Re: cryptomate64 support


Re: cryptomate64 support

Carsten
>>On 24.04.2015, Pierre LADEN wrote:
>>
>>Hi,
>>
>>Just wanted to let you know the end of the story; it might help other "lost" users.
>>
>>ACS sent us a "Linux client kit" which provides a PKCS#11 lib for their tokens.
>>The provided admin tool works quite well with Linux, allowing one to manage the tokens.
>>SSH client, or a PKCS#11-compliant browser, are working too, with that same lib.
>>
>>Unfortunately the library (libacospkcs11.so) is not open source, and ACS does not seem to provide a full open source OpenSC module.
>>
>>Regards,
>>Pierre


Hi all,
the existence of a "Linux client kit" is good news for me, another "lost" user.
I tried to implement an "acos5_64" driver for CryptoMate64 with some success, but I'm stuck finishing it.
What I can do, and did, is implement any functionality the reference manual exposes (except secure messaging so far), but I don't know anymore how to integrate that into the OpenSC framework.
After many hours of spare time spent on this open source project, I'm at the point of deciding either to give up and buy, or to continue with substantial help/co-working/take-over from/by somebody interested.


As an example of what is working (opensc-tool seems complete, opensc-explorer seems read-only complete), a listing of pkcs11-tool:
(The contents of my USB token have been set up based on an initialization with my employer's Windows client kit, populated/extended manually with 4 RSA keys, ODF, AODF, PrKDF, PuKDF, CDF (experimental, self-signed); the PKCS#15 structure seems to be readable by OpenSC):

carsten@tux:~$ pkcs11-tool --module=/usr/lib/pkcs11/pkcs11-spy.so -lt
Using slot 1 with a present token (0x1)
Logging in to "(unknown) (Basic PIN)".
Please enter User PIN:  
C_SeedRandom() and C_GenerateRandom():
 seeding (C_SeedRandom) not supported
 seems to be OK
Digests:
 all 4 digest functions seem to work
 MD5: OK
 SHA-1: OK
 RIPEMD160: OK
Signatures (currently only RSA signatures)
 testing key 0 (DecryptSignenL)  
 all 4 signature functions seem to work
 testing signature mechanisms:
   RSA-X-509: OK
   RSA-PKCS: OK
   SHA1-RSA-PKCS: OK
   SHA256-RSA-PKCS: OK
 testing key 1 (1790 bits, label=DecryptSignenS) with 1 signature mechanism
 testing key 2 (4096 bits, label=Decrypten) with 1 signature mechanism -- can't be used to sign/verify, skipping
 testing key 3 (4095 bits, label=Signen) with 1 signature mechanism
Verify (currently only for RSA):
 testing key 0 (DecryptSignenL)
   RSA-X-509: OK
   RSA-PKCS: OK
   SHA1-RSA-PKCS: OK
 testing key 1 (DecryptSignenS) with 1 mechanism
   RSA-X-509: OK
 testing key 2 (Decrypten) with 1 mechanism -- can't be used to sign/verify, skipping
 testing key 3 (Signen) with 1 mechanism
   RSA-X-509:   ERR: verification failed  ERR: C_Verify() returned CKR_SIGNATURE_INVALID (0xc0)
Unwrap: not implemented
Decryption (RSA)
 testing key 0 (DecryptSignenL)  
   RSA-X-509: OK
   RSA-PKCS: OK
 testing key 1 (DecryptSignenS)  
   RSA-X-509: OK
   RSA-PKCS: OK
 testing key 2 (Decrypten)  
   RSA-X-509: OK
   RSA-PKCS: OK
 testing key 3 (Signen)  -- can't be used to decrypt, skipping
2 errors

Surprisingly, the first real world application, using OpenSSH with the token, now suddenly does work, maybe due to upgrading to Ubuntu 15.04.
carsten@tux:~$ ssh-add -L
The agent has no identities.
carsten@tux:~$ ssh-add -s /usr/lib/pkcs11/opensc-pkcs11.so
Enter passphrase for PKCS#11:  
Card added: /usr/lib/pkcs11/opensc-pkcs11.so
carsten@tux:~$ ssh-add -l
4095 0b:b5:ce:fe:ec:b9:c9:41:49:b2:a8:10:6f:ae:83:b0 /usr/lib/pkcs11/opensc-pkcs11.so (RSA)
4095 3f:a8:b8:ed:90:04:98:2b:00:d6:10:dc:ce:a3:ec:2c /usr/lib/pkcs11/opensc-pkcs11.so (RSA)
1790 f6:da:8c:a3:cd:72:fb:6b:da:8c:51:d5:b9:c5:70:d9 /usr/lib/pkcs11/opensc-pkcs11.so (RSA)
4096 d9:37:92:15:0b:41:50:0d:25:a1:ef:04:41:d8:73:a0 /usr/lib/pkcs11/opensc-pkcs11.so (RSA)


carsten@tux:~$ opensc-tool -D  
Configured card drivers:
 cardos           Siemens CardOS
 ...
 acos5            ACS ACOS5 card
 acos5_64         ACS ACOS5-64 Cryptographic USB/Card
 ...


Any comments are highly appreciated.

Regards,

Carsten

_______________________________________________
Opensc-devel mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/opensc-devel
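What the pkcs11-tool -lt run above actually checks for each RSA mechanism, and why a token can return a signature without any error and still earn "ERR: C_Verify() returned CKR_SIGNATURE_INVALID (0xc0)", is worth spelling out. The block below is an added example, not code from OpenSC, from pkcs11-tool or from the acos5_64 driver: it re-implements in pure Python the block a token must exponentiate for RSA-X-509 (raw RSA, zero-padded), RSA-PKCS (PKCS#1 v1.5 block type 01 around caller-supplied data) and SHA1-/SHA256-RSA-PKCS (token-built DigestInfo inside PKCS#1 v1.5), signs with a locally generated 512-bit toy key (an assumption for the demo; nothing here talks to a card) and verifies the way the host-side check does, by recovering the block with the public key and comparing it with the expected encoding. The last case signs the raw-RSA test input with PKCS#1 padding instead, which is the kind of mechanism/padding mismatch that makes the verifier reject an otherwise well-formed signature.

```python
"""PKCS#11 RSA signature mechanisms as the host-side verifier sees them.

Added example, Python stdlib only.  The 512-bit key is a locally generated
toy key (assumption for the demo), not a key from any token.
"""
import hashlib
import random

# DigestInfo prefixes for EMSA-PKCS1-v1_5 (RFC 3447 section 9.2, note 1)
DIGESTINFO = {
    "SHA1-RSA-PKCS":   (hashlib.sha1,   bytes.fromhex("3021300906052b0e03021a05000414")),
    "SHA256-RSA-PKCS": (hashlib.sha256, bytes.fromhex("3031300d060960864801650304020105000420")),
}


def _probable_prime(n, rng, rounds=16):
    """Miller-Rabin; fine for a demo key, not for production key generation."""
    if n < 4 or n % 2 == 0:
        return n in (2, 3)
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def toy_keypair(bits=512, seed=2015):
    """Deterministic toy RSA key, returns ((n, e), (n, d)).  Demo size only."""
    rng, e = random.Random(seed), 65537

    def prime(b):
        while True:
            c = rng.getrandbits(b) | (1 << (b - 1)) | 1     # full length, odd
            if c % e != 1 and _probable_prime(c, rng):      # keeps gcd(e, c-1) == 1
                return c

    p, q = prime(bits // 2), prime(bits // 2)
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, e), (n, pow(e, -1, phi))


def encode(mechanism, data, k):
    """The k-byte block a correct token exponentiates for the given mechanism."""
    if mechanism == "RSA-X-509":
        # Raw RSA: the caller's block is only left-padded with zeros, no structure.
        if len(data) > k:
            raise ValueError("data longer than modulus")
        return data.rjust(k, b"\x00")
    if mechanism == "RSA-PKCS":
        t = data                       # caller built DigestInfo (or anything else)
    elif mechanism in DIGESTINFO:
        h, prefix = DIGESTINFO[mechanism]
        t = prefix + h(data).digest()  # token hashes and builds DigestInfo itself
    else:
        raise ValueError("unknown mechanism %r" % mechanism)
    if len(t) > k - 11:
        raise ValueError("message too long for PKCS#1 v1.5")
    # EMSA-PKCS1-v1_5: 00 || 01 || FF..FF (at least 8) || 00 || T
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t


def sign(mechanism, priv, data):
    """C_Sign as a correct token performs it for the given mechanism."""
    n, d = priv
    k = (n.bit_length() + 7) // 8
    m = int.from_bytes(encode(mechanism, data, k), "big")
    if m >= n:
        raise ValueError("block not smaller than modulus")
    return pow(m, d, n).to_bytes(k, "big")


def verify(mechanism, pub, data, signature):
    """Host-side check: recover the block with the public key and compare."""
    n, e = pub
    k = (n.bit_length() + 7) // 8
    if len(signature) != k:
        return False
    s = int.from_bytes(signature, "big")
    if s >= n:
        return False
    return pow(s, e, n).to_bytes(k, "big") == encode(mechanism, data, k)


def demo():
    """The four mechanisms from the pkcs11-tool listing, plus one padding mismatch."""
    pub, priv = toy_keypair()
    raw_block = b"constructed raw-RSA test input"          # constructed sample input
    cases = [
        ("RSA-X-509", raw_block),
        ("RSA-PKCS", DIGESTINFO["SHA1-RSA-PKCS"][1] + hashlib.sha1(b"hello").digest()),
        ("SHA1-RSA-PKCS", b"hello"),
        ("SHA256-RSA-PKCS", b"hello"),
    ]
    results = {m: verify(m, pub, d, sign(m, priv, d)) for m, d in cases}
    # A token that applies PKCS#1 padding where raw RSA was requested (or the
    # reverse) returns a well-formed signature that the host rejects.
    wrong = sign("RSA-PKCS", priv, raw_block)
    results["RSA-X-509 (token padded as RSA-PKCS)"] = verify("RSA-X-509", pub, raw_block, wrong)
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print("%-40s %s" % (name, "OK" if ok else "ERR: verification failed"))
```

The point of the last case is that C_Sign can succeed and C_Verify on the host can still fail: the card did a valid private-key operation, just on a block the verifier was not expecting for that mechanism. When a driver implements its own compute_signature path for a sign-only key, this re-encoding is the first thing to compare byte for byte against what the card was actually given.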
Re: cryptomate64 support

Carsten
Hi all,

there is a new fork now, dedicated to an ACS acos5_64-driver (CryptoMate64):

https://github.com/carblue/OpenSC/tree/master/src

Its current status is:
The function 'acos5_64_compute_signature', called when a priv. key usage is sign only, is known not to work properly.
Secure Messaging is not implemented.
Changing contents on the card is not implemented.
If reading the card only, many usage scenarios should work, for example:
Konsole output
ssh-add -e /usr/lib/pkcs11/opensc-pkcs11.so

The procedure to compile/install is as described in
https://github.com/OpenSC/OpenSC/wiki/Compiling-and-Installing-OpenSC-on-Unix-flavors
with 1 amendment: I didn't install the acsccid package (libccid seems to be sufficient).
(Replacing 'sudo make install' by 'sudo checkinstall' might be an option for easy removal later on.)

Feel free to contact me if you want write access on this fork.

Regards,
Carsten


Re: cryptomate64 support

Douglas E Engert
When you go to implement SM, please have a look at the existing SM code in OpenSC, such as cwa14589.c and related files used by the card-dnie.c driver.


On 5/4/2015 9:50 AM, Carsten Blüggel wrote:

> Hi all,
>
> there is a new fork now, dedicated to an ACS acos5_64-driver (CryptoMate64):
>
> https://github.com/carblue/OpenSC/tree/master/src
>
> Its current status is:
> The function 'acos5_64_compute_signature', called when a priv. key usage is sign only, is known not to work properly.
> Secure Messaging is not implemented.
> Changing contents on the card is not implemented.
> If reading the card only, many usage scenarios should work, for example:
> Konsole output
> ssh-add -e /usr/lib/pkcs11/opensc-pkcs11.so
>
> The procedure to compile/install is as described in
> https://github.com/OpenSC/OpenSC/wiki/Compiling-and-Installing-OpenSC-on-Unix-flavors
> with 1 amendment: I didn't install the acsccid package (libccid seems to be sufficient).
> (Replacing 'sudo make install' by 'sudo checkinstall' might be an option for easy removal later on.)
>
> Feel free to contact me if you want write access on this fork.
>
> Regards,
> Carsten

--

  Douglas E. Engert  <[hidden email]>

