Nabble - OpenSC

Re: smartcard supported by opensc

2009-12-05T09:27:03Z

> From: Andreas Jellinghaus <aj@...>
> Date: Sat, 5 Dec 2009 11:04:26 +0100
> Sender: opensc-user-bounces@...
>
> Am Freitag 04 Dezember 2009 15:57:26 schrieb rainbow:
> > My system is linux ,debian lenny 5.0,so Aladdin eToken PRO USB 64K(4.2B)
> > may not be supported
>
> hu? aladdin etoken should work fine on that system.
>
> but: aladdin initializes the software in their own format, opensc uses
> pkcs#15. so the normal thing to do is: format the token and then use
> either only opensc with it, or only the aladdin software with it.
>
> you can have both formats side by side, but each software will only
> be able to access it's format, and if you format the token, everything
> is gone (so normaly noone does that).

Andreas,

Thanks for the nice summary of SmartCard support issues (in a previous
message).

As far as the eToken PRO 64K(4.2B), we have had great success with this
token. We use it for Unix, MacOS, and Windows and do run it with Aladdin
PKCS11 and OpenSC PKCS15 formats "side by side". It's annoying in that
it requires two separate certs and ends up containing two sets of ssh
keys, but the annoyance is only during the initialization and loading of
the certs.

Once set up, they just work for most every OS we have tried, though
MacOS support is a bit clunky.

One caveat. Many Unix desktop environments include keyring managers
(e.g. seahorse for Gnome) that don't support the PINs for the tokens, so
the system most be configured to not use the manager for ssh or whatever
application you need to work with the token. For Gnome, the command is:
gconftool-2 --set -t bool /apps/gnome-keyring/daemon-components/ssh false
--
R. Kevin Oberman, Network Engineer
Energy Sciences Network (ESnet)
Ernest O. Lawrence Berkeley National Laboratory (Berkeley Lab)
E-mail: oberman@... Phone: +1 510 486-8634
Key fingerprint:059B 2DDF 031C 9BA3 14A4 EADA 927D EBB3 987B 3751
_______________________________________________
opensc-user mailing list
opensc-user@...
http://www.opensc-project.org/mailman/listinfo/opensc-user

From forum: OpenSC - User

Re: Setcos 4.4.1 cards

2009-12-05T04:32:11Z

2009/12/5 Andreas Jellinghaus <aj@...>:
> Am Samstag 05 Dezember 2009 10:24:42 schrieb rainbow:
>> yes,I know, so if I want to use opensc with smart card, what smart cards
>> should I buy? I find there is few cards can get from the market support
>> opensc.
> or maybe javacards with the muscle applet, but I would buy only one
> or two cards and experiment with them first, to see if that it works
> out for you, as I got mixed results.

There's also JavaCardSign for JavaCards.
http://javacardsign.sourceforge.net/ a PKCS#15 compatible open source
applet. I have not tried it yet but João whoi has worked with
JavaCards said it looks promising (== minor tweaks necessary to make
it work with the rest of OpenSC, including pkcs15-init).

Martin.
_______________________________________________
opensc-user mailing list
opensc-user@...
http://www.opensc-project.org/mailman/listinfo/opensc-user

From forum: OpenSC - User

Re: Setcos 4.4.1 cards

2009-12-05T02:20:45Z

Am Samstag 05 Dezember 2009 10:24:42 schrieb rainbow:
> yes,I know, so if I want to use opensc with smart card, what smart cards
> should I buy? I find there is few cards can get from the market support
> opensc.

JP corrected me, setec 4.4.1 should work very well, if you can buy them.
also cardos 4.3B work well.

or maybe javacards with the muscle applet, but I would buy only one
or two cards and experiment with them first, to see if that it works
out for you, as I got mixed results.

Regards, Andreas
_______________________________________________
opensc-user mailing list
opensc-user@...
http://www.opensc-project.org/mailman/listinfo/opensc-user

From forum: OpenSC - User

Re: Setcos 4.4.1 cards

2009-12-05T02:17:58Z

Am Samstag 05 Dezember 2009 09:34:44 schrieb rainbow:
> so,what the common smart card is well supported by opensc?

you found the biggest problem we have with opensc.
everytime there is a nice card and it works fine with opensc,
the production of the card is stopped :(

cardos 4.2B or 4.3B work (but you need to format them once
with some windows software I guess).

I have little experience with java cards and using the muscle
applet. it seems to work somehow, the experience is mixed,
some say it works very good, some ran into problems like
I did.

note sure if the oberthur cards with that specific authentic
applet are available.

if someone writes a driver acos5 could be interesting,
or working on an improved javacard applet and a driver for
it in opensc.

any other card I forgot?

