Re: [opensc-devel] Support for OpenPGP Card version 2?

2010-01-11 Thread Werner Koch
On Sun, 10 Jan 2010 20:49:55 +0100, Crypto Stick wrote:
> Using reader with a card: Gemplus GemPC Twin 00 00
> [opensc-explorer] iso7816.c:99:iso7816_check_sw: Wrong parameter(s) P1-P2
> [opensc-explorer] iso7816.c:464:iso7816_select_file: returning with:
> Incorrect parameters in APDU

You need to use Extended Length APDUs.  IIRC, your reader should be
able to grok them as it works on the TPDU level.


Shalom-Salam,

   Werner

-- 
Thoughts are free.  Exceptions are governed by federal law.

___
opensc-devel mailing list
opensc-devel@lists.opensc-project.org
http://www.opensc-project.org/mailman/listinfo/opensc-devel
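To make Werner's point concrete, here is an added example (not code from the thread or from OpenSC/GnuPG) that encodes an ISO 7816-4 command APDU in short or extended length form, so the byte-level difference between the two forms is visible; the header values and data in the demo are constructed, not taken from any real card exchange.

```python
# Added example: short vs. extended length command APDU encoding (ISO 7816-4).
# Constructed values only; not the OpenSC or GnuPG implementation.

def needs_extended(data=b"", le=None):
    """True when the short form cannot express Lc/Le (Lc > 255 or Le > 256)."""
    return len(data) > 255 or (le is not None and le > 256)

def encode_apdu(cla, ins, p1, p2, data=b"", le=None, extended=False):
    """Return the command APDU bytes.

    data:     command data field; Lc is its length (0 for case 1 and 2).
    le:       expected response length, or None when no response is expected.
              Le=0 means "maximum": 256 bytes (short) or 65536 (extended).
    extended: use the extended encoding, which a card may require for
              every command once it is selected on the extended-length path.
    """
    for v in (cla, ins, p1, p2):
        if not 0 <= v <= 0xFF:
            raise ValueError("CLA/INS/P1/P2 must each fit in one octet")
    lc = len(data)
    if not extended and needs_extended(data, le):
        raise ValueError("short APDU cannot carry Lc > 255 or Le > 256")
    if extended and (lc > 65535 or (le is not None and le > 65536)):
        raise ValueError("Lc/Le out of range even for extended length")

    apdu = bytes([cla, ins, p1, p2])
    if not extended:
        if lc:
            apdu += bytes([lc]) + data          # 1-byte Lc
        if le is not None:
            apdu += bytes([le % 256])           # 1-byte Le, 256 -> 0x00
        return apdu

    # Extended form: a leading 0x00 marks it, then 2-byte Lc and/or Le.
    if lc:
        apdu += b"\x00" + lc.to_bytes(2, "big") + data   # case 3E / 4E
        if le is not None:
            apdu += (le % 65536).to_bytes(2, "big")       # Le follows data
    elif le is not None:
        apdu += b"\x00" + (le % 65536).to_bytes(2, "big")  # case 2E
    return apdu

if __name__ == "__main__":
    # Constructed SELECT-like command with a 2-byte data field, both forms.
    print(encode_apdu(0x00, 0xA4, 0x04, 0x00, b"\x01\x02", le=0).hex())
    print(encode_apdu(0x00, 0xA4, 0x04, 0x00, b"\x01\x02", le=0,
                      extended=True).hex())
```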


[opensc-devel] Feitian Entersafe : transferring a key to a smartcard

2010-01-11 Thread Jean-Michel Pouré
Hello,

To clarify my knowledge, I would like to contribute some user
documentation on the wiki. The subject of transferring an RSA key pair
to a smartcard seems interesting.

Here are some newbie questions before I go on:

* I would like to add a page with dummy certificates on the wiki. One
root CA, one secondary CAs and several certs. So that users only have to
download them to test command lines. Would you favor that ?

* pkcs11-tool and pkcs15-init have some common tools. For example, it is
possible to generate an RSA key. But I could not find information about
pkcs11-tool on the wiki. Is pkcs11-tool deprecated?

* Until now, my attempts to transfer a key to a smartcard did not
succeed (Feitian cards). 

For example, I tried:
pkcs15-init -S foobar.pkcs12 -f PKCS12 --auth-id 01 --pin 
--insecure --passphrase "XX"

but it failed with error messages. 

Importing 1 certificates:
  0: /C=FR/L=Paris/O=Foobar organisation/CN=Foobar secondary 1024 CA
pkcs15-init: card-entersafe.c:1047: entersafe_encode_bignum: Assertion
`0' failed.
Aborted

Is pkcs15-init fully working? Or is it a Feitian card issue or me not
fully understanding what is possible to do?

Kind regards,
Jean-Michel




Re: [opensc-devel] Feitian Entersafe : transferring a key to a smartcard

2010-01-11 Thread Martin Paljak
Hello Jean-Michel,
On 11.01.2010, at 15:52, Jean-Michel Pouré wrote:
> * I would like to add a page with dummy certificates on the wiki. One
> root CA, one secondary CAs and several certs. So that users only have to
> download them to test command lines. Would you favor that ?
For pure test purposes, it would be OK, but for generic educational purposes I 
would suggest making YetAnotherSelfSignedSnakeOilOpenSSLCAGenerationGuide which 
the user could just copy-paste.



> * pkcs11-tool and pkcs15-init have some common tools. For example, it is
> possible to generate an RSA key. But I could not find information about
> pkcs11-tool on the wiki. Is pkcs11-tool deprecated?
Definitely not. You might find glitches and shortcomings with pkcs11-tool but 
that would just benefit OpenSC as we could see the problems and fix them.



> * Until now, my attempts to transfer a key to a smartcard did not
> succeed (Feitian cards). 
> 
> For example, I tried:
> pkcs15-init -S foobar.pkcs12 -f PKCS12 --auth-id 01 --pin 
> --insecure --passphrase "XX"
Why don't you want to generate the keys on the card? Under normal circumstances 
that's the thing smart cards are for.

Why do you mix --auth-id and --insecure? Is the auth-id 01 required to import a 
key?

> 
> but it failed with error messages. 
> 
> Importing 1 certificates:
>  0: /C=FR/L=Paris/O=Foobar organisation/CN=Foobar secondary 1024 CA
> pkcs15-init: card-entersafe.c:1047: entersafe_encode_bignum: Assertion
> `0' failed.
> Aborted
I don't know the entersafe code, whether this is a problem in the entersafe code or a 
glitch with data generated by pkcs15-init. Please send a longer log.



> 
> Is pkcs15-init fully working? Or is it a Feitian card issue or me not
> fully understanding what is possible to do?
pkcs15-init is fully working. The failing assert comes from entersafe (feitian) 
driver code.


-- 
Martin Paljak
http://martin.paljak.pri.ee
+372.515.6495






Re: [opensc-devel] Feitian Entersafe : transferring a key to a smartcard

2010-01-11 Thread Martin Paljak

On 11.01.2010, at 15:52, Jean-Michel Pouré wrote:
> For example, I tried:
> pkcs15-init -S foobar.pkcs12 -f PKCS12 --auth-id 01 --pin 
> --insecure --passphrase "XX"
> 
> but it failed with error messages. 
> 
> Importing 1 certificates:
>  0: /C=FR/L=Paris/O=Foobar organisation/CN=Foobar secondary 1024 CA
> pkcs15-init: card-entersafe.c:1047: entersafe_encode_bignum: Assertion
> `0' failed.
> Aborted
> 
> Is pkcs15-init fully working? Or is it a Feitian card issue or me not
> fully understanding what is possible to do?

If you have a full test suite (you can provide the commands you issued and the 
key files you have) I can try it with an epass3000 token (which should work 
with the same driver and have the same chip inside) and see if/how/why it fails 
for me.


-- 
Martin Paljak
http://martin.paljak.pri.ee
+372.515.6495






Re: [opensc-devel] Feitian Entersafe : transferring a key to a smartcard

2010-01-11 Thread Peter Stuge
Martin Paljak wrote:
> for generic educational purposes I would suggest making
> YetAnotherSelfSignedSnakeOilOpenSSLCAGenerationGuide which the
> user could just copy-paste.

I made one of those some time ago for BincIMAP and while the wiki it
lived at is now offline I have mirrored the archived web page at:

http://stuge.se/diyca/


//Peter


Re: [opensc-devel] Feitian Entersafe : transferring a key to a smartcard

2010-01-11 Thread Martin Paljak

On 11.01.2010, at 16:30, Peter Stuge wrote:

> Martin Paljak wrote:
>> for generic educational purposes I would suggest making
>> YetAnotherSelfSignedSnakeOilOpenSSLCAGenerationGuide which the
>> user could just copy-paste.
> 
> I made one of those some time ago for BincIMAP and while the wiki it
> lived at is now offline I have mirrored the archived web page at:
> 
> http://stuge.se/diyca/

I think it is good if people go through a CA creation step by step, just to 
demystify the whole PKI thing. Even if it seems tedious in the beginning, it 
makes a lot of good knowledge-wise in the long run.


-- 
Martin Paljak
http://martin.paljak.pri.ee
+372.515.6495






Re: [opensc-devel] Feitian Entersafe : transferring a key to a smartcard

2010-01-11 Thread Jean-Michel Pouré
On Monday 11 January 2010 at 16:17 +0200, Martin Paljak wrote:
> Definitely not. You might find glitches and shortcomings with
> pkcs11-tool but that would just benefit OpenSC as we could see the
> problems and fix them.

Sorry to insist, but from a user point of view, what is the difference
between pkcs11-tool and pkcs15-tool and related tools? Why are there two
sets of tools for the same features? How do I know which tool to use?

I guess the wiki should only inform about pkcs15 related tools, right?

> If you have a full test suite (you can provide the commands you issued
> and the key files you have) I can try it with an epass3000 token
> (which should work with the same driver and have the same chip inside)
> and see if/how/why it fails for me.

I will first publish a page with certificates and will get back to you.

Thanks!
Jean-Michel



Re: [opensc-devel] Feitian Entersafe : transferring a key to a smartcard

2010-01-11 Thread Martin Paljak
On 11.01.2010, at 17:28, Eric wrote:
> > Why don't you want to generate the keys on the card? Under normal 
> > circumstances that's the thing smart cards are for.
> 
> I've got limited experience with PKI policies, but what about key escrow? Or 
> the poor man's version, creating a backup copy of a smart card on another 
> smart card, kept in a firesafe?
I don't believe that this goes under a "normal beginner usage scenario". 

> Of course, if your card is damaged, lost or stolen, your certification should 
> be revoked by the CA and reissued with a new certification. But you still 
> need the old key to decrypt old data to re-encrypt with the new key, right?
Correct.



-- 
Martin Paljak
http://martin.paljak.pri.ee
+372.515.6495






Re: [opensc-devel] Feitian Entersafe : transferring a key to a smartcard

2010-01-11 Thread Peter Stuge
Martin Paljak wrote:
> > Of course, if your card is damaged, lost or stolen, your
> > certification should be revoked by the CA and reissued with a new
> > certification. But you still need the old key to decrypt old data
> > to re-encrypt with the new key, right?
> 
> Correct.

If encryption code was better at handling this cryptosystem failure
mode they would make it much easier to create a backup card that
could then be stored out of daily use. At the moment it's
complicated, but definitely the best way to protect against a lost
key.


//Peter


Re: [opensc-devel] Feitian Entersafe : transferring a key to a smartcard

2010-01-11 Thread Martin Paljak
On 11.01.2010, at 17:28, Jean-Michel Pouré wrote:
> On Monday 11 January 2010 at 16:17 +0200, Martin Paljak wrote:
>> Definitely not. You might find glitches and shortcomings with
>> pkcs11-tool but that would just benefit OpenSC as we could see the
>> problems and fix them.
> 
> Sorry to insist, but from a user point of view, what is the difference
> between pkcs11-tool and pkcs15-tool and related tools? Why is there two
> sets of tools for the same features? How do I know which tool to use?
PKCS#11 is a generic cryptographic device interface, implemented by OpenSC and 
by several other (hardware) vendors. pkcs11-tool can work with any of those 
PKCS#11 modules (unless there are bugs that prevent intended usage in either 
pkcs11-tool or the specific PKCS#11 module).

pkcs15-tool is a low(er) level OpenSC tool that interacts directly with OpenSC 
internals (libopensc) to create (or read) necessary objects on the card. 
pkcs15-init writes objects on the card, pkcs15-tool reads them. OpenSC PKCS#11 
module provides, in theory, similar functionality as pkcs15-init (to write 
things to the card) or pkcs15-tool and pkcs15-crypt (to read things from the 
card or do crypto operations with keys on the card) but instead of a command 
line interface, PKCS#11 API for other programs to use is exposed.

Hope this helps. I think there are sections in the wiki that describe the 
situation, I believe this needs to be made more clear (as it often causes 
misunderstandings).
> I guess the wiki should only inform about pkcs15 related tools, right?
Yes and no. In theory, it would be nice if OpenSC PKCS#11 module would allow to 
do all operations that are possible via lower level pkcs15-init. But 
pkcs15-init could be more flexible in some circumstances.


-- 
Martin Paljak
http://martin.paljak.pri.ee
+372.515.6495





Re: [opensc-devel] Feitian Entersafe : transferring a key to a smartcard

2010-01-11 Thread Jean-Michel Pouré
On Monday 11 January 2010 at 16:53 +0100, Peter Stuge wrote:
> > > Of course, if your card is damaged, lost or stolen, your
> > > certification should be revoked by the CA and reissued with a new
> > > certification. But you still need the old key to decrypt old data
> > > to re-encrypt with the new key, right?

This is why I don't intend to generate an RSA key on card. 

I plan to create master, secondary and tertiary CAs:

* The primary CA is the backup, stored in a safe place. 
* The secondary CA can be transferred to one or two smartcards used for
daily administration.
* Then I issue tertiary CAs : one for VPN, one for login, etc ...

In this situation, I may use my card to administrate tertiary CAs. If
the card is lost, I can revoke the secondary CA or issue a backup card. 

I thought about an alternative where I would create a primary CA on
card, sign-up a secondary CA for daily administration. This would be an
elegant situation without key transfer. But in this case, there is only
one backup and master card. And as I am a newbie, it seems a little bit
tricky to rely on a single card!

In my opinion, key transfer is more flexible.
What do you think? Any suggestion is welcome.

Kind regards,
Jean-Michel



Re: [opensc-devel] Feitian Entersafe : transferring a key to a smartcard

2010-01-11 Thread Xiaoshuo Wu
On Mon, 11 Jan 2010 22:17:09 +0800, Martin Paljak wrote:

>> Is pkcs15-init fully working? Or is it a Feitian card issue or me not
>> fully understanding what is possible to do?
> pkcs15-init is fully working. The failing assert comes from entersafe
> (feitian) driver code.

Thank you for reporting this, it's a flaw in entersafe driver.
I'd like to propose the patch for it, it removes the assert line and some  
unused code, solves a problem with ePass3000, see my attachment.

Regards, Xiaoshuo

entersafe_assert.diff
Description: Binary data

Re: [opensc-devel] Feitian Entersafe : transferring a key to a smartcard

2010-01-11 Thread Andreas Jellinghaus
On Monday 11 January 2010 14:52:04, Jean-Michel Pouré wrote:
> * I would like to add a page with dummy certificates on the wiki. One
> root CA, one secondary CAs and several certs. So that users only have to
> download them to test command lines. Would you favor that ?

src/test/regression contains our regression test suite, and it includes
such certificates, as far as I know.

also the regression test suite might be a better place than the wiki
for testing such things.
 
> * pkcs11-tool and pkcs15-init have some common tools. For example, it is
> possible to generate an RSA key. But I could not find information about
> pkcs11-tool on the wiki. Is pkcs11-tool deprecated?

no. the tool documentation is in the source package as man pages / xml
files / html documentation, not in the wiki.

> Is pkcs15-init fully working? Or is it a Feitian card issue or me not
> fully understanding what is possible to do?

looks like a feitian card/driver issue to me.

Regards, Andreas