Add wiki snapshot.

git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@2413 c6295689-39f2-0310-b995-f0e70906c6a9
aj 2005-07-17 19:50:01 +00:00
parent ed08122664
commit 49a3563cc4
52 changed files with 2589 additions and 0 deletions

42
doc/AladdinEtokenPro.html Normal file
@ -0,0 +1,42 @@
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:html="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>AladdinEtokenPro - OpenSC - Trac</title><style type="text/css">
@import url(trac.css);
</style></head><body><div class="wikipage">
<div id="searchable"><h1>Aladdin eToken PRO</h1>
<p>
<a class="ext-link" title="http://www.ealladdin.com/" href="http://www.ealladdin.com/" shape="rect">Aladdin</a> offers the eToken PRO, an USB crypto token with 32k memory
and support for RSA keys up to 1024bit key length.
</p>
<p>
The eToken PRO is fully supported by OpenSC and is well tested.
</p>
<p>
The smart card inside is an Infineon Chip with the Siemens CardOS M4 smart card operating system.
</p>
<p>
One minor feature of the Siemens CardOS M4 is, that a rsa key cannot be used for both signing
and decryption. OpenSC has implemented a workaround: software key generation and storing that
key twice, once marked as decryption key and once marked as signing key. To enable this workaround
specifiy "--split-key" on the command line, when creating the key.
</p>
<p>
Aladdin has there own software for windows and <a class="ext-link" title="ftp://ftp.ealaddin.com/pub/etoken/Linux" href="ftp://ftp.ealaddin.com/pub/etoken/Linux" shape="rect">linux</a>. This software does not implement PKCS#15 and thus is not compatible with OpenSC. As long as the card has memory, you can initialize the card with both software packages, and thus install files and keys side by side - each software can only handle their own structures.
</p>
<p>
Note that Aladdin is maybe the oldest player in the usb token field, and their software predates the PKCS#15 standard, so you can't blame them for not conforming to the standard. Note also that Aladdin sponsored an OpenSC workshop in 2003 by donating 30 Aladdin eToken PRO, thanks a lot!
</p>
<p>
There is a rare version of the Aladdin eToken PRO with a G&amp;D Starcos smart card inside. This version is not supported and never went into mass production as far as we know.
</p>
<p>
Aladdin has an SDK with Documentation on their ftp server for public download, but to implement the OpenSC driver further documentation was necessary (by Siemens and available only under NDA as far as we know).
</p>
<p>
Some people had problems buying a single Aladdin eToken PRO (bare, without any bundle or consulting etc.).
Please try bristol.de or coretech.at if you run into trouble.
</p>
<p>
<a class="ext-link" title="http://www.security-mart.com/product_info.php?cPath=7_701&amp;products_id=700005" href="http://www.security-mart.com/product_info.php?cPath=7_701&amp;products_id=700005" shape="rect">Security Mart</a> sells them at 47$ if you buy 10-99 pieces.
</p>
</div>
</div><div class="footer"><hr></hr><p><a href="index.html">Back to Index</a></p></div></body></html>

46
doc/AutoVersions.html Normal file
@ -0,0 +1,46 @@
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:html="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>AutoVersions - OpenSC - Trac</title><style type="text/css">
@import url(trac.css);
</style></head><body><div class="wikipage">
<div id="searchable"><h1>Versions of Auto Tools</h1>
<p>
OpenSC should work for every developer. One software is very tricky: autoconf, automake and libtool.
Which version can we require? Unfortunatly the only way we can find out is trial and error. To improve
the situation, we would like to gather which version everyone is using, so we can make sure even the
oldest version of these tools still in use works (and hope that newer versions work, too).
</p>
<div class="document">
<table border="1" class="docutils">
<colgroup span="1">
<col width="35%" span="1"></col>
<col width="22%" span="1"></col>
<col width="15%" span="1"></col>
<col width="15%" span="1"></col>
<col width="13%" span="1"></col>
</colgroup>
<tbody valign="top">
<tr><td rowspan="1" colspan="1">Name</td>
<td rowspan="1" colspan="1">Distribution</td>
<td rowspan="1" colspan="1">Autoconf</td>
<td rowspan="1" colspan="1">Automake</td>
<td rowspan="1" colspan="1">Libtool</td>
</tr>
<tr><td rowspan="1" colspan="1">Andreas Jellinghaus</td>
<td rowspan="1" colspan="1">Debian sarge</td>
<td rowspan="1" colspan="1">2.59</td>
<td rowspan="1" colspan="1">1.7.9</td>
<td rowspan="1" colspan="1">1.5.6</td>
</tr>
<tr><td rowspan="1" colspan="1">Ludovic Rousseau</td>
<td rowspan="1" colspan="1">Debian sarge</td>
<td rowspan="1" colspan="1">2.59</td>
<td rowspan="1" colspan="1">1.9.5</td>
<td rowspan="1" colspan="1">1.5.6</td>
</tr>
</tbody>
</table>
</div><p>
Ludovic Rousseau: Note that if you distribute the created <tt>.tar.gz</tt> file you should always use the latest autotools versions in order to support the newly added architectures/OS. That will greatly ease the life of your users.
</p>
</div>
</div><div class="footer"><hr></hr><p><a href="index.html">Back to Index</a></p></div></body></html>

23
doc/BelgianEid.html Normal file
@ -0,0 +1,23 @@
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:html="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>BelgianEid - OpenSC - Trac</title><style type="text/css">
@import url(trac.css);
</style></head><body><div class="wikipage">
<div id="searchable"><h1>Belgian Belpic</h1>
<p>
The belgian eid card is official using OpenSC for their software.
</p>
<p>
Currently please use the "belpic" software available from the belgian state.
</p>
<p>
Current releases do not include belpic support, but OpenSC is in the process of merging the software, the next release should support it.
</p>
<p>
FIXME:links,documentation,pointers.
</p>
<p>
Thanks to Belgium for chossing OpenSC as basis for their software and donating the full source code back to use under LGPL license.
Thanks to Zetes for their support of OpenSC.
</p>
</div>
</div><div class="footer"><hr></hr><p><a href="index.html">Back to Index</a></p></div></body></html>

22
doc/CardOs.html Normal file
@ -0,0 +1,22 @@
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:html="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>CardOs - OpenSC - Trac</title><style type="text/css">
@import url(trac.css);
</style></head><body><div class="wikipage">
<div id="searchable"><h1>Siemens CardOS M4</h1>
<p>
Siemens CardOS M4 smart card should work fine with OpenSC.
</p>
<p>
Currently only the Aladdin eToken PRO is tested often (a usb crypto dongle that contains a card with this operating system). It works fine, so all other smart cards with the same card operating system should work fine, too.
</p>
<p>
Siemens CardOS M4 does not allow a key to be used for signing and decryption. OpenSC has a workaround for this restriction, you can generate or store a private key with the "--split-key" flag which will store the key twice, with different usage options, but hide this detailt.
</p>
<p>
Some documentation is available from Aladdin for their eToken PRO, but for an in-depth documentation you need the Siemens card manual, which requires signing an NDA.
</p>
<p>
FIXME: where to buy such a card? pricing?
</p>
</div>
</div><div class="footer"><hr></hr><p><a href="index.html">Back to Index</a></p></div></body></html>

@ -0,0 +1,54 @@
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:html="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>CardReaders/CTAPI - OpenSC - Trac</title><style type="text/css">
@import url(trac.css);
</style></head><body><div class="wikipage">
<div id="searchable"><h1>Using pinpad readers with CT-API</h1>
<p>
On Win32 a pinpad reader usually supplies a PC/SC driver and a CT-API driver, since pinpad usage with PC/SC currently is vendor specific. There are some rumours about pinpad standardisation for PC/SC drivers, but I guess this will still need some time till it is widely adopted. Another alternative would be to use the CCID specification for USB readers, but there still are (and IMHO will be for some time) lots of non-CCID compliant pinpad readers.
</p>
<p>
So till another standard finds its way into OpenSC you can try the somewhat less user friendly CT-API if you want to use your pinpad with OpenSC.
</p>
<h2>Configuring CT-API in opensc.conf</h2>
<p>
To activate the CT-API driver you have to add the token "ctapi" to the reader_drivers attribute of the app default section (or whatever app you are using).
Then the reader's parameters, that is the library and port number, have to be configured in the "reader_driver ctapi" secion.
</p>
<p>
Use this as an example:
</p>
<pre class="wiki" xml:space="preserve"> app default {
reader_drivers = ctapi;
reader_driver ctapi {
module c:\winnt\system32\CTRSCT32.DLL {
ports = 1;
}
}
# All the other OpenCT-Parameters...
.
.
.
}
</pre><p>
<strong>Notes</strong>
</p>
<ul><li>For some readers you can look up the module name in <a href="PinpadReaders.html" shape="rect">pinpad reader overview</a>.
</li></ul><ul><li>Some drivers use port number 0 for the first reader, others start counting with 1.
</li></ul><ul><li>You can use multiple readers. Just add more "module"-sections if they use other drivers or add port numbers with a comma for the same driver. You can even mix PC/SC drivers and CT-API drivers for different readers.
</li></ul><ul><li>The same approach should work with Unix if you can find the CT-API library for your reader.
</li></ul><p>
After this you can try "opensc-tool -l" and hope to see something like
</p>
<pre class="wiki" xml:space="preserve">C:\work\opensc\src\tools&gt;opensc-tool -l
Readers known about:
Nr. Driver Name
0 ctapi CT-API c:\winnt\system32\CTRSCT32.DLL, port 1
</pre><p>
If you are using a pinpad aware application (I still don't know any except my private pintest) you are ready. Some other applications (like the PKCS#11 plugin for Mozilla or the <a href="OpensslEngines.html" shape="rect">OpensslEngines</a>) will use the pinpad if you hit return after being asked for a PIN.
</p>
<p>
Note that up to date PIN modification or unblocking is not supported with CT-API driver, there still is some work to do... ;)
</p>
</div>
</div><div class="footer"><hr></hr><p><a href="index.html">Back to Index</a></p></div></body></html>

@ -0,0 +1,41 @@
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:html="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>CardReaders/SPR532 - OpenSC - Trac</title><style type="text/css">
@import url(trac.css);
</style></head><body><div class="wikipage">
<div id="searchable"><h1>PinPad AKA SPR532 and OpenSC mini-howto</h1>
<p>
To get feedback as early as possible, here's a small tutorial how to get going with SPR532 and pinpad. There are other <a href="PinpadReaders.html" shape="rect">PinpadReaders</a> and other interfaces but the given interface makes use of <a class="ext-link" title="http://www.teletrust.de/down/ag2_ioctls_V1.14-2.zip" href="http://www.teletrust.de/down/ag2_ioctls_V1.14-2.zip" shape="rect">TeleTrust Class 2 reader IOCTL mechanism</a> that shall be part of <a class="ext-link" title="http://www.pcscworkgroup.com/specifications/overview.php" href="http://www.pcscworkgroup.com/specifications/overview.php" shape="rect">PC/SC version 2.0 spec</a> as Part 10. There is also part 10 of the new PC/SC spec but <a class="missing" href="/opensc/wiki/TeleTrust" shape="rect">TeleTrust?</a> interface requires no special features from the PC/SC middleware but from the given IFDHandler itself and thus can be deployed now - by introducing the needed support in reader drivers and application side (OpenSC in this case).
</p>
<p>
Things you need to try it out:
</p>
<ul><li>get yourself a SPR532 reader from www.scmmicro.com
</li><li>upgrade the firmware to the latest (5.05 version) using stuff from here: <a class="ext-link" title="http://martin.paljak.pri.ee/download/esteid/ccid/SCM-readers/SPR532/" href="http://martin.paljak.pri.ee/download/esteid/ccid/SCM-readers/SPR532/" shape="rect">http://martin.paljak.pri.ee/download/esteid/ccid/SCM-readers/SPR532/</a>
</li><li>install pcsc-lite from the tarball available here: <a class="ext-link" title="http://martin.paljak.pri.ee/download/esteid/pcsc-lite/" href="http://martin.paljak.pri.ee/download/esteid/pcsc-lite/" shape="rect">http://martin.paljak.pri.ee/download/esteid/pcsc-lite/</a>
</li><li>install the ccid driver from the tarball available there: <a class="ext-link" title="http://martin.paljak.pri.ee/download/esteid/ccid/" href="http://martin.paljak.pri.ee/download/esteid/ccid/" shape="rect">http://martin.paljak.pri.ee/download/esteid/ccid/</a>
</li><li>install opensc from snapshots that pop out here: <a class="ext-link" title="http://martin.paljak.pri.ee/download/esteid/opensc" href="http://martin.paljak.pri.ee/download/esteid/opensc" shape="rect">http://martin.paljak.pri.ee/download/esteid/opensc</a> and set the use_pinpad option in the config file.
</li></ul><p>
<i>NOTE: from the three download links above, directory <tt>test/</tt> contains the latest versions and thus might be better for the braves</i>.
</p>
<p>
Notes:
</p>
<ul><li>untill the needed changes get upstream, make sure that you have the versions from the locations mentioned before.
</li><li>the whole topic is hairy - see discussions on muscle and opensc-devel mailinglist:
<ul><li><a class="ext-link" title="http://archives.neohapsis.com/archives/dev/muscle/2005-q1/0199.html" href="http://archives.neohapsis.com/archives/dev/muscle/2005-q1/0199.html" shape="rect">http://archives.neohapsis.com/archives/dev/muscle/2005-q1/0199.html</a>
</li><li><a class="ext-link" title="http://archives.neohapsis.com/archives/dev/muscle/2005-q1/0221.html" href="http://archives.neohapsis.com/archives/dev/muscle/2005-q1/0221.html" shape="rect">http://archives.neohapsis.com/archives/dev/muscle/2005-q1/0221.html</a>
</li><li><a class="ext-link" title="http://www.opensc.org/pipermail/opensc-devel/2005-March/005709.html" href="http://www.opensc.org/pipermail/opensc-devel/2005-March/005709.html" shape="rect">http://www.opensc.org/pipermail/opensc-devel/2005-March/005709.html</a>
</li></ul></li></ul><p>
What you can do:
</p>
<ol><li>test and provide feedback
</li><li>make the code of ccid library better. It seriously looks ugly when the SecurePIN functions come to play - though it works.
</li><li>help to argue how things should look like in different places and how we shall solve some issues - see <a href="DesignDiscussion.html" shape="rect">DesignDiscussion</a>
</li></ol><p>
Known issues:
</p>
<ol><li>It is known to work with SPR532 under Linux. In practice it should work without modifications on windows using the latest windows drivers available from the SCM specific download location above.
</li><li>Support is only for T=0 cards (as of now Estonian and Belgian eID cards have been tested on Linux). It might as well work with T=1 cards, but to try it out you must disable the check for active protocol in reader-pcsc.c. Write a note here if it works.
</li><li>Support for pinpad operations in general might lag behind your needs. Patches most welcome :)
</li></ol></div>
</div><div class="footer"><hr></hr><p><a href="index.html">Back to Index</a></p></div></body></html>

39
doc/CardsAndTokens.html Normal file
@ -0,0 +1,39 @@
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:html="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>CardsAndTokens - OpenSC - Trac</title><style type="text/css">
@import url(trac.css);
</style></head><body><div class="wikipage">
<div id="searchable"><h1>Supported Cards and Tokens</h1>
<p>
OpenSC supports a number of national id cards, smart cards and usb crypto tokens.
</p>
<h2>National ID Cards</h2>
<ul><li><a href="FinnishEid.html" shape="rect">Finnish ID Card FINEID</a>
</li><li><a href="SwedishEid.html" shape="rect">Swedish Posten eID</a>
</li><li><a href="EstonianEid.html" shape="rect">Estonian ID Card EstEID</a>
</li><li><a href="ItalianEid.html" shape="rect">Italian Infocamere</a>
</li><li><a href="ItalianPostecert.html" shape="rect">Italian Postecert</a>
</li><li><a href="BelgianEid.html" shape="rect">Belgian eID</a>
</li><li><a href="SpanishEid.html" shape="rect">Spanish Ceres</a>
</li><li><a href="GermanEid.html" shape="rect">German TCOS</a>
</li><li><a href="TaiwanEid.html" shape="rect">Taiwan</a>
</li></ul><h2>Smart Cards</h2>
<ul><li><a href="Cryptoflex.html" shape="rect">Schlumberger/Axalto Cryptoflex</a>
</li><li><a href="Cyberflex.html" shape="rect">Schlumberger/Axalto Cyberflex</a>
</li><li><a href="GemplusGpk.html" shape="rect">Gemplus GPK</a>
</li><li><a class="missing" href="/opensc/wiki/Emv" shape="rect">EMV?</a>
</li><li><a href="CardOs.html" shape="rect">Siemens CardOS M4</a>
</li><li><a class="missing" href="/opensc/wiki/IbmJcop" shape="rect">IBM JCOP?</a>
</li><li><a class="missing" href="/opensc/wiki/Micardo" shape="rect">Micardo?</a>
</li><li><a class="missing" href="/opensc/wiki/OberThur" shape="rect">Oberthur?</a>
</li><li><a href="OpenPgp.html" shape="rect">OpenPGP</a>
</li><li><a class="missing" href="/opensc/wiki/RSA" shape="rect">RSA 5100 / 5200?</a>
</li><li><a class="missing" href="/opensc/wiki/SetCos" shape="rect">Setec Setcos?</a>
</li><li><a class="missing" href="/opensc/wiki/Starcos" shape="rect">Gieseke &amp; Devrient Starcos?</a>
</li><li><a href="TelseCos.html" shape="rect">Telesec TCOS</a>
</li></ul><h2>USB Tokens</h2>
<ul><li><a href="AladdinEtokenPro.html" shape="rect">Aladdin eToken Pro</a>
</li><li><a href="CryptoIdendityItsec.html" shape="rect">Eutron CryptoIdendity IT-SEC</a>
</li><li><a href="SchlumbergerEgate.html" shape="rect">Schlumberger/Axalto e-gate</a>
</li><li><a href="RainbowIkeyThree.html" shape="rect">Rainbow iKey 3000</a>
</li></ul></div>
</div><div class="footer"><hr></hr><p><a href="index.html">Back to Index</a></p></div></body></html>

@ -0,0 +1,53 @@
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:html="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>CompatibilityIssues - OpenSC - Trac</title><style type="text/css">
@import url(trac.css);
</style></head><body><div class="wikipage">
<div id="searchable"><h1>Software compatibility</h1>
<p>
In general all smart cards are incompatible. That is the sad truth.
</p>
<p>
First, every card has different commands. Some of them conform to the standard ISO 7816 Part 4 and higher, but
most cards have at least some commands, that are special, or the commands require a special data structure.
</p>
<p>
Second, even if the same card is used, two different software companies tend to use the card in incompatible
ways. However there is hope for this problem: <a class="ext-link" title="http://www.rsasecurity.com/rsalabs/node.asp?id=2141" href="http://www.rsasecurity.com/rsalabs/node.asp?id=2141" shape="rect">PKCS#15</a> is a standard designed to solve that issue.
</p>
<p>
OpenSC implements PKCS#15, so cards initialized with OpenSC should work with other software implementing
it and vice versa. Note however, that usualy a card can only be modified with the software that was used
for initializing it in the first place. In that case you can only read the data with the compatible software,
use the keys, and most likely change pin and puk numbers.
</p>
<p>
Sometimes it is possible to live side by side. Think of a cd or a disk drive, with a picture and a text
file on it. Your text application can only open and change the text, and your graphics application can
only open and change the graphic, but if the medium can hold both files, you can store both on it.
</p>
<p>
That happends for example with the "Aladdin eToken PRO" (a usb crypto token) and OpenSC and the Aladdin
Software. OpenSC creates the file "2f00" and the directory "5015" as per PKCS#15 standard, and fills
both with data/keys/certificates. Aladdin does the same in the directory "6666". Still no software knows
how to deal with the other ones data/keys/certificates.
</p>
<h1>Comaptible Software</h1>
<p>
But at least some software is compatible:
</p>
<p>
Gieseke and Devrient ship the <a class="ext-link" title="http://www.gi-de.com/portal/page?_pageid=42,54878&amp;_dad=portal&amp;_schema=PORTAL" href="http://www.gi-de.com/portal/page?_pageid=42,54878&amp;_dad=portal&amp;_schema=PORTAL" shape="rect">StarCOS</a>
smart card and usb tokens based on that card. The software bundled with both is called Starsign. That software implements
the PKCS#15 standard, too, so it should be fully compatible with OpenSC and vise versa. If there is any issue, please
let us know (the last test was quite a while in the past).
</p>
<p>
If you know other software implementing PKCS#15, please add a paragraph.
</p>
<h1>National ID cards</h1>
<p>
National ID cards often are a standard of their own. OpenSC has PKCS#15 emulations for these cards, so you can use
them anway. See <a class="missing" href="/opensc/wiki/NationalIdCards" shape="rect">NationalIdCards?</a> for a list of supported cards.
</p>
</div>
</div><div class="footer"><hr></hr><p><a href="index.html">Back to Index</a></p></div></body></html>

@ -0,0 +1,6 @@
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:html="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>CompatiblityIssues - OpenSC - Trac</title><style type="text/css">
@import url(trac.css);
</style></head><body><div class="wikipage">
<div id="searchable"></div>
</div><div class="footer"><hr></hr><p><a href="index.html">Back to Index</a></p></div></body></html>

@ -0,0 +1,42 @@
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:html="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>CryptoIdendityItsec - OpenSC - Trac</title><style type="text/css">
@import url(trac.css);
</style></head><body><div class="wikipage">
<div id="searchable"><h1>Eutrom CryptoIdendity IT-SEC</h1>
<p>
<a class="ext-link" title="http://www.eutron.it/" href="http://www.eutron.it/" shape="rect">Eutron</a> offers the Crypto Idendity IT-SEC, an USB crypto token with 32k memory
and support for RSA keys up to 1024bit key length.
</p>
<p>
The Crypto Idendity IT-SEC is fully supported by OpenSC, but has not been tested for a while.
</p>
<p>
Note that Eutron also offers two other crypto tokens in the Crypto Idendity line, but those
are not supported at all (no documentation available).
</p>
<p>
The smart card inside is an Infineon Chip with the Siemens CardOS M4 smart card operating system.
The driver is called "etoken" because this was the first device with that smart card. Only the usb
interface differs, the rest seems to be the same.
</p>
<p>
One minor feature of the Siemens CardOS M4 is, that a rsa key cannot be used for both signing
and decryption. OpenSC has implemented a workaround: software key generation and storing that
key twice, once marked as decryption key and once marked as signing key. To enable this workaround
specifiy "--split-key" on the command line, when creating the key.
</p>
<p>
Eutron has their own software for windows. This software does not implement PKCS#15 and thus is not compatible with OpenSC. As long as the card has memory, you can initialize the card with both software packages, and thus install files and keys side by side - each software can only handle their own structures.
</p>
<p>
Documentation was not necessary, as the driver for the smart card inside was already implemented.
</p>
<p>
However there is no tool to format a token (for example if you lock it up by accident), and the card
is slightly differently initialized than the Aladdin eToken PRO, so the scripts for that token do not work with the Eutron Crypto Idendity IT-SEC. A support email was not answered.
</p>
<p>
For price and availability, please contact Eutron directly.
</p>
</div>
</div><div class="footer"><hr></hr><p><a href="index.html">Back to Index</a></p></div></body></html>

26
doc/Cryptoflex.html Normal file
@ -0,0 +1,26 @@
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:html="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>Cryptoflex - OpenSC - Trac</title><style type="text/css">
@import url(trac.css);
</style></head><body><div class="wikipage">
<div id="searchable"><h1>Schlumberger / Axalto Cryptoflex</h1>
<p>
All Cryptoflex are supported by OpenSC, tested very often and work fine.
</p>
<p>
Cryptoflex 8k cards however are too small, so the default profile does not fit on the card. Not even the small option is small enough to make it fit on the card. However you could edit the profile file to make it even smaller, then it should work again.
</p>
<p>
Documentation is available at [<a class="ext-link" title="http://www.cryptoflex.com/" href="http://www.cryptoflex.com/" shape="rect">http://www.cryptoflex.com/</a>].
</p>
<p>
Cards can be bought at [<a class="ext-link" title="http://www.scmegastore.com/" href="http://www.scmegastore.com/" shape="rect">http://www.scmegastore.com/</a>].
</p>
<p>
Sell also <a href="SchlumbergerEgate.html" shape="rect">SchlumbergerEgate</a> - a combination of the latest Cryptoflex card with a mechanical adapter to make the card speak usb.
</p>
<h2>Test Results</h2>
<p>
Works fine in smart acrd bundle 0.3rc2 on windows xp (cryptoflex 32k with plug in egate token adapter, driver 2.6.0).
</p>
</div>
</div><div class="footer"><hr></hr><p><a href="index.html">Back to Index</a></p></div></body></html>

21
doc/Cyberflex.html Normal file
@ -0,0 +1,21 @@
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:html="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>Cyberflex - OpenSC - Trac</title><style type="text/css">
@import url(trac.css);
</style></head><body><div class="wikipage">
<div id="searchable"><h1>Schlumberger / Axalto Cyberflex</h1>
<p>
Earlier versions of Cyberflex cards have the same or a very similiar filesystem interface like the Cryptoflex cards.
Those cards work well with OpenSC.
</p>
<p>
Newer versions however are pure <a class="missing" href="/opensc/wiki/JavaCards" shape="rect">JavaCards?</a> and will not work without a <a class="missing" href="/opensc/wiki/JavaApplet" shape="rect">JavaApplet?</a>. No such applet is currently supported by OpenSC.
</p>
<p>
<a class="ext-link" title="http://www.musclecard.com/" href="http://www.musclecard.com/" shape="rect">MuscleCard</a> is an open source software containing a <a class="missing" href="/opensc/wiki/JavaApplet" shape="rect">JavaApplet?</a> for Cryptoflex cards and has a pkcs<a href="/opensc/ticket/11" title="CLOSED : gcc4 build failure" shape="rect"><del>#11</del></a>
library for Unix/Linux and Windows.
</p>
<p>
FIXME:Did anyone test such a card recently?
</p>
</div>
</div><div class="footer"><hr></hr><p><a href="index.html">Back to Index</a></p></div></body></html>

43
doc/DesignDiscussion.html Normal file
@ -0,0 +1,43 @@
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:html="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>DesignDiscussion - OpenSC - Trac</title><style type="text/css">
@import url(trac.css);
</style></head><body><div class="wikipage">
<div id="searchable"><h1>Design issues</h1>
<p>
Every change that is not a small fix or minor enhancement requires some kind of design. In order to discuss design decisions as much as possible and leave some kind of track about decisions made and design in place other than source code and comments and maybe even documentation, this sector of the wiki could be used. As always - feel free to comment (but please leave your name after your comment).
</p>
<h2>Pinpad functionality</h2>
<p>
(Martin)
Current state of secure pin entry methods in OpenSC is somewhat limited and hairy. Checks and features and functionality spans several component borders (application, library, card driver, reader, pkcs15 layer, etc). The target is to provide smooth pinpad support.
</p>
<p>
In theory different layers affect the total pinpad-oriented functioning:
</p>
<ol><li>Reader capabilities - actual reader capabilities detected and enabled by the reader (ctapi, pcsc, openct)
</li><li>Reader driver and how-if-what verify methods it implements (though the name <i>verify</i> is not correct if we talk about full pin operations)
</li><li>Card driver and if it implements the new pin command interface or if it is possible at all for the given card (maybe it uses some other method, maybe it uses non-numeric passwords)
</li><li>pkcs15 layer - what it thinks about underlying hardware capacities and if/how it makes use of it
</li><li>pkcs11 layer - exports PROTECTED_AUTHENTICATION_PATH to indicate 'secure authentication (aka pinpad)' and itself feeds data to pkcs15 layer.
</li><li>applications - how they interpret various parameters (like slot capabilities, pkcs11 features, etc), how/if they react or should react on empty pins etc.
</li><li>Library internal UI functionality - instead of asking for a pin who should notify the user to insert the pin to the pinpad and how?
</li></ol><p>
All these should be put to work for a common goal in a nice way.
</p>
<h3>Requirements</h3>
<ul><li>Slot flags must correctly state the capabilities of the slot and all functionality must strictly check this flag.
</li><li>A card driver should have a possibility to disable pinpad enabled functionality even if the slot tells it can do it - for reasons like character passwords
</li><li>It should be possible to disable pinpad functionality on reader(driver)/global layer as a configuration option - this will result the slot capabilities to be hidden
</li><li>It should be possible to disable pinpad functionality on a higher level - as a global option. This could result in different
</li><li>pkcs11 flag about secure authentication flag can be affected by any of the previous config options.
</li><li>One reader should support different verification methods (you can talk class2 via pcsc and you can talk ctbcs)
</li></ul><h3>Things to keep in mind</h3>
<ul><li>Backwards compatibility
</li><li>User interaction.
</li></ul><h3>Decisions</h3>
<ul><li>Implement pinpad functionality in a proper way (err, small decisions should be outlined now)
</li></ul><p>
... to be continued ...
</p>
</div>
</div><div class="footer"><hr></hr><p><a href="index.html">Back to Index</a></p></div></body></html>

@ -0,0 +1,20 @@
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:html="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>DesignDiscussion/UserInterface - OpenSC - Trac</title><style type="text/css">
@import url(trac.css);
</style></head><body><div class="wikipage">
<div id="searchable"><h1>User Interface</h1>
<p>
OpenSC is all about <a class="missing" href="/opensc/wiki/SmartCards" shape="rect">SmartCards?</a>. <a class="missing" href="/opensc/wiki/SmartCards" shape="rect">SmartCards?</a> are all about cryptography. Cryptography is something users don't care much about nor want to know about. At the same time - <a class="missing" href="/opensc/wiki/SmartCards" shape="rect">SmartCards?</a> are usually tightly tied to the cardholder. So user interaction and <a class="missing" href="/opensc/wiki/UserInterface" shape="rect">UserInterface?</a> are actually important components of the overall solutions that <a class="missing" href="/opensc/wiki/SmartCards" shape="rect">SmartCards?</a> provide.
</p>
<p>
To sum up where exactly and how user interaction takes place, can take place or should take place, we need to know what layers and standards affect this area. Then we can find the most convinient and optimal path so that the whole usage of smartcards can be somewhat hidden and convenient for the user. To be more precise: user interaction is everything that the user _must_ do in normal cases - so user _has_ to authenticate to the card somehow, but she must not start other interactions - some application can have the initiative. Information to the end user (errors etc) falls into this category too.
</p>
<h2>To be continued</h2>
<ul><li>pkcs11 defines login functions, what means user interaction is done by the application to get the pin
</li><li>pkcs11 also defines secure authentication path variable, what leaves the authentication process outside of the scope of pkcs11
</li><li>pkcs15 defines user consent attribute, that must result in user interaction.
</li><li>opensc includes ui* functions that should deal with some of the problems described here
</li><li>applications (utilities) deal with user interaction - this should happen in a unified manner
</li><li>help to fill in!
</li></ul></div>
</div><div class="footer"><hr></hr><p><a href="index.html">Back to Index</a></p></div></body></html>
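
Review bot: The opening paragraph contains five class="missing" anchors pointing at /opensc/wiki/SmartCards and /opensc/wiki/UserInterface, which render as "SmartCards?" and "UserInterface?" and lead nowhere once the page is read from doc/ rather than from the Trac server; the export step should turn links to missing pages into plain text. "convinient" in the second paragraph should be "convenient", and the last bullet ("help to fill in!") is a wiki call to action that has no meaning in a snapshot readers cannot edit.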

20
doc/EstonianEid.html Normal file
View File

@ -0,0 +1,20 @@
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:html="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>EstonianEid - OpenSC - Trac</title><style type="text/css">
@import url(trac.css);
</style></head><body><div class="wikipage">
<div id="searchable"><h1>Estonian EID</h1>
<p>
OpenSC is the official software for the Estonian eID card for non-WinCSP platforms.
</p>
<p>
The official home page for the Estonian eID card is <a class="ext-link" title="http://www.id.ee" href="http://www.id.ee" shape="rect">http://www.id.ee</a>.
</p>
<p>
Martin Paljak has more information and downloads: <a class="ext-link" title="http://ideelabor.ee/id-kaart" href="http://ideelabor.ee/id-kaart" shape="rect">http://ideelabor.ee/id-kaart</a>.
</p>
<p>
More users of the estonian id card:
</p>
<ul><li>[<a class="ext-link" title="http://www.ria.ee/atp/?id=1051" href="http://www.ria.ee/atp/?id=1051" shape="rect">http://www.ria.ee/atp/?id=1051</a>]
</li></ul></div>
</div><div class="footer"><hr></hr><p><a href="index.html">Back to Index</a></p></div></body></html>

49
doc/FinnishEid.html Normal file
View File

@ -0,0 +1,49 @@
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:html="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>FinnishEid - OpenSC - Trac</title><style type="text/css">
@import url(trac.css);
</style></head><body><div class="wikipage">
<div id="searchable"><p>
<strong>= Finnish FINEID =</strong>
</p>
<p>
The finnish eid card should work fine.
Of course it can only be used, but not altered.
</p>
<p>
FIXME:pin changes?
</p>
<p>
FIXME:extra data?
</p>
<p>
FIXME:did anyone test lately?
</p>
<hr></hr>
<p>
<strong>Unlocking a FINEID electronic identity card</strong>
</p>
<p>
You can ask the police for advice on the use of electronic identity cards. You can also test your electronic identity card at police stations.
</p>
<p>
If your electronic identity card has become locked, you can unlock it at a police station. You must have the correct PUK number with you to unlock the PIN number.
</p>
<p>
If you have lost your PUK number, the police can on request order a new PUK number, which will be sent by mail to the address you provide. The new number can then be used to unlock your PIN number.
</p>
<p>
Fees:
Unlocking a PIN number EUR 10
New PUK number EUR 18
</p>
<p>
For additional information on electronic identity cards, go to:
</p>
<p>
<a class="ext-link" title="http://www.sahkoinenhenkilokortti.fi/" href="http://www.sahkoinenhenkilokortti.fi/" shape="rect">http://www.sahkoinenhenkilokortti.fi/</a>
</p>
<p>
<a class="ext-link" title="http://www.vaestorekisterikeskus.fi/indexen.htm/" href="http://www.vaestorekisterikeskus.fi/indexen.htm/" shape="rect">http://www.vaestorekisterikeskus.fi/indexen.htm/</a>
</p>
</div>
</div><div class="footer"><hr></hr><p><a href="index.html">Back to Index</a></p></div></body></html>
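
Review bot: The page title is emitted as <strong>= Finnish FINEID =</strong> inside a paragraph instead of an <h1>, which looks like heading markup the wiki did not parse; fix the source so this page gets a real heading like the other card pages. The three FIXME paragraphs (pin changes, extra data, recent testing) leave the statement "should work fine" unsupported, and the "Fees:" paragraph collapses two price lines into one block with no separator, so it should become a list or table.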

16
doc/GemplusGpk.html Normal file
View File

@ -0,0 +1,16 @@
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:html="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>GemplusGpk - OpenSC - Trac</title><style type="text/css">
@import url(trac.css);
</style></head><body><div class="wikipage">
<div id="searchable"><h1>Gemplus GPK 16k</h1>
<p>
Gemplus GPK 16k cards are fully supported by OpenSC and regularly tested.
</p>
<p>
FIXME:Links,Documentation
</p>
<p>
FIXME:where to buy, price
</p>
</div>
</div><div class="footer"><hr></hr><p><a href="index.html">Back to Index</a></p></div></body></html>

20
doc/GermanEid.html Normal file
View File

@ -0,0 +1,20 @@
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:html="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>GermanEid - OpenSC - Trac</title><style type="text/css">
@import url(trac.css);
</style></head><body><div class="wikipage">
<div id="searchable"><h1>German TCOS</h1>
<p>
German has several laws for smart cards, and to our knowledge all cards conforming to those laws are using the TCOS 2.0X card operating
system.
</p>
<p>
OpenSC has only some initial support for TCOS cards, but not enough to use those cards with OpenSC. Also there is some code for OpenSC that needs to be ported from an older version of OpenSC to the current, it contains some of the work necessary.
</p>
<p>
This does NOT mean, that you cannot use preformatted TCOS cards (i.e. <a class="missing" href="/opensc/wiki/NetKey" shape="rect">NetKey?</a> E4-cards) with OpenSC. You find more information about how to use <a class="missing" href="/opensc/wiki/NetKey" shape="rect">NetKey?</a> E4 card <a href="TelseCos.html" shape="rect">here</a>.
</p>
<p>
SignTrust- and German EId-cards are also TCOS based but might have a different layout, so the <a class="missing" href="/opensc/wiki/NetKey" shape="rect">NetKey?</a> E4-emulation might not work with this cards. If you have such a card and know the location of the certificates, keys and PINs, please post this information on the opensc-devel list.
</p>
</div>
</div><div class="footer"><hr></hr><p><a href="index.html">Back to Index</a></p></div></body></html>
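
Review bot: The second and third paragraphs pull in opposite directions: one says TCOS support is "not enough to use those cards with OpenSC", the next says preformatted TCOS cards such as NetKey E4 can be used; state up front which case works (preformatted cards through the emulation described in TelseCos.html) and which does not. "German has several laws" should read "Germany has", "with this cards" should be "with these cards", and the three NetKey anchors are class="missing" links to /opensc/wiki/NetKey that will not resolve from the snapshot.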

22
doc/ItalianEid.html Normal file
View File

@ -0,0 +1,22 @@
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:html="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>ItalianEid - OpenSC - Trac</title><style type="text/css">
@import url(trac.css);
</style></head><body><div class="wikipage">
<div id="searchable"><h1>Italian Infocamere</h1>
<p>
Some versions of the italian infocamere card are supported by OpenSC.
</p>
<p>
FIXME:read-only?pin-changes?
</p>
<p>
FIXME:Add details
</p>
<p>
FIXME:did anyone test recently?
</p>
<p>
FIXME:documwentation, links....?
</p>
</div>
</div><div class="footer"><hr></hr><p><a href="index.html">Back to Index</a></p></div></body></html>
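
Review bot: The only statement on this page, "Some versions of the italian infocamere card are supported", does not say which versions, and the four FIXME paragraphs that follow are the open questions a user would need answered (read-only or not, PIN changes, last test); either fill them in or reduce the page to a pointer to the test results. "documwentation" in the last FIXME is a typo.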

19
doc/ItalianPostecert.html Normal file
View File

@ -0,0 +1,19 @@
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:html="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>ItalianPostecert - OpenSC - Trac</title><style type="text/css">
@import url(trac.css);
</style></head><body><div class="wikipage">
<div id="searchable"><h1>Italian Postecert</h1>
<p>
Some versions of the italisn postecert card are supported by OpenSC.
</p>
<p>
FIXME:read-only? pin changes?
</p>
<p>
FIXME:did anyone test recently?
</p>
<p>
FIXME:documentation, pointers, etc.?
</p>
</div>
</div><div class="footer"><hr></hr><p><a href="index.html">Back to Index</a></p></div></body></html>
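
Review bot: "italisn" in the first paragraph should be "Italian". As on the Infocamere page, the sentence about "some versions" gives no version information and the rest of the page is FIXME placeholders.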

View File

@ -0,0 +1,40 @@
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:html="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>LinuxDistributions - OpenSC - Trac</title><style type="text/css">
@import url(trac.css);
</style></head><body><div class="wikipage">
<div id="searchable"><h1>Linux Distributions</h1>
<p>
For GNU/Linux users the best solution is, if the distribution already includes recent packages
of OpenSC. Here is a survey of recent distributions. If you have additional infomation,
please add it.
</p>
<table class="wiki">
<tr><td rowspan="1" colspan="1">
</td></tr><tr><td rowspan="1" colspan="1"> Debian woody (old stable) </td><td rowspan="1" colspan="1"> <a class="ext-link" title="http://packages.debian.org/opensc" href="http://packages.debian.org/opensc" shape="rect">does not</a> contain OpenSC packages
</td></tr><tr><td rowspan="1" colspan="1"> Debian sarge (stable) </td><td rowspan="1" colspan="1"> <a class="ext-link" title="http://packages.debian.org/stable/utils/opensc" href="http://packages.debian.org/stable/utils/opensc" shape="rect">OpenSC 0.9.6 included</a>
</td></tr><tr><td rowspan="1" colspan="1"> Debian sid (development) </td><td rowspan="1" colspan="1"> <a class="ext-link" title="http://packages.debian.org/unstable/utils/opensc" href="http://packages.debian.org/unstable/utils/opensc" shape="rect">OpenSC 0.9.6 included</a>
</td></tr><tr><td rowspan="1" colspan="1"> Fedora Core 3 </td><td rowspan="1" colspan="1"> <a class="ext-link" title="http://download.fedora.redhat.com/pub/fedora/linux/extras/3/i386/" href="http://download.fedora.redhat.com/pub/fedora/linux/extras/3/i386/" shape="rect">OpenSC 0.9.4 included</a>
</td></tr><tr><td rowspan="1" colspan="1"> Fedora Core 4 </td><td rowspan="1" colspan="1"> <a class="ext-link" title="http://download.fedora.redhat.com/pub/fedora/linux/extras/4/i386/" href="http://download.fedora.redhat.com/pub/fedora/linux/extras/4/i386/" shape="rect">OpenSC 0.9.6 included</a>
</td></tr><tr><td rowspan="1" colspan="1"> Gentoo Portage </td><td rowspan="1" colspan="1"> <a class="ext-link" title="http://www.gentoo.org/cgi-bin/viewcvs.cgi/dev-libs/opensc/?root=gentoo-x86" href="http://www.gentoo.org/cgi-bin/viewcvs.cgi/dev-libs/opensc/?root=gentoo-x86" shape="rect">OpenSC 0.9.6 in dev-libs/opensc</a>
</td></tr><tr><td rowspan="1" colspan="1"> Mandrake </td><td rowspan="1" colspan="1"> <a class="ext-link" title="http://cvs.mandrakesoft.com/cgi-bin/cvsweb.cgi/contrib-SPECS/opensc/" href="http://cvs.mandrakesoft.com/cgi-bin/cvsweb.cgi/contrib-SPECS/opensc/" shape="rect">OpenSC 0.8.1 in contrib</a>
</td></tr><tr><td rowspan="1" colspan="1"> Novell/SUSE LINUX Enterprise Server 9 for x86 </td><td rowspan="1" colspan="1"> <a class="ext-link" title="http://www.novell.com/products/linuxpackages/enterpriseserver/i386/opensc.html" href="http://www.novell.com/products/linuxpackages/enterpriseserver/i386/opensc.html" shape="rect">OpenSC 0.8.0 included</a>
</td></tr><tr><td rowspan="1" colspan="1"> OpenPKG </td><td rowspan="1" colspan="1"> <a class="ext-link" title="ftp://ftp.openpkg.org/current/SRC/" href="ftp://ftp.openpkg.org/current/SRC/" shape="rect">not included</a>
</td></tr><tr><td rowspan="1" colspan="1"> Rock Linux </td><td rowspan="1" colspan="1"> <a class="ext-link" title="http://www.rocklinux.net/packages/opensc.html" href="http://www.rocklinux.net/packages/opensc.html" shape="rect">OpenSC 0.9.4 included</a>
</td></tr><tr><td rowspan="1" colspan="1"> Suse 9.3 </td><td rowspan="1" colspan="1"> <a class="ext-link" title="ftp://ftp.suse.com/pub/suse/i386/9.3/suse/i586/" href="ftp://ftp.suse.com/pub/suse/i386/9.3/suse/i586/" shape="rect">OpenSC 0.9.4 included</a>
</td></tr><tr><td rowspan="1" colspan="1"> Suse 9.2 </td><td rowspan="1" colspan="1"> <a class="ext-link" title="ftp://ftp.suse.com/pub/suse/i386/9.2/suse/i586/" href="ftp://ftp.suse.com/pub/suse/i386/9.2/suse/i586/" shape="rect">OpenSC 0.8.1 included</a>
</td></tr><tr><td rowspan="1" colspan="1"> Suse 9.1 </td><td rowspan="1" colspan="1"> <a class="ext-link" title="ftp://ftp.suse.com/pub/suse/i386/9.1/suse/i586/" href="ftp://ftp.suse.com/pub/suse/i386/9.1/suse/i586/" shape="rect">OpenSC 0.8.0 included</a>
</td></tr></table>
<p>
<a class="ext-link" title="http://atrpms.net/name/opensc/" href="http://atrpms.net/name/opensc/" shape="rect">ATrpms</a> lists some RPM based distributions.
</p>
<p>
Other operating systems:
</p>
<table class="wiki">
<tr><td rowspan="1" colspan="1"> NetBSD </td><td rowspan="1" colspan="1"> <a class="ext-link" title="ftp://ftp.netbsd.org/pub/NetBSD/packages/pkgsrc/README-all.html" href="ftp://ftp.netbsd.org/pub/NetBSD/packages/pkgsrc/README-all.html" shape="rect">not included</a>
</td></tr><tr><td rowspan="1" colspan="1"> FreeBSD </td><td rowspan="1" colspan="1"> <a class="ext-link" title="http://www.freebsd.org/cgi/cvsweb.cgi/ports/security/opensc/" href="http://www.freebsd.org/cgi/cvsweb.cgi/ports/security/opensc/" shape="rect">OpenSC 0.9.4 included</a>
</td></tr><tr><td rowspan="1" colspan="1"> OpenBSD </td><td rowspan="1" colspan="1"> not included
</td></tr><tr><td rowspan="1" colspan="1"> fink / Mac OS X </td><td rowspan="1" colspan="1"> <a class="ext-link" title="http://fink.sourceforge.net/pdb/list.php" href="http://fink.sourceforge.net/pdb/list.php" shape="rect">not included</a>
</td></tr></table>
</div>
</div><div class="footer"><hr></hr><p><a href="index.html">Back to Index</a></p></div></body></html>
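
Review bot: The first table starts with an empty row (a <tr> holding a single empty <td>), which renders as a stray blank cell above "Debian woody"; drop it or replace it with a header row naming the two columns. The package versions listed here are a point-in-time survey, so the page should carry the date of the snapshot; "infomation" in the intro should be "information".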

66
doc/MacOsX.html Normal file
View File

@ -0,0 +1,66 @@
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:html="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>MacOsX - OpenSC - Trac</title><style type="text/css">
@import url(trac.css);
</style></head><body><div class="wikipage">
<div id="searchable"><h1>Using OpenSC on Mac OS X</h1>
<p>
First you need Mac OS X Version 10.4 or later. Older version are supposed to not work well,
but if you try and have success, please report here.
I report!
it worked for me under 10.3.9 G4 1,2Ghz, and i can use my mpmanF50 again. Thanks.
reach me nicolasb at gmaildotcom. French tutorial here : <a class="ext-link" title="http://nicolasbizard.free.fr/blog" href="http://nicolasbizard.free.fr/blog" shape="rect">http://nicolasbizard.free.fr/blog</a>
</p>
<p>
Then you need a driver for your smart card reader. Hier is an examle for Axalto e-gate tokens:
* Download and install libusb. <a class="ext-link" title="http://libusb.sourceforge.net/" href="http://libusb.sourceforge.net/" shape="rect">http://libusb.sourceforge.net/</a>
* Download ifd-egate from <a class="ext-link" title="http://www.luusa.org/~wbx/sc/ifd-egate-0.05-patched.tar.gz" href="http://www.luusa.org/~wbx/sc/ifd-egate-0.05-patched.tar.gz" shape="rect">http://www.luusa.org/~wbx/sc/ifd-egate-0.05-patched.tar.gz</a>
</p>
<p>
To install libusb, you need to extract the files, configure it, make, make install:
</p>
<pre class="wiki" xml:space="preserve">wget http://switch.dl.sourceforge.net/sourceforge/libusb/libusb-0.1.10a.tar.gz
tar xfvz libusb-0.1.10a.tar.gz
cd libusb-0.1.10a
./configure --prefix=/opt/smartcard
make
make install
cd ..
</pre><p>
To install ifd-egate you need to extract the files, and use some environment variables to make sure it finds everything (or edit the
compile options in the Makefile directly):
</p>
<pre class="wiki" xml:space="preserve">wget http://www.luusa.org/~wbx/sc/ifd-egate-0.05-patched.tar.gz
tar xfvz ifd-egate-0.05-patched.tar.gz
cd ifd-egate-0.05
export USB_CFLAGS="-I/opt/smartcard/include -I/System/Library/Frameworks/PCSC.framework/Headers"
export USB_LDFLAGS="-L/opt/smartcard/lib -lusb -Wl,-framework -Wl,PCSC"
make -f Makefile-OSX clean
make -f Makefile-OSX
make -f Makefile-OSX install
export USB_CFLAGS=
export USB_LDFLAGS=
cd ..
</pre><p>
Last you need to download and install opensc. This is straight forward: download, extract, configure, make, make install.
</p>
<pre class="wiki" xml:space="preserve">wget http://www.opensc.org/files/opensc-0.9.6.tar.gz
tar xfvz opensc-0.9.6.tar.gz
cd opensc-0.9.6
./configure --prefix=/opt/smartcard --sysconfdir=/etc
make
make install
cd ..
</pre><h2>SSH with smartcard support</h2>
<p>
Mac OS X does include openssh, but unfortunatly compiled without smartcard support.
Here is how you can recompile openssh with it:
</p>
<pre class="wiki" xml:space="preserve">wget ftp://ftp.leo.org/pub/OpenBSD/OpenSSH/portable/openssh-4.1p1.tar.gz
tar xfvz openssh-4.1p1.tar.gz
cd openssh-4.1p1
./configure --prefix=/opt/smartcard --sysconfdir=/etc --with-opensc=/opt/smartcard
make
make install
cd ..
</pre></div>
</div><div class="footer"><hr></hr><p><a href="index.html">Back to Index</a></p></div></body></html>
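
Review bot: Each build recipe (libusb, ifd-egate, opensc, and the OpenSSH rebuild) fetches a tarball with wget over plain http or ftp and goes straight to make install into /opt/smartcard and /etc, with no checksum or signature check in between; add a verification step after each download, or publish the expected digest next to the URL. The OpenSSH step mixes --prefix=/opt/smartcard with --sysconfdir=/etc, and the text should say that the rebuilt ssh then reads the same configuration directory as the system one. The first paragraph has a visitor's comment merged into it ("I report! it worked for me under 10.3.9 ...", with a contact address) that contradicts the 10.4 requirement stated just before it, and the "* Download" lines are list markup that was not rendered.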

42
doc/Makefile.am Normal file
View File

@ -0,0 +1,42 @@
# Process this file with automake to create Makefile.in
MAINTAINERCLEANFILES = Makefile.in
EXTRA_DIST = README export-wiki.sh export-wiki.xsl $(HTML)
HTML= AladdinEtokenPro.html AutoVersions.html BelgianEid.html CardOs.html \
CardReaders_CTAPI.html CardReaders_SPR532.html CardsAndTokens.html \
CompatibilityIssues.html CompatiblityIssues.html \
CryptoIdendityItsec.html Cryptoflex.html Cyberflex.html \
DesignDiscussion.html DesignDiscussion_UserInterface.html \
EstonianEid.html FinnishEid.html GemplusGpk.html GermanEid.html \
ItalianEid.html ItalianPostecert.html LinuxDistributions.html \
MacOsX.html MartinBlog.html MartinBlogMuscle.html \
MartinBlogPlatform.html OpenPgp.html OpenSsh.html \
OpensslEngines.html PinpadReaders.html PuTTYcard.html \
RainbowIkeyThree.html RecentTestresults.html ReleaseHowto.html \
ReplacingCertificates.html RoadMap.html SchlumbergerEgate.html \
SmartCardApplications.html SpanishEid.html SubversionRepository.html \
SupportedHardware.html SwedishEid.html TaiwanEid.html TelseCos.html \
TroubleShooting.html WindowsCsp.html index.html pkcs11_keypair_gen.html
# OLD
XSLTPROC = xsltproc --xinclude
default:
@echo -e "The following make targets are available:\n"
@echo -e "\thtml\t\tA single HTML page\n"
@echo -e "\tman\t\tMan pages for all functions\n"
all: html man
clean:
rm -rf html man
html:
$(XSLTPROC) -o html/api.html src/api/html.xsl src/api/api.xml
man:
$(XSLTPROC) -o man/ src/api/man.xsl src/api/api.xml
.SILENT:
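
Review bot: The block kept under "# OLD" still defines default, all, clean, html and man, so this Makefile.am overrides automake's own all and clean targets and the clean rule runs rm -rf html man; delete the block, or move whatever is still needed into all-local and clean-local. In the HTML list, CompatibilityIssues.html and CompatiblityIssues.html are both present, the second looking like a misspelled duplicate of the first, and sub-pages are listed with underscores (CardReaders_SPR532.html, CardReaders_CTAPI.html) while the exported PinpadReaders.html links to CardReaders/SPR532.html and CardReaders/CTAPI.html, so those links will not resolve.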

16
doc/MartinBlog.html Normal file
View File

@ -0,0 +1,16 @@
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:html="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>MartinBlog - OpenSC - Trac</title><style type="text/css">
@import url(trac.css);
</style></head><body><div class="wikipage">
<div id="searchable"><h1>Smart Card Notes</h1>
<p>
I create this page to keep track of my activities on OpenSC hacking so that it would be easy for me to manage&amp;update and available for others who might be interested in the topic and so that somebody else could correct the mistakes I'm doing ;)
</p>
<p>
<a href="MartinBlogPlatform.html" shape="rect">MartinBlogPlatform</a> - description of personal setups i use for testing
</p>
<ul><li><a href="MartinBlogMuscle.html" shape="rect">MartinBlogMuscle</a> - How to use a <a class="missing" href="/opensc/wiki/JavaCard" shape="rect">JavaCard?</a> with MUSCLE project applet on it, how to use it via OpenSC
</li><li><a class="missing" href="/opensc/wiki/MartinBlogPinPad" shape="rect">MartinBlogPinPad?</a> - How to use <a href="PinpadReaders.html" shape="rect">PinpadReaders</a> with OpenSC / other programs
</li><li><a class="missing" href="/opensc/wiki/MartinBlogSmartCardWebProgramming" shape="rect">MartinBlogSmartCardWebProgramming?</a> - using <a class="missing" href="/opensc/wiki/SmartCards" shape="rect">SmartCards?</a> in web environment.
</li></ul></div>
</div><div class="footer"><hr></hr><p><a href="index.html">Back to Index</a></p></div></body></html>

47
doc/MartinBlogMuscle.html Normal file
View File

@ -0,0 +1,47 @@
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:html="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>MartinBlogMuscle - OpenSC - Trac</title><style type="text/css">
@import url(trac.css);
</style></head><body><div class="wikipage">
<div id="searchable"><h1>MUSCLE</h1>
<p>
##TODO## muscle info
</p>
<p>
What i have
</p>
<ul><li>USB e-gate token for Cyberflex cards
</li><li>Two Cyberflex 32k cards (one in token and one full size card)
</li></ul><p>
What i run on
</p>
<ul><li>WindowsXP SP2 (x86, free visual c toolkit, .net sdk, mingw setup)
</li><li>GNU/Linux (x86, kernel 2.6, mostly Debian/unstable)
</li><li>OS X 10.4 (Xcode et al, fink)
</li></ul><p>
How to access the e-gate USB token
</p>
<ul><li>Windows: <a class="ext-link" title="http://www.reflexreaders.com/Support/software.html" href="http://www.reflexreaders.com/Support/software.html" shape="rect">http://www.reflexreaders.com/Support/software.html</a> (works well)
</li><li>Linux:
<ul><li>OpenCT provides support directly to OpenSC, also a <a class="missing" href="/opensc/wiki/IfdHandler" shape="rect">IfdHandler?</a> for pcsc-lite (openct works, pcsc-lite integration needs to be checked, problems with the device file option in reader.conf)
</li><li>ifd-egate available here: <a class="ext-link" title="http://secure.netroedge.com/~phil/egate/" href="http://secure.netroedge.com/~phil/egate/" shape="rect">http://secure.netroedge.com/~phil/egate/</a> with minor modifications compiles cleanly and works well on linux)
</li></ul></li><li>OSX: openct and-or ifd-egate and-or normal supported reader?
</li></ul><p>
How to load the applet to the card
</p>
<ul><li><a class="ext-link" title="http://www.identityalliance.com/CardManagerClient-1.0.2.tar.gz" href="http://www.identityalliance.com/CardManagerClient-1.0.2.tar.gz" shape="rect">http://www.identityalliance.com/CardManagerClient-1.0.2.tar.gz</a> to use a card management server by identityalliance
<ul><li>compiled smoothly on linux and osx
</li><li>Did do something as well on Linux (Had to download the new certificate before). Procedure: select card, select applet, go! Very nice.
</li><li>use <a class="ext-link" title="http://archives.neohapsis.com/archives/dev/muscle/2005-q2/0241.html" href="http://archives.neohapsis.com/archives/dev/muscle/2005-q2/0241.html" shape="rect">http://archives.neohapsis.com/archives/dev/muscle/2005-q2/0241.html</a> as rootcert.pem
</li></ul></li></ul><p>
What to do with the card then?
</p>
<ul><li><a class="ext-link" title="http://www.musclecard.com/musclecard/files/mcardprot-1.2.1.pdf" href="http://www.musclecard.com/musclecard/files/mcardprot-1.2.1.pdf" shape="rect">http://www.musclecard.com/musclecard/files/mcardprot-1.2.1.pdf</a> - contains the card in terface that should be implemented in OpenSC
</li><li><a class="ext-link" title="http://www.linuxnet.com/musclecard/index.html" href="http://www.linuxnet.com/musclecard/index.html" shape="rect">http://www.linuxnet.com/musclecard/index.html</a> contains everything else needed too, hopefully
</li></ul><p>
Some notes
</p>
<ul><li>David: OpenSC PKCS<a href="/opensc/ticket/11" title="CLOSED : gcc4 build failure" shape="rect"><del>#11</del></a> needs to be updated to better support token initialization (<a class="missing" href="/opensc/wiki/InitToken" shape="rect">InitToken?</a>, InitPIN, <a class="missing" href="/opensc/wiki/CreateObject" shape="rect">CreateObject?</a>, .....)
</li><li>To be continued
</li></ul></div>
</div><div class="footer"><hr></hr><p><a href="index.html">Back to Index</a></p></div></body></html>
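
Review bot: Under "How to load the applet to the card", the last sub-item tells the reader to save a mailing-list archive post, fetched over plain http, as rootcert.pem; since that file is installed as a root certificate, the page should give its fingerprint or point to an authoritative source for it. In the "Some notes" list, "PKCS#11" went through the ticket linker and now renders as "PKCS" followed by a struck-through link to /opensc/ticket/11 ("CLOSED : gcc4 build failure"); escape the "#11" in the wiki source. "##TODO## muscle info" and "card in terface" also need cleaning up.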

View File

@ -0,0 +1,23 @@
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:html="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>MartinBlogPlatform - OpenSC - Trac</title><style type="text/css">
@import url(trac.css);
</style></head><body><div class="wikipage">
<div id="searchable"><h1>Platforms and hardware</h1>
<h3>CardReaders</h3>
<p>
I actively use these readers for testing purposes
</p>
<ul><li>SCM SCR 331
<ul><li>Cheap, well supported, distributed nation-wide by Estonian eID project
</li><li>Conforms to CCID standard
</li></ul></li><li>SCM SPR 532
<ul><li>Well supported, secure pinpad reader
</li><li>Conforms to CCID standard
</li></ul></li><li><a class="missing" href="/opensc/wiki/OmniKey" shape="rect">OmniKey?</a> Cardman 2020
<ul><li>Works well on Windows
</li><li>Has no well supported open-source drivers for Linux (Original driver is kernel module for 2.4)
</li></ul></li></ul><h3>Windows</h3>
<h3>Linux</h3>
<h3>OS X</h3>
</div>
</div><div class="footer"><hr></hr><p><a href="index.html">Back to Index</a></p></div></body></html>

9
doc/OpenPgp.html Normal file
View File

@ -0,0 +1,9 @@
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:html="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>OpenPgp - OpenSC - Trac</title><style type="text/css">
@import url(trac.css);
</style></head><body><div class="wikipage">
<div id="searchable"><p>
OpenPGP 1.0 cards work fine with OpenSC.
</p>
</div>
</div><div class="footer"><hr></hr><p><a href="index.html">Back to Index</a></p></div></body></html>

58
doc/OpenSsh.html Normal file
View File

@ -0,0 +1,58 @@
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:html="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>OpenSsh - OpenSC - Trac</title><style type="text/css">
@import url(trac.css);
</style></head><body><div class="wikipage">
<div id="searchable"><h1>OpenSSH and OpenSC</h1>
<p>
OpenSSH contains support for opensc, if it was compiled with "--with-opensc".
Unfortunately the openssh version included in most distributions is not compiled
this way. You can recompile openssh yourself. Ready-to-use binary packages are
available here:
</p>
<table class="wiki">
<tr><td rowspan="1" colspan="1"> Distribution </td><td rowspan="1" colspan="1"> Download URL
</td></tr><tr><td rowspan="1" colspan="1"> Name </td><td rowspan="1" colspan="1"> ADD URL
</td></tr><tr><td rowspan="1" colspan="1"> Gentoo </td><td rowspan="1" colspan="1"> The USE-flag "smartcard" makes the openssh ebuild depend on opensc and apply appropriate patches. Add the USE-flag system-wide to /etc/make.conf or just for OpenSSH in /etc/portage/package.use and re-emerge openssh. <tt> USE=smartcard emerge openssh </tt> will still work but is discouraged by Gentoo.
</td></tr></table>
<p>
If you compile OpenSSH yourself: Please apply the patch in opensc-0.9.6/src/openssh/ask-for-pin.diff.
This patch fixes a small issue: openssh "ssh" command will not ask for a pin and thus not work well
with smart cards. Ssh-add will ask for a pin, and thus ssh plus ssh-agent will work well. This patch
adds code so that ssh will ask for the smartcard pin, too. This patch was not accepted upstream so
far, the openssh development team has a concept for a rewrite towards a cleaner solution, but this
is still pending. So for now the patch is our best option.
Seel also: <a class="ext-link" title="http://bugzilla.mindrot.org/show_bug.cgi?id=608" href="http://bugzilla.mindrot.org/show_bug.cgi?id=608" shape="rect">OpenSSH bug 608</a>
</p>
<h2>Using OpenSSH with a smartcard</h2>
<pre class="wiki" xml:space="preserve">ssh -I 0 root@somehost
</pre><p>
will use the smart card in reader 0 and private key 0x45 to authenticate as root on host somehost.
This will of course only work if root@somehost has a ".ssh/authorized_keys" file and the public key
related to this private key is in that file.
</p>
<pre class="wiki" xml:space="preserve">ssh-keygen -D 0
</pre><p>
will download the public key from your smart card and print it in ssh1 and ssh2 format. You only need
one of those two lines. Put it into ".ssh/authorized_keys" on the target host and account like you do
with a normal .ssh/id_rsa.pub file. You can add a space char and a comment at the end of the line,
I usually add something like " aj@smartcard" so I know this is the key from my smartcard.
</p>
<p>
Starting with the next OpenSC release you can also use pkcs15-tool to display a public key in openssh
format. To do this type
</p>
<pre class="wiki" xml:space="preserve">pkcs15-tool --read-ssh-key [--reader 0] [--id 45]
</pre><p>
the default reader is 0 and the default id is 45, so typically you don't need those options.
(This might be useful for windows, since putty/pageant currently has no equivalent of "ssh-keygen -D 0".)
</p>
<p>
The OpenSSH public key format is defined at
[<a class="ext-link" title="http://www.ietf.org/internet-drafts/draft-ietf-secsh-publickeyfile-08.txt" href="http://www.ietf.org/internet-drafts/draft-ietf-secsh-publickeyfile-08.txt" shape="rect">http://www.ietf.org/internet-drafts/draft-ietf-secsh-publickeyfile-08.txt</a>]
</p>
<p>
TODO: it would be propably nicer to have one --read-public-key parameter, and a second optional parameter
--format with possible values der, pem, ssh1, ssh2. A patch to implement this would be very welcome.
</p>
</div>
</div><div class="footer"><hr></hr><p><a href="index.html">Back to Index</a></p></div></body></html>
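
Review bot: The sentence after "ssh -I 0 root@somehost" says the command uses "private key 0x45", but nothing on that command line selects a key; say that 45 is the default key id, as the pkcs15-tool paragraph further down does, so readers whose key has a different id are not misled. The packages table still contains the template row "Name / ADD URL", and its only real entry, Gentoo, describes a source build, which does not match "Ready-to-use binary packages are available here". The public key format link keeps literal square brackets around it, and "Seel also" and "propably" are typos.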

20
doc/OpensslEngines.html Normal file
View File

@ -0,0 +1,20 @@
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:html="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>OpensslEngines - OpenSC - Trac</title><style type="text/css">
@import url(trac.css);
</style></head><body><div class="wikipage">
<div id="searchable"><h1>OpenSSL Engines</h1>
<p>
The <a class="ext-link" title="http://www.openssl.org" href="http://www.openssl.org" shape="rect">OpenSSL project</a> offers the possibility to source out cryptographic functionality to plugin modules called engines. Usually there is one of two reasons for doing this, performance and security.
</p>
<p>
The performance reason is rather obvious, specialized hardware can do cryptography much faster than a general purpose computer.
</p>
<p>
The reason for using the opensc-engine typically is a security reason. If you are storing your private keys on a harddisk there is a lot of things an administrator (or a virus with root privileges) can do to steal your key. If the key is on a smart card there is usually no way to export the private key, so if you pull the card from the reader noone can use your keys. And if you use a certified and sealed reader device you can even be reasonably sure that noone can steal your PIN.
</p>
<h2>Using OpenSC as a smart card engine for OpenSSL</h2>
<p>
Include the text from QUICKSTART here?
</p>
</div>
</div><div class="footer"><hr></hr><p><a href="index.html">Back to Index</a></p></div></body></html>
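
Review bot: The section "Using OpenSC as a smart card engine for OpenSSL" contains only the editor's question "Include the text from QUICKSTART here?", so the page explains why to use the engine but never how; pull in the QUICKSTART text or drop the heading until the content exists. In the third paragraph, "noone" (twice) should be "no one" and "there is a lot of things" should be "there are a lot of things".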

39
doc/PinpadReaders.html Normal file
View File

@ -0,0 +1,39 @@
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:html="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>PinpadReaders - OpenSC - Trac</title><style type="text/css">
@import url(trac.css);
</style></head><body><div class="wikipage">
<div id="searchable"><h1>Pinpad Readers</h1>
<p>
Pinpad support with OpenCT is still under development. If you want to test it you'll have to use development snapshots of OpenSC and will most probably run into difficulties and/or outright bugs.
Reporting those bugs on the mailinglist may be a good way to get them fixed.
</p>
<p>
Currently Win32 and Unix versions follow quite different approaches, mainly due to availability of different drivers.
</p>
<p>
The Unix approach using CCID compliant readers is discribed in the <a href="CardReaders/SPR532.html" shape="rect">CardReaders/SPR532</a> document, I'll have a word about <a href="CardReaders/CTAPI.html" shape="rect">CT-API Readers</a> which are common on Win32 (if you have one on a Unix system please tell me!).
(martin: The 'ccid' in the spec is misleading - every ifdhandler can be changed to implement the teletrust spec - it uses a control block similar to CCID pin block but is _not_ pure ccid up to the lowest levels of the driver. And: the latest spr532 drivers for windows should follow the same spec and thus it _should_ work on windows. it is more tied to pcsc than it is tied to pure ccid)
</p>
<h2>Known and tested pinpad readers</h2>
<p>
Please feel free to add your hardware and experiences here.
</p>
<p>
Class 2 readers have a pinpad for secure pin entry. Sometimes they are plugged between computer and keyboard so they use the keyboard for pin entry but capture the keystrokes before they reach the computer.
</p>
<p>
Class 3 readers have pinpad and a display.
</p>
<table class="wiki">
<tr><td rowspan="1" colspan="1"> <strong>Reader</strong> </td><td rowspan="1" colspan="1"> <strong>OS</strong> </td><td rowspan="1" colspan="1"> <strong>Type</strong> </td><td rowspan="1" colspan="1"> <strong>CT-API library</strong> </td><td rowspan="1" colspan="1"> <strong>Comments </strong>
</td></tr><tr><td rowspan="1" colspan="1"> SCM STR 391 "CashMouse" </td><td rowspan="1" colspan="1"> Win32 </td><td rowspan="1" colspan="1"> Class 3 USB </td><td rowspan="1" colspan="1"> CTRSRW32.dll </td><td rowspan="1" colspan="1"> Works fine with Win32, no Unix support planned
</td></tr><tr><td rowspan="1" colspan="1"> Cherry G83-6700 Smartboard </td><td rowspan="1" colspan="1"> Win32 </td><td rowspan="1" colspan="1"> Class 2 PS/2 </td><td rowspan="1" colspan="1"> CTMGR.DLL </td><td rowspan="1" colspan="1"> A keyboard integrated reader which uses the keyboard for pin entry. Buggy CT-API driver, I got it working but not without patching OpenCT. No known Unix support
</td></tr><tr><td rowspan="1" colspan="1"> Reiner SCT cyberJack pinpad </td><td rowspan="1" colspan="1"> Win32 </td><td rowspan="1" colspan="1"> Class 2 USB </td><td rowspan="1" colspan="1"> CTRSCT32.DLL </td><td rowspan="1" colspan="1"> According to the manufacturer's website it should also run on Linux, but I haven't managed it.
</td></tr><tr><td rowspan="1" colspan="1"> Reiner SCT cyberJack keyboard </td><td rowspan="1" colspan="1"> Win32 </td><td rowspan="1" colspan="1"> Class 2 PS/2 </td><td rowspan="1" colspan="1"> CTRSCT32.DLL </td><td rowspan="1" colspan="1"> A cheap class 2 solution. It uses the keyboard for pin entry. No known Unix support.
</td></tr><tr><td rowspan="1" colspan="1"> SCM SPR 332, 532 "Chipdrive Pinpad" </td><td rowspan="1" colspan="1"> Win32 </td><td rowspan="1" colspan="1"> Class 2 USB </td><td rowspan="1" colspan="1"> CTPCSC32.dll </td><td rowspan="1" colspan="1"> A widely used CCID compliant reader. I also got it working on Linux following Martin's CardReaders/SPR532 suggestions
</td></tr></table>
<p>
Kobil and OmniKey also offer pinpad readers, if someone could test one of those with OpenSC feedback would be appreceated.
</p>
</div>
</div><div class="footer"><hr></hr><p><a href="index.html">Back to Index</a></p></div></body></html>
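Review bot: in the reader table, the Cherry G83-6700 row says it worked "not without patching OpenCT" but names neither the patch nor the versions involved, so the result cannot be reproduced. Link the patch or ticket and add the OpenSC and driver versions, as the RecentTestresults tables do. The parenthetical "(martin: ...)" in the third paragraph qualifies the CCID statement in the sentence before it; fold it into the text as a correction rather than shipping an inline wiki comment in a doc snapshot.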

251
doc/PuTTYcard.html Normal file
@ -0,0 +1,251 @@
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:html="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>PuTTYcard - OpenSC - Trac</title><style type="text/css">
@import url(trac.css);
</style></head><body><div class="wikipage">
<div id="searchable"><h2>PuTTYcard</h2>
<p>
PuTTYcard is an extension to PuTTY, the free SSH-client
from Simon Tatham. With this extension PuTTY can use
RSA-keys from external devices, ie. smart cards, usb-tokens.
</p>
<p>
If pageant is called with one argument, it will interpret
this argument as the name of a key-file. Pageant will then
load this ppk-file into its keylist, or if another instance of
Pageant is already running into the keylist of that instance.
</p>
<p>
The pageant-version from PuTTYcard-0.58-V1.2.zip (can be downloaded
from OpenSCs contrib area) will do exactly the same thing
with one exception. If the first line of the ppk-file
has the form:
</p>
<pre class="wiki" xml:space="preserve">PuTTYcard,&lt;path to DLL&gt;,&lt;arguments for the DLL&gt;
</pre><p>
then Pageant will NOT read the key from the ppk-file. Instead
it loads the DLL and calls a function from that DLL passing
the arguments from the ppk-file to this function.
</p>
<p>
The function may then fetch a public RSA key from any
source. Possbile choices are: files, smart cards, PKCS11
libraries, Cryptographic Service Providers, etc.
</p>
<p>
PuTTYcard-0.58-V1.2.zip contains PuTTYiso7816.dll. This
DLL will load an RSA key from any ISO-7816-8 compatible
smart card. PuTTYiso7816 need additional information
from the ppk-file, namely the location of the RSA key
on your specific smartcard.
</p>
<p>
This information is given as 4 hexadecimal numbers, i.e.
your ppk-file should look like
</p>
<pre class="wiki" xml:space="preserve">PuTTYcard,PuTTYiso7816.dll,&lt;path&gt;,AA,BB,CCCC
</pre><p>
&lt;path&gt; is the DF on your smart card that contains the RSA-key.
This must be specified as a 4,8,12 or 16digit hexadecimal
number. Do NOT prefix the path with 3F00.
AA is the key-reference of the private key, BB is the
pin-reference of the pin that protects your private key.
CCCC is the ID of a file on your card that contains your
public key. This file must either contain the public key
as two ASN1-encoded records or it must be a certificate file
from which the pulic key will be extracted.
</p>
<h3>How do I find the above mentiones numbers?</h3>
<p>
One of the first actions of PuTTYcard
is to change its working DF to the DF given by the
<strong>&lt;path&gt;</strong>-argument. The remaining information
(private and public key, PIN and maybe a certificate)
will then be read from that DF. Try <strong>pkcs15-tool -k</strong>
to list all of your keys and that should give you the
information you need.
</p>
<p>
Here's the output for my Netkey E4 card:
</p>
<pre class="wiki" xml:space="preserve">$ pkcs15-tool -k
Private RSA Key [Signatur-Schlüssel]
Com. Flags : 1
Usage : [0x204], sign, nonRepudiation
Access Flags: [0x1D], sensitive, alwaysSensitive, neverExtract, local
ModLength : 1024
Key ref : 128
Native : yes
Path : DF015331
Auth ID : 04
ID : 01
Private RSA Key [Authentifizierungs-Schlüssel]
Com. Flags : 1
Usage : [0x207], encrypt, decrypt, sign, nonRepudiation
Access Flags: [0x1D], sensitive, alwaysSensitive, neverExtract, local
ModLength : 1024
Key ref : 130
Native : yes
Path : DF015371
Auth ID : 04
ID : 02
Private RSA Key [Verschlüsselungs-Schlüssel]
Com. Flags : 1
Usage : [0x207], encrypt, decrypt, sign, nonRepudiation
Access Flags: [0x1D], sensitive, alwaysSensitive, neverExtract, local
ModLength : 1024
Key ref : 129
Native : yes
Path : DF0153B1
Auth ID : 03
ID : 03
</pre><p>
This card has three keys all of which are stored in DF <strong>DF01</strong>.
This is your &lt;path&gt;-value. Do not include the last component of the
path from the <strong>pkcs15-tool</strong>-output as this is the ID of the
private key itself.
</p>
<p>
The next information you need is the key reference. This value
is included as a decimal number in the above output (ie. 128, 130 and 129).
This value must be converted to a 2-digit hexadcimal number. Let's
use the second key, so your AA-value is 82.
</p>
<p>
Your private key is protected by a PIN and the <strong>pkcs15-tool -k</strong>-output
contains the Auth-ID of this PIN. Here it is 04. This is not
your PIN-reference. Use <strong>pkcs15-tool --list-pins</strong> to list all
your PINs and use the PIN-reference of the PIN that has the same Id
as the Auth-Id of your key.
</p>
<pre class="wiki" xml:space="preserve">$ pkcs15-tool --list-pins
PIN [globale PIN]
Com. Flags: 0x3
ID : 01
Flags : [0x51], case-sensitive, initialized, unblockingPin
Length : min_len:6, max_len:16, stored_len:16
Pad char : 0x00
Reference : 0
Type : ascii-numeric
Path : 5000
Tries left: 3
PIN [globale PUK]
Com. Flags: 0x3
ID : 02
Flags : [0xD1], case-sensitive, initialized, unblockingPin, soPin
Length : min_len:8, max_len:16, stored_len:16
Pad char : 0x00
Reference : 1
Type : ascii-numeric
Path : 5001
Tries left: 3
PIN [lokale PIN0]
Com. Flags: 0x3
ID : 03
Flags : [0x13], case-sensitive, local, initialized
Length : min_len:6, max_len:16, stored_len:16
Pad char : 0x00
Reference : 128
Type : ascii-numeric
Path : DF015080
Tries left: 3
PIN [lokale PIN1]
Com. Flags: 0x3
ID : 04
Flags : [0xD3], case-sensitive, local, initialized, unblockingPin, soPin
Length : min_len:6, max_len:16, stored_len:16
Pad char : 0x00
Reference : 129
Type : ascii-numeric
Path : DF015081
Tries left: 3
</pre><p>
Again the PIN-reference is given in decimal (here it is 129) and must be
converted to a 2-digit hexdecimal number, namely 81. This is
your BB-value.
</p>
<p>
Finally you need the file-ID of the public key or a certificate file
from which he public key could be extracted.
</p>
<p>
So either use <strong>pkcs15-tool --list-public-keys</strong> or
<strong>pkcs15-tool -c</strong>. With my Netkey card <strong>pkcs15-tool --list-public-keys</strong>
does not show any keys. This is because my Netkey card
contains the public key, but it cannot be used for cryptographic
operations. From other sources (ie. card doku) I know that
the public key is stored in file DF01:4571, so one possible
CCCC-value is 4571.
</p>
<p>
If I list all my certificates I get:
</p>
<pre class="wiki" xml:space="preserve">$ pkcs15-tool -c
X.509 Certificate [Telesec Signatur Zertifikat]
Flags : 0
Authority: no
Path : DF01C000
ID : 01
X.509 Certificate [User Signatur Zertifikat 1]
Flags : 2
Authority: no
Path : DF014331
ID : 01
X.509 Certificate [User Signatur Zertifikat 2]
Flags : 2
Authority: no
Path : DF014332
ID : 01
X.509 Certificate [Telesec Authentifizierungs Zertifikat]
Flags : 0
Authority: no
Path : DF01C100
ID : 02
X.509 Certificate [User Authentifizierungs Zertifikat 1]
Flags : 2
Authority: no
Path : DF014371
ID : 02
X.509 Certificate [Telesec Verschlüsselungs Zertifikat]
Flags : 0
Authority: no
Path : DF01C200
ID : 03
X.509 Certificate [User Verschlüsselungs Zertifikat 1]
Flags : 2
Authority: no
Path : DF0143B1
ID : 03
</pre><p>
A certificate contains the right public key, if it has the
same ID as the private key (here 02). My card has two such
certificates namely DF01:C100 and DF01:4371 so two other
possible CCCC-values are C100 and 4371
</p>
<p>
On a Netkey card a private key may be protected by more than
one PIN. So instead of PIN-reference 81 (which references
local PIN1) I may alternatively use PIN-reference 00 (which
references global PIN0)
</p>
<p>
So all of the following six lines will work:
</p>
<pre class="wiki" xml:space="preserve">PuTTYcard,PuTTYiso7816.dll,DF01,82,81,4571
PuTTYcard,PuTTYiso7816.dll,DF01,82,81,C100
PuTTYcard,PuTTYiso7816.dll,DF01,82,81,4371
PuTTYcard,PuTTYiso7816.dll,DF01,82,00,4571
PuTTYcard,PuTTYiso7816.dll,DF01,82,00,C100
PuTTYcard,PuTTYiso7816.dll,DF01,82,00,4371
</pre></div>
</div><div class="footer"><hr></hr><p><a href="index.html">Back to Index</a></p></div></body></html>
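Review bot: the description of the special ppk first line (the "PuTTYcard, path to DLL, arguments" form) turns a key file into an instruction for Pageant to load and call a DLL, but the page never says how a bare name such as PuTTYiso7816.dll in the examples is resolved, or that such a file must come from a trusted location. State the lookup rule (or require an absolute path) and tell users to handle these ppk-files like executables. Separately, the closing paragraph calls PIN-reference 00 "global PIN0", while the --list-pins output labels Reference 0 as "globale PIN" and uses PIN0/PIN1 only for the local PINs; align the names.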

10
doc/README Normal file
@ -0,0 +1,10 @@
This directory contains a snapshot of the OpenCT Wiki
=====================================================
The original wiki page is at http://www.opensc.org/openct/
and includes a bug tracker and source browser.
The wiki was transformed to html using the export-wiki shell
script and xsl style sheet. The original version is at
http://www.twdata.org/trac-howto/
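Review bot: the README's heading and URL describe this directory as a snapshot of the OpenCT wiki (http://www.opensc.org/openct/), yet every page added alongside it is titled "... - OpenSC - Trac". This looks copied from the OpenCT tree; change the name and URL to the OpenSC wiki. Also, "The original version is at http://www.twdata.org/trac-howto/" reads as if it refers to the wiki; say that it is the origin of the export script and style sheet.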

31
doc/RainbowIkeyThree.html Normal file
@ -0,0 +1,31 @@
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:html="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>RainbowIkeyThree - OpenSC - Trac</title><style type="text/css">
@import url(trac.css);
</style></head><body><div class="wikipage">
<div id="searchable"><h1>Rainbow iKey 3000</h1>
<p>
<a class="ext-link" title="http://www.rainbow.com/" href="http://www.rainbow.com/" shape="rect">Rainbow</a> offers the iKey 300, an USB crypto token with 32k memory
and support for RSA keys up to 1024bit key length.
</p>
<p>
The iKey 3000 is fully supported by OpenSC and is well tested.
</p>
<p>
The smart card inside is a starcos card by Gieseke and Devrient.
</p>
<p>
One minor feature of Starcos is that a pin can only be unblocked if it is blocked. For this reason the regression test pin0002 fails, but this is a harmless and known issue, so please ignore.
</p>
<p>
Rainbow iKey 3000 is bundled with <a class="missing" href="/opensc/wiki/StarSign" shape="rect">StarSign?</a> software by A.E.T. which follows the PKCS#15 standard. Thus key
can be initialized with either OpenSC or <a class="missing" href="/opensc/wiki/StarSign" shape="rect">StarSign?</a> and will work with both.
</p>
<p>
Documentation for the Starcos Smartcard is available to the public. Send those nice folks at G&amp;D an email
and they will send you the latest manual.
</p>
<p>
<a class="ext-link" title="http://www.cyprotect.com/" href="http://www.cyprotect.com/" shape="rect">Cyprotect</a> sells Rainbow iKey 3000 tokens at 68 Euro per piece.
</p>
</div>
</div><div class="footer"><hr></hr><p><a href="index.html">Back to Index</a></p></div></body></html>
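Review bot: the first paragraph says Rainbow "offers the iKey 300" while the heading and every other mention say iKey 3000; fix the model number. The vendor is also misspelled as "Gieseke and Devrient" (Giesecke &amp; Devrient, abbreviated G&amp;D further down). The pin0002 explanation here ("a pin can only be unblocked if it is blocked") is worded differently from the one in RecentTestresults.html; use one explanation in both places.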

232
doc/RecentTestresults.html Normal file
@ -0,0 +1,232 @@
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:html="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>RecentTestresults - OpenSC - Trac</title><style type="text/css">
@import url(trac.css);
</style></head><body><div class="wikipage">
<div id="searchable"><h1>Recent test results for various smart cards</h1>
<p>
Providing test results is a bit difficult, since a test includes
</p>
<ul><li>OpenSC (Version)
</li><li>Smart card (Name, Variant, blank or pre-initialized)
</li><li>Operating Sytem (Name, Version, Architecture)
</li><li>Smart card reader (Name, Modell, Firmware version)
</li><li>Software for the smart card reader driver (Name of the driver, version)
</li><li>Middleware (PC/SC-Lite? Version? Configuration?)
</li><li>opensc.conf configuration
</li></ul><p>
And of course the features that were tested. Here is a list:
</p>
<ul><li>src/test/regression test suite, run-all script.
</li><li>pkcs15-init (manual init, keygen, certificate store, cert+key store)
</li><li>pkcs11-tool (manual, "pkcs11-tool --test --login")
</li><li>openssl command line tool with opensc engine
</li><li>openssl command line tool with pkcs11 engine
</li><li>firefox with pkcs11 module (https authentication with a client certificate and key)
</li><li>thunderbird with pkcs11 module (email signing and decryption)
</li><li>mozilla with the same tests as firefox and thunderbird
</li><li>netscape with the same tests as firefox and thunderbird
</li><li>key generation and certificate store via some web site (e.g. thawte community)
</li><li>openssh with smart card authentication (or putty on windows)
</li><li>openssh agent with smart card authentication (or pageant on windows)
</li><li>login with pam module (with local .eid/authorized_certificates)
</li><li>login with pam module (with the certificate in an ldap server)
</li><li>free/open/stronswan vpn with x.509 certificate authentication using a smart card
</li><li>accessing a wireless lan protected with wpa, 802.1x, eap-tls using the wpa_supplicant, with a smart card
</li><li>testing the Identity Alliance CSP on windows with the opensc-pkcs11.dll: using internet explorer for client certificate authentication at some website.
</li><li>testing the Identity Alliance CSP on windows with the opensc-pkcs11.dll: using outlook to sign and decrypt emails.
</li><li>testing CSP <a href="/opensc/ticket/11" title="CLOSED : gcc4 build failure" shape="rect"><del>#11</del></a> on windows with the opensc-pkcs11.dll: using internet explorer for client certificate authentication at some website
</li><li>testing CSP <a href="/opensc/ticket/11" title="CLOSED : gcc4 build failure" shape="rect"><del>#11</del></a> on windows with the opensc-pkcs11.dll: using outlook to sign an decrypt emails.
</li></ul><p>
We can't test all combinations of OpenSC, card, Reader, driver software with all features.
</p>
<p>
So the basic regression tests (or pkcs11-tool for pre-initialized cards) is done with as many cards
as possible on at least one plattform. Once we know the cards work with OpenSC on this plattform, the next test is
to test as many features as possible on many plattforms, but it is ok to test only with a few or only once card.
</p>
<p>
Which cards passed the src/test/regression/run-all test suite?
</p>
<div class="document">
<table border="1" class="docutils">
<colgroup span="1">
<col width="19%" span="1"></col>
<col width="6%" span="1"></col>
<col width="11%" span="1"></col>
<col width="19%" span="1"></col>
<col width="15%" span="1"></col>
<col width="8%" span="1"></col>
<col width="22%" span="1"></col>
</colgroup>
<tbody valign="top">
<tr><td rowspan="1" colspan="1">Card Name</td>
<td rowspan="1" colspan="1">OpenSC</td>
<td rowspan="1" colspan="1">Date</td>
<td rowspan="1" colspan="1">Reader</td>
<td rowspan="1" colspan="1">Reader driver</td>
<td rowspan="1" colspan="1">Result</td>
<td rowspan="1" colspan="1">Tester</td>
</tr>
<tr><td rowspan="1" colspan="1">Aladdin eToken PRO</td>
<td rowspan="1" colspan="1">0.9.5</td>
<td rowspan="1" colspan="1">2005-01-13</td>
<td rowspan="1" colspan="1">Aladdin eToken PRO</td>
<td rowspan="1" colspan="1">OpenCT 0.6.3</td>
<td rowspan="1" colspan="1">All ok.</td>
<td rowspan="1" colspan="1">Andreas Jellinghaus</td>
</tr>
<tr><td rowspan="1" colspan="1">Cryptoflex 32k</td>
<td rowspan="1" colspan="1">0.9.5</td>
<td rowspan="1" colspan="1">2005-01-13</td>
<td rowspan="1" colspan="1">eGate Token</td>
<td rowspan="1" colspan="1">OpenCT 0.6.3</td>
<td rowspan="1" colspan="1">All ok.</td>
<td rowspan="1" colspan="1">Andreas Jellinghaus</td>
</tr>
<tr><td rowspan="1" colspan="1">Rainbow iKey 3000</td>
<td rowspan="1" colspan="1">0.9.5</td>
<td rowspan="1" colspan="1">2005-01-13</td>
<td rowspan="1" colspan="1">Rainbow iKey 3000</td>
<td rowspan="1" colspan="1">OpenCT 0.6.3</td>
<td rowspan="1" colspan="1">All ok.</td>
<td rowspan="1" colspan="1">Andreas Jellinghaus</td>
</tr>
</tbody>
</table>
</div><p>
Note that Rainbow iKey 3000 has a Starcos SPK 2.3 operating system, and thus the pin0002 test will
fail, but this is ok as the Starcos SPK 2.3 implementation of the ISO 7816 RESET RETRY COUNTER command
is not ISO compliant.
</p>
<p>
Which cards passed the "pkcs11-tool --test --login" test? (Only for pre-initialized cards)
</p>
<div class="document">
<table border="1" class="docutils">
<colgroup span="1">
<col width="19%" span="1"></col>
<col width="6%" span="1"></col>
<col width="11%" span="1"></col>
<col width="19%" span="1"></col>
<col width="15%" span="1"></col>
<col width="8%" span="1"></col>
<col width="22%" span="1"></col>
</colgroup>
<tbody valign="top">
<tr><td rowspan="1" colspan="1">Card Name</td>
<td rowspan="1" colspan="1">OpenSC</td>
<td rowspan="1" colspan="1">Date</td>
<td rowspan="1" colspan="1">Reader</td>
<td rowspan="1" colspan="1">Reader driver</td>
<td rowspan="1" colspan="1">Result</td>
<td rowspan="1" colspan="1">Tester</td>
</tr>
<tr><td rowspan="1" colspan="1">Signtrust TCOS</td>
<td rowspan="1" colspan="1">0.9.5</td>
<td rowspan="1" colspan="1">2005-03-04</td>
<td rowspan="1" colspan="1">Towitoko Serial</td>
<td rowspan="1" colspan="1">OpenCT 0.6.3</td>
<td rowspan="1" colspan="1">???</td>
<td rowspan="1" colspan="1">Andreas Jellinghaus</td>
</tr>
</tbody>
</table>
</div><p>
Which operating system works fine with OpenSC? Add one line for every feature that works or not.
</p>
<div class="document">
<table border="1" class="docutils">
<colgroup span="1">
<col width="18%" span="1"></col>
<col width="12%" span="1"></col>
<col width="18%" span="1"></col>
<col width="13%" span="1"></col>
<col width="11%" span="1"></col>
<col width="10%" span="1"></col>
<col width="18%" span="1"></col>
</colgroup>
<tbody valign="top">
<tr><td rowspan="1" colspan="1">Operating System</td>
<td rowspan="1" colspan="1">Version</td>
<td rowspan="1" colspan="1">Architecture</td>
<td rowspan="1" colspan="1">OpenSC</td>
<td rowspan="1" colspan="1">Feature</td>
<td rowspan="1" colspan="1">Result</td>
<td rowspan="1" colspan="1">Tester</td>
</tr>
<tr><td rowspan="1" colspan="1">Windows XP</td>
<td rowspan="1" colspan="1">PRO SP2</td>
<td rowspan="1" colspan="1">i386</td>
<td rowspan="1" colspan="1">0.9.5+winfixes</td>
<td rowspan="1" colspan="1">pkcs15-init</td>
<td rowspan="1" colspan="1">All ok.</td>
<td rowspan="1" colspan="1">Andreas Jellinghaus</td>
</tr>
<tr><td rowspan="1" colspan="1">Windows XP</td>
<td rowspan="1" colspan="1">PRO SP2</td>
<td rowspan="1" colspan="1">i386</td>
<td rowspan="1" colspan="1">0.9.5+winfixes</td>
<td rowspan="1" colspan="1">pkcs11-tool</td>
<td rowspan="1" colspan="1">All ok.</td>
<td rowspan="1" colspan="1">Andreas Jellinghaus</td>
</tr>
<tr><td rowspan="1" colspan="1">Windows XP</td>
<td rowspan="1" colspan="1">PRO SP2</td>
<td rowspan="1" colspan="1">i386</td>
<td rowspan="1" colspan="1">0.9.5+winfixes</td>
<td rowspan="1" colspan="1">putty</td>
<td rowspan="1" colspan="1">All ok.</td>
<td rowspan="1" colspan="1">Andreas Jellinghaus</td>
</tr>
<tr><td rowspan="1" colspan="1">Windows XP</td>
<td rowspan="1" colspan="1">PRO SP2</td>
<td rowspan="1" colspan="1">i386</td>
<td rowspan="1" colspan="1">0.9.5+winfixes</td>
<td rowspan="1" colspan="1">firefox</td>
<td rowspan="1" colspan="1">Crashes.</td>
<td rowspan="1" colspan="1">Andreas Jellinghaus</td>
</tr>
<tr><td rowspan="1" colspan="1">Debian GNU/Linux</td>
<td rowspan="1" colspan="1">Sarge</td>
<td rowspan="1" colspan="1">i386</td>
<td rowspan="1" colspan="1">0.9.5</td>
<td rowspan="1" colspan="1">pkcs15-init</td>
<td rowspan="1" colspan="1">All ok.</td>
<td rowspan="1" colspan="1">Andreas Jellinghaus</td>
</tr>
<tr><td rowspan="1" colspan="1">Debian GNU/Linux</td>
<td rowspan="1" colspan="1">Sarge</td>
<td rowspan="1" colspan="1">i386</td>
<td rowspan="1" colspan="1">0.9.5</td>
<td rowspan="1" colspan="1">pkcs15-init</td>
<td rowspan="1" colspan="1">All ok.</td>
<td rowspan="1" colspan="1">Andreas Jellinghaus</td>
</tr>
<tr><td rowspan="1" colspan="1">Debian GNU/Linux</td>
<td rowspan="1" colspan="1">Sarge</td>
<td rowspan="1" colspan="1">i386</td>
<td rowspan="1" colspan="1">0.9.5</td>
<td rowspan="1" colspan="1">pkcs15-init</td>
<td rowspan="1" colspan="1">All ok.</td>
<td rowspan="1" colspan="1">Andreas Jellinghaus</td>
</tr>
<tr><td rowspan="1" colspan="1">Debian GNU/Linux</td>
<td rowspan="1" colspan="1">Sarge</td>
<td rowspan="1" colspan="1">i386</td>
<td rowspan="1" colspan="1">0.9.5</td>
<td rowspan="1" colspan="1">pkcs15-init</td>
<td rowspan="1" colspan="1">All ok.</td>
<td rowspan="1" colspan="1">Andreas Jellinghaus</td>
</tr>
</tbody>
</table>
</div><p>
After you have tested some hardware, please let us know by adding a line.
If something does not work as expected, please also open a new ticket
with a detailed bug report.
</p>
<p>
Note: adding your name as tester is optional. I think it might be nice so one can ask more details if necessary.
</p>
</div>
</div><div class="footer"><hr></hr><p><a href="index.html">Back to Index</a></p></div></body></html>
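Review bot: in the operating-system table the four Debian GNU/Linux Sarge rows are identical, each listing pkcs15-init with "All ok.", where the Windows XP block above them lists four different features (pkcs15-init, pkcs11-tool, putty, firefox). Replace the copies with the features actually tested or collapse them into one row. In the feature list, "CSP #11" has been auto-linked by Trac to ticket 11 ("gcc4 build failure"), which is unrelated, and the Signtrust TCOS row records its result as "???"; escape the "#11" and either fill in the result or drop the row.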

36
doc/ReleaseHowto.html Normal file
@ -0,0 +1,36 @@
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:html="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>ReleaseHowto - OpenSC - Trac</title><style type="text/css">
@import url(trac.css);
</style></head><body><div class="wikipage">
<div id="searchable"><h1>OpenSC Release Howto</h1>
<p>
Announcement
</p>
<ul><li>Write announcement. Write short version (600 bytes) for freshmeat.
</li><li>find someone to proofread announcement
</li></ul><p>
The OpenSC version must be updated in these files:
</p>
<ul><li>configure.in
</li><li>win32/version.rc
</li><li>src/include/winversion.h
</li><li>docs/doxygen.conf
</li></ul><p>
The News file needs to be edited: put in Name and Date.
</p>
<p>
The library version must be updated in these files:
</p>
<ul><li>configure.in
</li><li>src/pkcs11/pkcs11-global.c
</li></ul><p>
Announce:
</p>
<ul><li>change LATEST file in svn/web/trunk
</li><li>add file to svn/web/trunk/news/
</li><li>via mail to opensc-announce,users,devel
</li><li>update freshmeat entry
</li><li>(root@opensc): trac-admin /home/trac/opensc version add 0.X.Y
</li><li>(root@opensc): edit /home/trac/opensc/conf/trac.ini change default_version
</li></ul></div>
</div><div class="footer"><hr></hr><p><a href="index.html">Back to Index</a></p></div></body></html>
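Review bot: the checklist goes from bumping version numbers straight to "Announce:" with no step that tags the release in svn or builds and uploads the tarball, so the order of operations is left to memory. Add those steps; for a security library a checksum or signature step for the tarball would fit here as well. configure.in appears in both the "OpenSC version" and the "library version" lists; name the variable to change in each case.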

@ -0,0 +1,75 @@
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:html="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>ReplacingCertificates - OpenSC - Trac</title><style type="text/css">
@import url(trac.css);
</style></head><body><div class="wikipage">
<div id="searchable"><h1>Replacing a certificate on a card</h1>
<p>
Unfortunatly not all cards allow to replace a certificate with a new one.
Here is a small HOWTO for Aladdin eToken PRO (should work with any cardos card).
</p>
<p>
1. Create a new certificate. If it's a self signed certificate, don't forget to add the -days attribute, else you'll have to do this process very often.
</p>
<p>
2. If you have the certificate PEM encoded (this is very likely if you use the default settings of openssl) then convert it to DER encoded:
</p>
<pre class="wiki" xml:space="preserve">$ openssl x509 -in mycert.pem -outform DER -out mycert.der
</pre><p>
3. Now get the path of the certificate:
</p>
<pre class="wiki" xml:space="preserve"> $ pkcs15-tool -c
X.509 Certificate [Certificate]
Flags : 2
Authority: no
Path : 3F0050154301
ID : 45
</pre><p>
The path here is: 3F0050154301
</p>
<p>
4. open up opensc-explorer
</p>
<pre class="wiki" xml:space="preserve">OpenSC &gt; cd 5015
</pre><p>
5. present the valid key for the certificate file, usually the normal pin. You can get info about wich pin to use by executing:
</p>
<pre class="wiki" xml:space="preserve">OpenSC &gt; info [EF]
</pre><p>
where [EF] is the name of the cert EF (in the above example 4301)
</p>
<p>
You'll need the key in hexadecimal format, an example how to convert it:
</p>
<pre class="wiki" xml:space="preserve"> $ export HISTFILE=
$ php -r 'echo bin2hex("pssword")."\n";'
707373776f7264
</pre><p>
You'll have to add the colons manually. If your password is shorter than 8 characters, fill it up with 00-s. So with the above example you enter at the opensc-explorer:
</p>
<pre class="wiki" xml:space="preserve">OpenSC &gt; verify CHV3 70:73:73:77:6f:72:64:00
</pre><p>
Code correct.
</p>
<p>
6. Now you can load the data from the DER encoded file into the EF on the card:
</p>
<pre class="wiki" xml:space="preserve">OpenSC &gt; put 4301 mycert.der
</pre><p>
If you get no errors, then you're done.
</p>
<p>
Remarks:
</p>
<ul><li>This isn't the preferred way for everyday users to replace the certificates. Maybe this isn't even for the user's mailing list, but I couldn't find any description how to solve this dangerous yet very urging problem.
</li></ul><ul><li>This may not work on some cards.
</li></ul><ul><li>Since the key isn't changed, after replacing the old certificate you
</li></ul><p>
_won't_ need to replace your .eid/authorized_certificates, or .ssh/authorized_keys files.
</p>
<ul><li>I had to delete the contents of the .eid/cache/ directory for Mozilla to see the new certificate correctly.
</li></ul><p>
Thanks to Attila Nagy for this information.
</p>
</div>
</div><div class="footer"><hr></hr><p><a href="index.html">Back to Index</a></p></div></body></html>
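Review bot: step 5 converts the PIN with php -r 'echo bin2hex("pssword")...' after "export HISTFILE=", which keeps the PIN out of shell history but still puts it on the php command line, where it is visible in the process list while the command runs. Suggest reading the PIN from stdin or converting it by hand instead. The verify example also hard-codes CHV3 although the text says "info [EF]" tells you which PIN to present; say how to map that output to the CHV number. In the Remarks, the third bullet is cut in two: the sentence starts inside the list item and finishes in a separate paragraph ("_won't_ need to replace ...").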

24
doc/RoadMap.html Normal file
@ -0,0 +1,24 @@
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:html="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>RoadMap - OpenSC - Trac</title><style type="text/css">
@import url(trac.css);
</style></head><body><div class="wikipage">
<div id="searchable"><h1>Roadmap for OpenSC</h1>
<p>
This page should be a place for discussions about future developments of OpenSC in free form untill something clear comes out so that a reference to the Roadmap module and an exact ticket can be made. Issues not directly concerning OpenSC go here too. Feel free to add comments (also state your name in parentheses after your comment!) and ideas for others to digest. This way the targets can be analysed, grouped etc. <a href="DesignDiscussion.html" shape="rect">DesignDiscussion</a> complements this page.
</p>
<hr></hr>
<p>
Some assumptions/facts by martin:
</p>
<ul><li>There are two main card oriented interests in OpenSC
<ol><li>Pure pkcs15
</li><li>Everything else - mostly read-only, (pkcs15 emulation) <a class="missing" href="/opensc/wiki/NationalIdCards" shape="rect">NationalIdCards?</a>
</li></ol></li><li>Whataver the case - most used component is pkcs11 module
</li><li>Though there are several different <a class="missing" href="/opensc/wiki/SmartCards" shape="rect">SmartCards?</a> popping into the wallets of people lately - the biggest userbase will be (is?) <a class="missing" href="/opensc/wiki/NationalIdCards" shape="rect">NationalIdCards?</a> owners
</li></ul><p>
Based on those assumptions, I'd suggest to focus the efforts on these aspects:
</p>
<ul><li>Improve, test (upgrade to pkcs11 v2.20?) the pkcs11 implementation. Who wins: most users. For 'normal people' and majority of applications this is the only useful interface to the library.
</li><li>Improve security - secure pin operations, <a class="missing" href="/opensc/wiki/UserConsent" shape="rect">UserConsent?</a> style issues (CKA_ALWAYS_AUTHENTICATE flag in pkcs11 v2.20) etc. Who wins: everybody, especially <a class="missing" href="/opensc/wiki/DigitalSignature" shape="rect">DigitalSignature?</a> functionality users of various <a class="missing" href="/opensc/wiki/NationalIdCards" shape="rect">NationalIdCards?</a>. After we have pretty solid support for different cards and different usages, it is about time to focus on security - one reason smartcards exist in the first place.
</li></ul></div>
</div><div class="footer"><hr></hr><p><a href="index.html">Back to Index</a></p></div></body></html>
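Review bot: the links to NationalIdCards, SmartCards, UserConsent and DigitalSignature are exported as class="missing" anchors pointing at /opensc/wiki/..., with the Trac "?" suffix left in the visible text. In a static snapshot under doc/ those hrefs resolve nowhere; have the export style sheet turn missing-page links into plain text. The same applies to the StarSign links in RainbowIkeyThree.html.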

@ -0,0 +1,28 @@
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:html="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>SchlumbergerEgate - OpenSC - Trac</title><style type="text/css">
@import url(trac.css);
</style></head><body><div class="wikipage">
<div id="searchable"><h1>Schlumberger / Axalto e-gate</h1>
<p>
<a class="ext-link" title="http://www.scmegastore.com/" href="http://www.scmegastore.com/" shape="rect">Schlumberger/Axalto</a> offers the e-gate adapter, an USB adapter for Schlumberger / Axalto
Cryptoflex and Cyberflex cards.
</p>
<p>
The combination of Cryptoflex egate 32k with plug and e-gate token adapter is very well tested and works perfectly.
</p>
<p>
The Cyberflex 32k is currently not supported - you would need a javacard applet first and then OpenSC support for that applet.
</p>
<p>
Documentation for Cryptoflex cards are available for public download at [<a class="ext-link" title="http://www.cryptoflex.com/" href="http://www.cryptoflex.com/" shape="rect">http://www.cryptoflex.com/</a>].
</p>
<p>
Cards and adapter are directly sold by the manufacturer at [<a class="ext-link" title="http://www.scmegastore.com/" href="http://www.scmegastore.com/" shape="rect">http://www.scmegastore.com/</a>] (cards in packs of 5 only),
five cards and adapters are sold for 150 US$.
</p>
<h2>Test Results</h2>
<p>
Smart card bundle 0.3rc2 works fine on Windows XP (cryptoflex card, pkcs11-tool --test ...)
</p>
</div>
</div><div class="footer"><hr></hr><p><a href="index.html">Back to Index</a></p></div></body></html>
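Review bot: the Test Results entry gives the command as "pkcs11-tool --test ..." and names neither the reader driver nor the date, so it cannot be compared with the rows in RecentTestresults.html. Give the full invocation and versions, or move the result into that table and link to it from here. The price and pack size in the preceding paragraph will go stale in a snapshot; consider leaving them out of the shipped doc.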

@ -0,0 +1,12 @@
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:html="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>SmartCardApplications - OpenSC - Trac</title><style type="text/css">
@import url(trac.css);
</style></head><body><div class="wikipage">
<div id="searchable"><h1>Smart Card Applications</h1>
<p>
OpenSC comes with a bunch of utilities to test, debug and initialize smartcards. In addition to these smart card targeted utilities other applications can be made 'smartcard aware' using:
</p>
<ul><li>OpenSC PKCS#11 module opensc-pkcs11 (or pkcs11-spy if one has to debug PKCS#11 issues). This is the preferred interface.
</li><li>OpenSSL engine - engine_pkcs11 (together with a/the PKCS#11 module) and engine_opensc (deprecated). This can be used in scripts via the openssl utility or existing OpenSSL based applications can be extended to support dynamic openssl engines.
</li></ul></div>
</div><div class="footer"><hr></hr><p><a href="index.html">Back to Index</a></p></div></body></html>

17
doc/SpanishEid.html Normal file

@ -0,0 +1,17 @@
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:html="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>SpanishEid - OpenSC - Trac</title><style type="text/css">
@import url(trac.css);
</style></head><body><div class="wikipage">
<div id="searchable"><h1>Spanish Ceres</h1>
<p>
The spanish ceres cards are using OpenSC for their official software.
</p>
<p>
To use ceres cards however you need to use the official software, which consists of OpenSC and an additional binary only module.
OpenSC is licensed under LGPL license and allowes to do this.
</p>
<p>
More details are available at [<a class="ext-link" title="http://opensc-ceres.software-libre.org/" href="http://opensc-ceres.software-libre.org/" shape="rect">http://opensc-ceres.software-libre.org/</a>].
</p>
</div>
</div><div class="footer"><hr></hr><p><a href="index.html">Back to Index</a></p></div></body></html>


@ -0,0 +1,55 @@
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:html="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>SubversionRepository - OpenSC - Trac</title><style type="text/css">
@import url(trac.css);
</style></head><body><div class="wikipage">
<div id="searchable"><h1>Subversion Repository</h1>
<p>
OpenSC is using subversion as version control system. You can find out more about subversion at
</p>
<ul><li>[<a class="ext-link" title="http://subversion.tigris.org/" href="http://subversion.tigris.org/" shape="rect">http://subversion.tigris.org/</a>] is the official home for subversion.
</li><li>[<a class="ext-link" title="http://svnbook.red-bean.com/" href="http://svnbook.red-bean.com/" shape="rect">http://svnbook.red-bean.com/</a>] has the book "Version Control with Subversion"
</li></ul><p>
In our subversion repository we have
</p>
<ul><li><tt>trunk/</tt> contains the current development code
</li><li><tt>branches/opensc-0.9</tt> contains the 0.9 maintenance branch
</li><li><tt>releases/opensc-0.x.y</tt> contains the opensc 0.x.y release code.
</li></ul><p>
You can checkout these with the subversion commands
</p>
<pre class="wiki" xml:space="preserve">svn co http://www.opensc.org/svn/opensc/trunk/
svn co http://www.opensc.org/svn/opensc/branches/opensc-0.9/
svn co http://www.opensc.org/svn/opensc/releases/opensc-0.9.4/
</pre><p>
Note that the subversion repository only contains development files.
Before compiling the code you need to run the "<tt>./bootstrap</tt>" script
to create many files like "<tt>configure</tt>" and "<tt>Makefile.in</tt>". You need to have
<tt>autoconf</tt>, <tt>automake</tt> and <tt>libtool</tt> installed on your system to do that (see <a href="AutoVersions.html" shape="rect">AutoVersions</a>)
</p>
<p>
Some people have reported problems with some http proxies. If you find some problem,
you can maybe solve it by using https instead. Try to checkout the repository
like this:
</p>
<pre class="wiki" xml:space="preserve">svn co --non-interactive https://www.opensc.org/svn/opensc/trunk/
svn co --non-interactive https://www.opensc.org/svn/opensc/branches/opensc-0.9/
svn co --non-interactive https://www.opensc.org/svn/opensc/opensc-0.9.4/
</pre><h1>Write access for developers</h1>
<p>
Developers with write access usualy access the repository via https with authentication
using ssl client certificates. You might want to put something like this into your
<tt>~/.subversion/server</tt> file to point subversion to your client certificate:
</p>
<pre class="wiki" xml:space="preserve">[groups]
opensc = www.opensc.org
[opensc]
ssl-client-cert-file=/home/aj/.subversion/aj.p12
</pre><p>
You can access the repositories:
</p>
<pre class="wiki" xml:space="preserve">svn co https://www.opensc.org/svn/opensc/trunk/
svn co https://www.opensc.org/svn/opensc/branches/opensc-0.9/
svn co https://www.opensc.org/svn/opensc/opensc-0.9.4/
</pre></div>
</div><div class="footer"><hr></hr><p><a href="index.html">Back to Index</a></p></div></body></html>
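Review bot: The https examples for the release use a different path than the http one: `svn co --non-interactive https://www.opensc.org/svn/opensc/opensc-0.9.4/` (and the same URL in the developer section) drops the `releases/` component that the repository layout list and the http example `.../releases/opensc-0.9.4/` both use, so one of the two forms will not resolve. The client-certificate paragraph also names `~/.subversion/server`; Subversion reads per-host settings such as `ssl-client-cert-file` from `~/.subversion/servers`. Consider replacing the personal path `/home/aj/.subversion/aj.p12` with a placeholder, and listing the https URLs first, since a plain-http checkout gives no transport integrity for the source.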


@ -0,0 +1,37 @@
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:html="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>SupportedHardware - OpenSC - Trac</title><style type="text/css">
@import url(trac.css);
</style></head><body><div class="wikipage">
<div id="searchable"><h1>Supported Hardware</h1>
<p>
There are two flavors of hardware support: The first one is "use-only", it's a bit like read-only:
You can use the keys (if you know the pin), and read the public information from the card, but you
cannot alter it. This kind of support is typical for national ID cards. The second type is the
full support including initializiation. That means you can buy a blank card, then create the
pkcs#15 structures, generate key, store certificates and so on.
</p>
<h2>Read-Only supported cards</h2>
<ul><li>Finnish FINEID (SetCOS)
</li><li>Swedish Posten eID (SetCOS)
</li><li>USB tokens based on CardOS/M4, such as Aladdin eToken PRO, etc.
</li><li>MioCOS 1.1
</li><li>TCOS 2.0
</li><li>Starcos SPK 2.3 (e.g. Rainbow iKey 3000)
</li><li>Micardo 2.1
</li><li>Oberthur AuthentIC
</li><li>OpenPGP 1.0
</li><li>JCOP 31bio
</li><li>Estonian ID card, EstEID (Micardo 2.1)
</li></ul><h2>Fully supported cards</h2>
<ul><li><a class="missing" href="/opensc/wiki/CryptoFlex" shape="rect">CryptoFlex?</a> 8K, 16K
</li><li><a href="GemplusGpk.html" shape="rect">GemplusGpk</a> Gemplus GPK 4K, 8K, 16K
</li><li>CardOS M4.00, M4.01a
</li><li>Starcos SPK 2.3
</li><li>JCOP 31bio
</li><li>MioCOS 1.1
</li></ul><h2>Readers</h2>
<p>
For some supported SmartCard readers have a look at the <a href="PinpadReaders.html" shape="rect">PinpadReaders</a> page.
</p>
</div>
</div><div class="footer"><hr></hr><p><a href="index.html">Back to Index</a></p></div></body></html>
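Review bot: Several entries appear in both lists: Starcos SPK 2.3, JCOP 31bio and MioCOS 1.1 are under "Read-Only supported cards" and again under "Fully supported cards", and CardOS/M4 based tokens are read-only in the first list while "CardOS M4.00, M4.01a" is fully supported in the second. The introduction defines the two flavors as distinct levels, so state per card which level applies, or say explicitly that a card in the second list supersedes its entry in the first. The heading also says "Read-Only" where the introduction calls this mode "use-only", and the CryptoFlex entry is a `class="missing"` link to `/opensc/wiki/CryptoFlex`, which will not resolve from the static snapshot.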

22
doc/SwedishEid.html Normal file

@ -0,0 +1,22 @@
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:html="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>SwedishEid - OpenSC - Trac</title><style type="text/css">
@import url(trac.css);
</style></head><body><div class="wikipage">
<div id="searchable"><h1>Swedish ePosten card</h1>
<p>
The swedish eposten card is supported by OpenSC.
</p>
<p>
It can only be used, not altered.
</p>
<p>
FIXME:Pin changes?
</p>
<p>
FIXME:Did anyone test recently?
</p>
<p>
FIXME:Documentation etc?
</p>
</div>
</div><div class="footer"><hr></hr><p><a href="index.html">Back to Index</a></p></div></body></html>
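Review bot: The three FIXME paragraphs ("Pin changes?", "Did anyone test recently?", "Documentation etc?") ship as reader-facing documentation. The open PIN question sits directly after "It can only be used, not altered", so a reader cannot tell whether a PIN change is possible on this card; either resolve it or mark the page as unverified, and move the remaining open items to a ticket rather than the installed docs.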

16
doc/TaiwanEid.html Normal file

@ -0,0 +1,16 @@
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:html="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>TaiwanEid - OpenSC - Trac</title><style type="text/css">
@import url(trac.css);
</style></head><body><div class="wikipage">
<div id="searchable"><h1>Taiwan</h1>
<p>
<a class="ext-link" title="http://www.gi-de.com/portal/page?_pageid=44,91483&amp;_dad=portal&amp;_schema=PORTAL" href="http://www.gi-de.com/portal/page?_pageid=44,91483&amp;_dad=portal&amp;_schema=PORTAL" shape="rect">Gieseke and Devrient</a> tell us Taiwan is using <a class="missing" href="/opensc/wiki/StarSign" shape="rect">StarSign?</a> based tokens for a nation-wide PKI project.
</p>
<p>
OpenSC supports Starcos, but I don't know what <a class="missing" href="/opensc/wiki/StarSign" shape="rect">StarSign?</a> exactly is and if it will be compatible. If anyone has links to technical documents or news, please add them here.
</p>
<p>
If anyone knows how to contact them (this far no luck) let us know too.
</p>
</div>
</div><div class="footer"><hr></hr><p><a href="index.html">Back to Index</a></p></div></body></html>

81
doc/TelseCos.html Normal file

@ -0,0 +1,81 @@
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:html="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>TelseCos - OpenSC - Trac</title><style type="text/css">
@import url(trac.css);
</style></head><body><div class="wikipage">
<div id="searchable"><h1>NetKey E4 cards</h1>
<p>
<img src="http://www.opensc.org/opensc/attachment/wiki/TelseCos/NetkeyE4-card.jpg?format=raw" alt="http://www.opensc.org/opensc/attachment/wiki/TelseCos/NetkeyE4-card.jpg?format=raw"></img>
</p>
<p>
Telesec is a german company that sells <a class="missing" href="/opensc/wiki/NetKey" shape="rect">NetKey?</a> E4 cards. These cards have a TCOS 2.02 operationg system and an almost PKCS<a href="/opensc/ticket/15" title="NEW : opensc 0.9.6: --with-openssl doesn't work right" shape="rect">#15*</a> compatible file-layout. OpenSC has read-only support for these kind of cards.
</p>
<p>
If OpenSC would fully support TCOS, one could erase the preformatted card and initialize the card with a PKCS<a href="/opensc/ticket/15" title="NEW : opensc 0.9.6: --with-openssl doesn't work right" shape="rect">#15*</a> filesystem. This is not possible right now. You have the same problem, if you own a blank TCOS card.
</p>
<p>
The good news are: With the help of an emulation layer OpenSC can use cards that are almost PKCS<a href="/opensc/ticket/15" title="NEW : opensc 0.9.6: --with-openssl doesn't work right" shape="rect">#15*</a> compatible. For <a class="missing" href="/opensc/wiki/NetKey" shape="rect">NetKey?</a> E4-cards such an emulation layer exists. The emulation cannot store certificates, keys or pins on the card, but you can use whatever is visible through the emulation layer.
</p>
<p>
SignTrust- and German EId-cards are also TCOS based but might have a different layout, so the <a class="missing" href="/opensc/wiki/NetKey" shape="rect">NetKey?</a> E4-emulation might not work with these cards. If you have such a card and are willing to help, please post information on the mailing list. You might also send "opensc-tool -r" output to <a class="ext-link" title="mail:pk_opensc@web.de" href="mail:pk_opensc@web.de" shape="rect">me</a>, maybe I can extend the Netkey-emulation such that other preformatted TCOS cards work as well.
</p>
<h2>NetKey E4 filesystem layout</h2>
<p>
<a class="missing" href="/opensc/wiki/NetKey" shape="rect">NetKey?</a> E4 cards contain different directories with different applications. Only one of these (i.e. directory DF01) is made visible through the <a class="missing" href="/opensc/wiki/NetKey" shape="rect">NetKey?</a> emulation layer. This directory contains 3 private keys, 3 public keys, 3 read only certificates, 6 empty certificate files, 2 local PINs and one signature-counter.
</p>
<pre class="wiki" xml:space="preserve"> pkcs15-tool -c
</pre><p>
will list all certificates. It will not list the empty certificate files. Here's the output for a new <a class="missing" href="/opensc/wiki/NetKey" shape="rect">NetKey?</a> E4 card:
</p>
<pre class="wiki" xml:space="preserve">$ pkcs15-tool -c
X.509 Certificate [Telesec Signatur Zertifikat]
Flags : 0
Authority: no
Path : DF01C000
ID : 01
X.509 Certificate [Telesec Authentifizierungs Zertifikat]
Flags : 0
Authority: no
Path : DF01C100
ID : 02
X.509 Certificate [Telesec Verschlüsselungs Zertifikat]
Flags : 0
Authority: no
Path : DF01C200
ID : 03
</pre><p>
The read-only certificates are signed by a certificate of german Telekom AG and all have the same CN. Here's some output that shows one of them:
</p>
<pre class="wiki" xml:space="preserve">$ pkcs15-tool -r 01 | openssl x509 -noout -text -certopt no_pubkey,no_sigdump
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 13356238 (0xcbccce)
Signature Algorithm: ripemd160WithRSA
Issuer: C=DE, O=Deutsche Telekom AG/0.2.262.1.10.7.20=1, CN=NKS CA 21:PN
Validity
Not Before: Jan 31 08:43:51 2003 GMT
Not After : Jan 31 08:43:51 2006 GMT
Subject: C=DE/0.2.262.1.10.7.20=1, CN=NKS 03 A 02707
X509v3 extensions:
X509v3 Key Usage: critical
Digital Signature, Non Repudiation
</pre><p>
The public-keys are record-based transparent files and cannot be used for cryptographic operations. They are on the card for convenience only. OpenSC extracts the public keys from the certificates and does not use the public key files.
</p>
<h2>How do I store additional certificates into the above mentioned empty certificate-files?</h2>
<p>
You (and OpenSC) dont see the empty certificate files through the emulation layer. One consequence of this is, that you cannot store your own certificates into these files with pkcs11-tool or pkcs15-init.
</p>
<p>
You must use opensc-explorer and store the certificate directly into the right position or use netkey-tool, a small program, that I wrote exactly for that purpose.
</p>
<p>
In general (and in particular with TCOS-cards) it's a lot more complicated to create a new file on a smartcard than updating an existing one. That's the reason why there are empty certificate files on a <a class="missing" href="/opensc/wiki/NetKey" shape="rect">NetKey?</a> card. They contain 1536 0xFF-bytes and you can overwrite them with your own certificate (if your certificate has at most 1536 bytes).
</p>
<p>
netkey-tool can do other NetKey-card specific things as well. In particular it will display your initial PUK value and all certificates (including the emtpy ones, which are invisible to pkcs15-tool). As of this writing (June 2005) netkey-tool is included in the CVS-version only.
</p>
</div>
</div><div class="footer"><hr></hr><p><a href="index.html">Back to Index</a></p></div></body></html>
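Review bot: Every "PKCS#15" in the first three paragraphs is rendered as `PKCS<a href="/opensc/ticket/15" ...>#15*</a>`, because the wiki auto-linked `#15` to ticket 15; in the snapshot this reads "PKCS#15*" and links through an absolute path to an unrelated ticket ("--with-openssl doesn't work right"). Escape the `#` in the wiki source or have the export step undo ticket links. The contact link uses `href="mail:pk_opensc@web.de"`, which should be a `mailto:` URL, and the card image is loaded from `http://www.opensc.org/...` instead of being copied into doc/, so the offline documentation depends on a remote fetch.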

64
doc/TroubleShooting.html Normal file

@ -0,0 +1,64 @@
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:html="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>TroubleShooting - OpenSC - Trac</title><style type="text/css">
@import url(trac.css);
</style></head><body><div class="wikipage">
<div id="searchable"><h1>Debugging OpenSC</h1>
<pre class="wiki" xml:space="preserve">opensc-tool -l
</pre><p>
will give you a list of readers opensc has found. If your reader isn't listed, you have
a problem with that reader. For OpenCT see [<a class="ext-link" title="http://www.opensc.org/openct/wiki/TroubleShooting" href="http://www.opensc.org/openct/wiki/TroubleShooting" shape="rect">http://www.opensc.org/openct/wiki/TroubleShooting</a>] for details.
For PCSC/Lite see it's documentation (FIXME: a link would be nice). For CT-API readers, edit the
opensc.conf and make sure the reader is properly configured. If it still doesn't help, increase
debugging to level 5 or higher in opensc.conf, run "opensc-tool -l" again and send a debug log
to the mailing list (see <a class="missing" href="/opensc/wiki/ContactInfo" shape="rect">ContactInfo?</a> for details).
</p>
<p>
FIXME: more help for debugging opensc.
</p>
<h2>Unsupported INS byte in APDU</h2>
<p>
This is a common error message. The best translation is:
</p>
<pre class="wiki" xml:space="preserve">Sorry, we don't know that card.
</pre><p>
Each card is identified by it so called ATR ("Answer to reset").
You can get this identification code by running
</p>
<pre class="wiki" xml:space="preserve">opensc-tool --atr
</pre><p>
OpenSC contains a compiled in list of atr it knows in each card driver.
To check if any card driver knows about your card, please run
</p>
<pre class="wiki" xml:space="preserve">opensc-tool --name
</pre><p>
So if that name is "Default driver for unknown cards" then either your card
is not supported at all, or it is a brand new version of an old and supported
card, and if it is compatible with the older version it might work.
</p>
<p>
In case it is only a new version, but still compatible, you can edit opensc.conf
and configure some driver to also accept this new atr. opensc.conf already contains
a configuration example, you only need to change the atr and driver and enable it.
Here is that example code:
</p>
<pre class="wiki" xml:space="preserve"> # GPK card driver additional ATR entry:
card_driver gpk {
atr = 00:11:22;
}
</pre><p>
Replace "gpk" with the card driver of your card and "00:11:22" with the atr
printed by "opensc-tool --atr". WARNING: this can damage your card and render
it useless (in case the driver is not compatible with your card). So don't do
this, unless you are absolutely sure of what you are doing. If you are not
sure, please contact the OpenSC Team (see <a class="missing" href="/opensc/wiki/ContactInfo" shape="rect">ContactInfo?</a> for details).
</p>
<p>
Also note: more and more drivers have internal flags, for example for subtypes
of cards or for certain properties, like whether or nor a card can generate
keys (very old smartcards can't do that). Currently it is not possible to set
those flags in the config file, so often it might be necessary to edit OpenSC
source code and recompile OpenSC.
</p>
</div>
</div><div class="footer"><hr></hr><p><a href="index.html">Back to Index</a></p></div></body></html>
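Review bot: The warning that a mismatched driver "can damage your card and render it useless" comes only after the `card_driver gpk { atr = 00:11:22; }` example and the instruction to substitute the values, so a reader who copies the block first reaches the warning too late; move it ahead of the example. The first paragraph also says to raise debugging "to level 5 or higher in opensc.conf" without naming the setting to change, and two FIXME notes (the PCSC/Lite link and "more help for debugging opensc") remain in the shipped text.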

13
doc/WindowsCsp.html Normal file

@ -0,0 +1,13 @@
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:html="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>WindowsCsp - OpenSC - Trac</title><style type="text/css">
@import url(trac.css);
</style></head><body><div class="wikipage">
<div id="searchable"><h1>PKCS#11 and Windows CryptoAPI</h1>
<p>
OpenSC implements a PKCS#11 v2.11 module that can be combined with addition software such as CSP11 or Identity Alliance CSP to allow Windows applications (IE, Outlook, login etc) access to smartcards supported by OpenSC.
</p>
<p>
TODO: Fill in the details.
</p>
</div>
</div><div class="footer"><hr></hr><p><a href="index.html">Back to Index</a></p></div></body></html>

34
doc/export-wiki.sh Normal file

@ -0,0 +1,34 @@
#!/bin/bash
set -e
export SERVER=http://www.opensc.org
export WIKI=opensc/wiki
export XSL=export-wiki.xsl
test -f `basename $0`
rm -rf *.html *.css
wget $SERVER/$WIKI/TitleIndex -O TitleIndex.tmp
grep "\"/$WIKI/[^\"]*\"" TitleIndex.tmp \
|sed -e "s#.*\"/$WIKI/\([^\"]*\)\".*#\1#g" \
> WikiWords.tmp
sed -e /^Trac/d -e /^Wiki/d -e /^TitleIndex/d -e /^RecentChanges/d \
-e /^CamelCase/d -e /^SandBox/d -i WikiWords.tmp
for A in WikiStart `cat WikiWords.tmp`
do
F=`echo $A|sed -e 's/\//_/g'`
wget $SERVER/$WIKI/$A -O $F.tmp
xsltproc --output $F.html $XSL $F.tmp
sed -e "s#<a href=\"/$WIKI/\([^\"]*\)\"#<a href=\"\1.html\"#g" \
-i $F.html
done
mv WikiStart.html index.html
wget http://www.opensc.org/trac/css/trac.css
rm *.tmp
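Review bot: Page names taken from the downloaded TitleIndex are used unquoted and unvalidated as file names and command arguments in the loop (`wget $SERVER/$WIKI/$A -O $F.tmp`, `xsltproc --output $F.html $XSL $F.tmp`, `sed ... -i $F.html`). The extraction pattern accepts anything except a double quote, so a name containing whitespace or glob characters is word-split or expanded, and one starting with a dash could be read as an option; the index is also fetched over plain http, so its content is not authenticated. Quote every expansion and reject names outside the expected wiki-word character set before using them. Further points: `rm -rf *.html *.css` is guarded only by `test -f` on the script's own basename, the trac.css URL is hard-coded instead of using `$SERVER`, and with `set -e` a failed download leaves the `*.tmp` files behind.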

58
doc/export-wiki.xsl Normal file

@ -0,0 +1,58 @@
<?xml version="1.0" encoding="UTF-8"?>
<xsl:stylesheet version="1.0"
xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
xmlns="http://www.w3.org/1999/xhtml"
xmlns:html="http://www.w3.org/1999/xhtml">
<xsl:output method="html" indent="yes"/>
<xsl:template match="/">
<xsl:apply-templates />
</xsl:template>
<xsl:template match="/html:html">
<html>
<head>
<title><xsl:value-of select="/html:html/html:head/html:title" /></title>
<style type="text/css">
@import url(trac.css);
</style>
</head>
<body>
<xsl:apply-templates select="//html:div[@class='wikipage']" />
<div class="footer">
<hr />
<p><a href="index.html">Back to Index</a></p>
</div>
</body>
</html>
</xsl:template>
<xsl:template match="/pages">
<html>
<head>
<title>Wiki Index</title>
<style type="text/css">
@import url(trac.css);
</style>
</head>
<body>
<h1>Index of Wiki Pages</h1>
<ul>
<xsl:apply-templates select="page" />
</ul>
</body>
</html>
</xsl:template>
<xsl:template match="page">
<li><a href="{.}.html"><xsl:value-of select="." /></a></li>
</xsl:template>
<xsl:template match="node()|@*" priority="-1">
<xsl:copy>
<xsl:apply-templates select="@*|node()"/>
</xsl:copy>
</xsl:template>
</xsl:stylesheet>
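Review bot: The catch-all identity template (`match="node()|@*"`) copies everything inside `div[@class='wikipage']` into the output unchanged, so whatever markup the live wiki serves, including absolute `/opensc/wiki/...` links for missing pages and any script or remote image elements, lands in the shipped documentation. Since the input comes from a publicly editable source, add templates that drop or rewrite the elements the static docs should not carry. The `xmlns:html` declaration also ends up on every generated `<html>` element; `exclude-result-prefixes="html"` on `xsl:stylesheet` should suppress it. The `/pages` and `page` templates are not exercised by export-wiki.sh as committed, so either document the intended input or remove them.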

121
doc/index.html Normal file

@ -0,0 +1,121 @@
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:html="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>OpenSC - Trac</title><style type="text/css">
@import url(trac.css);
</style></head><body><div class="wikipage">
<div id="searchable"><h1>OpenSC</h1>
<p>
OpenSC provides a set of libraries and utilities to access smart
cards. Its main focus is on cards that support cryptographic operations,
and facilitate their use in security applications such as mail encryption,
authentication, and digital signature. OpenSC implements the PKCS#11 API
so applications supporting this API such as Mozilla Firefox and Thunderbird
can use it. OpenSC implements the PKCS#15 standard and aims to be compatible
with every software that does so, too.
</p>
<h2>Card Support</h2>
<p>
<a href="CardsAndTokens.html" shape="rect">CardsAndTokens</a> has the full list of all smart cards and tokens.
</p>
<p>
Each release is tested with a subset of the supported cards, and users provide
additional test results. These are collected in <a href="RecentTestresults.html" shape="rect">RecentTestresults</a>.
</p>
<h2>Operating Systems</h2>
<p>
OpenSC runs on Windows, <a href="MacOsX.html" shape="rect">Mac OS X</a> and several other Unix and Bsd flavors.
It is even shipped as integral part of some <a href="LinuxDistributions.html" shape="rect">LinuxDistributions</a>.
</p>
<p>
OpenSC can be integrated with OS-centric cryptography frameworks such as <a href="WindowsCsp.html" shape="rect">WindowsCsp</a>.
</p>
<h2>Card Readers</h2>
<p>
To use OpenSC you need a driver for your smart card reader. This can either be a driver
in CT-API format, or an <a class="missing" href="/opensc/wiki/IfdHandler" shape="rect">IfdHandler?</a> driver in combination with <a class="missing" href="/opensc/wiki/PcscLite" shape="rect">PcscLite?</a>, or <a class="missing" href="/opensc/wiki/OpenCt" shape="rect">OpenCt?</a>.
Most developers use OpenCT in direct combination, i.e. not using the OpenCT CT-API
driver nor the OpenCT ifdhandler with PC/SC-Lite. However those alternatives should
work fine, too.
</p>
<p>
On Win32 platforms you usually get a PC/SC driver. Most <a href="PinpadReaders.html" shape="rect">Pinpad readers</a> (aka Class 2+ readers) also supply a CT-API driver. Though both drivers can be used with OpenSC you are currently limited to the CT-API driver if you want to use the reader's pinpad.
</p>
<h2>Features</h2>
<p>
* <a href="ReplacingCertificates.html" shape="rect">ReplacingCertificates</a>
</p>
<h2>Application Support</h2>
<p>
OpenSC comes with a bundle of tools for testing, debugging and initialization.
In addition it contains two <a href="OpensslEngines.html" shape="rect">OpensslEngines</a> that can be combined with OpenSSL to use
the normal OpenSSL commands while using a smart card hardware to do the crypto operations.
</p>
<p>
OpenSC contains a <a class="missing" href="/opensc/wiki/PamModule" shape="rect">PamModule?</a> for authentication/login via smart card. That pam module however
has a few minor bugs. But there is also a new pam module
<a class="ext-link" title="http://oasis.dit.upm.es/~jantonio/pam-pkcs11/" href="http://oasis.dit.upm.es/~jantonio/pam-pkcs11/" shape="rect">for PKCS!#11</a> libaries.
</p>
<p>
OpenSC contains a PKCS#11 library called opensc-pkcs11.so. This library can be used
with <a class="missing" href="/opensc/wiki/MozillaFirebird" shape="rect">MozillaFirebird?</a>, <a class="missing" href="/opensc/wiki/MozillaThunderbird" shape="rect">MozillaThunderbird?</a> or plain Mozilla to login to websites using
certificates from the smart card, or to sign and decrypt eMails or authenticate
to your mail server with your certificate. Keypair generation, certificate request
and writing the requested cert through an on-line CA should also be <a href="pkcs11_keypair_gen.html" shape="rect">possible</a>.
</p>
<p>
<a class="missing" href="/opensc/wiki/FreeSwan/StrongSwan/OpenSwan" shape="rect">FreeSwan/StrongSwan/OpenSwan?</a> can be compiled with OpenSC support and thus be used
to authenticate a VPN connection using a smart card.
</p>
<p>
OpenSSH can be compiled with OpenSC support and thus use the smart card for
authenticating at a remote ssh server. See <a href="OpenSsh.html" shape="rect">OpenSsh</a> for details.
</p>
<p>
On Windows there is a patched version of Putty with support for PKCS#11 libraries
such as OpenSC. See the <a class="ext-link" title="http://www.opensc.org/scb/" href="http://www.opensc.org/scb/" shape="rect">Smart Card Bundle</a> for a binary
package with installer containing OpenSSL, OpenSC and Putty for Windows.
</p>
<p>
<a class="missing" href="/opensc/wiki/GnuPg" shape="rect">GnuPg?</a> contains support for OpenSC in the experimental 1.9 branch.
</p>
<p>
There is a patch for <a class="missing" href="/opensc/wiki/WpaSupplicant" shape="rect">WpaSupplicant?</a> to allow authentication to access points using
smart cards.
</p>
<p>
<a class="ext-link" title="http://sourceforge.net/projects/gdigidoc" href="http://sourceforge.net/projects/gdigidoc" shape="rect">Gdigidoc</a> uses <a class="ext-link" title="http://www.openxades.org/" href="http://www.openxades.org/" shape="rect">OpenXAdES</a> library what in turn can make use of OpenSC PKCS#11 module or CSP on windows.
</p>
<p>
<a href="PuTTYcard.html" shape="rect">Here's a Wikipage</a> that has some information about PuTTYcard, an extension to Simon Tathams PuTTY.
PuTTYcard let you use your Smartcards RSA keys with Pageant.exe.
</p>
<p>
<a class="ext-link" title="http://www.libchipcard.de" href="http://www.libchipcard.de" shape="rect">LibChipcard</a> is a library and tools to use all kind of chipcards like HBCI chip cards and german medical cards.
It is used by many online banking applications. The latest development snapshot for version 2 now includes
support for using opensc reader layer. great new!
</p>
<p>
<a href="TroubleShooting.html" shape="rect">TroubleShooting</a> explains the most common problems and how to solve the,
</p>
<h2>Getting OpenSC</h2>
<p>
You can either download OpenSC releases from our <a class="ext-link" title="http://www.opensc.org/files/" href="http://www.opensc.org/files/" shape="rect">File Archive</a>
or access our <a href="SubversionRepository.html" shape="rect">SubversionRepository</a>.
</p>
<h2>Links</h2>
<p>
* <a class="ext-link" title="http://csrc.nist.gov/publications/fips/fips201/FIPS-201-022505.pdf" href="http://csrc.nist.gov/publications/fips/fips201/FIPS-201-022505.pdf" shape="rect">NIST</a> has a document about personal identity verification cards.
</p>
<h2>Developers Corner</h2>
<p>
We would like to gather some information on developers to make it easier for all of us.
New pages: <a class="missing" href="/opensc/wiki/DeveloperHardware" shape="rect">DeveloperHardware?</a> (donations welcome!), <a href="AutoVersions.html" shape="rect">AutoVersions</a>.
</p>
<p>
<a href="ReleaseHowto.html" shape="rect">ReleaseHowto</a> documents our release process.
</p>
<p>
For interoperability with other smart card projects, mostly national id cards, there is a mailing
list at [<a class="ext-link" title="http://www.gol.grosseto.it/mailman/listinfo/interopeid" href="http://www.gol.grosseto.it/mailman/listinfo/interopeid" shape="rect">http://www.gol.grosseto.it/mailman/listinfo/interopeid</a>]
</p>
</div>
</div><div class="footer"><hr></hr><p><a href="index.html">Back to Index</a></p></div></body></html>
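Review bot: Many links in this page still point at the live wiki's absolute paths and are marked `class="missing"` (IfdHandler, PcscLite, OpenCt, PamModule, MozillaFirebird, MozillaThunderbird, GnuPg, WpaSupplicant, DeveloperHardware), so they break when the snapshot is read from doc/. Either export those pages as well or have the export step turn missing links into plain text. Smaller points: the link text "for PKCS!#11" carries a leaked wiki escape, the Features and Links entries are paragraphs starting with "* " rather than list items, and the TroubleShooting sentence ends in "how to solve the,".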


@ -0,0 +1,28 @@
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:html="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>pkcs11_keypair_gen - OpenSC - Trac</title><style type="text/css">
@import url(trac.css);
</style></head><body><div class="wikipage">
<div id="searchable"><p>
<strong>PKCS11 Keypair generation, certificate request and writing the requested cert to the card</strong>
</p>
<p>
You can use the the pkcs11 library (<i>opensc-pkcs11.so</i> or <i>opensc-pkcs11.dll</i>) with Mozilla/Firefox/Netscape to go to an on-line CA (Certificate Authority). In this case, the browser will:
</p>
<ul><li>ask the pkcs11 lib to generate a keypair on your card,
</li><li>create a certificate request,
</li><li>ask the pkcs11 lib to sign the cert request,
</li><li>send the cert request to the CA,
</li><li>(at a later time, when the CA is done) download the requested cert,
</li><li>and ask the pkcs11 lib to store the cert on your card.
</li></ul><p>
However in order to work:
</p>
<ul><li>you have to format your card with the "onepin" profile option:
<ul><li> <i>pkcs15-init -E</i>
</li><li> <i>pkcs15-init -C -p pkcs15+onepin --pin xxxx --puk yyyy</i>
</li></ul></li><li>you have set <i>cache_pins</i> should to <i>true</i> in <i>opensc.conf</i>
</li></ul><p>
Currently, only 1 certificate can be requested this way. The reason is that Mozilla changes the ID of the key and cert into a hash of 20 bytes, and this confuses our pkcs15init library (used to 1-byte IDs) who will attempt to create a new key on the place of the first key (which fails)...
</p>
</div>
</div><div class="footer"><hr></hr><p><a href="index.html">Back to Index</a></p></div></body></html>
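Review bot: The setup commands in the second list need a warning before users follow them: `pkcs15-init -E` erases the card, which the page does not say, and `pkcs15-init -C -p pkcs15+onepin --pin xxxx --puk yyyy` passes PIN and PUK as command-line arguments, where they end up in shell history and are visible in the process list. State that the first command wipes existing keys and certificates, and point out the exposure of the second. The `cache_pins` item is garbled ("you have set cache_pins should to true") and gives no reason; say why the browser flow needs it and what caching the PIN implies for the user.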

360
doc/trac.css Normal file

@ -0,0 +1,360 @@
/* Trac CSS */
body {
background: #fff;
color: #000;
margin: 10px;
}
body, th, td {
font: normal 13px verdana,arial,'Bitstream Vera Sans',helvetica,sans-serif;
}
h1, h2, h3, h4 {
font-family: arial,verdana,'Bitstream Vera Sans',helvetica,sans-serif;
font-weight: bold;
letter-spacing: -0.018em;
}
h1 { font-size: 19px; margin: .15em 1em 0 0 }
h2 { font-size: 16px }
h3 { font-size: 14px }
hr { border: none; border-top: 1px solid #ccb; margin: 2em 0 }
address { font-style: normal }
img { border: none }
.underline { text-decoration: underline; }
ol.loweralpha { list-style-type: lower-alpha }
ol.upperalpha { list-style-type: upper-alpha }
ol.lowerroman { list-style-type: lower-roman }
ol.upperroman { list-style-type: upper-roman }
ol.arabic { list-style-type: decimal }
/* Link styles */
:link, :visited {
text-decoration: none;
color: #b00;
border-bottom: 1px dotted #bbb;
}
:link:hover, :visited:hover {
background-color: #eee;
color: #555;
}
h1 :link, h1 :visited ,h2 :link, h2 :visited, h3 :link, h3 :visited,
h4 :link, h4 :visited, h5 :link, h5 :visited, h6 :link, h6 :visited {
color: inherit;
}
.ext-link { background: url(../extlink.gif) no-repeat 0 58%; padding-left: 16px }
* html .ext-link { background-position: 0 .35em } /* IE hack, see #937 */
/* Forms */
input, textarea, select { margin: 2px }
input, select { vertical-align: middle }
input[type=submit], input[type=reset] {
background: #eee;
color: #222;
border: 1px outset #ccc;
padding: .1em .5em;
}
input[type=submit]:hover, input[type=reset]:hover { background: #ccb }
input[type=text], input.textwidget, textarea {
background: #fff;
color: #000;
border: 1px solid #d7d7d7;
}
input[type=text], input.textwidget { padding: .25em .5em }
input[type=text]:focus, textarea:focus { border: 1px solid #886 }
option { border-bottom: 1px dotted #d7d7d7 }
fieldset { border: 1px solid #d7d7d7; padding: .5em; margin: 0 }
fieldset.iefix { border: none; padding: 0; margin: 0 }
* html fieldset.iefix { width: 98% }
fieldset.iefix p { margin: 0 }
legend { color: #999; padding: 0 .25em; font-size: 90%; font-weight: bold }
label.disabled { color: #d7d7d7 }
.buttons { margin: .5em .5em .5em 0 }
.buttons form, .buttons form div { display: inline }
.buttons input { margin: 1em .5em .1em 0 }
/* Header */
#header hr { display: none }
#header img { border: none; margin: 0 0 -3em }
#header :link, #header :visited, #header :link:hover, #header :visited:hover {
background: transparent;
margin-bottom: 2px;
border: none;
}
/* Quick search */
#search {
clear: both;
font-size: 10px;
height: 2.2em;
margin: 0 0 1em;
text-align: right;
}
#search input { font-size: 10px }
#search label { display: none }
/* Navigation */
.nav h2, .nav hr { display: none }
.nav ul { font-size: 10px; list-style: none; margin: 0; text-align: right }
.nav li {
border-right: 1px solid #d7d7d7;
display: inline;
padding: 0 .75em;
white-space: nowrap;
}
.nav li.last { border-right: none }
/* Main navigation bar */
#mainnav {
background: #f7f7f7 url(../topbar_gradient.png) 0 0;
border: 1px solid #000;
font: normal 10px verdana,'Bitstream Vera Sans',helvetica,arial,sans-serif;
margin: .66em 0 .33em;
padding: .2em 0;
}
#mainnav li { border-right: none; padding: .25em 0 }
#mainnav :link, #mainnav :visited {
background: url(../dots.gif) 0 0 no-repeat;
border-right: 1px solid #fff;
border-bottom: none;
border-left: 1px solid #555;
color: #000;
padding: .2em 20px;
}
* html #mainnav :link, * html #mainnav :visited { background-position: 1px 0 }
#mainnav :link:hover, #mainnav :visited:hover {
background-color: #ccc;
border-right: 1px solid #ddd;
}
#mainnav .active:link, #mainnav .active:visited {
background: #333 url(../topbar_gradient2.png) 0 0 repeat-x;
border-top: none;
border-right: 1px solid #000;
color: #eee;
font-weight: bold;
}
#mainnav .active:link:hover, #mainnav .active:visited:hover {
border-right: 1px solid #000;
}
/* Context-dependent navigation links */
#ctxtnav { height: 1em }
#ctxtnav li ul {
background: #f7f7f7;
color: #ccc;
border: 1px solid;
padding: 0;
display: inline;
margin: 0;
}
#ctxtnav li li { padding: 0; }
#ctxtnav li li :link, #ctxtnav li li :visited { padding: 0 1em }
#ctxtnav li li :link:hover, #ctxtnav li li :visited:hover {
background: #bba;
color: #fff;
}
/* Alternate links */
#altlinks { clear: both; text-align: center }
#altlinks h3 { font-size: 12px; letter-spacing: normal; margin: 0 }
#altlinks ul { list-style: none; margin: 0; padding: 0 0 1em }
#altlinks li {
border-right: 1px solid #d7d7d7;
display: inline;
font-size: 11px;
line-height: 16px;
padding: 0 1em;
white-space: nowrap;
}
#altlinks li.last { border-right: none }
#altlinks li :link, #altlinks li :visited {
background-position: 0 -1px;
background-repeat: no-repeat;
border: none;
}
#altlinks li a.ics { background-image: url(../ics.png); padding-left: 22px }
#altlinks li a.rss { background-image: url(../xml.png); padding-left: 42px }
/* Footer */
#footer {
clear: both;
color: #bbb;
font-size: 10px;
border-top: 1px solid;
height: 31px;
padding: .25em 0;
}
#footer :link, #footer :visited { color: #bbb; }
#footer hr { display: none }
#footer #tracpowered { border: 0; float: left }
#footer #tracpowered:hover { background: transparent }
#footer p { margin: 0 }
#footer p.left {
float: left;
margin-left: 1em;
padding: 0 1em;
border-left: 1px solid #d7d7d7;
border-right: 1px solid #d7d7d7;
}
#footer p.right {
float: right;
text-align: right;
}
#content { padding-bottom: 2em; position: relative }
#help {
clear: both;
color: #999;
font-size: 90%;
margin: 1em;
text-align: right;
}
#help :link, #help :visited { cursor: help }
#help hr { display: none }
/* Page preferences form */
#prefs {
background: #f7f7f0;
border: 1px outset #998;
float: right;
font-size: 9px;
padding: .8em;
position: relative;
margin: 0 1em 1em;
}
* html #prefs { width: 26em } /* Set width only for IE */
#prefs input, #prefs select { font-size: 9px; vertical-align: middle }
#prefs fieldset { border: none; margin: .5em; padding: 0 }
#prefs fieldset legend {
background: transparent;
color: #000;
font-size: 9px;
font-weight: normal;
margin: 0 0 0 -1.5em;
padding: 0;
}
#prefs .buttons { text-align: right }
/* Wiki */
a.missing:link,a.missing:visited { background: #fafaf0; color: #998 }
a.missing:hover { color: #000; }
#content.wiki { line-height: 140% }
.wikitoolbar {
border: solid #d7d7d7;
border-width: 1px 1px 1px 0;
float: left;
height: 18px;
}
.wikitoolbar :link, .wikitoolbar :visited {
background: transparent url(../edit_toolbar.png) no-repeat;
border: 1px solid #fff;
border-left-color: #d7d7d7;
cursor: default;
display: block;
float: left;
width: 24px;
height: 16px;
}
.wikitoolbar :link:hover, .wikitoolbar :visited:hover {
background-color: transparent;
border: 1px solid #fb2;
}
.wikitoolbar a#em { background-position: 0 0 }
.wikitoolbar a#strong { background-position: 0 -16px }
.wikitoolbar a#heading { background-position: 0 -32px }
.wikitoolbar a#link { background-position: 0 -48px }
.wikitoolbar a#code { background-position: 0 -64px }
.wikitoolbar a#hr { background-position: 0 -80px }
/* Styles for the form for adding attachments. */
#attachment .field { margin-top: 1.3em }
#attachment label { padding-left: .2em }
#attachment fieldset { margin-top: 2em }
#attachment fieldset .field { float: left; margin: 0 1em .5em 0 }
#attachment br { clear: left }
/* Styles for tabular listings such as those used for displaying directory
contents and report results. */
table.listing {
clear: both;
border-bottom: 1px solid #d7d7d7;
border-collapse: collapse;
border-spacing: 0;
margin-top: 1em;
width: 100%;
}
table.listing th { text-align: left; padding: 0 1em .1em 0; font-size: 12px }
table.listing thead { background: #f7f7f0 }
table.listing thead th {
border: 1px solid #d7d7d7;
border-bottom-color: #999;
font-size: 11px;
font-weight: bold;
padding: 2px .5em;
vertical-align: bottom;
}
table.listing thead th :link:hover, table.listing thead th :visited:hover {
background-color: transparent;
}
table.listing thead th a { border: none; padding-right: 12px }
table.listing th.asc a, table.listing th.desc a { font-weight: bold }
table.listing th.asc a, table.listing th.desc a {
background-position: 100% 50%;
background-repeat: no-repeat;
}
table.listing th.asc a { background-image: url(../asc.png) }
table.listing th.desc a { background-image: url(../desc.png) }
table.listing tbody td, table.listing tbody th {
border: 1px dotted #ddd;
padding: .33em .5em;
vertical-align: top;
}
table.listing tbody td a:hover, table.listing tbody th a:hover {
background-color: transparent;
}
table.listing tbody tr { border-top: 1px solid #ddd }
table.listing tbody tr.even { background-color: #fcfcfc }
table.listing tbody tr.odd { background-color: #f7f7f7 }
table.listing tbody tr:hover { background: #eed !important }
.wikipage p { margin-left: 1em }
pre.wiki, pre.literal-block {
background: #f7f7f7;
border: 1px solid #d7d7d7;
margin: 1em 1.75em;
padding: .25em;
overflow: auto;
}
table.wiki {
border: 2px solid #ccc;
border-collapse: collapse;
border-spacing: 0;
}
table.wiki td { border: 1px solid #ccc; padding: .1em .25em; }
/* Styles for the error page (and rst errors) */
#content.error .message, div.system-message {
background: #fdc;
border: 2px solid #d00;
color: #500;
padding: .5em;
margin: 1em 0;
}
#content.error pre, div.system-message pre { margin-left: 1em; overflow: auto }
div.system-message p { margin: 0; }
div.system-message p.system-message-title { font-weight: bold; }
/* Styles for search word highlighting */
@media screen {
.searchword0 { background: #ff9 }
.searchword1 { background: #cfc }
.searchword2 { background: #cff }
.searchword3 { background: #ccf }
.searchword4 { background: #fcf }
}
@media print {
#header, #altlinks, #footer { display: none }
.nav, form, .buttons form { display: none }
}
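Review bot: the `url(../…)` image references in this stylesheet (`../extlink.gif` on `.ext-link`, `../topbar_gradient.png`, `../topbar_gradient2.png` and `../dots.gif` under `#mainnav`, `../ics.png` and `../xml.png` under `#altlinks`, `../edit_toolbar.png` on `.wikitoolbar`, `../asc.png` and `../desc.png` on `table.listing`) resolve relative to the stylesheet's own location. The snapshot pages pull it in with `@import url(trac.css)`, which places it beside them, so every one of these paths points one directory above the snapshot. Either add the images at that location or rewrite the paths to match where the snapshot keeps them; otherwise the pages render without link icons and navigation backgrounds. Separately, the selector `table.listing th.asc a, table.listing th.desc a` is declared twice in a row and the two rules can be merged into one.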