Minidriver still marked experimental


Minidriver still marked experimental

Andreas Schwier (ML)
Hi,

is there a reason that we still mark the minidriver as experimental and
do not install it by default ?

IMHO we should change that and include the minidriver in the default
installation. It won't be used anyway until the card's ATR is added to
the registry.

I observed a strange behaviour in Win7/64: If I only install the 64 bit
version of OpenSC 0.14, then Windows finds the certificate on the card,
but when using the private key it reports "No driver for the smart card
found". If I additionally install the 32 bit version, then it works fine.

Does anyone have an explanation for that ? Is Windows using 64 and 32
bit modules simultaneously ?

Andreas


_______________________________________________
Opensc-devel mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/opensc-devel

Re: Minidriver still marked experimental

Douglas E Engert

On 7/5/2014 6:34 AM, Andreas Schwier wrote:

> Hi,
>
> is there a reason that we still mark the minidriver as experimental and
> do not install it by default ?
>
> IMHO we should change that and include the minidriver in the default
> installation. It won't be used anyway until the card's ATR is added to
> the registry.
>
> I observed a strange behaviour in Win7/64: If I only install the 64 bit
> version of OpenSC 0.14, then Windows finds the certificate on the card,
> but when using the private key it reports "No driver for the smart card
> found". If I additionally install the 32 bit version, then it works fine.
>
> Does anyone have an explanation for that ? Is Windows using 64 and 32
> bit modules simultaneously ?

It could. When you insert the card, it tries to find the ATR and matching
registry info. This could be a 64 bit process. Then if the application is
32 bit, like Thunderbird, it needs the 32 bit version to use it.

For more debugging, look at minidriver.c for CARDMOD_LOW_LEVEL_DEBUG
and if "C:\\tmp\\md.log" can be opened.
When the DLL is loaded, some additional info is printed as well as other useful Windows
messages.





--

  Douglas E. Engert  <[hidden email]>



Re: Minidriver still marked experimental

Viktor Tarasov-3
In reply to this post by Andreas Schwier (ML)
Hi,


On Sat, Jul 5, 2014 at 1:34 PM, Andreas Schwier <[hidden email]> wrote:

> is there a reason that we still mark the minidriver as experimental and
> do not install it by default ?
>
> IMHO we should change that and include the minidriver in the default
> installation. It won't be used anyway until the card's ATR is added to
> the registry.

I agree and consider that minidriver is sufficiently developed and tested.
If no other suggestions, I will change its install level and title.

> I observed a strange behaviour in Win7/64: If I only install the 64 bit
> version of OpenSC 0.14, then Windows finds the certificate on the card,
> but when using the private key it reports "No driver for the smart card
> found". If I additionally install the 32 bit version, then it works fine.
>
> Does anyone have an explanation for that ? Is Windows using 64 and 32
> bit modules simultaneously ?
>
> Andreas



Re: Minidriver still marked experimental

Andreas Schwier (ML)
Hi Viktor,

great.

Did you or anyone else try to bundle the minidriver with a card driver
installer for Windows and get a WHQL certification for it ?

We have a driver installer for the SmartCard-HSM, however that is signed
with our own code signing key and not an Authenticode cert from
Microsoft. As far as I understand the process to get a trusted signature
for which Win7 will not complain, is to get a WHQL certification for the
card / driver bundle.

Anyone with experience on that ?

Maybe we can join forces and get that done for a couple of popular cards
supported by OpenSC ?

Andreas



--

    ---------    CardContact Software & System Consulting
   |.##> <##.|   Andreas Schwier
   |#       #|   Schülerweg 38
   |#       #|   32429 Minden, Germany
   |'##> <##'|   Phone +49 571 56149
    ---------    http://www.cardcontact.de
                 http://www.tscons.de
                 http://www.openscdp.org
                 http://www.smartcard-hsm.com



Re: Minidriver still marked experimental

Tristan Timmermans
In reply to this post by Douglas E Engert

Douglas,

> It could. When you insert the card, it tries to find the ATR and matching
> registry info. This could be a 64 bit process. Then if the application is
> 32 bit, like Thunderbird, it needs the 32 bit version to use it.

Doesn't a 32 bit process on a 64 bit Windows collect the Wow6432Node Calais entry from the registry, and can you toy with that? Next to it you can use the 32 bit opensc-pkcs11.dll for Firefox/Thunderbird, but I haven't tried installing any 32 bit drivers on a 64 bit OS so I could be wrong here.

Yours,

Tristan


Re: Minidriver still marked experimental

Douglas E Engert
In reply to this post by Viktor Tarasov-3


On 7/11/2014 10:13 AM, Viktor Tarasov wrote:

> Hi,
>
>
> On Sat, Jul 5, 2014 at 1:34 PM, Andreas Schwier <[hidden email]> wrote:
>
>
>     is there a reason that we still mark the minidriver as experimental and
>     do not install it by default ?
>
>     IMHO we should change that and include the minidriver in the default
>     installation. It won't be used anyway until the card's ATR is added to
>     the registry.
>
>
> I agree and consider that minidriver is sufficiently developed and tested.

Yes and no. The minidriver may be called during smartcard login by the LSA.
Therefore it and all its files should not be modifiable by a non admin user.
This would include all of the OpenSC dlls as well as the opensc.conf file.

In minidriver.c the #define CARDMOD_LOW_LEVEL_DEBUG 1
at line 212 should be removed. The code can still be built
by adding -DCARDMOD_LOW_LEVEL_DEBUG in the make file.

Debugging output is written to "C:\\tmp\\md.log" and a user could
create this file and make it world readable and writable, thus exposing
some of the debug output. (Note the opensc.conf has not been read when
the debugging is started.)

The same goes for the opensc.conf with its debug and debug_output options
and any registry settings.
We need to look closely at all of the debugging output that might be enabled by a
non admin user, in order to capture debugging output
at a later time during system operations or by some other user of the system.
This output could include PINs of other users in the output.

> If no other suggestions, I will change its install level and title.

I would leave it experimental until these issues are addressed.


--

  Douglas E. Engert  <[hidden email]>
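
The permission concerns raised in the message above can be checked with a read-only audit, shown here as an added example that is not part of the original thread or of OpenSC. `C:\tmp\md.log` is the path named in the thread; the DLL name and the `opensc.conf` location are assumed install paths, and the script assumes PowerShell 3.0 or later.

```powershell
# Added example: read-only ACL audit, not OpenSC code.
# C:\tmp\md.log is the debug log path named in the thread. The other two
# paths are assumed install locations; adjust them to the local system.
$auditPaths = @(
    'C:\tmp\md.log',
    (Join-Path $env:SystemRoot 'System32\opensc-minidriver.dll'),
    (Join-Path $env:ProgramFiles 'OpenSC Project\OpenSC\opensc.conf')
)

# Well-known SIDs that are expected to hold write access.
$trustedSids = @(
    'S-1-5-18',       # LocalSystem
    'S-1-5-32-544',   # BUILTIN\Administrators
    'S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464'  # TrustedInstaller
)

# Rights that let a principal alter, replace or pre-create a file.
# The two hex values are GENERIC_WRITE and GENERIC_ALL, which can appear
# unmapped in inheritable ACEs.
$writeMask = [int][System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
$writeMask = $writeMask -bor 0x40000000 -bor 0x10000000

function Get-UntrustedWriter {
    param([Parameter(Mandatory = $true)][string[]]$Path)

    foreach ($p in $Path) {
        # If the file does not exist yet, whoever can write to the nearest
        # existing parent directory can create it first and choose its ACL.
        $target = $p
        while ($target -and -not (Test-Path -LiteralPath $target)) {
            $target = [System.IO.Path]::GetDirectoryName($target)
        }
        if (-not $target) { continue }

        $acl = Get-Acl -LiteralPath $target
        $sidType = [System.Security.Principal.SecurityIdentifier]
        foreach ($ace in $acl.GetAccessRules($true, $true, $sidType)) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            $sid = $ace.IdentityReference.Value
            if ($trustedSids -contains $sid) { continue }
            if (([int]$ace.FileSystemRights -band $writeMask) -eq 0) { continue }

            try {
                $ntType = [System.Security.Principal.NTAccount]
                $name = $ace.IdentityReference.Translate($ntType).Value
            } catch {
                $name = $sid   # unresolvable SID, report it raw
            }
            [pscustomobject]@{
                Path      = $p
                CheckedAt = $target
                Exists    = ($target -eq $p)
                Principal = $name
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }
    }
}

Get-UntrustedWriter -Path $auditPaths | Format-Table -AutoSize -Wrap
```

A row for `C:\tmp\md.log` with `Exists` set to False means the listed principal can create the log file, or the directory that will hold it, before the minidriver does.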



Re: Minidriver still marked experimental

Douglas E Engert
In reply to this post by Tristan Timmermans


On 7/11/2014 10:53 AM, Tristan Timmermans wrote:

>
> Douglas,
>
>
>     It could. When you insert the card, it tries to find the ATR and matching
>     registry info. This could be a 64 bit process. Then if the application is
>     32 bit, like Thunderbird, it needs the 32 bit version to use it.
>
> Doesn't a 32 bit process on a 64 bit Windows collect the Wow6432Node Calais entry from the registry, and can you toy with that? Next to it you can use the 32 bit opensc-pkcs11.dll for Firefox/Thunderbird, but I haven't tried installing any 32 bit drivers on a 64 bit OS so I could be wrong here.
>

Good question, I don't know the answer.

(I no longer have the good test environment I had before retiring. Even then the
only card I was really interested in was the PIV. Microsoft has a PIV driver for Windows 7
so the OpenSC driver was not used on any of our Windows 7 64 bit systems. I had
done testing of the OpenSC minidriver on Vista and XP, 32 bit,
and that is where the CARDMOD_LOW_LEVEL_DEBUG code came from.)



> Yours,
>
> Tristan
>
> --
> http://www.ubiqu.nl
> [hidden email]

--

  Douglas E. Engert  <[hidden email]>
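
The two registry views discussed in this exchange can be compared directly. The following is an added example, not from the thread or from OpenSC: it lists the Calais smart card entries visible to 64-bit and to 32-bit processes and whether the registered minidriver DLL exists for each view. It assumes a 64-bit PowerShell 3.0 or later on 64-bit Windows; the key path and the `80000001` value name follow the usual Calais layout and do not appear in the thread.

```powershell
# Added example: read-only comparison of the 64-bit and 32-bit (Wow6432Node)
# registry views. Run from a 64-bit PowerShell 3.0+ on 64-bit Windows.
$calaisKey = 'SOFTWARE\Microsoft\Cryptography\Calais\SmartCards'

# Directory that processes of each bitness load system DLLs from.
$dllDir = @{
    Registry64 = Join-Path $env:SystemRoot 'System32'
    Registry32 = Join-Path $env:SystemRoot 'SysWOW64'
}

function Get-CalaisCard {
    param([Parameter(Mandatory = $true)][Microsoft.Win32.RegistryView]$View)

    $hive = [Microsoft.Win32.RegistryHive]::LocalMachine
    $base = [Microsoft.Win32.RegistryKey]::OpenBaseKey($hive, $View)
    try {
        $cards = $base.OpenSubKey($calaisKey)
        if (-not $cards) { return }
        foreach ($name in $cards.GetSubKeyNames()) {
            $card = $cards.OpenSubKey($name)
            $dll  = $card.GetValue('80000001')   # minidriver DLL, if any
            $atr  = $card.GetValue('ATR')        # REG_BINARY
            $card.Close()
            if (-not $dll) { continue }          # not a minidriver-based card

            # A bare file name is resolved against the view's system directory.
            $dir = $dllDir["$View"]
            if ([System.IO.Path]::IsPathRooted($dll)) {
                $full = $dll
            } else {
                $full = Join-Path $dir $dll
            }
            $atrHex = ''
            if ($null -ne $atr) { $atrHex = [System.BitConverter]::ToString([byte[]]$atr) }

            [pscustomobject]@{
                View       = "$View"
                Card       = $name
                Atr        = $atrHex
                Minidriver = $dll
                DllPresent = Test-Path -LiteralPath $full
            }
        }
        $cards.Close()
    } finally {
        $base.Close()
    }
}

# One row per card: which views register it and where the DLL is missing.
$all = @(Get-CalaisCard -View Registry64) + @(Get-CalaisCard -View Registry32)
$all | Group-Object Card | ForEach-Object {
    $views   = @($_.Group | ForEach-Object { $_.View })
    $missing = @($_.Group | Where-Object { -not $_.DllPresent } |
                 ForEach-Object { $_.View })
    [pscustomobject]@{
        Card       = $_.Name
        In64       = $views -contains 'Registry64'
        In32       = $views -contains 'Registry32'
        MissingDll = $missing -join ','
    }
} | Format-Table -AutoSize
```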



Re: Minidriver still marked experimental

Viktor Tarasov-3
In reply to this post by Andreas Schwier (ML)
On 07/11/2014 05:29 PM, Andreas Schwier wrote:

> Hi Viktor,
>
> great.
>
> Did you or anyone else try to bundle the minidriver with a card driver
> installer for Windows and get a WHQL certification for it ?
>
> We have a driver installer for the SmartCard-HSM, however that is signed
> with our own code signing key and not an Authenticode cert from
> Microsoft. As far as I understand the process to get a trusted signature
> for which Win7 will not complain, is to get a WHQL certification for the
> card / driver bundle.
>
> Anyone with experience on that ?

I have no such experience,
mostly I worked with the cards that have their own 'official' producer of MW with minidriver.

Afaiu, there cannot be two 'official' minidrivers for the same card,
and so, there was no place for such initiative.

>
> Maybe we can join forces and get that done for a couple of popular cards
> supported by OpenSC ?
> Andreas



Re: Minidriver still marked experimental

Viktor Tarasov-3
In reply to this post by Douglas E Engert
On 07/11/2014 06:26 PM, Douglas E Engert wrote:

>
> On 7/11/2014 10:13 AM, Viktor Tarasov wrote:
>> Hi,
>>
>>
>> On Sat, Jul 5, 2014 at 1:34 PM, Andreas Schwier <[hidden email]> wrote:
>>
>>
>>      is there a reason that we still mark the minidriver as experimental and
>>      do not install it by default ?
>>
>>      IMHO we should change that and include the minidriver in the default
>>      installation. It won't be used anyway until the card's ATR is added to
>>      the registry.
>>
>>
>> I agree and consider that minidriver is sufficiently developed and tested.
> Yes and no. The minidriver may be called during smartcard login by the LSA.
> Therefore it and all its files should not be modifiable by a non admin user.
> This would include all of the OpenSC dlls as well as the opensc.conf file.

OpenSC files are installed into SYSTEM and PROGRAMFILES; normally, they are protected from the non-admin user.
The OpenSC minidriver DLL is statically linked with the opensc library.
It uses opensc.conf but can live without it -- needs to be tested.


Currently the MSI does not install the cards' CALAIS registry entries
(I guess, we can do it for the cards with the REG files in current OpenSC sources -- sc-hsm, feitian, westcos).
The minidriver DLL is installed into the SYSTEM directory, but right after installation the minidriver is not taken into account by the system.


> In minidriver.c the #define CARDMOD_LOW_LEVEL_DEBUG 1
> at line 212 should be removed. The code can still be built
> by adding -DCARDMOD_LOW_LEVEL_DEBUG in the make file.
>
> Debugging output is written to "C:\\tmp\\md.log" and a user could
> create this file and make it world readable and writable, thus exposing
> some of the debug output. (Note the opensc.conf has not been read when
> the debugging is started.)
>
> The same goes for the opensc.conf with its debug and debug_output options
> and any registry settings.
> We need to look closely at all of the debugging output that might be enabled by a
> non admin user, in order to capture debugging output
> at a later time during system operations or by some other user of the system.
> This output could include PINs of other users in the output.


Agree, all these have to be revised before installing minidriver by default.