Regards, Andreas
_______________________________________________
opensc-user mailing list
opensc-user@...
http://www.opensc-project.org/mailman/listinfo/opensc-user

From forum: OpenSC - User

Re: smartcard supported by opensc

2009-12-05T02:11:41Z

Am Freitag 04 Dezember 2009 17:49:25 schrieb John R Pierce:
> Martin Paljak wrote:
> > The RightWay of adding smart card support is via PKCS#11 which is
> > available from hre:
> >
> > http://sites.google.com/site/alonbarlev/openssh-pkcs11
>
> what about http://www.opensc-project.org/engine_pkcs11 ?

that works for openssl, but applications need to explicit
use it. for example wpa_supplicant does it.

openssh could be changed to use pkcs#11 not directly but
via some engine, sure. but I don't think anyone wrote a
patch for that so far. but a good idea still.

however I think the openssh developers strive to keep
the software as simple as possible to avoid security
issues. thus I'm not sure what code they would accept
anyway. after all they didn't accept our patch for
bug 608 in many, many years, nor could tell us how we
can aim for a better patch that would be acceptable.
so my hopes to get any new code for smart card support
into openssh are not very high.

Regards, Andreas
_______________________________________________
opensc-user mailing list
opensc-user@...
http://www.opensc-project.org/mailman/listinfo/opensc-user

From forum: OpenSC - User

Re: smartcard supported by opensc

2009-12-05T02:08:30Z

Am Freitag 04 Dezember 2009 17:28:23 schrieb Martin Paljak:
> The RightWay of adding smart card support is via PKCS#11 which is available
> from hre:
>
> http://sites.google.com/site/alonbarlev/openssh-pkcs11

thats the most flexible way and works with many different software.

but recompiling openssh with "--enable-opensc" and applying the
patch for bug 608 to openssh is working fine as well.
(yes, it uses the old opensc api, we don't prefer that any more,
but it still works fine...)

the patch is in src/openssh/ask-for-pin.diff or see here:
http://www.opensc-project.org/svn/opensc/trunk/src/openssh/

Regards, Andreas
_______________________________________________
opensc-user mailing list
opensc-user@...
http://www.opensc-project.org/mailman/listinfo/opensc-user

From forum: OpenSC - User

Re: smartcard supported by opensc

2009-12-05T02:04:26Z

Am Freitag 04 Dezember 2009 15:57:26 schrieb rainbow:
> My system is linux ,debian lenny 5.0,so Aladdin eToken PRO USB 64K(4.2B)
> may not be supported

hu? aladdin etoken should work fine on that system.

but: aladdin initializes the software in their own format, opensc uses
pkcs#15. so the normal thing to do is: format the token and then use
either only opensc with it, or only the aladdin software with it.

you can have both formats side by side, but each software will only
be able to access it's format, and if you format the token, everything
is gone (so normaly noone does that).

Regards, Andreas
_______________________________________________
opensc-user mailing list
opensc-user@...
http://www.opensc-project.org/mailman/listinfo/opensc-user

From forum: OpenSC - User

Re: smartcard supported by opensc

2009-12-05T01:48:56Z

Am Freitag 04 Dezember 2009 15:45:35 schrieb Peter Keller:
> (2) The Aladdin eToken PRO USB 72K(JC) has been reported NOT to work on
> Linux with the Aladdin PKI client here:
> http://www.etokenonlinux.org/et/FAQ#eTokenhardwareandsoftware

but some people managed to install muscle applet on those tokens
and thus get them to work with opensc.

Regards, Andreas
_______________________________________________
opensc-user mailing list
opensc-user@...
http://www.opensc-project.org/mailman/listinfo/opensc-user

From forum: OpenSC - User

Re: smartcard supported by opensc

2009-12-05T01:42:50Z

Am Freitag 04 Dezember 2009 15:29:31 schrieb rainbow:
> hi, I do not understand the smartcard very much,I see from opensc that AKIS
> card not support the pkcs15-init , so is there any thing impact the use of
> opensc ,such as write data to card or create keys, or is there a card full
> supported by opensc,thanks.

opensc has three kinds of supports
* basic functionality only
* emulation functionality
* full initialization functionality

basic means you can play with it and issue a few commands for testing, but
it is not usefull for real work environments.

