Hello,

On 27/12/2011 18:05, LinuxChuck wrote:
> On Sun, Dec 25, 2011 at 5:20 AM, Viktor Tarasov
> <viktor.tara...@gmail.com> wrote:
>> Hello,
>>
>> I have neither 'Windows 7 x64' nor 'CardOS 4.4' to test with.
>> I have been testing with 'CardOS v4.3b' on 'WinXP 32bit'.
>>
> I'm wondering if this may be a Windows x64 specific issue.


'It-works-for-me' on Windows 7 (64-bit) with the OpenSC.msi (64-bit) built on the
same platform with VS-2010.

I've had the seg.fault problems with the opensc tools from the 'nightly build'
that was built, apparently, from the same sources.

The difference between the two builds is that the first one was compiled with
'DEBUG' support. I will look later for the sources of the problems.
For now, I can send you the download link for the MSI that I've tested.

Kind regards,
Viktor.



>> The MSI was built by the 'nightly build', which uses the 'SM' branch:
>> http://www.opensc-project.org/downloads/nightly/viktor/win32/OpenSC-build102.71a73a59648aa4648d42dca2596cb624cd309af7.msi
>>
>> The card was initialized and the cert/key imported on Linux, using the package
>> built on the 'SM' branch:
>> # cardos-tool -f
>> # pkcs15-init -E
>> # pkcs15-init -C --label "Test" -P --auth-id 53434D --so-pin "12345678" --so-puk "123456" --pin "9999" --puk "8888"
>> # pkcs15-init -a 53434D --label "SmartCard Logon" -S basic-user-smartcard-logon.p12 -f pkcs12 --passphrase coucou  --so-pin "12345678" --pin "9999"
> I'm doing my tests with the same card configured as stated from my
> original post.  If I should re-initialize it using the above, please
> let me know.
>
>> Then in Windows:
>> C:\WINDOWS>certutil -SCinfo
>> 402.203.0: 0x80070057 (WIN32: 87): ..CertCli Version
>>
>> The Microsoft Smart Card Resource Manager is running.
>> Current reader/card status:
>> Readers: 1
>>  0: OMNIKEY CardMan 3x21 0
>> --- Reader: OMNIKEY CardMan 3x21 0
>> --- Status: SCARD_STATE_PRESENT | SCARD_STATE_INUSE
>> --- Status: The card is being shared by a process.
>> ---   Card: OpenSC CardOS v4.3B
>>
>> Analyzing card in reader: OMNIKEY CardMan 3x21 0
>> ================ Certificate 0 ================
>> --- Reader: OMNIKEY CardMan 3x21 0
>> ---   Card: OpenSC CardOS v4.3B
>>
>> Provider = Microsoft Base Smart Card Crypto Provider
>> Key Container = {017ba2c9-da88-742d-29d0-03f33451a7d7}
>> Performing AT_SIGNATURE public key matching test...
>> Public key matching test succeeded
>>  Key Container = {017ba2c9-da88-742d-29d0-03f33451a7d7}
>>
>>  Provider = Microsoft Base Smart Card Crypto Provider
>>  ProviderType = 1
>>  Flags = 1
>>  KeySpec = 2
>> Private key verifies
>> Performing cert chain verification...
>> ... and so on ...
>>
>>
>> I suggest you try the MSI above and activate debug (in opensc.conf, set
>> 'debug-level = 8' and a meaningful value for 'debug-file').
>> In this MSI the minidriver debug is activated; you should have a valid path
>> 'c:\tmp\' -- this path is encoded into the sources.
> Steps taken:
> 1.  Uninstalled the previous installation of OpenSC
> 2.  Rebooted
> 3.  Installed the nightly build you linked to above.
> 4.  Created "C:\tmp", set it to full-control for everyone on the system.
> 5.  I found that this installer did not place "opensc-minidriver.dll"
> in "C:\Windows\System32\" as the last installer did.  Instead, it
> placed it in "C:\Windows\SysWOW64\".  I updated the appropriate
> registry entries to point to this specific location.
> 6.  Updated "C:\Program Files (x86)\OpenSC Project\OpenSC\opensc.conf"
> file as you directed above.  Set the following:
>       a.  debug_file = "c:\tmp\opensc-debug.log";
>       b.  debug = 8;
>       c.  Added a clause for my card-specific ATR to ensure OpenSC
> chooses the CardOS driver.
> 7.  Rebooted
> 8.  Executed "Certutil -SCInfo"
>
> I am receiving the exact same results as before.  No debug log files
> are being created in "C:\tmp".  Did I miss a step, or set something
> incorrectly?
> From the OpenSC tools provided in the Windows installation, I can
> successfully query the card and view the objects using "pkcs15-tool
> -D" at the Windows command prompt.
>
>> Send here the md.log and opensc-debug.log.
>>
>> Kind regards,
>> Viktor.
> Thanks for the quick response!  Hoping to hear back again.
>
>>
>> On 22/12/2011 17:37, LinuxChuck wrote:
>>> Hello all,
>>>
>>> Be warned, I am learning all of this as I go, so there may be some
>>> obvious mistakes below that could easily solve my problems.  Feel free
>>> to point those out.  :-)
>>>
>>> I've recently finalized the lengthy NDA process that allows me access
>>> to the keys for unlocking and initializing my CardOS 4.4 smartcards.
>>> I have managed to decipher their "initialization scripts" A.K.A. "CSF"
>>> files into APDU statements that I can send directly via opensc-tool.
>>> I even threw together an ugly little limited bash script using awk,
>>> sed, and grep to parse their CSF files into directly-executable APDU
>>> statements via opensc-tool.
>>>
>>> I received the cards in manufacturing lifecycle with their proprietary
>>> factory Startkey.
>>>
>>> I'm using an SCM SCR3311 USB card reader, and have it working quite
>>> nicely in both Linux and Windows.
>>>
>>> Here's a quick summary of what I can *successfully* accomplish with
>>> the cards so far on my Linux workstation:
>>> 1.  Send an APDU to change the Factory Startkey to the default "0xff"
>>> Startkey.
>>> 2.  Send an APDU to move the card from Manufacturing lifecycle to
>>> Administration lifecycle.
>>> 3.  Send an APDU to fully erase the card, and set it back to
>>> Manufacturing lifecycle (leaving the key at default)
>>> 4.  Initialize the card via pkcs15-init with an SO PIN and a User PIN
>>> as follows:
>>> pkcs15-init -C --so-pin 12345678 --so-puk 09876543
>>> pkcs15-init -P -a a2 -l "User PIN" --pin 09871234 --puk 12340987
>>> 5.  Erase the card via pkcs15-init -E
>>> 6.  Generate a certificate on-card via pkcs15-init -G
>>> 7.  Import a certificate and private key from an Active-Directory
>>> (2008 r2) generated user certificate as follows:
>>> pkcs15-init -S PkiTestCertificate.pfx -f PKCS12 -a a2 -i 45 --passphrase PASSPHRASE --split-key
>>>
>>>
>>> Now, let's say I perform steps 1, 2, 4, and 7 above on a new card.
>>> Everything seems to work as expected.  I can even do a pkcs15-tool -D
>>> and see all the objects I expect to see from the card.
>>>
>>> This is where the fun ends.  Now I'm kind of stuck.
>>>
>>> When I take this newly initialized card and plug it into a Windows 7
>>> workstation on the Domain where the user certificate was created, I
>>> can't get the windows system to recognize the card.  I've taken the
>>> following steps on the windows client:
>>> 1.  Installed the 12.2 Win64 WindowsInstaller from the OpenSC downloads
>>> page.
>>> 2.  Created the appropriate registry entries as suggested in the
>>> minidriver wiki entry.  (included below as "registry entries applied")
>>> 3.  Rebooted
>>> 4.  Inserted the card
>>> 5.  From a command prompt, I execute "certutil -SCInfo".
>>>
>>> This results in a series of 3 pop-ups stating that I need to insert a
>>> smart card.  The details on the pop-up state that the smart card
>>> inserted is "OpenSC Card", and that "A smart card was detected, but is
>>> not the one required for the current operation.  The smart card you
>>> are using may be missing required driver software or a required
>>> certificate."  I only have the option to "Cancel" these pop-ups.
>>>
>>> Additionally, I get the output below on the command-line.
>>> (included below as "certutil output")
>>>
>>> This is where I'm stuck.  What am I missing to allow Windows 7 x64 to
>>> see and access certificates on this smart card?
>>>
>>> One notable issue that may be the solution:  Included with the
>>> proprietary CSF scripts were a series of 256-byte APDU commands to
>>> apply a "service pack" to the cards prior to
>>> initialization/personalization.  But I am not familiar with how to
>>> apply these super-long APDU's to the cards via the opensc-suite of
>>> utilities.
>>>
>>> I'd greatly appreciate any suggestions or good leads toward completing
>>> this project.
>>>
>>> Thanks in advance!
>>>
>>> ******registry entries applied******
>>> Windows Registry Editor Version 5.00
>>>
>>>
>>> [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Calais\SmartCards\OpenSC Card]
>>> "ATR"=hex:3b,d2,18,02,c1,0a,31,fe,58,c8,0d,51
>>> "ATRMask"=hex:ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff
>>> "Smart Card Key Storage Provider"="Microsoft Smart Card Key Storage Provider"
>>> "Crypto Provider"="Microsoft Base Smart Card Crypto Provider"
>>> "80000001"="opensc-minidriver.dll"
>>>
>>> Windows Registry Editor Version 5.00
>>>
>>>
>>> [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Calais\SmartCards\OpenSC Card]
>>> "ATR"=hex:3b,d2,18,02,c1,0a,31,fe,58,c8,0d,51
>>> "ATRMask"=hex:ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff
>>> "Crypto Provider"="Microsoft Base Smart Card Crypto Provider"
>>> "Smart Card Key Storage Provider"="Microsoft Smart Card Key Storage Provider"
>>> "80000001"="opensc-minidriver.dll"
>>> ******registry entries applied******
>>>
>>> ******certutil output******
>>> The Microsoft Smart Card Resource Manager is running.
>>> Current reader/card status:
>>> Readers: 1
>>>   0: SCM Microsystems Inc. SCR33x USB Smart Card Reader 0
>>> --- Reader: SCM Microsystems Inc. SCR33x USB Smart Card Reader 0
>>> --- Status: SCARD_STATE_PRESENT | SCARD_STATE_UNPOWERED
>>> --- Status: The card is available for use.
>>> ---   Card: OpenSC Card
>>> ---    ATR:
>>>         3b d2 18 02 c1 0a 31 fe  58 c8 0d 51               ;.....1.X..Q
>>>
>>>
>>> =======================================================
>>> Analyzing card in reader: SCM Microsystems Inc. SCR33x USB Smart Card
>>> Reader 0
>>>
>>> --------------===========================--------------
>>> ================ Certificate 0 ================
>>> --- Reader: SCM Microsystems Inc. SCR33x USB Smart Card Reader 0
>>> ---   Card: OpenSC Card
>>> Provider = Microsoft Base Smart Card Crypto Provider
>>> Key Container = (null) [Default Container]
>>>
>>> Cannot open the AT_SIGNATURE key for reader: SCM Microsystems Inc. SCR33x
>>> USB Sm
>>> art Card Reader 0
>>> Cannot open the AT_KEYEXCHANGE key for reader: SCM Microsystems Inc.
>>> SCR33x USB
>>> Smart Card Reader 0
>>>
>>> --------------===========================--------------
>>> ================ Certificate 0 ================
>>> --- Reader: SCM Microsystems Inc. SCR33x USB Smart Card Reader 0
>>> ---   Card: OpenSC Card
>>> Provider = Microsoft Smart Card Key Storage Provider
>>> Key Container = (null) [Default Container]
>>>
>>> Cannot open the  key for reader: SCM Microsystems Inc. SCR33x USB Smart
>>> Card Rea
>>> der 0
>>>
>>> --------------===========================--------------
>>>
>>> Done.
>>> CertUtil: -SCInfo command completed successfully.
>>> ******certutil output******
>>> _______________________________________________
>>> opensc-devel mailing list
>>> opensc-devel@lists.opensc-project.org
>>> http://www.opensc-project.org/mailman/listinfo/opensc-devel
>>>
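
Added example (not part of the original messages, and not OpenSC code): a Python check that parses the two registry entries quoted above and reports, per registry view (native and Wow6432Node), whether the ATR printed by certutil selects the entry and which minidriver DLL it names. The function names and the masked-compare rule used here (equal lengths, then byte-wise AND with ATRMask) are assumptions of this example.

```python
import re

# Constructed sample: the two registry entries quoted in the thread, unwrapped.
REG_EXPORT = r'''
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Calais\SmartCards\OpenSC Card]
"ATR"=hex:3b,d2,18,02,c1,0a,31,fe,58,c8,0d,51
"ATRMask"=hex:ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff
"Crypto Provider"="Microsoft Base Smart Card Crypto Provider"
"80000001"="opensc-minidriver.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Calais\SmartCards\OpenSC Card]
"ATR"=hex:3b,d2,18,02,c1,0a,31,fe,58,c8,0d,51
"ATRMask"=hex:ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff
"80000001"="opensc-minidriver.dll"
'''

def parse_reg(text):
    """Return {key_path: {value_name: bytes | str}} from a .reg export."""
    entries, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = entries.setdefault(line[1:-1], {})
        elif current is not None and (m := re.match(r'"([^"]+)"=(.*)$', line)):
            name, raw = m.groups()
            if raw.startswith("hex:"):
                current[name] = bytes.fromhex(raw[4:].replace(",", ""))
            else:
                current[name] = raw.strip('"')
    return entries

def atr_matches(card_atr, reg_atr, mask):
    """Assumed rule: lengths must agree, then (card & mask) == (reg & mask)."""
    if not (len(card_atr) == len(reg_atr) == len(mask)):
        return False
    return all((c & m) == (r & m) for c, r, m in zip(card_atr, reg_atr, mask))

def find_minidrivers(reg_text, card_atr):
    """List (registry view, card name, DLL) for every entry matching card_atr."""
    hits = []
    for key, vals in parse_reg(reg_text).items():
        if "ATR" not in vals or "ATRMask" not in vals:
            continue
        if atr_matches(card_atr, vals["ATR"], vals["ATRMask"]):
            view = "32-bit" if "\\Wow6432Node\\" in key else "64-bit"
            hits.append((view, key.rsplit("\\", 1)[1], vals.get("80000001")))
    return hits

CARD_ATR = bytes.fromhex("3b d2 18 02 c1 0a 31 fe 58 c8 0d 51")  # ATR from the certutil output
```

A "64-bit" hit means the DLL has to be a 64-bit build in System32; a "32-bit" hit refers to the 32-bit build in SysWOW64.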
