On Thursday 27 April 2006 11:45, Martin Paljak wrote: > > What card are you using?
An older FINEID card, opensc-tools says SetCOS. I believe it follows the fineid application 1.x specification (see www.fineid.fi), not the later version 2. > I *think* the apdu data sent to reader-pcsc.c > should already contain the Lc byte. I'm totally new to the opensc/pcsclite codebase and do not know the assumptions between the modules. In the dumps I made runtime, in this case the resulting pin verify block + apdu did not have Lc but it had the data. I did not investigate the apdu data that comes as input. Why does it need to use a copy? Why not make a new verify apdu from the scratch in this case? The fineid spec allows empty Lc when verify command is sent to the card, but in this case there is some Data and Lc must be set correctly. Actually, I don't know what the card/reader would do if Lc was empty. With Lc=0 the card (i.e. the fineid application) should tell that verification is not required or tell the number of retries left. It follows that Lc > 0 (data+padding) is a must if one wants the secure pin verify to happen between the reader and the card? > Don't have a reader with > me to test it currently. So the problem might be where the apdu is > constructed not in the pcsc code. Quite probable. I would assume the present opensc code has been successful before. Btw., I updated by SPR532 to firmware 5.09beta (from the SCM site) and have not used any other fw before. I read somewhere that some cards have problem with 5.09 and people have downgraded back to 5.07 or so. For me the fw seems to work but I'm not 100 % sure since I started to use the whole stuff only recently. > > This is a known issue. You can bug mozilla NSS developers that > starting from NSS 3.10 NSS selects a nonrep key/cert for SSL client > authentication even when the cert usage does not indicate it and when > you have another certificate that *is* for SSL client usage. > (this has been on my todo list for quite some time...) Too bad. In web-surfing, I really would not like to give my signature to any site that I have not even seen yet - especially because the fox shows me the site's ssl certificate only *after* I have verified the pins to the card! I think that eventually there might be a "signature phishing" case that would misuse such browser behaviour. It need not even be illegal: consider a web page that makes you sign a licence agreement, eula or whatever that fits in the business plan but before you see anything about the stuff - like the "legal" texts in the cd-roms telling that by opening the envelope you have blah blah. Oh joy :( _______________________________________________ opensc-devel mailing list [email protected] http://www.opensc-project.org/mailman/listinfo/opensc-devel