emulation functionality means you can't change the card (maybe change PIN
or the content of an already existing file), but use the card (i.e. read
data, use rsa keys for signing/encryption, etc.). this is common for
a) national ID cards (you can't change anything with them usualy, but only
use them)
b) cards initialized with some other software (if they use a different format
than PKCS#15 and thus we can only guess which informtion is where on the card)

full initialization functionality means you can buy a blank card, initialize
it with opensc - thus create a PKCS#15 structure - and change it in all
the normal ways, for example create keys, store keys and certificates, create
and manage PIN, reset PIN, store public or private data objects, change those,
with most cards also delete objects/keys/certiticates. details still depend on
the card in questions, some cards have special situations (e.g. the cardos
cards with the secret commands to get them going).

still with full initialization: if the same card was initialized with some
other software in PKCS#15 format, then opensc can use it (similar to emulated
cards), but altering the card will most likely not work (maybe change/unblock
a PIN or change existing DATA files, but not store or create new certificates
or keys, as that requires a compatible profile, which is software specific).

but cards in "full initialization" support should work (read, sign, decrypt)
with other software, and also work if other software initialized them in
PKCS#15 format.

does this explanation help?

Regards, Andreas
_______________________________________________
opensc-user mailing list
opensc-user@...
http://www.opensc-project.org/mailman/listinfo/opensc-user

From forum: OpenSC - User

Re: problem

2009-12-05T01:25:21Z

Am Samstag 05 Dezember 2009 01:20:23 schrieb Thorsten Sprenger:
> Hello Andreas and Sebastian,
>
> my answer might come a little late, but I just spent quite a long time to
> solve the mentioned problem with Firefox / Windows.
>
> It is quite simple:
> Just put OpenSC's 'bin' directory to the environment variable 'Path'.
> That's all.

Ah, sure, firefox needs to find the dll's. the alternative is to put
the dlls into system32, which is of course the path into library hell.
but at least if gina with a CSP wants to use opensc, there might be
no alternative (not sure if the path for GINA can be set somehow).

> PS: Andreas, could you give me a hint, how to bring a CardOS 4.3B card from
> 'manufacturing' state into a useful one ?

sure. run cardos-tool --info (or the old cardos-info): if the
startkey is version "00", then you need to change it to "ff" first.
once it is "ff" (and the valus is really 16 bytes 0xff), then you
can format the card (that creates the main folder and puts the
card in admin mode), and after that is done you can run
pkcs15-init --create-pkcs15.

to change the startkey from 0x00 to 0xff you need to know and
use the secret APDU command from siemens. latest opensc trunk
has code in cardos-tool to check you use the right APDU (but
you still need to pass it), with older opensc versions you
can run "opensc-tool -s APDU" to do that.

to format the card you can run cardos-tool --format
(if you have an older opensc version and know the APDU you
can of course use "opensc-tool -s APDU" to do that).

the APDU commands might be copyrighted by siemens so I can't
post them here.

alternative: use some official software to change startkey
and format the cards once. costs 20€ or so. (but I have
no experience with that, except for aladdin etokens and
the aladdin software...)

Regards, Andreas
_______________________________________________
opensc-user mailing list
opensc-user@...
http://www.opensc-project.org/mailman/listinfo/opensc-user

From forum: OpenSC - User

Re: Setcos 4.4.1 cards

2009-12-05T01:24:42Z

yes,I know, so if I want to use opensc with smart card, what smart cards should I buy? I find there is few cards can get from the market support opensc.

2009/12/5 Andreas Jellinghaus <aj@...>

Am Samstag 05 Dezember 2009 02:46:23 schrieb rainbow:

> hi, if I buy an Setcos 4.4.1 card, can I use the pkcs15-init to the card?
>

I don't remember anyone using a setcos card in years, so I'm pretty sure
the answer is: no.

Regards, Andreas

--
Qingquan Lv
School of Information Science & Engineering , Lanzhou University.
mail: lvqq05@...
Do what you like,
Enjoy your life.

_______________________________________________
opensc-user mailing list
opensc-user@...
http://www.opensc-project.org/mailman/listinfo/opensc-user

From forum: OpenSC - User

Re: Setcos 4.4.1 cards

2009-12-05T01:18:46Z

Am Samstag 05 Dezember 2009 02:46:23 schrieb rainbow:
> hi, if I buy an Setcos 4.4.1 card, can I use the pkcs15-init to the card?
>
I don't remember anyone using a setcos card in years, so I'm pretty sure
the answer is: no.

Regards, Andreas
_______________________________________________
opensc-user mailing list
opensc-user@...
http://www.opensc-project.org/mailman/listinfo/opensc-user

From forum: OpenSC - User

Re: Setcos 4.4.1 cards

2009-12-05T00:34:44Z

so,what the common smart card is well supported by opensc?

