PKCS#11 and PKCS#15 with cyberflex 32k or 64k

On Sep 27, 2009, at 18:51, gilles Bernabé wrote:

Hello,

I was trying to use opensc for the first time with cyberflex cards 32K and 64K
i've succesfully load the Muscle applet CardEdgeCF.cap and CardEdgeII.ijc in the cards from here :
http://www.opensc-project.org/opensc/wiki/Cyberflex and here :http://www.openscdp.org/scripts/musclecard/index.html
i'm able to initialize the pin(SO and user) with both with this command :"pkcs15-init -EC -p pkcs15+onepin",

but when i try to to load a certificate externally generated by openssl, i've got error:

"root@admin1-laptop:~/JavaCard_SDK2# pkcs15-init -S moi2.key -a 1 -u sign,decrypt --split-key
Please enter passphrase to unlock secret key:
User PIN required.
Please enter User PIN:
[pkcs15-init] iso7816.c:102:iso7816_check_sw: Unknown SWs; SW1=9C, SW2=02
[pkcs15-init] sec.c:201:sc_pin_cmd: returning with: Card command failed
[pkcs15-init] pkcs15-lib.c:3105:do_get_and_verify_secret: Failed to verify user PIN (ref=0x1)
[pkcs15-init] pkcs15-muscle.c:192:muscle_store_key: returning with: Not supported
Failed to store private key: Not supported"

9C02 is SW_AUTH_FAILED; it appears the PIN you entered is incorrect.

Could you try setting to PIN to '00000000' and see if it works?

(error too if i try the internal generation: "pkcs15-init -G RSA -a 1 -v -u sign,decrypt --split-key")

I've try too the pkcs11-tool without success:

"root@admin1-laptop:~/JavaCard_SDK2# pkcs11-tool --init-token --label "gilles" --so-pin 12345678
[opensc-pkcs11] pkcs15.c:761:sc_pkcs15_bind: returning with: Unsupported card
[opensc-pkcs11] iso7816.c:102:iso7816_check_sw: Unknown SWs; SW1=9C, SW2=05
[opensc-pkcs11] iso7816.c:102:iso7816_check_sw: Unknown SWs; SW1=9C, SW2=05
error: PKCS11 function C_InitToken failed: rv = CKR_GENERAL_ERROR (0x5)

Aborting."

9C05 is SW_UNSUPPORTED_FEATURE.

Is there a method to load a certificate on this cards or do you know compatible cards(recent cards not old) like jcops, in order to use it with firefox and PKCS11 on linux?

I use the Muscle applet and OpenSC with an Aladdin eToken 72K. It is a pretty recent card and it works wonderfully: key generation works (up to 2048 bit), key loading, etc... But you must get the engineering version in order to load custom applets.

I've heard about people using a very recent version of the JCOP card with Muscle + OpenSC: the JCOP31 v2.4.1. Which is, like the Aladdin eToken 72K, a Java 2.2.2 card that supports nice things like extended APDUs, has a nice amount of RAM, is (really) fast, etc.

thanks ,
Kind regards

Good luck!

Hi,

On Sep 27, 2009, at 22:14, gilles Bernabé wrote:

thanks , i had ever set the SO pin to "00000000"
 this time i have set too the user pin to "00000000"
and i've got another error, that's strange ^^:

I think the problem lies in the initial APDU sent to the card (to initialize it). I suppose you're just "copy pasting" an example APDU from the wiki - that apdu, probabably, initializes all PINs to 00000000. You have to personalize the the APDU, or change the PINs after you've initialized the card.

"root@admin1-laptop:~/JavaCard_SDK2# pkcs15-init -S moi2.key -a 1 -u sign,decrypt --split-key
Please enter passphrase to unlock secret key:
User PIN required.
Please enter User PIN:
[pkcs15-init] muscle.c:247:msc_delete_object: returning with: File not found"

The "File not found" warning is harmless.

and when i want to load the cert:

"root@admin1-laptop:~/JavaCard_SDK2# pkcs15-init -X moi2.crt -v -a 1
Connecting to card in reader SCM SDI 010 00 00...
Using card driver Muscle Card Driver.
Found MUSCLE
About to store certificate.
error:0906D06C:PEM routines:PEM_read_bio:no start line
error: Unable to read certificate from moi2.crt

Aborting."

