Re: [opensc-devel] configure opensc to deliver an other cert as the one requested

2006-01-31 Thread Peter Koch
Hi Christian > > >The problem is this: the usual case seems to be someone tells the > > >application to use private-key with ID 1, and the application also > > >uses the cert with ID 1 for that communication. Due to a different > > >use of certs in this card here that doesnt work out: i have to us

Re: [opensc-devel] configure opensc to deliver an other cert as the one requested

2006-02-02 Thread Peter Koch
> > That's a quick (and dirty) hack. > Yes, but seems to do what i want. If more people need this and i have > overseen an official way to configure this it could be implemented > i.e. using opensc.conf. I'm sure this works with OpenSwan and with NetKey-cards that have additional user-certificate

Re: [opensc-devel] configure opensc to deliver an other cert as the one requested

2006-02-03 Thread Peter Koch
> Peter Koch wrote: > ... > > OpenSwan should NOT assume that the key has the same ID as the > > certificate as this cannot be true for cards that have more than > > one certificate per key. > > the pkcs11 (and pkcs15) ids are not unique ids. It is possible > that

[opensc-devel] PKCS#15-question about Cert-IDs and Key-IDs

2006-02-03 Thread Peter Koch
Hi I just learned that PKCS#15 IDs are non-unique and MUST be chosen such that a certificate has the same ID as its corresponding private and public key. Therefore I changed my PKCS#15-emulation for NetKey cards. This kind of card contains more than one certificate that correspond to the same pr

Re: [opensc-devel] PKCS#15-question about Cert-IDs and Key-IDs

2006-02-04 Thread Peter Koch
> > I just learned that PKCS#15 IDs are non-unique and MUST be chosen > > it is not a must, just a recommendation to simplify the search for > the corresponding private key (btw: afaik pkcs11 recommends to use > subject key identifier (normally a digest of the key) as id) If this is a recommenda

Re: [opensc-devel] PKCS#15-question about Cert-IDs and Key-IDs

2006-02-08 Thread Peter Koch
Hi! Before I programmed the PKCS#15 emulation routine for TCOS-cards I downloaded the PKCS15-spec but it was too long and I was too lazy to read it. So I just used my common sense. One consequence was that I chose unique IDs for certificates. I still believe that a non-unique identifier does not

Re: [opensc-devel] PKCS#15-question about Cert-IDs and Key-IDs

2006-02-08 Thread Peter Koch
> BTW - I've been wondering why the CKA_IDs of the CA certs which > were stored onto the card using the command > > pkcs15-init --format PKCS12 --store-private-key myCert.p12 > > don't show up as 0x46 and 0x48, respectively, but as 0x00. > > Any ideas? Might be sensitive data which is availabl

Re: [opensc-devel] PKCS#15-question about Cert-IDs and Key-IDs

2006-02-08 Thread Peter Koch
Hi, > There are two ways to select a certificate: > > a) by CKA_ID and optionally by slot > ... > > b) by enumeration (positional parameter) > ... > > strongSwan can now select one of the certs using the position > #1, #2, #3, #4. Currently in order to retrieve the desired certificate > and to use

Re: [opensc-devel] Issue with SignTrust TCOS Card

2006-04-21 Thread Peter Koch
Hi Holger! > I have run into an issue using a SignTrust TCOS Card (issuer: Deutsche > Telekom) in a Reiner SCT cyberjack smart card reader. I am using the > CTAPI driver supplied by ReinerSCT (libctapi-cyberjack). > > I can't create signatures on the card using the default signature key in > slot

[opensc-devel] Re: netkey-tool

2006-05-05 Thread Peter Koch
Hi Karl, > Hi Peter, > > Where can I download netkey-tool for use on xp. > > Many thanks, > > Karl netkey-tool is part of the regular OpenSC package for quite a while. It is supposed to be in the windows version too. If for some reason it is not - please complain about it on the OpenSC mailin

[opensc-devel] Re: netkey-tool

2006-05-07 Thread Peter Koch
Hi I had a look at the Makefile that creates the SCB-package. http://www.opensc-project.org/svn/scb/trunk/Makefile.mak It contains the following block that copies all the Opensc executables: COPY SRC\TESTS\BASE64.EXE $(DEST) COPY SRC\TESTS\P15DUMP.EXE $(DEST) COPY SRC\TE

