AT_SIGNATURE and AT_EXCHANGE Problem

Michael Heydemann
Dear OpenSC Development Team,

First of all, I would like to say that I really appreciate your great work.
I am working on a little project and explored all the nice tools of OpenSC.
Unfortunately, for a week now I have not been able to get around a certain problem.
I hope this mailing list is the right place and that you can help me with it.

My project is about (1) setting up a PKCS#11 key store on a Java Card,
(2) loading some test data (keys and certificates) onto it, and (3) using the card
with the Windows 7 key management.

Hardware: 
* Card Reader: Omnikey 3121USB
* Java Card: J2A080 - NXP, 80k

(1) Setting up PKCS#11 key store:
I have installed Ubuntu 14.04.1 in VirtualBox and wrote a bunch of bash scripts
to install all required software, install the muscle applet on the card, and
remove the muscle applet from the card. I followed the instructions on
http://blog.ev0ke.net/muscle-jcop/ and everything worked well.

(2) Loading some test data:
I tried some different ways to get some keys and certificates on the card.
None of them delivered data which is accepted by Windows 7.
Here is one set of data I created:

***************************************************************************************
Using reader with a card: OMNIKEY CardMan (076B:3022) 3021 00 00
PKCS#15 Card [MUSCLE]:
Version        : 0
Serial number  : 0000
Manufacturer ID: Identity Alliance
Last update    : 20150119080705Z
Flags          : EID compliant

PIN [User PIN]
Object Flags   : [0x3], private, modifiable
ID             : 01
Flags          : [0x10], initialized
Length         : min_len:4, max_len:8, stored_len:8
Pad char       : 0x00
Reference      : 1
Type           : ascii-numeric
Path           : 3f005015

Private RSA Key [Card Owner]
Object Flags   : [0x3], private, modifiable
Usage          : [0x2E], decrypt, sign, signRecover, unwrap
Access Flags   : [0x0]
ModLength      : 1024
Key ref        : 0 (0x0)
Native         : yes
Path           : 3f005015
Auth ID        : 01
ID             : 01

Public RSA Key [Card Owner]
Object Flags   : [0x2], modifiable
Usage          : [0xD1], encrypt, wrap, verify, verifyRecover
Access Flags   : [0x0]
ModLength      : 1024
Key ref        : 0
Native         : no
Path           : 3f0050153000
ID             : 01

X.509 Certificate [Card Owner Certificate]
Object Flags   : [0x2], modifiable
Authority      : no
Path           : 3f0050153100
ID             : 01
Encoded serial : 02 09 00F695059953A904F9

X.509 Certificate [Contact 2 Certificate]
Object Flags   : [0x2], modifiable
Authority      : no
Path           : 3f0050153101
ID             : 02
Encoded serial : 02 09 00F695059953A904F9

X.509 Certificate [Contact 3 Certificate]
Object Flags   : [0x2], modifiable
Authority      : no
Path           : 3f0050153102
ID             : 03
Encoded serial : 02 09 00F695059953A904F9

X.509 Certificate [Contact 4 Certificate]
Object Flags   : [0x2], modifiable
Authority      : no
Path           : 3f0050153103
ID             : 04
Encoded serial : 02 09 00F695059953A904F9

X.509 Certificate [Contact 5 Certificate]
Object Flags   : [0x2], modifiable
Authority      : no
Path           : 3f0050153104
ID             : 05
Encoded serial : 02 09 00F695059953A904F9
***************************************************************************************

(3) Using the card in Windows 7:
I installed Windows 7 64 Bit in a VirtualBox and installed
OpenSC-0.12.2-win64.msi. I also tried OpenSC-0.14.0-win64.msi,
but with the same result.
I acquired the ATR of the card and properly installed my opensc-minidriver.inf:

***************************************************************************************
[Version]
Signature="$Windows NT$"
Class=SmartCard
ClassGuid={990A2BD7-E738-46c7-B26F-1CF8FB9F1391}
Provider=%ProviderName%
CatalogFile=delta.cat
DriverVer=05/02/2010,@OPENSC_VERSION_MAJOR@,@OPENSC_VERSION_MINOR@,@OPENSC_VERSION_FIX@,0

[Manufacturer]
%ProviderName%=Minidriver,NTamd64,NTamd64.6.1,NTx86,NTx86.6.1

[Minidriver.NTamd64]
%CardDeviceName%=Minidriver64_Install,SCFILTER\CID_00640181010c829000

[Minidriver.NTx86]
%CardDeviceName%=Minidriver32_Install,SCFILTER\CID_00640181010c829000

[Minidriver.NTamd64.6.1]
%CardDeviceName%=Minidriver64_61_Install,SCFILTER\CID_00640181010c829000

[Minidriver.NTx86.6.1]
%CardDeviceName%=Minidriver32_61_Install,SCFILTER\CID_00640181010c829000

[DefaultInstall]
CopyFiles=x86_CopyFiles
AddReg=AddRegDefault

[DefaultInstall.ntamd64]
CopyFiles=amd64_CopyFiles
CopyFiles=wow64_CopyFiles
AddReg=AddRegWOW64
AddReg=AddRegDefault

[DefaultInstall.NTx86]
CopyFiles=x86_CopyFiles
AddReg=AddRegDefault

[DefaultInstall.ntamd64.6.1]
AddReg=AddRegWOW64
AddReg=AddRegDefault

[DefaultInstall.NTx86.6.1]
AddReg=AddRegDefault

[SourceDisksFiles]
%SmartCardCardModule%=1
%SmartCardCardModule64%=1

[SourceDisksNames]
1 = %MediaDescription%

[Minidriver64_Install.NT]
CopyFiles=amd64_CopyFiles
CopyFiles=wow64_CopyFiles
AddReg=AddRegWOW64
AddReg=AddRegDefault

[Minidriver64_61_Install.NT]
AddReg=AddRegWOW64
AddReg=AddRegDefault
Include=umpass.inf
Needs=UmPass

[Minidriver32_Install.NT]
CopyFiles=x86_CopyFiles
AddReg=AddRegDefault

[Minidriver32_61_Install.NT]
AddReg=AddRegDefault
Include=umpass.inf
Needs=UmPass

[Minidriver64_61_Install.NT.Services]
Include=umpass.inf
Needs=UmPass.Services

[Minidriver32_61_Install.NT.Services]
Include=umpass.inf
Needs=UmPass.Services


[Minidriver64_61_Install.NT.HW]
Include=umpass.inf
Needs=UmPass.HW

[Minidriver64_61_Install.NT.CoInstallers]
Include=umpass.inf
Needs=UmPass.CoInstallers


[Minidriver64_61_Install.NT.Interfaces]
Include=umpass.inf
Needs=UmPass.Interfaces


[Minidriver32_61_Install.NT.HW]
Include=umpass.inf
Needs=UmPass.HW

[Minidriver32_61_Install.NT.CoInstallers]
Include=umpass.inf
Needs=UmPass.CoInstallers


[Minidriver32_61_Install.NT.Interfaces]
Include=umpass.inf
Needs=UmPass.Interfaces


[amd64_CopyFiles]
;%SmartCardCardModule%,%SmartCardCardModule64%

[x86_CopyFiles]
;%SmartCardCardModule%

[wow64_CopyFiles]
;%SmartCardCardModule64%

[AddRegWOW64]
HKLM, %SmartCardNameWOW64%,"ATR",0x00000001,3b,f8,13,00,00,81,31,fe,45,4A,43,4f,50,76,32,34,31,b7
HKLM, %SmartCardNameWOW64%,"ATRMask",0x00000001,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff
HKLM, %SmartCardNameWOW64%,"Crypto Provider",0x00000000,"Microsoft Base Smart Card Crypto Provider"
HKLM, %SmartCardNameWOW64%,"Smart Card Key Storage Provider",0x00000000,"Microsoft Smart Card Key Storage Provider"
HKLM, %SmartCardNameWOW64%,"80000001",0x00000000,%SmartCardCardModule64%

[AddRegDefault]
HKLM, %SmartCardName%,"ATR",0x00000001,3b,f8,13,00,00,81,31,fe,45,4A,43,4f,50,76,32,34,31,b7
HKLM, %SmartCardName%,"ATRMask",0x00000001,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff
HKLM, %SmartCardName%,"Crypto Provider",0x00000000,"Microsoft Base Smart Card Crypto Provider"
HKLM, %SmartCardName%,"Smart Card Key Storage Provider",0x00000000,"Microsoft Smart Card Key Storage Provider"
HKLM, %SmartCardName%,"80000001",0x00000000,%SmartCardCardModule%

[DestinationDirs]
amd64_CopyFiles=10,system32
x86_CopyFiles=10,system32
wow64_CopyFiles=10,syswow64


; =================== Generic ==================================

[Strings]
ProviderName ="OpenSC"
MediaDescription="OpenSC Card Minidriver Installation Disk"
CardDeviceName="Muscle Card"
SmartCardName="SOFTWARE\Microsoft\Cryptography\Calais\SmartCards\Muscle Card"
SmartCardNameWOW64="SOFTWARE\Wow6432Node\Microsoft\Cryptography\Calais\SmartCards\Muscle Card"
SmartCardCardModule="opensc-minidriver.dll"
***************************************************************************************

When the card is inserted the driver is used as shown in device manager
as well as in certutil.exe.
Now here is the actual problem:
When I try to use the card with certutil.exe -SCinfo, a dialog pops up several times
complaining that the card does not have the required functions.
The terminal output is shown below. I am sorry for pasting this in German;
I added some translations:

***************************************************************************************
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. Alle Rechte vorbehalten.

C:\Users\developer>certutil -scinfo
Die Microsoft Smartcard-Ressourcenverwaltung wird ausgeführt.
Aktueller Leser-/Kartenstatus: (Current Reader/Card Status)
Leser: 1 (Reader: 1)
  0: OMNIKEY CardMan 3x21 0
--- Leser: OMNIKEY CardMan 3x21 0 (Reader)
--- Status: SCARD_STATE_PRESENT | SCARD_STATE_UNPOWERED
--- Status: Die Smartcard kann verwendet werden.
---  Karte: Muscle Card
---    ATR:
        3b f8 13 00 00 81 31 fe  45 4a 43 4f 50 76 32 34   ;.....1.EJCOPv24
        31 b7                                              1.


=======================================================
Karte im Leser wird analysiert: OMNIKEY CardMan 3x21 0 (Trans: The card in the reader is being analyzed)

--------------===========================--------------
================ Zertifikat 0 ================ (Trans: Certificate 0)
--- Leser: OMNIKEY CardMan 3x21 0 (Reader)
---  Karte: Muscle Card
Anbieter = Microsoft Base Smart Card Crypto Provider
Schlüsselcontainer = (null) [Standardcontainer] (Trans: standard container)

Schlüssel "AT_SIGNATURE" kann nicht geöffnet werden für Leser: OMNIKEY CardMan 3 (Trans: Key "AT_SIGNATURE" could not be opened)
x21 0
Schlüssel "AT_KEYEXCHANGE" kann nicht geöffnet werden für Leser: OMNIKEY CardMan (Trans: Key "AT_SIGNATURE" could not be opened)
 3x21 0

--------------===========================--------------
================ Zertifikat 0 ================
--- Leser: OMNIKEY CardMan 3x21 0
---  Karte: Smart Security Device (Brainchild)
Anbieter = Microsoft Smart Card Key Storage Provider
Schlüsselcontainer = (null) [Standardcontainer]

Schlüssel "" kann nicht geöffnet werden für Leser: OMNIKEY CardMan 3x21 0 (Trans: Key "" could not be opened)

--------------===========================--------------

Fertig.
CertUtil: -SCInfo-Befehl wurde erfolgreich ausgeführt. (Trans: -SCinfo command has been executed with success)
***************************************************************************************

I also configured a log file in opensc.conf with debug level 9.
Unfortunately the file is about 2.5 MB. I tried to add it as an attachment to this mail,
but I am not sure if this works with a mailing list.
Update: An attachment seems not to be a good idea.


I already inspected the log, but found nothing suspicious.
I think maybe there has to be one private key marked
for use as AT_SIGNATURE and one for AT_EXCHANGE.
But how?

Or maybe I am completely wrong and something different is going wrong.

Any help would be appreciated!

Best Regards,
Michael Heydemann
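The closing question is about how the private key on the card relates to the AT_SIGNATURE and AT_KEYEXCHANGE key specs that certutil reports. The script below is an added example, not code from the mail or from OpenSC: it parses the pkcs15-tool listing quoted above (a shortened copy is embedded as constructed sample input), decodes the PKCS#15 KeyUsageFlags behind the `Usage : [0x2E]` value, and flags certificates that have no private key with the same PKCS#15 ID. The classification at the end is my own heuristic, based only on the CAPI definition that an AT_SIGNATURE key signs while an AT_KEYEXCHANGE key may also decrypt; it is not the rule the OpenSC minidriver uses to build its containers, which the mail does not show.

```python
"""Decode pkcs15-tool key usage flags and pair certificates with private keys.

Added example, not from the post or from OpenSC.  The flag bit values are the
PKCS#15 KeyUsageFlags (encrypt=0x01 ... nonRepudiation=0x200); the key-spec
classification is a heuristic stated here as an assumption, not the
minidriver's actual container logic.
"""
import re

# Constructed sample input: a shortened copy of the pkcs15-tool -D listing from the post.
SAMPLE_DUMP = """\
Private RSA Key [Card Owner]
Object Flags   : [0x3], private, modifiable
Usage          : [0x2E], decrypt, sign, signRecover, unwrap
Access Flags   : [0x0]
ModLength      : 1024
Key ref        : 0 (0x0)
Native         : yes
Path           : 3f005015
Auth ID        : 01
ID             : 01

Public RSA Key [Card Owner]
Object Flags   : [0x2], modifiable
Usage          : [0xD1], encrypt, wrap, verify, verifyRecover
Access Flags   : [0x0]
ModLength      : 1024
Key ref        : 0
Native         : no
Path           : 3f0050153000
ID             : 01

X.509 Certificate [Card Owner Certificate]
Object Flags   : [0x2], modifiable
Authority      : no
Path           : 3f0050153100
ID             : 01
Encoded serial : 02 09 00F695059953A904F9

X.509 Certificate [Contact 2 Certificate]
Object Flags   : [0x2], modifiable
Authority      : no
Path           : 3f0050153101
ID             : 02
Encoded serial : 02 09 00F695059953A904F9
"""

# PKCS#15 KeyUsageFlags, bit 0 first (same order in which pkcs15-tool prints the names)
PKCS15_USAGE = [
    (0x001, "encrypt"), (0x002, "decrypt"), (0x004, "sign"), (0x008, "signRecover"),
    (0x010, "wrap"), (0x020, "unwrap"), (0x040, "verify"), (0x080, "verifyRecover"),
    (0x100, "derive"), (0x200, "nonRepudiation"),
]

HEADER = re.compile(r"^(?P<type>[^\[]+?) \[(?P<label>[^\]]*)\]$")


def parse_objects(dump):
    """Split the listing into objects: one dict per blank-line separated block."""
    objects = []
    for block in dump.strip().split("\n\n"):
        lines = block.splitlines()
        m = HEADER.match(lines[0])
        if not m:
            continue
        obj = {"type": m.group("type"), "label": m.group("label")}
        for line in lines[1:]:
            key, _, value = line.partition(":")
            obj[key.strip()] = value.strip()
        objects.append(obj)
    return objects


def usage_value(field):
    """'[0x2E], decrypt, sign, ...' -> 0x2E"""
    m = re.match(r"\[(0x[0-9A-Fa-f]+)\]", field)
    if not m:
        raise ValueError("no usage flags in %r" % field)
    return int(m.group(1), 16)


def decode_usage(flags):
    return [name for bit, name in PKCS15_USAGE if flags & bit]


def candidate_key_spec(usage_names):
    """Heuristic (assumption): a key that can decrypt or unwrap could back an
    AT_KEYEXCHANGE container, a sign-only key an AT_SIGNATURE container."""
    if "decrypt" in usage_names or "unwrap" in usage_names:
        return "AT_KEYEXCHANGE"
    if "sign" in usage_names or "signRecover" in usage_names:
        return "AT_SIGNATURE"
    return None


def private_key_report(dump):
    """One tuple per private key: (label, ID, decoded usage names, candidate key spec)."""
    out = []
    for obj in parse_objects(dump):
        if obj["type"].startswith("Private"):
            names = decode_usage(usage_value(obj["Usage"]))
            out.append((obj["label"], obj["ID"], names, candidate_key_spec(names)))
    return out


def certificates_without_private_key(dump):
    """IDs of certificates that share no PKCS#15 ID with any private key on the card."""
    objs = parse_objects(dump)
    key_ids = {o["ID"] for o in objs if o["type"].startswith("Private")}
    return [o["ID"] for o in objs if o["type"].startswith("X.509") and o["ID"] not in key_ids]


if __name__ == "__main__":
    for label, kid, names, spec in private_key_report(SAMPLE_DUMP):
        print("private key %r (ID %s): %s -> %s" % (label, kid, ", ".join(names), spec))
    print("certificates without a private key:", certificates_without_private_key(SAMPLE_DUMP))
```

Run it against the full `pkcs15-tool -D` output instead of the embedded sample to see the same two checks on the real card: the decoded names should agree with what pkcs15-tool printed after the hex value, and every certificate that is meant to be usable from Windows needs a private key with a matching ID.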

_______________________________________________
Opensc-devel mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/opensc-devel
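The INF above binds the card to the minidriver through the `ATR` and `ATRMask` registry values, and certutil prints the ATR it actually saw. The script below is an added example, not code from the mail or from OpenSC: it parses the ATR per ISO 7816-3 (interface bytes, historical bytes, TCK check byte), verifies the TCK, and applies the masked byte-for-byte comparison that the Windows smart card resource manager uses to map an ATR to a registered card name. The card ATR and the INF values are copied from the post; the variant ATR in the usage notes is constructed.

```python
"""Parse an ISO 7816-3 ATR and check it against an INF's ATR/ATRMask pair.

Added example; not code from the post or from OpenSC.  The card ATR comes from
the certutil output in the post, the ATR/ATRMask values from the posted INF's
[AddRegDefault] section.  Matching rule: same length, and every byte of the
card ATR ANDed with the mask equals the registry ATR ANDed with the mask.
"""

CARD_ATR_HEX = "3b f8 13 00 00 81 31 fe 45 4a 43 4f 50 76 32 34 31 b7"    # certutil -scinfo
INF_ATR_HEX = "3b,f8,13,00,00,81,31,fe,45,4A,43,4f,50,76,32,34,31,b7"     # INF "ATR" value
INF_ATRMASK_HEX = "ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff"  # INF "ATRMask" value


def hex_to_bytes(text):
    """Accept the space-separated certutil form and the comma-separated INF form."""
    return bytes(int(tok, 16) for tok in text.replace(",", " ").split())


def parse_atr(atr):
    """Split an ATR into interface bytes, historical bytes and the TCK check byte."""
    if len(atr) < 2 or atr[0] not in (0x3B, 0x3F):
        raise ValueError("bad TS byte, not an ATR")
    t0 = atr[1]
    n_hist = t0 & 0x0F          # number of historical bytes
    y = t0 >> 4                 # which of TA1..TD1 are present
    i = 2
    interface, protocols = [], set()
    while True:
        td = None
        for bit, name in ((1, "TA"), (2, "TB"), (4, "TC"), (8, "TD")):
            if y & bit:
                interface.append((name, atr[i]))
                if name == "TD":
                    td = atr[i]
                i += 1
        if td is None:
            break
        protocols.add(td & 0x0F)  # low nibble of TDi names an offered protocol
        y = td >> 4               # high nibble says which TA/TB/TC/TD follow next
    if not protocols:
        protocols.add(0)          # no TD1 at all means T=0 only
    historical = atr[i:i + n_hist]
    i += n_hist
    # TCK is present unless T=0 is the only protocol; it is the XOR of T0..last historical byte
    tck_ok = None
    if protocols != {0}:
        if i >= len(atr):
            raise ValueError("TCK byte missing")
        xor = 0
        for b in atr[1:i]:
            xor ^= b
        tck_ok = xor == atr[i]
        i += 1
    if i != len(atr):
        raise ValueError("%d trailing byte(s) after the ATR" % (len(atr) - i))
    return {"interface": interface, "protocols": sorted(protocols),
            "historical": bytes(historical), "tck_ok": tck_ok}


def atr_matches(card_atr, reg_atr, reg_mask):
    """Registry-style match: equal length and every masked byte equal."""
    if not (len(card_atr) == len(reg_atr) == len(reg_mask)):
        return False
    return all((c & m) == (r & m) for c, r, m in zip(card_atr, reg_atr, reg_mask))


def check_card(card_hex, inf_atr_hex, inf_mask_hex):
    """Parse the card ATR and record whether the INF's ATR/ATRMask pair selects it."""
    card = hex_to_bytes(card_hex)
    info = parse_atr(card)
    info["inf_match"] = atr_matches(card, hex_to_bytes(inf_atr_hex), hex_to_bytes(inf_mask_hex))
    return info


if __name__ == "__main__":
    info = check_card(CARD_ATR_HEX, INF_ATR_HEX, INF_ATRMASK_HEX)
    print("protocols T=%s, historical bytes %r, TCK %s, INF match: %s"
          % (info["protocols"], info["historical"],
             "ok" if info["tck_ok"] else "BAD", info["inf_match"]))
```

For the ATR in the post the historical bytes decode to `JCOPv241` and the TCK checks out. Because the INF mask is all `ff`, a card from the same product line whose historical bytes say `JCOPv242` (constructed variant, TCK recomputed) would not match this entry; zeroing the mask over the version digits and the TCK byte is the usual way to let one registry entry cover several builds, at the cost of binding the minidriver to cards you have not tested.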
