> From: helpcrypto helpcrypto
> Sent: 12/11/2012 11:43 PM
> To: Ravneet Singh Khalsa
> Cc: opensc-devel@lists.opensc-project.org
> Subject: Re: [opensc-devel] Changing Admin PIN on PIV card
>
> pkcs11's C_SetPin ?
>
> On Wed, Dec 12, 2012 at 3:06 AM, Ravnee
pkcs11's C_SetPin ?
On Wed, Dec 12, 2012 at 3:06 AM, Ravneet Singh Khalsa
wrote:
> Hi,
>
> Does any tool or API exist to change Admin PIN on Gemalto PIV Cards?
>
> Thanks.
>
> ___
> opensc-devel mailing list
> opensc-devel@lists.op
Thanks a lot for this really interesting share.
This will help me improve my code quality for sure!
On Mon, Dec 10, 2012 at 11:26 AM, Martin Paljak wrote:
> Hello,
>
> https://www.securecoding.cert.org/confluence/display/seccode/CERT+C+Secure+Coding+Standard
>
> Martin
> _
Updating to any bigger magic number will do the trick, but maybe it's
better to consider removing SC_MAX_CARD_DRIVERS (hence having no
limits), this, of course, depends on the usage. Can you say for
what/where it is used?
Maybe I'm wrong, but AFAIK if opensc says unsupported card, then you
have to make a driver for it:
http://www.opensc-project.org/opensc/wiki/FrequentlyAskedQuestions#Q:WhattodoifmycardisnotsupportedbyOpenSC
On Mon, Oct 22, 2012 at 8:48 AM, aidin boghaniyan wrote:
> Hello again,
> Does anybody have
> The libccid package installs a udev rule file to change the access
> rights of the USB device.
> This rule file is examined at device plug so you need to replug the
> reader _after_ the file is installed.
> This rule file is examined by udev so you (may) have to "restart"
> udev, or simply reboot.
On Thu, Oct 11, 2012 at 3:37 PM, Ludovic Rousseau
wrote:
>
>> I haven't restarted yet (to check if the reader starts working), but
>> would like to know if there is something I can do to detect and use
>> the reader (without rebooting).
>
> Replug your reader after installing libccid so that the ud
Dear Jean-Michel.
I didn't know about iReader. Thanks a lot.
A few weeks ago I was looking for something like that, and
http://www.apriva.com/products/iss/authentication/reader was the only
one I found suitable.
I'm very-VERY (did I say VERY?) interested in having a smartcard
working out of the box
> I tried that already and could not use VirtualBox because it only allows
> Max OS X Server running as guest. I also invested in a VMware licence
> and it never worked for the same reasons.
I needed to run OSX on a Windows host VMware computer to test our
smartcard software.
AFAIK, you can't insta
> Do you want my Humble or Honest opinion ? :)
None. Hacker one :P
> It shall depend on the use case. I doubt that there will ever be a
> "single, universal keychain", but many. VPN authentication with device
> based (TMP etc) keys which get auto-provisioned and a "movable"
> identity in the form
> Huh, I'd guess (hope) nobody would be deploying *RSA* below 2048 bits
> (smart cards doing 3k and 4k are also slowly emerging) and elliptic
> curves are already becoming a viable option (in commodity software) as
> well..
The most advanced I have seen here so far is 2048 :P
> There's also a bun
Just to sum up:
-TPM (fail?)
-Intel IPT (seem to be a draft and only for intel?)
-SC (Welcome 1970)
-Virtual/Cloud wallets (obscure?)
-A mobile device to replace sc (standard?)
IMHO, SC are old enough/well known to continue existing for quite
long, until someone brings a new/better/big idea.
Also
On Tue, Jul 24, 2012 at 4:16 AM, Nguyễn Hồng Quân wrote:
> Hi,
>
> I heard that you are successful to implement Admin PIN callback in PKCS#11.
> Which card did you do? Can it be applied to OpenPGP? If yes, how should we
> do?
>
> Thanks.
Where did you read that? I didn't say it...
We have a very o
On Mon, Jul 23, 2012 at 9:00 AM, NdK wrote:
> The problem with FF (and TB) is that it calls C_login only once, then
> assumes the login is still valid. Even if card got reset.
Then you should return the appropriate PKCS#11 error values, and that's
all. Isn't it so?
> Even worse, it asks for *ALL*
> On 21/07/2012 06:37, Nguyễn Hồng Quân wrote:
>> So, is there a way to ask for SO PIN via PKCS#11?
>> If yes, how should the code of card support be changed?
>
> I have no solution,
> PIN callbacks are not supported by PKCS#11 framework (in the manner as it's
> supported by pkcs15-init tool).
