here is a preview for opensc 0.11.7: http://www.opensc-project.org/files/opensc/testing/opensc-0.11.7-pre1.tar.gz
this new version has a number of changes for security: * lock_login is now on as default. if you want to run thunderbird and firefox at the same time, both with smart card support, you need to turn this option off. but that would allow any application to talk to your card, and steal a signature. * software key generation: I think people expect the smart card to generate rsa keys, not the opensc software on your host. but opensc can do that, for example if the card cannot generate rsa keys itself, or for corner cases like the cardos split key hack. now soft_keygen_allowed is off in the default configuration. if you want to use cards, that cannot create rsa keys themself or need special hacks, then you need to turn on this option. * private data objects were not implemented securely: the old code stored them with a flag "ask for the pin", but did nothing to protect the data, thus everyone can read it. The new code sets the access control right for such data objects, at least with the cryptoflex 32k card I tried. please give the code a try, and let me know, if your card still work. note for testing: * you need to initialize the card with "pkcs15-init -p pkcs15+onepin" so that you can store things with pkcs11-tool. * after storing data with pkcs11-tool, you can use opensc-explorer to try to download the data. with the old version "cd 5015" and "get 4601" would download the first data object, even if it was marked secure. with the new code the file is now 4701 and protected with a proper ACL, so you need to present the pin to the card before downloading that data. also side note: I'm not sure about this, but I think we cannot fix old cards with private data objects. what you can do is: * download the data * overwrite the data on the card with random data * store the secret data once more, this time with the new code, so it is properly secured this time. now you can delete the secret data from your desktop/laptop (use the "wipe" command to do that securely). please give this new version a try. I will be offline for a few days, back on january 4th, and plan to release the final 0.11.7 if you all agree that week (january 11th the latest). This should give everyone enough time for testing and improving the code. Thanks for your help! Regards, Andreas _______________________________________________ opensc-devel mailing list [email protected] http://www.opensc-project.org/mailman/listinfo/opensc-devel