2009/12/5 Jean-Pierre Szikora <jean-pierre.szikora@...>

Le 05-déc.-09 à 02:46, rainbow a écrit :

hi, if I buy an Setcos 4.4.1 card, can I use the pkcs15-init to the card?

Hi,

I'm surprised that the card is still for sale, Setec (a finish company acquired by Gemalto) stopped the production of this chip 3 years ago. And yes, the card is well supported by OpenSC.

Cheers,

Jean-Pierre

From forum: OpenSC - User

Re: Setcos 4.4.1 cards

2009-12-05T00:27:50Z

Le 05-déc.-09 à 02:46, rainbow a écrit :

> hi, if I buy an Setcos 4.4.1 card, can I use the pkcs15-init to the
> card?
>

Hi,

I'm surprised that the card is still for sale, Setec (a finish company
acquired by Gemalto) stopped the production of this chip 3 years ago.
And yes, the card is well supported by OpenSC.

Cheers,

Jean-Pierre
_______________________________________________
opensc-user mailing list
opensc-user@...
http://www.opensc-project.org/mailman/listinfo/opensc-user

From forum: OpenSC - User

Setcos 4.4.1 cards

2009-12-04T17:46:23Z

hi, if I buy an Setcos 4.4.1 card, can I use the pkcs15-init to the card?

--
Qingquan Lv
School of Information Science & Engineering , Lanzhou University.
mail: lvqq05@...
Do what you like,
Enjoy your life.

_______________________________________________
opensc-user mailing list
opensc-user@...
http://www.opensc-project.org/mailman/listinfo/opensc-user

From forum: OpenSC - User

problem

2009-12-04T16:20:23Z

Hello Andreas and Sebastian,

my answer might come a little late, but I just spent quite a long time to solve the mentioned problem with Firefox / Windows.

It is quite simple:
Just put OpenSC's 'bin' directory to the environment variable 'Path'.
That's all.

Hope I could help you !
Regards,
Thorsten

PS: Andreas, could you give me a hint, how to bring a CardOS 4.3B card from 'manufacturing' state into a useful one ?

_______________________________________________
opensc-user mailing list
opensc-user@...
http://www.opensc-project.org/mailman/listinfo/opensc-user

From forum: OpenSC - User

Re: smartcard supported by opensc

2009-12-04T10:06:46Z

>>> The RightWay of adding smart card support is via PKCS#11 which is available from hre:
>>>
>>> http://sites.google.com/site/alonbarlev/openssh-pkcs11
>>>
>>>
>> what about http://www.opensc-project.org/engine_pkcs11 ?
>>
>
> I don't see any reference to "engine" in OpenSSH documentation.
>
> In theory it could do as well but nlike the direct PKCS#11 interface, to my knowledge there is no implementation for an engine based approach.
>

ooops, my eyes crossed. you wrote ssh and I read ssl.

_______________________________________________
opensc-user mailing list
opensc-user@...
http://www.opensc-project.org/mailman/listinfo/opensc-user

From forum: OpenSC - User

Re: smartcard supported by opensc

2009-12-04T09:43:21Z

On 04.12.2009, at 18:49, John R Pierce wrote:

> Martin Paljak wrote:
>> The RightWay of adding smart card support is via PKCS#11 which is available from hre:
>>
>> http://sites.google.com/site/alonbarlev/openssh-pkcs11
>>
>
> what about http://www.opensc-project.org/engine_pkcs11 ?

I don't see any reference to "engine" in OpenSSH documentation.

In theory it could do as well but nlike the direct PKCS#11 interface, to my knowledge there is no implementation for an engine based approach.

--
Martin Paljak
http://martin.paljak.pri.ee
+372.515.6495

_______________________________________________
opensc-user mailing list
opensc-user@...
http://www.opensc-project.org/mailman/listinfo/opensc-user

From forum: OpenSC - User

Re: smartcard supported by opensc

2009-12-04T08:49:25Z

Martin Paljak wrote:
> The RightWay of adding smart card support is via PKCS#11 which is available from hre:
>
> http://sites.google.com/site/alonbarlev/openssh-pkcs11
>

what about http://www.opensc-project.org/engine_pkcs11 ?

