[opensc-devel] Success with Omnikey (was: Re: Feitian ePass+SCR301 problem)
Hi all, positive news this time: I've managed to upload my certificate to the Feitian ePAss and sign a certificate request with it (i.e no more annoying openssl error: Jan Just Keijser wrote: > Yang Liu wrote: >> Dear Customer, >> >> Our R&D team replied your enquiry in >> http://www.opensc-project.org/pipermail/opensc-devel/2010-May/014259.html >> >> >> >> > I saw the posting on the list, as well as several other useful > suggestions; I will try the suggested commands next tuesday as I won't > have access to the card reader or card until that time. > > > >> -Original Message- >> From: Jan Just Keijser [mailto:janj...@nikhef.nl] Sent: Thursday, May >> 20, 2010 6:35 PM >> To: opensc-devel@lists.opensc-project.org >> Cc: liuy...@ftsafe.com; jmpo...@gooze.eu >> Subject: [SPAM] Re: Feitian ePass+SCR301 problem >> >> hi all, >> >> a new attempt, this time with the Omnikey reader that Jean-Michel so >> kindly sent me (thanks again!). This time I attached the card reader >> to a CentOS 5 box which has >> - openssl 0.9.8e >> - opensc 0.11.9 >> - pcsc-1.4.102 >> Later on I added opensc 0.11.13 (read below) >> >> I started out with the gooze tutorial again >> http://www.gooze.eu/howto/smartcard-quickstarter-guide >> >> ardeche [janjust] > pkcs15-init -E >> Using reader with a card: OmniKey CardMan 3121 00 00 >> >> ardeche [janjust] > pkcs15-init --create-pkcs15 --profile >> pkcs15+onepin --use-default-transport-key --pin 123456 --puk 11 >> --label "janjust" >> Using reader with a card: OmniKey CardMan 3121 00 00 >> >> ardeche [janjust] > pkcs15-init --store-certificate >> ~/.globus/usercert.pem --auth-id 01 --id 123456 --format pem >> Using reader with a card: OmniKey CardMan 3121 00 00 >> User PIN required. >> Please enter User PIN: >> User PIN required. >> Please enter User PIN: >> >> ardeche [janjust] > pkcs15-init --store-private-key >> ~/.globus/userkey.pem --auth-id 01 --id 123456 --format pem >> Using reader with a card: OmniKey CardMan 3121 00 00 >> Please enter passphrase to unlock secret key: >> User PIN required. >> Please enter User PIN: >> pkcs15-init: card-entersafe.c:1047: entersafe_encode_bignum: >> Assertion `0' failed. >> Aborted >> >> >> At this point I downloaded and built opensc-0.11.13 like this: >> >> ardeche [janjust] > head -10 config.log >> This file contains any messages produced by compilers while >> running configure, to aid debugging if configure makes a mistake. >> >> It was created by opensc configure 0.11.13, which was >> generated by GNU Autoconf 2.64. Invocation command line was >> >> $ ./configure --enable-pcsc --prefix=/user/janjust/local/feitian >> >> >> After the build and install I continued: >> >> ardeche [janjust] > ./pkcs15-init --generate-key rsa/2048 --auth-id >> 01 Using reader with a card: OmniKey CardMan 3121 00 00 >> User PIN required. >> Please enter User PIN: >> [pkcs15-init] reader-pcsc.c:239:pcsc_transmit: unable to transmit >> [pkcs15-init] apdu.c:394:do_single_transmit: unable to transmit APDU >> [pkcs15-init] card-entersafe.c:371:entersafe_transmit_apdu: returning >> with: Transmit failed >> [pkcs15-init] card-entersafe.c:1321:entersafe_gen_key: APDU transmit >> failed: Transmit failed >> [pkcs15-init] card.c:678:sc_card_ctl: returning with: Transmit failed >> [pkcs15-init] pkcs15-entersafe.c:391:entersafe_generate_key: >> EnterSafe generate RSA key pair failed: Transmit failed >> Failed to generate key: Transmit failed >> >> this still fails, but that might be related to the older pcsc-lite >> version... >> >> ardeche [janjust] > ./pkcs15-init --store-private-key >> ~/.globus/userkey.pem --auth-id 01 --id 123456 --format pem >> Using reader with a card: OmniKey CardMan 3121 00 00 >> Please enter passphrase to unlock secret key: >> User PIN required. >> Please enter User PIN: >> pkcs15-init: