm testing an OpenSC-unsupported card; I have dumped the APDUs
sent by pcscd when doing some operations and it seems it's PKCS#15
compliant.

Apart from this link, have you made any progress?

On Wed, Jun 6, 2012 at 10:21 AM, Alejandro Díaz  wrote:
> 2012/6/6 helpcrypto helpcrypto 
>>
>> > I'm not developing the DNIe driver, I'm only working on the documentation
>> > to explain the way to develop a driver, and I think that this knowledge
>> > can be interesting for the community.
>>
>> That will be great.
>>
>> In the past we considered making a driver for our "very old, not
>> cryptographic, not PKCS#15 card", and finally we did our own PKCS#11
>> library.
>> I think your best bet will be asking jonsito directly. And please,
>> post somewhere any progress/doc you find along the way.
>
> I found a wiki page[1] with a start point, but only from the index wiki.
>
> I will submit the dnie example.
>
>> Maybe others like martin, viktor or ludovic can help you with this. I'm
>> sorry I can't.
>
> I agree.
>
> Thank you very much!
>
> [1] https://www.opensc-project.org/opensc/wiki/DeveloperInformation/NewCardDriver
>
> Alejandro Díaz Torres
> Área de Proyectos
>
> Emergya Consultoría
> Tfno: +34 954 51 75 77
> Fax: +34 954 51 64 73
> www.emergya.es

[opensc-devel] is this card? is it supported?

2012-06-08 Thread helpcrypto helpcrypto
Hi!

Our company, finally, is going to change the smartcard we are using.
Currently we have a non-cryptographic one, and it seems we are switching to "3B
6F 00 00 80 66 B0 07 01 01 77 07 53 02 31 24 82 90 00".

Looking at
http://ludovic.rousseau.free.fr/softwares/pcsc-tools/smartcard_list.txt
I have found it's CCID supported (I already knew that), but the names
don't seem to be correct.
This card is an "Optelio Card Santander"/R5/other alias, in other
words, a card which a bank here in Spain (Banco Santander) gives to
universities like Huelva, Pompeu Fabra, etc. (and many many others).
There are some models provided by Gemalto, maybe others by FNMT.

How should I update the list or add the info about that card?
Does anyone have some commands he/she would like me to send? (Is this
really properly written?)

Another thing I would like to know is if it is supported by OpenSC. There
are a bunch of universities out there that seem to have it, but
usually through the Gemalto gclib PKCS#11.

I have checked
http://www.opensc-project.org/opensc/tags?q=%27supported%27
and
http://www.opensc-project.org/opensc/wiki/SupportedHardware
and didn't find the Spanish DNIe (which actually is working based on
OpenSC), so I don't know about this.

I'm going to invoke "opensc-tool --name" in a moment, but maybe there
are more tests I should do.
Are they documented somewhere?

EXTRA for Ludovic Rousseau:
on http://ludovic.rousseau.free.fr/ you have some encoding troubles.

"système d'exploitation préféré" where it should be something like
"système...préféré", isn't it?
"Ma clé GnuPG" where it should be "clé", right?

I've forgotten all the French I studied at school ;)
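The ATR in the message above can be decoded by hand: TS 3B is the direct convention, T0 6F announces TB1 and TC1 (both 00, so no TD1 and therefore T=0 only) plus 15 historical bytes, and those historical bytes start with the compact-TLV category byte 80 and end in the status indicator 90 00. The block below is an added example, not pcsc-tools' ATR_analysis or any OpenSC code: it parses the ATR per ISO 7816-3, decodes the historical bytes as compact-TLV, and does the lookup the way ATR_analysis does against the smartcard_list.txt layout (one ATR pattern per line, '.' as a hex-digit wildcard, interpreted as a regular expression, then tab-indented names). The list excerpt is constructed for illustration and its entry names are placeholders, not this card's real names.

```python
"""Decode the ATR quoted above per ISO 7816-3, and look it up the way
pcsc-tools' ATR_analysis does: smartcard_list.txt has one ATR pattern per
line ('.' wildcards, matched as a regular expression) followed by
tab-indented name lines.

Added example, not pcsc-tools' code. The list excerpt is constructed in that
file's layout and its entry names are placeholders, not this card's names.
"""
import re

ATR = "3B 6F 00 00 80 66 B0 07 01 01 77 07 53 02 31 24 82 90 00"

SAMPLE_LIST = (
    "# constructed excerpt in the smartcard_list.txt layout\n"
    "3B 6F 00 00 80 66 B0 07 01 01 77 07 53 02 31 24 82 90 00\n"
    "\tExample entry A (constructed)\n"
    "3B 7F 96 00 00 80 31 80 65 B0 .. .. .. .. 12 0F FF 82 90 00\n"
    "\tExample entry B with wildcard bytes (constructed)\n"
)

# ISO 7816-4 compact-TLV tags found in category-0x80 historical bytes
HIST_TAGS = {1: "country code", 2: "issuer identification number",
             3: "card service data", 4: "initial access data",
             5: "card issuer's data", 6: "pre-issuing data",
             7: "card capabilities", 8: "status indicator",
             0xF: "application identifier"}


def parse_atr(atr_hex):
    """Split an ATR into TS, interface bytes, protocols, historical bytes, TCK."""
    data = bytes.fromhex(atr_hex)
    if len(data) < 2 or data[0] not in (0x3B, 0x3F):
        raise ValueError("bad TS byte")
    k, y = data[1] & 0x0F, data[1] >> 4       # T0: K historical bytes, Y1 presence bits
    i, n, interface, protocols = 2, 1, {}, set()
    while True:
        td = None
        for name, bit in (("TA", 1), ("TB", 2), ("TC", 4), ("TD", 8)):
            if y & bit:
                if i >= len(data):
                    raise ValueError("ATR truncated in interface bytes")
                interface[f"{name}{n}"] = data[i]
                td = data[i] if name == "TD" else td
                i += 1
        if td is None:
            break
        protocols.add(td & 0x0F)              # TDi low nibble: offered protocol
        y, n = td >> 4, n + 1                 # TDi high nibble: which TA/TB/TC/TD(i+1) follow
    protocols = protocols or {0}              # no TD1 at all: T=0 is implied
    historical = data[i:i + k]
    if len(historical) != k:
        raise ValueError("ATR truncated in historical bytes")
    i += k
    tck = None
    if protocols != {0}:                      # TCK present unless only T=0 is offered
        if i >= len(data):
            raise ValueError("TCK missing")
        tck, i = data[i], i + 1
        xor = 0
        for b in data[1:i]:                   # T0 .. TCK inclusive must XOR to zero
            xor ^= b
        if xor:
            raise ValueError("TCK check failed")
    if i != len(data):
        raise ValueError("trailing bytes after ATR")
    return {"convention": "direct" if data[0] == 0x3B else "inverse",
            "interface": interface, "protocols": protocols,
            "historical": historical, "tck": tck}


def parse_historical(historical):
    """Compact-TLV decode of category-0x80 historical bytes: one byte with the
    tag in the high nibble and the length in the low nibble, then the value."""
    if not historical or historical[0] != 0x80:
        return []
    objs, i = [], 1
    while i < len(historical):
        tag, length = historical[i] >> 4, historical[i] & 0x0F
        value = historical[i + 1:i + 1 + length]
        if len(value) != length:
            raise ValueError("compact-TLV object runs past the historical bytes")
        objs.append((tag, HIST_TAGS.get(tag, "unknown"), value))
        i += 1 + length
    return objs


def load_list(text):
    """smartcard_list.txt: a pattern line, then tab-indented names for it."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        if line.startswith("\t"):
            if entries:
                entries[-1][1].append(line.strip())
        else:
            entries.append((line.strip(), []))
    return entries


def lookup(atr_hex, entries):
    """Every list name whose pattern matches the whole ATR, as ATR_analysis does."""
    atr = " ".join(f"{b:02X}" for b in bytes.fromhex(atr_hex))
    return [name for pattern, names in entries
            if re.fullmatch(pattern, atr, re.IGNORECASE) for name in names]


if __name__ == "__main__":
    info = parse_atr(ATR)
    print(info)
    for tag, meaning, value in parse_historical(info["historical"]):
        print(f"  tag {tag:X} ({meaning}): {value.hex()}")
    print(lookup(ATR, load_list(SAMPLE_LIST)))
```

Feeding the real smartcard_list.txt to load_list() reproduces the name lookup that pcsc_scan prints; the pattern lines are regular expressions, so an entry that should cover several personalisations of one card is written with `..` in the byte positions that vary.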

Re: [opensc-devel] Driver develop

2012-06-06 Thread helpcrypto helpcrypto
> I'm not developing the DNIe driver, I'm only working on the documentation
> to explain the way to develop a driver, and I think that this knowledge
> can be interesting for the community.

That will be great.

In the past we considered making a driver for our "very old, not
cryptographic, not PKCS#15 card", and finally we did our own PKCS#11
library.
I think your best bet will be asking jonsito directly. And please,
post somewhere any progress/doc you find along the way.

Maybe others like martin, viktor or ludovic can help you with this. I'm
sorry I can't.


Re: [opensc-devel] Driver develop

2012-06-04 Thread helpcrypto helpcrypto
> My objective is to know how to write an OpenSC driver from APDU documentation.
IIUC: you want to make your own "opensc-dnie", right?

> but I've lost the way to connect the exercises with the final driver.
I don't understand what this means.

> On the other hand, if this manual doesn't already exist on the wiki and
> you're interested, I will write it.
I am.

PS: Why develop an "opensc-dnie" if there's already 1 (2) working?

Re: [opensc-devel] BT reader

2012-05-22 Thread helpcrypto helpcrypto
> You don't. It's useful to mount an attack against any BT sc reader (if
> sc doesn't support sm, or reader doesn't implement some extra security
> over bt).

Now I understand what you're talking about... :P


Re: [opensc-devel] BT reader

2012-05-21 Thread helpcrypto helpcrypto
> http://ubertooth.sourceforge.net/ about ~100 EUR including shipping.

How do you insert the smartcard there?... And how do you connect it to the
Android/iPhone?


Re: [opensc-devel] BT reader

2012-05-21 Thread helpcrypto helpcrypto
This might be interesting:
http://www.apriva.com/products/iss/authentication/reader
Priced 150€ +/-

Re: [opensc-devel] Import X.509 certificate via Firefox?

2012-05-16 Thread helpcrypto helpcrypto
>> - When Firefox import certificate, which C_* functions in PKCS#11 module 
>> will be called?
>> - What is the action flow from the C_* functions in PKCS#11 to the driver?

I suggest having a look at https://developer.mozilla.org/en/PKCS11_Implement

But probably pkcs11-spy and "on the fly" developing will be easier.
And remember that CKA_ID for Mozilla is the public key hash :)

>> - Currently, after select *.p12 file, Firefox automatically assume the
>> destination as Software Security Device (SSD), instead of asking me
>> where to import (SSD or Smartcard...).

AFAIK, if the card is not present, it automatically uses softoken, but
if a card is present and is not read-only, it shows a dialog to
select.

>> There may be due to something
>> missing in the PKCS-card_driver code. Can you point me what I need to
>> implement to make Firefox know that "there are another place to import
>> than the built-in SSD"?

Anyhow, ask on dev-tech-cry...@lists.mozilla.org ;)


Re: [opensc-devel] Biometric integraiton?

2012-04-26 Thread helpcrypto helpcrypto
> And what if I replace the trusted reader w/ another, hacked?
> Not too hard, it seems, since many supermarkets got hacked this way...

IMVHO, changing your physical reader from .cn is much harder than
editing a file...

> Just install a keylogger (maybe an HW one on the PS/2 cable? I've seen
> one that is quite hard to recognize... or even one INSIDE the
> keyboard...) and root (or user w/ physical access to the computer...
> that quite easily translates to "root" anyway) knows your PIN.

Repeat above


Re: [opensc-devel] Biometric integraiton?

2012-04-26 Thread helpcrypto helpcrypto
IIUC, the readers are 'dumb' devices, so this is how OpenSC works currently:
  OpenSC invokes select DF...
  OpenSC shows a login and sends it to the card / requests login to the card
which shows a login popup, and gets 9000 if OK
  OpenSC requests sign...

Having a pinpad/biometric could work like this:
  OpenSC knows CKF_PROTECTED_AUTHENTICATION_PATH is set
  OpenSC invokes select DF...
  OpenSC requests login to the reader (passing the login APDU?), and gets 9000 if OK
  OpenSC requests sign...

What I don't understand is how the reader authenticates against the card:
  is the fingerprint translated to a char* and sent to the card?
  how does the reader know what the login APDU is for that card?
(please, give me some doc about that...)

There must be a flag at reader level which says "I'm a reader, and I'm
able to do biometric/pinpad verify". Is there any "feature_support_flag"
to do that, like when using extended APDUs?

> If you can edit a root file you can do anything much more evil.

having root access < having PIN => using private key

By the way: does any of you know how to use "encrypted
memory" in applications?
___
opensc-devel mailing list
opensc-devel@lists.opensc-project.org
http://www.opensc-project.org/mailman/listinfo/opensc-devel


Re: [opensc-devel] Biometric integraiton?

2012-04-26 Thread helpcrypto helpcrypto
> Report CKF_PROTECTED_AUTHENTICATION_PATH to the application. OpenSC
> then calls an external lib to do do what is needed to authenticate the
> user.
>
> The external lib can do anything like display a dialog box, talk to
> the biometric reader, talk to a remote server, etc.

And what about the library-in-the-middle attack?

> Todo list:
> - define an API between OpenSC and an external lib

Maybe the readers have many different systems of authentication (PIN,
biometric, "on the fly / time generated").
I have to think about this twice.

> - define a configuration to tell OpenSC to use an external lib

And what if I edit your current config and replace the lib with my
modified evil lib?

> I don't know how/if OpenSC can know the smart card reader is
> biometric. I have not seen any thing like that in PC/SC.

Neither do I.
What about something like "declaring reader features"?
If the reader supports extended APDUs, then the EXTENDED_APDU_SUPPORT flag is set.
What do you think of BIOMETRIC_SUPPORT / EXTERNAL_LOGIN_SUPPORT to know that?
Has this been discussed (improve reader feature info in the PC/SC WG)?

> A few years ago I played with fprint [1] and a COVADIS Alya reader [2].
> Another API to look at may be bioapi [3].

I'll have a look, thanks.
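The "feature_support_flag" helpcrypto asks for does exist for PIN pads, though not in PC/SC's reader-state flags: PC/SC v2 part 10 feature discovery. The application sends the control code CM_IOCTL_GET_FEATURE_REQUEST (SCARD_CTL_CODE(3400)) with SCardControl(), and the driver answers with a TLV list, one (tag, length 4, 32-bit big-endian control code) triple per feature it supports; FEATURE_VERIFY_PIN_DIRECT is the one a secure-PIN-entry reader advertises. The block below is an added example, not OpenSC's or pcsc-lite's code: it parses such a reply and decides whether the reader can collect the PIN itself. The reply bytes are constructed (their control-code values follow the pattern a CCID driver uses but were not captured from a real reader), the pyscard call is shown only for context and assumes that library is installed, and, as far as I know, part 10 defines no biometric tag, so a fingerprint reader would need a vendor extension to announce itself this way.

```python
"""Reader feature discovery as PC/SC v2 part 10 defines it: the application
sends control code CM_IOCTL_GET_FEATURE_REQUEST with SCardControl() and the
driver answers with a TLV list, one (tag, length=4, 32-bit big-endian
control code) triple per feature it supports.

Added example, not OpenSC's or pcsc-lite's code. The response bytes below
are constructed, not captured from a real reader.
"""
import struct


def scard_ctl_code(code):
    """pcsc-lite's SCARD_CTL_CODE(); Windows builds the code with CTL_CODE()
    over FILE_DEVICE_SMARTCARD instead, so use the platform macro there."""
    return 0x42000000 + code


CM_IOCTL_GET_FEATURE_REQUEST = scard_ctl_code(3400)

FEATURE_TAGS = {
    0x01: "FEATURE_VERIFY_PIN_START",  0x02: "FEATURE_VERIFY_PIN_FINISH",
    0x03: "FEATURE_MODIFY_PIN_START",  0x04: "FEATURE_MODIFY_PIN_FINISH",
    0x05: "FEATURE_GET_KEY_PRESSED",   0x06: "FEATURE_VERIFY_PIN_DIRECT",
    0x07: "FEATURE_MODIFY_PIN_DIRECT", 0x08: "FEATURE_MCT_READER_DIRECT",
    0x09: "FEATURE_MCT_UNIVERSAL",     0x0A: "FEATURE_IFD_PIN_PROPERTIES",
    0x0B: "FEATURE_ABORT",             0x0C: "FEATURE_SET_SPE_MESSAGE",
    0x0D: "FEATURE_VERIFY_PIN_DIRECT_APP_ID", 0x0E: "FEATURE_MODIFY_PIN_DIRECT_APP_ID",
    0x0F: "FEATURE_WRITE_DISPLAY",     0x10: "FEATURE_GET_KEY",
    0x11: "FEATURE_IFD_DISPLAY_PROPERTIES", 0x12: "FEATURE_GET_TLV_PROPERTIES",
    0x13: "FEATURE_CCID_ESC_COMMAND",
}

# Constructed reply of a reader with secure PIN entry: VERIFY_PIN_DIRECT,
# MODIFY_PIN_DIRECT, IFD_PIN_PROPERTIES and GET_TLV_PROPERTIES.
SAMPLE_RESPONSE = bytes.fromhex(
    "06 04 42330006  07 04 42330007  0A 04 4233000A  12 04 42330012"
)

# Constructed reply of a plain reader: no features at all.
SAMPLE_EMPTY = b""


def parse_feature_response(buf):
    """TLV list -> {feature name: control code}. Every entry must be exactly
    6 bytes; anything else is a malformed reply and is rejected outright
    rather than partially trusted."""
    features, i = {}, 0
    while i < len(buf):
        if i + 6 > len(buf) or buf[i + 1] != 4:
            raise ValueError(f"malformed feature TLV at offset {i}")
        tag = buf[i]
        (ctl,) = struct.unpack(">I", buf[i + 2:i + 6])
        features[FEATURE_TAGS.get(tag, f"FEATURE_UNKNOWN_{tag:02X}")] = ctl
        i += 6
    return features


def has_secure_pin_entry(features):
    """The reader can collect the PIN itself (the CKF_PROTECTED_AUTHENTICATION_PATH
    case): either the one-shot VERIFY_PIN_DIRECT or the START/FINISH pair."""
    return ("FEATURE_VERIFY_PIN_DIRECT" in features
            or {"FEATURE_VERIFY_PIN_START", "FEATURE_VERIFY_PIN_FINISH"}.issubset(features))


def query_reader(connection):
    """With pyscard (assumed installed): `connection` is a CardConnection after
    connect(); control() sends the IOCTL and returns the reply as a list of ints."""
    return parse_feature_response(bytes(connection.control(CM_IOCTL_GET_FEATURE_REQUEST, [])))


if __name__ == "__main__":
    feats = parse_feature_response(SAMPLE_RESPONSE)
    for name, ctl in feats.items():
        print(f"{name:36s} control code 0x{ctl:08X}")
    print("secure PIN entry:", has_secure_pin_entry(feats))
```

The control code returned next to FEATURE_VERIFY_PIN_DIRECT is the one to pass to SCardControl() together with a PIN_VERIFY structure; that is the step at which the PIN stays on the reader and the host never sees it, which is what the 'dumb reader' flow in the message above lacks.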


Re: [opensc-devel] Biometric integraiton?

2012-04-26 Thread helpcrypto helpcrypto
>> PKCS#11 interface define both, ui callback (notify)
>
> What is that? Can you be more specific?

I was thinking about CK_NOTIFY as a way to notify operation progress

>> Couldnt opensc provide a way to do this safely?
>> Could signed libraries solve this?
>
> What is the threat model?
> Who is the attacker and what can he do?

I was thinking about this:
if biometric login is made using a library
opensc library <-> biometric-reader library
and
opensc library <-> man-in-the-middle library <-> biometric-reader library

probably this is not how it's supposed to be done.

> Signing a library will not solve much if the attacker has root access
> or is the user itself.

Windows CSPs must be signed to be used. That was what I was thinking.

As you can see, I'm thinking about many things, not all of them correct
:P

The question remains, anyway: how could OpenSC support
biometric/whatever readers?


Re: [opensc-devel] Biometric integraiton?

2012-04-26 Thread helpcrypto helpcrypto
Hello Martin.
Just to know (I'm asking myself about it...)

> I don't know about the readers or their internals, but OpenSC for sure
> does not support any kind of biometric authentication.

The PKCS#11 interface defines both a UI callback (notify) and that login can
be made using pinpads/external devices. (C_Login can receive the PIN,
or can show a dialog if pin==NULL).

Biometric/other kinds of pinpads can be used using external libraries
provided in the config. This, of course, could mean a security risk because
someone could proxify the libraries.

Couldn't OpenSC provide a way to do this safely?
Could signed libraries solve this?

Any reading regarding this specific topic?

Thanks for the info.


[opensc-devel] OpenSC page down...

2012-04-02 Thread helpcrypto helpcrypto
INPUT:
http://www.opensc-project.org/opensc/wiki/UsingOpensc
OUTPUT:
Traceback (most recent call last):
  File "build/bdist.linux-x86_64/egg/trac/web/api.py", line 440, in send_error
    data, 'text/html')
  File "build/bdist.linux-x86_64/egg/trac/web/chrome.py", line 827, in render_template
    message = req.session.pop('chrome.%s.%d' % (type_, i))
  File "build/bdist.linux-x86_64/egg/trac/web/api.py", line 216, in __getattr__
    value = self.callbacks[name](self)
  File "build/bdist.linux-x86_64/egg/trac/web/main.py", line 300, in _get_session
    return Session(self.env, req)
  File "build/bdist.linux-x86_64/egg/trac/web/session.py", line 198, in __init__
    self.get_session(sid)
  File "build/bdist.linux-x86_64/egg/trac/web/session.py", line 219, in get_session
    super(Session, self).get_session(sid, authenticated)
  File "build/bdist.linux-x86_64/egg/trac/web/session.py", line 61, in get_session
    db = self.env.get_db_cnx()
  File "build/bdist.linux-x86_64/egg/trac/env.py", line 328, in get_db_cnx
    return get_read_db(self)
  File "build/bdist.linux-x86_64/egg/trac/db/api.py", line 90, in get_read_db
    return _transaction_local.db or DatabaseManager(env).get_connection()
  File "build/bdist.linux-x86_64/egg/trac/db/api.py", line 152, in get_connection
    return self._cnx_pool.get_cnx(self.timeout or None)
  File "build/bdist.linux-x86_64/egg/trac/db/pool.py", line 226, in get_cnx
    return _backend.get_cnx(self._connector, self._kwargs, timeout)
  File "build/bdist.linux-x86_64/egg/trac/db/pool.py", line 146, in get_cnx
    raise TimeoutError(errmsg)
TimeoutError: Unable to get database connection within 0 seconds. (OperationalError('could not connect to server: No such file or directory\n\tIs the server running locally and accepting\n\tconnections on Unix domain socket "/var/run/postgresql/.s.PGSQL.5432"?\n',))


[opensc-devel] I must be blind

2012-03-30 Thread helpcrypto helpcrypto
I'm not able to find any pkcs11-spy.dll on my system. Can anyone tell
me where it should be?


Re: [opensc-devel] Ownership issue and consequences on OpenSC project

2012-03-26 Thread helpcrypto helpcrypto
> Another issues with this project is many of the modifications can only be 
> tested
> by a subset of developers (maybe only one) who have the cards that can use
> the modification.

Maybe it's a stupid idea (or already done), but can't we virtualize
smartcards (and use them in Jenkins)?


Re: [opensc-devel] opensc csp and windows

2011-12-04 Thread helpcrypto helpcrypto
A related issue I found some days ago concerning Windows
public/private key handling. Not very close to the topic, but IMHO
close enough to post (and ask).
http://social.msdn.microsoft.com/Forums/en-AU/windowssecurity/thread/676746c1-f9d0-4590-87b6-6a2fbddd319f


2011/12/3 Hunter William :
> Hi,
>
> Having just done this, I may be able to help. You do need the minidriver 
> installed for this to work. Check out 
> http://www.opensc-project.org/opensc/wiki/MiniDriver for details. In a 
> nutshell:
>
> - Make sure you have the minidriver dll - you may need a different version of 
> OpenSC (look for opensc-minidriver.dll)
> - Add your ATR to the registry as detailed in the wiki
> - Test and load the certificates into the store using certutil -SCInfo. Your 
> card should be recognised with the name you used in the registry - otherwise 
> the first two steps weren't done properly. Note that you can get certutil in 
> Windows XP too - look for the Windows 2003 Adminpak. In fact I don't know of 
> another way to get the certificates loaded properly (can you use the tools 
> bundled with opensc?), so you will probably need to install this on XP.
> - Make sure that the certificate is loaded, and that the private key 
> reference is present (important!) in the Microsoft store (run certmgr.msc).
>
> Then you should be able to use the certificate where required. When the 
> private key is necessary, the BaseCSP will prompt you for the PIN (the 
> certificate maintains a reference to where to find the private key). Note 
> that I experienced a number of issues with getting the certificate reliably 
> into the store *with* the private key, but this seemed to be because I was 
> changing my certificate, and Microsoft seems to keep a reference to the 
> private key even when you delete the public key. You can usually fix this by 
> rebooting or by running certutil -repairstore -user my .
>
> Hope that helps,
> Will
> 
> From: opensc-devel-boun...@lists.opensc-project.org 
> [opensc-devel-boun...@lists.opensc-project.org] On Behalf Of michele 
> [mich...@mailc.net]
> Sent: 02 December 2011 04:15 PM
> To: opensc-devel@lists.opensc-project.org
> Subject: [opensc-devel] opensc csp and windows
>
> Hi, I'm looking for guidelines for using the latest stable of OpenSC
> with Windows XP and 7.
> I need to authenticate to a web site by reading the certificate stored
> in the smart card. All works fine using
> Mozilla Firefox (and adding a new Security device by specifying the
> opensc dll), but now I'm interested in the
> CSP stuff. How can certificates stored in the smart card loaded into the
> Microsoft store and then used by Internet Explorer?
> Is the experimental mini driver what I want? How it works?
>
> Thank you for any guidelines.
>
> Michele


Re: [opensc-devel] Experiences with Java smartcardio

2011-11-27 Thread helpcrypto helpcrypto
And, as I said before: try to avoid JSS, because it's not "officially
supported" by Mozilla.

2011/11/25 Douglas E. Engert :
>
>
> On 11/24/2011 4:02 AM, Anders Rundgren wrote:
>> Hi Ludovic,
>>
>> You are a true smart card middleware expert.
>> I'm not and my customers are even less of that.
>> They just want to plug in and go.
>>
>> As it appears the smart card community/industry have created
>> uniquely complex middleware for reasons unclear to me.
>
> I never could understand it, either.
>
>> It is
>> proven beyond doubt that the platform vendors can't keep up
>> with it either [2].  Do they even bother testing this stuff?
>>
>> I understand that there are "layers" but if not even "layer-0"
>> works right-out-of-the-box the value of java-based software is
>> greatly reduced.  "Write once run everywhere" actually works
>> for sophisticated applications like EJBCA http://ejbca.org
>> without low-level platform tweaks.
>>
> Since it sounds like your problem is not so much trying to get
> javax.smartcardio.* to run, but more one of access to smartcards
> from Java,
>
> Have you read:
>
> http://java.sun.com/developer/technicalArticles/J2SE/security/
>
>  SunMSCAPI for Windows,
>  SunPKCS11 for PKCS#11 platforms.
>
> It also talks about NSS.
>
> another possible interface is Mozilla NSS for java.
> Since NSS calls PKCS#11 security devices, it should work
> on many platforms
>
> http://www.mozilla.org/projects/security/pki/jss/
>
>> Anders
>> unconvinced
>>
>> On 2011-11-24 10:31, Ludovic Rousseau wrote:
>>> 2011/11/23 Anders Rundgren:
>>>> Hi,
>>>
>>> Hello,
>>>
>>>> I just wonder what your opinion is about Java smart card io which is a
>>>> part of JDK 1.6 and forward.
>>>>
>>>> I did a minute test and it wasn't overly convincing :-(
>>>>
>>>> OTOH, as we all know that smart card middle ware is "hell on earth" I
>>>> may simply not have given it enough time.
>>>
>>> Do you know "PCSC sample in Java" [1]?
>>>
>>>> import javax.smartcardio.*;
>>>> import java.util.List;
>>>>
>>>> public class smart
>>>> {
>>>>   public static void main (String[] args)
>>>>     {
>>>>       try
>>>>         {
>>>>           // show the list of available terminals
>>>>           TerminalFactory factory = TerminalFactory.getDefault();
>>>>           List<CardTerminal> terminals = factory.terminals().list();
>>>>
>>>>           // get the first terminal
>>>>           if (terminals.isEmpty ())
>>>>             {
>>>>               System.out.println ("No terminals found!");
>>>>             }
>>>>           else
>>>>             {
>>>>               System.out.println("Terminals: " + terminals);
>>>>               CardTerminal terminal = terminals.get(0);
>>>>               // establish a connection with the card
>>>>               Card card = terminal.connect("T=0");
>>>>               System.out.println("card: " + card);
>>>>               CardChannel channel = card.getBasicChannel();
>>>>               // disconnect
>>>>               card.disconnect(false);
>>>>             }
>>>>         }
>>>>       catch (Exception e)
>>>>         {
>>>>            e.printStackTrace ();
>>>>         }
>>>>     }
>>>> }
>>>>
>>>> On windows you get an exception if there is no reader connected!
>>>
>>> I can't tell about Windows.
>>>
>>>> On Ubuntu I always get No terminals found!
>>>
>>> Ubuntu has a special configuration of pcsc-lite. Read "pcsc-lite
>>> upgrade and Ubuntu special configuration" [2].
>>>
>>>> On both machines I have other smart card apps working including pcscd on
>>>> Ubuntu
>>>> that in debug mode shows that the card is connected etc.
>>>
>>> You have not tried hard enough :-)
>>>
>>> Bye,
>>>
>>> [1] http://ludovicrousseau.blogspot.com/2010/06/pcsc-sample-in-java.html
>>> [2] 
>>> http://ludovicrousseau.blogspot.com/2010/10/pcsc-lite-upgrade-and-ubuntu-special.html
>>>
>>
>>
>>
>
> --
>
>  Douglas E. Engert  
>  Argonne National Laboratory
>  9700 South Cass Avenue
>  Argonne, Illinois  60439
>  (630) 252-5444
>

Re: [opensc-devel] Experiences with Java smartcardio

2011-11-24 Thread helpcrypto helpcrypto
We have been using Java for quite a long time to use the certificates
stored in our smartcards.
So far, we didn't have many issues.

Actually we are using JSS to attack our PKCS#11 module (or CSP), but
since we got some problems on OS X (I talked with NdK some weeks ago),
we decided to move to SunPKCS11 and avoid JSS. Our new applet, not yet
in production but in tests, seems to work perfectly.

As I said other times, I'm the one who makes the PKCS#11 library, not
the applet guy... so I cannot give you much information.

It would be great if ALL the browsers could use a GOOD JavaScript
interface to sign (more than a PKCS#1)/PKI; does anyone know something
about that?


Re: [opensc-devel] Half OT: PKCS#11+Mozilla

2011-08-29 Thread helpcrypto helpcrypto
I already saw those links and, as I told you earlier, it must be a
bad Mozilla/NSS implementation, because it asks again and again, no
matter if CKR_OK or CKR_INVALID_ATTRIBUTE.
Anyway, I'll argue these things with the Mozilla people. Thanks a lot
for your time and help. Much appreciated.

2011/8/26 Douglas E. Engert :
>
>
> On 8/26/2011 2:46 AM, helpcrypto helpcrypto wrote:
>> 2011/8/25 Douglas E. Engert:
>>>
>>> The OpenSC pkcs11/pkcs11-display.c has definitions for all these.
>>>   #define CKO_NETSCAPE 0xCE534350
>>>
>>>   #define CKO_NETSCAPE_CRL                (CKO_NETSCAPE + 1)
>>>   #define CKO_NETSCAPE_SMIME              (CKO_NETSCAPE + 2)
>>>   #define CKO_NETSCAPE_TRUST              (CKO_NETSCAPE + 3)
>>>   #define CKO_NETSCAPE_BUILTIN_ROOT_LIST  (CKO_NETSCAPE + 4)
>>>
>>> There are vendor attributes too.
>>
>> These are the values I'm talking about... I guess somewhere it must be
>> documented what they are for.
>
> PKCS#11 allows for vendor defined objects and attributes and NSS implements
> some soft tokens that can support storing of CA certs, with TRUST, and CRLs
> and other objects or attributes needed by NSS.
>
> You can find the documentations and source for NSS here:
>
> http://www.mozilla.org/projects/security/pki/nss/
>
> In Release 3.12 the names are changed from CKO_NETSCAPE_ to CKO_NSS_
> with the same values:
>
> http://www.mozilla.org/projects/security/pki/nss/nss-3.12/nss-3.12-release-notes.html
>
> In the NSS CVS source these are defined in
>  ./mozilla/security/nss/lib/util/pkcs11n.h
>
>
>>
>>>
>>> Looks like looking for a CRL.
>>>
>>> When OpenSC PKCS#11 sees these, it returns 0 objects and CKR_OK
>>
>> I don't know in OpenSC, but it doesn't matter if I return 0+CKR_OK or not.
>> It still asks many times.
>
> See this thread:
> http://www.mail-archive.com/dev-tech-crypto@lists.mozilla.org/msg08609.html
>
> One of the NSS developers, says you can return CKR_INVALID_ATTRIBUTE
> and it might stop asking.
>
>
>>
>>>
>>> Add to the environment something like this:
>>>
>>> PKCS11SPY=/opt/smartcard/lib/your-pkcs11.so
>>> PKCS11SPY_OUTPUT=/tmp/tb.spy.txt
>>>
>>>
>>> You can use the OpenSC pkcs11-spy.so with TB and your own PKCS#11 module.
>>> make the pkcs11-spy.so or pkcs11-spy.dll the security device.
>>>
>>>
>>>
>>> When OpenSC PKCS#11 sees these, it returns 0 objects and CKR_OK
>>>
>>
>> Thanks a lot for your help.
>
> --
>
>  Douglas E. Engert  
>  Argonne National Laboratory
>  9700 South Cass Avenue
>  Argonne, Illinois  60439
>  (630) 252-5444
>

Re: [opensc-devel] Half OT: PKCS#11+Mozilla

2011-08-26 Thread helpcrypto helpcrypto
2011/8/25 Douglas E. Engert :
>
> The OpenSC pkcs11/pkcs11-display.c has definitions for all these.
>  #define CKO_NETSCAPE 0xCE534350
>
>  #define CKO_NETSCAPE_CRL                (CKO_NETSCAPE + 1)
>  #define CKO_NETSCAPE_SMIME              (CKO_NETSCAPE + 2)
>  #define CKO_NETSCAPE_TRUST              (CKO_NETSCAPE + 3)
>  #define CKO_NETSCAPE_BUILTIN_ROOT_LIST  (CKO_NETSCAPE + 4)
>
> There are vendor attributes too.

These are the values I'm talking about... I guess somewhere it must be
documented what they are for.

>
> Looks like looking for a CRL.
>
> When OpenSC PKCS#11 sees these, it returns 0 objects and CKR_OK

I don't know in OpenSC, but it doesn't matter if I return 0+CKR_OK or not.
It still asks many times.

>
> Add to the environment something like this:
>
> PKCS11SPY=/opt/smartcard/lib/your-pkcs11.so
> PKCS11SPY_OUTPUT=/tmp/tb.spy.txt
>
>
> You can use the OpenSC pkcs11-spy.so with TB and your own PKCS#11 module.
> make the pkcs11-spy.so or pkcs11-spy.dll the security device.
>
>
>
> When OpenSC PKCS#11 sees these, it returns 0 objects and CKR_OK
>

Thanks a lot for your help.

[opensc-devel] Half OT: PKCS#11+Mozilla

2011-08-25 Thread helpcrypto helpcrypto
Sorry for the little OT.

I would like to know if the OpenSC PKCS#11 module added to
Firefox/Thunderbird has the same "problem" I'm having on my PKCS#11
library.

It seems that Mozilla is invoking C_FindObjectsInit asking for objects
with CK_OBJECT_CLASS = 0xCE534351 or 0xCE534352 or 0xCE534353 or
0xCE534354 around 171 times.
This type is a mask for VENDOR_DEFINED ones, and seems to be related to NSS.

As far as I know, returning CKR_OK and 0 objects, or even better
CKR_ATTRIBUTE_TYPE_INVALID, should tell Mozilla "I DON'T HAVE ANY OF
THESE", and Mozilla "should" stop asking.
Instead of this, it asks again... again... and again until boredom
(maybe it's because I have 171 CAs in my keystore? No clue).

The Mozilla/NSS people don't seem to know anything about this (or they
look the other way).
As I'm not an OpenSC user, and have no idea how to trace/log this
stuff, I ask the guys who have been fighting against this.
Is this also happening to you? Do you implement those VENDOR_DEFINED
(undocumented?) types? Could you give me a hand?

Thanx a lot anyway.
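Added example, not code from this thread, from OpenSC or from NSS: the CKA_CLASS check a PKCS#11 module's C_FindObjectsInit can run on the template NSS sends, recognising the CKO_NETSCAPE_* classes quoted in this thread and answering them with CKR_OK and zero objects, as the thread says OpenSC does, so a repeated search never reaches the card. The PKCS#11 typedefs and constants are written out inline (values from the v2.x headers), and the two-object token store is a constructed stand-in.

```c
#include <stdio.h>
#include <string.h>
/* Minimal PKCS#11 types and constants (values from the v2.x headers), written
 * out so this builds without pkcs11.h. */
typedef unsigned long CK_ULONG;
typedef CK_ULONG CK_RV;
typedef CK_ULONG CK_ATTRIBUTE_TYPE;
typedef CK_ULONG CK_OBJECT_CLASS;
typedef struct CK_ATTRIBUTE {
    CK_ATTRIBUTE_TYPE type;
    void *pValue;
    CK_ULONG ulValueLen;
} CK_ATTRIBUTE;

#define CKA_CLASS                   0x00000000UL
#define CKO_CERTIFICATE             0x00000001UL
#define CKO_PRIVATE_KEY             0x00000003UL
#define CKO_VENDOR_DEFINED          0x80000000UL
#define CKR_OK                      0x00000000UL
#define CKR_ARGUMENTS_BAD           0x00000007UL
#define CKR_ATTRIBUTE_VALUE_INVALID 0x00000013UL

/* NSS (Netscape) vendor-defined object classes as quoted in the thread from
 * OpenSC's pkcs11-display.c: 0xCE534351..0xCE534354 are the classes Mozilla
 * keeps searching for. NSS 3.12+ names them CKO_NSS_* with the same values. */
#define CKO_NETSCAPE                   0xCE534350UL
#define CKO_NETSCAPE_CRL               (CKO_NETSCAPE + 1)
#define CKO_NETSCAPE_SMIME             (CKO_NETSCAPE + 2)
#define CKO_NETSCAPE_TRUST             (CKO_NETSCAPE + 3)
#define CKO_NETSCAPE_BUILTIN_ROOT_LIST (CKO_NETSCAPE + 4)

/* Constructed stand-in for the token's object store (one certificate and its
 * private key); a real module would walk its PKCS#15 objects here. */
static const CK_OBJECT_CLASS token_objects[] = { CKO_CERTIFICATE, CKO_PRIVATE_KEY };
#define TOKEN_OBJECT_COUNT (sizeof token_objects / sizeof token_objects[0])

/* How often NSS asked for a vendor class; worth logging given the ~171 searches per session the thread reports. */
unsigned long nss_vendor_queries = 0;

int is_nss_vendor_class(CK_OBJECT_CLASS cls)
{
    return cls >= CKO_NETSCAPE_CRL && cls <= CKO_NETSCAPE_BUILTIN_ROOT_LIST;
}

/* Pull CKA_CLASS out of a search template: 1 (and *out set) when the template
 * selects by class, 0 when it does not, -1 when the attribute is malformed. */
int template_object_class(const CK_ATTRIBUTE *tmpl, CK_ULONG count,
                          CK_OBJECT_CLASS *out)
{
    for (CK_ULONG i = 0; i < count; i++) {
        if (tmpl[i].type != CKA_CLASS)
            continue;
        if (tmpl[i].pValue == NULL ||
            tmpl[i].ulValueLen != sizeof(CK_OBJECT_CLASS))
            return -1;
        memcpy(out, tmpl[i].pValue, sizeof(CK_OBJECT_CLASS));
        return 1;
    }
    return 0;
}

/* The decision a C_FindObjectsInit implementation makes for one template; on
 * CKR_OK, *match_count is what the following C_FindObjects would hand back.
 * NSS vendor classes (and other vendor-defined classes this token does not
 * implement) get CKR_OK with zero objects, the behaviour the thread attributes
 * to OpenSC, without any round-trip to the card. */
CK_RV find_objects_init_check(const CK_ATTRIBUTE *tmpl, CK_ULONG count,
                              CK_ULONG *match_count)
{
    CK_OBJECT_CLASS cls = 0;
    if (match_count == NULL || (tmpl == NULL && count != 0))
        return CKR_ARGUMENTS_BAD;
    *match_count = 0;
    int rc = template_object_class(tmpl, count, &cls);
    if (rc < 0)
        return CKR_ATTRIBUTE_VALUE_INVALID;
    if (rc == 1 && is_nss_vendor_class(cls)) {
        nss_vendor_queries++;          /* "I don't have any of these" */
        return CKR_OK;
    }
    if (rc == 1 && (cls & CKO_VENDOR_DEFINED))
        return CKR_OK;                 /* other vendor class: also none */
    for (CK_ULONG i = 0; i < TOKEN_OBJECT_COUNT; i++)
        if (rc == 0 || token_objects[i] == cls)
            (*match_count)++;
    return CKR_OK;
}

int main(void)
{
    CK_OBJECT_CLASS cls = CKO_NETSCAPE_TRUST;   /* 0xCE534353 from the thread */
    CK_ATTRIBUTE tmpl[1] = { { CKA_CLASS, &cls, sizeof cls } };
    CK_ULONG n = 0;
    CK_RV rv = find_objects_init_check(tmpl, 1, &n);
    printf("class 0x%08lX: rv=%lu matches=%lu vendor_queries=%lu\n",
           cls, rv, n, nss_vendor_queries);
    return 0;
}
```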


Re: [opensc-devel] banks

2011-08-22 Thread helpcrypto helpcrypto
> Wow, that is what I would call seriously "user friendly".
> And an example for others...
>
> Could you (offlist, as the list is non-commercial) disclose me the name of 
> the bank?

Again AFAIK, this is a common scenario here in Spain for public
companies like the one I work for (university).
In our case, the bank is a savings bank (according to the Wikipedia
translation of "caja de ahorros"), a kind of bank that doesn't give
benefits to its owners (cough). So "anyone" could do it; at least
Banco Santander, la Caixa, Bankia...

Anyhow, this is -more or less- what we have:
Dual card (contact/contactless). The contactless interface has only an ID
for parking access and similar things.
Contact interface with 2 applications: one for the bank, one for our
own use with a 1024-bit (yes... I know...) RSA certificate for auth+sign...


Re: [opensc-devel] banks

2011-08-22 Thread helpcrypto helpcrypto
AFAIK, it depends on your bank card relationship.

We use a bank card that can be used for payment and cash retrieval,
and also for the authentication process.
The card is customized for our company, and has the "euro6000" logo.

The way it works is the following: the card has 2 applications (DFs
according to the 7816 standard), one for EMV, the other one for our own
purposes.
Some guys, a long time ago, designed the content of our card and now
I'm the one responsible for developing and maintaining the PKCS#11 interface
for auth and sign on Win/Linux/Mac.

Does that answer your question?


Re: [opensc-devel] Java and pkcs11

2011-08-03 Thread helpcrypto helpcrypto
2011/8/3 NdK :
> On 03/08/2011 16:16, Douglas E. Engert wrote:
>> You say you are using FF, so have you looked at JSS?
>> http://www.mozilla.org/projects/security/pki/jss/
How can you say so, if JSS is not recommended/supported for Java applets?
(as said in the infamous bug
https://bugzilla.mozilla.org/show_bug.cgi?id=654939)
Anyway, AFAIK, using JSS doesn't avoid using SunPKCS11.
JSS avoids using smartcardio to list modules, using a conf file, and
gives direct access to a PKCS#11 module.

>> On Windows, you could also use the Windows CAPI via the SunMSCAPI,
>> and OpenSC on Windows can still be used via the OpenSC minidriver.
> Still proprietary solutions.
> And what about smartphones? "Standard" Java is more likely to be adapted
> than proprietary interfaces.
AFAIK, a Java applet should attack the system keystore no matter how.
Having a cert in the keystore (loaded from the smartcard) is done using CSP or
CNG. At least, that's the way we do it.

>> Here are 3 others: 357025, 613496, 613507. These deal with selecting
>> the "best slot", supporting CK_ALWAYS_AUTHENTICATE if needed, and
>> cutting down on searching for any object when it should be searching for
>> a cert only, which may be your 150 times.
My 150 times is a vendor-defined object (CKO_VENDOR_DEFINED), and it's
a "bad" implementation of NSS/PSM (I really don't know the internals).

> Well... The user should be responsible for selecting the "best" slot.
> That IMHO shouldn't be a "slot" in the first place, but just a
> certificate. The browser should only filter certs so that only
> acceptable ones are proposed to the user.
That's what is actually done, isn't it? At least, after the PIN request,
a window with certs is shown to select one...

> If an object isn't accessible ('cause it's marked private), it should
> be the user's responsibility to login w/ the correct credentials first.
NSS should detect the flag and, if needed, call C_Login or do the
operations needed. Sometimes the object is not extractable from the
smartcard, so it depends.

Maybe the PIN should be cached because sometimes the card can be reset
between calls, and that loses the security access.
That's the reason why the Spanish ID is requesting the PIN all the time(?)


Re: [opensc-devel] Java and pkcs11

2011-08-03 Thread helpcrypto helpcrypto
2011/8/3 NdK :
> Then why do I get *exactly* one slot per PIN (and in the slot name there's
> the label I associated with the PIN)? Maybe it's opensc-specific, but I
> doubt it.
It must be that OpenSC is adding a slot for each application/PIN. You should
check this with someone/Martin, but I'm pretty sure it is this.

> In 2.30 concurrent access is explained quite well. Both multitasking and
> multithreading -wise.
...tell me when developing :P
We have thread support+lock+transactions to avoid process
interference, but all this was "happily" superseded when logical
channels arrived in 7816-4 (which our card doesn't support either).

> Should be this way. Experiments say otherwise.
OpenSC implements it in another way, because PKCS#11 doesn't include
multiple PIN/virtual slot applications (Annex D? E?... it was removed, and
talked about this; check version 2.0 or earlier).

> I do. And they're named after the labels I gave to my PINs.
Did you read the example I gave you to understand what happened?
OpenSC must be doing it like this.

> You'd have to select the app before. IIUC you can't switch app while
> the card is in use (well, you can but it's like disconnecting a card and
> inserting a new one, with its own ATR).
> Discovering which apps are available on a card is another issue. But if I
> need PKCS15, I select app
> "A300" 'just to be sure'.
Absolutely wrong: consider applications as directories.
One of them can be protected for reading, another for writing, or even "public".
Your app could need to go through some of them and your card will not
be disconnected at all.
PC/SC common operation summary:
-establish context (get access to the PC/SC service)
-connect (communicate with the card... the ATR is received here, just once)
-begin transaction (lock for exclusive access)
-select 23 applications/DFs, read 234232 EFs...
-end transaction
-disconnect
-release context

What really happened here is that PKCS#15 helps a lot handling
objects, but the interface is still #11, intended for cryptoki
operations and without virtual slots "defined".
If you want different certificates depending on which URL you are on,
PKCS#11 doesn't cover this, and then you are "out of standard".
If your application (Java) should use different certs (stored in
different apps), then the simplest way is to connect to different
PKCS#11 modules or slots.
That's why OpenSC will show a slot for each application/PIN.
It's a way of accepting virtual slots, allowing multiple applications
and readers, and making the coding harder.

As always, any expert comment showing any mistake will be fine.


Re: [opensc-devel] Java and pkcs11

2011-08-03 Thread helpcrypto helpcrypto
2011/8/3 NdK :
> The wallet must allow for use of a smart card or a simple password
> (obviously highly sensitive passwords will have to be restricted to
> stronger method). Not really different at the programmatic level, since
> I can store "anything" in the "encryptedPrivateKey" field: an actual key
> or a reference to a token.
Understood. Java signed applets seem the most homogeneous way of doing
it. (Better than writing one script for each browser.)

> That's exactly what I noticed. Seems the key is the "friendly flag"
> that's (IMVHO) badly thought (since I can access both friendly and
> unfriendly tokens w/ the same lib).
Is that an OpenSC flag? (Remember I don't use OpenSC, so I don't know the internals.)

> And (more general question) why does a slot identify a PIN? What about
> "insecure" keys and their certs? See below.
A slot doesn't need to have a PIN, as stated in the PKCS#11 standard.
Even if FF does a bad implementation, and always requires a PIN using
C_Login, the slot/token could return CKR_OK and continue.
Our public cert is stored in a public area of our card, which can be
read and added to NSS without prompting for a PIN.
Maybe we are talking about different issues here.


>> I think we should exchange experiences :P
> Mine is just: too buggy to be actually used w/ smartcards, useful only
> in the simplest scenarios.
In my experience, I can guarantee that NSS is stable enough to be used
with a smartcard along with a Java applet.
We have lots of users, and just a few known problems. (I already
talked about a PSM/NSS deep review)...

> I can't retrieve now the bug #, but IIRC it keeps the session to the
> token open. Maybe your card allows for more than one channel.
No.
Our card is a stupidcard rather than a smartcard. I noticed FF tries to
retrieve the session that was previously used (which is closed when the
smartcard is removed and inserted in the reader), but this is easily solved
by saying "CKR_INVALID_HANDLE" (it was this CKR_, right?)
Anyway, I agree... PSM/NSS has aspects that could be improved. (And the
community... including you and me, could improve it.)

> No, but writing 9 different apps is not the solution, IMVHO.
We just have one applet (to rule them all) and some cross-browser JS
support to detect them.

> Nope. You can install sw only if the policy allows you to do it. And
> often (think about a kiosk) it's forbidden. A signed applet can AT MOST
> have the same rights of the user, IIRC (I don't remember a policy to give
> an applet more rights than the ones assigned to the user running it...).
Totally right.
Then, your applet should be self-running... and that means no JSS. You
should look for a method to locate your PKCS#11 module and so on.
If you go in this direction, let me know, because it will be our next target soon.

>>> - handles multiple slots
>> What you mean with this?
> That's something I still couldn't understand well...
> Reading PKCS11-v2.30b specs, it seems a slot is just a physical object
> where a card can be placed. So a reader should present more than one
> slot only if it accepts more than one token:
> "Cryptoki provides an interface to one or more cryptographic devices
> that are active in the system through a number of “slots”. Each slot,
> which corresponds to a physical reader or other device interface, may
> contain a token. A token is typically “present in the slot” when a
> cryptographic device is present in the reader. Of course, since Cryptoki
> provides a logical view of slots and tokens, there may be other physical
> interpretations. It is possible that multiple slots may share the same
> physical reader. The point is that a system has some number of slots,
> and applications can connect to tokens in any or all of
> those slots." (page 17).

1 - The PKCS#11 standard was designed a long time ago, so consider that it has
several shortcomings, for example "concurrent access", "multiple PIN
auth/virtual slots"... or this "strange/complex explanation about
slots".

In the smartcard approach you and I are using, this is translated as:
"One slot for each reader"
When the card is inserted in the slot, the token info is retrieved and shown.

In my case, as a user should have only 1 card, we want to avoid
problems, 'cause we have to code our library...
We have just 1 slot, no matter how many readers you have, and
when a card is inserted, we loop through all the readers to check if
our card is present.
It's not perfect, but it works like a charm.

> So I can understand that when I plug in another reader I get another set
> of slots.
Well... more or less, that will be the idea.

> What I don't understand is why I get a slot for every PIN on
> my card, plus a PnP (always empty) slot.
You don't simply get a slot for every PIN... (as usual, EXPERTS:
correct me if I'm wrong)

If your smartcard has a multiple PIN auth system (like many
applications, each one with a PIN), there should be a way to log in to
each one.
Consider the following: a smartcard with 2 apps, both of them containing
certificates.
How should you go about using any of these

Re: [opensc-devel] Java and pkcs11

2011-08-03 Thread helpcrypto helpcrypto
2011/8/3 NdK :
> On 03/08/2011 09:32, helpcrypto helpcrypto wrote:
> I need to implement a multiuser web password manager that allows users
> to group-share passwords (so Linux sysadmins don't have access to
> Windows passwords -- yes, I know AD, it's just an example).
> Server NEVER knows plaintext passwords, so even if it gets hacked no
> sensitive information is disclosed.
> Passwords must not be displayed, just gets copied to the clipboard (so I
> can access firewall password even if I'm in a lab with a dozen users
> behind my shoulders).
As I understand, you want to develop something like a wallet, where passwords
stored on the server (encrypted) are copied to the clipboard (although a simple
CTRL+V will display it), to let the user authenticate to other
services. Right?
You need applets because the access to this wallet is using a smartcard?
A certificate?
I agree, it's the most "homogeneous" way of doing it cross-browser.

> Known bug in FF, IIUC. When you insert the card (or load opensc-pkcs11)
> it C_Login to every slot even if you're not accessing certs. So:
> 1) it asks for EVERY pin (even signature ones)
What does IIUC mean?
With our company card + Spanish ID (DNIe) in different readers, while
doing client auth, it asks for 2 PINs (one for each slot), to retrieve
ALL the certs from all the slots/tokens.
That lets FF show a window to select among all possible certs.
Is this the scenario you are pointing at? Can you give me the Bugzilla number?
(From my experience, NSS or the part responsible for retrieving the
certs is not very efficient... for example, it requests vendor objects on my
token like 150 times, although the first time I say "I have
none")
I think we should exchange experiences :P

> 2) while opensc-pkcs11 is loaded in FF, thunderbird (nor any other
> PKCS11 'client') doesn't "see" the card
That's an OpenSC desired/undesired behaviour.
If OpenSC did that for any reason, you could ask here (or Martin). But
I can tell you, it's not FF who locks, because my smartcard can
be used and viewed by many at the same time.
(Thank God for PC/SC's BeginTransaction and EndTransaction methods)

> Anyway, auth using 'internal' method is possible only on https sites
> (unavailable on shared-hosting plans, and it's now giving me headaches
> since I need to use SNI, that's not supported by IE on XP).
No idea what "internal" means, or SNI, or what you are talking about.

>> Spanish tax ministry dont use Applets (use native componentes),
>> which doesnt require the user to have java.
> But, IIUC, that restricts use to only "supported" browser/platform -- I
> have labs w/ Linux machines, workstations w/ Windows XP (some w/ only
> IE, some w/ FF), quite a lot of Macs... The "minimum common denominator"
> can be Java w/ a minimum of must-have native libs (like pcsc-lite and
> ccid), even if it could be even better if those aren't needed.
We have those 3 systems, and support for 3 major browsers on each:
Firefox/Chrome/IE/Safari. I think that's enough for end users... come
on, don't make me support "lynx" please.
BTW, don't expect a friendly environment using Java on OS X, those guys hate it.
Again, similar scenario, maybe we could exchange more info.

>> https://www.agenciatributaria.gob.es/AEAT.sede/Inicio/Inicio.shtml
>> Spanish ecofirma (also from gov) uses an applet that downloads a
>> jnlp that install everything needed on your computer
>> http://oficinavirtual.mityc.es/javawebstart/soc_info/ecofirma/index.html
> This assumes that the user:
> - can install sw
Copying files is not always needed, but access to the system is.
Signed applets will let you access the system, and you could do whatever
you want.

> - usually uses only one machine
Not true... it just "extracts and runs", even better than installing
client software.
There are many ways to allow this without much headache... and clean
the temp files before shutting down :P
I agree it's slower, but anyone could use it anywhere (desktop computer)

> Well, I'm using Aventra cards, so they're both PKCS15 and cryptographic :)
> I thought you can't have "legally strong" signature unless you're using a
> crypto card (at least here in Italy).
According to our law (Spain), to have "the highest level of recognized
signature, equivalent (and even more) to a handwritten signature, you need a
secure signing device (keypair generated inside the card)". This, for
example, doesn't let the users export the key to a PKCS#12 file that
could compromise the key.

---MAYBE I'M WRONG ON THIS, so anyone can correct me and, please, do it
if I'm wrong---
Anyway, the signature has legal value and it's recognized as an advanced
signature; the difference can be summed up as:
In case of trial,
-recognized signatures (created using a secure signing

Re: [opensc-devel] Java and pkcs11

2011-08-03 Thread helpcrypto helpcrypto
If any of you don't agree with any of the following, just let me know.

>>>- should I avoid SunPKCS11 and base my program on "simple" PC/SC?
Absolutely not.
Do you code in assembly for your web pages? PC/SC should be used only if
your smartcard doesn't have a higher level of abstraction available
(like OpenSC)

>> If you need to stick to Java, maybe JNI is the answer.
I don't like it very much, but we have some legacy tools which use
this technology

> I usually do C, but this time I need a java applet for:
> 1) a web-based password manager I have to write for the office
If you explain more, I can tell you my opinion about what you could need/do

> 2) safely and strongly authenticate users to a plain HTTP page (very
> shared-hosting friendly!) -- I already can authenticate users w/ a
> smartcard (on https), but it needs Firefox to load its PKCS11 that
> "locks" the card and no other process can use it.

Must be a problem with your code. Actually, our card is used by
Firefox+Thunderbird+IE+local apps at the same time.

> I don't really like JNI since it usually needs uncommon client-side
> libraries, that's why I thought about pcsc (even if, after all, it's JNI
> anyway), since I already studied it and deps-wise it doesn't need
> anything more than the minimum.
You can observe what others do:

The Spanish tax ministry doesn't use applets (it uses native components), which
doesn't require the user to have Java.
 https://www.agenciatributaria.gob.es/AEAT.sede/Inicio/Inicio.shtml
Spanish ecofirma (also from gov) uses an applet that downloads a jnlp
that installs everything needed on your computer
   http://oficinavirtual.mityc.es/javawebstart/soc_info/ecofirma/index.html


In our company, we use smartcards for client/user authentication using
certificates, and also mail signing and document signing. For web
applications we use a signed applet.
This applet is done using Oracle/Sun JCE (java 1.6). Seems that SUN >=
1.6 JRE is the only one which had cryptography some time ago. Maybe
this has changed and now OpenJDK includes it. You should ask on Java
lists (and update me with the news, PLEASE!).

The applet side is made by another person, but I'm the developer of the
pkcs11 library that runs on OSX, Win and Linux. It's not made using
opensc because it's legacy code that has been re-coded just a few months
ago, and 'cause our card is not pkcs#15, nor really cryptographic.
(at least it's PCSC!)

Anyhow, in a recent discussion on a mozilla bug
(https://bugzilla.mozilla.org/show_bug.cgi?id=654939), I was sadly
surprised to read things like:
"If Java is trying to load Firefox's NSS libraries, it deserves to not work."
"Having external apps digging through the Mozilla cert store is not
recommended or supported in any case."
"This is not something that we intend to support or fix. No, writing
enterprise apps which poke into the Firefox certificate store is not a
desired use-case, especially while the app is running."
"I know that JSS is used for server applications written in Java. I
was not even aware that it's possible to use JSS inside browser
applets."
...
(and many more)

So, in other words...although Java has examples, doc and code to
explain how to use JSS (Java to NSS) and it's working perfectly, this
seems to be a bad thing for mozilla's people.
I still have to discuss at https://lists.mozilla.org/listinfo/dev-platform
On IE, you should code a CSP/CNG to access the smartcard and on
Safari, you could use opensc or a tokend. Chrome depends on the
system.

In your position I would:
-Check smartcard features to check if it's opensc compatible
-Implement your card in opensc or do your own pkcs#11/csp/tokend
(watch out for Lion 10.7 smartcard services!) if needed. This involves
PCSC.
-Use SunPKCS11, or JSS if you want to rely on "dangerous and evil
undocumented behaviour"

Anything you need, don't hesitate to contact me.
___
opensc-devel mailing list
opensc-devel@lists.opensc-project.org
http://www.opensc-project.org/mailman/listinfo/opensc-devel
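As an added example (not code from this thread, nor from OpenSC or any of the projects mentioned), this is how a Java program takes the route recommended above: load the SunPKCS11 provider on top of a PKCS#11 module, open the token as a KeyStore, and sign with a key that never leaves the card, without touching Firefox's NSS database. Assumptions: the module path below is OpenSC's opensc-pkcs11.so (adjust for .dll/.dylib), a card with one RSA key and matching certificate is inserted, and Java 9 or later is used (on Java 6-8 the equivalent of the configure() call is new sun.security.pkcs11.SunPKCS11(cfg.toString())).

```java
import java.io.Console;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.Provider;
import java.security.Security;
import java.security.Signature;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.Enumeration;

public class Pkcs11Sign {
    // Assumption: OpenSC's PKCS#11 module lives here. Windows: opensc-pkcs11.dll,
    // macOS: opensc-pkcs11.dylib (or .so, depending on the build).
    static final String MODULE = "/usr/lib/opensc-pkcs11.so";

    public static void main(String[] args) throws Exception {
        // SunPKCS11 reads a small text config; a temp file keeps this example
        // self-contained. A real deployment would ship the file with the app.
        Path cfg = Files.createTempFile("pkcs11", ".cfg");
        Files.write(cfg, ("name = OpenSC\nlibrary = " + MODULE + "\n")
                .getBytes(StandardCharsets.UTF_8));
        try {
            // Java 9+: configure the built-in SunPKCS11 provider from that file.
            Provider p = Security.getProvider("SunPKCS11").configure(cfg.toString());
            Security.addProvider(p);

            // Never hard-code the PIN; read it from the console (null inside some IDEs).
            Console console = System.console();
            if (console == null) throw new IllegalStateException("run from a terminal");
            char[] pin = console.readPassword("User PIN: ");

            // The provider exposes the token as a KeyStore; load() with the PIN logs in.
            KeyStore ks = KeyStore.getInstance("PKCS11", p);
            ks.load(null, pin);

            // Pick the first alias that has a private key on the card.
            String alias = null;
            for (Enumeration<String> e = ks.aliases(); e.hasMoreElements();) {
                String a = e.nextElement();
                if (ks.isKeyEntry(a)) { alias = a; break; }
            }
            if (alias == null) throw new IllegalStateException("no private key on token");

            X509Certificate cert = (X509Certificate) ks.getCertificate(alias);
            // This PrivateKey is only a handle: the key material stays on the card.
            PrivateKey key = (PrivateKey) ks.getKey(alias, pin);
            Arrays.fill(pin, '\0');

            byte[] data = "hello".getBytes(StandardCharsets.UTF_8);
            Signature signer = Signature.getInstance("SHA256withRSA", p);
            signer.initSign(key);
            signer.update(data);
            byte[] sig = signer.sign();

            // Verify with the certificate's public key through any software provider:
            // this proves the signature came from the key matching the card's cert.
            Signature verifier = Signature.getInstance("SHA256withRSA");
            verifier.initVerify(cert.getPublicKey());
            verifier.update(data);
            System.out.println("subject: " + cert.getSubjectX500Principal());
            System.out.println("signature valid: " + verifier.verify(sig));
        } finally {
            Files.deleteIfExists(cfg);
        }
    }
}
```

Compile and run with `javac Pkcs11Sign.java && java Pkcs11Sign`. The provider opens its own PKCS#11 sessions through the module, so it needs neither JNI code of your own nor Firefox's certificate store, which is exactly the part the Mozilla comments quoted above object to.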


[opensc-devel] What smartcard should we bought?

2011-07-26 Thread helpcrypto helpcrypto
Hi everyone.

At our company, we are thinking about buying a new smartcard for our
certificate-related services.
Currently we have a 1024 RSA certificate on a not-so-cryptographic
smartcard, and plan to use 2 x 2048 RSA certificates soon.

As our smartcard doesn't have enough space, I have started looking at
some providers for the best option.

I'll need the card to support the following:
-Space for at least 2 x 2048 RSA certificates
-On-device key generation
-Support for multiple session/concurrency (seems this is called
logical channels on ISO 7816-4)
-Dual (contact+contactless) interface
-Based on PCSC, PKCS#11 and PKCS#15 standards
-Must be customizable (Company logo, name...)
-Multiple applications (DF)

Additionally, it will be great if the card has:
-Secure channels (communications encrypted between apps and card)
-Possibility of an administrator profile (that could create and modify EFs
with an SO password)
-"Native" support on Windows, Linux and Mac OSX (it would be great to be
OpenSC supported)

Which one of these features do you consider more important?
Do you have a smartcard in mind?
Has this been discussed before? (link please!)

Any help will be much appreciated.
Thanks!
___
opensc-devel mailing list
opensc-devel@lists.opensc-project.org
http://www.opensc-project.org/mailman/listinfo/opensc-devel


Re: [opensc-devel] From where should i start?

2011-05-12 Thread helpcrypto helpcrypto
Thank you a lot. And a lot of thanks for your work on PCSCLite, which
we are actually using a lot.

2011/5/12 Ludovic Rousseau 

> 2011/5/12 helpcrypto helpcrypto :
> > First, I'll introduce ourselves:
> > We have developed a self-designed (not opensc based) PKCS#11 library for
> > our company smartcards.
> > They aren't PKCS#15 compliant, and not really cryptographic, because the
> > key is handled out of the card, but it's all we have, and it's PCSC/CCID.
> >
> > Our software is working on Linux and Windows (Firefox/Thunderbird), and
> > we expect that it will work on Mac OSX as soon as we/they resolve some
> > Java issues on Firefox4, but it seems to work in tests.
> > Now, we are considering making it Safari/Mail compatible and found the SCA
> > project (Actually, I don't know if it's considered obsolete, unmaintained
> > or what).
> >
> > As I read, SCA is compatible with opensc-pkcs11-modules, and seems to be
> > a kind of bridge/proxy between TokenD and PKCS#11.
> > Is there any way to link Safari/Mail with our own pkcs11 library through
> > this bridge? (assuming SCA=bridge)
> > If it's possible: Really, I don't know where to start. The wiki seems
> > quite messy, I can't find anything about what I'm looking for...I'm
> > really lost.
> > If not possible, I assume we should port/refactor our PKCS#11 module to
> > embed in OpenSC. Completely lost again.
> >
> > So this subject is more or less:
> > From where should I start?
> > I have read the whole wiki (maybe I missed half, 'cause it's quite a
> > labyrinth), and didn't find a starting point on how to develop/use
> > opensc.
> >
> > Where can I find such an opensc-pkcs11-module example? Is it all OpenSC
> > text/config based?
> >
> > If I want to use Safari/Mail to access our smartcards, using pkcs11, is
> > migrating our code to an opensc interface the only option?
>
> No, that is not the only option.
> Maybe it is simpler to use a tokend over the PKCS#11 API. See [1]
> "Free software Tokend above PKCS#11 (for Mac OS X)".
>
> You should not have to modify your PKCS#11 module.
>
> Bye
>
> [1]
> http://ludovicrousseau.blogspot.com/2010/04/free-software-tokend-above-pkcs11-for.html
>
> --
>  Dr. Ludovic Rousseau
>
___
opensc-devel mailing list
opensc-devel@lists.opensc-project.org
http://www.opensc-project.org/mailman/listinfo/opensc-devel

[opensc-devel] From where should i start?

2011-05-12 Thread helpcrypto helpcrypto
Sorry if this is not the correct place/list (posted on opensc-devel and opensc-user)

First, I'll introduce ourselves:
We have developed a self-designed (not opensc based) PKCS#11 library for our
company smartcards.
They aren't PKCS#15 compliant, and not really cryptographic, because the key
is handled out of the card, but it's all we have, and it's PCSC/CCID.

Our software is working on Linux and Windows (Firefox/Thunderbird), and we
expect that it will work on Mac OSX as soon as we/they resolve some Java
issues on Firefox4, but it seems to work in tests.
Now, we are considering making it Safari/Mail compatible and found the SCA
project (Actually, I don't know if it's considered obsolete, unmaintained or
what).

As I read, SCA is compatible with opensc-pkcs11-modules, and seems to be a
kind of bridge/proxy between TokenD and PKCS#11.
Is there any way to link Safari/Mail with our own pkcs11 library through
this bridge? (assuming SCA=bridge)
If it's possible: Really, I don't know where to start. The wiki seems quite
messy, I can't find anything about what I'm looking for...I'm really lost.
If not possible, I assume we should port/refactor our PKCS#11 module to
embed in OpenSC. Completely lost again.

So this subject is more or less:
From where should I start?
I have read the whole wiki (maybe I missed half, 'cause it's quite a
labyrinth), and didn't find a starting point on how to develop/use opensc.

Where can I find such an opensc-pkcs11-module example? Is it all OpenSC
text/config based?

If I want to use Safari/Mail to access our smartcards, using pkcs11, is
migrating our code to an opensc interface the only option?

...and lots of questions follow.

Thanks in advance for any help you could provide, and thanks for making such
great software.
___
opensc-devel mailing list
opensc-devel@lists.opensc-project.org
http://www.opensc-project.org/mailman/listinfo/opensc-devel