Re: [opensc-devel] OpenSC 0.13.0
A big Thank you to everyone contributing to this release. It's a great piece of work.

Andreas

On 04.12.2012 22:13, Viktor Tarasov wrote:
> Hello,
>
> The next release is tagged on the github OpenSC/OpenSC project, thanks to all of you for your contributions.
>
> Tarball and MSI installers can be found on github, sourceforge or the CI server:
> https://github.com/OpenSC/OpenSC/tags
> https://sourceforge.net/projects/opensc/files/OpenSC/
> https://opensc.fr/jenkins/
>
> The packages for the other OSs will be added.
>
> The list, not complete, of the new features:
> * New card driver ePass2003.
> * OpenPGP card:
>     greatly improved card driver and PKCS#15 emulation;
>     implemented write (pkcs15init) mode;
>     greatly enhanced documentation and tools.
> * ECDSA keys supported in 'read' and 'write' modes by internal PKCS#15 library, PKCS#11 and tools.
> * Minidriver in 'write' mode.
> * SM:
>     secure messaging in GlobalPlatform-SP01 and CW14890 specifications;
>     supported by ePass2003, IAS/ECC and AuthentIC cards;
>     ACL and APDU modes to trigger secure messaging session;
>     'local' version of the external secure messaging module.
> * PKCS#15:
>     support of 'secret-key' PKCS#15 objects
>     support of 'authentication-object' PKCS#15 objects
>     support of 'algReference' common key PKCS#15 attribute
>     support of 'subjectName' common public key PKCS#15 attribute
> * PKCS#11:
>     removed 'onepin' version of pkcs#11 module
>     configuration options to expose slots for PINs and present on-card applications.
>     support GOSTR3410 generate key mechanism
>     support of EC key type
> * Support of PACE reader.
> * Remove libltdl reference.
> * ECDSA supported by MyEID card.
> * New card driver for the SmartCard-HSM, a light-weight hardware security module.
> * New useful commands in 'opensc-explorer' tool: 'find', 'put-data', ...
> * fixes SIGV issue related to the unsupported public key format
> * fixes for the number of documentation issues
>
> This release was pushed ahead by the number of new features and new card drivers eager for their place in the project, as well as by the necessity to restore the regular release process.
>
> You are heartily invited to comment/test/use this release.
>
> Also at this time we are migrating the OpenSC project to the new hosting. Currently:
> - the sources of OpenSC and its sub-projects are migrated to github (thanks to Ludovic);
> - mailing-list on sourceforge is ready to substitute the mailing-list on opensc-project.org (once more thanks to Ludovic);
> - Peter Stuge has to migrate the OpenSC trac wiki onto one of his platforms;
> - sourceforge will replace the file server hosted by opensc-project.org (currently the CI service sends the release and 'nightly' packages to both sourceforge and opensc-project);
> - CI service is currently running for OpenSC/OpenSC github project, but can be extended and include the other OpenSC sub-projects.
>
> Currently the github OpenSC/OpenSC contains two branches 'master' and 'staging', rigorously synchronized between each other. I guess that we can eliminate the 'staging' branch and use only the 'master' one.
>
> The OpenSC wiki pages are largely outdated; but I think it's reasonable to wait for Peter to finish migration of existing trac before starting to update it.
>
> Kind regards,
> Viktor.

--
CardContact Software System Consulting
Andreas Schwier
Schülerweg 38
32429 Minden, Germany
Phone +49 571 56149
http://www.cardcontact.de
http://www.tscons.de
http://www.openscdp.org

___
opensc-devel mailing list
opensc-devel@lists.opensc-project.org
http://www.opensc-project.org/mailman/listinfo/opensc-devel
[opensc-devel] The smart card reader is known as VMware Virtual USB CCID 00 00 in linux ??!!
Hi all;

I have a smart card (SmartCafe Expert 3.2 72k) and I've loaded and initialized Muscle applet (0.9.11) on it. Now, I have a problem with pkcs15 initializing...

In Windows, I couldn't initialize the card using the pkcs15-init tool, so I decided to compile opensc-0.12.2 in linux (fedora 16) and use the pkcs15-init tool in linux.

I have fedora on VMWare (my host OS is Windows7) and installed the Card Reader driver on fedora with name ifdokccid.so (my Card Reader is Omnikey CardMan 3121). I've got and installed the pcsc-tools package on linux and run the pcsc_scan command on Terminal; the output was as below:

---
PC/SC device scanner
V 1.4.17 (c) 2001-2009, Ludovic Rousseau ludovic.rouss...@free.fr
Compiled with PC/SC lite version: 1.6.6
Scanning present readers...
0: VMware Virtual USB CCID 00 00

Wed Dec 5 11:03:39 2012
Reader 0: VMware Virtual USB CCID 00 00
  Card state: Card inserted,
  ATR: 3B F7 18 00 00 80 31 FE 45 73 66 74 65 2D 6E 66 C4

ATR: 3B F7 18 00 00 80 31 FE 45 73 66 74 65 2D 6E 66 C4
+ TS = 3B -- Direct Convention
+ T0 = F7, Y(1): , K: 7 (historical bytes)
  TA(1) = 18 -- Fi=372, Di=12, 31 cycles/ETU
    129032 bits/s at 4 MHz, fMax for Fi = 5 MHz = 161290 bits/s
  TB(1) = 00 -- VPP is not electrically connected
  TC(1) = 00 -- Extra guard time: 0
  TD(1) = 80 -- Y(i+1) = 1000, Protocol T = 0
-----
  TD(2) = 31 -- Y(i+1) = 0011, Protocol T = 1
-----
  TA(3) = FE -- IFSC: 254
  TB(3) = 45 -- Block Waiting Integer: 4 - Character Waiting Integer: 5
+ Historical bytes: 73 66 74 65 2D 6E 66
  Category indicator byte: 73 (proprietary format)
+ TCK = C4 (correct checksum)

Possibly identified card (using /usr/share/pcsc/smartcard_list.txt):
3B F7 18 00 00 80 31 FE 45 73 66 74 65 2D 6E 66 C4
  SmartCafe Expert 3.2 72K
---

My problem is that VMWare finds the reader as:

Reader 0: VMware Virtual USB CCID 00 00

NOT

Reader 0: Omnikey CardMan 3121 00 00 !!

So, the command opensc-tool -a has the following output:

Using reader with a card: VMware Virtual USB CCID 00 00
Failed to connect to card: Unresponsive card (correctly inserted?)

When I connect the reader to the system, VMWare recognizes it as "Shared OMNIKEY CardMan 3x21 0" in the Removable Devices section of the VM, so fedora finds it as the "VMware Virtual USB CCID 00 00" reader, not Omnikey!

How should the card reader be introduced in the VM to solve this problem?

I guess the problem is because of VMWare settings for the card reader, not OpenSC, but I've not found a more related forum than here to ask this question. Could you help me please?

TIA.
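The ATR that pcsc_scan reported in the message above can be re-checked offline, independently of the reader stack. The following Python decoder is an added example, not part of the original message, pcsc-tools or OpenSC; the names parse_atr, FI, DI and PAGE_ATR are chosen for this illustration, and the ATR string is the one quoted in the message.

```python
# Added example: decode an ISO/IEC 7816-3 ATR and verify its TCK checksum.
FI = {0: 372, 1: 372, 2: 558, 3: 744, 4: 1116, 5: 1488, 6: 1860,
      9: 512, 10: 768, 11: 1024, 12: 1536, 13: 2048}   # clock rate conversion
DI = {1: 1, 2: 2, 3: 4, 4: 8, 5: 16, 6: 32, 7: 64, 8: 12, 9: 20}  # baud divisor

# ATR copied from the pcsc_scan output quoted in the message above.
PAGE_ATR = "3B F7 18 00 00 80 31 FE 45 73 66 74 65 2D 6E 66 C4"


def parse_atr(text):
    atr = bytes.fromhex(text)
    if len(atr) < 2 or atr[0] not in (0x3B, 0x3F):
        raise ValueError("bad TS byte or ATR too short")
    y, k = atr[1] >> 4, atr[1] & 0x0F      # T0: presence bits Y1, K historical bytes
    pos, group = 2, 1
    interface, protocols = {}, []
    while True:
        td = None
        for bit, name in ((1, "TA"), (2, "TB"), (4, "TC"), (8, "TD")):
            if not y & bit:
                continue
            if pos >= len(atr):
                raise ValueError("ATR truncated inside interface bytes")
            interface[f"{name}{group}"] = atr[pos]
            if name == "TD":
                td = atr[pos]
            pos += 1
        if td is None:
            break
        y = td >> 4                        # presence bits for the next group
        protocols.append(td & 0x0F)        # protocol T announced by this TD
        group += 1
    # From group 3 on, TA/TB are specific to the protocol named in the previous TD.
    t1 = {}
    for g in range(3, group + 1):
        if protocols[g - 2] == 1:
            if f"TA{g}" in interface:
                t1.setdefault("ifsc", interface[f"TA{g}"])
            if f"TB{g}" in interface:
                t1.setdefault("bwi", interface[f"TB{g}"] >> 4)
                t1.setdefault("cwi", interface[f"TB{g}"] & 0x0F)
    historical = atr[pos:pos + k]
    pos += k
    # TCK is absent only when T=0 is the sole protocol (possibly by default).
    has_tck = any(t != 0 for t in protocols)
    if len(atr) != pos + (1 if has_tck else 0):
        raise ValueError("ATR length does not match its own structure")
    tck_ok = None
    if has_tck:
        x = 0
        for b in atr[1:]:                  # XOR of T0..TCK must be zero
            x ^= b
        tck_ok = (x == 0)
    ta1 = interface.get("TA1", 0x11)       # default when TA1 is absent: Fi=372, Di=1
    fi, di = FI.get(ta1 >> 4), DI.get(ta1 & 0x0F)
    return {
        "convention": "direct" if atr[0] == 0x3B else "inverse",
        "interface": interface,
        "protocols": sorted(set(protocols)) or [0],
        "t1": t1,
        "historical": historical,
        "tck_ok": tck_ok,
        "cycles_per_etu": fi // di if fi and di else None,
    }


if __name__ == "__main__":
    for key, value in parse_atr(PAGE_ATR).items():
        print(f"{key}: {value}")
```
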
Re: [opensc-devel] The smart card reader is known as VMware Virtual USB CCID 00 00 in linux ??!!
2012/12/5 Rns Course rns_cou...@yahoo.com:
> Hi all;

Hello,

> How should the card reader be introduced in VM to solve this problem?
> I guess the problem is because of VMWare settings for card reader not OpenSC, but I've not found more related forum than here to ask this question;
> Could you help me please?

VMWare uses a trick to show the smart card reader in the VM without disconnecting it from the host. VMWare uses PC/SC on Windows to access the reader and shows it as a fake CCID reader in the VM.

It is strange that you can get the ATR using pcsc_scan but not using opensc-tool -a.

It is also possible to connect your reader directly to the VM as any other USB device. It will then not be available from Windows.

Bye

--
Dr. Ludovic Rousseau
Re: [opensc-devel] The smart card reader is known as VMware Virtual USB CCID 00 00 in linux ??!!
Thank you Dr. Rousseau,

> It is also possible to connect your reader directly to the VM as any other USB device. It will then not be available from Windows.

Yes, exactly! My problem is because of not disconnecting card reader from windows. Now, how should I connect the reader directly to the VM as any USB device? Since, upon connecting the reader to system, shared reader icon appears on the VM task bar! Indeed, I have problem in VM setting to recognize the reader just as a USB device. Could you guide me about this?

Best Regards.

From: Ludovic Rousseau ludovic.rouss...@gmail.com
To: opensc-devel@lists.opensc-project.org
Sent: Wednesday, 5 December 2012, 16:51:28
Subject: Re: [opensc-devel] The smart card reader is known as VMware Virtual USB CCID 00 00 in linux ??!!

> VMWare uses a trick to show the smart card reader in the VM without disconnecting it from the host. VMWare uses PC/SC on Windows to access the reader and shows it as a fake CCID reader in the VM.
>
> It is strange that you can get the ATR using pcsc_scan but not using opensc-tool -a.
>
> It is also possible to connect your reader directly to the VM as any other USB device. It will then not be available from Windows.
>
> Bye
>
> --
> Dr. Ludovic Rousseau
Re: [opensc-devel] The smart card reader is known as VMware Virtual USB CCID 00 00 in linux ??!!
On 12/5/2012 8:55 AM, Rns Course wrote:
> Thank you Dr. Rousseau,
>
> > It is also possible to connect your reader directly to the VM as any other USB device. It will then not be available from Windows.
>
> Yes, exactly! My problem is because of not disconnecting card reader from windows. Now, how should I connect the reader directly to the VM as any USB device? Since, upon connecting the reader to system, shared reader icon appears on the VM task bar! Indeed, I have problem in VM setting to recognize the reader just as a USB device. Could you guide me about this?
>
> Best Regards.

In addition to trying to connect the card directly to the VM, you said you had built OpenSC-0.12.2. Could you try and build the new 0.13.0 and test again?

Tarball and MSI installers can be found on github, sourceforge or the CI server:
https://github.com/OpenSC/OpenSC/tags
https://sourceforge.net/projects/opensc/files/OpenSC/
https://opensc.fr/jenkins/

Ludovic had said it was strange that pcsc_scan worked but opensc-tool -a did not. If you could post some debugging output for OpenSC-0.13.0, that would be helpful. Either

(1) modify the opensc.conf, changing the debug = 0; to debug = 7; and uncomment the debug_file = line.
(2) add a -v option to the opensc-tool command line and output would be directed to stderr.

Although the vendor provided the ifdokccid.so driver, it might not be needed as PCSClite says it is supported as CCID. But since the VMware is changing the name on the card (and maybe idVendor and idProduct), things might not work as expected.
Re: [opensc-devel] OpenSC 0.13.0
> https://github.com/OpenSC/OpenSC/tags
> https://sourceforge.net/projects/opensc/files/OpenSC/
> https://opensc.fr/jenkins/

The source used to be at:
http://www.opensc-project.org/files/opensc/
Is that no longer the canonical location?

The wiki at https://www.opensc-project.org/opensc still says the latest release is 0.12.2.
Re: [opensc-devel] Which libraries/APIs needed?
opensc has a test suite that does very similar things - create a key, take some content, hash it, sign the hash, verify it. Or take some content, and encrypt/decrypt it, verify the result is ok. Check that code, most of it will be very similar to what you have, except for the smart card specific parts.

http://www.opensc-project.org/opensc/browser/OpenSC/src/tests/regression/init0009

Regards, Andreas

2012/12/4 Markus Wernig liste...@wernig.net:
> Hi all
>
> I have a rather basic question on which libraries/APIs to use for implementing the following in eg. a C or Java program.
>
> The basic idea is:
>
> init:
> - create 256bit key for AES-256
> - create RSA keypair on token (no x.509)
> - encrypt aes-key with pubkey of rsa-pair, delete cleartext version
>
> loop:
> - when needed, decrypt aes-key with private rsa key, load to memory
> - perform symmetric en-/decryption with key in memory
>
> Mainly the question is: Since the cryptographic functions on the token (which could also be a network HSM) appear to be carried out by the pkcs#15 driver, do I need the cryptoki API and pkcs#11 at all?
>
> Thanks in advance for any pointer.
>
> Here's the shellcode that should be translated into a compiled program:
>
> echo Generate AES Key
> secret=`head -c64 /dev/urandom`
> openssl enc -aes-256-cbc -k $secret -P -md sha1 > aes.key
>
> echo Generate keypair on pkcs#15 storage
> pkcs15-init -G rsa/4096 -i 45 -a 01 -u sign,decrypt --pin XXX:YYY
> pkcs15-tool --read-public-key 45 -o rsa.pub
>
> echo Encrypt AES Key
> openssl rsautl -pubin -inkey rsa.pub -encrypt -in aes.key -out aes.key.c
>
> echo Remove AES Key
> for i in `seq 0 7`
> do
>     size=`stat aes.key | grep Size | awk '{print $2}'`
>     head -c $size /dev/urandom > aes.key
>     sync
>     sync
>     sleep 1
> done
> rm aes.key
> sync
>
> echo "Decrypt AES Key to memory (depending on shell)"
> eval `pkcs15-crypt -c --pkcs1 -i aes.key.c | tr -d ' '`
>
> echo Encrypt data
> openssl enc -K $key -iv $iv -S $salt -in data.file -out data.file.crypt -aes256
>
> echo Decrypt data
> openssl enc -d -K $key -iv $iv -in data.file.crypt -out data.file.decrypt -aes256
>
> echo Clear memory
> unset key iv salt
>
> kind regards
> thanks
>
> Markus
>
> PS: The above shellcode is based on http://www.gooze.eu/howto/smartcard-quickstarter-guide/signing-crypting-and-verifying
[opensc-devel] minimal requirements for working with crypto tokens?
Greetings, all.

As with a similar post in the last day or two, I'm working on deploying an embedded linux system, and I'm trying to figure out the smallest set of libraries that I need to do this.

The desired use for tokens in the field is:

1. Sign binary blobs, generating a detached RFC5652 signature file from each data file.
2. (Eventually) for both client and server-side SSL handshaking.

On a typical Linux workstation, I can do all this already, thanks to the developers here and on libusb, ccid, and pcsc-lite. Barring late-breaking changes, this functionality is already available in packages for the distribution I'm using here (Fedora 17).

To test the latest and greatest, I had to build:

libusb-1.0.9
pcsc-lite-1.8.6
ccid-1.4.8
openssl-1.0.1c
libp11-0.2.8
opensc-0.13.0rc1-g2895729 (from CardContact)
engine_pkcs11-0.1.8

Other than having to adjust the interprocess expectations of pcscd and its users, that also works fine.

However, the embedded box is not running the typical workstation daemons. There's no udev at all; I'm handling the event stream directly within my application. (E.g., I'm receiving and handling USB mass storage device insertions / removals.)

What I'm looking for is guidance on which libraries are required to do the work, if I can tell those libraries exactly which USB device to use, and only when there is something there to be used.

Is libusb used only for discovery, or for access as well?

Likewise, if there is only ever one process accessing the token (and I can guarantee that it's single-threaded access), then is pcscd necessary?

Even further, if I know exactly which token will be used, is it possible and/or advisable to short-circuit the generic aspects of libpkcs11 and somehow use that token's driver directly?

Either way, it seems that I'll still want to use OpenSSL libraries (or equiv, e.g., NSS) to do the ASN.1 streaming and on-cpu crypto ops. (This is the easiest part, as I already have OpenSSL in my build.)

Are all these questions stupid, and do I need to be hit over the head with a heavy book? :)

I'm still investigating, but if anyone has experience with this sort of setup, I would very much appreciate any advice they could share with me.

Thanks for your time.

Best regards,
Anthony Foiani