Re: [opensc-devel] Want to write support for iKey4000 USB token

2011-10-30 Thread Andy Walls
On Tue, 2011-10-25 at 11:26 +0300, Martin Paljak wrote:
> Hello,
>
> On Tue, Oct 25, 2011 at 02:22, Andy Walls awa...@md.metrocast.net wrote:
> > If the offer here still stands:
> >
> > http://www.opensc-project.org/pipermail/opensc-devel/2008-August/011252.html
> > http://www.opensc-project.org/opensc/wiki/RainbowIkeyFour
>
> The best bet is to contact them again, maybe they have changed their
> mind. You might want to try in parallel to get in contact with their
> support interface (it is often a lengthy process and getting to
> technically minded people who can and want to comment on anything
> might take some time)

I haven't contacted them yet, but I will soon.

> > I seem to have the iKey 4000 variant that is *not* USB CCID v1.10
> > compliant:
> That's a sad fact.
>
> > Since there is an IFD for the iKey2032 in OpenCT, maybe that can be used
> > as a starting point for an IFD for the iKey 4000.
> Probably.

After examination of the USB traces I have found that the iKey 4000 USB
protocol is almost identical to the iKey 3000, assuming OpenCT's
ifd-ikey3k.c code is correct.

The vendor protocol on the default control pipe seems to only have 4
values for bRequest in USB packets.

bmRequestType: 0x41 (Host to Device, Vendor, Interface)
bRequest: 0x16
wValue: varies
wIndex: 0x
Used for commanding what appear to be token and/or embedded
reader related functions.  For example, wValue = 0x2 causes
the device to respond with a PTS sequence: 0xff 0x11 0x11 0xff
(PTSS PTS0 PTS1 PTSCK).

bmRequestType: 0x41 (Host to Device, Vendor, Interface)
bRequest: 0x17
wValue: varies
wIndex: varies
Used for sending APDUs to the embedded SafeNet/Datakey DK400
SmartCard.  wValue and wIndex appear to contain part of the
APDU, and the transfer payload contains the rest of the APDU.

bmRequestType: 0xc1 (Device to Host, Vendor, Interface)
bRequest: 0x01
wValue: 0x
wIndex: 0x
Used to fetch responses to the above request types

bmRequestType: 0xc1 (Device to Host, Vendor, Interface)
bRequest: 0x00
wValue: 0x
wIndex: 0x
Used to request some sort of firmware(?) information from the
device.

The wValue, wIndex, and transfer payload are covered by a simple
bytewise XOR-sum for bRequest = 0x17 commands and for the bRequest = 0x1
response to such commands.


> While at it, you can look at how to integrate OpenCT
> ifdhandler into pcsc-lite by default.

I'm not quite sure I understand what you would like here, but it seems
out of scope of my current objective.

I initially was going to write an IFDHandler for PC/SC-lite and modify
the CoolKey library to provide the PKCS-11 functions and provide an NSS
interface to Firefox, etc.

However, since OpenCT already had some iKey support, I decided to start
with OpenCT.


> You could also snoop the USB layer, maybe the card inside works with
> some existing driver with no or just a few modifications (or maybe
> just needs a custom profile)

The few APDUs I have examined, SELECT_FILE and READ_BINARY I think,
look like they match the StarCos cards to some degree.

The embedded SmartCard implementation is a DK400 according to the
Historical bytes in the ATR.  I also observed in the USB snoop that the
OS is SafeNet's SCCOS v3.0 (likely an evolution of DKCCOS v2.0).

Anyway, slowly moving forward

Regards,
Andy


___
opensc-devel mailing list
opensc-devel@lists.opensc-project.org
http://www.opensc-project.org/mailman/listinfo/opensc-devel
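
The four vendor requests listed in the 2011-10-30 message, as an added example that is not code from the thread or from OpenCT: it decodes a captured setup packet, maps it to the role the post infers, and computes the XOR-sum over the span the post names. The enum, struct and function names are invented here, and since the thread does not say where the check byte is carried, the last function only returns the sum.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

enum ikey_role { IKEY_UNKNOWN, IKEY_READER_CMD, IKEY_APDU_OUT,
                 IKEY_FETCH_RESPONSE, IKEY_DEVICE_INFO };
struct usb_setup {                  /* fields of a USB setup packet */
    uint8_t  bmRequestType, bRequest;
    uint16_t wValue, wIndex, wLength;
};
/* Setup bytes rebuilt from the fields of the capture quoted in the thread. */
const uint8_t CAPTURED_SETUP[8] = { 0xc1, 0x01, 0, 0, 0, 0, 0x20, 0 };
/* Decode the 8 setup bytes; the 16-bit fields are little-endian. */
struct usb_setup setup_decode(const uint8_t b[8])
{
    struct usb_setup s = { b[0], b[1], (uint16_t)(b[2] | b[3] << 8),
        (uint16_t)(b[4] | b[5] << 8), (uint16_t)(b[6] | b[7] << 8) };
    return s;
}

/* Map a request to the role the post infers for it. */
enum ikey_role ikey_classify(struct usb_setup s)
{
    int in = s.bmRequestType >> 7;              /* 1 = device to host */
    if (((s.bmRequestType >> 5) & 3) != 2 ||    /* type must be vendor */
        (s.bmRequestType & 0x1f) != 1)          /* recipient: interface */
        return IKEY_UNKNOWN;
    if (!in && s.bRequest == 0x16) return IKEY_READER_CMD;
    if (!in && s.bRequest == 0x17) return IKEY_APDU_OUT;
    if (in && s.bRequest == 0x01)  return IKEY_FETCH_RESPONSE;
    if (in && s.bRequest == 0x00)  return IKEY_DEVICE_INFO;
    return IKEY_UNKNOWN;
}

/* XOR of the wValue and wIndex bytes and the payload: the span the post
 * says the sum covers. Where the check byte is carried is not stated. */
uint8_t ikey_xor_sum(struct usb_setup s, const uint8_t *p, size_t n)
{
    uint8_t x = (uint8_t)(s.wValue ^ (s.wValue >> 8) ^
                          s.wIndex ^ (s.wIndex >> 8));
    while (n--)
        x ^= *p++;
    return x;
}

int main(void)
{
    printf("role=%d\n", ikey_classify(setup_decode(CAPTURED_SETUP)));
    return 0;
}
```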


Re: [opensc-devel] Want to write support for iKey4000 USB token

2011-10-25 Thread Martin Paljak
Hello,

On Tue, Oct 25, 2011 at 02:22, Andy Walls awa...@md.metrocast.net wrote:
> If the offer here still stands:
>
> http://www.opensc-project.org/pipermail/opensc-devel/2008-August/011252.html
> http://www.opensc-project.org/opensc/wiki/RainbowIkeyFour

The best bet is to contact them again, maybe they have changed their
mind. You might want to try in parallel to get in contact with their
support interface (it is often a lengthy process and getting to
technically minded people who can and want to comment on anything
might take some time)

> I seem to have the iKey 4000 variant that is *not* USB CCID v1.10
> compliant:
That's a sad fact.

> Since there is an IFD for the iKey2032 in OpenCT, maybe that can be used
> as a starting point for an IFD for the iKey 4000.
Probably. While at it, you can look at how to integrate OpenCT
ifdhandler into pcsc-lite by default.

> For comparison, aside from the iKey 4000, all the ATRs listed in this
> file:

As the iKey4000 comes in USB form factor and is not a smart card or
standard CCID device and pcsc_scan is mostly used on Linux (even
though it can be compiled on Windows as well, with small adjustments)
it is reasonable to think, that the iKey4000 ATR has not yet reached
the list :)


You could also snoop the USB layer, maybe the card inside works with
some existing driver with no or just a few modifications (or maybe
just needs a custom profile)

Best,
Martin


[opensc-devel] Want to write support for iKey4000 USB token

2011-10-24 Thread Andy Walls
Hi,

We have a couple of iKey4000 USB tokens at my company that we received
from a CA.  I'd like to add Linux support for these devices so end users
can use them with Firefox, Evolution, and Thunderbird.

If the offer here still stands:

http://www.opensc-project.org/pipermail/opensc-devel/2008-August/011252.html
http://www.opensc-project.org/opensc/wiki/RainbowIkeyFour

I'd be willing to sign an NDA for information of the device, with the
understanding that the reviewed, resultant code could be released under
the LGPL.  (BTW, I'm the maintainer of the Linux kernel ivtv and cx18
drivers.)

For anyone interested in the details and speculation I've collected about
the token, see below.

Regards,
Andy W.


I seem to have the iKey 4000 variant that is *not* USB CCID v1.10
compliant:

Bus 003 Device 004: ID 04b9:1206 Rainbow Technologies, Inc. iKey 4000 Token
Device Descriptor:
  bLength                18
  bDescriptorType         1
  bcdUSB               1.00
  bDeviceClass            0 (Defined at Interface level)
  bDeviceSubClass         0
  bDeviceProtocol         0
  bMaxPacketSize0         8
  idVendor           0x04b9 Rainbow Technologies, Inc.
  idProduct          0x1206 iKey 4000 Token
  bcdDevice            1.10
  iManufacturer           2 SafeNet, Inc.
  iProduct                1 iKey 4000
  iSerial                 0
  bNumConfigurations      1
  Configuration Descriptor:
    bLength                 9
    bDescriptorType         2
    wTotalLength           20
    bNumInterfaces          1
    bConfigurationValue     1
    iConfiguration          0
    bmAttributes         0x80
      (Bus Powered)
    MaxPower               56mA
    Interface Descriptor:
      bLength                 9
      bDescriptorType         4
      bInterfaceNumber        0
      bAlternateSetting       0
      bNumEndpoints           0
      bInterfaceClass       255 Vendor Specific Class
      bInterfaceSubClass      0
      bInterfaceProtocol      0
      iInterface              0
      ** UNRECOGNIZED:  02 40
Device Status: 0x
  (Bus Powered)

SnoopyPro captures of device initialization show that all data traffic
happens over the default control pipe.

Some basic research indicates that the iKey4000 and iKey2032 may be
similar:

http://www.datakey-europe.com/englisch/inhalt_smartcard.htm

Since there is an IFD for the iKey2032 in OpenCT, maybe that can be used
as a starting point for an IFD for the iKey 4000.

The ATR also indicates to me that the iKey4000's SafeNet CCOS (SCCOS)
is likely based off of the DataKey CCOS (DKCCOS).

The ATR of the iKey4000 is in this captured packet:

  ControlTransfer
data:
 0000: 19 3b ff 18 00 00 81 31 fe 4d 80 25 a0 00 00 00 | .;.....1.M.%.... |
 0010: 56 57 44 4b 34 30 30 06 00 dd c8 40 02 01 a0 00 | VWDK400....@.... |
bRequestType: 0xc1 (Read-Vendor-Interface)
bRequest: 1
wValue: 0 (0x0000)
wIndex: 0 (0x0000)
wLength: 32

For comparison, aside from the iKey 4000, all the ATRs listed in this
file:

http://ludovic.rousseau.free.fr/softwares/pcsc-tools/smartcard_list.txt

that have a hex string 56 57 44 4B 3[0-9] 3[0-9] 3[0-9] or ASCII
VMDK[1-9][0-9][0-9], are DataKey products.

In 1999, DataKey Licensed DKCCOS to Rainbow:
http://www.thefreelibrary.com/Rainbow+Technologies+and+Datakey+Collaborate+On+Future+Rainbow+iKey...-a055215336

In 2004, SafeNet acquired DataKey:
http://www.datakeyelectronics.com/about_safenet.html

iKey 4000 FIPS 140 security policy document:
http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140sp/140sp943.pdf

iKey 2032 FIPS 140 security policy document:
http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140sp/140sp161.pdf
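
The ATR in the captured packet above can be checked mechanically. This added example (not code from the post or from OpenCT) walks the 25 bytes that follow the leading 0x19, which is assumed here to be a length prefix, locates the historical bytes that carry "VWDK400", and verifies the TCK check byte; `atr_parse` and `struct atr_info` are names invented for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Bytes 1..25 of the payload quoted in the post; the leading 0x19 (25)
 * is assumed to be a length prefix and is left out. */
const uint8_t IKEY4000_ATR[25] = {
    0x3b,0xff,0x18,0x00,0x00,0x81,0x31,0xfe,0x4d,0x80,0x25,0xa0,0x00,
    0x00,0x00,0x56,0x57,0x44,0x4b,0x34,0x30,0x30,0x06,0x00,0xdd };

struct atr_info { const uint8_t *hist; size_t hist_len; }; /* historical bytes */

/* Walk an ISO/IEC 7816-3 ATR. Returns -1 if it is malformed or fails the
 * TCK check (XOR of T0..TCK must be 0), else a mask with bit n set per T=n. */
int atr_parse(const uint8_t *atr, size_t len, struct atr_info *out)
{
    size_t pos = 2, i;
    unsigned y, mask = 0, x = 0;

    if (len < 2 || (atr[0] != 0x3b && atr[0] != 0x3f))
        return -1;                              /* TS: direct or inverse */
    out->hist_len = atr[1] & 0x0f;              /* T0 low nibble: K */
    for (y = atr[1] >> 4; y; y = atr[pos++] >> 4) {
        pos += (y & 1) + ((y >> 1) & 1) + ((y >> 2) & 1); /* TAi TBi TCi */
        if (!(y & 8))
            break;                              /* no TDi follows */
        if (pos >= len)
            return -1;
        mask |= 1u << (atr[pos] & 0x0f);        /* TDi low nibble: T */
    }
    if (pos + out->hist_len > len)
        return -1;
    out->hist = atr + pos;
    pos += out->hist_len;
    if (mask & ~1u) {                           /* TCK unless only T=0 */
        if (pos >= len)
            return -1;
        for (i = 1; i <= pos; i++)
            x ^= atr[i];
    }
    return x ? -1 : (int)mask;
}

int main(void)
{
    struct atr_info a;
    printf("T mask: %d\n", atr_parse(IKEY4000_ATR, sizeof IKEY4000_ATR, &a));
    return 0;
}
```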