_______________________________________________
opensc-user mailing list
opensc-user@...
http://www.opensc-project.org/mailman/listinfo/opensc-user

From forum: OpenSC - User

Re: smartcard supported by opensc

2009-12-04T08:28:23Z

On 04.12.2009, at 18:19, Peter Keller wrote:

> On Fri, 4 Dec 2009, rainbow wrote:
>
>> My system is linux ,debian lenny 5.0,so Aladdin eToken PRO USB 64K(4.2B) may not be supported ,do you know Athena ASEPCOS can be full supported by opensc and linux?
>
> I have never seen or used any Athena cards, so I cannot answer any questions
> about them at all.
>
> I forgot to say in my previous post that for the Aladdin eToken devices to
> work, you must install the Linux PKI client as well. This software should be
> either be supplied with the token or a licence code provided with the token
> that will allow you to register with Aladdin and download the software.
> However we have found that some suppliers of the hardware will not provide
> access to the software, making the cards effectively useless.
>
> I rarely use debian. I can say the following though: in Ubuntu (which is
> very similar to debian), the opensc and openct packages seem to work but
> openssh is not built with smartcard support. If you want to use ssh or
> ssh-agent with a key that is stored on a smartcard, you will need to
> recompile the openssh-client package with smartcard support. This applies to
> any smartcard. I do not know anything about support for smartcards in Linux
> for applications other than openssh.

The RightWay of adding smart card support is via PKCS#11 which is available from hre:

http://sites.google.com/site/alonbarlev/openssh-pkcs11

--
Martin Paljak
http://martin.paljak.pri.ee
+372.515.6495

_______________________________________________
opensc-user mailing list
opensc-user@...
http://www.opensc-project.org/mailman/listinfo/opensc-user

From forum: OpenSC - User

Re: smartcard supported by opensc

2009-12-04T08:19:03Z

On Fri, 4 Dec 2009, rainbow wrote:

> My system is linux ,debian lenny 5.0,so Aladdin eToken PRO USB 64K(4.2B) may not be supported ,do you know Athena ASEPCOS can be full supported by opensc and linux?

I have never seen or used any Athena cards, so I cannot answer any questions
about them at all.

I forgot to say in my previous post that for the Aladdin eToken devices to
work, you must install the Linux PKI client as well. This software should be
either be supplied with the token or a licence code provided with the token
that will allow you to register with Aladdin and download the software.
However we have found that some suppliers of the hardware will not provide
access to the software, making the cards effectively useless.

I rarely use debian. I can say the following though: in Ubuntu (which is
very similar to debian), the opensc and openct packages seem to work but
openssh is not built with smartcard support. If you want to use ssh or
ssh-agent with a key that is stored on a smartcard, you will need to
recompile the openssh-client package with smartcard support. This applies to
any smartcard. I do not know anything about support for smartcards in Linux
for applications other than openssh.

If you need to recompile openssh-client, help should be available from the
debian community.

Regards,
Peter.

--
Peter Keller Tel.: +44 (0)1223 353033
Global Phasing Ltd., Fax.: +44 (0)1223 366889
Sheraton House,
Castle Park,
Cambridge CB3 0AX
United Kingdom
_______________________________________________
opensc-user mailing list
opensc-user@...
http://www.opensc-project.org/mailman/listinfo/opensc-user

From forum: OpenSC - User

Re: smartcard supported by opensc

2009-12-04T06:57:26Z

My system is linux ,debian lenny 5.0,so Aladdin eToken PRO USB 64K(4.2B) may not be supported ,do you know Athena ASEPCOS can be full supported by opensc and linux?

2009/12/4 Peter Keller <pkeller@...>

On Fri, 4 Dec 2009, rainbow wrote:

> hi, I do not understand the smartcard very much,I see from opensc that AKIS card not support the pkcs15-init , so is there any thing impact the use of opensc ,such as write data to card or create keys, or is
> there a card full supported by opensc,thanks.

We have successfully used the Aladdin eToken PRO USB 64K(4.2B) cards with
opensc, on the following systems:

OpenSUSE 11.1 (distribution default openssh, opensc and openct packages)

OS X 10.5.8 (OpenSC installed separately: only the OpenSC scssh-agent is
actually required, the other system-provided ssh-tools and pcscd work fine).
Please be aware that:

(1) These cards will NOT work on Windows 7 or OS X 10.6.x systems until
Aladdin release compatible middleware

(2) The Aladdin eToken PRO USB 72K(JC) has been reported NOT to work on
Linux with the Aladdin PKI client here:
http://www.etokenonlinux.org/et/FAQ#eTokenhardwareandsoftware

Good luck,
Peter.

--
Peter Keller Tel.: +44 (0)1223 353033
Global Phasing Ltd., Fax.: +44 (0)1223 366889
Sheraton House,
Castle Park,
Cambridge CB3 0AX
United Kingdom
_______________________________________________
opensc-user mailing list
opensc-user@...
http://www.opensc-project.org/mailman/listinfo/opensc-user

From forum: OpenSC - User

Re: smartcard supported by opensc

2009-12-04T06:45:35Z

On Fri, 4 Dec 2009, rainbow wrote:

> hi, I do not understand the smartcard very much,I see from opensc that AKIS card not support the pkcs15-init , so is there any thing impact the use of opensc ,such as write data to card or create keys, or is
> there a card full supported by opensc,thanks.