card-entersafe.c:1047: entersafe_encode_bignum: >> Assertion `0' failed. >> Aborted >> >> So I commented out 'assert(0)' in card-entersafe.c: >> >> ardeche [janjust] > ./pkcs15-init --store-private-key >> ~/.globus/userkey.pem --auth-id 01 --id 123456 --format pem >> Using reader with a card: OmniKey CardMan 3121 00 00 >> Please enter passphrase to unlock secret key: >> User PIN required. >> Please enter User PIN: >> User PIN required. >> Please enter User PIN: >> User PIN required. >> Please enter User PIN: >> User PIN required. >> Please enter User PIN: >> >> I had to enter the PIN 4 times, but OK: >> >> ardeche [janjust] > ./pkcs15-tool --dump >> Using reader with a card: OmniKey CardMan 3121 00 00 >> PKCS#15 Card [janjust]: >> Version: 1 >> Serial number : 3092541116010310 >> Manufacturer ID: EnterSafe >> Last update: 20100520100048Z >> Flags : EID compliant >> >> PIN [User PIN] >> Com. Flags: 0x3 >> ID: 01 >> Flags : [0x30], initialized, needs-padding >> Length: min_len:4, max_len:16, stored_len:16 >>
[opensc-devel] Success with Omnikey
Hi all, positive news this time: I've managed to upload my certificate to the Feitian ePAss and sign a certificate request with it (i.e no more annoying openssl error: 15127:error:8000A005:PKCS11 library:PKCS11_rsa_sign:General Error:p11_ops.c:131: 15127:error:0D0C3006:asn1 encoding routines:ASN1_item_sign:EVP lib:a_sign.c:276: here's what I did: - svn checkout of the pcsc code - build the pcsc code - svn checkout of the opensc code - patch the opensc code so that the openssl 1.0 thing does not bite me (it's still broken in svn) - build the opensc code (with --enable-pcsc) - grab the latest engine_pkcs11 code and build it then - run the new pcscd - modify opensc.conf to point to the new libpcsclite libs and a new profile directory (/usr/local/share/opensc) - re-initialize the card - install the cert + userkey - run my script to sign a cert request and this finally worked! I then switched back to the older opensc 0.11.13 code and that also worked for signing a certificate request! However, if I re-initialize the card using the opensc 0.11.13 codebase the cert signing failed using both the old and the new version of opensc : this leads me to believe that the card initialisation code has changed between 0.11.13 and 0.12 (svn) ... Now I have to test if all of this also works for the Feitian SCR301 card reader ... The preliminary conclusion is that yes it *is* possible to get this card working on Linux but it requires *lots* of tinkering, including the svn checkout. One of the things about the 0.12 codebase is the fact that all of a sudden I have to use slot=1 instead of slot=0 but I guess I can live with that annoyance ... Another interesting observation is that it seems impossible to store a certificate/pub key/priv key on the card using ID=666 : it always ends up as ID=6066 . This is not related to the Feitian card, as it also happens with my trusty old Aladdin eToken PRO. And thanks to Douglas Engbert for pointing out the certificate compromise ;-) cheers, JJK / Jan Just Keijser > > Jan Just Keijser wrote: >> Yang Liu wrote: >>> Dear Customer, >>> >>> Our R&D team replied your enquiry in >>> http://www.opensc-project.org/pipermail/opensc-devel/2010-May/014259.html >>> >>> >>> >>> >> I saw the posting on the list, as well as several other useful >> suggestions; I will try the suggested commands next tuesday as I >> won't have access to the card reader or card until that time. >> >> >> >>> -Original Message- >>> From: Jan Just Keijser [mailto:janj...@nikhef.nl] Sent: Thursday, >>> May 20, 2010 6:35 PM >>> To: opensc-devel@lists.opensc-project.org >>> Cc: liuy...@ftsafe.com; jmpo...