Hi List,

I was wondering if anyone here managed to get some smart cards working with Internet Explorer. Upstream there are some "reg" files that configure some cards such as ePass2003, Feitian and so forth...

Do they really work well with Internet Explorer? (Do the smart cards work at all with IE? If so... how?)

We are a small province in the north of Italy and would like to implement a FOSS solution to manage smart cards. Our OpenSC-GUI frontend creates an easy way to change the PIN, however getting the OpenSC drivers to play nice with Internet Explorer seems to be rather tricky... (All works under Linux but the majority of the userbase uses Windows and IE)

The project can be found here:
https://github.com/tis-innovation-park/OpenSC-GUI/

Before going into a lot of details I was wondering if anyone on this list managed to get the Italian CNS (European Health Insurance Card) working with Internet Explorer. All works great under Firefox.

I have been playing with a lot of registry settings but somehow think that the problems are related to the minidriver?

This topic somehow relates to the issues that were mentioned previously, concerning deprecated drivers and the maintenance thereof. I am more than happy to provide all sorts of information regarding this topic!

Kind Regards,

--
shaun

------------------------------------------------------------------------------
_______________________________________________
Opensc-devel mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/opensc-devel

On 10/22/2014 2:23 PM, Shaun Schutte (TIS innovation park) wrote:
> Hi List,
>
> I was wondering if anyone here managed to get some smart cards working
> with Internet Explorer. Upstream there are some "reg" files that
> configure some cards such as ePass2003, Feitian and so forth...

Are you having problems with the registry setting for your cards?

> Do they really work well with Internet Explorer? (Do the smart cards
> work at all with IE? If so... how?)

The minidriver should work with Internet Explorer. If you are on a Windows 64 bit machine, and running Internet Explorer in 32 bit (or any other 32 bit application needing smart card access), you need to also install the 32 bit version of OpenSC. Task manager processes shows which are 32 bit.

> We are a small province in the north of Italy and would like to
> implement a FOSS solution to manage smart cards. Our OpenSC-GUI
> frontend, creates an easy way to change the PIN, however getting the
> OpenSC drivers to play nice with Internet Explorer seems to be rather
> tricky... (All works under Linux but the majority of the userbase uses
> Windows and IE)
>
> The project can be found here:
> https://github.com/tis-innovation-park/OpenSC-GUI/

This points at:
https://github.com/OpenSC/OpenSC/wiki/SmartCardHSM

Is this to show how to set the registry setting to Windows will use the minidriver?

> Before going into a lot of details I was wondering if anyone on this
> list managed to get the Italian CNS (European Health Insurance Card)
> working with Internet Explorer. All works great under Firefox.

Is this the 64 bit or 32 bit version?

> I have been playing with a lot of registry settings but somehow think
> that the problems are related to the minidriver?

Can you get the certutil.exe to see the smart card?

> This topic somehow relates to the issues that were mentioned previously,
> concerning deprecated drivers and the maintenance thereof. I am more
> than happy to provide all sorts of information regarding this topic!
>
> Kind Regards,
>
> --
> shaun

--
Douglas E. Engert <[hidden email]>

Thanks for the response Douglas,

> Hi List,
>
> I was wondering if anyone here managed to get some smart cards working
> with Internet Explorer. Upstream there are some "reg" files that
> configure some cards such as ePass2003, Feitian and so forth...
>
>> Are you having problems with the registry setting for your cards?

This is where I am not too sure where the problem is.
All tests are being done on vanilla installs of Windows 7, 32 bit. I get the images from here, might be useful for someone when it comes to testing: https://gist.github.com/magnetikonline/5274656
(VirtualBox is used as well. OpenSC works fine with Firefox and Smart Card based authentication works as expected)

This is a Siemens card and in order to find out what the Registry settings are, I installed the proprietary drivers to see what was being done to the registry and the result was the following:

> [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Calais\SmartCards\Carta Nazionale dei Servizi (Athena)]
> "ATR"=hex:3b,df,18,00,81,31,fe,7d,00,6b,15,0c,01,80,01,00,01,43,4e,53,10,31,80,\
>   00
> "ATRMask"=hex:ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,00,ff,ff,ff,ff,ff,\
>   ff,ff,00
> "Crypto Provider"="Siemens Card API CSP"
>
> [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Calais\SmartCards\Carta Nazionale dei Servizi (CardOS)]
> "ATR"=hex:3b,ff,18,00,ff,c1,0a,31,fe,55,00,6b,05,08,c8,00,01,00,01,43,4e,53,10,\
>   31,80,00
> "ATRMask"=hex:ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,00,ff,00,ff,ff,ff,\
>   ff,ff,ff,ff,00
> "Crypto Provider"="Siemens Card API CSP"

So I manually changed it and made sure the Crypto Provider was Microsoft and that the opensc-minidriver.dll was being used in System 32.

> [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Calais\SmartCards]
> @=""
>
> [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Calais\SmartCards\Carta Nazionale dei Servizi (Athena)]
> "ATR"=hex:3b,df,18,00,81,31,fe,7d,00,6b,15,0c,01,80,01,00,01,43,4e,53,10,31,80,\
>   00
> "ATRMask"=hex:ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,00,ff,ff,ff,ff,ff,\
>   ff,ff,00
> "Crypto Provider"="Microsoft Base Smart Card Crypto Provider"
> "Smart Card Key Storage Provider"="Microsoft Smart Card Key Storage Provider"
> "80000001"="opensc-minidriver.dll"
>
> [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Calais\SmartCards\Carta Nazionale dei Servizi (CardOS)]
> "ATR"=hex:3b,ff,18,00,ff,c1,0a,31,fe,55,00,6b,05,08,c8,00,01,00,01,43,4e,53,10,\
>   31,80,00
> "ATRMask"=hex:ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,00,ff,00,ff,ff,ff,\
>   ff,ff,ff,ff,00
> "Crypto Provider"="Microsoft Base Smart Card Crypto Provider"
> "Smart Card Key Storage Provider"="Microsoft Smart Card Key Storage Provider"
> "80000001"="opensc-minidriver.dll"

To make sure the correct DLL was being called I checked with Windows debugger when running cardutil.exe:

>> ModLoad: 75df0000 75e0f000 C:\Windows\system32\IMM32.DLL
>> ModLoad: 75900000 759cc000 C:\Windows\system32\MSCTF.dll
>> ModLoad: 74070000 740b0000 C:\Windows\system32\uxtheme.dll
>> ModLoad: 73d80000 73d93000 C:\Windows\System32\dwmapi.dll
>> ModLoad: 75460000 7546c000 C:\Windows\System32\CRYPTBASE.dll
>> ModLoad: 71e20000 71e43000 C:\Windows\system32\winscard.dll
>> ModLoad: 754d0000 754f9000 C:\Windows\System32\WINSTA.dll
>> ModLoad: 74b00000 74b0d000 C:\Windows\System32\WTSAPI32.dll
>> ModLoad: 71e20000 71e43000 C:\Windows\System32\WinSCard.dll
>> (640.ecc): C++ EH exception - code e06d7363 (first chance)
>> (640.ecc): C++ EH exception - code e06d7363 (first chance)
>> (640.ecc): C++ EH exception - code e06d7363 (first chance)
>> (640.ecc): C++ EH exception - code e06d7363 (first chance)
>> (640.ecc): C++ EH exception - code e06d7363 (first chance)
>> (640.ecc): C++ EH exception - code e06d7363 (first chance)
>> ModLoad: 74f80000 74f96000 C:\Windows\System32\CRYPTSP.dll
>> ModLoad: 6c710000 6c733000 C:\Windows\System32\basecsp.dll
>> ModLoad: 74d20000 74d5b000 C:\Windows\system32\rsaenh.dll
>> (640.ecc): C++ EH exception - code e06d7363 (first chance)
>> (640.ecc): C++ EH exception - code e06d7363 (first chance)
>> (640.ecc): C++ EH exception - code e06d7363 (first chance)
>> ModLoad: 64e80000 65025000 C:\Windows\System32\opensc-minidriver.dll
>> (640.ecc): Unknown exception - code 00000001 (first chance)
>> (640.ecc): C++ EH exception - code e06d7363 (first chance)
>> (640.ecc): Unknown exception - code 8010000a (first chance)
>> (640.ecc): C++ EH exception - code e06d7363 (first chance)

However no luck in getting anything working.

Interestingly enough, when running "opensc-tool -a", the ATR is different to that of the proprietary driver:

> 3b:ff:18:00:ff:c1:0a:31:fe:55:00:6b:05:08:c8:0c:01:11:01:43:4e:53:10:31:80:05

So I am not even sure if the registry settings are correct since the ATR's are contradicting one another.

>> This points at:
>> https://github.com/OpenSC/OpenSC/wiki/SmartCardHSM
>>
>> Is this to show how to set the registry setting to Windows
>> will use the minidriver?

I think this would be the base to start however I am also not sure. Was wondering if anyone here might know. There are definitely some registry settings being created when installing OpenSC unless I am missing something:

https://github.com/OpenSC/OpenSC/blob/master/src/minidriver/minidriver-sc-hsm.reg

> I have been playing with a lot of registry settings but somehow think
> that the problems are related to the minidriver?
>
>> Can you get the certutil.exe to see the smart card?

I tried it and it does see the card, read the ATR but there is still something missing. To explain a little more I have attached a screenshot that might clarify things a little more.
Hopefully someone has had similar issues or can easily identify what I am doing wrong?

Thanks in advance,

--
shaun

On 10/23/2014 1:42 AM, Shaun Schutte (TIS innovation park) wrote:
> Thanks for the response Douglas,
>
>> Hi List,
>>
>> I was wondering if anyone here managed to get some smart cards working
>> with Internet Explorer. Upstream there are some "reg" files that
>> configure some cards such as ePass2003, Feitian and so forth...
>>
>>> Are you having problems with the registry setting for your cards?
>
> This is where I am not too sure where the problem is.
> All tests are being done on vanilla installs of Windows 7, 32 bit. I get
> the images from here, might be useful for someone when it comes to
> testing: https://gist.github.com/magnetikonline/5274656
> (VirtualBox is used as well. OpenSC works fine with Firefox and Smart
> Card based authentication works as expected)

So the card is initialized.

> This is a Siemens card and in order to find out what the Registry
> settings are, I installed the proprietary drivers to see what was being
> done to the registry and the result was the following:
>
>> [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Calais\SmartCards\Carta Nazionale dei Servizi (Athena)]
>> "ATR"=hex:3b,df,18,00,81,31,fe,7d,00,6b,15,0c,01,80,01,00,01,43,4e,53,10,31,80,\
>>   00
>> "ATRMask"=hex:ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,00,ff,ff,ff,ff,ff,\
>>   ff,ff,00
>> "Crypto Provider"="Siemens Card API CSP"
>>
>> [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Calais\SmartCards\Carta Nazionale dei Servizi (CardOS)]
>> "ATR"=hex:3b,ff,18,00,ff,c1,0a,31,fe,55,00,6b,05,08,c8,00,01,00,01,43,4e,53,10,\
>>   31,80,00
>> "ATRMask"=hex:ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,00,ff,00,ff,ff,ff,\
>>   ff,ff,ff,ff,00
>> "Crypto Provider"="Siemens Card API CSP"
>
> So I manually changed it and made sure the Crypto Provider was Microsoft
> and that the opensc-minidriver.dll was being used in System 32.
>
>> [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Calais\SmartCards]
>> @=""
>>
>> [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Calais\SmartCards\Carta Nazionale dei Servizi (Athena)]
>> "ATR"=hex:3b,df,18,00,81,31,fe,7d,00,6b,15,0c,01,80,01,00,01,43,4e,53,10,31,80,\
>>   00
>> "ATRMask"=hex:ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,00,ff,ff,ff,ff,ff,\
>>   ff,ff,00
>> "Crypto Provider"="Microsoft Base Smart Card Crypto Provider"
>> "Smart Card Key Storage Provider"="Microsoft Smart Card Key Storage Provider"
>> "80000001"="opensc-minidriver.dll"
>>
>> [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Calais\SmartCards\Carta Nazionale dei Servizi (CardOS)]
>> "ATR"=hex:3b,ff,18,00,ff,c1,0a,31,fe,55,00,6b,05,08,c8,00,01,00,01,43,4e,53,10,\
>>   31,80,00
>> "ATRMask"=hex:ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,00,ff,00,ff,ff,ff,\
>>   ff,ff,ff,ff,00
>> "Crypto Provider"="Microsoft Base Smart Card Crypto Provider"
>> "Smart Card Key Storage Provider"="Microsoft Smart Card Key Storage Provider"
>> "80000001"="opensc-minidriver.dll"
>
> To make sure the correct DLL was being called I checked with Windows
> debugger when running cardutil.exe:
>
>>> ModLoad: 75df0000 75e0f000 C:\Windows\system32\IMM32.DLL
>>> ModLoad: 75900000 759cc000 C:\Windows\system32\MSCTF.dll
>>> ModLoad: 74070000 740b0000 C:\Windows\system32\uxtheme.dll
>>> ModLoad: 73d80000 73d93000 C:\Windows\System32\dwmapi.dll
>>> ModLoad: 75460000 7546c000 C:\Windows\System32\CRYPTBASE.dll
>>> ModLoad: 71e20000 71e43000 C:\Windows\system32\winscard.dll
>>> ModLoad: 754d0000 754f9000 C:\Windows\System32\WINSTA.dll
>>> ModLoad: 74b00000 74b0d000 C:\Windows\System32\WTSAPI32.dll
>>> ModLoad: 71e20000 71e43000 C:\Windows\System32\WinSCard.dll
>>> (640.ecc): C++ EH exception - code e06d7363 (first chance)
>>> (640.ecc): C++ EH exception - code e06d7363 (first chance)
>>> (640.ecc): C++ EH exception - code e06d7363 (first chance)
>>> (640.ecc): C++ EH exception - code e06d7363 (first chance)
>>> (640.ecc): C++ EH exception - code e06d7363 (first chance)
>>> (640.ecc): C++ EH exception - code e06d7363 (first chance)
>>> ModLoad: 74f80000 74f96000 C:\Windows\System32\CRYPTSP.dll
>>> ModLoad: 6c710000 6c733000 C:\Windows\System32\basecsp.dll
>>> ModLoad: 74d20000 74d5b000 C:\Windows\system32\rsaenh.dll
>>> (640.ecc): C++ EH exception - code e06d7363 (first chance)
>>> (640.ecc): C++ EH exception - code e06d7363 (first chance)
>>> (640.ecc): C++ EH exception - code e06d7363 (first chance)
>>> ModLoad: 64e80000 65025000 C:\Windows\System32\opensc-minidriver.dll
>>> (640.ecc): Unknown exception - code 00000001 (first chance)
>>> (640.ecc): C++ EH exception - code e06d7363 (first chance)
>>> (640.ecc): Unknown exception - code 8010000a (first chance)
>>> (640.ecc): C++ EH exception - code e06d7363 (first chance)
>
> However no luck in getting anything working.
>
> Interestingly enough, when running "opensc-tool -a", the ATR is
> different to that of the proprietary driver:
>
>> 3b:ff:18:00:ff:c1:0a:31:fe:55:00:6b:05:08:c8:0c:01:11:01:43:4e:53:10:31:80:05

See:
http://ludovic.rousseau.free.fr/softwares/pcsc-tools/smartcard_list.txt

> So I am not even sure if the registry settings are correct since the
> ATR's are contradicting one another.

It looks like the ATR when "and"ed with the ATRmask is covered by the second definition.

But why did you add the line:
"Smart Card Key Storage Provider"="Microsoft Smart Card Key Storage Provider"

I would uninstall the vendor's code and registry settings then try:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Calais\SmartCards\OpenSC Carta Nazionale dei Servizi (CardOS)]
"ATR"=hex:3b,ff,18,00,ff,c1,0a,31,fe,55,00,6b,05,08,c8,00,01,00,01,43,4e,53,10,31,80,00
"ATRMask"=hex:ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,00,ff,00,ff,ff,ff,ff,ff,ff,ff,00
"Crypto Provider"="Microsoft Base Smart Card Crypto Provider"
"80000001"="opensc-minidriver.dll"

What version of OpenSC are you using?

https://github.com/OpenSC/OpenSC/wiki

has links to 0.14.0 and nightly builds.

Then restart Windows...

The minidriver can also write a debug log to c:\tmp\md.log
make it writable by everyone.

The OpenSC debug log could also show something.
Edit the opensc.conf and set debug = 7; debug_file = some file;
also writable by everyone.

>>> This points at:
>>> https://github.com/OpenSC/OpenSC/wiki/SmartCardHSM
>>
>>> Is this to show how to set the registry setting to Windows
>>> will use the minidriver?
>
> I think this would be the base to start however I am also not sure. Was
> wondering if anyone here might know. There are definitely some registry
> settings being created when installing OpenSC unless I am missing something:
>
> https://github.com/OpenSC/OpenSC/blob/master/src/minidriver/minidriver-sc-hsm.reg
>
>> I have been playing with a lot of registry settings but somehow think
>> that the problems are related to the minidriver?
>>
>>> Can you get the certutil.exe to see the smart card?
>
> I tried it and it does see the card, read the ATR but there is still
> something missing.

Are certificates on your card readable without entering the PIN?

If not look at the certutil.exe options to see if you can tell it to logon.

With firefox, can you see the certificates without entering the PIN?

> To explain a little more I have attached a screenshot
> that might clarify things a little more.
> Hopefully someone has had similar issues or can easily identify what I
> am doing wrong?
>
> Thanks in advance,
>
> --
> shaun

--
Douglas E. Engert <[hidden email]>

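The ATR/ATRMask comparison described in the reply above ("and" the card's ATR with the mask and compare with the registered ATR), as an added example that is not part of the thread or of OpenSC. It parses .reg export text and reports which Calais entry covers the card; the sample text is constructed from the values quoted in this thread, and the function names are hypothetical.

```python
import re

# Constructed sample: the two card entries quoted in this thread, written in
# .reg export syntax (hex values continued with a trailing backslash).
REG_TEXT = r'''
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Calais\SmartCards\Carta Nazionale dei Servizi (Athena)]
"ATR"=hex:3b,df,18,00,81,31,fe,7d,00,6b,15,0c,01,80,01,00,01,43,4e,53,10,31,80,\
  00
"ATRMask"=hex:ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,00,ff,ff,ff,ff,ff,\
  ff,ff,00
"Crypto Provider"="Microsoft Base Smart Card Crypto Provider"
"80000001"="opensc-minidriver.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Calais\SmartCards\Carta Nazionale dei Servizi (CardOS)]
"ATR"=hex:3b,ff,18,00,ff,c1,0a,31,fe,55,00,6b,05,08,c8,00,01,00,01,43,4e,53,10,\
  31,80,00
"ATRMask"=hex:ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,00,ff,00,ff,ff,ff,\
  ff,ff,ff,ff,00
"Crypto Provider"="Microsoft Base Smart Card Crypto Provider"
"80000001"="opensc-minidriver.dll"
'''

# ATR reported by "opensc-tool -a" in the thread.
CARD_ATR = bytes.fromhex(
    "3b:ff:18:00:ff:c1:0a:31:fe:55:00:6b:05:08:c8:0c:01:11:01:43:4e:53:10:31:80:05"
    .replace(":", "")
)


def parse_reg(text):
    """Return {entry_name: {value_name: bytes or str}} from .reg export text."""
    # Join hex values that were continued onto the next line with a backslash.
    text = re.sub(r"\\[ \t]*\r?\n[ \t]*", "", text)
    entries, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            # Use the last path component (the card name) as the entry name.
            current = entries.setdefault(line[1:-1].rsplit("\\", 1)[-1], {})
        elif current is not None and "=" in line:
            name, value = line.split("=", 1)
            name = name.strip('"')
            if value.startswith("hex:"):
                current[name] = bytes.fromhex(value[4:].replace(",", ""))
            else:
                current[name] = value.strip('"')
    return entries


def check_entry(card_atr, reg_atr, mask):
    """Return (matched, reason). An entry matches when it has the same length
    as the card ATR and (card byte AND mask byte) equals the registered byte."""
    if len(reg_atr) != len(mask):
        return False, "ATR and ATRMask lengths differ"
    if len(card_atr) != len(reg_atr):
        return False, f"length {len(card_atr)} != {len(reg_atr)}"
    for i, (c, r, m) in enumerate(zip(card_atr, reg_atr, mask)):
        if (c & m) != r:
            return False, f"byte {i}: {c:02x} & {m:02x} != {r:02x}"
    return True, "match"


def find_card_entries(card_atr, entries):
    """Names of all entries whose ATR/ATRMask pair covers card_atr."""
    return [
        name for name, values in entries.items()
        if isinstance(values.get("ATR"), bytes)
        and isinstance(values.get("ATRMask"), bytes)
        and check_entry(card_atr, values["ATR"], values["ATRMask"])[0]
    ]


def masked_positions(card_atr, reg_atr, mask):
    """Byte offsets where the card differs from the registered ATR but the
    mask hides the difference (this is why the two ATRs look contradictory)."""
    return [
        i for i, (c, r, m) in enumerate(zip(card_atr, reg_atr, mask))
        if c != r and (c & m) == r
    ]


if __name__ == "__main__":
    entries = parse_reg(REG_TEXT)
    for name, values in entries.items():
        print(name, "->", check_entry(CARD_ATR, values["ATR"], values["ATRMask"])[1])
    cardos = entries["Carta Nazionale dei Servizi (CardOS)"]
    print("masked offsets:", masked_positions(CARD_ATR, cardos["ATR"], cardos["ATRMask"]))
```
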
P.S.
If you used the vendor's driver, it may have read the certificates, and stored them in the user's certificate store pointing at a container based on the vendor's naming convention which points at the smartcard holding the matching keys. Then when you used the OpenSC version, the certificate is found, but certutil looks for the key using the vendor's container name, not the container name used by the OpenSC minidriver. So if you can start from a fresh W7, without the vendor's drivers that might help.

--
Douglas E. Engert <[hidden email]>

On 10/23/2014 01:57 PM, Douglas E Engert wrote:

Thanks for information, I checked and the card is there, it is listed under Trentino, we are the neighboring province to the north. ATR matches.

Right. Did that and removed the vendor's code (reset the snapshot in VirtualBox). Windows tries to install the driver for the smart card and fails, however certutil is functioning and can see the card:

C:\Users\IEUser>certutil -SCInfo
The Microsoft Smart Card Resource Manager is running. Current reader/card status:
Readers: 1
0: ACS CCID USB Reader 0
--- Reader: ACS CCID USB Reader 0
--- Status: SCARD_STATE_PRESENT | SCARD_STATE_INUSE
--- Status: The card is being shared by a process.
--- Card: OpenSC Carta Nazionale dei Servizi (CardOS)
--- ATR: 3b ff 18 00 ff c1 0a 31 fe 55 00 6b 05 08 c8 0c ;......1.U.k
01 11 01 43 4e 53 10 31 80 05 ...CNS.1..

OpenSC 14.0. Currently I am testing the nightly build here: https://opensc.fr/jenkins/view/OpenSC-master/
The results are thus far the same with the stable version of OpenSC 14.0 msi found on Sourceforge.

Ok I have attached the debug log to this mail.

> Found 1 private key(s) in the card. sc_pkcs15_get_object_guid() error -1408

Not too sure what this means.

I have set OpenSC to debug however nothing gets written into the log file when using IE.

> Are certificates on your card readable without entering the PIN?

No the PIN is required to read the certificates. When authenticating to an eGov website the pin is always required.

> If not look at the certutil.exe options to see if you can tell it to logon.

I checked and unfortunately this does not seem to be the case, unless I am missing something obvious.
Just out of interest, does IE explorer use certutil to interact with the cards?

No a PIN is always required to access the cert on the card.

I did these tests on a fresh install of Windows 7 (Snapshot on VirtualBox) so there are no drivers by the vendor. Only OpenSC 14.0 is installed and the one registry entry, otherwise it is a vanilla installation.

--
shaun

On 10/24/2014 4:33 AM, Shaun Schutte wrote:
> On 10/23/2014 01:57 PM, Douglas E Engert wrote:
>>
>>> However no luck in getting anything working.
>>>
>>> Interestingly enough, when running "opensc-tool -a", the ATR is
>>> different to that of the proprietary driver:
>>>
>>>> 3b:ff:18:00:ff:c1:0a:31:fe:55:00:6b:05:08:c8:0c:01:11:01:43:4e:53:10:31:80:05
>>
>> See:
>> http://ludovic.rousseau.free.fr/softwares/pcsc-tools/smartcard_list.txt
>
> Thanks for information, I checked and the card is there, it is listed under Trentino, we are the neighboring province to the north. ATR matches.
>
>>> So I am not even sure if the registry settings are correct since the
>>> ATR's are contradicting one another.
>>
>> It looks like the ATR when "and"ed with the ATRmask is covered by the second
>> definition.
>>
>> But why did you add the line:
>> "Smart Card Key Storage Provider"="Microsoft Smart Card Key Storage Provider"
>>
>> I would uninstall the vendor's code and registry settings then try:
>>
>> [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Calais\SmartCards\OpenSC Carta Nazionale dei Servizi (CardOS)]
>> "ATR"=hex:3b,ff,18,00,ff,c1,0a,31,fe,55,00,6b,05,08,c8,00,01,00,01,43,4e,53,10,31,80,00
>> "ATRMask"=hex:ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,00,ff,00,ff,ff,ff,ff,ff,ff,ff,00
>> "Crypto Provider"="Microsoft Base Smart Card Crypto Provider"
>> "80000001"="opensc-minidriver.dll"
>
> Right. Did that and removed the vendor's code (reset the snapshot in VirtualBox). Windows tries to install the driver for the smart card and fails, however certutil is functioning and can see the card:
>
> C:\Users\IEUser>certutil -SCInfo
> The Microsoft Smart Card Resource Manager is running. Current reader/card status:
> Readers: 1
> 0: ACS CCID USB Reader 0
> --- Reader: ACS CCID USB Reader 0
> --- Status: SCARD_STATE_PRESENT | SCARD_STATE_INUSE
> --- Status: The card is being shared by a process.
> --- Card: OpenSC Carta Nazionale dei Servizi (CardOS)
> --- ATR: 3b ff 18 00 ff c1 0a 31 fe 55 00 6b 05 08 c8 0c ;......1.U.k
> 01 11 01 43 4e 53 10 31 80 05 ...CNS.1..
>
>> What version of OpenSC are you using?
>>
>> https://github.com/OpenSC/OpenSC/wiki
>>
>> has links to 0.14.0 and nightly builds.
>
> OpenSC 14.0. Currently I am testing the nightly build here: https://opensc.fr/jenkins/view/OpenSC-master/
> The results are thus far the same with the stable version of OpenSC 14.0 msi found on Sourceforge.
>
>> Then restart Windows...
>>
>> The minidriver can also write a debug log to c:\tmp\md.log
>> make it writable by everyone.
>
> Ok I have attached the debug log to this mail.
>
>> Found 1 private key(s) in the card. sc_pkcs15_get_object_guid() error -1408
>
> Not too sure what this means.
>
>> The OpenSC debug log could also show something.
>> Edit the opensc.conf and set debug = 7; debug_file = some file;
>> also writable by everyone.
>
> I have set OpenSC to debug however nothing gets written into the log file when using IE.
>
>> Are certificates on your card readable without entering the PIN?
>
> No the PIN is required to read the certificates. When authenticating to an eGov website the pin is always required.

In Windows, the certs may be read by one process, and stored in the certificate store with a containerID. Then later (maybe days), another process will look for a cert to use, find it in the cert store, use the containerID to identify the card with the private key, and ask for the card to be inserted, and then the PIN will be requested.

So my question was to read the certificates on the card, is the PIN required. (The first part of the above.)

>> If not look at the certutil.exe options to see if you can tell it to logon.
>
> I checked and unfortunately this does not seem to be the case, unless I am missing something obvious.
> Just out of interest, does IE explorer use certutil to interact with the cards?

No, but it uses the certificate store. You can also see the certificate store from the internet options.
certutil.exe -store MY can show a user's certs.

>> With firefox, can you see the certificates without entering the PIN?
>
> No a PIN is always required to access the cert on the card.

It's the same question as above, can you read the certificate before having to use the PIN. The PIN is needed to use the keys, and see some of the objects on the card.

Under tools->options->view certificates can you see the certificates on the card without having to enter the PIN?

> I did these tests on a fresh install of Windows 7 (Snapshot on VirtualBox) so there are no drivers by the vendor. Only OpenSC 14.0 is installed and the one registry entry, otherwise it is a vanilla
> installation.
>
> --
> shaun

--
Douglas E. Engert <[hidden email]>

> No, but it uses the certificate store. You can also see the certificate store from the internet options.

Ok thank you for the information,
Sorry about that, I misunderstood the question. Yes, under Firefox tools->options->view certificates I can see/read the certificate without entering the PIN. --
shaun
You had said:
"I checked and the card is there, it is listed under Trentino, we are the neighboring province to the north. ATR matches."

Do people in that province have any problems using IE or certutil.exe?

I don't know much about the Italian infrastructure.
What is the difference between your cards and theirs?

Now that you started over without the vendor's drivers, and a clean cert store,
can you try
certutil.exe -SCinfo should show the certs at least.

It should put up a "Windows Security", "Microsoft Smart Card Provider" window prompting for a PIN so it can verify the private key on the card matches the certificate. (You can cancel the prompt, and it will go on to the next certificate.)

The issue could also be the certificate trust chain. Is your CA in the trusted certificates?

Internet options->Content->certificates->Personal
Or
certutil.exe -user -store "My"

On 10/24/2014 7:39 AM, Shaun Schutte wrote:
>
>> No, but it uses the certificate store. You can also see the certificate store from the internet options.
>> certutil.exe -store MY can show a users certs.
>
> Ok thank you for the information,
>
>>
>>>
>>>>
>>>> With firefox, can you see the certificates without entering the PIN?
>>>
>>> No a PIN is always required to access the cert on the card.
>>
>> Its the same question as above, can you read the certificate before having to use the PIN. The PIN is
>> needed to use the keys, and see some of the objects on the card.
>>
>> Under tools->options->view certificates can you see the certificates on the card without having
>> to enter the PIN?
>
> Sorry about that, I misunderstood the question.
> Yes, under Firefox tools->options->view certificates I can see/read the certificate without entering the PIN.
>
>
> --
>
> shaun

--
Douglas E. Engert <[hidden email]>
In reply to this post by Shaun Schutte (TIS innovation park)
Looking at the md.log trace it has:
MD virtual file system: file 'cmapfile' added
set 'cmapfile'
Found 1 private key(s) in the card.
sc_pkcs15_get_object_guid() error -1408

-1408 is SC_ERROR_NOT_SUPPORTED

If you can get the opensc.conf debug to work, that would help find this.

Although the example in opensc.conf may show:
debug_file = %TEMP%\opensc-debug.log

the minidriver will be run from system processes where %TEMP% is not set.
So for now, make it an absolute path like C:\tmp\opensc-debug.log
It must also be writable by everyone for now.

On 10/24/2014 4:33 AM, Shaun Schutte wrote:
> On 10/23/2014 01:57 PM, Douglas E Engert wrote:
>>
>>> However no luck in getting anything working.
>>>
>>> Interestingly enough, when running "opensc-tool -a", the ATR is
>>> different to that of the proprietary driver:
>>>
>>>> 3b:ff:18:00:ff:c1:0a:31:fe:55:00:6b:05:08:c8:0c:01:11:01:43:4e:53:10:31:80:05
>>
>> See:
>> http://ludovic.rousseau.free.fr/softwares/pcsc-tools/smartcard_list.txt
>
> Thanks for information, I checked and the card is there, it is listed under Trentino, we are the neighboring province to the north. ATR matches.
>
>>
>>>
>>> So I am not even sure if the registry settings are correct since the
>>> ATR's are contradicting one another.
>>
>> It looks like the ATR when "and"ed with the ATRmask is covered by the second
>> definition.
>>
>>
>> But why did you added the line:
>> "Smart Card Key Storage Provider"="Microsoft Smart Card Key Storage Provider"
>>
>>
>> I would uninstall the vendor's code and registry settings then try:
>>
>> [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Calais\SmartCards\OpenSC Carta Nazionale dei Servizi (CardOS)]
>> "ATR"=hex:3b,ff,18,00,ff,c1,0a,31,fe,55,00,6b,05,08,c8,00,01,00,01,43,4e,53,10,31,80,00
>> "ATRMask"=hex:ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,00,ff,00,ff,ff,ff,ff,ff,ff,ff,00
>> "Crypto Provider"="Microsoft Base Smart Card Crypto Provider"
>> "80000001"="opensc-minidriver.dll"
>>
>
> Right. Did that and removed the vendor's code (reset the snapshot in VritualBox). Windows tries to install the driver for the smart card and fails, however certutil is functioning and can see the card:
>
> C:\Users\IEUser>certutil -SCInfo
> The Microsoft Smart Card Resource Manager is running. Current reader/card status:
> Readers: 1
> 0: ACS CCID USB Reader 0
> --- Reader: ACS CCID USB Reader 0
> --- Status: SCARD_STATE_PRESENT | SCARD_STATE_INUSE
> --- Status: The card is being shared by a process.
> --- Card: OpenSC Carta Nazionale dei Servizi (CardOS)
> --- ATR: 3b ff 18 00 ff c1 0a 31 fe 55 00 6b 05 08 c8 0c ;......1.U.k
>          01 11 01 43 4e 53 10 31 80 05 ...CNS.1..
>
>
>>
>> What version of OpenSC are you using?
>>
>> https://github.com/OpenSC/OpenSC/wiki
>>
>> has links to 0.14.0 and nightly builds.
>
> OpenSC 14.0. Currently I am testing the nightly build here: https://opensc.fr/jenkins/view/OpenSC-master/
> The results are thus far the same with the stable version of OpenSC 14.0 msi found on Sourceforge.
>
>>
>> The restart windows...
>>
>> The minidriver can also write a debug log to c:\tmp\md.log
>> make to writable by everyone.
>
> Ok I have attached the debug log to this mail.
>
>> Found 1 private key(s) in the card. sc_pkcs15_get_object_guid() error -1408
>
>
> Not too sure what this means.
>
>>
>> The OpenSC debug log could also show something.
>> Edit the opensc.conf and set debug = 7; debug_file = some file;
>> also write able by everyone.
>>
>
> I have set OpenSC to debug however nothing gets written into the log file when using IE.
>
>> Are certificates on your card readable without entering the PIN?
>
> No the PIN is required to read the certificates. When authenticating to an eGov website the pin is always required.
>
>> If not look at the certutil.exe options to see if you can tell it to logon.
>
> I checked and unfortunately this does not seem to be the case, unless I am missing something obvious.
> Just out of interest, does IE explorer use certutil to interact with the cards?
>
>>
>> With firefox, can you see the certificates without entering the PIN?
>
> No a PIN is always required to access the cert on the card.
>
> I did these tests on a fresh install of Windows 7 (Snapshot on VirtuaBox) so there are no dirvers by the vendor. Only OpenSC 14.0 is installed and the one registry entry, otherwise it is a vanilla
> installation.
>
>
> --
> shaun
>

--
Douglas E. Engert <[hidden email]>
In reply to this post by Douglas E Engert
On 24/10/2014 14:17, Douglas E Engert wrote:
> So my question was to read the certificates on the card, is the PIN required. (The first part > of the above.) PIN is not required for reading CNS certificates (Mozilla firefox requires pin anyway, but this is another story): $ pkcs11-tool --module /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so -y cert -O Using slot 2 with a present token (0x5) Certificate Object, type = X.509 cert label: CNS0 ID: 01 $ pkcs11-tool --module /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so -r -a CNS0 -y cert > rob.cert Using slot 2 with a present token (0x5) $ openssl x509 -in rob.cert -inform DER -noout -text Certificate: Data: Version: 3 (0x2) Serial Number: 404042 (0x62a4a) Signature Algorithm: sha1WithRSAEncryption Issuer: C=IT, O=Postecom S.p.A., OU=Servizi di Certificazione, CN=Provincia Autonoma di Trento - CA Cittadini Validity Not Before: Feb 18 13:20:05 2011 GMT Not After : Dec 24 00:59:59 2016 GMT Subject: C=IT, O=TS-CNS, OU=Provincia Autonoma di Trento, CN=RSLRRT64E08A952W/6042100941441607.Z6ugCe0i067316vhbUAjO3PIvkk= Subject Public Key Info: Public Key Algorithm: rsaEncryption Public-Key: (1024 bit) Modulus: 00:d5:7c:70:08:b7:08:5f:6f:38:77:3f:6c:f0:3a: eb:24:c9:c9:8c:4d:33:72:2a:73:d7:9d:55:71:7e: 4a:f9:bc:2b:23:35:ad:13:5e:ff:53:51:7a:40:0d: 93:3e:39:8f:60:43:ec:35:56:8b:d4:e7:be:5c:79: 84:08:28:ec:65:da:71:a9:b9:ef:0f:36:65:c1:38: 4b:b3:a9:76:0f:c4:d6:15:2b:29:9c:15:22:79:12: b9:b1:59:88:0e:e9:57:48:dc:2f:73:8e:63:61:31: a5:25:9d:d6:93:fe:fe:12:22:dd:cb:2a:bd:48:e2: 89:08:9c:66:27:eb:57:02:03 Exponent: 65537 (0x10001) X509v3 extensions: X509v3 Certificate Policies: Policy: 1.3.76.16.2.1 User Notice: Explicit Text: Identifies X.509 authentication certificates issued for the italian National Service Card (CNS) project in according to the italian regulation Policy: 1.3.76.11.1.3.1 CPS: http://postecert.poste.it Authority Information Access: OCSP - URI:http://postecert.poste.it/ocsp X509v3 Key Usage: critical Digital Signature X509v3 Extended Key Usage: TLS Web Client 
Authentication X509v3 Authority Key Identifier: keyid:EE:61:F1:1E:A3:42:7C:FF:E0:47:85:7B:71:5E:5B:A9:2C:6A:88:07 X509v3 CRL Distribution Points: Full Name: URI:http://postecert.poste.it/cns/provinciatrento/crl.crl X509v3 Subject Key Identifier: 02:D4:0C:40:FA:1F:EC:33:1F:B1:D2:64:6B:1D:84:58:FF:12:D3:3A Signature Algorithm: sha1WithRSAEncryption
In reply to this post by Douglas E Engert
On 23/10/2014 00:29, Douglas E Engert wrote:
>> We are a small province in the north of Italy and would like to
>> implement a FOSS solution to manage smart cards. Our OpenSC-GUI
>> frontend, creates an easy way to change the PIN, however getting the
>> OpenSC drivers to play nice with Internet Explorer seems to be rather
>> tricky... (All works under Linux but the majority of the userbase uses
>> Windows and IE)

Hello,
I work for the Trento Municipality in the nearby Trentino Province; I own a CNS and am very interested in your GUI. I would be happy to help.

bye
rob
In reply to this post by Shaun Schutte (TIS innovation park)
On 24/10/2014 11:33, Shaun Schutte wrote:
...
> Right. Did that and removed the vendor's code (reset the snapshot in
> VritualBox). Windows tries to install the driver for the smart card and
> fails,

I am following your same steps; in my case the Driver successfully installs.

> however certutil is functioning and can see the card:
>
> C:\Users\IEUser>certutil -SCInfo
> The Microsoft Smart Card Resource Manager is running. Current
> reader/card status:
> Readers: 1
> 0: ACS CCID USB Reader 0
> --- Reader: ACS CCID USB Reader 0
> --- Status: SCARD_STATE_PRESENT | SCARD_STATE_INUSE
> --- Status: The card is being shared by a process.
> --- Card: OpenSC Carta Nazionale dei Servizi (CardOS)
> --- ATR: 3b ff 18 00 ff c1 0a 31 fe 55 00 6b 05 08 c8 0c ;......1.U.k
>          01 11 01 43 4e 53 10 31 80 05 ...CNS.1..
>

Here is my "certutil -SCInfo" output:

>certutil -SCInfo
Gestione risorse smart card in esecuzione.
Stato corrente lettore/scheda:
Lettori: 1
  0: Generic Usb Smart Card Reader 0
--- Lettore: Generic Usb Smart Card Reader 0
--- Stato: SCARD_STATE_PRESENT | SCARD_STATE_UNPOWERED
--- Stato: La scheda è disponibile per l'utilizzo.
--- Scheda:
--- ATR:
        3b ff 18 00 ff c1 0a 31 fe 55 00 6b 05 08 c8 0c ;......1.U.k....
        01 11 01 43 4e 53 10 31 80 05 ...CNS.1..

=======================================================
Analisi della scheda nel lettore: Generic Usb Smart Card Reader 0
SCardGetCardTypeProviderName: Impossibile trovare il file specificato. 0x2 (WIN32: 2)
Impossibile recuperare il nome del provider per
SCardGetCardTypeProviderName: Impossibile trovare il file specificato. 0x2 (WIN32: 2)
Impossibile recuperare il nome del provider per
--------------===========================--------------

Eseguito.
CertUtil: comando -SCInfo NON RIUSCITO: 0x2 (WIN32: 2)
CertUtil: Impossibile trovare il file specificato.

rob
On 26/10/2014 12:33, Roberto Resoli wrote:
> On 24/10/2014 11:33, Shaun Schutte wrote:
> ...
>> > Right. Did that and removed the vendor's code (reset the snapshot in
>> > VritualBox). Windows tries to install the driver for the smart card and
>> > fails,
> I am following your same steps; in my case the Driver successfully
> installs.

I think this was because I had another smartcard registry setting:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Calais\SmartCards\CPS

with

"Smart Card Key Storage Provider"="Microsoft Smart Card Key Storage Provider"

inside.

Correspondingly, in c:\tmp\md.log I had lines like this :

P:2052 T:1908 pCardData:0000000000255050 CardAcquireContext, dwVersion=7, name=TSCPS,hScard=0x00000000, hSCardCtx=0x00000002

Now I have deleted both "TSCPS" key, md.log and set a new "CPS" card:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Calais\SmartCards\CPS]
"Crypto Provider"="Microsoft Base Smart Card Crypto Provider"
"80000001"="opensc-minidriver.dll"
"ATR"=hex:3b,ff,18,00,ff,c1,0a,31,fe,55,00,6b,05,08,c8,0c,01,11,01,43,4e,53,10,\
  31,80,05
"ATRMask"=hex:ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,00,ff,00,ff,ff,ff,\
  ff,ff,ff,ff,00

certutil -SCInfo outputs the same error:

-----------------
Gestione risorse smart card in esecuzione.
Stato corrente lettore/scheda:
Lettori: 1
  0: Generic Usb Smart Card Reader 0
--- Lettore: Generic Usb Smart Card Reader 0
--- Stato: SCARD_STATE_PRESENT | SCARD_STATE_UNPOWERED
--- Stato: La scheda è disponibile per l'utilizzo.
--- Scheda:
--- ATR:
        3b ff 18 00 ff c1 0a 31 fe 55 00 6b 05 08 c8 0c ;......1.U.k....
        01 11 01 43 4e 53 10 31 80 05 ...CNS.1..

=======================================================
Analisi della scheda nel lettore: Generic Usb Smart Card Reader 0
SCardGetCardTypeProviderName: Impossibile trovare il file specificato. 0x2 (WIN32: 2)
Impossibile recuperare il nome del provider per
SCardGetCardTypeProviderName: Impossibile trovare il file specificato. 0x2 (WIN32: 2)
Impossibile recuperare il nome del provider per
--------------===========================--------------

Eseguito.
CertUtil: comando -SCInfo NON RIUSCITO: 0x2 (WIN32: 2)
CertUtil: Impossibile trovare il file specificato.
-------------

No SmartCard driver installation is triggered, nor any md.log is generated.

rob
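The ATR/ATRMask comparison that comes up in this thread ("the ATR when and-ed with the ATRMask"), as an added example that is not part of any post and is not OpenSC or Windows code. It applies the rule Microsoft documents for SCardIntroduceCardType (a card ATR A matches when A & M equals the stored ATR) to the two registry entries quoted in the thread; the function names are hypothetical.

```python
"""Check Calais\\SmartCards registry entries against a card ATR (added example).

Not OpenSC or Windows code. Assumed match rule, as documented by Microsoft for
SCardIntroduceCardType: a card ATR A matches when (A & ATRMask) == ATR.
All function names here are hypothetical.
"""

# ATR printed by "opensc-tool -a" in the thread.
CARD_ATR = "3b:ff:18:00:ff:c1:0a:31:fe:55:00:6b:05:08:c8:0c:01:11:01:43:4e:53:10:31:80:05"

# .reg values quoted in the thread: stored ATR has 00 wherever the mask is 00.
ENTRY_ZEROED = {
    "ATR": "hex:3b,ff,18,00,ff,c1,0a,31,fe,55,00,6b,05,08,c8,00,01,00,01,43,4e,53,10,31,80,00",
    "ATRMask": "hex:ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,00,ff,00,ff,ff,ff,ff,ff,ff,ff,00",
}

# .reg values quoted in the thread: stored ATR keeps the card's own bytes at
# the masked-out offsets ("\" continues a line in .reg syntax).
ENTRY_RAW = {
    "ATR": r"""hex:3b,ff,18,00,ff,c1,0a,31,fe,55,00,6b,05,08,c8,0c,01,11,01,43,4e,53,10,\
  31,80,05""",
    "ATRMask": r"""hex:ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,00,ff,00,ff,ff,ff,\
  ff,ff,ff,ff,00""",
}


def parse_atr(text):
    """Parse an ATR printed colon-separated (opensc-tool) or space-separated (certutil)."""
    return bytes.fromhex(text.replace(":", " "))


def parse_reg_hex(value):
    """Parse a REG_BINARY value in .reg syntax ("hex:3b,ff,..."), joining continuations."""
    text = value.strip()
    if not text.lower().startswith("hex:"):
        raise ValueError("not a REG_BINARY 'hex:' value")
    body = "".join(ch for ch in text[4:] if ch not in "\\ \t\r\n")
    return bytes(int(tok, 16) for tok in body.split(",") if tok)


def check_entry(card_atr, entry):
    """Apply (card & mask) == stored ATR and report the offsets that break it.

    'differing'   offsets where the masked card ATR differs from the stored ATR
    'unreachable' offsets where the stored ATR has bits set that the mask
                  clears, so no card ATR can ever equal it at that offset
    """
    atr = parse_reg_hex(entry["ATR"])
    mask = parse_reg_hex(entry["ATRMask"])
    if not len(card_atr) == len(atr) == len(mask):
        return {"match": False, "differing": None, "unreachable": None}
    differing = [i for i, (c, a, m) in enumerate(zip(card_atr, atr, mask))
                 if (c & m) != a]
    unreachable = [i for i, (a, m) in enumerate(zip(atr, mask)) if a & ~m & 0xFF]
    return {"match": not differing, "differing": differing, "unreachable": unreachable}


def masked_reg_value(card_atr, mask):
    """Return the "ATR" value to store for this card and mask, in .reg hex syntax."""
    if len(card_atr) != len(mask):
        raise ValueError("ATR and mask must have the same length")
    return "hex:" + ",".join(f"{c & m:02x}" for c, m in zip(card_atr, mask))


if __name__ == "__main__":
    card = parse_atr(CARD_ATR)
    for name, entry in (("zeroed", ENTRY_ZEROED), ("raw", ENTRY_RAW)):
        print(name, check_entry(card, entry))
    print(masked_reg_value(card, parse_reg_hex(ENTRY_RAW["ATRMask"])))
```

Under the assumed rule, an entry whose stored ATR is non-zero at an offset the mask clears is reported as unreachable at that offset.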
In reply to this post by Douglas E Engert
On 24/10/2014 17:00, Douglas E Engert wrote:
> You had said:
> "I checked and the card is there, it is listed under Trentino, we are the neighboring province to the north. ATR matches."
>
> Do people in that province have any problems using IE or certutil.exe?

Here I am: yes, I tried several times a way to make the minidriver work with CNS cards, but without success.

The card is the same, I don't know if the "proprietary driver" ATR Shaun Schutte is referring to is from another CardOS device, but the ATR read using opensc matches anyway.

c:\Program Files\OpenSC Project\OpenSC\tools>opensc-tool -a
Using reader with a card: Generic Usb Smart Card Reader 0
3b:ff:18:00:ff:c1:0a:31:fe:55:00:6b:05:08:c8:0c:01:11:01:43:4e:53:10:31:80:05

> I don't know much about the Italian infrastructure.
> What is the difference between your cards and theirs?

There are around more recent cards, issued by another certification authority (under the same CNS specifications and for the same usage as "European Health Insurance Card" ), but mine appears to be the same CardOS as Shaun Schutte one.

>
> Now that you started over without the vendor's drivers,
> and a clean cert store,

I have to try in this condition as well.

rob
In reply to this post by Douglas E Engert
The output of certutil.exe -SCInfo is the following: C:\Users\IEUser>certutil.exe -SCInfo
This is true, a window does pop up but it is not "Windows Security" or "Microsoft Smart Card Provider" prompting for a PIN, but rather a window that simply says "Insert a smart card";
"Smart card inserted" : Carta Nazionale dei Servizi (CardOS)
"Smart card status" : A smart card was detected but is not required for the current operation. The smart card you are using may be missing required driver software or a required certificate.
Scrot attached to this email.
No the CA is unfortunately not there.
Running the command works however nothing gets imported into the certificate trust chain. However, when using the proprietary drivers, you are prompted to "save" the certificate when using IE and then the certificate is stored correctly and listed in IE. (This I checked when I installed the Siemens drivers so I could compare it with OpenSC, however now the testing environment and the certificate store is free from any Siemens drivers and the cert store empty. Clean Windows 7 installation). The province of Trentino and Alto Adige use the exact same cards, as Roberto Resoli can confirm.
Check.
I have set both log files to write to C:\tmp, full permissions are enabled (I had that issue with nothing writing to md.log before and the permissions were the cause.)

However I cannot get opensc to output anything to the opensc-debug.log. It is as if running certutil, or starting IE, no calls are made to the minidriver.dll.

I can confirm what Roberto is experiencing:

> =======================================================
> Analisi della scheda nel lettore: Generic Usb Smart Card Reader 0
> SCardGetCardTypeProviderName: Impossibile trovare il file specificato. 0x2 (WIN32: 2)
> Impossibile recuperare il nome del provider per
> SCardGetCardTypeProviderName: Impossibile trovare il file specificato. 0x2 (WIN32: 2)
> Impossibile recuperare il nome del provider per
> --------------===========================--------------
>
> Eseguito.
> CertUtil: comando -SCInfo NON RIUSCITO: 0x2 (WIN32: 2)
> CertUtil: Impossibile trovare il file specificato.
> -------------
> No SmartCard driver installation is triggered, nor any md.log is generated.

The only way I have gotten some kind of output from OpenSC, is to run it under Windows Debugger. It is part of the Windows SDK kit, and when running certutil with -SCInfo as argument I am at least getting a lot of information, which I hope might bring us a little closer to solving this issue, the log file is attached and here seems to be something interesting from the log:

> 2014-10-20 05:05:14.037 trying driver 'itacns'

The itacns is simply the registry entry that contains the following:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Calais\SmartCards\OpenSC Carta Nazionale dei Servizi (CardOS)]

What other information could we provide that could make troubleshooting this a little easier? Getting the opensc-logging to work would certainly help, I am betting that when I run Firefox and authenticate myself to the website the log file will get filled up pretty quickly with using certutil and / or IE nothing gets written.
> Hello,
> I work for the Trento Municipality in the near Trentino Province; I own
> a CNS and very interested in your GUI. I wold be happy to help.
>
> bye
> rob

Sure thing, all help is appreciated and it's all FOSS, you can check it out here:

https://github.com/tis-innovation-park/OpenSC-GUI/

--
shaun
--
Shaun Schutte
Free Software & Open Technologies Developer
TIS innovation park
Via Siemens 19 | 39100 Bolzano | Italia
Siemensstraße 19 | 39100 Bozen | Italien
T +39 0471 068101 F +39 0471 068100
[hidden email]
www.tis.bz.it
Hello,
some comments in the relevant places follow:

On 27/10/2014 15:41, Shaun Schutte wrote:
>
>
>>
>> Now that you started over without the vendor's drivers, and a clean
>> cert store,
>> can you try
>> certutil.exe -SCinfo should show the certs at least.
>
> The output of certutil.exe -SCInfo is the following:
>
>> C:\Users\IEUser>certutil.exe -SCInfo
>> The Microsoft Smart Card Resource Manager is running.
>> Current reader/card status:
>> Readers: 1
>> 0: ACS CCID USB Reader 0
>> --- Reader: ACS CCID USB Reader 0
>> --- Status: SCARD_STATE_PRESENT | SCARD_STATE_INUSE
>> --- Status: The card is being shared by a process.
>> --- Card: OpenSC Carta Nazionale dei Servizi (CardOS)
>> --- ATR:
>> 3b ff 18 00 ff c1 0a 31 fe 55 00 6b 05 08 c8 0c ;......1.U.k....
>> 01 11 01 43 4e 53 10 31 80 05 ...CNS.1..
>>
>>
>> =======================================================
>> Analyzing card in reader: ACS CCID USB Reader 0

The following lines are lacking in my tests:

>> 2014-10-27 06:50:26.149 set 'cmapfile'
>> 2014-10-27 06:50:41.264 set 'cmapfile'
>>
>> --------------===========================--------------

The following seems promising ...

>> ================ Certificate 0 ================
>> --- Reader: ACS CCID USB Reader 0
>> --- Card: OpenSC Carta Nazionale dei Servizi (CardOS)
>> Provider = Microsoft Base Smart Card Crypto Provider
>> Key Container = (null) [Default Container]
>>
>> 2014-10-27 06:50:57.777 set 'cmapfile'
>> 2014-10-27 06:51:04.436 set 'cmapfile'
>> 2014-10-27 06:51:19.819 set 'cmapfile'
>> Cannot open the AT_SIGNATURE key for reader: ACS CCID USB Reader 0
>> 2014-10-27 06:53:55.694 set 'cmapfile'
>> 2014-10-27 06:53:56.966 set 'cmapfile'
>> 2014-10-27 06:53:58.230 set 'cmapfile'

Unfortunately the error below is the same as mine;

>> Cannot open the AT_KEYEXCHANGE key for reader: ACS CCID USB Reader 0
>> SCardGetCardTypeProviderName: The system cannot find the file specified. 0x2 (WIN32: 2)
>> Cannot retrieve Provider Name for OpenSC Carta Nazionale dei Servizi
>> (CardOS)
>> --------------===========================--------------
>>
>> Done.
>> CertUtil: -SCInfo command completed successfully.
>
>
>
>>
>> It should put up a "Windows Security", "Microsoft Smart Card Provider"
>> window prompting for a PIN so it can verify the private key on the card
>> matches the certificate. (You can cancel the prompt, and it will go on
>> to the next certificate.)
>
> This is true, a window does pop up but it is not "Windows Security" or
> Microsoft Smart Card Provider" prompting for a PIN, but rather a window
> that simply says "Insert a smart card";
> "Smart card inserted" : Carata Nazionale dei Servizi (CardOS)
> "Smart card status" : Am smart card was detected but is not required for
> the current operation. The smart card you are using may be missing
> required driver software or a required certificate.
> Scrot attached to this email.
>
>>
>> The issue could also the certificate trust chain. Is your CA in the
>> trusted certificates?

I guess from the screenshot that the "Cannot open the AT_KEYEXCHANGE key for reader: ACS CCID USB Reader 0" appears after you answer the prompt in some way; is it correct?

> No the CA is unfortunately not there.

I can't find the issuing CA on
http://www.provincia.bz.it/cartaservizi/download.asp

Where may I find it?

"Provincia Autonoma di Trento" CA certificates are linked at the bottom of:
http://www.cartaservizi.provincia.tn.it/scarica_software/

Could you attach and send me your personal certificate, extracted using:

$ pkcs11-tool --module </path/of/opensc-pkcs11> -r -a CNS0 -y cert > your.cert

or

$ pkcs15-tool -r 01 > your.pem.cert

as you prefer?

> The province of Trentino and Alto Adige use the exact same cards, as
> Roberto Resoli can confirm.

yes, the first bunch of cards, CardOS M4, issued by PosteCom CA

>> -1408 is SC_ERROR_NOT_SUPPORTED
>>
>> If you can get the opensc.conf debug to work, that would help find this.
>>
>> Although the example in opensc.conf may show:
>> debug_file = %TEMP%\opensc-debug.log
>>
>> the minidriver will be run from system processes where %TEMP% is not set.
>> So for now, make it an absolute path like C:\tmp\opensc-debug.log
>> It must also be writable by everyone for now.

In my case opensc debug log works, what is the full path of the opensc.conf file you modified?

> Check.
> I have set both log files to write to C:\tmp, full permissions are
> enabled (I had that issue with nothing writing to md.log before and the
> permissions were the cause.)

I have to recheck permission, no md.log for me.

...

> I can confirm what Roberto is experiencing:
>
>> =======================================================
>> Analisi della scheda nel lettore: Generic Usb Smart Card Reader 0
>> SCardGetCardTypeProviderName: Impossibile trovare il file specificato.
>> 0x2 (WIN32: 2)
>> Impossibile recuperare il nome del provider per
>> SCardGetCardTypeProviderName: Impossibile trovare il file specificato. 0x2 (WIN32: 2)
>> Impossibile recuperare il nome del provider per
>> --------------===========================--------------
>>
>> Eseguito.
>> CertUtil: comando -SCInfo NON RIUSCITO: 0x2 (WIN32: 2)
>> CertUtil: Impossibile trovare il file specificato.
>> -------------

without certificate related lines, nor any prompt, in my case.

>> No SmartCard driver installation is triggered, nor any md.log is generated.
>
> The only way I have gotten some kind of output from OpenSC, is to run it
> under Windows Debugger.

will try this as well

> It is part of the Windows SDK kit, and when
> running certutil with -SCInfo aas argument I am at least getting a lot
> of information, which I hope might bring us a little closer to solving
> this issue, the log file is attached and here seems to be something
> interesting from the log:
>
>> 2014-10-20 05:05:14.037 trying driver 'itacns'
>> 2014-10-20 05:05:14.037 ATR :
>> 3b:ff:18:00:ff:c1:0a:31:fe:55:00:6b:05:08:c8:0c:01:11:01:43:4e:53:10:31:80:05
>>
>
> The itacns is simply the registry entry that contains the following:

itacns is the opensc driver contributed by Emanuele Pucciarelli, who unfortunately no longer seems to follow this list.

...

>> Hello,
>> I work for the Trento Municipality in the near Trentino Province; I own
>> a CNS and very interested in your GUI. I wold be happy to help.
>>
>> bye
>> rob
>
> Sure thing, all help is appreciated and its all FOSS, you can check it
> out here:
>
> https://github.com/tis-innovation-park/OpenSC-GUI/

Yes, I will try it ASAP.

bye,
rob
In reply to this post by Shaun Schutte (TIS innovation park)
OK, this helps a lot. The card itacns.c does not support reading a serial number.
Anyone want to add the code?

Windows, and thus the minidriver, needs a unique GUID for a card, because of the way it works. It stores in the Microsoft certificate stash the certificate and a GUID that represents the card that has the private key. Thus it can find a certificate without the card, then ask to have the card inserted.

The card-itacns.c or pkcs15-itacns.c does not have the needed code to get the GUID.

In the opensc-debug.log:

601: 2014-10-20 05:05:14.037 matched: Italian CNS
602: 2014-10-20 05:05:14.037 [opensc-pkcs11] card-itacns.c:205:itacns_init: called
617: 2014-10-20 05:05:14.047 card info name:'CNS card', type:23002, flags:0x0, max_send/recv_size:0/0

type 23002 = SC_CARD_TYPE_ITACNS_CNS

7376: 2014-10-20 05:19:25.699 [cardmod] pkcs15.c:2701:sc_pkcs15_get_object_guid: called

(minidriver requesting the GUID used on Windows to identify the card. On cards that do not have a GUID, the serial number of the card is used to derive the equivalent of a GUID.)

7377: 2014-10-20 05:19:25.699 [cardmod] card.c:769:sc_card_ctl: called
7378: 2014-10-20 05:19:25.699 card_ctl(5) not supported
7379: 2014-10-20 05:19:25.699 [cardmod] pkcs15.c:2728:sc_pkcs15_get_object_guid: 'GET_SERIALNR' failed: -1408 (Not supported)
7380: 2014-10-20 05:19:25.699 sc_pkcs15_get_object_guid() error -1408
7381: 2014-10-20 05:19:25.699
7382: P:1084 T:3100 pCardData:0246E460 hScard=0xEA040000 hSCardCtx=0xCD020002 CardDeleteContext
7383: 2014-10-20 05:19:25.699 disassociate_card

The card-itacns.c does not support the card_ctl and thus does not support SC_CARDCTL_GET_SERIALNR.

For cards that do not have a serial number, but do have some other data on the card that is unique, there is a pkcs15->ops.get_guid function. (The piv.c is the only one that does, as the PIV card does not have serial number, but does have a CHUID with either a GUID or the FASCN that is used to derive a GUID.)

See: pkcs15-piv.c piv_get_guid and how it is set:
p15card->ops.get_guid = piv_get_guid;

So someone who knows the CNS code needs to implement a get_guid, or a card_ctl function that supports SC_CARDCTL_GET_SERIALNR

As another test, the opensc-tool --serial
will show the serial number or "sc_card_ctl(*, SC_CARDCTL_GET_SERIALNR, *) failed\n"

On 10/27/2014 9:41 AM, Shaun Schutte wrote:
>
>
>>
>> Now that you started over without the vendor's drivers, and a clean cert store,
>> can you try
>> certutil.exe -SCinfo should show the certs at least.
>
> The output of certutil.exe -SCInfo is the following:
>
>> C:\Users\IEUser>certutil.exe -SCInfo
>> The Microsoft Smart Card Resource Manager is running.
>> Current reader/card status:
>> Readers: 1
>> 0: ACS CCID USB Reader 0
>> --- Reader: ACS CCID USB Reader 0
>> --- Status: SCARD_STATE_PRESENT | SCARD_STATE_INUSE
>> --- Status: The card is being shared by a process.
>> --- Card: OpenSC Carta Nazionale dei Servizi (CardOS)
>> --- ATR:
>> 3b ff 18 00 ff c1 0a 31 fe 55 00 6b 05 08 c8 0c ;......1.U.k....
>> 01 11 01 43 4e 53 10 31 80 05 ...CNS.1..
>>
>>
>> =======================================================
>> Analyzing card in reader: ACS CCID USB Reader 0
>> 2014-10-27 06:50:26.149 set 'cmapfile'
>> 2014-10-27 06:50:41.264 set 'cmapfile'
>>
>> --------------===========================--------------
>> ================ Certificate 0 ================
>> --- Reader: ACS CCID USB Reader 0
>> --- Card: OpenSC Carta Nazionale dei Servizi (CardOS)
>> Provider = Microsoft Base Smart Card Crypto Provider
>> Key Container = (null) [Default Container]
>>
>> 2014-10-27 06:50:57.777 set 'cmapfile'
>> 2014-10-27 06:51:04.436 set 'cmapfile'
>> 2014-10-27 06:51:19.819 set 'cmapfile'
>> Cannot open the AT_SIGNATURE key for reader: ACS CCID USB Reader 0
>> 2014-10-27 06:53:55.694 set 'cmapfile'
>> 2014-10-27 06:53:56.966 set 'cmapfile'
>> 2014-10-27 06:53:58.230 set 'cmapfile'
>> Cannot open the AT_KEYEXCHANGE key for reader: ACS CCID USB Reader 0
>> SCardGetCardTypeProviderName: The system cannot find the file specified. 0x2 (WIN32: 2)
>> Cannot retrieve Provider Name for OpenSC Carta Nazionale dei Servizi (CardOS)
>> --------------===========================--------------
>>
>> Done.
>> CertUtil: -SCInfo command completed successfully.
>
>
>
>>
>> It should put up a "Windows Security", "Microsoft Smart Card Provider" window prompting for a PIN so it can verify the private key on the card
>> matches the certificate. (You can cancel the prompt, and it will go on to the next certificate.)
>
> This is true, a window does pop up but it is not "Windows Security" or "Microsoft Smart Card Provider" prompting for a PIN, but rather a window that simply says "Insert a smart card";
> "Smart card inserted" : Carta Nazionale dei Servizi (CardOS)
> "Smart card status" : A smart card was detected but is not required for the current operation. The smart card you are using may be missing required driver software or a required certificate.
> Scrot attached to this email.
>
>>
>> The issue could also be the certificate trust chain. Is your CA in the trusted certificates?
>
> No the CA is unfortunately not there.
>
>>
>> Internet options->Content->certificates->Personal
>> Or
>> certutil.exe -user -store "My"
>
> Running the command works however nothing gets imported into the certificate trust chain. However, when using the proprietary drivers, you are prompted to "save" the certificate
> when using IE and then the certificate is stored correctly and listed in IE. (This I checked when I installed the Siemens drivers so I could compare it with OpenSC, however now the testing
> environment and the certificate store is free from any Siemens drivers and the cert store empty. Clean Windows 7 installation).
>
> The province of Trentino and Alto Adige use the exact same cards, as Roberto Resoli can confirm.
>
>>
>> -1408 is SC_ERROR_NOT_SUPPORTED
>>
>> If you can get the opensc.conf debug to work, that would help find this.
>>
>> Although the example in opensc.conf may show:
>> debug_file = %TEMP%\opensc-debug.log
>>
>> the minidriver will be run from system processes where %TEMP% is not set.
>> So for now, make it an absolute path like C:\tmp\opensc-debug.log
>> It must also be writable by everyone for now.
>
> Check.
> I have set both log files to write to C:\tmp, full permissions are enabled (I had that issue with nothing writing to md.log before and the permissions were the cause.)
>
> However I cannot get opensc to output anything to the opensc-debug.log. It is as if running certutil, or starting IE, no calls are made to the minidriver.dll.
>
> I can confirm what Roberto is experiencing:
>
>> =======================================================
>> Analisi della scheda nel lettore: Generic Usb Smart Card Reader 0
>> SCardGetCardTypeProviderName: Impossibile trovare il file specificato. 0x2 (WIN32: 2)
>> Impossibile recuperare il nome del provider per
>> SCardGetCardTypeProviderName: Impossibile trovare il file specificato. 0x2 (WIN32: 2)
>> Impossibile recuperare il nome del provider per
>> --------------===========================--------------
>>
>> Eseguito.
>> CertUtil: comando -SCInfo NON RIUSCITO: 0x2 (WIN32: 2)
>> CertUtil: Impossibile trovare il file specificato.
>> -------------
>>
>> No SmartCard driver installation is triggered, nor any md.log is generated.
>
> The only way I have gotten some kind of output from OpenSC, is to run it under Windows Debugger. It is part of the Windows SDK kit, and when running certutil with -SCInfo as argument I am at least
> getting a lot of information, which I hope might bring us a little closer to solving this issue, the log file is attached and here seems to be something interesting from the log:
>
>> 2014-10-20 05:05:14.037 trying driver 'itacns'
>> 2014-10-20 05:05:14.037 ATR : 3b:ff:18:00:ff:c1:0a:31:fe:55:00:6b:05:08:c8:0c:01:11:01:43:4e:53:10:31:80:05
>> 2014-10-20 05:05:14.037 ATR try : 3b:f4:18:00:ff:81:31:80:55:00:31:80:00:c7
>> 2014-10-20 05:05:14.037 ignored - wrong length
>> 2014-10-20 05:05:14.037 Matching 3b against atr[0] == 3b
>> 2014-10-20 05:05:14.037 Matching 31 against atr[7] == 31
>> 2014-10-20 05:05:14.037 Matching 0 against atr[10] == 0
>> 2014-10-20 05:05:14.037 Matching 6b against atr[11] == 6b
>> 2014-10-20 05:05:14.037 Matching 1 against atr[16] == 1
>> 2014-10-20 05:05:14.037 Matching 43 against atr[19] == 43
>> 2014-10-20 05:05:14.037 Matching 4e against atr[20] == 4e
>> 2014-10-20 05:05:14.037 Matching 53 against atr[21] == 53
>> 2014-10-20 05:05:14.037 Matching 31 against atr[23] == 31
>> 2014-10-20 05:05:14.037 Matching 80 against atr[24] == 80
>> 2014-10-20 05:05:14.037 matched: Italian CNS
>> 2014-10-20 05:05:14.037 [opensc-pkcs11] card-itacns.c:205:itacns_init: called
>> 2014-10-20 05:05:14.037 ATR : 3b:ff:18:00:ff:c1:0a:31:fe:55:00:6b:05:08:c8:0c:01:11:01:43:4e:53:10:31:80:05
>> 2014-10-20 05:05:14.037 ATR try : 3b:f4:18:00:ff:81:31:80:55:00:31:80:00:c7
>> 2014-10-20 05:05:14.037 ignored - wrong length
>> 2014-10-20 05:05:14.037 Matching 3b against atr[0] == 3b
>> 2014-10-20 05:05:14.037 Matching 31 against atr[7] == 31
>> 2014-10-20 05:05:14.037 Matching 0 against atr[10] == 0
>> 2014-10-20 05:05:14.037 Matching 6b against atr[11] == 6b
>> 2014-10-20 05:05:14.037 Matching 1 against atr[16] == 1
>> 2014-10-20 05:05:14.037 Matching 43 against atr[19] == 43
>> 2014-10-20 05:05:14.037 Matching 4e against atr[20] == 4e
>> 2014-10-20 05:05:14.037 Matching 53 against atr[21] == 53
>> 2014-10-20 05:05:14.047 Matching 31 against atr[23] == 31
>> 2014-10-20 05:05:14.047 Matching 80 against atr[24] == 80
>> 2014-10-20 05:05:14.047 card info name:'CNS card', type:23002, flags:0x0, max_send/recv_size:0/0
>> 2014-10-20 05:05:14.047 [opensc-pkcs11] card.c:1220:sc_card_sm_check: called
>> 2014-10-20 05:05:14.047 card->sm_ctx.ops.open 00000000
>> 2014-10-20 05:05:14.047 [opensc-pkcs11] card.c:1226:sc_card_sm_check: returning with: 0 (Success)
>> 2014-10-20 05:05:14.047 [opensc-pkcs11] card.c:250:sc_connect_card: returning with: 0 (Success)
>> 2014-10-20 05:05:14.047 ACS CCID USB Reader 0: Connected SC card 061AE178
>> 2014-10-20 05:05:14.047 [opensc-pkcs11] dir.c:140:sc_enum_apps: called
>> 2014-10-20 05:05:14.047 called; type=2, path=3f002f00
>> 2014-10-20 05:05:14.047 [opensc-pkcs11] card-itacns.c:473:itacns_select_file: called
>> 2014-10-20 05:05:14.047 [opensc-pkcs11] apdu.c:559:sc_transmit_apdu: called
>> 2014-10-20 05:05:14.047 [opensc-pkcs11] card.c:325:sc_lock: called
>> 2014-10-20 05:05:14.047 [opensc-pkcs11] reader-pcsc.c:517:pcsc_lock: called
>> 2014-10-20 05:05:14.047 [opensc-pkcs11] apdu.c:526:sc_transmit: called
>> 2014-10-20 05:05:14.047 [opensc-pkcs11] apdu.c:380:sc_single_transmit: called
>> 2014-10-20 05:05:14.047 CLA:0, INS:A4, P1:8, P2:0, data(2) 0016C86A
>> 2014-10-20 05:05:14.047 reader 'ACS CCID USB Reader 0'
>
> The itacns is simply the registry entry that contains the following:
>
>> [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Calais\SmartCards\OpenSC Carta Nazionale dei Servizi (CardOS)]
>> "ATR"=hex:3b,ff,18,00,ff,c1,0a,31,fe,55,00,6b,05,08,c8,00,01,00,01,43,4e,53,10,31,80,05
>> "ATRMask"=hex:ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,00,ff,00,ff,ff,ff,ff,ff,ff,ff,00
>> "Crypto Provider"="Microsoft Base Smart Card Crypto Provider"
>> "80000001"="opensc-minidriver.dll"
>
> What other information could we provide that could make troubleshooting this a little easier?
>
> Getting the opensc-logging to work would certainly help, I am betting that when I run Firefox and authenticate myself to the website the log file will get filled up pretty quickly with using certutil
> and / or IE nothing gets written.
>
>
>> Hello,
>> I work for the Trento Municipality in the near Trentino Province; I own
>> a CNS and very interested in your GUI. I would be happy to help.
>>
>> bye
>> rob
>
> Sure thing, all help is appreciated and it's all FOSS, you can check it out here:
>
> https://github.com/tis-innovation-park/OpenSC-GUI/
>
> --
> shaun
>
>
>>
>> On 10/24/2014 7:39 AM, Shaun Schutte wrote:
>>>
>>>> No, but it uses the certificate store. You can also see the certificate store from the internet options.
>>>> certutil.exe -store MY can show a user's certs.
>>>
>>> Ok thank you for the information,
>>>
>>>>
>>>>>
>>>>>>
>>>>>> With firefox, can you see the certificates without entering the PIN?
>>>>>
>>>>> No a PIN is always required to access the cert on the card.
>>>>
>>>> It's the same question as above, can you read the certificate before having to use the PIN. The PIN is
>>>> needed to use the keys, and see some of the objects on the card.
>>>>
>>>> Under tools->options->view certificates can you see the certificates on the card without having
>>>> to enter the PIN?
>>>
>>> Sorry about that, I misunderstood the question.
>>> Yes, under Firefox tools->options->view certificates I can see/read the certificate without entering the PIN.
>>>
>>> --
>>>
>>> shaun
>>
>
> --
>
> Shaun Schutte
> Free Software & Open Technologies
> Developer
>
> TIS innovation park
> Via Siemens 19 | 39100 Bolzano | Italia
> Siemensstraße 19 | 39100 Bozen | Italien
> T +39 0471 068101 F +39 0471 068100
> [hidden email] www.tis.bz.it

--
Douglas E. Engert <[hidden email]>
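Added example, not part of the thread and not OpenSC code: a Python triage of opensc-debug.log entries in the format quoted above. It extracts the matched driver, any unsupported card_ctl command, and each failing call with its log context, which is how the [cardmod] GET_SERIALNR failure in Douglas's excerpt can be found in a long log. The sample lines are copied from that excerpt; the function name triage and the report layout are assumptions of this example.

```python
import re

# Sample lines copied from the opensc-debug.log excerpt quoted in this thread.
SAMPLE_LOG = """\
601: 2014-10-20 05:05:14.037 matched: Italian CNS
602: 2014-10-20 05:05:14.037 [opensc-pkcs11] card-itacns.c:205:itacns_init: called
7376: 2014-10-20 05:19:25.699 [cardmod] pkcs15.c:2701:sc_pkcs15_get_object_guid: called
7377: 2014-10-20 05:19:25.699 [cardmod] card.c:769:sc_card_ctl: called
7378: 2014-10-20 05:19:25.699 card_ctl(5) not supported
7379: 2014-10-20 05:19:25.699 [cardmod] pkcs15.c:2728:sc_pkcs15_get_object_guid: 'GET_SERIALNR' failed: -1408 (Not supported)
7380: 2014-10-20 05:19:25.699 sc_pkcs15_get_object_guid() error -1408
7383: 2014-10-20 05:19:25.699 disassociate_card
"""

# Optional "7379: " viewer line number, timestamp, optional "[ctx] file:line:func:", message.
LINE = re.compile(
    r"^(?:\d+:\s+)?(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d\.\d{3})"
    r"(?: \[(?P<ctx>[^\]]+)\] (?P<file>[\w.-]+):(?P<line>\d+):(?P<func>\w+):)?"
    r" ?(?P<msg>.*)$"
)
MATCHED = re.compile(r"^matched: (?P<name>.+)")
UNSUPPORTED_CTL = re.compile(r"card_ctl\((?P<cmd>\d+)\) not supported")
FAILED = re.compile(r"failed: (?P<code>-\d+) \((?P<text>[^)]*)\)")


def triage(log_text):
    """Summarise which driver matched and which calls failed, per log context."""
    report = {"driver": None, "unsupported_ctl": [], "failures": []}
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # not a timestamped entry (e.g. the P:/T: continuation line)
        msg = m.group("msg")
        if hit := MATCHED.search(msg):
            report["driver"] = hit.group("name")
        if hit := UNSUPPORTED_CTL.search(msg):
            report["unsupported_ctl"].append(int(hit.group("cmd")))
        if hit := FAILED.search(msg):
            report["failures"].append({
                "time": m.group("ts"),
                "context": m.group("ctx"),  # "cardmod" marks the minidriver calls in this log
                "where": f"{m.group('file')}:{m.group('line')}" if m.group("file") else None,
                "function": m.group("func"),
                "code": int(hit.group("code")),
                "text": hit.group("text"),
            })
    return report


if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

A failure reported with context "cardmod" and text "Not supported" next to a non-empty unsupported_ctl list is the pattern discussed in this thread.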
On 27/10/2014 21:06, Douglas E Engert wrote:
> OK, this helps a lot. The card itacns.c does not support reading a serial number.
>
> Anyone want to add the code?

I could help but I have no experience of CNS code, and currently no time at all to dedicate. As I said E. Pucciarelli which is the author seems no more interested in the project.

Shaun, someone in your organization or some contractor could take care of it? I can offer all the help I can.

> Windows, and thus the minidriver, needs a unique GUID for a card, because of the way
> it works. It stores in the Microsoft certificate stash the certificate and a GUID that represents
> the card that has the private key. Thus it can find a certificate without the card, then ask to have
> the card inserted.
>
> The card-itacns.c or pkcs15-itacns.c does not have the needed code to get the GUID.

...

> So someone who knows the CNS code needs to implement a get_guid, or a card_ctl function that supports
> SC_CARDCTL_GET_SERIALNR

Thanks, I start to catch the point.

> As another test,
> The opensc-tool --serial
> will show the serial number or "sc_card_ctl(*, SC_CARDCTL_GET_SERIALNR, *) failed\n"

yes:

$ opensc-tool --serial
Using reader with a card: ACS ACR38U 00 00
sc_card_ctl(*, SC_CARDCTL_GET_SERIALNR, *) failed

bye,
rob
On 27/10/2014 15:41, Shaun Schutte wrote:
> The only way I have gotten some kind of output from OpenSC, is to run it
> under Windows Debugger. It is part of the Windows SDK kit, and when
> running certutil with -SCInfo as argument I am at least getting a lot
> of information,

I am trying to replicate your steps. I installed windbg from the Windows SDK kit, but never used it before; I tried

windbg certutil -SCInfo

What steps are needed to provide debug symbols for opensc to the debugger?

Thanks,
rob