Issue with signatures with D-TRUST card 3.0 (STARCOS 3.4) smart card


Issue with signatures with D-TRUST card 3.0 (STARCOS 3.4) smart card

Ferdinand Rau
Dear all,

I am trying to get PDF signatures to work with LibreOffice 5.0 and my D-TRUST card 3.0, which requires a properly set up Mozilla NSS, which in turn requires OpenSC. I access the card via a USB smart card reader "ReinerSCT cyberJack RFID komfort" on Debian Jessie Linux with OpenSC 0.15.0.
The card is listed here, but not explicitly marked as supported: https://github.com/OpenSC/OpenSC/wiki/German-ID-Cards

The card is (probably) a Starcos 3.4 type card, therefore, I compiled OpenSC 0.15.0 with the following patch:
https://github.com/OpenSC/OpenSC/pull/357

The result is as follows:
1. I can see the certificates on the card in Mozilla NSS after entering my PIN number on the reader's pinpad.

2. I can select a certificate for signing in LibreOffice. Then, I am asked for my PIN both in a dialog on screen and again on the reader's pinpad. The reader's display says "PIN correct" and there is no error message, but no signature is applied to the document.

3. Alternatively, I tried signing an e-mail in Thunderbird. The result is slightly different: When sending the e-mail, I am prompted to enter my PIN on the reader's pinpad. The reader's display says "PIN correct", but the signing fails with the following error message: "Sending message failed. You specified that this message should be digitally signed, but the application either failed to find the signing certificate specified in your Mail & Newsgroups Account Settings, or the certificate has expired." Needless to say, the certificate has not expired.

Please find below the output of several common commands. Could someone please confirm that
a) the card is suitable for this kind of digital signatures in principle
b) the card is not supposed to work with OpenSC 0.15.0 without the aforementioned patch
c) the card is supposed to work with OpenSC 0.15.0 with the patch and all future versions including the patch

If someone can help with the troubleshooting, that would be awesome. Just getting definitive answers to the above a), b), c) would be a really good starting point, though.

Best regards, and thanks in advance,
Ferdinand


> $ opensc-tool -i
> OpenSC 0.15.0 [gcc  4.9.2]
> Enabled features: zlib readline openssl pcsc(libpcsclite.so.1)

----------------------

> $ opensc-tool --list-readers
> # Detected readers (pcsc)
> Nr.  Card  Features  Name
> 0    Yes   PIN pad   REINER SCT cyberJack RFID komfort (4694896162) 00 00

----------------------

> $ opensc-tool --name
> Using reader with a card: REINER SCT cyberJack RFID komfort (4694896162) 00 00
> STARCOS SPK 3.4

----------------------

> $ opensc-tool --atr
> Using reader with a card: REINER SCT cyberJack RFID komfort (4694896162) 00 00
> 3b:d8:18:ff:81:b1:fe:45:1f:03:80:64:04:1a:b4:03:81:05:61

----------------------

> $ pkcs11-tool --list-slots
> Available slots:
> Slot 0 (0xffffffff): Virtual hotplug slot
>   (empty)
> Slot 1 (0x1): REINER SCT cyberJack RFID komfort (4694896162) 00 00
>   token label        : D-TRUST Card V3.0 standard 2ga (
>   token manufacturer : D-TRUST GmbH (C)
>   token model        : PKCS#15
>   token flags        : rng, login required, PIN initialized, PIN pad present, token initialized
>   hardware version   : 0.0
>   firmware version   : 0.0
>   serial num         :
> Slot 2 (0x2): REINER SCT cyberJack RFID komfort (4694896162) 00 00
>   token label        : D-TRUST Card V3.0 standard 2ga (
>   token manufacturer : D-TRUST GmbH (C)
>   token model        : PKCS#15
>   token flags        : rng, login required, PIN initialized, PIN pad present, token initialized
>   hardware version   : 0.0
>   firmware version   : 0.0
>   serial num         :

----------------------

> $ pkcs11-tool --list-objects
> Using slot 1 with a present token (0x1)
> Public Key Object; RSA 2048 bits
>   label:      D-TRUST Authentication Key
>   ID:         11
>   Usage:      encrypt, verify, wrap
> Certificate Object, type = X.509 cert
>   label:      D-TRUST Authentication Key
>   ID:         11
> Certificate Object, type = X.509 cert
>   label:      
>   ID:         2d333730343631303735333036303830313534
> Public Key Object; RSA 2048 bits
>   label:      
>   ID:         2d333730343631303735333036303830313534
>   Usage:      encrypt, verify
> Certificate Object, type = X.509 cert
>   label:      
>   ID:         2d32303036363939383139343731343534393238
> Public Key Object; RSA 2048 bits
>   label:      
>   ID:         2d32303036363939383139343731343534393238
>   Usage:      encrypt, verify

----------------------

> $ pkcs15-tool -D
> Using reader with a card: REINER SCT cyberJack RFID komfort (4694896162) 00 00
> PKCS#15 Card [D-TRUST Card V3.0 standard 2ga]:
> Version : 0
> Serial number :
> Manufacturer ID: D-TRUST GmbH (C)
> Flags : Login required, EID compliant
>
> PIN [PIN1]
> Object Flags : [0x3], private, modifiable
> Auth ID : 03
> ID : 01
> Flags : [0x833], case-sensitive, local, initialized, needs-padding, exchangeRefData
> Length : min_len:6, max_len:8, stored_len:8
> Pad char : 0xFF
> Reference : 1 (0x01)
> Type : iso 9664-1
> Path : a000000063504b43532d3135::
>
> PIN [PUK1]
> Object Flags : [0x3], private, modifiable
> ID : 03
> Flags : [0x873], case-sensitive, local, initialized, needs-padding, unblockingPin, exchangeRefData
> Length : min_len:8, max_len:8, stored_len:8
> Pad char : 0xFF
> Reference : 1 (0x01)
> Type : iso 9664-1
> Path : a000000063504b43532d3135::
>
> PIN [PIN2]
> Object Flags : [0x3], private, modifiable
> Auth ID : 04
> ID : 02
> Flags : [0x833], case-sensitive, local, initialized, needs-padding, exchangeRefData
> Length : min_len:6, max_len:8, stored_len:8
> Pad char : 0xFF
> Reference : 129 (0x81)
> Type : iso 9664-1
> Path : 3f000604
>
> PIN [PUK2]
> Object Flags : [0x3], private, modifiable
> ID : 04
> Flags : [0x873], case-sensitive, local, initialized, needs-padding, unblockingPin, exchangeRefData
> Length : min_len:8, max_len:8, stored_len:8
> Pad char : 0xFF
> Reference : 129 (0x81)
> Type : iso 9664-1
> Path : 3f000604
>
> Private RSA Key [D-TRUST Authentication Key]
> Object Flags : [0x1], private
> Usage : [0x2E], decrypt, sign, signRecover, unwrap
> Access Flags : [0x0]
> ModLength : 2048
> Key ref : 1 (0x1)
> Native : yes
> Path : a000000063504b43532d3135::3f000fff0f01
> Auth ID : 01
> ID : 11
> MD:guid : {a8abd012-eb59-b862-bf9b-c1ea443d2f35}
> :cmap flags : 0x0
> :sign : 0
> :key-exchange: 0
>
> Private RSA Key [SigG Signature Key]
> Object Flags : [0x1], private
> Usage : [0x200], nonRepudiation
> Access Flags : [0x0]
> ModLength : 2048
> Key ref : 4 (0x4)
> Native : yes
> Path : a000000063504b43532d3135::3f0006040f01
> Auth ID : 02
> ID : 12
> MD:guid : {c4f87a62-90ae-e1ac-fc1f-26083974ce94}
> :cmap flags : 0x0
> :sign : 0
> :key-exchange: 0
>
> Public RSA Key [D-TRUST Authentication Key]
> Object Flags : [0x2], modifiable
> Usage : [0xD1], encrypt, wrap, verify, verifyRecover
> Access Flags : [0x0]
> ModLength : 2048
> Key ref : 1 (0x1)
> Native : yes
> Path : a000000063504b43532d3135::3f000fff0e01
> Auth ID : 01
> ID : 11
>
> Public RSA Key [SigG Signature Key]
> Object Flags : [0x2], modifiable
> Usage : [0x204], sign, nonRepudiation
> Access Flags : [0x0]
> ModLength : 2048
> Key ref : 4 (0x4)
> Native : yes
> Path : a000000063504b43532d3135::3f0006040e01
> Auth ID : 02
> ID : 12
>
> X.509 Certificate [D-TRUST Authentication Key]
> Object Flags : [0x2], modifiable
> Authority : no
> Path : a000000063504b43532d3135::3f001501c100
> ID : 11
> Encoded serial : 02 03 168A81
> X.509 Certificate [SigG Signature Key]
> Object Flags : [0x2], modifiable
> Authority : no
> Path : a000000063504b43532d3135::3f001501c103
> ID : 12
> Encoded serial : 02 03 168A82
> X.509 Certificate []
> Object Flags : [0x0]
> Authority : no
> Path : a000000063504b43532d3135::3f001501c102
> ID : 2d32303036363939383139343731343534393238
> Encoded serial : 02 03 030E96
> X.509 Certificate []
> Object Flags : [0x0]
> Authority : no
> Path : a000000063504b43532d3135::3f001501c101
> ID : 2d333730343631303735333036303830313534
> Encoded serial : 02 03 097D43
> X.509 Certificate []
> Object Flags : [0x0]
> Authority : no
> Path : a000000063504b43532d3135::3f001501c105
> ID : 37353738323838313038333736373637303437
> Encoded serial : 02 03 159923
> X.509 Certificate []
> Object Flags : [0x0]
> Authority : no
> Path : a000000063504b43532d3135::3f001501c104
> ID : 38323832353936323735353833303736353131
> Encoded serial : 02 03 159924

----------------------

> $ pcsc_scan
> PC/SC device scanner
> V 1.4.23 (c) 2001-2011, Ludovic Rousseau <[hidden email]>
> Compiled with PC/SC lite version: 1.8.11
> Using reader plug'n play mechanism
> Scanning present readers...
> 0: REINER SCT cyberJack RFID komfort (4694896162) 00 00
>
> Sat Nov 7 01:39:47 2015
> Reader 0: REINER SCT cyberJack RFID komfort (4694896162) 00 00
> Card state: Card inserted,
> ATR: 3B D8 18 FF 81 B1 FE 45 1F 03 80 64 04 1A B4 03 81 05 61
>
> ATR: 3B D8 18 FF 81 B1 FE 45 1F 03 80 64 04 1A B4 03 81 05 61
> + TS = 3B --> Direct Convention
> + T0 = D8, Y(1): 1101, K: 8 (historical bytes)
> TA(1) = 18 --> Fi=372, Di=12, 31 cycles/ETU
> 129032 bits/s at 4 MHz, fMax for Fi = 5 MHz => 161290 bits/s
> TC(1) = FF --> Extra guard time: 255 (special value)
> TD(1) = 81 --> Y(i+1) = 1000, Protocol T = 1
> -----
> TD(2) = B1 --> Y(i+1) = 1011, Protocol T = 1
> -----
> TA(3) = FE --> IFSC: 254
> TB(3) = 45 --> Block Waiting Integer: 4 - Character Waiting Integer: 5
> TD(3) = 1F --> Y(i+1) = 0001, Protocol T = 15 - Global interface bytes following
> -----
> TA(4) = 03 --> Clock stop: not supported - Class accepted by the card: (3G) A 5V B 3V
> + Historical bytes: 80 64 04 1A B4 03 81 05
> Category indicator byte: 80 (compact TLV data object)
> Tag: 6, len: 4 (pre-issuing data)
> Data: 04 1A B4 03
> Tag: 8, len: 1 (status indicator)
> LCS (life card cycle): 05
> + TCK = 61 (correct checksum)
>
> Possibly identified card (using /usr/share/pcsc/smartcard_list.txt):
> 3B D8 18 FF 81 B1 FE 45 1F 03 80 64 04 1A B4 03 81 05 61
> D-Trust multicard advanced 3.1
> German public health insurance card ("Gesundheitskarte"), issuer SBK "Siemens Betriebskrankenkasse"

Note: This is not fully correct. This type of card is used for the German health insurance, but also for other uses, such as my QES signature card. The name is incorrectly hardcoded in the list that ships with pcsc_scan.

------------------------------------------------------------------------------
_______________________________________________
Opensc-devel mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/opensc-devel
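Added example, not part of the original post and not code from pcsc_scan or OpenSC: a small ATR decoder in Python, run over the ATR quoted in the message above. It reproduces the pcsc_scan breakdown (interface bytes, the T=1/T=15 protocol chain, the compact-TLV historical bytes and the TCK checksum) and makes the caveat behind the note above concrete: the historical bytes of this card carry only pre-issuing data (tag 6) and a life-cycle status (tag 8), that is, what the STARCOS platform says about itself at reset, and nothing about the PKCS#15 application personalised onto it later. A table keyed on the ATR, such as smartcard_list.txt, can therefore only name the chip platform (or whichever issuer's card was entered first), not whether the card is a health insurance card or a QES signature card; the token label from `pkcs15-tool -D` is the identifier to trust for that.

```python
# The ATR from `opensc-tool --atr` in the message above.
ATR_HEX = "3b:d8:18:ff:81:b1:fe:45:1f:03:80:64:04:1a:b4:03:81:05:61"


def parse_atr(atr_hex):
    """Split an ISO 7816-3 ATR into interface bytes, protocol list, historical
    bytes and a TCK check; returns a dict, like the pcsc_scan breakdown."""
    atr = bytes.fromhex(atr_hex.replace(":", "").replace(" ", ""))
    if atr[0] not in (0x3B, 0x3F):
        raise ValueError("TS must be 0x3B (direct) or 0x3F (inverse convention)")
    result = {
        "convention": "direct" if atr[0] == 0x3B else "inverse",
        "interface": {},
        "protocols": [],
    }
    t0 = atr[1]
    k = t0 & 0x0F            # number of historical bytes
    y = t0 >> 4              # presence bits for TA1/TB1/TC1/TD1
    i, pos = 1, 2
    while True:
        # Y(i): bit 1 = TA(i), bit 2 = TB(i), bit 4 = TC(i), bit 8 = TD(i)
        for name, bit in (("TA", 1), ("TB", 2), ("TC", 4), ("TD", 8)):
            if y & bit:
                result["interface"][f"{name}{i}"] = atr[pos]
                pos += 1
        td = result["interface"].get(f"TD{i}")
        if td is None:       # no TD(i): the interface bytes end here
            break
        result["protocols"].append(td & 0x0F)  # low nibble = protocol type T
        y = td >> 4          # high nibble = Y(i+1)
        i += 1
    result["historical"] = atr[pos:pos + k]
    pos += k
    # TCK is present unless T=0 is the only protocol offered; XOR of T0..TCK must be 0.
    if result["protocols"] and set(result["protocols"]) != {0}:
        xor = 0
        for b in atr[1:pos + 1]:
            xor ^= b
        result["tck_ok"] = xor == 0
        pos += 1
    else:
        result["tck_ok"] = None
    result["trailing"] = atr[pos:]   # anything left over means a malformed ATR
    return result


def parse_historical(hist):
    """Decode compact-TLV historical bytes (category indicator 0x80) into {tag: value}.
    Each object byte is tag (high nibble) and length (low nibble)."""
    if not hist or hist[0] != 0x80:
        return None
    objs, pos = {}, 1
    while pos < len(hist):
        tag, length = hist[pos] >> 4, hist[pos] & 0x0F
        objs[tag] = hist[pos + 1:pos + 1 + length]
        pos += 1 + length
    return objs


if __name__ == "__main__":
    atr = parse_atr(ATR_HEX)
    print("protocols offered:", atr["protocols"], "TCK ok:", atr["tck_ok"])
    print("historical bytes :", atr["historical"].hex())
    for tag, value in parse_historical(atr["historical"]).items():
        print(f"  compact-TLV tag {tag}: {value.hex()}")
```

Tag 6 (pre-issuing data, `04 1a b4 03`) and tag 8 (life-cycle status `05`) are all the card volunteers at reset; the `nonRepudiation` key and the D-TRUST token label only become visible after selecting the PKCS#15 application.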

Re: Issue with signatures with D-TRUST card 3.0 (STARCOS 3.4) smart card

Andreas Schwier (ML)
Hi Ferdinand,

can you set OPENSC_DEBUG=9 so we can see what is going on?

As an alternative you could try [1], which has been tested with D-Trust
3.0 cards.

Andreas

[1] https://github.com/CardContact/sc-hsm-embedded/wiki/PKCS11

On 11/08/2015 09:08 PM, Ferdinand Rau wrote:



--

    ---------    CardContact Software & System Consulting
   |.##> <##.|   Andreas Schwier
   |#       #|   Schülerweg 38
   |#       #|   32429 Minden, Germany
   |'##> <##'|   Phone +49 571 56149
    ---------    http://www.cardcontact.de
                 http://www.tscons.de
                 http://www.openscdp.org
                 http://www.smartcard-hsm.com




Re: Issue with signatures with D-TRUST card 3.0 (STARCOS 3.4) smart card

Ferdinand Rau
Dear Andreas,

Please find here the requested output of OpenSC:
https://www.dropbox.com/s/9boccale15atwkd/OPENSC_DEBUG.txt.zip?dl=1
(The file was too large for direct mailing)

It was recorded with OPENSC_DEBUG=9 during the following actions:
Starting Thunderbird, connecting the reader, inserting the smart card, trying to send an encrypted e-mail, waiting for error message, killing Thunderbird.

Note that with OPENSC_DEBUG set to 9, Thunderbird freezes before presenting the previously mentioned error message. It may be related to the enormous 500000 lines of DEBUG output OpenSC had to process :-)
I hope the log file is helpful anyway.

I have had issues with this particular card reader and CTAPI. If there is no other way to make this work, I can still try the sc-hsm-embedded alternative, but currently, I prefer to stay with pcscd.

Best,
Ferdinand
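Before wading through a 500,000-line debug log, one check can be done offline against the `pkcs15-tool -D` dump from the first message: which PIN guards each private key, and which certificate shares its ID. The following is an added example, not code from the thread or from OpenSC; the dump excerpt is constructed from the quoted output, and the slot remark assumes the usual layout of OpenSC's PKCS#11 module for a card with several PINs, one virtual slot per PIN with each private key placed in the slot of the PIN that protects it, which is what the two slots for one reader in the `pkcs11-tool --list-slots` output look like. On this card the SigG signature key (ID 12, usage nonRepudiation only) is guarded by PIN2 (reference 0x81 in DF 3f000604), not by PIN1, so under that assumption it sits in the second slot; that is consistent with `pkcs11-tool --list-objects` on slot 1 showing the authentication certificate (ID 11) but no certificate with ID 12.

```python
import re
from collections import defaultdict

# Constructed excerpt of the `pkcs15-tool -D` dump quoted in the first message
# (quote markers stripped; fields that do not matter for this check left out).
PKCS15_DUMP = """\
PIN [PIN1]
Auth ID : 03
ID : 01
Reference : 1 (0x01)
Path : a000000063504b43532d3135::

PIN [PIN2]
Auth ID : 04
ID : 02
Reference : 129 (0x81)
Path : 3f000604

Private RSA Key [D-TRUST Authentication Key]
Usage : [0x2E], decrypt, sign, signRecover, unwrap
Path : a000000063504b43532d3135::3f000fff0f01
Auth ID : 01
ID : 11

Private RSA Key [SigG Signature Key]
Usage : [0x200], nonRepudiation
Path : a000000063504b43532d3135::3f0006040f01
Auth ID : 02
ID : 12

X.509 Certificate [D-TRUST Authentication Key]
Path : a000000063504b43532d3135::3f001501c100
ID : 11

X.509 Certificate [SigG Signature Key]
Path : a000000063504b43532d3135::3f001501c103
ID : 12

X.509 Certificate []
Path : a000000063504b43532d3135::3f001501c102
ID : 2d32303036363939383139343731343534393238
"""

HEADER = re.compile(r"^(PIN|Private RSA Key|Public RSA Key|X\.509 Certificate) \[(.*)\]$")

def parse_pkcs15_dump(text):
    """Return {object kind: [ {label, field: value, ...}, ... ]} from a pkcs15-tool -D dump."""
    objects = defaultdict(list)
    current = None
    for raw in text.splitlines():
        line = raw.strip().lstrip(">").strip()   # tolerate e-mail quoting
        m = HEADER.match(line)
        if m:
            current = {"label": m.group(2)}
            objects[m.group(1)].append(current)
        elif current is not None and " : " in line:
            key, value = (part.strip() for part in line.split(" : ", 1))
            current[key] = value
    return objects

def key_chains(objects):
    """For each private key: the PIN object guarding it (matched via Auth ID) and the
    certificate that shares its ID. A missing PIN or certificate comes back as None."""
    pins = {p["ID"]: p for p in objects["PIN"]}
    certs = {c["ID"]: c for c in objects["X.509 Certificate"]}
    chains = []
    for key in objects["Private RSA Key"]:
        pin = pins.get(key.get("Auth ID"))
        cert = certs.get(key["ID"])
        chains.append({
            "key_id": key["ID"],
            "key_label": key["label"],
            # "Usage : [0x200], nonRepudiation" -> ["nonRepudiation"]
            "usage": [u.strip() for u in key.get("Usage", "").split(",")[1:]],
            "pin_label": pin["label"] if pin else None,
            "pin_reference": int(pin["Reference"].split()[0]) if pin else None,
            "pin_path": pin["Path"] if pin else None,
            "cert_path": cert["Path"] if cert else None,
        })
    return chains

def nonrepudiation_keys(chains):
    """Keys eligible for a qualified (SigG) signature: nonRepudiation in their usage."""
    return [c for c in chains if "nonRepudiation" in c["usage"]]

def certificates_without_key(objects):
    """Certificate IDs with no private key on the card: the card cannot sign with them."""
    key_ids = {k["ID"] for k in objects["Private RSA Key"]}
    return [c["ID"] for c in objects["X.509 Certificate"] if c["ID"] not in key_ids]

if __name__ == "__main__":
    objs = parse_pkcs15_dump(PKCS15_DUMP)
    for c in key_chains(objs):
        print(f"key {c['key_id']} [{c['key_label']}] usage={c['usage']} -> "
              f"{c['pin_label']} (ref 0x{c['pin_reference']:02x}, DF {c['pin_path']}) "
              f"cert {c['cert_path']}")
    print("certificates with no private key:", certificates_without_key(objs))
```

The two unlabelled certificates with long decimal IDs have public keys but no private key on the card, so selecting one of them in an application's certificate chooser cannot produce a signature whatever the reader's display says about the PIN. Comparing the certificate configured in Thunderbird's account settings against this list, and confirming that the login went to the slot holding key ID 12, is cheaper than reading the log.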



On 11/08/2015 10:21 PM, Andreas Schwier <[hidden email]> wrote:

> Hi Ferdinand,
>
> can you set OPENSC_DEBUG=9 so we can see what is going on ?
>
> As an alternative you could try [1], which has been tested with D-Trust
> 3.0 cards.
>
> Andreas
>
> [1] https://github.com/CardContact/sc-hsm-embedded/wiki/PKCS11
>
> On 11/08/2015 09:08 PM, Ferdinand Rau wrote:
>> Dear all,
>>
>> I am trying to get PDF signatures to work with LibreOffice 5.0 and my D-TRUST card 3.0, which requires a properly set up Mozilla NSS, which in turn requires OpenSC. I access the card via an USB smart card reader "ReinerSCT cyberJack RFID komfort" on Debian Jessie Linux with OpenSC 0.15.0.
>> The card is listed here, but not explicitly marked as supported: https://github.com/OpenSC/OpenSC/wiki/German-ID-Cards
>>
>> The card is (probably) a Starcos 3.4 type card, therefore, I compiled OpenSC 0.15.0 with the following patch:
>> https://github.com/OpenSC/OpenSC/pull/357
>>
>> The result is as follows:
>> 1. I can see the certificates on the card in Mozilla NSS after entering my PIN number on the reader's pinpad.
>>
>> 2. I can select a certificate for signing in LibreOffice. Then, I am asked for my PIN both in a dialog on screen and again on the reader's pinpad. The reader's display says "PIN correct" and there is no error message, but no signature is applied to the document.
>>
>> 3. Alternatively, I tried signing an e-mail in Thunderbird. The result is slightly different: When sending the e-mail, I am prompted to enter my PIN on the reader's pinpad. The reader's display says "PIN correct", but the signing fails with the following error message: "Sending message failed. You specified that this message should be digitally signed, but the application either failed to find the signing certificate specified in your Mail & Newsgroups Account Settings, or the certificate has expired." Needless to say, the certificate has not expired.
>>
>> Please find below the output of serveral common commands. Could someone please confirm that
>> a) the card suitable for this kind of digital signatures in principle
>> b) the card is not supposed to work with OpenSC 0.15.0 without the aforementioned patch
>> c) the card is supposed to work with OpenSC 0.15.0 with the patch and all future versions including the patch
>>
>> If someone can help with the troubleshooting, that would be awesome. Just getting definitve answers to the above a),b),c) would be a real good starting point, though.
>>
>> Best regards, and thanks in advance,
>> Ferdinand
>>
>>
>>> $ opensc-tool -i
>>> OpenSC 0.15.0 [gcc  4.9.2]
>>> Enabled features: zlib readline openssl pcsc(libpcsclite.so.1)
>>
>> ----------------------
>>
>>> $ opensc-tool --list-readers
>>> # Detected readers (pcsc)
>>> Nr.  Card  Features  Name
>>> 0    Yes   PIN pad   REINER SCT cyberJack RFID komfort (4694896162) 00 00
>>
>> ----------------------
>>
>>> $ opensc-tool --name
>>> Using reader with a card: REINER SCT cyberJack RFID komfort (4694896162) 00 00
>>> STARCOS SPK 3.4
>>
>> ----------------------
>>
>>> $ opensc-tool --atr
>>> Using reader with a card: REINER SCT cyberJack RFID komfort (4694896162) 00 00
>>> 3b:d8:18:ff:81:b1:fe:45:1f:03:80:64:04:1a:b4:03:81:05:61
>>
>> ----------------------
>>
>>> $ pkcs11-tool --list-slots
>>> Available slots:
>>> Slot 0 (0xffffffff): Virtual hotplug slot
>>>   (empty)
>>> Slot 1 (0x1): REINER SCT cyberJack RFID komfort (4694896162) 00 00
>>>   token label        : D-TRUST Card V3.0 standard 2ga (
>>>   token manufacturer : D-TRUST GmbH (C)
>>>   token model        : PKCS#15
>>>   token flags        : rng, login required, PIN initialized, PIN pad present, token initialized
>>>   hardware version   : 0.0
>>>   firmware version   : 0.0
>>>   serial num         :
>>> Slot 2 (0x2): REINER SCT cyberJack RFID komfort (4694896162) 00 00
>>>   token label        : D-TRUST Card V3.0 standard 2ga (
>>>   token manufacturer : D-TRUST GmbH (C)
>>>   token model        : PKCS#15
>>>   token flags        : rng, login required, PIN initialized, PIN pad present, token initialized
>>>   hardware version   : 0.0
>>>   firmware version   : 0.0
>>>   serial num         :
>>
>> ----------------------
>>
>>> $ pkcs11-tool --list-objects
>>> Using slot 1 with a present token (0x1)
>>> Public Key Object; RSA 2048 bits
>>>   label:      D-TRUST Authentication Key
>>>   ID:         11
>>>   Usage:      encrypt, verify, wrap
>>> Certificate Object, type = X.509 cert
>>>   label:      D-TRUST Authentication Key
>>>   ID:         11
>>> Certificate Object, type = X.509 cert
>>>   label:      
>>>   ID:         2d333730343631303735333036303830313534
>>> Public Key Object; RSA 2048 bits
>>>   label:      
>>>   ID:         2d333730343631303735333036303830313534
>>>   Usage:      encrypt, verify
>>> Certificate Object, type = X.509 cert
>>>   label:      
>>>   ID:         2d32303036363939383139343731343534393238
>>> Public Key Object; RSA 2048 bits
>>>   label:      
>>>   ID:         2d32303036363939383139343731343534393238
>>>   Usage:      encrypt, verify
>>
>> ----------------------
>>
>>> $ pkcs15-tool -D
>>> Using reader with a card: REINER SCT cyberJack RFID komfort (4694896162) 00 00
>>> PKCS#15 Card [D-TRUST Card V3.0 standard 2ga]:
>>> Version : 0
>>> Serial number :
>>> Manufacturer ID: D-TRUST GmbH (C)
>>> Flags : Login required, EID compliant
>>>
>>> PIN [PIN1]
>>> Object Flags : [0x3], private, modifiable
>>> Auth ID : 03
>>> ID : 01
>>> Flags : [0x833], case-sensitive, local, initialized, needs-padding, exchangeRefData
>>> Length : min_len:6, max_len:8, stored_len:8
>>> Pad char : 0xFF
>>> Reference : 1 (0x01)
>>> Type : iso 9664-1
>>> Path : a000000063504b43532d3135::
>>>
>>> PIN [PUK1]
>>> Object Flags : [0x3], private, modifiable
>>> ID : 03
>>> Flags : [0x873], case-sensitive, local, initialized, needs-padding, unblockingPin, exchangeRefData
>>> Length : min_len:8, max_len:8, stored_len:8
>>> Pad char : 0xFF
>>> Reference : 1 (0x01)
>>> Type : iso 9664-1
>>> Path : a000000063504b43532d3135::
>>>
>>> PIN [PIN2]
>>> Object Flags : [0x3], private, modifiable
>>> Auth ID : 04
>>> ID : 02
>>> Flags : [0x833], case-sensitive, local, initialized, needs-padding, exchangeRefData
>>> Length : min_len:6, max_len:8, stored_len:8
>>> Pad char : 0xFF
>>> Reference : 129 (0x81)
>>> Type : iso 9664-1
>>> Path : 3f000604
>>>
>>> PIN [PUK2]
>>> Object Flags : [0x3], private, modifiable
>>> ID : 04
>>> Flags : [0x873], case-sensitive, local, initialized, needs-padding, unblockingPin, exchangeRefData
>>> Length : min_len:8, max_len:8, stored_len:8
>>> Pad char : 0xFF
>>> Reference : 129 (0x81)
>>> Type : iso 9664-1
>>> Path : 3f000604
>>>
>>> Private RSA Key [D-TRUST Authentication Key]
>>> Object Flags : [0x1], private
>>> Usage : [0x2E], decrypt, sign, signRecover, unwrap
>>> Access Flags : [0x0]
>>> ModLength : 2048
>>> Key ref : 1 (0x1)
>>> Native : yes
>>> Path : a000000063504b43532d3135::3f000fff0f01
>>> Auth ID : 01
>>> ID : 11
>>> MD:guid : {a8abd012-eb59-b862-bf9b-c1ea443d2f35}
>>> :cmap flags : 0x0
>>> :sign : 0
>>> :key-exchange: 0
>>>
>>> Private RSA Key [SigG Signature Key]
>>> Object Flags : [0x1], private
>>> Usage : [0x200], nonRepudiation
>>> Access Flags : [0x0]
>>> ModLength : 2048
>>> Key ref : 4 (0x4)
>>> Native : yes
>>> Path : a000000063504b43532d3135::3f0006040f01
>>> Auth ID : 02
>>> ID : 12
>>> MD:guid : {c4f87a62-90ae-e1ac-fc1f-26083974ce94}
>>> :cmap flags : 0x0
>>> :sign : 0
>>> :key-exchange: 0
>>>
>>> Public RSA Key [D-TRUST Authentication Key]
>>> Object Flags : [0x2], modifiable
>>> Usage : [0xD1], encrypt, wrap, verify, verifyRecover
>>> Access Flags : [0x0]
>>> ModLength : 2048
>>> Key ref : 1 (0x1)
>>> Native : yes
>>> Path : a000000063504b43532d3135::3f000fff0e01
>>> Auth ID : 01
>>> ID : 11
>>>
>>> Public RSA Key [SigG Signature Key]
>>> Object Flags : [0x2], modifiable
>>> Usage : [0x204], sign, nonRepudiation
>>> Access Flags : [0x0]
>>> ModLength : 2048
>>> Key ref : 4 (0x4)
>>> Native : yes
>>> Path : a000000063504b43532d3135::3f0006040e01
>>> Auth ID : 02
>>> ID : 12
>>>
>>> X.509 Certificate [D-TRUST Authentication Key]
>>> Object Flags : [0x2], modifiable
>>> Authority : no
>>> Path : a000000063504b43532d3135::3f001501c100
>>> ID : 11
>>> Encoded serial : 02 03 168A81
>>> X.509 Certificate [SigG Signature Key]
>>> Object Flags : [0x2], modifiable
>>> Authority : no
>>> Path : a000000063504b43532d3135::3f001501c103
>>> ID : 12
>>> Encoded serial : 02 03 168A82
>>> X.509 Certificate []
>>> Object Flags : [0x0]
>>> Authority : no
>>> Path : a000000063504b43532d3135::3f001501c102
>>> ID : 2d32303036363939383139343731343534393238
>>> Encoded serial : 02 03 030E96
>>> X.509 Certificate []
>>> Object Flags : [0x0]
>>> Authority : no
>>> Path : a000000063504b43532d3135::3f001501c101
>>> ID : 2d333730343631303735333036303830313534
>>> Encoded serial : 02 03 097D43
>>> X.509 Certificate []
>>> Object Flags : [0x0]
>>> Authority : no
>>> Path : a000000063504b43532d3135::3f001501c105
>>> ID : 37353738323838313038333736373637303437
>>> Encoded serial : 02 03 159923
>>> X.509 Certificate []
>>> Object Flags : [0x0]
>>> Authority : no
>>> Path : a000000063504b43532d3135::3f001501c104
>>> ID : 38323832353936323735353833303736353131
>>> Encoded serial : 02 03 159924
>>
>> ----------------------
>>
>>> $ pcsc_scan
>>> PC/SC device scanner
>>> V 1.4.23 (c) 2001-2011, Ludovic Rousseau <[hidden email]>
>>> Compiled with PC/SC lite version: 1.8.11
>>> Using reader plug'n play mechanism
>>> Scanning present readers...
>>> 0: REINER SCT cyberJack RFID komfort (4694896162) 00 00
>>>
>>> Sat Nov 7 01:39:47 2015
>>> Reader 0: REINER SCT cyberJack RFID komfort (4694896162) 00 00
>>> Card state: Card inserted,
>>> ATR: 3B D8 18 FF 81 B1 FE 45 1F 03 80 64 04 1A B4 03 81 05 61
>>>
>>> ATR: 3B D8 18 FF 81 B1 FE 45 1F 03 80 64 04 1A B4 03 81 05 61
>>> + TS = 3B --> Direct Convention
>>> + T0 = D8, Y(1): 1101, K: 8 (historical bytes)
>>> TA(1) = 18 --> Fi=372, Di=12, 31 cycles/ETU
>>> 129032 bits/s at 4 MHz, fMax for Fi = 5 MHz => 161290 bits/s
>>> TC(1) = FF --> Extra guard time: 255 (special value)
>>> TD(1) = 81 --> Y(i+1) = 1000, Protocol T = 1
>>> -----
>>> TD(2) = B1 --> Y(i+1) = 1011, Protocol T = 1
>>> -----
>>> TA(3) = FE --> IFSC: 254
>>> TB(3) = 45 --> Block Waiting Integer: 4 - Character Waiting Integer: 5
>>> TD(3) = 1F --> Y(i+1) = 0001, Protocol T = 15 - Global interface bytes following
>>> -----
>>> TA(4) = 03 --> Clock stop: not supported - Class accepted by the card: (3G) A 5V B 3V
>>> + Historical bytes: 80 64 04 1A B4 03 81 05
>>> Category indicator byte: 80 (compact TLV data object)
>>> Tag: 6, len: 4 (pre-issuing data)
>>> Data: 04 1A B4 03
>>> Tag: 8, len: 1 (status indicator)
>>> LCS (life card cycle): 05
>>> + TCK = 61 (correct checksum)
>>>
>>> Possibly identified card (using /usr/share/pcsc/smartcard_list.txt):
>>> 3B D8 18 FF 81 B1 FE 45 1F 03 80 64 04 1A B4 03 81 05 61
>>> D-Trust multicard advanced 3.1
>>> German public health insurance card ("Gesundheitskarte"), issuer SBK "Siemens Betriebskrankenkasse"
>>
>> Note: This is not fully correct. This type of card is used for the German health insurance, but also for other uses, such as my QES signature card. The name is incorrectly hardcoded in the list that ships with pcsc_scan.
>>
>> ------------------------------------------------------------------------------
>> _______________________________________________
>> Opensc-devel mailing list
>> [hidden email]
>> https://lists.sourceforge.net/lists/listinfo/opensc-devel



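The pcsc_scan output above decodes the card's ATR byte by byte. As an added example (not pcsc_scan or OpenSC code), here is a small decoder that reproduces that breakdown for the ATR printed on this page: interface bytes, the protocols each TD byte announces, the Fi/Di speed figures, the TCK checksum, and the compact TLV inside the historical bytes. The ISO 7816-3 Fi/Di tables are embedded; nothing else is assumed.

```python
"""Decode an ISO/IEC 7816-3 ATR the way pcsc_scan does, plus the TCK check.

Added example for this thread (not OpenSC or pcsc_scan code). The ATR below
is the one pcsc_scan printed for the D-TRUST card above.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

DTRUST_ATR = "3B D8 18 FF 81 B1 FE 45 1F 03 80 64 04 1A B4 03 81 05 61"

# ISO 7816-3 tables for TA1: Fi and fmax (MHz) by the high nibble, Di by the low
# nibble. None marks values reserved for future use.
FI = [372, 372, 558, 744, 1116, 1488, 1860, None, None, 512, 768, 1024, 1536, 2048, None, None]
FMAX_MHZ = [4, 5, 6, 8, 12, 16, 20, None, None, 5, 7.5, 10, 15, 20, None, None]
DI = [None, 1, 2, 4, 8, 16, 32, 64, 12, 20, None, None, None, None, None, None]


@dataclass
class Atr:
    direct_convention: bool
    interface_bytes: Dict[str, int] = field(default_factory=dict)  # "TA1" -> 0x18 ...
    protocols: List[int] = field(default_factory=list)            # T from each TD(i)
    historical: bytes = b""
    tck_ok: Optional[bool] = None          # None when the ATR carries no TCK
    compact_tlv: Dict[int, bytes] = field(default_factory=dict)   # from historical bytes

    def cycles_per_etu(self) -> int:
        ta1 = self.interface_bytes.get("TA1", 0x11)  # absent TA1 means Fi=372, Di=1
        fi, di = FI[ta1 >> 4], DI[ta1 & 0x0F]
        if fi is None or di is None:
            raise ValueError("reserved Fi/Di value in TA1")
        return fi // di

    def bitrate(self, clock_hz: int = 4_000_000) -> int:
        return clock_hz // self.cycles_per_etu()

    def max_bitrate(self) -> int:
        ta1 = self.interface_bytes.get("TA1", 0x11)
        return int(FMAX_MHZ[ta1 >> 4] * 1_000_000) // self.cycles_per_etu()


def parse_atr(hex_str: str) -> Atr:
    # Accepts both "3B D8 ..." (pcsc_scan) and "3b:d8:..." (opensc-tool --atr)
    data = bytes.fromhex(hex_str.replace(":", " "))
    if len(data) < 2 or data[0] not in (0x3B, 0x3F):
        raise ValueError("not an ATR: bad TS byte")
    atr = Atr(direct_convention=(data[0] == 0x3B))
    y, k = data[1] >> 4, data[1] & 0x0F        # T0: Y1 presence bits, K historical bytes
    pos, i = 2, 1
    while True:
        for bit, name in ((1, "TA"), (2, "TB"), (4, "TC"), (8, "TD")):
            if y & bit:
                if pos >= len(data):
                    raise ValueError("truncated ATR")
                atr.interface_bytes[f"{name}{i}"] = data[pos]
                pos += 1
        td = atr.interface_bytes.get(f"TD{i}")
        if td is None:
            break
        atr.protocols.append(td & 0x0F)        # low nibble: protocol T
        y, i = td >> 4, i + 1                  # high nibble: Y(i+1) presence bits
    if pos + k > len(data):
        raise ValueError("truncated historical bytes")
    atr.historical = data[pos:pos + k]
    pos += k
    # TCK is present unless T=0 is the only protocol indicated; XOR of T0..TCK is 0.
    if any(p != 0 for p in atr.protocols):
        if pos >= len(data):
            raise ValueError("TCK missing")
        xor = 0
        for b in data[1:pos + 1]:
            xor ^= b
        atr.tck_ok = xor == 0
    # Category indicator 0x80: the remaining historical bytes are compact TLV
    # (tag in the high nibble, length in the low nibble), as pcsc_scan prints.
    if atr.historical[:1] == b"\x80":
        h, j = atr.historical, 1
        while j < len(h):
            tag, ln = h[j] >> 4, h[j] & 0x0F
            atr.compact_tlv[tag] = h[j + 1:j + 1 + ln]
            j += 1 + ln
    return atr


if __name__ == "__main__":
    a = parse_atr(DTRUST_ATR)
    print("convention:", "direct" if a.direct_convention else "inverse")
    print("interface bytes:", {k: f"{v:02X}" for k, v in a.interface_bytes.items()})
    print("protocols:", a.protocols, "historical:", a.historical.hex())
    print("cycles/ETU:", a.cycles_per_etu(), "bit/s at 4 MHz:", a.bitrate())
    print("TCK ok:", a.tck_ok, "compact TLV:", {t: v.hex() for t, v in a.compact_tlv.items()})
```

A failing TCK means the reader delivered a corrupted ATR, which is worth ruling out before blaming the card driver.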

Re: Issue with signatures with D-TRUST card 3.0 (STARCOS 3.4) smart card

Andreas Schwier (ML)
Hi Ferdinand,

I can't see any interaction with the card other than using the random
number generator (00 84 00 00 APDUs in the log). I'm not sure what
Thunderbird is trying to do.



On 11/09/2015 09:51 AM, Ferdinand Rau wrote:

> Dear Andreas,
>
> Please find here the requested output of OpenSC:
> https://www.dropbox.com/s/9boccale15atwkd/OPENSC_DEBUG.txt.zip?dl=1
> (The file was too large for direct mailing)
>
> It was recorded with OPENSC_DEBUG=9 during the following actions:
> Starting Thunderbird, connecting the reader, inserting the smart card, trying to send an encrypted e-mail, waiting for error message, killing Thunderbird.
>
> Note that with OPENSC_DEBUG set to 9, Thunderbird freezes before presenting the previously mentioned error message. It may be related to the enormous 500000 lines of DEBUG output OpenSC had to process :-)
> I hope the log file is helpful anyway.
>
> I have had issues with this particular card reader and CTAPI. If there is no other way to make this work, I can still try the sc-hsm-embedded alternative, but currently, I prefer to stay with pcscd
>
> Best,
> Ferdinand
>
>
>
> On 11/08/2015 10:21 PM, Andreas Schwier <[hidden email]> wrote:
>> Hi Ferdinand,
>>
>> can you set OPENSC_DEBUG=9 so we can see what is going on ?
>>
>> As an alternative you could try [1], which has been tested with D-Trust
>> 3.0 cards.
>>
>> Andreas
>>
>> [1] https://github.com/CardContact/sc-hsm-embedded/wiki/PKCS11
>>


--

    ---------    CardContact Software & System Consulting
   |.##> <##.|   Andreas Schwier
   |#       #|   Schülerweg 38
   |#       #|   32429 Minden, Germany
   |'##> <##'|   Phone +49 571 56149
    ---------    http://www.cardcontact.de
                 http://www.tscons.de
                 http://www.openscdp.org
                 http://www.smartcard-hsm.com


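A parser for the pkcs15-tool -D dump quoted in this thread, added here as an example (not OpenSC code). It links each private key to the PIN named by its Auth ID and to that PIN's unblocking PUK (in the dump, PIN1's Auth ID 03 is PUK1's ID), and decodes the usage mask with the PKCS#15 bit values OpenSC prints. The embedded dump is a trimmed copy of the page's own output, keeping only the fields read here; it shows that the SigG key sits behind PIN2 (reference 0x81, path 3f000604), not PIN1.

```python
"""Map the keys in a `pkcs15-tool -D` dump to the PINs that protect them.

Added example for this thread, not OpenSC code. SAMPLE_DUMP is a trimmed
copy of the dump quoted above (only the fields this script reads are kept).
"""
import re

# PKCS#15 key-usage bits as OpenSC prints them (SC_PKCS15_PRKEY_USAGE_*)
USAGE_BITS = [
    (0x001, "encrypt"), (0x002, "decrypt"), (0x004, "sign"),
    (0x008, "signRecover"), (0x010, "wrap"), (0x020, "unwrap"),
    (0x040, "verify"), (0x080, "verifyRecover"), (0x100, "derive"),
    (0x200, "nonRepudiation"),
]

SAMPLE_DUMP = """\
PIN [PIN1]
Auth ID : 03
ID : 01
Reference : 1 (0x01)
Path : a000000063504b43532d3135::

PIN [PUK1]
ID : 03
Reference : 1 (0x01)
Path : a000000063504b43532d3135::

PIN [PIN2]
Auth ID : 04
ID : 02
Reference : 129 (0x81)
Path : 3f000604

PIN [PUK2]
ID : 04
Reference : 129 (0x81)
Path : 3f000604

Private RSA Key [D-TRUST Authentication Key]
Usage : [0x2E], decrypt, sign, signRecover, unwrap
Key ref : 1 (0x1)
Path : a000000063504b43532d3135::3f000fff0f01
Auth ID : 01
ID : 11

Private RSA Key [SigG Signature Key]
Usage : [0x200], nonRepudiation
Key ref : 4 (0x4)
Path : a000000063504b43532d3135::3f0006040f01
Auth ID : 02
ID : 12
"""

HEADER = re.compile(r"^(PIN|Private RSA Key|Public RSA Key|X\.509 Certificate) \[(.*)\]$")


def parse_dump(text):
    """Split the dump into objects: {'kind': ..., 'label': ..., '<field>': '<value>'}."""
    objects, current = [], None
    for line in text.splitlines():
        m = HEADER.match(line.strip())
        if m:
            current = {"kind": m.group(1), "label": m.group(2)}
            objects.append(current)
        elif current is not None and " : " in line:
            key, value = line.split(" : ", 1)
            current[key.strip()] = value.strip()
    return objects


def decode_usage(usage_field):
    """'[0x2E], decrypt, ...' -> usage names derived from the mask, not the text."""
    mask = int(usage_field.split("]")[0].strip("["), 16)
    return [name for bit, name in USAGE_BITS if mask & bit]


def key_protection(objects):
    """For each private key: the PIN its Auth ID points at, that PIN's reference
    and path, and the PUK that unblocks the PIN (the PIN's own Auth ID)."""
    pins = {o["ID"]: o for o in objects if o["kind"] == "PIN"}
    result = {}
    for o in objects:
        if o["kind"] != "Private RSA Key":
            continue
        pin = pins.get(o.get("Auth ID"))
        puk = pins.get(pin.get("Auth ID")) if pin else None
        result[o["label"]] = {
            "usage": decode_usage(o["Usage"]),
            "pin": pin["label"] if pin else None,
            "pin_ref": pin["Reference"].split("(")[1].rstrip(")") if pin else None,
            "pin_path": pin["Path"] if pin else None,
            "puk": puk["label"] if puk else None,
        }
    return result


if __name__ == "__main__":
    for label, info in key_protection(parse_dump(SAMPLE_DUMP)).items():
        print(f"{label}: usage={info['usage']} PIN={info['pin']} "
              f"ref={info['pin_ref']} path={info['pin_path']} PUK={info['puk']}")
```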

Re: Issue with signatures with D-TRUST card 3.0 (STARCOS 3.4) smart card

Ferdinand Rau
Ok. I will investigate and report back in a couple of days.

Ferdinand

On 11/09/2015 14:36 AM, Andreas Schwier <[hidden email]> wrote:

> Hi Ferdinand,
>
> I can't see any interaction with the card other than using the random
> number generator (00 84 00 00 APDUs in the log). I'm not sure what
> Thunderbird is trying to do.
>
>
>
> On 11/09/2015 09:51 AM, Ferdinand Rau wrote:
>> Dear Andreas,
>>
>> Please find here the requested output of OpenSC:
>> https://www.dropbox.com/s/9boccale15atwkd/OPENSC_DEBUG.txt.zip?dl=1
>> (The file was too large for direct mailing)
>>
>> It was recorded with OPENSC_DEBUG=9 during the following actions:
>> Starting Thunderbird, connecting the reader, inserting the smart card, trying to send an encrypted e-mail, waiting for error message, killing Thunderbird.
>>
>> Note that with OPENSC_DEBUG set to 9, Thunderbird freezes before presenting the previously mentioned error message. It may be related to the enormous 500000 lines of DEBUG output OpenSC had to process :-)
>> I hope the log file is helpful anyway.
>>
>> I have had issues with this particular card reader and CTAPI. If there is no other way to make this work, I can still try the sc-hsm-embedded alternative, but currently, I prefer to stay with pcscd
>>
>> Best,
>> Ferdinand
>>
>>
>>
>> On 11/08/2015 10:21 PM, Andreas Schwier <[hidden email]> wrote:
>>> Hi Ferdinand,
>>>
>>> can you set OPENSC_DEBUG=9 so we can see what is going on ?
>>>
>>> As an alternative you could try [1], which has been tested with D-Trust
>>> 3.0 cards.
>>>
>>> Andreas
>>>
>>> [1] https://github.com/CardContact/sc-hsm-embedded/wiki/PKCS11
>>>
>>> On 11/08/2015 09:08 PM, Ferdinand Rau wrote:
>>>> Dear all,
>>>>
>>>> I am trying to get PDF signatures to work with LibreOffice 5.0 and my D-TRUST card 3.0, which requires a properly set up Mozilla NSS, which in turn requires OpenSC. I access the card via an USB smart card reader "ReinerSCT cyberJack RFID komfort" on Debian Jessie Linux with OpenSC 0.15.0.
>>>> The card is listed here, but not explicitly marked as supported: https://github.com/OpenSC/OpenSC/wiki/German-ID-Cards
>>>>
>>>> The card is (probably) a Starcos 3.4 type card, therefore, I compiled OpenSC 0.15.0 with the following patch:
>>>> https://github.com/OpenSC/OpenSC/pull/357
>>>>
>>>> The result is as follows:
>>>> 1. I can see the certificates on the card in Mozilla NSS after entering my PIN number on the reader's pinpad.
>>>>
>>>> 2. I can select a certificate for signing in LibreOffice. Then, I am asked for my PIN both in a dialog on screen and again on the reader's pinpad. The reader's display says "PIN correct" and there is no error message, but no signature is applied to the document.
>>>>
>>>> 3. Alternatively, I tried signing an e-mail in Thunderbird. The result is slightly different: When sending the e-mail, I am prompted to enter my PIN on the reader's pinpad. The reader's display says "PIN correct", but the signing fails with the following error message: "Sending message failed. You specified that this message should be digitally signed, but the application either failed to find the signing certificate specified in your Mail & Newsgroups Account Settings, or the certificate has expired." Needless to say, the certificate has not expired.
>>>>
>>>> Please find below the output of serveral common commands. Could someone please confirm that
>>>> a) the card suitable for this kind of digital signatures in principle
>>>> b) the card is not supposed to work with OpenSC 0.15.0 without the aforementioned patch
>>>> c) the card is supposed to work with OpenSC 0.15.0 with the patch and all future versions including the patch
>>>>
>>>> If someone can help with the troubleshooting, that would be awesome. Just getting definitve answers to the above a),b),c) would be a real good starting point, though.
>>>>
>>>> Best regards, and thanks in advance,
>>>> Ferdinand
>>>>
>>>>
>>>>> $ opensc-tool -i
>>>>> OpenSC 0.15.0 [gcc  4.9.2]
>>>>> Enabled features: zlib readline openssl pcsc(libpcsclite.so.1)
>>>>
>>>> ----------------------
>>>>
>>>>> $ opensc-tool --list-readers
>>>>> # Detected readers (pcsc)
>>>>> Nr.  Card  Features  Name
>>>>> 0    Yes   PIN pad   REINER SCT cyberJack RFID komfort (4694896162) 00 00
>>>>
>>>> ----------------------
>>>>
>>>>> $ opensc-tool --name
>>>>> Using reader with a card: REINER SCT cyberJack RFID komfort (4694896162) 00 00
>>>>> STARCOS SPK 3.4
>>>>
>>>> ----------------------
>>>>
>>>>> $ opensc-tool --atr
>>>>> Using reader with a card: REINER SCT cyberJack RFID komfort (4694896162) 00 00
>>>>> 3b:d8:18:ff:81:b1:fe:45:1f:03:80:64:04:1a:b4:03:81:05:61
>>>>
>>>> ----------------------
>>>>
>>>>> $ pkcs11-tool --list-slots
>>>>> Available slots:
>>>>> Slot 0 (0xffffffff): Virtual hotplug slot
>>>>>   (empty)
>>>>> Slot 1 (0x1): REINER SCT cyberJack RFID komfort (4694896162) 00 00
>>>>>   token label        : D-TRUST Card V3.0 standard 2ga (
>>>>>   token manufacturer : D-TRUST GmbH (C)
>>>>>   token model        : PKCS#15
>>>>>   token flags        : rng, login required, PIN initialized, PIN pad present, token initialized
>>>>>   hardware version   : 0.0
>>>>>   firmware version   : 0.0
>>>>>   serial num         :
>>>>> Slot 2 (0x2): REINER SCT cyberJack RFID komfort (4694896162) 00 00
>>>>>   token label        : D-TRUST Card V3.0 standard 2ga (
>>>>>   token manufacturer : D-TRUST GmbH (C)
>>>>>   token model        : PKCS#15
>>>>>   token flags        : rng, login required, PIN initialized, PIN pad present, token initialized
>>>>>   hardware version   : 0.0
>>>>>   firmware version   : 0.0
>>>>>   serial num         :
>>>>
>>>> ----------------------
>>>>
>>>>> $ pkcs11-tool --list-objects
>>>>> Using slot 1 with a present token (0x1)
>>>>> Public Key Object; RSA 2048 bits
>>>>>   label:      D-TRUST Authentication Key
>>>>>   ID:         11
>>>>>   Usage:      encrypt, verify, wrap
>>>>> Certificate Object, type = X.509 cert
>>>>>   label:      D-TRUST Authentication Key
>>>>>   ID:         11
>>>>> Certificate Object, type = X.509 cert
>>>>>   label:      
>>>>>   ID:         2d333730343631303735333036303830313534
>>>>> Public Key Object; RSA 2048 bits
>>>>>   label:      
>>>>>   ID:         2d333730343631303735333036303830313534
>>>>>   Usage:      encrypt, verify
>>>>> Certificate Object, type = X.509 cert
>>>>>   label:      
>>>>>   ID:         2d32303036363939383139343731343534393238
>>>>> Public Key Object; RSA 2048 bits
>>>>>   label:      
>>>>>   ID:         2d32303036363939383139343731343534393238
>>>>>   Usage:      encrypt, verify
>>>>
>>>> ----------------------
>>>>
>>>>> $ pkcs15-tool -D
>>>>> Using reader with a card: REINER SCT cyberJack RFID komfort (4694896162) 00 00
>>>>> PKCS#15 Card [D-TRUST Card V3.0 standard 2ga]:
>>>>> Version : 0
>>>>> Serial number :
>>>>> Manufacturer ID: D-TRUST GmbH (C)
>>>>> Flags : Login required, EID compliant
>>>>>
>>>>> PIN [PIN1]
>>>>> Object Flags : [0x3], private, modifiable
>>>>> Auth ID : 03
>>>>> ID : 01
>>>>> Flags : [0x833], case-sensitive, local, initialized, needs-padding, exchangeRefData
>>>>> Length : min_len:6, max_len:8, stored_len:8
>>>>> Pad char : 0xFF
>>>>> Reference : 1 (0x01)
>>>>> Type : iso 9664-1
>>>>> Path : a000000063504b43532d3135::
>>>>>
>>>>> PIN [PUK1]
>>>>> Object Flags : [0x3], private, modifiable
>>>>> ID : 03
>>>>> Flags : [0x873], case-sensitive, local, initialized, needs-padding, unblockingPin, exchangeRefData
>>>>> Length : min_len:8, max_len:8, stored_len:8
>>>>> Pad char : 0xFF
>>>>> Reference : 1 (0x01)
>>>>> Type : iso 9664-1
>>>>> Path : a000000063504b43532d3135::
>>>>>
>>>>> PIN [PIN2]
>>>>> Object Flags : [0x3], private, modifiable
>>>>> Auth ID : 04
>>>>> ID : 02
>>>>> Flags : [0x833], case-sensitive, local, initialized, needs-padding, exchangeRefData
>>>>> Length : min_len:6, max_len:8, stored_len:8
>>>>> Pad char : 0xFF
>>>>> Reference : 129 (0x81)
>>>>> Type : iso 9664-1
>>>>> Path : 3f000604
>>>>>
>>>>> PIN [PUK2]
>>>>> Object Flags : [0x3], private, modifiable
>>>>> ID : 04
>>>>> Flags : [0x873], case-sensitive, local, initialized, needs-padding, unblockingPin, exchangeRefData
>>>>> Length : min_len:8, max_len:8, stored_len:8
>>>>> Pad char : 0xFF
>>>>> Reference : 129 (0x81)
>>>>> Type : iso 9664-1
>>>>> Path : 3f000604
>>>>>
>>>>> Private RSA Key [D-TRUST Authentication Key]
>>>>> Object Flags : [0x1], private
>>>>> Usage : [0x2E], decrypt, sign, signRecover, unwrap
>>>>> Access Flags : [0x0]
>>>>> ModLength : 2048
>>>>> Key ref : 1 (0x1)
>>>>> Native : yes
>>>>> Path : a000000063504b43532d3135::3f000fff0f01
>>>>> Auth ID : 01
>>>>> ID : 11
>>>>> MD:guid : {a8abd012-eb59-b862-bf9b-c1ea443d2f35}
>>>>> :cmap flags : 0x0
>>>>> :sign : 0
>>>>> :key-exchange: 0
>>>>>
>>>>> Private RSA Key [SigG Signature Key]
>>>>> Object Flags : [0x1], private
>>>>> Usage : [0x200], nonRepudiation
>>>>> Access Flags : [0x0]
>>>>> ModLength : 2048
>>>>> Key ref : 4 (0x4)
>>>>> Native : yes
>>>>> Path : a000000063504b43532d3135::3f0006040f01
>>>>> Auth ID : 02
>>>>> ID : 12
>>>>> MD:guid : {c4f87a62-90ae-e1ac-fc1f-26083974ce94}
>>>>> :cmap flags : 0x0
>>>>> :sign : 0
>>>>> :key-exchange: 0
>>>>>
>>>>> Public RSA Key [D-TRUST Authentication Key]
>>>>> Object Flags : [0x2], modifiable
>>>>> Usage : [0xD1], encrypt, wrap, verify, verifyRecover
>>>>> Access Flags : [0x0]
>>>>> ModLength : 2048
>>>>> Key ref : 1 (0x1)
>>>>> Native : yes
>>>>> Path : a000000063504b43532d3135::3f000fff0e01
>>>>> Auth ID : 01
>>>>> ID : 11
>>>>>
>>>>> Public RSA Key [SigG Signature Key]
>>>>> Object Flags : [0x2], modifiable
>>>>> Usage : [0x204], sign, nonRepudiation
>>>>> Access Flags : [0x0]
>>>>> ModLength : 2048
>>>>> Key ref : 4 (0x4)
>>>>> Native : yes
>>>>> Path : a000000063504b43532d3135::3f0006040e01
>>>>> Auth ID : 02
>>>>> ID : 12
>>>>>
>>>>> X.509 Certificate [D-TRUST Authentication Key]
>>>>> Object Flags : [0x2], modifiable
>>>>> Authority : no
>>>>> Path : a000000063504b43532d3135::3f001501c100
>>>>> ID : 11
>>>>> Encoded serial : 02 03 168A81
>>>>> X.509 Certificate [SigG Signature Key]
>>>>> Object Flags : [0x2], modifiable
>>>>> Authority : no
>>>>> Path : a000000063504b43532d3135::3f001501c103
>>>>> ID : 12
>>>>> Encoded serial : 02 03 168A82
>>>>> X.509 Certificate []
>>>>> Object Flags : [0x0]
>>>>> Authority : no
>>>>> Path : a000000063504b43532d3135::3f001501c102
>>>>> ID : 2d32303036363939383139343731343534393238
>>>>> Encoded serial : 02 03 030E96
>>>>> X.509 Certificate []
>>>>> Object Flags : [0x0]
>>>>> Authority : no
>>>>> Path : a000000063504b43532d3135::3f001501c101
>>>>> ID : 2d333730343631303735333036303830313534
>>>>> Encoded serial : 02 03 097D43
>>>>> X.509 Certificate []
>>>>> Object Flags : [0x0]
>>>>> Authority : no
>>>>> Path : a000000063504b43532d3135::3f001501c105
>>>>> ID : 37353738323838313038333736373637303437
>>>>> Encoded serial : 02 03 159923
>>>>> X.509 Certificate []
>>>>> Object Flags : [0x0]
>>>>> Authority : no
>>>>> Path : a000000063504b43532d3135::3f001501c104
>>>>> ID : 38323832353936323735353833303736353131
>>>>> Encoded serial : 02 03 159924
>>>>
>>>> ----------------------
>>>>
>>>>> $ pcsc_scan
>>>>> PC/SC device scanner
>>>>> V 1.4.23 (c) 2001-2011, Ludovic Rousseau <[hidden email]>
>>>>> Compiled with PC/SC lite version: 1.8.11
>>>>> Using reader plug'n play mechanism
>>>>> Scanning present readers...
>>>>> 0: REINER SCT cyberJack RFID komfort (4694896162) 00 00
>>>>>
>>>>> Sat Nov 7 01:39:47 2015
>>>>> Reader 0: REINER SCT cyberJack RFID komfort (4694896162) 00 00
>>>>> Card state: Card inserted,
>>>>> ATR: 3B D8 18 FF 81 B1 FE 45 1F 03 80 64 04 1A B4 03 81 05 61
>>>>>
>>>>> ATR: 3B D8 18 FF 81 B1 FE 45 1F 03 80 64 04 1A B4 03 81 05 61
>>>>> + TS = 3B --> Direct Convention
>>>>> + T0 = D8, Y(1): 1101, K: 8 (historical bytes)
>>>>> TA(1) = 18 --> Fi=372, Di=12, 31 cycles/ETU
>>>>> 129032 bits/s at 4 MHz, fMax for Fi = 5 MHz => 161290 bits/s
>>>>> TC(1) = FF --> Extra guard time: 255 (special value)
>>>>> TD(1) = 81 --> Y(i+1) = 1000, Protocol T = 1
>>>>> -----
>>>>> TD(2) = B1 --> Y(i+1) = 1011, Protocol T = 1
>>>>> -----
>>>>> TA(3) = FE --> IFSC: 254
>>>>> TB(3) = 45 --> Block Waiting Integer: 4 - Character Waiting Integer: 5
>>>>> TD(3) = 1F --> Y(i+1) = 0001, Protocol T = 15 - Global interface bytes following
>>>>> -----
>>>>> TA(4) = 03 --> Clock stop: not supported - Class accepted by the card: (3G) A 5V B 3V
>>>>> + Historical bytes: 80 64 04 1A B4 03 81 05
>>>>> Category indicator byte: 80 (compact TLV data object)
>>>>> Tag: 6, len: 4 (pre-issuing data)
>>>>> Data: 04 1A B4 03
>>>>> Tag: 8, len: 1 (status indicator)
>>>>> LCS (life card cycle): 05
>>>>> + TCK = 61 (correct checksum)
>>>>>
>>>>> Possibly identified card (using /usr/share/pcsc/smartcard_list.txt):
>>>>> 3B D8 18 FF 81 B1 FE 45 1F 03 80 64 04 1A B4 03 81 05 61
>>>>> D-Trust multicard advanced 3.1
>>>>> German public health insurance card ("Gesundheitskarte"), issuer SBK "Siemens Betriebskrankenkasse"
>>>>
>>>> Note: This is not fully correct. This type of card is used for the German health insurance, but also for other uses, such as my QES signautre card. The name is incorrectly hardcoded in the list that ships with pcsc_scan.
>>>>


------------------------------------------------------------------------------
_______________________________________________
Opensc-devel mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/opensc-devel

Re: Issue with signatures with D-TRUST card 3.0 (STARCOS 3.4) smart card

Ferdinand Rau
Hi Andreas,

here is another log, recorded with OPENSC_DEBUG=2 (like this, Thunderbird does not freeze). Again, I am prompted to enter my PIN once before Thunderbird presents the error message.

I am wondering about these lines, but I am not sure this is related to my issue:
0xb73f3700 08:31:19.130 [opensc-pkcs11] card-starcos.c:1713:starcos_pin_cmd: returning with: -1408 (Not supported)
0xb73f3700 08:31:19.130 [opensc-pkcs11] sec.c:206:sc_pin_cmd: returning with: -1408 (Not supported)

Best,
Ferdinand


0xb73f3700 08:31:13.755 [opensc-pkcs11] reader-pcsc.c:1122:pcsc_detect_readers: returning with: 0 (Success)
0xb73f3700 08:31:13.756 [opensc-pkcs11] reader-pcsc.c:301:refresh_attributes: returning with: 0 (Success)
0xb73f3700 08:31:13.756 [opensc-pkcs11] reader-pcsc.c:377:pcsc_detect_card_presence: returning with: 5
0xb73f3700 08:31:13.756 [opensc-pkcs11] card.c:148:sc_connect_card: called
0xb73f3700 08:31:13.757 [opensc-pkcs11] reader-pcsc.c:301:refresh_attributes: returning with: 0 (Success)
0xb73f3700 08:31:13.858 [opensc-pkcs11] card-starcos.c:621:starcos_select_file: called
0xb73f3700 08:31:15.285 [opensc-pkcs11] card-starcos.c:609:starcos_select_fid: returning with: 0 (Success)
0xb73f3700 08:31:15.320 [opensc-pkcs11] card-starcos.c:609:starcos_select_fid: returning with: 0 (Success)
0xb73f3700 08:31:16.672 [opensc-pkcs11] card-starcos.c:621:starcos_select_file: called
0xb73f3700 08:31:16.690 [opensc-pkcs11] card-starcos.c:472:starcos_select_aid: returning with: 0 (Success)
0xb73f3700 08:31:16.691 [opensc-pkcs11] card-starcos.c:621:starcos_select_file: called
0xb73f3700 08:31:16.715 [opensc-pkcs11] card-starcos.c:609:starcos_select_fid: returning with: 0 (Success)
0xb73f3700 08:31:16.728 [opensc-pkcs11] card-starcos.c:621:starcos_select_file: called
0xb73f3700 08:31:16.756 [opensc-pkcs11] card-starcos.c:609:starcos_select_fid: returning with: 0 (Success)
0xb73f3700 08:31:16.772 [opensc-pkcs11] card-starcos.c:621:starcos_select_file: called
0xb73f3700 08:31:16.788 [opensc-pkcs11] card-starcos.c:609:starcos_select_fid: returning with: 0 (Success)
0xb73f3700 08:31:16.809 [opensc-pkcs11] card-starcos.c:609:starcos_select_fid: returning with: 0 (Success)
0xb73f3700 08:31:16.835 [opensc-pkcs11] card-starcos.c:609:starcos_select_fid: returning with: 0 (Success)
0xb73f3700 08:31:16.859 [opensc-pkcs11] card-starcos.c:621:starcos_select_file: called
0xb73f3700 08:31:16.886 [opensc-pkcs11] card-starcos.c:609:starcos_select_fid: returning with: 0 (Success)
0xb73f3700 08:31:18.948 [opensc-pkcs11] card-starcos.c:621:starcos_select_file: called
0xb73f3700 08:31:18.958 [opensc-pkcs11] card-starcos.c:555:starcos_select_fid: returning with: -1201 (File not found)
0xb73f3700 08:31:18.959 [opensc-pkcs11] pkcs15-syn.c:140:sc_pkcs15_bind_synthetic: called
0xb73f3700 08:31:18.959 [opensc-pkcs11] pkcs15-itacns.c:854:sc_pkcs15emu_itacns_init_ex: called
0xb73f3700 08:31:18.959 [opensc-pkcs11] pkcs15-piv.c:1028:sc_pkcs15emu_piv_init_ex: called
0xb73f3700 08:31:18.959 [opensc-pkcs11] pkcs15-piv.c:234:piv_detect_card: called
0xb73f3700 08:31:18.959 [opensc-pkcs11] pkcs15-gemsafeGPK.c:168:gemsafe_detect_card: called
0xb73f3700 08:31:18.959 [opensc-pkcs11] pkcs15-esinit.c:82:sc_pkcs15emu_entersafe_init_ex: called
0xb73f3700 08:31:18.959 [opensc-pkcs11] pkcs15-esinit.c:38:entersafe_detect_card: called
0xb73f3700 08:31:18.959 [opensc-pkcs11] pkcs15-oberthur.c:1041:sc_pkcs15emu_oberthur_init_ex: called
0xb73f3700 08:31:18.959 [opensc-pkcs11] pkcs15-oberthur.c:1028:oberthur_detect_card: called
0xb73f3700 08:31:18.962 [opensc-pkcs11] card-starcos.c:621:starcos_select_file: called
0xb73f3700 08:31:18.976 [opensc-pkcs11] card-starcos.c:472:starcos_select_aid: returning with: 0 (Success)
0xb73f3700 08:31:18.976 [opensc-pkcs11] card-starcos.c:621:starcos_select_file: called
0xb73f3700 08:31:18.987 [opensc-pkcs11] card-starcos.c:555:starcos_select_fid: returning with: -1201 (File not found)
0xb73f3700 08:31:18.988 [opensc-pkcs11] pkcs15-syn.c:140:sc_pkcs15_bind_synthetic: called
0xb73f3700 08:31:18.988 [opensc-pkcs11] pkcs15-itacns.c:854:sc_pkcs15emu_itacns_init_ex: called
0xb73f3700 08:31:18.988 [opensc-pkcs11] pkcs15-piv.c:1028:sc_pkcs15emu_piv_init_ex: called
0xb73f3700 08:31:18.988 [opensc-pkcs11] pkcs15-piv.c:234:piv_detect_card: called
0xb73f3700 08:31:18.988 [opensc-pkcs11] pkcs15-gemsafeGPK.c:168:gemsafe_detect_card: called
0xb73f3700 08:31:18.988 [opensc-pkcs11] pkcs15-esinit.c:82:sc_pkcs15emu_entersafe_init_ex: called
0xb73f3700 08:31:18.988 [opensc-pkcs11] pkcs15-esinit.c:38:entersafe_detect_card: called
0xb73f3700 08:31:18.988 [opensc-pkcs11] pkcs15-oberthur.c:1041:sc_pkcs15emu_oberthur_init_ex: called
0xb73f3700 08:31:18.988 [opensc-pkcs11] pkcs15-oberthur.c:1028:oberthur_detect_card: called
0xb73f3700 08:31:18.991 [opensc-pkcs11] card-starcos.c:621:starcos_select_file: called
0xb73f3700 08:31:19.015 [opensc-pkcs11] card-starcos.c:472:starcos_select_aid: returning with: 0 (Success)
0xb73f3700 08:31:19.015 [opensc-pkcs11] card-starcos.c:621:starcos_select_file: called
0xb73f3700 08:31:19.025 [opensc-pkcs11] card-starcos.c:555:starcos_select_fid: returning with: -1201 (File not found)
0xb73f3700 08:31:19.025 [opensc-pkcs11] pkcs15-syn.c:140:sc_pkcs15_bind_synthetic: called
0xb73f3700 08:31:19.025 [opensc-pkcs11] pkcs15-itacns.c:854:sc_pkcs15emu_itacns_init_ex: called
0xb73f3700 08:31:19.025 [opensc-pkcs11] pkcs15-piv.c:1028:sc_pkcs15emu_piv_init_ex: called
0xb73f3700 08:31:19.025 [opensc-pkcs11] pkcs15-piv.c:234:piv_detect_card: called
0xb73f3700 08:31:19.025 [opensc-pkcs11] pkcs15-gemsafeGPK.c:168:gemsafe_detect_card: called
0xb73f3700 08:31:19.025 [opensc-pkcs11] pkcs15-esinit.c:82:sc_pkcs15emu_entersafe_init_ex: called
0xb73f3700 08:31:19.025 [opensc-pkcs11] pkcs15-esinit.c:38:entersafe_detect_card: called
0xb73f3700 08:31:19.025 [opensc-pkcs11] pkcs15-oberthur.c:1041:sc_pkcs15emu_oberthur_init_ex: called
0xb73f3700 08:31:19.025 [opensc-pkcs11] pkcs15-oberthur.c:1028:oberthur_detect_card: called
0xb73f3700 08:31:19.028 [opensc-pkcs11] reader-pcsc.c:301:refresh_attributes: returning with: 0 (Success)
0xb73f3700 08:31:19.028 [opensc-pkcs11] reader-pcsc.c:377:pcsc_detect_card_presence: returning with: 5
0xb73f3700 08:31:19.028 [opensc-pkcs11] reader-pcsc.c:301:refresh_attributes: returning with: 0 (Success)
0xb73f3700 08:31:19.028 [opensc-pkcs11] reader-pcsc.c:377:pcsc_detect_card_presence: returning with: 5
0xb73f3700 08:31:19.028 [opensc-pkcs11] reader-pcsc.c:301:refresh_attributes: returning with: 0 (Success)
0xb73f3700 08:31:19.028 [opensc-pkcs11] reader-pcsc.c:377:pcsc_detect_card_presence: returning with: 5
0xb73f3700 08:31:19.028 [opensc-pkcs11] card-starcos.c:1713:starcos_pin_cmd: returning with: -1408 (Not supported)
0xb73f3700 08:31:19.028 [opensc-pkcs11] sec.c:206:sc_pin_cmd: returning with: -1408 (Not supported)
0xb73f3700 08:31:19.130 [opensc-pkcs11] reader-pcsc.c:301:refresh_attributes: returning with: 0 (Success)
0xb73f3700 08:31:19.130 [opensc-pkcs11] reader-pcsc.c:377:pcsc_detect_card_presence: returning with: 5
0xb73f3700 08:31:19.130 [opensc-pkcs11] card-starcos.c:1713:starcos_pin_cmd: returning with: -1408 (Not supported)
0xb73f3700 08:31:19.130 [opensc-pkcs11] sec.c:206:sc_pin_cmd: returning with: -1408 (Not supported)
0xa80feb40 08:31:19.228 [opensc-pkcs11] reader-pcsc.c:1122:pcsc_detect_readers: returning with: 0 (Success)
0xa80feb40 08:31:19.228 [opensc-pkcs11] reader-pcsc.c:301:refresh_attributes: returning with: 0 (Success)
0xa80feb40 08:31:19.229 [opensc-pkcs11] reader-pcsc.c:377:pcsc_detect_card_presence: returning with: 5
0x9b8feb40 08:31:31.923 [opensc-pkcs11] card-starcos.c:621:starcos_select_file: called
0x9b8feb40 08:31:31.941 [opensc-pkcs11] card-starcos.c:472:starcos_select_aid: returning with: 0 (Success)
0x9b8feb40 08:31:31.942 [opensc-pkcs11] reader-pcsc.c:301:refresh_attributes: returning with: 0 (Success)
0x9b8feb40 08:31:31.942 [opensc-pkcs11] reader-pcsc.c:377:pcsc_detect_card_presence: returning with: 5
0x9b8feb40 08:31:38.724 [opensc-pkcs11] card-starcos.c:1713:starcos_pin_cmd: returning with: 0 (Success)
0x9b8feb40 08:31:38.724 [opensc-pkcs11] sec.c:206:sc_pin_cmd: returning with: 0 (Success)
0xa80feb40 08:31:38.732 [opensc-pkcs11] reader-pcsc.c:1122:pcsc_detect_readers: returning with: 0 (Success)
0xa80feb40 08:31:38.732 [opensc-pkcs11] reader-pcsc.c:301:refresh_attributes: returning with: 0 (Success)
0xa80feb40 08:31:38.732 [opensc-pkcs11] reader-pcsc.c:377:pcsc_detect_card_presence: returning with: 5
0xb73f3700 08:31:47.923 [opensc-pkcs11] ctx.c:799:sc_release_context: called


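A small triage helper for OPENSC_DEBUG output of the kind pasted above: it parses the OpenSC line format and lists every call that returned a negative (error) code, so the two `starcos_pin_cmd` / `sc_pin_cmd` "Not supported" returns stand out from the successful selects. This is an added example, not part of the thread or of OpenSC; the sample lines are copied from the log in this post.

```python
import re

# One OpenSC debug line looks like:
#   <thread> <hh:mm:ss.mmm> [<app>] <file>:<line>:<function>: called
#   <thread> <hh:mm:ss.mmm> [<app>] <file>:<line>:<function>: returning with: <rc> (<msg>)
# The "(<msg>)" part is optional (pcsc_detect_card_presence returns a bare 5).
LINE_RE = re.compile(
    r"^(?P<thread>0x[0-9a-f]+)\s+(?P<time>\d\d:\d\d:\d\d\.\d+)\s+"
    r"\[(?P<app>[^\]]+)\]\s+(?P<file>[^:]+):(?P<lineno>\d+):(?P<func>\w+):\s+"
    r"(?P<event>called|returning with: (?P<rc>-?\d+)(?: \((?P<msg>[^)]*)\))?)$"
)


def parse_line(line):
    """Return a dict for a recognised OpenSC debug line, or None otherwise."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["lineno"] = int(rec["lineno"])
    rec["rc"] = int(rec["rc"]) if rec["rc"] is not None else None
    return rec


def find_failures(lines):
    """Every 'returning with' record whose code is negative.
    OpenSC error codes are negative; 0 is success and positive values are
    counts or flag words (e.g. the 5 from pcsc_detect_card_presence)."""
    out = []
    for line in lines:
        rec = parse_line(line)
        if rec and rec["rc"] is not None and rec["rc"] < 0:
            out.append((rec["time"], rec["func"], rec["rc"], rec["msg"]))
    return out


def summarize(lines):
    """Count failures per (function, rc, message) so repeated errors stand out."""
    counts = {}
    for _, func, rc, msg in find_failures(lines):
        counts[(func, rc, msg)] = counts.get((func, rc, msg), 0) + 1
    return counts


# Sample input: lines taken from the OPENSC_DEBUG=2 log in this post.
SAMPLE_LOG = [
    "0xb73f3700 08:31:13.756 [opensc-pkcs11] card.c:148:sc_connect_card: called",
    "0xb73f3700 08:31:15.285 [opensc-pkcs11] card-starcos.c:609:starcos_select_fid: returning with: 0 (Success)",
    "0xb73f3700 08:31:18.958 [opensc-pkcs11] card-starcos.c:555:starcos_select_fid: returning with: -1201 (File not found)",
    "0xb73f3700 08:31:19.028 [opensc-pkcs11] reader-pcsc.c:377:pcsc_detect_card_presence: returning with: 5",
    "0xb73f3700 08:31:19.028 [opensc-pkcs11] card-starcos.c:1713:starcos_pin_cmd: returning with: -1408 (Not supported)",
    "0xb73f3700 08:31:19.028 [opensc-pkcs11] sec.c:206:sc_pin_cmd: returning with: -1408 (Not supported)",
    "0x9b8feb40 08:31:38.724 [opensc-pkcs11] card-starcos.c:1713:starcos_pin_cmd: returning with: 0 (Success)",
]

if __name__ == "__main__":
    for key, n in summarize(SAMPLE_LOG).items():
        print(n, key)
```

Feed it a whole log with `summarize(open("log.txt").read().splitlines())` to see which functions fail and how often, then read the full-context lines around the first occurrence.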

Re: Issue with signatures with D-TRUST card 3.0 (STARCOS 3.4) smart card

Ferdinand Rau
Hello Andreas,

I took a step back and tried to get things working just using the command line tools, but without success.
Eventually, I found out that I cannot even run 'pkcs11-tool --test' successfully.

Here, you can download a log file of a failed 'pkcs11-tool --test' with OPENSC_DEBUG=9:
https://www.dropbox.com/s/3jhe77n5ri1674k/log.txt.zip?dl=1

The reader does ask for the PIN and reports "PIN correct", but the test fails anyway with the following message:
> error: PKCS11 function C_Sign failed: rv = CKR_USER_NOT_LOGGED_IN (0x101)

Best regards,
Ferdinand


Re: Issue with signatures with D-TRUST card 3.0 (STARCOS 3.4) smart card

Douglas E Engert
One of the sign operations looks like it works.

Data to be signed 7648 7691. Response with the signature 7691.  PKCS#11 return 7722

and Start of failed sign 7773  data to be signed 7842  response 7849  with 7982  PKCS#11 return 9868


It could be that the newer card wants CKA_ALWAYS_AUTHENTICATE = TRUE, which is called in PKCS#15 user_consent.

CKA_ALWAYS_AUTHENTICATE says the card requires the PIN to have been sent before each crypto operation for the
selected key.

pkcs11-tool.c line 3675  if (getALWAYS_AUTHENTICATE(sess, privKeyObject))
is asking if pin needs to be sent again.

When used without a pin pad reader, the PIN may have been cached, and sc_pkcs15_pincache_revalidate
may have provided the pin without your knowledge.
With a pin pad reader, the pin can not be cached, it never enters the host computer.


Some simple things to try to prove the above is the problem.

Use a non pinpad reader. If that works look at the log for the sc_pkcs15_pincache_revalidate being called and providing the key.

then try uncommenting in opensc.conf this line.
# use_pin_caching = false;

it should fail, with sc_pkcs15_pincache_revalidate saying there is no pin cached.

On 11/18/2015 7:13 AM, Ferdinand Rau wrote:

> Hello Andreas,
>
> I took a step back and tried to get things working just using the command line tools, but without success.
> Eventually, I found out that I cannot even run 'pkcs11-tool --test' successfully.
>
> Here, you can download a log file of a failed 'pkcs11-tool --test' with OPENSC_DEBUG=9:
> https://www.dropbox.com/s/3jhe77n5ri1674k/log.txt.zip?dl=1
>
> The reader does ask for the PIN and reports "PIN correct", but the test fails anyway with the following message:
>> error: PKCS11 function C_Sign failed: rv = CKR_USER_NOT_LOGGED_IN (0x101)
>
> Best regards,
> Ferdinand
>

--

  Douglas E. Engert  <[hidden email]>



Re: Issue with signatures with D-TRUST card 3.0 (STARCOS 3.4) smart card

Ferdinand Rau
Douglas,

I don't have a reader without pin pad at hand, currently, but I will try this once I'll have the chance.
Just for the record: Setting "use_pin_caching = false;" when using a reader _with_ pin pad did not change anything (as expected).

Best,
Ferdinand



Re: Issue with signatures with D-TRUST card 3.0 (STARCOS 3.4) smart card

Douglas E Engert
Well try uncommenting in opensc.conf:

# enable_pinpad = false;

Most pin pad readers can function as non-pin pad readers.



On 11/18/2015 1:57 PM, Ferdinand Rau wrote:

> Douglas,
>
> I don't have a reader without pin pad at hand, currently, but I will try this once I'll have the chance.
> Just for the record: Setting "use_pin_caching = false;" when using a reader _with_ pin pad did not change anything (as expected).
>
> Best,
> Ferdinand
>
>

--

  Douglas E. Engert  <[hidden email]>