[opensc-devel] Re: netkey-tool

2006-05-07 Thread Peter Koch
Hi Andreas > > Or maybe even > > > > COPY SRC\TOOLS\*.EXE $(DEST) > > done. do you need a new scb package right now? I don't need one, but I got emails from three different persons all asking for a windows copy of netkey-tool. Probably all participants of this year's LinuxTag :-) You cannot

[opensc-devel] PuTTYcard - who's using it

2006-09-04 Thread Peter Koch
Hi all! > > Anything new with the eToken Pro issue? > > > > I have formated my eToken Pro direct with openSC but PuTTYcard does not work > > :( > > > > I thought that I’m not impacted by the file layout problem because I have > > used the pkcs15-init command. Is there any way to use a Aladdin eT

[opensc-devel] debug-output under Windows

2006-09-13 Thread Peter Koch
Hi all! I would like to analyse the APDUs that are sent to a smart card when Firefox does certificate based client authentication under windows. Here's what I put into C:\Programme\Smart card bundle\opensc.conf: app default { debug = 9; debug_file= C:\Temp\OpenSC.log . But whatever de

Re: [opensc-devel] Netkey-card with multiple certs per private key

2006-10-30 Thread Peter Koch
Hi Christian! > sorry to bug you again with this issue, but i want to > clean stuff up here. I like to hear from people that use my TCOS emulation :-) > > Here's what I might do: I could reorder the certificates in the > > Netkey emulation such that the user-certificates will be > > the first to

Re: [opensc-devel] Netkey-card with multiple certs per private key

2006-10-31 Thread Peter Koch
Hi Andreas! > Try strongSwan from http://www.strongswan.org which has a regular > PKCS#11 smartcard interface and allows to select certificates > according to position e.g. > > leftcert=%smartcard#4 > > which is the fourth certificate in the enumeration shown by > > ipsec listcards > > Rea

Re: [opensc-devel] Datev Smart Card support for PKCS11?

2006-11-10 Thread Peter Koch
Hi > I've noticed that the wiki is not up to date in this section > (http://www.opensc-project.org/opensc/wiki/GermanEid). According to the > Datev Homepage, the Smart Card is based upon the Telesec TCOS 2.03 MIN > and the Siemens SLE66CX322P-Microchip (http://datev.de/info-db/0903358). > > opens

[opensc-devel] Datev Smart Card support added

2006-11-17 Thread Peter Koch
Hi all Daniel Zauft donated a DATEV card (DATEV smartcard classic), so I was able to add support for this kind of preformatted TCOS-card. Please test and let me know whether you were able to use your DATEV card or not. Peter

Re: [opensc-devel] Re: Datev Smart Card support added

2006-11-30 Thread Peter Koch
Hi Andreas! > I also have an DATEV SmartCard. But whatever i try, i can't get > Thunderbird to work with that card. How did you do that ? > If i can make some dumps with an opensc-tool for "debugging" or whatever > just let me know (and tell me how to do this - on an windows-xp-system). I added

[opensc-devel] OpenSC logo

2006-11-30 Thread Peter Koch
Hi Matti! > Hello, I'm the original author of the logo (chip-key) you still seem to be > using, after all these years :) Don't panic, I'm NOT writing here to claim > it back, or to make demands, since it was commissioned exclusively for > the project by one (ex-)project member (Antti Tapaninen

Re: [opensc-devel] Request for advice: want to support MS Windows-initialised Aladdin eToken pro

2006-12-28 Thread Peter Koch
Hi Persival! At this year's LinuxTag in Wiesbaden, Germany, Aladdin donated two eTokens to me and I tried to do exactly what you are asking for, namely writing a PKCS15-emulation for the Aladdin proprietary file layout. Writing the source is relatively simple, just have a look at one of the existi

[opensc-devel] Request for advice: want to support MS

2006-12-28 Thread Peter Koch
> > Unfortunately the login-process uses some sort of challenge-response > > mechanism (GET CHALLENGE command followed by EXTERNAL AUTH) > > So far I have absolutely no idea how to compute the response from > > a given challenge. I do know where the certs and keys are, and I do > > know all APDUs t

