Yes and no. It's not bad to have low-level tools which are useless
for end users. Those tools are very useful for developers.
[...]
Agree that end-user GUIs need more sophisticated functionality than
may be offered by most or even all existing OpenSC tools. But that
does not mean that
I had to recompile the whole OpenSC/OpenCT framework from source as the
one shipped with Fedora was utter crap (and I mean *really* crap)! I
also had to upgrade gdm to 2.32 (again, compiled from source) in order
to get it to work with the rest of the framework in FC13.
Can you
One of the reasons to subscribe to the list many months ago was that I
wanted to use Gnome Smartcard Manager but it wasn't working (at least
not in FC13) :-X
I guess you are mixing up two things: Gnome Display Manager (which takes
care of logon within Gnome and can use
They do! The configuration file(s) default to coolkey, but opensc/openct
drivers are also listed in the same file, although these are commented
out and therefore disabled.
RedHat does *package* OpenSC but it has no meaning in their overall dogtag
PKI offering (which uses coolkey
b) There is no such thing as Gnome smart card manager. If it will ever be
created in the context I assume the original poster thinks about it, it will
probably be integrated into Gnome Keyring/Seahorse. But there's nothing there
yet.
See my previous post regarding this - I assume the OP
Fedora has been shipping latest released opensc for quite some time.
Quite some time being since when - 3-4 months ago? because when I
started having these problems both openct and opensc packages on Fedora
were terribly outdated!
You
got your smart card working by building the latest
I don't think RedHat is using OpenSC. They have a PKCS#11 token called
coolkey.
Coolkey is already available in Debian at
http://packages.debian.org/source/sid/coolkey
Something like that might actually warrant a new point release of opensc
to make sure Linux distros pick up the fix.
Having a point release for every single bug fix would be overkill. So
the question is, what's the best approach to quickly distribute
important fixes? What would fit
Current Windows installer is built with mingw, as instructed on
WindowsInstaller [1]
Building with VS is possible, but is not as automated and repeatable as mingw
(the dependencies need to be fetched and built as well somehow). Improvements
to both documentation and alternative build
is it possible to use OpenSC/OpenCT to replace my standard (Windows
GUI) login
You need either a CSP or a GINA replacement. (Though I think maybe
pGina stopped working in newer Windowses?) I think there is a
for-free CSP that can use the opensc p11.
Thanks Peter, but what is 'CSP'
You get to google that all on your own.
Aladdin/SafeNet eTokens do not support CNG, so you /cannot/ use
CNG-based Certificate Templates (i.e. Server 2008-compatible templates)
when issuing Smart Card Logon certificates to Aladdin eTokens. Thus,
you must make sure that any Certificate
Note that neither of these have much to do with the opensc p11.
I hope that I won't need Aladdin 'layer' on top of what I am required to
use, otherwise it is a no-go from me.
I did try something similar about 5 years ago and got nowhere as I was
not prepared to pay Aladdin the money they
[3] http://www.opensc-project.org/opensc/wiki/ReleaseNotes
That gives me 'Trac Error - Page ReleaseNotes not found' - thought to
let you know.
___
opensc-devel mailing list
opensc-devel@lists.opensc-project.org
@ALL:
The 'pkcs15-tool' should possibly be changed to output the raw data as
its default. That would not be that strange, because the unix command
'cat' does exactly the same. Therefore users should be prepared for it.
That would be very wise!
@MDF:
Before making even more effort on
What is the module you are writing? An alternative to OpenSC (not OpenCT)
PKCS#11 module?
No. My module will allow opening of LUKS-encrypted partitions (including
root partitions) at boot up time before the kernel loads using udev.
Currently this is only possible with password
Should be the same for all cards. But it's better to use --slot-label
instead of --slot, because slot numbering may vary depending on reader
configuration (i.e. a different number of readers attached to systems).
Noted! I assume --slot-label is [a-zA-Z0-9] with no spaces, is that right?
@MDF:
Before making even more effort on storing data objects, you should
definitely check if these objects are really private. My assumption is,
they are not.
Your assumption was wrong!
$pkcs15-tool -C
...
Path: 3f0050153303(read 3f00/5015/3303)
...
$opensc-explorer
Your assumption was wrong!
Which command and parameters do you use to write the objects to the
card? I'm using the current version from trunk, and there the behaviour
is different.