Check Martin's response.

according to this page cyberflex 64k should be compatible: http://www.openscdp.org/scripts/musclecard/index.html, perhaps they meaned compatible wih the crypto algorythms included in the card, not the certificate storage.
thanks for the JCOP tip , i will command one in order to try too the cardlet EAP-TLS: http://perso.telecom-paristech.fr/~urien/openeapsmartcard/

According to many reports on the web the Cyberflex 64k is compatible with Muscle.

I've tested the Aladdin eToken 72K + Muscle applet + OpenSC in OS X with EAP-TLS to authenticate to a wireless network and it works just fine :)

according to this thread: http://forums.sun.com/thread.jspa?forumID=23&threadID=5393606
you need to have a company and contact the NXP sales contact , to get the JCOP31 v2.4.1

2009/9/27 João Poupino <joao.poupino@...>

On Sep 27, 2009, at 18:51, gilles Bernabé wrote:

Hello,

I was trying to use opensc for the first time with cyberflex cards 32K and 64K
i've succesfully load the Muscle applet CardEdgeCF.cap and CardEdgeII.ijc in the cards from here :
http://www.opensc-project.org/opensc/wiki/Cyberflex and here :http://www.openscdp.org/scripts/musclecard/index.html
i'm able to initialize the pin(SO and user) with both with this command :"pkcs15-init -EC -p pkcs15+onepin",

but when i try to to load a certificate externally generated by openssl, i've got error:

"root@admin1-laptop:~/JavaCard_SDK2# pkcs15-init -S moi2.key -a 1 -u sign,decrypt --split-key
Please enter passphrase to unlock secret key:
User PIN required.
Please enter User PIN:
[pkcs15-init] iso7816.c:102:iso7816_check_sw: Unknown SWs; SW1=9C, SW2=02
[pkcs15-init] sec.c:201:sc_pin_cmd: returning with: Card command failed
[pkcs15-init] pkcs15-lib.c:3105:do_get_and_verify_secret: Failed to verify user PIN (ref=0x1)
[pkcs15-init] pkcs15-muscle.c:192:muscle_store_key: returning with: Not supported
Failed to store private key: Not supported"

9C02 is SW_AUTH_FAILED; it appears the PIN you entered is incorrect.

Could you try setting to PIN to '00000000' and see if it works?

(error too if i try the internal generation: "pkcs15-init -G RSA -a 1 -v -u sign,decrypt --split-key")

I've try too the pkcs11-tool without success:

"root@admin1-laptop:~/JavaCard_SDK2# pkcs11-tool --init-token --label "gilles" --so-pin 12345678
[opensc-pkcs11] pkcs15.c:761:sc_pkcs15_bind: returning with: Unsupported card
[opensc-pkcs11] iso7816.c:102:iso7816_check_sw: Unknown SWs; SW1=9C, SW2=05
[opensc-pkcs11] iso7816.c:102:iso7816_check_sw: Unknown SWs; SW1=9C, SW2=05
error: PKCS11 function C_InitToken failed: rv = CKR_GENERAL_ERROR (0x5)

Aborting."

9C05 is SW_UNSUPPORTED_FEATURE.

Is there a method to load a certificate on this cards or do you know compatible cards(recent cards not old) like jcops, in order to use it with firefox and PKCS11 on linux?

I use the Muscle applet and OpenSC with an Aladdin eToken 72K. It is a pretty recent card and it works wonderfully: key generation works (up to 2048 bit), key loading, etc... But you must get the engineering version in order to load custom applets.

I've heard about people using a very recent version of the JCOP card with Muscle + OpenSC: the JCOP31 v2.4.1. Which is, like the Aladdin eToken 72K, a Java 2.2.2 card that supports nice things like extended APDUs, has a nice amount of RAM, is (really) fast, etc.

thanks ,
Kind regards

Good luck!