@gooze.eu >>> Subject: [SPAM] Re: Feitian ePass+SCR301 problem >>> >>> hi all, >>> >>> a new attempt, this time with the Omnikey reader that Jean-Michel so >>> kindly sent me (thanks again!). This time I attached the card reader >>> to a CentOS 5 box which has >>> - openssl 0.9.8e >>> - opensc 0.11.9 >>> - pcsc-1.4.102 >>> Later on I added opensc 0.11.13 (read below) >>> >>> I started out with the gooze tutorial again >>> http://www.gooze.eu/howto/smartcard-quickstarter-guide >>> >>> ardeche [janjust] > pkcs15-init -E >>> Using reader with a card: OmniKey CardMan 3121 00 00 >>> >>> ardeche [janjust] > pkcs15-init --create-pkcs15 --profile >>> pkcs15+onepin --use-default-transport-key --pin 123456 --puk 11 >>> --label "janjust" >>> Using reader with a card: OmniKey CardMan 3121 00 00 >>> >>> ardeche [janjust] > pkcs15-init --store-certificate >>> ~/.globus/usercert.pem --auth-id 01 --id 123456 --format pem >>> Using reader with a card: OmniKey CardMan 3121 00 00 >>> User PIN required. >>> Please enter User PIN: >>> User PIN required. >>> Please enter User PIN: >>> >>> ardeche [janjust] > pkcs15-init --store-private-key >>> ~/.globus/userkey.pem --auth-id 01 --id 123456 --format pem >>> Using reader with a card: OmniKey CardMan 3121 00 00 >>> Please enter passphrase to unlock secret key: >>> User PIN required. >>> Please enter User PIN: >>> pkcs15-init: card-entersafe.c:1047: entersafe_encode_bignum: >>> Assertion `0' failed. >>> Aborted >>> >>> >>> At this point I downloaded and built opensc-0.11.13 like this: >>> >>> ardeche [janjust] > head -10 config.log >>> This file contains any messages produced by compilers while >>> running configure, to aid debugging if configure makes a mistake. >>> >>> It was created by opensc configure 0.11.13, which was >>> generated by GNU Autoconf 2.64. Invocation command line was >>> >>> $ ./configure --enable-pcsc --prefix=/user/janjust/local/feitian >>> >>> >>> After the build and install I continued: >>> >>> ardeche [janjust] > ./pkcs15-init --generate-key rsa/2048 --auth-id >>> 01 Using reader with a card: OmniKey CardMan 3121 00 00 >>> User PIN required. >>> Please enter User PIN: >>> [pkcs15-init] reader-pcsc.c:239:pcsc_transmit: unable to transmit >>> [pkcs15-init] apdu.c:394:do_single_transmit: unable to transmit APD
Re: [opensc-devel] Success with Omnikey (was: Re: Feitian ePass+SCR301 problem)
On Wed, 2010-05-26 at 13:34 +0200, Jan Just Keijser wrote: > positive news this time: I've managed to upload my certificate to the > Feitian ePAss and sign a certificate request with it (i.e no more > annoying openssl error: Dear Jan, * SCR-301 works fine. The Feitian SCR-301 is CCID compliant. * Feitian PKI works fine. * You only need to install OpenSC svn version. Kind regards, Jean-Michel -- Jean-Michel Pouré - Gooze - http://www.gooze.eu ___ opensc-devel mailing list opensc-devel@lists.opensc-project.org http://www.opensc-project.org/mailman/listinfo/opensc-devel
Re: [opensc-devel] Success with Omnikey
Jan Just Keijser wrote: > Hi all, > > positive news this time: I've managed to upload my certificate to the > Feitian ePAss and sign a certificate request with it (i.e no more > annoying openssl error: > 15127:error:8000A005:PKCS11 library:PKCS11_rsa_sign:General > Error:p11_ops.c:131: > 15127:error:0D0C3006:asn1 encoding routines:ASN1_item_sign:EVP > lib:a_sign.c:276: > > here's what I did: > > - svn checkout of the pcsc code > - build the pcsc code > - svn checkout of the opensc code > - patch the opensc code so that the openssl 1.0 thing does not bite me > (it's still broken in svn) > - build the opensc code (with --enable-pcsc) > - grab the latest engine_pkcs11 code and build it > > then > - run the new pcscd > - modify opensc.conf to point to the new libpcsclite libs and a new > profile directory (/usr/local/share/opensc) > - re-initialize the card > - install the cert + userkey > - run my script to sign a cert request > and this finally worked! > > I then switched back to the older opensc 0.11.13 code and that also > worked for signing a certificate