We have successfully used the Aladdin eToken PRO USB 64K(4.2B) cards with
opensc, on the following systems:

OpenSUSE 11.1 (distribution default openssh, opensc and openct packages)

OS X 10.5.8 (OpenSC installed separately: only the OpenSC scssh-agent is
actually required, the other system-provided ssh-tools and pcscd work fine).
Please be aware that:

(1) These cards will NOT work on Windows 7 or OS X 10.6.x systems until
Aladdin release compatible middleware

(2) The Aladdin eToken PRO USB 72K(JC) has been reported NOT to work on
Linux with the Aladdin PKI client here:
http://www.etokenonlinux.org/et/FAQ#eTokenhardwareandsoftware

Good luck,
Peter.

--
Peter Keller Tel.: +44 (0)1223 353033
Global Phasing Ltd., Fax.: +44 (0)1223 366889
Sheraton House,
Castle Park,
Cambridge CB3 0AX
United Kingdom
_______________________________________________
opensc-user mailing list
opensc-user@...
http://www.opensc-project.org/mailman/listinfo/opensc-user

From forum: OpenSC - User

smartcard supported by opensc

2009-12-04T06:29:31Z

hi, I do not understand the smartcard very much,I see from opensc that AKIS card not support the pkcs15-init , so is there any thing impact the use of opensc ,such as write data to card or create keys, or is there a card full supported by opensc,thanks.
--
Qingquan Lv
School of Information Science & Engineering , Lanzhou University.
mail: lvqq05@...
Do what you like,
Enjoy your life.

_______________________________________________
opensc-user mailing list
opensc-user@...
http://www.opensc-project.org/mailman/listinfo/opensc-user

From forum: OpenSC - User

Re: Gemplus GPK 16k cards are fully supported by OpenSC and regularly tested

2009-12-04T06:01:54Z

Am Freitag 04 Dezember 2009 14:53:33 schrieb rainbow:
> " Gemplus GPK 16k cards are fully supported by OpenSC and regularly tested"
> does that means I can execute all pkcs15-init commands and opensc-explorer
> commands and so on?

as far as I know: yes. but those card are very, very old. I guess gemplus
stopped producing them 5 or 10 years ago, so I doubt you can still buy them.

Current Gemalto cards are all unsupported, as far as I know, except for
the cryptoflex card which can be used with the muscle applet (see current
discussion on this list, haven't tested it myself). And there is some kind
of emulation for gemplus v1 card format in opensc - i.e. you can use a few
functions of those cards. and Gemplus v1 format is quite old too, I think
they introduced a new format years ago, and that isn't supported by opensc.

Regards, Andreas
_______________________________________________
opensc-user mailing list
opensc-user@...
http://www.opensc-project.org/mailman/listinfo/opensc-user

From forum: OpenSC - User

Gemplus GPK 16k cards are fully supported by OpenSC and regularly tested

2009-12-04T05:53:33Z

" Gemplus GPK 16k cards are fully supported by OpenSC and regularly tested" does that means I can execute all pkcs15-init commands and opensc-explorer commands and so on?
--
Qingquan Lv
School of Information Science & Engineering , Lanzhou University.
mail: lvqq05@...
Do what you like,
Enjoy your life.

_______________________________________________
opensc-user mailing list
opensc-user@...
http://www.opensc-project.org/mailman/listinfo/opensc-user

From forum: OpenSC - User

Re: no pkcs15-init in my opensc

2009-12-04T05:35:12Z

Am Freitag 04 Dezember 2009 13:21:19 schrieb rainbow:
> my card is acs03,maybe it is not supported by opensc now.

acos3 is not supported, and never will be (opensc is for
crypto cards, acos3 doesn't have rsa crypto as far as I know).

acos5 is a crypto card, but we don't have a drive for it,
so it can't be used with opensc either.

Regards, Andreas
_______________________________________________
opensc-user mailing list
opensc-user@...
http://www.opensc-project.org/mailman/listinfo/opensc-user

From forum: OpenSC - User

Re: pkcs15-init and openct

2009-12-04T05:33:37Z

if you want to use opensc with pcsc, then edit
opensc.conf and set reader_drivers = pcsc;

if you want to use opensc with openct, then edit
opensc.conf and set reader_drivers = openct;

the default is both drivers, but you don't need that
(unless you absolutely know what you are doing).