Re: [opensc-devel] DATEV-SmartCard classic

2007-03-25 Thread Peter Koch
Hi Stesie! > first of all, I'd like to thank you for writing OpenSC. nice to know ! > I recently got myself a `DATEV SmartCard classic' and tried to use it > with OpenSC today (svn snapshot 3144). > > However I had to slightly modify libopensc to make it recognize the > card: Seems that you und

[opensc-devel] Status of StarCos support

2007-03-25 Thread Peter Koch
Hi! What's the status of OpenSC's StarCos support? I just looked into SVN and lately only bug-fixes were applied to card-starcos.c. Is somebody working on StarCos 3.0 support or has already looked into the StarCos 3.0 manual? Is anybody planning to do this? Peter

[opensc-devel] GET CHALLENGE / EXTERNAL AUTHENTICATE Problem

2007-04-14 Thread Peter Koch
Hi all! I'm trying to do an EXTERNAL AUTHENTICATE against a CardOS 4.01 card. Requesting the challenge is easy. But how do I calculate the response? Here's an example that I captured with an USB-sniffer: APDU 1: 0084 08, Response 584eb56f6d9f13c5 9000 APDU 2: 00820081 08 cdddb92642a38d3b, R

Re: [opensc-devel] GET CHALLENGE / EXTERNAL AUTHENTICATE Problem

2007-04-16 Thread Peter Koch
Hi Nils > sure that a normal pin is used (or is this a DES key which > somehow needs to be enlarged to 64 bits) ? Of course a key is needed to calculate the response. I assumed that this key was calculated from the PIN by just 0-padding it. > > I have already tried stuff like > > > > echo -en '\

Re: [opensc-devel] tcos encipherment

2007-08-24 Thread Peter Koch
> I try to decrypt ciphertext with Deutsche Post card (tcos). > ATR: 3B BA 96 00 81 31 86 5D 00 64 05 7B 02 03 31 80 90 00 7D. > > Data encrypted by RSA, using OpenSSL with public key of Deutsche Post > certificate. > > On decryption operation I have error on APDU: > > ... > > transmitted: 00 22 C1

Re: [opensc-devel] tcos encipherment

2007-08-27 Thread Peter Koch
> > How did you encrypt your data? Looks like a padding problem to me. > > OpenSC assumes that you used PKCS#1-padding before you encrypted > > your data. I'm not sure whether all keys on your SignTrust card > > supports non-PKCS#1-padding. Let me know if you must decrypt > > non-PKCS#1-padded data

Re: [opensc-devel] tcos encipherment

2007-08-29 Thread Peter Koch
> Question: what is limitation on size of pbData for successful decryption. > I know, what for successful encryption, size of pbData must be less of equal > max_in_size. On decryption for NetKey card max_in_size == 117 (ex_size == > 128, > RSA_PKCS1_PADDING_SIZE == 11), but if in RSA_public_en

Re: [opensc-devel] Aladdin emulation

2007-10-26 Thread Peter Koch
Hi Chaskiel, > I'd also like to confirm that there's no emulation for the aladdin > filestructure or anyone working on such. (my employer is considering > these devices, and windows/cisco vpn client compatibility will be > important) There is no emulation in OpenSC for the filestructure th

[opensc-devel] opensc-explorer, cat does not work with TCOS-cards

2007-12-23 Thread Peter Koch
Hi, I'm working on the TCOS driver (support for new TCOS 3.0 cards) and I noticed a problem with TCOS-cards in opensc-explorer. It happens with both TCOS 2.0 and TCOS 3.0 cards. cat 2f02 does not work and here's the relevant debug-output: Outgoing APDU data [8 bytes] ==

[opensc-devel] TCOS3 support - SM related question

2007-12-28 Thread Peter Koch
Hi, I just extended the TCOS driver. It's now supposed to support both TCOS2 and TCOS3 cards. I changed almost all TCOS-related stuff and pkcs15-tcos.c is a complete rewrite of the old version. So chances are pretty good that something does not work anymore. I did some tests with my new TCOS3 ca

[opensc-devel] nightly snapshots missing

2008-02-21 Thread Peter Koch
Hi all People asked me how they could download an OpenSC version with TCOS3-support, which I added with revision 3309. I told them to download the latest nightly snapshot but http://www.opensc-project.org/files/opensc/snapshots/ does not contain current versions. Seems like no nightly snapshot w