request! > However, if I re-initialize the card using the opensc 0.11.13 codebase > the cert signing failed using both the old and the new version of opensc > : this leads me to believe that the card initialisation code has changed > between 0.11.13 and 0.12 (svn) ... > In fact, initialization of Feitian card has been changed -- it was discussed in thread 'C_SignFinal fails when using a pinpad reader': The User PIN of this card is the local one. This fact was not reflected in the PIN's attributes written into the card during initialization with opensc 0.11.13 . > Now I have to test if all of this also works for the Feitian SCR301 card > reader ... > > The preliminary conclusion is that yes it *is* possible to get this card > working on Linux but it requires *lots* of tinkering, including the svn > checkout. I hope the final conclusion will be more optimistic. There was bug in opensc-0.11.13, now it's corrected in trunk -- I venture to say it's 'normal'. > One of the things about the 0.12 codebase is the fact that all > of a sudden I have to use slot=1 instead of slot=0 but I guess I can > live with that annoyance ... > If in your opensc.conf you will set 'plug_and_play' to 'false', you will have your token in slot '0'. > Another interesting observation is that it seems impossible to store a > certificate/pub key/priv key on the card using ID=666 : it always ends > up as ID=6066 . This is not related to the Feitian card, as it also > happens with my trusty old Aladdin eToken PRO. > > And thanks to Douglas Engbert for pointing out the certificate > compromise ;-) > > cheers, > Kind wishes, Viktor. > JJK / Jan Just Keijser > > > >> Jan Just Keijser wrote: >> >>> Yang Liu wrote: >>> Dear Customer, Our R&D team replied your enquiry in http://www.opensc-project.org/pipermail/opensc-devel/2010-May/014259.html >>> I saw the posting on the list, as well as several other useful >>> suggestions; I will try the suggested commands next tuesday as I >>> won't have access to the card reader or card until that time. >>> >>> >>> >>> -Original Message- From: Jan Just Keijser [mailto:janj...@nikhef.nl] Sent: Thursday, May 20, 2010 6:35 PM To: opensc-devel@lists.opensc-project.org Cc: liuy...@ftsafe.com; jmpo...@gooze.eu Subject: [SPAM] Re: Feitian ePass+SCR301 problem hi all, a new attempt, this time with the Omnikey reader that Jean-Michel so kindly sent me (thanks again!). This time I attached the card reader to a CentOS 5 box which has - openssl 0.9.8e - opensc 0.11.9 - pcsc-1.4.102 Later on I added opensc 0.11.13 (read below) I started out with the gooze tutorial again http://www.gooze.eu/howto/smartcard-quickstarter-guide ardeche [janjust] > pkcs15-init -E Using reader with a card: OmniKey CardMan 3121 00 00 ardeche [janjust] > pkcs15-init --create-pkcs15 --profile pkcs15+onepin --use-default-transport-key --pin 123456 --puk 11 --label "janjust" Using reader with a card: OmniKey CardMan 3121 00 00 ardeche [janjust] > pkcs15-init --store-certificate ~/.globus/usercert.pem --auth-id 01 --id 123456 --format pem Using reader with a card: OmniKey CardMan 3121 00 00 User PIN required. Please enter User PIN: User PIN required. Please enter User PIN: ardeche [janjust] > pkcs15-init --store-private-key ~/.globus/userkey.pem --auth-id 01 --id 123456 --format pem Using reader with a card: OmniKey CardMan 3121 00 00 Please enter passphrase to unlock secret key: User PIN required. Please enter User PIN: pkcs15-init: card-entersafe.c:1047: entersafe_encode_bignum: Assertion `0' failed. Aborted At thi
Re: [opensc-devel] AccessMode in ISO7816-15