1. Generate a key file. I used:
- dd if=/dev/random of=~/master-key bs=1 count=2048
- dd if=~/master-key of=~/key256 bs=1 count=256
- dd if=~/master-key of=~/key512 bs=1 count=512 seek=256
- dd if=~/master-key of=/key1k bs=1 count=1024 seek=768
For what kind of algorithm are
Opensc-explorer shows me the content of CIAInfo.bin without
pin-verification. Does that answer your question?
Yeah, just about. Why do you think that is? Could this be a
manufacturer-related issue?
the attached patch fixes #220. Now the login function does what its name
promises. If user-login is not desired, then simply don't call login()!
Am I right in assuming that the patch attached 'automatically'
determines whether a login is required (even if -l and/or --pin
options are
No. It forces a login, if -l is specified (even if login is NOT required).
Many thanks for your input Andre! Comments below:
Right, so I presume if I want to see whether a login is required I still
have to use pkcs11-tool -O and check whether the object I am
interested in is shown (and its 'private' flag is set). Is there another
(more straight-forward)
It's completely hidden, for sure. Without login, you can't decide if
there are private objects on the token or not.
True, after testing it earlier there is nothing there to see - it is as
if the token does not exist (rightly so, I think).
I have to think about what other/better
As an aside question: when I create a data token I could specify
--auth-id (I normally chose --auth-id=01 if I need that data token
to be private), which, to me, implies that I could register more than
one auth-id.
Do you use auth-id with pkcs15-init? If true, then you could
How about writing a tool which interfaces directly with a p11 module,
rather than being stuck with the particular things pkcs11-tool can
do.
I would have done it ages ago if: 1) I had enough knowledge of how
OpenSC/OpenCT works (or have enough time on my hands to acquire such
knowledge -
I think you would have been done by now if you did.
How OpenSC and/or OpenCT works is not actually required to use the
p11 module, but of course it is quite useful background information.
From your descriptions I think you only need very basic things from
p11, which you should be able to
pkcs15-tool -r 1f645352 | grep -v '\-' | base64 -d
Nope! It does not work even if I add the '-i' option on base64 - it
generates more data - the resulting file is larger than the key itself.
Key size is 256 bytes, output (encoded) is 384 bytes.
Got it working in pkcs15-tool as well,
In other words, when I execute this:
/bin/plymouth ask-for-password --prompt Enter your PIN --command
/usr/bin/pkcs11-tool -lry data --slot 2 --application-id 12 |
/sbin/cryptsetup luksOpen /dev/xxx --key-file=-
See attachment and use exactly the same quotation marks.
./x.sh
That's not really feasible because the pin is hard-coded in x.sh
Do not expect complete solutions to your problems. Instead you should
fill in the missing parts yourself.
I did - in the script I attached in my previous post.
It would be much better to print the prompt on stderr.
In the next few days I will build the scripts for installing all files
and automatically build initrd/initramfs and then will be in a
position to test it. As I pointed out above I already tested
pcsc-lite-libs+OpenCT+OpenSC (without anything else) and it works to
absolute perfection, so
Is it possible to have an option (say, --display-no-prompt or -nd
for short) where pkcs11-tool does NOT display any kind of user prompt,
like Please enter User PIN:?
The reason I am asking this is because if I want to pipe the output of
pkcs11-tool and rely on stdout the above prompt will mess
I already tested pcsc-lite-libs+OpenCT+OpenSC
Why do you need pcsc-lite-libs?
Spotters badge!
Executing rpm -qRp on the newly-built package gives me
pcsc-lite-libs(x86-64) so, naturally, I assumed that was needed (the
package contains two .so files, so not much of a difference
Then I think it would be a better idea to make a p11 provider
directly on top of libccid.
That may work. But Mr Dash Four wrote he also needs OpenCT.
Since he does not give the list of readers he wants to use I can't really help.
You already know that I am using Aladdin eToken 64k
In other words, build a wrapper around libccid with an api
compatible with libpcsclite.
you could use something like this:
pkcs15-crypt --key 3b8d4e --input cipher.bin --decipher -R
The only requirement is libpcsclite. Everything else could be turned
off. Correct?
You've lost me!
I already have the data object stored on my smartcard and I need a
stripped-down
(x86_64) to login with it without the need to type uid/password without
much success!
AFAIK you will not succeed, as you will need to type/select at least
the user, the detect my user when I plug in my card does not work
[1]
Could you elaborate please? I have succeeded insofar
OK, further to my previous post earlier, I have now made significant
progress.
For some strange reason the link I quoted in the previous post used to
download version 0.6.3 (even though the latest version is 0.6.4) and I
did not check the file itself as my own (Fedora-distributed) version was