>
Hello again Alejandro (and others)
Apart from these URLs, do you know any other HOWTO/guide (to add a
card to OpenSC) ?
https://www.opensc-project.org/opensc/wiki/DeveloperInformation/NewCardDriver
https://www.opensc-project.org/opensc/wiki/DeveloperInformation/NewCardDriver/EnterSafeExample
> Maybe it's better that someone more implicated in OpenSC architecture would
> answer this question.
Volunteers? (The question was: shouldn't a 100% compliant pkcs#15 card
work "out of the box" with opensc?)
> You can export keys from a smartcard via pkcs15-tool, but this does not mean that
> you don
Hi Alejandro.
Today I'm testing an opensc unsupported card, I have dumped the apdus
sent by pcscd when doing some operations and it seems it's pkcs#15
compliant.
Apart from this link, have you made any progress?
On Wed, Jun 6, 2012 at 10:21 AM, Alejandro Díaz wrote:
> 2012/6/6 helpcry
Hi!
Our company -finally-, is going to change the smartcard we are using.
Actually we have a non-cryptographic, and seems we are switching to "3B
6F 00 00 80 66 B0 07 01 01 77 07 53 02 31 24 82 90 00"
Looking at
http://ludovic.rousseau.free.fr/softwares/pcsc-tools/smartcard_list.txt
I have found
> I'm not developing dnie driver, only I'm working with the documentation for
> explain the way to develop a driver and I think that this knowledge can be
> interesting for the community.
That will be great.
In the past we considered making a driver for our "very old not
cryptographic either pkcs
> My objective is to know how to write an OpenSC driver from APDU documentation.
IIUC: You want to make your own "opensc-dnie", right?
> but I've lost the way to connect the exercises with the final driver.
Don't understand what this means.
> On the other hand, if this manual doesn't already exist o
> You don't. It's useful to mount an attack against any BT sc reader (if
> sc doesn't support sm, or reader doesn't implement some extra security
> over bt).
Now I understand what you're talking about...:P
> http://ubertooth.sourceforge.net/ about ~100 EUR including shipping.
how do you insert the smartcard there?...and how to connect it to the
android/iphone?
This might be interesting:
http://www.apriva.com/products/iss/authentication/reader
Priced 150€ +/-
>> - When Firefox import certificate, which C_* functions in PKCS#11 module
>> will be called?
>> - What is the action flow from the C_* functions in PKCS#11 to the driver?
I suggest you have a look at https://developer.mozilla.org/en/PKCS11_Implement
But probably pkcs11-spy and "on the fly" d
> And what if I replace the trusted reader w/ another, hacked?
> Not too hard, it seems, since many supermarkets got hacked this way...
IMVHO, changing your physical reader from .cn is much harder than
editing a file...
> Just install a keylogger (maybe an HW one on the PS/2 cable? I've seen
> o
IIUC, the readers are 'dumb' devices, so this is how opensc works actually:
Opensc invoke select DF...
Opensc shows a login and send it to card / request login to card
which shows a login popup, and gets 9000 if ok
Opensc request sign...
Having a pinpad/biometric could work like this:
Ope
> Report CKF_PROTECTED_AUTHENTICATION_PATH to the application. OpenSC
> then calls an external lib to do what is needed to authenticate the
> user.
>
> The external lib can do anything like display a dialog box, talk to
> the biometric reader, talk to a remote server, etc.
and what about the li
>> PKCS#11 interface defines both, ui callback (notify)
>
> What is that? Can you be more specific?
I was thinking about CK_NOTIFY as a way to notify operation progress
>> Couldn't opensc provide a way to do this safely?
>> Could signed libraries solve this?
>
> What is the threat model?
> Who is t
Hello Martin.
Just to know (I'm asking myself about it...)
> I don't know about the readers or their internals, but OpenSC for sure
> does not support any kind of biometric authentication.
PKCS#11 interface defines both, ui callback (notify) and that login can
be made using pinpads/external devices
INPUT:
http://www.opensc-project.org/opensc/wiki/UsingOpensc
OUTPUT:
Traceback (most recent call last):
File "build/bdist.linux-x86_64/egg/trac/web/api.py", line 440, in send_error
data, 'text/html')
File "build/bdist.linux-x86_64/egg/trac/web/chrome.py", line 827, in
render_template
I'm not able to find any pkcs11-spy.dll on my system. Can anyone tell
me where it should be?
> Another issues with this project is many of the modifications can only be
> tested
> by a subset of developers (maybe only one) who have the cards that can use
> the modification.
Maybe it's a stupid idea (or already done), but can't we virtualize
(and use it in Jenkins) smartcards?