Hi Andreas, Andreas Schwier (ML) wrote: > Hi Viktor, > > ISO 7816-15:2004 defines read(0), update(1), execute(2) and delete(3). > Thanks. Finally I found the other accessModes in IAS/ECC v.1.0.1 specification: attribute (4), pso_cds (5), pso_verif (6), pso_dec (7), pso_enc (8), int_auth (9), ext_auth (10) > Andreas > Regards, Viktor. > Viktor TARASOV schrieb: > >> Hi, >> >> The 'accessMode' bit string, encoded by the native Oberthur middleware >> for the IAS/ECC cards, >> can be up to 10 bits length. >> >> In PKCS#15 (v1.1) for the 'accessMode' only three bits defined: 'read', >> 'update', 'execute'. >> In ECC specification (CEN/TS 15480-2:2007) one more: 'delete'. >> >> Have you an access to 7816-15, please? Does it's 'accessMode' definition >> identical to the one defined in PKCS#15? >> >> Do you know other specifications that define more of the AccessMode >> operations? >> >> Kind wishes, >> Viktor. >> >> >> > > > -- Viktor Tarasov ___ opensc-devel mailing list opensc-devel@lists.opensc-project.org http://www.opensc-project.org/mailman/listinfo/opensc-devel
Re: [opensc-devel] [patch 3/3] Add i.MX card reader support
Am Dienstag 25 Mai 2010, um 15:54:10 schrieb Ludovic Rousseau: > You may want to specify a LGPL license version. 2.1 or 3.0 or (at your > option) any later version? > > I had a quick look at the other OpenCT files and they do not use the > standard LGPL license text. > > And the license version is not indicated on the OpenCT project page > [1]. Just that the project uses LGPL. > > [1] http://www.opensc-project.org/openct OpenCT smart card reader drivers, middleware and library (C) 2003-2006 Copyright by the OpenCT Authors listed above This software is free software; you can redistribute it and/or modify it under the terms of the GNU Lesser General Public License as published by the Free Software Foundation; either version 2.1 of the License, or (at your option) any later version. is the normal license. Most of the code is still BSD-3 licensed too (and all of libopenct is), but some drivers are already LGPL-2.1+ only, so another new driver with LGPL-2.1+ is ok. If you want to go for LGPL 3 or 3+ (or 2.1) or any other new license, lets have a discussion about that first (so we know why, and how it will affect openct as a whole). About the web page: hmm, there is now a link to fsf web page with lgpl? strange. AFAIK the authorative parts are this: http://www.opensc-project.org/openct/wiki/LicenseText -> core is BSD-3 http://www.opensc-project.org/openct/wiki/AuthorsAndCredits -> in more details: some parts are LGPL 2.1+, thus if you compile in those parts, the whole is LGPL 2.1+. if you compile OpenCT without those parts, it is BSD-3. Regards, Andreas ___ opensc-devel mailing list opensc-devel@lists.opensc-project.org http://www.opensc-project.org/mailman/listinfo/opensc-devel
Re: [opensc-devel] [patch 0/3] [RFC] Adding an 'in system' SmartCard interface
the code looks good to me. very clean, nice! what is missing are some small issues: * license: LGPL-2.1+? or 3-BSD? or some other license? * the whole picture: if someone has a patched kernel and openct with these changes: how does he get it to work? "mknod" to create a device and a static config in openct.conf? or sysfs, udev and hotplugging? (if so, what changes are needed for udev...?) if the big picture is described somewhere, a url would be fine too. * kernel patch: is it published somewhere? we could carry a copy from my point of view, or a txt file with a url in it or something like that (or simply edit openct wiki and create a new page, and possibly attach it, if you like). > The kernel driver is not part of this patch stack. Please bear with me, if > the SmartCard handling seems broken at any point. I'm not a SmartCard > expert. This is my first attempt to make them work. do you have some card and app for testing? opensc and a cardos card for example, and running the opensc regression test suite. > > Some notes: > - I'm not sure if something like the 'src/ifd/direct.c' is really > required. I wrote it to get my userland driver to work and to be able to > setup my interface in the same manner like the other reader's drivers. > Most