Re: [opensc-devel] eToken AKS support

2008-03-15 Thread Peter Koch
Hi Dmitry, > I try to provide user logon on eToken AKS application. > Token based on Cardos V4.2B. What kind of logon do you mean (ie. Windows-logon, SSH-logon, ...) > Aladdin's utility eToken Property use EXTERNAL_AUTHENTICATE for this. > Utility send APDU GET_CHALLENGE "00 84 00 00 08" and

Re: [opensc-devel] Externally generated keys

2008-03-27 Thread Peter Koch
Hi Marc: > From the FAQ at http://www.opensc-project.org/faq.html > > "Can I store my ssh private key on a smart card? > > "Most people prefer to use a smart card with a key that was generated on > the card and cannot ever leave it. In fact everyone seems to do that. So > while it might be tech

Re: [opensc-devel] A graphical PIN dialog for PKCS#11?

2008-08-12 Thread Peter Koch
Sorry - I did not read the OpenSC mailinglist for a while, otherwise I could have informed you about my FireFox 2/3 experiences regarding smart cards and PIN-dialogs. 1) FireFox 2 always asks for a PIN before C_Login is called. If CKF_PROTECTED_AUTHENTICATION_PATH is set FireFox 2 will ignore what

[opensc-devel] Secure PIN Entry does not work

2008-10-19 Thread Peter Koch
pected under windows. Peter Koch #include #include #include #include int main(){ SCARDCONTEXT hContext; SCARDHANDLE hCard; LONG ret; DWORD i, ol, dw, spe_ctl_direct, state, proto, buflen, atrlen; BYTE obuf[100], atr[32]; char buf[1000];

Re: [opensc-devel] test of German health card (eGK)

2009-02-05 Thread Peter Koch
Hi! The German eGK specification does NOT specify a complete card operating system but only a few commands. Every card operating system that implements those commands (among others) is eGK-compliant. In order to support a card OpenSC must implement a couple of basic commands and only some of them

[opensc-devel] Question / Searching Peter Koch

2009-02-20 Thread Peter Koch
Hi Jochen! > in the past there was a developer who got information about the TUD > Smartcard project at the TU Darmstadt. I think his name was Peter Koch. > Please can he contact me, I am the successor of Ronny John at the > Smartcard project and have some questions and

Re: [opensc-devel] APDU to verify Admin PIN

2012-04-21 Thread Peter Koch
Hi Nguyễn Hồng Quân. Since you are trying to change the preferred language with a PUT DATA command I assume you are using an OpenPGP card. OpenPGP cards use ASCII coding of PINs so the correct APDU to verify your admin PIN (assuming its value is the default 12345678) is 00 20 00 83 08 31 32 33 34

[opensc-devel] flex.profile missing and PIN-Entry broken

2012-05-06 Thread Peter Koch
Hi I just tried to erase my old Cryptoflex card and recreate a PKCS#15-structure under Windows. First problem was: flex.profile was missing - here's the relevant debug output from pkcs15-init -Cvvv 2012-05-06 10:57:54.577 Trying profile file C:\Programme\OpenSC Project\OpenSC\profiles\pkcs15.prof

[opensc-devel] OpenPGP card / Cryptostick - current status???

2012-05-20 Thread Peter Koch
Hi Early this year I was asked by the German Privacy Foundation whether I was willing to enhance OpenSC support for their CryptoStick. http://www.crypto-stick.com/2011/opensc-pkcs11-driver-development I wrote a PKCS#11-library for OpenPGP cards in 2010 so I have some experience with this kind of c

Re: [opensc-devel] OpenPGP card / Cryptostick - current status???

2012-05-23 Thread Peter Koch
Hi Quân I still don't understand what you are trying to do - maybe you can explain that in more detail: The purpose of pkcs15-init is to create a PKCS#15 filesystem layout on a card. The purpose of a pkcs15-emulation routine is to make OpenSC believe that a card has a PKCS#15 filesystem which in

Re: [opensc-devel] CRYPTOMATE64

2012-05-23 Thread Peter Koch
Hi 2012/5/23 NdK > Someone already tested that token? It's the only one I could find that > handles RSA4096... > So does the OpenPGP card and the CryptoStick (which contains that card) Peter

Re: [opensc-devel] OpenPGP card / Cryptostick - current status???