A related issue I found some days ago related to Windows
public/private key handling. Not very close to the topic, but IMHO
close enough to post (and ask).
http://social.msdn.microsoft.com/Forums/en-AU/windowssecurity/thread/676746c1-f9d0-4590-87b6-6a2fbddd319f
2011/12/3 Hunter William :
> Hi,
>
And, as I said before: try to avoid jss, because it's not "officially
supported" by mozilla.
2011/11/25 Douglas E. Engert :
>
>
> On 11/24/2011 4:02 AM, Anders Rundgren wrote:
>> Hi Ludovic,
>>
>> You are a true smart card middleware expert.
>> I'm not and my customers are even less of that.
>> They
We have been using Java for quite a long time to use the certificates
stored in our smartcards.
So far, we didn't have many issues.
Actually we are using jss to attack our pkcs#11 module (or csp), but
since we got some problems on osx (I talked with NdK some weeks ago),
we decided to move to sunPKC
Douglas E. Engert :
>
>
> On 8/26/2011 2:46 AM, helpcrypto helpcrypto wrote:
>> 2011/8/25 Douglas E. Engert:
>>>
>>> The OpenSC pkcs11/pkcs11-display.c has definitions for all these.
>>> #define CKO_NETSCAPE 0xCE534350
>>>
>>> #define CKO_
2011/8/25 Douglas E. Engert :
>
> The OpenSC pkcs11/pkcs11-display.c has definitions for all these.
> #define CKO_NETSCAPE 0xCE534350
>
> #define CKO_NETSCAPE_CRL (CKO_NETSCAPE + 1)
> #define CKO_NETSCAPE_SMIME (CKO_NETSCAPE + 2)
> #define CKO_NETSCAPE_TRUST
Sorry for the little OT.
I would like to know if OpenSC PKCS#11 module added on
Firefox/Thunderbird has the same "problem" I'm having on my PKCS#11
library.
Seems that Mozilla is invoking C_FindObjectsInit asking for objects
with CK_OBJECT_CLASS = 0xCE534351 or 0xCE534352 or 0xCE534353 or
0xCE534
> Wow, that is what would call seriously "user friendly".
> And an example for others...
>
> Could you (offlist, as the list is non-commercial) disclose me the name of
> the bank?
Again AFAIK, this is a common scenario here in Spain for public
companies like the one I work for (university).
In ou
AFAIK, it depends on your bank card relationship
We use a bank card, that can be used for payment and cash retrieval,
and also used for authentication process.
The card is customized for our company, and has the "euro6000" logo.
The workout is the following: the card has 2 applications (DF
accor
2011/8/3 NdK :
> On 03/08/2011 16:16, Douglas E. Engert wrote:
>> You say you are using FF, so have you looked at JSS?
>> http://www.mozilla.org/projects/security/pki/jss/
How can you say so, if JSS is not recommended/supported for Java Applets?
(as said in the infamous bug
https://bugzilla.mozilla
2011/8/3 NdK :
> Then why I get *exactly* one slot per PIN (and in the slot name there's
> the label I associated with the PIN? Maybe it's opensc-specific, but I
> doubt.
Must be opensc is adding a slot for each application/pin. You should
check this with someone/Martin, but I'm pretty sure is this
2011/8/3 NdK :
> The wallet must allow for use of a smart card or a simple password
> (obviously highly sensitive passwords will have to be restricted to
> stronger method). Not really different at the programmatic level, since
> I can store "anything" in the "encryptedPrivateKey" field: an actual
2011/8/3 NdK :
> On 03/08/2011 09:32, helpcrypto helpcrypto wrote:
> I need to implement a multiuser web password manager that allows users
> to group-share passwords (so Linux sysadmins don't have access to
> Windows passwords -- yes, I know AD, it's just an example)
If any of you don't agree with any of the following, just let me know.
>>>- should I avoid SunPKCS11 and base my program on "simple" PC/SC?
Absolutely not.
Do you code in assembly for your web pages? PCSC should be used only if
your smartcard doesn't have a higher level of abstraction possible
(like
Hi everyone.
At our company, we are thinking about buying a new smartcard for our
certificate-related services.
Actually we have a 1024 RSA certificate on a not-so-cryptographic
smartcard, and plan to use 2 x 2048 RSA certificates soon.
As our smartcard doesn't have enough space, I have started l
Thank you a lot. And a lot of thanks for your work on PCSCLite, which
actually we are using a lot.
2011/5/12 Ludovic Rousseau
> 2011/5/12 helpcrypto helpcrypto :
> > First, I'll introduce ourselves:
> > We have developed a self-designed (not opensc based) PKCS#11 library f
Sorry if not the correct place/list (posted on opensc-devel and opensc-user)
First, I'll introduce ourselves:
We have developed a self-designed (not opensc based) PKCS#11 library for our
company smartcards.
They aren't PKCS#15 compliant, and not really cryptographic, because key is
handled out of
49 matches