AT_SIGNATURE and AT_EXCHANGE Problem


AT_SIGNATURE and AT_EXCHANGE Problem

Michael Heydemann
Dear OpenSC Development Team,

First of all, I would like to say that I really appreciate your great work.
I am working on a little project and explored all the nice tools of OpenSC.
Unfortunately, for a week now I have not been able to get around a certain problem.
I hope this mailing list is the right place and you can help me with that.

My project is about (1) setting up a PKCS#11 key store on a Java Card,
(2) loading some test data (keys and certificates) on it, and (3) using the card
with the Windows 7 Key Management.

Hardware: 
* Card Reader: Omnikey 3121USB
* Java Card: J2A080 - NXP, 80k

(1) Setting up PKCS#11 key store:
I have installed Ubuntu 14.04.1 in VirtualBox and wrote a bunch of bash scripts
to install all required software, install the muscle applet on the card, and
remove the muscle applet from the card again. I followed the instructions on
http://blog.ev0ke.net/muscle-jcop/ and everything worked well.

(2) Loading some test data:
I tried some different ways to get some keys and certificates on the card.
None of them delivered data which is accepted by Windows 7.
Here is one set of data I created:

***************************************************************************************
Using reader with a card: OMNIKEY CardMan (076B:3022) 3021 00 00
PKCS#15 Card [MUSCLE]:
Version        : 0
Serial number  : 0000
Manufacturer ID: Identity Alliance
Last update    : 20150119080705Z
Flags          : EID compliant

PIN [User PIN]
Object Flags   : [0x3], private, modifiable
ID             : 01
Flags          : [0x10], initialized
Length         : min_len:4, max_len:8, stored_len:8
Pad char       : 0x00
Reference      : 1
Type           : ascii-numeric
Path           : 3f005015

Private RSA Key [Card Owner]
Object Flags   : [0x3], private, modifiable
Usage          : [0x2E], decrypt, sign, signRecover, unwrap
Access Flags   : [0x0]
ModLength      : 1024
Key ref        : 0 (0x0)
Native         : yes
Path           : 3f005015
Auth ID        : 01
ID             : 01

Public RSA Key [Card Owner]
Object Flags   : [0x2], modifiable
Usage          : [0xD1], encrypt, wrap, verify, verifyRecover
Access Flags   : [0x0]
ModLength      : 1024
Key ref        : 0
Native         : no
Path           : 3f0050153000
ID             : 01

X.509 Certificate [Card Owner Certificate]
Object Flags   : [0x2], modifiable
Authority      : no
Path           : 3f0050153100
ID             : 01
Encoded serial : 02 09 00F695059953A904F9

X.509 Certificate [Contact 2 Certificate]
Object Flags   : [0x2], modifiable
Authority      : no
Path           : 3f0050153101
ID             : 02
Encoded serial : 02 09 00F695059953A904F9

X.509 Certificate [Contact 3 Certificate]
Object Flags   : [0x2], modifiable
Authority      : no
Path           : 3f0050153102
ID             : 03
Encoded serial : 02 09 00F695059953A904F9

X.509 Certificate [Contact 4 Certificate]
Object Flags   : [0x2], modifiable
Authority      : no
Path           : 3f0050153103
ID             : 04
Encoded serial : 02 09 00F695059953A904F9

X.509 Certificate [Contact 5 Certificate]
Object Flags   : [0x2], modifiable
Authority      : no
Path           : 3f0050153104
ID             : 05
Encoded serial : 02 09 00F695059953A904F9
***************************************************************************************

(3) Using the card in Windows 7:
I installed Windows 7 64-bit in VirtualBox and installed
OpenSC-0.12.2-win64.msi. I also tried OpenSC-0.14.0-win64.msi,
but with the same result.
I acquired the ATR of the card and properly installed my opensc-minidriver.inf:

***************************************************************************************
[Version]
Signature="$Windows NT$"
Class=SmartCard
ClassGuid={990A2BD7-E738-46c7-B26F-1CF8FB9F1391}
Provider=%ProviderName%
CatalogFile=delta.cat
DriverVer=05/02/2010,@OPENSC_VERSION_MAJOR@,@OPENSC_VERSION_MINOR@,@OPENSC_VERSION_FIX@,0

[Manufacturer]
%ProviderName%=Minidriver,NTamd64,NTamd64.6.1,NTx86,NTx86.6.1

[Minidriver.NTamd64]
%CardDeviceName%=Minidriver64_Install,SCFILTER\CID_00640181010c829000

[Minidriver.NTx86]
%CardDeviceName%=Minidriver32_Install,SCFILTER\CID_00640181010c829000

[Minidriver.NTamd64.6.1]
%CardDeviceName%=Minidriver64_61_Install,SCFILTER\CID_00640181010c829000

[Minidriver.NTx86.6.1]
%CardDeviceName%=Minidriver32_61_Install,SCFILTER\CID_00640181010c829000

[DefaultInstall]
CopyFiles=x86_CopyFiles
AddReg=AddRegDefault

[DefaultInstall.ntamd64]
CopyFiles=amd64_CopyFiles
CopyFiles=wow64_CopyFiles
AddReg=AddRegWOW64
AddReg=AddRegDefault

[DefaultInstall.NTx86]
CopyFiles=x86_CopyFiles
AddReg=AddRegDefault

[DefaultInstall.ntamd64.6.1]
AddReg=AddRegWOW64
AddReg=AddRegDefault

[DefaultInstall.NTx86.6.1]
AddReg=AddRegDefault

[SourceDisksFiles]
%SmartCardCardModule%=1
%SmartCardCardModule64%=1

[SourceDisksNames]
1 = %MediaDescription%

[Minidriver64_Install.NT]
CopyFiles=amd64_CopyFiles
CopyFiles=wow64_CopyFiles
AddReg=AddRegWOW64
AddReg=AddRegDefault

[Minidriver64_61_Install.NT]
AddReg=AddRegWOW64
AddReg=AddRegDefault
Include=umpass.inf
Needs=UmPass

[Minidriver32_Install.NT]
CopyFiles=x86_CopyFiles
AddReg=AddRegDefault

[Minidriver32_61_Install.NT]
AddReg=AddRegDefault
Include=umpass.inf
Needs=UmPass

[Minidriver64_61_Install.NT.Services]
Include=umpass.inf
Needs=UmPass.Services

[Minidriver32_61_Install.NT.Services]
Include=umpass.inf
Needs=UmPass.Services


[Minidriver64_61_Install.NT.HW]
Include=umpass.inf
Needs=UmPass.HW

[Minidriver64_61_Install.NT.CoInstallers]
Include=umpass.inf
Needs=UmPass.CoInstallers


[Minidriver64_61_Install.NT.Interfaces]
Include=umpass.inf
Needs=UmPass.Interfaces


[Minidriver32_61_Install.NT.HW]
Include=umpass.inf
Needs=UmPass.HW

[Minidriver32_61_Install.NT.CoInstallers]
Include=umpass.inf
Needs=UmPass.CoInstallers


[Minidriver32_61_Install.NT.Interfaces]
Include=umpass.inf
Needs=UmPass.Interfaces


[amd64_CopyFiles]
;%SmartCardCardModule%,%SmartCardCardModule64%

[x86_CopyFiles]
;%SmartCardCardModule%

[wow64_CopyFiles]
;%SmartCardCardModule64%

[AddRegWOW64]
HKLM, %SmartCardNameWOW64%,"ATR",0x00000001,3b,f8,13,00,00,81,31,fe,45,4A,43,4f,50,76,32,34,31,b7
HKLM, %SmartCardNameWOW64%,"ATRMask",0x00000001,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff
HKLM, %SmartCardNameWOW64%,"Crypto Provider",0x00000000,"Microsoft Base Smart Card Crypto Provider"
HKLM, %SmartCardNameWOW64%,"Smart Card Key Storage Provider",0x00000000,"Microsoft Smart Card Key Storage Provider"
HKLM, %SmartCardNameWOW64%,"80000001",0x00000000,%SmartCardCardModule64%

[AddRegDefault]
HKLM, %SmartCardName%,"ATR",0x00000001,3b,f8,13,00,00,81,31,fe,45,4A,43,4f,50,76,32,34,31,b7
HKLM, %SmartCardName%,"ATRMask",0x00000001,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff
HKLM, %SmartCardName%,"Crypto Provider",0x00000000,"Microsoft Base Smart Card Crypto Provider"
HKLM, %SmartCardName%,"Smart Card Key Storage Provider",0x00000000,"Microsoft Smart Card Key Storage Provider"
HKLM, %SmartCardName%,"80000001",0x00000000,%SmartCardCardModule%

[DestinationDirs]
amd64_CopyFiles=10,system32
x86_CopyFiles=10,system32
wow64_CopyFiles=10,syswow64


; =================== Generic ==================================

[Strings]
ProviderName="OpenSC"
MediaDescription="OpenSC Card Minidriver Installation Disk"
CardDeviceName="Muscle Card"
SmartCardName="SOFTWARE\Microsoft\Cryptography\Calais\SmartCards\Muscle Card"
SmartCardNameWOW64="SOFTWARE\Wow6432Node\Microsoft\Cryptography\Calais\SmartCards\Muscle Card"
SmartCardCardModule="opensc-minidriver.dll"
***************************************************************************************

When the card is inserted, the driver is used, as shown in Device Manager
as well as in certutil.exe.
Now here is the actual problem:
When I try to use the card with certutil.exe -SCinfo, a dialog pops up several times
complaining that the card does not have the required functions.
The terminal output is like this. I am sorry for pasting this in German;
I added some translations:

***************************************************************************************
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. Alle Rechte vorbehalten.

C:\Users\developer>certutil -scinfo
Die Microsoft Smartcard-Ressourcenverwaltung wird ausgeführt.
Aktueller Leser-/Kartenstatus: (Current Reader/Card Status)
Leser: 1 (Reader: 1)
  0: OMNIKEY CardMan 3x21 0
--- Leser: OMNIKEY CardMan 3x21 0 (Reader)
--- Status: SCARD_STATE_PRESENT | SCARD_STATE_UNPOWERED
--- Status: Die Smartcard kann verwendet werden.
---  Karte: Muscle Card
---    ATR:
        3b f8 13 00 00 81 31 fe  45 4a 43 4f 50 76 32 34   ;.....1.EJCOPv24
        31 b7                                              1.


=======================================================
Karte im Leser wird analysiert: OMNIKEY CardMan 3x21 0 (Trans: The card in the reader is being analyzed)

--------------===========================--------------
================ Zertifikat 0 ================ (Trans: Certificate 0)
--- Leser: OMNIKEY CardMan 3x21 0 (Reader)
---  Karte: Muscle Card
Anbieter = Microsoft Base Smart Card Crypto Provider
Schlüsselcontainer = (null) [Standardcontainer] (Trans: standard container)

Schlüssel "AT_SIGNATURE" kann nicht geöffnet werden für Leser: OMNIKEY CardMan 3x21 0 (Trans: Key "AT_SIGNATURE" could not be opened)
Schlüssel "AT_KEYEXCHANGE" kann nicht geöffnet werden für Leser: OMNIKEY CardMan 3x21 0 (Trans: Key "AT_KEYEXCHANGE" could not be opened)

--------------===========================--------------
================ Zertifikat 0 ================
--- Leser: OMNIKEY CardMan 3x21 0
---  Karte: Smart Security Device (Brainchild)
Anbieter = Microsoft Smart Card Key Storage Provider
Schlüsselcontainer = (null) [Standardcontainer]

Schlüssel "" kann nicht geöffnet werden für Leser: OMNIKEY CardMan 3x21 0 (Trans: Key "" could not be opened)

--------------===========================--------------

Fertig.
CertUtil: -SCInfo-Befehl wurde erfolgreich ausgeführt. (Trans: -SCinfo command has been executed successfully)
***************************************************************************************

I also configured a log file and debug level 9 in opensc.conf.
Unfortunately the file is about 2.5 MB. I will try to add it as an attachment to this mail,
but I am not sure whether that works with a mailing list.

I already inspected the log, but found nothing suspicious.
I think maybe there has to be a private key marked
for use as AT_SIGNATURE and one for AT_EXCHANGE.
But how?

Or maybe I am completely wrong and something different is going wrong.

Any help would be appreciated!

Best Regards,
Michael


------------------------------------------------------------------------------
New Year. New Location. New Benefits. New Data Center in Ashburn, VA.
GigeNET is offering a free month of service with a new server in Ashburn.
Choose from 2 high performing configs, both with 100TB of bandwidth.
Higher redundancy.Lower latency.Increased capacity.Completely compliant.
http://p.sf.net/sfu/gigenet
_______________________________________________
Opensc-devel mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/opensc-devel

Attachments: opensc.log (3M), smime.p7s (4K)
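The following Python is an added diagnostic, not code from the post or from OpenSC: it parses the ATR/ATRMask lines from the INF above and the ATR dump from the certutil output, verifies the dump's TCK checksum, decodes the ISO 7816-3 historical bytes, and applies the mask-and-compare rule the Windows smart card database uses to pick a minidriver. The sample inputs are copied from the post; the masked comparison with a same-length requirement is my assumption about how Windows matches an ATR.

```python
"""Check the ATR certutil reported against the ATR/ATRMask registered in the INF."""
import re

# Constructed sample: the two [AddRegDefault] lines from the INF in the post.
INF_ADDREG = """
HKLM, %SmartCardName%,"ATR",0x00000001,3b,f8,13,00,00,81,31,fe,45,4A,43,4f,50,76,32,34,31,b7
HKLM, %SmartCardName%,"ATRMask",0x00000001,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff
"""

# Constructed sample: the ATR block as certutil -scinfo printed it in the post.
CERTUTIL_ATR = """
---    ATR:
        3b f8 13 00 00 81 31 fe  45 4a 43 4f 50 76 32 34   ;.....1.EJCOPv24
        31 b7                                              1.
"""

HEX_PAIR = re.compile(r"^[0-9a-fA-F]{2}$")


def parse_inf_atr_values(inf_text):
    """Return {"ATR": bytes, "ATRMask": bytes} from AddReg lines of the form
    HKLM, <key>,"ATR",0x00000001,<comma-separated hex bytes>."""
    values = {}
    for line in inf_text.splitlines():
        m = re.match(r'\s*HKLM,\s*[^,]+,"(ATR|ATRMask)",0x00000001,(.+)$', line)
        if m:
            values[m.group(1)] = bytes(int(b, 16) for b in m.group(2).strip().split(","))
    return values


def parse_certutil_atr(text):
    """Collect the hex dump that follows the 'ATR:' marker. certutil prints up to
    16 bytes per line followed by an ASCII column, so tokens are read only until
    the first non-hex token (the ASCII column) or the 16th byte of the line."""
    atr = bytearray()
    in_atr = False
    for line in text.splitlines():
        if not in_atr:
            in_atr = line.strip().endswith("ATR:")
            continue
        tokens = line.split()
        if not tokens or not HEX_PAIR.match(tokens[0]):
            break  # blank line or other text: the dump is over
        for tok in tokens[:16]:
            if not HEX_PAIR.match(tok):
                break
            atr.append(int(tok, 16))
    return bytes(atr)


def tck_ok(atr):
    """ISO 7816-3: when a protocol other than T=0 is offered, the trailing TCK byte
    makes the XOR of every byte after TS (0x3b) equal zero. A failing check usually
    means a mistyped or truncated dump rather than a bad card."""
    x = 0
    for b in atr[1:]:
        x ^= b
    return x == 0


def historical_bytes(atr):
    """Walk the interface bytes: the high nibble of T0 and of each TDi flags which
    of TAi/TBi/TCi/TDi follow; the low nibble of T0 is the count K of historical
    bytes that come after the last interface byte."""
    t0 = atr[1]
    k, y, i = t0 & 0x0F, t0 >> 4, 2
    while True:
        present = bin(y).count("1")
        td = atr[i + present - 1] if y & 0x8 else None
        i += present
        if td is None:
            return bytes(atr[i:i + k])
        y = td >> 4


def atr_matches(card_atr, registered_atr, mask):
    """Assumed Windows rule: both ATRs are ANDed with the mask and compared, and
    lengths must agree; an all-ff mask (as in this INF) therefore demands a
    byte-exact match, so any ATR variation would silently drop the minidriver."""
    if not (len(card_atr) == len(registered_atr) == len(mask)):
        return False
    return all((c & m) == (r & m) for c, r, m in zip(card_atr, registered_atr, mask))


def check_registration(inf_text, certutil_text):
    """Run the three checks and return the findings as a dict."""
    reg = parse_inf_atr_values(inf_text)
    card = parse_certutil_atr(certutil_text)
    return {
        "card_atr": card.hex(),
        "tck_ok": tck_ok(card),
        "historical": historical_bytes(card).decode("ascii", "replace"),
        "inf_match": atr_matches(card, reg["ATR"], reg["ATRMask"]),
    }


if __name__ == "__main__":
    for key, value in check_registration(INF_ADDREG, CERTUTIL_ATR).items():
        print(f"{key:>11}: {value}")
```

For the data in this post the registration matches and the historical bytes read "JCOPv241", so a wrong ATR registration is ruled out as the cause of the certutil failure.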

Re: AT_SIGNATURE and AT_EXCHANGE Problem

Douglas E Engert
This is the same problem as:

  https://github.com/OpenSC/OpenSC/pull/321


2015-01-19 09:49:34.203 [cardmod] card.c:720:sc_card_ctl: called
2015-01-19 09:49:34.203 card_ctl(5) not supported

The card-muscle.c driver (and others in OpenSC) does not support SC_CARDCTL_GET_SERIALNR,
which is used to get a card "serial number" that Windows requires.



On 1/19/2015 3:30 AM, Michael Heydemann wrote:

--

  Douglas E. Engert  <[hidden email]>


Re: AT_SIGNATURE and AT_EXCHANGE Problem

Douglas E Engert
[I should have sent this to the opensc-devel, as others can address some of your questions
about the state of the muscle applet and isoapplet].

No, that fix was for card-itacns.c; you are using card-muscle.c.

Some equivalent code needs to be added to card-muscle.c, to use whatever information is available that
Windows could use to uniquely identify the card. This is then stored with the certificates in the Windows store.
At a later time, Windows uses certificates from the store and can then prompt to have the card mounted, so it can use the
matching key on the card.

You or someone else that can test a mod to card-muscle.c could submit a code change.

There are 33 card-*.c files; 24 support SC_CARDCTL_GET_SERIALNR, 11 do not:

card-belpic.c
card-default.c
card-gemsafeV1.c
card-ias.c
card-incrypto34.c
card-jcop.c
card-mcrd.c
card-miocos.c
card-muscle.c
card-setcos.c
iso7816.c

Cards that support SC_CARDCTL_GET_SERIALNR:
card-acos5.c
card-akis.c
card-asepcos.c
card-atrust-acos.c
card-authentic.c
card-cardos.c
card-dnie.c
card-entersafe.c
card-epass2003.c
card-flex.c
card-gpk.c
card-iasecc.c
card-itacns.c
card-myeid.c
card-oberthur.c
card-openpgp.c
card-piv.c
card-rtecp.c
card-rutoken.c
card-sc-hsm.c
card-starcos.c
card-tcos.c
card-westcos.c


To answer some other questions you asked in a private e-mail:

iso7816.c, which implements the basic ISO commands, does not support any card_ctl commands.
I believe that the IsoApplet is designed to use iso7816.c. I am not sure whether the concept of
a unique "serial number" is part of ISO 7816.

I also don't know the state of the muscle applet, or if it has something that can be used as a serial number either.



On 1/19/2015 8:37 AM, Michael Heydemann wrote:

> WOW.. Thank you a lot.. I think I owe you a beer..
>
> I checked: the fix is from November last year, and the 0.14 version is from summer last year.
> Does this mean that the nightly build could fix this?
> Which version should I pull/download?
>
> Thank you a lot,
> Michael
>
>> On 19.01.2015 at 14:35, Douglas E Engert <[hidden email]> wrote:
>>> HKLM, %SmartCardNameWOW64%,"Smart Card Key Storage Provider",0x00000000,"Microsoft Smart Card Key Storage Provider"
>>> HKLM, %SmartCardNameWOW64%,"80000001",0x00000000,%SmartCardCardModule64%
>>>
>>> [AddRegDefault]
>>> HKLM, %SmartCardName%,"ATR",0x00000001,3b,f8,13,00,00,81,31,fe,45,4A,43,4f,50,76,32,34,31,b7
>>> HKLM, %SmartCardName%,"ATRMask",0x00000001,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff
>>> HKLM, %SmartCardName%,"Crypto Provider",0x00000000,"Microsoft Base Smart Card Crypto Provider"
>>> HKLM, %SmartCardName%,"Smart Card Key Storage Provider",0x00000000,"Microsoft Smart Card Key Storage Provider"
>>> HKLM, %SmartCardName%,"80000001",0x00000000,%SmartCardCardModule%
>>>
>>> [DestinationDirs]
>>> amd64_CopyFiles=10,system32
>>> x86_CopyFiles=10,system32
>>> wow64_CopyFiles=10,syswow64
>>>
>>>
>>> ; =================== Generic ==================================
>>>
>>> [Strings]
>>> ProviderName ="OpenSC"
>>> MediaDescription="OpenSC Card Minidriver Installation Disk"
>>> CardDeviceName="Muscle Card"
>>> SmartCardName="SOFTWARE\Microsoft\Cryptography\Calais\SmartCards\Muscle Card"
>>> SmartCardNameWOW64="SOFTWARE\Wow6432Node\Microsoft\Cryptography\Calais\SmartCards\Muscle Card"
>>> SmartCardCardModule="opensc-minidriver.dll"
>>> ***************************************************************************************
>>>
>>> When the card is inserted, the driver is used, as shown in Device Manager
>>> as well as in certutil.exe.
>>> Now here is the actual problem:
>>> When I try to use the card with certutil.exe -SCinfo, several times a dialog pops up
>>> complaining that the card does not have the required functions.
>>> The terminal output is like this. I am sorry for pasting this in German.
>>> I added some translations:
>>>
>>> ***************************************************************************************
>>> Microsoft Windows [Version 6.1.7601]
>>> Copyright (c) 2009 Microsoft Corporation. Alle Rechte vorbehalten.
>>>
>>> C:\Users\developer>certutil -scinfo
>>> Die Microsoft Smartcard-Ressourcenverwaltung wird ausgeführt.
>>> Aktueller Leser-/Kartenstatus: (Current Reader/Card Status)
>>> Leser: 1 (Reader: 1)
>>>    0: OMNIKEY CardMan 3x21 0
>>> --- Leser: OMNIKEY CardMan 3x21 0 (Reader)
>>> --- Status: SCARD_STATE_PRESENT | SCARD_STATE_UNPOWERED
>>> --- Status: Die Smartcard kann verwendet werden.
>>> ---  Karte: Muscle Card
>>> ---    ATR:
>>>          3b f8 13 00 00 81 31 fe  45 4a 43 4f 50 76 32 34   ;.....1.EJCOPv24
>>>          31 b7                                              1.
>>>
>>>
>>> =======================================================
>>> Karte im Leser wird analysiert: OMNIKEY CardMan 3x21 0 (Trans: The card in the reader is being analyzed)
>>>
>>> --------------===========================--------------
>>> ================ Zertifikat 0 ================ (Trans: Certificate 0)
>>> --- Leser: OMNIKEY CardMan 3x21 0 (Reader)
>>> ---  Karte: Muscle Card
>>> Anbieter = Microsoft Base Smart Card Crypto Provider
>>> Schlüsselcontainer = (null) [Standardcontainer] (Trans: standard container)
>>>
>>> Schlüssel "AT_SIGNATURE" kann nicht geöffnet werden für Leser: OMNIKEY CardMan 3 (Trans: Key "AT_SIGNATURE" could not be opened)
>>> x21 0
>>> Schlüssel "AT_KEYEXCHANGE" kann nicht geöffnet werden für Leser: OMNIKEY CardMan (Trans: Key "AT_KEYEXCHANGE" could not be opened)
>>>   3x21 0
>>>
>>> --------------===========================--------------
>>> ================ Zertifikat 0 ================
>>> --- Leser: OMNIKEY CardMan 3x21 0
>>> ---  Karte: Smart Security Device (Brainchild)
>>> Anbieter = Microsoft Smart Card Key Storage Provider
>>> Schlüsselcontainer = (null) [Standardcontainer]
>>>
>>> Schlüssel "" kann nicht geöffnet werden für Leser: OMNIKEY CardMan 3x21 0 (Trans: Key "" could not be opened)
>>>
>>> --------------===========================--------------
>>>
>>> Fertig.
>>> CertUtil: -SCInfo-Befehl wurde erfolgreich ausgeführt. (Trans: -SCinfo command has been executed with success)
>>> ***************************************************************************************
>>>
>>> I also configured to use a log file in opensc.conf and debug level 9.
>>> Unfortunately the file is about 2.5 MB. I try to add it as an attachment to this mail,
>>> but I am not sure if this is working with a mailing list.
>>>
>>> I already inspected the log, but found nothing suspicious.
>>> I think maybe there has to be a private key marked
>>> for use as AT_SIGNATURE and one for AT_EXCHANGE.
>>> But how?
>>>
>>> Or maybe I am completely wrong and something different is going wrong.
>>>
>>> Any help would be appreciated!
>>>
>>> Best Regards,
>>> Michael
>>>
>>>
>>>
>>> ------------------------------------------------------------------------------
>>> New Year. New Location. New Benefits. New Data Center in Ashburn, VA.
>>> GigeNET is offering a free month of service with a new server in Ashburn.
>>> Choose from 2 high performing configs, both with 100TB of bandwidth.
>>> Higher redundancy.Lower latency.Increased capacity.Completely compliant.
>>> http://p.sf.net/sfu/gigenet
>>>
>>>
>>>
>>> _______________________________________________
>>> Opensc-devel mailing list
>>> [hidden email]
>>> https://lists.sourceforge.net/lists/listinfo/opensc-devel
>>>
>>
>> --
>>
>>   Douglas E. Engert  <[hidden email]>
>>
>

--

  Douglas E. Engert  <[hidden email]>



Re: AT_SIGNATURE and AT_EXCHANGE Problem

Philip Wendland
Hi,

I will try to solve this problem for the IsoApplet this weekend. My
spare time is limited until then.

However, the problem will be to find a unique identifier for any generic
card..

Kind regards,
Philip

On 19.01.2015 17:26, Douglas E Engert wrote:

> [I should have sent this to the opensc-devel, as others can address some of your questions
> about the state of the muscle applet and isoapplet].
>
> No, that fix was for card-itacns.c; you are using card-muscle.c.
>
> Some equivalent code needs to be added to card-muscle.c, to use whatever information is available that
> Windows could use to uniquely identify the card. This is then stored with the certificates in the Windows store.
> At a later time, Windows uses certificates from the store and can then prompt to have the card mounted, so it can use the
> matching key on the card.
>
> You or someone else that can test a mod to card-muscle.c could submit a code change.
>
> There are 33 card-*.c files, 24 support SC_CARDCTL_GET_SERIALNR. 11 do not.
>
> card-belpic.c
> card-default.c
> card-gemsafeV1.c
> card-ias.c
> card-incrypto34.c
> card-jcop.c
> card-mcrd.c
> card-miocos.c
> card-muscle.c
> card-setcos.c
> iso7816.c
>
> Cards that support SC_CARDCTL_GET_SERIALNR
> card-acos5.c
> card-akis.c
> card-asepcos.c
> card-atrust-acos.c
> card-authentic.c
> card-cardos.c
> card-dnie.c
> card-entersafe.c
> card-epass2003.c
> card-flex.c
> card-gpk.c
> card-iasecc.c
> card-itacns.c
> card-myeid.c
> card-oberthur.c
> card-openpgp.c
> card-piv.c
> card-rtecp.c
> card-rutoken.c
> card-sc-hsm.c
> card-starcos.c
> card-tcos.c
> card-westcos.c
>
>
> To answer some other questions you asked in a private e-mail:
>
> iso7816.c, which implements the basic ISO commands, does not support any card_ctl commands.
> I believe that the IsoApplet is designed to use iso7816.c. I am not sure if the concept of
> a unique "serial number" is part of ISO7816.
>
> I also don't know the state of the muscle applet, or if it has something that can be used as a serial number either.
>
>
>
> On 1/19/2015 8:37 AM, Michael Heydemann wrote:
>> WOW.. Thank you a lot.. I think I owe you a beer..
>>
>> I checked: the fix is from November last year, and the 0.14 version is from summer last year.
>> Does this mean that the nightly build could fix this?
>> Which version should I pull/download?
>>
>> Thank you a lot,
>> Michael
>>
>>> Am 19.01.2015 um 14:35 schrieb Douglas E Engert <[hidden email]>:
>>>
>>> This is the same problem as:
>>>
>>>   https://github.com/OpenSC/OpenSC/pull/321
>>>
>>>
>>> 2015-01-19 09:49:34.203 [cardmod] card.c:720:sc_card_ctl: called
>>> 2015-01-19 09:49:34.203 card_ctl(5) not supported
>>>
>>> The card-muscle.c (and others in OpenSC) does not support SC_CARDCTL_GET_SERIALNR
>>> to get a card "serial number" which windows requires.
>>>
>>>
>>>
>>> On 1/19/2015 3:30 AM, Michael Heydemann wrote:
>>>
>>> --
>>>
>>>   Douglas E. Engert  <[hidden email]>
>>>
>>>
>>
>


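Douglas's point in the message quoted above is that card-muscle.c has nothing to answer SC_CARDCTL_GET_SERIALNR with (the PKCS#15 dump earlier in the thread shows "Serial number : 0000"), and Philip's worry is where a generic card would get a unique identifier at all; Martin's reply below proposes the GlobalPlatform answer, Issuer Identification Number followed by Card Image Number. The routine below is an added example, not OpenSC code or any contributor's patch: it assembles such a serial from two GET DATA responses (tag 0x42 for the IIN, tag 0x45 for the CIN) and rejects truncated or malformed TLV objects so that a bad card response can never be read past the buffer. The sample response bytes, SERIAL_MAX and the function names are constructed for the illustration.

```c
/* Added example, not OpenSC code: derive a card serial number the GlobalPlatform
 * way (IIN || CIN) from two GET DATA responses. Tag 0x42 = Issuer Identification
 * Number, tag 0x45 = Card Image Number; both are fetched with GET DATA
 * (CLA 0x80 INS 0xCA, P1P2 = tag). The sample responses below are constructed. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define SERIAL_MAX 32   /* hypothetical upper bound for the assembled serial */

/* Parse one primitive, short-form BER-TLV object: tag(1) len(1) value.
 * Returns 0 and sets value/value_len on success, -1 on a tag mismatch,
 * a long-form length, or a declared length longer than the data received. */
static int tlv_get(const uint8_t *resp, size_t resp_len, uint8_t tag,
                   const uint8_t **value, size_t *value_len)
{
    if (resp_len < 2 || resp[0] != tag)
        return -1;
    size_t len = resp[1];
    if (len >= 0x80 || len > resp_len - 2)   /* no long form, no truncated values */
        return -1;
    *value = resp + 2;
    *value_len = len;
    return 0;
}

/* Concatenate IIN and CIN into out. Returns the serial length, or -1 when either
 * object is missing, empty or malformed, or the result would not fit in out_cap. */
int gp_build_serial(const uint8_t *iin_resp, size_t iin_resp_len,
                    const uint8_t *cin_resp, size_t cin_resp_len,
                    uint8_t *out, size_t out_cap)
{
    const uint8_t *iin, *cin;
    size_t iin_len, cin_len;

    if (tlv_get(iin_resp, iin_resp_len, 0x42, &iin, &iin_len) != 0)
        return -1;
    if (tlv_get(cin_resp, cin_resp_len, 0x45, &cin, &cin_len) != 0)
        return -1;
    if (iin_len == 0 || cin_len == 0 || iin_len + cin_len > out_cap)
        return -1;
    memcpy(out, iin, iin_len);
    memcpy(out + iin_len, cin, cin_len);
    return (int)(iin_len + cin_len);
}

/* Constructed sample responses, not captured from a real card. */
static const uint8_t SAMPLE_IIN[] = { 0x42, 0x05, 0x42, 0x06, 0x23, 0x91, 0x19 };
static const uint8_t SAMPLE_CIN[] = { 0x45, 0x0A, 0x01, 0x02, 0x03, 0x04, 0x05,
                                      0x06, 0x07, 0x08, 0x09, 0x0A };

/* Happy path: 5-byte IIN + 10-byte CIN gives a 15-byte serial. */
int demo_serial_len(void)
{
    uint8_t serial[SERIAL_MAX];
    return gp_build_serial(SAMPLE_IIN, sizeof SAMPLE_IIN,
                           SAMPLE_CIN, sizeof SAMPLE_CIN, serial, sizeof serial);
}

/* Failure path: a CIN object that declares 10 bytes but delivers 2 must be
 * rejected instead of being read past the end of the response buffer. */
int demo_rejects_truncated(void)
{
    static const uint8_t bad_cin[] = { 0x45, 0x0A, 0x01, 0x02 };
    uint8_t serial[SERIAL_MAX];
    return gp_build_serial(SAMPLE_IIN, sizeof SAMPLE_IIN,
                           bad_cin, sizeof bad_cin, serial, sizeof serial) == -1;
}

int main(void)
{
    uint8_t serial[SERIAL_MAX];
    int n = gp_build_serial(SAMPLE_IIN, sizeof SAMPLE_IIN,
                            SAMPLE_CIN, sizeof SAMPLE_CIN, serial, sizeof serial);
    if (n < 0) {
        puts("no usable serial");
        return 1;
    }
    printf("serial (%d bytes):", n);
    for (int i = 0; i < n; i++)
        printf(" %02X", serial[i]);
    putchar('\n');
    return 0;
}
```

Whatever a driver puts in this value, Windows stores it alongside the certificates it imports from the card and later uses it to ask for the matching card, as Douglas explains, so the serial has to be stable for the life of the card and distinct across the cards in use; a value that changes when the card is re-personalised, or a shared fallback constant, breaks that certificate-to-card mapping rather than just the certutil run. Reporting -1 (no serial) on a malformed response is therefore preferable to inventing one.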

Re: AT_SIGNATURE and AT_EXCHANGE Problem

Martin Paljak-4
Hello,

The way to get a "hardware" serial for JavaCards is quite well defined by GlobalPlatform: concatenation of Issuer Identification Number + Card Image Number, which are readable without authentication from decent cards (some Chinese JavaCards are exceptions).

Nevertheless, the presence of the "get serial" card control is out of sync with the rest of the framework. Why is there a mandatory "extension" for something that should be part of the core? It either should be a required part of the usual card function structure, maybe with some sensible defaults or fallbacks, or the "serial" must be derived from some unique data (certificate?) if the callback is not there or no data is present.

The question is how to "grow" the framework: either extend the card function pointers (which right now are almost 1:1 ISO and old, first implementations) or via card controls. I would choose extending the card function pointers.

Also, the requirements for the "serial" must be written down: for example, if the serial remains the same but the card content changes, does this matter? Does this affect some caching somewhere? Is the serial binary or a string, and how long? Is it supposed to be globally unique or just within a batch?

Martin

On Mon Jan 19 2015 at 7:55:44 PM Philip Wendland <[hidden email]> wrote:
Hi,

I will try to solve this problem for the IsoApplet this weekend. My
spare time is limited until then.

However, the problem will be to find a unique identifier for any generic
card..

Kind regards,
Philip

On 19.01.2015 17:26, Douglas E Engert wrote:
> [I should have sent this to the opensc-devel, as others can address some of your questions
> about the state of the muscle applet and isoapplet].
>
> No, that fix was for card-itacns.c; you are using card-muscle.c.
>
> Some equivalent code needs to be added to card-muscle.c, to use whatever information is available that
> Windows could use to uniquely identify the card. This is then stored with the certificates in the Windows store.
> At a later time, Windows uses certificates from the store and can then prompt to have the card mounted, so it can use the
> matching key on the card.
>
> You or someone else that can test a mod to card-muscle.c could submit a code change.
>
> There are 33 card-*.c files, 24 support SC_CARDCTL_GET_SERIALNR. 11 do not.
>
> card-belpic.c
> card-default.c
> card-gemsafeV1.c
> card-ias.c
> card-incrypto34.c
> card-jcop.c
> card-mcrd.c
> card-miocos.c
> card-muscle.c
> card-setcos.c
> iso7816.c
>
> Cards that support SC_CARDCTL_GET_SERIALNR
> card-acos5.c
> card-akis.c
> card-asepcos.c
> card-atrust-acos.c
> card-authentic.c
> card-cardos.c
> card-dnie.c
> card-entersafe.c
> card-epass2003.c
> card-flex.c
> card-gpk.c
> card-iasecc.c
> card-itacns.c
> card-myeid.c
> card-oberthur.c
> card-openpgp.c
> card-piv.c
> card-rtecp.c
> card-rutoken.c
> card-sc-hsm.c
> card-starcos.c
> card-tcos.c
> card-westcos.c
>
>
> To answer some other questions you asked in a private e-mail:
>
> iso7816.c, which implements the basic ISO commands, does not support any card_ctl commands.
> I believe that the IsoApplet is designed to use iso7816.c. I am not sure if the concept of
> a unique "serial number" is part of ISO7816.
>
> I also don't know the state of the muscle applet, or if it has something that can be used as a serial number either.
>
>
>
> On 1/19/2015 8:37 AM, Michael Heydemann wrote:
>> WOW.. Thank you a lot.. I think I owe you a beer..
>>
>> I checked: the fix is from November last year, and the 0.14 version is from summer last year.
>> Does this mean that the nightly build could fix this?
>> Which version should I pull/download?
>>
>> Thank you a lot,
>> Michael
>>
>>> Am 19.01.2015 um 14:35 schrieb Douglas E Engert <[hidden email]>:
>>>
>>> This is the same problem as:
>>>
>>>   https://github.com/OpenSC/OpenSC/pull/321
>>>
>>>
>>> 2015-01-19 09:49:34.203 [cardmod] card.c:720:sc_card_ctl: called
>>> 2015-01-19 09:49:34.203 card_ctl(5) not supported
>>>
>>> The card-muscle.c (and others in OpenSC) does not support SC_CARDCTL_GET_SERIALNR
>>> to get a card "serial number" which windows requires.
>>>
>>>
>>>
>>> On 1/19/2015 3:30 AM, Michael Heydemann wrote:
>>>> Dear OpenSC Development Team,
>>>>
>>>> First of all, I would like to say that I really appreciate your great work.
>>>> I am working on a little project and explored all the nice tools of OpenSC.
>>>> Unfortunately since one week I cannot get around a certain problem.
>>>> I hope this mailing list is the right place and you can help me with that.
>>>>
>>>> My project is about  (1) setting up a PKCS#11 key store on a Java Card,
>>>> (2 ) loading some test data (keys and certificates) on it, and (3) using the card
>>>> with the Windows 7 Key Management.
>>>>
>>>> Hardware:
>>>> * Card Reader: Omnikey 3121USB
>>>> * Java Card: J2A080 - NXP, 80k
>>>>
>>>> (1) Setting up PKCS#11 key store:
>>>> I have installed Ubuntu 14.04.1 in VirtualBox and wrote a bunch of bash scripts
>>>> to install all required software, installing muscle applet to the card, and
>>>> removing the muscle applet from the card. I followed the instructions on
>>>> _http://blog.ev0ke.net/muscle-jcop/_ and everything worked well.
>>>>
>>>> (2) Loading some test data:
>>>> I tried some different ways to get some keys and certificates on the card.
>>>> None of them delivered data which is accepted by Windows 7.
>>>> Here is one set of data I created:
>>>>
>>>> ***************************************************************************************
>>>> Using reader with a card: OMNIKEY CardMan (076B:3022) 3021 00 00
>>>> PKCS#15 Card [MUSCLE]:
>>>> Version        : 0
>>>> Serial number  : 0000
>>>> Manufacturer ID: Identity Alliance
>>>> Last update    : 20150119080705Z
>>>> Flags          : EID compliant
>>>>
>>>> PIN [User PIN]
>>>> Object Flags   : [0x3], private, modifiable
>>>> ID             : 01
>>>> Flags          : [0x10], initialized
>>>> Length         : min_len:4, max_len:8, stored_len:8
>>>> Pad char       : 0x00
>>>> Reference      : 1
>>>> Type           : ascii-numeric
>>>> Path           : 3f005015
>>>>
>>>> Private RSA Key [Card Owner]
>>>> Object Flags   : [0x3], private, modifiable
>>>> Usage          : [0x2E], decrypt, sign, signRecover, unwrap
>>>> Access Flags   : [0x0]
>>>> ModLength      : 1024
>>>> Key ref        : 0 (0x0)
>>>> Native         : yes
>>>> Path           : 3f005015
>>>> Auth ID        : 01
>>>> ID             : 01
>>>>
>>>> Public RSA Key [Card Owner]
>>>> Object Flags   : [0x2], modifiable
>>>> Usage          : [0xD1], encrypt, wrap, verify, verifyRecover
>>>> Access Flags   : [0x0]
>>>> ModLength      : 1024
>>>> Key ref        : 0
>>>> Native         : no
>>>> Path           : 3f0050153000
>>>> ID             : 01
>>>>
>>>> X.509 Certificate [Card Owner Certificate]
>>>> Object Flags   : [0x2], modifiable
>>>> Authority      : no
>>>> Path           : 3f0050153100
>>>> ID             : 01
>>>> Encoded serial : 02 09 00F695059953A904F9
>>>>
>>>> X.509 Certificate [Contact 2 Certificate]
>>>> Object Flags   : [0x2], modifiable
>>>> Authority      : no
>>>> Path           : 3f0050153101
>>>> ID             : 02
>>>> Encoded serial : 02 09 00F695059953A904F9
>>>>
>>>> X.509 Certificate [Contact 3 Certificate]
>>>> Object Flags   : [0x2], modifiable
>>>> Authority      : no
>>>> Path           : 3f0050153102
>>>> ID             : 03
>>>> Encoded serial : 02 09 00F695059953A904F9
>>>>
>>>> X.509 Certificate [Contact 4 Certificate]
>>>> Object Flags   : [0x2], modifiable
>>>> Authority      : no
>>>> Path           : 3f0050153103
>>>> ID             : 04
>>>> Encoded serial : 02 09 00F695059953A904F9
>>>>
>>>> X.509 Certificate [Contact 5 Certificate]
>>>> Object Flags   : [0x2], modifiable
>>>> Authority      : no
>>>> Path           : 3f0050153104
>>>> ID             : 05
>>>> Encoded serial : 02 09 00F695059953A904F9
>>>> ***************************************************************************************
>>>>
>>>> (3) Using the card in Windows 7:
>>>> I installed Windows 7  64 Bit in a VirtualBox and installed
>>>> OpenSC-0.12.2-win64.msi. I also tried OpenSC-0.14.0-win64.msi,
>>>> but with same result.
>>>> I acquired the ATR of the card and properly installed my opens-minidriver.inf:
>>>>
>>>> ***************************************************************************************
>>>> [Version]
>>>> Signature="$Windows NT$"
>>>> Class=SmartCard
>>>> ClassGuid={990A2BD7-E738-46c7-B26F-1CF8FB9F1391}
>>>> Provider=%ProviderName%
>>>> CatalogFile=delta.cat
>>>> DriverVer=05/02/2010,@OPENSC_VERSION_MAJOR@,@OPENSC_VERSION_MINOR@,@OPENSC_VERSION_FIX@,0
>>>>
>>>> [Manufacturer]
>>>> %ProviderName%=Minidriver,NTamd64,NTamd64.6.1,NTx86,NTx86.6.1
>>>>
>>>> [Minidriver.NTamd64]
>>>> %CardDeviceName%=Minidriver64_Install,SCFILTER\CID_00640181010c829000
>>>>
>>>> [Minidriver.NTx86]
>>>> %CardDeviceName%=Minidriver32_Install,SCFILTER\CID_00640181010c829000
>>>>
>>>> [Minidriver.NTamd64.6.1]
>>>> %CardDeviceName%=Minidriver64_61_Install,SCFILTER\CID_00640181010c829000
>>>>
>>>> [Minidriver.NTx86.6.1]
>>>> %CardDeviceName%=Minidriver32_61_Install,SCFILTER\CID_00640181010c829000
>>>>
>>>> [DefaultInstall]
>>>> CopyFiles=x86_CopyFiles
>>>> AddReg=AddRegDefault
>>>>
>>>> [DefaultInstall.ntamd64]
>>>> CopyFiles=amd64_CopyFiles
>>>> CopyFiles=wow64_CopyFiles
>>>> AddReg=AddRegWOW64
>>>> AddReg=AddRegDefault
>>>>
>>>> [DefaultInstall.NTx86]
>>>> CopyFiles=x86_CopyFiles
>>>> AddReg=AddRegDefault
>>>>
>>>> [DefaultInstall.ntamd64.6.1]
>>>> AddReg=AddRegWOW64
>>>> AddReg=AddRegDefault
>>>>
>>>> [DefaultInstall.NTx86.6.1]
>>>> AddReg=AddRegDefault
>>>>
>>>> [SourceDisksFiles]
>>>> %SmartCardCardModule%=1
>>>> %SmartCardCardModule64%=1
>>>>
>>>> [SourceDisksNames]
>>>> 1 = %MediaDescription%
>>>>
>>>> [Minidriver64_Install.NT]
>>>> CopyFiles=amd64_CopyFiles
>>>> CopyFiles=wow64_CopyFiles
>>>> AddReg=AddRegWOW64
>>>> AddReg=AddRegDefault
>>>>
>>>> [Minidriver64_61_Install.NT]
>>>> AddReg=AddRegWOW64
>>>> AddReg=AddRegDefault
>>>> Include=umpass.inf
>>>> Needs=UmPass
>>>>
>>>> [Minidriver32_Install.NT]
>>>> CopyFiles=x86_CopyFiles
>>>> AddReg=AddRegDefault
>>>>
>>>> [Minidriver32_61_Install.NT]
>>>> AddReg=AddRegDefault
>>>> Include=umpass.inf
>>>> Needs=UmPass
>>>>
>>>> [Minidriver64_61_Install.NT.Services]
>>>> Include=umpass.inf
>>>> Needs=UmPass.Services
>>>>
>>>> [Minidriver32_61_Install.NT.Services]
>>>> Include=umpass.inf
>>>> Needs=UmPass.Services
>>>>
>>>>
>>>> [Minidriver64_61_Install.NT.HW]
>>>> Include=umpass.inf
>>>> Needs=UmPass.HW
>>>>
>>>> [Minidriver64_61_Install.NT.CoInstallers]
>>>> Include=umpass.inf
>>>> Needs=UmPass.CoInstallers
>>>>
>>>>
>>>> [Minidriver64_61_Install.NT.Interfaces]
>>>> Include=umpass.inf
>>>> Needs=UmPass.Interfaces
>>>>
>>>>
>>>> [Minidriver32_61_Install.NT.HW]
>>>> Include=umpass.inf
>>>> Needs=UmPass.HW
>>>>
>>>> [Minidriver32_61_Install.NT.CoInstallers]
>>>> Include=umpass.inf
>>>> Needs=UmPass.CoInstallers
>>>>
>>>>
>>>> [Minidriver32_61_Install.NT.Interfaces]
>>>> Include=umpass.inf
>>>> Needs=UmPass.Interfaces
>>>>
>>>>
>>>> [amd64_CopyFiles]
>>>> ;%SmartCardCardModule%,%SmartCardCardModule64%
>>>>
>>>> [x86_CopyFiles]
>>>> ;%SmartCardCardModule%
>>>>
>>>> [wow64_CopyFiles]
>>>> ;%SmartCardCardModule64%
>>>>
>>>> [AddRegWOW64]
>>>> HKLM, %SmartCardNameWOW64%,"ATR",0x00000001,3b,f8,13,00,00,81,31,fe,45,4A,43,4f,50,76,32,34,31,b7
>>>> HKLM, %SmartCardNameWOW64%,"ATRMask",0x00000001,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff
>>>> HKLM, %SmartCardNameWOW64%,"Crypto Provider",0x00000000,"Microsoft Base Smart Card Crypto Provider"
>>>> HKLM, %SmartCardNameWOW64%,"Smart Card Key Storage Provider",0x00000000,"Microsoft Smart Card Key Storage Provider"
>>>> HKLM, %SmartCardNameWOW64%,"80000001",0x00000000,%SmartCardCardModule64%
>>>>
>>>> [AddRegDefault]
>>>> HKLM, %SmartCardName%,"ATR",0x00000001,3b,f8,13,00,00,81,31,fe,45,4A,43,4f,50,76,32,34,31,b7
>>>> HKLM, %SmartCardName%,"ATRMask",0x00000001,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff
>>>> HKLM, %SmartCardName%,"Crypto Provider",0x00000000,"Microsoft Base Smart Card Crypto Provider"
>>>> HKLM, %SmartCardName%,"Smart Card Key Storage Provider",0x00000000,"Microsoft Smart Card Key Storage Provider"
>>>> HKLM, %SmartCardName%,"80000001",0x00000000,%SmartCardCardModule%
>>>>
>>>> [DestinationDirs]
>>>> amd64_CopyFiles=10,system32
>>>> x86_CopyFiles=10,system32
>>>> wow64_CopyFiles=10,syswow64
>>>>
>>>>
>>>> ; =================== Generic ==================================
>>>>
>>>> [Strings]
>>>> ProviderName="OpenSC"
>>>> MediaDescription="OpenSC Card Minidriver Installation Disk"
>>>> CardDeviceName="Muscle Card"
>>>> SmartCardName="SOFTWARE\Microsoft\Cryptography\Calais\SmartCards\Muscle Card"
>>>> SmartCardNameWOW64="SOFTWARE\Wow6432Node\Microsoft\Cryptography\Calais\SmartCards\Muscle Card"
>>>> SmartCardCardModule="opensc-minidriver.dll"
>>>> ***************************************************************************************
>>>>
>>>> When the card is inserted the driver is used as shown in device manager
>>>> as well as in certutil.exe.
>>>> Now here is the actual problem:
>>>> When I try to use the card with certutil.exe -SCinfo  several times a dialog pops up
>>>> complaining that the card does not have the required functions.
>>>> The terminal output is like this. I am sorry for pasting this in German.
>>>> I added some translations:
>>>>
>>>> ***************************************************************************************
>>>> Microsoft Windows [Version 6.1.7601]
>>>> Copyright (c) 2009 Microsoft Corporation. Alle Rechte vorbehalten.
>>>>
>>>> C:\Users\developer>certutil -scinfo
>>>> Die Microsoft Smartcard-Ressourcenverwaltung wird ausgeführt.
>>>> Aktueller Leser-/Kartenstatus: (Current Reader/Card Status)
>>>> Leser: 1 (Reader: 1)
>>>>    0: OMNIKEY CardMan 3x21 0
>>>> --- Leser: OMNIKEY CardMan 3x21 0 (Reader)
>>>> --- Status: SCARD_STATE_PRESENT | SCARD_STATE_UNPOWERED
>>>> --- Status: Die Smartcard kann verwendet werden.
>>>> ---  Karte: Muscle Card
>>>> ---    ATR:
>>>>          3b f8 13 00 00 81 31 fe  45 4a 43 4f 50 76 32 34   ;.....1.EJCOPv24
>>>>          31 b7                                              1.
>>>>
>>>>
>>>> =======================================================
>>>> Karte im Leser wird analysiert: OMNIKEY CardMan 3x21 0 (Trans: The card in the reader is being analyzed)
>>>>
>>>> --------------===========================--------------
>>>> ================ Zertifikat 0 ================ (Trans: Certificate 0)
>>>> --- Leser: OMNIKEY CardMan 3x21 0 (Reader)
>>>> ---  Karte: Muscle Card
>>>> Anbieter = Microsoft Base Smart Card Crypto Provider
>>>> Schlüsselcontainer = (null) [Standardcontainer] (Trans: standard container)
>>>>
>>>> Schlüssel "AT_SIGNATURE" kann nicht geöffnet werden für Leser: OMNIKEY CardMan 3x21 0 (Trans: Key „AT_SIGNATURE“ could not be opened)
>>>> Schlüssel "AT_KEYEXCHANGE" kann nicht geöffnet werden für Leser: OMNIKEY CardMan 3x21 0 (Trans: Key „AT_SIGNATURE“ could not be opened)
>>>>
>>>> --------------===========================--------------
>>>> ================ Zertifikat 0 ================
>>>> --- Leser: OMNIKEY CardMan 3x21 0
>>>> ---  Karte: Smart Security Device (Brainchild)
>>>> Anbieter = Microsoft Smart Card Key Storage Provider
>>>> Schlüsselcontainer = (null) [Standardcontainer]
>>>>
>>>> Schlüssel "" kann nicht geöffnet werden für Leser: OMNIKEY CardMan 3x21 0 (Trans: Key „“ could not be opened)
>>>>
>>>> --------------===========================--------------
>>>>
>>>> Fertig.
>>>> CertUtil: -SCInfo-Befehl wurde erfolgreich ausgeführt. (Trans: -SCinfo command has been executed with success)
>>>> ***************************************************************************************
>>>>
>>>> I also configured to use a log file in opensc.conf and debug level 9.
>>>> Unfortunately the file is about 2.5 MB. I try to add it as an attachment to this mail,
>>>> but I am not sure if this is working with a mailing list.
>>>>
>>>> I already inspected the log, but found nothing suspicious.
>>>> I think maybe there have to be a private key to be marked
>>>> for use as AT_SIGNATURE and one for AT_EXCHANGE.
>>>> But how?
>>>>
>>>> Or maybe I am completely wrong and something different is going wrong.
>>>>
>>>> Any help would be appreciated!
>>>>
>>>> Best Regards,
>>>> Michael
>>>>
>>>>
>>>>
>>>> ------------------------------------------------------------------------------
>>>> New Year. New Location. New Benefits. New Data Center in Ashburn, VA.
>>>> GigeNET is offering a free month of service with a new server in Ashburn.
>>>> Choose from 2 high performing configs, both with 100TB of bandwidth.
>>>> Higher redundancy.Lower latency.Increased capacity.Completely compliant.
>>>> http://p.sf.net/sfu/gigenet
>>>>
>>>>
>>>>
>>>> _______________________________________________
>>>> Opensc-devel mailing list
>>>> [hidden email]
>>>> https://lists.sourceforge.net/lists/listinfo/opensc-devel
>>>>
>>>
>>> --
>>>
>>>   Douglas E. Engert  <[hidden email]>
>>>
>>>
>>
>



Re: AT_SIGNATURE and AT_EXCHANGE Problem

Douglas E Engert


On 1/19/2015 12:11 PM, Martin Paljak wrote:

> Hello,
>
> The way to get a "hardware" serial for JavaCard-s is quite well defined by GlobalPlatform: concatenation of Issuer Identification Number + Card Image Number, which are readable without authentication
> from decent cards (some Chinese JavaCard-s are exceptions)
>
> Nevertheless, the presence of the "get serial" card control is out of sync with the rest of the framework. Why is there a mandatory "extension" for something that should be part of the core? It either
> should be a required part of the usual card function structure, maybe with some sensible defaults or fallbacks, or the "serial" must be derived from some unique data (certificate?) if the callback is not
> there or no data present.
>
> The question is how to "grow" the framework: either extend the card function pointers (that right now is almost 1:1 ISO and old, first implementations) or via card controls. I would choose extending
> the card function pointers.
>
> Also, the requirements for the "serial" must be written down:

The use case for the OpenSC minidriver on Windows comes from:

http://msdn.microsoft.com/en-us/library/windows/hardware/dn468755(v=vs.85).aspx

Search for cardID, Card Identifier and/or wszGuid

Windows may cache all the certificates from a smart card in the certificate store, along with the
container_name of the card. It can then use the certificates from the cache, and if the card is needed,
prompt the user to enter the card that contains the private key matching the certificate it found in the
store.

See the OpenSC minidriver.c:

/*
 * Set 'cardid' from the 'serialNumber' attribute of the 'tokenInfo'
 */
static DWORD
md_set_cardid(PCARD_DATA pCardData, struct md_file *file)

So for OpenSC cards to work with the minidriver, they need a way to consistently generate a serial number for the card.
How it does this is up to the card driver.

> for example, if the serial remains the same but card content changes, does this matter?

Maybe, as a user's cache will still have the old contents cached. It's not clear what Microsoft will do.

> does this affect some caching somewhere?

Yes, the cardID has been cached on a user's machine.

> Is the serial binary or string, how long?

The serial number is converted by the minidriver.c to a GUID for Microsoft.

> Is it supposed to be globally unique or just for a batch?

It should at least be unique for a user's workstation, but should be globally unique.


For the Microsoft built-in PIV driver, Microsoft uses the FASC-N or GUID from the CHUID object to derive the cardid.


>
> Martin
>
> On Mon Jan 19 2015 at 7:55:44 PM Philip Wendland <[hidden email]> wrote:
>
>     Hi,
>
>     I will try to solve this problem for the IsoApplet this weekend. My
>     spare time is limited until then.
>
>     However, the problem will be to find a unique identifier for any generic
>     card..
>
>     Kind regards,
>     Philip
>
>     On 19.01.2015 17:26, Douglas E Engert wrote:
>      > [I should have sent this to the opensc-devel, as others can address some of your questions
>      > about the state of the muscle applet and isoapplet].
>      >
>      > No, That fix was for the card-itacns.c, you are using the card-muscle.c.
>      >
>      > Some equivalent code needs to be added to card-muscle.c, to use what ever information is available that
>      > windows could use to uniquely identify the card. This is then stored with the certificates in the windows store.
>      > At a later time, windows uses certificates from the store and can then prompt to have the card mounted, so it can use the
>      > matching key on the card.
>      >
>      > You or someone else that can test a mod to card-muscle.c could submit a code change.
>      >
>      > There are 33 card-*.c files, 24 support SC_CARDCTL_GET_SERIALNR. 11 do not.
>      >
>      > card-belpic.c
>      > card-default.c
>      > card-gemsafeV1.c
>      > card-ias.c
>      > card-incrypto34.c
>      > card-jcop.c
>      > card-mcrd.c
>      > card-miocos.c
>      > card-muscle.c
>      > card-setcos.c
>      > iso7816.c
>      >
>      > Cards that support SC_CARDCTL_GET_SERIALNR
>      > card-acos5.c
>      > card-akis.c
>      > card-asepcos.c
>      > card-atrust-acos.c
>      > card-authentic.c
>      > card-cardos.c
>      > card-dnie.c
>      > card-entersafe.c
>      > card-epass2003.c
>      > card-flex.c
>      > card-gpk.c
>      > card-iasecc.c
>      > card-itacns.c
>      > card-myeid.c
>      > card-oberthur.c
>      > card-openpgp.c
>      > card-piv.c
>      > card-rtecp.c
>      > card-rutoken.c
>      > card-sc-hsm.c
>      > card-starcos.c
>      > card-tcos.c
>      > card-westcos.c
>      >
>      >
>      > To answer some other questions you asked in a private e-mail:
>      >
>      > iso7816.c, which implements the basic ISO commands, does not support any card_ctl commands.
>      > I believe that the IsoApplet is designed to use the iso7816.c. I am not sure if the concept of
>      > a unique "serial number" is part of ISO7816.
>      >
>      > I also don't know the state of the muscle applet, or if it has something that can be used as a serial number either.
>      >
>      >
>      >
>      > On 1/19/2015 8:37 AM, Michael Heydemann wrote:
>      >> WOW.. Thank you a lot.. I think I owe you a beer..
>      >>
>      >> I checked the fix is from November last year, and the 0.14 version is from summer last year.
>      >> Does this mean, that the nightly build could fix this?
>      >> What version I should pull/download?
>      >>
>      >> Thank you a lot,
>      >> Michael
>      >>
>      >>> On 19.01.2015 at 14:35, Douglas E Engert <[hidden email]> wrote:
>      >>>
>      >>> This is the same problem as:
>      >>>
>      >>> https://github.com/OpenSC/OpenSC/pull/321
>      >>>
>      >>>
>      >>> 2015-01-19 09:49:34.203 [cardmod] card.c:720:sc_card_ctl: called
>      >>> 2015-01-19 09:49:34.203 card_ctl(5) not supported
>      >>>
>      >>> The card-muscle.c (and others in OpenSC) does not support SC_CARDCTL_GET_SERIALNR
>      >>> to get a card "serial number" which windows requires.
>      >>>
>      >>>
>      >>>
>      >>> On 1/19/2015 3:30 AM, Michael Heydemann wrote:
>      >>>> Dear OpenSC Development Team,
>      >>>>
>      >>>> First of all, I would like to say that I really appreciate your great work.
>      >>>> I am working on a little project and explored all the nice tools of OpenSC.
>      >>>> Unfortunately since one week I cannot get around a certain problem.
>      >>>> I hope this mailing list is the right place and you can help me with that.
>      >>>>
>      >>>> My project is about  (1) setting up a PKCS#11 key store on a Java Card,
>      >>>> (2 ) loading some test data (keys and certificates) on it, and (3) using the card
>      >>>> with the Windows 7 Key Management.
>      >>>>
>      >>>> Hardware:
>      >>>> * Card Reader: Omnikey 3121USB
>      >>>> * Java Card: J2A080 - NXP, 80k
>      >>>>
>      >>>> (1) Setting up PKCS#11 key store:
>      >>>> I have installed Ubuntu 14.04.1 in VirtualBox and wrote a bunch of bash scripts
>      >>>> to install all required software, installing muscle applet to the card, and
>      >>>> removing the muscle applet from the card. I followed the instructions on
>      >>>> _http://blog.ev0ke.net/muscle-__jcop/_ <http://blog.ev0ke.net/muscle-jcop/_> and everything worked well.
>      >>>>
>      >>>> (2) Loading some test data:
>      >>>> I tried some different ways to get some keys and certificates on the card.
>      >>>> None of them delivered data which is accepted by Windows 7.
>      >>>> Here is one set of data I created:
>      >>>>
>      >>>> ******************************__******************************__***************************
>      >>>> Using reader with a card: OMNIKEY CardMan (076B:3022) 3021 00 00
>      >>>> PKCS#15 Card [MUSCLE]:
>      >>>> Version        : 0
>      >>>> Serial number  : 0000
>      >>>> Manufacturer ID: Identity Alliance
>      >>>> Last update    : 20150119080705Z
>      >>>> Flags          : EID compliant
>      >>>>
>      >>>> PIN [User PIN]
>      >>>> Object Flags   : [0x3], private, modifiable
>      >>>> ID             : 01
>      >>>> Flags          : [0x10], initialized
>      >>>> Length         : min_len:4, max_len:8, stored_len:8
>      >>>> Pad char       : 0x00
>      >>>> Reference      : 1
>      >>>> Type           : ascii-numeric
>      >>>> Path           : 3f005015
>      >>>>
>      >>>> Private RSA Key [Card Owner]
>      >>>> Object Flags   : [0x3], private, modifiable
>      >>>> Usage          : [0x2E], decrypt, sign, signRecover, unwrap
>      >>>> Access Flags   : [0x0]
>      >>>> ModLength      : 1024
>      >>>> Key ref        : 0 (0x0)
>      >>>> Native         : yes
>      >>>> Path           : 3f005015
>      >>>> Auth ID        : 01
>      >>>> ID             : 01
>      >>>>
>      >>>> Public RSA Key [Card Owner]
>      >>>> Object Flags   : [0x2], modifiable
>      >>>> Usage          : [0xD1], encrypt, wrap, verify, verifyRecover
>      >>>> Access Flags   : [0x0]
>      >>>> ModLength      : 1024
>      >>>> Key ref        : 0
>      >>>> Native         : no
>      >>>> Path           : 3f0050153000
>      >>>> ID             : 01
>      >>>>
>      >>>> X.509 Certificate [Card Owner Certificate]
>      >>>> Object Flags   : [0x2], modifiable
>      >>>> Authority      : no
>      >>>> Path           : 3f0050153100
>      >>>> ID             : 01
>      >>>> Encoded serial : 02 09 00F695059953A904F9
>      >>>>
>      >>>> X.509 Certificate [Contact 2 Certificate]
>      >>>> Object Flags   : [0x2], modifiable
>      >>>> Authority      : no
>      >>>> Path           : 3f0050153101
>      >>>> ID             : 02
>      >>>> Encoded serial : 02 09 00F695059953A904F9
>      >>>>
>      >>>> X.509 Certificate [Contact 3 Certificate]
>      >>>> Object Flags   : [0x2], modifiable
>      >>>> Authority      : no
>      >>>> Path           : 3f0050153102
>      >>>> ID             : 03
>      >>>> Encoded serial : 02 09 00F695059953A904F9
>      >>>>
>      >>>> X.509 Certificate [Contact 4 Certificate]
>      >>>> Object Flags   : [0x2], modifiable
>      >>>> Authority      : no
>      >>>> Path           : 3f0050153103
>      >>>> ID             : 04
>      >>>> Encoded serial : 02 09 00F695059953A904F9
>      >>>>
>      >>>> X.509 Certificate [Contact 5 Certificate]
>      >>>> Object Flags   : [0x2], modifiable
>      >>>> Authority      : no
>      >>>> Path           : 3f0050153104
>      >>>> ID             : 05
>      >>>> Encoded serial : 02 09 00F695059953A904F9
>      >>>> ******************************__******************************__***************************
>      >>>>
>      >>>> (3) Using the card in Windows 7:
>      >>>> I installed Windows 7  64 Bit in a VirtualBox and installed
>      >>>> OpenSC-0.12.2-win64.msi. I also tried OpenSC-0.14.0-win64.msi,
>      >>>> but with same result.
>      >>>> I acquired the ATR of the card and properly installed my opens-minidriver.inf:
>      >>>>
>      >>>> ******************************__******************************__***************************
>      >>>> [Version]
>      >>>> Signature="$Windows NT$"
>      >>>> Class=SmartCard
>      >>>> ClassGuid={990A2BD7-E738-46c7-__B26F-1CF8FB9F1391}
>      >>>> Provider=%ProviderName%
>      >>>> CatalogFile=delta.cat <http://delta.cat>
>      >>>> DriverVer=05/02/2010,@OPENSC___VERSION_MAJOR@,@OPENSC___VERSION_MINOR@,@OPENSC___VERSION_FIX@,0
>      >>>>
>      >>>> [Manufacturer]
>      >>>> %ProviderName%=Minidriver,__NTamd64,NTamd64.6.1,NTx86,__NTx86.6.1
>      >>>>
>      >>>> [Minidriver.NTamd64]
>      >>>> %CardDeviceName%=Minidriver64___Install,SCFILTER\CID___00640181010c829000
>      >>>>
>      >>>> [Minidriver.NTx86]
>      >>>> %CardDeviceName%=Minidriver32___Install,SCFILTER\CID___00640181010c829000
>      >>>>
>      >>>> [Minidriver.NTamd64.6.1]
>      >>>> %CardDeviceName%=Minidriver64___61_Install,SCFILTER\CID___00640181010c829000
>      >>>>
>      >>>> [Minidriver.NTx86.6.1]
>      >>>> %CardDeviceName%=Minidriver32___61_Install,SCFILTER\CID___00640181010c829000
>      >>>>
>      >>>> [DefaultInstall]
>      >>>> CopyFiles=x86_CopyFiles
>      >>>> AddReg=AddRegDefault
>      >>>>
>      >>>> [DefaultInstall.ntamd64]
>      >>>> CopyFiles=amd64_CopyFiles
>      >>>> CopyFiles=wow64_CopyFiles
>      >>>> AddReg=AddRegWOW64
>      >>>> AddReg=AddRegDefault
>      >>>>
>      >>>> [DefaultInstall.NTx86]
>      >>>> CopyFiles=x86_CopyFiles
>      >>>> AddReg=AddRegDefault
>      >>>>
>      >>>> [DefaultInstall.ntamd64.6.1]
>      >>>> AddReg=AddRegWOW64
>      >>>> AddReg=AddRegDefault
>      >>>>
>      >>>> [DefaultInstall.NTx86.6.1]
>      >>>> AddReg=AddRegDefault
>      >>>>
>      >>>> [SourceDisksFiles]
>      >>>> %SmartCardCardModule%=1
>      >>>> %SmartCardCardModule64%=1
>      >>>>
>      >>>> [SourceDisksNames]
>      >>>> 1 = %MediaDescription%
>      >>>>
>      >>>> [Minidriver64_Install.NT]
>      >>>> CopyFiles=amd64_CopyFiles
>      >>>> CopyFiles=wow64_CopyFiles
>      >>>> AddReg=AddRegWOW64
>      >>>> AddReg=AddRegDefault
>      >>>>
>      >>>> [Minidriver64_61_Install.NT]
>      >>>> AddReg=AddRegWOW64
>      >>>> AddReg=AddRegDefault
>      >>>> Include=umpass.inf
>      >>>> Needs=UmPass
>      >>>>
>      >>>> [Minidriver32_Install.NT]
>      >>>> CopyFiles=x86_CopyFiles
>      >>>> AddReg=AddRegDefault
>      >>>>
>      >>>> [Minidriver32_61_Install.NT]
>      >>>> AddReg=AddRegDefault
>      >>>> Include=umpass.inf
>      >>>> Needs=UmPass
>      >>>>
>      >>>> [Minidriver64_61_Install.NT.__Services]
>      >>>> Include=umpass.inf
>      >>>> Needs=UmPass.Services
>      >>>>
>      >>>> [Minidriver32_61_Install.NT.__Services]
>      >>>> Include=umpass.inf
>      >>>> Needs=UmPass.Services
>      >>>>
>      >>>>
>      >>>> [Minidriver64_61_Install.NT.__HW]
>      >>>> Include=umpass.inf
>      >>>> Needs=UmPass.HW
>      >>>>
>      >>>> [Minidriver64_61_Install.NT.__CoInstallers]
>      >>>> Include=umpass.inf
>      >>>> Needs=UmPass.CoInstallers
>      >>>>
>      >>>>
>      >>>> [Minidriver64_61_Install.NT.__Interfaces]
>      >>>> Include=umpass.inf
>      >>>> Needs=UmPass.Interfaces
>      >>>>
>      >>>>
>      >>>> [Minidriver32_61_Install.NT.__HW]
>      >>>> Include=umpass.inf
>      >>>> Needs=UmPass.HW
>      >>>>
>      >>>> [Minidriver32_61_Install.NT.__CoInstallers]
>      >>>> Include=umpass.inf
>      >>>> Needs=UmPass.CoInstallers
>      >>>>
>      >>>>
>      >>>> [Minidriver32_61_Install.NT.__Interfaces]
>      >>>> Include=umpass.inf
>      >>>> Needs=UmPass.Interfaces
>      >>>>
>      >>>>
>      >>>> [amd64_CopyFiles]
>      >>>> ;%SmartCardCardModule%,%__SmartCardCardModule64%
>      >>>>
>      >>>> [x86_CopyFiles]
>      >>>> ;%SmartCardCardModule%
>      >>>>
>      >>>> [wow64_CopyFiles]
>      >>>> ;%SmartCardCardModule64%
>      >>>>
>      >>>> [AddRegWOW64]
>      >>>> HKLM, %SmartCardNameWOW64%,"ATR",__0x00000001,3b,f8,13,00,00,81,__31,fe,45,4A,43,4f,50,76,32,34,__31,b7
>      >>>> HKLM, %SmartCardNameWOW64%,"ATRMask"__,0x00000001,ff,ff,ff,ff,ff,ff,__ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,__ff,ff
>      >>>> HKLM, %SmartCardNameWOW64%,"Crypto Provider",0x00000000,"__Microsoft Base Smart Card Crypto Provider"
>      >>>> HKLM, %SmartCardNameWOW64%,"Smart Card Key Storage Provider",0x00000000,"__Microsoft Smart Card Key Storage Provider"
>      >>>> HKLM, %SmartCardNameWOW64%,"__80000001",0x00000000,%__SmartCardCardModule64%
>      >>>>
>      >>>> [AddRegDefault]
>      >>>> HKLM, %SmartCardName%,"ATR",__0x00000001,3b,f8,13,00,00,81,__31,fe,45,4A,43,4f,50,76,32,34,__31,b7
>      >>>> HKLM, %SmartCardName%,"ATRMask",__0x00000001,ff,ff,ff,ff,ff,ff,__ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,__ff,ff
>      >>>> HKLM, %SmartCardName%,"Crypto Provider",0x00000000,"__Microsoft Base Smart Card Crypto Provider"
>      >>>> HKLM, %SmartCardName%,"Smart Card Key Storage Provider",0x00000000,"__Microsoft Smart Card Key Storage Provider"
>      >>>> HKLM, %SmartCardName%,"80000001",__0x00000000,%__SmartCardCardModule%
>      >>>>
>      >>>> [DestinationDirs]
>      >>>> amd64_CopyFiles=10,system32
>      >>>> x86_CopyFiles=10,system32
>      >>>> wow64_CopyFiles=10,syswow64
>      >>>>
>      >>>>
>      >>>> ; =================== Generic ==============================__====
>      >>>>
>      >>>> [Strings]
>      >>>> ProviderName =„OpenSC"
>      >>>> MediaDescription=„OpenSC Card Minidriver Installation Disk"
>      >>>> CardDeviceName=„Muscle Card"
>      >>>> SmartCardName="SOFTWARE\__Microsoft\Cryptography\Calais\__SmartCards\Muscle Card"
>      >>>> SmartCardNameWOW64="SOFTWARE\__Wow6432Node\Microsoft\__Cryptography\Calais\__SmartCards\Muscle Card"
>      >>>> SmartCardCardModule="opensc-__minidriver.dll"
>      >>>> ******************************__******************************__***************************
>      >>>>
>      >>>> When the card is inserted the driver is used as shown in device manager
>      >>>> as well as in certutil.exe.
>      >>>> Now here is the actual problem:
>      >>>> When I try to use the card with certutil.exe -SCinfo  several times a dialog pops up
>      >>>> complaining that the card does not have the required functions.
>      >>>> The terminal output is like this. I am sorry for pasting this in German.
>      >>>> I added some translations:
>      >>>>
>      >>>> ***************************************************************************************
>      >>>> Microsoft Windows [Version 6.1.7601]
>      >>>> Copyright (c) 2009 Microsoft Corporation. Alle Rechte vorbehalten.
>      >>>>
>      >>>> C:\Users\developer>certutil -scinfo
>      >>>> Die Microsoft Smartcard-Ressourcenverwaltung wird ausgeführt.
>      >>>> Aktueller Leser-/Kartenstatus: (Current Reader/Card Status)
>      >>>> Leser: 1 (Reader: 1)
>      >>>>    0: OMNIKEY CardMan 3x21 0
>      >>>> --- Leser: OMNIKEY CardMan 3x21 0 (Reader)
>      >>>> --- Status: SCARD_STATE_PRESENT | SCARD_STATE_UNPOWERED
>      >>>> --- Status: Die Smartcard kann verwendet werden.
>      >>>> ---  Karte: Muscle Card
>      >>>> ---    ATR:
>      >>>>          3b f8 13 00 00 81 31 fe  45 4a 43 4f 50 76 32 34   ;.....1.EJCOPv24
>      >>>>          31 b7                                              1.
>      >>>>
>      >>>>
>      >>>> =======================================================
>      >>>> Karte im Leser wird analysiert: OMNIKEY CardMan 3x21 0 (Trans: The card in the reader is being analyzed)
>      >>>>
>      >>>> --------------===========================--------------
>      >>>> ================ Zertifikat 0 ================ (Trans: Certificate 0)
>      >>>> --- Leser: OMNIKEY CardMan 3x21 0 (Reader)
>      >>>> ---  Karte: Muscle Card
>      >>>> Anbieter = Microsoft Base Smart Card Crypto Provider
>      >>>> Schlüsselcontainer = (null) [Standardcontainer] (Trans: standard container)
>      >>>>
>      >>>> Schlüssel "AT_SIGNATURE" kann nicht geöffnet werden für Leser: OMNIKEY CardMan 3 (Trans: Key "AT_SIGNATURE" could not be opened)
>      >>>> x21 0
>      >>>> Schlüssel "AT_KEYEXCHANGE" kann nicht geöffnet werden für Leser: OMNIKEY CardMan (Trans: Key "AT_KEYEXCHANGE" could not be opened)
>      >>>>   3x21 0
>      >>>>
>      >>>> --------------===========================--------------
>      >>>> ================ Zertifikat 0 ================
>      >>>> --- Leser: OMNIKEY CardMan 3x21 0
>      >>>> ---  Karte: Smart Security Device (Brainchild)
>      >>>> Anbieter = Microsoft Smart Card Key Storage Provider
>      >>>> Schlüsselcontainer = (null) [Standardcontainer]
>      >>>>
>      >>>> Schlüssel "" kann nicht geöffnet werden für Leser: OMNIKEY CardMan 3x21 0 (Trans: Key "" could not be opened)
>      >>>>
>      >>>> --------------===========================--------------
>      >>>>
>      >>>> Fertig.
>      >>>> CertUtil: -SCInfo-Befehl wurde erfolgreich ausgeführt. (Trans: -SCinfo command has been executed with success)
>      >>>> ***************************************************************************************
>      >>>>
>      >>>> I also configured OpenSC to use a log file in opensc.conf with debug level 9.
>      >>>> Unfortunately the file is about 2.5 MB. I try to add it as an attachment to this mail,
>      >>>> but I am not sure if this is working with a mailing list.
>      >>>>
>      >>>> I already inspected the log, but found nothing suspicious.
>      >>>> I think maybe there has to be a private key marked
>      >>>> for use as AT_SIGNATURE and one for AT_EXCHANGE.
>      >>>> But how?
>      >>>>
>      >>>> Or maybe I am completely wrong and something different is going wrong.
>      >>>>
>      >>>> Any help would be appreciated!
>      >>>>
>      >>>> Best Regards,
>      >>>> Michael
>      >>>>
>      >>>>
>      >>>>
>      >>>> ------------------------------------------------------------------------------
>      >>>> New Year. New Location. New Benefits. New Data Center in Ashburn, VA.
>      >>>> GigeNET is offering a free month of service with a new server in Ashburn.
>      >>>> Choose from 2 high performing configs, both with 100TB of bandwidth.
>      >>>> Higher redundancy. Lower latency. Increased capacity. Completely compliant.
>      >>>> http://p.sf.net/sfu/gigenet
>      >>>>
>      >>>> _______________________________________________
>      >>>> Opensc-devel mailing list
>      >>>> [hidden email]
>      >>>> https://lists.sourceforge.net/lists/listinfo/opensc-devel
>      >>>>
>      >>>
>      >>> --
>      >>>
>      >>>   Douglas E. Engert  <[hidden email]>
>      >>>

--

  Douglas E. Engert  <[hidden email]>



Re: AT_SIGNATURE and AT_EXCHANGE Problem

Philip Wendland
In reply to this post by Martin Paljak-4
Hello Martin Paljak,

On 01/19/2015 07:11 PM, Martin Paljak wrote:
> Hello,
>
> The way to get a "hardware" serial for JavaCard-s is quite well defined by
> GlobalPlatform: concatenation of Issuer Identification Number + Card Image
> Number, which are readable without authentication from decent cards (some
> Chinese JavaCard-s are exceptions)
>

Thanks for the info. I tried reading those numbers from 4 different Java
Cards. Although defined by GlobalPlatform:

Security Domains shall support at least the following data object tags:
• Tag '42': Issuer Identification Number (or Security Domain Provider
Identification Number);
• Tag '45': Card Image Number (or Security Domain Image Number);
• Tag '66': Card Data (or Security Domain Management Data);

only 1 card (a very old Athena Pro 72K - I don't even have ISD keys for
that card) returned the requested data. Unfortunately, this seems very
unreliable. Or did I send a wrong request?

I used GET DATA to the ISD:
CLA INS P1 P2 Le
80  CA  00 45 00 and
80  CA  00 42 00

Maybe deriving the serial number from a certificate/public key is a
better (more portable) approach. But there might be side-effects that I
don't think of right now.
Then again, which certificate should be chosen? There might be more than
one certificate/public key in the applet. Certificates might also be
deleted from the filesystem again.

> Nevertheless, the presence of the "get serial" card control is out of sync
> with the rest of the framework. Why is there a mandatory "extension" for
> something that should be part of the core? It either should be a required
> part of the usual card function structure, maybe with some sensible
> defaults or fallbacks, or the "serial" must be derived from some unique data
> (certificate?) if the callback is not there or no data present.
>

I kind of agree. When writing card drivers for OpenSC you usually look
at the sc_card_operations struct; for me it was not clear for a long
time that the SC_CARDCTL_GET_SERIALNR cardctl is required for Windows
functionality.
(Windows support was never a requirement for the IsoApplet anyway,
until now.)

> The question is how to "grow" the framework: either extend the card
> function pointers (that right now is almost 1:1 ISO and old, first
> implementations) or via card controls. I would choose extending the card
> function pointers.
>
> Also, the requirements for the "serial" must be written down: for
> example, if the serial remains the same but card content changes, does this
> matter? Does this affect some caching somewhere? Is the serial binary or
> string, how long? Is it supposed to be globally unique or just for a batch?
>
> Martin
>
> On Mon Jan 19 2015 at 7:55:44 PM Philip Wendland <[hidden email]>
> wrote:
>
>> Hi,
>>
>> I will try to solve this problem for the IsoApplet this weekend. My
>> spare time is limited until then.
>>
>> However, the problem will be to find a unique identifier for any generic
>> card..
>>
>> Kind regards,
>> Philip
>>
>> On 19.01.2015 17:26, Douglas E Engert wrote:
>>> [I should have sent this to the opensc-devel, as others can address some
>> of your questions
>>> about the state of the muscle applet and isoapplet].
>>>
>>> No, that fix was for the card-itacns.c, you are using the card-muscle.c.
>>>
>>> Some equivalent code needs to be added to card-muscle.c, to use what
>> ever information is available that
>>> windows could use to uniquely identify the card. This is then stored
>> with the certificates in the windows store.
>>> At a later time, windows uses certificates from the store and can then
>> prompt to have the card mounted, so it can use the
>>> matching key on the card.
>>>
>>> You or someone else that can test a mod to card-muscle.c could submit a
>> code change.
>>>
>>> There are 33 card-*.c files, 24 support SC_CARDCTL_GET_SERIALNR. 11 do
>> not.
>>>
>>> card-belpic.c
>>> card-default.c
>>> card-gemsafeV1.c
>>> card-ias.c
>>> card-incrypto34.c
>>> card-jcop.c
>>> card-mcrd.c
>>> card-miocos.c
>>> card-muscle.c
>>> card-setcos.c
>>> iso7816.c
>>>
>>> Cards that support SC_CARDCTL_GET_SERIALNR
>>> card-acos5.c
>>> card-akis.c
>>> card-asepcos.c
>>> card-atrust-acos.c
>>> card-authentic.c
>>> card-cardos.c
>>> card-dnie.c
>>> card-entersafe.c
>>> card-epass2003.c
>>> card-flex.c
>>> card-gpk.c
>>> card-iasecc.c
>>> card-itacns.c
>>> card-myeid.c
>>> card-oberthur.c
>>> card-openpgp.c
>>> card-piv.c
>>> card-rtecp.c
>>> card-rutoken.c
>>> card-sc-hsm.c
>>> card-starcos.c
>>> card-tcos.c
>>> card-westcos.c
>>>
>>>
>>> To answer some other questions you asked in a private e-mail:
>>>
>>> iso7816.c, which implements the basic ISO commands, does not support any
>> card_ctl commands.
>>> I believe that the IsoApplet is designed to use iso7816.c. I am not
>> sure if the concept of
>>> a unique "serial number" is part of ISO7816.
>>>
>>> I also don't know the state of the muscle applet, or if it has something
>> that can be used as a serial number either.
>>>
>>>
>>>
>>> On 1/19/2015 8:37 AM, Michael Heydemann wrote:
>>>> WOW.. Thank you a lot.. I think I owe you a beer..
>>>>
>>>> I checked: the fix is from November last year, and the 0.14 version is
>> from summer last year.
>>>> Does this mean that the nightly build could fix this?
>>>> What version should I pull/download?
>>>>
>>>> Thank you a lot,
>>>> Michael
>>>>
>>>>> On 19.01.2015 at 14:35, Douglas E Engert <[hidden email]> wrote:
>>>>>
>>>>> This is the same problem as:
>>>>>
>>>>>   https://github.com/OpenSC/OpenSC/pull/321
>>>>>
>>>>>
>>>>> 2015-01-19 09:49:34.203 [cardmod] card.c:720:sc_card_ctl: called
>>>>> 2015-01-19 09:49:34.203 card_ctl(5) not supported
>>>>>
>>>>> The card-muscle.c (and others in OpenSC) does not support
>> SC_CARDCTL_GET_SERIALNR
>>>>> to get a card "serial number" which windows requires.
>>>>>
>>>>>
>>>>>
>>>>> On 1/19/2015 3:30 AM, Michael Heydemann wrote:
>>>>>> Dear OpenSC Development Team,
>>>>>>
>>>>>> First of all, I would like to say that I really appreciate your great
>> work.
>>>>>> I am working on a little project and explored all the nice tools of
>> OpenSC.
>>>>>> Unfortunately since one week I cannot get around a certain problem.
>>>>>> I hope this mailing list is the right place and you can help me with
>> that.
>>>>>>
>>>>>> My project is about  (1) setting up a PKCS#11 key store on a Java
>> Card,
>>>>>> (2 ) loading some test data (keys and certificates) on it, and (3)
>> using the card
>>>>>> with the Windows 7 Key Management.
>>>>>>
>>>>>> Hardware:
>>>>>> * Card Reader: Omnikey 3121USB
>>>>>> * Java Card: J2A080 - NXP, 80k
>>>>>>
>>>>>> (1) Setting up PKCS#11 key store:
>>>>>> I have installed Ubuntu 14.04.1 in VirtualBox and wrote a bunch of
>> bash scripts
>>>>>> to install all required software, installing muscle applet to the
>> card, and
>>>>>> removing the muscle applet from the card. I followed the instructions
>> on
>>>>>> http://blog.ev0ke.net/muscle-jcop/ and everything worked well.
>>>>>>
>>>>>> (2) Loading some test data:
>>>>>> I tried some different ways to get some keys and certificates on the
>> card.
>>>>>> None of them delivered data which is accepted by Windows 7.
>>>>>> Here is one set of data I created:
>>>>>>
>>>>>> ************************************************************
>> ***************************
>>>>>> Using reader with a card: OMNIKEY CardMan (076B:3022) 3021 00 00
>>>>>> PKCS#15 Card [MUSCLE]:
>>>>>> Version        : 0
>>>>>> Serial number  : 0000
>>>>>> Manufacturer ID: Identity Alliance
>>>>>> Last update    : 20150119080705Z
>>>>>> Flags          : EID compliant
>>>>>>
>>>>>> PIN [User PIN]
>>>>>> Object Flags   : [0x3], private, modifiable
>>>>>> ID             : 01
>>>>>> Flags          : [0x10], initialized
>>>>>> Length         : min_len:4, max_len:8, stored_len:8
>>>>>> Pad char       : 0x00
>>>>>> Reference      : 1
>>>>>> Type           : ascii-numeric
>>>>>> Path           : 3f005015
>>>>>>
>>>>>> Private RSA Key [Card Owner]
>>>>>> Object Flags   : [0x3], private, modifiable
>>>>>> Usage          : [0x2E], decrypt, sign, signRecover, unwrap
>>>>>> Access Flags   : [0x0]
>>>>>> ModLength      : 1024
>>>>>> Key ref        : 0 (0x0)
>>>>>> Native         : yes
>>>>>> Path           : 3f005015
>>>>>> Auth ID        : 01
>>>>>> ID             : 01
>>>>>>
>>>>>> Public RSA Key [Card Owner]
>>>>>> Object Flags   : [0x2], modifiable
>>>>>> Usage          : [0xD1], encrypt, wrap, verify, verifyRecover
>>>>>> Access Flags   : [0x0]
>>>>>> ModLength      : 1024
>>>>>> Key ref        : 0
>>>>>> Native         : no
>>>>>> Path           : 3f0050153000
>>>>>> ID             : 01
>>>>>>
>>>>>> X.509 Certificate [Card Owner Certificate]
>>>>>> Object Flags   : [0x2], modifiable
>>>>>> Authority      : no
>>>>>> Path           : 3f0050153100
>>>>>> ID             : 01
>>>>>> Encoded serial : 02 09 00F695059953A904F9
>>>>>>
>>>>>> X.509 Certificate [Contact 2 Certificate]
>>>>>> Object Flags   : [0x2], modifiable
>>>>>> Authority      : no
>>>>>> Path           : 3f0050153101
>>>>>> ID             : 02
>>>>>> Encoded serial : 02 09 00F695059953A904F9
>>>>>>
>>>>>> X.509 Certificate [Contact 3 Certificate]
>>>>>> Object Flags   : [0x2], modifiable
>>>>>> Authority      : no
>>>>>> Path           : 3f0050153102
>>>>>> ID             : 03
>>>>>> Encoded serial : 02 09 00F695059953A904F9
>>>>>>
>>>>>> X.509 Certificate [Contact 4 Certificate]
>>>>>> Object Flags   : [0x2], modifiable
>>>>>> Authority      : no
>>>>>> Path           : 3f0050153103
>>>>>> ID             : 04
>>>>>> Encoded serial : 02 09 00F695059953A904F9
>>>>>>
>>>>>> X.509 Certificate [Contact 5 Certificate]
>>>>>> Object Flags   : [0x2], modifiable
>>>>>> Authority      : no
>>>>>> Path           : 3f0050153104
>>>>>> ID             : 05
>>>>>> Encoded serial : 02 09 00F695059953A904F9
>>>>>> ************************************************************
>> ***************************
>>>>>>
>>>>>> (3) Using the card in Windows 7:
>>>>>> I installed Windows 7  64 Bit in a VirtualBox and installed
>>>>>> OpenSC-0.12.2-win64.msi. I also tried OpenSC-0.14.0-win64.msi,
>>>>>> but with same result.
>>>>>> I acquired the ATR of the card and properly installed my
>> opens-minidriver.inf:
>>>>>>
>>>>>> ************************************************************
>> ***************************
>>>>>> [Version]
>>>>>> Signature="$Windows NT$"
>>>>>> Class=SmartCard
>>>>>> ClassGuid={990A2BD7-E738-46c7-B26F-1CF8FB9F1391}
>>>>>> Provider=%ProviderName%
>>>>>> CatalogFile=delta.cat
>>>>>> DriverVer=05/02/2010,@OPENSC_VERSION_MAJOR@,@OPENSC_VERSION_MINOR@
>> ,@OPENSC_VERSION_FIX@,0
>>>>>>
>>>>>> [Manufacturer]
>>>>>> %ProviderName%=Minidriver,NTamd64,NTamd64.6.1,NTx86,NTx86.6.1
>>>>>>
>>>>>> [Minidriver.NTamd64]
>>>>>> %CardDeviceName%=Minidriver64_Install,SCFILTER\CID_00640181010c829000
>>>>>>
>>>>>> [Minidriver.NTx86]
>>>>>> %CardDeviceName%=Minidriver32_Install,SCFILTER\CID_00640181010c829000
>>>>>>
>>>>>> [Minidriver.NTamd64.6.1]
>>>>>> %CardDeviceName%=Minidriver64_61_Install,SCFILTER\CID_
>> 00640181010c829000
>>>>>>
>>>>>> [Minidriver.NTx86.6.1]
>>>>>> %CardDeviceName%=Minidriver32_61_Install,SCFILTER\CID_
>> 00640181010c829000
>>>>>>
>>>>>> [DefaultInstall]
>>>>>> CopyFiles=x86_CopyFiles
>>>>>> AddReg=AddRegDefault
>>>>>>
>>>>>> [DefaultInstall.ntamd64]
>>>>>> CopyFiles=amd64_CopyFiles
>>>>>> CopyFiles=wow64_CopyFiles
>>>>>> AddReg=AddRegWOW64
>>>>>> AddReg=AddRegDefault
>>>>>>
>>>>>> [DefaultInstall.NTx86]
>>>>>> CopyFiles=x86_CopyFiles
>>>>>> AddReg=AddRegDefault
>>>>>>
>>>>>> [DefaultInstall.ntamd64.6.1]
>>>>>> AddReg=AddRegWOW64
>>>>>> AddReg=AddRegDefault
>>>>>>
>>>>>> [DefaultInstall.NTx86.6.1]
>>>>>> AddReg=AddRegDefault
>>>>>>
>>>>>> [SourceDisksFiles]
>>>>>> %SmartCardCardModule%=1
>>>>>> %SmartCardCardModule64%=1
>>>>>>
>>>>>> [SourceDisksNames]
>>>>>> 1 = %MediaDescription%
>>>>>>
>>>>>> [Minidriver64_Install.NT]
>>>>>> CopyFiles=amd64_CopyFiles
>>>>>> CopyFiles=wow64_CopyFiles
>>>>>> AddReg=AddRegWOW64
>>>>>> AddReg=AddRegDefault
>>>>>>
>>>>>> [Minidriver64_61_Install.NT]
>>>>>> AddReg=AddRegWOW64
>>>>>> AddReg=AddRegDefault
>>>>>> Include=umpass.inf
>>>>>> Needs=UmPass
>>>>>>
>>>>>> [Minidriver32_Install.NT]
>>>>>> CopyFiles=x86_CopyFiles
>>>>>> AddReg=AddRegDefault
>>>>>>
>>>>>> [Minidriver32_61_Install.NT]
>>>>>> AddReg=AddRegDefault
>>>>>> Include=umpass.inf
>>>>>> Needs=UmPass
>>>>>>
>>>>>> [Minidriver64_61_Install.NT.Services]
>>>>>> Include=umpass.inf
>>>>>> Needs=UmPass.Services
>>>>>>
>>>>>> [Minidriver32_61_Install.NT.Services]
>>>>>> Include=umpass.inf
>>>>>> Needs=UmPass.Services
>>>>>>
>>>>>>
>>>>>> [Minidriver64_61_Install.NT.HW]
>>>>>> Include=umpass.inf
>>>>>> Needs=UmPass.HW
>>>>>>
>>>>>> [Minidriver64_61_Install.NT.CoInstallers]
>>>>>> Include=umpass.inf
>>>>>> Needs=UmPass.CoInstallers
>>>>>>
>>>>>>
>>>>>> [Minidriver64_61_Install.NT.Interfaces]
>>>>>> Include=umpass.inf
>>>>>> Needs=UmPass.Interfaces
>>>>>>
>>>>>>
>>>>>> [Minidriver32_61_Install.NT.HW]
>>>>>> Include=umpass.inf
>>>>>> Needs=UmPass.HW
>>>>>>
>>>>>> [Minidriver32_61_Install.NT.CoInstallers]
>>>>>> Include=umpass.inf
>>>>>> Needs=UmPass.CoInstallers
>>>>>>
>>>>>>
>>>>>> [Minidriver32_61_Install.NT.Interfaces]
>>>>>> Include=umpass.inf
>>>>>> Needs=UmPass.Interfaces
>>>>>>
>>>>>>
>>>>>> [amd64_CopyFiles]
>>>>>> ;%SmartCardCardModule%,%SmartCardCardModule64%
>>>>>>
>>>>>> [x86_CopyFiles]
>>>>>> ;%SmartCardCardModule%
>>>>>>
>>>>>> [wow64_CopyFiles]
>>>>>> ;%SmartCardCardModule64%
>>>>>>
>>>>>> [AddRegWOW64]
>>>>>> HKLM, %SmartCardNameWOW64%,"ATR",0x00000001,3b,f8,13,00,00,81,
>> 31,fe,45,4A,43,4f,50,76,32,34,31,b7
>>>>>> HKLM, %SmartCardNameWOW64%,"ATRMask",0x00000001,ff,ff,ff,ff,ff,ff,
>> ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff
>>>>>> HKLM, %SmartCardNameWOW64%,"Crypto Provider",0x00000000,"Microsoft
>> Base Smart Card Crypto Provider"
>>>>>> HKLM, %SmartCardNameWOW64%,"Smart Card Key Storage
>> Provider",0x00000000,"Microsoft Smart Card Key Storage Provider"
>>>>>> HKLM, %SmartCardNameWOW64%,"80000001",0x00000000,%
>> SmartCardCardModule64%
>>>>>>
>>>>>> [AddRegDefault]
>>>>>> HKLM, %SmartCardName%,"ATR",0x00000001,3b,f8,13,00,00,81,
>> 31,fe,45,4A,43,4f,50,76,32,34,31,b7
>>>>>> HKLM, %SmartCardName%,"ATRMask",0x00000001,ff,ff,ff,ff,ff,ff,
>> ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff
>>>>>> HKLM, %SmartCardName%,"Crypto Provider",0x00000000,"Microsoft Base
>> Smart Card Crypto Provider"
>>>>>> HKLM, %SmartCardName%,"Smart Card Key Storage Provider",0x00000000,"Microsoft
>> Smart Card Key Storage Provider"
>>>>>> HKLM, %SmartCardName%,"80000001",0x00000000,%SmartCardCardModule%
>>>>>>
>>>>>> [DestinationDirs]
>>>>>> amd64_CopyFiles=10,system32
>>>>>> x86_CopyFiles=10,system32
>>>>>> wow64_CopyFiles=10,syswow64
>>>>>>
>>>>>>
>>>>>> ; =================== Generic ==================================
>>>>>>
>>>>>> [Strings]
>>>>>> ProviderName="OpenSC"
>>>>>> MediaDescription="OpenSC Card Minidriver Installation Disk"
>>>>>> CardDeviceName="Muscle Card"
>>>>>> SmartCardName="SOFTWARE\Microsoft\Cryptography\Calais\SmartCards\Muscle
>> Card"
>>>>>> SmartCardNameWOW64="SOFTWARE\Wow6432Node\Microsoft\
>> Cryptography\Calais\SmartCards\Muscle Card"
>>>>>> SmartCardCardModule="opensc-minidriver.dll"
>>>>>> ************************************************************
>> ***************************
>>>>>>
>>>>>> When the card is inserted the driver is used as shown in device
>> manager
>>>>>> as well as in certutil.exe.
>>>>>> Now here is the actual problem:
>>>>>> When I try to use the card with certutil.exe -SCinfo  several times a
>> dialog pops up
>>>>>> complaining that the card does not have the required functions.
>>>>>> The terminal output is like this. I am sorry for pasting this in
>> german.
>>>>>> I added some translations:
>>>>>>
>>>>>> ************************************************************
>> ***************************
>>>>>> Microsoft Windows [Version 6.1.7601]
>>>>>> Copyright (c) 2009 Microsoft Corporation. Alle Rechte vorbehalten.
>>>>>>
>>>>>> C:\Users\developer>certutil -scinfo
>>>>>> Die Microsoft Smartcard-Ressourcenverwaltung wird ausgeführt.
>>>>>> Aktueller Leser-/Kartenstatus: (Current Reader/Card Status)
>>>>>> Leser: 1 (Reader: 1)
>>>>>>    0: OMNIKEY CardMan 3x21 0
>>>>>> --- Leser: OMNIKEY CardMan 3x21 0 (Reader)
>>>>>> --- Status: SCARD_STATE_PRESENT | SCARD_STATE_UNPOWERED
>>>>>> --- Status: Die Smartcard kann verwendet werden.
>>>>>> ---  Karte: Muscle Card
>>>>>> ---    ATR:
>>>>>>          3b f8 13 00 00 81 31 fe  45 4a 43 4f 50 76 32 34   ;.....1.EJCOPv24
>>>>>>          31 b7                                              1.
>>>>>>
>>>>>>
>>>>>> =======================================================
>>>>>> Karte im Leser wird analysiert: OMNIKEY CardMan 3x21 0 (Trans: The
>> card in the reader is being analyzed)
>>>>>>
>>>>>> --------------===========================--------------
>>>>>> ================ Zertifikat 0 ================ (Trans: Certificate 0)
>>>>>> --- Leser: OMNIKEY CardMan 3x21 0 (Reader)
>>>>>> ---  Karte: Muscle Card
>>>>>> Anbieter = Microsoft Base Smart Card Crypto Provider
>>>>>> Schlüsselcontainer = (null) [Standardcontainer] (Trans: standard
>> container)
>>>>>>
>>>>>> Schlüssel "AT_SIGNATURE" kann nicht geöffnet werden für Leser:
>> OMNIKEY CardMan 3 (Trans: Key "AT_SIGNATURE" could not be opened)
>>>>>> x21 0
>>>>>> Schlüssel "AT_KEYEXCHANGE" kann nicht geöffnet werden für Leser:
>> OMNIKEY CardMan (Trans: Key "AT_KEYEXCHANGE" could not be opened)
>>>>>>   3x21 0
>>>>>>
>>>>>> --------------===========================--------------
>>>>>> ================ Zertifikat 0 ================
>>>>>> --- Leser: OMNIKEY CardMan 3x21 0
>>>>>> ---  Karte: Smart Security Device (Brainchild)
>>>>>> Anbieter = Microsoft Smart Card Key Storage Provider
>>>>>> Schlüsselcontainer = (null) [Standardcontainer]
>>>>>>
>>>>>> Schlüssel "" kann nicht geöffnet werden für Leser: OMNIKEY CardMan
>> 3x21 0 (Trans: Key "" could not be opened)
>>>>>>
>>>>>> --------------===========================--------------
>>>>>>
>>>>>> Fertig.
>>>>>> CertUtil: -SCInfo-Befehl wurde erfolgreich ausgeführt. (Trans:
>> -SCinfo command has been executed with success)
>>>>>> ************************************************************
>> ***************************
>>>>>>
>>>>>> I also configured to use a log file in opensc.conf and debug level 9.
>>>>>> Unfortunately the file is about 2.5 MB. I try to add it as an
>> attachment to this mail,
>>>>>> but I am not sure if this is working with a mailing list.
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>> I already inspected the log, but found nothing suspicious.
>>>>>> I think maybe there has to be a private key marked
>>>>>> for use as AT_SIGNATURE and one for AT_EXCHANGE.
>>>>>> But how?
>>>>>>
>>>>>> Or maybe I am completely wrong and something different is going wrong.
>>>>>>
>>>>>> Any help would be appreciated!
>>>>>>
>>>>>> Best Regards,
>>>>>> Michael
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>
>>>>> --
>>>>>
>>>>>   Douglas E. Engert  <[hidden email]>
>>>>>
>>>>>
>>>>
>>>
>>
>>
>>
>

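The GET DATA probe for tags '42' and '45' that Philip describes above, together with the certificate-derived fallback he proposes, as an added example (this is not OpenSC, IsoApplet or MuscleApplet code): the transmit callback, the card responses and the truncated SHA-256 used for derivation are assumptions of this example.

```python
"""Added example, not OpenSC, IsoApplet or MuscleApplet code.

Models the two serial-number sources discussed in the thread:
  * the GlobalPlatform route (GET DATA on the ISD for tag '42', the Issuer
    Identification Number, and tag '45', the Card Image Number, concatenated),
    including the failure case where a card answers neither request, and
  * the fallback of deriving a value from the first certificate, else the
    first public key, else failing.
The transmit callback, the card responses and the use of a truncated SHA-256
as the derivation are constructed assumptions of this example.
"""
import hashlib

SW_OK = 0x9000
SW_DATA_NOT_FOUND = 0x6A88  # "referenced data not found", a typical reply for an unsupported tag


def get_data_apdu(tag):
    """GET DATA as sent in the thread: CLA 80, INS CA, P1 00, P2 = tag, Le 00."""
    return bytes([0x80, 0xCA, 0x00, tag, 0x00])


def parse_tlv(data, expected_tag):
    """Parse one BER-TLV object with a single-byte tag.

    GET DATA returns the object itself (tag, length, value), so the response
    must start with the requested tag. Returns the value bytes, or None when the
    tag differs, the length is malformed, or the value is empty or truncated.
    """
    if len(data) < 2 or data[0] != expected_tag:
        return None
    length, offset = data[1], 2
    if length & 0x80:  # long form: the low bits give the number of length bytes
        count = length & 0x7F
        if count == 0 or len(data) < 2 + count:
            return None
        length = int.from_bytes(data[2:2 + count], "big")
        offset = 2 + count
    if length == 0 or len(data) < offset + length:
        return None
    return data[offset:offset + length]


def read_gp_serial(transmit):
    """Return IIN || CIN read from the Issuer Security Domain, or None.

    transmit(apdu) -> (response_data, status_word). None means the card did not
    return both objects, which is the unreliable behaviour reported in the thread.
    """
    parts = []
    for tag in (0x42, 0x45):
        data, sw = transmit(get_data_apdu(tag))
        if sw != SW_OK:
            return None
        value = parse_tlv(data, tag)
        if value is None:
            return None
        parts.append(value)
    return b"".join(parts)


def derive_serial(certificates, public_keys, length=16):
    """Option 2 from the thread: derive from the first certificate, else the
    first public key, else fail. The applet would have to store the result so it
    survives later deletion of the certificate; this function only computes it.
    """
    source = certificates[0] if certificates else (public_keys[0] if public_keys else None)
    if source is None:
        raise ValueError("no certificate or public key available to derive a serial")
    return hashlib.sha256(source).digest()[:length]


def card_serial(transmit, certificates, public_keys):
    """Prefer the GP hardware serial; fall back to the derived one.
    Returns (serial_bytes, source) where source is 'gp' or 'derived'."""
    serial = read_gp_serial(transmit)
    if serial is not None:
        return serial, "gp"
    return derive_serial(certificates, public_keys), "derived"


def make_transmit(responses):
    """Constructed stand-in for a PC/SC transmit: answers from a fixed table,
    anything else gets an empty body and SW 6A88."""
    def transmit(apdu):
        return responses.get(bytes(apdu), (b"", SW_DATA_NOT_FOUND))
    return transmit


# Constructed cards: one that exposes both GP objects, one that exposes neither.
GP_CARD = make_transmit({
    get_data_apdu(0x42): (bytes.fromhex("42 04 12 34 56 78"), SW_OK),
    get_data_apdu(0x45): (bytes.fromhex("45 08 00 11 22 33 44 55 66 77"), SW_OK),
})
BARE_CARD = make_transmit({})
CONSTRUCTED_CERT_DER = b"\x30\x82\x01\x00constructed-certificate-bytes"

if __name__ == "__main__":
    print("GP card   :", card_serial(GP_CARD, [], []))
    print("bare card :", card_serial(BARE_CARD, [CONSTRUCTED_CERT_DER], []))
```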

Re: AT_SIGNATURE and AT_EXCHANGE Problem

Philip Wendland
Hello,

Michael Heydemann helped me try to find a solution for this. He was
also not able to read the Issuer Identification Number or Card Image
Number from his Java Card(s).
I tried to use STORE DATA to maybe write those numbers on uninitialized
Java Cards, but did not have success either. Unless we missed something,
the GP method of obtaining serial numbers seems to be too unreliable.

A solution we thought of would be to write a number to the applet's
filesystem that stays the same for the applet's lifecycle. I am still
not sure what the best approach would be:
1) Let the user define a serial number. He can ensure that the serial  
number is unique among all the cards in the given environment.
2) Derive a serial number based on the first certificate that was found.
The serial will stay the same even if the certificate will be removed
later. If no certificate was found, use a public key for derivation. If
no public key was found, fail.
3) Use a random number.

Opinions on this matter are highly appreciated. Thanks!


Kind regards,
Philip

On 1/23/2015 10:52 AM, Philip Wendland wrote:

> Hello Martin Paljak,
>
> On 01/19/2015 07:11 PM, Martin Paljak wrote:
>> Hello,
>>
>> The way to get a "hardware" serial for JavaCard-s is quite well defined by
>> GlobalPlatform: concatenation of Issuer Identification Number + Card Image
>> Number, which are readable without authentication from decent cards (some
>> Chinese JavaCard-s are exceptions)
>>
> Thanks for the info. I tried reading those numbers from 4 different Java
> Cards. Although defined by GlobalPlatform:
>
> Security Domains shall support at least the following data object tags:
> • Tag '42': Issuer Identification Number (or Security Domain Provider
> Identification Number);
> • Tag '45': Card Image Number (or Security Domain Image Number);
> • Tag '66': Card Data (or Security Domain Management Data);
>
> only 1 card (a very old Athena Pro 72K - I don't even have ISD keys for
> that card) returned the requested data. Unfortunately, this seems very
> unreliable. Or did I send a wrong request?
>
> I used GET DATA to the ISD:
> CLA INS P1 P2 Le
> 80  CA  00 45 00 and
> 80  CA  00 42 00
>
> Maybe deriving the serial number from a certificate/public key is a
> better (more portable) approach. But there might be side-effects that I
> don't think of right now.
> Then again, which certificate should be chosen? There might be more than
> one certificate/public key in the applet. Certificates might also be
> deleted from the filesystem again.
>
>> Nevertheless, the presence of the "get serial" card control is out of sync
>> with the rest of the framework. Why is there a mandatory "extension" for
>> something that should be part of the core? It either should be a required
>> part of the usual card function structure, maybe with some sensible
>> defaults or fallbacks, or the "serial" must be derived from some unique data
>> (certificate?) if the callback is not there or no data present.
>>
> I kind of agree. When writing card drivers for OpenSC you usually look
> at the sc_card_operations struct; for me it was not clear for a long
> time that the SC_CARDCTL_GET_SERIALNR cardctl is required for Windows
> functionality.
> (Windows support was never a requirement for the IsoApplet anyway,
> until now.)
>
>> The question is how to "grow" the framework: either extend the card
>> function pointers (that right now is almost 1:1 ISO and old, first
>> implementations) or via card controls. I would choose extending the card
>> function pointers.
>>
>> Also, the requirements for the "serial" must be written down: for
>> example, if the serial remains the same but card content changes, does this
>> matter? Does this affect some caching somewhere? Is the serial binary or
>> string, how long? Is it supposed to be globally unique or just for a batch?
>>
>> Martin
>>
>> On Mon Jan 19 2015 at 7:55:44 PM Philip Wendland <[hidden email]>
>> wrote:
>>
>>> Hi,
>>>
>>> I will try to solve this problem for the IsoApplet this weekend. My
>>> spare time is limited until then.
>>>
>>> However, the problem will be to find a unique identifier for any generic
>>> card..
>>>
>>> Kind regards,
>>> Philip
>>>
>>> On 19.01.2015 17:26, Douglas E Engert wrote:
>>>> [I should have sent this to the opensc-devel, as others can address some
>>> of your questions
>>>> about the state of the muscle applet and isoapplet].
>>>>
>>>> No, that fix was for the card-itacns.c, you are using the card-muscle.c.
>>>>
>>>> Some equivalent code needs to be added to card-muscle.c, to use what
>>> ever information is available that
>>>> windows could use to uniquely identify the card. This is then stored
>>> with the certificates in the windows store.
>>>> At a later time, windows uses certificates from the store and can then
>>> prompt to have the card mounted, so it can use the
>>>> matching key on the card.
>>>>
>>>> You or someone else that can test a mod to card-muscle.c could submit a
>>> code change.
>>>> There are 33 card-*.c files, 24 support SC_CARDCTL_GET_SERIALNR. 11 do
>>> not.
>>>> card-belpic.c
>>>> card-default.c
>>>> card-gemsafeV1.c
>>>> card-ias.c
>>>> card-incrypto34.c
>>>> card-jcop.c
>>>> card-mcrd.c
>>>> card-miocos.c
>>>> card-muscle.c
>>>> card-setcos.c
>>>> iso7816.c
>>>>
>>>> Cards that support SC_CARDCTL_GET_SERIALNR
>>>> card-acos5.c
>>>> card-akis.c
>>>> card-asepcos.c
>>>> card-atrust-acos.c
>>>> card-authentic.c
>>>> card-cardos.c
>>>> card-dnie.c
>>>> card-entersafe.c
>>>> card-epass2003.c
>>>> card-flex.c
>>>> card-gpk.c
>>>> card-iasecc.c
>>>> card-itacns.c
>>>> card-myeid.c
>>>> card-oberthur.c
>>>> card-openpgp.c
>>>> card-piv.c
>>>> card-rtecp.c
>>>> card-rutoken.c
>>>> card-sc-hsm.c
>>>> card-starcos.c
>>>> card-tcos.c
>>>> card-westcos.c
>>>>
>>>>
>>>> To answer some other questions you asked in a private e-mail:
>>>>
>>>> iso7816.c which implements the basic ISO commands does not support any
>>>> card_ctl commands.
>>>> I believe that the IsoApplet is designed to use the iso7816.c. I am not
>>>> sure if the concept of
>>>> a unique "serial number" is part of ISO7816.
>>>>
>>>> I also don't know the state of the muscle applet, or if it has something
>>> that can be used as a serial number either.
>>>>
>>>>
>>>> On 1/19/2015 8:37 AM, Michael Heydemann wrote:
>>>>> WOW.. Thank you a lot.. I think I owe you a beer..
>>>>>
>>>>> I checked the fix is from November last year, and the 0.14 version is
>>> from summer last year.
>>>>> Does this mean, that the nightly build could fix this?
>>>>> What version I should pull/download?
>>>>>
>>>>> Thank you a lot,
>>>>> Michael
>>>>>
>>>>>> Am 19.01.2015 um 14:35 schrieb Douglas E Engert <[hidden email]>:
>>>>>>
>>>>>> This is the same problem as:
>>>>>>
>>>>>>    https://github.com/OpenSC/OpenSC/pull/321
>>>>>>
>>>>>>
>>>>>> 2015-01-19 09:49:34.203 [cardmod] card.c:720:sc_card_ctl: called
>>>>>> 2015-01-19 09:49:34.203 card_ctl(5) not supported
>>>>>>
>>>>>> The card-muscle.c (and others in OpenSC) does not support
>>> SC_CARDCTL_GET_SERIALNR
>>>>>> to get a card "serial number" which windows requires.
>>>>>>
>>>>>>
>>>>>>
>>>>>> On 1/19/2015 3:30 AM, Michael Heydemann wrote:
>>>>>>> Dear OpenSC Development Team,
>>>>>>>
>>>>>>> First of all, I would like to say that I really appreciate your great
>>> work.
>>>>>>> I am working on a little project and explored all the nice tools of
>>> OpenSC.
>>>>>>> Unfortunately since one week I cannot get around a certain problem.
>>>>>>> I hope this mailing list is the right place and you can help me with
>>> that.
>>>>>>> My project is about  (1) setting up a PKCS#11 key store on a Java
>>> Card,
>>>>>>> (2 ) loading some test data (keys and certificates) on it, and (3)
>>> using the card
>>>>>>> with the Windows 7 Key Management.
>>>>>>>
>>>>>>> Hardware:
>>>>>>> * Card Reader: Omnikey 3121USB
>>>>>>> * Java Card: J2A080 - NXP, 80k
>>>>>>>
>>>>>>> (1) Setting up PKCS#11 key store:
>>>>>>> I have installed Ubuntu 14.04.1 in VirtualBox and wrote a bunch of
>>> bash scripts
>>>>>>> to install all required software, installing muscle applet to the
>>> card, and
>>>>>>> removing the muscle applet from the card. I followed the instructions
>>> on
>>>>>>> http://blog.ev0ke.net/muscle-jcop/ and everything worked well.
>>>>>>>
>>>>>>> (2) Loading some test data:
>>>>>>> I tried some different ways to get some keys and certificates on the
>>> card.
>>>>>>> None of them delivered data which is accepted by Windows 7.
>>>>>>> Here is one set of data I created:
>>>>>>>
>>>>>>> ***************************************************************************************
>>>>>>> Using reader with a card: OMNIKEY CardMan (076B:3022) 3021 00 00
>>>>>>> PKCS#15 Card [MUSCLE]:
>>>>>>> Version        : 0
>>>>>>> Serial number  : 0000
>>>>>>> Manufacturer ID: Identity Alliance
>>>>>>> Last update    : 20150119080705Z
>>>>>>> Flags          : EID compliant
>>>>>>>
>>>>>>> PIN [User PIN]
>>>>>>> Object Flags   : [0x3], private, modifiable
>>>>>>> ID             : 01
>>>>>>> Flags          : [0x10], initialized
>>>>>>> Length         : min_len:4, max_len:8, stored_len:8
>>>>>>> Pad char       : 0x00
>>>>>>> Reference      : 1
>>>>>>> Type           : ascii-numeric
>>>>>>> Path           : 3f005015
>>>>>>>
>>>>>>> Private RSA Key [Card Owner]
>>>>>>> Object Flags   : [0x3], private, modifiable
>>>>>>> Usage          : [0x2E], decrypt, sign, signRecover, unwrap
>>>>>>> Access Flags   : [0x0]
>>>>>>> ModLength      : 1024
>>>>>>> Key ref        : 0 (0x0)
>>>>>>> Native         : yes
>>>>>>> Path           : 3f005015
>>>>>>> Auth ID        : 01
>>>>>>> ID             : 01
>>>>>>>
>>>>>>> Public RSA Key [Card Owner]
>>>>>>> Object Flags   : [0x2], modifiable
>>>>>>> Usage          : [0xD1], encrypt, wrap, verify, verifyRecover
>>>>>>> Access Flags   : [0x0]
>>>>>>> ModLength      : 1024
>>>>>>> Key ref        : 0
>>>>>>> Native         : no
>>>>>>> Path           : 3f0050153000
>>>>>>> ID             : 01
>>>>>>>
>>>>>>> X.509 Certificate [Card Owner Certificate]
>>>>>>> Object Flags   : [0x2], modifiable
>>>>>>> Authority      : no
>>>>>>> Path           : 3f0050153100
>>>>>>> ID             : 01
>>>>>>> Encoded serial : 02 09 00F695059953A904F9
>>>>>>>
>>>>>>> X.509 Certificate [Contact 2 Certificate]
>>>>>>> Object Flags   : [0x2], modifiable
>>>>>>> Authority      : no
>>>>>>> Path           : 3f0050153101
>>>>>>> ID             : 02
>>>>>>> Encoded serial : 02 09 00F695059953A904F9
>>>>>>>
>>>>>>> X.509 Certificate [Contact 3 Certificate]
>>>>>>> Object Flags   : [0x2], modifiable
>>>>>>> Authority      : no
>>>>>>> Path           : 3f0050153102
>>>>>>> ID             : 03
>>>>>>> Encoded serial : 02 09 00F695059953A904F9
>>>>>>>
>>>>>>> X.509 Certificate [Contact 4 Certificate]
>>>>>>> Object Flags   : [0x2], modifiable
>>>>>>> Authority      : no
>>>>>>> Path           : 3f0050153103
>>>>>>> ID             : 04
>>>>>>> Encoded serial : 02 09 00F695059953A904F9
>>>>>>>
>>>>>>> X.509 Certificate [Contact 5 Certificate]
>>>>>>> Object Flags   : [0x2], modifiable
>>>>>>> Authority      : no
>>>>>>> Path           : 3f0050153104
>>>>>>> ID             : 05
>>>>>>> Encoded serial : 02 09 00F695059953A904F9
>>>>>>> ***************************************************************************************
>>>>>>> (3) Using the card in Windows 7:
>>>>>>> I installed Windows 7  64 Bit in a VirtualBox and installed
>>>>>>> OpenSC-0.12.2-win64.msi. I also tried OpenSC-0.14.0-win64.msi,
>>>>>>> but with same result.
>>>>>>> I acquired the ATR of the card and properly installed my
>>> opens-minidriver.inf:
>>>>>>> ***************************************************************************************
>>>>>>> [Version]
>>>>>>> Signature="$Windows NT$"
>>>>>>> Class=SmartCard
>>>>>>> ClassGuid={990A2BD7-E738-46c7-B26F-1CF8FB9F1391}
>>>>>>> Provider=%ProviderName%
>>>>>>> CatalogFile=delta.cat
>>>>>>> DriverVer=05/02/2010,@OPENSC_VERSION_MAJOR@,@OPENSC_VERSION_MINOR@,@OPENSC_VERSION_FIX@,0
>>>>>>> [Manufacturer]
>>>>>>> %ProviderName%=Minidriver,NTamd64,NTamd64.6.1,NTx86,NTx86.6.1
>>>>>>>
>>>>>>> [Minidriver.NTamd64]
>>>>>>> %CardDeviceName%=Minidriver64_Install,SCFILTER\CID_00640181010c829000
>>>>>>>
>>>>>>> [Minidriver.NTx86]
>>>>>>> %CardDeviceName%=Minidriver32_Install,SCFILTER\CID_00640181010c829000
>>>>>>>
>>>>>>> [Minidriver.NTamd64.6.1]
>>>>>>> %CardDeviceName%=Minidriver64_61_Install,SCFILTER\CID_00640181010c829000
>>>>>>> [Minidriver.NTx86.6.1]
>>>>>>> %CardDeviceName%=Minidriver32_61_Install,SCFILTER\CID_00640181010c829000
>>>>>>> [DefaultInstall]
>>>>>>> CopyFiles=x86_CopyFiles
>>>>>>> AddReg=AddRegDefault
>>>>>>>
>>>>>>> [DefaultInstall.ntamd64]
>>>>>>> CopyFiles=amd64_CopyFiles
>>>>>>> CopyFiles=wow64_CopyFiles
>>>>>>> AddReg=AddRegWOW64
>>>>>>> AddReg=AddRegDefault
>>>>>>>
>>>>>>> [DefaultInstall.NTx86]
>>>>>>> CopyFiles=x86_CopyFiles
>>>>>>> AddReg=AddRegDefault
>>>>>>>
>>>>>>> [DefaultInstall.ntamd64.6.1]
>>>>>>> AddReg=AddRegWOW64
>>>>>>> AddReg=AddRegDefault
>>>>>>>
>>>>>>> [DefaultInstall.NTx86.6.1]
>>>>>>> AddReg=AddRegDefault
>>>>>>>
>>>>>>> [SourceDisksFiles]
>>>>>>> %SmartCardCardModule%=1
>>>>>>> %SmartCardCardModule64%=1
>>>>>>>
>>>>>>> [SourceDisksNames]
>>>>>>> 1 = %MediaDescription%
>>>>>>>
>>>>>>> [Minidriver64_Install.NT]
>>>>>>> CopyFiles=amd64_CopyFiles
>>>>>>> CopyFiles=wow64_CopyFiles
>>>>>>> AddReg=AddRegWOW64
>>>>>>> AddReg=AddRegDefault
>>>>>>>
>>>>>>> [Minidriver64_61_Install.NT]
>>>>>>> AddReg=AddRegWOW64
>>>>>>> AddReg=AddRegDefault
>>>>>>> Include=umpass.inf
>>>>>>> Needs=UmPass
>>>>>>>
>>>>>>> [Minidriver32_Install.NT]
>>>>>>> CopyFiles=x86_CopyFiles
>>>>>>> AddReg=AddRegDefault
>>>>>>>
>>>>>>> [Minidriver32_61_Install.NT]
>>>>>>> AddReg=AddRegDefault
>>>>>>> Include=umpass.inf
>>>>>>> Needs=UmPass
>>>>>>>
>>>>>>> [Minidriver64_61_Install.NT.Services]
>>>>>>> Include=umpass.inf
>>>>>>> Needs=UmPass.Services
>>>>>>>
>>>>>>> [Minidriver32_61_Install.NT.Services]
>>>>>>> Include=umpass.inf
>>>>>>> Needs=UmPass.Services
>>>>>>>
>>>>>>>
>>>>>>> [Minidriver64_61_Install.NT.HW]
>>>>>>> Include=umpass.inf
>>>>>>> Needs=UmPass.HW
>>>>>>>
>>>>>>> [Minidriver64_61_Install.NT.CoInstallers]
>>>>>>> Include=umpass.inf
>>>>>>> Needs=UmPass.CoInstallers
>>>>>>>
>>>>>>>
>>>>>>> [Minidriver64_61_Install.NT.Interfaces]
>>>>>>> Include=umpass.inf
>>>>>>> Needs=UmPass.Interfaces
>>>>>>>
>>>>>>>
>>>>>>> [Minidriver32_61_Install.NT.HW]
>>>>>>> Include=umpass.inf
>>>>>>> Needs=UmPass.HW
>>>>>>>
>>>>>>> [Minidriver32_61_Install.NT.CoInstallers]
>>>>>>> Include=umpass.inf
>>>>>>> Needs=UmPass.CoInstallers
>>>>>>>
>>>>>>>
>>>>>>> [Minidriver32_61_Install.NT.Interfaces]
>>>>>>> Include=umpass.inf
>>>>>>> Needs=UmPass.Interfaces
>>>>>>>
>>>>>>>
>>>>>>> [amd64_CopyFiles]
>>>>>>> ;%SmartCardCardModule%,%SmartCardCardModule64%
>>>>>>>
>>>>>>> [x86_CopyFiles]
>>>>>>> ;%SmartCardCardModule%
>>>>>>>
>>>>>>> [wow64_CopyFiles]
>>>>>>> ;%SmartCardCardModule64%
>>>>>>>
>>>>>>> [AddRegWOW64]
>>>>>>> HKLM, %SmartCardNameWOW64%,"ATR",0x00000001,3b,f8,13,00,00,81,31,fe,45,4A,43,4f,50,76,32,34,31,b7
>>>>>>> HKLM, %SmartCardNameWOW64%,"ATRMask",0x00000001,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff
>>>>>>> HKLM, %SmartCardNameWOW64%,"Crypto Provider",0x00000000,"Microsoft Base Smart Card Crypto Provider"
>>>>>>> HKLM, %SmartCardNameWOW64%,"Smart Card Key Storage Provider",0x00000000,"Microsoft Smart Card Key Storage Provider"
>>>>>>> HKLM, %SmartCardNameWOW64%,"80000001",0x00000000,%SmartCardCardModule64%
>>>>>>> [AddRegDefault]
>>>>>>> HKLM, %SmartCardName%,"ATR",0x00000001,3b,f8,13,00,00,81,31,fe,45,4A,43,4f,50,76,32,34,31,b7
>>>>>>> HKLM, %SmartCardName%,"ATRMask",0x00000001,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff
>>>>>>> HKLM, %SmartCardName%,"Crypto Provider",0x00000000,"Microsoft Base Smart Card Crypto Provider"
>>>>>>> HKLM, %SmartCardName%,"Smart Card Key Storage Provider",0x00000000,"Microsoft Smart Card Key Storage Provider"
>>>>>>> HKLM, %SmartCardName%,"80000001",0x00000000,%SmartCardCardModule%
>>>>>>>
>>>>>>> [DestinationDirs]
>>>>>>> amd64_CopyFiles=10,system32
>>>>>>> x86_CopyFiles=10,system32
>>>>>>> wow64_CopyFiles=10,syswow64
>>>>>>>
>>>>>>>
>>>>>>> ; =================== Generic ==================================
>>>>>>>
>>>>>>> [Strings]
>>>>>>> ProviderName="OpenSC"
>>>>>>> MediaDescription="OpenSC Card Minidriver Installation Disk"
>>>>>>> CardDeviceName="Muscle Card"
>>>>>>> SmartCardName="SOFTWARE\Microsoft\Cryptography\Calais\SmartCards\Muscle Card"
>>>>>>> SmartCardNameWOW64="SOFTWARE\Wow6432Node\Microsoft\Cryptography\Calais\SmartCards\Muscle Card"
>>>>>>> SmartCardCardModule="opensc-minidriver.dll"
>>>>>>> ***************************************************************************************
>>>>>>> When the card is inserted the driver is used as shown in device
>>> manager
>>>>>>> as well as in certutil.exe.
>>>>>>> Now here is the actual problem:
>>>>>>> When I try to use the card with certutil.exe -SCinfo  several times a
>>> dialog pops up
>>>>>>> complaining that the card does not have the required functions.
>>>>>>> The terminal output is like this. I am sorry for pasting this in
>>> german.
>>>>>>> I added some translations:
>>>>>>>
>>>>>>> ***************************************************************************************
>>>>>>> Microsoft Windows [Version 6.1.7601]
>>>>>>> Copyright (c) 2009 Microsoft Corporation. Alle Rechte vorbehalten.
>>>>>>>
>>>>>>> C:\Users\developer>certutil -scinfo
>>>>>>> Die Microsoft Smartcard-Ressourcenverwaltung wird ausgeführt.
>>>>>>> Aktueller Leser-/Kartenstatus: (Current Reader/Card Status)
>>>>>>> Leser: 1 (Reader: 1)
>>>>>>>     0: OMNIKEY CardMan 3x21 0
>>>>>>> --- Leser: OMNIKEY CardMan 3x21 0 (Reader)
>>>>>>> --- Status: SCARD_STATE_PRESENT | SCARD_STATE_UNPOWERED
>>>>>>> --- Status: Die Smartcard kann verwendet werden.
>>>>>>> ---  Karte: Muscle Card
>>>>>>> ---    ATR:
>>>>>>>           3b f8 13 00 00 81 31 fe  45 4a 43 4f 50 76 32 34   ;.....1.EJCOPv24
>>>>>>>           31 b7                                              1.
>>>>>>>
>>>>>>>
>>>>>>> =======================================================
>>>>>>> Karte im Leser wird analysiert: OMNIKEY CardMan 3x21 0 (Trans: The
>>> card in the reader is being analyzed)
>>>>>>> --------------===========================--------------
>>>>>>> ================ Zertifikat 0 ================ (Trans: Certificate 0)
>>>>>>> --- Leser: OMNIKEY CardMan 3x21 0 (Reader)
>>>>>>> ---  Karte: Muscle Card
>>>>>>> Anbieter = Microsoft Base Smart Card Crypto Provider
>>>>>>> Schlüsselcontainer = (null) [Standardcontainer] (Trans: standard
>>> container)
>>>>>>> Schlüssel "AT_SIGNATURE" kann nicht geöffnet werden für Leser:
>>> OMNIKEY CardMan 3 (Trans:  Key „AT_SIGNATURE“ could not be opened)
>>>>>>> x21 0
>>>>>>> Schlüssel "AT_KEYEXCHANGE" kann nicht geöffnet werden für Leser:
>>> OMNIKEY CardMan (Trans:  Key „AT_SIGNATURE“ could not be opened)
>>>>>>>    3x21 0
>>>>>>>
>>>>>>> --------------===========================--------------
>>>>>>> ================ Zertifikat 0 ================
>>>>>>> --- Leser: OMNIKEY CardMan 3x21 0
>>>>>>> ---  Karte: Smart Security Device (Brainchild)
>>>>>>> Anbieter = Microsoft Smart Card Key Storage Provider
>>>>>>> Schlüsselcontainer = (null) [Standardcontainer]
>>>>>>>
>>>>>>> Schlüssel "" kann nicht geöffnet werden für Leser: OMNIKEY CardMan
>>> 3x21 0 (Trans:  Key „“ could not be opened)
>>>>>>> --------------===========================--------------
>>>>>>>
>>>>>>> Fertig.
>>>>>>> CertUtil: -SCInfo-Befehl wurde erfolgreich ausgeführt. (Trans:
>>> -SCinfo command has been executed with success)
>>>>>>> ***************************************************************************************
>>>>>>> I also configured to use a log file in opensc.conf and debug level 9.
>>>>>>> Unfortunately the file is about 2.5 MB. I try to add it as an
>>> attachment to this mail,
>>>>>>> but I am not sure if this is working with a mailing list.
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> I already inspected the log, but found nothing suspicious.
>>>>>>> I think maybe there has to be a private key to be marked
>>>>>>> for use as AT_SIGNATURE and one for AT_EXCHANGE.
>>>>>>> But how?
>>>>>>>
>>>>>>> Or maybe I am completely wrong and something different is going wrong.
>>>>>>>
>>>>>>> Any help would be appreciated!
>>>>>>>
>>>>>>> Best Regards,
>>>>>>> Michael
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> ------------------------------------------------------------------------------
>>>>>>> New Year. New Location. New Benefits. New Data Center in Ashburn, VA.
>>>>>>> GigeNET is offering a free month of service with a new server in
>>> Ashburn.
>>>>>>> Choose from 2 high performing configs, both with 100TB of bandwidth.
>>>>>>> Higher redundancy.Lower latency.Increased capacity.Completely
>>> compliant.
>>>>>>> http://p.sf.net/sfu/gigenet
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> _______________________________________________
>>>>>>> Opensc-devel mailing list
>>>>>>> [hidden email]
>>>>>>> https://lists.sourceforge.net/lists/listinfo/opensc-devel
>>>>>>>
>>>>>> --
>>>>>>
>>>>>>    Douglas E. Engert  <[hidden email]>
>>>>>>
>>>>>>
>>>
>>>


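Added example in C (not OpenSC, IsoApplet or MUSCLE code) for the two identifier sources this thread turns on: it builds the GlobalPlatform-style serial Martin describes (Issuer Identification Number followed by Card Image Number) from the GET DATA tag '42' and '45' responses Philip queries, and applies the selection order Douglas argues for: prefer the PKCS#15 tokeninfo serial when the driver filled it in, fall back to the card-level serial, fail when neither is usable. The TLV responses are constructed, and `mock_tokeninfo` plus every function name here are hypothetical stand-ins, not OpenSC's real structs or API.

```c
/* Added example, not OpenSC/IsoApplet code. Builds a GlobalPlatform-style
 * card serial (IIN || CIN) from GET DATA '42'/'45' responses and applies the
 * identifier-selection order discussed in the thread. All names hypothetical. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_SERIAL 32

/* Parse one primitive BER-TLV object (one-byte tag, short-form length) as
 * returned by GET DATA and check it carries the expected tag. Returns the
 * value length, or -1 if the object is absent, malformed or empty (which is
 * what a card that returns no data for the tag looks like to the caller). */
static int parse_gp_tlv(const uint8_t *rsp, size_t rsp_len, uint8_t want_tag,
                        const uint8_t **value)
{
    if (rsp == NULL || rsp_len < 2 || rsp[0] != want_tag)
        return -1;
    size_t len = rsp[1];
    if (len == 0 || len > 127 || len + 2 > rsp_len)
        return -1;
    *value = rsp + 2;
    return (int)len;
}

/* serial = Issuer Identification Number (tag '42') followed by the Card Image
 * Number (tag '45'). Both must be present; returns serial length or -1. */
int gp_build_serial(const uint8_t *iin_rsp, size_t iin_len,
                    const uint8_t *cin_rsp, size_t cin_len,
                    uint8_t *out, size_t out_len)
{
    const uint8_t *iin, *cin;
    int n_iin = parse_gp_tlv(iin_rsp, iin_len, 0x42, &iin);
    int n_cin = parse_gp_tlv(cin_rsp, cin_len, 0x45, &cin);
    if (n_iin < 0 || n_cin < 0 || (size_t)(n_iin + n_cin) > out_len)
        return -1;
    memcpy(out, iin, (size_t)n_iin);
    memcpy(out + n_iin, cin, (size_t)n_cin);
    return n_iin + n_cin;
}

/* Hypothetical stand-in for the serial_number field of OpenSC's tokeninfo
 * that the minidriver reads in md_set_cardid(); the real struct differs. */
struct mock_tokeninfo {
    const uint8_t *serial_number;
    size_t serial_len;
};

/* Added sanity check: a serial that is all 0x00 or all ASCII '0' (the MUSCLE
 * card in this thread reports "0000") is filled in but cannot distinguish
 * cards, so it must not become the Windows cardId. */
int is_placeholder_serial(const uint8_t *s, size_t n)
{
    size_t zero = 0, ascii0 = 0;
    for (size_t i = 0; i < n; i++) {
        if (s[i] == 0x00) zero++;
        if (s[i] == '0') ascii0++;
    }
    return n == 0 || zero == n || ascii0 == n;
}

/* Selection order: prefer the PKCS#15 tokeninfo serial the driver filled in,
 * otherwise the card-level serial (here the GP IIN||CIN, which an ISO-only
 * driver would fetch through a card_ctl), otherwise fail. Returns length or
 * -1; on -1 there is no stable id, so Windows cannot match cached
 * certificates to the card later. */
int choose_card_serial(const struct mock_tokeninfo *ti,
                       const uint8_t *card_serial, int card_len,
                       uint8_t *out, size_t out_len)
{
    if (ti != NULL && ti->serial_number != NULL && ti->serial_len <= out_len &&
        !is_placeholder_serial(ti->serial_number, ti->serial_len)) {
        memcpy(out, ti->serial_number, ti->serial_len);
        return (int)ti->serial_len;
    }
    if (card_serial != NULL && card_len > 0 && (size_t)card_len <= out_len &&
        !is_placeholder_serial(card_serial, (size_t)card_len)) {
        memcpy(out, card_serial, (size_t)card_len);
        return card_len;
    }
    return -1;
}

int main(void)
{
    /* Constructed GET DATA responses, not captured from a real card. */
    const uint8_t iin_rsp[] = { 0x42, 0x03, 0xA1, 0xB2, 0xC3 };
    const uint8_t cin_rsp[] = { 0x45, 0x04, 0x01, 0x02, 0x03, 0x04 };
    const uint8_t muscle_serial[] = { '0', '0', '0', '0' };  /* the "0000" seen above */
    struct mock_tokeninfo ti = { muscle_serial, sizeof muscle_serial };
    uint8_t gp[MAX_SERIAL], id[MAX_SERIAL];
    int gp_len = gp_build_serial(iin_rsp, sizeof iin_rsp, cin_rsp, sizeof cin_rsp,
                                 gp, sizeof gp);
    int id_len = choose_card_serial(&ti, gp, gp_len, id, sizeof id);
    printf("GP serial: %d bytes; identifier chosen: %d bytes (first byte %02X)\n",
           gp_len, id_len, id_len > 0 ? id[0] : 0);
    return id_len > 0 ? 0 : 1;
}
```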

Re: AT_SIGNATURE and AT_EXCHANGE Problem

Douglas E Engert
In reply to this post by Philip Wendland
After looking closer at the code for minidriver, serial number and card_ctl...

The minidriver in md_set_cardid() uses the serial number from
p15card->tokeninfo->serial_number

The minidriver also calls sc_pkcs15_get_object_guid() in pkcs15.c which *does* call
sc_card_ctl(p15card->card, SC_CARDCTL_GET_SERIALNR, &serialnr);

***THIS MAY BE THE PROBLEM***

Why does  sc_pkcs15_get_object_guid not use p15card->tokeninfo->serial_number?

PKCS#15 defines the ASN.1 TokenInfo which has serialNumber OCTET STRING.

Do all PKCS#15 cards have this file?
Do they all fill in the serial_number?

For cards doing PKCS#15 emulation, their pkcs15-*.c drivers should be filling in the
p15card->tokeninfo->serial_number.

Thus the minidriver should not depend on card-ctl if the p15card->tokeninfo->serial_number
is properly filled in.

So the requirement for windows that a card driver have a card_ctl for serial_number
may be that the p15card->tokeninfo->serial_number must be filled in.


On 1/23/2015 3:52 AM, Philip Wendland wrote:

> Hello Martin Paljak,
>
> On 01/19/2015 07:11 PM, Martin Paljak wrote:
>> Hello,
>>
>> The way to get a "hardware" serial for JavaCard-s is quite well defined by
>> GlobalPlatform: concatenation of Issuer Identification Number + Card Image
>> Number, which are readable without authentication from decent cards (some
>> chinese JavaCard-s are exceptions)
>>
>
> Thanks for the Info. I tried reading those numbers from 4 different Java
> Cards. Although defined by GlobalPlatform:
>
> Security Domains shall support at least the following data object tags:
> • Tag '42': Issuer Identification Number (or Security Domain Provider
> Identification Number);
> • Tag '45': Card Image Number (or Security Domain Image Number);
> • Tag '66': Card Data (or Security Domain Management Data);
>
> only 1 card (a very old Athena Pro 72K - I don't even have ISD keys for
> that card) returned the requested data. Unfortunately, this seems very
> unreliable. Or did I send a wrong request?
>
> I used GET DATA to the ISD:
> cla ins p1p2
> 80  CA  0045 00 and
> 80  CA  0042 00
>
> Maybe deriving the serial number from a certificate/public key is a
> better (more portable) approach. But there might be side-effects that I
> don't think of right now.
> Then again, what certificate should be chosen? There might be more than
> one certificates/public key in the applet. Certificates might also be
> deleted from the filesystem again.


Since serial number is not always defined, and the isoApplet or other applet
may be on a non Global Platform card, the applet may need to provide the equivalent
of a serial number. (This gets complicated if there is more than one applet on a card:
can they all provide the same serial number?)

Even Microsoft does not require a serial number, but a CP_CARD_GUID that in their abstraction
of a smart card is contained in the cardId file.
See https://msdn.microsoft.com/en-us/library/windows/hardware/dn631754
Under V7.07, Section 5.4.1 Card Identifier.

For example the PIV card edge specifications are defined by NIST, and implemented
by multiple vendors. There is no "serial number" or a cardId file, but there is an object
defined called the CHUID.

  https://www.idmanagement.gov/sites/default/files/documents/PACS.pdf

It contains a "Federal Agency Smart Credential Number" (FASC-N) which was used
by the U.S. federal government, but to make the specifications more usable for
non-government, it can also contain a GUID. Section 2 of the above goes into
detail on these.

The OpenSC PIV card driver is emulating PKCS#15, so to get a serial number
pkcs15-piv.c uses card_ctl to have card-piv.c read the CHUID
and use the FASC-N or GUID as defined above. The Microsoft built-in driver will
also use the CHUID, and derive a number it can use as the cardId.

The point being, the intent is to give Microsoft a unique number for a card,
unique in the sense that all the cards used on a local system have different numbers.
(Other uses of the number may require it to be globally unique...)

The same number should be returned by the card each time so cached certificates
can be associated with a card containing the matching key.

How that number is obtained for the card is up to the applet.

>
>> Nevertheless, the presence of the "get serial" card control is out of sync
>> with the rest of the framework. Why is there a mandatory "extension" for
>> something that should be part of the core?

Because it is only mandatory for some systems. It was an afterthought; otherwise ISO 7816
would have defined a serial number.


>> It either should be a required
>> part of the usual card function structure, maybe with some sensible
>> defaults or fallbacks or the "serial" must be derived from some unique data
>> (certificate?) if the callback is not there or no data present.

Yes, but if the card has many certificates, that can be changed independently,
that will not work very well.

One of the first OpenSC commands a user tries is opensc-tool --serial
23 of the 33 or so card-*.c support reading a serial number, because it
is still optional.

Thus the minidriver in md_set_cardid() uses the serial number from
p15card->tokeninfo->serial_number

The minidriver also calls sc_pkcs15_get_object_guid() in pkcs15.c which does call
sc_card_ctl(p15card->card, SC_CARDCTL_GET_SERIALNR, &serialnr);

***THIS MAY BE THE PROBLEM***

Should sc_pkcs15_get_object_guid at p15card->tokeninfo->serial_number?

For a PKCS#15 card with the tokeninfo there
is ASN.1 TokenInfo which has serialNumber OCTET STRING.

For cards doing PKCS#15 emulation, their pkcs15-*.c drivers should be filling in the
p15card->tokeninfo->serial_number.

Thus the minidriver should not depend on cardctl if the



>>
>
> I kind of agree. When writing card drivers for OpenSC you usually look
> at the sc_card_operations struct, for me it was not clear for a long
> time that the SC_CARDCTL_GET_SERIALNR cardctl is required for windows
> functionality.
> (Windows-support was never a requirement for the isoapplet anyway,
> until now.)

I would expect nowadays that Windows support would be highly desirable,
and the OpenSC minidriver can do that if there is a way to get a serial number
from the card driver.


>
>> The question is how to "grow" the framework: either extend the card
>> function pointers (that right now is almost 1:1 ISO and old, first
>> implementations) or via card controls. I would choose extending the card
>> function pointers.
>>
>> Also, the requirements for for the "serial" must be written down: for
>> example, if the serial remains the same but card content changes, does this
>> matter? does this affect some caching somewhere? Is the serial binary or
>> string, how long? Is it supposed to be globally unique or just for a batch?
>>
>> Martin
>>
>> On Mon Jan 19 2015 at 7:55:44 PM Philip Wendland <[hidden email]>
>> wrote:
>>
>>> Hi,
>>>
>>> I will try to solve this problem for the IsoApplet this weekend. My
>>> spare time is limited until then.
>>>
>>> However, the problem will be to find a unique identifier for any generic
>>> card..
>>>
>>> Kind regards,
>>> Philip
>>>
>>> On 19.01.2015 17:26, Douglas E Engert wrote:
>>>> [I should have sent this to the opensc-devel, as others can address some
>>> of your questions
>>>> about the state of the muscle applet and isoapplet].
>>>>
>>>> No, that fix was for the card-itacns.c, you are using the card-muscle.c.
>>>>
>>>> Some equivalent code needs to be added to card-muscle.c, to use whatever
>>>> information is available that
>>>> windows could use to uniquely identify the card. This is then stored
>>> with the certificates in the windows store.
>>>> At a later time, windows uses certificates from the store and can then
>>> prompt to have the card mounted, so it can use the
>>>> matching key on the card.
>>>>
>>>> You or someone else that can test a mod to card-muscle.c could submit a
>>> code change.
>>>>
>>>> There are 33 card-*.c files, 24 support SC_CARDCTL_GET_SERIALNR. 11 do
>>> not.
>>>>
>>>> card-belpic.c
>>>> card-default.c
>>>> card-gemsafeV1.c
>>>> card-ias.c
>>>> card-incrypto34.c
>>>> card-jcop.c
>>>> card-mcrd.c
>>>> card-miocos.c
>>>> card-muscle.c
>>>> card-setcos.c
>>>> iso7816.c
>>>>
>>>> Cards that support SC_CARDCTL_GET_SERIALNR
>>>> card-acos5.c
>>>> card-akis.c
>>>> card-asepcos.c
>>>> card-atrust-acos.c
>>>> card-authentic.c
>>>> card-cardos.c
>>>> card-dnie.c
>>>> card-entersafe.c
>>>> card-epass2003.c
>>>> card-flex.c
>>>> card-gpk.c
>>>> card-iasecc.c
>>>> card-itacns.c
>>>> card-myeid.c
>>>> card-oberthur.c
>>>> card-openpgp.c
>>>> card-piv.c
>>>> card-rtecp.c
>>>> card-rutoken.c
>>>> card-sc-hsm.c
>>>> card-starcos.c
>>>> card-tcos.c
>>>> card-westcos.c
>>>>
>>>>
>>>> To answer some other questions you asked in a private e-mail:
>>>>
>>>> iso7816.c which implements the basic ISO commands does not support any
>>>> card_ctl commands.
>>>> I believe that the IsoApplet is designed to use the iso7816.c. I am not
>>>> sure if the concept of
>>>> a unique "serial number" is part of ISO7816.
>>>>
>>>> I also don't know the state of the muscle applet, or if it has something
>>> that can be used as a serial number either.
>>>>
>>>>
>>>>
>>>> On 1/19/2015 8:37 AM, Michael Heydemann wrote:
>>>>> WOW.. Thank you a lot.. I think I owe you a beer..
>>>>>
>>>>> I checked the fix is from November last year, and the 0.14 version is
>>> from summer last year.
>>>>> Does this mean, that the nightly build could fix this?
>>>>> What version I should pull/download?
>>>>>
>>>>> Thank you a lot,
>>>>> Michael
>>>>>
>>>>>> Am 19.01.2015 um 14:35 schrieb Douglas E Engert <[hidden email]>:
>>>>>>
>>>>>> This is the same problem as:
>>>>>>
>>>>>>    https://github.com/OpenSC/OpenSC/pull/321
>>>>>>
>>>>>>
>>>>>> 2015-01-19 09:49:34.203 [cardmod] card.c:720:sc_card_ctl: called
>>>>>> 2015-01-19 09:49:34.203 card_ctl(5) not supported
>>>>>>
>>>>>> The card-muscle.c (and others in OpenSC) does not support
>>> SC_CARDCTL_GET_SERIALNR
>>>>>> to get a card "serial number" which windows requires.
>>>>>>
>>>>>>
>>>>>>
>>>>>> On 1/19/2015 3:30 AM, Michael Heydemann wrote:
>>>>>>> Dear OpenSC Development Team,
>>>>>>>
>>>>>>> First of all, I would like to say that I really appreciate your great
>>> work.
>>>>>>> I am working on a little project and explored all the nice tools of
>>> OpenSC.
>>>>>>> Unfortunately since one week I cannot get around a certain problem.
>>>>>>> I hope this mailing list is the right place and you can help me with
>>> that.
>>>>>>>
>>>>>>> My project is about  (1) setting up a PKCS#11 key store on a Java
>>> Card,
>>>>>>> (2 ) loading some test data (keys and certificates) on it, and (3)
>>> using the card
>>>>>>> with the Windows 7 Key Management.
>>>>>>>
>>>>>>> Hardware:
>>>>>>> * Card Reader: Omnikey 3121USB
>>>>>>> * Java Card: J2A080 - NXP, 80k
>>>>>>>
>>>>>>> (1) Setting up PKCS#11 key store:
>>>>>>> I have installed Ubuntu 14.04.1 in VirtualBox and wrote a bunch of
>>> bash scripts
>>>>>>> to install all required software, installing muscle applet to the
>>> card, and
>>>>>>> removing the muscle applet from the card. I followed the instructions
>>> on
>>>>>>> http://blog.ev0ke.net/muscle-jcop/ and everything worked well.
>>>>>>>
>>>>>>> (2) Loading some test data:
>>>>>>> I tried some different ways to get some keys and certificates on the
>>> card.
>>>>>>> None of them delivered data which is accepted by Windows 7.
>>>>>>> Here is one set of data I created:
>>>>>>>
>>>>>>> ***************************************************************************************
>>>>>>> Using reader with a card: OMNIKEY CardMan (076B:3022) 3021 00 00
>>>>>>> PKCS#15 Card [MUSCLE]:
>>>>>>> Version        : 0
>>>>>>> Serial number  : 0000
>>>>>>> Manufacturer ID: Identity Alliance
>>>>>>> Last update    : 20150119080705Z
>>>>>>> Flags          : EID compliant
>>>>>>>
>>>>>>> PIN [User PIN]
>>>>>>> Object Flags   : [0x3], private, modifiable
>>>>>>> ID             : 01
>>>>>>> Flags          : [0x10], initialized
>>>>>>> Length         : min_len:4, max_len:8, stored_len:8
>>>>>>> Pad char       : 0x00
>>>>>>> Reference      : 1
>>>>>>> Type           : ascii-numeric
>>>>>>> Path           : 3f005015
>>>>>>>
>>>>>>> Private RSA Key [Card Owner]
>>>>>>> Object Flags   : [0x3], private, modifiable
>>>>>>> Usage          : [0x2E], decrypt, sign, signRecover, unwrap
>>>>>>> Access Flags   : [0x0]
>>>>>>> ModLength      : 1024
>>>>>>> Key ref        : 0 (0x0)
>>>>>>> Native         : yes
>>>>>>> Path           : 3f005015
>>>>>>> Auth ID        : 01
>>>>>>> ID             : 01
>>>>>>>
>>>>>>> Public RSA Key [Card Owner]
>>>>>>> Object Flags   : [0x2], modifiable
>>>>>>> Usage          : [0xD1], encrypt, wrap, verify, verifyRecover
>>>>>>> Access Flags   : [0x0]
>>>>>>> ModLength      : 1024
>>>>>>> Key ref        : 0
>>>>>>> Native         : no
>>>>>>> Path           : 3f0050153000
>>>>>>> ID             : 01
>>>>>>>
>>>>>>> X.509 Certificate [Card Owner Certificate]
>>>>>>> Object Flags   : [0x2], modifiable
>>>>>>> Authority      : no
>>>>>>> Path           : 3f0050153100
>>>>>>> ID             : 01
>>>>>>> Encoded serial : 02 09 00F695059953A904F9
>>>>>>>
>>>>>>> X.509 Certificate [Contact 2 Certificate]
>>>>>>> Object Flags   : [0x2], modifiable
>>>>>>> Authority      : no
>>>>>>> Path           : 3f0050153101
>>>>>>> ID             : 02
>>>>>>> Encoded serial : 02 09 00F695059953A904F9
>>>>>>>
>>>>>>> X.509 Certificate [Contact 3 Certificate]
>>>>>>> Object Flags   : [0x2], modifiable
>>>>>>> Authority      : no
>>>>>>> Path           : 3f0050153102
>>>>>>> ID             : 03
>>>>>>> Encoded serial : 02 09 00F695059953A904F9
>>>>>>>
>>>>>>> X.509 Certificate [Contact 4 Certificate]
>>>>>>> Object Flags   : [0x2], modifiable
>>>>>>> Authority      : no
>>>>>>> Path           : 3f0050153103
>>>>>>> ID             : 04
>>>>>>> Encoded serial : 02 09 00F695059953A904F9
>>>>>>>
>>>>>>> X.509 Certificate [Contact 5 Certificate]
>>>>>>> Object Flags   : [0x2], modifiable
>>>>>>> Authority      : no
>>>>>>> Path           : 3f0050153104
>>>>>>> ID             : 05
>>>>>>> Encoded serial : 02 09 00F695059953A904F9
>>>>>>> ***************************************************************************************
>>>>>>>
>>>>>>> (3) Using the card in Windows 7:
>>>>>>> I installed Windows 7 64 Bit in a VirtualBox and installed
>>>>>>> OpenSC-0.12.2-win64.msi. I also tried OpenSC-0.14.0-win64.msi,
>>>>>>> but with the same result.
>>>>>>> I acquired the ATR of the card and properly installed my opens-minidriver.inf:
>>>>>>>
>>>>>>> ***************************************************************************************
>>>>>>> [Version]
>>>>>>> Signature="$Windows NT$"
>>>>>>> Class=SmartCard
>>>>>>> ClassGuid={990A2BD7-E738-46c7-B26F-1CF8FB9F1391}
>>>>>>> Provider=%ProviderName%
>>>>>>> CatalogFile=delta.cat
>>>>>>> DriverVer=05/02/2010,@OPENSC_VERSION_MAJOR@,@OPENSC_VERSION_MINOR@,@OPENSC_VERSION_FIX@,0
>>>>>>>
>>>>>>> [Manufacturer]
>>>>>>> %ProviderName%=Minidriver,NTamd64,NTamd64.6.1,NTx86,NTx86.6.1
>>>>>>>
>>>>>>> [Minidriver.NTamd64]
>>>>>>> %CardDeviceName%=Minidriver64_Install,SCFILTER\CID_00640181010c829000
>>>>>>>
>>>>>>> [Minidriver.NTx86]
>>>>>>> %CardDeviceName%=Minidriver32_Install,SCFILTER\CID_00640181010c829000
>>>>>>>
>>>>>>> [Minidriver.NTamd64.6.1]
>>>>>>> %CardDeviceName%=Minidriver64_61_Install,SCFILTER\CID_00640181010c829000
>>>>>>>
>>>>>>> [Minidriver.NTx86.6.1]
>>>>>>> %CardDeviceName%=Minidriver32_61_Install,SCFILTER\CID_00640181010c829000
>>>>>>>
>>>>>>> [DefaultInstall]
>>>>>>> CopyFiles=x86_CopyFiles
>>>>>>> AddReg=AddRegDefault
>>>>>>>
>>>>>>> [DefaultInstall.ntamd64]
>>>>>>> CopyFiles=amd64_CopyFiles
>>>>>>> CopyFiles=wow64_CopyFiles
>>>>>>> AddReg=AddRegWOW64
>>>>>>> AddReg=AddRegDefault
>>>>>>>
>>>>>>> [DefaultInstall.NTx86]
>>>>>>> CopyFiles=x86_CopyFiles
>>>>>>> AddReg=AddRegDefault
>>>>>>>
>>>>>>> [DefaultInstall.ntamd64.6.1]
>>>>>>> AddReg=AddRegWOW64
>>>>>>> AddReg=AddRegDefault
>>>>>>>
>>>>>>> [DefaultInstall.NTx86.6.1]
>>>>>>> AddReg=AddRegDefault
>>>>>>>
>>>>>>> [SourceDisksFiles]
>>>>>>> %SmartCardCardModule%=1
>>>>>>> %SmartCardCardModule64%=1
>>>>>>>
>>>>>>> [SourceDisksNames]
>>>>>>> 1 = %MediaDescription%
>>>>>>>
>>>>>>> [Minidriver64_Install.NT]
>>>>>>> CopyFiles=amd64_CopyFiles
>>>>>>> CopyFiles=wow64_CopyFiles
>>>>>>> AddReg=AddRegWOW64
>>>>>>> AddReg=AddRegDefault
>>>>>>>
>>>>>>> [Minidriver64_61_Install.NT]
>>>>>>> AddReg=AddRegWOW64
>>>>>>> AddReg=AddRegDefault
>>>>>>> Include=umpass.inf
>>>>>>> Needs=UmPass
>>>>>>>
>>>>>>> [Minidriver32_Install.NT]
>>>>>>> CopyFiles=x86_CopyFiles
>>>>>>> AddReg=AddRegDefault
>>>>>>>
>>>>>>> [Minidriver32_61_Install.NT]
>>>>>>> AddReg=AddRegDefault
>>>>>>> Include=umpass.inf
>>>>>>> Needs=UmPass
>>>>>>>
>>>>>>> [Minidriver64_61_Install.NT.Services]
>>>>>>> Include=umpass.inf
>>>>>>> Needs=UmPass.Services
>>>>>>>
>>>>>>> [Minidriver32_61_Install.NT.Services]
>>>>>>> Include=umpass.inf
>>>>>>> Needs=UmPass.Services
>>>>>>>
>>>>>>>
>>>>>>> [Minidriver64_61_Install.NT.HW]
>>>>>>> Include=umpass.inf
>>>>>>> Needs=UmPass.HW
>>>>>>>
>>>>>>> [Minidriver64_61_Install.NT.CoInstallers]
>>>>>>> Include=umpass.inf
>>>>>>> Needs=UmPass.CoInstallers
>>>>>>>
>>>>>>>
>>>>>>> [Minidriver64_61_Install.NT.Interfaces]
>>>>>>> Include=umpass.inf
>>>>>>> Needs=UmPass.Interfaces
>>>>>>>
>>>>>>>
>>>>>>> [Minidriver32_61_Install.NT.HW]
>>>>>>> Include=umpass.inf
>>>>>>> Needs=UmPass.HW
>>>>>>>
>>>>>>> [Minidriver32_61_Install.NT.CoInstallers]
>>>>>>> Include=umpass.inf
>>>>>>> Needs=UmPass.CoInstallers
>>>>>>>
>>>>>>>
>>>>>>> [Minidriver32_61_Install.NT.Interfaces]
>>>>>>> Include=umpass.inf
>>>>>>> Needs=UmPass.Interfaces
>>>>>>>
>>>>>>>
>>>>>>> [amd64_CopyFiles]
>>>>>>> ;%SmartCardCardModule%,%SmartCardCardModule64%
>>>>>>>
>>>>>>> [x86_CopyFiles]
>>>>>>> ;%SmartCardCardModule%
>>>>>>>
>>>>>>> [wow64_CopyFiles]
>>>>>>> ;%SmartCardCardModule64%
>>>>>>>
>>>>>>> [AddRegWOW64]
>>>>>>> HKLM, %SmartCardNameWOW64%,"ATR",0x00000001,3b,f8,13,00,00,81,31,fe,45,4A,43,4f,50,76,32,34,31,b7
>>>>>>> HKLM, %SmartCardNameWOW64%,"ATRMask",0x00000001,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff
>>>>>>> HKLM, %SmartCardNameWOW64%,"Crypto Provider",0x00000000,"Microsoft Base Smart Card Crypto Provider"
>>>>>>> HKLM, %SmartCardNameWOW64%,"Smart Card Key Storage Provider",0x00000000,"Microsoft Smart Card Key Storage Provider"
>>>>>>> HKLM, %SmartCardNameWOW64%,"80000001",0x00000000,%SmartCardCardModule64%
>>>>>>>
>>>>>>> [AddRegDefault]
>>>>>>> HKLM, %SmartCardName%,"ATR",0x00000001,3b,f8,13,00,00,81,31,fe,45,4A,43,4f,50,76,32,34,31,b7
>>>>>>> HKLM, %SmartCardName%,"ATRMask",0x00000001,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff
>>>>>>> HKLM, %SmartCardName%,"Crypto Provider",0x00000000,"Microsoft Base Smart Card Crypto Provider"
>>>>>>> HKLM, %SmartCardName%,"Smart Card Key Storage Provider",0x00000000,"Microsoft Smart Card Key Storage Provider"
>>>>>>> HKLM, %SmartCardName%,"80000001",0x00000000,%SmartCardCardModule%
>>>>>>>
>>>>>>> [DestinationDirs]
>>>>>>> amd64_CopyFiles=10,system32
>>>>>>> x86_CopyFiles=10,system32
>>>>>>> wow64_CopyFiles=10,syswow64
>>>>>>>
>>>>>>>
>>>>>>> ; =================== Generic ==================================
>>>>>>>
>>>>>>> [Strings]
>>>>>>> ProviderName="OpenSC"
>>>>>>> MediaDescription="OpenSC Card Minidriver Installation Disk"
>>>>>>> CardDeviceName="Muscle Card"
>>>>>>> SmartCardName="SOFTWARE\Microsoft\Cryptography\Calais\SmartCards\Muscle Card"
>>>>>>> SmartCardNameWOW64="SOFTWARE\Wow6432Node\Microsoft\Cryptography\Calais\SmartCards\Muscle Card"
>>>>>>> SmartCardCardModule="opensc-minidriver.dll"
>>>>>>> ***************************************************************************************
>>>>>>>
>>>>>>> When the card is inserted the driver is used as shown in device manager
>>>>>>> as well as in certutil.exe.
>>>>>>> Now here is the actual problem:
>>>>>>> When I try to use the card with certutil.exe -SCinfo several times a dialog pops up
>>>>>>> complaining that the card does not have the required functions.
>>>>>>> The terminal output is like this. I am sorry for pasting this in German.
>>>>>>> I added some translations:
>>>>>>>
>>>>>>> ***************************************************************************************
>>>>>>> Microsoft Windows [Version 6.1.7601]
>>>>>>> Copyright (c) 2009 Microsoft Corporation. Alle Rechte vorbehalten.
>>>>>>>
>>>>>>> C:\Users\developer>certutil -scinfo
>>>>>>> Die Microsoft Smartcard-Ressourcenverwaltung wird ausgeführt.
>>>>>>> Aktueller Leser-/Kartenstatus: (Current Reader/Card Status)
>>>>>>> Leser: 1 (Reader: 1)
>>>>>>>     0: OMNIKEY CardMan 3x21 0
>>>>>>> --- Leser: OMNIKEY CardMan 3x21 0 (Reader)
>>>>>>> --- Status: SCARD_STATE_PRESENT | SCARD_STATE_UNPOWERED
>>>>>>> --- Status: Die Smartcard kann verwendet werden.
>>>>>>> ---  Karte: Muscle Card
>>>>>>> ---    ATR:
>>>>>>>           3b f8 13 00 00 81 31 fe  45 4a 43 4f 50 76 32 34   ;.....1.EJCOPv24
>>>>>>>           31 b7                                              1.
>>>>>>>
>>>>>>>
>>>>>>> =======================================================
>>>>>>> Karte im Leser wird analysiert: OMNIKEY CardMan 3x21 0 (Trans: The card in the reader is being analyzed)
>>>>>>>
>>>>>>> --------------===========================--------------
>>>>>>> ================ Zertifikat 0 ================ (Trans: Certificate 0)
>>>>>>> --- Leser: OMNIKEY CardMan 3x21 0 (Reader)
>>>>>>> ---  Karte: Muscle Card
>>>>>>> Anbieter = Microsoft Base Smart Card Crypto Provider
>>>>>>> Schlüsselcontainer = (null) [Standardcontainer] (Trans: standard container)
>>>>>>>
>>>>>>> Schlüssel "AT_SIGNATURE" kann nicht geöffnet werden für Leser: OMNIKEY CardMan 3x21 0 (Trans: Key „AT_SIGNATURE“ could not be opened)
>>>>>>> Schlüssel "AT_KEYEXCHANGE" kann nicht geöffnet werden für Leser: OMNIKEY CardMan 3x21 0 (Trans: Key „AT_SIGNATURE“ could not be opened)
>>>>>>>
>>>>>>> --------------===========================--------------
>>>>>>> ================ Zertifikat 0 ================
>>>>>>> --- Leser: OMNIKEY CardMan 3x21 0
>>>>>>> ---  Karte: Smart Security Device (Brainchild)
>>>>>>> Anbieter = Microsoft Smart Card Key Storage Provider
>>>>>>> Schlüsselcontainer = (null) [Standardcontainer]
>>>>>>>
>>>>>>> Schlüssel "" kann nicht geöffnet werden für Leser: OMNIKEY CardMan 3x21 0 (Trans: Key „“ could not be opened)
>>>>>>>
>>>>>>> --------------===========================--------------
>>>>>>>
>>>>>>> Fertig.
>>>>>>> CertUtil: -SCInfo-Befehl wurde erfolgreich ausgeführt. (Trans: -SCinfo command has been executed with success)
>>>>>>> ***************************************************************************************
>>>>>>>
>>>>>>> I also configured to use a log file in opensc.conf and debug level 9.
>>>>>>> Unfortunately the file is about 2.5 MB. I try to add it as an attachment to this mail,
>>>>>>> but I am not sure if this is working with a mailing list.
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> I already inspected the log, but found nothing suspicious.
>>>>>>> I think maybe there has to be one private key marked
>>>>>>> for use as AT_SIGNATURE and one for AT_EXCHANGE.
>>>>>>> But how?
>>>>>>>
>>>>>>> Or maybe I am completely wrong and something different is going wrong.
>>>>>>>
>>>>>>> Any help would be appreciated!
>>>>>>>
>>>>>>> Best Regards,
>>>>>>> Michael
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> ------------------------------------------------------------
>>> ------------------
>>>>>>> New Year. New Location. New Benefits. New Data Center in Ashburn, VA.
>>>>>>> GigeNET is offering a free month of service with a new server in
>>> Ashburn.
>>>>>>> Choose from 2 high performing configs, both with 100TB of bandwidth.
>>>>>>> Higher redundancy.Lower latency.Increased capacity.Completely
>>> compliant.
>>>>>>> http://p.sf.net/sfu/gigenet
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> _______________________________________________
>>>>>>> Opensc-devel mailing list
>>>>>>> [hidden email]
>>>>>>> https://lists.sourceforge.net/lists/listinfo/opensc-devel
>>>>>>>
>>>>>>
>>>>>> --
>>>>>>
>>>>>>    Douglas E. Engert  <[hidden email]>
>>>>>>
>>>>>>
>>>>>
>>>>
>>>
>>>
>>>
>>
>
>

--

  Douglas E. Engert  <[hidden email]>


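The thread keeps coming back to one point: the Windows minidriver path needs a stable card serial, card-muscle.c offers none (SC_CARDCTL_GET_SERIALNR unsupported), and the pkcs15-tool dump above reports a degenerate `Serial number : 0000`. The following Python is an added example written for this page, not OpenSC, MuscleApplet or IsoApplet code. It shows the two sources discussed in the thread side by side: the GlobalPlatform GET DATA for the Issuer Identification Number (tag 42) and Card Image Number (tag 45), built exactly as the thread gives the APDU (CLA 80, INS CA, P1P2 = tag), and the fallback of deriving a serial from the first certificate found when the card answers without those objects, which is what most of the cards tested in the thread did. All APDU responses and the certificate bytes are constructed sample data; every function name is mine.

```python
"""Added example (not OpenSC, IsoApplet or MuscleApplet code): obtaining a token
serial for the Windows minidriver path from a JavaCard, following the two
approaches discussed in this thread."""
import hashlib
from typing import Dict, List, Optional, Tuple

# GlobalPlatform data object tags named in the thread.
TAG_IIN = 0x42  # Issuer Identification Number
TAG_CIN = 0x45  # Card Image Number


def get_data_apdu(tag: int) -> bytes:
    """GET DATA to the ISD as given in the thread: CLA 80, INS CA, P1P2 = tag, Le = 00."""
    return bytes([0x80, 0xCA, (tag >> 8) & 0xFF, tag & 0xFF, 0x00])


def split_status(resp: bytes) -> Tuple[bytes, int]:
    """Separate response data from the trailing SW1SW2 status word."""
    if len(resp) < 2:
        raise ValueError("response shorter than a status word")
    return resp[:-2], int.from_bytes(resp[-2:], "big")


def parse_tlv(data: bytes) -> Dict[int, bytes]:
    """Minimal BER-TLV parser: one- or two-byte tags, short or long-form lengths."""
    out: Dict[int, bytes] = {}
    i = 0
    while i < len(data):
        tag = data[i]
        i += 1
        if (tag & 0x1F) == 0x1F:          # two-byte tag
            tag = (tag << 8) | data[i]
            i += 1
        if i >= len(data):
            raise ValueError("TLV truncated before length byte")
        length = data[i]
        i += 1
        if length & 0x80:                 # long-form length
            n = length & 0x7F
            length = int.from_bytes(data[i:i + n], "big")
            i += n
        if i + length > len(data):
            raise ValueError("TLV value runs past end of data")
        out[tag] = data[i:i + length]
        i += length
    return out


def gp_data_object(resp: bytes, tag: int) -> Optional[bytes]:
    """Value of `tag` from a GET DATA response; None when the card has no such
    object (e.g. SW 6A88, referenced data not found)."""
    data, sw = split_status(resp)
    if sw != 0x9000:
        return None
    return parse_tlv(data).get(tag)


def serial_from_gp(iin_resp: bytes, cin_resp: bytes) -> Optional[bytes]:
    """IIN || CIN as suggested in the thread; None if either object is missing."""
    iin = gp_data_object(iin_resp, TAG_IIN)
    cin = gp_data_object(cin_resp, TAG_CIN)
    if not iin or not cin:
        return None
    return iin + cin


def serial_from_certificate(cert_der: bytes, length: int = 8) -> bytes:
    """Fallback (option 2 in the thread): fixed-length digest of the first
    certificate found. Stable only as long as that certificate's DER is kept."""
    return hashlib.sha256(cert_der).digest()[:length]


def is_usable_serial(serial: Optional[bytes]) -> bool:
    """Reject empty or degenerate values such as the '0000' in the pkcs15-tool dump."""
    return bool(serial) and any(b not in (0x00, 0xFF) for b in serial)


def choose_serial(iin_resp: bytes, cin_resp: bytes,
                  certs: List[bytes]) -> Tuple[Optional[bytes], str]:
    """Return (serial, source): prefer the GP hardware serial, then a certificate."""
    gp = serial_from_gp(iin_resp, cin_resp)
    if is_usable_serial(gp):
        return gp, "globalplatform"
    if certs:
        return serial_from_certificate(certs[0]), "certificate"
    return None, "none"


# Constructed sample responses (not captured from a real card).
IIN_RESP = bytes.fromhex("42 04 01 02 03 04 90 00")
CIN_RESP = bytes.fromhex("45 08 00 11 22 33 44 55 66 77 90 00")
NO_DATA_RESP = bytes.fromhex("6A 88")           # referenced data not found
CERT_DER = b"\x30\x82\x01\x00" + b"placeholder, not a real certificate"

if __name__ == "__main__":
    print("GET DATA APDU for tag 45:", get_data_apdu(TAG_CIN).hex())
    for label, cin in (("card with IIN/CIN", CIN_RESP), ("card without CIN", NO_DATA_RESP)):
        serial, source = choose_serial(IIN_RESP, cin, [CERT_DER])
        print(f"{label}: serial={serial.hex() if serial else None} source={source}")
```

The ordering in `choose_serial` mirrors the thread's preference: a hardware identifier where the card exposes one, otherwise something derived from card content, with the caveat Philip raises that a certificate-derived serial changes meaning if that certificate is later deleted.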

Re: AT_SIGNATURE and AT_EXCHANGE Problem

Douglas E Engert
In reply to this post by Philip Wendland


On 1/23/2015 9:48 AM, Philip Wendland wrote:

> Hello,
>
> Michael Heydemann helped me trying to find a solution for this. He was
> as well not able to read the Issuer Identification Number or Card Image
> Number from his Java Card(s).
> I tried to use STORE DATA to maybe write those numbers on uninitialized
> Java Cards, but did not have success either. Unless we missed something,
> the GP method of obtaining serial numbers seems to be too unreliable.
>
> A solution we thought of would be to write a number to the applet's
> filesystem that stays the same for the applet's lifecycle. I am still
> not sure what the best approach would be:

See my previous reply. The PKCS#15 ASN.1 object should have the serialNumber.
OpenSC supports PKCS#15 cards, or cards that emulate PKCS#15, which
requires them to have filled in p15card->tokeninfo->serial_number.

The real problem may be that sc_pkcs15_get_object_guid() in pkcs15.c
does not use p15card->tokeninfo->serial_number but calls
sc_card_ctl(p15card->card, SC_CARDCTL_GET_SERIALNR, &serialnr);


> 1) Let the user define a serial number. He can ensure that the serial
> number is unique among all the cards in the given environment.
> 2) Derive a serial number based on the first certificate that was found.
> The serial will stay the same even if the certificate will be removed
> later. If no certificate was found, use a public key for derivation. If
> no public key was found, fail.
> 3) Use a random number.
>
> Opinions on this matter are highly appreciated. Thanks!
>
>
> Kind regards,
> Philip
>
> Am 1/23/2015 10:52 AM, schrieb Philip Wendland:
>> Hello Martin Paljak,
>>
>> On 01/19/2015 07:11 PM, Martin Paljak wrote:
>>> Hello,
>>>
>>> The way to get a "hardware" serial for JavaCard-s is quite well defined by
>>> GlobalPlatform: concatenation of Issuer Identification Number + Card Image
>>> Number, which are readable without authentication from decent cards (some
>>> chinese JavaCard-s are exceptions)
>>>
>> Thanks for the Info. I tried reading those numbers from 4 different Java
>> Cards. Although defined by GlobalPlatform:
>>
>> Security Domains shall support at least the following data object tags:
>> • Tag '42': Issuer Identification Number (or Security Domain Provider
>> Identification Number);
>> • Tag '45': Card Image Number (or Security Domain Image Number);
>> • Tag '66': Card Data (or Security Domain Management Data);
>>
>> only 1 card (a very old Athena Pro 72K - I don't even have ISD keys for
>> that card) returned the requested data. Unfortunately, this seems very
>> unreliable. Or did I send a wrong request?
>>
>> I used GET DATA to the ISD:
>> cla ins p1p2
>> 80  CA  0045 00 and
>> 80  CA  0042 00
>>
>> Maybe deriving the serial number from a certificate/public key is a
>> better (more portable) approach. But there might be side-effects that I
>> don't think of right now.
>> Then again, what certificate should be chosen? There might be more than
>> one certificates/public key in the applet. Certificates might also be
>> deleted from the filesystem again.
>>
>>> Nevertheless, the presence of the "get serial" card control is out of sync
>>> with the rest of the framework. Why is there a mandatory "extension" for
>>> something that should be part of the core? It either should be a required
>>> part of the usual card function structure, maybe with some sensible
>>> defaults or fallbacks or the "serial" must derived from some unique data
>>> (certificate?) if the callback is not there or no data present.
>>>
>> I kind of agree. When writing card drivers for OpenSC you usually look
>> at the sc_card_operations struct, for me it was not clear for a long
>> time that the SC_CARDCTL_GET_SERIALNR cardctl is required for windows
>> functionality.
>> (Windows-support was never a requirement for the isoapplet anyway,
>> until now.)
>>
>>> The question is how to "grow" the framework: either extend the card
>>> function pointers (that right now is almost 1:1 ISO and old, first
>>> implementations) or via card controls. I would choose extending the card
>>> function pointers.
>>>
>>> Also, the requirements for the "serial" must be written down: for
>>> example, if the serial remains the same but card content changes, does this
>>> matter? does this affect some caching somewhere? Is the serial binary or
>>> string, how long? Is it supposed to be globally unique or just for a batch?
>>>
>>> Martin
>>>
>>> On Mon Jan 19 2015 at 7:55:44 PM Philip Wendland <[hidden email]>
>>> wrote:
>>>
>>>> Hi,
>>>>
>>>> I will try to solve this problem for the IsoApplet this weekend. My
>>>> spare time is limited until then.
>>>>
>>>> However, the problem will be to find a unique identifier for any generic
>>>> card..
>>>>
>>>> Kind regards,
>>>> Philip
>>>>
>>>> On 19.01.2015 17:26, Douglas E Engert wrote:
>>>>> [I should have sent this to the opensc-devel, as others can address some of your questions
>>>>> about the state of the muscle applet and isoapplet].
>>>>>
>>>>> No, that fix was for the card-itacns.c, you are using the card-muscle.c.
>>>>>
>>>>> Some equivalent code needs to be added to card-muscle.c, to use whatever information is available that
>>>>> windows could use to uniquely identify the card. This is then stored with the certificates in the windows store.
>>>>> At a later time, windows uses certificates from the store and can then prompt to have the card mounted, so it can use the
>>>>> matching key on the card.
>>>>>
>>>>> You or someone else that can test a mod to card-muscle.c could submit a code change.
>>>>> There are 33 card-*.c files, 24 support SC_CARDCTL_GET_SERIALNR. 11 do not.
>>>>> card-belpic.c
>>>>> card-default.c
>>>>> card-gemsafeV1.c
>>>>> card-ias.c
>>>>> card-incrypto34.c
>>>>> card-jcop.c
>>>>> card-mcrd.c
>>>>> card-miocos.c
>>>>> card-muscle.c
>>>>> card-setcos.c
>>>>> iso7816.c
>>>>>
>>>>> Cards that support SC_CARDCTL_GET_SERIALNR
>>>>> card-acos5.c
>>>>> card-akis.c
>>>>> card-asepcos.c
>>>>> card-atrust-acos.c
>>>>> card-authentic.c
>>>>> card-cardos.c
>>>>> card-dnie.c
>>>>> card-entersafe.c
>>>>> card-epass2003.c
>>>>> card-flex.c
>>>>> card-gpk.c
>>>>> card-iasecc.c
>>>>> card-itacns.c
>>>>> card-myeid.c
>>>>> card-oberthur.c
>>>>> card-openpgp.c
>>>>> card-piv.c
>>>>> card-rtecp.c
>>>>> card-rutoken.c
>>>>> card-sc-hsm.c
>>>>> card-starcos.c
>>>>> card-tcos.c
>>>>> card-westcos.c
>>>>>
>>>>>
>>>>> To answer some other questions you asked in a private e-mail:
>>>>>
>>>>> iso7816.c which implements the basic ISO commands does not support any card_ctl commands.
>>>>> I believe that the IsoApplet is designed to use the iso7816.c. I am not sure if the concept of
>>>>> a unique "serial number" is part of ISO7816.
>>>>>
>>>>> I also don't know the state of the muscle applet, or if it has something that can be used as a serial number either.
>>>>>
>>>>>
>>>>> On 1/19/2015 8:37 AM, Michael Heydemann wrote:
>>>>>> WOW.. Thank you a lot.. I think I owe you a beer..
>>>>>>
>>>>>> I checked the fix is from November last year, and the 0.14 version is from summer last year.
>>>>>> Does this mean, that the nightly build could fix this?
>>>>>> What version I should pull/download?
>>>>>>
>>>>>> Thank you a lot,
>>>>>> Michael
>>>>>>
>>>>>>> Am 19.01.2015 um 14:35 schrieb Douglas E Engert <[hidden email]>:
>>>>>>>
>>>>>>> This is the same problem as:
>>>>>>>
>>>>>>>     https://github.com/OpenSC/OpenSC/pull/321
>>>>>>>
>>>>>>>
>>>>>>> 2015-01-19 09:49:34.203 [cardmod] card.c:720:sc_card_ctl: called
>>>>>>> 2015-01-19 09:49:34.203 card_ctl(5) not supported
>>>>>>>
>>>>>>> The card-muscle.c (and others in OpenSC) does not support SC_CARDCTL_GET_SERIALNR
>>>>>>> to get a card "serial number" which windows requires.
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> On 1/19/2015 3:30 AM, Michael Heydemann wrote:
>>>>>>>> Dear OpenSC Development Team,
>>>>>>>>
>>>>>>>> First of all, I would like to say that I really appreciate your great work.
>>>>>>>> I am working on a little project and explored all the nice tools of OpenSC.
>>>>>>>> Unfortunately, for one week now I cannot get around a certain problem.
>>>>>>>> I hope this mailing list is the right place and you can help me with that.
>>>>>>>>
>>>>>>>> My project is about (1) setting up a PKCS#11 key store on a Java Card,
>>>>>>>> (2) loading some test data (keys and certificates) on it, and (3) using the card
>>>>>>>> with the Windows 7 Key Management.
>>>>>>>>
>>>>>>>> Hardware:
>>>>>>>> * Card Reader: Omnikey 3121USB
>>>>>>>> * Java Card: J2A080 - NXP, 80k
>>>>>>>>
>>>>>>>> (1) Setting up PKCS#11 key store:
>>>>>>>> I have installed Ubuntu 14.04.1 in VirtualBox and wrote a bunch of bash scripts
>>>>>>>> to install all required software, installing muscle applet to the card, and
>>>>>>>> removing the muscle applet from the card. I followed the instructions on
>>>>>>>> http://blog.ev0ke.net/muscle-jcop/ and everything worked well.
>>>>>>>>
>>>>>>>> (2) Loading some test data:
>>>>>>>> I tried some different ways to get some keys and certificates on the card.
>>>>>>>> None of them delivered data which is accepted by Windows 7.
>>>>>>>> Here is one set of data I created:
>>>>>>>>
>>>>>>>> ***************************************************************************************
>>>>>>>> Using reader with a card: OMNIKEY CardMan (076B:3022) 3021 00 00
>>>>>>>> PKCS#15 Card [MUSCLE]:
>>>>>>>> Version        : 0
>>>>>>>> Serial number  : 0000
>>>>>>>> Manufacturer ID: Identity Alliance
>>>>>>>> Last update    : 20150119080705Z
>>>>>>>> Flags          : EID compliant
>>>>>>>>
>>>>>>>> PIN [User PIN]
>>>>>>>> Object Flags   : [0x3], private, modifiable
>>>>>>>> ID             : 01
>>>>>>>> Flags          : [0x10], initialized
>>>>>>>> Length         : min_len:4, max_len:8, stored_len:8
>>>>>>>> Pad char       : 0x00
>>>>>>>> Reference      : 1
>>>>>>>> Type           : ascii-numeric
>>>>>>>> Path           : 3f005015
>>>>>>>>
>>>>>>>> Private RSA Key [Card Owner]
>>>>>>>> Object Flags   : [0x3], private, modifiable
>>>>>>>> Usage          : [0x2E], decrypt, sign, signRecover, unwrap
>>>>>>>> Access Flags   : [0x0]
>>>>>>>> ModLength      : 1024
>>>>>>>> Key ref        : 0 (0x0)
>>>>>>>> Native         : yes
>>>>>>>> Path           : 3f005015
>>>>>>>> Auth ID        : 01
>>>>>>>> ID             : 01
>>>>>>>>
>>>>>>>> Public RSA Key [Card Owner]
>>>>>>>> Object Flags   : [0x2], modifiable
>>>>>>>> Usage          : [0xD1], encrypt, wrap, verify, verifyRecover
>>>>>>>> Access Flags   : [0x0]
>>>>>>>> ModLength      : 1024
>>>>>>>> Key ref        : 0
>>>>>>>> Native         : no
>>>>>>>> Path           : 3f0050153000
>>>>>>>> ID             : 01
>>>>>>>>
>>>>>>>> X.509 Certificate [Card Owner Certificate]
>>>>>>>> Object Flags   : [0x2], modifiable
>>>>>>>> Authority      : no
>>>>>>>> Path           : 3f0050153100
>>>>>>>> ID             : 01
>>>>>>>> Encoded serial : 02 09 00F695059953A904F9
>>>>>>>>
>>>>>>>> X.509 Certificate [Contact 2 Certificate]
>>>>>>>> Object Flags   : [0x2], modifiable
>>>>>>>> Authority      : no
>>>>>>>> Path           : 3f0050153101
>>>>>>>> ID             : 02
>>>>>>>> Encoded serial : 02 09 00F695059953A904F9
>>>>>>>>
>>>>>>>> X.509 Certificate [Contact 3 Certificate]
>>>>>>>> Object Flags   : [0x2], modifiable
>>>>>>>> Authority      : no
>>>>>>>> Path           : 3f0050153102
>>>>>>>> ID             : 03
>>>>>>>> Encoded serial : 02 09 00F695059953A904F9
>>>>>>>>
>>>>>>>> X.509 Certificate [Contact 4 Certificate]
>>>>>>>> Object Flags   : [0x2], modifiable
>>>>>>>> Authority      : no
>>>>>>>> Path           : 3f0050153103
>>>>>>>> ID             : 04
>>>>>>>> Encoded serial : 02 09 00F695059953A904F9
>>>>>>>>
>>>>>>>> X.509 Certificate [Contact 5 Certificate]
>>>>>>>> Object Flags   : [0x2], modifiable
>>>>>>>> Authority      : no
>>>>>>>> Path           : 3f0050153104
>>>>>>>> ID             : 05
>>>>>>>> Encoded serial : 02 09 00F695059953A904F9
>>>>>>>> ***************************************************************************************
>>>>>>>>
>>>>>>>> (3) Using the card in Windows 7:
>>>>>>>> I installed Windows 7 64 Bit in a VirtualBox and installed
>>>>>>>> OpenSC-0.12.2-win64.msi. I also tried OpenSC-0.14.0-win64.msi,
>>>>>>>> but with the same result.
>>>>>>>> I acquired the ATR of the card and properly installed my opens-minidriver.inf:
>>>>>>>>
>>>>>>>> ***************************************************************************************
>>>>>>>> [Version]
>>>>>>>> Signature="$Windows NT$"
>>>>>>>> Class=SmartCard
>>>>>>>> ClassGuid={990A2BD7-E738-46c7-B26F-1CF8FB9F1391}
>>>>>>>> Provider=%ProviderName%
>>>>>>>> CatalogFile=delta.cat
>>>>>>>> DriverVer=05/02/2010,@OPENSC_VERSION_MAJOR@,@OPENSC_VERSION_MINOR@,@OPENSC_VERSION_FIX@,0
>>>>>>>>
>>>>>>>> [Manufacturer]
>>>>>>>> %ProviderName%=Minidriver,NTamd64,NTamd64.6.1,NTx86,NTx86.6.1
>>>>>>>>
>>>>>>>> [Minidriver.NTamd64]
>>>>>>>> %CardDeviceName%=Minidriver64_Install,SCFILTER\CID_00640181010c829000
>>>>>>>>
>>>>>>>> [Minidriver.NTx86]
>>>>>>>> %CardDeviceName%=Minidriver32_Install,SCFILTER\CID_00640181010c829000
>>>>>>>>
>>>>>>>> [Minidriver.NTamd64.6.1]
>>>>>>>> %CardDeviceName%=Minidriver64_61_Install,SCFILTER\CID_00640181010c829000
>>>>>>>>
>>>>>>>> [Minidriver.NTx86.6.1]
>>>>>>>> %CardDeviceName%=Minidriver32_61_Install,SCFILTER\CID_00640181010c829000
>>>>>>>>
>>>>>>>> [DefaultInstall]
>>>>>>>> CopyFiles=x86_CopyFiles
>>>>>>>> AddReg=AddRegDefault
>>>>>>>>
>>>>>>>> [DefaultInstall.ntamd64]
>>>>>>>> CopyFiles=amd64_CopyFiles
>>>>>>>> CopyFiles=wow64_CopyFiles
>>>>>>>> AddReg=AddRegWOW64
>>>>>>>> AddReg=AddRegDefault
>>>>>>>>
>>>>>>>> [DefaultInstall.NTx86]
>>>>>>>> CopyFiles=x86_CopyFiles
>>>>>>>> AddReg=AddRegDefault
>>>>>>>>
>>>>>>>> [DefaultInstall.ntamd64.6.1]
>>>>>>>> AddReg=AddRegWOW64
>>>>>>>> AddReg=AddRegDefault
>>>>>>>>
>>>>>>>> [DefaultInstall.NTx86.6.1]
>>>>>>>> AddReg=AddRegDefault
>>>>>>>>
>>>>>>>> [SourceDisksFiles]
>>>>>>>> %SmartCardCardModule%=1
>>>>>>>> %SmartCardCardModule64%=1
>>>>>>>>
>>>>>>>> [SourceDisksNames]
>>>>>>>> 1 = %MediaDescription%
>>>>>>>>
>>>>>>>> [Minidriver64_Install.NT]
>>>>>>>> CopyFiles=amd64_CopyFiles
>>>>>>>> CopyFiles=wow64_CopyFiles
>>>>>>>> AddReg=AddRegWOW64
>>>>>>>> AddReg=AddRegDefault
>>>>>>>>
>>>>>>>> [Minidriver64_61_Install.NT]
>>>>>>>> AddReg=AddRegWOW64
>>>>>>>> AddReg=AddRegDefault
>>>>>>>> Include=umpass.inf
>>>>>>>> Needs=UmPass
>>>>>>>>
>>>>>>>> [Minidriver32_Install.NT]
>>>>>>>> CopyFiles=x86_CopyFiles
>>>>>>>> AddReg=AddRegDefault
>>>>>>>>
>>>>>>>> [Minidriver32_61_Install.NT]
>>>>>>>> AddReg=AddRegDefault
>>>>>>>> Include=umpass.inf
>>>>>>>> Needs=UmPass
>>>>>>>>
>>>>>>>> [Minidriver64_61_Install.NT.Services]
>>>>>>>> Include=umpass.inf
>>>>>>>> Needs=UmPass.Services
>>>>>>>>
>>>>>>>> [Minidriver32_61_Install.NT.Services]
>>>>>>>> Include=umpass.inf
>>>>>>>> Needs=UmPass.Services
>>>>>>>>
>>>>>>>>
>>>>>>>> [Minidriver64_61_Install.NT.HW]
>>>>>>>> Include=umpass.inf
>>>>>>>> Needs=UmPass.HW
>>>>>>>>
>>>>>>>> [Minidriver64_61_Install.NT.CoInstallers]
>>>>>>>> Include=umpass.inf
>>>>>>>> Needs=UmPass.CoInstallers
>>>>>>>>
>>>>>>>>
>>>>>>>> [Minidriver64_61_Install.NT.Interfaces]
>>>>>>>> Include=umpass.inf
>>>>>>>> Needs=UmPass.Interfaces
>>>>>>>>
>>>>>>>>
>>>>>>>> [Minidriver32_61_Install.NT.HW]
>>>>>>>> Include=umpass.inf
>>>>>>>> Needs=UmPass.HW
>>>>>>>>
>>>>>>>> [Minidriver32_61_Install.NT.CoInstallers]
>>>>>>>> Include=umpass.inf
>>>>>>>> Needs=UmPass.CoInstallers
>>>>>>>>
>>>>>>>>
>>>>>>>> [Minidriver32_61_Install.NT.Interfaces]
>>>>>>>> Include=umpass.inf
>>>>>>>> Needs=UmPass.Interfaces
>>>>>>>>
>>>>>>>>
>>>>>>>> [amd64_CopyFiles]
>>>>>>>> ;%SmartCardCardModule%,%SmartCardCardModule64%
>>>>>>>>
>>>>>>>> [x86_CopyFiles]
>>>>>>>> ;%SmartCardCardModule%
>>>>>>>>
>>>>>>>> [wow64_CopyFiles]
>>>>>>>> ;%SmartCardCardModule64%
>>>>>>>>
>>>>>>>> [AddRegWOW64]
>>>>>>>> HKLM, %SmartCardNameWOW64%,"ATR",0x00000001,3b,f8,13,00,00,81,31,fe,45,4A,43,4f,50,76,32,34,31,b7
>>>>>>>> HKLM, %SmartCardNameWOW64%,"ATRMask",0x00000001,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff
>>>>>>>> HKLM, %SmartCardNameWOW64%,"Crypto Provider",0x00000000,"Microsoft Base Smart Card Crypto Provider"
>>>>>>>> HKLM, %SmartCardNameWOW64%,"Smart Card Key Storage Provider",0x00000000,"Microsoft Smart Card Key Storage Provider"
>>>>>>>> HKLM, %SmartCardNameWOW64%,"80000001",0x00000000,%SmartCardCardModule64%
>>>>>>>>
>>>>>>>> [AddRegDefault]
>>>>>>>> HKLM, %SmartCardName%,"ATR",0x00000001,3b,f8,13,00,00,81,31,fe,45,4A,43,4f,50,76,32,34,31,b7
>>>>>>>> HKLM, %SmartCardName%,"ATRMask",0x00000001,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff
>>>>>>>> HKLM, %SmartCardName%,"Crypto Provider",0x00000000,"Microsoft Base Smart Card Crypto Provider"
>>>>>>>> HKLM, %SmartCardName%,"Smart Card Key Storage Provider",0x00000000,"Microsoft Smart Card Key Storage Provider"
>>>>>>>> HKLM, %SmartCardName%,"80000001",0x00000000,%SmartCardCardModule%
>>>>>>>>
>>>>>>>> [DestinationDirs]
>>>>>>>> amd64_CopyFiles=10,system32
>>>>>>>> x86_CopyFiles=10,system32
>>>>>>>> wow64_CopyFiles=10,syswow64
>>>>>>>>
>>>>>>>>
>>>>>>>> ; =================== Generic ==================================
>>>>>>>>
>>>>>>>> [Strings]
>>>>>>>> ProviderName="OpenSC"
>>>>>>>> MediaDescription="OpenSC Card Minidriver Installation Disk"
>>>>>>>> CardDeviceName="Muscle Card"
>>>>>>>> SmartCardName="SOFTWARE\Microsoft\Cryptography\Calais\SmartCards\Muscle Card"
>>>>>>>> SmartCardNameWOW64="SOFTWARE\Wow6432Node\Microsoft\Cryptography\Calais\SmartCards\Muscle Card"
>>>>>>>> SmartCardCardModule="opensc-minidriver.dll"
>>>>>>>> ***************************************************************************************
>>>>>>>>
>>>>>>>> When the card is inserted the driver is used as shown in device manager
>>>>>>>> as well as in certutil.exe.
>>>>>>>> Now here is the actual problem:
>>>>>>>> When I try to use the card with certutil.exe -SCinfo several times a dialog pops up
>>>>>>>> complaining that the card does not have the required functions.
>>>>>>>> The terminal output is like this. I am sorry for pasting this in German.
>>>>>>>> I added some translations:
>>>>>>>>
>>>>>>>> ***************************************************************************************
>>>>>>>> Microsoft Windows [Version 6.1.7601]
>>>>>>>> Copyright (c) 2009 Microsoft Corporation. Alle Rechte vorbehalten.
>>>>>>>>
>>>>>>>> C:\Users\developer>certutil -scinfo
>>>>>>>> Die Microsoft Smartcard-Ressourcenverwaltung wird ausgeführt.
>>>>>>>> Aktueller Leser-/Kartenstatus: (Current Reader/Card Status)
>>>>>>>> Leser: 1 (Reader: 1)
>>>>>>>>      0: OMNIKEY CardMan 3x21 0
>>>>>>>> --- Leser: OMNIKEY CardMan 3x21 0 (Reader)
>>>>>>>> --- Status: SCARD_STATE_PRESENT | SCARD_STATE_UNPOWERED
>>>>>>>> --- Status: Die Smartcard kann verwendet werden.
>>>>>>>> ---  Karte: Muscle Card
>>>>>>>> ---    ATR:
>>>>>>>>            3b f8 13 00 00 81 31 fe  45 4a 43 4f 50 76 32 34   ;.....1.EJCOPv24
>>>>>>>>            31 b7                                              1.
>>>>>>>>
>>>>>>>>
>>>>>>>> =======================================================
>>>>>>>> Karte im Leser wird analysiert: OMNIKEY CardMan 3x21 0 (Trans: The card in the reader is being analyzed)
>>>>>>>>
>>>>>>>> --------------===========================--------------
>>>>>>>> ================ Zertifikat 0 ================ (Trans: Certificate 0)
>>>>>>>> --- Leser: OMNIKEY CardMan 3x21 0 (Reader)
>>>>>>>> ---  Karte: Muscle Card
>>>>>>>> Anbieter = Microsoft Base Smart Card Crypto Provider
>>>>>>>> Schl¸sselcontainer = (null) [Standardcontainer] (Trans: standard
>>>> container)
>>>>>>>> Schl¸ssel "AT_SIGNATURE" kann nicht geˆffnet werden f¸r Leser:
>>>> OMNIKEY CardMan 3 (Trans:  Key „AT_SIGNATURE“ could not be opened)
>>>>>>>> x21 0
>>>>>>>> Schl¸ssel "AT_KEYEXCHANGE" kann nicht geˆffnet werden f¸r Leser:
>>>> OMNIKEY CardMan (Trans:  Key „AT_SIGNATURE“ could not be opened)
>>>>>>>>     3x21 0
>>>>>>>>
>>>>>>>> --------------===========================--------------
>>>>>>>> ================ Zertifikat 0 ================
>>>>>>>> --- Leser: OMNIKEY CardMan 3x21 0
>>>>>>>> ---  Karte: Smart Security Device (Brainchild)
>>>>>>>> Anbieter = Microsoft Smart Card Key Storage Provider
>>>>>>>> Schl¸sselcontainer = (null) [Standardcontainer]
>>>>>>>>
>>>>>>>> Schl¸ssel "" kann nicht geˆffnet werden f¸r Leser: OMNIKEY CardMan
>>>> 3x21 0 (Trans:  Key „“ cound not be opened)
>>>>>>>> --------------===========================--------------
>>>>>>>>
>>>>>>>> Fertig.
>>>>>>>> CertUtil: -SCInfo-Befehl wurde erfolgreich ausgef¸hrt. (Trans:
>>>> -SCinfo command has been executed with success)
>>>>>>>> ************************************************************
>>>> ***************************
>>>>>>>> I also configured to use a log file in opensc.conf and debug level 9.
>>>>>>>> Unfortunately the file is about 2.5 MB. I try to add it as an
>>>> attachment to this mail,
>>>>>>>> but I am not sure if this is working with a mailing list.
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> I already inspected the log, but found nothing suspicious.
>>>>>>>> I think maybe there have to be a private key to be marked
>>>>>>>> for use as AT_SIGNATURE and one for AT_EXCHANGE.
>>>>>>>> But how?
>>>>>>>>
>>>>>>>> Or maybe I am completely wrong and something different is going wrong.
>>>>>>>>
>>>>>>>> Any help would be appreciated!
>>>>>>>>
>>>>>>>> Best Regards,
>>>>>>>> Michael
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> ------------------------------------------------------------
>>>> ------------------
>>>>>>>> New Year. New Location. New Benefits. New Data Center in Ashburn, VA.
>>>>>>>> GigeNET is offering a free month of service with a new server in
>>>> Ashburn.
>>>>>>>> Choose from 2 high performing configs, both with 100TB of bandwidth.
>>>>>>>> Higher redundancy.Lower latency.Increased capacity.Completely
>>>> compliant.
>>>>>>>> http://p.sf.net/sfu/gigenet
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> _______________________________________________
>>>>>>>> Opensc-devel mailing list
>>>>>>>> [hidden email]
>>>>>>>> https://lists.sourceforge.net/lists/listinfo/opensc-devel
>>>>>>>>
>>>>>>> --
>>>>>>>
>>>>>>>     Douglas E. Engert  <[hidden email]>
>>>>>>>
>>>>>>>
>>>>
>>>>
>
>
>

--

  Douglas E. Engert  <[hidden email]>


_______________________________________________
Opensc-devel mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/opensc-devel

Re: AT_SIGNATURE and AT_EXCHANGE Problem

Douglas E Engert
In reply to this post by Martin Paljak-4
Martin,

If this:
> The real problem may be that sc_pkcs15_get_object_guid() in pkcs15.c
> does not use p15card->tokeninfo->serial_number but calls
> sc_card_ctl(p15card->card, SC_CARDCTL_GET_SERIALNR, &serialnr);

is the problem, then the framework does not need to grow. We must make sure
all cards fill in p15card->tokeninfo->serial_number if they are to work correctly on Windows.

pkcs15-tool.c and pkcs15init/pkcs15-iasecc.c sc_pkcs15_get_object_guid()


On 1/19/2015 12:11 PM, Martin Paljak wrote:

> Hello,
>
> The way to get a "hardware" serial for JavaCard-s is quite well defined by GlobalPlatform: concatenation of Issuer Identification Number + Card Image Number, which are readable without authentication
> from decent cards (some Chinese JavaCard-s are exceptions)
>
> Nevertheless, the presence of the "get serial" card control is out of sync with the rest of the framework. Why is there a mandatory "extension" for something that should be part of the core? It either
> should be a required part of the usual card function structure, maybe with some sensible defaults or fallbacks, or the "serial" must be derived from some unique data (certificate?) if the callback is not
> there or no data present.
>
> The question is how to "grow" the framework: either extend the card function pointers (that right now is almost 1:1 ISO and old, first implementations) or via card controls. I would choose extending
> the card function pointers.
>
> Also, the requirements for the "serial" must be written down: for example, if the serial remains the same but card content changes, does this matter? Does this affect some caching somewhere? Is
> the serial binary or string, how long? Is it supposed to be globally unique or just for a batch?
>
> Martin
>
> On Mon Jan 19 2015 at 7:55:44 PM Philip Wendland <[hidden email]> wrote:
>
>     Hi,
>
>     I will try to solve this problem for the IsoApplet this weekend. My
>     spare time is limited until then.
>
>     However, the problem will be to find a unique identifier for any generic
>     card.
>
>     Kind regards,
>     Philip
>
>     On 19.01.2015 17:26, Douglas E Engert wrote:
>      > [I should have sent this to the opensc-devel, as others can address some of your questions
>      > about the state of the muscle applet and isoapplet].
>      >
>      > No, that fix was for the card-itacns.c, you are using the card-muscle.c.
>      >
>      > Some equivalent code needs to be added to card-muscle.c, to use whatever information is available that
>      > windows could use to uniquely identify the card. This is then stored with the certificates in the windows store.
>      > At a later time, windows uses certificates from the store and can then prompt to have the card mounted, so it can use the
>      > matching key on the card.
>      >
>      > You or someone else that can test a mod to card-muscle.c could submit a code change.
>      >
>      > There are 33 card-*.c files, 24 support SC_CARDCTL_GET_SERIALNR. 11 do not.
>      >
>      > card-belpic.c
>      > card-default.c
>      > card-gemsafeV1.c
>      > card-ias.c
>      > card-incrypto34.c
>      > card-jcop.c
>      > card-mcrd.c
>      > card-miocos.c
>      > card-muscle.c
>      > card-setcos.c
>      > iso7816.c
>      >
>      > Cards that support SC_CARDCTL_GET_SERIALNR
>      > card-acos5.c
>      > card-akis.c
>      > card-asepcos.c
>      > card-atrust-acos.c
>      > card-authentic.c
>      > card-cardos.c
>      > card-dnie.c
>      > card-entersafe.c
>      > card-epass2003.c
>      > card-flex.c
>      > card-gpk.c
>      > card-iasecc.c
>      > card-itacns.c
>      > card-myeid.c
>      > card-oberthur.c
>      > card-openpgp.c
>      > card-piv.c
>      > card-rtecp.c
>      > card-rutoken.c
>      > card-sc-hsm.c
>      > card-starcos.c
>      > card-tcos.c
>      > card-westcos.c
>      >
>      >
>      > To answer some other questions you asked in a private e-mail:
>      >
>      > iso7816.c which implements the basic ISO commands does not support any card_ctl commands.
>      > I believe that the IsoApplet is designed to use the iso7816.c. I am not sure if the concept of
>      > a unique "serial number" is part of ISO7816.
>      >
>      > I also don't know the state of the muscle applet, or if it has something that can be used as a serial number either.
>      >
>      >
>      >
>      > On 1/19/2015 8:37 AM, Michael Heydemann wrote:
>      >> WOW.. Thank you a lot.. I think I owe you a beer..
>      >>
>      >> I checked; the fix is from November last year, and the 0.14 version is from summer last year.
>      >> Does this mean that the nightly build could fix this?
>      >> Which version should I pull/download?
>      >>
>      >> Thank you a lot,
>      >> Michael
>      >>
>      >>> On 19.01.2015 at 14:35, Douglas E Engert <[hidden email]> wrote:
>      >>>
>      >>> This is the same problem as:
>      >>>
>      >>> https://github.com/OpenSC/OpenSC/pull/321
>      >>>
>      >>>
>      >>> 2015-01-19 09:49:34.203 [cardmod] card.c:720:sc_card_ctl: called
>      >>> 2015-01-19 09:49:34.203 card_ctl(5) not supported
>      >>>
>      >>> The card-muscle.c (and others in OpenSC) does not support SC_CARDCTL_GET_SERIALNR
>      >>> to get a card "serial number" which windows requires.
>      >>>
>      >>>
>      >>>
>      >>> On 1/19/2015 3:30 AM, Michael Heydemann wrote:
>      >>>
>      >>> --
>      >>>
>      >>>   Douglas E. Engert  <[hidden email]>
>      >>>
>      >>>
>      >>
>      >
>
>
>
>
>
>

--

  Douglas E. Engert  <[hidden email]>


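The lookup order argued for in this thread (EF(TokenInfo) serial first, SC_CARDCTL_GET_SERIALNR only as a fallback), as an added C example that is not OpenSC's code: the structures, error codes, driver names and scenario data are simplified mocks built from the dumps quoted above, and treating an all-zero serial as unset is this example's own choice.

```c
#include <stdio.h>
#include <string.h>
/* Hypothetical, simplified stand-ins for the OpenSC structures named in the thread
 * (NOT OpenSC's real definitions). Mock error codes likewise. */
#define SC_SUCCESS              0
#define SC_ERROR_NOT_SUPPORTED  (-1)
#define SC_ERROR_INVALID_DATA   (-2)
#define SC_MAX_SERIALNR         32

struct sc_serial_number { unsigned char value[SC_MAX_SERIALNR]; size_t len; };
struct mock_card {
    const char *driver;                 /* e.g. "muscle" */
    int supports_get_serialnr;          /* driver implements SC_CARDCTL_GET_SERIALNR? */
    struct sc_serial_number ctl_serial; /* what that card_ctl would return */
};
struct mock_tokeninfo { const char *serial_number; }; /* hex, as pkcs15-tool -D prints it */
struct mock_p15card { struct mock_card *card; struct mock_tokeninfo *tokeninfo; };

/* Mock of sc_card_ctl(card, SC_CARDCTL_GET_SERIALNR, &serialnr). */
static int mock_card_ctl_get_serialnr(const struct mock_card *card, struct sc_serial_number *out)
{
    if (!card->supports_get_serialnr)
        return SC_ERROR_NOT_SUPPORTED;  /* the "card_ctl(5) not supported" case in the log */
    *out = card->ctl_serial;
    return SC_SUCCESS;
}

/* Decode the hex serial into bytes; rejects empty, odd-length, too long or non-hex input. */
static int hex_to_serial(const char *hex, struct sc_serial_number *out)
{
    size_t n = strlen(hex);
    if (n == 0 || n % 2 != 0 || n / 2 > SC_MAX_SERIALNR)
        return SC_ERROR_INVALID_DATA;
    for (size_t i = 0; i < n; i += 2) {
        unsigned int byte;
        if (sscanf(hex + i, "%2x", &byte) != 1)
            return SC_ERROR_INVALID_DATA;
        out->value[i / 2] = (unsigned char)byte;
    }
    out->len = n / 2;
    return SC_SUCCESS;
}

/* "0000" is what the dumps show for a card initialised without --serial; treating an
 * all-zero serial as unset is this example's own choice, not something the thread specifies. */
static int serial_is_all_zero(const struct sc_serial_number *s)
{
    for (size_t i = 0; i < s->len; i++)
        if (s->value[i] != 0) return 0;
    return 1;
}

/* What the thread identifies as the problem: the card_ctl is the only source. */
static int get_serial_cardctl_only(const struct mock_p15card *p15, struct sc_serial_number *out)
{
    return mock_card_ctl_get_serialnr(p15->card, out);
}

/* Proposed order: EF(TokenInfo) serial first, card_ctl only as a fallback. */
static int get_serial_tokeninfo_first(const struct mock_p15card *p15, struct sc_serial_number *out)
{
    const char *hex = p15->tokeninfo ? p15->tokeninfo->serial_number : NULL;
    if (hex && hex_to_serial(hex, out) == SC_SUCCESS && !serial_is_all_zero(out))
        return SC_SUCCESS;
    return mock_card_ctl_get_serialnr(p15->card, out);
}

/* Constructed scenarios modelled on the dumps in the thread. */
enum { CASE_MUSCLE_DEFAULT, CASE_MUSCLE_WITH_SERIAL, CASE_CARDCTL_CAPABLE };
static int run_case(int which, int tokeninfo_first, struct sc_serial_number *out)
{
    struct mock_card muscle  = { "muscle", 0, { {0}, 0 } };                  /* no card_ctl */
    struct mock_card capable = { "piv", 1, { {0x01, 0x02, 0x03, 0x04}, 4 } }; /* constructed */
    struct mock_tokeninfo ti_default = { "0000" };
    struct mock_tokeninfo ti_serial  = { "42424242424242424242424242424242" };
    struct mock_p15card p15;
    switch (which) {
    case CASE_MUSCLE_DEFAULT:     p15.card = &muscle;  p15.tokeninfo = &ti_default; break;
    case CASE_MUSCLE_WITH_SERIAL: p15.card = &muscle;  p15.tokeninfo = &ti_serial;  break;
    default:                      p15.card = &capable; p15.tokeninfo = &ti_default; break;
    }
    return tokeninfo_first ? get_serial_tokeninfo_first(&p15, out)
                           : get_serial_cardctl_only(&p15, out);
}

/* Serial length on success, -1 on failure (the outcome the minidriver would have to report). */
static int run_case_len(int which, int tokeninfo_first)
{
    struct sc_serial_number s = { {0}, 0 };
    return run_case(which, tokeninfo_first, &s) == SC_SUCCESS ? (int)s.len : -1;
}

int main(void)
{
    const char *names[] = { "muscle, serial 0000", "muscle, serial 4242..", "card_ctl capable" };
    for (int c = 0; c < 3; c++)
        printf("%-22s card_ctl only: %3d   tokeninfo first: %3d\n",
               names[c], run_case_len(c, 0), run_case_len(c, 1));
    return 0;
}
```

The muscle card only yields a serial once EF(TokenInfo) carries a real value and the lookup consults it first; a card whose driver implements the card_ctl works either way.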

Re: AT_SIGNATURE and AT_EXCHANGE Problem

Philip Wendland
In reply to this post by Douglas E Engert
On 01/23/2015 04:54 PM, Douglas E Engert wrote:

> After looking closer at the code for minidriver, serial number and card_ctl...
>
> The minidriver in md_set_cardid() uses the serial number from
> p15card->tokeninfo->serial_number
>
> The minidriver also calls sc_pkcs15_get_object_guid() in pkcs15.c which *does* call
> sc_card_ctl(p15card->card, SC_CARDCTL_GET_SERIALNR, &serialnr);
>
> ***THIS MAY BE THE PROBLEM***
>
> Why does  sc_pkcs15_get_object_guid not use p15card->tokeninfo->serial_number?
>
> PKCS#15 defines the ASN.1 TokenInfo which has serialNumber OCTET STRING.
>
> Do all PKCS#15 cards have this file?
> Do they all fill in the serial_number?
>
> For cards doing PKCS#15 emulation, their pkcs15-*.c drivers should be filling in the
> p15card->tokeninfo->serial_number.
>
> Thus the minidriver should not depend on card-ctl if the p15card->tokeninfo->serial_number
> is properly filled in.
>
> So the requirement for windows that a card driver have a card_ctl for serial_number
> may be that the p15card->tokeninfo->serial_number must be filled in.
>

Very interesting find.

See also:
$ pkcs15-tool -D
PKCS#15 Card [JavaCard isoApplet]:
        Version        : 0
        Serial number  : 0000

I think this is the serial number from the EF(TokenInfo). Version seems
to be TokenInfo.version defined in PKCS#15, namely the PKCS#15 version
the card conforms to.

I followed the code path in pkcs15-init from creating the file
structure. It goes to do_init_app(), which calls sc_pkcs15init_add_app()
in pkcs15-lib.c.
The code at line 866 ff. seems to fit very well to your point (that the
minidriver should first read the EF(TokenInfo), and call the cardctl
only if this is not possible):

/* set serial number if explicitly specified */
if (args->serial)   {
        sc_pkcs15init_set_serial(profile, args->serial);
}
else {
        /* otherwise try to get the serial number from the card */
        struct sc_serial_number serialnr;
        r = sc_card_ctl(card, SC_CARDCTL_GET_SERIALNR, &serialnr);
        (...)


Here is an example of how to set the IsoApplet up with a serial number
in EF(TokenInfo) (without any modification to the driver or applet):

[*@*]$ pkcs15-init -C --serial 42424242424242424242424242424242
Using reader with a card: Cherry GmbH SmartTerminal ST-2xxx [Vendor
Interface] (21121440179920) 00 00
New User PIN.
Please enter User PIN:
Please type again to verify:
Unblock Code for New User PIN (Optional - press return for no PIN).
Please enter User unblocking PIN (PUK):
Please type again to verify:
User PIN [User PIN] required.
Please enter User PIN [User PIN]:

[*@*]$ pkcs15-tool -D
Using reader with a card: Cherry GmbH SmartTerminal ST-2xxx [Vendor
Interface] (21121440179920) 00 00
PKCS#15 Card [JavaCard isoApplet]:
        Version        : 0
        Serial number  : 42424242424242424242424242424242


So with changing the minidriver accordingly, it should be able to get
the serial number.

>
> Even Microsoft does not require a serial number, but a CP_CARD_GUID that in their abstraction
> of a smart card is contained in the cardId file.
> See https://msdn.microsoft.com/en-us/library/windows/hardware/dn631754
> Under V7.07, Section 5.4.1 Card Identifier.
>

Interesting as well:
"This value is assigned by Microsoft software to assure that a unique
value is generated for the card. It is unrelated to the serial number
that may or may not be assigned to the card during manufacture."


> For example the PIV card edge specifications are defined by NIST, and implemented
> by multiple vendors. There is no "serial number" or a cardId file, but there is an object
> defined called the CHUID.
>
>   https://www.idmanagement.gov/sites/default/files/documents/PACS.pdf
>
> It contains a "Federal Agency Smart Credential Number" (FASC-N) which was used
> by the U.S. federal government, but to make the specifications more  usable for
> non-government, it can also contain a GUID. Section 2 of the above goes into
> detail on these.
>
> The OpenSC PIV card driver is emulating PKCS#15 so to get a serial number,
> pkcs15-piv.c uses card_ctl to have the card-piv.c read the CHUID,
> and use the FASC-N or GUID as defined above. The Microsoft built-in driver will
> also use the CHUID, and derive a number it can use as the cardId.
>
> The point being, the intent is to give Microsoft a unique number for a card,
> unique in the sense that all the cards used on a local system have different numbers.
> (Other uses of the number may require it to be globally unique...)
>
> The same number should be returned by the card each time so cached certificates
> can be associated with a card containing the matching key.
>
> How that number is obtained for the card is up to the applet.
>
>>
>>> Nevertheless, the presence of the "get serial" card control is out of sync
>>> with the rest of the framework. Why is there a mandatory "extension" for
>>> something that should be part of the core?
>
> Because it is only mandatory for some systems. It was an afterthought; otherwise ISO 7816
> would have defined a serial number.
>
>
> It either should be a required
>>> part of the usual card function structure, maybe with some sensible
>>> defaults or fallbacks or the "serial" must be derived from some unique data
>>> (certificate?) if the callback is not there or no data present.
>
> Yes, but if the card has many certificates, that can be changed independently,
> that will not work very well.
>
> One of the first OpenSC commands a user tries is opensc-tool  --serial
> 23 of the 33 or so card-*.c support reading a serial number, because it
> is still optional.
>
> Thus the minidriver in md_set_cardid() uses the serial number from
> p15card->tokeninfo->serial_number
>
> The minidriver also calls sc_pkcs15_get_object_guid() in pkcs15.c which does call
> sc_card_ctl(p15card->card, SC_CARDCTL_GET_SERIALNR, &serialnr);
>
> ***THIS MAY BE THE PROBLEM***
>
> Should sc_pkcs15_get_object_guid at p15card->tokeninfo->serial_number?
>
> For a PKCS#15 card with the tokeninfo there
> is ASN.1 TokenInfo which has serialNumber OCTET STRING.
>
> For cards doing PKCS#15 emulation, their pkcs15-*.c drivers should be filling in the
> p15card->tokeninfo->serial_number.
>
> Thus the minidriver should not depend on cardctl if the
>
>
>
>>>
>>
>> I kind of agree. When writing card drivers for OpenSC you usually look
>> at the sc_card_operations struct, for me it was not clear for a long
>> time that the SC_CARDCTL_GET_SERIALNR cardctl is required for windows
>> functionality.
>> (Windows-support was never a requirement for the isoapplet anyway,
>> until now.)
>
> I would expect nowadays, Windows support would be highly desirable,
> and the OpenSC minidriver can do that if there is a way to get a serial number
> from the card driver.
>
>
>>
>>> The question is how to "grow" the framework: either extend the card
>>> function pointers (that right now is almost 1:1 ISO and old, first
>>> implementations) or via card controls. I would choose extending the card
>>> function pointers.
>>>
>>> Also, the requirements for the "serial" must be written down: for
>>> example, if the serial remains the same but card content changes, does this
>>> matter? does this affect some caching somewhere? Is the serial binary or
>>> string, how long? Is it supposed to be globally unique or just for a batch?
>>>
>>> Martin
>>>
>>> On Mon Jan 19 2015 at 7:55:44 PM Philip Wendland <[hidden email]>
>>> wrote:
>>>
>>>> Hi,
>>>>
>>>> I will try to solve this problem for the IsoApplet this weekend. My
>>>> spare time is limited until then.
>>>>
>>>> However, the problem will be to find a unique identifier for any generic
>>>> card..
>>>>
>>>> Kind regards,
>>>> Philip
>>>>
>>>> On 19.01.2015 17:26, Douglas E Engert wrote:
>>>>> [I should have sent this to the opensc-devel, as others can address some
>>>> of your questions
>>>>> about the state of the muscle applet and isoapplet].
>>>>>
>>>>> No, That fix was for the card-itacns.c, you are using the card-muscle.c.
>>>>>
>>>>> Some equivalent code needs to be added to card-muscle.c, to use what
>>>> ever information is available that
>>>>> windows could use to uniquely identify the card. This is then stored
>>>> with the certificates in the windows store.
>>>>> At a later time, windows uses certificates from the store and can then
>>>> prompt to have the card mounted, so it can use the
>>>>> matching key on the card.
>>>>>
>>>>> You or someone else that can test a mod to card-muscle.c could submit a
>>>> code change.
>>>>>
>>>>> There are 33 card-*.c files, 24 support SC_CARDCTL_GET_SERIALNR. 11 do
>>>> not.
>>>>>
>>>>> card-belpic.c
>>>>> card-default.c
>>>>> card-gemsafeV1.c
>>>>> card-ias.c
>>>>> card-incrypto34.c
>>>>> card-jcop.c
>>>>> card-mcrd.c
>>>>> card-miocos.c
>>>>> card-muscle.c
>>>>> card-setcos.c
>>>>> iso7816.c
>>>>>
>>>>> Cards that support SC_CARDCTL_GET_SERIALNR
>>>>> card-acos5.c
>>>>> card-akis.c
>>>>> card-asepcos.c
>>>>> card-atrust-acos.c
>>>>> card-authentic.c
>>>>> card-cardos.c
>>>>> card-dnie.c
>>>>> card-entersafe.c
>>>>> card-epass2003.c
>>>>> card-flex.c
>>>>> card-gpk.c
>>>>> card-iasecc.c
>>>>> card-itacns.c
>>>>> card-myeid.c
>>>>> card-oberthur.c
>>>>> card-openpgp.c
>>>>> card-piv.c
>>>>> card-rtecp.c
>>>>> card-rutoken.c
>>>>> card-sc-hsm.c
>>>>> card-starcos.c
>>>>> card-tcos.c
>>>>> card-westcos.c
>>>>>
>>>>>
>>>>> To answer some other questions you asked in a private e-mail:
>>>>>
>>>>> iso7816.c which implements the basic ISO commands does not support any
>>>> card_ctl commands.
>>>>> I believe that the IsoApplet is designed to use the iso7816.c I am not
>>>> sure if the concept of
>>>>> a unique "serial number" is part of ISO7816.
>>>>>
>>>>> I also don't know the state of the muscle applet, or if it has something
>>>> that can be used as a serial number either.
>>>>>
>>>>>
>>>>>
>>>>> On 1/19/2015 8:37 AM, Michael Heydemann wrote:
>>>>>> WOW.. Thank you a lot.. I think I owe you a beer..
>>>>>>
>>>>>> I checked the fix is from November last year, and the 0.14 version is
>>>> from summer last year.
>>>>>> Does this mean, that the nightly build could fix this?
>>>>>> What version I should pull/download?
>>>>>>
>>>>>> Thank you a lot,
>>>>>> Michael
>>>>>>
>>>>>>> Am 19.01.2015 um 14:35 schrieb Douglas E Engert <[hidden email]>:
>>>>>>>
>>>>>>> This is the same problem as:
>>>>>>>
>>>>>>>    https://github.com/OpenSC/OpenSC/pull/321
>>>>>>>
>>>>>>>
>>>>>>> 2015-01-19 09:49:34.203 [cardmod] card.c:720:sc_card_ctl: called
>>>>>>> 2015-01-19 09:49:34.203 card_ctl(5) not supported
>>>>>>>
>>>>>>> The card-muscle.c (and others in OpenSC) does not support
>>>> SC_CARDCTL_GET_SERIALNR
>>>>>>> to get a card "serial number" which windows requires.
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> On 1/19/2015 3:30 AM, Michael Heydemann wrote:
>>>>>>>> Dear OpenSC Development Team,
>>>>>>>>
>>>>>>>> First of all, I would like to say that I really appreciate your great
>>>> work.
>>>>>>>> I am working on a little project and explored all the nice tools of
>>>> OpenSC.
>>>>>>>> Unfortunately since one week I cannot get around a certain problem.
>>>>>>>> I hope this mailing list is the right place and you can help me with
>>>> that.
>>>>>>>>
>>>>>>>> My project is about  (1) setting up a PKCS#11 key store on a Java
>>>> Card,
>>>>>>>> (2) loading some test data (keys and certificates) on it, and (3)
>>>> using the card
>>>>>>>> with the Windows 7 Key Management.
>>>>>>>>
>>>>>>>> Hardware:
>>>>>>>> * Card Reader: Omnikey 3121USB
>>>>>>>> * Java Card: J2A080 - NXP, 80k
>>>>>>>>
>>>>>>>> (1) Setting up PKCS#11 key store:
>>>>>>>> I have installed Ubuntu 14.04.1 in VirtualBox and wrote a bunch of
>>>> bash scripts
>>>>>>>> to install all required software, installing muscle applet to the
>>>> card, and
>>>>>>>> removing the muscle applet from the card. I followed the instructions
>>>> on
>>>>>>>> http://blog.ev0ke.net/muscle-jcop/ and everything worked well.
>>>>>>>>
>>>>>>>> (2) Loading some test data:
>>>>>>>> I tried some different ways to get some keys and certificates on the
>>>> card.
>>>>>>>> None of them delivered data which is accepted by Windows 7.
>>>>>>>> Here is one set of data I created:
>>>>>>>>
>>>>>>>> ************************************************************
>>>> ***************************
>>>>>>>> Using reader with a card: OMNIKEY CardMan (076B:3022) 3021 00 00
>>>>>>>> PKCS#15 Card [MUSCLE]:
>>>>>>>> Version        : 0
>>>>>>>> Serial number  : 0000
>>>>>>>> Manufacturer ID: Identity Alliance
>>>>>>>> Last update    : 20150119080705Z
>>>>>>>> Flags          : EID compliant
>>>>>>>>
>>>>>>>> PIN [User PIN]
>>>>>>>> Object Flags   : [0x3], private, modifiable
>>>>>>>> ID             : 01
>>>>>>>> Flags          : [0x10], initialized
>>>>>>>> Length         : min_len:4, max_len:8, stored_len:8
>>>>>>>> Pad char       : 0x00
>>>>>>>> Reference      : 1
>>>>>>>> Type           : ascii-numeric
>>>>>>>> Path           : 3f005015
>>>>>>>>
>>>>>>>> Private RSA Key [Card Owner]
>>>>>>>> Object Flags   : [0x3], private, modifiable
>>>>>>>> Usage          : [0x2E], decrypt, sign, signRecover, unwrap
>>>>>>>> Access Flags   : [0x0]
>>>>>>>> ModLength      : 1024
>>>>>>>> Key ref        : 0 (0x0)
>>>>>>>> Native         : yes
>>>>>>>> Path           : 3f005015
>>>>>>>> Auth ID        : 01
>>>>>>>> ID             : 01
>>>>>>>>
>>>>>>>> Public RSA Key [Card Owner]
>>>>>>>> Object Flags   : [0x2], modifiable
>>>>>>>> Usage          : [0xD1], encrypt, wrap, verify, verifyRecover
>>>>>>>> Access Flags   : [0x0]
>>>>>>>> ModLength      : 1024
>>>>>>>> Key ref        : 0
>>>>>>>> Native         : no
>>>>>>>> Path           : 3f0050153000
>>>>>>>> ID             : 01
>>>>>>>>
>>>>>>>> X.509 Certificate [Card Owner Certificate]
>>>>>>>> Object Flags   : [0x2], modifiable
>>>>>>>> Authority      : no
>>>>>>>> Path           : 3f0050153100
>>>>>>>> ID             : 01
>>>>>>>> Encoded serial : 02 09 00F695059953A904F9
>>>>>>>>
>>>>>>>> X.509 Certificate [Contact 2 Certificate]
>>>>>>>> Object Flags   : [0x2], modifiable
>>>>>>>> Authority      : no
>>>>>>>> Path           : 3f0050153101
>>>>>>>> ID             : 02
>>>>>>>> Encoded serial : 02 09 00F695059953A904F9
>>>>>>>>
>>>>>>>> X.509 Certificate [Contact 3 Certificate]
>>>>>>>> Object Flags   : [0x2], modifiable
>>>>>>>> Authority      : no
>>>>>>>> Path           : 3f0050153102
>>>>>>>> ID             : 03
>>>>>>>> Encoded serial : 02 09 00F695059953A904F9
>>>>>>>>
>>>>>>>> X.509 Certificate [Contact 4 Certificate]
>>>>>>>> Object Flags   : [0x2], modifiable
>>>>>>>> Authority      : no
>>>>>>>> Path           : 3f0050153103
>>>>>>>> ID             : 04
>>>>>>>> Encoded serial : 02 09 00F695059953A904F9
>>>>>>>>
>>>>>>>> X.509 Certificate [Contact 5 Certificate]
>>>>>>>> Object Flags   : [0x2], modifiable
>>>>>>>> Authority      : no
>>>>>>>> Path           : 3f0050153104
>>>>>>>> ID             : 05
>>>>>>>> Encoded serial : 02 09 00F695059953A904F9
>>>>>>>> ************************************************************
>>>> ***************************
>>>>>>>>
>>>>>>>> (3) Using the card in Windows 7:
>>>>>>>> I installed Windows 7  64 Bit in a VirtualBox and installed
>>>>>>>> OpenSC-0.12.2-win64.msi. I also tried OpenSC-0.14.0-win64.msi,
>>>>>>>> but with same result.
>>>>>>>> I acquired the ATR of the card and properly installed my
>>>> opens-minidriver.inf:
>>>>>>>>
>>>>>>>> ************************************************************
>>>> ***************************
>>>>>>>> [Version]
>>>>>>>> Signature="$Windows NT$"
>>>>>>>> Class=SmartCard
>>>>>>>> ClassGuid={990A2BD7-E738-46c7-B26F-1CF8FB9F1391}
>>>>>>>> Provider=%ProviderName%
>>>>>>>> CatalogFile=delta.cat
>>>>>>>> DriverVer=05/02/2010,@OPENSC_VERSION_MAJOR@,@OPENSC_VERSION_MINOR@,@OPENSC_VERSION_FIX@,0
>>>>>>>>
>>>>>>>> [Manufacturer]
>>>>>>>> %ProviderName%=Minidriver,NTamd64,NTamd64.6.1,NTx86,NTx86.6.1
>>>>>>>>
>>>>>>>> [Minidriver.NTamd64]
>>>>>>>> %CardDeviceName%=Minidriver64_Install,SCFILTER\CID_00640181010c829000
>>>>>>>>
>>>>>>>> [Minidriver.NTx86]
>>>>>>>> %CardDeviceName%=Minidriver32_Install,SCFILTER\CID_00640181010c829000
>>>>>>>>
>>>>>>>> [Minidriver.NTamd64.6.1]
>>>>>>>> %CardDeviceName%=Minidriver64_61_Install,SCFILTER\CID_00640181010c829000
>>>>>>>>
>>>>>>>> [Minidriver.NTx86.6.1]
>>>>>>>> %CardDeviceName%=Minidriver32_61_Install,SCFILTER\CID_00640181010c829000
>>>>>>>>
>>>>>>>> [DefaultInstall]
>>>>>>>> CopyFiles=x86_CopyFiles
>>>>>>>> AddReg=AddRegDefault
>>>>>>>>
>>>>>>>> [DefaultInstall.ntamd64]
>>>>>>>> CopyFiles=amd64_CopyFiles
>>>>>>>> CopyFiles=wow64_CopyFiles
>>>>>>>> AddReg=AddRegWOW64
>>>>>>>> AddReg=AddRegDefault
>>>>>>>>
>>>>>>>> [DefaultInstall.NTx86]
>>>>>>>> CopyFiles=x86_CopyFiles
>>>>>>>> AddReg=AddRegDefault
>>>>>>>>
>>>>>>>> [DefaultInstall.ntamd64.6.1]
>>>>>>>> AddReg=AddRegWOW64
>>>>>>>> AddReg=AddRegDefault
>>>>>>>>
>>>>>>>> [DefaultInstall.NTx86.6.1]
>>>>>>>> AddReg=AddRegDefault
>>>>>>>>
>>>>>>>> [SourceDisksFiles]
>>>>>>>> %SmartCardCardModule%=1
>>>>>>>> %SmartCardCardModule64%=1
>>>>>>>>
>>>>>>>> [SourceDisksNames]
>>>>>>>> 1 = %MediaDescription%
>>>>>>>>
>>>>>>>> [Minidriver64_Install.NT]
>>>>>>>> CopyFiles=amd64_CopyFiles
>>>>>>>> CopyFiles=wow64_CopyFiles
>>>>>>>> AddReg=AddRegWOW64
>>>>>>>> AddReg=AddRegDefault
>>>>>>>>
>>>>>>>> [Minidriver64_61_Install.NT]
>>>>>>>> AddReg=AddRegWOW64
>>>>>>>> AddReg=AddRegDefault
>>>>>>>> Include=umpass.inf
>>>>>>>> Needs=UmPass
>>>>>>>>
>>>>>>>> [Minidriver32_Install.NT]
>>>>>>>> CopyFiles=x86_CopyFiles
>>>>>>>> AddReg=AddRegDefault
>>>>>>>>
>>>>>>>> [Minidriver32_61_Install.NT]
>>>>>>>> AddReg=AddRegDefault
>>>>>>>> Include=umpass.inf
>>>>>>>> Needs=UmPass
>>>>>>>>
>>>>>>>> [Minidriver64_61_Install.NT.Services]
>>>>>>>> Include=umpass.inf
>>>>>>>> Needs=UmPass.Services
>>>>>>>>
>>>>>>>> [Minidriver32_61_Install.NT.Services]
>>>>>>>> Include=umpass.inf
>>>>>>>> Needs=UmPass.Services
>>>>>>>>
>>>>>>>>
>>>>>>>> [Minidriver64_61_Install.NT.HW]
>>>>>>>> Include=umpass.inf
>>>>>>>> Needs=UmPass.HW
>>>>>>>>
>>>>>>>> [Minidriver64_61_Install.NT.CoInstallers]
>>>>>>>> Include=umpass.inf
>>>>>>>> Needs=UmPass.CoInstallers
>>>>>>>>
>>>>>>>>
>>>>>>>> [Minidriver64_61_Install.NT.Interfaces]
>>>>>>>> Include=umpass.inf
>>>>>>>> Needs=UmPass.Interfaces
>>>>>>>>
>>>>>>>>
>>>>>>>> [Minidriver32_61_Install.NT.HW]
>>>>>>>> Include=umpass.inf
>>>>>>>> Needs=UmPass.HW
>>>>>>>>
>>>>>>>> [Minidriver32_61_Install.NT.CoInstallers]
>>>>>>>> Include=umpass.inf
>>>>>>>> Needs=UmPass.CoInstallers
>>>>>>>>
>>>>>>>>
>>>>>>>> [Minidriver32_61_Install.NT.Interfaces]
>>>>>>>> Include=umpass.inf
>>>>>>>> Needs=UmPass.Interfaces
>>>>>>>>
>>>>>>>>
>>>>>>>> [amd64_CopyFiles]
>>>>>>>> ;%SmartCardCardModule%,%SmartCardCardModule64%
>>>>>>>>
>>>>>>>> [x86_CopyFiles]
>>>>>>>> ;%SmartCardCardModule%
>>>>>>>>
>>>>>>>> [wow64_CopyFiles]
>>>>>>>> ;%SmartCardCardModule64%
>>>>>>>>
>>>>>>>> [AddRegWOW64]
>>>>>>>> HKLM, %SmartCardNameWOW64%,"ATR",0x00000001,3b,f8,13,00,00,81,31,fe,45,4A,43,4f,50,76,32,34,31,b7
>>>>>>>> HKLM, %SmartCardNameWOW64%,"ATRMask",0x00000001,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff
>>>>>>>> HKLM, %SmartCardNameWOW64%,"Crypto Provider",0x00000000,"Microsoft Base Smart Card Crypto Provider"
>>>>>>>> HKLM, %SmartCardNameWOW64%,"Smart Card Key Storage Provider",0x00000000,"Microsoft Smart Card Key Storage Provider"
>>>>>>>> HKLM, %SmartCardNameWOW64%,"80000001",0x00000000,%SmartCardCardModule64%
>>>>>>>>
>>>>>>>> [AddRegDefault]
>>>>>>>> HKLM, %SmartCardName%,"ATR",0x00000001,3b,f8,13,00,00,81,31,fe,45,4A,43,4f,50,76,32,34,31,b7
>>>>>>>> HKLM, %SmartCardName%,"ATRMask",0x00000001,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff
>>>>>>>> HKLM, %SmartCardName%,"Crypto Provider",0x00000000,"Microsoft Base Smart Card Crypto Provider"
>>>>>>>> HKLM, %SmartCardName%,"Smart Card Key Storage Provider",0x00000000,"Microsoft Smart Card Key Storage Provider"
>>>>>>>> HKLM, %SmartCardName%,"80000001",0x00000000,%SmartCardCardModule%
>>>>>>>>
>>>>>>>> [DestinationDirs]
>>>>>>>> amd64_CopyFiles=10,system32
>>>>>>>> x86_CopyFiles=10,system32
>>>>>>>> wow64_CopyFiles=10,syswow64
>>>>>>>>
>>>>>>>>
>>>>>>>> ; =================== Generic ==================================
>>>>>>>>
>>>>>>>> [Strings]
>>>>>>>> ProviderName="OpenSC"
>>>>>>>> MediaDescription="OpenSC Card Minidriver Installation Disk"
>>>>>>>> CardDeviceName="Muscle Card"
>>>>>>>> SmartCardName="SOFTWARE\Microsoft\Cryptography\Calais\SmartCards\Muscle Card"
>>>>>>>> SmartCardNameWOW64="SOFTWARE\Wow6432Node\Microsoft\Cryptography\Calais\SmartCards\Muscle Card"
>>>>>>>> SmartCardCardModule="opensc-minidriver.dll"
>>>>>>>> ************************************************************
>>>> ***************************
>>>>>>>>
>>>>>>>> When the card is inserted the driver is used as shown in device
>>>> manager
>>>>>>>> as well as in certutil.exe.
>>>>>>>> Now here is the actual problem:
>>>>>>>> When I try to use the card with certutil.exe -SCinfo  several times a
>>>> dialog pops up
>>>>>>>> complaining that the card does not have the required functions.
>>>>>>>> The terminal output is like this. I am sorry for pasting this in
>>>> german.
>>>>>>>> I added some translations:
>>>>>>>>
>>>>>>>> ************************************************************
>>>> ***************************
>>>>>>>> Microsoft Windows [Version 6.1.7601]
>>>>>>>> Copyright (c) 2009 Microsoft Corporation. Alle Rechte vorbehalten.
>>>>>>>>
>>>>>>>> C:\Users\developer>certutil -scinfo
>>>>>>>> Die Microsoft Smartcard-Ressourcenverwaltung wird ausgeführt.
>>>>>>>> Aktueller Leser-/Kartenstatus: (Current Reader/Card Status)
>>>>>>>> Leser: 1 (Reader: 1)
>>>>>>>>     0: OMNIKEY CardMan 3x21 0
>>>>>>>> --- Leser: OMNIKEY CardMan 3x21 0 (Reader)
>>>>>>>> --- Status: SCARD_STATE_PRESENT | SCARD_STATE_UNPOWERED
>>>>>>>> --- Status: Die Smartcard kann verwendet werden.
>>>>>>>> ---  Karte: Muscle Card
>>>>>>>> ---    ATR:
>>>>>>>>           3b f8 13 00 00 81 31 fe  45 4a 43 4f 50 76 32 34
>>>>   ;.....1.EJCOPv24
>>>>>>>>           31 b7                                              1.
>>>>>>>>
>>>>>>>>
>>>>>>>> =======================================================
>>>>>>>> Karte im Leser wird analysiert: OMNIKEY CardMan 3x21 0 (Trans: The
>>>> card in the reader is being analyzed)
>>>>>>>>
>>>>>>>> --------------===========================--------------
>>>>>>>> ================ Zertifikat 0 ================ (Trans: Certificate 0)
>>>>>>>> --- Leser: OMNIKEY CardMan 3x21 0 (Reader)
>>>>>>>> ---  Karte: Muscle Card
>>>>>>>> Anbieter = Microsoft Base Smart Card Crypto Provider
>>>>>>>> Schlüsselcontainer = (null) [Standardcontainer] (Trans: standard
>>>> container)
>>>>>>>>
>>>>>>>> Schlüssel "AT_SIGNATURE" kann nicht geöffnet werden für Leser:
>>>> OMNIKEY CardMan 3 (Trans:  Key „AT_SIGNATURE“ could not be opened)
>>>>>>>> x21 0
>>>>>>>> Schlüssel "AT_KEYEXCHANGE" kann nicht geöffnet werden für Leser:
>>>> OMNIKEY CardMan (Trans:  Key „AT_SIGNATURE“ could not be opened)
>>>>>>>>    3x21 0
>>>>>>>>
>>>>>>>> --------------===========================--------------
>>>>>>>> ================ Zertifikat 0 ================
>>>>>>>> --- Leser: OMNIKEY CardMan 3x21 0
>>>>>>>> ---  Karte: Smart Security Device (Brainchild)
>>>>>>>> Anbieter = Microsoft Smart Card Key Storage Provider
>>>>>>>> Schlüsselcontainer = (null) [Standardcontainer]
>>>>>>>>
>>>>>>>> Schlüssel "" kann nicht geöffnet werden für Leser: OMNIKEY CardMan
>>>> 3x21 0 (Trans:  Key „“ could not be opened)
>>>>>>>>
>>>>>>>> --------------===========================--------------
>>>>>>>>
>>>>>>>> Fertig.
>>>>>>>> CertUtil: -SCInfo-Befehl wurde erfolgreich ausgeführt. (Trans:
>>>> -SCinfo command has been executed with success)
>>>>>>>> ************************************************************
>>>> ***************************
>>>>>>>>
>>>>>>>> I also configured to use a log file in opensc.conf and debug level 9.
>>>>>>>> Unfortunately the file is about 2.5 MB. I try to add it as an
>>>> attachment to this mail,
>>>>>>>> but I am not sure if this is working with a mailing list.
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> I already inspected the log, but found nothing suspicious.
>>>>>>>> I think maybe there has to be a private key marked
>>>>>>>> for use as AT_SIGNATURE and one for AT_EXCHANGE.
>>>>>>>> But how?
>>>>>>>>
>>>>>>>> Or maybe I am completely wrong and something different is going wrong.
>>>>>>>>
>>>>>>>> Any help would be appreciated!
>>>>>>>>
>>>>>>>> Best Regards,
>>>>>>>> Michael
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>
>>>>>>> --
>>>>>>>
>>>>>>>    Douglas E. Engert  <[hidden email]>
>>>>>>>
>>>>>>>
>>>>>>
>>>>>
>>>>
>>>>
>>>>
>>>
>>
>>
>

------------------------------------------------------------------------------
New Year. New Location. New Benefits. New Data Center in Ashburn, VA.
GigeNET is offering a free month of service with a new server in Ashburn.
Choose from 2 high performing configs, both with 100TB of bandwidth.
Higher redundancy.Lower latency.Increased capacity.Completely compliant.
http://p.sf.net/sfu/gigenet
_______________________________________________
Opensc-devel mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/opensc-devel
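As an added example (not OpenSC's own code), the lookup order described above: prefer the serial from EF(TokenInfo) and only fall back to a binary serial of the kind SC_CARDCTL_GET_SERIALNR returns, hex-encoded, when TokenInfo carries nothing usable. The struct types, the trimming of blank padding, and the rule that a serial of "0000" (pkcs15-init's value when no --serial is given) counts as unset are this example's own assumptions.

```c
/* Added example: derive a stable card identifier, TokenInfo first,
 * binary serial second. The types below are simplified stand-ins for
 * p15card->tokeninfo->serial_number and struct sc_serial_number and are
 * assumptions of this example, not OpenSC's API. */
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define CARD_ID_MAX 64

/* Stand-in for tokeninfo->serial_number: a C string of at most 32
 * characters of content, possibly blank-padded or left at "0000". */
typedef struct {
    const char *serial_number;
} token_info_t;

/* Stand-in for struct sc_serial_number: raw bytes plus a length. */
typedef struct {
    unsigned char value[32];
    size_t len;
} bin_serial_t;

typedef enum { ID_FROM_TOKENINFO, ID_FROM_CARDCTL, ID_NONE } id_source_t;

/* Copy s into out with leading and trailing blanks removed. */
static size_t trim_copy(const char *s, char *out, size_t outsz) {
    size_t start = 0, end = strlen(s);
    while (start < end && isspace((unsigned char)s[start])) start++;
    while (end > start && isspace((unsigned char)s[end - 1])) end--;
    size_t n = end - start;
    if (n >= outsz) n = outsz - 1;
    memcpy(out, s + start, n);
    out[n] = '\0';
    return n;
}

/* Assumption of this example: an empty serial, or one made only of '0'
 * characters ("0000" as shown by pkcs15-tool -D), means "not set". */
static int serial_is_set(const char *trimmed) {
    if (*trimmed == '\0') return 0;
    for (const char *p = trimmed; *p; p++)
        if (*p != '0') return 1;
    return 0;
}

/* Write an identifier for the card into out[]. The TokenInfo serial wins
 * when it is set; otherwise the binary serial is hex-encoded. The same
 * inputs always yield the same string, which is what lets cached
 * certificates be matched back to the card holding the key. */
id_source_t derive_card_id(const token_info_t *ti, const bin_serial_t *bin,
                           char *out, size_t outsz) {
    char tmp[CARD_ID_MAX];
    if (ti && ti->serial_number) {
        trim_copy(ti->serial_number, tmp, sizeof tmp);
        if (serial_is_set(tmp)) {
            snprintf(out, outsz, "%s", tmp);
            return ID_FROM_TOKENINFO;
        }
    }
    if (bin && bin->len > 0) {
        size_t pos = 0;
        for (size_t i = 0; i < bin->len && pos + 2 < outsz; i++)
            pos += (size_t)snprintf(out + pos, outsz - pos, "%02x", bin->value[i]);
        return ID_FROM_CARDCTL;
    }
    /* Neither source available: the situation of a driver without
     * SC_CARDCTL_GET_SERIALNR and an unset TokenInfo serial. */
    if (outsz) out[0] = '\0';
    return ID_NONE;
}

int main(void) {
    char id[CARD_ID_MAX];
    /* Constructed inputs: the --serial value from the pkcs15-init run in
     * the thread, an unset "0000" serial, and a made-up 4-byte serial. */
    token_info_t set = { "42424242424242424242424242424242" };
    token_info_t unset = { "0000" };
    bin_serial_t bin = { { 0x11, 0x22, 0x33, 0x44 }, 4 };
    derive_card_id(&set, &bin, id, sizeof id);
    printf("tokeninfo -> %s\n", id);
    derive_card_id(&unset, &bin, id, sizeof id);
    printf("cardctl   -> %s\n", id);
    derive_card_id(&unset, NULL, id, sizeof id);
    printf("none      -> '%s'\n", id);
    return 0;
}
```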

Re: AT_SIGNATURE and AT_EXCHANGE Problem

Douglas E Engert
OK, a step in the right direction, but any change must make sure sc_pkcs15_get_object_guid()
returns the same thing as it does now for existing cards.
The pkcs15->tokeninfo contains a char* up to 32 bytes, but no length, and may be padded with blanks.
The card->serialnr is hex. Some research on what OpenSC is doing for all cards may be needed
if a change is to be made only in sc_pkcs15_get_object_guid.
Not clear if the card->serialnr is filled in from pkcs15->tokeninfo.

On 1/23/2015 11:08 AM, Philip Wendland wrote:

> On 01/23/2015 04:54 PM, Douglas E Engert wrote:
>> After looking closer at the code for minidriver, serial number and card_ctl...
>>
>> The minidriver in md_set_cardid() uses the serial number from
>> p15card->tokeninfo->serial_number
>>
>> The minidriver also calls sc_pkcs15_get_object_guid() in pkcs15.c which *does* call
>> sc_card_ctl(p15card->card, SC_CARDCTL_GET_SERIALNR, &serialnr);
>>
>> ***THIS MAY BE THE PROBLEM***
>>
>> Why does  sc_pkcs15_get_object_guid not use p15card->tokeninfo->serial_number?
>>
>> PKCS#15 defines the ASN.1 TokenInfo which has serialNumber OCTET STRING.
>>
>> Do all PKCS#15 cards have this file?
>> Do they all fill in the serial_number?
>>
>> For cards doing PKCS#15 emulation, their pkcs15-*.c drivers should be filling in the
>> p15card->tokeninfo->serial_number.
>>
>> Thus the minidriver should not depend on card-ctl if the p15card->tokeninfo->serial_number
>> is properly filled in.
>>
>> So the requirement for windows that a card driver have a card_ctl for serial_number
>> may be that the p15card->tokeninfo->serial_number must be filled in.
>>
>
> Very interesting find.
>
> See also:
> $ pkcs15-tool -D
> PKCS#15 Card [JavaCard isoApplet]:
> Version        : 0
> Serial number  : 0000
>
> I think this is the serial number from the EF(TokenInfo). Version seems
> to be TokenInfo.version defined in PKCS#15, namely the PKCS#15 version
> the card conforms to.
>
> I followed the code path in pkcs15-init from creating the file
> structure. It goes to do_init_app(), which calls sc_pkcs15init_add_app()
> in pkcs15-lib.c.
> The code at line 866 ff. seems to fit very well to your point (that the
> minidriver should first read the EF(TokenInfo), and call the cardctl
> only if this is not possible):
>
> /* set serial number if explicitly specified */
> if (args->serial)   {
> sc_pkcs15init_set_serial(profile, args->serial);
> }
> else {
> /* otherwise try to get the serial number from the card */
> struct sc_serial_number serialnr;
> r = sc_card_ctl(card, SC_CARDCTL_GET_SERIALNR, &serialnr);
> (...)
>
>
> Here is an example of how to set the IsoApplet up with a serial number
> in EF(TokenInfo) (without any modification to the driver or applet):
>
> [*@*]$ pkcs15-init -C --serial 42424242424242424242424242424242
> Using reader with a card: Cherry GmbH SmartTerminal ST-2xxx [Vendor
> Interface] (21121440179920) 00 00
> New User PIN.
> Please enter User PIN:
> Please type again to verify:
> Unblock Code for New User PIN (Optional - press return for no PIN).
> Please enter User unblocking PIN (PUK):
> Please type again to verify:
> User PIN [User PIN] required.
> Please enter User PIN [User PIN]:
>
> [*@*]$ pkcs15-tool -D
> Using reader with a card: Cherry GmbH SmartTerminal ST-2xxx [Vendor
> Interface] (21121440179920) 00 00
> PKCS#15 Card [JavaCard isoApplet]:
> Version        : 0
> Serial number  : 42424242424242424242424242424242
>
>
> So with changing the minidriver accordingly, it should be able to get
> the serial number.
>
>>
>> Even Microsoft does not require a serial number, but a CP_CARD_GUID that in their abstraction
>> of a smart card is contained in the cardId file.
>> See https://msdn.microsoft.com/en-us/library/windows/hardware/dn631754
>> Under V7.07, Section 5.4.1 Card Identifier.
>>
>
> Interesting as well:
> "This value is assigned by Microsoft software to assure that a unique
> value is generated for the card. It is unrelated to the serial number
> that may or may not be assigned to the card during manufacture."
>
>
>> For example the PIV card edge specifications are defined by NIST, and implemented
>> by multiple vendors. There is no "serial number" or a cardId file, but there is an object
>> defined called the CHUID.
>>
>>    https://www.idmanagement.gov/sites/default/files/documents/PACS.pdf
>>
>> It contains a "Federal Agency Smart Credential Number" (FASC-N) which was used
>> by the U.S. federal government, but to make the specifications more  usable for
>> non-government, it can also contain a GUID. Section 2 of the above goes into
>> detail on these.
>>
>> The OpenSC PIV card driver is emulating PKCS#15 so to get a serial number,
>> pkcs15-piv.c uses card_ctl to have the card-piv.c read the CHUID,
>> and use the FASC-N or GUID as defined above. The Microsoft built-in driver will
>> also use the CHUID, and derive a number it can use as the cardId.
>>
>> The point being, the intent is to give Microsoft a unique number for a card,
>> unique in the sense that all the cards used on a local system have different numbers.
>> (Other uses of the number may require it to be globally unique...)
>>
>> The same number should be returned by the card each time so cached certificates
>> can be associated with a card containing the matching key.
>>
>> How that number is obtained for the card is up to the applet.
>>
>>>
>>>> Nevertheless, the presence of the "get serial" card control is out of sync
>>>> with the rest of the framework. Why is there a mandatory "extension" for
>>>> something that should be part of the core?
>>
>> Because it is only mandatory for some systems. It was an afterthought; otherwise ISO 7816
>> would have defined a serial number.
>>
>>
>> It either should be a required
>>>> part of the usual card function structure, maybe with some sensible
>>>> defaults or fallbacks or the "serial" must be derived from some unique data
>>>> (certificate?) if the callback is not there or no data present.
>>
>> Yes, but if the card has many certificates, that can be changed independently,
>> that will not work very well.
>>
>> One of the first OpenSC commands a user tries is opensc-tool  --serial
>> 23 of the 33 or so card-*.c support reading a serial number, because it
>> is still optional.
>>
>> Thus the minidriver in md_set_cardid() uses the serial number from
>> p15card->tokeninfo->serial_number
>>
>> The minidriver also calls sc_pkcs15_get_object_guid() in pkcs15.c which does call
>> sc_card_ctl(p15card->card, SC_CARDCTL_GET_SERIALNR, &serialnr);
>>
>> ***THIS MAY BE THE PROBLEM***
>>
>> Should sc_pkcs15_get_object_guid at p15card->tokeninfo->serial_number?
>>
>> For a PKCS#15 card with the tokeninfo there
>> is ASN.1 TokenInfo which has serialNumber OCTET STRING.
>>
>> For cards doing PKCS#15 emulation, their pkcs15-*.c drivers should be filling in the
>> p15card->tokeninfo->serial_number.
>>
>> Thus the minidriver should not depend on cardctl if the
>>
>>
>>
>>>>
>>>
>>> I kind of agree. When writing card drivers for OpenSC you usually look
>>> at the sc_card_operations struct, for me it was not clear for a long
>>> time that the SC_CARDCTL_GET_SERIALNR cardctl is required for windows
>>> functionality.
>>> (Windows support was never a requirement for the isoapplet anyway,
>>> until now.)
>>
>> I would expect nowadays Windows support would be highly desirable,
>> and the OpenSC minidriver can do that if there is a way to get a serial number
>> from the card driver.
>>
>>
>>>
>>>> The question is how to "grow" the framework: either extend the card
>>>> function pointers (that right now is almost 1:1 ISO and old, first
>>>> implementations) or via card controls. I would choose extending the card
>>>> function pointers.
>>>>
>>>> Also, the requirements for the "serial" must be written down: for
>>>> example, if the serial remains the same but card content changes, does this
>>>> matter? does this affect some caching somewhere? Is the serial binary or
>>>> string, how long? Is it supposed to be globally unique or just for a batch?
>>>>
>>>> Martin
>>>>
>>>> On Mon Jan 19 2015 at 7:55:44 PM Philip Wendland <[hidden email]> wrote:
>>>>
>>>>> Hi,
>>>>>
>>>>> I will try to solve this problem for the IsoApplet this weekend. My
>>>>> spare time is limited until then.
>>>>>
>>>>> However, the problem will be to find a unique identifier for any generic
>>>>> card..
>>>>>
>>>>> Kind regards,
>>>>> Philip
>>>>>
>>>>> On 19.01.2015 17:26, Douglas E Engert wrote:
>>>>>> [I should have sent this to the opensc-devel, as others can address some of your questions
>>>>>> about the state of the muscle applet and isoapplet].
>>>>>>
>>>>>> No, that fix was for card-itacns.c; you are using card-muscle.c.
>>>>>>
>>>>>> Some equivalent code needs to be added to card-muscle.c, to use whatever information is available that
>>>>>> Windows could use to uniquely identify the card. This is then stored with the certificates in the Windows store.
>>>>>> At a later time, Windows uses certificates from the store and can then prompt to have the card mounted, so it can use the
>>>>>> matching key on the card.
>>>>>>
>>>>>> You or someone else that can test a mod to card-muscle.c could submit a code change.
>>>>>>
>>>>>> There are 33 card-*.c files, 24 support SC_CARDCTL_GET_SERIALNR. 11 do not.
>>>>>>
>>>>>> card-belpic.c
>>>>>> card-default.c
>>>>>> card-gemsafeV1.c
>>>>>> card-ias.c
>>>>>> card-incrypto34.c
>>>>>> card-jcop.c
>>>>>> card-mcrd.c
>>>>>> card-miocos.c
>>>>>> card-muscle.c
>>>>>> card-setcos.c
>>>>>> iso7816.c
>>>>>>
>>>>>> Cards that support SC_CARDCTL_GET_SERIALNR
>>>>>> card-acos5.c
>>>>>> card-akis.c
>>>>>> card-asepcos.c
>>>>>> card-atrust-acos.c
>>>>>> card-authentic.c
>>>>>> card-cardos.c
>>>>>> card-dnie.c
>>>>>> card-entersafe.c
>>>>>> card-epass2003.c
>>>>>> card-flex.c
>>>>>> card-gpk.c
>>>>>> card-iasecc.c
>>>>>> card-itacns.c
>>>>>> card-myeid.c
>>>>>> card-oberthur.c
>>>>>> card-openpgp.c
>>>>>> card-piv.c
>>>>>> card-rtecp.c
>>>>>> card-rutoken.c
>>>>>> card-sc-hsm.c
>>>>>> card-starcos.c
>>>>>> card-tcos.c
>>>>>> card-westcos.c
>>>>>>
>>>>>>
>>>>>> To answer some other questions you asked in a private e-mail:
>>>>>>
>>>>>> iso7816.c, which implements the basic ISO commands, does not support any card_ctl commands.
>>>>>> I believe that the IsoApplet is designed to use the iso7816.c. I am not sure if the concept of
>>>>>> a unique "serial number" is part of ISO7816.
>>>>>>
>>>>>> I also don't know the state of the muscle applet, or if it has something that can be used as a serial number either.
>>>>>>
>>>>>>
>>>>>>
>>>>>> On 1/19/2015 8:37 AM, Michael Heydemann wrote:
>>>>>>> WOW.. Thank you a lot.. I think I owe you a beer..
>>>>>>>
>>>>>>> I checked: the fix is from November last year, and the 0.14 version is from summer last year.
>>>>>>> Does this mean, that the nightly build could fix this?
>>>>>>> What version I should pull/download?
>>>>>>>
>>>>>>> Thank you a lot,
>>>>>>> Michael
>>>>>>>
>>>>>>>> Am 19.01.2015 um 14:35 schrieb Douglas E Engert <[hidden email]>:
>>>>>>>>
>>>>>>>> This is the same problem as:
>>>>>>>>
>>>>>>>>     https://github.com/OpenSC/OpenSC/pull/321
>>>>>>>>
>>>>>>>>
>>>>>>>> 2015-01-19 09:49:34.203 [cardmod] card.c:720:sc_card_ctl: called
>>>>>>>> 2015-01-19 09:49:34.203 card_ctl(5) not supported
>>>>>>>>
>>>>>>>> The card-muscle.c (and others in OpenSC) does not support
>>>>> SC_CARDCTL_GET_SERIALNR
>>>>>>>> to get a card "serial number" which windows requires.
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> On 1/19/2015 3:30 AM, Michael Heydemann wrote:
>>>>>>>>> Dear OpenSC Development Team,
>>>>>>>>>
>>>>>>>>> First of all, I would like to say that I really appreciate your great work.
>>>>>>>>> I am working on a little project and explored all the nice tools of OpenSC.
>>>>>>>>> Unfortunately, for the past week I have not been able to get around a certain problem.
>>>>>>>>> I hope this mailing list is the right place and you can help me with that.
>>>>>>>>>
>>>>>>>>> My project is about (1) setting up a PKCS#11 key store on a Java Card,
>>>>>>>>> (2) loading some test data (keys and certificates) on it, and (3) using the card
>>>>>>>>> with the Windows 7 Key Management.
>>>>>>>>>
>>>>>>>>> Hardware:
>>>>>>>>> * Card Reader: Omnikey 3121USB
>>>>>>>>> * Java Card: J2A080 - NXP, 80k
>>>>>>>>>
>>>>>>>>> (1) Setting up PKCS#11 key store:
>>>>>>>>> I have installed Ubuntu 14.04.1 in VirtualBox and wrote a bunch of bash scripts
>>>>>>>>> to install all required software, install the muscle applet on the card, and
>>>>>>>>> remove the muscle applet from the card. I followed the instructions on
>>>>>>>>> http://blog.ev0ke.net/muscle-jcop/ and everything worked well.
>>>>>>>>>
>>>>>>>>> (2) Loading some test data:
>>>>>>>>> I tried some different ways to get some keys and certificates on the card.
>>>>>>>>> None of them delivered data which is accepted by Windows 7.
>>>>>>>>> Here is one set of data I created:
>>>>>>>>>
>>>>>>>>> ***************************************************************************************
>>>>>>>>> Using reader with a card: OMNIKEY CardMan (076B:3022) 3021 00 00
>>>>>>>>> PKCS#15 Card [MUSCLE]:
>>>>>>>>> Version        : 0
>>>>>>>>> Serial number  : 0000
>>>>>>>>> Manufacturer ID: Identity Alliance
>>>>>>>>> Last update    : 20150119080705Z
>>>>>>>>> Flags          : EID compliant
>>>>>>>>>
>>>>>>>>> PIN [User PIN]
>>>>>>>>> Object Flags   : [0x3], private, modifiable
>>>>>>>>> ID             : 01
>>>>>>>>> Flags          : [0x10], initialized
>>>>>>>>> Length         : min_len:4, max_len:8, stored_len:8
>>>>>>>>> Pad char       : 0x00
>>>>>>>>> Reference      : 1
>>>>>>>>> Type           : ascii-numeric
>>>>>>>>> Path           : 3f005015
>>>>>>>>>
>>>>>>>>> Private RSA Key [Card Owner]
>>>>>>>>> Object Flags   : [0x3], private, modifiable
>>>>>>>>> Usage          : [0x2E], decrypt, sign, signRecover, unwrap
>>>>>>>>> Access Flags   : [0x0]
>>>>>>>>> ModLength      : 1024
>>>>>>>>> Key ref        : 0 (0x0)
>>>>>>>>> Native         : yes
>>>>>>>>> Path           : 3f005015
>>>>>>>>> Auth ID        : 01
>>>>>>>>> ID             : 01
>>>>>>>>>
>>>>>>>>> Public RSA Key [Card Owner]
>>>>>>>>> Object Flags   : [0x2], modifiable
>>>>>>>>> Usage          : [0xD1], encrypt, wrap, verify, verifyRecover
>>>>>>>>> Access Flags   : [0x0]
>>>>>>>>> ModLength      : 1024
>>>>>>>>> Key ref        : 0
>>>>>>>>> Native         : no
>>>>>>>>> Path           : 3f0050153000
>>>>>>>>> ID             : 01
>>>>>>>>>
>>>>>>>>> X.509 Certificate [Card Owner Certificate]
>>>>>>>>> Object Flags   : [0x2], modifiable
>>>>>>>>> Authority      : no
>>>>>>>>> Path           : 3f0050153100
>>>>>>>>> ID             : 01
>>>>>>>>> Encoded serial : 02 09 00F695059953A904F9
>>>>>>>>>
>>>>>>>>> X.509 Certificate [Contact 2 Certificate]
>>>>>>>>> Object Flags   : [0x2], modifiable
>>>>>>>>> Authority      : no
>>>>>>>>> Path           : 3f0050153101
>>>>>>>>> ID             : 02
>>>>>>>>> Encoded serial : 02 09 00F695059953A904F9
>>>>>>>>>
>>>>>>>>> X.509 Certificate [Contact 3 Certificate]
>>>>>>>>> Object Flags   : [0x2], modifiable
>>>>>>>>> Authority      : no
>>>>>>>>> Path           : 3f0050153102
>>>>>>>>> ID             : 03
>>>>>>>>> Encoded serial : 02 09 00F695059953A904F9
>>>>>>>>>
>>>>>>>>> X.509 Certificate [Contact 4 Certificate]
>>>>>>>>> Object Flags   : [0x2], modifiable
>>>>>>>>> Authority      : no
>>>>>>>>> Path           : 3f0050153103
>>>>>>>>> ID             : 04
>>>>>>>>> Encoded serial : 02 09 00F695059953A904F9
>>>>>>>>>
>>>>>>>>> X.509 Certificate [Contact 5 Certificate]
>>>>>>>>> Object Flags   : [0x2], modifiable
>>>>>>>>> Authority      : no
>>>>>>>>> Path           : 3f0050153104
>>>>>>>>> ID             : 05
>>>>>>>>> Encoded serial : 02 09 00F695059953A904F9
>>>>>>>>> ***************************************************************************************
>>>>>>>>>
>>>>>>>>> (3) Using the card in Windows 7:
>>>>>>>>> I installed Windows 7  64 Bit in a VirtualBox and installed
>>>>>>>>> OpenSC-0.12.2-win64.msi. I also tried OpenSC-0.14.0-win64.msi,
>>>>>>>>> but with same result.
>>>>>>>>> I acquired the ATR of the card and properly installed my opensc-minidriver.inf:
>>>>>>>>>
>>>>>>>>> ***************************************************************************************
>>>>>>>>> [Version]
>>>>>>>>> Signature="$Windows NT$"
>>>>>>>>> Class=SmartCard
>>>>>>>>> ClassGuid={990A2BD7-E738-46c7-B26F-1CF8FB9F1391}
>>>>>>>>> Provider=%ProviderName%
>>>>>>>>> CatalogFile=delta.cat
>>>>>>>>> DriverVer=05/02/2010,@OPENSC_VERSION_MAJOR@,@OPENSC_VERSION_MINOR@,@OPENSC_VERSION_FIX@,0
>>>>>>>>>
>>>>>>>>> [Manufacturer]
>>>>>>>>> %ProviderName%=Minidriver,NTamd64,NTamd64.6.1,NTx86,NTx86.6.1
>>>>>>>>>
>>>>>>>>> [Minidriver.NTamd64]
>>>>>>>>> %CardDeviceName%=Minidriver64_Install,SCFILTER\CID_00640181010c829000
>>>>>>>>>
>>>>>>>>> [Minidriver.NTx86]
>>>>>>>>> %CardDeviceName%=Minidriver32_Install,SCFILTER\CID_00640181010c829000
>>>>>>>>>
>>>>>>>>> [Minidriver.NTamd64.6.1]
>>>>>>>>> %CardDeviceName%=Minidriver64_61_Install,SCFILTER\CID_00640181010c829000
>>>>>>>>>
>>>>>>>>> [Minidriver.NTx86.6.1]
>>>>>>>>> %CardDeviceName%=Minidriver32_61_Install,SCFILTER\CID_00640181010c829000
>>>>>>>>>
>>>>>>>>> [DefaultInstall]
>>>>>>>>> CopyFiles=x86_CopyFiles
>>>>>>>>> AddReg=AddRegDefault
>>>>>>>>>
>>>>>>>>> [DefaultInstall.ntamd64]
>>>>>>>>> CopyFiles=amd64_CopyFiles
>>>>>>>>> CopyFiles=wow64_CopyFiles
>>>>>>>>> AddReg=AddRegWOW64
>>>>>>>>> AddReg=AddRegDefault
>>>>>>>>>
>>>>>>>>> [DefaultInstall.NTx86]
>>>>>>>>> CopyFiles=x86_CopyFiles
>>>>>>>>> AddReg=AddRegDefault
>>>>>>>>>
>>>>>>>>> [DefaultInstall.ntamd64.6.1]
>>>>>>>>> AddReg=AddRegWOW64
>>>>>>>>> AddReg=AddRegDefault
>>>>>>>>>
>>>>>>>>> [DefaultInstall.NTx86.6.1]
>>>>>>>>> AddReg=AddRegDefault
>>>>>>>>>
>>>>>>>>> [SourceDisksFiles]
>>>>>>>>> %SmartCardCardModule%=1
>>>>>>>>> %SmartCardCardModule64%=1
>>>>>>>>>
>>>>>>>>> [SourceDisksNames]
>>>>>>>>> 1 = %MediaDescription%
>>>>>>>>>
>>>>>>>>> [Minidriver64_Install.NT]
>>>>>>>>> CopyFiles=amd64_CopyFiles
>>>>>>>>> CopyFiles=wow64_CopyFiles
>>>>>>>>> AddReg=AddRegWOW64
>>>>>>>>> AddReg=AddRegDefault
>>>>>>>>>
>>>>>>>>> [Minidriver64_61_Install.NT]
>>>>>>>>> AddReg=AddRegWOW64
>>>>>>>>> AddReg=AddRegDefault
>>>>>>>>> Include=umpass.inf
>>>>>>>>> Needs=UmPass
>>>>>>>>>
>>>>>>>>> [Minidriver32_Install.NT]
>>>>>>>>> CopyFiles=x86_CopyFiles
>>>>>>>>> AddReg=AddRegDefault
>>>>>>>>>
>>>>>>>>> [Minidriver32_61_Install.NT]
>>>>>>>>> AddReg=AddRegDefault
>>>>>>>>> Include=umpass.inf
>>>>>>>>> Needs=UmPass
>>>>>>>>>
>>>>>>>>> [Minidriver64_61_Install.NT.Services]
>>>>>>>>> Include=umpass.inf
>>>>>>>>> Needs=UmPass.Services
>>>>>>>>>
>>>>>>>>> [Minidriver32_61_Install.NT.Services]
>>>>>>>>> Include=umpass.inf
>>>>>>>>> Needs=UmPass.Services
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> [Minidriver64_61_Install.NT.HW]
>>>>>>>>> Include=umpass.inf
>>>>>>>>> Needs=UmPass.HW
>>>>>>>>>
>>>>>>>>> [Minidriver64_61_Install.NT.CoInstallers]
>>>>>>>>> Include=umpass.inf
>>>>>>>>> Needs=UmPass.CoInstallers
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> [Minidriver64_61_Install.NT.Interfaces]
>>>>>>>>> Include=umpass.inf
>>>>>>>>> Needs=UmPass.Interfaces
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> [Minidriver32_61_Install.NT.HW]
>>>>>>>>> Include=umpass.inf
>>>>>>>>> Needs=UmPass.HW
>>>>>>>>>
>>>>>>>>> [Minidriver32_61_Install.NT.CoInstallers]
>>>>>>>>> Include=umpass.inf
>>>>>>>>> Needs=UmPass.CoInstallers
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> [Minidriver32_61_Install.NT.Interfaces]
>>>>>>>>> Include=umpass.inf
>>>>>>>>> Needs=UmPass.Interfaces
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> [amd64_CopyFiles]
>>>>>>>>> ;%SmartCardCardModule%,%SmartCardCardModule64%
>>>>>>>>>
>>>>>>>>> [x86_CopyFiles]
>>>>>>>>> ;%SmartCardCardModule%
>>>>>>>>>
>>>>>>>>> [wow64_CopyFiles]
>>>>>>>>> ;%SmartCardCardModule64%
>>>>>>>>>
>>>>>>>>> [AddRegWOW64]
>>>>>>>>> HKLM, %SmartCardNameWOW64%,"ATR",0x00000001,3b,f8,13,00,00,81,31,fe,45,4A,43,4f,50,76,32,34,31,b7
>>>>>>>>> HKLM, %SmartCardNameWOW64%,"ATRMask",0x00000001,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff
>>>>>>>>> HKLM, %SmartCardNameWOW64%,"Crypto Provider",0x00000000,"Microsoft Base Smart Card Crypto Provider"
>>>>>>>>> HKLM, %SmartCardNameWOW64%,"Smart Card Key Storage Provider",0x00000000,"Microsoft Smart Card Key Storage Provider"
>>>>>>>>> HKLM, %SmartCardNameWOW64%,"80000001",0x00000000,%SmartCardCardModule64%
>>>>>>>>>
>>>>>>>>> [AddRegDefault]
>>>>>>>>> HKLM, %SmartCardName%,"ATR",0x00000001,3b,f8,13,00,00,81,31,fe,45,4A,43,4f,50,76,32,34,31,b7
>>>>>>>>> HKLM, %SmartCardName%,"ATRMask",0x00000001,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff
>>>>>>>>> HKLM, %SmartCardName%,"Crypto Provider",0x00000000,"Microsoft Base Smart Card Crypto Provider"
>>>>>>>>> HKLM, %SmartCardName%,"Smart Card Key Storage Provider",0x00000000,"Microsoft Smart Card Key Storage Provider"
>>>>>>>>> HKLM, %SmartCardName%,"80000001",0x00000000,%SmartCardCardModule%
>>>>>>>>>
>>>>>>>>> [DestinationDirs]
>>>>>>>>> amd64_CopyFiles=10,system32
>>>>>>>>> x86_CopyFiles=10,system32
>>>>>>>>> wow64_CopyFiles=10,syswow64
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> ; =================== Generic ==================================
>>>>>>>>>
>>>>>>>>> [Strings]
>>>>>>>>> ProviderName ="OpenSC"
>>>>>>>>> MediaDescription="OpenSC Card Minidriver Installation Disk"
>>>>>>>>> CardDeviceName="Muscle Card"
>>>>>>>>> SmartCardName="SOFTWARE\Microsoft\Cryptography\Calais\SmartCards\Muscle Card"
>>>>>>>>> SmartCardNameWOW64="SOFTWARE\Wow6432Node\Microsoft\Cryptography\Calais\SmartCards\Muscle Card"
>>>>>>>>> SmartCardCardModule="opensc-minidriver.dll"
>>>>>>>>> ***************************************************************************************
>>>>>>>>>
>>>>>>>>> When the card is inserted the driver is used, as shown in device manager
>>>>>>>>> as well as in certutil.exe.
>>>>>>>>> Now here is the actual problem:
>>>>>>>>> When I try to use the card with certutil.exe -SCinfo, several times a dialog pops up
>>>>>>>>> complaining that the card does not have the required functions.
>>>>>>>>> The terminal output is like this. I am sorry for pasting this in German.
>>>>>>>>> I added some translations:
>>>>>>>>>
>>>>>>>>> ***************************************************************************************
>>>>>>>>> Microsoft Windows [Version 6.1.7601]
>>>>>>>>> Copyright (c) 2009 Microsoft Corporation. All rights reserved.
>>>>>>>>>
>>>>>>>>> C:\Users\developer>certutil -scinfo
>>>>>>>>> The Microsoft Smart Card Resource Manager is running.
>>>>>>>>> Current reader/card status:
>>>>>>>>> Readers: 1
>>>>>>>>>      0: OMNIKEY CardMan 3x21 0
>>>>>>>>> --- Reader: OMNIKEY CardMan 3x21 0
>>>>>>>>> --- Status: SCARD_STATE_PRESENT | SCARD_STATE_UNPOWERED
>>>>>>>>> --- Status: The card is available for use.
>>>>>>>>> ---   Card: Muscle Card
>>>>>>>>> ---    ATR:
>>>>>>>>>            3b f8 13 00 00 81 31 fe  45 4a 43 4f 50 76 32 34   ;.....1.EJCOPv24
>>>>>>>>>            31 b7                                              1.
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> =======================================================
>>>>>>>>> Analyzing card in reader: OMNIKEY CardMan 3x21 0
>>>>>>>>>
>>>>>>>>> --------------===========================--------------
>>>>>>>>> ================ Certificate 0 ================
>>>>>>>>> --- Reader: OMNIKEY CardMan 3x21 0
>>>>>>>>> ---   Card: Muscle Card
>>>>>>>>> Provider = Microsoft Base Smart Card Crypto Provider
>>>>>>>>> Key Container = (null) [Default Container]
>>>>>>>>>
>>>>>>>>> Cannot open "AT_SIGNATURE" key for reader: OMNIKEY CardMan 3x21 0
>>>>>>>>> Cannot open "AT_KEYEXCHANGE" key for reader: OMNIKEY CardMan 3x21 0
>>>>>>>>>
>>>>>>>>> --------------===========================--------------
>>>>>>>>> ================ Certificate 0 ================
>>>>>>>>> --- Reader: OMNIKEY CardMan 3x21 0
>>>>>>>>> ---   Card: Smart Security Device (Brainchild)
>>>>>>>>> Provider = Microsoft Smart Card Key Storage Provider
>>>>>>>>> Key Container = (null) [Default Container]
>>>>>>>>>
>>>>>>>>> Cannot open "" key for reader: OMNIKEY CardMan 3x21 0
>>>>>>>>>
>>>>>>>>> --------------===========================--------------
>>>>>>>>>
>>>>>>>>> Done.
>>>>>>>>> CertUtil: -SCInfo command completed successfully.
>>>>>>>>> ***************************************************************************************
>>>>>>>>>
>>>>>>>>> I also configured a log file in opensc.conf with debug level 9.
>>>>>>>>> Unfortunately the file is about 2.5 MB. I will try to add it as an attachment to this mail,
>>>>>>>>> but I am not sure if this works with a mailing list.
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> I already inspected the log, but found nothing suspicious.
>>>>>>>>> I think maybe there has to be a private key marked
>>>>>>>>> for use as AT_SIGNATURE and one for AT_EXCHANGE.
>>>>>>>>> But how?
>>>>>>>>>
>>>>>>>>> Or maybe I am completely wrong and something different is going wrong.
>>>>>>>>>
>>>>>>>>> Any help would be appreciated!
>>>>>>>>>
>>>>>>>>> Best Regards,
>>>>>>>>> Michael
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> ------------------------------------------------------------------------------
>>>>>>>>> New Year. New Location. New Benefits. New Data Center in Ashburn, VA.
>>>>>>>>> GigeNET is offering a free month of service with a new server in
>>>>> Ashburn.
>>>>>>>>> Choose from 2 high performing configs, both with 100TB of bandwidth.
>>>>>>>>> Higher redundancy.Lower latency.Increased capacity.Completely
>>>>> compliant.
>>>>>>>>> http://p.sf.net/sfu/gigenet
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> _______________________________________________
>>>>>>>>> Opensc-devel mailing list
>>>>>>>>> [hidden email]
>>>>>>>>> https://lists.sourceforge.net/lists/listinfo/opensc-devel
>>>>>>>>>
>>>>>>>>
>>>>>>>> --
>>>>>>>>
>>>>>>>>     Douglas E. Engert  <[hidden email]>
>>>>>>>>
>>>>>>>>
>>>>>>>
>>>>>>
>>>>>
>>>>>
>>>>>
>>>>
>>>
>>>
>>
>
>

--

  Douglas E. Engert  <[hidden email]>


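The selection order discussed in this post (EF(TokenInfo) serial first, SC_CARDCTL_GET_SERIALNR only as a fallback), as an added example in C. It is not code from the thread or from OpenSC: `serial_t`, `get_serialnr_fn`, `SERIAL_MAX`, the `cardctl_*` stand-ins and the `demo_*` wrappers are local assumptions, the hex-to-binary conversion follows the description above of tokeninfo->serial_number as a blank-padded hex string with no length, and the "all zeros is not a usable serial" check goes beyond what the thread proposes; it is motivated by the `Serial number : 0000` that both the muscle card and the freshly initialised isoApplet show.

```c
/*
 * Added example, not OpenSC code: the serial-number selection order the
 * thread proposes for sc_pkcs15_get_object_guid(). EF(TokenInfo)
 * serialNumber is kept by OpenSC as a hex *string* (char *, up to 32
 * bytes, no length, possibly blank-padded); SC_CARDCTL_GET_SERIALNR
 * returns binary. Prefer the string, fall back to the card control.
 * All types and names here are local stand-ins (assumptions), not the
 * real OpenSC structures.
 */
#include <ctype.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SERIAL_MAX 32   /* assumption: size of the binary serial buffer */

typedef struct {
    uint8_t value[SERIAL_MAX];
    size_t  len;
} serial_t;

/* stand-in for a driver's cardctl(SC_CARDCTL_GET_SERIALNR):
 * 0 on success, negative when the driver does not implement it */
typedef int (*get_serialnr_fn)(serial_t *out);

static int hexval(int c)
{
    if (c >= '0' && c <= '9') return c - '0';
    c = tolower(c);
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    return -1;
}

/* Decode a blank-padded hex string. Returns bytes written, -1 on odd length,
 * non-hex input or overflow; 0 for an empty or all-blank string. */
int serial_from_hex(const char *hex, serial_t *out)
{
    size_t n = strlen(hex);
    while (n > 0 && isspace((unsigned char)hex[n - 1]))
        n--;                                   /* strip trailing blanks */
    if (n % 2 != 0 || n / 2 > SERIAL_MAX)
        return -1;
    memset(out, 0, sizeof *out);
    for (size_t i = 0; i < n; i += 2) {
        int hi = hexval((unsigned char)hex[i]), lo = hexval((unsigned char)hex[i + 1]);
        if (hi < 0 || lo < 0)
            return -1;
        out->value[out->len++] = (uint8_t)((hi << 4) | lo);
    }
    return (int)out->len;
}

/* Added check beyond the thread: "0000" is what an uninitialised TokenInfo
 * shows, and every such card would get the same Windows cardId. */
static int is_all_zero(const serial_t *s)
{
    for (size_t i = 0; i < s->len; i++)
        if (s->value[i]) return 0;
    return 1;
}

/* Returns 1 if the serial came from TokenInfo, 2 if from cardctl,
 * -1 if neither source yielded a usable value. */
int get_card_serial(const char *tokeninfo_serial, get_serialnr_fn cardctl, serial_t *out)
{
    if (tokeninfo_serial && serial_from_hex(tokeninfo_serial, out) > 0 && !is_all_zero(out))
        return 1;
    if (cardctl && cardctl(out) == 0 && out->len > 0 && !is_all_zero(out))
        return 2;
    memset(out, 0, sizeof *out);
    return -1;
}

/* constructed drivers: one with a fixed serial, one like card-muscle.c (none) */
static int cardctl_fixed(serial_t *o)
{
    static const uint8_t s[4] = { 0xDE, 0xAD, 0xBE, 0xEF };
    memcpy(o->value, s, 4); o->len = 4; return 0;
}
static int cardctl_unsupported(serial_t *o) { (void)o; return -1; }

/* scalar wrappers for quick checks */
int demo_len(const char *hex) { serial_t s; return serial_from_hex(hex, &s); }
int demo_pick(const char *ti, int driver_has_cardctl)
{
    serial_t s;
    return get_card_serial(ti, driver_has_cardctl ? cardctl_fixed : cardctl_unsupported, &s);
}

int main(void)
{
    printf("isoApplet after pkcs15-init --serial 4242...: source %d\n",
           demo_pick("42424242424242424242424242424242", 0));   /* 1: TokenInfo */
    printf("muscle, TokenInfo 0000, no cardctl:          source %d\n",
           demo_pick("0000", 0));                              /* -1: nothing for Windows */
    printf("TokenInfo 0000, driver with cardctl:         source %d\n",
           demo_pick("0000", 1));                              /* 2: cardctl fallback */
    return 0;
}
```

The three cases in main() mirror the cards in the thread. Whether `0000` should trigger the fallback is a design choice made here, not in the thread; the thread only requires that the result stay identical for cards that already work, so a real change in OpenSC would first have to confirm that no existing card driver reports an all-zero TokenInfo serial today.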
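The INF quoted in the post above registers the card for Windows by ATR and ATRMask under Calais\SmartCards, and the certutil run lists the same reader once as "Muscle Card" and once as "Smart Security Device (Brainchild)". The following is an added example, not from the post, from OpenSC or from Microsoft, of the mask rule Windows applies when picking a registered card for an ATR (the card's ATR ANDed with ATRMask is compared with the stored ATR): the "Muscle Card" entry uses the bytes from the INF, the second entry is constructed to show a wildcard mask, and `count_matches()` is the check to run when certutil names a card you did not register.

```c
/*
 * Added example, not from the post or from OpenSC/Microsoft: how the
 * ATR/ATRMask pair registered by the INF under
 * HKLM\SOFTWARE\Microsoft\Cryptography\Calais\SmartCards\<name> is
 * matched against a card's ATR. Rule modelled: (card ATR AND mask) must
 * equal (registered ATR AND mask) byte for byte, with equal lengths.
 * The "Muscle Card" entry uses the bytes from the INF; the second entry
 * is constructed to show a mask that wildcards the historical bytes.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ATR_MAX 33

typedef struct {
    const char *name;
    uint8_t atr[ATR_MAX];
    uint8_t mask[ATR_MAX];
    size_t  len;
} calais_entry_t;

/* ATR of the JCOP v2.4.1 card from the post (18 bytes) */
static const uint8_t jcop241_atr[] = {
    0x3b,0xf8,0x13,0x00,0x00,0x81,0x31,0xfe,0x45,
    0x4a,0x43,0x4f,0x50,0x76,0x32,0x34,0x31,0xb7 };

/* registry contents as the INF would create them (first entry), plus a
 * constructed entry that ignores the "JCOPv241" text and the TCK byte */
static const calais_entry_t registry[] = {
    { "Muscle Card",
      {0x3b,0xf8,0x13,0x00,0x00,0x81,0x31,0xfe,0x45,0x4a,0x43,0x4f,0x50,0x76,0x32,0x34,0x31,0xb7},
      {0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff},
      18 },
    { "Example Generic JCOP (constructed)",
      {0x3b,0xf8,0x13,0x00,0x00,0x81,0x31,0xfe,0x45,0,0,0,0,0,0,0,0,0},
      {0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0xff,0,0,0,0,0,0,0,0,0},
      18 },
};
#define REGISTRY_N (sizeof registry / sizeof registry[0])

/* 1 if the card ATR matches the entry under the mask rule, else 0 */
int atr_matches(const calais_entry_t *e, const uint8_t *atr, size_t atr_len)
{
    if (atr_len != e->len)
        return 0;
    for (size_t i = 0; i < e->len; i++)
        if ((atr[i] & e->mask[i]) != (e->atr[i] & e->mask[i]))
            return 0;
    return 1;
}

/* number of registered entries claiming this ATR; more than one means
 * Windows may pick a different card name (and minidriver) than expected */
int count_matches(const uint8_t *atr, size_t atr_len)
{
    int n = 0;
    for (size_t i = 0; i < REGISTRY_N; i++)
        n += atr_matches(&registry[i], atr, atr_len);
    return n;
}

int main(void)
{
    for (size_t i = 0; i < REGISTRY_N; i++)
        printf("%-36s %s\n", registry[i].name,
               atr_matches(&registry[i], jcop241_atr, sizeof jcop241_atr) ? "matches" : "-");
    printf("entries matching this ATR: %d\n", count_matches(jcop241_atr, sizeof jcop241_atr));
    return 0;
}
```

To use it against a real machine, replace the constructed `registry` table with the ATR/ATRMask values exported from the Calais\SmartCards key (and its Wow6432Node twin) and feed in the ATR that certutil prints.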

Re: AT_SIGNATURE and AT_EXCHANGE Problem

Philip Wendland
From what I have seen, the card->serialnr is used by card driver cardctl
implementations to cache the serial number that is returned by
SC_CARDCTL_GET_SERIALNR.

At some other places in the minidriver, the
p15card->tokeninfo->serial_number (char *) is converted to
sc_serial_number_t (u8[]) using sc_hex_to_bin(). The
p15card->tokeninfo->serial_number seems to be the character string
representation of the binary serial number.

A solution in sc_pkcs15_get_object_guid() would be to use the
p15card->tokeninfo->serial_number if not NULL and convert it to bin. If
it is not filled in, the cardctl could be called to preserve the
existing behavior for cards that do not fill the tokeninfo->.. .
I am currently investigating where and if the tokeninfo->.. is filled
for several types of cards.

An open question for PKCS#15-cards is if the number found in
EF(TokenInfo) is (a) always present and (b) is equal to what is returned
by the cardctl function currently used in the minidriver.

On 01/23/2015 08:42 PM, Douglas E Engert wrote:

> OK, a step in the right direction, but any change must make sure that sc_pkcs15_get_object_guid()
> returns the same thing as it does now for existing cards.
> The pkcs15->tokeninfo contains a char* of up to 32 bytes, but no length, and may be padded with blanks.
> The card->serialnr is hex. Some research on what OpenSC is doing for all cards may be needed,
> if a change is to be made only in sc_pkcs15_get_object_guid.
> Not clear if the card->serialnr is filled in from pkcs15->tokeninfo.
>
> On 1/23/2015 11:08 AM, Philip Wendland wrote:
>> On 01/23/2015 04:54 PM, Douglas E Engert wrote:
>>> After looking closer at the code for minidriver, serial number and card_ctl...
>>>
>>> The minidriver in md_set_cardid() uses the serial number from
>>> p15card->tokeninfo->serial_number
>>>
>>> The minidriver also calls sc_pkcs15_get_object_guid() in pkcs15.c which *does* call
>>> sc_card_ctl(p15card->card, SC_CARDCTL_GET_SERIALNR, &serialnr);
>>>
>>> ***THIS MAY BE THE PROBLEM***
>>>
>>> Why does  sc_pkcs15_get_object_guid not use p15card->tokeninfo->serial_number?
>>>
>>> PKCS#15 defines the ASN.1 TokenInfo which has serialNumber OCTET STRING.
>>>
>>> Do all PKCS#15 cards have this file?
>>> Do they all fill in the serial_number?
>>>
>>> For cards doing PKCS#15 emulation, their pkcs15-*.c drivers should be filling in the
>>> p15card->tokeninfo->serial_number.
>>>
>>> Thus the minidriver should not depend on card-ctl if the p15card->tokeninfo->serial_number
>>> is properly filled in.
>>>
>>> So the requirement for windows that a card driver have a card_ctl for serial_number
>>> may be that the p15card->tokeninfo->serial_number must be filled in.
>>>
>>
>> Very interesting find.
>>
>> See also:
>> $ pkcs15-tool -D
>> PKCS#15 Card [JavaCard isoApplet]:
>> Version        : 0
>> Serial number  : 0000
>>
>> I think this is the serial number from the EF(TokenInfo). Version seems
>> to be TokenInfo.version defined in PKCS#15, namely the PKCS#15 version
>> the card conforms to.
>>
>> I followed the code path in pkcs15-init from creating the file
>> structure. It goes to do_init_app(), which calls sc_pkcs15init_add_app()
>> in pkcs15-lib.c.
>> The code at line 866 ff. seems to fit very well to your point (that the
>> minidriver should first read the EF(TokenInfo), and call the cardctl
>> only if this is not possible):
>>
>> /* set serial number if explicitly specified */
>> if (args->serial)   {
>>         sc_pkcs15init_set_serial(profile, args->serial);
>> }
>> else {
>>         /* otherwise try to get the serial number from the card */
>>         struct sc_serial_number serialnr;
>>         r = sc_card_ctl(card, SC_CARDCTL_GET_SERIALNR, &serialnr);
>>         (...)
>>
>>
>> Here is an example of how to set the IsoApplet up with a serial number
>> in EF(TokenInfo) (without any modification to the driver or applet):
>>
>> [*@*]$ pkcs15-init -C --serial 42424242424242424242424242424242
>> Using reader with a card: Cherry GmbH SmartTerminal ST-2xxx [Vendor Interface] (21121440179920) 00 00
>> New User PIN.
>> Please enter User PIN:
>> Please type again to verify:
>> Unblock Code for New User PIN (Optional - press return for no PIN).
>> Please enter User unblocking PIN (PUK):
>> Please type again to verify:
>> User PIN [User PIN] required.
>> Please enter User PIN [User PIN]:
>>
>> [*@*]$ pkcs15-tool -D
>> Using reader with a card: Cherry GmbH SmartTerminal ST-2xxx [Vendor Interface] (21121440179920) 00 00
>> PKCS#15 Card [JavaCard isoApplet]:
>> Version        : 0
>> Serial number  : 42424242424242424242424242424242
>>
>>
>> So with changing the minidriver accordingly, it should be able to get
>> the serial number.
>>
>>>
>>> Even Microsoft does not require a serial number, but a CP_CARD_GUID that in their abstraction
>>> of a smart card is contained in the cardId file.
>>> See https://msdn.microsoft.com/en-us/library/windows/hardware/dn631754
>>> Under V7.07, Section 5.4.1 Card Identifier.
>>>
>>
>> Interesting as well:
>> "This value is assigned by Microsoft software to assure that a unique
>> value is generated for the card. It is unrelated to the serial number
>> that may or may not be assigned to the card during manufacture."
>>
>>
>>> For example the PIV card edge specifications are defined by NIST, and implemented
>>> by multiple vendors. There is no "serial number" or a cardId file, but there is an object
>>> defined called the CHUID.
>>>
>>>    https://www.idmanagement.gov/sites/default/files/documents/PACS.pdf
>>>
>>> It contains a "Federal Agency Smart Credential Number" (FASC-N) which was used
>>> by the U.S. federal government, but to make the specifications more  usable for
>>> non-government, it can also contain a GUID. Section 2 of the above goes into
>>> detail on these.
>>>
>>> The OpenSC PIV card driver is emulating PKCS#15, so to get a serial number,
>>> pkcs15-piv.c uses card_ctl to have card-piv.c read the CHUID,
>>> and use the FASC-N or GUID as defined above. The Microsoft built-in driver will
>>> also use the CHUID, and derive a number it can use as the cardId.
>>>
>>> The point being, the intent is to give Microsoft a unique number for a card,
>>> unique in the sense that all the cards used on a local system have different numbers.
>>> (Other uses of the number may require it to be global unique...)
>>>
>>> The same number should be returned by the card each time so cached certificates
>>> can be associated with a card containing the matching key.
>>>
>>> How that number is obtained for the card is up to the applet.
>>>
>>>>
>>>>> Nevertheless, the presence of the "get serial" card control is out of sync
>>>>> with the rest of the framework. Why is there a mandatory "extension" for
>>>>> something that should be part of the core?
>>>
>>> Because it is only mandatory for some systems. It was an afterthought; otherwise ISO 7816
>>> would have defined a serial number.
>>>
>>>
>>>>> It either should be a required
>>>>> part of the usual card function structure, maybe with some sensible
>>>>> defaults or fallbacks, or the "serial" must be derived from some unique data
>>>>> (certificate?) if the callback is not there or no data present.
>>>
>>> Yes, but if the card has many certificates, that can be changed independently,
>>> that will not work very well.
>>>
>>> One of the first OpenSC commands a user tries is opensc-tool --serial.
>>> 23 of the 33 or so card-*.c support reading a serial number, because it
>>> is still optional.
>>>
>>> Thus the minidriver in md_set_cardid() uses the serial number from
>>> p15card->tokeninfo->serial_number
>>>
>>> The minidriver also calls sc_pkcs15_get_object_guid() in pkcs15.c which does call
>>> sc_card_ctl(p15card->card, SC_CARDCTL_GET_SERIALNR, &serialnr);
>>>
>>> ***THIS MAY BE THE PROBLEM***
>>>
>>> Should sc_pkcs15_get_object_guid at p15card->tokeninfo->serial_number?
>>>
>>> For a PKCS#15 card with the tokeninfo there
>>> is ASN.1 TokenInfo which has serialNumber OCTET STRING.
>>>
>>> For cards doing PKCS#15 emulation, their pkcs15-*.c drivers should be filling in the
>>> p15card->tokeninfo->serial_number.
>>>
>>> Thus the minidriver should not depend on cardctl if the
>>>
>>>
>>>
>>>>>
>>>>
>>>> I kind of agree. When writing card drivers for OpenSC you usually look
>>>> at the sc_card_operations struct, for me it was not clear for a long
>>>> time that the SC_CARDCTL_GET_SERIALNR cardctl is required for windows
>>>> functionality.
>>>> (Windows support was never a requirement for the isoapplet anyway,
>>>> until now.)
>>>
>>> I would expect nowadays Windows support would be highly desirable,
>>> and the OpenSC minidriver can do that if there is a way to get a serial number
>>> from the card driver.
>>>
>>>
>>>>
>>>>> The question is how to "grow" the framework: either extend the card
>>>>> function pointers (that right now is almost 1:1 ISO and old, first
>>>>> implementations) or via card controls. I would choose extending the card
>>>>> function pointers.
>>>>>
>>>>> Also, the requirements for the "serial" must be written down: for
>>>>> example, if the serial remains the same but card content changes, does this
>>>>> matter? does this affect some caching somewhere? Is the serial binary or
>>>>> string, how long? Is it supposed to be globally unique or just for a batch?
>>>>>
>>>>> Martin
>>>>>
>>>>> On Mon Jan 19 2015 at 7:55:44 PM Philip Wendland <[hidden email]>
>>>>> wrote:
>>>>>
>>>>>> Hi,
>>>>>>
>>>>>> I will try to solve this problem for the IsoApplet this weekend. My
>>>>>> spare time is limited until then.
>>>>>>
>>>>>> However, the problem will be to find a unique identifier for any generic
>>>>>> card..
>>>>>>
>>>>>> Kind regards,
>>>>>> Philip
>>>>>>
>>>>>> On 19.01.2015 17:26, Douglas E Engert wrote:
>>>>>>> [I should have sent this to the opensc-devel, as others can address some of your questions
>>>>>>> about the state of the muscle applet and isoapplet].
>>>>>>>
>>>>>>> No, That fix was for the card-itacns.c, you are using the card-muscle.c.
>>>>>>>
>>>>>>> Some equivalent code needs to be added to card-muscle.c, to use whatever information is available that
>>>>>>> windows could use to uniquely identify the card. This is then stored with the certificates in the windows store.
>>>>>>> At a later time, windows uses certificates from the store and can then prompt to have the card mounted, so it can use the
>>>>>>> matching key on the card.
>>>>>>>
>>>>>>> You or someone else that can test a mod to card-muscle.c could submit a code change.
>>>>>>>
>>>>>>> There are 33 card-*.c files, 24 support SC_CARDCTL_GET_SERIALNR. 11 do not.
>>>>>>>
>>>>>>> card-belpic.c
>>>>>>> card-default.c
>>>>>>> card-gemsafeV1.c
>>>>>>> card-ias.c
>>>>>>> card-incrypto34.c
>>>>>>> card-jcop.c
>>>>>>> card-mcrd.c
>>>>>>> card-miocos.c
>>>>>>> card-muscle.c
>>>>>>> card-setcos.c
>>>>>>> iso7816.c
>>>>>>>
>>>>>>> Cards that support SC_CARDCTL_GET_SERIALNR
>>>>>>> card-acos5.c
>>>>>>> card-akis.c
>>>>>>> card-asepcos.c
>>>>>>> card-atrust-acos.c
>>>>>>> card-authentic.c
>>>>>>> card-cardos.c
>>>>>>> card-dnie.c
>>>>>>> card-entersafe.c
>>>>>>> card-epass2003.c
>>>>>>> card-flex.c
>>>>>>> card-gpk.c
>>>>>>> card-iasecc.c
>>>>>>> card-itacns.c
>>>>>>> card-myeid.c
>>>>>>> card-oberthur.c
>>>>>>> card-openpgp.c
>>>>>>> card-piv.c
>>>>>>> card-rtecp.c
>>>>>>> card-rutoken.c
>>>>>>> card-sc-hsm.c
>>>>>>> card-starcos.c
>>>>>>> card-tcos.c
>>>>>>> card-westcos.c
>>>>>>>
>>>>>>>
>>>>>>> To answer some other questions you asked is a private e-mail:
>>>>>>>
>>>>>>> iso7816.c which implements the basic ISO commands does not support any card_ctl commands.
>>>>>>> I believe that the IsoApplet is designed to use the iso7816.c. I am not sure if the concept of
>>>>>>> a unique "serial number" is part of ISO7816.
>>>>>>>
>>>>>>> I also don't know the state of the muscle applet, or if it has something that can be used as a serial number either.
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> On 1/19/2015 8:37 AM, Michael Heydemann wrote:
>>>>>>>> WOW.. Thank you a lot.. I think I owe you a beer..
>>>>>>>>
>>>>>>>> I checked the fix is from November last year, and the 0.14 version is from summer last year.
>>>>>>>> Does this mean, that the nightly build could fix this?
>>>>>>>> What version I should pull/download?
>>>>>>>>
>>>>>>>> Thank you a lot,
>>>>>>>> Michael
>>>>>>>>
>>>>>>>>> Am 19.01.2015 um 14:35 schrieb Douglas E Engert <[hidden email]>:
>>>>>>>>>
>>>>>>>>> This is the same problem as:
>>>>>>>>>
>>>>>>>>>     https://github.com/OpenSC/OpenSC/pull/321
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> 2015-01-19 09:49:34.203 [cardmod] card.c:720:sc_card_ctl: called
>>>>>>>>> 2015-01-19 09:49:34.203 card_ctl(5) not supported
>>>>>>>>>
>>>>>>>>> The card-muscle.c (and others in OpenSC) does not support SC_CARDCTL_GET_SERIALNR
>>>>>>>>> to get a card "serial number" which windows requires.
>>>>>>>>>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> On 1/19/2015 3:30 AM, Michael Heydemann wrote:
>>>>>>>>>> Dear OpenSC Development Team,
>>>>>>>>>>
>>>>>>>>>> First of all, I would like to say that I really appreciate your great work.
>>>>>>>>>> I am working on a little project and explored all the nice tools of OpenSC.
>>>>>>>>>> Unfortunately since one week I cannot get around a certain problem.
>>>>>>>>>> I hope this mailing list is the right place and you can help me with that.
>>>>>>>>>>
>>>>>>>>>> My project is about (1) setting up a PKCS#11 key store on a Java Card,
>>>>>>>>>> (2) loading some test data (keys and certificates) on it, and (3) using the card
>>>>>>>>>> with the Windows 7 Key Management.
>>>>>>>>>>
>>>>>>>>>> Hardware:
>>>>>>>>>> * Card Reader: Omnikey 3121USB
>>>>>>>>>> * Java Card: J2A080 - NXP, 80k
>>>>>>>>>>
>>>>>>>>>> (1) Setting up PKCS#11 key store:
>>>>>>>>>> I have installed Ubuntu 14.04.1 in VirtualBox and wrote a bunch of bash scripts
>>>>>>>>>> to install all required software, installing muscle applet to the card, and
>>>>>>>>>> removing the muscle applet from the card. I followed the instructions on
>>>>>>>>>> http://blog.ev0ke.net/muscle-jcop/ and everything worked well.
>>>>>>>>>>
>>>>>>>>>> (2) Loading some test data:
>>>>>>>>>> I tried some different ways to get some keys and certificates on the card.
>>>>>>>>>> None of them delivered data which is accepted by Windows 7.
>>>>>>>>>> Here is one set of data I created:
>>>>>>>>>>
>>>>>>>>>> ***************************************************************************************
>>>>>>>>>> Using reader with a card: OMNIKEY CardMan (076B:3022) 3021 00 00
>>>>>>>>>> PKCS#15 Card [MUSCLE]:
>>>>>>>>>> Version        : 0
>>>>>>>>>> Serial number  : 0000
>>>>>>>>>> Manufacturer ID: Identity Alliance
>>>>>>>>>> Last update    : 20150119080705Z
>>>>>>>>>> Flags          : EID compliant
>>>>>>>>>>
>>>>>>>>>> PIN [User PIN]
>>>>>>>>>> Object Flags   : [0x3], private, modifiable
>>>>>>>>>> ID             : 01
>>>>>>>>>> Flags          : [0x10], initialized
>>>>>>>>>> Length         : min_len:4, max_len:8, stored_len:8
>>>>>>>>>> Pad char       : 0x00
>>>>>>>>>> Reference      : 1
>>>>>>>>>> Type           : ascii-numeric
>>>>>>>>>> Path           : 3f005015
>>>>>>>>>>
>>>>>>>>>> Private RSA Key [Card Owner]
>>>>>>>>>> Object Flags   : [0x3], private, modifiable
>>>>>>>>>> Usage          : [0x2E], decrypt, sign, signRecover, unwrap
>>>>>>>>>> Access Flags   : [0x0]
>>>>>>>>>> ModLength      : 1024
>>>>>>>>>> Key ref        : 0 (0x0)
>>>>>>>>>> Native         : yes
>>>>>>>>>> Path           : 3f005015
>>>>>>>>>> Auth ID        : 01
>>>>>>>>>> ID             : 01
>>>>>>>>>>
>>>>>>>>>> Public RSA Key [Card Owner]
>>>>>>>>>> Object Flags   : [0x2], modifiable
>>>>>>>>>> Usage          : [0xD1], encrypt, wrap, verify, verifyRecover
>>>>>>>>>> Access Flags   : [0x0]
>>>>>>>>>> ModLength      : 1024
>>>>>>>>>> Key ref        : 0
>>>>>>>>>> Native         : no
>>>>>>>>>> Path           : 3f0050153000
>>>>>>>>>> ID             : 01
>>>>>>>>>>
>>>>>>>>>> X.509 Certificate [Card Owner Certificate]
>>>>>>>>>> Object Flags   : [0x2], modifiable
>>>>>>>>>> Authority      : no
>>>>>>>>>> Path           : 3f0050153100
>>>>>>>>>> ID             : 01
>>>>>>>>>> Encoded serial : 02 09 00F695059953A904F9
>>>>>>>>>>
>>>>>>>>>> X.509 Certificate [Contact 2 Certificate]
>>>>>>>>>> Object Flags   : [0x2], modifiable
>>>>>>>>>> Authority      : no
>>>>>>>>>> Path           : 3f0050153101
>>>>>>>>>> ID             : 02
>>>>>>>>>> Encoded serial : 02 09 00F695059953A904F9
>>>>>>>>>>
>>>>>>>>>> X.509 Certificate [Contact 3 Certificate]
>>>>>>>>>> Object Flags   : [0x2], modifiable
>>>>>>>>>> Authority      : no
>>>>>>>>>> Path           : 3f0050153102
>>>>>>>>>> ID             : 03
>>>>>>>>>> Encoded serial : 02 09 00F695059953A904F9
>>>>>>>>>>
>>>>>>>>>> X.509 Certificate [Contact 4 Certificate]
>>>>>>>>>> Object Flags   : [0x2], modifiable
>>>>>>>>>> Authority      : no
>>>>>>>>>> Path           : 3f0050153103
>>>>>>>>>> ID             : 04
>>>>>>>>>> Encoded serial : 02 09 00F695059953A904F9
>>>>>>>>>>
>>>>>>>>>> X.509 Certificate [Contact 5 Certificate]
>>>>>>>>>> Object Flags   : [0x2], modifiable
>>>>>>>>>> Authority      : no
>>>>>>>>>> Path           : 3f0050153104
>>>>>>>>>> ID             : 05
>>>>>>>>>> Encoded serial : 02 09 00F695059953A904F9
>>>>>>>>>> ***************************************************************************************
>>>>>>>>>>
>>>>>>>>>> (3) Using the card in Windows 7:
>>>>>>>>>> I installed Windows 7  64 Bit in a VirtualBox and installed
>>>>>>>>>> OpenSC-0.12.2-win64.msi. I also tried OpenSC-0.14.0-win64.msi,
>>>>>>>>>> but with same result.
>>>>>>>>>> I acquired the ATR of the card and properly installed my opens-minidriver.inf:
>>>>>>>>>>
>>>>>>>>>> ***************************************************************************************
>>>>>>>>>> [Version]
>>>>>>>>>> Signature="$Windows NT$"
>>>>>>>>>> Class=SmartCard
>>>>>>>>>> ClassGuid={990A2BD7-E738-46c7-B26F-1CF8FB9F1391}
>>>>>>>>>> Provider=%ProviderName%
>>>>>>>>>> CatalogFile=delta.cat
>>>>>>>>>> DriverVer=05/02/2010,@OPENSC_VERSION_MAJOR@,@OPENSC_VERSION_MINOR@,@OPENSC_VERSION_FIX@,0
>>>>>>>>>>
>>>>>>>>>> [Manufacturer]
>>>>>>>>>> %ProviderName%=Minidriver,NTamd64,NTamd64.6.1,NTx86,NTx86.6.1
>>>>>>>>>>
>>>>>>>>>> [Minidriver.NTamd64]
>>>>>>>>>> %CardDeviceName%=Minidriver64_Install,SCFILTER\CID_00640181010c829000
>>>>>>>>>>
>>>>>>>>>> [Minidriver.NTx86]
>>>>>>>>>> %CardDeviceName%=Minidriver32_Install,SCFILTER\CID_00640181010c829000
>>>>>>>>>>
>>>>>>>>>> [Minidriver.NTamd64.6.1]
>>>>>>>>>> %CardDeviceName%=Minidriver64_61_Install,SCFILTER\CID_00640181010c829000
>>>>>>>>>>
>>>>>>>>>> [Minidriver.NTx86.6.1]
>>>>>>>>>> %CardDeviceName%=Minidriver32_61_Install,SCFILTER\CID_00640181010c829000
>>>>>>>>>>
>>>>>>>>>> [DefaultInstall]
>>>>>>>>>> CopyFiles=x86_CopyFiles
>>>>>>>>>> AddReg=AddRegDefault
>>>>>>>>>>
>>>>>>>>>> [DefaultInstall.ntamd64]
>>>>>>>>>> CopyFiles=amd64_CopyFiles
>>>>>>>>>> CopyFiles=wow64_CopyFiles
>>>>>>>>>> AddReg=AddRegWOW64
>>>>>>>>>> AddReg=AddRegDefault
>>>>>>>>>>
>>>>>>>>>> [DefaultInstall.NTx86]
>>>>>>>>>> CopyFiles=x86_CopyFiles
>>>>>>>>>> AddReg=AddRegDefault
>>>>>>>>>>
>>>>>>>>>> [DefaultInstall.ntamd64.6.1]
>>>>>>>>>> AddReg=AddRegWOW64
>>>>>>>>>> AddReg=AddRegDefault
>>>>>>>>>>
>>>>>>>>>> [DefaultInstall.NTx86.6.1]
>>>>>>>>>> AddReg=AddRegDefault
>>>>>>>>>>
>>>>>>>>>> [SourceDisksFiles]
>>>>>>>>>> %SmartCardCardModule%=1
>>>>>>>>>> %SmartCardCardModule64%=1
>>>>>>>>>>
>>>>>>>>>> [SourceDisksNames]
>>>>>>>>>> 1 = %MediaDescription%
>>>>>>>>>>
>>>>>>>>>> [Minidriver64_Install.NT]
>>>>>>>>>> CopyFiles=amd64_CopyFiles
>>>>>>>>>> CopyFiles=wow64_CopyFiles
>>>>>>>>>> AddReg=AddRegWOW64
>>>>>>>>>> AddReg=AddRegDefault
>>>>>>>>>>
>>>>>>>>>> [Minidriver64_61_Install.NT]
>>>>>>>>>> AddReg=AddRegWOW64
>>>>>>>>>> AddReg=AddRegDefault
>>>>>>>>>> Include=umpass.inf
>>>>>>>>>> Needs=UmPass
>>>>>>>>>>
>>>>>>>>>> [Minidriver32_Install.NT]
>>>>>>>>>> CopyFiles=x86_CopyFiles
>>>>>>>>>> AddReg=AddRegDefault
>>>>>>>>>>
>>>>>>>>>> [Minidriver32_61_Install.NT]
>>>>>>>>>> AddReg=AddRegDefault
>>>>>>>>>> Include=umpass.inf
>>>>>>>>>> Needs=UmPass
>>>>>>>>>>
>>>>>>>>>> [Minidriver64_61_Install.NT.Services]
>>>>>>>>>> Include=umpass.inf
>>>>>>>>>> Needs=UmPass.Services
>>>>>>>>>>
>>>>>>>>>> [Minidriver32_61_Install.NT.Services]
>>>>>>>>>> Include=umpass.inf
>>>>>>>>>> Needs=UmPass.Services
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> [Minidriver64_61_Install.NT.HW]
>>>>>>>>>> Include=umpass.inf
>>>>>>>>>> Needs=UmPass.HW
>>>>>>>>>>
>>>>>>>>>> [Minidriver64_61_Install.NT.CoInstallers]
>>>>>>>>>> Include=umpass.inf
>>>>>>>>>> Needs=UmPass.CoInstallers
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> [Minidriver64_61_Install.NT.Interfaces]
>>>>>>>>>> Include=umpass.inf
>>>>>>>>>> Needs=UmPass.Interfaces
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> [Minidriver32_61_Install.NT.HW]
>>>>>>>>>> Include=umpass.inf
>>>>>>>>>> Needs=UmPass.HW
>>>>>>>>>>
>>>>>>>>>> [Minidriver32_61_Install.NT.CoInstallers]
>>>>>>>>>> Include=umpass.inf
>>>>>>>>>> Needs=UmPass.CoInstallers
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> [Minidriver32_61_Install.NT.Interfaces]
>>>>>>>>>> Include=umpass.inf
>>>>>>>>>> Needs=UmPass.Interfaces
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> [amd64_CopyFiles]
>>>>>>>>>> ;%SmartCardCardModule%,%SmartCardCardModule64%
>>>>>>>>>>
>>>>>>>>>> [x86_CopyFiles]
>>>>>>>>>> ;%SmartCardCardModule%
>>>>>>>>>>
>>>>>>>>>> [wow64_CopyFiles]
>>>>>>>>>> ;%SmartCardCardModule64%
>>>>>>>>>>
>>>>>>>>>> [AddRegWOW64]
>>>>>>>>>> HKLM, %SmartCardNameWOW64%,"ATR",0x00000001,3b,f8,13,00,00,81,31,fe,45,4A,43,4f,50,76,32,34,31,b7
>>>>>>>>>> HKLM, %SmartCardNameWOW64%,"ATRMask",0x00000001,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff
>>>>>>>>>> HKLM, %SmartCardNameWOW64%,"Crypto Provider",0x00000000,"Microsoft Base Smart Card Crypto Provider"
>>>>>>>>>> HKLM, %SmartCardNameWOW64%,"Smart Card Key Storage Provider",0x00000000,"Microsoft Smart Card Key Storage Provider"
>>>>>>>>>> HKLM, %SmartCardNameWOW64%,"80000001",0x00000000,%SmartCardCardModule64%
>>>>>>>>>>
>>>>>>>>>> [AddRegDefault]
>>>>>>>>>> HKLM, %SmartCardName%,"ATR",0x00000001,3b,f8,13,00,00,81,31,fe,45,4A,43,4f,50,76,32,34,31,b7
>>>>>>>>>> HKLM, %SmartCardName%,"ATRMask",0x00000001,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff
>>>>>>>>>> HKLM, %SmartCardName%,"Crypto Provider",0x00000000,"Microsoft Base Smart Card Crypto Provider"
>>>>>>>>>> HKLM, %SmartCardName%,"Smart Card Key Storage Provider",0x00000000,"Microsoft Smart Card Key Storage Provider"
>>>>>>>>>> HKLM, %SmartCardName%,"80000001",0x00000000,%SmartCardCardModule%
>>>>>>>>>>
>>>>>>>>>> [DestinationDirs]
>>>>>>>>>> amd64_CopyFiles=10,system32
>>>>>>>>>> x86_CopyFiles=10,system32
>>>>>>>>>> wow64_CopyFiles=10,syswow64
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> ; =================== Generic ==================================
>>>>>>>>>>
>>>>>>>>>> [Strings]
>>>>>>>>>> ProviderName =„OpenSC"
>>>>>>>>>> MediaDescription=„OpenSC Card Minidriver Installation Disk"
>>>>>>>>>> CardDeviceName=„Muscle Card"
>>>>>>>>>> SmartCardName="SOFTWARE\Microsoft\Cryptography\Calais\SmartCards\Muscle Card"
>>>>>>>>>> SmartCardNameWOW64="SOFTWARE\Wow6432Node\Microsoft\Cryptography\Calais\SmartCards\Muscle Card"
>>>>>>>>>> SmartCardCardModule="opensc-minidriver.dll"
>>>>>>>>>> ***************************************************************************************
>>>>>>>>>>
>>>>>>>>>> When the card is inserted the driver is used as shown in device manager
>>>>>>>>>> as well as in certutil.exe.
>>>>>>>>>> Now here is the actual problem:
>>>>>>>>>> When I try to use the card with certutil.exe -SCinfo several times a dialog pops up
>>>>>>>>>> complaining that the card does not have the required functions.
>>>>>>>>>> The terminal output is like this. I am sorry for pasting this in German.
>>>>>>>>>> I added some translations:
>>>>>>>>>>
>>>>>>>>>> ***************************************************************************************
>>>>>>>>>> Microsoft Windows [Version 6.1.7601]
>>>>>>>>>> Copyright (c) 2009 Microsoft Corporation. Alle Rechte vorbehalten.
>>>>>>>>>>
>>>>>>>>>> C:\Users\developer>certutil -scinfo
>>>>>>>>>> Die Microsoft Smartcard-Ressourcenverwaltung wird ausgeführt.
>>>>>>>>>> Aktueller Leser-/Kartenstatus: (Current Reader/Card Status)
>>>>>>>>>> Leser: 1 (Reader: 1)
>>>>>>>>>>      0: OMNIKEY CardMan 3x21 0
>>>>>>>>>> --- Leser: OMNIKEY CardMan 3x21 0 (Reader)
>>>>>>>>>> --- Status: SCARD_STATE_PRESENT | SCARD_STATE_UNPOWERED
>>>>>>>>>> --- Status: Die Smartcard kann verwendet werden.
>>>>>>>>>> ---  Karte: Muscle Card
>>>>>>>>>> ---    ATR:
>>>>>>>>>>            3b f8 13 00 00 81 31 fe  45 4a 43 4f 50 76 32 34   ;.....1.EJCOPv24
>>>>>>>>>>            31 b7                                              1.
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> =======================================================
>>>>>>>>>> Karte im Leser wird analysiert: OMNIKEY CardMan 3x21 0 (Trans: The card in the reader is being analyzed)
>>>>>>>>>>
>>>>>>>>>> --------------===========================--------------
>>>>>>>>>> ================ Zertifikat 0 ================ (Trans: Certificate 0)
>>>>>>>>>> --- Leser: OMNIKEY CardMan 3x21 0 (Reader)
>>>>>>>>>> ---  Karte: Muscle Card
>>>>>>>>>> Anbieter = Microsoft Base Smart Card Crypto Provider
>>>>>>>>>> Schlüsselcontainer = (null) [Standardcontainer] (Trans: standard container)
>>>>>>>>>>
>>>>>>>>>> Schlüssel "AT_SIGNATURE" kann nicht geöffnet werden für Leser: OMNIKEY CardMan 3x21 0 (Trans: Key "AT_SIGNATURE" could not be opened)
>>>>>>>>>> Schlüssel "AT_KEYEXCHANGE" kann nicht geöffnet werden für Leser: OMNIKEY CardMan 3x21 0 (Trans: Key "AT_SIGNATURE" could not be opened)
>>>>>>>>>>
>>>>>>>>>> --------------===========================--------------
>>>>>>>>>> ================ Zertifikat 0 ================
>>>>>>>>>> --- Leser: OMNIKEY CardMan 3x21 0
>>>>>>>>>> ---  Karte: Smart Security Device (Brainchild)
>>>>>>>>>> Anbieter = Microsoft Smart Card Key Storage Provider
>>>>>>>>>> Schlüsselcontainer = (null) [Standardcontainer]
>>>>>>>>>>
>>>>>>>>>> Schlüssel "" kann nicht geöffnet werden für Leser: OMNIKEY CardMan 3x21 0 (Trans: Key "" could not be opened)
>>>>>>>>>>
>>>>>>>>>> --------------===========================--------------
>>>>>>>>>>
>>>>>>>>>> Fertig.
>>>>>>>>>> CertUtil: -SCInfo-Befehl wurde erfolgreich ausgeführt. (Trans: -SCinfo command has been executed with success)
>>>>>>>>>> ***************************************************************************************
>>>>>>>>>>
>>>>>>>>>> I also configured to use a log file in opensc.conf and debug level 9.
>>>>>>>>>> Unfortunately the file is about 2.5 MB. I try to add it as an attachment to this mail,
>>>>>>>>>> but I am not sure if this is working with a mailing list.
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> I already inspected the log, but found nothing suspicious.
>>>>>>>>>> I think maybe there have to be a private key to be marked
>>>>>>>>>> for use as AT_SIGNATURE and one for AT_EXCHANGE.
>>>>>>>>>> But how?
>>>>>>>>>>
>>>>>>>>>> Or maybe I am completely wrong and something different is going wrong.
>>>>>>>>>>
>>>>>>>>>> Any help would be appreciated!
>>>>>>>>>>
>>>>>>>>>> Best Regards,
>>>>>>>>>> Michael
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> ------------------------------------------------------------------------------
>>>>>>>>>> New Year. New Location. New Benefits. New Data Center in Ashburn, VA.
>>>>>>>>>> GigeNET is offering a free month of service with a new server in Ashburn.
>>>>>>>>>> Choose from 2 high performing configs, both with 100TB of bandwidth.
>>>>>>>>>> Higher redundancy.Lower latency.Increased capacity.Completely compliant.
>>>>>>>>>> http://p.sf.net/sfu/gigenet
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> _______________________________________________
>>>>>>>>>> Opensc-devel mailing list
>>>>>>>>>> [hidden email]
>>>>>>>>>> https://lists.sourceforge.net/lists/listinfo/opensc-devel
>>>>>>>>>>
>>>>>>>>>
>>>>>>>>> --
>>>>>>>>>
>>>>>>>>>     Douglas E. Engert  <[hidden email]>
>>>>>>>>>
>>>>>>>>>
>>>>>>>>
>>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>
>>>>
>>>>
>>>
>>
>>
>

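The serial lookup order discussed in this thread (p15card->tokeninfo->serial_number first, SC_CARDCTL_GET_SERIALNR only as a fallback), as an added example that is neither OpenSC's code nor any poster's. The demo_card_t and demo_p15card_t structs, the demo_card_ctl driver callback and the serial values are assumptions standing in for sc_card_t, sc_pkcs15_card_t and a real driver; only sc_serial_number_t mirrors the struct quoted from types.h.

```c
/* Added example (not OpenSC code): the lookup order proposed in this thread for
 * sc_pkcs15_get_object_guid(): use p15card->tokeninfo->serial_number (hex-ASCII,
 * up to 32 chars, possibly blank-padded) when filled in, else fall back to
 * card_ctl(SC_CARDCTL_GET_SERIALNR). demo_* types are simplified stand-ins. */
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define SC_MAX_SERIALNR 32         /* limit from types.h, quoted in the thread */
#define SC_CARDCTL_GET_SERIALNR 5  /* the "card_ctl(5)" seen in the log */
enum { SC_SUCCESS = 0, SC_ERROR_NOT_SUPPORTED = -1, SC_ERROR_INVALID_DATA = -2 };
typedef struct sc_serial_number {  /* as in types.h (iin omitted) */
    unsigned char value[SC_MAX_SERIALNR];
    size_t len;
} sc_serial_number_t;

typedef struct demo_card {         /* stand-in for sc_card_t */
    sc_serial_number_t serialnr;   /* cache filled by the driver's card_ctl */
    int (*card_ctl)(struct demo_card *, unsigned long, void *); /* NULL: unsupported */
} demo_card_t;

typedef struct demo_p15card {      /* stand-in for sc_pkcs15_card_t */
    demo_card_t *card;
    char *tokeninfo_serial_number; /* tokeninfo->serial_number, or NULL */
} demo_p15card_t;

static int hexval(int c) { return isdigit(c) ? c - '0' : tolower(c) - 'a' + 10; }

/* Hex-ASCII -> binary. Trailing blanks are ignored because the tokeninfo string
 * carries no length and may be padded. Returns bytes written or an error. */
int serial_hex_to_bin(const char *hex, unsigned char *out, size_t outlen)
{
    size_t n = strlen(hex);
    while (n > 0 && isspace((unsigned char)hex[n - 1])) n--;
    if (n == 0 || n % 2 != 0 || n / 2 > outlen)
        return SC_ERROR_INVALID_DATA;
    for (size_t i = 0; i < n; i += 2) {
        if (!isxdigit((unsigned char)hex[i]) || !isxdigit((unsigned char)hex[i + 1]))
            return SC_ERROR_INVALID_DATA;
        out[i / 2] = (unsigned char)(hexval(hex[i]) << 4 | hexval(hex[i + 1]));
    }
    return (int)(n / 2);
}

/* Binary -> hex-ASCII, the same loop sc_pkcs15_bind_internal uses to derive
 * tokeninfo->serial_number from card->serialnr. Caller frees the result. */
char *serial_bin_to_hex(const sc_serial_number_t *sn)
{
    char *s = calloc(1, sn->len * 2 + 1);
    if (s == NULL) return NULL;
    for (size_t i = 0; i < sn->len; i++)
        sprintf(s + i * 2, "%02X", sn->value[i]);
    return s;
}

/* tokeninfo first, card_ctl second, error when neither yields a serial. */
int resolve_card_serial(demo_p15card_t *p15card, sc_serial_number_t *out)
{
    memset(out, 0, sizeof(*out));
    if (p15card->tokeninfo_serial_number != NULL) {
        int r = serial_hex_to_bin(p15card->tokeninfo_serial_number,
                                  out->value, sizeof(out->value));
        if (r > 0) { out->len = (size_t)r; return SC_SUCCESS; }
        /* string present but unusable (e.g. only padding): ask the driver */
    }
    if (p15card->card != NULL && p15card->card->card_ctl != NULL)
        return p15card->card->card_ctl(p15card->card, SC_CARDCTL_GET_SERIALNR, out);
    return SC_ERROR_NOT_SUPPORTED; /* the "card_ctl(5) not supported" failure */
}

/* Constructed driver card_ctl in the "ONLY card_ctl" style: fills the
 * card->serialnr cache on demand and copies it to the caller. */
int demo_card_ctl(demo_card_t *card, unsigned long cmd, void *ptr)
{
    static const unsigned char iccsn[8] = {1, 2, 3, 4, 5, 6, 7, 8}; /* constructed */
    if (cmd != SC_CARDCTL_GET_SERIALNR) return SC_ERROR_NOT_SUPPORTED;
    memcpy(card->serialnr.value, iccsn, sizeof(iccsn));
    card->serialnr.len = sizeof(iccsn);
    memcpy(ptr, &card->serialnr, sizeof(card->serialnr));
    return SC_SUCCESS;
}

/* Constructed scenarios: 1 = EF(TokenInfo) serial as written by "pkcs15-init -C
 * --serial 4242...", blank padded, driver without card_ctl; 2 = no tokeninfo
 * serial but a driver card_ctl; 3 = neither (the card-muscle.c situation). */
int demo_case(int which, sc_serial_number_t *out)
{
    char ti[] = "42424242424242424242424242424242  ";
    demo_card_t with_ctl = { { {0}, 0 }, demo_card_ctl };
    demo_card_t no_ctl = { { {0}, 0 }, NULL };
    demo_p15card_t p15 = { NULL, NULL };
    switch (which) {
    case 1:  p15.card = &no_ctl;   p15.tokeninfo_serial_number = ti; break;
    case 2:  p15.card = &with_ctl; break;
    default: p15.card = &no_ctl;   break;
    }
    return resolve_card_serial(&p15, out);
}
```

Case 3 reproduces the failure from the log: without a tokeninfo serial and without the card_ctl there is nothing left to derive a card identifier from.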

Re: AT_SIGNATURE and AT_EXCHANGE Problem

Douglas E Engert
Who added sc_pkcs15_get_object_guid to the code?

Why did it use the card->serialnr or the tokeninfo->serial_number first?

And it appears to be trying to get a GUID for an object, and not for the card.
Will it provide the same GUID for more than one object on the card?


On 1/24/2015 9:54 AM, Philip Wendland wrote:

>  From what I have seen, the card->serialnr is used by card driver cardctl
> implementations to cache the serial number that is returned by
> SC_CARDCTL_GET_SERIALNR.
>
> At some other places in the minidriver, the
> p15card->tokeninfo->serial_number (char *) is converted to
> sc_serial_number_t (u8[]) using sc_hex_to_bin(). The
> p15card->tokeninfo->serial_number seems to be the character string
> representation of the binary serial number.
>
> A solution in sc_pkcs15_get_object_guid() would be to use the
> p15card->tokeninfo->serial_number if not NULL and convert it to bin. If
> it is not filled in, the cardctl could be called to preserve the
> existing behavior for cards that do not fill the tokeninfo->.. .
> I am currently investigating where and if the tokeninfo->.. is filled
> for several types of cards.

I have been looking at this too and that sounds reasonable but does not cover all cards.

Here is what I have so far. It is complicated because a card may have a serial number,
but a PKCS#15 card may also have a tokenInfo file that contains a serial number.
One or both may be missing, and they may not be the same. As you pointed out pkcs15init
has a parameter for serial.

There are cards that:

  o ALWAYS set the card->serialnr.

  o ONLY set the card->serialnr if a card_ctl (SC_CARDCTL_GET_SERIALNR) is made.

  o DON'T set the card->serialnr because they don't support card_ctl(SC_CARDCTL_GET_SERIALNR)

  o Set card->serialnr during an INIT routine. They may have a card_ctl(SC_CARDCTL_GET_SERIALNR)
    that returns the card->serialnr.

Then there are the PKCS#15 modules that set the tokeninfo->serial_number:
  o  pkcs15.c will read the tokeninfo file, parse it and, if present, set the tokeninfo->serial_number
     and use card->serialnr if needed.
     BUT if there is no tokeninfo file it will not create the tokeninfo

  o  PKCS15 emulation modules may also set tokeninfo->serial


CARD SERIALNR

types.h:
/* structure for the card serial number (normally the ICCSN) */
#define SC_MAX_SERIALNR         32
typedef struct sc_serial_number {
        unsigned char value[SC_MAX_SERIALNR];
        size_t len;

        struct sc_iin iin;
} sc_serial_number_t;

Above is contained in sc_card_t as
   struct sc_serial_number serialnr;

  These card drivers all refer to card->serialnr:

./libopensc/card-epass2003.c
     ONLY epass2003_card_ctl calls epass2003_get_serialnr
       
./libopensc/card-authentic.c
   ALWAYS authentic_init and authentic_card_ctl call authentic_get_serialnr

./libopensc/card-myeid.c
     ONLY myeid_card_ctl calls myeid_get_serialnr

./libopensc/card-iasecc.c
     ALWAYS iasecc_init and iasecc_card_ctl call iasecc_get_serialnr

./libopensc/card-starcos.c
     ONLY starcos_card_ctl calls starcos_get_serialnr
       
./libopensc/card-akis.c
     ONLY akis_card_ctl calls  akis_get_serialnr

./libopensc/card-flex.c
   ONLY flex_card_ctl calls flex_get_serialnr

./libopensc/card-openpgp.c
    ALWAYS pgp_init sets card->serialnr   pgp_card_ctl uses card->serialnr

./libopensc/card-cardos.c
   ONLY cardos_card_ctl calls  cardos_get_serialnr

./libopensc/card-asepcos.c
   ONLY asepcos_card_ctl calls asepcos_get_serialnr

./libopensc/card-piv.c
   ONLY piv_card_ctl will call piv_get_serial_nr_from_CHUI

./libopensc/card-acos5.c
   ONLY acos5_card_ctl calls acos5_get_serialnr

./libopensc/card-itacns.c
   ONLY itacns_card_ctl calls itacns_get_serialnr

./libopensc/iasecc-sm.c
   does: sm_info->serialnr = card->serialnr;

./libopensc/card-entersafe.c
   ONLY entersafe_card_ctl_2048 calls entersafe_get_serialnr

./libopensc/card-atrust-acos.c
   ONLY atrust_acos_card_ctl calls acos_get_serialnr

./libopensc/card-oberthur.c
   INIT auth_select_aid sets card->serialnr, auth_card_ctl calls auth_get_serialnr which uses card->serialnr

./libopensc/card-dnie.c
   ONLY dnie_card_ctl calls dnie_get_serialnr

./libopensc/card-gpk.c
   ONLY gpk_card_ctl calls  gpk_get_serialnr and only supported for GPK16000

./libopensc/card-tcos.c
   ONLY tcos_card_ctl calls tcos_get_serialnr


TOKENINFO SERIAL_NUMBER

Serial number as an ASCII null-terminated printable string used in sc_pkcs15_tokeninfo:
typedef struct sc_pkcs15_tokeninfo { ...
        char *serial_number; ...
} sc_pkcs15_tokeninfo_t;

pkcs15.c sc_pkcs15_parse_tokeninfo() converts hex to ASCII
using (pkcs15.c, lines 198-203):
                for (ii = 0; ii < serial_len; ii++) {
                        char byte[3];

                        sprintf(byte, "%02X", serial[ii]);
                        strcat(ti->serial_number, byte);
                }

  Null terminated, and length can be found.

  These files call sc_pkcs15_parse_tokeninfo:
  ./libopensc/pkcs15-dnie.c
  ./libopensc/pkcs15-sc-hsm.c
  ./libopensc/pkcs15-pteid.c

But, why, do they need to if pkcs15.c is parsing the tokenInfo too?

  ./libopensc/pkcs15.c
     sc_pkcs15_bind_internal will try and read "EF(TokenInfo) file"
        then call sc_pkcs15_parse_tokeninfo
       
        BUT it will only do the following if there was an "EF(TokenInfo) file".
        If not, no attempt to use the card->serialnr is made (pkcs15.c, lines 1145-1152):

        if (!p15card->tokeninfo->serial_number && card->serialnr.len)   {
                char *serial = calloc(1, card->serialnr.len*2 + 1);
                size_t ii;

                for(ii=0;ii<card->serialnr.len;ii++)
                        sprintf(serial + ii*2, "%02X", *(card->serialnr.value + ii));

                p15card->tokeninfo->serial_number = serial;

./libopensc/pkcs15-openpgp.c
        sc_pkcs15emu_openpgp_init will use serialnr if present, and set tokeninfo->serial_number
       
./libopensc/pkcs15-oberthur.c
   sc_pkcs15emu_oberthur_init will use serialnr if present, and set tokeninfo->serial_number

What should other pkcs15 emulation modules be doing?


>
> An open question for PKCS#15-cards is if the number found in
> EF(TokenInfo) is (a) always present and (b) is equal to what is returned
> by the cardctl function currently used in the minidriver.
>
> On 01/23/2015 08:42 PM, Douglas E Engert wrote:
>> OK, step in the right direction, but any change must make sure the sc_pkcs15_get_object_guid()
>> returns the same thing as it does now for existing cards.
>> The pkcs15->tokeninfo contains  char*  up to 32 bytes, but no length and may be padded with blanks.
>> The card->serialnr is hex. Some research on what OpenSC is doing for all cards may be needed,
>> if a change is to be made in only sc_pkcs15_get_object_guid.
>> Not clear if the card->serialnr is filled in from pkcs15->tokeninfo.
>>
>> On 1/23/2015 11:08 AM, Philip Wendland wrote:
>>> On 01/23/2015 04:54 PM, Douglas E Engert wrote:
>>>> After looking closer at the code for minidriver, serial number and card_ctl...
>>>>
>>>> The minidriver in md_set_cardid() uses the serial number from
>>>> p15card->tokeninfo->serial_number
>>>>
>>>> The minidriver also calls sc_pkcs15_get_object_guid() in pkcs15.c which *does* call
>>>> sc_card_ctl(p15card->card, SC_CARDCTL_GET_SERIALNR, &serialnr);
>>>>
>>>> ***THIS MAY BE THE PROBLEM***
>>>>
>>>> Why does  sc_pkcs15_get_object_guid not use p15card->tokeninfo->serial_number?
>>>>
>>>> PKCS#15 defines the ASN.1 TokenInfo which has serialNumber OCTET STRING.
>>>>
>>>> Do all PKCS#15 cards have this file?
>>>> Do they all fill in the serial_number?
>>>>
>>>> For cards doing PKCS#15 emulation, their pkcs15-*.c drivers should be filling in the
>>>> p15card->tokeninfo->serial_number.
>>>>
>>>> Thus the minidriver should not depend on card-ctl if the p15card->tokeninfo->serial_number
>>>> is properly filled in.
>>>>
>>>> So the requirement for windows that a card driver have a card_ctl for serial_number
>>>> maybe that the p15card->tokeninfo->serial_number must be filled in.
>>>>
>>>
>>> Very interesting find.
>>>
>>> See also:
>>> $ pkcs15-tool -D
>>> PKCS#15 Card [JavaCard isoApplet]:
>>> Version        : 0
>>> Serial number  : 0000
>>>
>>> I think this is the serial number from the EF(TokenInfo). Version seems
>>> to be TokenInfo.version defined in PKCS#15, namely the PKCS#15 version
>>> the card conforms to.
>>>
>>> I followed the code path in pkcs15-init from creating the file
>>> structure. It goes to do_init_app(), which calls sc_pkcs15init_add_app()
>>> in pkcs15-lib.c.
>>> The code at line 866 ff. seems to fit very well to your point (that the
>>> minidriver should first read the EF(TokenInfo), and call the cardctl
>>> only if this is not possible):
>>>
>>> /* set serial number if explicitly specified */
>>> if (args->serial)   {
>>>         sc_pkcs15init_set_serial(profile, args->serial);
>>> }
>>> else {
>>>         /* otherwise try to get the serial number from the card */
>>>         struct sc_serial_number serialnr;
>>>         r = sc_card_ctl(card, SC_CARDCTL_GET_SERIALNR, &serialnr);
>>>         (...)
>>>
>>>
>>> Here is an example of how to set the IsoApplet up with a serial number
>>> in EF(TokenInfo) (without any modification to the driver or applet):
>>>
>>> [*@*]$ pkcs15-init -C --serial 42424242424242424242424242424242
>>> Using reader with a card: Cherry GmbH SmartTerminal ST-2xxx [Vendor
>>> Interface] (21121440179920) 00 00
>>> New User PIN.
>>> Please enter User PIN:
>>> Please type again to verify:
>>> Unblock Code for New User PIN (Optional - press return for no PIN).
>>> Please enter User unblocking PIN (PUK):
>>> Please type again to verify:
>>> User PIN [User PIN] required.
>>> Please enter User PIN [User PIN]:
>>>
>>> [*@*]$ pkcs15-tool -D
>>> Using reader with a card: Cherry GmbH SmartTerminal ST-2xxx [Vendor
>>> Interface] (21121440179920) 00 00
>>> PKCS#15 Card [JavaCard isoApplet]:
>>> Version        : 0
>>> Serial number  : 42424242424242424242424242424242
>>>
>>>
>>> So with changing the minidriver accordingly, it should be able to get
>>> the serial number.
>>>
>>>>
>>>> Even Microsoft does not require a serial number, but a CP_CARD_GUID that in their abstraction
>>>> of a smart card is contained in the cardId file.
>>>> See https://msdn.microsoft.com/en-us/library/windows/hardware/dn631754
>>>> Under V7.07, Section 5.4.1 Card Identifier.
>>>>
>>>
>>> Interesting as well:
>>> "This value is assigned by Microsoft software to assure that a unique
>>> value is generated for the card. It is unrelated to the serial number
>>> that may or may not be assigned to the card during manufacture."
>>>
>>>
>>>> For example the PIV card edge specifications are defined by NIST, and implemented
>>>> by multiple vendors. There is no "serial number" or a cardId file, but there is an object
>>>> defined called the CHUID.
>>>>
>>>>     https://www.idmanagement.gov/sites/default/files/documents/PACS.pdf
>>>>
>>>> It contains a "Federal Agency Smart Credential Number" (FASC-N) which was used
>>>> by the U.S. federal government, but to make the specifications more usable for
>>>> non-government, it can also contain a GUID. Section 2 of the above goes into
>>>> detail on these.
>>>>
>>>> The OpenSC PIV card driver is emulating PKCS#15, so to get a serial number,
>>>> pkcs15-piv.c uses card_ctl to have the card-piv.c read the CHUID,
>>>> and use the FASC-N or GUID as defined above. The Microsoft built-in driver will
>>>> also use the CHUID, and derive a number it can use as the cardId.
>>>>
>>>> The point being, the intent is to give Microsoft a unique number for a card,
>>>> unique in the sense that all the cards used on a local system have different numbers.
>>>> (Other uses of the number may require it to be global unique...)
>>>>
>>>> The same number should be returned by the card each time so cached certificates
>>>> can be associated with a card containing the matching key.
>>>>
>>>> How that number is obtained for the card is up to the applet.
>>>>
>>>>>
>>>>>> Nevertheless, the presence of the "get serial" card control is out of sync
>>>>>> with the rest of the framework. Why is there a mandatory "extension" for
>>>>>> something that should be part of the core?
>>>>
>>>> Because it is only mandatory for some systems. It was an afterthought; otherwise ISO 7816
>>>> would have defined a serial number.
>>>>
>>>>
>>>>>> It either should be a required
>>>>>> part of the usual card function structure, maybe with some sensible
>>>>>> defaults or fallbacks or the "serial" must derived from some unique data
>>>>>> (certificate?) if the callback is not there or no data present.
>>>>
>>>> Yes, but if the card has many certificates, that can be changed independently,
>>>> that will not work very well.
>>>>
>>>> One of the first OpenSC commands a user tries is opensc-tool --serial
>>>> 23 of the 33 or so card-*.c support reading a serial number, because it
>>>> is still optional.
>>>>
>>>> Thus the minidriver in md_set_cardid() uses the serial number from
>>>> p15card->tokeninfo->serial_number
>>>>
>>>> The minidriver also calls sc_pkcs15_get_object_guid() in pkcs15.c which does call
>>>> sc_card_ctl(p15card->card, SC_CARDCTL_GET_SERIALNR, &serialnr);
>>>>
>>>> ***THIS MAY BE THE PROBLEM***
>>>>
>>>> Should sc_pkcs15_get_object_guid look at p15card->tokeninfo->serial_number?
>>>>
>>>> For a PKCS#15 card with the tokeninfo there
>>>> is ASN.1 TokenInfo which has serialNumber OCTET STRING.
>>>>
>>>> For cards doing PKCS#15 emulation, their pkcs15-*.c drivers should be filling in the
>>>> p15card->tokeninfo->serial_number.
>>>>
>>>> Thus the minidriver should not depend on cardctl if the
>>>>
>>>>
>>>>
>>>>>>
>>>>>
>>>>> I kind of agree. When writing card drivers for OpenSC you usually look
>>>>> at the sc_card_operations struct; for me it was not clear for a long
>>>>> time that the SC_CARDCTL_GET_SERIALNR cardctl is required for windows
>>>>> functionality.
>>>>> (Windows-support was never a requirement for the isoapplet anyway,
>>>>> until now.)
>>>>
>>>> I would expect nowadays, Windows support would be highly desirable,
>>>> and the OpenSC minidriver can do that if there is a way to get a serial number
>>>> from the card driver.
>>>>
>>>>
>>>>>
>>>>>> The question is how to "grow" the framework: either extend the card
>>>>>> function pointers (that right now is almost 1:1 ISO and old, first
>>>>>> implementations) or via card controls. I would choose extending the card
>>>>>> function pointers.
>>>>>>
>>>>>> Also, the requirements for the "serial" must be written down: for
>>>>>> example, if the serial remains the same but card content changes, does this
>>>>>> matter? does this affect some caching somewhere? Is the serial binary or
>>>>>> string, how long? Is it supposed to be globally unique or just for a batch?
>>>>>>
>>>>>> Martin
>>>>>>
>>>>>> On Mon Jan 19 2015 at 7:55:44 PM Philip Wendland <[hidden email]>
>>>>>> wrote:
>>>>>>
>>>>>>> Hi,
>>>>>>>
>>>>>>> I will try to solve this problem for the IsoApplet this weekend. My
>>>>>>> spare time is limited until then.
>>>>>>>
>>>>>>> However, the problem will be to find a unique identifier for any generic
>>>>>>> card..
>>>>>>>
>>>>>>> Kind regards,
>>>>>>> Philip
>>>>>>>
>>>>>>> On 19.01.2015 17:26, Douglas E Engert wrote:
>>>>>>>> [I should have sent this to the opensc-devel, as others can address some of your questions
>>>>>>>> about the state of the muscle applet and isoapplet].
>>>>>>>>
>>>>>>>> No, that fix was for the card-itacns.c, you are using the card-muscle.c.
>>>>>>>>
>>>>>>>> Some equivalent code needs to be added to card-muscle.c, to use whatever information is available that
>>>>>>>> windows could use to uniquely identify the card. This is then stored with the certificates in the windows store.
>>>>>>>> At a later time, windows uses certificates from the store and can then prompt to have the card mounted, so it can use the
>>>>>>>> matching key on the card.
>>>>>>>>
>>>>>>>> You or someone else that can test a mod to card-muscle.c could submit a code change.
>>>>>>>>
>>>>>>>> There are 33 card-*.c files, 24 support SC_CARDCTL_GET_SERIALNR. 11 do not.
>>>>>>>>
>>>>>>>> card-belpic.c
>>>>>>>> card-default.c
>>>>>>>> card-gemsafeV1.c
>>>>>>>> card-ias.c
>>>>>>>> card-incrypto34.c
>>>>>>>> card-jcop.c
>>>>>>>> card-mcrd.c
>>>>>>>> card-miocos.c
>>>>>>>> card-muscle.c
>>>>>>>> card-setcos.c
>>>>>>>> iso7816.c
>>>>>>>>
>>>>>>>> Cards that support SC_CARDCTL_GET_SERIALNR
>>>>>>>> card-acos5.c
>>>>>>>> card-akis.c
>>>>>>>> card-asepcos.c
>>>>>>>> card-atrust-acos.c
>>>>>>>> card-authentic.c
>>>>>>>> card-cardos.c
>>>>>>>> card-dnie.c
>>>>>>>> card-entersafe.c
>>>>>>>> card-epass2003.c
>>>>>>>> card-flex.c
>>>>>>>> card-gpk.c
>>>>>>>> card-iasecc.c
>>>>>>>> card-itacns.c
>>>>>>>> card-myeid.c
>>>>>>>> card-oberthur.c
>>>>>>>> card-openpgp.c
>>>>>>>> card-piv.c
>>>>>>>> card-rtecp.c
>>>>>>>> card-rutoken.c
>>>>>>>> card-sc-hsm.c
>>>>>>>> card-starcos.c
>>>>>>>> card-tcos.c
>>>>>>>> card-westcos.c
>>>>>>>>
>>>>>>>>
>>>>>>>> To answer some other questions you asked in a private e-mail:
>>>>>>>>
>>>>>>>> iso7816.c which implements the basic ISO commands does not support any card_ctl commands.
>>>>>>>> I believe that the IsoApplet is designed to use the iso7816.c. I am not sure if the concept of
>>>>>>>> a unique "serial number" is part of ISO7816.
>>>>>>>>
>>>>>>>> I also don't know the state of the muscle applet, or if it has something that can be used as a serial number either.
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> On 1/19/2015 8:37 AM, Michael Heydemann wrote:
>>>>>>>>> WOW.. Thank you a lot.. I think I owe you a beer..
>>>>>>>>>
>>>>>>>>> I checked the fix is from November last year, and the 0.14 version is from summer last year.
>>>>>>>>> Does this mean, that the nightly build could fix this?
>>>>>>>>> What version should I pull/download?
>>>>>>>>>
>>>>>>>>> Thank you a lot,
>>>>>>>>> Michael
>>>>>>>>>
>>>>>>>>>> Am 19.01.2015 um 14:35 schrieb Douglas E Engert <[hidden email]>:
>>>>>>>>>>
>>>>>>>>>> This is the same problem as:
>>>>>>>>>>
>>>>>>>>>>      https://github.com/OpenSC/OpenSC/pull/321
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> 2015-01-19 09:49:34.203 [cardmod] card.c:720:sc_card_ctl: called
>>>>>>>>>> 2015-01-19 09:49:34.203 card_ctl(5) not supported
>>>>>>>>>>
>>>>>>>>>> The card-muscle.c (and others in OpenSC) does not support SC_CARDCTL_GET_SERIALNR
>>>>>>>>>> to get a card "serial number" which windows requires.
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> On 1/19/2015 3:30 AM, Michael Heydemann wrote:
>>>>>>>>>>> Dear OpenSC Development Team,
>>>>>>>>>>>
>>>>>>>>>>> First of all, I would like to say that I really appreciate your great work.
>>>>>>>>>>> I am working on a little project and explored all the nice tools of OpenSC.
>>>>>>>>>>> Unfortunately, for a week now I cannot get around a certain problem.
>>>>>>>>>>> I hope this mailing list is the right place and you can help me with that.
>>>>>>>>>>>
>>>>>>>>>>> My project is about (1) setting up a PKCS#11 key store on a Java Card,
>>>>>>>>>>> (2) loading some test data (keys and certificates) on it, and (3) using the card
>>>>>>>>>>> with the Windows 7 Key Management.
>>>>>>>>>>>
>>>>>>>>>>> Hardware:
>>>>>>>>>>> * Card Reader: Omnikey 3121USB
>>>>>>>>>>> * Java Card: J2A080 - NXP, 80k
>>>>>>>>>>>
>>>>>>>>>>> (1) Setting up PKCS#11 key store:
>>>>>>>>>>> I have installed Ubuntu 14.04.1 in VirtualBox and wrote a bunch of bash scripts
>>>>>>>>>>> to install all required software, installing muscle applet to the card, and
>>>>>>>>>>> removing the muscle applet from the card. I followed the instructions on
>>>>>>>>>>> http://blog.ev0ke.net/muscle-jcop/ and everything worked well.
>>>>>>>>>>>
>>>>>>>>>>> (2) Loading some test data:
>>>>>>>>>>> I tried some different ways to get some keys and certificates on the card.
>>>>>>>>>>> None of them delivered data which is accepted by Windows 7.
>>>>>>>>>>> Here is one set of data I created:
>>>>>>>>>>>
>>>>>>>>>>> ***************************************************************************************
>>>>>>>>>>> Using reader with a card: OMNIKEY CardMan (076B:3022) 3021 00 00
>>>>>>>>>>> PKCS#15 Card [MUSCLE]:
>>>>>>>>>>> Version        : 0
>>>>>>>>>>> Serial number  : 0000
>>>>>>>>>>> Manufacturer ID: Identity Alliance
>>>>>>>>>>> Last update    : 20150119080705Z
>>>>>>>>>>> Flags          : EID compliant
>>>>>>>>>>>
>>>>>>>>>>> PIN [User PIN]
>>>>>>>>>>> Object Flags   : [0x3], private, modifiable
>>>>>>>>>>> ID             : 01
>>>>>>>>>>> Flags          : [0x10], initialized
>>>>>>>>>>> Length         : min_len:4, max_len:8, stored_len:8
>>>>>>>>>>> Pad char       : 0x00
>>>>>>>>>>> Reference      : 1
>>>>>>>>>>> Type           : ascii-numeric
>>>>>>>>>>> Path           : 3f005015
>>>>>>>>>>>
>>>>>>>>>>> Private RSA Key [Card Owner]
>>>>>>>>>>> Object Flags   : [0x3], private, modifiable
>>>>>>>>>>> Usage          : [0x2E], decrypt, sign, signRecover, unwrap
>>>>>>>>>>> Access Flags   : [0x0]
>>>>>>>>>>> ModLength      : 1024
>>>>>>>>>>> Key ref        : 0 (0x0)
>>>>>>>>>>> Native         : yes
>>>>>>>>>>> Path           : 3f005015
>>>>>>>>>>> Auth ID        : 01
>>>>>>>>>>> ID             : 01
>>>>>>>>>>>
>>>>>>>>>>> Public RSA Key [Card Owner]
>>>>>>>>>>> Object Flags   : [0x2], modifiable
>>>>>>>>>>> Usage          : [0xD1], encrypt, wrap, verify, verifyRecover
>>>>>>>>>>> Access Flags   : [0x0]
>>>>>>>>>>> ModLength      : 1024
>>>>>>>>>>> Key ref        : 0
>>>>>>>>>>> Native         : no
>>>>>>>>>>> Path           : 3f0050153000
>>>>>>>>>>> ID             : 01
>>>>>>>>>>>
>>>>>>>>>>> X.509 Certificate [Card Owner Certificate]
>>>>>>>>>>> Object Flags   : [0x2], modifiable
>>>>>>>>>>> Authority      : no
>>>>>>>>>>> Path           : 3f0050153100
>>>>>>>>>>> ID             : 01
>>>>>>>>>>> Encoded serial : 02 09 00F695059953A904F9
>>>>>>>>>>>
>>>>>>>>>>> X.509 Certificate [Contact 2 Certificate]
>>>>>>>>>>> Object Flags   : [0x2], modifiable
>>>>>>>>>>> Authority      : no
>>>>>>>>>>> Path           : 3f0050153101
>>>>>>>>>>> ID             : 02
>>>>>>>>>>> Encoded serial : 02 09 00F695059953A904F9
>>>>>>>>>>>
>>>>>>>>>>> X.509 Certificate [Contact 3 Certificate]
>>>>>>>>>>> Object Flags   : [0x2], modifiable
>>>>>>>>>>> Authority      : no
>>>>>>>>>>> Path           : 3f0050153102
>>>>>>>>>>> ID             : 03
>>>>>>>>>>> Encoded serial : 02 09 00F695059953A904F9
>>>>>>>>>>>
>>>>>>>>>>> X.509 Certificate [Contact 4 Certificate]
>>>>>>>>>>> Object Flags   : [0x2], modifiable
>>>>>>>>>>> Authority      : no
>>>>>>>>>>> Path           : 3f0050153103
>>>>>>>>>>> ID             : 04
>>>>>>>>>>> Encoded serial : 02 09 00F695059953A904F9
>>>>>>>>>>>
>>>>>>>>>>> X.509 Certificate [Contact 5 Certificate]
>>>>>>>>>>> Object Flags   : [0x2], modifiable
>>>>>>>>>>> Authority      : no
>>>>>>>>>>> Path           : 3f0050153104
>>>>>>>>>>> ID             : 05
>>>>>>>>>>> Encoded serial : 02 09 00F695059953A904F9
>>>>>>>>>>> ***************************************************************************************
>>>>>>>>>>>
>>>>>>>>>>> (3) Using the card in Windows 7:
>>>>>>>>>>> I installed Windows 7 64 Bit in a VirtualBox and installed
>>>>>>>>>>> OpenSC-0.12.2-win64.msi. I also tried OpenSC-0.14.0-win64.msi,
>>>>>>>>>>> but with the same result.
>>>>>>>>>>> I acquired the ATR of the card and properly installed my opens-minidriver.inf:
>>>>>>>>>>>
>>>>>>>>>>> ***************************************************************************************
>>>>>>>>>>> [Version]
>>>>>>>>>>> Signature="$Windows NT$"
>>>>>>>>>>> Class=SmartCard
>>>>>>>>>>> ClassGuid={990A2BD7-E738-46c7-B26F-1CF8FB9F1391}
>>>>>>>>>>> Provider=%ProviderName%
>>>>>>>>>>> CatalogFile=delta.cat
>>>>>>>>>>> DriverVer=05/02/2010,@OPENSC_VERSION_MAJOR@,@OPENSC_VERSION_MINOR@,@OPENSC_VERSION_FIX@,0
>>>>>>>>>>>
>>>>>>>>>>> [Manufacturer]
>>>>>>>>>>> %ProviderName%=Minidriver,NTamd64,NTamd64.6.1,NTx86,NTx86.6.1
>>>>>>>>>>>
>>>>>>>>>>> [Minidriver.NTamd64]
>>>>>>>>>>> %CardDeviceName%=Minidriver64_Install,SCFILTER\CID_00640181010c829000
>>>>>>>>>>>
>>>>>>>>>>> [Minidriver.NTx86]
>>>>>>>>>>> %CardDeviceName%=Minidriver32_Install,SCFILTER\CID_00640181010c829000
>>>>>>>>>>>
>>>>>>>>>>> [Minidriver.NTamd64.6.1]
>>>>>>>>>>> %CardDeviceName%=Minidriver64_61_Install,SCFILTER\CID_00640181010c829000
>>>>>>>>>>>
>>>>>>>>>>> [Minidriver.NTx86.6.1]
>>>>>>>>>>> %CardDeviceName%=Minidriver32_61_Install,SCFILTER\CID_00640181010c829000
>>>>>>>>>>>
>>>>>>>>>>> [DefaultInstall]
>>>>>>>>>>> CopyFiles=x86_CopyFiles
>>>>>>>>>>> AddReg=AddRegDefault
>>>>>>>>>>>
>>>>>>>>>>> [DefaultInstall.ntamd64]
>>>>>>>>>>> CopyFiles=amd64_CopyFiles
>>>>>>>>>>> CopyFiles=wow64_CopyFiles
>>>>>>>>>>> AddReg=AddRegWOW64
>>>>>>>>>>> AddReg=AddRegDefault
>>>>>>>>>>>
>>>>>>>>>>> [DefaultInstall.NTx86]
>>>>>>>>>>> CopyFiles=x86_CopyFiles
>>>>>>>>>>> AddReg=AddRegDefault
>>>>>>>>>>>
>>>>>>>>>>> [DefaultInstall.ntamd64.6.1]
>>>>>>>>>>> AddReg=AddRegWOW64
>>>>>>>>>>> AddReg=AddRegDefault
>>>>>>>>>>>
>>>>>>>>>>> [DefaultInstall.NTx86.6.1]
>>>>>>>>>>> AddReg=AddRegDefault
>>>>>>>>>>>
>>>>>>>>>>> [SourceDisksFiles]
>>>>>>>>>>> %SmartCardCardModule%=1
>>>>>>>>>>> %SmartCardCardModule64%=1
>>>>>>>>>>>
>>>>>>>>>>> [SourceDisksNames]
>>>>>>>>>>> 1 = %MediaDescription%
>>>>>>>>>>>
>>>>>>>>>>> [Minidriver64_Install.NT]
>>>>>>>>>>> CopyFiles=amd64_CopyFiles
>>>>>>>>>>> CopyFiles=wow64_CopyFiles
>>>>>>>>>>> AddReg=AddRegWOW64
>>>>>>>>>>> AddReg=AddRegDefault
>>>>>>>>>>>
>>>>>>>>>>> [Minidriver64_61_Install.NT]
>>>>>>>>>>> AddReg=AddRegWOW64
>>>>>>>>>>> AddReg=AddRegDefault
>>>>>>>>>>> Include=umpass.inf
>>>>>>>>>>> Needs=UmPass
>>>>>>>>>>>
>>>>>>>>>>> [Minidriver32_Install.NT]
>>>>>>>>>>> CopyFiles=x86_CopyFiles
>>>>>>>>>>> AddReg=AddRegDefault
>>>>>>>>>>>
>>>>>>>>>>> [Minidriver32_61_Install.NT]
>>>>>>>>>>> AddReg=AddRegDefault
>>>>>>>>>>> Include=umpass.inf
>>>>>>>>>>> Needs=UmPass
>>>>>>>>>>>
>>>>>>>>>>> [Minidriver64_61_Install.NT.Services]
>>>>>>>>>>> Include=umpass.inf
>>>>>>>>>>> Needs=UmPass.Services
>>>>>>>>>>>
>>>>>>>>>>> [Minidriver32_61_Install.NT.Services]
>>>>>>>>>>> Include=umpass.inf
>>>>>>>>>>> Needs=UmPass.Services
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> [Minidriver64_61_Install.NT.HW]
>>>>>>>>>>> Include=umpass.inf
>>>>>>>>>>> Needs=UmPass.HW
>>>>>>>>>>>
>>>>>>>>>>> [Minidriver64_61_Install.NT.CoInstallers]
>>>>>>>>>>> Include=umpass.inf
>>>>>>>>>>> Needs=UmPass.CoInstallers
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> [Minidriver64_61_Install.NT.Interfaces]
>>>>>>>>>>> Include=umpass.inf
>>>>>>>>>>> Needs=UmPass.Interfaces
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> [Minidriver32_61_Install.NT.HW]
>>>>>>>>>>> Include=umpass.inf
>>>>>>>>>>> Needs=UmPass.HW
>>>>>>>>>>>
>>>>>>>>>>> [Minidriver32_61_Install.NT.CoInstallers]
>>>>>>>>>>> Include=umpass.inf
>>>>>>>>>>> Needs=UmPass.CoInstallers
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> [Minidriver32_61_Install.NT.Interfaces]
>>>>>>>>>>> Include=umpass.inf
>>>>>>>>>>> Needs=UmPass.Interfaces
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> [amd64_CopyFiles]
>>>>>>>>>>> ;%SmartCardCardModule%,%SmartCardCardModule64%
>>>>>>>>>>>
>>>>>>>>>>> [x86_CopyFiles]
>>>>>>>>>>> ;%SmartCardCardModule%
>>>>>>>>>>>
>>>>>>>>>>> [wow64_CopyFiles]
>>>>>>>>>>> ;%SmartCardCardModule64%
>>>>>>>>>>>
>>>>>>>>>>> [AddRegWOW64]
>>>>>>>>>>> HKLM, %SmartCardNameWOW64%,"ATR",0x00000001,3b,f8,13,00,00,81,31,fe,45,4A,43,4f,50,76,32,34,31,b7
>>>>>>>>>>> HKLM, %SmartCardNameWOW64%,"ATRMask",0x00000001,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff
>>>>>>>>>>> HKLM, %SmartCardNameWOW64%,"Crypto Provider",0x00000000,"Microsoft Base Smart Card Crypto Provider"
>>>>>>>>>>> HKLM, %SmartCardNameWOW64%,"Smart Card Key Storage Provider",0x00000000,"Microsoft Smart Card Key Storage Provider"
>>>>>>>>>>> HKLM, %SmartCardNameWOW64%,"80000001",0x00000000,%SmartCardCardModule64%
>>>>>>>>>>>
>>>>>>>>>>> [AddRegDefault]
>>>>>>>>>>> HKLM, %SmartCardName%,"ATR",0x00000001,3b,f8,13,00,00,81,31,fe,45,4A,43,4f,50,76,32,34,31,b7
>>>>>>>>>>> HKLM, %SmartCardName%,"ATRMask",0x00000001,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff
>>>>>>>>>>> HKLM, %SmartCardName%,"Crypto Provider",0x00000000,"Microsoft Base Smart Card Crypto Provider"
>>>>>>>>>>> HKLM, %SmartCardName%,"Smart Card Key Storage Provider",0x00000000,"Microsoft Smart Card Key Storage Provider"
>>>>>>>>>>> HKLM, %SmartCardName%,"80000001",0x00000000,%SmartCardCardModule%
>>>>>>>>>>>
>>>>>>>>>>> [DestinationDirs]
>>>>>>>>>>> amd64_CopyFiles=10,system32
>>>>>>>>>>> x86_CopyFiles=10,system32
>>>>>>>>>>> wow64_CopyFiles=10,syswow64
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> ; =================== Generic ==================================
>>>>>>>>>>>
>>>>>>>>>>> [Strings]
>>>>>>>>>>> ProviderName="OpenSC"
>>>>>>>>>>> MediaDescription="OpenSC Card Minidriver Installation Disk"
>>>>>>>>>>> CardDeviceName="Muscle Card"
>>>>>>>>>>> SmartCardName="SOFTWARE\Microsoft\Cryptography\Calais\SmartCards\Muscle Card"
>>>>>>>>>>> SmartCardNameWOW64="SOFTWARE\Wow6432Node\Microsoft\Cryptography\Calais\SmartCards\Muscle Card"
>>>>>>>>>>> SmartCardCardModule="opensc-minidriver.dll"
>>>>>>>>>>> ***************************************************************************************
>>>>>>>>>>>
>>>>>>>>>>> When the card is inserted the driver is used as shown in device manager
>>>>>>>>>>> as well as in certutil.exe.
>>>>>>>>>>> Now here is the actual problem:
>>>>>>>>>>> When I try to use the card with certutil.exe -SCinfo several times a dialog pops up
>>>>>>>>>>> complaining that the card does not have the required functions.
>>>>>>>>>>> The terminal output is like this. I am sorry for pasting this in German.
>>>>>>>>>>> I added some translations:
>>>>>>>>>>>
>>>>>>>>>>> ***************************************************************************************
>>>>>>>>>>> Microsoft Windows [Version 6.1.7601]
>>>>>>>>>>> Copyright (c) 2009 Microsoft Corporation. All rights reserved.
>>>>>>>>>>>
>>>>>>>>>>> C:\Users\developer>certutil -scinfo
>>>>>>>>>>> The Microsoft Smart Card Resource Manager is running.
>>>>>>>>>>> Current reader/card status:
>>>>>>>>>>> Readers: 1
>>>>>>>>>>>       0: OMNIKEY CardMan 3x21 0
>>>>>>>>>>> --- Reader: OMNIKEY CardMan 3x21 0
>>>>>>>>>>> --- Status: SCARD_STATE_PRESENT | SCARD_STATE_UNPOWERED
>>>>>>>>>>> --- Status: The smart card can be used.
>>>>>>>>>>> ---   Card: Muscle Card
>>>>>>>>>>> ---    ATR:
>>>>>>>>>>>             3b f8 13 00 00 81 31 fe  45 4a 43 4f 50 76 32 34   ;.....1.EJCOPv24
>>>>>>>>>>>             31 b7                                              1.
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> =======================================================
>>>>>>>>>>> Analyzing card in reader: OMNIKEY CardMan 3x21 0
>>>>>>>>>>>
>>>>>>>>>>> --------------===========================--------------
>>>>>>>>>>> ================ Certificate 0 ================
>>>>>>>>>>> --- Reader: OMNIKEY CardMan 3x21 0
>>>>>>>>>>> ---   Card: Muscle Card
>>>>>>>>>>> Provider = Microsoft Base Smart Card Crypto Provider
>>>>>>>>>>> Key container = (null) [default container]
>>>>>>>>>>>
>>>>>>>>>>> Key "AT_SIGNATURE" cannot be opened for reader: OMNIKEY CardMan 3x21 0
>>>>>>>>>>> Key "AT_KEYEXCHANGE" cannot be opened for reader: OMNIKEY CardMan 3x21 0
>>>>>>>>>>>
>>>>>>>>>>> --------------===========================--------------
>>>>>>>>>>> ================ Certificate 0 ================
>>>>>>>>>>> --- Reader: OMNIKEY CardMan 3x21 0
>>>>>>>>>>> ---   Card: Smart Security Device (Brainchild)
>>>>>>>>>>> Provider = Microsoft Smart Card Key Storage Provider
>>>>>>>>>>> Key container = (null) [default container]
>>>>>>>>>>>
>>>>>>>>>>> Key "" cannot be opened for reader: OMNIKEY CardMan 3x21 0
>>>>>>>>>>>
>>>>>>>>>>> --------------===========================--------------
>>>>>>>>>>>
>>>>>>>>>>> Done.
>>>>>>>>>>> CertUtil: -SCInfo command completed successfully.
>>>>>>>>>>> ***************************************************************************************
>>>>>>>>>>>
>>>>>>>>>>> I also configured to use a log file in opensc.conf and debug level 9.
>>>>>>>>>>> Unfortunately the file is about 2.5 MB. I try to add it as an attachment to this mail,
>>>>>>>>>>> but I am not sure if this is working with a mailing list.
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> I already inspected the log, but found nothing suspicious.
>>>>>>>>>>> I think maybe there have to be a private key to be marked
>>>>>>>>>>> for use as AT_SIGNATURE and one for AT_EXCHANGE.
>>>>>>>>>>> But how?
>>>>>>>>>>>
>>>>>>>>>>> Or maybe I am completely wrong and something different is going wrong.
>>>>>>>>>>>
>>>>>>>>>>> Any help would be appreciated!
>>>>>>>>>>>
>>>>>>>>>>> Best Regards,
>>>>>>>>>>> Michael
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> ------------------------------------------------------------------------------
>>>>>>>>>>> New Year. New Location. New Benefits. New Data Center in Ashburn, VA.
>>>>>>>>>>> GigeNET is offering a free month of service with a new server in Ashburn.
>>>>>>>>>>> Choose from 2 high performing configs, both with 100TB of bandwidth.
>>>>>>>>>>> Higher redundancy.Lower latency.Increased capacity.Completely compliant.
>>>>>>>>>>> http://p.sf.net/sfu/gigenet
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> _______________________________________________
>>>>>>>>>>> Opensc-devel mailing list
>>>>>>>>>>> [hidden email]
>>>>>>>>>>> https://lists.sourceforge.net/lists/listinfo/opensc-devel
>>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> --
>>>>>>>>>>
>>>>>>>>>>      Douglas E. Engert  <[hidden email]>
>>>>>>>>>>
>>>>>>>>>>

--

  Douglas E. Engert  <[hidden email]>
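The lookup order argued for in the messages above, both in Philip's reading of sc_pkcs15init_add_app() and in Douglas's question about sc_pkcs15_get_object_guid() (EF(TokenInfo) serialNumber first, the SC_CARDCTL_GET_SERIALNR card_ctl only as a fallback, and a hard failure when the driver has no card_ctl at all), as an added, stand-alone C model. This is not OpenSC code: the struct and function names mimic sc_pkcs15_card, sc_card and sc_card_ctl but are simplified stand-ins, the error values are placeholders, and the three fixtures are constructed from values quoted in the thread (the IsoApplet initialised with --serial 4242...42, a MUSCLE card with the default 0000 serial and no card_ctl, and a PIV-like card with no EF(TokenInfo) whose driver answers the card_ctl). Treating an all-zero serial as unset is this example's policy choice, not something OpenSC does.

```c
#include <stdio.h>
#include <string.h>

#define SC_MAX_SERIALNR          32    /* buffer size assumed for this example */
#define SC_CARDCTL_GET_SERIALNR  5     /* the "card_ctl(5)" seen in the posted log */
#define SC_SUCCESS               0
#define SC_ERROR_NOT_SUPPORTED  (-1)   /* placeholder values, not OpenSC's real codes */
#define SC_ERROR_NO_SERIAL      (-2)

struct sc_serial_number { unsigned char value[SC_MAX_SERIALNR]; size_t len; };
/* Stand-in for a card driver; card_ctl is NULL when the driver implements no
 * control commands at all (the card-muscle.c situation from the thread). */
struct sc_card {
    int (*card_ctl)(struct sc_card *card, unsigned long cmd, void *arg);
    const struct sc_serial_number *hw_serial;   /* what the driver would read from the card */
};
/* Stand-in for the parsed EF(TokenInfo), or what a pkcs15-*.c emulator fills in. */
struct sc_pkcs15_tokeninfo { const unsigned char *serial_number; size_t serial_len; };
struct sc_pkcs15_card      { struct sc_card *card; struct sc_pkcs15_tokeninfo *tokeninfo; };
enum serial_source { SERIAL_FROM_TOKENINFO = 1, SERIAL_FROM_CARDCTL = 2 };

static int is_all_zero(const unsigned char *p, size_t n)
{
    while (n--) if (*p++) return 0;
    return 1;
}

int sc_card_ctl(struct sc_card *card, unsigned long cmd, void *arg)
{   /* "card_ctl(5) not supported" when the driver has no handler */
    return card->card_ctl ? card->card_ctl(card, cmd, arg) : SC_ERROR_NOT_SUPPORTED;
}

/* Pick the identifier the minidriver should bind cached certificates to:
 * 1. TokenInfo.serialNumber, unless it is the all-zero value pkcs15-init writes
 *    when no --serial is given (calling 00..00 "unset" is this example's policy);
 * 2. otherwise SC_CARDCTL_GET_SERIALNR from the card driver.
 * Returns the source on success, a negative error otherwise. */
int get_card_serial(struct sc_pkcs15_card *p15card, struct sc_serial_number *out)
{
    const struct sc_pkcs15_tokeninfo *ti = p15card->tokeninfo;
    int r;
    memset(out, 0, sizeof *out);
    if (ti != NULL && ti->serial_number != NULL && ti->serial_len > 0
        && ti->serial_len <= SC_MAX_SERIALNR && !is_all_zero(ti->serial_number, ti->serial_len)) {
        memcpy(out->value, ti->serial_number, ti->serial_len);
        out->len = ti->serial_len;
        return SERIAL_FROM_TOKENINFO;
    }
    r = sc_card_ctl(p15card->card, SC_CARDCTL_GET_SERIALNR, out);
    if (r != SC_SUCCESS)
        return r;
    return (out->len == 0 || is_all_zero(out->value, out->len)) ? SC_ERROR_NO_SERIAL : SERIAL_FROM_CARDCTL;
}

/* A driver that does implement the control, the way card-piv.c does. */
static int piv_like_card_ctl(struct sc_card *card, unsigned long cmd, void *arg)
{
    if (cmd != SC_CARDCTL_GET_SERIALNR) return SC_ERROR_NOT_SUPPORTED;
    *(struct sc_serial_number *)arg = *card->hw_serial;
    return SC_SUCCESS;
}

/* Constructed fixtures for the three cases discussed in the thread. */
static const unsigned char isoapplet_serial[16] = {     /* pkcs15-init --serial 4242...42 */
    0x42,0x42,0x42,0x42,0x42,0x42,0x42,0x42,0x42,0x42,0x42,0x42,0x42,0x42,0x42,0x42 };
static const unsigned char muscle_default_serial[2] = { 0x00, 0x00 };   /* "Serial number : 0000" */
static const struct sc_serial_number piv_guid = {         /* made-up GUID as read from a CHUID */
    { 0x8f,0x17,0x2c,0x01,0xa5,0x9e,0x4b,0x3d,0x9d,0x6a,0x00,0x11,0x22,0x33,0x44,0x55 }, 16 };

int simulate_card(const char *kind, struct sc_serial_number *out)
{
    struct sc_card card = { NULL, NULL };
    struct sc_pkcs15_tokeninfo ti = { NULL, 0 };
    struct sc_pkcs15_card p15card = { &card, &ti };
    if (strcmp(kind, "isoapplet") == 0) {          /* EF(TokenInfo) carries a real serial */
        ti.serial_number = isoapplet_serial;       ti.serial_len = sizeof isoapplet_serial;
    } else if (strcmp(kind, "muscle") == 0) {      /* default 0000 and no card_ctl at all */
        ti.serial_number = muscle_default_serial;  ti.serial_len = sizeof muscle_default_serial;
    } else if (strcmp(kind, "piv") == 0) {         /* no EF(TokenInfo), but a card_ctl */
        card.card_ctl = piv_like_card_ctl;         card.hw_serial = &piv_guid;
    }
    return get_card_serial(&p15card, out);
}

int    serial_source(const char *kind) { struct sc_serial_number s; return simulate_card(kind, &s); }
size_t serial_len(const char *kind)    { struct sc_serial_number s; simulate_card(kind, &s); return s.len; }

int main(void)
{
    static const char *kinds[] = { "isoapplet", "muscle", "piv" };
    struct sc_serial_number s;
    size_t k, i;
    for (k = 0; k < 3; k++) {
        printf("%-9s -> %d:", kinds[k], simulate_card(kinds[k], &s));
        for (i = 0; i < s.len; i++) printf(" %02x", s.value[i]);
        printf("\n");
    }
    return 0;
}
```

Compiled and run, the muscle case returns SC_ERROR_NOT_SUPPORTED with an empty serial, which is the "card_ctl(5) not supported" failure from the posted log, while the IsoApplet case never touches the driver at all. Whichever source wins, the bytes have to come back identical on every insertion and differ between the cards used on one machine, because the minidriver stores them with the cached certificates and later uses them to ask for the card that holds the matching key.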



Re: AT_SIGNATURE and AT_EXCHANGE Problem

Martin Paljak-4
On Sat, Jan 24, 2015 at 8:45 PM, Douglas E Engert <[hidden email]> wrote:
> SC_CARDCTL_GET_SERIALNR

I think it makes sense to look at the history.

git log -S SC_CARDCTL_GET_SERIALNR | tail

Which gives:

8d9ace2d7f484cea63911f03a7560e376d3bafdd

Which just adds a serial to the card structure and a "low level
control call" (more like low level ioctl kind of thing, not part of
standard framework/platform) for fetching it. Somehow this sneaked
into more code (copycat) which then sneaked into "common code in upper
layers".

If tokeninfo serial comes from a reference specification and makes
sense in the context of OpenSC, which tries to wrap around PKCS#15
concepts and layer, while  the "card serial" is quite arbitrary and
has no documentation nor reference, just.. "serial".

PKCS#15 tells:
TokenInfo.serialNumber: This field shall contain the token’s unique
serial number, for IC card issued in accordance with ISO/IEC 7812-1
([12]) and coded in accordance with ISO/IEC 8583 ([18]).

Which I have little knowledge about, but wikipedia has some:

http://en.wikipedia.org/wiki/ISO/IEC_7812
http://en.wikipedia.org/wiki/ISO_8583

Does OpenSC conform to the format? Should it? I know for sure that
there are emulation drivers that set the serial number to what is
meaningful in the context (card serial as printed on the plastic)
rather than what is written in the specification. Anything can be
written into a standard but that does not mean it must be followed
100%.

IMHO the question here is a right and consistent abstraction layer. Be
it PKCS#15 or be it a low level, card specific "card serial" and it
better have some consistent format and consequences for having/not
having one. and if 2/3 or more "drivers" have something, it calls for
a refactoring and extending the platform.

--
Martin
+372 515 6495
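Martin's question whether a TokenInfo serialNumber actually conforms to ISO/IEC 7812-1 can be checked mechanically: such a number has at most 19 decimal digits and ends in a Luhn check digit. The following is an added example, not OpenSC code. It assumes the OCTET STRING holds packed BCD digits with 0xF as padding (an assumption about the ISO 8583 coding, not something the thread establishes), and its fixtures are constructed: the two serials quoted in the thread plus the textbook Luhn number 79927398713 and a deliberately broken copy of it.

```c
#include <stdio.h>
#include <string.h>

/* Decode packed-BCD digits (two per octet) into an ASCII string. Treating the
 * OCTET STRING as packed BCD with 0xF padding is this example's assumption about
 * the ISO 8583 coding PKCS#15 refers to. Returns the digit count, or -1 if a
 * nibble is not a decimal digit or the output buffer is too small. */
int bcd_to_digits(const unsigned char *octets, size_t n, char *out, size_t outsz)
{
    size_t i, d = 0;
    int k;
    for (i = 0; i < n; i++) {
        for (k = 4; k >= 0; k -= 4) {                 /* high nibble, then low nibble */
            unsigned char nib = (octets[i] >> k) & 0x0f;
            if (nib == 0x0f) continue;                /* padding */
            if (nib > 9 || d + 1 >= outsz) return -1;
            out[d++] = (char)('0' + nib);
        }
    }
    out[d] = '\0';
    return (int)d;
}

/* Luhn check as used by ISO/IEC 7812-1: from the right, double every second
 * digit, subtract 9 when that exceeds 9, and the total must be a multiple of 10. */
int luhn_valid(const char *digits)
{
    size_t len = strlen(digits), i;
    int sum = 0, dbl = 0;
    if (len == 0) return 0;
    for (i = len; i-- > 0; ) {
        int v = digits[i] - '0';
        if (v < 0 || v > 9) return 0;
        if (dbl && (v *= 2) > 9) v -= 9;
        sum += v;
        dbl = !dbl;
    }
    return sum % 10 == 0;
}

/* An ISO/IEC 7812-1 number has at most 19 digits and ends in a Luhn check digit.
 * Returns 1 when the serial conforms, 0 otherwise. */
int serial_is_iso7812(const unsigned char *octets, size_t n)
{
    char digits[2 * 32 + 1];                          /* room for 32 octets of BCD */
    int d = bcd_to_digits(octets, n, digits, sizeof digits);
    return d > 0 && d <= 19 && luhn_valid(digits);
}

/* Constructed fixtures. The first two are the serials seen in the thread. */
const unsigned char isoapplet_serial[16] = {          /* pkcs15-init --serial 4242...42 */
    0x42,0x42,0x42,0x42,0x42,0x42,0x42,0x42,0x42,0x42,0x42,0x42,0x42,0x42,0x42,0x42 };
const unsigned char muscle_default_serial[2] = { 0x00, 0x00 };     /* "Serial number : 0000" */
const unsigned char luhn_ok_serial[6]  = { 0x79,0x92,0x73,0x98,0x71,0x3f }; /* 79927398713 */
const unsigned char luhn_bad_serial[6] = { 0x79,0x92,0x73,0x98,0x71,0x4f }; /* 79927398714 */
const unsigned char not_bcd_serial[1]  = { 0xab };                  /* not decimal digits */

int main(void)
{
    const struct { const char *name; const unsigned char *p; size_t n; } cases[] = {
        { "isoapplet 4242..42",  isoapplet_serial,      sizeof isoapplet_serial },
        { "muscle default 0000", muscle_default_serial, sizeof muscle_default_serial },
        { "79927398713",         luhn_ok_serial,        sizeof luhn_ok_serial },
        { "79927398714",         luhn_bad_serial,       sizeof luhn_bad_serial },
        { "0xab",                not_bcd_serial,        sizeof not_bcd_serial },
    };
    size_t i;
    for (i = 0; i < sizeof cases / sizeof cases[0]; i++)
        printf("%-20s ISO/IEC 7812-1: %s\n", cases[i].name,
               serial_is_iso7812(cases[i].p, cases[i].n) ? "yes" : "no");
    return 0;
}
```

Two results are worth noting. The IsoApplet serial 4242...42 is a Luhn-valid digit string but 32 digits long, so it fails only on length. The default 0000 that pkcs15-init leaves behind passes the check, since a sum of zero is a multiple of ten: a format check says nothing about whether the value is a placeholder, let alone unique, so the minidriver still needs its own test for an unset serial.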


Re: AT_SIGNATURE and AT_EXCHANGE Problem

Douglas E Engert


On 1/24/2015 1:45 PM, Martin Paljak wrote:

> On Sat, Jan 24, 2015 at 8:45 PM, Douglas E Engert <[hidden email]> wrote:
>> SC_CARDCTL_GET_SERIALNR
>
> I think it makes sense to look at the history.
>
> git log -S SC_CARDCTL_GET_SERIALNR | tail
>
> Which gives:
>
> 8d9ace2d7f484cea63911f03a7560e376d3bafdd

I was interested in why sc_pkcs15_get_object_guid
is using the card_ctl to get serial number when it should be
in tokeninfo->serial_number or card->serialnr.

It looks like most cards will not fill serialnr in unless requested,
but there is no reason, other than an extra operation, to not have
all card drivers fill this in.

Then pkcs15 can read the tokenInfo file, and fill in tokeninfo->serial_number,
or fill it in from card->serialnr.

These commits added the sc_pkcs15_get_object_guid

commit 98325ab7f247552fee95e3211717385c4d5fcd13
commit f8ba3ea76d976056a21e672f7f334ca555c7bb52

>
> Which just adds a serial to the card structure and a "low level
> control call" (more like low level ioctl kind of thing, not part of
> standard framework/platform) for fetching it. Somehow this sneaked
> into more code (copycat) which then sneaked into "common code in upper
> layers".

opensc-tool --serial
uses this to get the serial number, so I would not say it sneaked in.
During development of a card driver, that looks like one of the first things
one would want to try.

>
> If tokeninfo serial comes from a reference specification and makes
> sense in the context of OpenSC, which tries to wrap around PKCS#15
> concepts and layer, while  the "card serial" is quite arbitrary and
> has no documentation nor reference, just.. "serial".
>
> PKCS#15 tells:
> TokenInfo.serialNumber: This field shall contain the token’s unique
> serial number, for IC card issued in accordance with ISO/IEC 7812-1
> ([12]) and coded in accordance with ISO/IEC 8583 ([18]).
>
> Which I have little knowledge about, but wikipedia has some:
>
> http://en.wikipedia.org/wiki/ISO/IEC_7812
> http://en.wikipedia.org/wiki/ISO_8583
>
> Does OpenSC conform to the format? Should it? I know for sure that
> there are emulation drivers that set the serial number to what is
> meaningful in the context (card serial as printed on the plastic)
> rather than what is written in the specification. Anything can be
> written into a standard but that does not mean it must be followed
> 100%.

I don't think they do; many use different lengths and refer to vendors'
serial numbers.

>
> IMHO the question here is a right and consistent abstraction layer. Be
> it PKCS#15 or be it a low level, card specific "card serial" and it
> better have some consistent format and consequences for having/not
> having one. And if 2/3 or more "drivers" have something, it calls for
> a refactoring and extending the platform.

Right now if a card does not have a card_ctl, it won't work with the minidriver.
So I would say all cards should fill in at least tokeninfo->serial_number.

>
> --
> Martin
> +372 515 6495
>

--

  Douglas E. Engert  <[hidden email]>


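To make the two serial sources concrete, here is an added C example (not OpenSC code; the struct and function names are simplified stand-ins for sc_serial_number_t, sc_card_t, sc_pkcs15_tokeninfo_t and sc_card_ctl) of the tokeninfo-first lookup with SC_CARDCTL_GET_SERIALNR as the fallback that Philip proposes in this thread, followed by the Object ID plus serial GUID construction Viktor describes. The card serial C0FFEE and the 0x01/0x42 bytes are constructed values; the MUSCLE card's "0000" and the pkcs15-init --serial value come from the thread.

```c
#include <ctype.h>
#include <string.h>

#define MAX_SERIALNR 32   /* stand-in for OpenSC's SC_MAX_SERIALNR */
#define GUID_LEN 16       /* only the first 16 bytes end up in the object GUID */
/* Trimmed stand-ins for sc_serial_number_t, sc_card_t and sc_pkcs15_tokeninfo_t. */
struct serial_number { unsigned char value[MAX_SERIALNR]; size_t len; };
struct card { int has_get_serialnr; struct serial_number serialnr; };
struct tokeninfo { const char *serial_number; };  /* hex string from EF(TokenInfo), or NULL */

/* Constructed stand-in for sc_card_ctl(card, SC_CARDCTL_GET_SERIALNR, out): -1 for
 * drivers without the card_ctl (the "card_ctl(5) not supported" log line), else 0. */
static int card_ctl_get_serialnr(const struct card *card, struct serial_number *out)
{
    if (!card->has_get_serialnr)
        return -1;
    *out = card->serialnr;
    return 0;
}

static int hex_nibble(char c)
{
    const char *digits = "0123456789abcdef";
    const char *p = c ? strchr(digits, tolower((unsigned char)c)) : NULL;
    return p ? (int)(p - digits) : -1;
}

/* Simplified sc_hex_to_bin for tokeninfo->serial_number: a NUL-terminated hex string
 * that may be blank-padded. Returns the byte count, or -1 if malformed. */
static int hex_to_bin(const char *hex, unsigned char *out, size_t outlen)
{
    size_t end = strlen(hex), i, n = 0;
    while (end > 0 && hex[end - 1] == ' ')
        end--;                                /* drop blank padding */
    if (end == 0 || end % 2 != 0)
        return -1;                            /* empty or odd digit count */
    for (i = 0; i < end; i += 2, n++) {
        int hi = hex_nibble(hex[i]), lo = hex_nibble(hex[i + 1]);
        if (hi < 0 || lo < 0 || n >= outlen)
            return -1;
        out[n] = (unsigned char)((hi << 4) | lo);
    }
    return (int)n;
}

/* Philip's proposal: EF(TokenInfo) first, SC_CARDCTL_GET_SERIALNR only as fallback.
 * Returns 0 when a serial was found, -1 when neither source has one. */
static int resolve_serial(const struct card *card, const struct tokeninfo *ti,
                          struct serial_number *out)
{
    int n = 0;
    memset(out, 0, sizeof(*out));
    if (ti != NULL && ti->serial_number != NULL)
        n = hex_to_bin(ti->serial_number, out->value, sizeof(out->value));
    if (n > 0) {
        out->len = (size_t)n;
        return 0;
    }
    if (card_ctl_get_serialnr(card, out) == 0 && out->len > 0)
        return 0;
    return -1;                                /* out->len stays 0 */
}

/* Object GUID on the non-OpenSSL path Viktor describes: Object ID followed by the
 * card serial, cut to 16 bytes. Returns -1 when there is no serial to add. */
static int object_guid(const unsigned char *id, size_t id_len,
                       const struct serial_number *serial, unsigned char guid[GUID_LEN])
{
    size_t n = id_len < GUID_LEN ? id_len : GUID_LEN, room = GUID_LEN - n;
    if (serial->len == 0)
        return -1;
    memset(guid, 0, GUID_LEN);
    memcpy(guid, id, n);
    memcpy(guid + n, serial->value, serial->len < room ? serial->len : room);
    return 0;
}

/* Thread scenarios: driver with or without the card_ctl (constructed card serial C0FFEE),
 * EF(TokenInfo) string ti_serial or NULL. Returns the resolved serial length, or -1. */
static int resolve_len(const char *ti_serial, int has_ctl)
{
    struct card c = { has_ctl, { { 0xC0, 0xFF, 0xEE }, 3 } };
    struct tokeninfo ti = { ti_serial };
    struct serial_number s;
    return resolve_serial(&c, &ti, &s) == 0 ? (int)s.len : -1;
}

/* Two cards with 4-byte serials differing in the last byte and the same id_len-byte Object
 * ID (id_len <= 20). Returns 1 if the GUIDs differ, 0 if the truncation erased the serial. */
static int guids_differ(size_t id_len)
{
    unsigned char id[20], ga[GUID_LEN], gb[GUID_LEN];
    struct serial_number a = { { 0x42, 0x42, 0x42, 0x42 }, 4 };
    struct serial_number b = { { 0x42, 0x42, 0x42, 0x43 }, 4 };
    memset(id, 0x01, sizeof(id));
    object_guid(id, id_len, &a, ga);  /* cannot fail: both serials are non-empty */
    object_guid(id, id_len, &b, gb);
    return memcmp(ga, gb, GUID_LEN) != 0;
}
```

The MUSCLE card's "0000" resolves to a valid 2-byte serial, which is exactly why every such card ends up with the same value; guids_differ(13) returns 0 because only three serial bytes fit after the ID, the truncation Viktor points out.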

Re: AT_SIGNATURE and AT_EXCHANGE Problem

Viktor Tarasov-3
In reply to this post by Douglas E Engert
On 01/24/2015 07:45 PM, Douglas E Engert wrote:
> Who added sc_pkcs15_get_object_guid to the code?
Me


> Why did it use the card->serialnr or the tokeninfo->serial_number first?
Object GUID has to be stable and sufficiently unique (at least for the cards of the same group/type/...).
In ancient OpenSC tradition the ID of PKCS#15 objects is one byte -- the same value for all cards initiated with OpenSC.

That's why the object GUID is created from the Object ID concatenated with the card's serial.
Only the first 16 bytes are needed for the GUID, so if the Object ID is long (SHA1 or similar in 'modern' OpenSC), the serial number does not (cannot) participate in the GUID.
(This is true for builds without openssl. With openssl all data participate, because they are SHA1-hashed before being used to get the GUID.)

The minidriver defines the cardid from the TokenInfo->serialnb and does not use the CARDCTL call.

We can change sc_pkcs15_get_object_guid() and make up for the absence of a supported "GET_SERIAL" CTL call
by using TokenInfo->serialnb to diversify the object GUID.
This way it will not affect the existing card support and cards.


> And it appears to be trying to get a GUID for an object, and not for the card.
Only to get the GUID of the object. The cardid in the minidriver is taken from TokenInfo.

> Will it provide the same GUID for more than one object on the card?
No. A PKCS#15 card should not have two objects of the same type and with the same Object ID.


>
>
> On 1/24/2015 9:54 AM, Philip Wendland wrote:
>>   From what I have seen, the card->serialnr is used by card driver cardctl
>> implementations to cache the serial number that is returned by
>> SC_CARDCTL_GET_SERIALNR.
>>
>> At some other places in the minidriver, the
>> p15card->tokeninfo->serial_number (char *) is converted to
>> sc_serial_number_t (u8[]) using sc_hex_to_bin(). The
>> p15card->tokeninfo->serial_number seems to be the character string
>> representation of the binary serial number.
>>
>> A solution in sc_pkcs15_get_object_guid() would be to use the
>> p15card->tokeninfo->serial_number if not NULL and convert it to bin. If
>> it is not filled in, the cardctl could be called to preserve the
>> existing behavior for cards that do not fill the tokeninfo->.. .
>> I am currently investigating where and if the tokeninfo->.. is filled
>> for several types of cards.
> I have been looking at this too and that sounds reasonable but does not cover all cards.
>
> Here is what I have so far. It is complicated because a card may have a serial number,
> but a PKCS#15 card may also have a tokenInfo file that contains a serial number.
> One or both may be missing, and they may not be the same. As you pointed out pkcs15init
> has a parameter for serial.
>
> There are cards that:
>
>    o ALWAYS set the card->serialnr.
>
>    o ONLY set the card->serialnr if a card_ctl (SC_CARDCTL_GET_SERIALNR) is made.
>
>    o DON'T set the card->serialnr because they don't support card_ctl(SC_CARDCTL_GET_SERIALNR)
>
>    o Set card->serialnr during an INIT routine. They may have a card_ctl(SC_CARDCTL_GET_SERIALNR)
>      that returns the card->serialnr.
>
> Then there are the PKCS#15 modules that set the tokeninfo->serial_number
>    o  pkcs15.c will read the tokeninfo file parse it and if present set the tokeninfo->serial_number
>       and use card->serialnr if needed.
>       BUT if there is no tokeninfo file it will not create the tokeninfo
>
>    o  PKCS15 emulation modules may also set tokeninfo->serial
>
>
> CARD SERIALNR
>
> types.h: /* structure for the card serial number (normally the ICCSN) */
> #define SC_MAX_SERIALNR         32
> typedef struct sc_serial_number {
>           unsigned char value[SC_MAX_SERIALNR];
>           size_t len;
>
>           struct sc_iin iin;
> } sc_serial_number_t;
>
> Above is contained in  sc_card_t as
>     struct sc_serial_number serialnr;
>
>    These cards drivers all refer to card->serialnr:
>
> ./libopensc/card-epass2003.c
>       ONLY epass2003_card_ctl calls epass2003_get_serialnr
>
> ./libopensc/card-authentic.c
>     ALWAYS authentic_init and authentic_card_ctl call authentic_get_serialnr
>
> ./libopensc/card-myeid.c
>       ONLY myeid_card_ctl calls myeid_get_serialnr
>
> ./libopensc/card-iasecc.c
>       ALWAYS iasecc_init and iasecc_card_ctl call iasecc_get_serialnr
>
> ./libopensc/card-starcos.c
>       ONLY starcos_card_ctl calls starcos_get_serialnr
>
> ./libopensc/card-akis.c
>       ONLY akis_card_ctl calls  akis_get_serialnr
>
> ./libopensc/card-flex.c
>     ONLY flex_card_ctl calls flex_get_serialnr
>
> ./libopensc/card-openpgp.c
>      ALWAYS pgp_init sets card->serialnr   pgp_card_ctl uses card->serialnr
>
> ./libopensc/card-cardos.c
>     ONLY cardos_card_ctl calls  cardos_get_serialnr
>
> ./libopensc/card-asepcos.c
>     ONLY asepcos_card_ctl calls asepcos_get_serialnr
>
> ./libopensc/card-piv.c
>     ONLY piv_card_ctl will call piv_get_serial_nr_from_CHUI
>
> ./libopensc/card-acos5.c
>     ONLY acos5_card_ctl calls acos5_get_serialnr
>
> ./libopensc/card-itacns.c
>     ONLY itacns_card_ctl calls itacns_get_serialnr
>
> ./libopensc/iasecc-sm.c
>     does: sm_info->serialnr = card->serialnr;
>
> ./libopensc/card-entersafe.c
>     ONLY entersafe_card_ctl_2048 calls entersafe_get_serialnr
>
> ./libopensc/card-atrust-acos.c
>     ONLY atrust_acos_card_ctl calls acos_get_serialnr
>
> ./libopensc/card-oberthur.c
>     INIT auth_select_aid sets card->serialnr, auth_card_ctl calls auth_get_serialnr which uses card->serialnr
>
> ./libopensc/card-dnie.c
>     ONLY dnie_card_ctl calls dnie_get_serialnr
>
> ./libopensc/card-gpk.c
>     ONLY gpk_card_ctl calls  gpk_get_serialnr and only supported for GPK16000
>
> ./libopensc/card-tcos.c
>     ONLY tcos_card_ctl calls tcos_get_serialnr
>
>
> TOKENINFO SERIAL_NUMBER
>
> serial number as an ASCII null-terminated printable string used in sc_pkcs15_tokeninfo
> typedef struct sc_pkcs15_tokeninfo { ...
>           char *serial_number; ...
> } sc_pkcs15_tokeninfo_t;
>
> pkcs15.c sc_pkcs15_parse_tokeninfo() converts hex to ASCII
> using
>    198                 for (ii = 0; ii < serial_len; ii++) {
>    199                         char byte[3];
>    200
>    201                         sprintf(byte, "%02X", serial[ii]);
>    202                         strcat(ti->serial_number, byte);
>    203                 }
>
>    Null terminated, and length can be found.
>
>    These files call sc_pkcs15_parse_tokeninfo:
>    ./libopensc/pkcs15-dnie.c
>    ./libopensc/pkcs15-sc-hsm.c
>    ./libopensc/pkcs15-pteid.c
>
> But why do they need to, if pkcs15.c is parsing the tokenInfo too?
>
>    ./libopensc/pkcs15.c
>       sc_pkcs15_bind_internal will try and read "EF(TokenInfo) file"
> then call sc_pkcs15_parse_tokeninfo
>
> BUT it will only do the following if there was an "EF(TokenInfo) file".
> If not, no attempt to use the card->serialnr is made.
>
> 1145         if (!p15card->tokeninfo->serial_number && card->serialnr.len)   {
> 1146                 char *serial = calloc(1, card->serialnr.len*2 + 1);
> 1147                 size_t ii;
> 1148
> 1149                 for(ii=0;ii<card->serialnr.len;ii++)
> 1150                         sprintf(serial + ii*2, "%02X", *(card->serialnr.value + ii));
> 1151
> 1152                 p15card->tokeninfo->serial_number = serial;
>
> ./libopensc/pkcs15-openpgp.c
> sc_pkcs15emu_openpgp_init will use serialnr if present, and set tokeninfo->serial_number
>
> ./libopensc/pkcs15-oberthur.c
>     sc_pkcs15emu_oberthur_init will use serialnr if present, and set tokeninfo->serial_number
>
> What should other pkcs15 emulation modules be doing?
>
>
>> An open question for PKCS#15-cards is if the number found in
>> EF(TokenInfo) is (a) always present and (b) is equal to what is returned
>> by the cardctl function currently used in the minidriver.
>>
>> On 01/23/2015 08:42 PM, Douglas E Engert wrote:
>>> OK, a step in the right direction, but any change must make sure the sc_pkcs15_get_object_guid()
>>> returns the same thing as it does now for existing cards.
>>> The pkcs15->tokeninfo contains a char* up to 32 bytes, but no length, and may be padded with blanks.
>>> The card->serialnr is hex. Some research on what OpenSC is doing for all cards may be needed,
>>> if a change is to be made in only sc_pkcs15_get_object_guid.
>>> Not clear if the card->serialnr is filled in from pkcs15->tokeninfo.
>>>
>>> On 1/23/2015 11:08 AM, Philip Wendland wrote:
>>>> On 01/23/2015 04:54 PM, Douglas E Engert wrote:
>>>>> After looking closer at the code for minidriver, serial number and card_ctl...
>>>>>
>>>>> The minidriver in md_set_cardid() uses the serial number from
>>>>> p15card->tokeninfo->serial_number
>>>>>
>>>>> The minidriver also calls sc_pkcs15_get_object_guid() in pkcs15.c which *does* call
>>>>> sc_card_ctl(p15card->card, SC_CARDCTL_GET_SERIALNR, &serialnr);
>>>>>
>>>>> ***THIS MAY BE THE PROBLEM***
>>>>>
>>>>> Why does  sc_pkcs15_get_object_guid not use p15card->tokeninfo->serial_number?
>>>>>
>>>>> PKCS#15 defines the ASN.1 TokenInfo which has serialNumber OCTET STRING.
>>>>>
>>>>> Do all PKCS#15 cards have this file?
>>>>> Do they all fill in the serial_number?
>>>>>
>>>>> For cards doing PKCS#15 emulation, their pkcs15-*.c drivers should be filling in the
>>>>> p15card->tokeninfo->serial_number.
>>>>>
>>>>> Thus the minidriver should not depend on card-ctl if the p15card->tokeninfo->serial_number
>>>>> is properly filled in.
>>>>>
>>>>> So the requirement for windows that a card driver have a card_ctl for serial_number
>>>>> may be that the p15card->tokeninfo->serial_number must be filled in.
>>>>>
>>>> Very interesting find.
>>>>
>>>> See also:
>>>> $ pkcs15-tool -D
>>>> PKCS#15 Card [JavaCard isoApplet]:
>>>> Version        : 0
>>>> Serial number  : 0000
>>>>
>>>> I think this is the serial number from the EF(TokenInfo). Version seems
>>>> to be TokenInfo.version defined in PKCS#15, namely the PKCS#15 version
>>>> the card conforms to.
>>>>
>>>> I followed the code path in pkcs15-init from creating the file
>>>> structure. It goes to do_init_app(), which calls sc_pkcs15init_add_app()
>>>> in pkcs15-lib.c.
>>>> The code at line 866 ff. seems to fit very well to your point (that the
>>>> minidriver should first read the EF(TokenInfo), and call the cardctl
>>>> only if this is not possible):
>>>>
>>>> /* set serial number if explicitly specified */
>>>> if (args->serial)   {
>>>> sc_pkcs15init_set_serial(profile, args->serial);
>>>> }
>>>> else {
>>>> /* otherwise try to get the serial number from the card */
>>>> struct sc_serial_number serialnr;
>>>> r = sc_card_ctl(card, SC_CARDCTL_GET_SERIALNR, &serialnr);
>>>> (...)
>>>>
>>>>
>>>> Here is an example of how to set the IsoApplet up with a serial number
>>>> in EF(TokenInfo) (without any modification to the driver or applet):
>>>>
>>>> [*@*]$ pkcs15-init -C --serial 42424242424242424242424242424242
>>>> Using reader with a card: Cherry GmbH SmartTerminal ST-2xxx [Vendor
>>>> Interface] (21121440179920) 00 00
>>>> New User PIN.
>>>> Please enter User PIN:
>>>> Please type again to verify:
>>>> Unblock Code for New User PIN (Optional - press return for no PIN).
>>>> Please enter User unblocking PIN (PUK):
>>>> Please type again to verify:
>>>> User PIN [User PIN] required.
>>>> Please enter User PIN [User PIN]:
>>>>
>>>> [*@*]$ pkcs15-tool -D
>>>> Using reader with a card: Cherry GmbH SmartTerminal ST-2xxx [Vendor
>>>> Interface] (21121440179920) 00 00
>>>> PKCS#15 Card [JavaCard isoApplet]:
>>>> Version        : 0
>>>> Serial number  : 42424242424242424242424242424242
>>>>
>>>>
>>>> So with changing the minidriver accordingly, it should be able to get
>>>> the serial number.
>>>>
>>>>> Even Microsoft does not require a serial number, but a CP_CARD_GUID that in their abstraction
>>>>> of a smart card is contained in the cardId file.
>>>>> See https://msdn.microsoft.com/en-us/library/windows/hardware/dn631754
>>>>> Under V7.07, Section 5.4.1 Card Identifier.
>>>>>
>>>> Interesting as well:
>>>> "This value is assigned by Microsoft software to assure that a unique
>>>> value is generated for the card. It is unrelated to the serial number
>>>> that may or may not be assigned to the card during manufacture."
>>>>
>>>>
>>>>> For example the PIV card edge specifications are defined by NIST, and implemented
>>>>> by multiple vendors. There is no "serial number" or a cardId file, but there is an object
>>>>> defined called the CHUID.
>>>>>
>>>>>      https://www.idmanagement.gov/sites/default/files/documents/PACS.pdf
>>>>>
>>>>> It contains a "Federal Agency Smart Credential Number" (FASC-N) which was used
>>>>> by the U.S. federal government, but to make the specifications more  usable for
>>>>> non-government, it can also contain a GUID. Section 2 of the above goes into
>>>>> detail on these.
>>>>>
>>>>> The OpenSC PIV card driver is emulating PKCS#15, so to get a serial number,
>>>>> pkcs15-piv.c uses card_ctl to have the card-piv.c read the CHUID,
>>>>> and use the FASC-N or GUID as defined above. The Microsoft built-in driver will
>>>>> also use the CHUID, and derive a number it can use as the cardId.
>>>>>
>>>>> The point being, the intent is to give Microsoft a unique number for a card,
>>>>> unique in the sense that all the cards used on a local system have different numbers.
>>>>> (Other uses of the number may require it to be global unique...)
>>>>>
>>>>> The same number should be returned by the card each time so cached certificates
>>>>> can be associated with a card containing the matching key.
>>>>>
>>>>> How that number is obtained for the card is up to the applet.
>>>>>
>>>>>>> Nevertheless, the presence of the "get serial" card control is out of sync
>>>>>>> with the rest of the framework. Why is there a mandatory "extension" for
>>>>>>> something that should be part of the core?
>>>>> Because it is only mandatory for some systems. It was an afterthought; otherwise ISO 7816
>>>>> would have defined a serial number.
>>>>>
>>>>>
>>>>> It either should be a required
>>>>>>> part of the usual card function structure, maybe with some sensible
>>>>>>> defaults or fallbacks or the "serial" must derived from some unique data
>>>>>>> (certificate?) if the callback is not there or no data present.
>>>>> Yes, but if the card has many certificates, that can be changed independently,
>>>>> that will not work very well.
>>>>>
>>>>> One of the first OpenSC commands a user tries is opensc-tool --serial
>>>>> 23 of the 33 or so card-*.c support reading a serial number, because it
>>>>> is still optional.
>>>>>
>>>>> Thus the minidriver in md_set_cardid() uses the serial number from
>>>>> p15card->tokeninfo->serial_number
>>>>>
>>>>> The minidriver also calls sc_pkcs15_get_object_guid() in pkcs15.c which does call
>>>>> sc_card_ctl(p15card->card, SC_CARDCTL_GET_SERIALNR, &serialnr);
>>>>>
>>>>> ***THIS MAY BE THE PROBLEM***
>>>>>
>>>>> Should sc_pkcs15_get_object_guid at p15card->tokeninfo->serial_number?
>>>>>
>>>>> For a PKCS#15 card with the tokeninfo there
>>>>> is ASN.1 TokenInfo which has serialNumber OCTET STRING.
>>>>>
>>>>> For cards doing PKCS#15 emulation, their pkcs15-*.c drivers should be filling in the
>>>>> p15card->tokeninfo->serial_number.
>>>>>
>>>>> Thus the minidriver should not depend on cardctl if the
>>>>>
>>>>>
>>>>>
>>>>>> I kind of agree. When writing card drivers for OpenSC you usually look
>>>>>> at the sc_card_operations struct, for me it was not clear for a long
>>>>>> time that the SC_CARDCTL_GET_SERIALNR cardctl is required for windows
>>>>>> functionality.
>>>>>> (Windows-support was never a requirement for the isoapplet anyway,
>>>>>> until now.)
>>>>> I would expect nowadays, Windows support would be highly desirable,
>>>>> and the OpenSC minidriver can do that if there is a way to get a serial number
>>>>> from the card driver.
>>>>>
>>>>>
>>>>>>> The question is how to "grow" the framework: either extend the card
>>>>>>> function pointers (that right now is almost 1:1 ISO and old, first
>>>>>>> implementations) or via card controls. I would choose extending the card
>>>>>>> function pointers.
>>>>>>>
>>>>>>> Also, the requirements for the "serial" must be written down: for
>>>>>>> example, if the serial remains the same but card content changes, does this
>>>>>>> matter? does this affect some caching somewhere? Is the serial binary or
>>>>>>> string, how long? Is it supposed to be globally unique or just for a batch?
>>>>>>>
>>>>>>> Martin
>>>>>>>
>>>>>>> On Mon Jan 19 2015 at 7:55:44 PM Philip Wendland <[hidden email]>
>>>>>>> wrote:
>>>>>>>
>>>>>>>> Hi,
>>>>>>>>
>>>>>>>> I will try to solve this problem for the IsoApplet this weekend. My
>>>>>>>> spare time is limited until then.
>>>>>>>>
>>>>>>>> However, the problem will be to find a unique identifier for any generic
>>>>>>>> card..
>>>>>>>>
>>>>>>>> Kind regards,
>>>>>>>> Philip
>>>>>>>>
>>>>>>>> On 19.01.2015 17:26, Douglas E Engert wrote:
>>>>>>>>> [I should have sent this to the opensc-devel, as others can address some of your questions about the state of the muscle applet and isoapplet].
>>>>>>>>>
>>>>>>>>> No, That fix was for the card-itacns.c, you are using the card-muscle.c.
>>>>>>>>>
>>>>>>>>> Some equivalent code needs to be added to card-muscle.c, to use whatever information is available that windows could use to uniquely identify the card. This is then stored with the certificates in the windows store.
>>>>>>>>> At a later time, windows uses certificates from the store and can then prompt to have the card mounted, so it can use the matching key on the card.
>>>>>>>>>
>>>>>>>>> You or someone else that can test a mod to card-muscle.c could submit a code change.
>>>>>>>>> There are 33 card-*.c files, 24 support SC_CARDCTL_GET_SERIALNR. 11 do not.
>>>>>>>>> card-belpic.c
>>>>>>>>> card-default.c
>>>>>>>>> card-gemsafeV1.c
>>>>>>>>> card-ias.c
>>>>>>>>> card-incrypto34.c
>>>>>>>>> card-jcop.c
>>>>>>>>> card-mcrd.c
>>>>>>>>> card-miocos.c
>>>>>>>>> card-muscle.c
>>>>>>>>> card-setcos.c
>>>>>>>>> iso7816.c
>>>>>>>>>
>>>>>>>>> Cards that support SC_CARDCTL_GET_SERIALNR
>>>>>>>>> card-acos5.c
>>>>>>>>> card-akis.c
>>>>>>>>> card-asepcos.c
>>>>>>>>> card-atrust-acos.c
>>>>>>>>> card-authentic.c
>>>>>>>>> card-cardos.c
>>>>>>>>> card-dnie.c
>>>>>>>>> card-entersafe.c
>>>>>>>>> card-epass2003.c
>>>>>>>>> card-flex.c
>>>>>>>>> card-gpk.c
>>>>>>>>> card-iasecc.c
>>>>>>>>> card-itacns.c
>>>>>>>>> card-myeid.c
>>>>>>>>> card-oberthur.c
>>>>>>>>> card-openpgp.c
>>>>>>>>> card-piv.c
>>>>>>>>> card-rtecp.c
>>>>>>>>> card-rutoken.c
>>>>>>>>> card-sc-hsm.c
>>>>>>>>> card-starcos.c
>>>>>>>>> card-tcos.c
>>>>>>>>> card-westcos.c
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> To answer some other questions you asked in a private e-mail:
>>>>>>>>>
>>>>>>>>> iso7816.c which implements the basic ISO commands does not support any card_ctl commands.
>>>>>>>>> I believe that the IsoApplet is designed to use the iso7816.c. I am not sure if the concept of a unique "serial number" is part of ISO7816.
>>>>>>>>>
>>>>>>>>> I also don't know the state of the muscle applet, or if it has something that can be used as a serial number either.
>>>>>>>>>
>>>>>>>>>
>>>>>>>>> On 1/19/2015 8:37 AM, Michael Heydemann wrote:
>>>>>>>>>> WOW.. Thank you a lot.. I think I owe you a beer..
>>>>>>>>>>
>>>>>>>>>> I checked the fix is from November last year, and the 0.14 version is from summer last year.
>>>>>>>>>> Does this mean, that the nightly build could fix this?
>>>>>>>>>> What version I should pull/download?
>>>>>>>>>>
>>>>>>>>>> Thank you a lot,
>>>>>>>>>> Michael
>>>>>>>>>>
>>>>>>>>>>> Am 19.01.2015 um 14:35 schrieb Douglas E Engert <[hidden email]>:
>>>>>>>>>>>
>>>>>>>>>>> This is the same problem as:
>>>>>>>>>>>
>>>>>>>>>>>       https://github.com/OpenSC/OpenSC/pull/321
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> 2015-01-19 09:49:34.203 [cardmod] card.c:720:sc_card_ctl: called
>>>>>>>>>>> 2015-01-19 09:49:34.203 card_ctl(5) not supported
>>>>>>>>>>>
>>>>>>>>>>> The card-muscle.c (and others in OpenSC) does not support SC_CARDCTL_GET_SERIALNR
>>>>>>>>>>> to get a card "serial number" which windows requires.
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> On 1/19/2015 3:30 AM, Michael Heydemann wrote:
>>>>>>>>>>>> Dear OpenSC Development Team,
>>>>>>>>>>>>
>>>>>>>>>>>> First of all, I would like to say that I really appreciate your great work.
>>>>>>>>>>>> I am working on a little project and explored all the nice tools of OpenSC.
>>>>>>>>>>>> Unfortunately since one week I cannot get around a certain problem.
>>>>>>>>>>>> I hope this mailing list is the right place and you can help me with that.
>>>>>>>>>>>>
>>>>>>>>>>>> My project is about (1) setting up a PKCS#11 key store on a Java Card,
>>>>>>>>>>>> (2) loading some test data (keys and certificates) on it, and (3) using the card
>>>>>>>>>>>> with the Windows 7 Key Management.
>>>>>>>>>>>>
>>>>>>>>>>>> Hardware:
>>>>>>>>>>>> * Card Reader: Omnikey 3121USB
>>>>>>>>>>>> * Java Card: J2A080 - NXP, 80k
>>>>>>>>>>>>
>>>>>>>>>>>> (1) Setting up PKCS#11 key store:
>>>>>>>>>>>> I have installed Ubuntu 14.04.1 in VirtualBox and wrote a bunch of bash scripts
>>>>>>>>>>>> to install all required software, installing muscle applet to the card, and
>>>>>>>>>>>> removing the muscle applet from the card. I followed the instructions on
>>>>>>>>>>>> _http://blog.ev0ke.net/muscle-jcop/_ and everything worked well.
>>>>>>>>>>>>
>>>>>>>>>>>> (2) Loading some test data:
>>>>>>>>>>>> I tried some different ways to get some keys and certificates on the card.
>>>>>>>>>>>> None of them delivered data which is accepted by Windows 7.
>>>>>>>>>>>> Here is one set of data I created:
>>>>>>>>>>>>
>>>>>>>>>>>> ***************************************************************************************
>>>>>>>>>>>> Using reader with a card: OMNIKEY CardMan (076B:3022) 3021 00 00
>>>>>>>>>>>> PKCS#15 Card [MUSCLE]:
>>>>>>>>>>>> Version        : 0
>>>>>>>>>>>> Serial number  : 0000
>>>>>>>>>>>> Manufacturer ID: Identity Alliance
>>>>>>>>>>>> Last update    : 20150119080705Z
>>>>>>>>>>>> Flags          : EID compliant
>>>>>>>>>>>>
>>>>>>>>>>>> PIN [User PIN]
>>>>>>>>>>>> Object Flags   : [0x3], private, modifiable
>>>>>>>>>>>> ID             : 01
>>>>>>>>>>>> Flags          : [0x10], initialized
>>>>>>>>>>>> Length         : min_len:4, max_len:8, stored_len:8
>>>>>>>>>>>> Pad char       : 0x00
>>>>>>>>>>>> Reference      : 1
>>>>>>>>>>>> Type           : ascii-numeric
>>>>>>>>>>>> Path           : 3f005015
>>>>>>>>>>>>
>>>>>>>>>>>> Private RSA Key [Card Owner]
>>>>>>>>>>>> Object Flags   : [0x3], private, modifiable
>>>>>>>>>>>> Usage          : [0x2E], decrypt, sign, signRecover, unwrap
>>>>>>>>>>>> Access Flags   : [0x0]
>>>>>>>>>>>> ModLength      : 1024
>>>>>>>>>>>> Key ref        : 0 (0x0)
>>>>>>>>>>>> Native         : yes
>>>>>>>>>>>> Path           : 3f005015
>>>>>>>>>>>> Auth ID        : 01
>>>>>>>>>>>> ID             : 01
>>>>>>>>>>>>
>>>>>>>>>>>> Public RSA Key [Card Owner]
>>>>>>>>>>>> Object Flags   : [0x2], modifiable
>>>>>>>>>>>> Usage          : [0xD1], encrypt, wrap, verify, verifyRecover
>>>>>>>>>>>> Access Flags   : [0x0]
>>>>>>>>>>>> ModLength      : 1024
>>>>>>>>>>>> Key ref        : 0
>>>>>>>>>>>> Native         : no
>>>>>>>>>>>> Path           : 3f0050153000
>>>>>>>>>>>> ID             : 01
>>>>>>>>>>>>
>>>>>>>>>>>> X.509 Certificate [Card Owner Certificate]
>>>>>>>>>>>> Object Flags   : [0x2], modifiable
>>>>>>>>>>>> Authority      : no
>>>>>>>>>>>> Path           : 3f0050153100
>>>>>>>>>>>> ID             : 01
>>>>>>>>>>>> Encoded serial : 02 09 00F695059953A904F9
>>>>>>>>>>>>
>>>>>>>>>>>> X.509 Certificate [Contact 2 Certificate]
>>>>>>>>>>>> Object Flags   : [0x2], modifiable
>>>>>>>>>>>> Authority      : no
>>>>>>>>>>>> Path           : 3f0050153101
>>>>>>>>>>>> ID             : 02
>>>>>>>>>>>> Encoded serial : 02 09 00F695059953A904F9
>>>>>>>>>>>>
>>>>>>>>>>>> X.509 Certificate [Contact 3 Certificate]
>>>>>>>>>>>> Object Flags   : [0x2], modifiable
>>>>>>>>>>>> Authority      : no
>>>>>>>>>>>> Path           : 3f0050153102
>>>>>>>>>>>> ID             : 03
>>>>>>>>>>>> Encoded serial : 02 09 00F695059953A904F9
>>>>>>>>>>>>
>>>>>>>>>>>> X.509 Certificate [Contact 4 Certificate]
>>>>>>>>>>>> Object Flags   : [0x2], modifiable
>>>>>>>>>>>> Authority      : no
>>>>>>>>>>>> Path           : 3f0050153103
>>>>>>>>>>>> ID             : 04
>>>>>>>>>>>> Encoded serial : 02 09 00F695059953A904F9
>>>>>>>>>>>>
>>>>>>>>>>>> X.509 Certificate [Contact 5 Certificate]
>>>>>>>>>>>> Object Flags   : [0x2], modifiable
>>>>>>>>>>>> Authority      : no
>>>>>>>>>>>> Path           : 3f0050153104
>>>>>>>>>>>> ID             : 05
>>>>>>>>>>>> Encoded serial : 02 09 00F695059953A904F9
>>>>>>>>>>>> ***************************************************************************************
>>>>>>>>>>>> (3) Using the card in Windows 7:
>>>>>>>>>>>> I installed Windows 7  64 Bit in a VirtualBox and installed
>>>>>>>>>>>> OpenSC-0.12.2-win64.msi. I also tried OpenSC-0.14.0-win64.msi,
>>>>>>>>>>>> but with same result.
>>>>>>>>>>>> I acquired the ATR of the card and properly installed my opens-minidriver.inf:
>>>>>>>>>>>> ***************************************************************************************
>>>>>>>>>>>> [Version]
>>>>>>>>>>>> Signature="$Windows NT$"
>>>>>>>>>>>> Class=SmartCard
>>>>>>>>>>>> ClassGuid={990A2BD7-E738-46c7-B26F-1CF8FB9F1391}
>>>>>>>>>>>> Provider=%ProviderName%
>>>>>>>>>>>> CatalogFile=delta.cat
>>>>>>>>>>>> DriverVer=05/02/2010,@OPENSC_VERSION_MAJOR@,@OPENSC_VERSION_MINOR@,@OPENSC_VERSION_FIX@,0
>>>>>>>>>>>> [Manufacturer]
>>>>>>>>>>>> %ProviderName%=Minidriver,NTamd64,NTamd64.6.1,NTx86,NTx86.6.1
>>>>>>>>>>>>
>>>>>>>>>>>> [Minidriver.NTamd64]
>>>>>>>>>>>> %CardDeviceName%=Minidriver64_Install,SCFILTER\CID_00640181010c829000
>>>>>>>>>>>>
>>>>>>>>>>>> [Minidriver.NTx86]
>>>>>>>>>>>> %CardDeviceName%=Minidriver32_Install,SCFILTER\CID_00640181010c829000
>>>>>>>>>>>>
>>>>>>>>>>>> [Minidriver.NTamd64.6.1]
>>>>>>>>>>>> %CardDeviceName%=Minidriver64_61_Install,SCFILTER\CID_00640181010c829000
>>>>>>>>>>>> [Minidriver.NTx86.6.1]
>>>>>>>>>>>> %CardDeviceName%=Minidriver32_61_Install,SCFILTER\CID_00640181010c829000
>>>>>>>>>>>> [DefaultInstall]
>>>>>>>>>>>> CopyFiles=x86_CopyFiles
>>>>>>>>>>>> AddReg=AddRegDefault
>>>>>>>>>>>>
>>>>>>>>>>>> [DefaultInstall.ntamd64]
>>>>>>>>>>>> CopyFiles=amd64_CopyFiles
>>>>>>>>>>>> CopyFiles=wow64_CopyFiles
>>>>>>>>>>>> AddReg=AddRegWOW64
>>>>>>>>>>>> AddReg=AddRegDefault
>>>>>>>>>>>>
>>>>>>>>>>>> [DefaultInstall.NTx86]
>>>>>>>>>>>> CopyFiles=x86_CopyFiles
>>>>>>>>>>>> AddReg=AddRegDefault
>>>>>>>>>>>>
>>>>>>>>>>>> [DefaultInstall.ntamd64.6.1]
>>>>>>>>>>>> AddReg=AddRegWOW64
>>>>>>>>>>>> AddReg=AddRegDefault
>>>>>>>>>>>>
>>>>>>>>>>>> [DefaultInstall.NTx86.6.1]
>>>>>>>>>>>> AddReg=AddRegDefault
>>>>>>>>>>>>
>>>>>>>>>>>> [SourceDisksFiles]
>>>>>>>>>>>> %SmartCardCardModule%=1
>>>>>>>>>>>> %SmartCardCardModule64%=1
>>>>>>>>>>>>
>>>>>>>>>>>> [SourceDisksNames]
>>>>>>>>>>>> 1 = %MediaDescription%
>>>>>>>>>>>>
>>>>>>>>>>>> [Minidriver64_Install.NT]
>>>>>>>>>>>> CopyFiles=amd64_CopyFiles
>>>>>>>>>>>> CopyFiles=wow64_CopyFiles
>>>>>>>>>>>> AddReg=AddRegWOW64
>>>>>>>>>>>> AddReg=AddRegDefault
>>>>>>>>>>>>
>>>>>>>>>>>> [Minidriver64_61_Install.NT]
>>>>>>>>>>>> AddReg=AddRegWOW64
>>>>>>>>>>>> AddReg=AddRegDefault
>>>>>>>>>>>> Include=umpass.inf
>>>>>>>>>>>> Needs=UmPass
>>>>>>>>>>>>
>>>>>>>>>>>> [Minidriver32_Install.NT]
>>>>>>>>>>>> CopyFiles=x86_CopyFiles
>>>>>>>>>>>> AddReg=AddRegDefault
>>>>>>>>>>>>
>>>>>>>>>>>> [Minidriver32_61_Install.NT]
>>>>>>>>>>>> AddReg=AddRegDefault
>>>>>>>>>>>> Include=umpass.inf
>>>>>>>>>>>> Needs=UmPass
>>>>>>>>>>>>
>>>>>>>>>>>> [Minidriver64_61_Install.NT.Services]
>>>>>>>>>>>> Include=umpass.inf
>>>>>>>>>>>> Needs=UmPass.Services
>>>>>>>>>>>>
>>>>>>>>>>>> [Minidriver32_61_Install.NT.Services]
>>>>>>>>>>>> Include=umpass.inf
>>>>>>>>>>>> Needs=UmPass.Services
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>> [Minidriver64_61_Install.NT.HW]
>>>>>>>>>>>> Include=umpass.inf
>>>>>>>>>>>> Needs=UmPass.HW
>>>>>>>>>>>>
>>>>>>>>>>>> [Minidriver64_61_Install.NT.CoInstallers]
>>>>>>>>>>>> Include=umpass.inf
>>>>>>>>>>>> Needs=UmPass.CoInstallers
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>> [Minidriver64_61_Install.NT.Interfaces]
>>>>>>>>>>>> Include=umpass.inf
>>>>>>>>>>>> Needs=UmPass.Interfaces
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>> [Minidriver32_61_Install.NT.HW]
>>>>>>>>>>>> Include=umpass.inf
>>>>>>>>>>>> Needs=UmPass.HW
>>>>>>>>>>>>
>>>>>>>>>>>> [Minidriver32_61_Install.NT.CoInstallers]
>>>>>>>>>>>> Include=umpass.inf
>>>>>>>>>>>> Needs=UmPass.CoInstallers
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>> [Minidriver32_61_Install.NT.Interfaces]
>>>>>>>>>>>> Include=umpass.inf
>>>>>>>>>>>> Needs=UmPass.Interfaces
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>> [amd64_CopyFiles]
>>>>>>>>>>>> ;%SmartCardCardModule%,%SmartCardCardModule64%
>>>>>>>>>>>>
>>>>>>>>>>>> [x86_CopyFiles]
>>>>>>>>>>>> ;%SmartCardCardModule%
>>>>>>>>>>>>
>>>>>>>>>>>> [wow64_CopyFiles]
>>>>>>>>>>>> ;%SmartCardCardModule64%
>>>>>>>>>>>>
>>>>>>>>>>>> [AddRegWOW64]
>>>>>>>>>>>> HKLM, %SmartCardNameWOW64%,"ATR",0x00000001,3b,f8,13,00,00,81,31,fe,45,4A,43,4f,50,76,32,34,31,b7
>>>>>>>>>>>> HKLM, %SmartCardNameWOW64%,"ATRMask",0x00000001,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff
>>>>>>>>>>>> HKLM, %SmartCardNameWOW64%,"Crypto Provider",0x00000000,"Microsoft Base Smart Card Crypto Provider"
>>>>>>>>>>>> HKLM, %SmartCardNameWOW64%,"Smart Card Key Storage Provider",0x00000000,"Microsoft Smart Card Key Storage Provider"
>>>>>>>>>>>> HKLM, %SmartCardNameWOW64%,"80000001",0x00000000,%SmartCardCardModule64%
>>>>>>>>>>>>
>>>>>>>>>>>> [AddRegDefault]
>>>>>>>>>>>> HKLM, %SmartCardName%,"ATR",0x00000001,3b,f8,13,00,00,81,31,fe,45,4A,43,4f,50,76,32,34,31,b7
>>>>>>>>>>>> HKLM, %SmartCardName%,"ATRMask",0x00000001,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff
>>>>>>>>>>>> HKLM, %SmartCardName%,"Crypto Provider",0x00000000,"Microsoft Base Smart Card Crypto Provider"
>>>>>>>>>>>> HKLM, %SmartCardName%,"Smart Card Key Storage Provider",0x00000000,"Microsoft Smart Card Key Storage Provider"
>>>>>>>>>>>> HKLM, %SmartCardName%,"80000001",0x00000000,%SmartCardCardModule%
>>>>>>>>>>>>
>>>>>>>>>>>> [DestinationDirs]
>>>>>>>>>>>> amd64_CopyFiles=10,system32
>>>>>>>>>>>> x86_CopyFiles=10,system32
>>>>>>>>>>>> wow64_CopyFiles=10,syswow64
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>> ; =================== Generic ==================================
>>>>>>>>>>>>
>>>>>>>>>>>> [Strings]
>>>>>>>>>>>> ProviderName="OpenSC"
>>>>>>>>>>>> MediaDescription="OpenSC Card Minidriver Installation Disk"
>>>>>>>>>>>> CardDeviceName="Muscle Card"
>>>>>>>>>>>> SmartCardName="SOFTWARE\Microsoft\Cryptography\Calais\SmartCards\Muscle Card"
>>>>>>>>>>>> SmartCardNameWOW64="SOFTWARE\Wow6432Node\Microsoft\Cryptography\Calais\SmartCards\Muscle Card"
>>>>>>>>>>>> SmartCardCardModule="opensc-minidriver.dll"
>>>>>>>>>>>> ***************************************************************************************
>>>>>>>>>>>> When the card is inserted the driver is used as shown in device manager
>>>>>>>>>>>> as well as in certutil.exe.
>>>>>>>>>>>> Now here is the actual problem:
>>>>>>>>>>>> When I try to use the card with certutil.exe -SCinfo several times a dialog pops up
>>>>>>>>>>>> complaining that the card does not have the required functions.
>>>>>>>>>>>> The terminal output is like this. I am sorry for pasting this in German.
>>>>>>>>>>>> I added some translations:
>>>>>>>>>>>>
>>>>>>>>>>>> ***************************************************************************************
>>>>>>>>>>>> Microsoft Windows [Version 6.1.7601]
>>>>>>>>>>>> Copyright (c) 2009 Microsoft Corporation. Alle Rechte vorbehalten.
>>>>>>>>>>>>
>>>>>>>>>>>> C:\Users\developer>certutil -scinfo
>>>>>>>>>>>> Die Microsoft Smartcard-Ressourcenverwaltung wird ausgeführt.
>>>>>>>>>>>> Aktueller Leser-/Kartenstatus: (Current Reader/Card Status)
>>>>>>>>>>>> Leser: 1 (Reader: 1)
>>>>>>>>>>>>        0: OMNIKEY CardMan 3x21 0
>>>>>>>>>>>> --- Leser: OMNIKEY CardMan 3x21 0 (Reader)
>>>>>>>>>>>> --- Status: SCARD_STATE_PRESENT | SCARD_STATE_UNPOWERED
>>>>>>>>>>>> --- Status: Die Smartcard kann verwendet werden.
>>>>>>>>>>>> ---  Karte: Muscle Card
>>>>>>>>>>>> ---    ATR:
>>>>>>>>>>>>              3b f8 13 00 00 81 31 fe  45 4a 43 4f 50 76 32 34      ;.....1.EJCOPv24
>>>>>>>>>>>>              31 b7                                              1.
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>> =======================================================
>>>>>>>>>>>> Karte im Leser wird analysiert: OMNIKEY CardMan 3x21 0 (Trans: The card in the reader is being analyzed)
>>>>>>>>>>>> --------------===========================--------------
>>>>>>>>>>>> ================ Zertifikat 0 ================ (Trans: Certificate 0)
>>>>>>>>>>>> --- Leser: OMNIKEY CardMan 3x21 0 (Reader)
>>>>>>>>>>>> ---  Karte: Muscle Card
>>>>>>>>>>>> Anbieter = Microsoft Base Smart Card Crypto Provider
>>>>>>>>>>>> Schlüsselcontainer = (null) [Standardcontainer] (Trans: standard container)
>>>>>>>>>>>> Schlüssel "AT_SIGNATURE" kann nicht geöffnet werden für Leser: OMNIKEY CardMan 3x21 0 (Trans: Key "AT_SIGNATURE" could not be opened)
>>>>>>>>>>>> Schlüssel "AT_KEYEXCHANGE" kann nicht geöffnet werden für Leser: OMNIKEY CardMan 3x21 0 (Trans: Key "AT_KEYEXCHANGE" could not be opened)
>>>>>>>>>>>>
>>>>>>>>>>>> --------------===========================--------------
>>>>>>>>>>>> ================ Zertifikat 0 ================
>>>>>>>>>>>> --- Leser: OMNIKEY CardMan 3x21 0
>>>>>>>>>>>> ---  Karte: Smart Security Device (Brainchild)
>>>>>>>>>>>> Anbieter = Microsoft Smart Card Key Storage Provider
>>>>>>>>>>>> Schlüsselcontainer = (null) [Standardcontainer]
>>>>>>>>>>>>
>>>>>>>>>>>> Schlüssel "" kann nicht geöffnet werden für Leser: OMNIKEY CardMan 3x21 0 (Trans: Key "" could not be opened)
>>>>>>>>>>>> --------------===========================--------------
>>>>>>>>>>>>
>>>>>>>>>>>> Fertig.
>>>>>>>>>>>> CertUtil: -SCInfo-Befehl wurde erfolgreich ausgeführt. (Trans: -SCinfo command has been executed with success)
>>>>>>>>>>>> ***************************************************************************************
>>>>>>>>>>>> I also configured to use a log file in opensc.conf and debug level 9.
>>>>>>>>>>>> Unfortunately the file is about 2.5 MB. I try to add it as an attachment to this mail,
>>>>>>>>>>>> but I am not sure if this is working with a mailing list.
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>> I already inspected the log, but found nothing suspicious.
>>>>>>>>>>>> I think maybe there has to be a private key marked
>>>>>>>>>>>> for use as AT_SIGNATURE and one for AT_EXCHANGE.
>>>>>>>>>>>> But how?
>>>>>>>>>>>>
>>>>>>>>>>>> Or maybe I am completely wrong and something different is going wrong.
>>>>>>>>>>>>
>>>>>>>>>>>> Any help would be appreciated!
>>>>>>>>>>>>
>>>>>>>>>>>> Best Regards,
>>>>>>>>>>>> Michael
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>> ------------------------------------------------------------
>>>>>>>> ------------------
>>>>>>>>>>>> New Year. New Location. New Benefits. New Data Center in Ashburn, VA.
>>>>>>>>>>>> GigeNET is offering a free month of service with a new server in
>>>>>>>> Ashburn.
>>>>>>>>>>>> Choose from 2 high performing configs, both with 100TB of bandwidth.
>>>>>>>>>>>> Higher redundancy.Lower latency.Increased capacity.Completely
>>>>>>>> compliant.
>>>>>>>>>>>> http://p.sf.net/sfu/gigenet
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>> _______________________________________________
>>>>>>>>>>>> Opensc-devel mailing list
>>>>>>>>>>>> [hidden email]
>>>>>>>>>>>> https://lists.sourceforge.net/lists/listinfo/opensc-devel
>>>>>>>>>>>>
>>>>>>>>>>> --
>>>>>>>>>>>
>>>>>>>>>>>       Douglas E. Engert  <[hidden email]>
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>
>>>>
>>


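As an added example (not code from the thread, OpenSC or Microsoft), the Python below reproduces the ATR/ATRMask comparison behind the "Karte: Muscle Card" line in the certutil output quoted above, using the ATR and ATRMask registry lines from the quoted INF. The equal-length rule in atr_matches and the "JCOPv242" ATR are assumptions made here, not taken from the thread.

```python
"""Added example (not code from the thread, OpenSC or Microsoft): reproduce the
ATR/ATRMask comparison behind certutil's '--- Karte: Muscle Card' line, from the
REG_BINARY AddReg lines of the quoted INF and the ATR dump certutil printed."""
import re

# Constructed copy of the two [AddRegDefault] lines from the quoted INF
# (mail line-wrapping removed).
INF_ADDREG = (
    'HKLM, %SmartCardName%,"ATR",0x00000001,'
    '3b,f8,13,00,00,81,31,fe,45,4A,43,4f,50,76,32,34,31,b7\n'
    'HKLM, %SmartCardName%,"ATRMask",0x00000001,'
    'ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff\n'
)
# Constructed copy of the ATR block from the certutil -scinfo output above.
CERTUTIL_ATR_DUMP = (
    "---    ATR:\n"
    "             3b f8 13 00 00 81 31 fe  45 4a 43 4f 50 76 32 34      ;.....1.EJCOPv24\n"
    "             31 b7                                              1.\n"
)
# Constructed ATR of a hypothetical card whose historical bytes read "JCOPv242"
# instead of "JCOPv241"; the TCK is adjusted accordingly (0xb7 ^ 0x31 ^ 0x32 = 0xb4).
OTHER_VERSION_ATR = bytes.fromhex("3bf81300008131fe454a434f5076323432b4")

ADDREG_RE = re.compile(
    r'^HKLM,\s*%\w+%,"(?P<name>ATR|ATRMask)",0x00000001,'
    r'(?P<hex>[0-9a-fA-F]{2}(?:,[0-9a-fA-F]{2})*)\s*$', re.M)

def parse_addreg(inf_text):
    """Return {'ATR': bytes, 'ATRMask': bytes} from the INF AddReg lines."""
    found = {}
    for m in ADDREG_RE.finditer(inf_text):
        found[m.group("name")] = bytes(int(h, 16) for h in m.group("hex").split(","))
    return found

def parse_certutil_atr(dump):
    """Collect the hex columns certutil prints under 'ATR:'. Each line carries at
    most 16 bytes, then an ASCII gutter that is not hex and therefore ends the scan."""
    atr, in_atr = bytearray(), False
    for line in dump.splitlines():
        if line.strip().endswith("ATR:"):
            in_atr = True
            continue
        if not in_atr:
            continue
        if not line.startswith(" "):
            break  # the next unindented line ends the dump
        for tok in line.split()[:16]:
            if len(tok) == 2 and all(c in "0123456789abcdefABCDEF" for c in tok):
                atr.append(int(tok, 16))
            else:
                break
    return bytes(atr)

def parse_atr(atr):
    """Walk the ISO 7816-3 interface-byte chain (TA/TB/TC/TD after T0) and return
    the historical bytes, the protocols offered, and whether the trailing TCK
    (present unless only T=0 is offered) checks out."""
    t0 = atr[1]
    n_hist, y, i, protocols = t0 & 0x0F, t0 >> 4, 2, set()
    while True:
        i += bool(y & 1) + bool(y & 2) + bool(y & 4)  # skip TAi, TBi, TCi
        if not y & 8:
            break
        td, i = atr[i], i + 1  # TDi: low nibble = protocol, high nibble = next presence bits
        protocols.add(td & 0x0F)
        y = td >> 4
    hist = bytes(atr[i:i + n_hist])
    i += n_hist
    if any(p != 0 for p in protocols):
        xor = 0
        for b in atr[1:-1]:  # TCK = XOR of T0 through the last historical byte
            xor ^= b
        tck_ok = i + 1 == len(atr) and xor == atr[-1]
    else:
        tck_ok = i == len(atr)
    return {"historical": hist, "protocols": protocols, "tck_ok": tck_ok}

def atr_matches(card_atr, reg_atr, reg_mask):
    """Resource-manager rule: (card & mask) == (registered & mask) byte by byte, so a
    0xff mask byte demands an exact match and 0x00 ignores that byte. Treating
    unequal lengths as a mismatch is an assumption made here."""
    if not (len(card_atr) == len(reg_atr) == len(reg_mask)):
        return False
    return all((c & m) == (r & m) for c, r, m in zip(card_atr, reg_atr, reg_mask))

def relaxed_mask(mask, ignore):
    """Copy of the mask with the byte offsets in `ignore` set to 0x00."""
    return bytes(0 if i in ignore else b for i, b in enumerate(mask))

def identify_card(inf_text=INF_ADDREG, dump=CERTUTIL_ATR_DUMP):
    """True when the INF's ATR/ATRMask pair claims the card certutil shows."""
    reg = parse_addreg(inf_text)
    card = parse_certutil_atr(dump)
    return parse_atr(card)["tck_ok"] and atr_matches(card, reg["ATR"], reg["ATRMask"])
```

Under the all-0xff mask the registry entry binds to exactly this ATR (historical bytes "JCOPv241"); the constructed JCOPv242 ATR only matches once the last historical byte and the TCK are masked out.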

Re: AT_SIGNATURE and AT_EXCHANGE Problem

Philip Wendland
On 01/24/2015 11:23 PM, Viktor Tarasov wrote:

> On 01/24/2015 07:45 PM, Douglas E Engert wrote:
>> Who added sc_pkcs15_get_object_guid to the code?
> Me
>
>
>> Why did it use the card->serialnr or the tokeninfo->serial_number first?
> Object GUID has to be stable and sufficiently unique (at least for the cards of the same group/type/...).
> In ancient OpenSC tradition the ID of PKCS#15 objects is one byte -- same value for all cards initiated with OpenSC.
>
> That's why the object GUID is created from the Object ID concatenated with the card's serial.
> Only the first 16 bytes are needed for the GUID, so if the Object ID is long (SHA1 or similar in 'modern' OpenSC), the serial number does not (cannot) participate in the GUID.
> (It's true for the builds without openssl. With openssl all data participate because they are SHA1-hashed before being used to get the GUID).
>
> Minidriver defines the cardid from the TokenInfo->serialnb and does not use the CARDCTL call.
>
> We can change sc_pkcs15_get_object_guid() and compensate for the absence of a supported "GET_SERIAL" CTL call
> by using TokenInfo->serialnb to diversify the object GUID.
> This way it will not affect the existing card support and cards.
>

This could be done to preserve the existing behavior.

Is there a use case for users to explicitly specify a serial number
manually (pkcs15-init -C --serial) even if the GET_SERIALNR CTL is
implemented?
If there is one, the serial set by the user would be ignored in this
function for cards that implement the CTL (the CTL/HW serial would be
preferred).
This is currently the case as well.

If the CTL is not implemented, the tokeninfo->serial_number might be
"0000" or similar. This could have side-effects.

>
>> And it appears to be trying to get a GUID for an object, and not for the card.
> Only to get GUID of object. Cardid in minidriver is taken from TokenInfo.
>
>> Will it provide the same GUID for more then one object on the card?
> No. A PKCS#15 card should not have two objects of the same type and with the same Object ID.
>
>
>>
>>
>> On 1/24/2015 9:54 AM, Philip Wendland wrote:
>>> From what I have seen, the card->serialnr is used by card driver cardctl
>>> implementations to cache the serial number that is returned by
>>> SC_CARDCTL_GET_SERIALNR.
>>>
>>> At some other places in the minidriver, the
>>> p15card->tokeninfo->serial_number (char *) is converted to
>>> sc_serial_number_t (u8[]) using sc_hex_to_bin(). The
>>> p15card->tokeninfo->serial_number seems to be the character string
>>> representation of the binary serial number.
>>>
>>> A solution in sc_pkcs15_get_object_guid() would be to use the
>>> p15card->tokeninfo->serial_number if not NULL and convert it to bin. If
>>> it is not filled in, the cardctl could be called to preserve the
>>> existing behavior for cards that do not fill the tokeninfo->.. .
>>> I am currently investigating where and if the tokeninfo->.. is filled
>>> for several types of cards.
>> I have been looking at this too and that sounds reasonable but does not cover all cards.
>>
>> Here is what I have so far. It is complicated by the fact that a card may have a serial number,
>> but a PKCS#15 card may also have a tokenInfo file that contains a serial number.
>> One or both may be missing, and they may not be the same. As you pointed out pkcs15init
>> has a parameter for serial.
>>
>> There are cards that:
>>
>>    o ALWAYS set the card->serialnr.
>>
>>    o ONLY set the card->serialnr if a card_ctl (SC_CARDCTL_GET_SERIALNR) is made.
>>
>>    o DON'T set the card->serialnr because they don't support card_ctl(SC_CARDCTL_GET_SERIALNR)
>>
>>    o Set card->serialnr during an INIT routine. They may have a card_ctl(SC_CARDCTL_GET_SERIALNR)
>>      that returns the card->serialnr.
>>
>> Then there are the PKCS#15 modules that set the tokeninfo->serial_number
>>    o  pkcs15.c will read the tokeninfo file parse it and if present set the tokeninfo->serial_number
>>       and use card->serialnr if needed.
>>       BUT if there is no tokeninfo file it will not create the tokeninfo
>>
>>    o  PKCS15 emulation modules may also set tokeninfo->serial
>>
>>
>> CARD SERIALNR
>>
>> types.h: /* structure for the card serial number (normally the ICCSN) */
>> #define SC_MAX_SERIALNR         32
>> typedef struct sc_serial_number {
>>           unsigned char value[SC_MAX_SERIALNR];
>>           size_t len;
>>
>>           struct sc_iin iin;
>> } sc_serial_number_t;
>>
>> Above is contained in  sc_card_t as
>>     struct sc_serial_number serialnr;
>>
>>    These cards drivers all refer to card->serialnr:
>>
>> ./libopensc/card-epass2003.c
>>       ONLY epass2003_card_ctl calls epass2003_get_serialnr
>>
>> ./libopensc/card-authentic.c
>>     ALWAYS authentic_init and authentic_card_ctl call authentic_get_serialnr
>>
>> ./libopensc/card-myeid.c
>>       ONLY myeid_card_ctl calls myeid_get_serialnr
>>
>> ./libopensc/card-iasecc.c
>>       ALWAYS iasecc_init and iasecc_card_ctl call iasecc_get_serialnr
>>
>> ./libopensc/card-starcos.c
>>       ONLY starcos_card_ctl calls starcos_get_serialnr
>>
>> ./libopensc/card-akis.c
>>       ONLY akis_card_ctl calls  akis_get_serialnr
>>
>> ./libopensc/card-flex.c
>>     ONLY flex_card_ctl calls flex_get_serialnr
>>
>> ./libopensc/card-openpgp.c
>>      ALWAYS pgp_init sets card->serialnr   pgp_card_ctl uses card->serialnr
>>
>> ./libopensc/card-cardos.c
>>     ONLY cardos_card_ctl calls  cardos_get_serialnr
>>
>> ./libopensc/card-asepcos.c
>>     ONLY asepcos_card_ctl calls asepcos_get_serialnr
>>
>> ./libopensc/card-piv.c
>>     ONLY piv_card_ctl will call piv_get_serial_nr_from_CHUI
>>
>> ./libopensc/card-acos5.c
>>     ONLY acos5_card_ctl calls acos5_get_serialnr
>>
>> ./libopensc/card-itacns.c
>>     ONLY itacns_card_ctl calls itacns_get_serialnr
>>
>> ./libopensc/iasecc-sm.c
>>     does: sm_info->serialnr = card->serialnr;
>>
>> ./libopensc/card-entersafe.c
>>     ONLY entersafe_card_ctl_2048 calls entersafe_get_serialnr
>>
>> ./libopensc/card-atrust-acos.c
>>     ONLY atrust_acos_card_ctl calls acos_get_serialnr
>>
>> ./libopensc/card-oberthur.c
>>     INIT auth_select_aid  sets card->serialnr, auth_card_ctl calls auth_get_serialnr which uses card->serialnr
>>
>> ./libopensc/card-dnie.c
>>     ONLY dnie_card_ctl calls dnie_get_serialnr
>>
>> ./libopensc/card-gpk.c
>>     ONLY gpk_card_ctl calls  gpk_get_serialnr and only supported for GPK16000
>>
>> ./libopensc/card-tcos.c
>>     ONLY tcos_card_ctl calls tcos_get_serialnr
>>
>>
>> TOKENINFO SERIAL_NUMBER
>>
>> serial number as an ASCII null-terminated printable string used in sc_pkcs15_tokeninfo
>> typedef struct sc_pkcs15_tokeninfo { ...
>>           char *serial_number; ...
>> } sc_pkcs15_tokeninfo_t;
>>
>> pkcs15.c sc_pkcs15_parse_tokeninfo() converts hex to ASCII
>> using
>>                 for (ii = 0; ii < serial_len; ii++) {
>>                         char byte[3];
>>
>>                         sprintf(byte, "%02X", serial[ii]);
>>                         strcat(ti->serial_number, byte);
>>                 }
>>
>>    Null terminated, and length can be found.
>>
>>    These file call sc_pkcs15_parse_tokeninfo:
>>    ./libopensc/pkcs15-dnie.c
>>    ./libopensc/pkcs15-sc-hsm.c
>>    ./libopensc/pkcs15-pteid.c
>>
>> But why do they need to, if pkcs15.c is parsing the tokenInfo too?
>>
>>    ./libopensc/pkcs15.c
>>       sc_pkcs15_bind_internal will try and read "EF(TokenInfo) file"
>> then call sc_pkcs15_parse_tokeninfo
>>
>> BUT it will only do the following if there was an "EF(TokenInfo) file".
>> If not, no attempt to use the card->serialnr is made.
>>
>>         if (!p15card->tokeninfo->serial_number && card->serialnr.len)   {
>>                 char *serial = calloc(1, card->serialnr.len*2 + 1);
>>                 size_t ii;
>>
>>                 for(ii=0;ii<card->serialnr.len;ii++)
>>                         sprintf(serial + ii*2, "%02X", *(card->serialnr.value + ii));
>>
>>                 p15card->tokeninfo->serial_number = serial;
>>
>> ./libopensc/pkcs15-openpgp.c
>> sc_pkcs15emu_openpgp_init will use serialnr if present, and set tokeninfo->serial_number
>>
>> ./libopensc/pkcs15-oberthur.c
>>     sc_pkcs15emu_oberthur_init will use serialnr if present, and set tokeninfo->serial_number
>>
>> What should other pkcs15 emulation modules be doing?
>>
>>
>>> An open question for PKCS#15-cards is if the number found in
>>> EF(TokenInfo) is (a) always present and (b) is equal to what is returned
>>> by the cardctl function currently used in the minidriver.
>>>
>>> On 01/23/2015 08:42 PM, Douglas E Engert wrote:
>>>> OK, a step in the right direction, but any change must make sure the sc_pkcs15_get_object_guid()
>>>> returns the same thing as it does now for existing cards.
>>>> The pkcs15->tokeninfo contains a char* of up to 32 bytes, but no length, and may be padded with blanks.
>>>> The card->serialnr is hex. Some research on what OpenSC is doing for all cards may be needed,
>>>> if a change is to be made in only sc_pkcs15_get_object_guid.
>>>> Not clear if the card->serialnr is filled in from pkcs15->tokeninfo.
>>>>
>>>> On 1/23/2015 11:08 AM, Philip Wendland wrote:
>>>>> On 01/23/2015 04:54 PM, Douglas E Engert wrote:
>>>>>> After looking closer at the code for minidriver, serial number and card_ctl...
>>>>>>
>>>>>> The minidriver in md_set_cardid() uses the serial number from
>>>>>> p15card->tokeninfo->serial_number
>>>>>>
>>>>>> The minidriver also calls sc_pkcs15_get_object_guid() in pkcs15.c which *does* call
>>>>>> sc_card_ctl(p15card->card, SC_CARDCTL_GET_SERIALNR, &serialnr);
>>>>>>
>>>>>> ***THIS MAY BE THE PROBLEM***
>>>>>>
>>>>>> Why does  sc_pkcs15_get_object_guid not use p15card->tokeninfo->serial_number?
>>>>>>
>>>>>> PKCS#15 defines the ASN.1 TokenInfo which has serialNumber OCTET STRING.
>>>>>>
>>>>>> Do all PKCS#15 cards have this file?
>>>>>> Do they all fill in the serial_number?
>>>>>>
>>>>>> For cards doing PKCS#15 emulation, their pkcs15-*.c drivers should be filling in the
>>>>>> p15card->tokeninfo->serial_number.
>>>>>>
>>>>>> Thus the minidriver should not depend on card-ctl if the p15card->tokeninfo->serial_number
>>>>>> is properly filled in.
>>>>>>
>>>>>> So the requirement for windows that a card driver have a card_ctl for serial_number
>>>>>> may be that the p15card->tokeninfo->serial_number must be filled in.
>>>>>>
>>>>> Very interesting find.
>>>>>
>>>>> See also:
>>>>> $ pkcs15-tool -D
>>>>> PKCS#15 Card [JavaCard isoApplet]:
>>>>> Version        : 0
>>>>> Serial number  : 0000
>>>>>
>>>>> I think this is the serial number from the EF(TokenInfo). Version seems
>>>>> to be TokenInfo.version defined in PKCS#15, namely the PKCS#15 version
>>>>> the card conforms to.
>>>>>
>>>>> I followed the code path in pkcs15-init from creating the file
>>>>> structure. It goes to do_init_app(), which calls sc_pkcs15init_add_app()
>>>>> in pkcs15-lib.c.
>>>>> The code at line 866 ff. seems to fit very well to your point (that the
>>>>> minidriver should first read the EF(TokenInfo), and call the cardctl
>>>>> only if this is not possible):
>>>>>
>>>>> /* set serial number if explicitly specified */
>>>>> if (args->serial)   {
>>>>>         sc_pkcs15init_set_serial(profile, args->serial);
>>>>> }
>>>>> else {
>>>>>         /* otherwise try to get the serial number from the card */
>>>>>         struct sc_serial_number serialnr;
>>>>>         r = sc_card_ctl(card, SC_CARDCTL_GET_SERIALNR, &serialnr);
>>>>>         (...)
>>>>>
>>>>>
>>>>> Here is an example of how to set the IsoApplet up with a serial number
>>>>> in EF(TokenInfo) (without any modification to the driver or applet):
>>>>>
>>>>> [*@*]$ pkcs15-init -C --serial 42424242424242424242424242424242
>>>>> Using reader with a card: Cherry GmbH SmartTerminal ST-2xxx [Vendor
>>>>> Interface] (21121440179920) 00 00
>>>>> New User PIN.
>>>>> Please enter User PIN:
>>>>> Please type again to verify:
>>>>> Unblock Code for New User PIN (Optional - press return for no PIN).
>>>>> Please enter User unblocking PIN (PUK):
>>>>> Please type again to verify:
>>>>> User PIN [User PIN] required.
>>>>> Please enter User PIN [User PIN]:
>>>>>
>>>>> [*@*]$ pkcs15-tool -D
>>>>> Using reader with a card: Cherry GmbH SmartTerminal ST-2xxx [Vendor
>>>>> Interface] (21121440179920) 00 00
>>>>> PKCS#15 Card [JavaCard isoApplet]:
>>>>> Version        : 0
>>>>> Serial number  : 42424242424242424242424242424242
>>>>>
>>>>>
>>>>> So with changing the minidriver accordingly, it should be able to get
>>>>> the serial number.
>>>>>
>>>>>> Even Microsoft does not require a serial number, but a CP_CARD_GUID that in their abstraction
>>>>>> of a smart card is contained in the cardId file.
>>>>>> See https://msdn.microsoft.com/en-us/library/windows/hardware/dn631754
>>>>>> Under V7.07, Section 5.4.1 Card Identifier.
>>>>>>
>>>>> Interesting as well:
>>>>> "This value is assigned by Microsoft software to assure that a unique
>>>>> value is generated for the card. It is unrelated to the serial number
>>>>> that may or may not be assigned to the card during manufacture."
>>>>>
>>>>>
>>>>>> For example the PIV card edge specifications are defined by NIST, and implemented
>>>>>> by multiple vendors. There is no "serial number" or a cardId file, but there is an object
>>>>>> defined called the CHUID.
>>>>>>
>>>>>>      https://www.idmanagement.gov/sites/default/files/documents/PACS.pdf
>>>>>>
>>>>>> It contains a "Federal Agency Smart Credential Number" (FASC-N) which was used
>>>>>> by the U.S. federal government, but to make the specifications more  usable for
>>>>>> non-government, it can also contain a GUID. Section 2 of the above goes into
>>>>>> detail on these.
>>>>>>
>>>>>> The OpenSC PIV card driver is emulating PKCS#15 so to get a serial number,
>>>>>> pkcs15-piv.c uses card_ctl to have the card-piv.c read the CHUID,
>>>>>> and use the FASC-N or GUID as defined above. The Microsoft built-in driver will
>>>>>> also use the CHUID, and derive a number it can use as the cardId.
>>>>>>
>>>>>> The point being, the intent is to give Microsoft a unique number for a card,
>>>>>> unique in the sense that all the cards used on a local system have different numbers.
>>>>>> (Other uses of the number may require it to be global unique...)
>>>>>>
>>>>>> The same number should be returned by the card each time so cached certificates
>>>>>> can be associated with a card containing the matching key.
>>>>>>
>>>>>> How that number is obtained for the card is up to the applet.
>>>>>>
>>>>>>>> Nevertheless, the presence of the "get serial" card control is out of sync
>>>>>>>> with the rest of the framework. Why is there a mandatory "extension" for
>>>>>>>> something that should be part of the core?
>>>>>> Because it is only mandatory for some systems. It was an afterthought; otherwise ISO 7816
>>>>>> would have defined a serial number.
>>>>>>
>>>>>>
>>>>>>>> It either should be a required
>>>>>>>> part of the usual card function structure, maybe with some sensible
>>>>>>>> defaults or fallbacks or the "serial" must be derived from some unique data
>>>>>>>> (certificate?) if the callback is not there or no data present.
>>>>>> Yes, but if the card has many certificates, that can be changed independently,
>>>>>> that will not work very well.
>>>>>>
>>>>>> One of the first OpenSC commands a user tries is opensc-tool --serial
>>>>>> 23 of the 33 or so card-*.c support reading a serial number, because it
>>>>>> is still optional.
>>>>>>
>>>>>> Thus the minidriver in md_set_cardid() uses the serial number from
>>>>>> p15card->tokeninfo->serial_number
>>>>>>
>>>>>> The minidriver also calls sc_pkcs15_get_object_guid() in pkcs15.c which does call
>>>>>> sc_card_ctl(p15card->card, SC_CARDCTL_GET_SERIALNR, &serialnr);
>>>>>>
>>>>>> ***THIS MAY BE THE PROBLEM***
>>>>>>
>>>>>> Should sc_pkcs15_get_object_guid at p15card->tokeninfo->serial_number?
>>>>>>
>>>>>> For a PKCS#15 card with the tokeninfo there
>>>>>> is ASN.1 TokenInfo which has serialNumber OCTET STRING.
>>>>>>
>>>>>> For cards doing PKCS#15 emulation, their pkcs15-*.c drivers should be filling in the
>>>>>> p15card->tokeninfo->serial_number.
>>>>>>
>>>>>> Thus the minidriver should not depend on cardctl if the
>>>>>>
>>>>>>
>>>>>>
>>>>>>> I kind of agree. When writing card drivers for OpenSC you usually look
>>>>>>> at the sc_card_operations struct, for me it was not clear for a long
>>>>>>> time that the SC_CARDCTL_GET_SERIALNR cardctl is required for windows
>>>>>>> functionality.
>>>>>>> (Windows-support was never a requirement for the isoapplet anyway,
>>>>>>> until now.)
>>>>>> I would expect nowadays Windows support would be highly desirable,
>>>>>> and the OpenSC minidriver can do that if there is a way to get a serial number
>>>>>> from the card driver.
>>>>>>
>>>>>>
>>>>>>>> The question is how to "grow" the framework: either extend the card
>>>>>>>> function pointers (that right now is almost 1:1 ISO and old, first
>>>>>>>> implementations) or via card controls. I would choose extending the card
>>>>>>>> function pointers.
>>>>>>>>
>>>>>>>> Also, the requirements for the "serial" must be written down: for
>>>>>>>> example, if the serial remains the same but card content changes, does this
>>>>>>>> matter? does this affect some caching somewhere? Is the serial binary or
>>>>>>>> string, how long? Is it supposed to be globally unique or just for a batch?
>>>>>>>>
>>>>>>>> Martin
>>>>>>>>
>>>>>>>> On Mon Jan 19 2015 at 7:55:44 PM Philip Wendland <[hidden email]>
>>>>>>>> wrote:
>>>>>>>>
>>>>>>>>> Hi,
>>>>>>>>>
>>>>>>>>> I will try to solve this problem for the IsoApplet this weekend. My
>>>>>>>>> spare time is limited until then.
>>>>>>>>>
>>>>>>>>> However, the problem will be to find a unique identifier for any generic
>>>>>>>>> card.
>>>>>>>>>
>>>>>>>>> Kind regards,
>>>>>>>>> Philip
>>>>>>>>>
>>>>>>>>> On 19.01.2015 17:26, Douglas E Engert wrote:
>>>>>>>>>> [I should have sent this to the opensc-devel, as others can address some of your questions
>>>>>>>>>> about the state of the muscle applet and isoapplet].
>>>>>>>>>>
>>>>>>>>>> No, that fix was for the card-itacns.c, you are using the card-muscle.c.
>>>>>>>>>>
>>>>>>>>>> Some equivalent code needs to be added to card-muscle.c, to use whatever information is available that
>>>>>>>>>> windows could use to uniquely identify the card. This is then stored with the certificates in the windows store.
>>>>>>>>>> At a later time, windows uses certificates from the store and can then prompt to have the card mounted, so it can use the
>>>>>>>>>> matching key on the card.
>>>>>>>>>>
>>>>>>>>>> You or someone else that can test a mod to card-muscle.c could submit a code change.
>>>>>>>>>> There are 33 card-*.c files, 24 support SC_CARDCTL_GET_SERIALNR. 11 do not.
>>>>>>>>>> card-belpic.c
>>>>>>>>>> card-default.c
>>>>>>>>>> card-gemsafeV1.c
>>>>>>>>>> card-ias.c
>>>>>>>>>> card-incrypto34.c
>>>>>>>>>> card-jcop.c
>>>>>>>>>> card-mcrd.c
>>>>>>>>>> card-miocos.c
>>>>>>>>>> card-muscle.c
>>>>>>>>>> card-setcos.c
>>>>>>>>>> iso7816.c
>>>>>>>>>>
>>>>>>>>>> Cards that support SC_CARDCTL_GET_SERIALNR
>>>>>>>>>> card-acos5.c
>>>>>>>>>> card-akis.c
>>>>>>>>>> card-asepcos.c
>>>>>>>>>> card-atrust-acos.c
>>>>>>>>>> card-authentic.c
>>>>>>>>>> card-cardos.c
>>>>>>>>>> card-dnie.c
>>>>>>>>>> card-entersafe.c
>>>>>>>>>> card-epass2003.c
>>>>>>>>>> card-flex.c
>>>>>>>>>> card-gpk.c
>>>>>>>>>> card-iasecc.c
>>>>>>>>>> card-itacns.c
>>>>>>>>>> card-myeid.c
>>>>>>>>>> card-oberthur.c
>>>>>>>>>> card-openpgp.c
>>>>>>>>>> card-piv.c
>>>>>>>>>> card-rtecp.c
>>>>>>>>>> card-rutoken.c
>>>>>>>>>> card-sc-hsm.c
>>>>>>>>>> card-starcos.c
>>>>>>>>>> card-tcos.c
>>>>>>>>>> card-westcos.c
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> To answer some other questions you asked in a private e-mail:
>>>>>>>>>>
>>>>>>>>>> iso7816.c which implements the basic ISO commands does not support any card_ctl commands.
>>>>>>>>>> I believe that the IsoApplet is designed to use the iso7816.c. I am not sure if the concept of
>>>>>>>>>> a unique "serial number" is part of ISO7816.
>>>>>>>>>>
>>>>>>>>>> I also don't know the state of the muscle applet, or if it has something that can be used as a serial number either.
>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>>> On 1/19/2015 8:37 AM, Michael Heydemann wrote:
>>>>>>>>>>> WOW.. Thank you a lot.. I think I owe you a beer..
>>>>>>>>>>>
>>>>>>>>>>> I checked the fix is from November last year, and the 0.14 version is from summer last year.
>>>>>>>>>>> Does this mean, that the nightly build could fix this?
>>>>>>>>>>> What version I should pull/download?
>>>>>>>>>>>
>>>>>>>>>>> Thank you a lot,
>>>>>>>>>>> Michael
>>>>>>>>>>>
>>>>>>>>>>>> Am 19.01.2015 um 14:35 schrieb Douglas E Engert <[hidden email]>:
>>>>>>>>>>>>
>>>>>>>>>>>> This is the same problem as:
>>>>>>>>>>>>
>>>>>>>>>>>>       https://github.com/OpenSC/OpenSC/pull/321
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>> 2015-01-19 09:49:34.203 [cardmod] card.c:720:sc_card_ctl: called
>>>>>>>>>>>> 2015-01-19 09:49:34.203 card_ctl(5) not supported
>>>>>>>>>>>>
>>>>>>>>>>>> The card-muscle.c (and others in OpenSC) does not support SC_CARDCTL_GET_SERIALNR
>>>>>>>>>>>> to get a card "serial number", which Windows requires.
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>>>> On 1/19/2015 3:30 AM, Michael Heydemann wrote:
>>>>>>>>>>>>> Dear OpenSC Development Team,
>>>>>>>>>>>>>
>>>>>>>>>>>>> First of all, I would like to say that I really appreciate your great work.
>>>>>>>>>>>>> I am working on a little project and explored all the nice tools of OpenSC.
>>>>>>>>>>>>> Unfortunately, for one week now I have not been able to get around a certain problem.
>>>>>>>>>>>>> I hope this mailing list is the right place and you can help me with that.
>>>>>>>>>>>>>
>>>>>>>>>>>>> My project is about (1) setting up a PKCS#11 key store on a Java Card,
>>>>>>>>>>>>> (2) loading some test data (keys and certificates) on it, and (3) using the card
>>>>>>>>>>>>> with the Windows 7 Key Management.
>>>>>>>>>>>>>
>>>>>>>>>>>>> Hardware:
>>>>>>>>>>>>> * Card Reader: Omnikey 3121USB
>>>>>>>>>>>>> * Java Card: J2A080 - NXP, 80k
>>>>>>>>>>>>>
>>>>>>>>>>>>> (1) Setting up PKCS#11 key store:
>>>>>>>>>>>>> I have installed Ubuntu 14.04.1 in VirtualBox and wrote a bunch of bash scripts
>>>>>>>>>>>>> to install all required software, install the muscle applet on the card, and
>>>>>>>>>>>>> remove the muscle applet from the card. I followed the instructions on
>>>>>>>>>>>>> http://blog.ev0ke.net/muscle-jcop/ and everything worked well.
>>>>>>>>>>>>>
>>>>>>>>>>>>> (2) Loading some test data:
>>>>>>>>>>>>> I tried some different ways to get some keys and certificates on the card.
>>>>>>>>>>>>> None of them delivered data which is accepted by Windows 7.
>>>>>>>>>>>>> Here is one set of data I created:
>>>>>>>>>>>>>
>>>>>>>>>>>>> ***************************************************************************************
>>>>>>>>>>>>> Using reader with a card: OMNIKEY CardMan (076B:3022) 3021 00 00
>>>>>>>>>>>>> PKCS#15 Card [MUSCLE]:
>>>>>>>>>>>>> Version        : 0
>>>>>>>>>>>>> Serial number  : 0000
>>>>>>>>>>>>> Manufacturer ID: Identity Alliance
>>>>>>>>>>>>> Last update    : 20150119080705Z
>>>>>>>>>>>>> Flags          : EID compliant
>>>>>>>>>>>>>
>>>>>>>>>>>>> PIN [User PIN]
>>>>>>>>>>>>> Object Flags   : [0x3], private, modifiable
>>>>>>>>>>>>> ID             : 01
>>>>>>>>>>>>> Flags          : [0x10], initialized
>>>>>>>>>>>>> Length         : min_len:4, max_len:8, stored_len:8
>>>>>>>>>>>>> Pad char       : 0x00
>>>>>>>>>>>>> Reference      : 1
>>>>>>>>>>>>> Type           : ascii-numeric
>>>>>>>>>>>>> Path           : 3f005015
>>>>>>>>>>>>>
>>>>>>>>>>>>> Private RSA Key [Card Owner]
>>>>>>>>>>>>> Object Flags   : [0x3], private, modifiable
>>>>>>>>>>>>> Usage          : [0x2E], decrypt, sign, signRecover, unwrap
>>>>>>>>>>>>> Access Flags   : [0x0]
>>>>>>>>>>>>> ModLength      : 1024
>>>>>>>>>>>>> Key ref        : 0 (0x0)
>>>>>>>>>>>>> Native         : yes
>>>>>>>>>>>>> Path           : 3f005015
>>>>>>>>>>>>> Auth ID        : 01
>>>>>>>>>>>>> ID             : 01
>>>>>>>>>>>>>
>>>>>>>>>>>>> Public RSA Key [Card Owner]
>>>>>>>>>>>>> Object Flags   : [0x2], modifiable
>>>>>>>>>>>>> Usage          : [0xD1], encrypt, wrap, verify, verifyRecover
>>>>>>>>>>>>> Access Flags   : [0x0]
>>>>>>>>>>>>> ModLength      : 1024
>>>>>>>>>>>>> Key ref        : 0
>>>>>>>>>>>>> Native         : no
>>>>>>>>>>>>> Path           : 3f0050153000
>>>>>>>>>>>>> ID             : 01
>>>>>>>>>>>>>
>>>>>>>>>>>>> X.509 Certificate [Card Owner Certificate]
>>>>>>>>>>>>> Object Flags   : [0x2], modifiable
>>>>>>>>>>>>> Authority      : no
>>>>>>>>>>>>> Path           : 3f0050153100
>>>>>>>>>>>>> ID             : 01
>>>>>>>>>>>>> Encoded serial : 02 09 00F695059953A904F9
>>>>>>>>>>>>>
>>>>>>>>>>>>> X.509 Certificate [Contact 2 Certificate]
>>>>>>>>>>>>> Object Flags   : [0x2], modifiable
>>>>>>>>>>>>> Authority      : no
>>>>>>>>>>>>> Path           : 3f0050153101
>>>>>>>>>>>>> ID             : 02
>>>>>>>>>>>>> Encoded serial : 02 09 00F695059953A904F9
>>>>>>>>>>>>>
>>>>>>>>>>>>> X.509 Certificate [Contact 3 Certificate]
>>>>>>>>>>>>> Object Flags   : [0x2], modifiable
>>>>>>>>>>>>> Authority      : no
>>>>>>>>>>>>> Path           : 3f0050153102
>>>>>>>>>>>>> ID             : 03
>>>>>>>>>>>>> Encoded serial : 02 09 00F695059953A904F9
>>>>>>>>>>>>>
>>>>>>>>>>>>> X.509 Certificate [Contact 4 Certificate]
>>>>>>>>>>>>> Object Flags   : [0x2], modifiable
>>>>>>>>>>>>> Authority      : no
>>>>>>>>>>>>> Path           : 3f0050153103
>>>>>>>>>>>>> ID             : 04
>>>>>>>>>>>>> Encoded serial : 02 09 00F695059953A904F9
>>>>>>>>>>>>>
>>>>>>>>>>>>> X.509 Certificate [Contact 5 Certificate]
>>>>>>>>>>>>> Object Flags   : [0x2], modifiable
>>>>>>>>>>>>> Authority      : no
>>>>>>>>>>>>> Path           : 3f0050153104
>>>>>>>>>>>>> ID             : 05
>>>>>>>>>>>>> Encoded serial : 02 09 00F695059953A904F9
>>>>>>>>>>>>> ***************************************************************************************
>>>>>>>>>>>>> (3) Using the card in Windows 7:
>>>>>>>>>>>>> I installed Windows 7  64 Bit in a VirtualBox and installed
>>>>>>>>>>>>> OpenSC-0.12.2-win64.msi. I also tried OpenSC-0.14.0-win64.msi,
>>>>>>>>>>>>> but with same result.
>>>>>>>>>>>>> I acquired the ATR of the card and properly installed my opensc-minidriver.inf:
>>>>>>>>>>>>> ***************************************************************************************
>>>>>>>>>>>>> [Version]
>>>>>>>>>>>>> Signature="$Windows NT$"
>>>>>>>>>>>>> Class=SmartCard
>>>>>>>>>>>>> ClassGuid={990A2BD7-E738-46c7-B26F-1CF8FB9F1391}
>>>>>>>>>>>>> Provider=%ProviderName%
>>>>>>>>>>>>> CatalogFile=delta.cat
>>>>>>>>>>>>> DriverVer=05/02/2010,@OPENSC_VERSION_MAJOR@,@OPENSC_VERSION_MINOR@,@OPENSC_VERSION_FIX@,0
>>>>>>>>>>>>>
>>>>>>>>>>>>> [Manufacturer]
>>>>>>>>>>>>> %ProviderName%=Minidriver,NTamd64,NTamd64.6.1,NTx86,NTx86.6.1
>>>>>>>>>>>>>
>>>>>>>>>>>>> [Minidriver.NTamd64]
>>>>>>>>>>>>> %CardDeviceName%=Minidriver64_Install,SCFILTER\CID_00640181010c829000
>>>>>>>>>>>>>
>>>>>>>>>>>>> [Minidriver.NTx86]
>>>>>>>>>>>>> %CardDeviceName%=Minidriver32_Install,SCFILTER\CID_00640181010c829000
>>>>>>>>>>>>>
>>>>>>>>>>>>> [Minidriver.NTamd64.6.1]
>>>>>>>>>>>>> %CardDeviceName%=Minidriver64_61_Install,SCFILTER\CID_00640181010c829000
>>>>>>>>>>>>>
>>>>>>>>>>>>> [Minidriver.NTx86.6.1]
>>>>>>>>>>>>> %CardDeviceName%=Minidriver32_61_Install,SCFILTER\CID_00640181010c829000
>>>>>>>>>>>>>
>>>>>>>>>>>>> [DefaultInstall]
>>>>>>>>>>>>> CopyFiles=x86_CopyFiles
>>>>>>>>>>>>> AddReg=AddRegDefault
>>>>>>>>>>>>>
>>>>>>>>>>>>> [DefaultInstall.ntamd64]
>>>>>>>>>>>>> CopyFiles=amd64_CopyFiles
>>>>>>>>>>>>> CopyFiles=wow64_CopyFiles
>>>>>>>>>>>>> AddReg=AddRegWOW64
>>>>>>>>>>>>> AddReg=AddRegDefault
>>>>>>>>>>>>>
>>>>>>>>>>>>> [DefaultInstall.NTx86]
>>>>>>>>>>>>> CopyFiles=x86_CopyFiles
>>>>>>>>>>>>> AddReg=AddRegDefault
>>>>>>>>>>>>>
>>>>>>>>>>>>> [DefaultInstall.ntamd64.6.1]
>>>>>>>>>>>>> AddReg=AddRegWOW64
>>>>>>>>>>>>> AddReg=AddRegDefault
>>>>>>>>>>>>>
>>>>>>>>>>>>> [DefaultInstall.NTx86.6.1]
>>>>>>>>>>>>> AddReg=AddRegDefault
>>>>>>>>>>>>>
>>>>>>>>>>>>> [SourceDisksFiles]
>>>>>>>>>>>>> %SmartCardCardModule%=1
>>>>>>>>>>>>> %SmartCardCardModule64%=1
>>>>>>>>>>>>>
>>>>>>>>>>>>> [SourceDisksNames]
>>>>>>>>>>>>> 1 = %MediaDescription%
>>>>>>>>>>>>>
>>>>>>>>>>>>> [Minidriver64_Install.NT]
>>>>>>>>>>>>> CopyFiles=amd64_CopyFiles
>>>>>>>>>>>>> CopyFiles=wow64_CopyFiles
>>>>>>>>>>>>> AddReg=AddRegWOW64
>>>>>>>>>>>>> AddReg=AddRegDefault
>>>>>>>>>>>>>
>>>>>>>>>>>>> [Minidriver64_61_Install.NT]
>>>>>>>>>>>>> AddReg=AddRegWOW64
>>>>>>>>>>>>> AddReg=AddRegDefault
>>>>>>>>>>>>> Include=umpass.inf
>>>>>>>>>>>>> Needs=UmPass
>>>>>>>>>>>>>
>>>>>>>>>>>>> [Minidriver32_Install.NT]
>>>>>>>>>>>>> CopyFiles=x86_CopyFiles
>>>>>>>>>>>>> AddReg=AddRegDefault
>>>>>>>>>>>>>
>>>>>>>>>>>>> [Minidriver32_61_Install.NT]
>>>>>>>>>>>>> AddReg=AddRegDefault
>>>>>>>>>>>>> Include=umpass.inf
>>>>>>>>>>>>> Needs=UmPass
>>>>>>>>>>>>>
>>>>>>>>>>>>> [Minidriver64_61_Install.NT.Services]
>>>>>>>>>>>>> Include=umpass.inf
>>>>>>>>>>>>> Needs=UmPass.Services
>>>>>>>>>>>>>
>>>>>>>>>>>>> [Minidriver32_61_Install.NT.Services]
>>>>>>>>>>>>> Include=umpass.inf
>>>>>>>>>>>>> Needs=UmPass.Services
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>> [Minidriver64_61_Install.NT.HW]
>>>>>>>>>>>>> Include=umpass.inf
>>>>>>>>>>>>> Needs=UmPass.HW
>>>>>>>>>>>>>
>>>>>>>>>>>>> [Minidriver64_61_Install.NT.CoInstallers]
>>>>>>>>>>>>> Include=umpass.inf
>>>>>>>>>>>>> Needs=UmPass.CoInstallers
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>> [Minidriver64_61_Install.NT.Interfaces]
>>>>>>>>>>>>> Include=umpass.inf
>>>>>>>>>>>>> Needs=UmPass.Interfaces
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>> [Minidriver32_61_Install.NT.HW]
>>>>>>>>>>>>> Include=umpass.inf
>>>>>>>>>>>>> Needs=UmPass.HW
>>>>>>>>>>>>>
>>>>>>>>>>>>> [Minidriver32_61_Install.NT.CoInstallers]
>>>>>>>>>>>>> Include=umpass.inf
>>>>>>>>>>>>> Needs=UmPass.CoInstallers
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>> [Minidriver32_61_Install.NT.Interfaces]
>>>>>>>>>>>>> Include=umpass.inf
>>>>>>>>>>>>> Needs=UmPass.Interfaces
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>> [amd64_CopyFiles]
>>>>>>>>>>>>> ;%SmartCardCardModule%,%SmartCardCardModule64%
>>>>>>>>>>>>>
>>>>>>>>>>>>> [x86_CopyFiles]
>>>>>>>>>>>>> ;%SmartCardCardModule%
>>>>>>>>>>>>>
>>>>>>>>>>>>> [wow64_CopyFiles]
>>>>>>>>>>>>> ;%SmartCardCardModule64%
>>>>>>>>>>>>>
>>>>>>>>>>>>> [AddRegWOW64]
>>>>>>>>>>>>> HKLM, %SmartCardNameWOW64%,"ATR",0x00000001,3b,f8,13,00,00,81,31,fe,45,4A,43,4f,50,76,32,34,31,b7
>>>>>>>>>>>>> HKLM, %SmartCardNameWOW64%,"ATRMask",0x00000001,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff
>>>>>>>>>>>>> HKLM, %SmartCardNameWOW64%,"Crypto Provider",0x00000000,"Microsoft Base Smart Card Crypto Provider"
>>>>>>>>>>>>> HKLM, %SmartCardNameWOW64%,"Smart Card Key Storage Provider",0x00000000,"Microsoft Smart Card Key Storage Provider"
>>>>>>>>>>>>> HKLM, %SmartCardNameWOW64%,"80000001",0x00000000,%SmartCardCardModule64%
>>>>>>>>>>>>>
>>>>>>>>>>>>> [AddRegDefault]
>>>>>>>>>>>>> HKLM, %SmartCardName%,"ATR",0x00000001,3b,f8,13,00,00,81,31,fe,45,4A,43,4f,50,76,32,34,31,b7
>>>>>>>>>>>>> HKLM, %SmartCardName%,"ATRMask",0x00000001,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff
>>>>>>>>>>>>> HKLM, %SmartCardName%,"Crypto Provider",0x00000000,"Microsoft Base Smart Card Crypto Provider"
>>>>>>>>>>>>> HKLM, %SmartCardName%,"Smart Card Key Storage Provider",0x00000000,"Microsoft Smart Card Key Storage Provider"
>>>>>>>>>>>>> HKLM, %SmartCardName%,"80000001",0x00000000,%SmartCardCardModule%
>>>>>>>>>>>>>
>>>>>>>>>>>>> [DestinationDirs]
>>>>>>>>>>>>> amd64_CopyFiles=10,system32
>>>>>>>>>>>>> x86_CopyFiles=10,system32
>>>>>>>>>>>>> wow64_CopyFiles=10,syswow64
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>> ; =================== Generic ==================================
>>>>>>>>>>>>>
>>>>>>>>>>>>> [Strings]
>>>>>>>>>>>>> ProviderName="OpenSC"
>>>>>>>>>>>>> MediaDescription="OpenSC Card Minidriver Installation Disk"
>>>>>>>>>>>>> CardDeviceName="Muscle Card"
>>>>>>>>>>>>> SmartCardName="SOFTWARE\Microsoft\Cryptography\Calais\SmartCards\Muscle Card"
>>>>>>>>>>>>> SmartCardNameWOW64="SOFTWARE\Wow6432Node\Microsoft\Cryptography\Calais\SmartCards\Muscle Card"
>>>>>>>>>>>>> SmartCardCardModule="opensc-minidriver.dll"
>>>>>>>>>>>>> ***************************************************************************************
>>>>>>>>>>>>> When the card is inserted the driver is used, as shown in Device Manager
>>>>>>>>>>>>> as well as in certutil.exe.
>>>>>>>>>>>>> Now here is the actual problem:
>>>>>>>>>>>>> When I try to use the card with certutil.exe -SCinfo, several times a dialog pops up
>>>>>>>>>>>>> complaining that the card does not have the required functions.
>>>>>>>>>>>>> The terminal output is like this. I am sorry for pasting this in German.
>>>>>>>>>>>>> I added some translations:
>>>>>>>>>>>>>
>>>>>>>>>>>>> ***************************************************************************************
>>>>>>>>>>>>> Microsoft Windows [Version 6.1.7601]
>>>>>>>>>>>>> Copyright (c) 2009 Microsoft Corporation. Alle Rechte vorbehalten.
>>>>>>>>>>>>>
>>>>>>>>>>>>> C:\Users\developer>certutil -scinfo
>>>>>>>>>>>>> Die Microsoft Smartcard-Ressourcenverwaltung wird ausgeführt.
>>>>>>>>>>>>> Aktueller Leser-/Kartenstatus: (Current Reader/Card Status)
>>>>>>>>>>>>> Leser: 1 (Reader: 1)
>>>>>>>>>>>>>        0: OMNIKEY CardMan 3x21 0
>>>>>>>>>>>>> --- Leser: OMNIKEY CardMan 3x21 0 (Reader)
>>>>>>>>>>>>> --- Status: SCARD_STATE_PRESENT | SCARD_STATE_UNPOWERED
>>>>>>>>>>>>> --- Status: Die Smartcard kann verwendet werden.
>>>>>>>>>>>>> ---  Karte: Muscle Card
>>>>>>>>>>>>> ---    ATR:
>>>>>>>>>>>>>              3b f8 13 00 00 81 31 fe  45 4a 43 4f 50 76 32 34   ;.....1.EJCOPv24
>>>>>>>>>>>>>              31 b7                                              1.
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>> =======================================================
>>>>>>>>>>>>> Karte im Leser wird analysiert: OMNIKEY CardMan 3x21 0 (Trans: The card in the reader is being analyzed)
>>>>>>>>>>>>> --------------===========================--------------
>>>>>>>>>>>>> ================ Zertifikat 0 ================ (Trans: Certificate 0)
>>>>>>>>>>>>> --- Leser: OMNIKEY CardMan 3x21 0 (Reader)
>>>>>>>>>>>>> ---  Karte: Muscle Card
>>>>>>>>>>>>> Anbieter = Microsoft Base Smart Card Crypto Provider
>>>>>>>>>>>>> Schlüsselcontainer = (null) [Standardcontainer] (Trans: standard container)
>>>>>>>>>>>>> Schlüssel "AT_SIGNATURE" kann nicht geöffnet werden für Leser: OMNIKEY CardMan 3x21 0 (Trans: Key "AT_SIGNATURE" could not be opened)
>>>>>>>>>>>>> Schlüssel "AT_KEYEXCHANGE" kann nicht geöffnet werden für Leser: OMNIKEY CardMan 3x21 0 (Trans: Key "AT_SIGNATURE" could not be opened)
>>>>>>>>>>>>>
>>>>>>>>>>>>> --------------===========================--------------
>>>>>>>>>>>>> ================ Zertifikat 0 ================
>>>>>>>>>>>>> --- Leser: OMNIKEY CardMan 3x21 0
>>>>>>>>>>>>> ---  Karte: Smart Security Device (Brainchild)
>>>>>>>>>>>>> Anbieter = Microsoft Smart Card Key Storage Provider
>>>>>>>>>>>>> Schlüsselcontainer = (null) [Standardcontainer]
>>>>>>>>>>>>>
>>>>>>>>>>>>> Schlüssel "" kann nicht geöffnet werden für Leser: OMNIKEY CardMan 3x21 0 (Trans: Key "" could not be opened)
>>>>>>>>>>>>> --------------===========================--------------
>>>>>>>>>>>>>
>>>>>>>>>>>>> Fertig.
>>>>>>>>>>>>> CertUtil: -SCInfo-Befehl wurde erfolgreich ausgeführt. (Trans: -SCinfo command has been executed successfully)
>>>>>>>>>>>>> ***************************************************************************************
>>>>>>>>>>>>> I also configured a log file in opensc.conf with debug level 9.
>>>>>>>>>>>>> Unfortunately the file is about 2.5 MB. I will try to add it as an attachment to this mail,
>>>>>>>>>>>>> but I am not sure whether this works with a mailing list.
>>>>>>>>>>>>>
>>>>>>>>>>>>> I already inspected the log, but found nothing suspicious.
>>>>>>>>>>>>> I think maybe there has to be a private key marked
>>>>>>>>>>>>> for use as AT_SIGNATURE and one for AT_EXCHANGE.
>>>>>>>>>>>>> But how?
>>>>>>>>>>>>>
>>>>>>>>>>>>> Or maybe I am completely wrong and something different is going wrong.
>>>>>>>>>>>>>
>>>>>>>>>>>>> Any help would be appreciated!
>>>>>>>>>>>>>
>>>>>>>>>>>>> Best Regards,
>>>>>>>>>>>>> Michael
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>> ------------------------------------------------------------
>>>>>>>>> ------------------
>>>>>>>>>>>>> New Year. New Location. New Benefits. New Data Center in Ashburn, VA.
>>>>>>>>>>>>> GigeNET is offering a free month of service with a new server in
>>>>>>>>> Ashburn.
>>>>>>>>>>>>> Choose from 2 high performing configs, both with 100TB of bandwidth.
>>>>>>>>>>>>> Higher redundancy.Lower latency.Increased capacity.Completely
>>>>>>>>> compliant.
>>>>>>>>>>>>> http://p.sf.net/sfu/gigenet
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>> _______________________________________________
>>>>>>>>>>>>> Opensc-devel mailing list
>>>>>>>>>>>>> [hidden email]
>>>>>>>>>>>>> https://lists.sourceforge.net/lists/listinfo/opensc-devel
>>>>>>>>>>>>>
>>>>>>>>>>>> --
>>>>>>>>>>>>
>>>>>>>>>>>>       Douglas E. Engert  <[hidden email]>
>>>>>>>>>>>>
>>>>>>>>>>>>
>>>>>>>>>

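The serial-number fallback and object-GUID derivation debated in this thread (the GUID is built from the PKCS#15 object ID concatenated with the card serial, keeping only the first 16 bytes in builds without OpenSSL, and the TokenInfo hex string is the proposed stand-in when the driver has no SC_CARDCTL_GET_SERIALNR), as an added stand-alone C model that is not OpenSC's own code. struct serial_number, hex_to_bin, bin_to_hex, resolve_serial and derive_object_guid are this example's simplified names; the "0000" and 42...42 serials are constructed from values quoted in the thread, and zero-padding a short GUID input is the example's own choice.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_SERIALNR 32   /* same bound as SC_MAX_SERIALNR in OpenSC's types.h */
#define MAX_ID_LEN   64   /* object ID bound chosen for this example */
#define GUID_LEN     16

/* Simplified stand-in for OpenSC's sc_serial_number_t (IIN field omitted). */
struct serial_number {
    uint8_t value[MAX_SERIALNR];
    size_t len;
};

static int nibble(char c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Decode the printable hex string kept in tokeninfo->serial_number back into bytes.
 * Returns the byte count, or 0 for a NULL, empty, odd-length or non-hex string. */
size_t hex_to_bin(const char *hex, uint8_t *out, size_t out_len)
{
    size_t n = hex ? strlen(hex) : 0;
    if (n == 0 || n % 2 != 0 || n / 2 > out_len)
        return 0;
    for (size_t i = 0; i < n; i += 2) {
        int hi = nibble(hex[i]), lo = nibble(hex[i + 1]);
        if (hi < 0 || lo < 0)
            return 0;
        out[i / 2] = (uint8_t)((hi << 4) | lo);
    }
    return n / 2;
}

/* Encode bytes the way pkcs15.c fills tokeninfo->serial_number: "%02X" per byte,
 * NUL-terminated. out must hold 2*len+1 chars. */
void bin_to_hex(const uint8_t *in, size_t len, char *out)
{
    for (size_t i = 0; i < len; i++)
        sprintf(out + i * 2, "%02X", in[i]);
    out[len * 2] = '\0';
}

/* Serial used to diversify object GUIDs: the native card serial when the driver supplies
 * one (card->serialnr / SC_CARDCTL_GET_SERIALNR), else the TokenInfo string, as proposed
 * in the thread. Returns 0 on success, -1 when neither source is usable. */
int resolve_serial(const struct serial_number *card_serial, const char *tokeninfo_serial,
                   struct serial_number *out)
{
    memset(out, 0, sizeof(*out));
    if (card_serial != NULL && card_serial->len > 0) {
        *out = *card_serial;
        return 0;
    }
    out->len = hex_to_bin(tokeninfo_serial, out->value, sizeof(out->value));
    return out->len > 0 ? 0 : -1;
}

/* Object GUID as the thread describes it for builds without OpenSSL: object ID || serial,
 * truncated to 16 bytes (a shorter input is zero-padded here; example's choice). */
int derive_object_guid(const uint8_t *obj_id, size_t obj_id_len,
                       const struct serial_number *card_serial, const char *tokeninfo_serial,
                       uint8_t guid[GUID_LEN])
{
    struct serial_number serial;
    uint8_t buf[MAX_ID_LEN + MAX_SERIALNR];
    size_t n;

    if (obj_id == NULL || obj_id_len == 0 || obj_id_len > MAX_ID_LEN)
        return -1;
    if (resolve_serial(card_serial, tokeninfo_serial, &serial) != 0)
        return -1;
    memcpy(buf, obj_id, obj_id_len);
    memcpy(buf + obj_id_len, serial.value, serial.len);
    n = obj_id_len + serial.len;
    memset(guid, 0, GUID_LEN);
    memcpy(guid, buf, n < GUID_LEN ? n : GUID_LEN);
    return 0;
}

int main(void)
{
    /* Constructed inputs modelled on the thread: one-byte object ID 01, no native serial
     * (card_ctl(5) unsupported) with TokenInfo serial "0000", versus --serial 4242...42. */
    const uint8_t id01[] = { 0x01 };
    uint8_t guid_a[GUID_LEN], guid_b[GUID_LEN], guid_c[GUID_LEN];
    char hex[2 * GUID_LEN + 1];
    derive_object_guid(id01, 1, NULL, "0000", guid_a);                              /* MUSCLE card 1 */
    derive_object_guid(id01, 1, NULL, "0000", guid_b);                              /* MUSCLE card 2 */
    derive_object_guid(id01, 1, NULL, "42424242424242424242424242424242", guid_c);  /* IsoApplet */
    bin_to_hex(guid_a, GUID_LEN, hex);
    printf("GUID, TokenInfo serial 0000 : %s (identical on every such card: %s)\n", hex,
           memcmp(guid_a, guid_b, GUID_LEN) == 0 ? "yes" : "no");
    bin_to_hex(guid_c, GUID_LEN, hex);
    printf("GUID, pkcs15-init --serial  : %s\n", hex);
    return 0;
}
```

Two MUSCLE cards initialised with the same one-byte object ID and the placeholder serial get the same GUID, which is the stability-versus-uniqueness trade-off the thread is about.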

Re: AT_SIGNATURE and AT_EXCHANGE Problem

Viktor Tarasov-3
On 01/25/2015 01:07 AM, Philip Wendland wrote:

> On 01/24/2015 11:23 PM, Viktor Tarasov wrote:
>> On 01/24/2015 07:45 PM, Douglas E Engert wrote:
>>> Who added sc_pkcs15_get_object_guid to the code?
>> Me
>>
>>
>>> Why did it use the card->serialnr or the tokeninfo->serial_number first?
>> Object GUID has to be stable and sufficiently unique (at least for the cards of the same group/type/...).
>> In ancient OpenSC tradition the ID of PKCS#15 objects is one byte -- the same value for all cards initiated with OpenSC.
>>
>> That's why the object GUID is created from the Object ID concatenated with the card's serial.
>> Only the first 16 bytes are needed for the GUID, so if the Object ID is long (SHA1 or similar in 'modern' OpenSC), the serial number does not (cannot) participate in the GUID.
>> (This is true for builds without OpenSSL. With OpenSSL all data participates because it is SHA1-hashed before being used to get the GUID.)
>>
>> Minidriver defines the cardid from TokenInfo->serialnb and does not use the CARDCTL call.
>>
>> We can change sc_pkcs15_get_object_guid() and make up for the absence of a supported "GET_SERIAL" CTL call
>> by using TokenInfo->serialnb to diversify the object GUID.
>> This way it will not affect the existing card support and cards.
>>
> This could be done to preserve the existing behavior.
>
> Is there a use case for users to explicitly specify a serial number
> manually (pkcs15-init -C --serial) even if the GET_SERIALNR CTL is
> implemented?

With the '--serial' option TokenInfo->serial is set. Without this option TokenInfo->serial is set from the card's native serial.

> If there is one, the serial set by the user would be ignored in this
> function for cards that implement the CTL (the CTL/HW serial would be
> preferred).
> This is currently the case as well.
AFAIS not. The user-supplied serial is written to TokenInfo.


> If the CTL is not implemented, the tokeninfo->serial_number might be
> "0000" or similar. This could have side-effects.
I do not follow what for; maybe I miss something from the earlier discussion.
The PKCS#15 framework uses TokenInfo; in other cases it's the card's serial.
In the particular case of 'get-object-guid': if there is no native serial, use the one from TokenInfo (as proposed).



>
>>> And it appears to be trying to get a GUID for an object, and not for the card.
>> Only to get GUID of object. Cardid in minidriver is taken from TokenInfo.
>>
>>> Will it provide the same GUID for more than one object on the card?
>> No. A PKCS#15 card should not have two objects of the same type with the same Object ID.
>>
>>
>>>
>>> On 1/24/2015 9:54 AM, Philip Wendland wrote:
>>>> From what I have seen, the card->serialnr is used by card driver cardctl
>>>> implementations to cache the serial number that is returned by
>>>> SC_CARDCTL_GET_SERIALNR.
>>>>
>>>> At some other places in the minidriver, the
>>>> p15card->tokeninfo->serial_number (char *) is converted to
>>>> sc_serial_number_t (u8[]) using sc_hex_to_bin(). The
>>>> p15card->tokeninfo->serial_number seems to be the character string
>>>> representation of the binary serial number.
>>>>
>>>> A solution in sc_pkcs15_get_object_guid() would be to use the
>>>> p15card->tokeninfo->serial_number if not NULL and convert it to bin. If
>>>> it is not filled in, the cardctl could be called to preserve the
>>>> existing behavior for cards that do not fill the tokeninfo->.. .
>>>> I am currently investigating where and if the tokeninfo->.. is filled
>>>> for several types of cards.
>>> I have been looking at this too and that sounds reasonable, but it does not cover all cards.
>>>
>>> Here is what I have so far. It is complicated by the fact that a card may have a serial number,
>>> but a PKCS#15 card may also have a tokenInfo file that contains a serial number.
>>> One or both may be missing, and they may not be the same. As you pointed out, pkcs15init
>>> has a parameter for serial.
>>>
>>> There are cards that:
>>>
>>>     o ALWAYS set the card->serialnr.
>>>
>>>     o ONLY set the card->serialnr if a card_ctl (SC_CARDCTL_GET_SERIALNR) is made.
>>>
>>>     o DON'T set the card->serialnr because they don't support card_ctl(SC_CARDCTL_GET_SERIALNR).
>>>
>>>     o Set card->serialnr during an INIT routine. They may have a card_ctl(SC_CARDCTL_GET_SERIALNR)
>>>       that returns the card->serialnr.
>>>
>>> Then there are the PKCS#15 modules that set the tokeninfo->serial_number:
>>>     o  pkcs15.c will read the tokeninfo file, parse it and, if present, set the tokeninfo->serial_number
>>>        and use card->serialnr if needed.
>>>        BUT if there is no tokeninfo file it will not create the tokeninfo.
>>>
>>>     o  PKCS15 emulation modules may also set tokeninfo->serial
>>>
>>>
>>> CARD SERIALNR
>>>
>>> types.h: /* structure for the card serial number (normally the ICCSN) */
>>> #define SC_MAX_SERIALNR         32
>>> typedef struct sc_serial_number {
>>>            unsigned char value[SC_MAX_SERIALNR];
>>>            size_t len;
>>>
>>>            struct sc_iin iin;
>>> } sc_serial_number_t;
>>>
>>> Above is contained in  sc_card_t as
>>>      struct sc_serial_number serialnr;
>>>
>>>     These card drivers all refer to card->serialnr:
>>>
>>> ./libopensc/card-epass2003.c
>>>        ONLY epass2003_card_ctl calls epass2003_get_serialnr
>>>
>>> ./libopensc/card-authentic.c
>>>      ALWAYS authentic_init and authentic_card_ctl call authentic_get_serialnr
>>>
>>> ./libopensc/card-myeid.c
>>>        ONLY myeid_card_ctl calls myeid_get_serialnr
>>>
>>> ./libopensc/card-iasecc.c
>>>        ALWAYS iasecc_init and iasecc_card_ctl call iasecc_get_serialnr
>>>
>>> ./libopensc/card-starcos.c
>>>        ONLY starcos_card_ctl calls starcos_get_serialnr
>>>
>>> ./libopensc/card-akis.c
>>>        ONLY akis_card_ctl calls  akis_get_serialnr
>>>
>>> ./libopensc/card-flex.c
>>>      ONLY flex_card_ctl calls flex_get_serialnr
>>>
>>> ./libopensc/card-openpgp.c
>>>       ALWAYS pgp_init sets card->serialnr   pgp_card_ctl uses card->serialnr
>>>
>>> ./libopensc/card-cardos.c
>>>      ONLY cardos_card_ctl calls  cardos_get_serialnr
>>>
>>> ./libopensc/card-asepcos.c
>>>      ONLY asepcos_card_ctl calls asepcos_get_serialnr
>>>
>>> ./libopensc/card-piv.c
>>>      ONLY piv_card_ctl will call piv_get_serial_nr_from_CHUI
>>>
>>> ./libopensc/card-acos5.c
>>>      ONLY acos5_card_ctl calls acos5_get_serialnr
>>>
>>> ./libopensc/card-itacns.c
>>>      ONLY itacns_card_ctl calls itacns_get_serialnr
>>>
>>> ./libopensc/iasecc-sm.c
>>>      does: sm_info->serialnr = card->serialnr;
>>>
>>> ./libopensc/card-entersafe.c
>>>      ONLY entersafe_card_ctl_2048 calls entersafe_get_serialnr
>>>
>>> ./libopensc/card-atrust-acos.c
>>>      ONLY atrust_acos_card_ctl calls acos_get_serialnr
>>>
>>> ./libopensc/card-oberthur.c
>>>      INIT auth_select_aid sets card->serialnr, auth_card_ctl calls auth_get_serialnr which uses card->serialnr
>>>
>>> ./libopensc/card-dnie.c
>>>      ONLY dnie_card_ctl calls dnie_get_serialnr
>>>
>>> ./libopensc/card-gpk.c
>>>      ONLY gpk_card_ctl calls  gpk_get_serialnr and only supported for GPK16000
>>>
>>> ./libopensc/card-tcos.c
>>>      ONLY tcos_card_ctl calls tcos_get_serialnr
>>>
>>>
>>> TOKENINFO SERIAL_NUMBER
>>>
>>> serial number as an ASCII null-terminated printable string used in sc_pkcs15_tokeninfo
>>> typedef struct sc_pkcs15_tokeninfo { ...
>>>            char *serial_number; ...
>>> } sc_pkcs15_tokeninfo_t;
>>>
>>> pkcs15.c sc_pkcs15_parse_tokeninfo() converts hex to ASCII
>>> using
>>>                 for (ii = 0; ii < serial_len; ii++) {
>>>                         char byte[3];
>>>
>>>                         sprintf(byte, "%02X", serial[ii]);
>>>                         strcat(ti->serial_number, byte);
>>>                 }
>>>
>>>     Null terminated, and length can be found.
>>>
>>>     These files call sc_pkcs15_parse_tokeninfo:
>>>     ./libopensc/pkcs15-dnie.c
>>>     ./libopensc/pkcs15-sc-hsm.c
>>>     ./libopensc/pkcs15-pteid.c
>>>
>>> But, why, do they need to if pkcs15.c is parsing the tokenInfo too?
>>>
>>>     ./libopensc/pkcs15.c
>>>        sc_pkcs15_bind_internal will try to read the "EF(TokenInfo) file"
>>> then call sc_pkcs15_parse_tokeninfo
>>>
>>> BUT it will only do the following if there was an "EF(TokenInfo) file".
>>> If not, no attempt to use the card->serialnr is made.
>>>
>>>         if (!p15card->tokeninfo->serial_number && card->serialnr.len)   {
>>>                 char *serial = calloc(1, card->serialnr.len*2 + 1);
>>>                 size_t ii;
>>>
>>>                 for(ii=0;ii<card->serialnr.len;ii++)
>>>                         sprintf(serial + ii*2, "%02X", *(card->serialnr.value + ii));
>>>
>>>                 p15card->tokeninfo->serial_number = serial;
>>>
>>> ./libopensc/pkcs15-openpgp.c
>>> sc_pkcs15emu_openpgp_init will use serialnr if present, and set tokeninfo->serial_number
>>>
>>> ./libopensc/pkcs15-oberthur.c
>>>      sc_pkcs15emu_oberthur_init will use serialnr if present, and set tokeninfo->serial_number
>>>
>>> What should other pkcs15 emulation modules be doing?
>>>
>>>
>>>> An open question for PKCS#15-cards is if the number found in
>>>> EF(TokenInfo) is (a) always present and (b) is equal to what is returned
>>>> by the cardctl function currently used in the minidriver.
>>>>
>>>> On 01/23/2015 08:42 PM, Douglas E Engert wrote:
>>>>> OK, a step in the right direction, but any change must make sure that sc_pkcs15_get_object_guid()
>>>>> returns the same thing as it does now for existing cards.
>>>>> The pkcs15->tokeninfo contains a char* of up to 32 bytes, but no length, and it may be padded with blanks.
>>>>> The card->serialnr is hex. Some research on what OpenSC is doing for all cards may be needed
>>>>> if a change is to be made in only sc_pkcs15_get_object_guid.
>>>>> Not clear if the card->serialnr is filled in from pkcs15->tokeninfo.
>>>>>
>>>>> On 1/23/2015 11:08 AM, Philip Wendland wrote:
>>>>>> On 01/23/2015 04:54 PM, Douglas E Engert wrote:
>>>>>>> After looking closer at the code for minidriver, serial number and card_ctl...
>>>>>>>
>>>>>>> The minidriver in md_set_cardid() uses the serial number from
>>>>>>> p15card->tokeninfo->serial_number
>>>>>>>
>>>>>>> The minidriver also calls sc_pkcs15_get_object_guid() in pkcs15.c which *does* call
>>>>>>> sc_card_ctl(p15card->card, SC_CARDCTL_GET_SERIALNR, &serialnr);
>>>>>>>
>>>>>>> ***THIS MAY BE THE PROBLEM***
>>>>>>>
>>>>>>> Why does  sc_pkcs15_get_object_guid not use p15card->tokeninfo->serial_number?
>>>>>>>
>>>>>>> PKCS#15 defines the ASN.1 TokenInfo which has serialNumber OCTET STRING.
>>>>>>>
>>>>>>> Do all PKCS#15 cards have this file?
>>>>>>> Do they all fill in the serial_number?
>>>>>>>
>>>>>>> For cards doing PKCS#15 emulation, their pkcs15-*.c drivers should be filling in the
>>>>>>> p15card->tokeninfo->serial_number.
>>>>>>>
>>>>>>> Thus the minidriver should not depend on card-ctl if the p15card->tokeninfo->serial_number
>>>>>>> is properly filled in.
>>>>>>>
>>>>>>> So the requirement for windows that a card driver have a card_ctl for serial_number
>>>>>>> may be that the p15card->tokeninfo->serial_number must be filled in.
>>>>>>>
>>>>>> Very interesting find.
>>>>>>
>>>>>> See also:
>>>>>> $ pkcs15-tool -D
>>>>>> PKCS#15 Card [JavaCard isoApplet]:
>>>>>> Version        : 0
>>>>>> Serial number  : 0000
>>>>>>
>>>>>> I think this is the serial number from the EF(TokenInfo). Version seems
>>>>>> to be TokenInfo.version defined in PKCS#15, namely the PKCS#15 version
>>>>>> the card conforms to.
>>>>>>
>>>>>> I followed the code path in pkcs15-init from creating the file
>>>>>> structure. It goes to do_init_app(), which calls sc_pkcs15init_add_app()
>>>>>> in pkcs15-lib.c.
>>>>>> The code at line 866 ff. seems to fit very well to your point (that the
>>>>>> minidriver should first read the EF(TokenInfo), and call the cardctl
>>>>>> only if this is not possible):
>>>>>>
>>>>>> /* set serial number if explicitly specified */
>>>>>> if (args->serial)   {
>>>>>> sc_pkcs15init_set_serial(profile, args->serial);
>>>>>> }
>>>>>> else {
>>>>>> /* otherwise try to get the serial number from the card */
>>>>>> struct sc_serial_number serialnr;
>>>>>> r = sc_card_ctl(card, SC_CARDCTL_GET_SERIALNR, &serialnr);
>>>>>> (...)
>>>>>>
>>>>>>
>>>>>> Here is an example of how to set the IsoApplet up with a serial number
>>>>>> in EF(TokenInfo) (without any modification to the driver or applet):
>>>>>>
>>>>>> [*@*]$ pkcs15-init -C --serial 42424242424242424242424242424242
>>>>>> Using reader with a card: Cherry GmbH SmartTerminal ST-2xxx [Vendor
>>>>>> Interface] (21121440179920) 00 00
>>>>>> New User PIN.
>>>>>> Please enter User PIN:
>>>>>> Please type again to verify:
>>>>>> Unblock Code for New User PIN (Optional - press return for no PIN).
>>>>>> Please enter User unblocking PIN (PUK):
>>>>>> Please type again to verify:
>>>>>> User PIN [User PIN] required.
>>>>>> Please enter User PIN [User PIN]:
>>>>>>
>>>>>> [*@*]$ pkcs15-tool -D
>>>>>> Using reader with a card: Cherry GmbH SmartTerminal ST-2xxx [Vendor
>>>>>> Interface] (21121440179920) 00 00
>>>>>> PKCS#15 Card [JavaCard isoApplet]:
>>>>>> Version        : 0
>>>>>> Serial number  : 42424242424242424242424242424242
>>>>>>
>>>>>>
>>>>>> So with changing the minidriver accordingly, it should be able to get
>>>>>> the serial number.
>>>>>>
>>>>>>> Even Microsoft does not require a serial number, but a CP_CARD_GUID that in their abstraction
>>>>>>> of a smart card is contained in the cardId file.
>>>>>>> See https://msdn.microsoft.com/en-us/library/windows/hardware/dn631754
>>>>>>> Under V7.07, Section 5.4.1 Card Identifier.
>>>>>>>
>>>>>> Interesting as well:
>>>>>> "This value is assigned by Microsoft software to assure that a unique
>>>>>> value is generated for the card. It is unrelated to the serial number
>>>>>> that may or may not be assigned to the card during manufacture."
>>>>>>
>>>>>>
>>>>>>> For example the PIV card edge specifications are defined by NIST, and implemented
>>>>>>> by multiple vendors. There is no "serial number" or a cardId file, but there is an object
>>>>>>> defined called the CHUID.
>>>>>>>
>>>>>>>       https://www.idmanagement.gov/sites/default/files/documents/PACS.pdf
>>>>>>>
>>>>>>> It contains a "Federal Agency Smart Credential Number" (FASC-N) which was used
>>>>>>> by the U.S. federal government, but to make the specifications more usable for
>>>>>>> non-government, it can also contain a GUID. Section 2 of the above goes into
>>>>>>> detail on these.
>>>>>>>
>>>>>>> The OpenSC PIV card driver is emulating PKCS#15 so to get a serial number,
>>>>>>> pkcs15-piv.c uses card_ctl to have the card-piv.c read the CHUID,
>>>>>>> and use the FASC-N or GUID as defined above. The Microsoft built-in driver will
>>>>>>> also use the CHUID, and derive a number it can use as the cardId.
>>>>>>>
>>>>>>> The point being, the intent is to give Microsoft a unique number for a card,
>>>>>>> unique in the sense that all the cards used on a local system have different numbers.
>>>>>>> (Other uses of the number may require it to be globally unique...)
>>>>>>>
>>>>>>> The same number should be returned by the card each time so cached certificates
>>>>>>> can be associated with a card containing the matching key.
>>>>>>>
>>>>>>> How that number is obtained for the card is up to the applet.
>>>>>>>
>>>>>>>>> Nevertheless, the presence of the "get serial" card control is out of sync
>>>>>>>>> with the rest of the framework. Why is there a mandatory "extension" for
>>>>>>>>> something that should be part of the core?
>>>>>>> Because it is only mandatory for some systems. It was an afterthought, otherwise ISO 7816
>>>>>>> would have defined a serial number.
>>>>>>>
>>>>>>>
>>>>>>>>> It either should be a required
>>>>>>>>> part of the usual card function structure, maybe with some sensible
>>>>>>>>> defaults or fallbacks or the "serial" must be derived from some unique data
>>>>>>>>> (certificate?) if the callback is not there or no data present.
>>>>>>> Yes, but if the card has many certificates, that can be changed independently,
>>>>>>> that will not work very well.
>>>>>>>
>>>>>>> One of the first OpenSC commands a user tries is opensc-tool --serial
>>>>>>> 23 of the 33 or so card-*.c support reading a serial number, because it
>>>>>>> is still optional.
>>>>>>>
>>>>>>> Thus the minidriver in md_set_cardid() uses the serial number from
>>>>>>> p15card->tokeninfo->serial_number
>>>>>>>
>>>>>>> The minidriver also calls sc_pkcs15_get_object_guid() in pkcs15.c which does call
>>>>>>> sc_card_ctl(p15card->card, SC_CARDCTL_GET_SERIALNR, &serialnr);
>>>>>>>
>>>>>>> ***THIS MAY BE THE PROBLEM***
>>>>>>>
>>>>>>> Should sc_pkcs15_get_object_guid look at p15card->tokeninfo->serial_number?
>>>>>>>
>>>>>>> For a PKCS#15 card with the tokeninfo there
>>>>>>> is ASN.1 TokenInfo which has serialNumber OCTET STRING.
>>>>>>>
>>>>>>> For cards doing PKCS#15 emulation, their pkcs15-*.c drivers should be filling in the
>>>>>>> p15card->tokeninfo->serial_number.
>>>>>>>
>>>>>>> Thus the minidriver should not depend on cardctl if the
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>> I kind of agree. When writing card drivers for OpenSC you usually look
>>>>>>>> at the sc_card_operations struct, for me it was not clear for a long
>>>>>>>> time that the SC_CARDCTL_GET_SERIALNR cardctl is required for windows
>>>>>>>> functionality.
>>>>>>>> (Windows-support was never a requirement for the isoapplet anyway,
>>>>>>>> until now.)
>>>>>>> I would expect nowadays, Windows support would be highly desirable,
>>>>>>> and the OpenSC minidriver can do that if there is a way to get a serial number
>>>>>>> from the card driver.
>>>>>>>
>>>>>>>
>>>>>>>>> The question is how to "grow" the framework: either extend the card
>>>>>>>>> function pointers (that right now is almost 1:1 ISO and old, first
>>>>>>>>> implementations) or via card controls. I would choose extending the card
>>>>>>>>> function pointers.
>>>>>>>>>
>>>>>>>>> Also, the requirements for the "serial" must be written down: for
>>>>>>>>> example, if the serial remains the same but card content changes, does this
>>>>>>>>> matter? does this affect some caching somewhere? Is the serial binary or
>>>>>>>>> string, how long? Is it supposed to be globally unique or just for a batch?
>>>>>>>>>
>>>>>>>>> Martin
>>>>>>>>>
>>>>>>>>> On Mon Jan 19 2015 at 7:55:44 PM Philip Wendland <[hidden email]>
>>>>>>>>> wrote:
>>>>>>>>>
>>>>>>>>>> Hi,
>>>>>>>>>>
>>>>>>>>>> I will try to solve this problem for the IsoApplet this weekend. My
>>>>>>>>>> spare time is limited until then.
>>>>>>>>>>
>>>>>>>>>> However, the problem will be to find a unique identifier for any generic
>>>>>>>>>> card..
>>>>>>>>>>
>>>>>>>>>> Kind regards,
>>>>>>>>>> Philip
>>>>>>>>>>
>>>>>>>>>> On 19.01.2015 17:26, Douglas E Engert wrote:
>>>>>>>>>>> [I should have sent this to the opensc-devel, as others can address some
>>>>>>>>>>> of your questions about the state of the muscle applet and isoapplet].
>>>>>>>>>>>
>>>>>>>>>>> No, That fix was for the card-itacns.c, you are using the card-muscle.c.
>>>>>>>>>>>
>>>>>>>>>>> Some equivalent code needs to be added to card-muscle.c, to use whatever
>>>>>>>>>>> information is available that windows could use to uniquely identify the card.
>>>>>>>>>>> This is then stored with the certificates in the windows store.
>>>>>>>>>>> At a later time, windows uses certificates from the store and can then
>>>>>>>>>>> prompt to have the card mounted, so it can use the matching key on the card.
>>>>>>>>>>>
>>>>>>>>>>> You or someone else that can test a mod to card-muscle.c could submit a
>>>>>>>>>>> code change.
>>>>>>>>>>> There are 33 card-*.c files, 24 support SC_CARDCTL_GET_SERIALNR. 11 do not.
>>>>>>>>>>> card-belpic.c
>>>>>>>>>>> card-default.c
>>>>>>>>>>> card-gemsafeV1.c
>>>>>>>>>>> card-ias.c
>>>>>>>>>>> card-incrypto34.c
>>>>>>>>>>> card-jcop.c
>>>>>>>>>>> card-mcrd.c
>>>>>>>>>>> card-miocos.c
>>>>>>>>>>> card-muscle.c
>>>>>>>>>>> card-setcos.c
>>>>>>>>>>> iso7816.c
>>>>>>>>>>>
>>>>>>>>>>> Cards that support SC_CARDCTL_GET_SERIALNR
>>>>>>>>>>> card-acos5.c
>>>>>>>>>>> card-akis.c
>>>>>>>>>>> card-asepcos.c
>>>>>>>>>>> card-atrust-acos.c
>>>>>>>>>>> card-authentic.c
>>>>>>>>>>> card-cardos.c
>>>>>>>>>>> card-dnie.c
>>>>>>>>>>> card-entersafe.c
>>>>>>>>>>> card-epass2003.c
>>>>>>>>>>> card-flex.c
>>>>>>>>>>> card-gpk.c
>>>>>>>>>>> card-iasecc.c
>>>>>>>>>>> card-itacns.c
>>>>>>>>>>> card-myeid.c
>>>>>>>>>>> card-oberthur.c
>>>>>>>>>>> card-openpgp.c
>>>>>>>>>>> card-piv.c
>>>>>>>>>>> card-rtecp.c
>>>>>>>>>>> card-rutoken.c
>>>>>>>>>>> card-sc-hsm.c
>>>>>>>>>>> card-starcos.c
>>>>>>>>>>> card-tcos.c
>>>>>>>>>>> card-westcos.c
>>>>>>>>>>>
>>>>>>>>>>>
>>>>>>>>>>> To answer some other questions you asked in a private e-mail:
>>>>>>>>>>>
>>>>>>>>>>> iso7816.c which implements the basic ISO commands does not support any
>>>>>>>>>>> card_ctl commands.
>>>>>>>>>>> I believe that the IsoApplet is designed to use the iso7816.c. I am not
>>>>>>>>>>> sure if the concept of a unique "serial number" is part of ISO7816.
>>>>>>>>>>>
>>>>>>>>>>> I also don't know the state of the muscle applet, or if it has something
>>>>>>>>>>> that can be used as a serial number either.
>>>>>>>>>>>
>>>>>>>>>>> On 1/19/2015 8:37 AM, Michael Heydemann wrote:
>>>>>>>>>>>> WOW.. Thank you a lot.. I think I owe you a beer..
>>>>>>>>>>>>
>>>>>>>>>>>> I checked the fix is from November last year, and the 0.14 version is
>>>>>>>>>>>> from summer last year.
>>>>>>>>>>>> Does this mean, that the nightly build could fix this?
>>>>>>>>>>>> What version I should pull/download?
>>>>>>>>>>>>
>>>>>>>>>>>> Thank you a lot,
>>>>>>>>>>>> Michael
>>>>>>>>>>>>
>>>>>>>>>>>>> On 19.01.2015 at 14:35, Douglas E Engert <[hidden email]> wrote:
>>>>>>>>>>>>>
>>>>>>>>>>>>> This is the same problem as:
>>>>>>>>>>>>>
>>>>>>>>>>>>>        https://github.com/OpenSC/OpenSC/pull/321
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>> 2015-01-19 09:49:34.203 [cardmod] card.c:720:sc_card_ctl: called
>>>>>>>>>>>>> 2015-01-19 09:49:34.203 card_ctl(5) not supported
>>>>>>>>>>>>>
>>>>>>>>>>>>> The card-muscle.c (and others in OpenSC) does not support SC_CARDCTL_GET_SERIALNR
>>>>>>>>>>>>> to get a card "serial number" which windows requires.
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>>>> On 1/19/2015 3:30 AM, Michael Heydemann wrote:
>>>>>>>>>>>>>> Dear OpenSC Development Team,
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> First of all, I would like to say that I really appreciate your great work.
>>>>>>>>>>>>>> I am working on a little project and explored all the nice tools of OpenSC.
>>>>>>>>>>>>>> Unfortunately, for one week now I have not been able to get around a certain problem.
>>>>>>>>>>>>>> I hope this mailing list is the right place and you can help me with that.
>>>>>>>>>>>>>> My project is about (1) setting up a PKCS#11 key store on a Java Card,
>>>>>>>>>>>>>> (2) loading some test data (keys and certificates) on it, and (3) using the card
>>>>>>>>>>>>>> with the Windows 7 Key Management.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Hardware:
>>>>>>>>>>>>>> * Card Reader: Omnikey 3121USB
>>>>>>>>>>>>>> * Java Card: J2A080 - NXP, 80k
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> (1) Setting up PKCS#11 key store:
>>>>>>>>>>>>>> I have installed Ubuntu 14.04.1 in VirtualBox and wrote a bunch of bash scripts
>>>>>>>>>>>>>> to install all required software, installing muscle applet to the card, and
>>>>>>>>>>>>>> removing the muscle applet from the card. I followed the instructions on
>>>>>>>>>>>>>> http://blog.ev0ke.net/muscle-jcop/ and everything worked well.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> (2) Loading some test data:
>>>>>>>>>>>>>> I tried some different ways to get some keys and certificates on the card.
>>>>>>>>>>>>>> None of them delivered data which is accepted by Windows 7.
>>>>>>>>>>>>>> Here is one set of data I created:
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> ***************************************************************************************
>>>>>>>>>>>>>> Using reader with a card: OMNIKEY CardMan (076B:3022) 3021 00 00
>>>>>>>>>>>>>> PKCS#15 Card [MUSCLE]:
>>>>>>>>>>>>>> Version        : 0
>>>>>>>>>>>>>> Serial number  : 0000
>>>>>>>>>>>>>> Manufacturer ID: Identity Alliance
>>>>>>>>>>>>>> Last update    : 20150119080705Z
>>>>>>>>>>>>>> Flags          : EID compliant
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> PIN [User PIN]
>>>>>>>>>>>>>> Object Flags   : [0x3], private, modifiable
>>>>>>>>>>>>>> ID             : 01
>>>>>>>>>>>>>> Flags          : [0x10], initialized
>>>>>>>>>>>>>> Length         : min_len:4, max_len:8, stored_len:8
>>>>>>>>>>>>>> Pad char       : 0x00
>>>>>>>>>>>>>> Reference      : 1
>>>>>>>>>>>>>> Type           : ascii-numeric
>>>>>>>>>>>>>> Path           : 3f005015
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Private RSA Key [Card Owner]
>>>>>>>>>>>>>> Object Flags   : [0x3], private, modifiable
>>>>>>>>>>>>>> Usage          : [0x2E], decrypt, sign, signRecover, unwrap
>>>>>>>>>>>>>> Access Flags   : [0x0]
>>>>>>>>>>>>>> ModLength      : 1024
>>>>>>>>>>>>>> Key ref        : 0 (0x0)
>>>>>>>>>>>>>> Native         : yes
>>>>>>>>>>>>>> Path           : 3f005015
>>>>>>>>>>>>>> Auth ID        : 01
>>>>>>>>>>>>>> ID             : 01
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Public RSA Key [Card Owner]
>>>>>>>>>>>>>> Object Flags   : [0x2], modifiable
>>>>>>>>>>>>>> Usage          : [0xD1], encrypt, wrap, verify, verifyRecover
>>>>>>>>>>>>>> Access Flags   : [0x0]
>>>>>>>>>>>>>> ModLength      : 1024
>>>>>>>>>>>>>> Key ref        : 0
>>>>>>>>>>>>>> Native         : no
>>>>>>>>>>>>>> Path           : 3f0050153000
>>>>>>>>>>>>>> ID             : 01
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> X.509 Certificate [Card Owner Certificate]
>>>>>>>>>>>>>> Object Flags   : [0x2], modifiable
>>>>>>>>>>>>>> Authority      : no
>>>>>>>>>>>>>> Path           : 3f0050153100
>>>>>>>>>>>>>> ID             : 01
>>>>>>>>>>>>>> Encoded serial : 02 09 00F695059953A904F9
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> X.509 Certificate [Contact 2 Certificate]
>>>>>>>>>>>>>> Object Flags   : [0x2], modifiable
>>>>>>>>>>>>>> Authority      : no
>>>>>>>>>>>>>> Path           : 3f0050153101
>>>>>>>>>>>>>> ID             : 02
>>>>>>>>>>>>>> Encoded serial : 02 09 00F695059953A904F9
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> X.509 Certificate [Contact 3 Certificate]
>>>>>>>>>>>>>> Object Flags   : [0x2], modifiable
>>>>>>>>>>>>>> Authority      : no
>>>>>>>>>>>>>> Path           : 3f0050153102
>>>>>>>>>>>>>> ID             : 03
>>>>>>>>>>>>>> Encoded serial : 02 09 00F695059953A904F9
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> X.509 Certificate [Contact 4 Certificate]
>>>>>>>>>>>>>> Object Flags   : [0x2], modifiable
>>>>>>>>>>>>>> Authority      : no
>>>>>>>>>>>>>> Path           : 3f0050153103
>>>>>>>>>>>>>> ID             : 04
>>>>>>>>>>>>>> Encoded serial : 02 09 00F695059953A904F9
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> X.509 Certificate [Contact 5 Certificate]
>>>>>>>>>>>>>> Object Flags   : [0x2], modifiable
>>>>>>>>>>>>>> Authority      : no
>>>>>>>>>>>>>> Path           : 3f0050153104
>>>>>>>>>>>>>> ID             : 05
>>>>>>>>>>>>>> Encoded serial : 02 09 00F695059953A904F9
>>>>>>>>>>>>>> ***************************************************************************************
>>>>>>>>>>>>>> (3) Using the card in Windows 7:
>>>>>>>>>>>>>> I installed Windows 7 64 Bit in a VirtualBox and installed
>>>>>>>>>>>>>> OpenSC-0.12.2-win64.msi. I also tried OpenSC-0.14.0-win64.msi,
>>>>>>>>>>>>>> but with the same result.
>>>>>>>>>>>>>> I acquired the ATR of the card and properly installed my opensc-minidriver.inf:
>>>>>>>>>>>>>> ***************************************************************************************
>>>>>>>>>>>>>> [Version]
>>>>>>>>>>>>>> Signature="$Windows NT$"
>>>>>>>>>>>>>> Class=SmartCard
>>>>>>>>>>>>>> ClassGuid={990A2BD7-E738-46c7-B26F-1CF8FB9F1391}
>>>>>>>>>>>>>> Provider=%ProviderName%
>>>>>>>>>>>>>> CatalogFile=delta.cat
>>>>>>>>>>>>>> DriverVer=05/02/2010,@OPENSC_VERSION_MAJOR@,@OPENSC_VERSION_MINOR@,@OPENSC_VERSION_FIX@,0
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> [Manufacturer]
>>>>>>>>>>>>>> %ProviderName%=Minidriver,NTamd64,NTamd64.6.1,NTx86,NTx86.6.1
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> [Minidriver.NTamd64]
>>>>>>>>>>>>>> %CardDeviceName%=Minidriver64_Install,SCFILTER\CID_00640181010c829000
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> [Minidriver.NTx86]
>>>>>>>>>>>>>> %CardDeviceName%=Minidriver32_Install,SCFILTER\CID_00640181010c829000
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> [Minidriver.NTamd64.6.1]
>>>>>>>>>>>>>> %CardDeviceName%=Minidriver64_61_Install,SCFILTER\CID_00640181010c829000
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> [Minidriver.NTx86.6.1]
>>>>>>>>>>>>>> %CardDeviceName%=Minidriver32_61_Install,SCFILTER\CID_00640181010c829000
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> [DefaultInstall]
>>>>>>>>>>>>>> CopyFiles=x86_CopyFiles
>>>>>>>>>>>>>> AddReg=AddRegDefault
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> [DefaultInstall.ntamd64]
>>>>>>>>>>>>>> CopyFiles=amd64_CopyFiles
>>>>>>>>>>>>>> CopyFiles=wow64_CopyFiles
>>>>>>>>>>>>>> AddReg=AddRegWOW64
>>>>>>>>>>>>>> AddReg=AddRegDefault
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> [DefaultInstall.NTx86]
>>>>>>>>>>>>>> CopyFiles=x86_CopyFiles
>>>>>>>>>>>>>> AddReg=AddRegDefault
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> [DefaultInstall.ntamd64.6.1]
>>>>>>>>>>>>>> AddReg=AddRegWOW64
>>>>>>>>>>>>>> AddReg=AddRegDefault
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> [DefaultInstall.NTx86.6.1]
>>>>>>>>>>>>>> AddReg=AddRegDefault
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> [SourceDisksFiles]
>>>>>>>>>>>>>> %SmartCardCardModule%=1
>>>>>>>>>>>>>> %SmartCardCardModule64%=1
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> [SourceDisksNames]
>>>>>>>>>>>>>> 1 = %MediaDescription%
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> [Minidriver64_Install.NT]
>>>>>>>>>>>>>> CopyFiles=amd64_CopyFiles
>>>>>>>>>>>>>> CopyFiles=wow64_CopyFiles
>>>>>>>>>>>>>> AddReg=AddRegWOW64
>>>>>>>>>>>>>> AddReg=AddRegDefault
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> [Minidriver64_61_Install.NT]
>>>>>>>>>>>>>> AddReg=AddRegWOW64
>>>>>>>>>>>>>> AddReg=AddRegDefault
>>>>>>>>>>>>>> Include=umpass.inf
>>>>>>>>>>>>>> Needs=UmPass
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> [Minidriver32_Install.NT]
>>>>>>>>>>>>>> CopyFiles=x86_CopyFiles
>>>>>>>>>>>>>> AddReg=AddRegDefault
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> [Minidriver32_61_Install.NT]
>>>>>>>>>>>>>> AddReg=AddRegDefault
>>>>>>>>>>>>>> Include=umpass.inf
>>>>>>>>>>>>>> Needs=UmPass
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> [Minidriver64_61_Install.NT.Services]
>>>>>>>>>>>>>> Include=umpass.inf
>>>>>>>>>>>>>> Needs=UmPass.Services
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> [Minidriver32_61_Install.NT.Services]
>>>>>>>>>>>>>> Include=umpass.inf
>>>>>>>>>>>>>> Needs=UmPass.Services
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> [Minidriver64_61_Install.NT.HW]
>>>>>>>>>>>>>> Include=umpass.inf
>>>>>>>>>>>>>> Needs=UmPass.HW
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> [Minidriver64_61_Install.NT.CoInstallers]
>>>>>>>>>>>>>> Include=umpass.inf
>>>>>>>>>>>>>> Needs=UmPass.CoInstallers
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> [Minidriver64_61_Install.NT.Interfaces]
>>>>>>>>>>>>>> Include=umpass.inf
>>>>>>>>>>>>>> Needs=UmPass.Interfaces
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> [Minidriver32_61_Install.NT.HW]
>>>>>>>>>>>>>> Include=umpass.inf
>>>>>>>>>>>>>> Needs=UmPass.HW
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> [Minidriver32_61_Install.NT.CoInstallers]
>>>>>>>>>>>>>> Include=umpass.inf
>>>>>>>>>>>>>> Needs=UmPass.CoInstallers
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> [Minidriver32_61_Install.NT.Interfaces]
>>>>>>>>>>>>>> Include=umpass.inf
>>>>>>>>>>>>>> Needs=UmPass.Interfaces
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> [amd64_CopyFiles]
>>>>>>>>>>>>>> ;%SmartCardCardModule%,%SmartCardCardModule64%
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> [x86_CopyFiles]
>>>>>>>>>>>>>> ;%SmartCardCardModule%
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> [wow64_CopyFiles]
>>>>>>>>>>>>>> ;%SmartCardCardModule64%
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> [AddRegWOW64]
>>>>>>>>>>>>>> HKLM, %SmartCardNameWOW64%,"ATR",0x00000001,3b,f8,13,00,00,81,31,fe,45,4A,43,4f,50,76,32,34,31,b7
>>>>>>>>>>>>>> HKLM, %SmartCardNameWOW64%,"ATRMask",0x00000001,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff
>>>>>>>>>>>>>> HKLM, %SmartCardNameWOW64%,"Crypto Provider",0x00000000,"Microsoft Base Smart Card Crypto Provider"
>>>>>>>>>>>>>> HKLM, %SmartCardNameWOW64%,"Smart Card Key Storage Provider",0x00000000,"Microsoft Smart Card Key Storage Provider"
>>>>>>>>>>>>>> HKLM, %SmartCardNameWOW64%,"80000001",0x00000000,%SmartCardCardModule64%
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> [AddRegDefault]
>>>>>>>>>>>>>> HKLM, %SmartCardName%,"ATR",0x00000001,3b,f8,13,00,00,81,31,fe,45,4A,43,4f,50,76,32,34,31,b7
>>>>>>>>>>>>>> HKLM, %SmartCardName%,"ATRMask",0x00000001,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff
>>>>>>>>>>>>>> HKLM, %SmartCardName%,"Crypto Provider",0x00000000,"Microsoft Base Smart Card Crypto Provider"
>>>>>>>>>>>>>> HKLM, %SmartCardName%,"Smart Card Key Storage Provider",0x00000000,"Microsoft Smart Card Key Storage Provider"
>>>>>>>>>>>>>> HKLM, %SmartCardName%,"80000001",0x00000000,%SmartCardCardModule%
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> [DestinationDirs]
>>>>>>>>>>>>>> amd64_CopyFiles=10,system32
>>>>>>>>>>>>>> x86_CopyFiles=10,system32
>>>>>>>>>>>>>> wow64_CopyFiles=10,syswow64
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> ; =================== Generic ==================================
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> [Strings]
>>>>>>>>>>>>>> ProviderName="OpenSC"
>>>>>>>>>>>>>> MediaDescription="OpenSC Card Minidriver Installation Disk"
>>>>>>>>>>>>>> CardDeviceName="Muscle Card"
>>>>>>>>>>>>>> SmartCardName="SOFTWARE\Microsoft\Cryptography\Calais\SmartCards\Muscle Card"
>>>>>>>>>>>>>> SmartCardNameWOW64="SOFTWARE\Wow6432Node\Microsoft\Cryptography\Calais\SmartCards\Muscle Card"
>>>>>>>>>>>>>> SmartCardCardModule="opensc-minidriver.dll"
>>>>>>>>>>>>>> ***************************************************************************************
>>>>>>>>>>>>>> When the card is inserted the driver is used as shown in device manager
>>>>>>>>>>>>>> as well as in certutil.exe.
>>>>>>>>>>>>>> Now here is the actual problem:
>>>>>>>>>>>>>> When I try to use the card with certutil.exe -SCinfo several times a dialog pops up
>>>>>>>>>>>>>> complaining that the card does not have the required functions.
>>>>>>>>>>>>>> The terminal output is like this. I am sorry for pasting this in German.
>>>>>>>>>>>>>> I added some translations:
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> ***************************************************************************************
>>>>>>>>>>>>>> Microsoft Windows [Version 6.1.7601]
>>>>>>>>>>>>>> Copyright (c) 2009 Microsoft Corporation. All rights reserved.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> C:\Users\developer>certutil -scinfo
>>>>>>>>>>>>>> The Microsoft Smart Card Resource Manager is running.
>>>>>>>>>>>>>> Current reader/card status:
>>>>>>>>>>>>>> Readers: 1
>>>>>>>>>>>>>>         0: OMNIKEY CardMan 3x21 0
>>>>>>>>>>>>>> --- Reader: OMNIKEY CardMan 3x21 0
>>>>>>>>>>>>>> --- Status: SCARD_STATE_PRESENT | SCARD_STATE_UNPOWERED
>>>>>>>>>>>>>> --- Status: The smart card can be used.
>>>>>>>>>>>>>> ---   Card: Muscle Card
>>>>>>>>>>>>>> ---    ATR:
>>>>>>>>>>>>>>               3b f8 13 00 00 81 31 fe  45 4a 43 4f 50 76 32 34   ;.....1.EJCOPv24
>>>>>>>>>>>>>>               31 b7                                              1.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> =======================================================
>>>>>>>>>>>>>> Analyzing card in reader: OMNIKEY CardMan 3x21 0
>>>>>>>>>>>>>> --------------===========================--------------
>>>>>>>>>>>>>> ================ Certificate 0 ================
>>>>>>>>>>>>>> --- Reader: OMNIKEY CardMan 3x21 0
>>>>>>>>>>>>>> ---   Card: Muscle Card
>>>>>>>>>>>>>> Provider = Microsoft Base Smart Card Crypto Provider
>>>>>>>>>>>>>> Key Container = (null) [Default Container]
>>>>>>>>>>>>>> Cannot open key "AT_SIGNATURE" for reader: OMNIKEY CardMan 3x21 0
>>>>>>>>>>>>>> Cannot open key "AT_KEYEXCHANGE" for reader: OMNIKEY CardMan 3x21 0
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> --------------===========================--------------
>>>>>>>>>>>>>> ================ Certificate 0 ================
>>>>>>>>>>>>>> --- Reader: OMNIKEY CardMan 3x21 0
>>>>>>>>>>>>>> ---   Card: Smart Security Device (Brainchild)
>>>>>>>>>>>>>> Provider = Microsoft Smart Card Key Storage Provider
>>>>>>>>>>>>>> Key Container = (null) [Default Container]
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Cannot open key "" for reader: OMNIKEY CardMan 3x21 0
>>>>>>>>>>>>>> --------------===========================--------------
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Done.
>>>>>>>>>>>>>> CertUtil: -SCInfo command completed successfully.
>>>>>>>>>>>>>> ***************************************************************************************
>>>>>>>>>>>>>> I also configured to use a log file in opensc.conf and debug level 9.
>>>>>>>>>>>>>> Unfortunately the file is about 2.5 MB. I try to add it as an attachment to this mail,
>>>>>>>>>>>>>> but I am not sure if this is working with a mailing list.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> I already inspected the log, but found nothing suspicious.
>>>>>>>>>>>>>> I think maybe there has to be a private key marked
>>>>>>>>>>>>>> for use as AT_SIGNATURE and one for AT_EXCHANGE.
>>>>>>>>>>>>>> But how?
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Or maybe I am completely wrong and something different is going wrong.
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Any help would be appreciated!
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Best Regards,
>>>>>>>>>>>>>> Michael
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> ------------------------------------------------------------
>>>>>>>>>> ------------------
>>>>>>>>>>>>>> New Year. New Location. New Benefits. New Data Center in Ashburn, VA.
>>>>>>>>>>>>>> GigeNET is offering a free month of service with a new server in
>>>>>>>>>> Ashburn.
>>>>>>>>>>>>>> Choose from 2 high performing configs, both with 100TB of bandwidth.
>>>>>>>>>>>>>> Higher redundancy.Lower latency.Increased capacity.Completely
>>>>>>>>>> compliant.
>>>>>>>>>>>>>> http://p.sf.net/sfu/gigenet
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> _______________________________________________
>>>>>>>>>>>>>> Opensc-devel mailing list
>>>>>>>>>>>>>> [hidden email]
>>>>>>>>>>>>>> https://lists.sourceforge.net/lists/listinfo/opensc-devel
>>>>>>>>>>>>>>
>>>>>>>>>>>>> --
>>>>>>>>>>>>>
>>>>>>>>>>>>>        Douglas E. Engert  <[hidden email]>
>>>>>>>>>>>>>
>>>>>>>>>>>>>
>>>>>>>>>>
>>>>>>>>
>>>>>>
>>>>
>>


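The thread turns on one question: can the minidriver trust the serialNumber in EF(TokenInfo) as the card identifier Windows caches alongside the certificates, or must it fall back to SC_CARDCTL_GET_SERIALNR? The following C program is an added example written for this page; it is not OpenSC code and none of its function names are OpenSC APIs. It decodes the leading fields of a DER-encoded TokenInfo (SEQUENCE of version INTEGER, serialNumber OCTET STRING, manufacturerID), renders the serial the way pkcs15-tool prints it, and refuses an empty or all-zero value so the caller knows to look elsewhere. The two DER inputs are constructed to mirror the `pkcs15-tool -D` output quoted above (the `0000` placeholder on the MUSCLE card and the `4242...` serial written with `pkcs15-init -C --serial`); they were not read from a real card, and the assumption that `--serial` is stored as the hex-decoded bytes is this example's, not something the thread states. The TLV reader only accepts short-form and one- or two-byte long-form lengths, which is all a TokenInfo needs, and rejects anything else rather than guessing.

```c
/*
 * Added example (not OpenSC code): parse the serialNumber out of a PKCS#15
 * EF(TokenInfo) and decide whether it can serve as a Windows card identifier.
 *
 *   TokenInfo ::= SEQUENCE {
 *       version        INTEGER,
 *       serialNumber   OCTET STRING,
 *       manufacturerID Label OPTIONAL,   -- UTF8String in the samples below
 *       ...
 *   }
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample: TokenInfo after `pkcs15-init -C --serial 4242...42`,
 * assuming the 32 hex digits are stored as 16 bytes of 0x42. */
const uint8_t TOKENINFO_WITH_SERIAL[] = {
    0x30, 0x28,
      0x02, 0x01, 0x00,                                   /* version 0        */
      0x04, 0x10, 0x42,0x42,0x42,0x42,0x42,0x42,0x42,0x42, /* serialNumber     */
                  0x42,0x42,0x42,0x42,0x42,0x42,0x42,0x42,
      0x0c, 0x11, 'I','d','e','n','t','i','t','y',' ',     /* manufacturerID   */
                  'A','l','l','i','a','n','c','e'
};

/* Constructed sample: the MUSCLE card's TokenInfo with the "0000" placeholder. */
const uint8_t TOKENINFO_ZERO_SERIAL[] = {
    0x30, 0x1a,
      0x02, 0x01, 0x00,
      0x04, 0x02, 0x00, 0x00,
      0x0c, 0x11, 'I','d','e','n','t','i','t','y',' ',
                  'A','l','l','i','a','n','c','e'
};

/* Minimal DER TLV reader. Accepts short-form and 1- or 2-byte long-form
 * lengths; anything else (indefinite, oversized, truncated) is an error. */
static int tlv_read(const uint8_t *buf, size_t len, size_t *off,
                    uint8_t *tag, const uint8_t **val, size_t *vlen)
{
    size_t i = *off, l;

    if (i + 2 > len)
        return -1;
    *tag = buf[i++];
    l = buf[i++];
    if (l & 0x80) {
        size_t n = l & 0x7f;
        if (n == 0 || n > 2 || i + n > len)
            return -1;
        l = 0;
        while (n--)
            l = (l << 8) | buf[i++];
    }
    if (l > len - i)
        return -1;
    *val = buf + i;
    *vlen = l;
    *off = i + l;
    return 0;
}

/* Copy the serialNumber OCTET STRING out of a DER TokenInfo.
 * Returns the serial length, or -1 if the encoding is not what we expect
 * (wrong tags, truncated lengths, serial longer than the caller's buffer). */
int tokeninfo_serial(const uint8_t *der, size_t len,
                     uint8_t *serial, size_t serial_max)
{
    uint8_t tag;
    const uint8_t *val, *body;
    size_t vlen, blen, off = 0;

    if (tlv_read(der, len, &off, &tag, &val, &vlen) || tag != 0x30)
        return -1;                              /* outer SEQUENCE            */
    body = val; blen = vlen; off = 0;
    if (tlv_read(body, blen, &off, &tag, &val, &vlen) || tag != 0x02)
        return -1;                              /* version INTEGER           */
    if (tlv_read(body, blen, &off, &tag, &val, &vlen) || tag != 0x04)
        return -1;                              /* serialNumber OCTET STRING */
    if (vlen > serial_max)
        return -1;
    memcpy(serial, val, vlen);
    return (int)vlen;
}

/* Render the serial as pkcs15-tool prints it: hex, no separators.
 * Returns the number of characters written, or -1 if out is too small. */
int serial_to_hex(const uint8_t *serial, size_t len, char *out, size_t out_max)
{
    static const char hx[] = "0123456789abcdef";
    size_t i;

    if (out_max < 2 * len + 1)
        return -1;
    for (i = 0; i < len; i++) {
        out[2 * i]     = hx[serial[i] >> 4];
        out[2 * i + 1] = hx[serial[i] & 0x0f];
    }
    out[2 * len] = '\0';
    return (int)(2 * len);
}

/* A serial can stand in for the cardId only if it is present and carries
 * information: every card reporting the all-zero "0000" seen in the thread
 * would look identical to the host, so treat that as "not available". */
int serial_is_usable(const uint8_t *serial, size_t len)
{
    size_t i;

    if (len == 0)
        return 0;
    for (i = 0; i < len; i++)
        if (serial[i] != 0)
            return 1;
    return 0;
}

/* tokeninfo->serial_number is kept as a C string that may be blank-padded
 * (Douglas's remark above); strip the padding before comparing or hashing it.
 * Returns the trimmed length. */
size_t trim_blank_padding(char *s)
{
    size_t n = strlen(s);

    while (n > 0 && s[n - 1] == ' ')
        s[--n] = '\0';
    return n;
}

int main(void)
{
    const uint8_t *samples[] = { TOKENINFO_WITH_SERIAL, TOKENINFO_ZERO_SERIAL };
    const size_t sizes[] = { sizeof TOKENINFO_WITH_SERIAL, sizeof TOKENINFO_ZERO_SERIAL };
    int i;

    for (i = 0; i < 2; i++) {
        uint8_t serial[32];
        char hex[2 * sizeof serial + 1];
        int n = tokeninfo_serial(samples[i], sizes[i], serial, sizeof serial);

        if (n < 0) {
            puts("malformed TokenInfo");
            continue;
        }
        serial_to_hex(serial, (size_t)n, hex, sizeof hex);
        printf("Serial number  : %s (%s)\n", hex,
               serial_is_usable(serial, (size_t)n)
                   ? "usable as cardId"
                   : "placeholder, fall back to card_ctl");
    }
    return 0;
}
```

The check in serial_is_usable() is the practical consequence of Douglas's point about cached certificates: Windows stores the identifier with the certificates and later uses it to ask for the matching card, so two cards that both report 0000 are indistinguishable to the host. A minidriver that prefers EF(TokenInfo) over card_ctl should therefore treat a placeholder serial as absent rather than as a valid identifier, and only then try SC_CARDCTL_GET_SERIALNR or whatever the applet can offer.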