diff --git a/doc/AladdinEtokenPro.html b/doc/AladdinEtokenPro.html new file mode 100644 index 00000000..2642f1b6 --- /dev/null +++ b/doc/AladdinEtokenPro.html @@ -0,0 +1,42 @@ + +AladdinEtokenPro - OpenSC - Trac
+

Aladdin eToken PRO

+

+Aladdin offers the eToken PRO, an USB crypto token with 32k memory +and support for RSA keys up to 1024bit key length. +

+

+The eToken PRO is fully supported by OpenSC and is well tested. +

+

+The smart card inside is an Infineon Chip with the Siemens CardOS M4 smart card operating system. +

+

+One minor feature of the Siemens CardOS M4 is, that a rsa key cannot be used for both signing +and decryption. OpenSC has implemented a workaround: software key generation and storing that +key twice, once marked as decryption key and once marked as signing key. To enable this workaround +specifiy "--split-key" on the command line, when creating the key. +

+

+Aladdin has there own software for windows and linux. This software does not implement PKCS#15 and thus is not compatible with OpenSC. As long as the card has memory, you can initialize the card with both software packages, and thus install files and keys side by side - each software can only handle their own structures. +

+

+Note that Aladdin is maybe the oldest player in the usb token field, and their software predates the PKCS#15 standard, so you can't blame them for not conforming to the standard. Note also that Aladdin sponsored an OpenSC workshop in 2003 by donating 30 Aladdin eToken PRO, thanks a lot! +

+

+There is a rare version of the Aladdin eToken PRO with a G&D Starcos smart card inside. This version is not supported and never went into mass production as far as we know. +

+

+Aladdin has an SDK with Documentation on their ftp server for public download, but to implement the OpenSC driver further documentation was necessary (by Siemens and available only under NDA as far as we know). +

+

+Some people had problems buying a single Aladdin eToken PRO (bare, without any bundle or consulting etc.). +Please try bristol.de or coretech.at if you run into trouble. +

+

+Security Mart sells them at 47$ if you buy 10-99 pieces. +

+
+
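Review bot: The "--split-key" paragraph calls the CardOS M4 restriction a "minor feature" and then says the workaround is "software key generation and storing that key twice", but it never tells the reader that the private key is therefore created outside the token and written to it in two copies. Suggest stating that explicitly so users can decide whether it is acceptable for their keys. While the text is open, fix "specifiy" and "Aladdin has there own software" ("their").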
diff --git a/doc/AutoVersions.html b/doc/AutoVersions.html new file mode 100644 index 00000000..e4ddefcf --- /dev/null +++ b/doc/AutoVersions.html @@ -0,0 +1,46 @@ + +AutoVersions - OpenSC - Trac
+

Versions of Auto Tools

+

+OpenSC should work for every developer. One software is very tricky: autoconf, automake and libtool. +Which version can we require? Unfortunatly the only way we can find out is trial and error. To improve +the situation, we would like to gather which version everyone is using, so we can make sure even the +oldest version of these tools still in use works (and hope that newer versions work, too). +

+
+ +++++++ + + + + + + + + + + + + + + + + + + + + +
NameDistributionAutoconfAutomakeLibtool
Andreas JellinghausDebian sarge2.591.7.91.5.6
Ludovic RousseauDebian sarge2.591.9.51.5.6
+

+Ludovic Rousseau: Note that if you distribute the created .tar.gz file you should always use the latest autotools versions in order to support the newly added architectures/OS. That will greatly ease the life of your users. +

+
+
diff --git a/doc/BelgianEid.html b/doc/BelgianEid.html new file mode 100644 index 00000000..d1537283 --- /dev/null +++ b/doc/BelgianEid.html @@ -0,0 +1,23 @@ + +BelgianEid - OpenSC - Trac
+

Belgian Belpic

+

+The belgian eid card is official using OpenSC for their software. +

+

+Currently please use the "belpic" software available from the belgian state. +

+

+Current releases do not include belpic support, but OpenSC is in the process of merging the software, the next release should support it. +

+

+FIXME:links,documentation,pointers. +

+

+Thanks to Belgium for chossing OpenSC as basis for their software and donating the full source code back to use under LGPL license. +Thanks to Zetes for their support of OpenSC. +

+
+
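Review bot: The line "FIXME:links,documentation,pointers." ships as visible page text, and the page tells readers to use the "belpic" software "available from the belgian state" without saying where to get it. Suggest resolving the FIXME with the actual pointer before this is distributed, and fixing "is official using", "chossing" and "donating the full source code back to use" ("to us").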
diff --git a/doc/CardOs.html b/doc/CardOs.html new file mode 100644 index 00000000..a2da701c --- /dev/null +++ b/doc/CardOs.html @@ -0,0 +1,22 @@ + +CardOs - OpenSC - Trac
+

Siemens CardOS M4

+

+Siemens CardOS M4 smart card should work fine with OpenSC. +

+

+Currently only the Aladdin eToken PRO is tested often (a usb crypto dongle that contains a card with this operating system). It works fine, so all other smart cards with the same card operating system should work fine, too. +

+

+Siemens CardOS M4 does not allow a key to be used for signing and decryption. OpenSC has a workaround for this restriction, you can generate or store a private key with the "--split-key" flag which will store the key twice, with different usage options, but hide this detailt. +

+

+Some documentation is available from Aladdin for their eToken PRO, but for an in-depth documentation you need the Siemens card manual, which requires signing an NDA. +

+

+FIXME: where to buy such a card? pricing? +

+
+
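Review bot: The "--split-key" paragraph ends with "but hide this detailt", which looks like a typo for "detail" and does not say from whom the duplication is hidden. This page also says you can "generate or store a private key" with the flag, while AladdinEtokenPro.html and CryptoIdendityItsec.html describe the workaround as software key generation. Suggest one wording shared by the three pages, or a link to a single description.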
diff --git a/doc/CardReaders_CTAPI.html b/doc/CardReaders_CTAPI.html new file mode 100644 index 00000000..b2ad8cce --- /dev/null +++ b/doc/CardReaders_CTAPI.html @@ -0,0 +1,54 @@ + +CardReaders/CTAPI - OpenSC - Trac
+

Using pinpad readers with CT-API

+

+On Win32 a pinpad reader usually supplies a PC/SC driver and a CT-API driver, since pinpad usage with PC/SC currently is vendor specific. There are some rumours about pinpad standardisation for PC/SC drivers, but I guess this will still need some time till it is widely adopted. Another alternative would be to use the CCID specification for USB readers, but there still are (and IMHO will be for some time) lots of non-CCID compliant pinpad readers. +

+

+So till another standard finds its way into OpenSC you can try the somewhat less user friendly CT-API if you want to use your pinpad with OpenSC. +

+

Configuring CT-API in opensc.conf

+

+To activate the CT-API driver you have to add the token "ctapi" to the reader_drivers attribute of the app default section (or whatever app you are using). +Then the reader's parameters, that is the library and port number, have to be configured in the "reader_driver ctapi" secion. +

+

+Use this as an example: +

+
  app default {
+    reader_drivers = ctapi;
+    reader_driver ctapi {
+      module c:\winnt\system32\CTRSCT32.DLL {
+        ports = 1;
+      }
+    }
+
+  # All the other OpenCT-Parameters...
+  .
+  .
+  .
+  }
+

+Notes +

+

+After this you can try "opensc-tool -l" and hope to see something like +

+
C:\work\opensc\src\tools>opensc-tool -l
+Readers known about:
+Nr.    Driver     Name
+0      ctapi      CT-API c:\winnt\system32\CTRSCT32.DLL, port 1
+

+If you are using a pinpad aware application (I still don't know any except my private pintest) you are ready. Some other applications (like the PKCS#11 plugin for Mozilla or the OpensslEngines) will use the pinpad if you hit return after being asked for a PIN. +

+

+Note that up to date PIN modification or unblocking is not supported with CT-API driver, there still is some work to do... ;) +

+
+
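Review bot: In the opensc.conf example the comment reads "# All the other OpenCT-Parameters..." although the block being shown configures the CT-API driver; suggest naming the parameters that are actually meant, and fixing "secion" in the paragraph above it. The limitation in the last paragraph, that PIN modification or unblocking is not supported with the CT-API driver, is something a reader needs before choosing this setup, so it would be better placed near the top than after the walkthrough.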
diff --git a/doc/CardReaders_SPR532.html b/doc/CardReaders_SPR532.html new file mode 100644 index 00000000..f2179ef7 --- /dev/null +++ b/doc/CardReaders_SPR532.html @@ -0,0 +1,41 @@ + +CardReaders/SPR532 - OpenSC - Trac
+

PinPad AKA SPR532 and OpenSC mini-howto

+

+To get feedback as early as possible, here's a small tutorial how to get going with SPR532 and pinpad. There are other PinpadReaders and other interfaces but the given interface makes use of TeleTrust Class 2 reader IOCTL mechanism that shall be part of PC/SC version 2.0 spec as Part 10. There is also part 10 of the new PC/SC spec but TeleTrust? interface requires no special features from the PC/SC middleware but from the given IFDHandler itself and thus can be deployed now - by introducing the needed support in reader drivers and application side (OpenSC in this case). +

+

+Things you need to try it out: +

+

+NOTE: from the three download links above, directory test/ contains the latest versions and thus might be better for the braves. +

+

+Notes: +

+

+What you can do: +

+
  1. test and provide feedback +
  2. make the code of ccid library better. It seriously looks ugly when the SecurePIN functions come to play - though it works. +
  3. help to argue how things should look like in different places and how we shall solve some issues - see DesignDiscussion +

+Known issues: +

+
  1. It is known to work with SPR532 under Linux. In practice it should work without modifications on windows using the latest windows drivers available from the SCM specific download location above. +
  2. Support is only for T=0 cards (as of now Estonian and Belgian eID cards have been tested on Linux). It might as well work with T=1 cards, but to try it out you must disable the check for active protocol in reader-pcsc.c. Write a note here if it works. +
  3. Support for pinpad operations in general might lag behind your needs. Patches most welcome :) +
+
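Review bot: Known issue 2 tells the reader to "disable the check for active protocol in reader-pcsc.c" to try T=1 cards, without naming the function or the check, so the documented procedure is an unspecified source edit to the reader code. Suggest naming the exact location, or tracking this as a code change rather than a doc instruction. The intro also carries "TeleTrust?" with a stray question mark.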
diff --git a/doc/CardsAndTokens.html b/doc/CardsAndTokens.html new file mode 100644 index 00000000..0c68be0f --- /dev/null +++ b/doc/CardsAndTokens.html @@ -0,0 +1,39 @@ + +CardsAndTokens - OpenSC - Trac
+

Supported Cards and Tokens

+

+OpenSC supports a number of national id cards, smart cards and usb crypto tokens. +

+

National ID Cards

+

Smart Cards

+

USB Tokens

+
+
diff --git a/doc/CompatibilityIssues.html b/doc/CompatibilityIssues.html new file mode 100644 index 00000000..c2737ff9 --- /dev/null +++ b/doc/CompatibilityIssues.html @@ -0,0 +1,53 @@ + +CompatibilityIssues - OpenSC - Trac
+

Software compatibility

+

+In general all smart cards are incompatible. That is the sad truth. +

+

+First, every card has different commands. Some of them conform to the standard ISO 7816 Part 4 and higher, but +most cards have at least some commands, that are special, or the commands require a special data structure. +

+

+Second, even if the same card is used, two different software companies tend to use the card in incompatible +ways. However there is hope for this problem: PKCS#15 is a standard designed to solve that issue. +

+

+OpenSC implements PKCS#15, so cards initialized with OpenSC should work with other software implementing +it and vice versa. Note however, that usualy a card can only be modified with the software that was used +for initializing it in the first place. In that case you can only read the data with the compatible software, +use the keys, and most likely change pin and puk numbers. +

+

+Sometimes it is possible to live side by side. Think of a cd or a disk drive, with a picture and a text +file on it. Your text application can only open and change the text, and your graphics application can +only open and change the graphic, but if the medium can hold both files, you can store both on it. +

+

+That happends for example with the "Aladdin eToken PRO" (a usb crypto token) and OpenSC and the Aladdin +Software. OpenSC creates the file "2f00" and the directory "5015" as per PKCS#15 standard, and fills +both with data/keys/certificates. Aladdin does the same in the directory "6666". Still no software knows +how to deal with the other ones data/keys/certificates. +

+

Comaptible Software

+

+But at least some software is compatible: +

+

+Gieseke and Devrient ship the StarCOS +smart card and usb tokens based on that card. The software bundled with both is called Starsign. That software implements +the PKCS#15 standard, too, so it should be fully compatible with OpenSC and vise versa. If there is any issue, please +let us know (the last test was quite a while in the past). +

+

+If you know other software implementing PKCS#15, please add a paragraph. +

+

National ID cards

+

+National ID cards often are a standard of their own. OpenSC has PKCS#15 emulations for these cards, so you can use +them anway. See NationalIdCards? for a list of supported cards. +

+
+
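Review bot: The section heading "Comaptible Software" is misspelled, and the body has "usualy", "That happends", "vise versa", "anway" and "Gieseke and Devrient" against "G&D" in AladdinEtokenPro.html. Since doc/Makefile.am ships export-wiki.sh and export-wiki.xsl alongside these pages, suggest fixing the spelling in the wiki source and re-exporting rather than editing the HTML. The trailing "NationalIdCards?" also looks like an unresolved wiki link.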
diff --git a/doc/CompatiblityIssues.html b/doc/CompatiblityIssues.html new file mode 100644 index 00000000..48d22167 --- /dev/null +++ b/doc/CompatiblityIssues.html @@ -0,0 +1,6 @@ + +CompatiblityIssues - OpenSC - Trac
+
+
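Review bot: This adds a second page under the misspelled name CompatiblityIssues.html with six lines and no body text visible, next to the full CompatibilityIssues.html, and doc/Makefile.am lists both in HTML. Suggest dropping the misspelled page from the export and from the HTML list, or making it an explicit redirect if old links depend on it.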
diff --git a/doc/CryptoIdendityItsec.html b/doc/CryptoIdendityItsec.html new file mode 100644 index 00000000..5bc48ef6 --- /dev/null +++ b/doc/CryptoIdendityItsec.html @@ -0,0 +1,42 @@ + +CryptoIdendityItsec - OpenSC - Trac
+

Eutrom CryptoIdendity IT-SEC

+

+Eutron offers the Crypto Idendity IT-SEC, an USB crypto token with 32k memory +and support for RSA keys up to 1024bit key length. +

+

+The Crypto Idendity IT-SEC is fully supported by OpenSC, but has not been tested for a while. +

+

+Note that Eutron also offers two other crypto tokens in the Crypto Idendity line, but those +are not supported at all (no documentation available). +

+

+The smart card inside is an Infineon Chip with the Siemens CardOS M4 smart card operating system. +The driver is called "etoken" because this was the first device with that smart card. Only the usb +interface differs, the rest seems to be the same. +

+

+One minor feature of the Siemens CardOS M4 is, that a rsa key cannot be used for both signing +and decryption. OpenSC has implemented a workaround: software key generation and storing that +key twice, once marked as decryption key and once marked as signing key. To enable this workaround +specifiy "--split-key" on the command line, when creating the key. +

+

+Eutron has their own software for windows. This software does not implement PKCS#15 and thus is not compatible with OpenSC. As long as the card has memory, you can initialize the card with both software packages, and thus install files and keys side by side - each software can only handle their own structures. +

+

+Documentation was not necessary, as the driver for the smart card inside was already implemented. +

+

+However there is no tool to format a token (for example if you lock it up by accident), and the card +is slightly differently initialized than the Aladdin eToken PRO, so the scripts for that token do not work with the Eutron Crypto Idendity IT-SEC. A support email was not answered. +

+

+For price and availability, please contact Eutron directly. +

+
+
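Review bot: The heading spells the vendor "Eutrom" while every paragraph below says "Eutron", and "--split-key" is again introduced with "specifiy". The more important point for users is near the end: "there is no tool to format a token (for example if you lock it up by accident)". Suggest moving that warning up next to the statement that the token is fully supported, so readers see it before initializing a device.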
diff --git a/doc/Cryptoflex.html b/doc/Cryptoflex.html new file mode 100644 index 00000000..7770a686 --- /dev/null +++ b/doc/Cryptoflex.html @@ -0,0 +1,26 @@ + +Cryptoflex - OpenSC - Trac
+

Schlumberger / Axalto Cryptoflex

+

+All Cryptoflex are supported by OpenSC, tested very often and work fine. +

+

+Cryptoflex 8k cards however are too small, so the default profile does not fit on the card. Not even the small option is small enough to make it fit on the card. However you could edit the profile file to make it even smaller, then it should work again. +

+

+Documentation is available at [http://www.cryptoflex.com/]. +

+

+Cards can be bought at [http://www.scmegastore.com/]. +

+

+Sell also SchlumbergerEgate - a combination of the latest Cryptoflex card with a mechanical adapter to make the card speak usb. +

+

Test Results

+

+Works fine in smart acrd bundle 0.3rc2 on windows xp (cryptoflex 32k with plug in egate token adapter, driver 2.6.0). +

+
+
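Review bot: The cross-reference "Sell also SchlumbergerEgate" reads as a typo for "See also", and the test result line has "smart acrd bundle". The 8k paragraph says the profile can be edited "to make it even smaller" without saying which profile file or which entries to shrink; suggest naming them or marking the statement as untested.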
diff --git a/doc/Cyberflex.html b/doc/Cyberflex.html new file mode 100644 index 00000000..aee40516 --- /dev/null +++ b/doc/Cyberflex.html @@ -0,0 +1,21 @@ + +Cyberflex - OpenSC - Trac
+

Schlumberger / Axalto Cyberflex

+

+Earlier versions of Cyberflex cards have the same or a very similiar filesystem interface like the Cryptoflex cards. +Those cards work well with OpenSC. +

+

+Newer versions however are pure JavaCards? and will not work without a JavaApplet?. No such applet is currently supported by OpenSC. +

+

+MuscleCard is an open source software containing a JavaApplet? for Cryptoflex cards and has a pkcs#11 +library for Unix/Linux and Windows. +

+

+FIXME:Did anyone test such a card recently? +

+
+
diff --git a/doc/DesignDiscussion.html b/doc/DesignDiscussion.html new file mode 100644 index 00000000..498139c1 --- /dev/null +++ b/doc/DesignDiscussion.html @@ -0,0 +1,43 @@ + +DesignDiscussion - OpenSC - Trac
+

Design issues

+

+Every change that is not a small fix or minor enhancement requires some kind of design. In order to discuss design decisions as much as possible and leave some kind of track about decisions made and design in place other than source code and comments and maybe even documentation, this sector of the wiki could be used. As always - feel free to comment (but please leave your name after your comment). +

+

Pinpad functionality

+

+(Martin) +Current state of secure pin entry methods in OpenSC is somewhat limited and hairy. Checks and features and functionality spans several component borders (application, library, card driver, reader, pkcs15 layer, etc). The target is to provide smooth pinpad support. +

+

+In theory different layers affect the total pinpad-oriented functioning: +

+
  1. Reader capabilities - actual reader capabilities detected and enabled by the reader (ctapi, pcsc, openct) +
  2. Reader driver and how-if-what verify methods it implements (though the name verify is not correct if we talk about full pin operations) +
  3. Card driver and if it implements the new pin command interface or if it is possible at all for the given card (maybe it uses some other method, maybe it uses non-numeric passwords) +
  4. pkcs15 layer - what it thinks about underlying hardware capacities and if/how it makes use of it +
  5. pkcs11 layer - exports PROTECTED_AUTHENTICATION_PATH to indicate 'secure authentication (aka pinpad)' and itself feeds data to pkcs15 layer. +
  6. applications - how they interpret various parameters (like slot capabilities, pkcs11 features, etc), how/if they react or should react on empty pins etc. +
  7. Library internal UI functionality - instead of asking for a pin who should notify the user to insert the pin to the pinpad and how? +

+All these should be put to work for a common goal in a nice way. +

+

Requirements

+

Things to keep in mind

+

Decisions

+

+... to be continued ... +

+
+
diff --git a/doc/DesignDiscussion_UserInterface.html b/doc/DesignDiscussion_UserInterface.html new file mode 100644 index 00000000..5d4c280b --- /dev/null +++ b/doc/DesignDiscussion_UserInterface.html @@ -0,0 +1,20 @@ + +DesignDiscussion/UserInterface - OpenSC - Trac
+

User Interface

+

+OpenSC is all about SmartCards?. SmartCards? are all about cryptography. Cryptography is something users don't care much about nor want to know about. At the same time - SmartCards? are usually tightly tied to the cardholder. So user interaction and UserInterface? are actually important components of the overall solutions that SmartCards? provide. +

+

+To sum up where exactly and how user interaction takes place, can take place or should take place, we need to know what layers and standards affect this area. Then we can find the most convinient and optimal path so that the whole usage of smartcards can be somewhat hidden and convenient for the user. To be more precise: user interaction is everything that the user _must_ do in normal cases - so user _has_ to authenticate to the card somehow, but she must not start other interactions - some application can have the initiative. Information to the end user (errors etc) falls into this category too. +

+

To be continued

+
+
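Review bot: The first paragraph carries "SmartCards?" four times and "UserInterface?" once; the question marks look like unresolved wiki-link markers that survived the export, and the same pattern shows in other pages of this commit ("JavaCards?", "NetKey?", "TeleTrust?"). Suggest stripping these in the export step (export-wiki.xsl is listed in doc/Makefile.am) instead of by hand, and fixing "convinient" in the second paragraph.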
diff --git a/doc/EstonianEid.html b/doc/EstonianEid.html new file mode 100644 index 00000000..b98d698c --- /dev/null +++ b/doc/EstonianEid.html @@ -0,0 +1,20 @@ + +EstonianEid - OpenSC - Trac
+

Estonian EID

+

+OpenSC is the official software for the Estonian eID card for non-WinCSP platforms. +

+

+The official home page for the Estonian eID card is http://www.id.ee. +

+

+Martin Paljak has more information and downloads: http://ideelabor.ee/id-kaart. +

+

+More users of the estonian id card: +

+
+
diff --git a/doc/FinnishEid.html b/doc/FinnishEid.html new file mode 100644 index 00000000..7825dd39 --- /dev/null +++ b/doc/FinnishEid.html @@ -0,0 +1,49 @@ + +FinnishEid - OpenSC - Trac
+

+= Finnish FINEID = +

+

+The finnish eid card should work fine. +Of course it can only be used, but not altered. +

+

+FIXME:pin changes? +

+

+FIXME:extra data? +

+

+FIXME:did anyone test lately? +

+
+

+Unlocking a FINEID electronic identity card +

+

+You can ask the police for advice on the use of electronic identity cards. You can also test your electronic identity card at police stations. +

+

+If your electronic identity card has become locked, you can unlock it at a police station. You must have the correct PUK number with you to unlock the PIN number. +

+

+If you have lost your PUK number, the police can on request order a new PUK number, which will be sent by mail to the address you provide. The new number can then be used to unlock your PIN number. +

+

+Fees: +Unlocking a PIN number EUR 10 +New PUK number EUR 18 +

+

+For additional information on electronic identity cards, go to: +

+

+http://www.sahkoinenhenkilokortti.fi/ +

+

+http://www.vaestorekisterikeskus.fi/indexen.htm/ +

+
+
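Review bot: The page title is left as raw wiki markup, "= Finnish FINEID =", inside a paragraph instead of being rendered as a heading like the other pages in this commit. Suggest fixing the markup in the wiki source (most likely leading whitespace before the "=") and re-exporting. The three FIXME lines (pin changes, extra data, recent testing) also ship as visible text next to the claim that the card "should work fine".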
diff --git a/doc/GemplusGpk.html b/doc/GemplusGpk.html new file mode 100644 index 00000000..dd70d652 --- /dev/null +++ b/doc/GemplusGpk.html @@ -0,0 +1,16 @@ + +GemplusGpk - OpenSC - Trac
+

Gemplus GPK 16k

+

+Gemplus GPK 16k cards are fully supported by OpenSC and regularly tested. +

+

+FIXME:Links,Documentation +

+

+FIXME:where to buy, price +

+
+
diff --git a/doc/GermanEid.html b/doc/GermanEid.html new file mode 100644 index 00000000..38d0bf91 --- /dev/null +++ b/doc/GermanEid.html @@ -0,0 +1,20 @@ + +GermanEid - OpenSC - Trac
+

German TCOS

+

+German has several laws for smart cards, and to our knowledge all cards conforming to those laws are using the TCOS 2.0X card operating +system. +

+

+OpenSC has only some initial support for TCOS cards, but not enough to use those cards with OpenSC. Also there is some code for OpenSC that needs to be ported from an older version of OpenSC to the current, it contains some of the work necessary. +

+

+This does NOT mean, that you cannot use preformatted TCOS cards (i.e. NetKey? E4-cards) with OpenSC. You find more information about how to use NetKey? E4 card here. +

+

+SignTrust- and German EId-cards are also TCOS based but might have a different layout, so the NetKey? E4-emulation might not work with this cards. If you have such a card and know the location of the certificates, keys and PINs, please post this information on the opensc-devel list. +

+
+
diff --git a/doc/ItalianEid.html b/doc/ItalianEid.html new file mode 100644 index 00000000..030ae5fd --- /dev/null +++ b/doc/ItalianEid.html @@ -0,0 +1,22 @@ + +ItalianEid - OpenSC - Trac
+

Italian Infocamere

+

+Some versions of the italian infocamere card are supported by OpenSC. +

+

+FIXME:read-only?pin-changes? +

+

+FIXME:Add details +

+

+FIXME:did anyone test recently? +

+

+FIXME:documwentation, links....? +

+
+
diff --git a/doc/ItalianPostecert.html b/doc/ItalianPostecert.html new file mode 100644 index 00000000..76261a18 --- /dev/null +++ b/doc/ItalianPostecert.html @@ -0,0 +1,19 @@ + +ItalianPostecert - OpenSC - Trac
+

Italian Postecert

+

+Some versions of the italisn postecert card are supported by OpenSC. +

+

+FIXME:read-only? pin changes? +

+

+FIXME:did anyone test recently? +

+

+FIXME:documentation, pointers, etc.? +

+
+
diff --git a/doc/LinuxDistributions.html b/doc/LinuxDistributions.html new file mode 100644 index 00000000..3923e3ab --- /dev/null +++ b/doc/LinuxDistributions.html @@ -0,0 +1,40 @@ + +LinuxDistributions - OpenSC - Trac
+

Linux Distributions

+

+For GNU/Linux users the best solution is, if the distribution already includes recent packages +of OpenSC. Here is a survey of recent distributions. If you have additional infomation, +please add it. +

+ +
+
Debian woody (old stable) does not contain OpenSC packages +
Debian sarge (stable) OpenSC 0.9.6 included +
Debian sid (development) OpenSC 0.9.6 included +
Fedora Core 3 OpenSC 0.9.4 included +
Fedora Core 4 OpenSC 0.9.6 included +
Gentoo Portage OpenSC 0.9.6 in dev-libs/opensc +
Mandrake OpenSC 0.8.1 in contrib +
Novell/SUSE LINUX Enterprise Server 9 for x86 OpenSC 0.8.0 included +
OpenPKG not included +
Rock Linux OpenSC 0.9.4 included +
Suse 9.3 OpenSC 0.9.4 included +
Suse 9.2 OpenSC 0.8.1 included +
Suse 9.1 OpenSC 0.8.0 included +
+

+ATrpms lists some RPM based distributions. +

+

+Other operating systems: +

+ +
NetBSD not included +
FreeBSD OpenSC 0.9.4 included +
OpenBSD not included +
fink / Mac OS X not included +
+
+
diff --git a/doc/MacOsX.html b/doc/MacOsX.html new file mode 100644 index 00000000..9638c749 --- /dev/null +++ b/doc/MacOsX.html @@ -0,0 +1,66 @@ + +MacOsX - OpenSC - Trac
+

Using OpenSC on Mac OS X

+

+First you need Mac OS X Version 10.4 or later. Older version are supposed to not work well, +but if you try and have success, please report here. +I report! +it worked for me under 10.3.9 G4 1,2Ghz, and i can use my mpmanF50 again. Thanks. +reach me nicolasb at gmaildotcom. French tutorial here : http://nicolasbizard.free.fr/blog +

+

+Then you need a driver for your smart card reader. Hier is an examle for Axalto e-gate tokens: +* Download and install libusb. http://libusb.sourceforge.net/ +* Download ifd-egate from http://www.luusa.org/~wbx/sc/ifd-egate-0.05-patched.tar.gz +

+

+To install libusb, you need to extract the files, configure it, make, make install: +

+
wget http://switch.dl.sourceforge.net/sourceforge/libusb/libusb-0.1.10a.tar.gz
+tar xfvz libusb-0.1.10a.tar.gz
+cd libusb-0.1.10a
+./configure --prefix=/opt/smartcard
+make
+make install
+cd ..
+

+To install ifd-egate you need to extract the files, and use some environment variables to make sure it finds everything (or edit the +compile options in the Makefile directly): +

+
wget http://www.luusa.org/~wbx/sc/ifd-egate-0.05-patched.tar.gz
+tar xfvz ifd-egate-0.05-patched.tar.gz
+cd ifd-egate-0.05
+export USB_CFLAGS="-I/opt/smartcard/include -I/System/Library/Frameworks/PCSC.framework/Headers"
+export USB_LDFLAGS="-L/opt/smartcard/lib -lusb -Wl,-framework -Wl,PCSC"
+make -f Makefile-OSX clean
+make -f Makefile-OSX 
+make -f Makefile-OSX install
+export USB_CFLAGS=
+export USB_LDFLAGS=
+cd ..
+

+Last you need to download and install opensc. This is straight forward: download, extract, configure, make, make install. +

+
wget http://www.opensc.org/files/opensc-0.9.6.tar.gz
+tar xfvz opensc-0.9.6.tar.gz
+cd  opensc-0.9.6
+./configure --prefix=/opt/smartcard --sysconfdir=/etc
+make
+make install
+cd ..
+

SSH with smartcard support

+

+Mac OS X does include openssh, but unfortunatly compiled without smartcard support. +Here is how you can recompile openssh with it: +

+
wget ftp://ftp.leo.org/pub/OpenBSD/OpenSSH/portable/openssh-4.1p1.tar.gz 
+tar xfvz openssh-4.1p1.tar.gz
+cd  openssh-4.1p1
+./configure --prefix=/opt/smartcard --sysconfdir=/etc --with-opensc=/opt/smartcard
+make
+make install
+cd ..
+
+
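Review bot: The build steps fetch libusb, ifd-egate, opensc and openssh with wget over http and ftp and go straight to "make install", with no checksum or signature check on any tarball. For software that will handle smart card PINs and build an ssh client, suggest adding a verification step or pointing to where published checksums can be found. The first paragraph also carries a pasted user comment with a personal contact ("reach me nicolasb at gmaildotcom"), which probably should not ship in distributed docs, and "Hier is an examle" and "unfortunatly" need fixing.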
diff --git a/doc/Makefile.am b/doc/Makefile.am new file mode 100644 index 00000000..3cda9b72 --- /dev/null +++ b/doc/Makefile.am @@ -0,0 +1,42 @@ +# Process this file with automake to create Makefile.in + +MAINTAINERCLEANFILES = Makefile.in + +EXTRA_DIST = README export-wiki.sh export-wiki.xsl $(HTML) + +HTML= AladdinEtokenPro.html AutoVersions.html BelgianEid.html CardOs.html \ + CardReaders_CTAPI.html CardReaders_SPR532.html CardsAndTokens.html \ + CompatibilityIssues.html CompatiblityIssues.html \ + CryptoIdendityItsec.html Cryptoflex.html Cyberflex.html \ + DesignDiscussion.html DesignDiscussion_UserInterface.html \ + EstonianEid.html FinnishEid.html GemplusGpk.html GermanEid.html \ + ItalianEid.html ItalianPostecert.html LinuxDistributions.html \ + MacOsX.html MartinBlog.html MartinBlogMuscle.html \ + MartinBlogPlatform.html OpenPgp.html OpenSsh.html \ + OpensslEngines.html PinpadReaders.html PuTTYcard.html \ + RainbowIkeyThree.html RecentTestresults.html ReleaseHowto.html \ + ReplacingCertificates.html RoadMap.html SchlumbergerEgate.html \ + SmartCardApplications.html SpanishEid.html SubversionRepository.html \ + SupportedHardware.html SwedishEid.html TaiwanEid.html TelseCos.html \ + TroubleShooting.html WindowsCsp.html index.html pkcs11_keypair_gen.html + +# OLD +XSLTPROC = xsltproc --xinclude + +default: + @echo -e "The following make targets are available:\n" + @echo -e "\thtml\t\tA single HTML page\n" + @echo -e "\tman\t\tMan pages for all functions\n" + +all: html man + +clean: + rm -rf html man + +html: + $(XSLTPROC) -o html/api.html src/api/html.xsl src/api/api.xml + +man: + $(XSLTPROC) -o man/ src/api/man.xsl src/api/api.xml + +.SILENT: diff --git a/doc/MartinBlog.html b/doc/MartinBlog.html new file mode 100644 index 00000000..e311fd6d --- /dev/null +++ b/doc/MartinBlog.html @@ -0,0 +1,16 @@ + +MartinBlog - OpenSC - Trac
+

Smart Card Notes

+

+I create this page to keep track of my activities on OpenSC hacking so that it would be easy for me to manage&update and available for others who might be interested in the topic and so that somebody else could correct the mistakes I'm doing ;) +

+

+MartinBlogPlatform - description of personal setups i use for testing +

+
+
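Review bot: In doc/Makefile.am, the block under "# OLD" defines "all:" and "clean:" directly, which overrides the targets automake generates itself (the supported hooks are all-local and clean-local), and "all: html man" runs xsltproc against src/api/api.xml, which this commit does not add. If those rules are obsolete, as the comment suggests, suggest removing them along with "default:" and ".SILENT:". The HTML list also includes the misspelled CompatiblityIssues.html, and "echo -e" is not portable across /bin/sh implementations.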
diff --git a/doc/MartinBlogMuscle.html b/doc/MartinBlogMuscle.html new file mode 100644 index 00000000..e8109ed3 --- /dev/null +++ b/doc/MartinBlogMuscle.html @@ -0,0 +1,47 @@ + +MartinBlogMuscle - OpenSC - Trac
+

MUSCLE

+

+##TODO## muscle info +

+

+What i have +

+

+What i run on +

+

+How to access the e-gate USB token +

+

+ +How to load the applet to the card +

+

+What to do with the card then? +

+

+Some notes +

+
+
diff --git a/doc/MartinBlogPlatform.html b/doc/MartinBlogPlatform.html new file mode 100644 index 00000000..39ec0922 --- /dev/null +++ b/doc/MartinBlogPlatform.html @@ -0,0 +1,23 @@ + +MartinBlogPlatform - OpenSC - Trac
+

Platforms and hardware

+

CardReaders

+

+I actively use these readers for testing purposes +

+

Windows

+

Linux

+

OS X

+
+
diff --git a/doc/OpenPgp.html b/doc/OpenPgp.html new file mode 100644 index 00000000..1c23b5ab --- /dev/null +++ b/doc/OpenPgp.html @@ -0,0 +1,9 @@ + +OpenPgp - OpenSC - Trac
+

+OpenPGP 1.0 cards work fine with OpenSC. +

+
+
diff --git a/doc/OpenSsh.html b/doc/OpenSsh.html new file mode 100644 index 00000000..2077b7ab --- /dev/null +++ b/doc/OpenSsh.html @@ -0,0 +1,58 @@ + +OpenSsh - OpenSC - Trac
+

OpenSSH and OpenSC

+

+OpenSSH contains support for opensc, if it was compiled with "--with-opensc". +Unfortunately the openssh version included in most distributions is not compiled +this way. You can recompile openssh yourself. Ready-to-use binary packages are +available here: +

+ +
Distribution Download URL +
Name ADD URL +
Gentoo The USE-flag "smartcard" makes the openssh ebuild depend on opensc and apply appropriate patches. Add the USE-flag system-wide to /etc/make.conf or just for OpenSSH in /etc/portage/package.use and re-emerge openssh. USE=smartcard emerge openssh will still work but is discouraged by Gentoo. +
+

+If you compile OpenSSH yourself: Please apply the patch in opensc-0.9.6/src/openssh/ask-for-pin.diff. +This patch fixes a small issue: openssh "ssh" command will not ask for a pin and thus not work well +with smart cards. Ssh-add will ask for a pin, and thus ssh plus ssh-agent will work well. This patch +adds code so that ssh will ask for the smartcard pin, too. This patch was not accepted upstream so +far, the openssh development team has a concept for a rewrite towards a cleaner solution, but this +is still pending. So for now the patch is our best option. +Seel also: OpenSSH bug 608 +

+

Using OpenSSH with a smartcard

+
ssh -I 0 root@somehost
+

+will use the smart card in reader 0 and private key 0x45 to authenticate as root on host somehost. +This will of course only work if root@somehost has a ".ssh/authorized_keys" file and the public key +related to this private key is in that file. +

+
ssh-keygen -D 0 
+

+will download the public key from your smart card and print it in ssh1 and ssh2 format. You only need +one of those two lines. Put it into ".ssh/authorized_keys" on the target host and account like you do +with a normal .ssh/id_rsa.pub file. You can add a space char and a comment at the end of the line, +I usually add something like " aj@smartcard" so I know this is the key from my smartcard. +

+

+Starting with the next OpenSC release you can also use pkcs15-tool to display a public key in openssh +format. To do this type +

+
pkcs15-tool --read-ssh-key [--reader 0] [--id 45]
+

+the default reader is 0 and the default id is 45, so typically you don't need those options. +(This might be useful for windows, since putty/pageant currently has no equivalent of "ssh-keygen -D 0".) +

+

+The OpenSSH public key format is defined at +[http://www.ietf.org/internet-drafts/draft-ietf-secsh-publickeyfile-08.txt] +

+

+TODO: it would be propably nicer to have one --read-public-key parameter, and a second optional parameter +--format with possible values der, pem, ssh1, ssh2. A patch to implement this would be very welcome. +

+
+
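Review bot: the binary-package table still contains the template row "Name ADD URL", so "Ready-to-use binary packages are available here" points at nothing except the Gentoo entry; fill in real download locations or drop the row and reword the sentence. In the first usage example the text says `ssh -I 0` uses "private key 0x45", but nothing in the command selects a key, so say where 0x45 comes from (the pkcs15-tool paragraph further down calls 45 the default id). The example would also be better with an unprivileged account than with root@somehost. Typos: "Seel also", "propably".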
diff --git a/doc/OpensslEngines.html b/doc/OpensslEngines.html new file mode 100644 index 00000000..8edaa236 --- /dev/null +++ b/doc/OpensslEngines.html @@ -0,0 +1,20 @@ + +OpensslEngines - OpenSC - Trac
+

OpenSSL Engines

+

+The OpenSSL project offers the possibility to source out cryptographic functionality to plugin modules called engines. Usually there is one of two reasons for doing this, performance and security. +

+

+The performance reason is rather obvious, specialized hardware can do cryptography much faster than a general purpose computer. +

+

+The reason for using the opensc-engine typically is a security reason. If you are storing your private keys on a harddisk there is a lot of things an administrator (or a virus with root privileges) can do to steal your key. If the key is on a smart card there is usually no way to export the private key, so if you pull the card from the reader noone can use your keys. And if you use a certified and sealed reader device you can even be reasonably sure that noone can steal your PIN. +

+

Using OpenSC as a smart card engine for OpenSSL

+

+Include the text from QUICKSTART here? +

+
+
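Review bot: the section "Using OpenSC as a smart card engine for OpenSSL" consists only of the open question "Include the text from QUICKSTART here?", so the page explains why to use the engine but not how. Either import the QUICKSTART text in this patch or leave the heading out until there is content. In the security paragraph, "noone" should be "no one" (twice) and "there is a lot of things" should be "there are a lot of things".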
diff --git a/doc/PinpadReaders.html b/doc/PinpadReaders.html new file mode 100644 index 00000000..67658f53 --- /dev/null +++ b/doc/PinpadReaders.html @@ -0,0 +1,39 @@ + +PinpadReaders - OpenSC - Trac
+

Pinpad Readers

+

+Pinpad support with OpenCT is still under development. If you want to test it you'll have to use development snapshots of OpenSC and will most probably run into difficulties and/or outright bugs. +Reporting those bugs on the mailinglist may be a good way to get them fixed. +

+

+Currently Win32 and Unix versions follow quite different approaches, mainly due to availability of different drivers. +

+

+The Unix approach using CCID compliant readers is discribed in the CardReaders/SPR532 document, I'll have a word about CT-API Readers which are common on Win32 (if you have one on a Unix system please tell me!). +(martin: The 'ccid' in the spec is misleading - every ifdhandler can be changed to implement the teletrust spec - it uses a control block similar to CCID pin block but is _not_ pure ccid up to the lowest levels of the driver. And: the latest spr532 drivers for windows should follow the same spec and thus it _should_ work on windows. it is more tied to pcsc than it is tied to pure ccid) +

+

Known and tested pinpad readers

+

+Please feel free to add your hardware and experiences here. +

+

+Class 2 readers have a pinpad for secure pin entry. Sometimes they are plugged between computer and keyboard so they use the keyboard for pin entry but capture the keystrokes before they reach the computer. +

+

+Class 3 readers have pinpad and a display. +

+ +
Reader OS Type CT-API library Comments +
SCM STR 391 "CashMouse" Win32 Class 3 USB CTRSRW32.dll Works fine with Win32, no Unix support planned +
Cherry G83-6700 Smartboard Win32 Class 2 PS/2 CTMGR.DLL A keyboard integrated reader which uses the keyboard for pin entry. Buggy CT-API driver, I got it working but not without patching OpenCT. No known Unix support +
Reiner SCT cyberJack pinpad Win32 Class 2 USB CTRSCT32.DLL According to the manufacturer's website it should also run on Linux, but I haven't managed it. +
Reiner SCT cyberJack keyboard Win32 Class 2 PS/2 CTRSCT32.DLL A cheap class 2 solution. It uses the keyboard for pin entry. No known Unix support. +
SCM SPR 332, 532 "Chipdrive Pinpad" Win32 Class 2 USB CTPCSC32.dll A widely used CCID compliant reader. I also got it working on Linux following Martin's CardReaders/SPR532 suggestions +
+

+Kobil and OmniKey also offer pinpad readers, if someone could test one of those with OpenSC feedback would be appreceated. +

+
+
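Review bot: the opening paragraph says pinpad support "with OpenCT" is under development but then tells testers to use development snapshots of OpenSC, and the Cherry row speaks of patching OpenCT; state which project carries the pinpad code so testers know which snapshot to build and where to report bugs. The parenthesised "(martin: ...)" remark reads as an unresolved wiki discussion inside the body text; fold its point about the teletrust spec and pcsc into the paragraph or move it to a comment. Typos: "discribed", "appreceated".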
diff --git a/doc/PuTTYcard.html b/doc/PuTTYcard.html new file mode 100644 index 00000000..3f406948 --- /dev/null +++ b/doc/PuTTYcard.html @@ -0,0 +1,251 @@ + +PuTTYcard - OpenSC - Trac
+

PuTTYcard

+

+PuTTYcard is an extension to PuTTY, the free SSH-client +from Simon Tatham. With this extension PuTTY can use +RSA-keys from external devices, ie. smart cards, usb-tokens. +

+

+If pageant is called with one argument, it will interpret +this argument as the name of a key-file. Pageant will then +load this ppk-file into its keylist, or if another instance of +Pageant is already running into the keylist of that instance. +

+

+The pageant-version from PuTTYcard-0.58-V1.2.zip (can be downloaded +from OpenSCs contrib area) will do exactly the same thing +with one exception. If the first line of the ppk-file +has the form: +

+
PuTTYcard,<path to DLL>,<arguments for the DLL>
+

+then Pageant will NOT read the key from the ppk-file. Instead +it loads the DLL and calls a function from that DLL passing +the arguments from the ppk-file to this function. +

+

+The function may then fetch a public RSA key from any +source. Possbile choices are: files, smart cards, PKCS11 +libraries, Cryptographic Service Providers, etc. +

+

+PuTTYcard-0.58-V1.2.zip contains PuTTYiso7816.dll. This +DLL will load an RSA key from any ISO-7816-8 compatible +smart card. PuTTYiso7816 need additional information +from the ppk-file, namely the location of the RSA key +on your specific smartcard. +

+

+This information is given as 4 hexadecimal numbers, i.e. +your ppk-file should look like +

+
PuTTYcard,PuTTYiso7816.dll,<path>,AA,BB,CCCC
+

+<path> is the DF on your smart card that contains the RSA-key. +This must be specified as a 4,8,12 or 16digit hexadecimal +number. Do NOT prefix the path with 3F00. +AA is the key-reference of the private key, BB is the +pin-reference of the pin that protects your private key. +CCCC is the ID of a file on your card that contains your +public key. This file must either contain the public key +as two ASN1-encoded records or it must be a certificate file +from which the pulic key will be extracted. +

+

How do I find the above mentiones numbers?

+

+One of the first actions of PuTTYcard +is to change its working DF to the DF given by the +<path>-argument. The remaining information +(private and public key, PIN and maybe a certificate) +will then be read from that DF. Try pkcs15-tool -k +to list all of your keys and that should give you the +information you need. +

+

+Here's the output for my Netkey E4 card: +

+
$ pkcs15-tool -k
+Private RSA Key [Signatur-Schlüssel]
+        Com. Flags  : 1
+        Usage       : [0x204], sign, nonRepudiation
+        Access Flags: [0x1D], sensitive, alwaysSensitive, neverExtract, local
+        ModLength   : 1024
+        Key ref     : 128
+        Native      : yes
+        Path        : DF015331
+        Auth ID     : 04
+        ID          : 01
+
+Private RSA Key [Authentifizierungs-Schlüssel]
+        Com. Flags  : 1
+        Usage       : [0x207], encrypt, decrypt, sign, nonRepudiation
+        Access Flags: [0x1D], sensitive, alwaysSensitive, neverExtract, local
+        ModLength   : 1024
+        Key ref     : 130
+        Native      : yes
+        Path        : DF015371
+        Auth ID     : 04
+        ID          : 02
+
+Private RSA Key [Verschlüsselungs-Schlüssel]
+        Com. Flags  : 1
+        Usage       : [0x207], encrypt, decrypt, sign, nonRepudiation
+        Access Flags: [0x1D], sensitive, alwaysSensitive, neverExtract, local
+        ModLength   : 1024
+        Key ref     : 129
+        Native      : yes
+        Path        : DF0153B1
+        Auth ID     : 03
+        ID          : 03
+

+This card has three keys all of which are stored in DF DF01. +This is your <path>-value. Do not include the last component of the +path from the pkcs15-tool-output as this is the ID of the +private key itself. +

+

+The next information you need is the key reference. This value +is included as a decimal number in the above output (ie. 128, 130 and 129). +This value must be converted to a 2-digit hexadcimal number. Let's +use the second key, so your AA-value is 82. +

+

+Your private key is protected by a PIN and the pkcs15-tool -k-output +contains the Auth-ID of this PIN. Here it is 04. This is not +your PIN-reference. Use pkcs15-tool --list-pins to list all +your PINs and use the PIN-reference of the PIN that has the same Id +as the Auth-Id of your key. +

+
$ pkcs15-tool --list-pins
+PIN [globale PIN]
+        Com. Flags: 0x3
+        ID        : 01
+        Flags     : [0x51], case-sensitive, initialized, unblockingPin
+        Length    : min_len:6, max_len:16, stored_len:16
+        Pad char  : 0x00
+        Reference : 0
+        Type      : ascii-numeric
+        Path      : 5000
+        Tries left: 3
+
+PIN [globale PUK]
+        Com. Flags: 0x3
+        ID        : 02
+        Flags     : [0xD1], case-sensitive, initialized, unblockingPin, soPin
+        Length    : min_len:8, max_len:16, stored_len:16
+        Pad char  : 0x00
+        Reference : 1
+        Type      : ascii-numeric
+        Path      : 5001
+        Tries left: 3
+
+PIN [lokale PIN0]
+        Com. Flags: 0x3
+        ID        : 03
+        Flags     : [0x13], case-sensitive, local, initialized
+        Length    : min_len:6, max_len:16, stored_len:16
+        Pad char  : 0x00
+        Reference : 128
+        Type      : ascii-numeric
+        Path      : DF015080
+        Tries left: 3
+
+PIN [lokale PIN1]
+        Com. Flags: 0x3
+        ID        : 04
+        Flags     : [0xD3], case-sensitive, local, initialized, unblockingPin, soPin
+        Length    : min_len:6, max_len:16, stored_len:16
+        Pad char  : 0x00
+        Reference : 129
+        Type      : ascii-numeric
+        Path      : DF015081
+        Tries left: 3
+

+Again the PIN-reference is given in decimal (here it is 129) and must be +converted to a 2-digit hexdecimal number, namely 81. This is +your BB-value. +

+

+Finally you need the file-ID of the public key or a certificate file +from which he public key could be extracted. +

+

+So either use pkcs15-tool --list-public-keys or +pkcs15-tool -c. With my Netkey card pkcs15-tool --list-public-keys +does not show any keys. This is because my Netkey card +contains the public key, but it cannot be used for cryptographic +operations. From other sources (ie. card doku) I know that +the public key is stored in file DF01:4571, so one possible +CCCC-value is 4571. +

+

+If I list all my certificates I get: +

+
$ pkcs15-tool -c                
+X.509 Certificate [Telesec Signatur Zertifikat]
+        Flags    : 0
+        Authority: no
+        Path     : DF01C000
+        ID       : 01
+
+X.509 Certificate [User Signatur Zertifikat 1]
+        Flags    : 2
+        Authority: no
+        Path     : DF014331
+        ID       : 01
+
+X.509 Certificate [User Signatur Zertifikat 2]
+        Flags    : 2
+        Authority: no
+        Path     : DF014332
+        ID       : 01
+
+X.509 Certificate [Telesec Authentifizierungs Zertifikat]
+        Flags    : 0
+        Authority: no
+        Path     : DF01C100
+        ID       : 02
+
+X.509 Certificate [User Authentifizierungs Zertifikat 1]
+        Flags    : 2
+        Authority: no
+        Path     : DF014371
+        ID       : 02
+
+X.509 Certificate [Telesec Verschlüsselungs Zertifikat]
+        Flags    : 0
+        Authority: no
+        Path     : DF01C200
+        ID       : 03
+
+X.509 Certificate [User Verschlüsselungs Zertifikat 1]
+        Flags    : 2
+        Authority: no
+        Path     : DF0143B1
+        ID       : 03
+

+A certificate contains the right public key, if it has the +same ID as the private key (here 02). My card has two such +certificates namely DF01:C100 and DF01:4371 so two other +possible CCCC-values are C100 and 4371 +

+

+On a Netkey card a private key may be protected by more than +one PIN. So instead of PIN-reference 81 (which references +local PIN1) I may alternatively use PIN-reference 00 (which +references global PIN0) +

+

+So all of the following six lines will work: +

+
PuTTYcard,PuTTYiso7816.dll,DF01,82,81,4571
+PuTTYcard,PuTTYiso7816.dll,DF01,82,81,C100
+PuTTYcard,PuTTYiso7816.dll,DF01,82,81,4371
+PuTTYcard,PuTTYiso7816.dll,DF01,82,00,4571
+PuTTYcard,PuTTYiso7816.dll,DF01,82,00,C100
+PuTTYcard,PuTTYiso7816.dll,DF01,82,00,4371
+
+
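Review bot: the paragraph on the `PuTTYcard,<path to DLL>,<arguments for the DLL>` first line should spell out the trust consequence: Pageant loads and calls into whatever DLL the ppk-file names, so opening such a file means running code chosen by whoever wrote it. Add a sentence telling users to load these files only from locations they control, and consider showing the DLL with a full path rather than the bare `PuTTYiso7816.dll` used in the examples. Separately, the text calls PIN-reference 00 "global PIN0", while the `--list-pins` output labels Reference 0 as "globale PIN" and uses PIN0/PIN1 for the local PINs; align the names. Typos: "Possbile", "pulic", "mentiones", "hexadcimal", "hexdecimal", "he public key".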
diff --git a/doc/README b/doc/README new file mode 100644 index 00000000..3f49ee26 --- /dev/null +++ b/doc/README @@ -0,0 +1,10 @@ +This directory contains a snapshot of the OpenCT Wiki +===================================================== + +The original wiki page is at http://www.opensc.org/openct/ +and includes a bug tracker and source browser. + +The wiki was transformed to html using the export-wiki shell +script and xsl style sheet. The original version is at + http://www.twdata.org/trac-howto/ + diff --git a/doc/RainbowIkeyThree.html b/doc/RainbowIkeyThree.html new file mode 100644 index 00000000..22353d23 --- /dev/null +++ b/doc/RainbowIkeyThree.html @@ -0,0 +1,31 @@ + +RainbowIkeyThree - OpenSC - Trac
+

Rainbow iKey 3000

+

+Rainbow offers the iKey 300, an USB crypto token with 32k memory +and support for RSA keys up to 1024bit key length. +

+

+The iKey 3000 is fully supported by OpenSC and is well tested. +

+

+The smart card inside is a starcos card by Gieseke and Devrient. +

+

+One minor feature of Starcos is that a pin can only be unblocked if it is blocked. For this reason the regression test pin0002 fails, but this is a harmless and known issue, so please ignore. +

+

+Rainbow iKey 3000 is bundled with StarSign? software by A.E.T. which follows the PKCS#15 standard. Thus key +can be initialized with either OpenSC or StarSign? and will work with both. +

+

+Documentation for the Starcos Smartcard is available to the public. Send those nice folks at G&D an email +and they will send you the latest manual. +

+

+Cyprotect sells Rainbow iKey 3000 tokens at 68 Euro per piece. +

+
+
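Review bot: the first paragraph names the product "iKey 300" while the heading and every other paragraph say iKey 3000; correct the model number. "StarSign?" appears twice with a stray question mark that looks like a leftover from the wiki export, "Gieseke and Devrient" should read "Giesecke & Devrient", and "Thus key can be initialized" is missing an article. The "68 Euro per piece" price will go stale in a static snapshot, so either date it or drop it.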
diff --git a/doc/RecentTestresults.html b/doc/RecentTestresults.html new file mode 100644 index 00000000..03f0da9a --- /dev/null +++ b/doc/RecentTestresults.html @@ -0,0 +1,232 @@ + +RecentTestresults - OpenSC - Trac
+

Recent test results for various smart cards

+

+Providing test results is a bit difficult, since a test includes +

+

+And of course the features that were tested. Here is a list: +

+

+We can't test all combinations of OpenSC, card, Reader, driver software with all features. +

+

+So the basic regression tests (or pkcs11-tool for pre-initialized cards) is done with as many cards +as possible on at least one plattform. Once we know the cards work with OpenSC on this plattform, the next test is +to test as many features as possible on many plattforms, but it is ok to test only with a few or only once card. +

+

+Which cards passed the src/test/regression/run-all test suite? +

+
+ +++++++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Card NameOpenSCDateReaderReader driverResultTester
Aladdin eToken PRO0.9.52005-01-13Aladdin eToken PROOpenCT 0.6.3All ok.Andreas Jellinghaus
Cryptoflex 32k0.9.52005-01-13eGate TokenOpenCT 0.6.3All ok.Andreas Jellinghaus
Rainbow iKey 30000.9.52005-01-13Rainbow iKey 3000OpenCT 0.6.3All ok.Andreas Jellinghaus
+

+Note that Rainbow iKey 3000 has a Starcos SPK 2.3 operating system, and thus the pin0002 test will +fail, but this is ok as the Starcos SPK 2.3 implementation of the ISO 7816 RESET RETRY COUNTER command +is not ISO compliant. +

+

+Which cards passed the "pkcs11-tool --test --login" test? (Only for pre-initialized cards) +

+
+ +++++++++ + + + + + + + + + + + + + + + + + + +
Card NameOpenSCDateReaderReader driverResultTester
Signtrust TCOS0.9.52005-03-04Towitoko SerialOpenCT 0.6.3???Andreas Jellinghaus
+

+Which operating system works fine with OpenSC? Add one line for every feature that works or not. +

+
+ +++++++++ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
Operating SystemVersionArchitectureOpenSCFeatureResultTester
Windows XPPRO SP2i3860.9.5+winfixespkcs15-initAll ok.Andreas Jellinghaus
Windows XPPRO SP2i3860.9.5+winfixespkcs11-toolAll ok.Andreas Jellinghaus
Windows XPPRO SP2i3860.9.5+winfixesputtyAll ok.Andreas Jellinghaus
Windows XPPRO SP2i3860.9.5+winfixesfirefoxCrashes.Andreas Jellinghaus
Debian GNU/LinuxSargei3860.9.5pkcs15-initAll ok.Andreas Jellinghaus
Debian GNU/LinuxSargei3860.9.5pkcs15-initAll ok.Andreas Jellinghaus
Debian GNU/LinuxSargei3860.9.5pkcs15-initAll ok.Andreas Jellinghaus
Debian GNU/LinuxSargei3860.9.5pkcs15-initAll ok.Andreas Jellinghaus
+

+After you have tested some hardware, please let us know by adding a line. +If something does not work as expected, please also open a new ticket +with a detailed bug report. +

+

+Note: adding your name as tester is optional. I think it might be nice so one can ask more details if necessary. +

+
+
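Review bot: the operating-system table ends with four identical rows (Debian GNU/Linux, Sarge, i386, 0.9.5, pkcs15-init, "All ok."); if these were meant to cover pkcs11-tool and other features as the Windows XP rows do, the Feature column needs correcting, otherwise remove the duplicates. The Signtrust TCOS row records the result as "???", which tells the reader nothing; enter the observed result or leave the row out until the test has been run. In the lines shown, "since a test includes" and "Here is a list:" are not followed by any list. Typos: "plattform" (three times), "only once card".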
diff --git a/doc/ReleaseHowto.html b/doc/ReleaseHowto.html new file mode 100644 index 00000000..4edb35e2 --- /dev/null +++ b/doc/ReleaseHowto.html @@ -0,0 +1,36 @@ + +ReleaseHowto - OpenSC - Trac
+

OpenSC Release Howto

+

+Announcement +

+

+The OpenSC version must be updated in these files: +

+

+The News file needs to be edited: put in Name and Date. +

+

+The library version must be updated in these files: +

+

+Announce: +

+
+
diff --git a/doc/ReplacingCertificates.html b/doc/ReplacingCertificates.html new file mode 100644 index 00000000..7298cdaf --- /dev/null +++ b/doc/ReplacingCertificates.html @@ -0,0 +1,75 @@ + +ReplacingCertificates - OpenSC - Trac
+

Replacing a certificate on a card

+

+Unfortunatly not all cards allow to replace a certificate with a new one. +Here is a small HOWTO for Aladdin eToken PRO (should work with any cardos card). +

+

+1. Create a new certificate. If it's a self signed certificate, don't forget to add the -days attribute, else you'll have to do this process very often. +

+

+2. If you have the certificate PEM encoded (this is very likely if you use the default settings of openssl) then convert it to DER encoded: +

+
$ openssl x509 -in mycert.pem -outform DER -out mycert.der
+

+3. Now get the path of the certificate: +

+
 $ pkcs15-tool -c
+X.509 Certificate [Certificate]
+        Flags    : 2
+        Authority: no
+        Path     : 3F0050154301
+        ID       : 45
+
+

+The path here is: 3F0050154301 +

+

+4. open up opensc-explorer +

+
OpenSC > cd 5015
+

+5. present the valid key for the certificate file, usually the normal pin. You can get info about wich pin to use by executing: +

+
OpenSC > info [EF]
+

+where [EF] is the name of the cert EF (in the above example 4301) +

+

+You'll need the key in hexadecimal format, an example how to convert it: +

+
 $ export HISTFILE=
+ $ php -r 'echo bin2hex("pssword")."\n";'
+707373776f7264
+

+You'll have to add the colons manually. If your password is shorter than 8 characters, fill it up with 00-s. So with the above example you enter at the opensc-explorer: +

+
OpenSC > verify CHV3 70:73:73:77:6f:72:64:00
+

+Code correct. +

+

+6. Now you can load the data from the DER encoded file into the EF on the card: +

+
OpenSC > put 4301 mycert.der
+

+If you get no errors, then you're done. +

+

+Remarks: +

+

+_won't_ need to replace your .eid/authorized_certificates, or .ssh/authorized_keys files. +

+

+Thanks to Attila Nagy for this information. +

+
+
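Review bot: step 5 converts the PIN with `php -r 'echo bin2hex("pssword")."\n";'`, which places the PIN on the command line where other local users can see it in the process list; `export HISTFILE=` only keeps it out of the shell history. Suggest reading the value from standard input with echo disabled and converting that, and say in the text why. The padding rule ("shorter than 8 characters, fill it up with 00-s") should state whether 8 is specific to this card, and the text says "usually the normal pin" while the example verifies CHV3 without explaining the number. The Remarks paragraph starts mid-sentence with "_won't_ need to replace", so the beginning of that remark appears to be missing. Typos: "Unfortunatly", "wich".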
diff --git a/doc/RoadMap.html b/doc/RoadMap.html new file mode 100644 index 00000000..15e560f3 --- /dev/null +++ b/doc/RoadMap.html @@ -0,0 +1,24 @@ + +RoadMap - OpenSC - Trac
+

Roadmap for OpenSC

+

+This page should be a place for discussions about future developments of OpenSC in free form untill something clear comes out so that a reference to the Roadmap module and an exact ticket can be made. Issues not directly concerning OpenSC go here too. Feel free to add comments (also state your name in parentheses after your comment!) and ideas for others to digest. This way the targets can be analysed, grouped etc. DesignDiscussion complements this page. +

+
+

+Some assumptions/facts by martin: +

+

+Based on those assumptions, I'd suggest to focus the efforts on these aspects: +

+
+
diff --git a/doc/SchlumbergerEgate.html b/doc/SchlumbergerEgate.html new file mode 100644 index 00000000..4cb36f3b --- /dev/null +++ b/doc/SchlumbergerEgate.html @@ -0,0 +1,28 @@ + +SchlumbergerEgate - OpenSC - Trac
+

Schlumberger / Axalto e-gate

+

+Schlumberger/Axalto offers the e-gate adapter, an USB adapter for Schlumberger / Axalto +Cryptoflex and Cyberflex cards. +

+

+The combination of Cryptoflex egate 32k with plug and e-gate token adapter is very well tested and works perfectly. +

+

+The Cyberflex 32k is currently not supported - you would need a javacard applet first and then OpenSC support for that applet. +

+

+Documentation for Cryptoflex cards are available for public download at [http://www.cryptoflex.com/]. +

+

+Cards and adapter are directly sold by the manufacturer at [http://www.scmegastore.com/] (cards in packs of 5 only), +five cards and adapters are sold for 150 US$. +

+

Test Results

+

+Smart card bundle 0.3rc2 works fine on Windows XP (cryptoflex card, pkcs11-tool --test ...) +

+
+
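Review bot: the Test Results entry gives the command as "pkcs11-tool --test ..." with the options elided and carries no date or tester, unlike the rows in RecentTestresults.html from the same patch; write out the command that was run and add when and by whom. "Documentation for Cryptoflex cards are available" should be "is available", and the "150 US$" price needs a date or should go.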
diff --git a/doc/SmartCardApplications.html b/doc/SmartCardApplications.html new file mode 100644 index 00000000..e39abd79 --- /dev/null +++ b/doc/SmartCardApplications.html @@ -0,0 +1,12 @@ + +SmartCardApplications - OpenSC - Trac
+

Smart Card Applications

+

+OpenSC comes with a bunch of utilities to test, debug and initialize smartcards. In addition to these smart card targeted utilities other applications can be made 'smartcard aware' using: +

+
+
diff --git a/doc/SpanishEid.html b/doc/SpanishEid.html new file mode 100644 index 00000000..b754df3c --- /dev/null +++ b/doc/SpanishEid.html @@ -0,0 +1,17 @@ + +SpanishEid - OpenSC - Trac
+

Spanish Ceres

+

+The spanish ceres cards are using OpenSC for their official software. +

+

+To use ceres cards however you need to use the official software, which consists of OpenSC and an additional binary only module. +OpenSC is licensed under LGPL license and allowes to do this. +

+

+More details are available at [http://opensc-ceres.software-libre.org/]. +

+
+
diff --git a/doc/SubversionRepository.html b/doc/SubversionRepository.html new file mode 100644 index 00000000..b6ec429b --- /dev/null +++ b/doc/SubversionRepository.html @@ -0,0 +1,55 @@ + +SubversionRepository - OpenSC - Trac
+

Subversion Repository

+

+OpenSC is using subversion as version control system. You can find out more about subversion at +

+

+In our subversion repository we have +

+

+You can checkout these with the subversion commands +

+
svn co http://www.opensc.org/svn/opensc/trunk/
+svn co http://www.opensc.org/svn/opensc/branches/opensc-0.9/
+svn co http://www.opensc.org/svn/opensc/releases/opensc-0.9.4/
+

+Note that the subversion repository only contains development files. +Before compiling the code you need to run the "./bootstrap" script +to create many files like "configure" and "Makefile.in". You need to have +autoconf, automake and libtool installed on your system to do that (see AutoVersions) +

+

+Some people have reported problems with some http proxies. If you find some problem, +you can maybe solve it by using https instead. Try to checkout the repository +like this: +

+
svn co --non-interactive https://www.opensc.org/svn/opensc/trunk/
+svn co --non-interactive https://www.opensc.org/svn/opensc/branches/opensc-0.9/
+svn co --non-interactive https://www.opensc.org/svn/opensc/opensc-0.9.4/
+

Write access for developers

+

+Developers with write access usualy access the repository via https with authentication +using ssl client certificates. You might want to put something like this into your +~/.subversion/server file to point subversion to your client certificate: +

+
[groups]
+opensc = www.opensc.org
+
+[opensc]
+ssl-client-cert-file=/home/aj/.subversion/aj.p12  
+

+You can access the repositories: +

+
svn co https://www.opensc.org/svn/opensc/trunk/
+svn co https://www.opensc.org/svn/opensc/branches/opensc-0.9/
+svn co https://www.opensc.org/svn/opensc/opensc-0.9.4/
+
+
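Review bot: the release checkout URL is inconsistent across the three command blocks: the http block uses `/svn/opensc/releases/opensc-0.9.4/`, while both https blocks use `/svn/opensc/opensc-0.9.4/` without `releases/`; one of them will not resolve. The client-certificate paragraph names the file `~/.subversion/server`, but Subversion reads `~/.subversion/servers`. Since the example points at a PKCS#12 file under `/home/aj/`, use a neutral path and add a line that the file holds the developer's private key and should be readable only by its owner. Typo: "usualy".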
diff --git a/doc/SupportedHardware.html b/doc/SupportedHardware.html new file mode 100644 index 00000000..0920b390 --- /dev/null +++ b/doc/SupportedHardware.html @@ -0,0 +1,37 @@ + +SupportedHardware - OpenSC - Trac
+

Supported Hardware

+

+There are two flavors of hardware support: The first one is "use-only", it's a bit like read-only: +You can use the keys (if you know the pin), and read the public information from the card, but you +cannot alter it. This kind of support is typical for national ID cards. The second type is the +full support including initializiation. That means you can buy a blank card, then create the +pkcs#15 structures, generate key, store certificates and so on. +

+

Read-Only supported cards

+

Fully supported cards

+

Readers

+

+For some supported SmartCard readers have a look at the PinpadReaders page. +

+
+
diff --git a/doc/SwedishEid.html b/doc/SwedishEid.html new file mode 100644 index 00000000..2ad1ddd5 --- /dev/null +++ b/doc/SwedishEid.html @@ -0,0 +1,22 @@ + +SwedishEid - OpenSC - Trac
+

Swedish ePosten card

+

+The swedish eposten card is supported by OpenSC. +

+

+It can only be used, not altered. +

+

+FIXME:Pin changes? +

+

+FIXME:Did anyone test recently? +

+

+FIXME:Documentation etc? +

+
+
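Review bot: the page states the card "is supported by OpenSC" and then leaves three open FIXME lines, one of which asks "Did anyone test recently?"; as committed, the support claim is unverified. Either resolve the FIXMEs before adding the page to the snapshot or reword the first sentence to say when support was last confirmed. "swedish eposten" should be capitalised to match the heading.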
diff --git a/doc/TaiwanEid.html b/doc/TaiwanEid.html new file mode 100644 index 00000000..980adbfd --- /dev/null +++ b/doc/TaiwanEid.html @@ -0,0 +1,16 @@ + +TaiwanEid - OpenSC - Trac
+

Taiwan

+

+Gieseke and Devrient tell us Taiwan is using StarSign? based tokens for a nation-wide PKI project. +

+

+OpenSC supports Starcos, but I don't know what StarSign? exactly is and if it will be compatible. If anyone has links to technical documents or news, please add them here. +

+

+If anyone knows how to contact them (this far no luck) let us know too. +

+
+
diff --git a/doc/TelseCos.html b/doc/TelseCos.html new file mode 100644 index 00000000..e616b9cc --- /dev/null +++ b/doc/TelseCos.html @@ -0,0 +1,81 @@ + +TelseCos - OpenSC - Trac
+

NetKey E4 cards

+

+http://www.opensc.org/opensc/attachment/wiki/TelseCos/NetkeyE4-card.jpg?format=raw +

+

+Telesec is a german company that sells NetKey? E4 cards. These cards have a TCOS 2.02 operationg system and an almost PKCS#15* compatible file-layout. OpenSC has read-only support for these kind of cards. +

+

+If OpenSC would fully support TCOS, one could erase the preformatted card and initialize the card with a PKCS#15* filesystem. This is not possible right now. You have the same problem, if you own a blank TCOS card. +

+

+The good news are: With the help of an emulation layer OpenSC can use cards that are almost PKCS#15* compatible. For NetKey? E4-cards such an emulation layer exists. The emulation cannot store certificates, keys or pins on the card, but you can use whatever is visible through the emulation layer. +

+

+SignTrust- and German EId-cards are also TCOS based but might have a different layout, so the NetKey? E4-emulation might not work with these cards. If you have such a card and are willing to help, please post information on the mailing list. You might also send "opensc-tool -r" output to me, maybe I can extend the Netkey-emulation such that other preformatted TCOS cards work as well. +

+

NetKey E4 filesystem layout

+

+NetKey? E4 cards contain different directories with different applications. Only one of these (i.e. directory DF01) is made visible through the NetKey? emulation layer. This directory contains 3 private keys, 3 public keys, 3 read only certificates, 6 empty certificate files, 2 local PINs and one signature-counter. +

+
  pkcs15-tool -c
+

+will list all certificates. It will not list the empty certificate files. Here's the output for a new NetKey? E4 card: +

+
$ pkcs15-tool -c
+X.509 Certificate [Telesec Signatur Zertifikat]
+        Flags    : 0
+        Authority: no
+        Path     : DF01C000
+        ID       : 01
+
+X.509 Certificate [Telesec Authentifizierungs Zertifikat]
+        Flags    : 0
+        Authority: no
+        Path     : DF01C100
+        ID       : 02
+
+X.509 Certificate [Telesec Verschlüsselungs Zertifikat]
+        Flags    : 0
+        Authority: no
+        Path     : DF01C200
+        ID       : 03
+

+The read-only certificates are signed by a certificate of german Telekom AG and all have the same CN. Here's some output that shows one of them: +

+
$ pkcs15-tool -r 01 | openssl x509 -noout -text -certopt no_pubkey,no_sigdump
+Certificate:
+    Data:
+        Version: 3 (0x2)
+        Serial Number: 13356238 (0xcbccce)
+        Signature Algorithm: ripemd160WithRSA
+        Issuer: C=DE, O=Deutsche Telekom AG/0.2.262.1.10.7.20=1, CN=NKS CA 21:PN
+        Validity
+            Not Before: Jan 31 08:43:51 2003 GMT
+            Not After : Jan 31 08:43:51 2006 GMT
+        Subject: C=DE/0.2.262.1.10.7.20=1, CN=NKS 03 A 02707
+        X509v3 extensions:
+            X509v3 Key Usage: critical
+                Digital Signature, Non Repudiation
+

+The public-keys are record-based transparent files and cannot be used for cryptographic operations. They are on the card for convenience only. OpenSC extracts the public keys from the certificates and does not use the public key files. +

+

How do I store additional certificates into the above mentioned empty certificate-files?

+

+You (and OpenSC) dont see the empty certificate files through the emulation layer. One consequence of this is, that you cannot store your own certificates into these files with pkcs11-tool or pkcs15-init. +

+

+You must use opensc-explorer and store the certificate directly into the right position or use netkey-tool, a small program, that I wrote exactly for that purpose. +

+

+In general (and in particular with TCOS-cards) it's a lot more complicated to create a new file on a smartcard than updating an existing one. That's the reason why there are empty certificate files on a NetKey? card. They contain 1536 0xFF-bytes and you can overwrite them with your own certificate (if your certificate has at most 1536 bytes). +

+

+netkey-tool can do other NetKey-card specific things as well. In particular it will display your initial PUK value and all certificates (including the emtpy ones, which are invisible to pkcs15-tool). As of this writing (June 2005) netkey-tool is included in the CVS-version only. +

+
+
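Review bot: the last paragraph says netkey-tool is "included in the CVS-version only", while SubversionRepository.html in this same patch says the project uses Subversion; name the repository consistently. The same paragraph notes that netkey-tool "will display your initial PUK value" without saying which PIN, if any, must be presented first; readers deciding who may handle a card need that stated. The first paragraph is a bare attachment URL rather than an image or link, "NetKey?" carries a stray question mark throughout, and "record-based transparent files" reads as a contradiction that should be clarified. Typos: "operationg", "dont", "emtpy".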
diff --git a/doc/TroubleShooting.html b/doc/TroubleShooting.html new file mode 100644 index 00000000..fad58b98 --- /dev/null +++ b/doc/TroubleShooting.html @@ -0,0 +1,64 @@ + +TroubleShooting - OpenSC - Trac
+

Debugging OpenSC

+
opensc-tool -l
+

+will give you a list of readers opensc has found. If your reader isn't listed, you have +a problem with that reader. For OpenCT see [http://www.opensc.org/openct/wiki/TroubleShooting] for details. +For PCSC/Lite see it's documentation (FIXME: a link would be nice). For CT-API readers, edit the +opensc.conf and make sure the reader is properly configured. If it still doesn't help, increase +debugging to level 5 or higher in opensc.conf, run "opensc-tool -l" again and send a debug log +to the mailing list (see ContactInfo? for details). +

+

+FIXME: more help for debugging opensc. +

+

Unsupported INS byte in APDU

+

+This is a common error message. The best translation is: +

+
Sorry, we don't know that card.
+

+Each card is identified by it so called ATR ("Answer to reset"). +You can get this identification code by running +

+
opensc-tool --atr
+

+OpenSC contains a compiled in list of atr it knows in each card driver. +To check if any card driver knows about your card, please run +

+
opensc-tool --name
+

+So if that name is "Default driver for unknown cards" then either your card +is not supported at all, or it is a brand new version of an old and supported +card, and if it is compatible with the older version it might work. +

+

+In case it is only a new version, but still compatible, you can edit opensc.conf +and configure some driver to also accept this new atr. opensc.conf already contains +a configuration example, you only need to change the atr and driver and enable it. +Here is that example code: +

+
        # GPK card driver additional ATR entry:
+        card_driver gpk {
+                atr = 00:11:22;
+        }
+
+

+Replace "gpk" with the card driver of your card and "00:11:22" with the atr +printed by "opensc-tool --atr". WARNING: this can damage your card and render +it useless (in case the driver is not compatible with your card). So don't do +this, unless you are absolutely sure of what you are doing. If you are not +sure, please contact the OpenSC Team (see ContactInfo? for details). +

+

+Also note: more and more drivers have internal flags, for example for subtypes +of cards or for certain properties, like whether or nor a card can generate +keys (very old smartcards can't do that). Currently it is not possible to set +those flags in the config file, so often it might be necessary to edit OpenSC +source code and recompile OpenSC. +

+
+
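Review bot: The WARNING that an extra ATR entry "can damage your card and render it useless" comes only after the copy-and-paste example, in the paragraph that follows the card_driver gpk block. Move it above the example so a reader sees it before editing opensc.conf. The page also ships two FIXME markers ("FIXME: a link would be nice", "FIXME: more help for debugging opensc"), the typo "it's documentation", and "ContactInfo?" with a leaked wiki "?". Since the first paragraph asks users to raise debugging to level 5 and send the log to the mailing list, it would help to say whether such a log can contain card contents or PIN data before it is posted publicly.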
diff --git a/doc/WindowsCsp.html b/doc/WindowsCsp.html new file mode 100644 index 00000000..c170d265 --- /dev/null +++ b/doc/WindowsCsp.html @@ -0,0 +1,13 @@ + +WindowsCsp - OpenSC - Trac
+

PKCS#11 and Windows CryptoAPI

+

+OpenSC implements a PKCS#11 v2.11 module that can be combined with addition software such as CSP11 or Identity Alliance CSP to allow Windows applications (IE, Outlook, login etc) access to smartcards supported by OpenSC. +

+

+TODO: Fill in the details. +

+
+
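Review bot: This page is a stub: its only content besides one sentence is "TODO: Fill in the details.", yet doc/index.html in the same commit points readers to WindowsCsp for OS integration. Either fill in the minimum (where to get CSP11 or the Identity Alliance CSP and how it is pointed at the OpenSC PKCS#11 module) or leave the page out of the export until it has content. "addition software" should read "additional software".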
diff --git a/doc/export-wiki.sh b/doc/export-wiki.sh new file mode 100644 index 00000000..5faaad3a --- /dev/null +++ b/doc/export-wiki.sh @@ -0,0 +1,34 @@ +#!/bin/bash + +set -e + +export SERVER=http://www.opensc.org +export WIKI=opensc/wiki +export XSL=export-wiki.xsl + +test -f `basename $0` + +rm -rf *.html *.css + +wget $SERVER/$WIKI/TitleIndex -O TitleIndex.tmp + +grep "\"/$WIKI/[^\"]*\"" TitleIndex.tmp \ + |sed -e "s#.*\"/$WIKI/\([^\"]*\)\".*#\1#g" \ + > WikiWords.tmp +sed -e /^Trac/d -e /^Wiki/d -e /^TitleIndex/d -e /^RecentChanges/d \ + -e /^CamelCase/d -e /^SandBox/d -i WikiWords.tmp + +for A in WikiStart `cat WikiWords.tmp` +do + F=`echo $A|sed -e 's/\//_/g'` + wget $SERVER/$WIKI/$A -O $F.tmp + xsltproc --output $F.html $XSL $F.tmp + sed -e "s# + + + + + + + + + + + <xsl:value-of select="/html:html/html:head/html:title" /> + + + + + + + + + + + + + Wiki Index + + + +

Index of Wiki Pages

+ + + +
+ + +
  • +
    + + + + + + + + + diff --git a/doc/index.html b/doc/index.html new file mode 100644 index 00000000..e3f95fe2 --- /dev/null +++ b/doc/index.html @@ -0,0 +1,121 @@ + +OpenSC - Trac
    +

    OpenSC

    +

    +OpenSC provides a set of libraries and utilities to access smart +cards. Its main focus is on cards that support cryptographic operations, +and facilitate their use in security applications such as mail encryption, +authentication, and digital signature. OpenSC implements the PKCS#11 API +so applications supporting this API such as Mozilla Firefox and Thunderbird +can use it. OpenSC implements the PKCS#15 standard and aims to be compatible +with every software that does so, too. +

    +

    Card Support

    +

    +CardsAndTokens has the full list of all smart cards and tokens. +

    +

    +Each release is tested with a subset of the supported cards, and users provide +additional test results. These are collected in RecentTestresults. +

    +

    Operating Systems

    +

    +OpenSC runs on Windows, Mac OS X and several other Unix and Bsd flavors. +It is even shipped as integral part of some LinuxDistributions. +

    +

    +OpenSC can be integrated with OS-centric cryptography frameworks such as WindowsCsp. +

    +

    Card Readers

    +

    +To use OpenSC you need a driver for your smart card reader. This can either be a driver +in CT-API format, or an IfdHandler? driver in combination with PcscLite?, or OpenCt?. +Most developers use OpenCT in direct combination, i.e. not using the OpenCT CT-API +driver nor the OpenCT ifdhandler with PC/SC-Lite. However those alternatives should +work fine, too. +

    +

    +On Win32 platforms you usually get a PC/SC driver. Most Pinpad readers (aka Class 2+ readers) also supply a CT-API driver. Though both drivers can be used with OpenSC you are currently limited to the CT-API driver if you want to use the reader's pinpad. +

    +

    Features

    +

    +* ReplacingCertificates +

    +

    Application Support

    +

    +OpenSC comes with a bundle of tools for testing, debugging and initialization. +In addition it contains two OpensslEngines that can be combined with OpenSSL to use +the normal OpenSSL commands while using a smart card hardware to do the crypto operations. +

    +

    +OpenSC contains a PamModule? for authentication/login via smart card. That pam module however +has a few minor bugs. But there is also a new pam module +for PKCS!#11 libaries. +

    +

    +OpenSC contains a PKCS#11 library called opensc-pkcs11.so. This library can be used +with MozillaFirebird?, MozillaThunderbird? or plain Mozilla to login to websites using +certificates from the smart card, or to sign and decrypt eMails or authenticate +to your mail server with your certificate. Keypair generation, certificate request +and writing the requested cert through an on-line CA should also be possible. +

    +

    +FreeSwan/StrongSwan/OpenSwan? can be compiled with OpenSC support and thus be used +to authenticate a VPN connection using a smart card. +

    +

    +OpenSSH can be compiled with OpenSC support and thus use the smart card for +authenticating at a remote ssh server. See OpenSsh for details. +

    +

    +On Windows there is a patched version of Putty with support for PKCS#11 libraries +such as OpenSC. See the Smart Card Bundle for a binary +package with installer containing OpenSSL, OpenSC and Putty for Windows. +

    +

    +GnuPg? contains support for OpenSC in the experimental 1.9 branch. +

    +

    +There is a patch for WpaSupplicant? to allow authentication to access points using +smart cards. +

    +

    +Gdigidoc uses OpenXAdES library what in turn can make use of OpenSC PKCS#11 module or CSP on windows. +

    +

    +Here's a Wikipage that has some information about PuTTYcard, an extension to Simon Tathams PuTTY. +PuTTYcard let you use your Smartcards RSA keys with Pageant.exe. +

    +

    +LibChipcard is a library and tools to use all kind of chipcards like HBCI chip cards and german medical cards. +It is used by many online banking applications. The latest development snapshot for version 2 now includes +support for using opensc reader layer. great new! +

    +

    +TroubleShooting explains the most common problems and how to solve the, +

    +

    Getting OpenSC

    +

    +You can either download OpenSC releases from our File Archive +or access our SubversionRepository. +

    +

    Links

    +

    +* NIST has a document about personal identity verification cards. +

    +

    Developers Corner

    +

    +We would like to gather some information on developers to make it easier for all of us. +New pages: DeveloperHardware? (donations welcome!), AutoVersions. +

    +

    +ReleaseHowto documents our release process. +

    +

    +For interoperability with other smart card projects, mostly national id cards, there is a mailing +list at [http://www.gol.grosseto.it/mailman/listinfo/interopeid] +

    +
    +
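Review bot: In the Application Support section, "That pam module however has a few minor bugs" is too vague for a login component. Name the bugs or link to them, and say whether any of them affects the authentication decision, so an administrator can judge whether to deploy it. Smaller points in the same hunk: "PKCS!#11 libaries" has a leaked Trac escape "!" and a typo, "how to solve the," is cut off, "great new!" reads as a draft note, and PamModule?, PcscLite?, OpenCt?, GnuPg?, WpaSupplicant?, DeveloperHardware? all carry the missing-page "?" from the wiki.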
    diff --git a/doc/pkcs11_keypair_gen.html b/doc/pkcs11_keypair_gen.html new file mode 100644 index 00000000..52a5774a --- /dev/null +++ b/doc/pkcs11_keypair_gen.html @@ -0,0 +1,28 @@ + +pkcs11_keypair_gen - OpenSC - Trac
    +

    +PKCS11 Keypair generation, certificate request and writing the requested cert to the card +

    +

    +You can use the the pkcs11 library (opensc-pkcs11.so or opensc-pkcs11.dll) with Mozilla/Firefox/Netscape to go to an on-line CA (Certificate Authority). In this case, the browser will: +

    +

    +However in order to work: +

    +

    +Currently, only 1 certificate can be requested this way. The reason is that Mozilla changes the ID of the key and cert into a hash of 20 bytes, and this confuses our pkcs15init library (used to 1-byte IDs) who will attempt to create a new key on the place of the first key (which fails)... +

    +
    +
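Review bot: The limitation paragraph says a second request makes pkcs15init "attempt to create a new key on the place of the first key (which fails)" but does not say what state the card is in afterwards. State explicitly whether the first key and certificate are left intact and what error the user sees, since this is the one thing a reader holding a provisioned card needs to know. "the the pkcs11 library" is a typo, and "the browser will:" and "However in order to work:" should each be followed by their list; check that the export kept the list items.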
    diff --git a/doc/trac.css b/doc/trac.css new file mode 100644 index 00000000..8d9604d5 --- /dev/null +++ b/doc/trac.css 
@@ -0,0 +1,360 @@ +/* Trac CSS */ +body { + background: #fff; + color: #000; + margin: 10px; +} +body, th, td { + font: normal 13px verdana,arial,'Bitstream Vera Sans',helvetica,sans-serif; +} +h1, h2, h3, h4 { + font-family: arial,verdana,'Bitstream Vera Sans',helvetica,sans-serif; + font-weight: bold; + letter-spacing: -0.018em; +} +h1 { font-size: 19px; margin: .15em 1em 0 0 } +h2 { font-size: 16px } +h3 { font-size: 14px } +hr { border: none; border-top: 1px solid #ccb; margin: 2em 0 } +address { font-style: normal } +img { border: none } + +.underline { text-decoration: underline; } +ol.loweralpha { list-style-type: lower-alpha } +ol.upperalpha { list-style-type: upper-alpha } +ol.lowerroman { list-style-type: lower-roman } +ol.upperroman { list-style-type: upper-roman } +ol.arabic { list-style-type: decimal } + +/* Link styles */ +:link, :visited { + text-decoration: none; + color: #b00; + border-bottom: 1px dotted #bbb; +} +:link:hover, :visited:hover { + background-color: #eee; + color: #555; +} +h1 :link, h1 :visited ,h2 :link, h2 :visited, h3 :link, h3 :visited, +h4 :link, h4 :visited, h5 :link, h5 :visited, h6 :link, h6 :visited { + color: inherit; +} + +.ext-link { background: url(../extlink.gif) no-repeat 0 58%; padding-left: 16px } +* html .ext-link { background-position: 0 .35em } /* IE hack, see #937 */ + +/* Forms */ +input, textarea, select { margin: 2px } +input, select { vertical-align: middle } +input[type=submit], input[type=reset] { + background: #eee; + color: #222; + border: 1px outset #ccc; + padding: .1em .5em; +} +input[type=submit]:hover, input[type=reset]:hover { background: #ccb } +input[type=text], input.textwidget, textarea { + background: #fff; + color: #000; + border: 1px solid #d7d7d7; +} +input[type=text], input.textwidget { padding: .25em .5em } +input[type=text]:focus, textarea:focus { border: 1px solid #886 } +option { border-bottom: 1px dotted #d7d7d7 } +fieldset { border: 1px solid #d7d7d7; padding: .5em; margin: 0 } 
+fieldset.iefix { border: none; padding: 0; margin: 0 } +* html fieldset.iefix { width: 98% } +fieldset.iefix p { margin: 0 } +legend { color: #999; padding: 0 .25em; font-size: 90%; font-weight: bold } +label.disabled { color: #d7d7d7 } +.buttons { margin: .5em .5em .5em 0 } +.buttons form, .buttons form div { display: inline } +.buttons input { margin: 1em .5em .1em 0 } + +/* Header */ +#header hr { display: none } +#header img { border: none; margin: 0 0 -3em } +#header :link, #header :visited, #header :link:hover, #header :visited:hover { + background: transparent; + margin-bottom: 2px; + border: none; +} + +/* Quick search */ +#search { + clear: both; + font-size: 10px; + height: 2.2em; + margin: 0 0 1em; + text-align: right; +} +#search input { font-size: 10px } +#search label { display: none } + +/* Navigation */ +.nav h2, .nav hr { display: none } +.nav ul { font-size: 10px; list-style: none; margin: 0; text-align: right } +.nav li { + border-right: 1px solid #d7d7d7; + display: inline; + padding: 0 .75em; + white-space: nowrap; +} +.nav li.last { border-right: none } + +/* Main navigation bar */ +#mainnav { + background: #f7f7f7 url(../topbar_gradient.png) 0 0; + border: 1px solid #000; + font: normal 10px verdana,'Bitstream Vera Sans',helvetica,arial,sans-serif; + margin: .66em 0 .33em; + padding: .2em 0; +} +#mainnav li { border-right: none; padding: .25em 0 } +#mainnav :link, #mainnav :visited { + background: url(../dots.gif) 0 0 no-repeat; + border-right: 1px solid #fff; + border-bottom: none; + border-left: 1px solid #555; + color: #000; + padding: .2em 20px; +} +* html #mainnav :link, * html #mainnav :visited { background-position: 1px 0 } +#mainnav :link:hover, #mainnav :visited:hover { + background-color: #ccc; + border-right: 1px solid #ddd; +} +#mainnav .active:link, #mainnav .active:visited { + background: #333 url(../topbar_gradient2.png) 0 0 repeat-x; + border-top: none; + border-right: 1px solid #000; + color: #eee; + font-weight: bold; +} 
+#mainnav .active:link:hover, #mainnav .active:visited:hover { + border-right: 1px solid #000; +} + +/* Context-dependent navigation links */ +#ctxtnav { height: 1em } +#ctxtnav li ul { + background: #f7f7f7; + color: #ccc; + border: 1px solid; + padding: 0; + display: inline; + margin: 0; +} +#ctxtnav li li { padding: 0; } +#ctxtnav li li :link, #ctxtnav li li :visited { padding: 0 1em } +#ctxtnav li li :link:hover, #ctxtnav li li :visited:hover { + background: #bba; + color: #fff; +} + +/* Alternate links */ +#altlinks { clear: both; text-align: center } +#altlinks h3 { font-size: 12px; letter-spacing: normal; margin: 0 } +#altlinks ul { list-style: none; margin: 0; padding: 0 0 1em } +#altlinks li { + border-right: 1px solid #d7d7d7; + display: inline; + font-size: 11px; + line-height: 16px; + padding: 0 1em; + white-space: nowrap; +} +#altlinks li.last { border-right: none } +#altlinks li :link, #altlinks li :visited { + background-position: 0 -1px; + background-repeat: no-repeat; + border: none; +} +#altlinks li a.ics { background-image: url(../ics.png); padding-left: 22px } +#altlinks li a.rss { background-image: url(../xml.png); padding-left: 42px } + +/* Footer */ +#footer { + clear: both; + color: #bbb; + font-size: 10px; + border-top: 1px solid; + height: 31px; + padding: .25em 0; +} +#footer :link, #footer :visited { color: #bbb; } +#footer hr { display: none } +#footer #tracpowered { border: 0; float: left } +#footer #tracpowered:hover { background: transparent } +#footer p { margin: 0 } +#footer p.left { + float: left; + margin-left: 1em; + padding: 0 1em; + border-left: 1px solid #d7d7d7; + border-right: 1px solid #d7d7d7; +} +#footer p.right { + float: right; + text-align: right; +} + +#content { padding-bottom: 2em; position: relative } + +#help { + clear: both; + color: #999; + font-size: 90%; + margin: 1em; + text-align: right; +} +#help :link, #help :visited { cursor: help } +#help hr { display: none } + +/* Page preferences form */ +#prefs { + 
background: #f7f7f0; + border: 1px outset #998; + float: right; + font-size: 9px; + padding: .8em; + position: relative; + margin: 0 1em 1em; +} +* html #prefs { width: 26em } /* Set width only for IE */ +#prefs input, #prefs select { font-size: 9px; vertical-align: middle } +#prefs fieldset { border: none; margin: .5em; padding: 0 } +#prefs fieldset legend { + background: transparent; + color: #000; + font-size: 9px; + font-weight: normal; + margin: 0 0 0 -1.5em; + padding: 0; +} +#prefs .buttons { text-align: right } + +/* Wiki */ +a.missing:link,a.missing:visited { background: #fafaf0; color: #998 } +a.missing:hover { color: #000; } + +#content.wiki { line-height: 140% } +.wikitoolbar { + border: solid #d7d7d7; + border-width: 1px 1px 1px 0; + float: left; + height: 18px; +} +.wikitoolbar :link, .wikitoolbar :visited { + background: transparent url(../edit_toolbar.png) no-repeat; + border: 1px solid #fff; + border-left-color: #d7d7d7; + cursor: default; + display: block; + float: left; + width: 24px; + height: 16px; +} +.wikitoolbar :link:hover, .wikitoolbar :visited:hover { + background-color: transparent; + border: 1px solid #fb2; +} +.wikitoolbar a#em { background-position: 0 0 } +.wikitoolbar a#strong { background-position: 0 -16px } +.wikitoolbar a#heading { background-position: 0 -32px } +.wikitoolbar a#link { background-position: 0 -48px } +.wikitoolbar a#code { background-position: 0 -64px } +.wikitoolbar a#hr { background-position: 0 -80px } + +/* Styles for the form for adding attachments. */ +#attachment .field { margin-top: 1.3em } +#attachment label { padding-left: .2em } +#attachment fieldset { margin-top: 2em } +#attachment fieldset .field { float: left; margin: 0 1em .5em 0 } +#attachment br { clear: left } + +/* Styles for tabular listings such as those used for displaying directory + contents and report results. 
*/ +table.listing { + clear: both; + border-bottom: 1px solid #d7d7d7; + border-collapse: collapse; + border-spacing: 0; + margin-top: 1em; + width: 100%; +} +table.listing th { text-align: left; padding: 0 1em .1em 0; font-size: 12px } +table.listing thead { background: #f7f7f0 } +table.listing thead th { + border: 1px solid #d7d7d7; + border-bottom-color: #999; + font-size: 11px; + font-weight: bold; + padding: 2px .5em; + vertical-align: bottom; +} +table.listing thead th :link:hover, table.listing thead th :visited:hover { + background-color: transparent; +} +table.listing thead th a { border: none; padding-right: 12px } +table.listing th.asc a, table.listing th.desc a { font-weight: bold } +table.listing th.asc a, table.listing th.desc a { + background-position: 100% 50%; + background-repeat: no-repeat; +} +table.listing th.asc a { background-image: url(../asc.png) } +table.listing th.desc a { background-image: url(../desc.png) } +table.listing tbody td, table.listing tbody th { + border: 1px dotted #ddd; + padding: .33em .5em; + vertical-align: top; +} +table.listing tbody td a:hover, table.listing tbody th a:hover { + background-color: transparent; +} +table.listing tbody tr { border-top: 1px solid #ddd } +table.listing tbody tr.even { background-color: #fcfcfc } +table.listing tbody tr.odd { background-color: #f7f7f7 } +table.listing tbody tr:hover { background: #eed !important } + +.wikipage p { margin-left: 1em } +pre.wiki, pre.literal-block { + background: #f7f7f7; + border: 1px solid #d7d7d7; + margin: 1em 1.75em; + padding: .25em; + overflow: auto; +} +table.wiki { + border: 2px solid #ccc; + border-collapse: collapse; + border-spacing: 0; +} +table.wiki td { border: 1px solid #ccc; padding: .1em .25em; } + +/* Styles for the error page (and rst errors) */ +#content.error .message, div.system-message { + background: #fdc; + border: 2px solid #d00; + color: #500; + padding: .5em; + margin: 1em 0; +} +#content.error pre, div.system-message pre { 
margin-left: 1em; overflow: auto } +div.system-message p { margin: 0; } +div.system-message p.system-message-title { font-weight: bold; } + +/* Styles for search word highlighting */ +@media screen { + .searchword0 { background: #ff9 } + .searchword1 { background: #cfc } + .searchword2 { background: #cff } + .searchword3 { background: #ccf } + .searchword4 { background: #fcf } +} + +@media print { + #header, #altlinks, #footer { display: none } + .nav, form, .buttons form { display: none } +}
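Review bot: In doc/export-wiki.sh the page names read from the downloaded TitleIndex are used unquoted in "wget $SERVER/$WIKI/$A -O $F.tmp" and "xsltproc --output $F.html $XSL $F.tmp", so the remote wiki decides what the shell sees as arguments and output file names. Only "/" is rewritten by the sed. Quote "$A" and "$F" and skip any name that does not match a strict pattern such as letters, digits and underscore. Two related points: SERVER is plain http, and the result is committed into doc/, so the fetched HTML should be reviewed or fetched over an authenticated channel. "rm -rf *.html *.css" also runs before the first wget, so with set -e a failed download leaves the directory emptied; download into a temporary directory and replace the files only on success.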