functions are dead in this file, because the communication to 'in > kernel' drivers is much simpler than talking to a serial or USB device. > Suggestions to avoid this file are welcome. hmm, not sure if "direct" is such a good name, but I don't know a better one myself. in general keeping that abstraction is ok with me. > - there was the need to touch 'src/ifd/atr.c' to be able to calculate some >timeout values. If there is a generic way to extract the CWI/BWI related > to a specific protocol, please give me a hint. I think for the other > reader devices, this kind of calculation is done in their firmware, right? not sure, maybe openct lacks proper handling there. At last I never bothered with all that, since usb crypto tokens are often very fast by default. > * what is the default 'block waiting time' for the T0 protocol? I thought T=0 is character based, so there should be none...? but no expert here, only used T=1 devices myself. > * what is the correct behaviour, if the card wants to use a > specific FI/DI pair, the hardware cannot handle? the card lists in atr what it can do. the reader doesn't need to do pps, it can stay at the default speed. or it can use PPS with any fi/di it wants, not only the one listed in the atr. if the card accepts that fi/di in pps communication, both sides are fine with it. also not sure 100% how higher level APIs work, but I thought apps need to trigger PPS? still many readers do pps by themself, so cards are always as fast as possible with them, at least I think. (well, at least drivers for windows might do that...) > Falling back to 1/1, or trying to use a FI/DI pair with slower transfer speed? I'm using the > latter one, but I'm unsure if its correct. And what to do, if the FI value > is supported, but the DI value is to small? (for example: Card wants > FI/DI=13/1, but my interface can only handle 13/2, 13/3, ...) the card will refuse. not sure if you have several tries in pps negotiation, or if you need to reset the card (warm or cold) in between. [power management] hmm, good idea. if noone keeps a connection to the reader open, it could be suspended and everything turned off. however is some app keeps a connection open, it must stay active, so that a "verified" state (pin confirmed) isn't lost due to a power down. >* Even running "openct-control shutdown" seems not to call the driver's > 'close' function. Bug or feature? guess a bug. Regards, Andreas ___ opensc-devel mailing list opensc-devel@lists.opensc-project.org http://www.opensc-project.org/mailman/listinfo/opensc-devel
[opensc-devel] new versions
are there any plans for new version? * openct could use a new release once juergens "imx" code works well and is commited. at least a pre-release or rc, and later a full release. * what happend to opensc 0.11.*? I thought the problem with gost / engine_pkcs11 is so big, it should be fixed in the 0.11 line to help normal users, and so distributions can backport that fix if they want. * is it time for a release candidate or pre-patch in trunk? i.e. are there any further plans that will change API/ABI or is API/ABI stable now again? martin, do you want to create new releases? need help? or any other volunteer? Regards, Andreas ___ opensc-devel mailing list opensc-devel@lists.opensc-project.org http://www.opensc-project.org/mailman/listinfo/opensc-devel
Re: [opensc-devel] [patch 0/3] [RFC] Adding an 'in system' SmartCard interface
Andreas Jellinghaus wrote: > [power management] .. > however is some app keeps a connection open, it must stay active, > so that a "verified" state (pin confirmed) isn't lost due to a > power down. Then that app can get a bug report filed. It would be a good first step if OpenCT and OpenSC do not cause it. //Peter ___ opensc-devel mailing list opensc-devel@lists.opensc-project.org http://www.opensc-project.org/mailman/listinfo/opensc-devel