> should I have to install openct ? There is no such indication on the
> opensc project? anybody know why?

please have a look at the documentation (e.g. FAQ on the website,
QuickStart of each project), and help us to improve it.

Thanks, Andreas
_______________________________________________
opensc-user mailing list
opensc-user@...
http://www.opensc-project.org/mailman/listinfo/opensc-user

From forum: OpenSC - User

pkcs15-init and openct

2009-12-04T04:59:29Z

hi, I have install opensc and pc/sc driver for smart card, i do not install openct,but when I
   #pkcs15-init --create-pkcs15
   Error: can't open /var/run/openct/status: No such file or directory
   Error: can't open /var/run/openct/status: No such file or directory
   Error: can't open /var/run/openct/status: No such file or directory
   Error: can't open /var/run/openct/status: No such file or directory
   Error: can't open /var/run/openct/status: No such file or directory
should I have to install openct ? There is no such indication on the opensc project? anybody know why?

--
Qingquan Lv
School of Information Science & Engineering , Lanzhou University.
mail: lvqq05@...
Do what you like,
Enjoy your life.

_______________________________________________
opensc-user mailing list
opensc-user@...
http://www.opensc-project.org/mailman/listinfo/opensc-user

From forum: OpenSC - User

no pkcs15-init in my opensc

2009-12-04T04:21:19Z

hi,
I have installed opensc on my computer,my os is debian 5.0 and gcc is 3.4,after installing it according to the method on the official webpage, but I find there is no pkcs15-init command,and when i execute command :

#opensc-tool --atr
Using reader with a card: ACS ACR38U 00 00
[opensc-tool] card-default.c:113:default_init: unable to determine the right class byte
[opensc-tool] card.c:202:sc_connect_card: driver 'Default driver for unknown cards' init() failed: Card is invalid or cannot be handled

[opensc-tool] card.c:213:sc_connect_card: unable to find driver for inserted card
[opensc-tool] card.c:228:sc_connect_card: returning with: Card is invalid or cannot be handled
Failed to connect to card: Card is invalid or cannot be handled

my card is acs03,maybe it is not supported by opensc now. If I have pkcs15-init tool, is it the best for me to buy an empty card or it may limit the opensc tool? Hope your reples,thanks!

Qingquan Lv
School of Information Science & Engineering , Lanzhou University.
mail: lvqq05@...
Do what you like,
Enjoy your life.

_______________________________________________
opensc-user mailing list
opensc-user@...
http://www.opensc-project.org/mailman/listinfo/opensc-user

From forum: OpenSC - User

Re: Unblocking PIN via PKCS#11?

2009-12-04T01:31:53Z

Pierre Ossman wrote:

On Thu, 03 Dec 2009 16:32:01 +0100
Viktor TARASOV viktor.tarasov@... wrote:

As for me, for the cards (rather 'pkcs15 contents') that do not have 
SOPIN or the only useful SOPIN function is 'unblock_user_pin' it's 
acceptable to use PUK as SOPIN and to use 'sc_pkcs15_unblock_pin' in 
C_InitPIN() .


Could you elaborate on what other SO PINs there are out there

According to standard the SO-PIN is not PUK - the role of SO is to initialize token
and create User PIN .
So, it's natural that our colleagues can oppose the idea to consider PUK==SOPIN .
(As I've told above, it's not my case. )

There is no "PUK" notion in the standard.
From my point of view, the most 'standard' manner to do User 'PIN unblock'
is with the C_SetPIN() in the unlogged session.

how my patch would cause problems in those cases.

I need to look it more closely.

All the cards I have
experience with only have the PIN and PUK.

There are the cases when at the card level SOPIN != PUK .
Another question if this difference is exported by the driver to the upper level.

Rgds

Kind wishes,

-- 
Viktor Tarasov	viktor.tarasov@...

_______________________________________________
opensc-devel mailing list
opensc-devel@...
http://www.opensc-project.org/mailman/listinfo/opensc-devel

From forum: OpenSC - Dev

Re: Unblocking PIN via PKCS#11?

2009-12-04T00:44:36Z

Pierre Ossman wrote:

On Thu, 03 Dec 2009 16:57:55 +0100
Viktor TARASOV viktor.tarasov@... wrote:

In fact, reading the pkcs11.v2.20 pp 116:

C_SetPIN modifies the PIN of the user that is currently logged in, or 
the CKU_USER PIN if the session is not logged in.

So, C_Login(CKU_SO) + C_InitPIN() is not the only PIN unblocking scheme.


But C_SetPIN requires knowledge of the existing PIN, which the user
most likely doesn't have if they've managed to lock themselves out.

