Tokens initialized under Microsoft Windows


Tokens initialized under Microsoft Windows

Hadmut
Hi,

when I initialize an Aladdin eToken under Linux, I can use
it under Windows. The opposite way doesn't work: If the Token is
initialized using the Microsoft CA and the Aladdin RTE, opensc
does not recognize it.

Someone from Aladdin told me, that the reason was that Microsoft is
not fully pkcs11 compliant. However, in reality by far most tokens
will be initialized that way and it is probably desirable to be able
to participate in a Microsoft Infrastructure with a Linux client.

Does anybody know what exactly the differences are and how to
cope with them?

regards
Hadmut
_______________________________________________
opensc-devel mailing list
[hidden email]
http://www.opensc.org/cgi-bin/mailman/listinfo/opensc-devel

Re: Tokens initialized under Microsoft Windows

Stef Hoeben
Hi,

if you personalise it with one tool (Aladdin RTE or OpenSC's
pkcs15-init), it will probably not be usable by the software from the
other because it doesn't know where the keys, certs, .. are, with which
PIN they are linked, etc...

Unless they follow the same convention for this, e.g. the pkcs15 standard
with which OpenSC is compliant (pkcs11 has nothing to do with it).

The only way out would probably be to make a 'pkcs15 emulation driver'
for OpenSC so it knows where to find what. But that's something you should
make, assuming you know where Aladdin puts things...

Hope that clarifies things,
Stef


Hadmut Danisch wrote:

>Hi,
>
>when I initialize an Aladdin eToken under Linux, I can use
>it under Windows. The opposite way doesn't work: If the Token is
>initialized using the Microsoft CA and the Aladdin RTE, opensc
>does not recognize it.
>
>Someone from Aladdin told me, that the reason was that Microsoft is
>not fully pkcs11 compliant. However, in reality by far most tokens
>will be initialized that way and it is probably desirable to be able
>to participate in a Microsoft Infrastructure with a Linux client.
>
>Does anybody know what exactly the differences are and how to
>cope with them?
>
>regards
>Hadmut

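Stef's point about the pkcs15 standard, as an added example that is not code from this thread or from OpenSC: a minimal Python parser for the two on-card directories PKCS#15-aware software reads first, EF(DIR) (to find the PKCS#15 application by its registered AID) and the ODF (to learn which EFs hold the private-key, certificate and authentication-object directories, i.e. where the keys, certs and PINs are). The records, the paths and the second application's AID are constructed for the example; a token personalised without this layout simply yields None from the first step, which is how such a token looks to PKCS#15 software.

```python
# Registered PKCS#15 application identifier: RID A0 00 00 00 63 + "PKCS-15".
PKCS15_AID = bytes.fromhex("A000000063504B43532D3135")
# Context-specific tags of the ODF entries (the PKCS15Objects CHOICE).
ODF_TAGS = {0xA0: "privateKeys", 0xA1: "publicKeys", 0xA2: "trustedPublicKeys",
            0xA3: "secretKeys", 0xA4: "certificates", 0xA5: "trustedCertificates",
            0xA6: "usefulCertificates", 0xA7: "dataObjects", 0xA8: "authObjects"}

def parse_tlv(data: bytes) -> list:
    """Split a run of BER TLVs with single-byte tags into (tag, value) pairs."""
    out, i = [], 0
    while i < len(data):
        tag, ln, i = data[i], data[i + 1], i + 2
        if ln & 0x80:                  # long form: 0x8n followed by n length bytes
            n = ln & 0x7F
            ln, i = int.from_bytes(data[i:i + n], "big"), i + n
        if i + ln > len(data):
            raise ValueError("truncated TLV value")
        out.append((tag, data[i:i + ln]))
        i += ln
    return out

def tlv(tag: int, value: bytes) -> bytes:
    """Encode one short-form TLV; used only to build the constructed samples."""
    assert len(value) < 0x80
    return bytes([tag, len(value)]) + value

def find_pkcs15_app(ef_dir: bytes):
    """Return (label, DF path) of the EF(DIR) template (tag 0x61) carrying the PKCS#15 AID, else None."""
    for tag, body in parse_tlv(ef_dir):
        if tag == 0x61:
            fields = dict(parse_tlv(body))  # 0x4F AID, 0x50 label, 0x51 path
            if fields.get(0x4F) == PKCS15_AID:
                return (fields.get(0x50, b"").decode("ascii", "replace"),
                        fields.get(0x51, b"").hex().upper())
    return None

def parse_odf(odf: bytes) -> dict:
    """Map each object directory (PrKDF, CDF, AODF, ...) to the EF path the ODF points at."""
    layout = {}
    for tag, body in parse_tlv(odf):
        if tag not in ODF_TAGS:
            raise ValueError(f"unknown ODF entry tag {tag:#04x}")
        # Each entry is [n] EXPLICIT Path ::= SEQUENCE { path OCTET STRING, ... }.
        path = dict(parse_tlv(dict(parse_tlv(body))[0x30])).get(0x04, b"")
        layout[ODF_TAGS[tag]] = path.hex().upper()
    return layout

# Constructed sample records, not dumped from a real token (second AID is a placeholder).
EF_DIR_PKCS15 = tlv(0x61, tlv(0x4F, PKCS15_AID) + tlv(0x50, b"OpenSC") + tlv(0x51, bytes.fromhex("5015")))
EF_DIR_OTHER = tlv(0x61, tlv(0x4F, bytes.fromhex("F00000000001")) + tlv(0x50, b"Vendor"))
ODF_SAMPLE = b"".join(tlv(t, tlv(0x30, tlv(0x04, bytes.fromhex(p))))
                      for t, p in ((0xA0, "4401"), (0xA4, "4402"), (0xA8, "4403")))
```

Feeding `EF_DIR_OTHER` alone to `find_pkcs15_app` returns None, so there is no ODF to read and no way to locate keys or PINs without vendor documentation of the layout.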

Re: Tokens initialized under Microsoft Windows

Hadmut
On Wed, Aug 10, 2005 at 05:00:38PM +0200, Stef Hoeben wrote:
>
> But that's something you should
> make, assuming you know where Aladdin puts things...

I do not have the slightest idea where they put it.
But the Aladdin person told me that they are not responsible for
that. The RTE would just handle access to the token. The file
structure was handled by the Microsoft software.

regards
Hadmut


Re: Tokens initialized under Microsoft Windows

Stef Hoeben
Hadmut Danisch wrote:

>On Wed, Aug 10, 2005 at 05:00:38PM +0200, Stef Hoeben wrote:
>
>>But that's something you should
>>make, assuming you know where Aladdin puts things...
>
>I do not have the slightest idea where they put it.
>But the Aladdin person told me that they are not responsible for
>that. The RTE would just handle access to the token. The file
>structure was handled by the Microsoft software.
>
Not sure if I get the complete picture, but AFAIK, MS software accesses
tokens only through a CSP, this is a DLL with a fixed API (Crypto-API)
and that is made by the card vendor (so Aladdin in this case) and which is
probably part of the RTE you were referring to.

Cheers,
Stef



Re: Tokens initialized under Microsoft Windows

Alaric Dailey
Stef Hoeben wrote:

> Hadmut Danisch wrote:
>
>> On Wed, Aug 10, 2005 at 05:00:38PM +0200, Stef Hoeben wrote:
>>
>>> But that's something you should
>>> make, assuming you know where Aladdin puts things...
>>
>> I do not have the slightest idea where they put it. But the Aladdin
>> person told me that they are not responsible for
>> that. The RTE would just handle access to the token. The file
>> structure was handled by the Microsoft software.
>>
> Not sure if I get the complete picture, but AFAIK, MS software accesses
> tokens only through a CSP
True, but only true for MS applications (Windows and Office); most other
software like PGP uses PKCS#11, and Aladdin wants all new programs to be
written against PKCS#11, not the CSP.  But regardless of what is
calling the interface DLLs or which interface the application is using,
the interfaces are provided by the card manufacturer or OpenSC.

> , this is a DLL with a fixed API (Crypto-API)
> and that is made by the card vendor (so Aladdin in this case) and
> which is
> probably part of the RTE you were referring to.

RTE = Runtime Environment; it includes the drivers, CSP, PKCS#11 DLL,
and admin apps.


Re: Tokens initialized under Microsoft Windows

Hadmut
Stef Hoeben wrote:
>
> Not sure if I get the complete picture, but AFAIK, MS software accesses
> tokens only through a CSP, this is a DLL with a fixed API (Crypto-API)
> and that is made by the card vendor (so Aladdin in this case) and which is
> probably part of the RTE you were referring to.


I have no idea, I'm not familiar with the MS APIs. I was posting to this
list because I hoped to find someone who knows, not because I would know.

regards
Hadmut

Re: Tokens initialized under Microsoft Windows

Andreas Jellinghaus
On Wednesday 10 August 2005 13:12, Hadmut Danisch wrote:
> when I initialize an Aladdin eToken under Linux, I can use
> it under Windows. The opposite way doesn't work: If the Token is
> initialized using the Microsoft CA and the Aladdin RTE, opensc
> does not recognize it.

What they do is proprietary, incompatible, does not follow the
pkcs#15 standard and is nowhere documented. Nothing we can
do about it.

[blame on microsoft]
a.e.t. has a csp and is pkcs#15 compliant. csp#11 works with
any pkcs#11 lib. id ally has a csp that works with opensc pkcs11
module. I'd like to hear the details why three independent implementors
can do it and they can't.

Andreas