Hi,

On Oct 4, 2009, at 14:21, Peter Stuge wrote:

> João Poupino wrote:
>>> i've got "OID.2.5.4.0" on the card and just "O" (for organisation)
>>> when i load it in the webbrowser in format pkcs12, but the values
>>> associated to this field organisation are the same and all the rest
>>> is the same.
>>
>> I don't think I understood this cleary, could you please clarify?
>>
>> What certificate attributes and values to you see on the card?
>> What certificate attributes and values do you see when you load it
>> in firefox?
>
> As I understand it, the one certificate is shown completely correctly
> when using a .p12 and it also functions correctly, but when the
> certificate is on the card Firefox does not display the O part of the
> DN, and instead the numeric OID 2.5.4.0 (with the correct organization
> data). I don't know what that numeric OID actually means, if anything.
>
> My guess was an error in producing or parsing ASN.1.
>

Ok, got it. All else being equal, the O attribute is different.
According to [1], 2.5.4.0 is just "objectClass". Organization should
be 2.5.4.10.

[1] - http://www.oid-info.com/

> It would be helpful to display the certificate attributes also using
> something other than Firefox/NSS, e.g. the OpenSSL engine or via p11.
>
>
> //Peter
> _______________________________________________
> opensc-devel mailing list
> opensc-devel@...
> http://www.opensc-project.org/mailman/listinfo/opensc-devel

_______________________________________________
opensc-devel mailing list
opensc-devel@...
http://www.opensc-project.org/mailman/listinfo/opensc-devel

Hi,

Ok thanks João,
i think peter understood,
here's the two screens:
when i load the cert on the card :[1] , this time it's OID2.5.0.10
when i load the cert in the browser using a ".p12": [2]

only the second issue is a success.

Yes i have initialized the pins like in [3] , with the command :
opensc-tool -s 00:A4:04:00:06:A0:00:00:00:01:01 -s B0:2A:00:00:38:08:4D:75:73:63:6C:65:30:30:04:01:08:30:30:30:30:30:30:30:30:08:30:30:30:30:30:30:30:30:05:02:08:30:30:30:30:30:30:30:30:08:30:30:30:30:30:30:30:30:00:00:17:70:00:02:01and

then :

pkcs15-init -EC -p pkcs15+onepin

result of " pkcs11-tool --test --login " is in result.txt

i realized there was the source code i was looking for: [4] , first i'll read this big thread, and try to compile the cardlet with ant, i think it should help me to get a better result.txt, i was working with an old .ijc of [3]...
i'll also take a more recent Opensc version, i have the 0.11.4 of the synaptic in ubuntu.
i'll give you some news , thanks

Gilles

[1]: http://img202.imageshack.us/img202/6841/screen1q.jpg
[2]: http://img242.imageshack.us/img242/9206/screen2s.jpg
[3]: http://www.opensc-project.org/opensc/wiki/Cyberflex
[4]: http://lists.drizzle.com/pipermail/muscle/2009-May/007644.html

2009/10/4 João Poupino <joao.poupino@...>

Hi,

On Oct 4, 2009, at 14:21, Peter Stuge wrote:

> João Poupino wrote:
>>> i've got "OID.2.5.4.0" on the card and just "O" (for organisation)
>>> when i load it in the webbrowser in format pkcs12, but the values
>>> associated to this field organisation are the same and all the rest
>>> is the same.
>>
>> I don't think I understood this cleary, could you please clarify?
>>
>> What certificate attributes and values to you see on the card?
>> What certificate attributes and values do you see when you load it
>> in firefox?
>
> As I understand it, the one certificate is shown completely correctly
> when using a .p12 and it also functions correctly, but when the
> certificate is on the card Firefox does not display the O part of the
> DN, and instead the numeric OID 2.5.4.0 (with the correct organization
> data). I don't know what that numeric OID actually means, if anything.
>
> My guess was an error in producing or parsing ASN.1.
>

Ok, got it. All else being equal, the O attribute is different.
According to [1], 2.5.4.0 is just "objectClass". Organization should
be 2.5.4.10.