2012-05-27 Thread Peter Koch
Hi Peter > But changing the contents of DOs on an OpenPGP card is exactly > > what the gpg administration tools do, so why reimplementing this into > > pkcs15-init > Because it > * looks possible ;-) > * helps to better understand PC/SC, opensc, gpg, ... > * is fun > * may improve opensc's PKCS#*

Re: [opensc-devel] Docs/Specs on ACLs / security attributes?

2012-05-28 Thread Peter Koch
Hi Peter I am trying to extend openpgp-tool to load data to the various writable DOs, > and - if possible - I want it to determine automatically the permissions of > the (emulated) files using standard interfaces, i.e. security attributes or > preferably ACLs. As the file system on openPGP cards o

Re: [opensc-devel] Active developers on opensc-project.org

2010-03-28 Thread Peter Koch
Hi Martin! I'm maintaining the TCOS-driver and the PKCS#15-emulation for German signature cards and some TCOS-based University cards. There was no need to change the driver for about two years, but this doesn't mean that the TCOS-driver is unmaintained. I therefore changed the Wiki-tags and remo

Re: [opensc-devel] Fix Netkey SigG application

2010-04-18 Thread Peter Koch
Hi Christian Somewhere between 0.11.4 and 0.11.8 the SigG application of > "TeleSec GmbH" Netkey cards got broken. > Yes and this was due to an incorrect renumbering of the PINs. The SigG-key of both TCOS2 and TCOS3-cards are protected by PIN 5. Both cards have 6 different PINs (PIN 1 - 6), but t

Re: [opensc-devel] Fix Netkey SigG application

2010-04-20 Thread Peter Koch
Hi Christian, You take care to push my patch or an improved one into opensc? > I fixed the incorrect PIN-IDs in trunk on last saturday. We actually also own some TCOS3 2048 bit cards which are pretty useless > for us until opensc supports secure messaging. > > Are there any plans to implement it

Re: [opensc-devel] Aladdin eToken Pro w/PKCS15 (was Re: OpenPGP card v2)

2010-07-22 Thread Peter Koch
Hi David! > Ok, thanks for the summary (depressing though it is). > > I'm beginning to suspect that for someone like myself who just wants to > test NSS/sysdb interaction with external PKCS#11 modules, my best option > is just to crawl back under my rock and write a sane PKCS#11 plugin for > a TPM

Re: [opensc-devel] Call for testing of the upcoming 0.12.0 release / PIN not asked

2010-09-12 Thread Peter Koch
@Johannes: > Apply this patch locally, and everything should work fine. BTW the > unicard support was added by Peter Koch [1]. Maybe you want to contact > him for an upstream patch. > pkcs15-tcos.c has not been modified for a long time (except some minor cosmetic changes). So somethi

Re: [opensc-devel] MyEID microSD

2010-09-12 Thread Peter Koch
Hi Andre! Have a look at: http://www.certgate.com/index.php?id=71 Certgate was the first company that offered smart cards built into microSD cards. I got two testcards from certgate in 2008. One was java-based and one contained a TCOS3-chip. They were planning to offer an ifd-handler for linux.

[opensc-devel] card->max_recv_size problem

2010-09-12 Thread Peter Koch
Hi! tcos_init() does NOT set card->max_recv_size and therefore some default value (i.e. 256) was used. With current svn this does not work anymore. sc_read_binary() checks whether count > card->max_recv_size and then tries to read count bytes in chunks of card->max_recv_size. If card->max_recv_siz

Re: [opensc-devel] card->max_recv_size problem

2010-09-13 Thread Peter Koch
Hi Martin! 2010/9/13 Martin Paljak > > Should I set card->max_recv_size and card->max_send_size > > in tcos_init()? > > > No. Sorry, this place was erroneously left untouched and is fixed in SVN > trunk. Please verify that it works as expected. > Not yet! I had to replace line 122 of iso7816.c

Re: [opensc-devel] Call for testing of the upcoming 0.12.0 release / PIN not asked

