STARCOS 3.0 cards with SafeSign Identity Client

STARCOS 3.0 cards with SafeSign Identity Client

David Adam-2
Hello,

I've been issued a smart card by the Australian Health Insurance
Commission or Medicare Australia. These cards are for getting on to our
new national electronic health record system.

I would quite like to use it on Linux but haven't had a lot of luck with
pkcs15-tool so far.

I'm really mostly wondering whether the problem is with a lack of support
for the card operating system or an incompatibility between the OpenSC and
card PKCS#15 implementations.

I believe they run STARCOS 3.0 and are initialised with the SafeSign
Identity Client application, which I'm assured is PKCS#15 compliant.
However OpenSC complains that the card is not supported.

The ATR data is:
3b:bb:18:00:c0:10:31:fe:45:80:67:04:12:b0:03:03:00:00:81:05:3c

I have attached the logs from pkcs15-tool with both OpenCT and PCSC-Lite,
and can turn up the debugging further if that would help.

Thanks,

David Adam
[hidden email]
_______________________________________________
opensc-devel mailing list
[hidden email]
http://www.opensc-project.org/mailman/listinfo/opensc-devel


Re: STARCOS 3.0 cards with SafeSign Identity Client

Yonathan Randolph
Hi David. Sorry for the late reply; I was just searching my email for SafeSign and found yours. Coincidentally, I was testing a Crescendo C700 (3B:DF:18:FF:81:31:FE:45:80:59:01:80:48:49:44:43:37:30:30:73:00:01:1B:33) that was also initialized with SafeSign Identity Client. I couldn't figure out how to get it to work with pkcs15-tool, but I implemented my own reader in Java. Here's what I found when poking around and comparing it to the MyEID card:

- It doesn't support select by relative or absolute path, only select by name (PKCS15 AID) and then select by file id.

- The PIN is 4 to 15-byte 00-padded.

- There's no private key file, so you don't need to select it or give the file id to the MSE Set command.

- MSE Set data was picky (84 01 00 80 01 02); reversing the fields 84 and 80 caused it to fail.

I'm not sure how to modify pkcs15-tool to make it work, but I know it should be possible.

Yonathan
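
The card behaviour reported in the message above, as an added example that is not part of the original post or of OpenSC: it only builds the command APDUs (select by name, then by file id, a 00-padded PIN, and MSE Set with tag 84 before tag 80) and sends nothing to a card. The ISO 7816-4 header bytes, the PIN reference `0x01`, padding to a fixed 15 bytes, the use of file id 5031 (the standard PKCS#15 EF.ODF) and the command order are assumptions; only the MSE Set data `84 01 00 80 01 02` comes from the post.

```python
# Added example: builds the APDUs described in the post; nothing is sent to a card.
# Assumptions: ISO 7816-4 header bytes, PIN reference 0x01, padding to 15 bytes.
PKCS15_AID = bytes.fromhex("A000000063504B43532D3135")  # standard PKCS#15 AID
EF_ODF = 0x5031  # standard PKCS#15 object directory file id (assumed present)

def apdu(cla, ins, p1, p2, data=b""):
    """Short APDU: 4-byte header, then Lc and data when data is present."""
    if len(data) > 255:
        raise ValueError("short APDU data is limited to 255 bytes")
    body = bytes([len(data)]) + data if data else b""
    return bytes([cla, ins, p1, p2]) + body

def select_by_name(aid=PKCS15_AID):
    return apdu(0x00, 0xA4, 0x04, 0x00, aid)   # P1=04: select by DF name

def select_by_file_id(fid):
    return apdu(0x00, 0xA4, 0x00, 0x00, fid.to_bytes(2, "big"))  # P1=00: by file id

def pad_pin(pin, width=15):
    """Right-pad a 4..15 byte PIN with 0x00 (width=15 is an assumption)."""
    if not 4 <= len(pin) <= width:
        raise ValueError("PIN must be 4 to %d bytes" % width)
    return pin + b"\x00" * (width - len(pin))

def verify(pin, pin_ref=0x01):                  # pin_ref is hypothetical
    return apdu(0x00, 0x20, 0x00, pin_ref, pad_pin(pin))

def mse_set_sign(key_ref=0x00, alg_ref=0x02):
    """MSE SET; tag 84 (key ref) is emitted before tag 80 (algorithm ref)."""
    crt = bytes([0x84, 0x01, key_ref, 0x80, 0x01, alg_ref])
    return apdu(0x00, 0x22, 0x41, 0xB6, crt)    # P1/P2 assumed: set DST for signing

def parse_tlv(data):
    """Split one-byte-tag, one-byte-length TLVs; reject truncated input."""
    out, i = [], 0
    while i < len(data):
        if i + 2 > len(data) or i + 2 + data[i + 1] > len(data):
            raise ValueError("truncated TLV at offset %d" % i)
        out.append((data[i], data[i + 2:i + 2 + data[i + 1]]))
        i += 2 + data[i + 1]
    return out

def session(pin, fid=EF_ODF):
    """One plausible command order (assumed): name, file id, PIN, MSE SET."""
    return [select_by_name(), select_by_file_id(fid), verify(pin), mse_set_sign()]

if __name__ == "__main__":
    for cmd in session(b"1234"):               # constructed sample PIN
        print(cmd.hex(" "))
```

`parse_tlv` can be run over the data field of a captured MSE Set command to confirm the 84/80 order before comparing it with what another tool sends.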

Re: STARCOS 3.0 cards with SafeSign Identity Client

David Adam-2
On Mon, 10 Dec 2012, Yonathan Randolph wrote:

> Hi David. Sorry for the late reply; I was just searching my email for
> SafeSign and found yours. Coincidentally, I was testing a Crescendo C700
> (3B:DF:18:FF:81:31:FE:45:80:59:01:80:48:49:44:43:37:30:30:73:00:01:1B:33)
> that was also initialized with SafeSign Identity Client. I couldn't
> figure out how to get it to work with pkcs15-tool, but I implemented my
> own reader in Java. Here's what I found when poking around and comparing
> it to the MyEID card:
>
> - It doesn't support select by relative or absolute path, only select by
> name (PKCS15 AID) and then select by file id.
>
> - The PIN is 4 to 15-byte 00-padded.
>
> - There's no private key file, so you don't need to select it or give the file id to the MSE Set command.
>
> - MSE Set data was picky (84 01 00 80 01 02); reversing the fields 84 and 80 caused it to fail.
>
> I'm not sure how to modify pkcs15-tool to make it work, but I know it should be possible.

Hi Yonathan,

Thanks for letting me know. I was vaguely hoping to use my card on my
Linux machine, and the SafeSign webpage reckons there is a Linux client
but I don't think I'll have any luck getting it out of our government
office.

Interestingly the datasheet for SafeSign Identity Client lists PKCS#15
compatibility - I'm not really across the standard but is select by path a
required feature?

I wouldn't be much help in modifications to pkcs15-tool either but
could test any changes - may be able to provide a test
environment if required.

Thanks,

David Adam
[hidden email]
Ask Me About Our SLA!