And even if they know the correct PIN, how would OpenSC go about
verifying this since the card will refuse to validate the PIN now that
it is locked?

I understood this phrase in the following way:
-- if C_SetPIN() is preceded by C_Login(CKU_XX), then C_SetPIN will change the XX PIN.
   In this case the 'pOldPin' argument is the current PIN value
   or empty (if P1=01 mode of the ISO 'Change Reference Data' command is used
            or PIN is already cached during the C_Login());

-- if C_SetPIN() is not preceded by C_Login then it's implicitly the User PIN is going to be changed.
   In this case the 'pOldPin' argument is the unblocking code.
   For me it's quite logical, because, as you've told,
   we do not have or cannot use the actual PIN value.

The standard uses term 'modify' - for me it can be the both - 'change' and 'unlock'.
To make 'PIN change' there is the C_Login()+C_SetPIN() mode.
So, the other mode is for 'PIN unlock', and, IMHO, this mode fits quite well to 'PIN unlock'.

Rgds

Kind wishes,

-- 
Viktor Tarasov	viktor.tarasov@...

_______________________________________________
opensc-devel mailing list
opensc-devel@...
http://www.opensc-project.org/mailman/listinfo/opensc-devel

From forum: OpenSC - Dev

Re: Unblocking PIN via PKCS#11?

2009-12-04T00:19:20Z

On Thu, 03 Dec 2009 16:32:01 +0100
Viktor TARASOV <viktor.tarasov@...> wrote:

>
> As for me, for the cards (rather 'pkcs15 contents') that do not have
> SOPIN or the only useful SOPIN function is 'unblock_user_pin' it's
> acceptable to use PUK as SOPIN and to use 'sc_pkcs15_unblock_pin' in
> C_InitPIN() .
>

Could you elaborate on what other SO PINs there are out there and how
my patch would cause problems in those cases. All the cards I have
experience with only have the PIN and PUK.

Rgds
--
Pierre Ossman OpenSource-based Thin Client Technology
System Developer Telephone: +46-13-21 46 00
Cendio AB Web: http://www.cendio.com

_______________________________________________
opensc-devel mailing list
opensc-devel@...
http://www.opensc-project.org/mailman/listinfo/opensc-devel

signature.asc (205 bytes) Download Attachment

From forum: OpenSC - Dev

Re: Unblocking PIN via PKCS#11?

2009-12-04T00:17:04Z

On Thu, 03 Dec 2009 16:57:55 +0100
Viktor TARASOV <viktor.tarasov@...> wrote:

>
> In fact, reading the pkcs11.v2.20 pp 116:
>
> C_SetPIN modifies the PIN of the user that is currently logged in, or
> the CKU_USER PIN if the session is not logged in.
>
> So, C_Login(CKU_SO) + C_InitPIN() is not the only PIN unblocking scheme.
>

But C_SetPIN requires knowledge of the existing PIN, which the user
most likely doesn't have if they've managed to lock themselves out.

And even if they know the correct PIN, how would OpenSC go about
verifying this since the card will refuse to validate the PIN now that
it is locked?

Rgds
--
Pierre Ossman OpenSource-based Thin Client Technology
System Developer Telephone: +46-13-21 46 00
Cendio AB Web: http://www.cendio.com

_______________________________________________
opensc-devel mailing list
opensc-devel@...
http://www.opensc-project.org/mailman/listinfo/opensc-devel

signature.asc (205 bytes) Download Attachment

From forum: OpenSC - Dev

Re: SCardConnect(), dwPreferredProtocols and detecting Pinpad

2009-12-03T09:34:12Z

2009/12/3 Viktor TARASOV <viktor.tarasov@...>:
> Hi,

Hello,

> for me, PinPad is not detected with dwPreferredProtocols=0
> in the preceding SCardConnect() call (src/libopensc/reader-pcsc.c +917).
>
> With dwPreferredProtocols=SCARD_PROTOCOL_ANY it's detected normally.
>
> Is it question of version of PCSC(1.4.3-16) or CCID(1.3.0-15)?

Exact. This bug has been corrected in revision 2957 [1] of pcsc-lite.
The correction appeared in version pcsc-lite 1.5.0.

The Apple version of pcsc-lite still have the bug.

Bye

[1] http://lists.alioth.debian.org/pipermail/pcsclite-cvs-commit/2008-May/003131.html

--
Dr. Ludovic Rousseau
_______________________________________________
opensc-devel mailing list
opensc-devel@...
http://www.opensc-project.org/mailman/listinfo/opensc-devel

From forum: OpenSC - Dev