[opensc-devel] extensions and fixes for opensc-tool & opensc-explorer
Hi,

please find attached 3 patches to opensc-tool and opensc-explorer:

* [PATCH 1/3] opensc-tool: make list_algorithms() table driven
  Use easily extensible tables instead of explicit coding to display algorithm names and options in list_algorithms. Leverage the new tables to add more RSA hashes.

* [PATCH 2/3] opensc-tool: convert print_file() to using tables
  Use ID<->name tables in print_file() instead of arrays of strings where the index was treated like some "magic" constant. With the new mapping tables, the meaning is obvious.
  While on it, fix a bug with ac_ops_df[]: before the conversion, it was a list of pointers to strings but was in one case treated like it was a mapping table. With the conversion to a mapping table, and the adaption of other code parts, this bug got fixed "automagically" ;-)

* [PATCH 3/3] opensc-{explorer,tool}: allow sending extended APDUs
  In do_apdu() resp. send_apdu(), flexibilize parsing the APDU string passed so that extended APDUs are accepted as valid APDUs too.
  While at it, fix a bug where more data than available would have been copied, potentially leading to a SIGSEGV.

Please consider including them into trunk, as they
a) fix potential bugs
b) help development: send extended APDUs
c) allow tools to give more complete information

Thanks in advance
Peter

-- 
Peter Marschall
pe...@adpm.de

From af08131050655c05111cc10548c6e0156351e502 Mon Sep 17 00:00:00 2001
From: Peter Marschall
Date: Sat, 16 Apr 2011 14:28:03 +0200
Subject: [PATCH 1/3] opensc-tool: make list_algorithms() table driven

Use easily extensible tables instead of explicit coding to display algorithm names and options in list_algorithms. Leverage the new tables to add more RSA hashes.

Signed-off-by: Peter Marschall
---
 src/tools/opensc-tool.c | 122 ++-
 1 files changed, 67 insertions(+), 55 deletions(-)

diff --git a/src/tools/opensc-tool.c b/src/tools/opensc-tool.c
index 529e842..5857228 100644
--- a/src/tools/opensc-tool.c
+++ b/src/tools/opensc-tool.c
@@ -34,6 +34,12 @@ #include "libopensc/cardctl.h" #include "util.h" +/* type for associations of IDs to names */ +typedef struct _id2str { + unsigned int id; + const char *str; +} id2str_t; + static const char *app_name = "opensc-tool"; static int opt_wait = 0; 
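Review bot: the tag `struct _id2str` starts with an underscore at file scope, which C reserves for the implementation; `typedef struct id2str { ... } id2str_t;` (or an anonymous struct) avoids that. Since the lookup loops in the next hunk stop on `.str != NULL` rather than `.id == 0`, the `{ 0, NULL }` sentinel convention, and the fact that an `id` of 0 is a legal table entry, deserves a comment on the struct so later table authors do not terminate on the id.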
@@ -556,81 +562,87 @@ static void print_serial(sc_card_t *in_card) static int list_algorithms(void) { int i; - const char *aname; + const char *aname = "unknown"; + + const id2str_t alg_type_names[] = { + { SC_ALGORITHM_RSA, "rsa"}, + { SC_ALGORITHM_DSA, "ec" }, + { SC_ALGORITHM_DES, "des"}, + { SC_ALGORITHM_3DES, "3des" }, + { SC_ALGORITHM_MD5, "md5"}, + { SC_ALGORITHM_SHA1, "sha1" }, + { SC_ALGORITHM_PBKDF2,"pbkdf2" }, + { SC_ALGORITHM_PBES2, "pbes2" }, + { SC_ALGORITHM_GOSTR3410, "gost" }, + { 0, NULL } + }; + const id2str_t alg_flag_names[] = { + { SC_ALGORITHM_ONBOARD_KEY_GEN, "onboard key generation" }, + { SC_ALGORITHM_NEED_USAGE, "needs usage"}, + { 0, NULL } + }; + const id2str_t rsa_flag_names[] = { + // { SC_ALGORITHM_RSA_PAD_NONE, "none" }, + { SC_ALGORITHM_RSA_PAD_PKCS1, "pkcs1" }, + { SC_ALGORITHM_RSA_PAD_ANSI, "ansi" }, + { SC_ALGORITHM_RSA_PAD_ISO9796,"iso9796" }, + // { SC_ALGORITHM_RSA_HASH_NONE, "none" }, + { SC_ALGORITHM_RSA_HASH_SHA1, "sha1" }, + { SC_ALGORITHM_RSA_HASH_MD5, "MD5" }, + { SC_ALGORITHM_RSA_HASH_MD5_SHA1, "md5-sha1" }, + { SC_ALGORITHM_RSA_HASH_RIPEMD160, "ripemd160" }, + { SC_ALGORITHM_RSA_HASH_SHA256,"sha256"}, + { SC_ALGORITHM_RSA_HASH_SHA384,"sha384"}, + { SC_ALGORITHM_RSA_HASH_SHA512,"sha512"}, + { SC_ALGORITHM_RSA_HASH_SHA224,"sha224"}, + { 0, NULL } + }; if (verbose) printf("Card supports %d algorithm(s)\n\n",card->algorithm_count); for (i=0; i < card->algorithm_count; i++) { - switch (card->algorithms[i].algorithm) { - case SC_ALGORITHM_RSA: - aname = "rsa"; - break; - case SC_ALGORITHM_DSA: - aname = "dsa"; - aname = "ec"; - break; - case SC_ALGORITHM_DES: - aname = "des"; - break; - case SC_ALGORITHM_3DES: - aname = "3des"; - break; - case SC_ALGORITHM_MD5: - aname = "md5"; - break; - case SC_ALGORITHM_SHA1: - aname = "sha1"; - break; - case SC_ALGORITHM_PBKDF2: - aname = "pbkdf2"; - break; - case SC_ALGORITHM_PBES2: - aname = "pbes2"; - break; - case SC_ALGORITHM_GOSTR3410: - aname = "gost"; - break; - default: - aname 
= "unknown"; - break; - } - + int j; + + /* find algorithm name */ + for (j = 0; alg_type_names[j].str != NULL; j++) { + if (card->algorithms[i].algorithm == alg_type_names[j].id) { +aname = alg_type_names[j].str; +break; + } + } + printf("Algorithm: %s\n", aname); printf("Key length: %d\n", card->algorithms[i].key_le
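Review bot: `aname` is initialised to `"unknown"` once, before the `for (i = 0; ...)` loop, and is only reassigned inside the inner `for (j ...)` loop on a table hit, so an algorithm with no table entry that follows a recognised one is printed with the previous iteration's name; the removed `default: aname = "unknown";` branch reset it on every iteration. Move `const char *aname = "unknown";` into the loop body next to `int j;` (or reset it before the lookup). Two smaller points in the same hunk: `{ SC_ALGORITHM_DSA, "ec" }` carries the old double assignment (`aname = "dsa"; aname = "ec";`) into the table, so DSA still prints as "ec" and should either become `"dsa"` or get a comment saying why it does not; and `"MD5"` in `rsa_flag_names` is the only upper-case name in otherwise lower-case tables.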
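The third patch of the series (its hunks are not shown on this page) teaches the opensc-tool/opensc-explorer APDU-string parser to accept extended-length APDUs and fixes an over-copy that could crash the tool. As an added illustration, not part of Peter's patches or of OpenSC's own code, the following stand-alone C parser performs the same classification (short versus extended Lc/Le encoding, ISO 7816-4 cases 1 to 4) and rejects a string whose Lc field claims more bytes than were actually supplied, which is the condition behind the SIGSEGV mentioned above. The `struct apdu`, `parse_apdu` and the accessor names are my own and are not OpenSC's `sc_apdu` API; all sample strings are constructed.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Largest command data field ISO 7816-4 allows (extended Lc), so any APDU
 * the parser accepts fits without a second size check. */
#define APDU_MAX_DATA 65535

struct apdu {
    unsigned char cla, ins, p1, p2;
    size_t lc;           /* command data length actually present */
    size_t le;           /* expected response length, 0 when absent */
    int extended;        /* 1 when the 3-byte extended Lc/Le encoding was used */
    unsigned char data[APDU_MAX_DATA];
};

static int hexval(int c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Decode a hex string (spaces/colons between bytes allowed) into buf.
 * Returns the byte count, or -1 on a bad digit, an odd nibble or overflow. */
static int hex_decode(const char *s, unsigned char *buf, size_t bufsize)
{
    size_t n = 0;
    while (*s) {
        if (*s == ' ' || *s == ':' || *s == '\t') { s++; continue; }
        int hi = hexval(s[0]);
        int lo = s[1] ? hexval(s[1]) : -1;
        if (hi < 0 || lo < 0 || n >= bufsize) return -1;
        buf[n++] = (unsigned char)((hi << 4) | lo);
        s += 2;
    }
    return (int)n;
}

/* Parse a hex APDU string into *out. Returns the ISO 7816-4 case (1..4) or a
 * negative value when the encoding is malformed. The data field is copied
 * only after Lc has been checked against the bytes actually supplied, so a
 * short string can never cause an over-read. */
int parse_apdu(const char *hex, struct apdu *out)
{
    unsigned char raw[4 + 3 + APDU_MAX_DATA + 2];
    int n = hex_decode(hex, raw, sizeof raw);
    if (n < 4) return -1;                       /* need at least CLA INS P1 P2 */
    out->cla = raw[0]; out->ins = raw[1]; out->p1 = raw[2]; out->p2 = raw[3];
    out->lc = 0; out->le = 0; out->extended = 0;

    const unsigned char *p = raw + 4;
    size_t rem = (size_t)n - 4, lc, hdr, le_len;
    if (rem == 0) return 1;                     /* case 1: header only */
    if (rem == 1) {                             /* case 2S: one-byte Le, 00 = 256 */
        out->le = p[0] ? p[0] : 256;
        return 2;
    }
    if (p[0] != 0) {                            /* short Lc (1..255) */
        lc = p[0]; hdr = 1; le_len = 1;
    } else {                                    /* 00 xx xx: extended encoding */
        if (rem < 3) return -2;
        out->extended = 1;
        hdr = 3; le_len = 2;
        lc = ((size_t)p[1] << 8) | p[2];
        if (rem == 3) {                         /* case 2E: two-byte Le, 0000 = 65536 */
            out->le = lc ? lc : 65536;
            return 2;
        }
    }
    if (lc == 0) return -3;                     /* an Lc field must be non-zero */
    if (rem != hdr + lc && rem != hdr + lc + le_len)
        return -4;                              /* Lc disagrees with the bytes present */
    memcpy(out->data, p + hdr, lc);             /* safe: lc bytes proven present */
    out->lc = lc;
    if (rem == hdr + lc) return 3;              /* case 3: data, no Le */
    const unsigned char *q = p + hdr + lc;      /* case 4: Le follows the data */
    if (le_len == 1) out->le = q[0] ? q[0] : 256;
    else { size_t v = ((size_t)q[0] << 8) | q[1]; out->le = v ? v : 65536; }
    return 4;
}

/* One-call accessors so each property can be checked directly. */
long apdu_case(const char *hex) { struct apdu a; return parse_apdu(hex, &a); }
long apdu_lc(const char *hex)   { struct apdu a; return parse_apdu(hex, &a) > 0 ? (long)a.lc : -1; }
long apdu_le(const char *hex)   { struct apdu a; return parse_apdu(hex, &a) > 0 ? (long)a.le : -1; }
int apdu_extended(const char *hex) { struct apdu a; return parse_apdu(hex, &a) > 0 ? a.extended : -1; }

int main(void)
{
    const char *s = "00 2A 9E 9A 00 00 03 AA BB CC 00 00";   /* constructed case-4E string */
    printf("%s -> case %ld, lc %ld, le %ld, extended %d\n", s,
           apdu_case(s), apdu_lc(s), apdu_le(s), apdu_extended(s));
    printf("truncated -> %ld\n", apdu_case("00 D6 00 00 05 01 02"));
    return 0;
}
```

The one ambiguity the parser has to resolve is a fifth byte of `00`: alone it is a short Le of 256 (case 2S), while followed by two more bytes it starts the extended encoding; the length checks then make sure that no more than the supplied bytes are ever copied into the data field.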
[opensc-devel] finally OpenPGP card 2.0 support
Hi,

please find attached the third round of my patches to the OpenPGP card driver, that now can - at least partially - deal with OpenPGP 2.0 cards while still compatible with OpenPGP 1.1 cards (tested with both card types).

Here's what they do (copied from the commit message of each patch):

* [PATCH 01/15] OpenPGP: fix top-level DOs according to spec
  Added:
  * 00c4: new top-level DO in 2.0
    can also be found inside constructed DOs 006E/0073 in 2.0 & 1.1
  * 0101: new optional top-level DO starting in 1.1
    for private use max 254 bytes; access: read - always; write - verify CHV2
  * 0102: new optional top-level DO starting in 1.1
    for private use max 254 bytes; access: read - always; write - verify CHV3
  * 0103: new optional top-level DO starting in 1.1
    for private use max 254 bytes; access: read - verify CHV2; write - verify CHV2
  * 0104: new optional top-level DO starting in 1.1
    for private use max 254 bytes; access: read - verify CHV3; write - verify CHV3
  * 5f52: new top-level DO in 2.0
    can also be found inside constructed DOs 006E in 2.0
  * 7f21: new optional top-level DO in 2.0
    use: card holder certificate (e.g. X.509) for the AUT key in the card
  Removed:
  * 0073: never a top-level DO, but part of top-level constructed DO 006E
  Changed:
  * 005e: not a constructed DO, but a simple/primitive DO
  Note: Trying to read non-existent top-level DOs or top-level DOs that weren't defined in a spec version later than the current card's version does not hurt. They are returned as empty.

* [PATCH 02/15] OpenPGP: add indication of 2048 RSA algorithm for OpenPGP 2.0 cards

* [PATCH 03/15] OpenPGP: try to match flags with specification

* [PATCH 04/15] OpenPGP: re-factor pgp_enumerate_blob()
  Leverage the fact that OpenPGP cards use TLV encoding according to ASN.1 BER-encoding rules and use sc_asn1_read_tag() as the workhorse within pgp_enumerate_blob().
  There's one peculiarity though: OpenPGP cards expect 'cla' to be merged into 'tag'. This is done manually after calling sc_asn1_read_tag().

* [PATCH 05/15] OpenPGP: implement function to free the fake file system
  * pgp_iterate_blobs(): walk through the blob tree
  * pgp_free_blob(): free a blob

* [PATCH 06/15] OpenPGP: NULL-ify free()'d pointer

* [PATCH 07/15] OpenPGP: re-factor pgp_set_blob()
  * NULL-ify freed data pointer
  * avoid unnecessary malloc() calls
  * cope with malloc() errors
  * do not rely on blob->file to be set

* [PATCH 08/15] OpenPGP: add some comments

* [PATCH 09/15] OpenPGP: use symbolic names for errors/success

* [PATCH 10/15] OpenPGP: catch calloc() errors in pgp_new_blob()
  Detect and react on out of memory errors in pgp_new_blob() and its callers.

* [PATCH 11/15] OpenPGP: update card capabilities from historical bytes
  According to OpenPGP card specs 1.1 & 2.0 historical bytes in the ATR indicate capabilities:
  * bit 0x40 of the 3rd byte of the compact-TLV entry with TL 0x73 tells whether the card supports extended Lc/Le fields in APDUs.
  In addition, OpenPGP card 2.0 spec specifies the optional DO 5f52 which also contains the historical bytes (just in case). If available use this value to override capabilities from ATR.

* [PATCH 12/15] OpenPGP: use card "extended Lc/Le" capabilities
  Adapt pgp_get_pubkey() and pgp_read_blob() to make use of the information about the "extended Lc/Le" capabilities. This allows reading OpenPGP Card v2.0 keys! Yippie!!

* [PATCH 13/15] OpenPGP: allow extended APDUs in all functions
  Depending on the card's capabilities and the necessity (requested response size > 256) allow extended APDUs in all functions talking to the card.

* [PATCH 14/15] OpenPGP: free memory when selecting the application fails
  free() the memory already reserved when the file identifying the OpenPGP application fails & reset the pointers in the card structure back to NULL.

* [PATCH 15/15] OpenPGP: implement card_ctl() command SC_CARDCTL_GET_SERIALNR
  Implement card_ctl(), currently restricted only to SC_CARDCTL_GET_SERIALNR.
  The card's serial number is copied from the respective bytes in the AID.

Please include them into the trunk as they:
a) fix lots of bugs
b) make the code conform to the ABI: free locally allocated memory, ..
c) extend features: OpenPGP Card 2.0 support (at least partially)

Thanks in advance
Peter

-- 
Peter Marschall
pe...@adpm.de

From 8319b2627fdbcf9465ffe6383d6b60cebe3da9a4 Mon Sep 17 00:00:00 2001
From: Peter Marschall
Date: Sun, 13 Mar 2011 21:41:12 +0100
Subject: [PATCH 01/15] OpenPGP: fix top-level DOs according to spec

Added:
* 00c4: new top-level DO in 2.0
  can also be found inside constructed DOs 006E/0073 in 2.0 & 1.1
* 0101: new optional top-level DO starting in 1.1
  for private use max 254 bytes; access: read - always; write - verify CHV2
* 0
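Patches 11 to 13 above gate the use of extended APDUs on the capability the card itself advertises in its historical bytes. As an added example, written here and not taken from the OpenSC OpenPGP driver or from Peter's patches, the following C locates the historical bytes in an ATR (walking the TA/TB/TC/TD interface-byte chain after T0), scans the compact-TLV objects for the card-capabilities entry (tag 7, which is what the TL byte 0x73 denotes for a three-byte object) and reads bit 0x40 of its third byte exactly as the message describes. The first two ATRs are constructed; the third is the one quoted later in this thread in the certutil and opensc-tool output, whose capabilities object carries a single byte, so the indicator cannot be read from it. All function and constant names are my own assumptions.

```c
#include <stddef.h>
#include <stdio.h>

/* Walk the ATR interface bytes (TA/TB/TC/TD chain after T0) and locate the
 * historical bytes. Returns 0 and sets *hist/*len on success, -1 when the
 * ATR is truncated or does not start with a valid TS byte. TCK is not
 * verified here. */
static int atr_historical_bytes(const unsigned char *atr, size_t n,
                                const unsigned char **hist, size_t *len)
{
    if (n < 2 || (atr[0] != 0x3B && atr[0] != 0x3F)) return -1;
    unsigned y = atr[1] >> 4;          /* Y1: which of TA1..TD1 are present */
    size_t i = 2;
    *len = atr[1] & 0x0F;              /* K: number of historical bytes */
    for (;;) {
        if (y & 1) i++;                /* TAi */
        if (y & 2) i++;                /* TBi */
        if (y & 4) i++;                /* TCi */
        if (!(y & 8)) break;           /* no TDi: end of interface bytes */
        if (i >= n) return -1;
        y = atr[i++] >> 4;             /* TDi announces the next group */
    }
    if (i + *len > n) return -1;       /* K claims more bytes than the ATR has */
    *hist = atr + i;
    return 0;
}

/* Scan historical bytes for the ISO 7816-4 card-capabilities object
 * (compact-TLV tag 7) and report bit 0x40 of its third byte, the
 * "extended Lc and Le fields" indicator. Returns 1 = supported,
 * 0 = not supported, -1 = cannot tell (object absent or shorter than three
 * bytes, truncated encoding, or a category indicator not decoded here). */
static int caps_extended_lc_le(const unsigned char *h, size_t k)
{
    if (k == 0) return -1;
    size_t i = 1, end = k;
    if (h[0] == 0x00) {                /* category 0x00: 3-byte status indicator trails the objects */
        if (k < 4) return -1;
        end = k - 3;
    } else if (h[0] != 0x80) {         /* 0x80: objects only; anything else is not compact-TLV */
        return -1;
    }
    while (i < end) {
        unsigned tag = h[i] >> 4, len = h[i] & 0x0F;
        if (i + 1 + len > end) return -1;   /* truncated object: refuse rather than over-read */
        if (tag == 7 && len >= 3)
            return (h[i + 3] & 0x40) ? 1 : 0;
        i += 1 + len;
    }
    return -1;
}

/* Decide from a full ATR whether extended APDUs may be used (1/0/-1). */
int atr_supports_extended_apdu(const unsigned char *atr, size_t n)
{
    const unsigned char *hist;
    size_t k;
    if (atr_historical_bytes(atr, n, &hist, &k) != 0) return -1;
    return caps_extended_lc_le(hist, k);
}

/* Constructed sample ATRs (not from any real card): T0 = 0x88 -> TD1 present,
 * 8 historical bytes; TD1 = 0x01 -> T=1, no further interface bytes;
 * historical bytes 00 | 73 C8 01 40 | 00 90 00, then TCK. */
const unsigned char ATR_EXT[]   = {0x3B,0x88,0x01, 0x00,0x73,0xC8,0x01,0x40, 0x00,0x90,0x00, 0xE3};
const unsigned char ATR_NOEXT[] = {0x3B,0x88,0x01, 0x00,0x73,0xC8,0x01,0x00, 0x00,0x90,0x00, 0xA3};
/* ATR quoted later in this thread (opensc-tool --atr): its capabilities
 * object is "71 df", one byte only, so the indicator is not available. */
const unsigned char ATR_THREAD[] = {0x3b,0x9f,0x95,0x81,0x31,0xfe,0x9f,0x00,0x65,0x46,0x53,0x05,
                                    0x30,0x06,0x71,0xdf,0x00,0x00,0x00,0x81,0x61,0x10,0xc6};

int main(void)
{
    printf("constructed, bit 0x40 set:   %d\n", atr_supports_extended_apdu(ATR_EXT, sizeof ATR_EXT));
    printf("constructed, bit 0x40 clear: %d\n", atr_supports_extended_apdu(ATR_NOEXT, sizeof ATR_NOEXT));
    printf("ATR from the thread:         %d\n", atr_supports_extended_apdu(ATR_THREAD, sizeof ATR_THREAD));
    return 0;
}
```

A driver that keys extended-length use on this value should treat -1 the same as 0 and fall back to short APDUs (or to the DO 5f52 copy of the historical bytes that the message mentions), since the only safe default when the card says nothing is the short encoding every card accepts.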
[opensc-devel] Status installing and using opensc + minidriver on win7 x64
Hi everyone,

I tried to get windows smartcardlogon, and ssh login with putty to work with my feitian pki smartcard on x64 Windows 7, and decided to try opensc's minidriver using latest nightly build (5352, to be precise). I'm posting my findings here, as per request of mrtn, who helped me out a lot today.

My findings so far:

- The installer puts the registry settings about where to find its cardprofiles and configfile in an incorrect location: (HKLM\Software\OpenSC Project\OpenSC (64bit)\ instead of HKLM\Software\OpenSC Project\OpenSC\), resulting in the tools not being able to find the profiles and configuration files. Changing the keyname in the registry to "OpenSC" solves this.

- Furthermore, using pkcs15-init with more than one -v flag crashes the tool immediately.

- Also, trying to erase the card with pkcs15-init -E crashes the tool, regardless whether the card was blank or previously initialized. The crash seems to happen after the card is erased though, because it is empty afterwards.

- Initializing the card and uploading keys and certificates seems to work:

---8<--
C:\Program Files\OpenSC Project\OpenSC\tools>pkcs15-init --create-pkcs15 --profile pkcs15+onepin --use-default-transport-key --pin --puk --label "Rien Broekstra"
Using reader with a card: OMNIKEY CardMan 3x21 0

C:\Program Files\OpenSC Project\OpenSC\tools>
---8<--

---8<--
C:\Program Files\OpenSC Project\OpenSC\tools>pkcs15-init.exe --store-private-key c:\Users\Rien\Documents\key.pem --auth-id 01
Using reader with a card: OMNIKEY CardMan 3x21 0
User PIN [User PIN] required.
Please enter User PIN [User PIN]:

C:\Program Files\OpenSC Project\OpenSC\toos>
---8<--

---8<--
C:\Program Files\OpenSC Project\OpenSC\tools>pkcs15-init.exe --store-certificate c:\Users\Rien\Documents\cert.pem --auth-id 01
Using reader with a card: OMNIKEY CardMan 3x21 0
User PIN [User PIN] required.
Please enter User PIN [User PIN]:

C:\Program Files\OpenSC Project\OpenSC\tools>

C:\Program Files\OpenSC Project\OpenSC\tools>pkcs15-tool.exe -c
Using reader with a card: OMNIKEY CardMan 3x21 0
X.509 Certificate [Certificate]
        Object Flags   : [0x2], modifiable
        Authority      : no
        Path           : 3f0050153100
        ID             : fd76dfb49faccbcc5afac5d06c04d230b4756cfc
        GUID           : {fd76dfb4-9fac-cbcc-5afa-c5d06c04d230}
        Encoded serial : 02 01 01

C:\Program Files\OpenSC Project\OpenSC\tools>pkcs15-tool.exe -k
Using reader with a card: OMNIKEY CardMan 3x21 0
Private RSA Key [Private Key]
        Object Flags   : [0x3], private, modifiable
        Usage          : [0x4], sign
        Access Flags   : [0x0]
        ModLength      : 2048
        Key ref        : 1 (0x1)
        Native         : yes
        Path           : 3f005015
        Auth ID        : 01
        ID             : fd76dfb49faccbcc5afac5d06c04d230b4756cfc
        GUID           : {fd76dfb4-9fac-cbcc-5afa-c5d06c04d230}
---8<--

- Something seems to be off with the location to the pkcs11 dll, because pkcs11-tool.exe can't load the module unless I explicitly specify its location (this may be expected behaviour though?):

---8<--
C:\Program Files\OpenSC Project\OpenSC\tools>pkcs11-tool.exe --module C:\windows\system32\opensc-pkcs11.dll --test --login
Using slot 1 with a present token (0x1)
Logging in to "Rien Broekstra (User PIN)".
Please enter User PIN:
C_SeedRandom() and C_GenerateRandom():
  seeding (C_SeedRandom) not supported
  seems to be OK
Digests:
  all 4 digest functions seem to work
  MD5: OK
  SHA-1: OK
  RIPEMD160: OK
Signatures (currently only RSA signatures)
  testing key 0 (Private Key)
  all 4 signature functions seem to work
  testing signature mechanisms:
    RSA-X-509: OK
    RSA-PKCS: OK
    SHA1-RSA-PKCS: OK
    MD5-RSA-PKCS: OK
    RIPEMD160-RSA-PKCS: OK
Verify (currently only for RSA):
  testing key 0 (Private Key)
    RSA-X-509: OK
    RSA-PKCS: OK
    SHA1-RSA-PKCS: OK
    MD5-RSA-PKCS: OK
    RIPEMD160-RSA-PKCS: OK
Unwrap: not implemented
Decryption (RSA)
  testing key 0 (Private Key) -- can't be used to decrypt, skipping
No errors
---8<--

- Furthermore, when I try to access the card via CSP (EIDAuthenticator) it is able to find the certificates on the card. However, whenever I try to login with them it will yield an error that the presented PIN is incorrect, while I'm sure I entered the correct PIN. A snippet from the debug log:

---8<--
2011-04-17 22:27:09.456 [cardmod] card.c:330:sc_unlock: called
2011-04-17 22:27:09.456 Verify rv:0
2011-04-17 22:27:09.456 [cardmod]
Re: [opensc-devel] Status installing and using opensc + minidriver on win7 x64
Dear Rien and all,

For information, putty-cac is not maintained. You may consider testing http://www.cryptoterm.com which is free for personal use and is rock-solid. It was tested with Feitian PKI cards and it works.

> - Also, trying to erase the card with pkcs15-init -E crashes the
> tool,
> regardless whether the card was blank or previously initialized. The
> crash seems to happen after the card is erased though, because it is
> empty afterwards.

Just tested, I can confirm this problem.

Also:

1) I could use the latest OpenSC x64 build with Firefox 32bit and 64bit (called Nighbuild) and opensc-pkcs11.so worked with already initialized smartcards.

2) But I did not succeed in setting-up the mini-driver:

certutil.exe -SCinfo
The Microsoft Smart Card Resource Manager is running.
Current reader/card status:
Readers: 1
  0: FT SCR301 CCID Smart Card 301 0
--- Reader: FT SCR301 CCID Smart Card 301 0
--- Status: SCARD_STATE_PRESENT
--- Status: The card is available for use.
--- Card:
---   ATR:
        3b 9f 95 81 31 fe 9f 00 65 46 53 05 30 06 71 df   ;...1...eFS.0.q.
        00 00 00 81 61 10 c6                               a..

===
Analyzing card in reader: FT SCR301 CCID Smart Card 301 0
SCardGetCardTypeProviderName: The system cannot find the file specified. 0x2 (WIN32: 2)
Cannot retrieve Provider Name for SCardGetCardTypeProviderName: The system cannot find the file specified. 0x2 (WIN32: 2)
Cannot retrieve Provider Name for
--===--

Done.
CertUtil: -SCInfo command FAILED: 0x2 (WIN32: 2)
CertUtil: The system cannot find the file specified.

C:\Users\jmpoure>opensc-tool.exe --atr
Using reader with a card: FT SCR301 CCID Smart Card 301 0
3b:9f:95:81:31:fe:9f:00:65:46:53:05:30:06:71:df:00:00:00:81:61:10:c6.

Kind regards,
-- 
Jean-Michel Pouré - Gooze - http://www.gooze.eu

___
opensc-devel mailing list
opensc-devel@lists.opensc-project.org
http://www.opensc-project.org/mailman/listinfo/opensc-devel
Re: [opensc-devel] Status installing and using opensc + minidriver on win7 x64
On 4/17/2011 11:40 PM, Jean-Michel Pouré - GOOZE wrote:
[snip]
> 2) But I did not succeed in setting-up the mini-driver:
>
> certutil.exe -SCinfo
> The Microsoft Smart Card Resource Manager is running.
> Current reader/card status:
> Readers: 1
>   0: FT SCR301 CCID Smart Card 301 0
> --- Reader: FT SCR301 CCID Smart Card 301 0
> --- Status: SCARD_STATE_PRESENT
> --- Status: The card is available for use.
> --- Card:
> ---   ATR:
>         3b 9f 95 81 31 fe 9f 00 65 46 53 05 30 06 71 df   ;...1...eFS.0.q.
>         00 00 00 81 61 10 c6                               a..
>
> ===
> Analyzing card in reader: FT SCR301 CCID Smart Card 301 0
> SCardGetCardTypeProviderName: The system cannot find the file specified. 0x2 (WIN32: 2)
> Cannot retrieve Provider Name for SCardGetCardTypeProviderName: The system cannot find the file specified. 0x2 (WIN32: 2)
> Cannot retrieve Provider Name for
> --===--
>
> Done.
> CertUtil: -SCInfo command FAILED: 0x2 (WIN32: 2)
> CertUtil: The system cannot find the file specified.
>
> C:\Users\jmpoure>opensc-tool.exe --atr
> Using reader with a card: FT SCR301 CCID Smart Card 301 0
> 3b:9f:95:81:31:fe:9f:00:65:46:53:05:30:06:71:df:00:00:00:81:61:10:c6.
>
> Kind regards,

You need an entry in the registry in order to let windows know to use the opensc minidriver for your card, as described in http://www.opensc-project.org/opensc/wiki/MiniDriver. Use your ATR as the value for the ATR-field, and an ATRMask of all ff's with the same length as the atr.

-- 
Rien
Re: [opensc-devel] Status installing and using opensc + minidriver on win7 x64
Hello,

On Apr 17, 2011, at 23:43 , Rien Broekstra wrote:
> - The installer puts the registry settings about where to find its
> cardprofiles and configfile in an incorrect location:
> (HKLM\Software\OpenSC Project\OpenSC (64bit)\ instead of
> HKLM\Software\OpenSC Project\OpenSC\), resulting in the tools not being
> able to find the profiles and configuration files. Changing the keyname
> in the registry to "OpenSC" solves this.

Fixed in r5353 [1]

> - Furthermore, using pkcs15-init with more than one -v flag crashes the
> tool immediately.
> - Also, trying to erase the card with pkcs15-init -E crashes the tool,
> regardless whether the card was blank or previously initialized. The
> crash seems to happen after the card is erased though, because it is
> empty afterwards.

This is (s/b)ad and needs debugging.

> - Something seems to be off with the location to the pkcs11 dll, because
> pkcs11-tool.exe can't load the module unless I explicitly specify its
> location (this may be expected behaviour though?):

Expected but needs to be fixed ASAP as well.

> - Furthermore, when I try to access the card via CSP (EIDAuthenticator)
> it is able to find the certificates on the card. However, whenever I try
> to login with them it will yield an error that the presented PIN is
> incorrect, while I'm sure I entered the correct PIN. A snippet from the
> debug log:
>
> This key cannot be used for decryption: -1209 (Not allowed)

When generating the key (and maybe also the certificate) make sure to specify KU decryption

  --key-usage, -u    Specify X.509 key usage (use "--key-usage help" for more information)

> And, lastly, puttysc refuses to accept opensc-pkcs11.dll as a pkcs11
> library. Maybe because puttysc is built for 32bit windows and the
> library is 64?

Indeed. A combined installer would be good but this will probably require some work. Meanwhile, both x86 and x64 installers should be able to be installed side by side.

Thanks for testing!

-- 
@MartinPaljak.net
+3725156495