[1] - http://www.oid-info.com/

> It would be helpful to display the certificate attributes also using
> something other than Firefox/NSS, e.g. the OpenSSL engine or via p11.
>
>
> //Peter
> _______________________________________________
> opensc-devel mailing list
> opensc-devel@...
> http://www.opensc-project.org/mailman/listinfo/opensc-devel

_______________________________________________
opensc-devel mailing list
opensc-devel@...
http://www.opensc-project.org/mailman/listinfo/opensc-devel

Peter Stuge wrote:
> gilles Bernabé wrote:
>> when i load it on the card, in the fieds of the certificate : E:...,
>> CN:.., ....., i've got "OID.2.5.4.0" on the card and just "O" (for
>> organisation) when i load it in the webbrowser in format pkcs12,
>
> So is this a bug in something ASN.1 in OpenSC, or in the applet?
>

Sounds like a malformed or unusual certificate.

 OID 2.5.4.0 is for objectClass which is not normally use in a DN.

So different applications might print different strings(or the OID number)
for this OID. (O= for objectClass could be used, but is misleading
as O= is usuall used for Organization.)

See: http://www.alvestrand.no/objectid/2.5.4.0.html

Can you send the certificate?(PEM encodeing would be best.)

>
> //Peter
> _______________________________________________
> opensc-devel mailing list
> opensc-devel@...
> http://www.opensc-project.org/mailman/listinfo/opensc-devel

--

 Douglas E. Engert  <DEEngert@...>
 Argonne National Laboratory
 9700 South Cass Avenue
 Argonne, Illinois  60439
 (630) 252-5444

_______________________________________________
opensc-devel mailing list
opensc-devel@...
http://www.opensc-project.org/mailman/listinfo/opensc-devel

gilles Bernabé wrote:

Hi,

@ Douglas E.:
Sorry for my late answer, i was busy with other projects for my school,
but when i ask the card to show me the certificate that's inside, the result of the command :
pkcs15-tool -r <id>
give me the same certificate that i had loaded, so the "OID" just apears in firefox.

As I said in the first response:

Can you send the certificate?(PEM encodeing would be best.)

I've compiled the last Muscle cardlet from here:[1] with Ant, i got a CardeEdgeCflex.ijc (and other .cap and .exp)
i've loaded the .ijc in the 32k card.
I've installed too the Opensc version 0.11.9 and the Openct version 0.6.17,
but the result is the same, i've got again an "OID 2.5.4.0" when i want to be authenticated, and the server doesn't recognize my certificate...
and when i go in firefox->options->....->your certificates, for the part Organisation(O) of the Muscle certificate it is written "not par of the certificate" instead of the value of my attribute "O".

Pherhaps i'll try to understand better this story of OID,
does someone have ever been able to use the Muscle applet with a smartcard and success a SSL authentication ? i mean like this one: [2] (at the end of the page: Appache FireFox).
I know this method works with cards like Aladdin "out of the box" without Muscle, but what interests me is to use the Muscle Applet( to customize it later)  and use it at the same time with PKCS15 or PKCS11.

thanks,

kind regards,
Gilles

[1]: http://lists.drizzle.com/pipermail/muscle/2009-May/007644.html
[2]: http://www.unixgarden.com/index.php/securite/smartcards-applications

2009/10/5 Douglas E. Engert <deengert@... <mailto:deengert@...>>

   Peter Stuge wrote:
    > gilles Bernabé wrote:
    >> when i load it on the card, in the fieds of the certificate : E:...,
    >> CN:.., ....., i've got "OID.2.5.4.0" on the card and just "O" (for
    >> organisation) when i load it in the webbrowser in format pkcs12,
    >
    > So is this a bug in something ASN.1 in OpenSC, or in the applet?
    >

   Sounds like a malformed or unusual certificate.

    OID 2.5.4.0 is for objectClass which is not normally use in a DN.

   So different applications might print different strings(or the OID
   number)
   for this OID. (O= for objectClass could be used, but is misleading
   as O= is usuall used for Organization.)

   See: http://www.alvestrand.no/objectid/2.5.4.0.html

   Can you send the certificate?(PEM encodeing would be best.)

    >
    > //Peter
    > _______________________________________________
    > opensc-devel mailing list
    > opensc-devel@...

