OpenSC Internet Explorer


OpenSC Internet Explorer

Shaun Schutte (TIS innovation park)

Hi List,

I was wondering if anyone here managed to get some smart cards working
with Internet Explorer. Upstream there are some "reg" files that
configure some cards such as ePass2003, Feitan and so forth...
Do they really work well with Internet Explorer? (Do the smart cards
work at all with IE? If so... how?)

We are a small province in the north of Italy and would like to
implement a FOSS solution to manage smart cards. Our OpenSC-GUI
frontend, creates an easy way to change the PIN, however getting the
OpenSC drivers to play nice with Internet Explorer seems to be rather
tricky... (All works under Linux but the majority of the userbase uses
Windows and IE)

The project can be found here:
https://github.com/tis-innovation-park/OpenSC-GUI/


Before going into a lot of details I was wondering if anyone on this
list managed to get the Italian CNS (European Health Insurance Card)
working with Internet Explorer. All works great under Firefox.
I have been playing with a lot of registry settings but somehow think
that the problems are related to the minidriver?

This topic somehow relates to the issues that were mentioned previously,
concerning deprecated drivers and the maintenance thereof. I am more
than happy to provide all sorts of information regarding this topic!

Kind Regards,

--
shaun



------------------------------------------------------------------------------
_______________________________________________
Opensc-devel mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/opensc-devel

Re: OpenSC Internet Explorer

Douglas E Engert


On 10/22/2014 2:23 PM, Shaun Schutte (TIS innovation park) wrote:
> Hi List,
>
> I was wondering if anyone here managed to get some smart cards working
> with Internet Explorer. Upstream there are some "reg" files that
> configure some cards such as ePass2003, Feitan and so forth...

Are you having problems with the registry setting for your cards?


> Do they really work well with Internet Explorer? (Do the smart cards
> work at all with IE? If so... how?)

The minidriver should work with Internet Explorer.
If you are on a Windows 64 bit machine, and running Internet Explorer
in 32 bit, (or any other 32 bit application needing smart card access)
you need to also install the 32 bit version of OpenSC.

Task manager processes shows which are 32 bit.


>
> We are a small province in the north of Italy and would like to
> implement a FOSS solution to manage smart cards. Our OpenSC-GUI
> frontend, creates an easy way to change the PIN, however getting the
> OpenSC drivers to play nice with Internet Explorer seems to be rather
> tricky... (All works under Linux but the majority of the userbase uses
> Windows and IE)
>
> The project can be found here:
> https://github.com/tis-innovation-park/OpenSC-GUI/


This points at:
https://github.com/OpenSC/OpenSC/wiki/SmartCardHSM

Is this to show how to set the registry setting so Windows
will use the minidriver?



>
>
> Before going into a lot of details I was wondering if anyone on this
> list managed to get the Italian CNS (European Health Insurance Card)
> working with Internet Explorer. All works great under Firefox.

Is this the 64 bit or 32 bit version?



> I have been playing with a lot of registry settings but somehow think
> that the problems are related to the minidriver?

Can you get the certutil.exe to see the smart card?

>
> This topic somehow relates to the issues that were mentioned previously,
> concerning deprecated drivers and the maintenance thereof. I am more
> than happy to provide all sorts of information regarding this topic!
>
> Kind Regards,
>
> --
> shaun

--

  Douglas E. Engert  <[hidden email]>



Re: OpenSC Internet Explorer

Shaun Schutte (TIS innovation park)
Thanks for the response Douglas,

> Hi List,
>
> I was wondering if anyone here managed to get some smart cards working
> with Internet Explorer. Upstream there are some "reg" files that
> configure some cards such as ePass2003, Feitan and so forth...
>
> > Are you having problems with the registry setting for your cards?

This is where I am not too sure where the problem is.
All tests are being done on vanilla installs of Windows 7, 32 bit. I get
the images from here, might be useful for someone when it comes to
testing: https://gist.github.com/magnetikonline/5274656
(VirtualBox is used as well. OpenSC works fine with Firefox and Smart
Card based authentication works as expected)

This is a Siemens card and in order to find out what the Registry
settings are, I installed the proprietary drivers to see what was being
done to the registry and the result was the following:


> [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Calais\SmartCards\Carta Nazionale dei Servizi (Athena)]
> "ATR"=hex:3b,df,18,00,81,31,fe,7d,00,6b,15,0c,01,80,01,00,01,43,4e,53,10,31,80,\
>   00
> "ATRMask"=hex:ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,00,ff,ff,ff,ff,ff,\
>   ff,ff,00
> "Crypto Provider"="Siemens Card API CSP"
>
> [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Calais\SmartCards\Carta Nazionale dei Servizi (CardOS)]
> "ATR"=hex:3b,ff,18,00,ff,c1,0a,31,fe,55,00,6b,05,08,c8,00,01,00,01,43,4e,53,10,\
>   31,80,00
> "ATRMask"=hex:ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,00,ff,00,ff,ff,ff,\
>   ff,ff,ff,ff,00
> "Crypto Provider"="Siemens Card API CSP"

So I manually changed it and made sure the Crypto Provider was Microsoft
and that the opensc-minidriver.dll was being used in System 32.

> [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Calais\SmartCards]
> @=""
>
> [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Calais\SmartCards\Carta Nazionale dei Servizi (Athena)]
> "ATR"=hex:3b,df,18,00,81,31,fe,7d,00,6b,15,0c,01,80,01,00,01,43,4e,53,10,31,80,\
>   00
> "ATRMask"=hex:ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,00,ff,ff,ff,ff,ff,\
>   ff,ff,00
> "Crypto Provider"="Microsoft Base Smart Card Crypto Provider"
> "Smart Card Key Storage Provider"="Microsoft Smart Card Key Storage Provider"
> "80000001"="opensc-minidriver.dll"
>
> [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Calais\SmartCards\Carta Nazionale dei Servizi (CardOS)]
> "ATR"=hex:3b,ff,18,00,ff,c1,0a,31,fe,55,00,6b,05,08,c8,00,01,00,01,43,4e,53,10,\
>   31,80,00
> "ATRMask"=hex:ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,00,ff,00,ff,ff,ff,\
>   ff,ff,ff,ff,00
> "Crypto Provider"="Microsoft Base Smart Card Crypto Provider"
> "Smart Card Key Storage Provider"="Microsoft Smart Card Key Storage Provider"
> "80000001"="opensc-minidriver.dll"

To make sure the correct DLL was being called I checked with Windows
debugger when running cardutil.exe:

>> ModLoad: 75df0000 75e0f000   C:\Windows\system32\IMM32.DLL
>> ModLoad: 75900000 759cc000   C:\Windows\system32\MSCTF.dll
>> ModLoad: 74070000 740b0000   C:\Windows\system32\uxtheme.dll
>> ModLoad: 73d80000 73d93000   C:\Windows\System32\dwmapi.dll
>> ModLoad: 75460000 7546c000   C:\Windows\System32\CRYPTBASE.dll
>> ModLoad: 71e20000 71e43000   C:\Windows\system32\winscard.dll
>> ModLoad: 754d0000 754f9000   C:\Windows\System32\WINSTA.dll
>> ModLoad: 74b00000 74b0d000   C:\Windows\System32\WTSAPI32.dll
>> ModLoad: 71e20000 71e43000   C:\Windows\System32\WinSCard.dll
>> (640.ecc): C++ EH exception - code e06d7363 (first chance)
>> (640.ecc): C++ EH exception - code e06d7363 (first chance)
>> (640.ecc): C++ EH exception - code e06d7363 (first chance)
>> (640.ecc): C++ EH exception - code e06d7363 (first chance)
>> (640.ecc): C++ EH exception - code e06d7363 (first chance)
>> (640.ecc): C++ EH exception - code e06d7363 (first chance)
>> ModLoad: 74f80000 74f96000   C:\Windows\System32\CRYPTSP.dll
>> ModLoad: 6c710000 6c733000   C:\Windows\System32\basecsp.dll
>> ModLoad: 74d20000 74d5b000   C:\Windows\system32\rsaenh.dll
>> (640.ecc): C++ EH exception - code e06d7363 (first chance)
>> (640.ecc): C++ EH exception - code e06d7363 (first chance)
>> (640.ecc): C++ EH exception - code e06d7363 (first chance)
>> ModLoad: 64e80000 65025000   C:\Windows\System32\opensc-minidriver.dll
>> (640.ecc): Unknown exception - code 00000001 (first chance)
>> (640.ecc): C++ EH exception - code e06d7363 (first chance)
>> (640.ecc): Unknown exception - code 8010000a (first chance)
>> (640.ecc): C++ EH exception - code e06d7363 (first chance)

However no luck in getting anything working.

Interestingly enough, when running "opensc-tool -a", the ATR is
different to that of the proprietary driver:

> 3b:ff:18:00:ff:c1:0a:31:fe:55:00:6b:05:08:c8:0c:01:11:01:43:4e:53:10:31:80:05

So I am not even sure if the registry settings are correct since the
ATR's are contradicting one another.


>
> > This points at:
> > https://github.com/OpenSC/OpenSC/wiki/SmartCardHSM
>
> > Is this to show how to set the registry setting to Windows
> > will use the minidriver?
>
>

I think this would be the base to start however I am also not sure. Was
wondering if anyone here might know. There are definitely some registry
settings being created when installing OpenSC unless I am missing something:

https://github.com/OpenSC/OpenSC/blob/master/src/minidriver/minidriver-sc-hsm.reg


>
> I have been playing with a lot of registry settings but somehow think
> that the problems are related to the minidriver?
>
> > Can you get the certutil.exe to see the smart card?
>

I tried it and it does see the card, read the ATR but there is still
something missing. To explain a little more I have attached a screenshot
that might clarify things a little more.
Hopefully someone has had similar issues or can easily identify what I
am doing wrong?

Thanks in advance,

--
shaun



opensc-minidriver-issue.png (1M) Download Attachment

Re: OpenSC Internet Explorer

Douglas E Engert


On 10/23/2014 1:42 AM, Shaun Schutte (TIS innovation park) wrote:

> Thanks for the response Douglas,
>
>> Hi List,
>>
>> I was wondering if anyone here managed to get some smart cards working
>> with Internet Explorer. Upstream there are some "reg" files that
>> configure some cards such as ePass2003, Feitan and so forth...
>>
>>> Are you having problems with the registry setting for your cards?
>
> This is where I am not too sure where the problem is.
> All tests are being done on vanilla installs of Windows 7, 32 bit. I get
> the images from here, might be useful for someone when it comes to
> testing: https://gist.github.com/magnetikonline/5274656
> (VirtualBox is used as well. OpenSC works fine with Firefox and Smart
> Card based authentication works as expected)

So the card is initialized.






>
> This is a Siemens card and in order to find out what the Registry
> settings are, I installed the proprietary drivers to see what was being
> done to the registry and the result was the following:
>
>
>> [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Calais\SmartCards\Carta
>> Nazionale dei Servizi (Athena)]
>> "ATR"=hex:3b,df,18,00,81,31,fe,7d,00,6b,15,0c,01,80,01,00,01,43,4e,53,10,31,80,\
>>
>>    00
>> "ATRMask"=hex:ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,00,ff,ff,ff,ff,ff,\
>>
>>    ff,ff,00
>> "Crypto Provider"="Siemens Card API CSP"
>>
>> [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Calais\SmartCards\Carta
>> Nazionale dei Servizi (CardOS)]
>> "ATR"=    hex:3b,ff,18,00,ff,c1,0a,31,fe,55,00,6b,05,08,c8,00,01,00,01,43,4e,53,10,\
>>
>>    31,80,00
                  3b:ff:18:00:ff:c1:0a:31:fe:55:00:6b:05:08:c8:0c:01:11:01:43:4e:53:10:31:80:05

>> "ATRMask"=hex:ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,00,ff,00,ff,ff,ff,\
>>
>>    ff,ff,ff,ff,00
>> "Crypto Provider"="Siemens Card API CSP"
>
> So I manually changed it and made sure the Crypto Provider was Microsoft
> and that the opensc-minidriver.dll was being used in System 32.
>
>> [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Calais\SmartCards]
>> @=""
>>
>> [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Calais\SmartCards\Carta
>> Nazionale dei Servizi (Athena)]
>> "ATR"=hex:3b,df,18,00,81,31,fe,7d,00,6b,15,0c,01,80,01,00,01,43,4e,53,10,31,80,\
>>
>>    00
>> "ATRMask"=hex:ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,00,ff,ff,ff,ff,ff,\
>>
>>    ff,ff,00
>> "Crypto Provider"="Microsoft Base Smart Card Crypto Provider"
>> "Smart Card Key Storage Provider"="Microsoft Smart Card Key Storage
>> Provider"
>> "80000001"="opensc-minidriver.dll"
>>
>> [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Calais\SmartCards\Carta
>> Nazionale dei Servizi (CardOS)]
>> "ATR"=hex:3b,ff,18,00,ff,c1,0a,31,fe,55,00,6b,05,08,c8,00,01,00,01,43,4e,53,10,\
>>
>>    31,80,00
>> "ATRMask"=hex:ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,00,ff,00,ff,ff,ff,\
>>
>>    ff,ff,ff,ff,00
>> "Crypto Provider"="Microsoft Base Smart Card Crypto Provider"
>> "Smart Card Key Storage Provider"="Microsoft Smart Card Key Storage
>> Provider"
>> "80000001"="opensc-minidriver.dll"
>
> To make sure the correct DLL was being called I checked with Windows
> debugger when running cardutil.exe:
>
>>> ModLoad: 75df0000 75e0f000   C:\Windows\system32\IMM32.DLL
>>> ModLoad: 75900000 759cc000   C:\Windows\system32\MSCTF.dll
>>> ModLoad: 74070000 740b0000   C:\Windows\system32\uxtheme.dll
>>> ModLoad: 73d80000 73d93000   C:\Windows\System32\dwmapi.dll
>>> ModLoad: 75460000 7546c000   C:\Windows\System32\CRYPTBASE.dll
>>> ModLoad: 71e20000 71e43000   C:\Windows\system32\winscard.dll
>>> ModLoad: 754d0000 754f9000   C:\Windows\System32\WINSTA.dll
>>> ModLoad: 74b00000 74b0d000   C:\Windows\System32\WTSAPI32.dll
>>> ModLoad: 71e20000 71e43000   C:\Windows\System32\WinSCard.dll
>>> (640.ecc): C++ EH exception - code e06d7363 (first chance)
>>> (640.ecc): C++ EH exception - code e06d7363 (first chance)
>>> (640.ecc): C++ EH exception - code e06d7363 (first chance)
>>> (640.ecc): C++ EH exception - code e06d7363 (first chance)
>>> (640.ecc): C++ EH exception - code e06d7363 (first chance)
>>> (640.ecc): C++ EH exception - code e06d7363 (first chance)
>>> ModLoad: 74f80000 74f96000   C:\Windows\System32\CRYPTSP.dll
>>> ModLoad: 6c710000 6c733000   C:\Windows\System32\basecsp.dll
>>> ModLoad: 74d20000 74d5b000   C:\Windows\system32\rsaenh.dll
>>> (640.ecc): C++ EH exception - code e06d7363 (first chance)
>>> (640.ecc): C++ EH exception - code e06d7363 (first chance)
>>> (640.ecc): C++ EH exception - code e06d7363 (first chance)
>>> ModLoad: 64e80000 65025000   C:\Windows\System32\opensc-minidriver.dll
>>> (640.ecc): Unknown exception - code 00000001 (first chance)
>>> (640.ecc): C++ EH exception - code e06d7363 (first chance)
>>> (640.ecc): Unknown exception - code 8010000a (first chance)
>>> (640.ecc): C++ EH exception - code e06d7363 (first chance)
>
> However no luck in getting anything working.
>
> Interestingly enough, when running "opensc-tool -a", the ATR is
> different to that of the proprietary driver:
>
>> 3b:ff:18:00:ff:c1:0a:31:fe:55:00:6b:05:08:c8:0c:01:11:01:43:4e:53:10:31:80:05

See:
http://ludovic.rousseau.free.fr/softwares/pcsc-tools/smartcard_list.txt

>
> So I am not even sure if the registry settings are correct since the
> ATR's are contradicting one another.

It looks like the ATR  when "and"ed with the ATRmask is covered by the second
definition.


But why did you add the line:
  "Smart Card Key Storage Provider"="Microsoft Smart Card Key Storage Provider"


I would uninstall the vendor's code and registry settings then try:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Calais\SmartCards\OpenSC Carta Nazionale dei Servizi (CardOS)]
"ATR"=hex:3b,ff,18,00,ff,c1,0a,31,fe,55,00,6b,05,08,c8,00,01,00,01,43,4e,53,10,31,80,00
"ATRMask"=hex:ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,00,ff,00,ff,ff,ff,ff,ff,ff,ff,00
"Crypto Provider"="Microsoft Base Smart Card Crypto Provider"
"80000001"="opensc-minidriver.dll"


What version of OpenSC are you using?

https://github.com/OpenSC/OpenSC/wiki

has links to 0.14.0 and nightly builds.

Then restart Windows...

The minidriver can also write a debug log to c:\tmp\md.log
make it writable by everyone.

The OpenSC debug log could also show something.
Edit the opensc.conf and set debug = 7; debug_file = some file;
also writable by everyone.


>
>
>>
>>> This points at:
>>> https://github.com/OpenSC/OpenSC/wiki/SmartCardHSM
>>
>>> Is this to show how to set the registry setting to Windows
>>> will use the minidriver?
>>
>>
>
> I think this would be the base to start however I am also not sure. Was
> wondering if anyone here might know. There are definitely some registry
> settings being created when installing OpenSC unless I am missing something:
>
> https://github.com/OpenSC/OpenSC/blob/master/src/minidriver/minidriver-sc-hsm.reg
>
>
>>
>> I have been playing with a lot of registry settings but somehow think
>> that the problems are related to the minidriver?
>>
>>> Can you get the certutil.exe to see the smart card?
>>
>
> I tried it and it does see the card, read the ATR but there is still
> something missing.

Are certificates on your card readable without entering the PIN?
If not, look at the certutil.exe options to see if you can tell it to log on.

With firefox, can you see the certificates without entering the PIN?



> To explain a little more I have attached a screenshot
> that might clarify things a little more.
> Hopefully someone has had similar issues or can easily identify what I
> am doing wrong?
>
> Thanks in advance,
>
> --
> shaun
>

--

  Douglas E. Engert  <[hidden email]>
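
The ATR/ATRMask comparison discussed in the message above, worked through on the values quoted in this thread. This is an added example, not part of the original posts or of OpenSC: it parses a .reg fragment (including the "\" line continuations) and reports which Calais entry a card ATR selects. The function names and the rule that ATR, mask and card ATR must have equal length are assumptions of this sketch.

```python
import re

# Sample input: .reg fragment assembled from the values quoted in this thread.
REG_TEXT = r'''
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Calais\SmartCards\Carta Nazionale dei Servizi (Athena)]
"ATR"=hex:3b,df,18,00,81,31,fe,7d,00,6b,15,0c,01,80,01,00,01,43,4e,53,10,31,80,\
  00
"ATRMask"=hex:ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,00,ff,ff,ff,ff,ff,\
  ff,ff,00
"Crypto Provider"="Microsoft Base Smart Card Crypto Provider"
"80000001"="opensc-minidriver.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Calais\SmartCards\OpenSC Carta Nazionale dei Servizi (CardOS)]
"ATR"=hex:3b,ff,18,00,ff,c1,0a,31,fe,55,00,6b,05,08,c8,00,01,00,01,43,4e,53,10,31,80,00
"ATRMask"=hex:ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,00,ff,00,ff,ff,ff,ff,ff,ff,ff,00
"Crypto Provider"="Microsoft Base Smart Card Crypto Provider"
"80000001"="opensc-minidriver.dll"
'''

# ATR as printed by "opensc-tool -a" in the thread.
CARD_ATR_TEXT = "3b:ff:18:00:ff:c1:0a:31:fe:55:00:6b:05:08:c8:0c:01:11:01:43:4e:53:10:31:80:05"


def parse_reg(text):
    """Return {key_path: {value_name: bytes or str}} for a .reg fragment."""
    # Undo the "\" + newline continuations regedit uses for long hex values.
    joined = re.sub(r"\\[ \t]*\r?\n[ \t]*", "", text)
    entries, current = {}, None
    for line in joined.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = entries.setdefault(line[1:-1], {})
            continue
        m = re.match(r'^"([^"]+)"=(.*)$', line)
        if not m or current is None:
            continue
        name, raw = m.groups()
        if raw.startswith("hex:"):
            current[name] = bytes(int(b, 16) for b in raw[4:].split(",") if b.strip())
        else:
            current[name] = raw.strip('"')
    return entries


def parse_atr(text):
    """Accept '3b:ff:..' (opensc-tool) or '3b ff ..' (certutil) notation."""
    return bytes.fromhex(text.replace(":", " "))


def atr_matches(card_atr, ref_atr, mask):
    """Compare only the bits the mask keeps; lengths must agree (assumption)."""
    if not (len(card_atr) == len(ref_atr) == len(mask)):
        return False
    return all((c & m) == (r & m) for c, r, m in zip(card_atr, ref_atr, mask))


def differing_offsets(card_atr, ref_atr):
    """Byte offsets where the card ATR and the registered ATR differ."""
    return [i for i, (c, r) in enumerate(zip(card_atr, ref_atr)) if c != r]


def ignored_offsets(mask):
    """Byte offsets the mask does not fully compare."""
    return [i for i, m in enumerate(mask) if m != 0xFF]


def find_card(entries, card_atr):
    """Return [(entry name, minidriver DLL)] for every entry the ATR selects."""
    hits = []
    for key, values in entries.items():
        atr, mask = values.get("ATR"), values.get("ATRMask")
        if isinstance(atr, bytes) and isinstance(mask, bytes) and atr_matches(card_atr, atr, mask):
            hits.append((key.rsplit("\\", 1)[-1], values.get("80000001")))
    return hits


if __name__ == "__main__":
    entries = parse_reg(REG_TEXT)
    card = parse_atr(CARD_ATR_TEXT)
    for name, dll in find_card(entries, card):
        print(f"{name} -> {dll}")
    for key, values in entries.items():
        print(key.rsplit("\\", 1)[-1],
              "differs at", differing_offsets(card, values["ATR"]),
              "mask ignores", ignored_offsets(values["ATRMask"]))
```

The three bytes where the card's ATR differs from the registered CardOS ATR are exactly the bytes the mask zeroes out, which is why the two ATRs in the thread only look contradictory.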



Re: OpenSC Internet Explorer

Douglas E Engert
In reply to this post by Shaun Schutte (TIS innovation park)
P.S.

If you used the vendor's driver, it may have read the certificates,
and stored them in the user's certificate store pointing at a container
based on the vendor's naming convention which points at the smartcard
holding the matching keys.

Then when you used the OpenSC version, the certificate is found, but certutil
looks for the key using the vendor's container name, not the container name
used by the OpenSC minidriver.

So if you can start from a fresh W7, without the vendor's drivers that might
help.


--

  Douglas E. Engert  <[hidden email]>



Re: OpenSC Internet Explorer

Shaun Schutte (TIS innovation park)
In reply to this post by Douglas E Engert
On 10/23/2014 01:57 PM, Douglas E Engert wrote:

>> However no luck in getting anything working.
>>
>> Interestingly enough, when running "opensc-tool -a", the ATR is
>> different to that of the proprietary driver:
>>
>>> 3b:ff:18:00:ff:c1:0a:31:fe:55:00:6b:05:08:c8:0c:01:11:01:43:4e:53:10:31:80:05
>
> See:
> http://ludovic.rousseau.free.fr/softwares/pcsc-tools/smartcard_list.txt

Thanks for information, I checked and the card is there, it is listed under Trentino, we are the neighboring province to the north. ATR matches.

>> So I am not even sure if the registry settings are correct since the
>> ATR's are contradicting one another.
>
> It looks like the ATR  when "and"ed with the ATRmask is covered by the second
> definition.
>
>
> But why did you added the line:
>  "Smart Card Key Storage Provider"="Microsoft Smart Card Key Storage Provider"
>
>
> I would uninstall the vendor's code and registry settings then try:
>
> [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Calais\SmartCards\OpenSC Carta Nazionale dei Servizi (CardOS)]
> "ATR"=hex:3b,ff,18,00,ff,c1,0a,31,fe,55,00,6b,05,08,c8,00,01,00,01,43,4e,53,10,31,80,00
> "ATRMask"=hex:ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,00,ff,00,ff,ff,ff,ff,ff,ff,ff,00
> "Crypto Provider"="Microsoft Base Smart Card Crypto Provider"
> "80000001"="opensc-minidriver.dll"

Right. Did that and removed the vendor's code (reset the snapshot in VirtualBox). Windows tries to install the driver for the smart card and fails, however certutil is functioning and can see the card:

C:\Users\IEUser>certutil -SCInfo
The Microsoft Smart Card Resource Manager is running. Current reader/card status:
Readers: 1
 0: ACS CCID USB Reader 0
--- Reader: ACS CCID USB Reader 0
--- Status: SCARD_STATE_PRESENT | SCARD_STATE_INUSE
--- Status: The card is being shared by a process.
--- Card: OpenSC Carta Nazionale dei Servizi (CardOS)
--- ATR: 3b ff 18 00 ff c1 0a 31 fe 55 00 6b 05 08 c8 0c ;......1.U.k
         01 11 01 43 4e 53 10 31 80 05 ...CNS.1..

> What version of OpenSC are you using?
>
> https://github.com/OpenSC/OpenSC/wiki
>
> has links to 0.14.0 and nightly builds.

OpenSC 14.0. Currently I am testing the nightly build here: https://opensc.fr/jenkins/view/OpenSC-master/
The results are thus far the same with the stable version of OpenSC 14.0 msi found on Sourceforge.

> The restart windows...
>
> The minidriver can also write a debug log to c:\tmp\md.log
> make to writable by everyone.

Ok I have attached the debug log to this mail.

Found 1 private key(s) in the card. sc_pkcs15_get_object_guid() error -1408

Not too sure what this means.

> The OpenSC debug log could also show something.
> Edit the opensc.conf and set debug = 7; debug_file = some file;
> also write able by everyone.

I have set OpenSC to debug however nothing gets written into the log file when using IE.

> Are certificates on your card readable without entering the PIN?

No, the PIN is required to read the certificates. When authenticating to an eGov website the pin is always required.

> If not look at the certutil.exe options to see if you can tell it to logon.

I checked and unfortunately this does not seem to be the case, unless I am missing something obvious.
Just out of interest, does IE explorer use certutil to interact with the cards?

> With firefox, can you see the certificates without entering the PIN?

No, a PIN is always required to access the cert on the card.

I did these tests on a fresh install of Windows 7 (Snapshot on VirtualBox) so there are no drivers by the vendor. Only OpenSC 14.0 is installed and the one registry entry, otherwise it is a vanilla installation.


--
shaun



md.log (13K) Download Attachment

Re: OpenSC Internet Explorer

Douglas E Engert


On 10/24/2014 4:33 AM, Shaun Schutte wrote:

> On 10/23/2014 01:57 PM, Douglas E Engert wrote:
>>
>>> However no luck in getting anything working.
>>>
>>> Interestingly enough, when running "opensc-tool -a", the ATR is
>>> different to that of the proprietary driver:
>>>
>>>> 3b:ff:18:00:ff:c1:0a:31:fe:55:00:6b:05:08:c8:0c:01:11:01:43:4e:53:10:31:80:05
>>
>> See:
>> http://ludovic.rousseau.free.fr/softwares/pcsc-tools/smartcard_list.txt
>
> Thanks for information, I checked and the card is there, it is listed under Trentino, we are the neighboring province to the north. ATR matches.
>
>>
>>>
>>> So I am not even sure if the registry settings are correct since the
>>> ATR's are contradicting one another.
>>
>> It looks like the ATR  when "and"ed with the ATRmask is covered by the second
>> definition.
>>
>>
>> But why did you added the line:
>>  "Smart Card Key Storage Provider"="Microsoft Smart Card Key Storage Provider"
>>
>>
>> I would uninstall the vendor's code and registry settings then try:
>>
>> [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Calais\SmartCards\OpenSC Carta Nazionale dei Servizi (CardOS)]
>> "ATR"=hex:3b,ff,18,00,ff,c1,0a,31,fe,55,00,6b,05,08,c8,00,01,00,01,43,4e,53,10,31,80,00
>> "ATRMask"=hex:ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,00,ff,00,ff,ff,ff,ff,ff,ff,ff,00
>> "Crypto Provider"="Microsoft Base Smart Card Crypto Provider"
>> "80000001"="opensc-minidriver.dll"
>>
>
> Right. Did that and removed the vendor's code (reset the snapshot in VirtualBox). Windows tries to install the driver for the smart card and fails, however certutil is functioning and can see the card:
>
> C:\Users\IEUser>certutil -SCInfo
> The Microsoft Smart Card Resource Manager is running. Current reader/card status:
> Readers: 1
>   0: ACS CCID USB Reader 0
> --- Reader: ACS CCID USB Reader 0
> --- Status: SCARD_STATE_PRESENT | SCARD_STATE_INUSE
> --- Status: The card is being shared by a process.
> --- Card: OpenSC Carta Nazionale dei Servizi (CardOS)
> --- ATR: 3b ff 18 00 ff c1 0a 31 fe 55 00 6b 05 08 c8 0c ;......1.U.k
>           01 11 01 43 4e 53 10 31 80 05 ...CNS.1..
>
>
>>
>> What version of OpenSC are you using?
>>
>> https://github.com/OpenSC/OpenSC/wiki
>>
>> has links to 0.14.0 and nightly builds.
>
> OpenSC 14.0. Currently I am testing the nightly build here: https://opensc.fr/jenkins/view/OpenSC-master/
> The results are thus far the same with the stable version of OpenSC 14.0 msi found on Sourceforge.
>
>>
>> Then restart Windows...
>>
>> The minidriver can also write a debug log to c:\tmp\md.log
>> make it writable by everyone.
>
> Ok I have attached the debug log to this mail.
>
>> Found 1 private key(s) in the card. sc_pkcs15_get_object_guid() error -1408
>
>
> Not too sure what this means.
>
>>
>> The OpenSC debug log could also show something.
>> Edit the opensc.conf and set debug = 7; debug_file = some file;
>> also writable by everyone.
>>
>
> I have set OpenSC to debug however nothing gets written into the log file when using IE.
>
>> Are certificates on your card readable without entering the PIN?
>
> No the PIN is required to read the certificates. When authenticating to an eGov website the pin is always required.
>

In Windows, the certs may be read by one process, and stored in the certificate store with a containerID.
Then later (maybe days), another process will look for a cert to use, find it in the cert store,
use the containerID to identify the card with the private key, and ask for the card to be inserted,
and then the PIN will be requested.

So my question was: to read the certificates on the card, is the PIN required? (The first part
of the above.)


>> If not look at the certutil.exe options to see if you can tell it to logon.
>
> I checked and unfortunately this does not seem to be the case, unless I am missing something obvious.
> Just out of interest, does IE explorer use certutil to interact with the cards?

No, but it uses the certificate store. You can also see the certificate store from the internet options.
certutil.exe -store MY can show a users certs.

>
>>
>> With firefox, can you see the certificates without entering the PIN?
>
> No a PIN is always required to access the cert on the card.

It's the same question as above: can you read the certificate before having to use the PIN? The PIN is
needed to use the keys, and see some of the objects on the card.

Under tools->options->view certificates can you see the certificates on the card without having
to enter the PIN?

>
> I did these tests on a fresh install of Windows 7 (Snapshot on VirtualBox) so there are no drivers by the vendor. Only OpenSC 14.0 is installed and the one registry entry, otherwise it is a vanilla
> installation.
>
>
> --
> shaun
>

--

  Douglas E. Engert  <[hidden email]>



Re: OpenSC Internet Explorer

Shaun Schutte (TIS innovation park)

> No, but it uses the certificate store. You can also see the certificate store from the internet options.
> certutil.exe -store MY can show a users certs.

Ok thank you for the information,

>>> With firefox, can you see the certificates without entering the PIN?
>>
>> No a PIN is always required to access the cert on the card.
>
> It's the same question as above: can you read the certificate before having to use the PIN? The PIN is
> needed to use the keys, and see some of the objects on the card.
>
> Under tools->options->view certificates can you see the certificates on the card without having
> to enter the PIN?

Sorry about that, I misunderstood the question.
Yes, under Firefox tools->options->view certificates I can see/read the certificate without entering the PIN.


--

shaun



Re: OpenSC Internet Explorer

Douglas E Engert
You had said:
"I checked and the card is there, it is listed under Trentino, we are the neighboring province to the north. ATR matches."

Do people in that province have any problems using IE or certutil.exe?

I don't know much about the Italian infrastructure.
What is the difference between your cards and theirs?


Now that you started over without the vendor's drivers, and a clean cert store,
can you try
certutil.exe -SCinfo should show the certs at least.

It should put up a "Windows Security", "Microsoft Smart Card Provider" window prompting for a PIN so it can verify the private key on the card
matches the certificate. (You can cancel the prompt, and it will go on to the next certificate.)

The issue could also be the certificate trust chain. Is your CA in the trusted certificates?

Internet options->Content->certificates->Personal
Or
certutil.exe -user -store "My"





--

  Douglas E. Engert  <[hidden email]>



Re: OpenSC Internet Explorer

Douglas E Engert
In reply to this post by Shaun Schutte (TIS innovation park)
Looking at the md.log trace it has:

MD virtual file system: file 'cmapfile' added
set 'cmapfile'
Found 1 private key(s) in the card.
sc_pkcs15_get_object_guid() error -1408


-1408 is SC_ERROR_NOT_SUPPORTED

If you can get the opensc.conf debug to work, that would help find this.

Although the example in opensc.conf may show:
debug_file = %TEMP%\opensc-debug.log

the minidriver will be run from system processes where %TEMP% is not set.
So for now, make it an absolute path like C:\tmp\opensc-debug.log
It must also be writable by everyone for now.




--

  Douglas E. Engert  <[hidden email]>



Re: OpenSC Internet Explorer

Roberto Resoli-2
In reply to this post by Douglas E Engert
On 24/10/2014 14:17, Douglas E Engert wrote:
> So my question was to read the certificates on the card, is the PIN required. (The first part
> of the above.)

 PIN is not required for reading CNS certificates (Mozilla firefox
requires pin anyway, but this is another story):

$ pkcs11-tool --module /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so -y cert -O
Using slot 2 with a present token (0x5)
Certificate Object, type = X.509 cert
  label:      CNS0
  ID:         01

$ pkcs11-tool --module /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so -r -a CNS0 -y cert > rob.cert
Using slot 2 with a present token (0x5)

$ openssl x509 -in rob.cert -inform DER -noout -text
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 404042 (0x62a4a)
    Signature Algorithm: sha1WithRSAEncryption
        Issuer: C=IT, O=Postecom S.p.A., OU=Servizi di Certificazione, CN=Provincia Autonoma di Trento - CA Cittadini
        Validity
            Not Before: Feb 18 13:20:05 2011 GMT
            Not After : Dec 24 00:59:59 2016 GMT
        Subject: C=IT, O=TS-CNS, OU=Provincia Autonoma di Trento, CN=RSLRRT64E08A952W/6042100941441607.Z6ugCe0i067316vhbUAjO3PIvkk=
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (1024 bit)
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Certificate Policies:
                Policy: 1.3.76.16.2.1
                  User Notice:
                    Explicit Text: Identifies X.509 authentication certificates issued for the italian National Service Card (CNS) project in according to the italian regulation
                Policy: 1.3.76.11.1.3.1
                  CPS: http://postecert.poste.it

            Authority Information Access:
                OCSP - URI:http://postecert.poste.it/ocsp

            X509v3 Key Usage: critical
                Digital Signature
            X509v3 Extended Key Usage:
                TLS Web Client Authentication
            X509v3 Authority Key Identifier:
                keyid:EE:61:F1:1E:A3:42:7C:FF:E0:47:85:7B:71:5E:5B:A9:2C:6A:88:07

            X509v3 CRL Distribution Points:

                Full Name:
                  URI:http://postecert.poste.it/cns/provinciatrento/crl.crl

            X509v3 Subject Key Identifier:
                02:D4:0C:40:FA:1F:EC:33:1F:B1:D2:64:6B:1D:84:58:FF:12:D3:3A
    Signature Algorithm: sha1WithRSAEncryption




Re: OpenSC Internet Explorer

Roberto Resoli-2
In reply to this post by Douglas E Engert
On 23/10/2014 00:29, Douglas E Engert wrote:
>> We are a small province in the north of Italy and would like to
>> implement a FOSS solution to manage smart cards. Our OpenSC-GUI
>> frontend, creates an easy way to change the PIN, however getting the
>> OpenSC drivers to play nice with Internet Explorer seems to be rather
>> tricky... (All works under Linux but the majority of the userbase uses
>> Windows and IE)

Hello,
I work for the Trento Municipality in the nearby Trentino Province; I own
a CNS and am very interested in your GUI. I would be happy to help.

bye
rob


Re: OpenSC Internet Explorer

Roberto Resoli-2
In reply to this post by Shaun Schutte (TIS innovation park)
On 24/10/2014 11:33, Shaun Schutte wrote:
...
> Right. Did that and removed the vendor's code (reset the snapshot in
> VirtualBox). Windows tries to install the driver for the smart card and
> fails,

I am following your same steps; in my case the Driver successfully
installs.


> however certutil is functioning and can see the card:

>
> C:\Users\IEUser>certutil -SCInfo
> The Microsoft Smart Card Resource Manager is running. Current
> reader/card status:
> Readers: 1
>  0: ACS CCID USB Reader 0
> --- Reader: ACS CCID USB Reader 0
> --- Status: SCARD_STATE_PRESENT | SCARD_STATE_INUSE
> --- Status: The card is being shared by a process.
> --- Card: OpenSC Carta Nazionale dei Servizi (CardOS)
> --- ATR: 3b ff 18 00 ff c1 0a 31 fe 55 00 6b 05 08 c8 0c ;......1.U.k
>          01 11 01 43 4e 53 10 31 80 05 ...CNS.1..
>

Here is my "certutil -SCInfo" output:

>certutil -SCInfo
Gestione risorse smart card in esecuzione.
Stato corrente lettore/scheda:
Lettori: 1
  0: Generic Usb Smart Card Reader 0
--- Lettore: Generic Usb Smart Card Reader 0
--- Stato: SCARD_STATE_PRESENT | SCARD_STATE_UNPOWERED
--- Stato: La scheda è disponibile per l'utilizzo.
---   Scheda:
---    ATR:
        3b ff 18 00 ff c1 0a 31  fe 55 00 6b 05 08 c8 0c   ;......1.U.k....
        01 11 01 43 4e 53 10 31  80 05                     ...CNS.1..


=======================================================
Analisi della scheda nel lettore: Generic Usb Smart Card Reader 0
SCardGetCardTypeProviderName: Impossibile trovare il file specificato. 0x2 (WIN32: 2)
Impossibile recuperare il nome del provider per
SCardGetCardTypeProviderName: Impossibile trovare il file specificato. 0x2 (WIN32: 2)
Impossibile recuperare il nome del provider per
--------------===========================--------------

Eseguito.
CertUtil: comando -SCInfo NON RIUSCITO: 0x2 (WIN32: 2)
CertUtil: Impossibile trovare il file specificato.

rob



Re: OpenSC Internet Explorer

Roberto Resoli-2
On 26/10/2014 12:33, Roberto Resoli wrote:
> On 24/10/2014 11:33, Shaun Schutte wrote:
> ...
>> Right. Did that and removed the vendor's code (reset the snapshot in
>> VirtualBox). Windows tries to install the driver for the smart card and
>> fails,
> I am following your same steps; in my case the Driver successfully
> installs.

I think this was because I had another smartcard registry setting:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Calais\SmartCards\CPS

with

"Smart Card Key Storage Provider"="Microsoft Smart Card Key Storage Provider"

inside.

Correspondingly, in c:\tmp\md.log I had lines like this :

P:2052 T:1908 pCardData:0000000000255050 CardAcquireContext, dwVersion=7, name=TSCPS,hScard=0x00000000, hSCardCtx=0x00000002

Now I have deleted both "TSCPS" key, md.log and set a new "CPS" card:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Calais\SmartCards\CPS]
"Crypto Provider"="Microsoft Base Smart Card Crypto Provider"
"80000001"="opensc-minidriver.dll"
"ATR"=hex:3b,ff,18,00,ff,c1,0a,31,fe,55,00,6b,05,08,c8,0c,01,11,01,43,4e,53,10,\
  31,80,05
"ATRMask"=hex:ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,00,ff,00,ff,ff,ff,\
  ff,ff,ff,ff,00

certutil -SCInfo outputs the same error:

-----------------
Gestione risorse smart card in esecuzione.
Stato corrente lettore/scheda:
Lettori: 1
  0: Generic Usb Smart Card Reader 0
--- Lettore: Generic Usb Smart Card Reader 0
--- Stato: SCARD_STATE_PRESENT | SCARD_STATE_UNPOWERED
--- Stato: La scheda è disponibile per l'utilizzo.
---   Scheda:
---    ATR:
        3b ff 18 00 ff c1 0a 31  fe 55 00 6b 05 08 c8 0c   ;......1.U.k....
        01 11 01 43 4e 53 10 31  80 05                     ...CNS.1..


=======================================================
Analisi della scheda nel lettore: Generic Usb Smart Card Reader 0
SCardGetCardTypeProviderName: Impossibile trovare il file specificato. 0x2 (WIN32: 2)
Impossibile recuperare il nome del provider per
SCardGetCardTypeProviderName: Impossibile trovare il file specificato. 0x2 (WIN32: 2)
Impossibile recuperare il nome del provider per
--------------===========================--------------

Eseguito.
CertUtil: comando -SCInfo NON RIUSCITO: 0x2 (WIN32: 2)
CertUtil: Impossibile trovare il file specificato.
-------------

No SmartCard driver installation is triggered, nor is any md.log generated.

rob


Re: OpenSC Internet Explorer

Roberto Resoli-2
In reply to this post by Douglas E Engert
On 24/10/2014 17:00, Douglas E Engert wrote:
> You had said:
> "I checked and the card is there, it is listed under Trentino, we are the neighboring province to the north. ATR matches."
>
> Do people in that province have any problems using IE or certutil.exe?

Here I am: yes, I tried several times to find a way to make the minidriver work
with CNS cards, but without success. The card is the same, I don't know
if the "proprietary driver" ATR Shaun Schutte is referring to is from
another CardOS device, but the ATR read using opensc matches anyway.

c:\Program Files\OpenSC Project\OpenSC\tools>opensc-tool -a
Using reader with a card: Generic Usb Smart Card Reader 0
3b:ff:18:00:ff:c1:0a:31:fe:55:00:6b:05:08:c8:0c:01:11:01:43:4e:53:10:31:80:05

> I don't know much about the Italian infrastructure.
> What is the difference between your cards and theirs?

There are more recent cards around, issued by another certification
authority (under the same CNS specifications and for the same usage as
"European Health Insurance Card"), but mine appears to be the same
CardOS as Shaun Schutte's one.

>
> Now that you started over without the vendor's drivers,
> and a clean cert store,

I have to try in this condition as well.

rob





Re: OpenSC Internet Explorer

Shaun Schutte (TIS innovation park)
In reply to this post by Douglas E Engert



> Now that you started over without the vendor's drivers, and a clean cert store,
> can you try
> certutil.exe -SCinfo should show the certs at least.

The output of certutil.exe -SCInfo is the following:

C:\Users\IEUser>certutil.exe -SCInfo
The Microsoft Smart Card Resource Manager is running.
Current reader/card status:
Readers: 1
  0: ACS CCID USB Reader 0
--- Reader: ACS CCID USB Reader 0
--- Status: SCARD_STATE_PRESENT | SCARD_STATE_INUSE
--- Status: The card is being shared by a process.
---   Card: OpenSC Carta Nazionale dei Servizi (CardOS)
---    ATR:
        3b ff 18 00 ff c1 0a 31  fe 55 00 6b 05 08 c8 0c   ;......1.U.k....
        01 11 01 43 4e 53 10 31  80 05                     ...CNS.1..


=======================================================
Analyzing card in reader: ACS CCID USB Reader 0
2014-10-27 06:50:26.149 set 'cmapfile'
2014-10-27 06:50:41.264 set 'cmapfile'

--------------===========================--------------
================ Certificate 0 ================
--- Reader: ACS CCID USB Reader 0
---   Card: OpenSC Carta Nazionale dei Servizi (CardOS)
Provider = Microsoft Base Smart Card Crypto Provider
Key Container = (null) [Default Container]

2014-10-27 06:50:57.777 set 'cmapfile'
2014-10-27 06:51:04.436 set 'cmapfile'
2014-10-27 06:51:19.819 set 'cmapfile'
Cannot open the AT_SIGNATURE key for reader: ACS CCID USB Reader 0
2014-10-27 06:53:55.694 set 'cmapfile'
2014-10-27 06:53:56.966 set 'cmapfile'
2014-10-27 06:53:58.230 set 'cmapfile'
Cannot open the AT_KEYEXCHANGE key for reader: ACS CCID USB Reader 0
SCardGetCardTypeProviderName: The system cannot find the file specified. 0x2 (WIN32: 2)
Cannot retrieve Provider Name for OpenSC Carta Nazionale dei Servizi (CardOS)
--------------===========================--------------

Done.
CertUtil: -SCInfo command completed successfully.




> It should put up a "Windows Security", "Microsoft Smart Card Provider" window prompting for a PIN so it can verify the private key on the card
> matches the certificate. (You can cancel the prompt, and it will go on to the next certificate.)

This is true, a window does pop up but it is not "Windows Security" or "Microsoft Smart Card Provider" prompting for a PIN, but rather a window that simply says "Insert a smart card";
"Smart card inserted" : Carta Nazionale dei Servizi (CardOS)
"Smart card status" : A smart card was detected but is not required for the current operation. The smart card you are using may be missing required driver software or a required certificate.
Scrot attached to this email.


> The issue could also be the certificate trust chain. Is your CA in the trusted certificates?

No the CA is unfortunately not there.


> Internet options->Content->certificates->Personal
> Or
> certutil.exe -user -store "My"

Running the command works however nothing gets imported into the certificate trust chain. However, when using the proprietary drivers, you are prompted to "save" the certificate when using IE and then the certificate is stored correctly and listed in IE. (This I checked when I installed the Siemens drivers so I could compare it with OpenSC, however now the testing environment and the certificate store is free from any Siemens drivers and the cert store empty. Clean Windows 7 installation).

The province of Trentino and Alto Adige use the exact same cards, as Roberto Resoli can confirm.


> -1408 is SC_ERROR_NOT_SUPPORTED
>
> If you can get the opensc.conf debug to work, that would help find this.
>
> Although the example in opensc.conf may show:
> debug_file = %TEMP%\opensc-debug.log
>
> the minidriver will be run from system processes where %TEMP% is not set.
> So for now, make it an absolute path like C:\tmp\opensc-debug.log
> It must also be writable by everyone for now.

Check.
I have set both log files to write to C:\tmp, full permissions are enabled (I had that issue with nothing writing to md.log before and the permissions were the cause.)

However I cannot get opensc to output anything to the opensc-debug.log. It is as if running certutil, or starting IE, no calls are made to the minidriver.dll.

I can confirm what Roberto is experiencing:

> =======================================================
> Analisi della scheda nel lettore: Generic Usb Smart Card Reader 0
> SCardGetCardTypeProviderName: Impossibile trovare il file specificato. 0x2 (WIN32: 2)
> Impossibile recuperare il nome del provider per
> SCardGetCardTypeProviderName: Impossibile trovare il file specificato. 0x2 (WIN32: 2)
> Impossibile recuperare il nome del provider per
> --------------===========================--------------
>
> Eseguito.
> CertUtil: comando -SCInfo NON RIUSCITO: 0x2 (WIN32: 2)
> CertUtil: Impossibile trovare il file specificato.
> -------------
>
> No SmartCard driver installation is triggered, nor is any md.log generated.

The only way I have gotten some kind of output from OpenSC is to run it under Windows Debugger. It is part of the Windows SDK kit, and when running certutil with -SCInfo as argument I am at least getting a lot of information, which I hope might bring us a little closer to solving this issue. The log file is attached, and here seems to be something interesting from the log:

2014-10-20 05:05:14.037 trying driver 'itacns'
2014-10-20 05:05:14.037 ATR     : 3b:ff:18:00:ff:c1:0a:31:fe:55:00:6b:05:08:c8:0c:01:11:01:43:4e:53:10:31:80:05
2014-10-20 05:05:14.037 ATR try : 3b:f4:18:00:ff:81:31:80:55:00:31:80:00:c7
2014-10-20 05:05:14.037 ignored - wrong length
2014-10-20 05:05:14.037 Matching 3b against atr[0] == 3b
2014-10-20 05:05:14.037 Matching 31 against atr[7] == 31
2014-10-20 05:05:14.037 Matching 0 against atr[10] == 0
2014-10-20 05:05:14.037 Matching 6b against atr[11] == 6b
2014-10-20 05:05:14.037 Matching 1 against atr[16] == 1
2014-10-20 05:05:14.037 Matching 43 against atr[19] == 43
2014-10-20 05:05:14.037 Matching 4e against atr[20] == 4e
2014-10-20 05:05:14.037 Matching 53 against atr[21] == 53
2014-10-20 05:05:14.037 Matching 31 against atr[23] == 31
2014-10-20 05:05:14.037 Matching 80 against atr[24] == 80
2014-10-20 05:05:14.037 matched: Italian CNS
2014-10-20 05:05:14.037 [opensc-pkcs11] card-itacns.c:205:itacns_init: called
2014-10-20 05:05:14.037 ATR     : 3b:ff:18:00:ff:c1:0a:31:fe:55:00:6b:05:08:c8:0c:01:11:01:43:4e:53:10:31:80:05
2014-10-20 05:05:14.037 ATR try : 3b:f4:18:00:ff:81:31:80:55:00:31:80:00:c7
2014-10-20 05:05:14.037 ignored - wrong length
2014-10-20 05:05:14.037 Matching 3b against atr[0] == 3b
2014-10-20 05:05:14.037 Matching 31 against atr[7] == 31
2014-10-20 05:05:14.037 Matching 0 against atr[10] == 0
2014-10-20 05:05:14.037 Matching 6b against atr[11] == 6b
2014-10-20 05:05:14.037 Matching 1 against atr[16] == 1
2014-10-20 05:05:14.037 Matching 43 against atr[19] == 43
2014-10-20 05:05:14.037 Matching 4e against atr[20] == 4e
2014-10-20 05:05:14.037 Matching 53 against atr[21] == 53
2014-10-20 05:05:14.047 Matching 31 against atr[23] == 31
2014-10-20 05:05:14.047 Matching 80 against atr[24] == 80
2014-10-20 05:05:14.047 card info name:'CNS card', type:23002, flags:0x0, max_send/recv_size:0/0
2014-10-20 05:05:14.047 [opensc-pkcs11] card.c:1220:sc_card_sm_check: called
2014-10-20 05:05:14.047 card->sm_ctx.ops.open 00000000
2014-10-20 05:05:14.047 [opensc-pkcs11] card.c:1226:sc_card_sm_check: returning with: 0 (Success)
2014-10-20 05:05:14.047 [opensc-pkcs11] card.c:250:sc_connect_card: returning with: 0 (Success)
2014-10-20 05:05:14.047 ACS CCID USB Reader 0: Connected SC card 061AE178
2014-10-20 05:05:14.047 [opensc-pkcs11] dir.c:140:sc_enum_apps: called
2014-10-20 05:05:14.047 called; type=2, path=3f002f00
2014-10-20 05:05:14.047 [opensc-pkcs11] card-itacns.c:473:itacns_select_file: called
2014-10-20 05:05:14.047 [opensc-pkcs11] apdu.c:559:sc_transmit_apdu: called
2014-10-20 05:05:14.047 [opensc-pkcs11] card.c:325:sc_lock: called
2014-10-20 05:05:14.047 [opensc-pkcs11] reader-pcsc.c:517:pcsc_lock: called
2014-10-20 05:05:14.047 [opensc-pkcs11] apdu.c:526:sc_transmit: called
2014-10-20 05:05:14.047 [opensc-pkcs11] apdu.c:380:sc_single_transmit: called
2014-10-20 05:05:14.047 CLA:0, INS:A4, P1:8, P2:0, data(2) 0016C86A
2014-10-20 05:05:14.047 reader 'ACS CCID USB Reader 0'

The itacns is simply the registry entry that contains the following:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Calais\SmartCards\OpenSC Carta Nazionale dei Servizi (CardOS)]
"ATR"=hex:3b,ff,18,00,ff,c1,0a,31,fe,55,00,6b,05,08,c8,00,01,00,01,43,4e,53,10,31,80,05
"ATRMask"=hex:ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,00,ff,00,ff,ff,ff,ff,ff,ff,ff,00
"Crypto Provider"="Microsoft Base Smart Card Crypto Provider"
"80000001"="opensc-minidriver.dll"

What other information could we provide that could make troubleshooting this a little easier?

Getting the opensc-logging to work would certainly help. I am betting that when I run Firefox and authenticate myself to the website, the log file will get filled up pretty quickly; with certutil and/or IE nothing gets written.


Hello,
I work for the Trento Municipality in the nearby Trentino Province; I own
a CNS and am very interested in your GUI. I would be happy to help.

bye
rob

Sure thing, all help is appreciated and it's all FOSS, you can check it out here:

https://github.com/tis-innovation-park/OpenSC-GUI/

--
shaun






On 10/24/2014 7:39 AM, Shaun Schutte wrote:

No, but it uses the certificate store. You can also see the certificate store from the internet options.
certutil.exe -store MY can show a user's certs.

Ok thank you for the information,




With firefox, can you see the certificates without entering the PIN?

No, a PIN is always required to access the cert on the card.

It's the same question as above: can you read the certificate before having to use the PIN? The PIN is
needed to use the keys, and see some of the objects on the card.

Under tools->options->view certificates can you see the certificates on the card without having
to enter the PIN?

Sorry about that, I misunderstood the question.
Yes, under Firefox tools->options->view certificates I can see/read the certificate without entering the PIN.


--

shaun



--

Shaun Schutte
Free Software & Open Technologies
Developer

TIS innovation park
Via Siemens 19 | 39100 Bolzano | Italia
Siemensstraße 19 | 39100 Bozen | Italien
T +39 0471 068101    F +39 0471 068100
[hidden email]  www.tis.bz.it





opensc-minidriver-issue.png (1M) Download Attachment
opensc-debug.log (549K) Download Attachment
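
The registry entry in this post and the card ATR reported in the debug log are not byte-identical; ATRMask decides which bytes count. The check below is an added example (not part of the original post and not OpenSC code) that assumes a masked comparison in which only bits set in ATRMask are compared; the function names are illustrative.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ATR_MAX 33 /* longest ATR allowed by ISO/IEC 7816-3 */

/* Copied from the thread: the two .reg values and the ATR in the debug log. */
static const char REG_ATR[] =
    "hex:3b,ff,18,00,ff,c1,0a,31,fe,55,00,6b,05,08,c8,00,01,00,01,43,4e,53,10,31,80,05";
static const char REG_MASK[] =
    "hex:ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,00,ff,00,ff,ff,ff,ff,ff,ff,ff,00";
static const char CARD_ATR[] =
    "3b:ff:18:00:ff:c1:0a:31:fe:55:00:6b:05:08:c8:0c:01:11:01:43:4e:53:10:31:80:05";
/* The 14-byte "ATR try" from the same log, used here as a non-matching input. */
static const char OTHER_ATR[] = "3b:f4:18:00:ff:81:31:80:55:00:31:80:00:c7";

static int hex_val(char c)
{
    if (c >= '0' && c <= '9') return c - '0';
    c = (char)tolower((unsigned char)c);
    return (c >= 'a' && c <= 'f') ? c - 'a' + 10 : -1;
}

/* Parse "hex:aa,bb" (.reg style) or "aa:bb" (log style). Returns the byte
 * count, or -1 on malformed input or when more than cap bytes are present. */
static int parse_hex_bytes(const char *s, uint8_t *out, size_t cap)
{
    size_t n = 0;

    if (strncmp(s, "hex:", 4) == 0)
        s += 4;
    while (*s != '\0') {
        int hi = hex_val(s[0]);
        int lo = hi < 0 ? -1 : hex_val(s[1]);
        if (lo < 0 || n == cap)
            return -1;
        out[n++] = (uint8_t)(hi << 4 | lo);
        s += 2;
        if (*s == ',' || *s == ':')
            s++;
        else if (*s != '\0')
            return -1;
    }
    return (int)n;
}

/* Compare a card ATR with the registry entry. Returns 1 on match, 0 on
 * mismatch, -1 on unparsable input. ignored[] (ATR_MAX slots) receives the
 * offsets where the bytes differ but ATRMask hides the difference. */
static int check_card_against_entry(const char *card_text,
                                    size_t *ignored, size_t *n_ignored)
{
    uint8_t card[ATR_MAX], reg[ATR_MAX], mask[ATR_MAX];
    int card_len = parse_hex_bytes(card_text, card, sizeof card);
    int reg_len = parse_hex_bytes(REG_ATR, reg, sizeof reg);
    int mask_len = parse_hex_bytes(REG_MASK, mask, sizeof mask);
    int i;

    *n_ignored = 0;
    if (card_len <= 0 || reg_len <= 0 || mask_len != reg_len)
        return -1;
    if (card_len != reg_len)
        return 0;
    for (i = 0; i < reg_len; i++) {
        uint8_t diff = (uint8_t)(card[i] ^ reg[i]);
        if (diff & mask[i])
            return 0;              /* differs in a bit the mask compares */
        if (diff)
            ignored[(*n_ignored)++] = (size_t)i;
    }
    return 1;
}

int main(void)
{
    size_t ignored[ATR_MAX], n, i;

    printf("card ATR  : %d\n", check_card_against_entry(CARD_ATR, ignored, &n));
    for (i = 0; i < n; i++)
        printf("  offset %zu differs, hidden by mask\n", ignored[i]);
    printf("other ATR : %d\n", check_card_against_entry(OTHER_ATR, ignored, &n));
    return 0;
}
```

For the values in the thread the card matches the entry, and offsets 15 and 17 are the only bytes that differ between the two.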

Re: OpenSC Internet Explorer

Roberto Resoli-2
Hello,

some comments in the relevant places follow:

On 27/10/2014 15:41, Shaun Schutte wrote:

>
>
>>
>> Now that you started over without the vendor's drivers, and a clean
>> cert store,
>> can you try
>> certutil.exe -SCinfo should show the certs at least.
>
> The output of certutil.exe -SCInfo is the following:
>
>> C:\Users\IEUser>certutil.exe -SCInfo
>> The Microsoft Smart Card Resource Manager is running.
>> Current reader/card status:
>> Readers: 1
>>   0: ACS CCID USB Reader 0
>> --- Reader: ACS CCID USB Reader 0
>> --- Status: SCARD_STATE_PRESENT | SCARD_STATE_INUSE
>> --- Status: The card is being shared by a process.
>> ---   Card: OpenSC Carta Nazionale dei Servizi (CardOS)
>> ---    ATR:
>>         3b ff 18 00 ff c1 0a 31  fe 55 00 6b 05 08 c8 0c ;......1.U.k....
>>         01 11 01 43 4e 53 10 31  80 05 ...CNS.1..
>>
>>
>> =======================================================
>> Analyzing card in reader: ACS CCID USB Reader 0

The following lines are lacking in my tests:

>> 2014-10-27 06:50:26.149 set 'cmapfile'
>> 2014-10-27 06:50:41.264 set 'cmapfile'
>>
>> --------------===========================--------------

The following seems promising ...

>> ================ Certificate 0 ================
>> --- Reader: ACS CCID USB Reader 0
>> ---   Card: OpenSC Carta Nazionale dei Servizi (CardOS)
>> Provider = Microsoft Base Smart Card Crypto Provider
>> Key Container = (null) [Default Container]
>>
>> 2014-10-27 06:50:57.777 set 'cmapfile'
>> 2014-10-27 06:51:04.436 set 'cmapfile'
>> 2014-10-27 06:51:19.819 set 'cmapfile'
>> Cannot open the AT_SIGNATURE key for reader: ACS CCID USB Reader 0
>> 2014-10-27 06:53:55.694 set 'cmapfile'
>> 2014-10-27 06:53:56.966 set 'cmapfile'
>> 2014-10-27 06:53:58.230 set 'cmapfile'

Unfortunately the error below is the same as mine:

>> Cannot open the AT_KEYEXCHANGE key for reader: ACS CCID USB Reader 0
>> SCardGetCardTypeProviderName: The system cannot find the file
>> specified. 0x2 (WI
>> N32: 2)
>> Cannot retrieve Provider Name for OpenSC Carta Nazionale dei Servizi
>> (CardOS)
>> --------------===========================--------------
>>
>> Done.
>> CertUtil: -SCInfo command completed successfully.
>
>
>
>>
>> It should put up a "Windows Security", "Microsoft Smart Card Provider"
>> window prompting for a PIN so it can verify the private key on the card
>> matches the certificate. (You can cancel the prompt, and it will go on
>> to the next certificate.)
>
> This is true, a window does pop up but it is not "Windows Security" or
> "Microsoft Smart Card Provider" prompting for a PIN, but rather a window
> that simply says "Insert a smart card";
> "Smart card inserted" : Carta Nazionale dei Servizi (CardOS)
> "Smart card status" : A smart card was detected but is not required for
> the current operation. The smart card you are using may be missing
> required driver software or a required certificate.
> Scrot attached to this email.
>
>>
>> The issue could also be the certificate trust chain. Is your CA in the
>> trusted certificates?

I guess from the screenshot that the "Cannot open the AT_KEYEXCHANGE key
for reader: ACS CCID USB Reader 0" appears after you answer the prompt
in some way; is it correct?

> No the CA is unfortunately not there.

I can't find the issuing CA on

http://www.provincia.bz.it/cartaservizi/download.asp

Where may I find it?

"Provincia Autonoma di Trento" CA certificates are linked at the bottom of:

http://www.cartaservizi.provincia.tn.it/scarica_software/



Could you send me your personal certificate as an attachment, extracted using:

$ pkcs11-tool --module </path/of/opensc-pkcs11> -r -a CNS0 -y cert > your.cert

or

$ pkcs15-tool -r 01 > your.pem.cert

as you prefer?


> The province of Trentino and Alto Adige use the exact same cards, as
> Roberto Resoli can confirm.

yes, the first bunch of cards, CardOS M4, issued by PosteCom CA

>> -1408 is SC_ERROR_NOT_SUPPORTED
>>
>> If you can get the opensc.conf debug to work, that would help find this.
>>
>> Although the example in opensc.conf may show:
>> debug_file = %TEMP%\opensc-debug.log
>>
>> the minidriver will be run from system processes where %TEMP% is not set.
>> So for now, make it an absolute path like C:\tmp\opensc-debug.log
>> It must also be writable by everyone for now.

In my case opensc debug log works, what is the full path of the
opensc.conf file you modified?

> Check.
> I have set both log files to write to C:\tmp, full permissions are
> enabled (I had that issue with nothing writing to md.log before and the
> permissions were the cause.)

I have to recheck permission, no md.log for me.

...

> I can confirm what Roberto is experiencing:
>
>> =======================================================
>> Analisi della scheda nel lettore: Generic Usb Smart Card Reader 0
>> SCardGetCardTypeProviderName: Impossibile trovare il file specificato.
>> 0x2 (WIN32: 2)
>> Impossibile recuperare il nome del provider per
>> SCardGetCardTypeProviderName: Impossibile trovare il file specificato. 0
>> x2 (WIN32: 2)
>> Impossibile recuperare il nome del provider per
>> --------------===========================--------------
>>
>> Eseguito.
>> CertUtil: comando -SCInfo NON RIUSCITO: 0x2 (WIN32: 2)
>> CertUtil: Impossibile trovare il file specificato.
>> -------------

without certificate related lines, nor any prompt, in my case.

>> No SmartCard driver installation is triggered, nor any md.log is generated.
>
> The only way I have gotten some kind of output from OpenSC, is to run it
> under Windows Debugger.

will try this as well

> It is part of the Windows SDK kit, and when
> running certutil with -SCInfo as argument I am at least getting a lot
> of information, which I hope might bring us a little closer to solving
> this issue, the log file is attached and here seems to be something
> interesting from the log:
>
>> 2014-10-20 05:05:14.037 trying driver 'itacns'
>> 2014-10-20 05:05:14.037 ATR     :
>> 3b:ff:18:00:ff:c1:0a:31:fe:55:00:6b:05:08:c8:0c:01:11:01:43:4e:53:10:31:80:05
>>
...
>
> The itacns is simply the registry entry that contains the following:

itacns is the opensc driver contributed by Emanuele Pucciarelli, who
unfortunately no longer seems to follow this list.

...

>> Hello,
>> I work for the Trento Municipality in the nearby Trentino Province; I own
>> a CNS and am very interested in your GUI. I would be happy to help.
>>
>> bye
>> rob
>
> Sure thing, all help is appreciated and it's all FOSS, you can check it
> out here:
>
> https://github.com/tis-innovation-park/OpenSC-GUI/

Yes, I will try it ASAP.

bye,
rob



Re: OpenSC Internet Explorer

Douglas E Engert
In reply to this post by Shaun Schutte (TIS innovation park)
OK, this helps a lot. The card itacns.c does not support reading a serial number.

Anyone want to add the code?

Windows, and thus the minidriver, needs a unique GUID for a card, because of the way
it works. It stores in the Microsoft certificate stash the certificate and a GUID that represents
the card that has the private key. Thus it can find a certificate without the card, then ask to have
the card inserted.

The card-itacns.c or pkcs15-itacns.c does not have the needed code to get the GUID.


In the opensc-debug.log:

601: 2014-10-20 05:05:14.037 matched: Italian CNS
602: 2014-10-20 05:05:14.037 [opensc-pkcs11] card-itacns.c:205:itacns_init: called

617: 2014-10-20 05:05:14.047 card info name:'CNS card', type:23002, flags:0x0, max_send/recv_size:0/0

   type 23002 = SC_CARD_TYPE_ITACNS_CNS

7376: 2014-10-20 05:19:25.699 [cardmod] pkcs15.c:2701:sc_pkcs15_get_object_guid: called

   (minidriver requesting the GUID used on Windows to identify the card. On cards that do not have a GUID,
    the serial number of the card is used to derive the equivalent of a GUID.)

7377: 2014-10-20 05:19:25.699 [cardmod] card.c:769:sc_card_ctl: called

7378: 2014-10-20 05:19:25.699 card_ctl(5) not supported
7379: 2014-10-20 05:19:25.699 [cardmod] pkcs15.c:2728:sc_pkcs15_get_object_guid: 'GET_SERIALNR' failed: -1408 (Not supported)
7380: 2014-10-20 05:19:25.699 sc_pkcs15_get_object_guid() error -1408
7381: 2014-10-20 05:19:25.699
7382:  P:1084 T:3100 pCardData:0246E460 hScard=0xEA040000 hSCardCtx=0xCD020002 CardDeleteContext
7383: 2014-10-20 05:19:25.699 disassociate_card

The card-itacns.c does not support the card_ctl and thus does not support SC_CARDCTL_GET_SERIALNR.

For cards that do not have a serial number, but do have some other data on the card that is unique,
there is a pkcs15->ops.get_guid function. (The piv.c is the only one that does,
as the PIV card does not have a serial number, but does have a CHUID with either a GUID or the FASCN that
is used to derive a GUID.) See pkcs15-piv.c piv_get_guid and how it is set:
p15card->ops.get_guid = piv_get_guid;

So someone who knows the CNS code needs to implement a get_guid, or a card_ctl function that supports
SC_CARDCTL_GET_SERIALNR.


As another test,
The opensc-tool --serial
will show the serial number or "sc_card_ctl(*, SC_CARDCTL_GET_SERIALNR, *) failed\n"



On 10/27/2014 9:41 AM, Shaun Schutte wrote:

>
>
>>
>> Now that you started over without the vendor's drivers, and a clean cert store,
>> can you try
>> certutil.exe -SCinfo should show the certs at least.
>
> The output of certutil.exe -SCInfo is the following:
>
>> C:\Users\IEUser>certutil.exe -SCInfo
>> The Microsoft Smart Card Resource Manager is running.
>> Current reader/card status:
>> Readers: 1
>>   0: ACS CCID USB Reader 0
>> --- Reader: ACS CCID USB Reader 0
>> --- Status: SCARD_STATE_PRESENT | SCARD_STATE_INUSE
>> --- Status: The card is being shared by a process.
>> ---   Card: OpenSC Carta Nazionale dei Servizi (CardOS)
>> ---    ATR:
>>         3b ff 18 00 ff c1 0a 31  fe 55 00 6b 05 08 c8 0c ;......1.U.k....
>>         01 11 01 43 4e 53 10 31  80 05 ...CNS.1..
>>
>>
>> =======================================================
>> Analyzing card in reader: ACS CCID USB Reader 0
>> 2014-10-27 06:50:26.149 set 'cmapfile'
>> 2014-10-27 06:50:41.264 set 'cmapfile'
>>
>> --------------===========================--------------
>> ================ Certificate 0 ================
>> --- Reader: ACS CCID USB Reader 0
>> ---   Card: OpenSC Carta Nazionale dei Servizi (CardOS)
>> Provider = Microsoft Base Smart Card Crypto Provider
>> Key Container = (null) [Default Container]
>>
>> 2014-10-27 06:50:57.777 set 'cmapfile'
>> 2014-10-27 06:51:04.436 set 'cmapfile'
>> 2014-10-27 06:51:19.819 set 'cmapfile'
>> Cannot open the AT_SIGNATURE key for reader: ACS CCID USB Reader 0
>> 2014-10-27 06:53:55.694 set 'cmapfile'
>> 2014-10-27 06:53:56.966 set 'cmapfile'
>> 2014-10-27 06:53:58.230 set 'cmapfile'
>> Cannot open the AT_KEYEXCHANGE key for reader: ACS CCID USB Reader 0
>> SCardGetCardTypeProviderName: The system cannot find the file specified. 0x2 (WI
>> N32: 2)
>> Cannot retrieve Provider Name for OpenSC Carta Nazionale dei Servizi (CardOS)
>> --------------===========================--------------
>>
>> Done.
>> CertUtil: -SCInfo command completed successfully.
>
>
>
>>
>> It should put up a "Windows Security", "Microsoft Smart Card Provider" window prompting for a PIN so it can verify the private key on the card
>> matches the certificate. (You can cancel the prompt, and it will go on to the next certificate.)
>
> This is true, a window does pop up but it is not "Windows Security" or "Microsoft Smart Card Provider" prompting for a PIN, but rather a window that simply says "Insert a smart card";
> "Smart card inserted" : Carta Nazionale dei Servizi (CardOS)
> "Smart card status" : A smart card was detected but is not required for the current operation. The smart card you are using may be missing required driver software or a required certificate.
> Scrot attached to this email.
>
>>
>> The issue could also be the certificate trust chain. Is your CA in the trusted certificates?
>
> No the CA is unfortunately not there.
>
>>
>> Internet options->Content->certificates->Personal
>> Or
>> certutil.exe -user -store "My"
>
> Running the command works however nothing gets imported into the certificate trust chain. However, when using the proprietary drivers, you are prompted to "save" the certificate
>   when using IE and then the certificate is stored correctly and listed in IE. (This I checked when I installed the Siemens drivers so I could compare it with OpenSC, however now the testing
> environment and the certificate store is free from any Siemens drivers and the cert store empty. Clean Windows 7 installation).
>
> The province of Trentino and Alto Adige use the exact same cards, as Roberto Resoli can confirm.
>
>>
>> -1408 is SC_ERROR_NOT_SUPPORTED
>>
>> If you can get the opensc.conf debug to work, that would help find this.
>>
>> Although the example in opensc.conf may show:
>> debug_file = %TEMP%\opensc-debug.log
>>
>> the minidriver will be run from system processes where %TEMP% is not set.
>> So for now, make it an absolute path like C:\tmp\opensc-debug.log
>> It must also be writable by everyone for now.
>
> Check.
> I have set both log files to write to C:\tmp, full permissions are enabled (I had that issue with nothing writing to md.log before and the permissions were the cause.)
>
> However I cannot get opensc to output anything to the opensc-debug.log. It is as if running certutil, or starting IE, no calls are made to the minidriver.dll.
>
> I can confirm what Roberto is experiencing:
>
>> =======================================================
>> Analisi della scheda nel lettore: Generic Usb Smart Card Reader 0
>> SCardGetCardTypeProviderName: Impossibile trovare il file specificato.
>> 0x2 (WIN32: 2)
>> Impossibile recuperare il nome del provider per
>> SCardGetCardTypeProviderName: Impossibile trovare il file specificato. 0
>> x2 (WIN32: 2)
>> Impossibile recuperare il nome del provider per
>> --------------===========================--------------
>>
>> Eseguito.
>> CertUtil: comando -SCInfo NON RIUSCITO: 0x2 (WIN32: 2)
>> CertUtil: Impossibile trovare il file specificato.
>> -------------
>>
>> No SmartCard driver installation is triggered, nor any md.log is generated.
>
> The only way I have gotten some kind of output from OpenSC, is to run it under Windows Debugger. It is part of the Windows SDK kit, and when running certutil with -SCInfo as argument I am at least
> getting a lot of information, which I hope might bring us a little closer to solving this issue, the log file is attached and here seems to be something interesting from the log:
>
>> 2014-10-20 05:05:14.037 trying driver 'itacns'
>> 2014-10-20 05:05:14.037 ATR     : 3b:ff:18:00:ff:c1:0a:31:fe:55:00:6b:05:08:c8:0c:01:11:01:43:4e:53:10:31:80:05
>> 2014-10-20 05:05:14.037 ATR try : 3b:f4:18:00:ff:81:31:80:55:00:31:80:00:c7
>> 2014-10-20 05:05:14.037 ignored - wrong length
>> 2014-10-20 05:05:14.037 Matching 3b against atr[0] == 3b
>> 2014-10-20 05:05:14.037 Matching 31 against atr[7] == 31
>> 2014-10-20 05:05:14.037 Matching 0 against atr[10] == 0
>> 2014-10-20 05:05:14.037 Matching 6b against atr[11] == 6b
>> 2014-10-20 05:05:14.037 Matching 1 against atr[16] == 1
>> 2014-10-20 05:05:14.037 Matching 43 against atr[19] == 43
>> 2014-10-20 05:05:14.037 Matching 4e against atr[20] == 4e
>> 2014-10-20 05:05:14.037 Matching 53 against atr[21] == 53
>> 2014-10-20 05:05:14.037 Matching 31 against atr[23] == 31
>> 2014-10-20 05:05:14.037 Matching 80 against atr[24] == 80
>> 2014-10-20 05:05:14.037 matched: Italian CNS
>> 2014-10-20 05:05:14.037 [opensc-pkcs11] card-itacns.c:205:itacns_init: called
>> 2014-10-20 05:05:14.037 ATR     : 3b:ff:18:00:ff:c1:0a:31:fe:55:00:6b:05:08:c8:0c:01:11:01:43:4e:53:10:31:80:05
>> 2014-10-20 05:05:14.037 ATR try : 3b:f4:18:00:ff:81:31:80:55:00:31:80:00:c7
>> 2014-10-20 05:05:14.037 ignored - wrong length
>> 2014-10-20 05:05:14.037 Matching 3b against atr[0] == 3b
>> 2014-10-20 05:05:14.037 Matching 31 against atr[7] == 31
>> 2014-10-20 05:05:14.037 Matching 0 against atr[10] == 0
>> 2014-10-20 05:05:14.037 Matching 6b against atr[11] == 6b
>> 2014-10-20 05:05:14.037 Matching 1 against atr[16] == 1
>> 2014-10-20 05:05:14.037 Matching 43 against atr[19] == 43
>> 2014-10-20 05:05:14.037 Matching 4e against atr[20] == 4e
>> 2014-10-20 05:05:14.037 Matching 53 against atr[21] == 53
>> 2014-10-20 05:05:14.047 Matching 31 against atr[23] == 31
>> 2014-10-20 05:05:14.047 Matching 80 against atr[24] == 80
>> 2014-10-20 05:05:14.047 card info name:'CNS card', type:23002, flags:0x0, max_send/recv_size:0/0
>> 2014-10-20 05:05:14.047 [opensc-pkcs11] card.c:1220:sc_card_sm_check: called
>> 2014-10-20 05:05:14.047 card->sm_ctx.ops.open 00000000
>> 2014-10-20 05:05:14.047 [opensc-pkcs11] card.c:1226:sc_card_sm_check: returning with: 0 (Success)
>> 2014-10-20 05:05:14.047 [opensc-pkcs11] card.c:250:sc_connect_card: returning with: 0 (Success)
>> 2014-10-20 05:05:14.047 ACS CCID USB Reader 0: Connected SC card 061AE178
>> 2014-10-20 05:05:14.047 [opensc-pkcs11] dir.c:140:sc_enum_apps: called
>> 2014-10-20 05:05:14.047 called; type=2, path=3f002f00
>> 2014-10-20 05:05:14.047 [opensc-pkcs11] card-itacns.c:473:itacns_select_file: called
>> 2014-10-20 05:05:14.047 [opensc-pkcs11] apdu.c:559:sc_transmit_apdu: called
>> 2014-10-20 05:05:14.047 [opensc-pkcs11] card.c:325:sc_lock: called
>> 2014-10-20 05:05:14.047 [opensc-pkcs11] reader-pcsc.c:517:pcsc_lock: called
>> 2014-10-20 05:05:14.047 [opensc-pkcs11] apdu.c:526:sc_transmit: called
>> 2014-10-20 05:05:14.047 [opensc-pkcs11] apdu.c:380:sc_single_transmit: called
>> 2014-10-20 05:05:14.047 CLA:0, INS:A4, P1:8, P2:0, data(2) 0016C86A
>> 2014-10-20 05:05:14.047 reader 'ACS CCID USB Reader 0'
>
> The itacns is simply the registry entry that contains the following:
>
>> [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Calais\SmartCards\OpenSC Carta Nazionale dei Servizi (CardOS)]
>> "ATR"=hex:3b,ff,18,00,ff,c1,0a,31,fe,55,00,6b,05,08,c8,00,01,00,01,43,4e,53,10,31,80,05
>> "ATRMask"=hex:ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,00,ff,00,ff,ff,ff,ff,ff,ff,ff,00
>> "Crypto Provider"="Microsoft Base Smart Card Crypto Provider"
>> "80000001"="opensc-minidriver.dll"
>
> What other information could we provide that could make troubleshooting this a little easier?
>
> Getting the opensc-logging to work would certainly help. I am betting that when I run Firefox and authenticate myself to the website, the log file will get filled up pretty quickly; with certutil
> and/or IE nothing gets written.
>
>
>> Hello,
>> I work for the Trento Municipality in the nearby Trentino Province; I own
>> a CNS and am very interested in your GUI. I would be happy to help.
>>
>> bye
>> rob
>
> Sure thing, all help is appreciated and it's all FOSS, you can check it out here:
>
> https://github.com/tis-innovation-park/OpenSC-GUI/
>
> --
> shaun
>
>
>>
>>
>>
>>
>> On 10/24/2014 7:39 AM, Shaun Schutte wrote:
>>>
>>>> No, but it uses the certificate store. You can also see the certificate store from the internet options.
>>>> certutil.exe -store MY can show a user's certs.
>>>
>>> Ok thank you for the information,
>>>
>>>>
>>>>>
>>>>>>
>>>>>> With firefox, can you see the certificates without entering the PIN?
>>>>>
>>>>> No, a PIN is always required to access the cert on the card.
>>>>
>>>> It's the same question as above: can you read the certificate before having to use the PIN? The PIN is
>>>> needed to use the keys, and see some of the objects on the card.
>>>>
>>>> Under tools->options->view certificates can you see the certificates on the card without having
>>>> to enter the PIN?
>>>
>>> Sorry about that, I misunderstood the question.
>>> Yes, under Firefox tools->options->view certificates I can see/read the certificate without entering the PIN.
>>>
>>>
>>> --
>>>
>>> shaun
>>
>
>
> --
>
> Shaun Schutte
> Free Software & Open Technologies
> Developer
>
> TIS innovation park
> Via Siemens 19 | 39100 Bolzano | Italia
> Siemensstraße 19 | 39100 Bozen | Italien
> T +39 0471 068101    F +39 0471 068100
> [hidden email]  www.tis.bz.it
>
>
>

--

  Douglas E. Engert  <[hidden email]>
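
The failure path described in the message above (no get_guid hook and no card_ctl, hence -1408) and the two ways of closing it, modelled as an added example that is neither OpenSC code nor part of the original message. Every demo_ name is a stand-in, the serial bytes are constructed, and the hex identifier is a placeholder for the real GUID derivation.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Numbers as they appear in the log quoted in the thread. */
#define DEMO_CTL_GET_SERIALNR  5UL     /* logged as "card_ctl(5)" */
#define DEMO_ERR_NOT_SUPPORTED (-1408) /* logged as "Not supported" */
#define DEMO_ERR_INVALID       (-1)    /* constructed for this example */

struct demo_serial { unsigned char value[16]; size_t len; };
struct demo_card;

/* Stand-ins for the two hooks named in the thread: card_ctl and get_guid. */
typedef int (*demo_card_ctl_fn)(struct demo_card *, unsigned long, void *);
typedef int (*demo_get_guid_fn)(struct demo_card *, char *, size_t);

struct demo_card {
    demo_card_ctl_fn card_ctl;  /* NULL models the itacns driver in the thread */
    demo_get_guid_fn get_guid;  /* NULL unless the card has other unique data */
    struct demo_serial serial;  /* constructed bytes, not read from a card */
};

/* Generic dispatcher: a driver without the hook yields "not supported". */
static int demo_card_ctl(struct demo_card *card, unsigned long cmd, void *arg)
{
    if (card->card_ctl == NULL)
        return DEMO_ERR_NOT_SUPPORTED;
    return card->card_ctl(card, cmd, arg);
}

/* Placeholder derivation (hex of the serial), not the one OpenSC uses. */
static int demo_serial_to_id(const struct demo_serial *sn, char *out, size_t out_len)
{
    static const char hex[] = "0123456789abcdef";
    if (sn->len == 0 || sn->len > sizeof sn->value || out_len < sn->len * 2 + 1)
        return DEMO_ERR_INVALID;
    for (size_t i = 0; i < sn->len; i++) {
        out[2 * i] = hex[sn->value[i] >> 4];
        out[2 * i + 1] = hex[sn->value[i] & 0x0f];
    }
    out[2 * sn->len] = '\0';
    return 0;
}

/* What the minidriver asks for: a stable identifier for this card. */
static int demo_get_card_id(struct demo_card *card, char *out, size_t out_len)
{
    struct demo_serial sn = { {0}, 0 };
    int rc;
    if (card->get_guid != NULL)       /* card-specific source, the PIV case */
        return card->get_guid(card, out, out_len);
    rc = demo_card_ctl(card, DEMO_CTL_GET_SERIALNR, &sn);
    if (rc != 0)
        return rc;                    /* the -1408 seen in the log */
    return demo_serial_to_id(&sn, out, out_len);
}

/* Shape of the missing piece: a card_ctl that answers GET_SERIALNR. */
static int demo_cns_card_ctl(struct demo_card *card, unsigned long cmd, void *arg)
{
    if (cmd != DEMO_CTL_GET_SERIALNR || arg == NULL)
        return DEMO_ERR_NOT_SUPPORTED;
    /* A real driver would read the serial from the card here; the thread
     * does not say where the CNS keeps it, so constructed bytes are copied. */
    memcpy(arg, &card->serial, sizeof card->serial);
    return 0;
}

/* Alternative shape: a get_guid hook for a card with other unique data. */
static int demo_fixed_guid(struct demo_card *card, char *out, size_t out_len)
{
    (void)card;
    return snprintf(out, out_len, "constructed-guid") < (int)out_len ? 0 : DEMO_ERR_INVALID;
}

int main(void)
{
    char id[64] = "";
    struct demo_card card = { NULL, NULL, { {1, 2, 3, 4, 5, 6, 7, 8}, 8 } };
    int rc = demo_get_card_id(&card, id, sizeof id);
    printf("no card_ctl  : %d\n", rc);
    card.card_ctl = demo_cns_card_ctl;
    rc = demo_get_card_id(&card, id, sizeof id);
    printf("GET_SERIALNR : %d %s\n", rc, id);
    card.get_guid = demo_fixed_guid;
    rc = demo_get_card_id(&card, id, sizeof id);
    printf("get_guid     : %d %s\n", rc, id);
    return 0;
}
```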



Re: OpenSC Internet Explorer

Roberto Resoli-2
On 27/10/2014 21:06, Douglas E Engert wrote:
> OK, this helps a lot. The card itacns.c does not support reading a serial number.
>
> Anyone want to add the code?

I could help, but I have no experience with the CNS code, and currently no time
at all to dedicate. As I said, E. Pucciarelli, who is the author, no longer seems
interested in the project.

Shaun, could someone in your organization or some contractor take care of
it? I can offer all the help I can.

> Windows, and thus the minidriver, needs a unique GUID for a card, because of the way
> it works. It stores in the Microsoft certificate stash the certificate and a GUID that represents
> the card that has the private key. Thus it can find a certificate without the card, then ask to have
> the card inserted.
>
> The card-itacns.c or pkcs15-itacns.c does not have the needed code to get the GUID.
...
> So someone who knows the CNS code needs to implement a get_guid, or a card_ctl function that supports
> SC_CARDCTL_GET_SERIALNR

Thanks, I am starting to get the point.

> As another test,
> The opensc-tool --serial
> will show the serial number or "sc_card_ctl(*, SC_CARDCTL_GET_SERIALNR, *) failed\n"

yes:

$ opensc-tool --serial
Using reader with a card: ACS ACR38U 00 00
sc_card_ctl(*, SC_CARDCTL_GET_SERIALNR, *) failed

bye,
rob


Re: OpenSC Internet Explorer

Roberto Resoli-2
In reply to this post by Shaun Schutte (TIS innovation park)
On 27/10/2014 15:41, Shaun Schutte wrote:
> The only way I have gotten some kind of output from OpenSC, is to run it
> under Windows Debugger. It is part of the Windows SDK kit, and when
> running certutil with -SCInfo as argument I am at least getting a lot
> of information,

I am trying to replicate your steps. I installed windbg from the Windows
SDK kit, but have never used it before; I tried

windbg certutil -SCInfo

What steps are needed to provide debug symbols for opensc to the debugger?

Thanks,
rob
