PKCS#15 Emulator


PKCS#15 Emulator

Galoh Haron
Hello,

I am trying to emulate a non-PKCS#15 smart card with no support for MF selection.
How do I test that the emulation works?
Because when I tried to run the command pkcs15-tool -r 00, I received
"Certificate read failed: Invalid ASN.1 object"

Based on the log,

2012-07-02 22:06:20.293 [pkcs15-tool] reader-pcsc.c:176:pcsc_internal_transmit: called
2012-07-02 22:06:20.340 
Incoming APDU data [   17 bytes] =====================================
84 E4 6C BA 08 7C 97 35 05 07 F1 DA 37 4E B2 90 ..l..|.5....7N..
00                                              .
======================================================================
2012-07-02 22:06:20.340 [pkcs15-tool] card.c:330:sc_unlock: called
2012-07-02 22:06:20.340 [pkcs15-tool] card-mykad.c:506:mykad_check_sw: called
2012-07-02 22:06:20.340 certificate size is 1035
2012-07-02 22:06:20.340 called, left=1031, depth 0
2012-07-02 22:06:20.340 Looking for 'tbsCertificate', tag 0x1000010
2012-07-02 22:06:20.340 decoding 'tbsCertificate'
2012-07-02 22:06:20.340  called, left=880, depth 1
2012-07-02 22:06:20.340 Looking for 'version', tag 0x21000000, OPTIONAL
2012-07-02 22:06:20.340  decoding 'version'
2012-07-02 22:06:20.340   called, left=3, depth 2
2012-07-02 22:06:20.340 Looking for 'version', tag 0x2
2012-07-02 22:06:20.340   decoding 'version'
2012-07-02 22:06:20.340   decoding 'version' returned 2
2012-07-02 22:06:20.340 [pkcs15-tool] asn1.c:1394:asn1_decode: returning with: 0 (Success)
2012-07-02 22:06:20.340 Looking for 'serialNumber', tag 0x2
2012-07-02 22:06:20.340  decoding 'serialNumber'
2012-07-02 22:06:20.340 Looking for 'signature', tag 0x1000010
2012-07-02 22:06:20.340  decoding 'signature'
2012-07-02 22:06:20.340 Looking for 'issuer', tag 0x1000010
2012-07-02 22:06:20.340  decoding 'issuer'
2012-07-02 22:06:20.340 Looking for 'validity', tag 0x1000010
2012-07-02 22:06:20.340  decoding 'validity'
2012-07-02 22:06:20.340 Looking for 'subject', tag 0x1000010
2012-07-02 22:06:20.340  decoding 'subject'
2012-07-02 22:06:20.340 Looking for 'subjectPublicKeyInfo', tag 0x1000010
2012-07-02 22:06:20.340  decoding 'subjectPublicKeyInfo'
2012-07-02 22:06:20.340 sc_pkcs15_pubkey_from_spki 013C1CEF:157
2012-07-02 22:06:20.340 called, left=157, depth 0
2012-07-02 22:06:20.340 Looking for 'algorithm', tag 0x1000010
2012-07-02 22:06:20.340 decoding 'algorithm'
2012-07-02 22:06:20.340  called, left=13, depth 1
2012-07-02 22:06:20.340 Looking for 'algorithm', tag 0x6
2012-07-02 22:06:20.340  decoding 'algorithm'
2012-07-02 22:06:20.340 Looking for 'nullParam', tag 0x5, OPTIONAL
2012-07-02 22:06:20.340  decoding 'nullParam'
2012-07-02 22:06:20.340 [pkcs15-tool] asn1.c:1394:asn1_decode: returning with: 0 (Success)
2012-07-02 22:06:20.340 Looking for 'subjectPublicKey', tag 0x3
2012-07-02 22:06:20.340 decoding 'subjectPublicKey'
2012-07-02 22:06:20.340 [pkcs15-tool] asn1.c:1394:asn1_decode: returning with: 0 (Success)
2012-07-02 22:06:20.340 DEE pk_alg.algorithm=0
2012-07-02 22:06:20.340 called, left=138, depth 0
2012-07-02 22:06:20.340 Looking for 'publicKeyCoefficients', tag 0x1000010, OPTIONAL
2012-07-02 22:06:20.340 decoding 'publicKeyCoefficients'
2012-07-02 22:06:20.340  called, left=135, depth 1
2012-07-02 22:06:20.340 Looking for 'modulus', tag 0x2
2012-07-02 22:06:20.340  decoding 'modulus'
2012-07-02 22:06:20.340 Looking for 'exponent', tag 0x2
2012-07-02 22:06:20.340  decoding 'exponent'
2012-07-02 22:06:20.340 [pkcs15-tool] asn1.c:1394:asn1_decode: returning with: 0 (Success)
2012-07-02 22:06:20.340 [pkcs15-tool] asn1.c:1394:asn1_decode: returning with: 0 (Success)
2012-07-02 22:06:20.340 Looking for 'extensions', tag 0x21000003, OPTIONAL
2012-07-02 22:06:20.340  decoding 'extensions'
2012-07-02 22:06:20.340   called, left=328, depth 2
2012-07-02 22:06:20.340 Looking for 'x509v3', tag 0x1000010, OPTIONAL
2012-07-02 22:06:20.340   decoding 'x509v3'
2012-07-02 22:06:20.340    called, left=324, depth 3
2012-07-02 22:06:20.340 Looking for 'certificatePolicies', tag 0x1000010, OPTIONAL
2012-07-02 22:06:20.340    decoding 'certificatePolicies'
2012-07-02 22:06:20.340 Looking for 'subjectKeyIdentifier', tag 0x1000010, OPTIONAL
2012-07-02 22:06:20.340    decoding 'subjectKeyIdentifier'
2012-07-02 22:06:20.340 Looking for 'crlDistributionPoints', tag 0x1000010, OPTIONAL
2012-07-02 22:06:20.340    decoding 'crlDistributionPoints'
2012-07-02 22:06:20.340 Looking for 'authorityKeyIdentifier', tag 0x1000010, OPTIONAL
2012-07-02 22:06:20.340    decoding 'authorityKeyIdentifier'
2012-07-02 22:06:20.340 Looking for 'keyUsage', tag 0x1000010, OPTIONAL
2012-07-02 22:06:20.340    decoding 'keyUsage'
2012-07-02 22:06:20.340 [pkcs15-tool] asn1.c:1394:asn1_decode: returning with: 0 (Success)
2012-07-02 22:06:20.340 [pkcs15-tool] asn1.c:1394:asn1_decode: returning with: 0 (Success)
2012-07-02 22:06:20.340 [pkcs15-tool] asn1.c:1394:asn1_decode: returning with: 0 (Success)
2012-07-02 22:06:20.340 Looking for 'signatureAlgorithm', tag 0x1000010
2012-07-02 22:06:20.340 decoding 'signatureAlgorithm'
2012-07-02 22:06:20.340  called, left=13, depth 1
2012-07-02 22:06:20.340 Looking for 'algorithm', tag 0x6
2012-07-02 22:06:20.340  decoding 'algorithm'
2012-07-02 22:06:20.340 Looking for 'nullParam', tag 0x5, OPTIONAL
2012-07-02 22:06:20.340  decoding 'nullParam'
2012-07-02 22:06:20.340 [pkcs15-tool] asn1.c:1394:asn1_decode: returning with: 0 (Success)
2012-07-02 22:06:20.340 Looking for 'signatureValue', tag 0x3
2012-07-02 22:06:20.340 decoding 'signatureValue'
2012-07-02 22:06:20.340 [pkcs15-tool] asn1.c:1394:asn1_decode: returning with: 0 (Success)
2012-07-02 22:06:20.340 encoding 'serialNumber'
2012-07-02 22:06:20.340 type=4, tag=0x02, parm=013C0380, len=16
2012-07-02 22:06:20.340 length of encoded item=18
2012-07-02 22:06:20.340 [pkcs15-tool] card.c:330:sc_unlock: called
2012-07-02 22:06:20.340 [pkcs15-tool] pkcs15.c:959:sc_pkcs15_bind: returning with: 0 (Success)
2012-07-02 22:06:20.340 [pkcs15-tool] pkcs15-cert.c:156:sc_pkcs15_read_certificate: called
2012-07-02 22:06:20.340 X.509 certificate not found
2012-07-02 22:06:20.340 [pkcs15-tool] pkcs15.c:969:sc_pkcs15_unbind: called
2012-07-02 22:06:20.340 [pkcs15-tool] pkcs15-pin.c:596:sc_pkcs15_pincache_clear: called
2012-07-02 22:06:20.340 [pkcs15-tool] card.c:330:sc_unlock: called
2012-07-02 22:06:20.340 [pkcs15-tool] reader-pcsc.c:548:pcsc_unlock: called
2012-07-02 22:06:20.340 [pkcs15-tool] card.c:242:sc_disconnect_card: called
2012-07-02 22:06:20.340 [pkcs15-tool] reader-pcsc.c:498:pcsc_disconnect: called
2012-07-02 22:06:20.542 [pkcs15-tool] card.c:258:sc_disconnect_card: returning with: 0 (Success)
2012-07-02 22:06:20.542 [pkcs15-tool] ctx.c:738:sc_release_context: called
2012-07-02 22:06:20.542 [pkcs15-tool] reader-pcsc.c:736:pcsc_finish: called

Obviously I can't use sc_pkcs15_read_certificate. My card does not support PKCS#15.
Or did I misunderstand the whole PKCS#15 emulator concept?

-galoh

_______________________________________________
opensc-devel mailing list
[hidden email]
http://www.opensc-project.org/mailman/listinfo/opensc-devel
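The question in the post above is how to tell whether the emulation works. The trace shows OpenSC's asn1_decode walking the certificate element by element, but it does not show whether the buffer the emulator handed over is sound in the first place. The Python below is an added example for this thread, not code from OpenSC or from either poster: a small DER walker that performs the same Certificate -> tbsCertificate -> subjectPublicKeyInfo descent offline on a byte string dumped from the card, and reports what the trace hides, namely a declared length that disagrees with the buffer (what OpenSC reports as "Invalid ASN.1 object") and bytes trailing the outer SEQUENCE (for example a status word copied into the certificate buffer). The input is a constructed, unsigned certificate built inline, not data from the thread. In the log, the difference between 'certificate size is 1035' and 'left=1031' is the four-byte tag-and-length header of the outer SEQUENCE; declared_length in the result counts that header together with the content.

```python
"""DER walk of an X.509 certificate blob: an offline sanity check for a PKCS#15
emulator. Constructed example for this thread, not OpenSC code."""

SEQUENCE, SET, INTEGER, BIT_STRING, OID, NULL, UTF8, UTCTIME = (
    0x30, 0x31, 0x02, 0x03, 0x06, 0x05, 0x0C, 0x17)

def read_tlv(buf, pos):
    """Tag and length at buf[pos] -> (tag, value_start, value_end); ValueError if not DER."""
    start = pos
    if pos + 2 > len(buf) or buf[pos] & 0x1F == 0x1F:
        raise ValueError("truncated or unsupported element at offset %d" % start)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length >= 0x80:                     # long form: 0x8N, then N big-endian length bytes
        nbytes = length & 0x7F
        if not 1 <= nbytes <= 4 or pos + nbytes > len(buf) or buf[pos] == 0:
            raise ValueError("bad or non-minimal long-form length at offset %d" % start)
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
        if length < 0x80:
            raise ValueError("non-minimal length at offset %d" % start)
    if pos + length > len(buf):
        raise ValueError("element at offset %d declares %d bytes, only %d remain"
                         % (start, length, len(buf) - pos))
    return tag, pos, pos + length

def children(buf, start, end):
    """(tag, value_start, value_end) for each element inside a constructed value."""
    out, pos = [], start
    while pos < end:
        tag, vstart, vend = read_tlv(buf, pos)
        out.append((tag, vstart, vend))
        pos = vend
    return out

def oid_to_str(value):
    """Dotted-decimal form of an OBJECT IDENTIFIER value (base-128 arcs)."""
    arcs, acc = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(str(a) for a in arcs)

def check_certificate(blob):
    """Validate the outer X.509 layout of blob and summarise it; ValueError on malformed DER.
    trailing_bytes > 0 means the buffer runs past the certificate (e.g. a status word)."""
    tag, start, end = read_tlv(blob, 0)
    outer = children(blob, start, end) if tag == SEQUENCE else []
    if [t for t, _, _ in outer] != [SEQUENCE, SEQUENCE, BIT_STRING]:
        raise ValueError("not Certificate ::= SEQUENCE { tbs, sigAlg, BIT STRING }")
    tbs = children(blob, outer[0][1], outer[0][2])
    version = 1
    if tbs and tbs[0][0] == 0xA0:          # version [0] EXPLICIT INTEGER OPTIONAL
        _, vs, ve = read_tlv(blob, tbs[0][1])
        version = int.from_bytes(blob[vs:ve], "big") + 1   # v3 is encoded as 2
        tbs = tbs[1:]
    # serialNumber, signature, issuer, validity, subject, subjectPublicKeyInfo
    if [t for t, _, _ in tbs[:6]] != [INTEGER] + [SEQUENCE] * 5:
        raise ValueError("tbsCertificate field order or tags are wrong")
    sig_alg = children(blob, tbs[1][1], tbs[1][2])
    spki = children(blob, tbs[5][1], tbs[5][2])    # { algorithm, subjectPublicKey }
    if not sig_alg or sig_alg[0][0] != OID or len(spki) != 2 or spki[1][0] != BIT_STRING \
            or blob[spki[1][1]:spki[1][1] + 1] != b"\x00":
        raise ValueError("AlgorithmIdentifier or subjectPublicKeyInfo is malformed")
    _, rsa_s, rsa_e = read_tlv(blob, spki[1][1] + 1)  # RSAPublicKey after unused-bits byte
    rsa = children(blob, rsa_s, rsa_e)
    if [t for t, _, _ in rsa] != [INTEGER, INTEGER]:
        raise ValueError("RSAPublicKey is not SEQUENCE { modulus, publicExponent }")
    return {
        "version": version,
        "serial": int.from_bytes(blob[tbs[0][1]:tbs[0][2]], "big", signed=True),
        "signature_oid": oid_to_str(blob[sig_alg[0][1]:sig_alg[0][2]]),
        "modulus_bits": int.from_bytes(blob[rsa[0][1]:rsa[0][2]], "big").bit_length(),
        "exponent": int.from_bytes(blob[rsa[1][1]:rsa[1][2]], "big"),
        "declared_length": end,            # outer SEQUENCE header plus its content
        "trailing_bytes": len(blob) - end,
    }

# Constructed sample input: valid DER layout, 2048-bit RSA key, placeholder signature.
def der(tag, payload):
    n = len(payload)
    if n < 0x80:
        return bytes([tag, n]) + payload
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + payload

def der_int(n):
    return der(INTEGER, n.to_bytes((n.bit_length() + 8) // 8, "big"))

def build_sample_certificate():
    sha256_rsa = der(OID, bytes.fromhex("2A864886F70D01010B"))   # 1.2.840.113549.1.1.11
    rsa_enc = der(OID, bytes.fromhex("2A864886F70D010101"))      # 1.2.840.113549.1.1.1
    alg = der(SEQUENCE, sha256_rsa + der(NULL, b""))
    cn = der(SEQUENCE, der(OID, bytes.fromhex("550403")) + der(UTF8, b"Test"))  # CN=Test
    name = der(SEQUENCE, der(SET, cn))
    validity = der(SEQUENCE, der(UTCTIME, b"200101000000Z") + der(UTCTIME, b"300101000000Z"))
    rsa_key = der(SEQUENCE, der_int((1 << 2047) | 0x10001) + der_int(65537))
    spki = der(SEQUENCE, der(SEQUENCE, rsa_enc + der(NULL, b""))
               + der(BIT_STRING, b"\x00" + rsa_key))
    tbs = der(SEQUENCE, der(0xA0, der_int(2)) + der_int(1) + alg + name + validity + name + spki)
    return der(SEQUENCE, tbs + alg + der(BIT_STRING, b"\x00" + b"\xAB" * 256))

SAMPLE_CERT = build_sample_certificate()
```

Run check_certificate on the raw bytes the emulator would expose as the certificate: a ValueError means asn1_decode will reject the same buffer, and a non-zero trailing_bytes means the length recorded for the certificate object is too long by that many bytes. The modulus_bits value is also what an emulator needs when it describes the matching private key, so the same pass gives you both checks.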

Re: PKCS#15 Emulator

Galoh Haron
Hello all,

I guess I need to clarify the question on the PKCS#15 emulator again.

1) I have created pkcs15-thecard.c and work on sc_pks15emu-thecard_init_ex
2) With some code modifications, the commands opensc-tool -i, opensc-tool -a opensc -s work.
3) Are any other steps missing for the emulator to work, or is there perhaps a tiny write-up for developers to work on the emulator?

I am trying to get the minidriver to work with the pkcs#15 emulator.

Thank you.



On Mon, Jul 2, 2012 at 10:11 PM, Galoh Haron <[hidden email]> wrote:
Hello, 

I am trying to emulate a non-PKCS#15 smart card with no support for MF selection.
How do I test that the emulation works?
Because when I tried to run the command pkcs15-tool -r 00, I received
"Certificate read failed: Invalid ASN.1 object"


Obviously I can't use sc_pkcs15_read_certificate. My card does not support PKCS#15.
Or did I misunderstand the whole PKCS#15 emulator concept?

-galoh



Re: PKCS#15 Emulator

Viktor Tarasov-3
Hello,

On 04/07/2012 03:16, Galoh Haron wrote:
> I guess I need to clarify the question on the PKCS#15 emulator again.
>
> 1) I have created pkcs15-thecard.c and work on sc_pks15emu-thecard_init_ex
> 2) With some code modifications, the commands opensc-tool -i, opensc-tool -a opensc -s work.
> 3) Are any other steps missing for the emulator to work, or is there perhaps a tiny write-up for developers to work on the emulator?


I would start by implementing the card driver with the basic 'sc_card_operations' handlers
and testing all the stuff with opensc-explorer.

Then make a list of the pre-existing objects (PINs, Pub/Priv keys, certs, data) that you wish to see exposed through the libopensc/pkcs15 API as PKCS#15 objects.

After that, take some existing emulator as an example to see how to prepare data before calling the 'sc_pkcs15emu_add_**' functions
and how to register your 'init_ex' procedure in pkcs15-syn.c.

Then you can start the testing with the pkcs15-* tools, and finally the minidriver.


>
> I am trying to get the minidriver to work with the pkcs#15 emulator.
> Thank you.

Kind regards,
Viktor.


>
> On Mon, Jul 2, 2012 at 10:11 PM, Galoh Haron <[hidden email] <mailto:[hidden email]>> wrote:
>
>     Hello,
>
>     I am trying to emulate a non-PKCS#15 smart card with no support for MF selection.
>     How do I test that the emulation works?
>     Because when I tried to run the command pkcs15-tool -r 00, I received
>     "Certificate read failed: Invalid ASN.1 object"
>
>
>     Obviously I can't use sc_pkcs15_read_certificate. My card does not support PKCS#15.
>     Or did I misunderstand the whole PKCS#15 emulator concept?
>
>     -galoh

Re: PKCS#15 Emulator

Galoh Haron
Hello all,

I found errors when running certutil -scinfo:
1) Can't open the AT_SIGNATURE key for reader
2) Can't open the At_KEYEXCHANGE key for reader
3) Cannot open the key for reader

A pop-up dialog shows: "A smart card was detected but is not the one
required for the current operation. The smart card you are using may
be missing required driver software or a required certificate".

I can view the certificate in the Mozilla web browser.

To get the minidriver working:
1) I configured the registry as per minidriver-westcost.reg
2) I configured opensc-minidriver.inf and changed the device ID
according to the historical ATR bytes
3) installed the .inf accordingly

What else should I do?


On Wed, Jul 4, 2012 at 6:20 PM, Viktor Tarasov <[hidden email]> wrote:

> Hello,
>
> On 04/07/2012 03:16, Galoh Haron wrote:
>> I guess I need to clarify the question on the PKCS#15 emulator again.
>>
>> 1) I have created pkcs15-thecard.c and work on sc_pks15emu-thecard_init_ex
>> 2) With some code modifications, the commands opensc-tool -i, opensc-tool -a opensc -s work.
>> 3) Are any other steps missing for the emulator to work, or is there perhaps a tiny write-up for developers to work on the emulator?
>
>
> I would start by implementing the card driver with the basic 'sc_card_operations' handlers
> and testing all the stuff with opensc-explorer.
>
> Then make a list of the pre-existing objects (PINs, Pub/Priv keys, certs, data) that you wish to see exposed through the libopensc/pkcs15 API as PKCS#15 objects.
>
> After that, take some existing emulator as an example to see how to prepare data before calling the 'sc_pkcs15emu_add_**' functions
> and how to register your 'init_ex' procedure in pkcs15-syn.c.
>
> Then you can start the testing with the pkcs15-* tools, and finally the minidriver.
>
>
>>
>> I am trying to get the minidriver to work with the pkcs#15 emulator.
>> Thank you.
>
> Kind regards,
> Viktor.
>
>
>>
>> On Mon, Jul 2, 2012 at 10:11 PM, Galoh Haron <[hidden email] <mailto:[hidden email]>> wrote:
>>
>>     Hello,
>>
>>     I am trying to emulate a non-PKCS#15 smart card with no support for MF selection.
>>     How do I test that the emulation works?
>>     Because when I tried to run the command pkcs15-tool -r 00, I received
>>     "Certificate read failed: Invalid ASN.1 object"
>>
>>
>>     Obviously I can't use sc_pkcs15_read_certificate. My card does not support PKCS#15.
>>     Or did I misunderstand the whole PKCS#15 emulator concept?
>>
>>     -galoh
>>
>>
>>
>> _______________________________________________
>> opensc-devel mailing list
>> [hidden email]
>> http://www.opensc-project.org/mailman/listinfo/opensc-devel
>
_______________________________________________
opensc-devel mailing list
[hidden email]
http://www.opensc-project.org/mailman/listinfo/opensc-devel

Re: PKCS#15 Emulator

Douglas E. Engert


On 7/10/2012 3:35 AM, Galoh Haron wrote:

> Hello all,
>
> I found errors in running certutil -scinfo:
> 1) Can't open the AT_SIGNATURE key for reader
> 2) Can't open the At_KEYEXCHANGE key for reader
> 3) Cannot open the key for reader
>
> A pop-up dialog shows: "A smart card was detected but is not the one
> required for the current operation. The smart card you are using may
> be missing required driver software or a required certificate".

Sounds like the MS code is having problems using the minidriver.
This could be because your registry is not configured correctly
or your code is doing something that does not work under the minidriver.
The minidriver may be called during login by more than one process,
and by more than one thread. Depending on how your code is written this may
cause problems.  The minidriver may stay loaded by more than one process
for long times. During login, there is no HKCU registry as there is no
current user. This also implies that access to files is limited.

>
> I can view the certificate in the Mozilla web browser.
>
> To minidrive everything:
> 1) I configure the registry as per minidriver-westcos.reg
Send your changes to the list.

> 2) I configure the opensc-minidriver.inf and change the device ID
> according to the historical ATR bytes
> 3) install the inf accordingly

Send the inf changes to the list.

>
> What else should I do?

You could compile the minidriver with CARDMOD_LOW_LEVEL_DEBUG.
See minidriver.c around line 100. It's only for debugging.
You will need to create C:\tmp\cardmod.log and make it writable
by everyone.


>
>
> On Wed, Jul 4, 2012 at 6:20 PM, Viktor Tarasov <[hidden email]> wrote:
>> Hello,
>>
>> On 04/07/2012 03:16, Galoh Haron wrote:
>>> I guess I need to clarify the question on the PKCS#15 emulator again.
>>>
>>> 1) I have created pkcs15-thecard.c and work on sc_pks15emu-thecard_init_ex
>>> 2) With some code modifications, the commands opensc-tool -i, opensc-tool -a opensc -s work.
>>> 3) Are any other steps missing for the emulator to work, or is there perhaps a tiny write-up for developers to work on the emulator?
>>
>>
>> I would start from implementing the card driver with the basic 'sc_card_operations' handlers
>> and testing all the stuff with opensc-explorer.
>>
>> Then make a list of the pre-existing objects (PINs, pub/priv keys, certs, data) that you wish to see exposed with the libopensc/pkcs15 API as the PKCS#15 objects.
>>
>> After that take as example some existing emulator to see how to prepare data before calling the 'sc_pkcs15emu_add_**' functions
>> and how to register your 'init_ex' procedure in pkcs15-syn.c.
>>
>> Then you can start the testing with the pkcs15-* tools, and finally the minidriver.
>>
>>
>>>
>>> I am trying to get the minidriver to work with the pkcs#15 emulator.
>>> Thank you.
>>
>> Kind regards,
>> Viktor.
>>
>>

--

  Douglas E. Engert  <[hidden email]>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444


_______________________________________________
opensc-devel mailing list
[hidden email]
http://www.opensc-project.org/mailman/listinfo/opensc-devel

Re: PKCS#15 Emulator

Galoh Haron
Douglas,

Here is the list of changes that I have made to opensc-minidriver.inf
and minidriver-westcos.reg.

.inf

[Minidriver.NTamd64]
+ %CardDeviceName%=Minidriver64_Install,SCFILTER\CID_7320006C009000
- %CardDeviceName%=Minidriver64_Install,SCFILTER\CID_00640181010c829000

[Minidriver.NTx86]
+ %CardDeviceName%=Minidriver32_Install,SCFILTER\CID_7320006C009000
- %CardDeviceName%=Minidriver32_Install,SCFILTER\CID_00640181010c829000

[Minidriver.NTamd64.6.1]
+ %CardDeviceName%=Minidriver64_61_Install,SCFILTER\CID_7320006C009000
- %CardDeviceName%=Minidriver64_61_Install,SCFILTER\CID_00640181010c829000

[AddRegWOW64]
+ HKLM, %SmartCardNameWOW64%,"ATR",0x00000001,3b,67,00,00,73,20,00,6c,00,90,00
- HKLM, %SmartCardNameWOW64%,"ATR",0x00000001,3f,69,00,00,00,64,01,00,00,00,80,90,00
- HKLM, %SmartCardNameWOW64%,"ATRMask",0x00000001,ff,ff,ff,ff,ff,ff,ff,00,00,00,f0,ff,ff

[Strings]
+SmartCardName="SOFTWARE\Microsoft\Cryptography\Calais\SmartCards\MyKAD"
- SmartCardName="SOFTWARE\Microsoft\Cryptography\Calais\SmartCards\Cev Westcos"
+SmartCardNameWOW64="SOFTWARE\Wow6432Node\Microsoft\Cryptography\Calais\SmartCards\MyKAD"
- SmartCardNameWOW64="SOFTWARE\Wow6432Node\Microsoft\Cryptography\Calais\SmartCards\Cev
Westcos"
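Review bot: the [AddRegWOW64] region deletes the "ATRMask" line without adding one for the new card, so the MyKAD entry registers an 11-byte ATR and no mask, while the Westcos entry it replaces had a 13-byte mask that ignored bytes 8-10 and the low nibble of byte 11. If the card is meant to be matched on its full ATR, add a mask of the same length as the new ATR, e.g. `HKLM, %SmartCardNameWOW64%,"ATRMask",0x00000001,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff`; if dropping the mask is intended, say so in the change. The new CID is consistent with the new ATR: T0 = 0x67 means TB1 and TC1 follow and K = 7, so the historical bytes are 73 20 00 6c 00 90 00, i.e. CID_7320006C009000.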

.reg
Windows Registry Editor Version 5.00

+ [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Calais\SmartCards\MyKAD]
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Calais\SmartCards\CEV
WESTCOS]
+ "ATR"=hex:3b,67,00,00,73,20,00,6c,00,90,00
- "ATR"=hex:3f,69,00,00,00,64,01,00,00,00,80,90,00
- "ATRMask"=hex:ff,ff,ff,ff,ff,ff,ff,00,00,00,f0,ff,ff
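Review bot: same gap as in the .inf: the "ATRMask" value is removed and not replaced, so the new MyKAD key carries an 11-byte "ATR" and no mask. Add `"ATRMask"=hex:ff,ff,ff,ff,ff,ff,ff,ff,ff,ff,ff` (same length as the ATR) if the card should match on its full ATR, or state explicitly that the mask is being dropped. The new key path ...\Calais\SmartCards\MyKAD agrees with the SmartCardName string in the .inf, which is the one thing the two files must keep in sync.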

Part of the cardmod.log section


********** DllMain hModule=0x6C8B0000 reason=1 Reserved=00000000 P:13632 T:14000
** DllMain Attach ModuleFileName=C:\Windows\system32\certutil.exe
==================================================================

P:13632 T:14000 pCardData:0048E4D8 CardAcquireContext, dwVersion=7,
name=MyKAD,hScard=0xEA020000, hSCardCtx=0xCD010002
request version pCardData->dwVersion = 7
pCardData->dwVersion = 7
create ctx
sc_context_create passed r = 0
associate_card
cardmod_use_handles 0
sc_ctx_get_reader_count(ctx): 1
Broadcom Corp Contacted SmartCard 0
sc_connect_card result = 0, Success
PKCS#15 initialization result: 0, Success
serial number r=0 len1=7 len2=32 --- 0049707C:16
 0000  00000000 0256F107 08090A0B 0C0D0E0F
Found 2 certificat(s) in the card.
Found 2 private key(s) in the card.
Found 1 pin(s) in the card.
prkey_info->subject 0 (subject_len=0)modulus_length=1024 subject --- 00000000:0
prkey_info->subject 1 (subject_len=0)modulus_length=1024 subject --- 00000000:0
cert->subject 0 --- 01D8A360:107
 0000  310B3009 06035504 0613024D 59312330  21060355 0403131A 47414C4F 48205241
 0020  53484944 41482042 494E5449 20484152  4F4E3115 30130603 55040513 0C373630
 0040  35323031 30353937 36312030 1E06092A  864886F7 0D010901 16116772 6861726F
 0060  6E40676D 61696C2E 636F6D
cert->subject 1 --- 01D8A360:107
 0000  310B3009 06035504 0613024D 59312330  21060355 0403131A 47414C4F 48205241
 0020  53484944 41482042 494E5449 20484152  4F4E3115 30130603 55040513 0C373630
 0040  35323031 30353937 36312030 1E06092A  864886F7 0D010901 16116772 6861726F
 0060  6E40676D 61696C2E 636F6D
PIN [PIN]
        Com. Flags: 0x3
        ID        : 01
        Flags     : [0x31], case-sensitive, initialized, needs-padding
        Length    : min_len:6, max_len:8, stored_len:8
        Pad char  : 0xFF
        Reference : 1
        Type      : ascii-numeric
        Path      :
OpenSC init done.

P:13632 T:14000 pCardData:0048E4D8 CardGetProperty
CardGetProperty wszProperty=Card Identifier, cbData=16, dwFlags=0
check_reader_status
pCardData->hSCardCtx:0xCD010002 hScard:0xEA020000
check_reader_status r=5 flags 0x00000005
CardGUID --- 00493C70:16
 0000  00000000 0256F107 08090A0B 0C0D0E0F

P:13632 T:14000 pCardData:0048E4D8 CardReadFile
pszDirectoryName = <NULL>, pszFileName = cardcf, dwFlags = 0,
pcbData=0, *ppbData=0
check_reader_status
pCardData->hSCardCtx:0xCD010002 hScard:0xEA020000
check_reader_status r=5 flags 0x00000005
return cardcf --- 00480888:6
 0000  00002900 2348

P:13632 T:14000 pCardData:0048E4D8 CardGetProperty
CardGetProperty wszProperty=Read Only Mode, cbData=4, dwFlags=0
check_reader_status
pCardData->hSCardCtx:0xCD010002 hScard:0xEA020000
check_reader_status r=5 flags 0x00000005
pcardReadOnly--- 00480898:4
 0000  01000000

P:13632 T:14000 pCardData:0048E4D8 CardGetProperty
CardGetProperty wszProperty=Cache Mode, cbData=4, dwFlags=0
check_reader_status
pCardData->hSCardCtx:0xCD010002 hScard:0xEA020000
check_reader_status r=5 flags 0x00000005
pCardCacheMode --- 00480898:4
 0000  03000000

P:13632 T:14000 pCardData:0048E4D8 CardGetProperty
CardGetProperty wszProperty=Supports Windows x.509 Enrollment,
cbData=4, dwFlags=0
check_reader_status
pCardData->hSCardCtx:0xCD010002 hScard:0xEA020000
check_reader_status r=5 flags 0x00000005
pSupportsX509Enrolment --- 00480898:4
 0000  00000000

P:13632 T:14000 pCardData:0048E4D8 CardReadFile
pszDirectoryName = mscp, pszFileName = cmapfile, dwFlags = 0,
pcbData=0, *ppbData=0
check_reader_status
pCardData->hSCardCtx:0xCD010002 hScard:0xEA020000
check_reader_status r=5 flags 0x00000005
sc_pkcs15_read_certificate return 0

P:13632 T:14000 pCardData:0048E4D8 CardGetProperty
CardGetProperty wszProperty=PIN Information, cbData=36, dwFlags=1
check_reader_status
pCardData->hSCardCtx:0xCD010002 hScard:0xEA020000
check_reader_status r=5 flags 0x00000005
returning info on PIN ROLE_USER ( Auth ) [1]
--- 004741B0:36
 0000  06000000 00000000 01000000 00000000  00000000 06000000 00000000 00000000
 0020  00000000

P:13632 T:14000 pCardData:0048E4D8 CardReadFile
pszDirectoryName = mscp, pszFileName = cmapfile, dwFlags = 0,
pcbData=0, *ppbData=0
check_reader_status
pCardData->hSCardCtx:0xCD010002 hScard:0xEA020000
check_reader_status r=5 flags 0x00000005
sc_pkcs15_read_certificate return 0

P:13632 T:14000 pCardData:0048E4D8 CardDeleteContext
disassociate_card
sc_pkcs15_unbind
sc_disconnect_card
release context
**********************************************************************


Thank you.

_______________________________________________
opensc-devel mailing list
[hidden email]
http://www.opensc-project.org/mailman/listinfo/opensc-devel
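A way to check the identifiers in the posted .inf/.reg changes, as an added example that is not code from the thread or from OpenSC: it parses an ISO/IEC 7816-3 ATR into its historical bytes (which Windows uses as the SCFILTER\CID_ hardware ID), renders the Calais "ATR"/"ATRMask" registry values, and applies an ATR/ATRMask template to a card ATR with a masked comparison. The MyKAD ATR and the Westcos template and mask are copied from the posted lines; the full Westcos card ATR is constructed so that the old template and mask match it.

```python
"""ATR parsing and ATR/ATRMask checks for the minidriver .inf and .reg files.

Added example for this thread; not code from OpenSC or from the posts.
"""
from typing import List, Optional

# ATR of the new card, copied from the posted .inf/.reg change.
MYKAD_ATR = bytes.fromhex("3b6700007320006c009000")
# Original Westcos template and mask, copied from the removed lines.
WESTCOS_TEMPLATE = bytes.fromhex("3f690000006401000000809000")
WESTCOS_MASK = bytes.fromhex("ffffffffffffff000000f0ffff")
# Constructed full card ATR that the Westcos template/mask is meant to match;
# its historical bytes equal the CID_ string the .inf carried before.
WESTCOS_CARD = bytes.fromhex("3f69000000640181010c829000")


def parse_atr(atr: bytes) -> dict:
    """Split an ATR into TS, T0, interface bytes, historical bytes and TCK.

    T0's high nibble (Y1) flags which of TA1..TD1 follow and its low nibble
    (K) is the historical byte count; each TDi carries Yi+1 and a protocol
    type.  TCK is present unless T=0 is the only protocol offered, and makes
    the XOR of every byte from T0 through TCK zero.
    """
    if len(atr) < 2 or atr[0] not in (0x3B, 0x3F):
        raise ValueError("not an ATR: need TS=0x3B/0x3F followed by T0")
    t0 = atr[1]
    interface, protocols = [], set()
    y, pos, i = t0 >> 4, 2, 1
    while y:
        next_y = 0
        for bit, name in ((1, "TA"), (2, "TB"), (4, "TC"), (8, "TD")):
            if not y & bit:
                continue
            if pos >= len(atr):
                raise ValueError(f"ATR truncated before {name}{i}")
            value, pos = atr[pos], pos + 1
            interface.append((f"{name}{i}", value))
            if name == "TD":
                protocols.add(value & 0x0F)
                next_y = value >> 4
        y, i = next_y, i + 1
    k = t0 & 0x0F
    historical = atr[pos:pos + k]
    if len(historical) != k:
        raise ValueError("ATR truncated inside historical bytes")
    pos += k
    tck = None
    if protocols and protocols != {0}:      # anything beyond plain T=0
        if pos >= len(atr):
            raise ValueError("TCK missing")
        tck, pos = atr[pos], pos + 1
        check = 0
        for b in atr[1:pos]:
            check ^= b
        if check != 0:
            raise ValueError("TCK check byte does not match")
    if pos != len(atr):
        raise ValueError("trailing bytes after ATR")
    return {"ts": atr[0], "t0": t0, "interface": interface,
            "protocols": protocols or {0}, "historical": historical, "tck": tck}


def device_id(atr: bytes) -> str:
    """Hardware ID the .inf must list: SCFILTER\\CID_ plus the historical bytes."""
    return "SCFILTER\\CID_" + parse_atr(atr)["historical"].hex().upper()


def calais_entries(atr: bytes, mask: Optional[bytes] = None) -> List[str]:
    """Render the "ATR" and "ATRMask" lines of a Calais\\SmartCards\\<name> key
    in .reg syntax.  Without a mask an all-ones mask of the same length is
    written, so the card must present exactly this ATR."""
    if mask is None:
        mask = b"\xff" * len(atr)
    if len(mask) != len(atr):
        raise ValueError("ATRMask must be the same length as ATR")

    def fmt(b: bytes) -> str:
        return ",".join(f"{x:02x}" for x in b)

    return [f'"ATR"=hex:{fmt(atr)}', f'"ATRMask"=hex:{fmt(mask)}']


def atr_matches(template: bytes, mask: bytes, card_atr: bytes) -> bool:
    """Masked comparison: the card matches when every bit selected by the mask
    is equal between template and card ATR and both have the same length."""
    if len(mask) != len(template):
        raise ValueError("ATRMask must be the same length as ATR")
    if len(card_atr) != len(template):
        return False
    return all((c & m) == (t & m) for c, m, t in zip(card_atr, mask, template))


if __name__ == "__main__":
    print(device_id(MYKAD_ATR))                 # SCFILTER\CID_7320006C009000
    print("\n".join(calais_entries(MYKAD_ATR)))
    print(atr_matches(WESTCOS_TEMPLATE, WESTCOS_MASK, WESTCOS_CARD))  # True
```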

Re: PKCS#15 Emulator

Douglas E. Engert
In reply to this post by Douglas E. Engert


On 7/10/2012 8:19 PM, Galoh Haron wrote:

> Douglas,
>
> here is the changes list that i have made for the opensc-minidriver.inf
> and .minidriver-westcos.reg
>
> .inf
>
> [Minidriver.NTamd64]
> + %CardDeviceName%=Minidriver64_Install,SCFILTER\CID_7320006C009000
> - %CardDeviceName%=Minidriver64_Install,SCFILTER\CID_00640181010c829000
>
> [Minidriver.NTx86]
> + %CardDeviceName%=Minidriver32_Install,SCFILTER\CID_7320006C009000
> - %CardDeviceName%=Minidriver32_Install,SCFILTER\CID_00640181010c829000
>
> [Minidriver.NTamd64.6.1]
> + %CardDeviceName%=Minidriver64_61_Install,SCFILTER\CID_7320006C009000
> - %CardDeviceName%=Minidriver64_61_Install,SCFILTER\CID_00640181010c829000
>
> [AddRegWOW64]
> + HKLM, %SmartCardNameWOW64%,"ATR",0x00000001,3b,67,00,00,73,20,00,6c,00,90,00
> - HKLM, %SmartCardNameWOW64%,"ATR",0x00000001,3f,69,00,00,00,64,01,00,00,00,80,90,00
> - HKLM, %SmartCardNameWOW64%,"ATRMask",0x00000001,ff,ff,ff,ff,ff,ff,ff,00,00,00,f0,ff,ff
>
> [Strings]
> +SmartCardName="SOFTWARE\Microsoft\Cryptography\Calais\SmartCards\MyKAD"
> - SmartCardName="SOFTWARE\Microsoft\Cryptography\Calais\SmartCards\Cev Westcos"
> +SmartCardNameWOW64="SOFTWARE\Wow6432Node\Microsoft\Cryptography\Calais\SmartCards\MyKAD"
> - SmartCardNameWOW64="SOFTWARE\Wow6432Node\Microsoft\Cryptography\Calais\SmartCards\Cev
> Westcos"
>
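Review bot: the [AddRegWOW64] hunk drops the ATRMask value together with the old westcos ATR but adds no mask for the new one, so the MyKAD key matches only a card whose ATR is byte-for-byte 3b 67 00 00 73 20 00 6c 00 90 00; the westcos mask (ff x7, 00 00 00, f0, ff ff) existed to blank out the historical bytes that vary between cards, so if MyKAD cards differ in those bytes too, add an 11-byte ATRMask of the same length as the new ATR rather than dropping masking. The hunk also changes only the Wow6432Node path: [Strings] renames both %SmartCardName% and %SmartCardNameWOW64%, yet no corresponding ATR/ATRMask change is shown for the section that writes under %SmartCardName%, so confirm that the native 64-bit key gets the new ATR too, otherwise 64-bit callers keep looking for the westcos ATR. The new device ID CID_7320006C009000 is consistent with the new ATR (T0 = 0x67 announces 7 historical bytes, and those are exactly 73 20 00 6c 00 90 00).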
> .reg
> Windows Registry Editor Version 5.00
>
> + [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Calais\SmartCards\MyKAD]
> - [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Calais\SmartCards\CEV
> WESTCOS]
> + "ATR"=hex:3b,67,00,00,73,20,00,6c,00,90,00
> - "ATR"=hex:3f,69,00,00,00,64,01,00,00,00,80,90,00
> - "ATRMask"=hex:ff,ff,ff,ff,ff,ff,ff,00,00,00,f0,ff,ff
>
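Review bot: same gap as in the .inf: the "ATRMask" line is removed and nothing replaces it, so this key also requires an exact 11-byte ATR match; keep the .reg and the .inf in step (the ATR bytes do agree here), and if a mask is added to one, add the identical mask to the other. This .reg only touches the native HKLM\SOFTWARE\Microsoft\Cryptography\Calais\SmartCards key; on 64-bit Windows a 32-bit process reads the Wow6432Node copy that the .inf's [AddRegWOW64] section writes, so a .reg applied by hand without the .inf leaves that copy unchanged.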
> I have attached the cardmod.log if you required it.
>

In line 85 of the trace:
P:13632 T:14000 pCardData:0048E4D8 CardReadFile
pszDirectoryName = mscp, pszFileName = cmapfile, dwFlags = 0, pcbData=0, *ppbData=0
check_reader_status
pCardData->hSCardCtx:0xCD010002 hScard:0xEA020000
check_reader_status r=5 flags 0x00000005
sc_pkcs15_read_certificate return 0

There is no cmapfile returned, and shortly after, the CardDeleteContext
is called.


In my version, which may be out of date (from 5/26/2011,
when I last looked at this code), a cmapfile is returned.
My trace was from a smart card login, not from certutil.exe.

P:816 T:820 pCardData:00F15700 CardReadFile
pszDirectoryName = mscp, pszFileName = cmapfile, dwFlags = 0, pcbData=0, *ppbData=0
check_reader_status
pCardData->hSCardCtx:0xCD010002 hScard:0xEA010001
check_reader_status r=5 flags 0x00000005
sc_pkcs15_read_certificate return 0
Guid={31323334-3536-3738-390c-075480510916}
cmapfile entry 0 --- 00F1FB68:86
  0000  7B003300 31003300 32003300 33003300  34002D00 33003500 33003600 2D003300
  0020  37003300 38002D00 33003900 30006300  2D003000 37003500 34003800 30003500

After this, things progress to passing the certificate back.

So it looks like some part of the minidriver is not creating the cmapfile,
maybe because it cannot find something from your card.


Look at line 832 in minidriver.c (opensc-0.12.2 version)
  if(pubkey->algorithm == SC_ALGORITHM_RSA)
is true.



> Thank you.
>
>
>
> On Tue, Jul 10, 2012 at 9:20 PM, Douglas E. Engert <[hidden email]> wrote:
>>
>>
>> On 7/10/2012 3:35 AM, Galoh Haron wrote:
>>> hello all,
>>>
>>> I found errors in running certutil -scinfo
>>> 1) Can't open the AT_SIGNATURE key for reader
>>> 2) Can't open the At_KEYEXCHANGE key for reader
>>> 3) Cannot open the key for reader
>>>
>>> A pop-up dialog shows: "A smart card was detected but is not the one
>>> required for the current operation. The smart card you are using may
>>> be missing required driver software or a required certificate".
>>
>> Sounds like the MS code is having problems using the minidriver.
>> This could be because your registry is not configured correctly
>> or your code is doing something that does not work under the minidriver.
>> The minidriver may be called during login by more than one process,
>> and by more than one thread. Depending on how your code is written this may
>> cause problems.  The minidriver may stay loaded by more than one process
>> for long times. During login, there is no HKLU registry as there is no
>> current user. This also implies that access to files is limited.
>>
>>>
>>> i can view the certificate in mozilla web browser.
>>>
>>> to minidrive everything
>>> 1) I configure the registry as per minidriver-westcos.reg
>>    Send your changes to the list.
>>
>>> 2) I configure the opensc-minidriver.inf and change the device ID
>>> according to the historical atr bytes
>>> 3) install the inf accordingly
>>
>> Send the inf changes to the list.
>>
>>>
>>> What else should I do?
>>
>> You could compile the minidriver with the CARDMOD_LOW_LEVEL_DEBUG.
>> See minidriver.c around line 100. It's only for debugging.
>> You will need to create the C:\tmp\cardmod.log and make it writable
>> by everyone.
>>
>>
>>>
>>>
>>> On Wed, Jul 4, 2012 at 6:20 PM, Viktor Tarasov <[hidden email]> wrote:
>>>> Hello,
>>>>
>>>> Le 04/07/2012 03:16, Galoh Haron a écrit :
>>>>> I guess i need to clarify the question on pkcs#15 emulator again.
>>>>>
>>>>> 1) I have created pkcs15-thecard.c and work on sc_pks15emu-thecard_init_ex
>>>>> 2) With some code's modification, the command  of opensc-tool -i, opensc-tool -a opensc -s work.
>>>>> 3) Any other steps missing for the emulator to work or perhaps a tiny miny write up for developers to work on the emulator ?
>>>>
>>>>
>>>> I would start from implementing the card driver with the basic 'sc_card_operations' handlers
>>>> and testing all the stuff with the opensc-explorer .
>>>>
>>>> Then make a list of the pre-existing objects (PINs, Pub/Priv keys, certs, data) that you wish to see exposed with the libopensc/pkcs15 API as the PKCS#15 objects.
>>>>
>>>> After that take as example some existing emulator to see how to prepare data before calling the 'sc_pkcs15emu_add_**' functions
>>>> and how to register your 'init_ex' procedure in pkcs15-syn.c .
>>>>
>>>> Then you can start the testing with the pkcs15-* tools, and finally minidriver.
>>>>
>>>>
>>>>>
>>>>> I am trying to get the minidriver to work with the pkcs#15 emulator.
>>>>> Thank you.
>>>>
>>>> Kind regards,
>>>> Viktor.
>>>>
>>>>
>>>>>
>>>>> On Mon, Jul 2, 2012 at 10:11 PM, Galoh Haron <[hidden email] <mailto:[hidden email]>> wrote:

--

  Douglas E. Engert  <[hidden email]>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444
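The .inf/.reg changes above hinge on two things Windows does with the ATR: it builds the plug-and-play device ID SCFILTER\CID_<hex> from the ATR's historical bytes, and it matches a card against each Calais\SmartCards entry by comparing the ATR under the entry's ATRMask (an exact match when no mask is present). The following C program is an added example, not OpenSC or Microsoft code; it uses the ATRs quoted in the listing above, and the "westcos card as seen in the reader" ATR is constructed here by putting the old CID's bytes into the historical-byte positions, to show why the mask mattered.

```c
/*
 * Added example, not OpenSC or Microsoft code: derive the SCFILTER\CID_
 * device ID from an ATR and apply a Calais "ATR"/"ATRMask" pair the way
 * the registry entries in this thread are consulted. The MyKAD and westcos
 * values are the ones quoted in the .inf/.reg listing; ATR_WESTCOS_CARD is
 * constructed from the old CID for illustration.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

static const uint8_t ATR_MYKAD[] =
    { 0x3b,0x67,0x00,0x00,0x73,0x20,0x00,0x6c,0x00,0x90,0x00 };
/* Registry ATR and mask from the removed westcos lines */
static const uint8_t ATR_WESTCOS_REG[] =
    { 0x3f,0x69,0x00,0x00,0x00,0x64,0x01,0x00,0x00,0x00,0x80,0x90,0x00 };
static const uint8_t ATRMASK_WESTCOS[] =
    { 0xff,0xff,0xff,0xff,0xff,0xff,0xff,0x00,0x00,0x00,0xf0,0xff,0xff };
/* Constructed: a westcos card whose historical bytes equal the old CID */
static const uint8_t ATR_WESTCOS_CARD[] =
    { 0x3f,0x69,0x00,0x00,0x00,0x64,0x01,0x81,0x01,0x0c,0x82,0x90,0x00 };

/* Walk the ISO 7816-3 ATR: TS, T0, then TA/TB/TC/TD groups as announced by
 * the Y nibbles, then K historical bytes, then TCK iff some T != 0.
 * Returns K and stores the offset of the historical bytes, or -1. */
int atr_historical(const uint8_t *atr, size_t len, size_t *off)
{
    size_t i = 2;
    int k, y, tck = 0;

    if (len < 2 || (atr[0] != 0x3B && atr[0] != 0x3F))
        return -1;
    k = atr[1] & 0x0F;           /* K: number of historical bytes */
    y = atr[1] >> 4;             /* Y1: which of TA1..TD1 follow  */
    for (;;) {
        size_t n = (y & 1) + !!(y & 2) + !!(y & 4) + !!(y & 8);
        if (i + n > len)
            return -1;
        if (!(y & 8)) {          /* no TDi: interface bytes end here */
            i += n;
            break;
        }
        if ((atr[i + n - 1] & 0x0F) != 0)
            tck = 1;             /* a protocol other than T=0: TCK present */
        y = atr[i + n - 1] >> 4; /* Y(i+1) from TDi */
        i += n;
    }
    if (i + (size_t)k + (size_t)tck != len)
        return -1;               /* truncated or trailing bytes */
    *off = i;
    return k;
}

/* CID as used in SCFILTER\CID_<hex>: the historical bytes in hex. */
int cid_from_atr(const uint8_t *atr, size_t len, char *out, size_t outlen)
{
    size_t off, j;
    int k = atr_historical(atr, len, &off);
    if (k < 0 || outlen < (size_t)k * 2 + 1)
        return -1;
    for (j = 0; j < (size_t)k; j++)
        sprintf(out + 2 * j, "%02X", atr[off + j]);
    out[2 * j] = '\0';
    return 0;
}

/* Calais match: same length and (card & mask) == (registry & mask).
 * A NULL mask means every byte must match exactly. */
int calais_atr_matches(const uint8_t *card, size_t card_len,
                       const uint8_t *reg, const uint8_t *mask, size_t reg_len)
{
    size_t i;
    if (card_len != reg_len)
        return 0;
    for (i = 0; i < reg_len; i++) {
        uint8_t m = mask ? mask[i] : 0xFF;
        if ((card[i] & m) != (reg[i] & m))
            return 0;
    }
    return 1;
}

/* Convenience: CID string of one ATR, or NULL if the ATR is malformed. */
const char *cid_of(const uint8_t *atr, size_t len)
{
    static char buf[2 * 15 + 1];   /* K is at most 15 */
    return cid_from_atr(atr, len, buf, sizeof buf) == 0 ? buf : NULL;
}

int main(void)
{
    printf("MyKAD   CID_%s\n", cid_of(ATR_MYKAD, sizeof ATR_MYKAD));
    printf("westcos CID_%s\n", cid_of(ATR_WESTCOS_CARD, sizeof ATR_WESTCOS_CARD));
    printf("westcos card vs registry, with mask: %d\n",
           calais_atr_matches(ATR_WESTCOS_CARD, sizeof ATR_WESTCOS_CARD,
                              ATR_WESTCOS_REG, ATRMASK_WESTCOS, sizeof ATR_WESTCOS_REG));
    printf("westcos card vs registry, no mask:   %d\n",
           calais_atr_matches(ATR_WESTCOS_CARD, sizeof ATR_WESTCOS_CARD,
                              ATR_WESTCOS_REG, NULL, sizeof ATR_WESTCOS_REG));
    return 0;
}
```

The MyKAD ATR yields CID_7320006C009000, the value in the new .inf lines, and the constructed westcos card yields CID_00640181010C829000, the value in the old ones, while its ATR only matches the westcos registry entry when the mask is applied. That is the check to run before dropping an ATRMask: if two cards of the same product give different CIDs, the registry entry needs a mask.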
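Douglas's trace shows the minidriver answering CardReadFile for mscp\cmapfile with one 86-byte entry whose dump starts with the container GUID as UTF-16LE text. That is the layout of a CONTAINER_MAP_RECORD from Microsoft's cardmod.h: a 40-WCHAR container name (MAX_CONTAINER_NAME_LEN 39 plus terminator), bFlags, bReserved and two WORD key sizes, which is where 86 comes from (80 + 1 + 1 + 2 + 2). The program below is an added example, not the minidriver's code: it encodes such a record, checks the result against the 64 bytes in the trace, and parses it back. The GUID text is the one in the trace (its hex groups 31 32 33 34 ... 39 are the ASCII digits '1' to '9', which looks like a card serial number folded into the container name, though the trace does not say so); the flag values are the cardmod.h constants, and the key sizes are constructed.

```c
/*
 * Added example, not OpenSC minidriver code: encode and parse one record
 * of the mscp\cmapfile that CardReadFile returns. Layout per cardmod.h's
 * CONTAINER_MAP_RECORD: 40 UTF-16LE WCHARs of container name, bFlags,
 * bReserved, wSigKeySizeBits, wKeyExchangeKeySizeBits = 86 bytes.
 * TRACE_GUID and TRACE_DUMP are copied from the trace in this thread;
 * the key sizes used below are constructed.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_CONTAINER_NAME_LEN          39
#define CONTAINER_MAP_VALID_CONTAINER    1
#define CONTAINER_MAP_DEFAULT_CONTAINER  2
#define CMAP_RECORD_SIZE                86

struct cmap_record {
    char     name[MAX_CONTAINER_NAME_LEN + 1];
    uint8_t  flags;
    uint16_t sig_key_bits;   /* 0 = no AT_SIGNATURE key in this container */
    uint16_t kx_key_bits;    /* 0 = no AT_KEYEXCHANGE key */
};

static const char TRACE_GUID[] = "{31323334-3536-3738-390c-075480510916}";
static const uint8_t TRACE_DUMP[64] = {
    0x7B,0x00,0x33,0x00,0x31,0x00,0x33,0x00,0x32,0x00,0x33,0x00,0x33,0x00,0x33,0x00,
    0x34,0x00,0x2D,0x00,0x33,0x00,0x35,0x00,0x33,0x00,0x36,0x00,0x2D,0x00,0x33,0x00,
    0x37,0x00,0x33,0x00,0x38,0x00,0x2D,0x00,0x33,0x00,0x39,0x00,0x30,0x00,0x63,0x00,
    0x2D,0x00,0x30,0x00,0x37,0x00,0x35,0x00,0x34,0x00,0x38,0x00,0x30,0x00,0x35,0x00 };

/* Serialize: name as NUL-terminated UTF-16LE in an 80-byte field, then the
 * flag byte, a zero reserved byte and two little-endian WORDs. */
int cmap_encode(const struct cmap_record *r, uint8_t *out)
{
    size_t n = strlen(r->name), i;
    if (n > MAX_CONTAINER_NAME_LEN)
        return -1;
    memset(out, 0, CMAP_RECORD_SIZE);
    for (i = 0; i < n; i++) {
        if ((unsigned char)r->name[i] > 0x7F)
            return -1;           /* ASCII only, so each WCHAR is byte,0 */
        out[2 * i] = (uint8_t)r->name[i];
    }
    out[80] = r->flags;
    out[81] = 0;                 /* bReserved */
    out[82] = (uint8_t)(r->sig_key_bits & 0xFF);
    out[83] = (uint8_t)(r->sig_key_bits >> 8);
    out[84] = (uint8_t)(r->kx_key_bits & 0xFF);
    out[85] = (uint8_t)(r->kx_key_bits >> 8);
    return 0;
}

/* Parse: rejects a name without a terminator inside the 40-WCHAR field
 * and any non-ASCII code unit, so a malformed record cannot overrun name[]. */
int cmap_decode(const uint8_t *in, struct cmap_record *r)
{
    size_t i;
    memset(r, 0, sizeof *r);
    for (i = 0; i <= MAX_CONTAINER_NAME_LEN; i++) {
        uint16_t wc = (uint16_t)(in[2 * i] | (in[2 * i + 1] << 8));
        if (wc == 0)
            break;
        if (wc > 0x7F)
            return -1;
        r->name[i] = (char)wc;
    }
    if (i > MAX_CONTAINER_NAME_LEN)
        return -1;               /* no terminator within the field */
    r->flags        = in[80];
    r->sig_key_bits = (uint16_t)(in[82] | (in[83] << 8));
    r->kx_key_bits  = (uint16_t)(in[84] | (in[85] << 8));
    return 0;
}

/* 1 if encoding `name` reproduces the 64 bytes dumped in the trace. */
int cmap_prefix_matches_trace(const char *name)
{
    struct cmap_record r;
    uint8_t buf[CMAP_RECORD_SIZE];
    memset(&r, 0, sizeof r);
    if (strlen(name) > MAX_CONTAINER_NAME_LEN)
        return 0;
    strcpy(r.name, name);
    r.flags = CONTAINER_MAP_VALID_CONTAINER | CONTAINER_MAP_DEFAULT_CONTAINER;
    r.sig_key_bits = 2048;       /* constructed: the dump stops before these */
    r.kx_key_bits = 2048;
    if (cmap_encode(&r, buf) != 0)
        return 0;
    return memcmp(buf, TRACE_DUMP, sizeof TRACE_DUMP) == 0;
}

/* 1 if encode followed by decode returns exactly what went in. */
int cmap_roundtrip(const char *name, uint8_t flags, uint16_t sig, uint16_t kx)
{
    struct cmap_record in, out;
    uint8_t buf[CMAP_RECORD_SIZE];
    memset(&in, 0, sizeof in);
    if (strlen(name) > MAX_CONTAINER_NAME_LEN)
        return 0;
    strcpy(in.name, name);
    in.flags = flags;
    in.sig_key_bits = sig;
    in.kx_key_bits = kx;
    if (cmap_encode(&in, buf) != 0 || cmap_decode(buf, &out) != 0)
        return 0;
    return strcmp(in.name, out.name) == 0 && in.flags == out.flags
        && in.sig_key_bits == out.sig_key_bits && in.kx_key_bits == out.kx_key_bits;
}

/* 1 if a 40-WCHAR name with no terminator is rejected by cmap_decode. */
int cmap_rejects_unterminated(void)
{
    struct cmap_record r;
    uint8_t buf[CMAP_RECORD_SIZE];
    size_t i;
    memset(buf, 0, sizeof buf);
    for (i = 0; i <= MAX_CONTAINER_NAME_LEN; i++)
        buf[2 * i] = 'A';
    return cmap_decode(buf, &r) == -1;
}

int main(void)
{
    printf("trace prefix reproduced: %d\n", cmap_prefix_matches_trace(TRACE_GUID));
    printf("roundtrip ok: %d\n", cmap_roundtrip(TRACE_GUID, 3, 2048, 2048));
    printf("unterminated rejected: %d\n", cmap_rejects_unterminated());
    return 0;
}
```

A minidriver that returns no record, or a record with both key sizes zero, gives the CSP nothing to open, which is what "Can't open the AT_SIGNATURE key" and "Can't open the AT_KEYEXCHANGE key" from certutil -scinfo look like from the outside; so when the cmapfile read in the trace comes back empty, the first thing to confirm is that the code building these records found a key object to describe.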



Re: PKCS#15 Emulator

Galoh Haron
I will work on it this week.

By the way, how do you test your minidriver besides the command certutil -scinfo?
Card Minidriver Certification Kit?

Thanks Douglas.




On Wed, Jul 11, 2012 at 11:27 PM, Douglas E. Engert <[hidden email]> wrote:

>
>
> On 7/10/2012 8:19 PM, Galoh Haron wrote:
>>
>> Douglas,
>>
>> here is the changes list that i have made for the opensc-minidrver.inf
>> and .minidriver-westcos.reg
>>
>> .inf
>>
>> [Minidriver.NTamd64]
>> + %CardDeviceName%=Minidriver64_Install,SCFILTER\CID_7320006C009000
>> - %CardDeviceName%=Minidriver64_Install,SCFILTER\CID_00640181010c829000
>>
>> [Minidriver.NTx86]
>> + %CardDeviceName%=Minidriver32_Install,SCFILTER\CID_7320006C009000
>> - %CardDeviceName%=Minidriver32_Install,SCFILTER\CID_00640181010c829000
>>
>> [Minidriver.NTamd64.6.1]
>> + %CardDeviceName%=Minidriver64_61_Install,SCFILTER\CID_7320006C009000
>> - %CardDeviceName%=Minidriver64_61_Install,SCFILTER\CID_00640181010c829000
>>
>> [AddRegWOW64]
>> + HKLM,
>> %SmartCardNameWOW64%,"ATR",0x00000001,3b,67,00,00,73,20,00,6c,00,90,00
>> - HKLM,
>> %SmartCardNameWOW64%,"ATR",0x00000001,3f,69,00,00,00,64,01,00,00,00,80,90,00
>> - HKLM,
>> %SmartCardNameWOW64%,"ATRMask",0x00000001,ff,ff,ff,ff,ff,ff,ff,00,00,00,f0,ff,ff
>>
>> [Strings]
>> +SmartCardName="SOFTWARE\Microsoft\Cryptography\Calais\SmartCards\MyKAD"
>> - SmartCardName="SOFTWARE\Microsoft\Cryptography\Calais\SmartCards\Cev
>> Westcos"
>>
>> +SmartCardNameWOW64="SOFTWARE\Wow6432Node\Microsoft\Cryptography\Calais\SmartCards\MyKAD"
>> -
>> SmartCardNameWOW64="SOFTWARE\Wow6432Node\Microsoft\Cryptography\Calais\SmartCards\Cev
>> Westcos"
>>
>> .reg
>> Windows Registry Editor Version 5.00
>>
>> +
>> [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Calais\SmartCards\MyKAD]
>> -
>> [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Calais\SmartCards\CEV
>> WESTCOS]
>> + "ATR"=hex:3b,67,00,00,73,20,00,6c,00,90,00
>> - "ATR"=hex:3f,69,00,00,00,64,01,00,00,00,80,90,00
>> - "ATRMask"=hex:ff,ff,ff,ff,ff,ff,ff,00,00,00,f0,ff,ff
>>
>> I have attached the cardmod.log if you required it.
>>
>
> In line 85 of the trace:
>
> P:13632 T:14000 pCardData:0048E4D8 CardReadFile
> pszDirectoryName = mscp, pszFileName = cmapfile, dwFlags = 0, pcbData=0,
> *ppbData=0
> check_reader_status
> pCardData->hSCardCtx:0xCD010002 hScard:0xEA020000
> check_reader_status r=5 flags 0x00000005
> sc_pkcs15_read_certificate return 0
>
> There is no cmapfile returned, and shortly after, the CardDeleteContext
> is called.
>
>
> In my version that may be out of date from 5/26/2011,
> when I last  looked at this code, a cmapfile is returned,
> My trace was from  a smart card login, and not from certutil.exe
>
> P:816 T:820 pCardData:00F15700 CardReadFile
>
> pszDirectoryName = mscp, pszFileName = cmapfile, dwFlags = 0, pcbData=0,
> *ppbData=0
> check_reader_status
> pCardData->hSCardCtx:0xCD010002 hScard:0xEA010001
>
> check_reader_status r=5 flags 0x00000005
> sc_pkcs15_read_certificate return 0
> Guid={31323334-3536-3738-390c-075480510916}
> cmapfile entry 0 --- 00F1FB68:86
>  0000  7B003300 31003300 32003300 33003300  34002D00 33003500 33003600
> 2D003300
>  0020  37003300 38002D00 33003900 30006300  2D003000 37003500 34003800
> 30003500
>
> After this things progress to passing he certificate back.
>
> So it looks like some of the minidriver is not creating the cmapfile,
> maybe because it can not find something form your card.
>
>
> Look at line 832 in minidriver.c (opensc-0.12.2 version)
>  if(pubkey->algorithm == SC_ALGORITHM_RSA)
> is true.
>
>
>
>> Thank you.
>>
>>
>>
>> On Tue, Jul 10, 2012 at 9:20 PM, Douglas E. Engert <[hidden email]>
>> wrote:
>>>
>>>
>>>
>>> On 7/10/2012 3:35 AM, Galoh Haron wrote:
>>>>
>>>> hello all,
>>>>
>>>> I found errors in running certutil -scinfo
>>>> 1) Can't open the AT_SIGNATURE key for reader
>>>> 2) Can't open the At_KEYEXCHANGE key for reader
>>>> 3) Cannot open the key for reader
>>>>
>>>> A pops dialog show .." A smart card was detected but is not the one
>>>> required for the current operation. The smart card you are using may
>>>> be missing required driver software or a required certificate".
>>>
>>>
>>> Sounds like  the MS code is having problems using the minidriver.
>>> This could be because your registry is not configured correctly
>>> or you code is doing something that does not work under the minidriver.
>>> The minidriver may be called during login by more then one process,
>>> and by more then one thread. Depending on how your code is written this
>>> may
>>> cause problems.  The minidriver may stay loaded by more then one process
>>> for long times. During login, there is no HKLU registry as there is no
>>> current user. This also implies that access to files is limited.
>>>
>>>>
>>>> i can view the certificate in mozilla web browser.
>>>>
>>>> to minidrive everything
>>>> 1) I configure the registry as per minidriver-westcost.reg
>>>
>>>    Send your changes to the list.
>>>
>>>> 2) I configure the opensc-minidriver.inf and change the device ID
>>>> according to the historical atr bytes
>>>> 3) install the inf accordingly
>>>
>>>
>>> Send the inf changes to the list.
>>>
>>>>
>>>> what else should i do.?
>>>
>>>
>>> You could compile the mindriver with the CARDMOD_LOW_LEVEL_DEBUG
>>> See minidriver.c around line 100. Its only for debugging.
>>> You will need to create the C:\tmp\cardmod.log and make it writable
>>> by everyone.
>>>
>>>
>>>>
>>>>
>>>> On Wed, Jul 4, 2012 at 6:20 PM, Viktor Tarasov
>>>> <[hidden email]> wrote:
>>>>>
>>>>> Hello,
>>>>>
>>>>> Le 04/07/2012 03:16, Galoh Haron a écrit :
>>>>>>
>>>>>> I guess i need to clarify the question on pkcs#15 emulator again.
>>>>>>
>>>>>> 1) I have created pkcs15-thecard.c and work on
>>>>>> sc_pks15emu-thecard_init_ex
>>>>>> 2) With some code's modification, the command  of opensc-tool -i,
>>>>>> opensc-tool -a opensc -s work.
>>>>>> 3) Any other steps missing for the emulator to work or perhaps a tiny
>>>>>> miny write up for developers to work on the emulator ?
>>>>>
>>>>>
>>>>>
>>>>> I would start from implementing the card driver with the basic
>>>>> 'sc_card_operations' handlers
>>>>> and testing all the stuff with the opensc-explorer .
>>>>>
>>>>> Then make a list of the pre-existing objects (PINs, Pub/Priv keys,
>>>>> certs, data) that you wish to see exposed with the libopensc/pkcs15 API as
>>>>> the PKCS#15 objects.
>>>>>
>>>>> After that take as example some existing emulator to see how to prepare
>>>>> data before calling the 'sc_pkcs15emu_add_**' functions
>>>>> and host to register your 'init_ex' procedure in pkcs15-syn.c .
>>>>>
>>>>> Then your can start the testing with the pkcs15-* tools, and finally
>>>>> minidriver.
>>>>>
>>>>>
>>>>>>
>>>>>> I am trying to get the minidriver to work with the pkcs#15 emulator.
>>>>>> Thank you.
>>>>>
>>>>>
>>>>> Kind regards,
>>>>> Viktor.
>>>>>
>>>>>
>>>>>>
>>>>>> On Mon, Jul 2, 2012 at 10:11 PM, Galoh Haron <[hidden email]
>>>>>> <mailto:[hidden email]>> wrote:
>>>>>>
>>>>>>       Hello,
>>>>>>
>>>>>>       I am trying to emulate a non pkcs#15  smart card with no support
>>>>>> for MF selection.
>>>>>>       How to test the emulation works?
>>>>>>       Because when i tried to run command pkcs15-tool -r 00, i
>>>>>> received
>>>>>>       "Certificate read failed: Invalid ASN.1 object"
>>>>>>
>>>>>>       Based on the log,
>>>>>>
>>>>>>       2012-07-02 22:06:20.293 [pkcs15-tool]
>>>>>> reader-pcsc.c:176:pcsc_internal_transmit: called
>>>>>>       2012-07-02 22:06:20.340
>>>>>>       Incoming APDU data [   17 bytes]
>>>>>> =====================================
>>>>>>       84 E4 6C BA 08 7C 97 35 05 07 F1 DA 37 4E B2 90 ..l..|.5....7N..
>>>>>>       00                                              .
>>>>>>
>>>>>> ======================================================================
>>>>>>       2012-07-02 22:06:20.340 [pkcs15-tool] card.c:330:sc_unlock:
>>>>>> called
>>>>>>       2012-07-02 22:06:20.340 [pkcs15-tool]
>>>>>> card-mykad.c:506:mykad_check_sw: called
>>>>>>       2012-07-02 22:06:20.340 certificate size is 1035
>>>>>>       2012-07-02 22:06:20.340 called, left=1031, depth 0
>>>>>>       2012-07-02 22:06:20.340 Looking for 'tbsCertificate', tag
>>>>>> 0x1000010
>>>>>>       2012-07-02 22:06:20.340 decoding 'tbsCertificate'
>>>>>>       2012-07-02 22:06:20.340  called, left=880, depth 1
>>>>>>       2012-07-02 22:06:20.340 Looking for 'version', tag 0x21000000,
>>>>>> OPTIONAL
>>>>>>       2012-07-02 22:06:20.340  decoding 'version'
>>>>>>       2012-07-02 22:06:20.340   called, left=3, depth 2
>>>>>>       2012-07-02 22:06:20.340 Looking for 'version', tag 0x2
>>>>>>       2012-07-02 22:06:20.340   decoding 'version'
>>>>>>       2012-07-02 22:06:20.340   decoding 'version' returned 2
>>>>>>       2012-07-02 22:06:20.340 [pkcs15-tool] asn1.c:1394:asn1_decode:
>>>>>> returning with: 0 (Success)
>>>>>>       2012-07-02 22:06:20.340 Looking for 'serialNumber', tag 0x2
>>>>>>       2012-07-02 22:06:20.340  decoding 'serialNumber'
>>>>>>       2012-07-02 22:06:20.340 Looking for 'signature', tag 0x1000010
>>>>>>       2012-07-02 22:06:20.340  decoding 'signature'
>>>>>>       2012-07-02 22:06:20.340 Looking for 'issuer', tag 0x1000010
>>>>>>       2012-07-02 22:06:20.340  decoding 'issuer'
>>>>>>       2012-07-02 22:06:20.340 Looking for 'validity', tag 0x1000010
>>>>>>       2012-07-02 22:06:20.340  decoding 'validity'
>>>>>>       2012-07-02 22:06:20.340 Looking for 'subject', tag 0x1000010
>>>>>>       2012-07-02 22:06:20.340  decoding 'subject'
>>>>>>       2012-07-02 22:06:20.340 Looking for 'subjectPublicKeyInfo', tag
>>>>>> 0x1000010
>>>>>>       2012-07-02 22:06:20.340  decoding 'subjectPublicKeyInfo'
>>>>>>       2012-07-02 22:06:20.340 sc_pkcs15_pubkey_from_spki 013C1CEF:157
>>>>>>       2012-07-02 22:06:20.340 called, left=157, depth 0
>>>>>>       2012-07-02 22:06:20.340 Looking for 'algorithm', tag 0x1000010
>>>>>>       2012-07-02 22:06:20.340 decoding 'algorithm'
>>>>>>       2012-07-02 22:06:20.340  called, left=13, depth 1
>>>>>>       2012-07-02 22:06:20.340 Looking for 'algorithm', tag 0x6
>>>>>>       2012-07-02 22:06:20.340  decoding 'algorithm'
>>>>>>       2012-07-02 22:06:20.340 Looking for 'nullParam', tag 0x5,
>>>>>> OPTIONAL
>>>>>>       2012-07-02 22:06:20.340  decoding 'nullParam'
>>>>>>       2012-07-02 22:06:20.340 [pkcs15-tool] asn1.c:1394:asn1_decode:
>>>>>> returning with: 0 (Success)
>>>>>>       2012-07-02 22:06:20.340 Looking for 'subjectPublicKey', tag 0x3
>>>>>>       2012-07-02 22:06:20.340 decoding 'subjectPublicKey'
>>>>>>       2012-07-02 22:06:20.340 [pkcs15-tool] asn1.c:1394:asn1_decode:
>>>>>> returning with: 0 (Success)
>>>>>>       2012-07-02 22:06:20.340 DEE pk_alg.algorithm=0
>>>>>>       2012-07-02 22:06:20.340 called, left=138, depth 0
>>>>>>       2012-07-02 22:06:20.340 Looking for 'publicKeyCoefficients', tag
>>>>>> 0x1000010, OPTIONAL
>>>>>>       2012-07-02 22:06:20.340 decoding 'publicKeyCoefficients'
>>>>>>       2012-07-02 22:06:20.340  called, left=135, depth 1
>>>>>>       2012-07-02 22:06:20.340 Looking for 'modulus', tag 0x2
>>>>>>       2012-07-02 22:06:20.340  decoding 'modulus'
>>>>>>       2012-07-02 22:06:20.340 Looking for 'exponent', tag 0x2
>>>>>>       2012-07-02 22:06:20.340  decoding 'exponent'
>>>>>>       2012-07-02 22:06:20.340 [pkcs15-tool] asn1.c:1394:asn1_decode:
>>>>>> returning with: 0 (Success)
>>>>>>       2012-07-02 22:06:20.340 [pkcs15-tool] asn1.c:1394:asn1_decode:
>>>>>> returning with: 0 (Success)
>>>>>>       2012-07-02 22:06:20.340 Looking for 'extensions', tag
>>>>>> 0x21000003, OPTIONAL
>>>>>>       2012-07-02 22:06:20.340  decoding 'extensions'
>>>>>>       2012-07-02 22:06:20.340   called, left=328, depth 2
>>>>>>       2012-07-02 22:06:20.340 Looking for 'x509v3', tag 0x1000010,
>>>>>> OPTIONAL
>>>>>>       2012-07-02 22:06:20.340   decoding 'x509v3'
>>>>>>       2012-07-02 22:06:20.340    called, left=324, depth 3
>>>>>>       2012-07-02 22:06:20.340 Looking for 'certificatePolicies', tag
>>>>>> 0x1000010, OPTIONAL
>>>>>>       2012-07-02 22:06:20.340    decoding 'certificatePolicies'
>>>>>>       2012-07-02 22:06:20.340 Looking for 'subjectKeyIdentifier', tag
>>>>>> 0x1000010, OPTIONAL
>>>>>>       2012-07-02 22:06:20.340    decoding 'subjectKeyIdentifier'
>>>>>>       2012-07-02 22:06:20.340 Looking for 'crlDistributionPoints', tag
>>>>>> 0x1000010, OPTIONAL
>>>>>>       2012-07-02 22:06:20.340    decoding 'crlDistributionPoints'
>>>>>>       2012-07-02 22:06:20.340 Looking for 'authorityKeyIdentifier',
>>>>>> tag 0x1000010, OPTIONAL
>>>>>>       2012-07-02 22:06:20.340    decoding 'authorityKeyIdentifier'
>>>>>>       2012-07-02 22:06:20.340 Looking for 'keyUsage', tag 0x1000010,
>>>>>> OPTIONAL
>>>>>>       2012-07-02 22:06:20.340    decoding 'keyUsage'
>>>>>>       2012-07-02 22:06:20.340 [pkcs15-tool] asn1.c:1394:asn1_decode:
>>>>>> returning with: 0 (Success)
>>>>>>       2012-07-02 22:06:20.340 [pkcs15-tool] asn1.c:1394:asn1_decode:
>>>>>> returning with: 0 (Success)
>>>>>>       2012-07-02 22:06:20.340 [pkcs15-tool] asn1.c:1394:asn1_decode:
>>>>>> returning with: 0 (Success)
>>>>>>       2012-07-02 22:06:20.340 Looking for 'signatureAlgorithm', tag
>>>>>> 0x1000010
>>>>>>       2012-07-02 22:06:20.340 decoding 'signatureAlgorithm'
>>>>>>       2012-07-02 22:06:20.340  called, left=13, depth 1
>>>>>>       2012-07-02 22:06:20.340 Looking for 'algorithm', tag 0x6
>>>>>>       2012-07-02 22:06:20.340  decoding 'algorithm'
>>>>>>       2012-07-02 22:06:20.340 Looking for 'nullParam', tag 0x5,
>>>>>> OPTIONAL
>>>>>>       2012-07-02 22:06:20.340  decoding 'nullParam'
>>>>>>       2012-07-02 22:06:20.340 [pkcs15-tool] asn1.c:1394:asn1_decode:
>>>>>> returning with: 0 (Success)
>>>>>>       2012-07-02 22:06:20.340 Looking for 'signatureValue', tag 0x3
>>>>>>       2012-07-02 22:06:20.340 decoding 'signatureValue'
>>>>>>       2012-07-02 22:06:20.340 [pkcs15-tool] asn1.c:1394:asn1_decode:
>>>>>> returning with: 0 (Success)
>>>>>>       2012-07-02 22:06:20.340 encoding 'serialNumber'
>>>>>>       2012-07-02 22:06:20.340 type=4, tag=0x02, parm=013C0380, len=16
>>>>>>       2012-07-02 22:06:20.340 length of encoded item=18
>>>>>>       2012-07-02 22:06:20.340 [pkcs15-tool] card.c:330:sc_unlock:
>>>>>> called
>>>>>>       2012-07-02 22:06:20.340 [pkcs15-tool]
>>>>>> pkcs15.c:959:sc_pkcs15_bind: returning with: 0 (Success)
>>>>>>       2012-07-02 22:06:20.340 [pkcs15-tool]
>>>>>> pkcs15-cert.c:156:sc_pkcs15_read_certificate: called
>>>>>>       2012-07-02 22:06:20.340 X.509 certificate not found
>>>>>>       2012-07-02 22:06:20.340 [pkcs15-tool]
>>>>>> pkcs15.c:969:sc_pkcs15_unbind: called
>>>>>>       2012-07-02 22:06:20.340 [pkcs15-tool]
>>>>>> pkcs15-pin.c:596:sc_pkcs15_pincache_clear: called
>>>>>>       2012-07-02 22:06:20.340 [pkcs15-tool] card.c:330:sc_unlock:
>>>>>> called
>>>>>>       2012-07-02 22:06:20.340 [pkcs15-tool]
>>>>>> reader-pcsc.c:548:pcsc_unlock: called
>>>>>>       2012-07-02 22:06:20.340 [pkcs15-tool]
>>>>>> card.c:242:sc_disconnect_card: called
>>>>>>       2012-07-02 22:06:20.340 [pkcs15-tool]
>>>>>> reader-pcsc.c:498:pcsc_disconnect: called
>>>>>>       2012-07-02 22:06:20.542 [pkcs15-tool]
>>>>>> card.c:258:sc_disconnect_card: returning with: 0 (Success)
>>>>>>       2012-07-02 22:06:20.542 [pkcs15-tool]
>>>>>> ctx.c:738:sc_release_context: called
>>>>>>       2012-07-02 22:06:20.542 [pkcs15-tool]
>>>>>> reader-pcsc.c:736:pcsc_finish: called
>>>>>>
>>>>>>       Obviously I can't used the sc_pkcs15_read_certificate. My card
>>>>>> does not support pkcs15.
>>>>>>       Or did i misunderstand the whole pkcs#15 emulator concept?
>>>>>>
>>>>>>       -galoh
>>>>>>
>>>>>>
>>>>>>
>>>>>> _______________________________________________
>>>>>> opensc-devel mailing list
>>>>>> [hidden email]
>>>>>> http://www.opensc-project.org/mailman/listinfo/opensc-devel
>>>>>
>>>>>
>>>> _______________________________________________
>>>> opensc-devel mailing list
>>>> [hidden email]
>>>> http://www.opensc-project.org/mailman/listinfo/opensc-devel
>>>>
>>>>
>>>
>>> --
>>>
>>>    Douglas E. Engert  <[hidden email]>
>>>    Argonne National Laboratory
>>>    9700 South Cass Avenue
>>>    Argonne, Illinois  60439
>>>    (630) 252-5444
>>>
>>>
>
>
>
>
_______________________________________________
opensc-devel mailing list
[hidden email]
http://www.opensc-project.org/mailman/listinfo/opensc-devel

Re: PKCS#15 Emulator

Douglas E. Engert


On 7/12/2012 4:26 AM, Galoh Haron wrote:
> I will work on it this week.
>
> Between, how do you test your minidriver besides the command certutil -scinfo?
> Card Minidriver Certification Kit?

(1) IE to a web site supporting SSL client certs. The cert can be on the smartcard.

(2) AD Domain login is the most complicated, and requires the PC to be a member
of the domain, and have AD set up to accept smartcard login. 2003 requires
the certificate to have the msUPN otherName, and the smartcard login extension.
The runas command has a /smartcard option which makes testing login easier.

(2a) You could also use the runas /netonly /smartcard on a PC that is not
a member of the domain, and could also use a Kerberos KDC setup to use
PKINIT. (We use AD as our Kerberos KDCs, so have not tried this.)

(3) Outlook to sign and encrypt E-mail (although I don't use outlook.)

(4) Thunderbird can be built with the nsscapi.dll that will let Thunderbird
use the Microsoft certificate store, and thus the minidriver. TB has some problems
with using the trusted certs in the cert store, and this is not production code.

Since Windows 7 has a built-in driver for the PIV card (the only card I am
interested in), I don't use the minidriver much. But since I had the above environment
to test the minidriver on Vista last year, I got involved with making sure
the minidriver would work with login, and thus added the CARDMOD_LOW_LEVEL_DEBUG
to trace processes, threads, DLLs and OpenSC interactions, especially during login.

>
> Thanks Douglas.
>
>
>
>
> On Wed, Jul 11, 2012 at 11:27 PM, Douglas E. Engert <[hidden email]> wrote:
>>
>>
>> On 7/10/2012 8:19 PM, Galoh Haron wrote:
>>>
>>> Douglas,
>>>
>>> here is the list of changes that I have made for the opensc-minidriver.inf
>>> and .minidriver-westcos.reg
>>>
>>> .inf
>>>
>>> [Minidriver.NTamd64]
>>> + %CardDeviceName%=Minidriver64_Install,SCFILTER\CID_7320006C009000
>>> - %CardDeviceName%=Minidriver64_Install,SCFILTER\CID_00640181010c829000
>>>
>>> [Minidriver.NTx86]
>>> + %CardDeviceName%=Minidriver32_Install,SCFILTER\CID_7320006C009000
>>> - %CardDeviceName%=Minidriver32_Install,SCFILTER\CID_00640181010c829000
>>>
>>> [Minidriver.NTamd64.6.1]
>>> + %CardDeviceName%=Minidriver64_61_Install,SCFILTER\CID_7320006C009000
>>> - %CardDeviceName%=Minidriver64_61_Install,SCFILTER\CID_00640181010c829000
>>>
>>> [AddRegWOW64]
>>> + HKLM,
>>> %SmartCardNameWOW64%,"ATR",0x00000001,3b,67,00,00,73,20,00,6c,00,90,00
>>> - HKLM,
>>> %SmartCardNameWOW64%,"ATR",0x00000001,3f,69,00,00,00,64,01,00,00,00,80,90,00
>>> - HKLM,
>>> %SmartCardNameWOW64%,"ATRMask",0x00000001,ff,ff,ff,ff,ff,ff,ff,00,00,00,f0,ff,ff
>>>
>>> [Strings]
>>> +SmartCardName="SOFTWARE\Microsoft\Cryptography\Calais\SmartCards\MyKAD"
>>> - SmartCardName="SOFTWARE\Microsoft\Cryptography\Calais\SmartCards\Cev
>>> Westcos"
>>>
>>> +SmartCardNameWOW64="SOFTWARE\Wow6432Node\Microsoft\Cryptography\Calais\SmartCards\MyKAD"
>>> -
>>> SmartCardNameWOW64="SOFTWARE\Wow6432Node\Microsoft\Cryptography\Calais\SmartCards\Cev
>>> Westcos"
>>>
>>> .reg
>>> Windows Registry Editor Version 5.00
>>>
>>> +
>>> [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Calais\SmartCards\MyKAD]
>>> -
>>> [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Calais\SmartCards\CEV
>>> WESTCOS]
>>> + "ATR"=hex:3b,67,00,00,73,20,00,6c,00,90,00
>>> - "ATR"=hex:3f,69,00,00,00,64,01,00,00,00,80,90,00
>>> - "ATRMask"=hex:ff,ff,ff,ff,ff,ff,ff,00,00,00,f0,ff,ff
>>>
>>> I have attached the cardmod.log if you required it.
>>>
>>
>> In line 85 of the trace:
>>
>> P:13632 T:14000 pCardData:0048E4D8 CardReadFile
>> pszDirectoryName = mscp, pszFileName = cmapfile, dwFlags = 0, pcbData=0,
>> *ppbData=0
>> check_reader_status
>> pCardData->hSCardCtx:0xCD010002 hScard:0xEA020000
>> check_reader_status r=5 flags 0x00000005
>> sc_pkcs15_read_certificate return 0
>>
>> There is no cmapfile returned, and shortly after, the CardDeleteContext
>> is called.
>>
>>
>> In my version, which may be out of date (from 5/26/2011, when I last
>> looked at this code), a cmapfile is returned.
>> My trace was from a smart card login, and not from certutil.exe.
>>
>> P:816 T:820 pCardData:00F15700 CardReadFile
>>
>> pszDirectoryName = mscp, pszFileName = cmapfile, dwFlags = 0, pcbData=0,
>> *ppbData=0
>> check_reader_status
>> pCardData->hSCardCtx:0xCD010002 hScard:0xEA010001
>>
>> check_reader_status r=5 flags 0x00000005
>> sc_pkcs15_read_certificate return 0
>> Guid={31323334-3536-3738-390c-075480510916}
>> cmapfile entry 0 --- 00F1FB68:86
>>   0000  7B003300 31003300 32003300 33003300  34002D00 33003500 33003600
>> 2D003300
>>   0020  37003300 38002D00 33003900 30006300  2D003000 37003500 34003800
>> 30003500
>>
>> After this, things progress to passing the certificate back.
>>
>> So it looks like some of the minidriver is not creating the cmapfile,
>> maybe because it cannot find something from your card.
>>
>>
>> Look at line 832 in minidriver.c (opensc-0.12.2 version)
>>   if(pubkey->algorithm == SC_ALGORITHM_RSA)
>> is true.
>>
>>
>>
>>> Thank you.
>>>
>>>
>>>
>>> On Tue, Jul 10, 2012 at 9:20 PM, Douglas E. Engert <[hidden email]>
>>> wrote:
>>>>
>>>>
>>>>
>>>> On 7/10/2012 3:35 AM, Galoh Haron wrote:
>>>>>
>>>>> Hello all,
>>>>>
>>>>> I found errors in running certutil -scinfo
>>>>> 1) Can't open the AT_SIGNATURE key for reader
>>>>> 2) Can't open the At_KEYEXCHANGE key for reader
>>>>> 3) Cannot open the key for reader
>>>>>
>>>>> A pop-up dialog shows: "A smart card was detected but is not the one
>>>>> required for the current operation. The smart card you are using may
>>>>> be missing required driver software or a required certificate".
>>>>
>>>>
>>>> Sounds like the MS code is having problems using the minidriver.
>>>> This could be because your registry is not configured correctly
>>>> or your code is doing something that does not work under the minidriver.
>>>> The minidriver may be called during login by more than one process,
>>>> and by more than one thread. Depending on how your code is written this
>>>> may cause problems. The minidriver may stay loaded by more than one process
>>>> for long times. During login, there is no HKLU registry as there is no
>>>> current user. This also implies that access to files is limited.
>>>>
>>>>>
>>>>> I can view the certificate in the Mozilla web browser.
>>>>>
>>>>> To minidrive everything:
>>>>> 1) I configure the registry as per minidriver-westcos.reg
>>>>
>>>>     Send your changes to the list.
>>>>
>>>>> 2) I configure the opensc-minidriver.inf and change the device ID
>>>>> according to the historical atr bytes
>>>>> 3) install the inf accordingly
>>>>
>>>>
>>>> Send the inf changes to the list.
>>>>
>>>>>
>>>>> What else should I do?
>>>>
>>>>
>>>> You could compile the minidriver with CARDMOD_LOW_LEVEL_DEBUG.
>>>> See minidriver.c around line 100. It's only for debugging.
>>>> You will need to create C:\tmp\cardmod.log and make it writable
>>>> by everyone.
>>>>
>>>>
>>>>>
>>>>>
>>>>> On Wed, Jul 4, 2012 at 6:20 PM, Viktor Tarasov
>>>>> <[hidden email]> wrote:
>>>>>>
>>>>>> Hello,
>>>>>>
>>>>>> Le 04/07/2012 03:16, Galoh Haron a écrit :
>>>>>>>
>>>>>>> I guess I need to clarify the question on the PKCS#15 emulator again.
>>>>>>>
>>>>>>> 1) I have created pkcs15-thecard.c and work on
>>>>>>> sc_pks15emu-thecard_init_ex
>>>>>>> 2) With some code modifications, the commands opensc-tool -i,
>>>>>>> opensc-tool -a opensc -s work.
>>>>>>> 3) Any other steps missing for the emulator to work, or perhaps a tiny
>>>>>>> miny write-up for developers to work on the emulator?
>>>>>>
>>>>>>
>>>>>>
>>>>>> I would start from implementing the card driver with the basic
>>>>>> 'sc_card_operations' handlers
>>>>>> and testing all the stuff with opensc-explorer.
>>>>>>
>>>>>> Then make a list of the pre-existing objects (PINs, Pub/Priv keys,
>>>>>> certs, data) that you wish to see exposed with the libopensc/pkcs15 API as
>>>>>> the PKCS#15 objects.
>>>>>>
>>>>>> After that take as example some existing emulator to see how to prepare
>>>>>> data before calling the 'sc_pkcs15emu_add_**' functions
>>>>>> and how to register your 'init_ex' procedure in pkcs15-syn.c.
>>>>>>
>>>>>> Then you can start the testing with the pkcs15-* tools, and finally
>>>>>> the minidriver.
>>>>>>
>>>>>>
>>>>>>>
>>>>>>> I am trying to get the minidriver to work with the pkcs#15 emulator.
>>>>>>> Thank you.
>>>>>>
>>>>>>
>>>>>> Kind regards,
>>>>>> Viktor.
>>>>>>
>>>>>>
>>>>>>>
>>>>>>> On Mon, Jul 2, 2012 at 10:11 PM, Galoh Haron <[hidden email]> wrote:
>>>>>>>
>>>>>>>        Hello,
>>>>>>>
>>>>>>>        I am trying to emulate a non-PKCS#15 smart card with no support
>>>>>>> for MF selection.
>>>>>>>        How do I test that the emulation works?
>>>>>>>        Because when I tried to run the command pkcs15-tool -r 00, I
>>>>>>> received
>>>>>>>        "Certificate read failed: Invalid ASN.1 object"
>>>>>>>
>>>>>>>        Based on the log,
>>>>>>>
>>>>>>>        2012-07-02 22:06:20.293 [pkcs15-tool]
>>>>>>> reader-pcsc.c:176:pcsc_internal_transmit: called
>>>>>>>        2012-07-02 22:06:20.340
>>>>>>>        Incoming APDU data [   17 bytes]
>>>>>>> =====================================
>>>>>>>        84 E4 6C BA 08 7C 97 35 05 07 F1 DA 37 4E B2 90 ..l..|.5....7N..
>>>>>>>        00                                              .
>>>>>>>
>>>>>>> ======================================================================
>>>>>>>        2012-07-02 22:06:20.340 [pkcs15-tool] card.c:330:sc_unlock:
>>>>>>> called
>>>>>>>        2012-07-02 22:06:20.340 [pkcs15-tool]
>>>>>>> card-mykad.c:506:mykad_check_sw: called
>>>>>>>        2012-07-02 22:06:20.340 certificate size is 1035
>>>>>>>        2012-07-02 22:06:20.340 called, left=1031, depth 0
>>>>>>>        2012-07-02 22:06:20.340 Looking for 'tbsCertificate', tag
>>>>>>> 0x1000010
>>>>>>>        2012-07-02 22:06:20.340 decoding 'tbsCertificate'
>>>>>>>        2012-07-02 22:06:20.340  called, left=880, depth 1
>>>>>>>        2012-07-02 22:06:20.340 Looking for 'version', tag 0x21000000,
>>>>>>> OPTIONAL
>>>>>>>        2012-07-02 22:06:20.340  decoding 'version'
>>>>>>>        2012-07-02 22:06:20.340   called, left=3, depth 2
>>>>>>>        2012-07-02 22:06:20.340 Looking for 'version', tag 0x2
>>>>>>>        2012-07-02 22:06:20.340   decoding 'version'
>>>>>>>        2012-07-02 22:06:20.340   decoding 'version' returned 2
>>>>>>>        2012-07-02 22:06:20.340 [pkcs15-tool] asn1.c:1394:asn1_decode:
>>>>>>> returning with: 0 (Success)
>>>>>>>        2012-07-02 22:06:20.340 Looking for 'serialNumber', tag 0x2
>>>>>>>        2012-07-02 22:06:20.340  decoding 'serialNumber'
>>>>>>>        2012-07-02 22:06:20.340 Looking for 'signature', tag 0x1000010
>>>>>>>        2012-07-02 22:06:20.340  decoding 'signature'
>>>>>>>        2012-07-02 22:06:20.340 Looking for 'issuer', tag 0x1000010
>>>>>>>        2012-07-02 22:06:20.340  decoding 'issuer'
>>>>>>>        2012-07-02 22:06:20.340 Looking for 'validity', tag 0x1000010
>>>>>>>        2012-07-02 22:06:20.340  decoding 'validity'
>>>>>>>        2012-07-02 22:06:20.340 Looking for 'subject', tag 0x1000010
>>>>>>>        2012-07-02 22:06:20.340  decoding 'subject'
>>>>>>>        2012-07-02 22:06:20.340 Looking for 'subjectPublicKeyInfo', tag
>>>>>>> 0x1000010
>>>>>>>        2012-07-02 22:06:20.340  decoding 'subjectPublicKeyInfo'
>>>>>>>        2012-07-02 22:06:20.340 sc_pkcs15_pubkey_from_spki 013C1CEF:157
>>>>>>>        2012-07-02 22:06:20.340 called, left=157, depth 0
>>>>>>>        2012-07-02 22:06:20.340 Looking for 'algorithm', tag 0x1000010
>>>>>>>        2012-07-02 22:06:20.340 decoding 'algorithm'
>>>>>>>        2012-07-02 22:06:20.340  called, left=13, depth 1
>>>>>>>        2012-07-02 22:06:20.340 Looking for 'algorithm', tag 0x6
>>>>>>>        2012-07-02 22:06:20.340  decoding 'algorithm'
>>>>>>>        2012-07-02 22:06:20.340 Looking for 'nullParam', tag 0x5,
>>>>>>> OPTIONAL
>>>>>>>        2012-07-02 22:06:20.340  decoding 'nullParam'
>>>>>>>        2012-07-02 22:06:20.340 [pkcs15-tool] asn1.c:1394:asn1_decode:
>>>>>>> returning with: 0 (Success)
>>>>>>>        2012-07-02 22:06:20.340 Looking for 'subjectPublicKey', tag 0x3
>>>>>>>        2012-07-02 22:06:20.340 decoding 'subjectPublicKey'
>>>>>>>        2012-07-02 22:06:20.340 [pkcs15-tool] asn1.c:1394:asn1_decode:
>>>>>>> returning with: 0 (Success)
>>>>>>>        2012-07-02 22:06:20.340 DEE pk_alg.algorithm=0
>>>>>>>        2012-07-02 22:06:20.340 called, left=138, depth 0
>>>>>>>        2012-07-02 22:06:20.340 Looking for 'publicKeyCoefficients', tag
>>>>>>> 0x1000010, OPTIONAL
>>>>>>>        2012-07-02 22:06:20.340 decoding 'publicKeyCoefficients'
>>>>>>>        2012-07-02 22:06:20.340  called, left=135, depth 1
>>>>>>>        2012-07-02 22:06:20.340 Looking for 'modulus', tag 0x2
>>>>>>>        2012-07-02 22:06:20.340  decoding 'modulus'
>>>>>>>        2012-07-02 22:06:20.340 Looking for 'exponent', tag 0x2
>>>>>>>        2012-07-02 22:06:20.340  decoding 'exponent'
>>>>>>>        2012-07-02 22:06:20.340 [pkcs15-tool] asn1.c:1394:asn1_decode:
>>>>>>> returning with: 0 (Success)
>>>>>>>        2012-07-02 22:06:20.340 [pkcs15-tool] asn1.c:1394:asn1_decode:
>>>>>>> returning with: 0 (Success)
>>>>>>>        2012-07-02 22:06:20.340 Looking for 'extensions', tag
>>>>>>> 0x21000003, OPTIONAL
>>>>>>>        2012-07-02 22:06:20.340  decoding 'extensions'
>>>>>>>        2012-07-02 22:06:20.340   called, left=328, depth 2
>>>>>>>        2012-07-02 22:06:20.340 Looking for 'x509v3', tag 0x1000010,
>>>>>>> OPTIONAL
>>>>>>>        2012-07-02 22:06:20.340   decoding 'x509v3'
>>>>>>>        2012-07-02 22:06:20.340    called, left=324, depth 3
>>>>>>>        2012-07-02 22:06:20.340 Looking for 'certificatePolicies', tag
>>>>>>> 0x1000010, OPTIONAL
>>>>>>>        2012-07-02 22:06:20.340    decoding 'certificatePolicies'
>>>>>>>        2012-07-02 22:06:20.340 Looking for 'subjectKeyIdentifier', tag
>>>>>>> 0x1000010, OPTIONAL
>>>>>>>        2012-07-02 22:06:20.340    decoding 'subjectKeyIdentifier'
>>>>>>>        2012-07-02 22:06:20.340 Looking for 'crlDistributionPoints', tag
>>>>>>> 0x1000010, OPTIONAL
>>>>>>>        2012-07-02 22:06:20.340    decoding 'crlDistributionPoints'
>>>>>>>        2012-07-02 22:06:20.340 Looking for 'authorityKeyIdentifier',
>>>>>>> tag 0x1000010, OPTIONAL
>>>>>>>        2012-07-02 22:06:20.340    decoding 'authorityKeyIdentifier'
>>>>>>>        2012-07-02 22:06:20.340 Looking for 'keyUsage', tag 0x1000010,
>>>>>>> OPTIONAL
>>>>>>>        2012-07-02 22:06:20.340    decoding 'keyUsage'
>>>>>>>        2012-07-02 22:06:20.340 [pkcs15-tool] asn1.c:1394:asn1_decode:
>>>>>>> returning with: 0 (Success)
>>>>>>>        2012-07-02 22:06:20.340 [pkcs15-tool] asn1.c:1394:asn1_decode:
>>>>>>> returning with: 0 (Success)
>>>>>>>        2012-07-02 22:06:20.340 [pkcs15-tool] asn1.c:1394:asn1_decode:
>>>>>>> returning with: 0 (Success)
>>>>>>>        2012-07-02 22:06:20.340 Looking for 'signatureAlgorithm', tag
>>>>>>> 0x1000010
>>>>>>>        2012-07-02 22:06:20.340 decoding 'signatureAlgorithm'
>>>>>>>        2012-07-02 22:06:20.340  called, left=13, depth 1
>>>>>>>        2012-07-02 22:06:20.340 Looking for 'algorithm', tag 0x6
>>>>>>>        2012-07-02 22:06:20.340  decoding 'algorithm'
>>>>>>>        2012-07-02 22:06:20.340 Looking for 'nullParam', tag 0x5,
>>>>>>> OPTIONAL
>>>>>>>        2012-07-02 22:06:20.340  decoding 'nullParam'
>>>>>>>        2012-07-02 22:06:20.340 [pkcs15-tool] asn1.c:1394:asn1_decode:
>>>>>>> returning with: 0 (Success)
>>>>>>>        2012-07-02 22:06:20.340 Looking for 'signatureValue', tag 0x3
>>>>>>>        2012-07-02 22:06:20.340 decoding 'signatureValue'
>>>>>>>        2012-07-02 22:06:20.340 [pkcs15-tool] asn1.c:1394:asn1_decode:
>>>>>>> returning with: 0 (Success)
>>>>>>>        2012-07-02 22:06:20.340 encoding 'serialNumber'
>>>>>>>        2012-07-02 22:06:20.340 type=4, tag=0x02, parm=013C0380, len=16
>>>>>>>        2012-07-02 22:06:20.340 length of encoded item=18
>>>>>>>        2012-07-02 22:06:20.340 [pkcs15-tool] card.c:330:sc_unlock:
>>>>>>> called
>>>>>>>        2012-07-02 22:06:20.340 [pkcs15-tool]
>>>>>>> pkcs15.c:959:sc_pkcs15_bind: returning with: 0 (Success)
>>>>>>>        2012-07-02 22:06:20.340 [pkcs15-tool]
>>>>>>> pkcs15-cert.c:156:sc_pkcs15_read_certificate: called
>>>>>>>        2012-07-02 22:06:20.340 X.509 certificate not found
>>>>>>>        2012-07-02 22:06:20.340 [pkcs15-tool]
>>>>>>> pkcs15.c:969:sc_pkcs15_unbind: called
>>>>>>>        2012-07-02 22:06:20.340 [pkcs15-tool]
>>>>>>> pkcs15-pin.c:596:sc_pkcs15_pincache_clear: called
>>>>>>>        2012-07-02 22:06:20.340 [pkcs15-tool] card.c:330:sc_unlock:
>>>>>>> called
>>>>>>>        2012-07-02 22:06:20.340 [pkcs15-tool]
>>>>>>> reader-pcsc.c:548:pcsc_unlock: called
>>>>>>>        2012-07-02 22:06:20.340 [pkcs15-tool]
>>>>>>> card.c:242:sc_disconnect_card: called
>>>>>>>        2012-07-02 22:06:20.340 [pkcs15-tool]
>>>>>>> reader-pcsc.c:498:pcsc_disconnect: called
>>>>>>>        2012-07-02 22:06:20.542 [pkcs15-tool]
>>>>>>> card.c:258:sc_disconnect_card: returning with: 0 (Success)
>>>>>>>        2012-07-02 22:06:20.542 [pkcs15-tool]
>>>>>>> ctx.c:738:sc_release_context: called
>>>>>>>        2012-07-02 22:06:20.542 [pkcs15-tool]
>>>>>>> reader-pcsc.c:736:pcsc_finish: called
>>>>>>>
>>>>>>>        Obviously I can't use sc_pkcs15_read_certificate. My card
>>>>>>> does not support PKCS#15.
>>>>>>>        Or did I misunderstand the whole PKCS#15 emulator concept?
>>>>>>>
>>>>>>>        -galoh
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>
>>>>>>
>>>>>
>>>>>
>>>>
>>>>
>>>>
>>
>>
>>
>>
>
>

--

  Douglas E. Engert  <[hidden email]>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444


_______________________________________________
opensc-devel mailing list
[hidden email]
http://www.opensc-project.org/mailman/listinfo/opensc-devel
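The cmapfile entry in Douglas's trace above is 86 bytes, which is exactly the size of one CONTAINER_MAP_RECORD from the minidriver specification header (cardmod.h): a 40-WCHAR UTF-16LE container name, a flags byte, a reserved byte and two 16-bit key sizes. The Python below is an added example, not OpenSC code and not written by anyone in this thread. It builds such a record, refuses a container name that is not a full brace-delimited GUID fitting the 39-character field (a bare card serial number, for instance, is a constructed bad case here), and parses records back. The structure layout and the CONTAINER_MAP_VALID_CONTAINER / CONTAINER_MAP_DEFAULT_CONTAINER values are taken from cardmod.h; the GUID string and the 64-byte expected prefix are transcribed from the two dump lines of the trace, so the example also checks that the encoding it produces matches what the minidriver logged.

```python
"""Build and parse Windows smart card minidriver cmapfile records.

Added example, not OpenSC code. Layout of CONTAINER_MAP_RECORD as given in
the minidriver specification header (cardmod.h):

    WCHAR wszGuid[MAX_CONTAINER_NAME_LEN + 1]   # 40 WCHARs = 80 bytes, UTF-16LE
    BYTE  bFlags
    BYTE  bReserved
    WORD  wSigKeySizeBits
    WORD  wKeyExchangeKeySizeBits               # 86 bytes in total
"""
import re
import struct

MAX_CONTAINER_NAME_LEN = 39                     # cardmod.h
GUID_FIELD_BYTES = (MAX_CONTAINER_NAME_LEN + 1) * 2
RECORD_FMT = "<%dsBBHH" % GUID_FIELD_BYTES      # little-endian, no padding
RECORD_SIZE = struct.calcsize(RECORD_FMT)       # 86, as in "cmapfile entry 0 --- ...:86"

CONTAINER_MAP_VALID_CONTAINER = 0x01            # cardmod.h flag values
CONTAINER_MAP_DEFAULT_CONTAINER = 0x02

# Brace-delimited GUID string, the form OpenSC writes into wszGuid.
GUID_RE = re.compile(r"^\{[0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}\}$")

# Transcribed from the trace in this thread: the GUID that was logged and the
# first 0x40 bytes of the cmapfile entry dump (UTF-16LE text of that GUID).
TRACE_GUID = "{31323334-3536-3738-390c-075480510916}"
TRACE_DUMP_PREFIX = bytes.fromhex(
    "7B003300 31003300 32003300 33003300 34002D00 33003500 33003600 2D003300"
    "37003300 38002D00 33003900 30006300 2D003000 37003500 34003800 30003500"
)


def check_container_name(name):
    """Raise ValueError when `name` cannot be stored as a usable wszGuid."""
    if not name:
        raise ValueError("container name is empty")
    if len(name) > MAX_CONTAINER_NAME_LEN:
        raise ValueError("container name exceeds %d characters" % MAX_CONTAINER_NAME_LEN)
    if not GUID_RE.match(name):
        # Windows itself accepts other names, but a name that is not a full GUID
        # (for example a bare card serial number) usually means the code that
        # derives the container name truncated or mis-formatted it.
        raise ValueError("container name is not a {xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx} GUID: %r" % name)


def build_record(name, flags, sig_key_bits=0, kx_key_bits=0):
    """Encode one CONTAINER_MAP_RECORD (86 bytes)."""
    check_container_name(name)
    wsz_guid = name.encode("utf-16-le")         # struct pads the field with NULs
    return struct.pack(RECORD_FMT, wsz_guid, flags, 0, sig_key_bits, kx_key_bits)


def parse_record(data):
    """Decode one CONTAINER_MAP_RECORD into a dict."""
    if len(data) != RECORD_SIZE:
        raise ValueError("record must be %d bytes, got %d" % (RECORD_SIZE, len(data)))
    wsz_guid, flags, _reserved, sig_key_bits, kx_key_bits = struct.unpack(RECORD_FMT, data)
    name = wsz_guid.decode("utf-16-le").split("\x00", 1)[0]   # stop at the NUL terminator
    return {
        "name": name,
        "flags": flags,
        "valid": bool(flags & CONTAINER_MAP_VALID_CONTAINER),
        "default": bool(flags & CONTAINER_MAP_DEFAULT_CONTAINER),
        "sig_key_bits": sig_key_bits,
        "kx_key_bits": kx_key_bits,
    }


def parse_cmapfile(data):
    """Split a whole cmapfile into records; its length must be a multiple of 86."""
    if len(data) % RECORD_SIZE:
        raise ValueError("cmapfile length %d is not a multiple of %d" % (len(data), RECORD_SIZE))
    return [parse_record(data[i:i + RECORD_SIZE]) for i in range(0, len(data), RECORD_SIZE)]


def trace_prefix_matches(name):
    """True if the record built from `name` starts with the bytes seen in the trace."""
    rec = build_record(name, CONTAINER_MAP_VALID_CONTAINER)
    return rec[:len(TRACE_DUMP_PREFIX)] == TRACE_DUMP_PREFIX


if __name__ == "__main__":
    rec = build_record(TRACE_GUID, CONTAINER_MAP_VALID_CONTAINER | CONTAINER_MAP_DEFAULT_CONTAINER, 1024, 0)
    print(parse_record(rec))
    print("matches trace dump:", trace_prefix_matches(TRACE_GUID))
    for bad in ("", "123456789", "31323334-3536-3738-390c-075480510916"):   # constructed bad names
        try:
            build_record(bad, CONTAINER_MAP_VALID_CONTAINER)
        except ValueError as e:
            print("rejected:", e)
```

When a CardReadFile of mscp\cmapfile comes back empty in a cardmod.log, the first thing to check is whether the minidriver could build a name that passes check_container_name; a record whose wszGuid is short or malformed is the difference between Windows listing the container and the "key for reader" errors certutil -scinfo reports.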

Re: PKCS#15 Emulator

Galoh Haron
Thank you, Douglas... I got it.

I have run certutil -scinfo, and from there I have installed the
certificates into Internet Explorer. The previous problem was caused by
an error in creating the unique GUID: the length that I had provided
was limited to the smart card serial number.

Now the next focus is to ask the computer to read the certificates
automatically every time I insert the smart card into the reader.
Probably I will start reading on how to turn on the CNG card API to
enable the smart card propagation service.

The current status: it looks like my smart card is feeling numb with IE,
in contrast with the Mozilla web browser.

You pointed to the right error code. :)




On Thu, Jul 12, 2012 at 7:56 PM, Douglas E. Engert <[hidden email]> wrote:

>
>
> On 7/12/2012 4:26 AM, Galoh Haron wrote:
>>
>> I will work on it this week.
>>
>> Between, how do you test your minidriver besides the command certutil
>> -scinfo?
>> Card Minidriver Certification Kit?
>
>
> (1) IE to a web site supporting SSL client certs. The cert can be on the
> smartcard.
>
> (2) AD Domain login is the most complicated, and requires the PC to be a
> member of the domain, and have AD set up to accept smartcard login. 2003 requires
> the certificate to have the msUPN otherName, and the smartcard login
> extension.
> The runas command has a /smartcard option which makes testing login easier.
> The runas command has a /smartcard option which makes testing login easier.
>
> (2a) You could also use the runas /netonly /smartcard on a PC that is not
> a member of the domain, and could also use a Kerberos KDC setup to use
> PKINIT. (We use AD as our Kerberos KDCs, so have not tried this.)
>
> (3) Outlook to sign and encrypt E-mail (although I don't use outlook.)
>
> (4) Thunderbird can be built with the nsscapi.dll that will let Thunderbird
> use the Microsoft certificate store, and thus the minidriver. TB has some
> problems
> with using the trusted certs in the cert store, and this is not production
> code.
>
> Since Windows 7 has a built-in driver for the PIV card (the only card I am
> interested in), I don't use the minidriver much. But since I had the above
> environment to test the minidriver on Vista last year, I got involved with
> making sure the minidriver would work with login, and thus added the
> CARDMOD_LOW_LEVEL_DEBUG to trace processes, threads, DLLs and OpenSC
> interactions, especially during login.
>
>
>>
>> Thanks Douglas.
>>
>>
>>
>>
>> On Wed, Jul 11, 2012 at 11:27 PM, Douglas E. Engert <[hidden email]>
>> wrote:
>>>
>>>
>>>
>>> On 7/10/2012 8:19 PM, Galoh Haron wrote:
>>>>
>>>>
>>>> Douglas,
>>>>
>>>> here is the list of changes that I have made for the opensc-minidriver.inf
>>>> and .minidriver-westcos.reg
>>>>
>>>> .inf
>>>>
>>>> [Minidriver.NTamd64]
>>>> + %CardDeviceName%=Minidriver64_Install,SCFILTER\CID_7320006C009000
>>>> - %CardDeviceName%=Minidriver64_Install,SCFILTER\CID_00640181010c829000
>>>>
>>>> [Minidriver.NTx86]
>>>> + %CardDeviceName%=Minidriver32_Install,SCFILTER\CID_7320006C009000
>>>> - %CardDeviceName%=Minidriver32_Install,SCFILTER\CID_00640181010c829000
>>>>
>>>> [Minidriver.NTamd64.6.1]
>>>> + %CardDeviceName%=Minidriver64_61_Install,SCFILTER\CID_7320006C009000
>>>> -
>>>> %CardDeviceName%=Minidriver64_61_Install,SCFILTER\CID_00640181010c829000
>>>>
>>>> [AddRegWOW64]
>>>> + HKLM,
>>>> %SmartCardNameWOW64%,"ATR",0x00000001,3b,67,00,00,73,20,00,6c,00,90,00
>>>> - HKLM,
>>>>
>>>> %SmartCardNameWOW64%,"ATR",0x00000001,3f,69,00,00,00,64,01,00,00,00,80,90,00
>>>> - HKLM,
>>>>
>>>> %SmartCardNameWOW64%,"ATRMask",0x00000001,ff,ff,ff,ff,ff,ff,ff,00,00,00,f0,ff,ff
>>>>
>>>> [Strings]
>>>> +SmartCardName="SOFTWARE\Microsoft\Cryptography\Calais\SmartCards\MyKAD"
>>>> - SmartCardName="SOFTWARE\Microsoft\Cryptography\Calais\SmartCards\Cev
>>>> Westcos"
>>>>
>>>>
>>>> +SmartCardNameWOW64="SOFTWARE\Wow6432Node\Microsoft\Cryptography\Calais\SmartCards\MyKAD"
>>>> -
>>>>
>>>> SmartCardNameWOW64="SOFTWARE\Wow6432Node\Microsoft\Cryptography\Calais\SmartCards\Cev
>>>> Westcos"
>>>>
>>>> .reg
>>>> Windows Registry Editor Version 5.00
>>>>
>>>> +
>>>>
>>>> [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Calais\SmartCards\MyKAD]
>>>> -
>>>>
>>>> [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Calais\SmartCards\CEV
>>>> WESTCOS]
>>>> + "ATR"=hex:3b,67,00,00,73,20,00,6c,00,90,00
>>>> - "ATR"=hex:3f,69,00,00,00,64,01,00,00,00,80,90,00
>>>> - "ATRMask"=hex:ff,ff,ff,ff,ff,ff,ff,00,00,00,f0,ff,ff
>>>>
>>>> I have attached the cardmod.log if you required it.
>>>>
>>>
>>> In line 85 of the trace:
>>>
>>> P:13632 T:14000 pCardData:0048E4D8 CardReadFile
>>> pszDirectoryName = mscp, pszFileName = cmapfile, dwFlags = 0, pcbData=0,
>>> *ppbData=0
>>> check_reader_status
>>> pCardData->hSCardCtx:0xCD010002 hScard:0xEA020000
>>> check_reader_status r=5 flags 0x00000005
>>> sc_pkcs15_read_certificate return 0
>>>
>>> There is no cmapfile returned, and shortly after, the CardDeleteContext
>>> is called.
>>>
>>>
>>> In my version, which may be out of date (from 5/26/2011, when I last
>>> looked at this code), a cmapfile is returned.
>>> My trace was from a smart card login, and not from certutil.exe.
>>>
>>> P:816 T:820 pCardData:00F15700 CardReadFile
>>>
>>> pszDirectoryName = mscp, pszFileName = cmapfile, dwFlags = 0, pcbData=0,
>>> *ppbData=0
>>> check_reader_status
>>> pCardData->hSCardCtx:0xCD010002 hScard:0xEA010001
>>>
>>> check_reader_status r=5 flags 0x00000005
>>> sc_pkcs15_read_certificate return 0
>>> Guid={31323334-3536-3738-390c-075480510916}
>>> cmapfile entry 0 --- 00F1FB68:86
>>>   0000  7B003300 31003300 32003300 33003300  34002D00 33003500 33003600
>>> 2D003300
>>>   0020  37003300 38002D00 33003900 30006300  2D003000 37003500 34003800
>>> 30003500
>>>
>>> After this, things progress to passing the certificate back.
>>>
>>> So it looks like some of the minidriver is not creating the cmapfile,
>>> maybe because it cannot find something from your card.
>>>
>>>
>>> Look at line 832 in minidriver.c (opensc-0.12.2 version)
>>>   if(pubkey->algorithm == SC_ALGORITHM_RSA)
>>> is true.
>>>
>>>
>>>
>>>> Thank you.
>>>>
>>>>
>>>>
>>>> On Tue, Jul 10, 2012 at 9:20 PM, Douglas E. Engert <[hidden email]>
>>>> wrote:
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> On 7/10/2012 3:35 AM, Galoh Haron wrote:
>>>>>>
>>>>>>
>>>>>> Hello all,
>>>>>>
>>>>>> I found errors in running certutil -scinfo
>>>>>> 1) Can't open the AT_SIGNATURE key for reader
>>>>>> 2) Can't open the At_KEYEXCHANGE key for reader
>>>>>> 3) Cannot open the key for reader
>>>>>>
>>>>>> A pop-up dialog shows: "A smart card was detected but is not the one
>>>>>> required for the current operation. The smart card you are using may
>>>>>> be missing required driver software or a required certificate".
>>>>>
>>>>>
>>>>>
>>>>> Sounds like the MS code is having problems using the minidriver.
>>>>> This could be because your registry is not configured correctly
>>>>> or your code is doing something that does not work under the minidriver.
>>>>> The minidriver may be called during login by more than one process,
>>>>> and by more than one thread. Depending on how your code is written this
>>>>> may cause problems. The minidriver may stay loaded by more than one
>>>>> process for long times. During login, there is no HKLU registry as
>>>>> there is no current user. This also implies that access to files is limited.
>>>>>
>>>>>>
>>>>>> I can view the certificate in the Mozilla web browser.
>>>>>>
>>>>>> To minidrive everything:
>>>>>> 1) I configure the registry as per minidriver-westcos.reg
>>>>>
>>>>>
>>>>>     Send your changes to the list.
>>>>>
>>>>>> 2) I configure the opensc-minidriver.inf and change the device ID
>>>>>> according to the historical atr bytes
>>>>>> 3) install the inf accordingly
>>>>>
>>>>>
>>>>>
>>>>> Send the inf changes to the list.
>>>>>
>>>>>>
>>>>>> What else should I do?
>>>>>
>>>>>
>>>>>
>>>>> You could compile the minidriver with CARDMOD_LOW_LEVEL_DEBUG.
>>>>> See minidriver.c around line 100. It's only for debugging.
>>>>> You will need to create C:\tmp\cardmod.log and make it writable
>>>>> by everyone.
>>>>>
>>>>>
>>>>>>
>>>>>>
>>>>>> On Wed, Jul 4, 2012 at 6:20 PM, Viktor Tarasov
>>>>>> <[hidden email]> wrote:
>>>>>>>
>>>>>>>
>>>>>>> Hello,
>>>>>>>
>>>>>>> Le 04/07/2012 03:16, Galoh Haron a écrit :
>>>>>>>>
>>>>>>>>
>>>>>>>> I guess I need to clarify the question on the PKCS#15 emulator again.
>>>>>>>>
>>>>>>>> 1) I have created pkcs15-thecard.c and work on
>>>>>>>> sc_pks15emu-thecard_init_ex
>>>>>>>> 2) With some code modifications, the commands opensc-tool -i,
>>>>>>>> opensc-tool -a opensc -s work.
>>>>>>>> 3) Any other steps missing for the emulator to work, or perhaps a
>>>>>>>> tiny
>>>>>>>> miny write-up for developers to work on the emulator?
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> I would start from implementing the card driver with the basic
>>>>>>> 'sc_card_operations' handlers
>>>>>>> and testing all the stuff with opensc-explorer.
>>>>>>>
>>>>>>> Then make a list of the pre-existing objects (PINs, Pub/Priv keys,
>>>>>>> certs, data) that you wish to see exposed with the libopensc/pkcs15
>>>>>>> API as
>>>>>>> the PKCS#15 objects.
>>>>>>>
>>>>>>> After that take as example some existing emulator to see how to
>>>>>>> prepare
>>>>>>> data before calling the 'sc_pkcs15emu_add_**' functions
>>>>>>> and how to register your 'init_ex' procedure in pkcs15-syn.c.
>>>>>>>
>>>>>>> Then you can start the testing with the pkcs15-* tools, and finally
>>>>>>> the minidriver.
>>>>>>>
>>>>>>>
>>>>>>>>
>>>>>>>> I am trying to get the minidriver to work with the pkcs#15 emulator.
>>>>>>>> Thank you.
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> Kind regards,
>>>>>>> Viktor.
>>>>>>>
>>>>>>>
>>>>>>>>
>>>>>>>> On Mon, Jul 2, 2012 at 10:11 PM, Galoh Haron <[hidden email]> wrote:
>>>>>>>>
>>>>>>>>        Hello,
>>>>>>>>
>>>>>>>>        I am trying to emulate a non-PKCS#15 smart card with no
>>>>>>>> support
>>>>>>>> for MF selection.
>>>>>>>>        How do I test that the emulation works?
>>>>>>>>        Because when I tried to run the command pkcs15-tool -r 00, I
>>>>>>>> received
>>>>>>>>        "Certificate read failed: Invalid ASN.1 object"
>>>>>>>>
>>>>>>>>        Based on the log,
>>>>>>>>
>>>>>>>>        2012-07-02 22:06:20.293 [pkcs15-tool]
>>>>>>>> reader-pcsc.c:176:pcsc_internal_transmit: called
>>>>>>>>        2012-07-02 22:06:20.340
>>>>>>>>        Incoming APDU data [   17 bytes]
>>>>>>>> =====================================
>>>>>>>>        84 E4 6C BA 08 7C 97 35 05 07 F1 DA 37 4E B2 90
>>>>>>>> ..l..|.5....7N..
>>>>>>>>        00                                              .
>>>>>>>>
>>>>>>>> ======================================================================
>>>>>>>>        2012-07-02 22:06:20.340 [pkcs15-tool] card.c:330:sc_unlock: called
>>>>>>>>        2012-07-02 22:06:20.340 [pkcs15-tool] card-mykad.c:506:mykad_check_sw: called
>>>>>>>>        2012-07-02 22:06:20.340 certificate size is 1035
>>>>>>>>        2012-07-02 22:06:20.340 called, left=1031, depth 0
>>>>>>>>        2012-07-02 22:06:20.340 Looking for 'tbsCertificate', tag 0x1000010
>>>>>>>>        2012-07-02 22:06:20.340 decoding 'tbsCertificate'
>>>>>>>>        2012-07-02 22:06:20.340  called, left=880, depth 1
>>>>>>>>        2012-07-02 22:06:20.340 Looking for 'version', tag 0x21000000, OPTIONAL
>>>>>>>>        2012-07-02 22:06:20.340  decoding 'version'
>>>>>>>>        2012-07-02 22:06:20.340   called, left=3, depth 2
>>>>>>>>        2012-07-02 22:06:20.340 Looking for 'version', tag 0x2
>>>>>>>>        2012-07-02 22:06:20.340   decoding 'version'
>>>>>>>>        2012-07-02 22:06:20.340   decoding 'version' returned 2
>>>>>>>>        2012-07-02 22:06:20.340 [pkcs15-tool] asn1.c:1394:asn1_decode: returning with: 0 (Success)
>>>>>>>>        2012-07-02 22:06:20.340 Looking for 'serialNumber', tag 0x2
>>>>>>>>        2012-07-02 22:06:20.340  decoding 'serialNumber'
>>>>>>>>        2012-07-02 22:06:20.340 Looking for 'signature', tag 0x1000010
>>>>>>>>        2012-07-02 22:06:20.340  decoding 'signature'
>>>>>>>>        2012-07-02 22:06:20.340 Looking for 'issuer', tag 0x1000010
>>>>>>>>        2012-07-02 22:06:20.340  decoding 'issuer'
>>>>>>>>        2012-07-02 22:06:20.340 Looking for 'validity', tag 0x1000010
>>>>>>>>        2012-07-02 22:06:20.340  decoding 'validity'
>>>>>>>>        2012-07-02 22:06:20.340 Looking for 'subject', tag 0x1000010
>>>>>>>>        2012-07-02 22:06:20.340  decoding 'subject'
>>>>>>>>        2012-07-02 22:06:20.340 Looking for 'subjectPublicKeyInfo', tag 0x1000010
>>>>>>>>        2012-07-02 22:06:20.340  decoding 'subjectPublicKeyInfo'
>>>>>>>>        2012-07-02 22:06:20.340 sc_pkcs15_pubkey_from_spki 013C1CEF:157
>>>>>>>>        2012-07-02 22:06:20.340 called, left=157, depth 0
>>>>>>>>        2012-07-02 22:06:20.340 Looking for 'algorithm', tag 0x1000010
>>>>>>>>        2012-07-02 22:06:20.340 decoding 'algorithm'
>>>>>>>>        2012-07-02 22:06:20.340  called, left=13, depth 1
>>>>>>>>        2012-07-02 22:06:20.340 Looking for 'algorithm', tag 0x6
>>>>>>>>        2012-07-02 22:06:20.340  decoding 'algorithm'
>>>>>>>>        2012-07-02 22:06:20.340 Looking for 'nullParam', tag 0x5, OPTIONAL
>>>>>>>>        2012-07-02 22:06:20.340  decoding 'nullParam'
>>>>>>>>        2012-07-02 22:06:20.340 [pkcs15-tool] asn1.c:1394:asn1_decode: returning with: 0 (Success)
>>>>>>>>        2012-07-02 22:06:20.340 Looking for 'subjectPublicKey', tag 0x3
>>>>>>>>        2012-07-02 22:06:20.340 decoding 'subjectPublicKey'
>>>>>>>>        2012-07-02 22:06:20.340 [pkcs15-tool] asn1.c:1394:asn1_decode: returning with: 0 (Success)
>>>>>>>>        2012-07-02 22:06:20.340 DEE pk_alg.algorithm=0
>>>>>>>>        2012-07-02 22:06:20.340 called, left=138, depth 0
>>>>>>>>        2012-07-02 22:06:20.340 Looking for 'publicKeyCoefficients', tag 0x1000010, OPTIONAL
>>>>>>>>        2012-07-02 22:06:20.340 decoding 'publicKeyCoefficients'
>>>>>>>>        2012-07-02 22:06:20.340  called, left=135, depth 1
>>>>>>>>        2012-07-02 22:06:20.340 Looking for 'modulus', tag 0x2
>>>>>>>>        2012-07-02 22:06:20.340  decoding 'modulus'
>>>>>>>>        2012-07-02 22:06:20.340 Looking for 'exponent', tag 0x2
>>>>>>>>        2012-07-02 22:06:20.340  decoding 'exponent'
>>>>>>>>        2012-07-02 22:06:20.340 [pkcs15-tool] asn1.c:1394:asn1_decode: returning with: 0 (Success)
>>>>>>>>        2012-07-02 22:06:20.340 [pkcs15-tool] asn1.c:1394:asn1_decode: returning with: 0 (Success)
>>>>>>>>        2012-07-02 22:06:20.340 Looking for 'extensions', tag 0x21000003, OPTIONAL
>>>>>>>>        2012-07-02 22:06:20.340  decoding 'extensions'
>>>>>>>>        2012-07-02 22:06:20.340   called, left=328, depth 2
>>>>>>>>        2012-07-02 22:06:20.340 Looking for 'x509v3', tag 0x1000010, OPTIONAL
>>>>>>>>        2012-07-02 22:06:20.340   decoding 'x509v3'
>>>>>>>>        2012-07-02 22:06:20.340    called, left=324, depth 3
>>>>>>>>        2012-07-02 22:06:20.340 Looking for 'certificatePolicies', tag 0x1000010, OPTIONAL
>>>>>>>>        2012-07-02 22:06:20.340    decoding 'certificatePolicies'
>>>>>>>>        2012-07-02 22:06:20.340 Looking for 'subjectKeyIdentifier', tag 0x1000010, OPTIONAL
>>>>>>>>        2012-07-02 22:06:20.340    decoding 'subjectKeyIdentifier'
>>>>>>>>        2012-07-02 22:06:20.340 Looking for 'crlDistributionPoints', tag 0x1000010, OPTIONAL
>>>>>>>>        2012-07-02 22:06:20.340    decoding 'crlDistributionPoints'
>>>>>>>>        2012-07-02 22:06:20.340 Looking for 'authorityKeyIdentifier', tag 0x1000010, OPTIONAL
>>>>>>>>        2012-07-02 22:06:20.340    decoding 'authorityKeyIdentifier'
>>>>>>>>        2012-07-02 22:06:20.340 Looking for 'keyUsage', tag 0x1000010, OPTIONAL
>>>>>>>>        2012-07-02 22:06:20.340    decoding 'keyUsage'
>>>>>>>>        2012-07-02 22:06:20.340 [pkcs15-tool] asn1.c:1394:asn1_decode: returning with: 0 (Success)
>>>>>>>>        2012-07-02 22:06:20.340 [pkcs15-tool] asn1.c:1394:asn1_decode: returning with: 0 (Success)
>>>>>>>>        2012-07-02 22:06:20.340 [pkcs15-tool] asn1.c:1394:asn1_decode: returning with: 0 (Success)
>>>>>>>>        2012-07-02 22:06:20.340 Looking for 'signatureAlgorithm', tag 0x1000010
>>>>>>>>        2012-07-02 22:06:20.340 decoding 'signatureAlgorithm'
>>>>>>>>        2012-07-02 22:06:20.340  called, left=13, depth 1
>>>>>>>>        2012-07-02 22:06:20.340 Looking for 'algorithm', tag 0x6
>>>>>>>>        2012-07-02 22:06:20.340  decoding 'algorithm'
>>>>>>>>        2012-07-02 22:06:20.340 Looking for 'nullParam', tag 0x5, OPTIONAL
>>>>>>>>        2012-07-02 22:06:20.340  decoding 'nullParam'
>>>>>>>>        2012-07-02 22:06:20.340 [pkcs15-tool] asn1.c:1394:asn1_decode: returning with: 0 (Success)
>>>>>>>>        2012-07-02 22:06:20.340 Looking for 'signatureValue', tag 0x3
>>>>>>>>        2012-07-02 22:06:20.340 decoding 'signatureValue'
>>>>>>>>        2012-07-02 22:06:20.340 [pkcs15-tool] asn1.c:1394:asn1_decode: returning with: 0 (Success)
>>>>>>>>        2012-07-02 22:06:20.340 encoding 'serialNumber'
>>>>>>>>        2012-07-02 22:06:20.340 type=4, tag=0x02, parm=013C0380, len=16
>>>>>>>>        2012-07-02 22:06:20.340 length of encoded item=18
>>>>>>>>        2012-07-02 22:06:20.340 [pkcs15-tool] card.c:330:sc_unlock: called
>>>>>>>>        2012-07-02 22:06:20.340 [pkcs15-tool] pkcs15.c:959:sc_pkcs15_bind: returning with: 0 (Success)
>>>>>>>>        2012-07-02 22:06:20.340 [pkcs15-tool] pkcs15-cert.c:156:sc_pkcs15_read_certificate: called
>>>>>>>>        2012-07-02 22:06:20.340 X.509 certificate not found
>>>>>>>>        2012-07-02 22:06:20.340 [pkcs15-tool] pkcs15.c:969:sc_pkcs15_unbind: called
>>>>>>>>        2012-07-02 22:06:20.340 [pkcs15-tool] pkcs15-pin.c:596:sc_pkcs15_pincache_clear: called
>>>>>>>>        2012-07-02 22:06:20.340 [pkcs15-tool] card.c:330:sc_unlock: called
>>>>>>>>        2012-07-02 22:06:20.340 [pkcs15-tool] reader-pcsc.c:548:pcsc_unlock: called
>>>>>>>>        2012-07-02 22:06:20.340 [pkcs15-tool] card.c:242:sc_disconnect_card: called
>>>>>>>>        2012-07-02 22:06:20.340 [pkcs15-tool] reader-pcsc.c:498:pcsc_disconnect: called
>>>>>>>>        2012-07-02 22:06:20.542 [pkcs15-tool] card.c:258:sc_disconnect_card: returning with: 0 (Success)
>>>>>>>>        2012-07-02 22:06:20.542 [pkcs15-tool] ctx.c:738:sc_release_context: called
>>>>>>>>        2012-07-02 22:06:20.542 [pkcs15-tool] reader-pcsc.c:736:pcsc_finish: called
>>>>>>>>
>>>>>>>>        Obviously I can't use sc_pkcs15_read_certificate. My card
>>>>>>>> does not support pkcs15.
>>>>>>>>        Or did I misunderstand the whole pkcs#15 emulator concept?
>>>>>>>>
>>>>>>>>        -galoh
>>>>>>>>
>>>>>>>>
>>>>>>>>
>>>>>>>> _______________________________________________
>>>>>>>> opensc-devel mailing list
>>>>>>>> [hidden email]
>>>>>>>> http://www.opensc-project.org/mailman/listinfo/opensc-devel
>>>>>>>
>>>>>
>>>>> --
>>>>>
>>>>>     Douglas E. Engert  <[hidden email]>
>>>>>     Argonne National Laboratory
>>>>>     9700 South Cass Avenue
>>>>>     Argonne, Illinois  60439
>>>>>     (630) 252-5444
>>>>>
>>>
>>>
>>>
>>> --
>>>
>>>   Douglas E. Engert  <[hidden email]>
>>>   Argonne National Laboratory
>>>   9700 South Cass Avenue
>>>   Argonne, Illinois  60439
>>>   (630) 252-5444
>>>
>>>
>>
>>
>
> --
>
>  Douglas E. Engert  <[hidden email]>
>  Argonne National Laboratory
>  9700 South Cass Avenue
>  Argonne, Illinois  60439
>  (630) 252-5444
>
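The quoted trace walks the certificate one TLV at a time and reports how many bytes remain at each nesting level ("called, left=N, depth k") before it ever reaches sc_pkcs15_read_certificate. The following is an added example, not OpenSC's code: a minimal DER walker that produces the same (depth, tag, length) view for a constructed certificate skeleton, and rejects a blob whose declared length overruns the bytes left, the check a decoder must make on anything read from an unknown card.

```python
# Added example, not OpenSC code. Walks DER TLVs and reports (depth, tag, length)
# like the quoted trace; the certificate skeleton below is constructed, not read from a card.

def tlv(tag: int, value: bytes) -> bytes:
    """Encode one TLV; sample values are < 128 bytes, so the short length form suffices."""
    assert len(value) < 0x80
    return bytes([tag, len(value)]) + value

def walk(data: bytes, depth: int = 0, out=None) -> list:
    """Return [(depth, tag, length)] for every TLV; raise ValueError on a length overrun."""
    out = [] if out is None else out
    pos = 0
    while pos < len(data):
        tag = data[pos]
        if (tag & 0x1F) == 0x1F:
            raise ValueError("high tag numbers not handled")
        if pos + 1 >= len(data):
            raise ValueError("truncated length octet")
        first = data[pos + 1]
        pos += 2
        if first & 0x80:                     # long form: 0x8N followed by N length bytes
            n = first & 0x7F
            if n == 0 or pos + n > len(data):
                raise ValueError("bad long-form length")
            length = int.from_bytes(data[pos:pos + n], "big")
            pos += n
        else:
            length = first
        if pos + length > len(data):         # declared length exceeds what is left
            raise ValueError(f"tag 0x{tag:02x}: len {length} > left={len(data) - pos}")
        out.append((depth, tag, length))
        if tag & 0x20:                       # constructed: descend into the contents
            walk(data[pos:pos + length], depth + 1, out)
        pos += length
    return out

def is_valid_der(data: bytes) -> bool:
    try:
        walk(data)
        return True
    except ValueError:
        return False

# Constructed skeleton with the fields the trace names first: [0] version,
# a 16-byte serialNumber, signatureAlgorithm (OID + NULL) and signatureValue.
VERSION = tlv(0xA0, tlv(0x02, b"\x02"))                   # [0] EXPLICIT INTEGER 2 (v3)
SERIAL = tlv(0x02, bytes(range(1, 17)))                   # 16-byte value encodes to 18 bytes
SIG_ALG = tlv(0x30, tlv(0x06, bytes.fromhex("2a864886f70d01010b")) + tlv(0x05, b""))
SAMPLE = tlv(0x30, tlv(0x30, VERSION + SERIAL) + SIG_ALG + tlv(0x03, b"\x00" + b"\xaa" * 8))
```

Dropping the last few bytes of SAMPLE, or hand-editing a length octet, makes is_valid_der return False before any field is interpreted.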