   <mailto:opensc-devel@...>

    > http://www.opensc-project.org/mailman/listinfo/opensc-devel

   --

    Douglas E. Engert  <DEEngert@... <mailto:DEEngert@...>>

    Argonne National Laboratory
    9700 South Cass Avenue
    Argonne, Illinois  60439
    (630) 252-5444
   _______________________________________________
   opensc-devel mailing list
   opensc-devel@...

   <mailto:opensc-devel@...>

   http://www.opensc-project.org/mailman/listinfo/opensc-devel

--

 Douglas E. Engert  <DEEngert@...>
 Argonne National Laboratory
 9700 South Cass Avenue
 Argonne, Illinois  60439
 (630) 252-5444

ok, here it is PEM encoding

Le 22 octobre 2009 22:06, Douglas E. Engert <deengert@...> a écrit :

gilles Bernabé wrote:

Hi,

@ Douglas E.:
Sorry for my late answer, i was busy with other projects for my school,
but when i ask the card to show me the certificate that's inside, the result of the command :
pkcs15-tool -r <id>
give me the same certificate that i had loaded, so the "OID" just apears in firefox.

As I said in the first response:

Can you send the certificate?(PEM encodeing would be best.)

I've compiled the last Muscle cardlet from here:[1] with Ant, i got a CardeEdgeCflex.ijc (and other .cap and .exp)
i've loaded the .ijc in the 32k card.
I've installed too the Opensc version 0.11.9 and the Openct version 0.6.17,
but the result is the same, i've got again an "OID 2.5.4.0" when i want to be authenticated, and the server doesn't recognize my certificate...
and when i go in firefox->options->....->your certificates, for the part Organisation(O) of the Muscle certificate it is written "not par of the certificate" instead of the value of my attribute "O".

Pherhaps i'll try to understand better this story of OID,
does someone have ever been able to use the Muscle applet with a smartcard and success a SSL authentication ? i mean like this one: [2] (at the end of the page: Appache FireFox).
I know this method works with cards like Aladdin "out of the box" without Muscle, but what interests me is to use the Muscle Applet( to customize it later)  and use it at the same time with PKCS15 or PKCS11.

thanks,

kind regards,
Gilles

[1]: http://lists.drizzle.com/pipermail/muscle/2009-May/007644.html
[2]: http://www.unixgarden.com/index.php/securite/smartcards-applications

2009/10/5 Douglas E. Engert <deengert@... <mailto:deengert@...>>

   Peter Stuge wrote:
    > gilles Bernabé wrote:
    >> when i load it on the card, in the fieds of the certificate : E:...,
    >> CN:.., ....., i've got "OID.2.5.4.0" on the card and just "O" (for
    >> organisation) when i load it in the webbrowser in format pkcs12,
    >
    > So is this a bug in something ASN.1 in OpenSC, or in the applet?
    >

   Sounds like a malformed or unusual certificate.

    OID 2.5.4.0 is for objectClass which is not normally use in a DN.

   So different applications might print different strings(or the OID
   number)
   for this OID. (O= for objectClass could be used, but is misleading
   as O= is usuall used for Organization.)

   See: http://www.alvestrand.no/objectid/2.5.4.0.html

   Can you send the certificate?(PEM encodeing would be best.)

    >
    > //Peter
    > _______________________________________________
    > opensc-devel mailing list
    > opensc-devel@...

   <mailto:opensc-devel@...>

    > http://www.opensc-project.org/mailman/listinfo/opensc-devel

   --

    Douglas E. Engert  <DEEngert@... <mailto:DEEngert@...>>

    Argonne National Laboratory
    9700 South Cass Avenue
    Argonne, Illinois  60439
    (630) 252-5444
   _______________________________________________
   opensc-devel mailing list
   opensc-devel@...

   <mailto:opensc-devel@...>

   http://www.opensc-project.org/mailman/listinfo/opensc-devel

--

 Douglas E. Engert  <DEEngert@...>
 Argonne National Laboratory
 9700 South Cass Avenue
 Argonne, Illinois  60439
 (630) 252-5444