2010-09-15 Thread Peter Koch
Hi Johannes: 2010/9/9 Johannes Becker > Hello, > > now I have the opensc-debug logs for pkcs11-tool -L with TCOS > > opensc version 0.11.13-1 gives > token flags: login required, PIN initialized, token initialized > http://www.uni-giessen.de/~g013/opensc/opensc-debug.0.11.13-1.log

Re: [opensc-devel] Call for testing of the upcoming 0.12.0 release

2010-09-16 Thread Peter Koch
Hi Martin; The TCOS driver marks the user PIN as unblocking PIN [3], which I believe is > incorrect (only PUK should have the unblocking code flag set) > > The attached patch should fix this. Peter, please add your comment. > PKCS#15-spec says: PinAttributes.pinFlags: This field signals whether

Re: [opensc-devel] FOSDEM 2011: february 5th and 6th

2010-09-16 Thread Peter Koch
Hi Andreas and Jean-Michel! > I always wanted to go to FOSDEM conference in Brussels, Belgium. > > Next year the conference will be on 5th and 6th of february. > > > Maybe more people on this list are interested in going there > > and meeting up, and maybe having a devroom, a talk, or whatever > >

Re: [opensc-devel] OpenSC 0.12.1 RC1

2011-05-28 Thread Peter Koch
2011/5/12 Johannes Becker > Am Freitag 29 April 2011 schrieb Martin Paljak: > > > > > I froze r5409 [1] as OpenSC 0.12.1 RC1. > > It works with iceweasel (firefox) and CardOS V4.3B > > It doesn't work with TCOS 2 . > This the same with OpenSC 0.12.0, we discussed the > problem without a solution

[opensc-devel] OpenSC now supports TCOS3 IdKey cards

2011-05-28 Thread Peter Koch
Hi I just added support for IDKey cards ( http://www.telesec.de/tcos/LB_IDKey_100318_dt.pdf ). If anybody out there is using this card with OpenSC (besides me) please let me know whether it works or not. Peter

Re: [opensc-devel] Pinpad Dell Smartcard Keyboard TCOS 2

2011-05-31 Thread Peter Koch
Hi, we are using TCOS2 cards for more than 7 years and our policy is to only use smartcard readers with secure PIN entry. The CCID standard improved things a lot but unfortunately only a few readers have 100% correct implementations. The Dell USB Smartcard Keyboard seems to support SPE only if the

Re: [opensc-devel] Pinpad Dell Smartcard Keyboard TCOS 2

2011-06-01 Thread Peter Koch
Hi Actually I'm not sure if in case of unpadded PIN blocks, should the initial > APDU prefix include CLA INS P1 P2 only or an additional 0x00 (which you > refer to as empty Lc) or not ? IMHO CCID spec leaves room for interpretation > there... I remember different behavior from different readers/ca

Re: [opensc-devel] Pinpad Dell Smartcard Keyboard TCOS 2

2011-06-03 Thread Peter Koch
2011/6/1 Martin Paljak > > Yes, it works on Linux. Windows is the problem. Maybe the fault is with > the SCM Windows > > driver. > > IIRC you need to very closely match the Windows driver and the device > Firmware. It had byte ordering issues and I *think* the Windows driver > requires the incorr

Re: [opensc-devel] Static PKCS#11 for OpenPGP v.2

2011-06-21 Thread Peter Koch
Hi Adam If you are looking for a standalone PKCS#11-library for OpenPGP cards you may try the library that I wrote for the CryptoStick http://www.privacyfoundation.de/crypto_stick/ The CryptoStick is a USB device with a builtin OpenPGP chip so all software for the CryptoStick works with "normal" O

Re: [opensc-devel] Pinpad, TCOS card

2011-07-16 Thread Peter Koch
Hi Johannes! 2011/7/15 Johannes Becker > Hello, > > I'm testing a new Firmware for the Xiring MyLeo card reader. It > will support extended APDU. It works with a CardOS chip, but > with a TCOS chip firefox displays quickly the small window asking > you to enter the pin on the pinpad several time

Re: [opensc-devel] Pinpad, TCOS card

2011-07-18 Thread Peter Koch
Hi Martin! 2011/7/18 Martin Paljak > > Some reader expect just 4 bytes (CLA INS P1 P2) without Le. Some other > > readers insist on getting a 0-Le byte. And very few readers handle both > cases. > > This should be tested and documented if possible. Creating conditional > reader-specific code is