Re: [opensc-devel] new release?

Hi Viktor,

we've completed the development of write support for the SmartCard-HSM and are in the middle of testing and bug-fixing. The code is based on the latest version in OpenSC/staging and the changes mostly apply to our own code.

Is there a chance to get write support into the upcoming release? If yes, I would prepare a pull request against the CardContact/staging branch.

Andreas

On 17.09.2012 22:00, Viktor Tarasov wrote:
> Hello,
>
> On 15/09/2012 16:52, Kalev Lember wrote:
> > On 09/06/2012 08:06 PM, Viktor Tarasov wrote:
> > > Hello,
> > >
> > > current github 'staging' is tagged as v0.13.0-pre1. If no objections, I will merge this branch into github 'master' -- it will be the base version to test and to prepare the coming release candidate.
> >
> > Very good idea. I think it makes a lot of sense to have just one 'master' branch for development; this is what people coming over from other projects tend to expect.
>
> 'Master' and 'staging' are actually synchronized and for the new pull requests I propose to create them relative to the 'master' branch. Until the end of this release the pull requests to 'staging' are also accepted.
>
> The tag name 'v0.13.0-pre1' has been changed (sorry) to '0.13.0pre1' -- I still cannot understand which common set of characters could be used for the release-version/tag-name to satisfy 'git', 'obs', 'dpkg-build', ...
>
> Commits to 'master' and new tags trigger the jenkins jobs of build, packaging and some rudimentary test of package and unit tests (for Suse).
>
> https://opensc.fr/jenkins/view/OpenSC-release/
>
> The resulting packages are transferred to the 'download' part of the opensc-project.org file server:
> - commits to http://www.opensc-project.org/downloads/projects/opensc/nightly/
> - releases to http://www.opensc-project.org/downloads/projects/opensc/releases/
>
> For a while there are only source tarballs, MSIs for x32 and x64 and rpm i586 for openSUSE 12.1. Hope that the building of release packages for some Debian/Ubuntu distributions will be connected rapidly.
>
> It would be nice if you could look at/test the tarball or packages of the release 0.13.0pre1. Your remarks, proposals, contributions are heartily welcome.
>
> Kind regards,
> Viktor.
>
> ___
> opensc-devel mailing list
> opensc-devel@lists.opensc-project.org
> http://www.opensc-project.org/mailman/listinfo/opensc-devel

--
CardContact Software System Consulting
Andreas Schwier
Schülerweg 38
32429 Minden, Germany
Phone +49 571 56149
http://www.cardcontact.de http://www.tscons.de http://www.openscdp.org
Re: [opensc-devel] Technical Description - Android Embedded SE

On 25/09/2012 07:58, Andreas Jellinghaus wrote:
> > EMV for sure: there's an unauthenticated bit that tells the card to authenticate the transaction without asking for the PIN...
>
> That's ok, it is a valid feature. If people buy something for less than a dollar, and the transaction is authenticated with the signature of an RSA key in the smart card, and we haven't reached the consecutive lower boundary amount yet, then simply approving the transaction is perfectly fine - getting a PIN or doing an online transaction isn't worth doing for such a small amount of money.

IIUC that bit is not authenticated, so a MITM attack can force both the reader and the card to think the other party doesn't support PIN auth, making the card sign the transaction anyway, regardless of the amount involved. So IMVHO it's quite serious...

> Most vending machines still use modems and dial up for every transaction and hang up again later.

The stupid thing is that it seems they do the same for cellular-based readers too... What a waste!

> That's why card transactions are so slow. Once the standard is to have a permanent internet connection,

that won't change anything: many banks still use *mainframes*! Some still back up to (and transfer data with) tape *wheels*! (When we dismissed our IBM 9000, I think one of the tape units got sold to the bank...). As long as it works, they don't change it.

BYtE,
 Diego.
Re: [opensc-devel] Technical Description - Android Embedded SE

NdK wrote:
> IIUC that bit is not authenticated, so a MITM attack can force both the reader and the card to think the other party doesn't support PIN auth, making the card sign the transaction anyway, regardless of the amount involved. So IMVHO it's quite serious...

http://www.cl.cam.ac.uk/~sjm217/papers/oakland10chipbroken.pdf
http://youtu.be/gv3dxjvqk7Y


//Peter
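As an added illustration of the attack the paper above describes (this is not code from OpenSC, from the paper, or from anyone on this thread), here is a Python model of the wedge that answers the terminal's VERIFY with 9000 without ever forwarding it to the card, next to the issuer-side consistency check that catches it: the terminal reports "offline PIN verified" in its CVM Results, while the card's own record (its CVR, covered by the cryptogram) says no PIN was ever checked. The shared card key, the HMAC-SHA256 stand-in for the 3DES-based ARQC and the textual CVR/CVMR values are assumptions made for the simulation; the check only works because the card's view is authenticated, which is a property of the card profile, not of the terminal.

```python
"""Model of the EMV "no-PIN" man-in-the-middle and an issuer-side check.

Constructed example for this thread, not code from OpenSC or from the cited
paper. The shared card key, the HMAC-SHA256 stand-in for the 3DES-based ARQC
and the textual CVR/CVMR values are assumptions made for the simulation.
"""
import hashlib
import hmac

SW_OK = 0x9000
SW_PIN_WRONG = 0x63C2                          # assumption: "PIN wrong, 2 tries left"
CVMR_OFFLINE_PIN_OK = "offline PIN verified"   # terminal's view (CVM Results)
CVR_PIN_VERIFIED = "PIN verified"              # card's view (carried in its IAD)
CVR_PIN_NOT_VERIFIED = "PIN not verified"


def _mac(key, atc, amount, un, cvr):
    """Cryptogram over what the card saw. Real cards use 3DES with a session
    key derived from the issuer master key; HMAC-SHA256 stands in here."""
    data = f"{atc}|{amount}|{un}|{cvr}".encode()
    return hmac.new(key, data, hashlib.sha256).hexdigest()


class Card:
    """Card side: only the card knows whether VERIFY ever reached it, and it
    records that fact in the CVR that goes into the cryptogram."""

    def __init__(self, pin, key):
        self._pin = pin
        self._key = key
        self.pin_verified = False
        self.atc = 0

    def verify(self, pin):
        if pin == self._pin:
            self.pin_verified = True
            return SW_OK
        return SW_PIN_WRONG

    def generate_ac(self, amount, un):
        self.atc += 1
        cvr = CVR_PIN_VERIFIED if self.pin_verified else CVR_PIN_NOT_VERIFIED
        return {"atc": self.atc, "cvr": cvr,
                "arqc": _mac(self._key, self.atc, amount, un, cvr)}


class NoPinMitm:
    """Wedge between terminal and card: swallows VERIFY, answers 9000, and
    relays everything else untouched. The card's PIN try counter never moves."""

    def __init__(self, card):
        self._card = card

    def verify(self, pin):
        return SW_OK                      # the card never sees the attempt

    def generate_ac(self, amount, un):
        return self._card.generate_ac(amount, un)


def terminal_transact(channel, amount, pin, un):
    """Terminal side: sends VERIFY over `channel`, trusts the status word it
    gets back, and reports its own view in the CVM Results (CVMR)."""
    if channel.verify(pin) != SW_OK:
        return None                       # PIN rejected: terminal declines
    ac = channel.generate_ac(amount, un)
    return {"amount": amount, "un": un, "cvmr": CVMR_OFFLINE_PIN_OK, **ac}


def issuer_decide(req, key, check_cvm):
    """Issuer side. Checking only the ARQC approves the relayed transaction;
    also comparing terminal CVMR against card CVR exposes the mismatch."""
    expected = _mac(key, req["atc"], req["amount"], req["un"], req["cvr"])
    if not hmac.compare_digest(expected, req["arqc"]):
        return "decline: bad ARQC"
    if (check_cvm and req["cvmr"] == CVMR_OFFLINE_PIN_OK
            and req["cvr"] != CVR_PIN_VERIFIED):
        return "decline: terminal reports PIN verified, card does not"
    return "approve"


def run(attack, check_cvm):
    """One transaction; in the attack case the attacker does not know the PIN."""
    key = b"constructed card key, not a real one"
    card = Card(pin="1234", key=key)
    channel = NoPinMitm(card) if attack else card
    entered_pin = "0000" if attack else "1234"
    req = terminal_transact(channel, amount=5000, pin=entered_pin, un=0xCAFE)
    if req is None:
        return "decline: PIN rejected"
    return issuer_decide(req, key, check_cvm)


if __name__ == "__main__":
    for attack in (False, True):
        for check_cvm in (False, True):
            print(f"attack={attack!s:<5} cvm_check={check_cvm!s:<5} -> {run(attack, check_cvm)}")
```

With a MAC-only issuer the relayed transaction is approved even though the attacker typed a wrong PIN; the same request is declined as soon as the issuer compares the terminal's CVMR with the card's CVR. Without the wedge, the wrong PIN is rejected by the card and the terminal never reaches GENERATE AC.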
[opensc-devel] Strange issue in framework-pkcs15.c / pkcs15_gen_keypair

Dear all,

we've come across a strange issue in OpenSC. When we try to generate a key pair with parameters not supported by the card, then the framework code still tries to allocate private/public key objects rather than returning an error code.

The questionable code is in line 2675 of framework-pkcs15.c / pkcs15_gen_keypair.

Is that an intended behaviour or a plain bug?

Andreas

--
CardContact Software System Consulting
Andreas Schwier
Schülerweg 38
32429 Minden, Germany
Phone +49 571 56149
http://www.cardcontact.de http://www.tscons.de http://www.openscdp.org
Re: [opensc-devel] Technical Description - Android Embedded SE

On 25/09/2012 11:50, Peter Stuge wrote:
> > IIUC that bit is not authenticated, so a MITM attack can force both the reader and the card to think the other party doesn't support PIN auth, making the card sign the transaction anyway, regardless of the amount involved. So IMVHO it's quite serious...
>
> http://www.cl.cam.ac.uk/~sjm217/papers/oakland10chipbroken.pdf

Tks. That's the article (or one of them) I remembered but couldn't find...

BYtE,
 Diego.
Re: [opensc-devel] Technical Description - Android Embedded SE

NdK wrote:
> > > IIUC that bit is not authenticated, so a MITM attack can force both the reader and the card to think the other party doesn't support PIN auth, making the card sign the transaction anyway, regardless of the amount involved. So IMVHO it's quite serious...
> >
> > http://www.cl.cam.ac.uk/~sjm217/papers/oakland10chipbroken.pdf
>
> Tks. That's the article (or one of them) I remembered but couldn't find...

http://google.com/search?q=chip+and+pin+broken
Re: [opensc-devel] new release?

Thunderbird 13.0.1 can now sign e-mail. I had forgotten to uncomment in opensc.conf:

  pin_cache_ignore_user_consent = true;

a new feature of 0.13.0pre1. See:

http://www.opensc-project.org/pipermail/opensc-devel/2012-August/018282.html

--
Douglas E. Engert deeng...@anl.gov
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
Re: [opensc-devel] Strange issue in framework-pkcs15.c / pkcs15_gen_keypair

On 9/25/2012 5:01 AM, Andreas Schwier (ML) wrote:
> Dear all,
>
> we've come across a strange issue in OpenSC. When we try to generate a key pair with parameters not supported by the card, then the framework code still tries to allocate private/public key objects rather than returning an error code.
>
> The questionable code is in line 2675 of framework-pkcs15.c / pkcs15_gen_keypair.
>
> Is that an intended behaviour or a plain bug?

Same problem as before. No one has had a PKCS#15 card that supports ECC. The original ECC code added to OpenSC was for client use only, and used the PIV card. For testing the piv-tool could tell the card to generate a key pair, but that was not via any PKCS standards.

> Andreas

--
Douglas E. Engert deeng...@anl.gov
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
Re: [opensc-devel] Strange issue in framework-pkcs15.c / pkcs15_gen_keypair

Hi Douglas,

the same problem exists for RSA keys. If you specify an invalid key size, the code tries to generate invalid objects. Our fix is at

https://github.com/CardContact/OpenSC/commit/a9682fd704dca5abc028b32e5ec577aa1c12ee78

Andreas

On 25.09.2012 16:31, Douglas E. Engert wrote:
> On 9/25/2012 5:01 AM, Andreas Schwier (ML) wrote:
> > Dear all,
> >
> > we've come across a strange issue in OpenSC. When we try to generate a key pair with parameters not supported by the card, then the framework code still tries to allocate private/public key objects rather than returning an error code.
> >
> > The questionable code is in line 2675 of framework-pkcs15.c / pkcs15_gen_keypair.
> >
> > Is that an intended behaviour or a plain bug?
>
> Same problem as before. No one has had a PKCS#15 card that supports ECC. The original ECC code added to OpenSC was for client use only, and used the PIV card. For testing the piv-tool could tell the card to generate a key pair, but that was not via any PKCS standards.
>
> > Andreas

--
CardContact Software System Consulting
Andreas Schwier
Schülerweg 38
32429 Minden, Germany
Phone +49 571 56149
http://www.cardcontact.de http://www.tscons.de http://www.openscdp.org
Re: [opensc-devel] Strange issue in framework-pkcs15.c / pkcs15_gen_keypair

Hi,

On Tue, Sep 25, 2012 at 4:39 PM, Andreas Schwier andreas.schw...@cardcontact.de wrote:
> Hi Douglas,
>
> the same problem exists for RSA keys. If you specify an invalid key size, the code tries to generate invalid objects. Our fix is at
>
> https://github.com/CardContact/OpenSC/commit/a9682fd704dca5abc028b32e5ec577aa1c12ee78

Thanks for the patch and testing. It was a bug. It appeared in 9a63e03e when support for soft-generated keys was removed from pkcs15-init and pkcs11.

> Andreas

Kind regards,
Viktor.

> On 25.09.2012 16:31, Douglas E. Engert wrote:
> > On 9/25/2012 5:01 AM, Andreas Schwier (ML) wrote:
> > > Dear all,
> > >
> > > we've come across a strange issue in OpenSC. When we try to generate a key pair with parameters not supported by the card, then the framework code still tries to allocate private/public key objects rather than returning an error code.
> > >
> > > The questionable code is in line 2675 of framework-pkcs15.c / pkcs15_gen_keypair.
> > >
> > > Is that an intended behaviour or a plain bug?
> >
> > Same problem as before. No one has had a PKCS#15 card that supports ECC. The original ECC code added to OpenSC was for client use only, and used the PIV card. For testing the piv-tool could tell the card to generate a key pair, but that was not via any PKCS standards.
> >
> > > Andreas
>
> --
> CardContact Software System Consulting
> Andreas Schwier
> Schülerweg 38
> 32429 Minden, Germany
> Phone +49 571 56149
> http://www.cardcontact.de http://www.tscons.de http://www.openscdp.org
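To make the reported failure mode concrete, here is an added Python model (not OpenSC's code; the card driver, the error codes and the object list are constructed for the illustration) of what a PKCS#11 caller sees when the framework builds private/public key objects although the card rejected the key parameters, next to the straightforward remedy of returning the card's error before anything is allocated. It does not reproduce the committed fix linked in the thread; it only shows why the behaviour matters: C_GenerateKeyPair appears to succeed, the application gets two handles, and the first use of the private key fails because there is no key behind it.

```python
"""Model of the pkcs15_gen_keypair behaviour reported in this thread.

Constructed example, not OpenSC code: the card, the error codes and the
object store are stand-ins for the illustration.
"""

SC_SUCCESS = 0
SC_ERROR_NOT_SUPPORTED = -1408        # assumption: stands in for OpenSC's code
SC_ERROR_OBJECT_NOT_FOUND = -1409     # assumption


class FakeCard:
    """Stand-in card driver: accepts a fixed set of key types/sizes and
    rejects anything else when asked to generate."""

    SUPPORTED = {("RSA", 1024), ("RSA", 2048), ("EC", 256)}

    def __init__(self):
        self.keys = {}                # key reference -> (type, bits)

    def generate_key(self, key_type, bits):
        if (key_type, bits) not in self.SUPPORTED:
            return SC_ERROR_NOT_SUPPORTED, None
        ref = len(self.keys) + 1
        self.keys[ref] = (key_type, bits)
        return SC_SUCCESS, ref

    def sign(self, ref, data):
        if ref not in self.keys:
            return SC_ERROR_OBJECT_NOT_FOUND, None
        return SC_SUCCESS, b"sig:%d:" % ref + data     # toy signature


class Pkcs15Framework:
    """The object list the PKCS#11 layer exposes; handles are list indices."""

    def __init__(self, card, check_card_result):
        self.card = card
        self.check_card_result = check_card_result   # False reproduces the report
        self.objects = []

    def gen_keypair(self, key_type, bits):
        rv, ref = self.card.generate_key(key_type, bits)
        if self.check_card_result and rv != SC_SUCCESS:
            return rv, None, None          # nothing allocated, error propagates
        # Reported behaviour: rv ignored, objects built for a key that is not there.
        for cls in ("private", "public"):
            self.objects.append({"class": cls, "type": key_type, "bits": bits, "ref": ref})
        return SC_SUCCESS, len(self.objects) - 2, len(self.objects) - 1

    def sign(self, handle, data):
        return self.card.sign(self.objects[handle]["ref"], data)


def demo(check_card_result, key_type="RSA", bits=1234):
    """Returns (gen_rv, visible_objects, keys_on_card, sign_rv)."""
    fw = Pkcs15Framework(FakeCard(), check_card_result)
    rv, priv, _pub = fw.gen_keypair(key_type, bits)
    sign_rv = fw.sign(priv, b"hello")[0] if priv is not None else None
    return rv, len(fw.objects), len(fw.card.keys), sign_rv


if __name__ == "__main__":
    print("buggy, RSA/1234:", demo(False))            # success reported, ghost objects, signing fails
    print("fixed, RSA/1234:", demo(True))             # card error returned, nothing created
    print("fixed, RSA/2048:", demo(True, bits=2048))  # normal path
```

The buggy path is the one that hurts in practice: the error surfaces far from its cause, at the first C_Sign or in a certificate request, rather than at C_GenerateKeyPair where the caller could have chosen a supported size.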
Re: [opensc-devel] new release?

Hi Andreas,

On Tue, Sep 25, 2012 at 9:14 AM, Andreas Schwier andreas.schw...@cardcontact.de wrote:
> we've completed the development of write support for the SmartCard-HSM and are in the middle of testing and bug-fixing.

Fine, what part of the common OpenSC libraries are involved in your tests (pkcs11, minidriver, pkcs15, ...)? What are the OSs?

> The code is based on the latest version in OpenSC/staging and the changes mostly apply to our own code. Is there a chance to get write support into the upcoming release? If yes, I would prepare a pull request against the CardContact/staging branch.

Ok, you can make the pull request to 'staging' or 'master' of OpenSC/OpenSC -- the two branches are kept synchronized.

> Andreas

Kind wishes,
Viktor.

> On 17.09.2012 22:00, Viktor Tarasov wrote:
> > Hello,
> >
> > On 15/09/2012 16:52, Kalev Lember wrote:
> > > On 09/06/2012 08:06 PM, Viktor Tarasov wrote:
> > > > Hello,
> > > >
> > > > current github 'staging' is tagged as v0.13.0-pre1. If no objections, I will merge this branch into github 'master' -- it will be the base version to test and to prepare the coming release candidate.
> > >
> > > Very good idea. I think it makes a lot of sense to have just one 'master' branch for development; this is what people coming over from other projects tend to expect.
> >
> > 'Master' and 'staging' are actually synchronized and for the new pull requests I propose to create them relative to the 'master' branch. Until the end of this release the pull requests to 'staging' are also accepted.
> >
> > The tag name 'v0.13.0-pre1' has been changed (sorry) to '0.13.0pre1' -- I still cannot understand which common set of characters could be used for the release-version/tag-name to satisfy 'git', 'obs', 'dpkg-build', ...
> >
> > Commits to 'master' and new tags trigger the jenkins jobs of build, packaging and some rudimentary test of package and unit tests (for Suse).
> >
> > https://opensc.fr/jenkins/view/OpenSC-release/
> >
> > The resulting packages are transferred to the 'download' part of the opensc-project.org file server:
> > - commits to http://www.opensc-project.org/downloads/projects/opensc/nightly/
> > - releases to http://www.opensc-project.org/downloads/projects/opensc/releases/
> >
> > For a while there are only source tarballs, MSIs for x32 and x64 and rpm i586 for openSUSE 12.1. Hope that the building of release packages for some Debian/Ubuntu distributions will be connected rapidly.
> >
> > It would be nice if you could look at/test the tarball or packages of the release 0.13.0pre1. Your remarks, proposals, contributions are heartily welcome.
> >
> > Kind regards,
> > Viktor.
>
> --
> CardContact Software System Consulting
> Andreas Schwier
> Schülerweg 38
> 32429 Minden, Germany
> Phone +49 571 56149
> http://www.cardcontact.de http://www.tscons.de http://www.openscdp.org
Re: [opensc-devel] new release?

Hi Viktor,

we are testing on Windows XP SP3, Debian Lenny and a current Ubuntu version. Our focus is on PKCS#11 and integration with Firefox, Thunderbird and XCA. We already tested the minidriver with IE and Outlook, but we do short regression tests with each new build.

We've set up automated tests using our Smart Card Shell, which interfaces with PKCS#11 using opensc-java. This way we test key generation of all kinds (RSA/EC), certificate issuance and storing as well as data element reading/writing. We also have a quick regression test using a script with various pkcs11-tool commands. We've also done tests using the IAIK PKCS#11 wrapper that worked well.

So far we're quite confident that the current code base is stable. We have three things left on our list, but they are not pressing:

1. Adding support to have domain parameters at the PKCS#11 interface for EC public keys after on-card generation (i.e. serialize/deserialize public keys as SPKI)
2. Adding support for explicit domain parameters in EC_PARAMS
3. Fast-tracking C_Initialize and C_SetPIN into the card driver (the SmartCard-HSM uses a PKCS#11-like token initialization)

Given that these changes touch core code, we would schedule these topics for the .14 release.

Andreas

On 25.09.2012 17:04, Viktor Tarasov wrote:
> Hi Andreas,
>
> On Tue, Sep 25, 2012 at 9:14 AM, Andreas Schwier andreas.schw...@cardcontact.de wrote:
> > we've completed the development of write support for the SmartCard-HSM and are in the middle of testing and bug-fixing.
>
> Fine, what part of the common OpenSC libraries are involved in your tests (pkcs11, minidriver, pkcs15, ...)? What are the OSs?
>
> > The code is based on the latest version in OpenSC/staging and the changes mostly apply to our own code. Is there a chance to get write support into the upcoming release? If yes, I would prepare a pull request against the CardContact/staging branch.
>
> Ok, you can make the pull request to 'staging' or 'master' of OpenSC/OpenSC -- the two branches are kept synchronized.
>
> > Andreas
>
> Kind wishes,
> Viktor.
>
> > On 17.09.2012 22:00, Viktor Tarasov wrote:
> > > Hello,
> > >
> > > On 15/09/2012 16:52, Kalev Lember wrote:
> > > > On 09/06/2012 08:06 PM, Viktor Tarasov wrote:
> > > > > Hello,
> > > > >
> > > > > current github 'staging' is tagged as v0.13.0-pre1. If no objections, I will merge this branch into github 'master' -- it will be the base version to test and to prepare the coming release candidate.
> > > >
> > > > Very good idea. I think it makes a lot of sense to have just one 'master' branch for development; this is what people coming over from other projects tend to expect.
> > >
> > > 'Master' and 'staging' are actually synchronized and for the new pull requests I propose to create them relative to the 'master' branch. Until the end of this release the pull requests to 'staging' are also accepted.
> > >
> > > The tag name 'v0.13.0-pre1' has been changed (sorry) to '0.13.0pre1' -- I still cannot understand which common set of characters could be used for the release-version/tag-name to satisfy 'git', 'obs', 'dpkg-build', ...
> > >
> > > Commits to 'master' and new tags trigger the jenkins jobs of build, packaging and some rudimentary test of package and unit tests (for Suse).
> > >
> > > https://opensc.fr/jenkins/view/OpenSC-release/
> > >
> > > The resulting packages are transferred to the 'download' part of the opensc-project.org file server:
> > > - commits to http://www.opensc-project.org/downloads/projects/opensc/nightly/
> > > - releases to http://www.opensc-project.org/downloads/projects/opensc/releases/
> > >
> > > For a while there are only source tarballs, MSIs for x32 and x64 and rpm i586 for openSUSE 12.1. Hope that the building of release packages for some Debian/Ubuntu distributions will be connected rapidly.
> > >
> > > It would be nice if you could look at/test the tarball or packages of the release 0.13.0pre1. Your remarks, proposals, contributions are heartily welcome.
> > >
> > > Kind regards,
> > > Viktor.
> >
> > --
> > CardContact Software System Consulting
> > Andreas Schwier
> > Schülerweg 38
> > 32429 Minden, Germany
> > Phone +49 571 56149
> > http://www.cardcontact.de http://www.tscons.de
Re: [opensc-devel] Technical Description - Android Embedded SE

2012/9/25 Peter Stuge pe...@stuge.se:
> NdK wrote:
> > > > IIUC that bit is not authenticated, so a MITM attack can force both the reader and the card to think the other party doesn't support PIN auth, making the card sign the transaction anyway, regardless of the amount involved. So IMVHO it's quite serious...
> > >
> > > http://www.cl.cam.ac.uk/~sjm217/papers/oakland10chipbroken.pdf
> >
> > Tks. That's the article (or one of them) I remembered but couldn't find...
>
> http://google.com/search?q=chip+and+pin+broken

but the broken security demonstrated so far is related to misconfiguration, and many other banks have correct card profiles and are not affected.

Regards, Andreas
[opensc-devel] pam_p11 (without pin) and ssh (with pin) on one card

Hey y'all

I have an ePass2003, and I'd like to use it for pam_p11 and ssh. The pam_p11 key should be usable without a PIN, or can I provide the PIN by using the password field? I'd like to know which paths are possible. The other object stored is an ssh key secured by a PIN.

My problem is now that when I initialize my card with

  pkcs15-init --create-pkcs15 --profile pkcs15+onepin

I only have one PIN, but I'd like to have two auth-ids, one with and one without PIN.

--
Simon
Re: [opensc-devel] new release?

Jean-Michel Pouré - GOOZE wrote:
> I was quite busy and failed to do any work these last days.

Remember how much easier it is to write email with opinion.


//Peter