Supported USB Token

Josef Windorfer
Hi All,

I am looking for a USB token (smart card and card reader in one) which is
supported without proprietary middleware.
I have bought the Aladdin eToken 72k, but it runs only with the
middleware from Aladdin.

In the supported hardware lists I found only one token which is
interesting for me, and that is the "USB eSeal Token V2" from Gemalto. But
I don't know if it works, because only the USB Shell Token V2 is on the
list (http://pcsclite.alioth.debian.org/supported.html#0x08E60x3438).
This token is a USB Shell Token V2 and the smart card TPC IM v2 in one.
Does someone know whether the smart card TPC IM is supported
(http://www.mail-archive.com/opensc-devel@.../msg04404.html)?
The idea is that if the Shell Token and the TPC are each supported, the
combination of the two parts is also supported.

I have looked through the hardware lists. Does someone have experience with a
USB token which has the characteristics I wrote above?

Thank you for your answers!

Greets Josef
_______________________________________________
opensc-user mailing list
[hidden email]
http://www.opensc-project.org/mailman/listinfo/opensc-user

Re: Supported USB Token

Andreas Jellinghaus-2
Stay clear of everything labeled "GemSafe"! The idea of that is,
from my point of view, to "half" initialize a token, so the second
half requires the same software, and thus they can sell tokens/cards
and software.

Also OpenSC support for such cards/tokens is quite limited:
you can "use" them, and maybe do little changes such as unblocking
a PIN or changing it. But any bigger change such as key generation
or storing a certificate requires the original software.

Good tokens are the Aladdin eToken PRO 64 with CardOS 4.2B
(except for the "secret" APDU command you need to enter once
to change the manufacturing start key from 00 to ff)
or, if still available, the Rainbow iKey 3000 with a StarCOS 2.3
in testing mode inside.

Regards, Andreas

Logging APDU with opensc svn

Josef Windorfer
Hi all,

I can't log the APDUs with pkcs15-tool or pkcs15-init; only when using
pkcs11-tool are APDUs logged. I'm using the SVN version of OpenSC.

Is this intended? Can someone help me?

Greets Josef

Re: Logging APDU with opensc svn

Martin Paljak-2
On Jun 14, 2010, at 23:43, Josef Windorfer wrote:
> Hi all,
>
> I can't log the APDUs with pkcs15-tool or pkcs15-init; only when using
> pkcs11-tool are APDUs logged. I'm using the SVN version of OpenSC.

I suspect you have two different installations, one where the log is enabled (in /usr) and one where it is not enabled (in /usr/local), and pkcs11-tool by default uses the module in /usr, whereas the tools use it in /usr/local/bin.

Please verify your setup and/or provide your opensc.conf and/or the output of ./configure and the commands you are using.

--
Martin Paljak
http://martin.paljak.pri.ee
+3725156495


Re: Logging APDU with opensc svn

Josef Windorfer

>> I can't log the APDUs with pkcs15-tool or pkcs15-init; only when using
>> pkcs11-tool are APDUs logged. I'm using the SVN version of OpenSC.
>
> I suspect you have two different installations, one where the log is enabled (in /usr) and one where it is not enabled (in /usr/local), and pkcs11-tool by default uses the module in /usr, whereas the tools use it in /usr/local/bin.
>
> Please verify your setup and/or provide your opensc.conf and/or the output of ./configure and the commands you are using.

That's right, I had installed an earlier version of OpenSC.

In ./configure I have set --sysconfdir=/etc.

There are two config files, one in /etc and one in /etc/opensc.
I'm sure that /etc/opensc is not in use, because I have entered two
different file names for the log file.

I will give an example:

Command: pkcs15-tool -D
Logfile:

0xb778a6c0 09:00:28.805 [pkcs15-tool] ctx.c:743:sc_context_create: ===================================
0xb778a6c0 09:00:28.805 [pkcs15-tool] ctx.c:744:sc_context_create: opensc version: 0.12.0-svn
0xb778a6c0 09:00:28.805 [pkcs15-tool] reader-pcsc.c:616:pcsc_init: PC/SC options: connect_reset=1 connect_exclusive=0 transaction_reset=0 enable_pinpad=1
0xb778a6c0 09:00:28.806 [pkcs15-tool] reader-pcsc.c:721:pcsc_detect_readers: called
0xb778a6c0 09:00:28.806 [pkcs15-tool] reader-pcsc.c:728:pcsc_detect_readers: Probing pcsc readers
0xb778a6c0 09:00:28.806 [pkcs15-tool] reader-pcsc.c:750:pcsc_detect_readers: Establish pcsc context
0xb778a6c0 09:00:28.807 [pkcs15-tool] reader-pcsc.c:798:pcsc_detect_readers: Found new pcsc reader 'Cherry ST1044U 00 00'
0xb778a6c0 09:00:28.807 [pkcs15-tool] reader-pcsc.c:824:pcsc_detect_readers: Requesting reader features ...
0xb778a6c0 09:00:28.807 [pkcs15-tool] reader-pcsc.c:830:pcsc_detect_readers: Cherry ST1044U 00 00:SCardConnect: 0x00000000
0xb778a6c0 09:00:28.807 [pkcs15-tool] reader-pcsc.c:837:pcsc_detect_readers: Cherry ST1044U 00 00:SCardBeginTransaction: 0x00000000
0xb778a6c0 09:00:28.807 [pkcs15-tool] reader-pcsc.c:862:pcsc_detect_readers: Reader feature 0a detected
0xb778a6c0 09:00:28.807 [pkcs15-tool] reader-pcsc.c:913:pcsc_detect_readers: Reader does not have a display.
0xb778a6c0 09:00:28.809 [pkcs15-tool] reader-pcsc.c:265:refresh_attributes: Cherry ST1044U 00 00 status check
0xb778a6c0 09:00:28.809 [pkcs15-tool] reader-pcsc.c:284:refresh_attributes: event: 0x0022
0xb778a6c0 09:00:28.809 [pkcs15-tool] reader-pcsc.c:285:refresh_attributes: state: 0x0000
0xb778a6c0 09:00:28.809 [pkcs15-tool] reader-pcsc.c:295:refresh_attributes: card present
0xb778a6c0 09:00:28.810 [pkcs15-tool] reader-pcsc.c:950:pcsc_detect_readers: returning with: 0


Kind Regards
Josef

GET CHALLENGE command (MAC)

Josef Windorfer
Hi,

I have a Feitian PKI smart card. I initialise the smart card with
pkcs15-init --create-pkcs15.
For all actions the computer sends the GET CHALLENGE command and the
card returns 8 bytes. After this the computer sends 4 bytes to the card.

The 8 bytes include a MAC and a message. Where can I see with which key
the MAC is ciphered?
From the example below, the first and the last outgoing APDU are the
same. The only difference is the last 4 bytes, and this is the enciphered
MAC.

Am I right?


That's a cutout (with my comments) from the log file:

> MESSAGE (E0 Create File)
[pkcs15-init] card-entersafe.c:677:entersafe_create_mf: called
[pkcs15-init] card-entersafe.c:322:entersafe_transmit_apdu: called
[pkcs15-init] apdu.c:184:sc_apdu_log:
Outgoing APDU data [   46 bytes] =====================================
84 E0 00 00 29 3F 00 04 11 03 00 10 C0 10 C0 FC ....)?..........
67 00 FC 06 07 08 8F 08 6A 00 FF 00 00 00 01 02 g.......j.......
03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 10       ..............
======================================================================
[pkcs15-init] card-entersafe.c:229:entersafe_mac_apdu: called
[pkcs15-init] card-entersafe.c:150:entersafe_gen_random: called
[pkcs15-init] apdu.c:516:sc_transmit_apdu: called
[pkcs15-init] card.c:285:sc_lock: called
[pkcs15-init] apdu.c:184:sc_apdu_log:
> GET CHALLENGE
Outgoing APDU data [    5 bytes] =====================================
00 84 00 00 08 .....
======================================================================
[pkcs15-init] reader-pcsc.c:161:pcsc_internal_transmit: called
[pkcs15-init] apdu.c:184:sc_apdu_log:
> 8 byte MAC + message
Incoming APDU data [   10 bytes] =====================================
05 05 8B 83 AD 4F F8 16 90 00 .....O....
======================================================================
[pkcs15-init] card.c:312:sc_unlock: called
[pkcs15-init] card-entersafe.c:164:entersafe_gen_random: returning with: 0
[pkcs15-init] card-entersafe.c:310:entersafe_mac_apdu: returning with:0
[pkcs15-init] apdu.c:516:sc_transmit_apdu: called
[pkcs15-init] card.c:285:sc_lock: called
[pkcs15-init] apdu.c:184:sc_apdu_log:
> LAST 4 BYTES ENCIPHERED MAC
Outgoing APDU data [   50 bytes] =====================================
84 E0 00 00 2D 3F 00 04 11 03 00 10 C0 10 C0 FC ....-?..........
67 00 FC 06 07 08 8F 08 6A 00 FF 00 00 00 01 02 g.......j.......
03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F 10 DF D1 ................
A8 2A                                           .*
======================================================================
[pkcs15-init] reader-pcsc.c:161:pcsc_internal_transmit: called
[pkcs15-init] apdu.c:184:sc_apdu_log:
> OK
Incoming APDU data [    2 bytes] =====================================
90 00 ..
======================================================================


Greets Josef
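An added example, not code from the thread and not OpenSC's own code. The exchange in the log above (GET CHALLENGE returning 8 bytes, then the same CREATE FILE APDU re-sent with Lc raised from 0x29 to 0x2D and 4 bytes appended) has the shape of a CBC-MAC that uses the card's challenge as IV and truncates to 4 bytes. The Go program below (Go's crypto/des is in the standard library, so it runs offline) embeds the bytes copied from the log, checks that the two outgoing APDUs differ only in Lc and the trailer, and computes such a MAC so a candidate key can be tested against the observed DF D1 A8 2A. Assumptions, also marked in the comments: that the layout mirrors OpenSC's entersafe_mac_apdu (header MACed with the Lc that already counts the 4 MAC bytes, ISO/IEC 9797-1 method-2 padding, first 4 bytes of the last block, DES or two-key 3DES depending on key length), and the candidate key in main, which is hypothetical. The key itself is not in the log; it has to come from the initialisation profile or the card driver.

```go
// Added example, not OpenSC code: reconstructs the GET CHALLENGE / MAC'd CREATE
// FILE exchange from the posted log and lets a candidate MAC key be tested.
package main

import (
	"bytes"
	"crypto/cipher"
	"crypto/des"
	"encoding/hex"
	"fmt"
)

// Hex copied from the posted log: CREATE FILE body, the outgoing APDU without
// MAC (Lc 0x29), the same APDU with MAC (Lc 0x2D), and the GET CHALLENGE reply.
const (
	dataHex      = "3F000411030010C010C0FC6700FC0607088F086A00FF00000001020304050607" + "08090A0B0C0D0E0F10"
	plainHex     = "84E0000029" + dataHex
	macedHex     = "84E000002D" + dataHex + "DFD1A82A"
	challengeHex = "05058B83AD4FF8169000" // 8 challenge bytes followed by SW 90 00
)

func mustHex(s string) []byte {
	b, err := hex.DecodeString(s)
	if err != nil {
		panic(err)
	}
	return b
}

// observedTrailer checks that maced is the plain case-3 APDU with Lc raised by 4
// and 4 bytes appended (what the log shows) and returns those 4 bytes.
func observedTrailer(plain, maced []byte) ([]byte, error) {
	n := len(plain)
	if n < 5 || n != 5+int(plain[4]) || len(maced) != n+4 || maced[4] != plain[4]+4 ||
		!bytes.Equal(plain[:4], maced[:4]) || !bytes.Equal(plain[5:], maced[5:n]) {
		return nil, fmt.Errorf("MAC'd APDU is not the plain APDU plus a 4-byte trailer")
	}
	return maced[n:], nil
}

// iso9797Pad appends 0x80 then zeros up to a multiple of the DES block size
// (ISO/IEC 9797-1 padding method 2).
func iso9797Pad(in []byte) []byte {
	out := append(append([]byte{}, in...), 0x80)
	for len(out)%des.BlockSize != 0 {
		out = append(out, 0)
	}
	return out
}

// cbcMAC4 MACs a plain case-3 APDU: CBC over CLA INS P1 P2 Lc' data (padded) with
// the card's challenge as IV, DES for an 8-byte key or two-key 3DES for 16 bytes,
// returning the first 4 bytes of the last block. ASSUMPTION: this mirrors
// OpenSC's entersafe_mac_apdu, with Lc' already counting the 4 MAC bytes;
// check card-entersafe.c before relying on the exact layout.
func cbcMAC4(key, challenge, plain []byte) ([]byte, error) {
	if len(challenge) != des.BlockSize || len(plain) < 5 {
		return nil, fmt.Errorf("need an 8-byte challenge and a case-3 APDU")
	}
	var blk cipher.Block
	var err error
	switch len(key) {
	case 8:
		blk, err = des.NewCipher(key)
	case 16: // K1 K2 K1
		blk, err = des.NewTripleDESCipher(append(append([]byte{}, key...), key[:8]...))
	default:
		return nil, fmt.Errorf("key must be 8 or 16 bytes, got %d", len(key))
	}
	if err != nil {
		return nil, err
	}
	hdr := []byte{plain[0], plain[1], plain[2], plain[3], plain[4] + 4}
	buf := iso9797Pad(append(hdr, plain[5:]...))
	cipher.NewCBCEncrypter(blk, challenge).CryptBlocks(buf, buf)
	last := len(buf) - des.BlockSize
	return buf[last : last+4], nil
}

// keyReproducesTrailer reports whether key yields the DF D1 A8 2A seen in the
// log. The key itself is not in the log; it comes from the init profile/driver.
func keyReproducesTrailer(key []byte) (bool, error) {
	plain := mustHex(plainHex)
	trailer, err := observedTrailer(plain, mustHex(macedHex))
	if err != nil {
		return false, err
	}
	mac, err := cbcMAC4(key, mustHex(challengeHex)[:8], plain)
	if err != nil {
		return false, err
	}
	return bytes.Equal(mac, trailer), nil
}

func main() {
	// Hypothetical candidate (not from the page): the 16 bytes 01..10 that end the body.
	ok, err := keyReproducesTrailer(mustHex("0102030405060708090A0B0C0D0E0F10"))
	fmt.Println("candidate key reproduces the MAC:", ok, err)
}
```

Run it with `go run` on the file. A `false` result only says that either the candidate key or the assumed layout is wrong; before trying other keys, compare the header and padding handling here against entersafe_mac_apdu in card-entersafe.c, since a single differing byte in the MAC input changes all four output bytes.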