From 9c12242fc80256d0ac3f59769b262331a4fe7ad0 Mon Sep 17 00:00:00 2001
From: aj
Date: Thu, 1 Sep 2005 13:59:41 +0000
Subject: [PATCH] big documentation update. remove html from svn.

git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@2526 c6295689-39f2-0310-b995-f0e70906c6a9
---
 doc/AladdinEtokenPro.html               |   42 -
 doc/AutoVersions.html                   |   46 -
 doc/BelgianEid.html                     |   23 -
 doc/CardOs.html                         |   22 -
 doc/CardReaders_CTAPI.html              |   54 -
 doc/CardReaders_SPR532.html             |   41 -
 doc/CardsAndTokens.html                 |   39 -
 doc/CompatibilityIssues.html            |   53 -
 doc/CompatiblityIssues.html             |    6 -
 doc/CryptoIdendityItsec.html            |   42 -
 doc/Cryptoflex.html                     |   26 -
 doc/Cyberflex.html                      |   21 -
 doc/DesignDiscussion.html               |   43 -
 doc/DesignDiscussion_UserInterface.html |   20 -
 doc/EstonianEid.html                    |   20 -
 doc/FinnishEid.html                     |   49 -
 doc/GemplusGpk.html                     |   16 -
 doc/GermanEid.html                      |   20 -
 doc/ItalianEid.html                     |   22 -
 doc/ItalianPostecert.html               |   19 -
 doc/LinuxDistributions.html             |   40 -
 doc/MacOsX.html                         |   66 -
 doc/Makefile.am                         |   17 +-
 doc/MartinBlog.html                     |   16 -
 doc/MartinBlogMuscle.html               |   47 -
 doc/MartinBlogPlatform.html             |   23 -
 doc/OpenPgp.html                        |    9 -
 doc/OpenSsh.html                        |   58 -
 doc/OpensslEngines.html                 |   20 -
 doc/PinpadReaders.html                  |   39 -
 doc/PuTTYcard.html                      |  251 --
 doc/RainbowIkeyThree.html               |   31 -
 doc/RecentTestresults.html              |  232 --
 doc/ReleaseHowto.html                   |   36 -
 doc/ReplacingCertificates.html          |   75 -
 doc/RoadMap.html                        |   24 -
 doc/SchlumbergerEgate.html              |   28 -
 doc/SmartCardApplications.html          |   12 -
 doc/SpanishEid.html                     |   17 -
 doc/SubversionRepository.html           |   55 -
 doc/SupportedHardware.html              |   37 -
 doc/SwedishEid.html                     |   22 -
 doc/TaiwanEid.html                      |   16 -
 doc/TelseCos.html                       |   81 -
 doc/TroubleShooting.html                |   64 -
 doc/WindowsCsp.html                     |   13 -
 doc/export-wiki.sh                      |   39 +-
 doc/index.html                          |  121 -
 doc/old/Makefile.am                     |   13 +-
 doc/old/opensc-es.html                  | 2051 --------------
 doc/old/opensc.html                     | 3246 -----------------------
 doc/pkcs11_keypair_gen.html             |   28 -
 52 files changed, 29 insertions(+), 7422 deletions(-)
 delete mode 100644 doc/AladdinEtokenPro.html
 delete mode 100644 doc/AutoVersions.html
 delete mode 100644 doc/BelgianEid.html
 delete mode 100644 doc/CardOs.html
 delete mode 100644 doc/CardReaders_CTAPI.html
 delete mode 100644 doc/CardReaders_SPR532.html
 delete mode 100644 doc/CardsAndTokens.html
 delete mode 100644 doc/CompatibilityIssues.html
 delete mode 100644 doc/CompatiblityIssues.html
 delete mode 100644 doc/CryptoIdendityItsec.html
 delete mode 100644 doc/Cryptoflex.html
 delete mode 100644 doc/Cyberflex.html
 delete mode 100644 doc/DesignDiscussion.html
 delete mode 100644 doc/DesignDiscussion_UserInterface.html
 delete mode 100644 doc/EstonianEid.html
 delete mode 100644 doc/FinnishEid.html
 delete mode 100644 doc/GemplusGpk.html
 delete mode 100644 doc/GermanEid.html
 delete mode 100644 doc/ItalianEid.html
 delete mode 100644 doc/ItalianPostecert.html
 delete mode 100644 doc/LinuxDistributions.html
 delete mode 100644 doc/MacOsX.html
 delete mode 100644 doc/MartinBlog.html
 delete mode 100644 doc/MartinBlogMuscle.html
 delete mode 100644 doc/MartinBlogPlatform.html
 delete mode 100644 doc/OpenPgp.html
 delete mode 100644 doc/OpenSsh.html
 delete mode 100644 doc/OpensslEngines.html
 delete mode 100644 doc/PinpadReaders.html
 delete mode 100644 doc/PuTTYcard.html
 delete mode 100644 doc/RainbowIkeyThree.html
 delete mode 100644 doc/RecentTestresults.html
 delete mode 100644 doc/ReleaseHowto.html
 delete mode 100644 doc/ReplacingCertificates.html
 delete mode 100644 doc/RoadMap.html
 delete mode 100644 doc/SchlumbergerEgate.html
 delete mode 100644 doc/SmartCardApplications.html
 delete mode 100644 doc/SpanishEid.html
 delete mode 100644 doc/SubversionRepository.html
 delete mode 100644 doc/SupportedHardware.html
 delete mode 100644 doc/SwedishEid.html
 delete mode 100644 doc/TaiwanEid.html
 delete mode 100644 doc/TelseCos.html
 delete mode 100644 doc/TroubleShooting.html
 delete mode 100644 doc/WindowsCsp.html
 delete mode 100644 doc/index.html
 delete mode 100644 doc/old/opensc-es.html
 delete mode 100644 doc/old/opensc.html
 delete mode 100644 doc/pkcs11_keypair_gen.html
diff --git a/doc/AladdinEtokenPro.html b/doc/AladdinEtokenPro.html deleted file mode 100644 index 2642f1b6..00000000 --- a/doc/AladdinEtokenPro.html +++ /dev/null @@ -1,42 +0,0 @@ - -AladdinEtokenPro - OpenSC - Trac
-

Aladdin eToken PRO

-

-Aladdin offers the eToken PRO, an USB crypto token with 32k memory -and support for RSA keys up to 1024bit key length. -

-

-The eToken PRO is fully supported by OpenSC and is well tested. -

-

-The smart card inside is an Infineon Chip with the Siemens CardOS M4 smart card operating system. -

-

-One minor feature of the Siemens CardOS M4 is, that a rsa key cannot be used for both signing -and decryption. OpenSC has implemented a workaround: software key generation and storing that -key twice, once marked as decryption key and once marked as signing key. To enable this workaround -specifiy "--split-key" on the command line, when creating the key. -

-

-Aladdin has there own software for windows and linux. This software does not implement PKCS#15 and thus is not compatible with OpenSC. As long as the card has memory, you can initialize the card with both software packages, and thus install files and keys side by side - each software can only handle their own structures. -

-

-Note that Aladdin is maybe the oldest player in the usb token field, and their software predates the PKCS#15 standard, so you can't blame them for not conforming to the standard. Note also that Aladdin sponsored an OpenSC workshop in 2003 by donating 30 Aladdin eToken PRO, thanks a lot! -

-

-There is a rare version of the Aladdin eToken PRO with a G&D Starcos smart card inside. This version is not supported and never went into mass production as far as we know. -

-

-Aladdin has an SDK with Documentation on their ftp server for public download, but to implement the OpenSC driver further documentation was necessary (by Siemens and available only under NDA as far as we know). -

-

-Some people had problems buying a single Aladdin eToken PRO (bare, without any bundle or consulting etc.). -Please try bristol.de or coretech.at if you run into trouble. -

-

-Security Mart sells them at 47$ if you buy 10-99 pieces. -

-
-
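Review bot: this hunk, like every other deletion in the patch, removes exported wiki HTML with no replacement in the tree, and the commit message only says "remove html from svn". Because export-wiki.sh stays in EXTRA_DIST and the Makefile.am hunk now fills HTML= from whatever that script has written, the content here (the CardOS M4 "--split-key" workaround, the note that Aladdin's own software is not PKCS#15 compatible and only coexists on the card) survives only if it still exists on the wiki; the commit message should state that the wiki is now the source of these pages and that they were checked there before deletion.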
diff --git a/doc/AutoVersions.html b/doc/AutoVersions.html deleted file mode 100644 index e4ddefcf..00000000 --- a/doc/AutoVersions.html +++ /dev/null @@ -1,46 +0,0 @@ - -AutoVersions - OpenSC - Trac
-

Versions of Auto Tools

-

-OpenSC should work for every developer. One software is very tricky: autoconf, automake and libtool. -Which version can we require? Unfortunatly the only way we can find out is trial and error. To improve -the situation, we would like to gather which version everyone is using, so we can make sure even the -oldest version of these tools still in use works (and hope that newer versions work, too). -

-
- ------- - - - - - - - - - - - - - - - - - - - - -
NameDistributionAutoconfAutomakeLibtool
Andreas JellinghausDebian sarge2.591.7.91.5.6
Ludovic RousseauDebian sarge2.591.9.51.5.6
-

-Ludovic Rousseau: Note that if you distribute the created .tar.gz file you should always use the latest autotools versions in order to support the newly added architectures/OS. That will greatly ease the life of your users. -

-
-
diff --git a/doc/BelgianEid.html b/doc/BelgianEid.html deleted file mode 100644 index d1537283..00000000 --- a/doc/BelgianEid.html +++ /dev/null @@ -1,23 +0,0 @@ - -BelgianEid - OpenSC - Trac
-

Belgian Belpic

-

-The belgian eid card is official using OpenSC for their software. -

-

-Currently please use the "belpic" software available from the belgian state. -

-

-Current releases do not include belpic support, but OpenSC is in the process of merging the software, the next release should support it. -

-

-FIXME:links,documentation,pointers. -

-

-Thanks to Belgium for chossing OpenSC as basis for their software and donating the full source code back to use under LGPL license. -Thanks to Zetes for their support of OpenSC. -

-
-
diff --git a/doc/CardOs.html b/doc/CardOs.html deleted file mode 100644 index a2da701c..00000000 --- a/doc/CardOs.html +++ /dev/null @@ -1,22 +0,0 @@ - -CardOs - OpenSC - Trac
-

Siemens CardOS M4

-

-Siemens CardOS M4 smart card should work fine with OpenSC. -

-

-Currently only the Aladdin eToken PRO is tested often (a usb crypto dongle that contains a card with this operating system). It works fine, so all other smart cards with the same card operating system should work fine, too. -

-

-Siemens CardOS M4 does not allow a key to be used for signing and decryption. OpenSC has a workaround for this restriction, you can generate or store a private key with the "--split-key" flag which will store the key twice, with different usage options, but hide this detailt. -

-

-Some documentation is available from Aladdin for their eToken PRO, but for an in-depth documentation you need the Siemens card manual, which requires signing an NDA. -

-

-FIXME: where to buy such a card? pricing? -

-
-
diff --git a/doc/CardReaders_CTAPI.html b/doc/CardReaders_CTAPI.html deleted file mode 100644 index b2ad8cce..00000000 --- a/doc/CardReaders_CTAPI.html +++ /dev/null @@ -1,54 +0,0 @@ - -CardReaders/CTAPI - OpenSC - Trac
-

Using pinpad readers with CT-API

-

-On Win32 a pinpad reader usually supplies a PC/SC driver and a CT-API driver, since pinpad usage with PC/SC currently is vendor specific. There are some rumours about pinpad standardisation for PC/SC drivers, but I guess this will still need some time till it is widely adopted. Another alternative would be to use the CCID specification for USB readers, but there still are (and IMHO will be for some time) lots of non-CCID compliant pinpad readers. -

-

-So till another standard finds its way into OpenSC you can try the somewhat less user friendly CT-API if you want to use your pinpad with OpenSC. -

-

Configuring CT-API in opensc.conf

-

-To activate the CT-API driver you have to add the token "ctapi" to the reader_drivers attribute of the app default section (or whatever app you are using). -Then the reader's parameters, that is the library and port number, have to be configured in the "reader_driver ctapi" secion. -

-

-Use this as an example: -

-
  app default {
-    reader_drivers = ctapi;
-    reader_driver ctapi {
-      module c:\winnt\system32\CTRSCT32.DLL {
-        ports = 1;
-      }
-    }
-
-  # All the other OpenCT-Parameters...
-  .
-  .
-  .
-  }
-

-Notes -

-
  • Some drivers use port number 0 for the first reader, others start counting with 1. -
  • You can use multiple readers. Just add more "module"-sections if they use other drivers or add port numbers with a comma for the same driver. You can even mix PC/SC drivers and CT-API drivers for different readers. -
  • The same approach should work with Unix if you can find the CT-API library for your reader. -

-After this you can try "opensc-tool -l" and hope to see something like -

-
C:\work\opensc\src\tools>opensc-tool -l
-Readers known about:
-Nr.    Driver     Name
-0      ctapi      CT-API c:\winnt\system32\CTRSCT32.DLL, port 1
-

-If you are using a pinpad aware application (I still don't know any except my private pintest) you are ready. Some other applications (like the PKCS#11 plugin for Mozilla or the OpensslEngines) will use the pinpad if you hit return after being asked for a PIN. -

-

-Note that up to date PIN modification or unblocking is not supported with CT-API driver, there still is some work to do... ;) -

-
-
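Review bot: the opensc.conf example in this hunk (`reader_drivers = ctapi;` with the `module c:\winnt\system32\CTRSCT32.DLL { ports = 1; }` block), the port-numbering note (some drivers count from 0, others from 1) and the caveat that PIN modification and unblocking are not supported through the CT-API driver are the only description of the ctapi reader setup anywhere in this patch. If the page lives on in the wiki, the "hit return after being asked for a PIN" convention for pinpad use stated here should be reconciled with the open question about how applications treat empty PINs raised in the DesignDiscussion page deleted further down, so the two pages do not contradict each other after re-export.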
diff --git a/doc/CardReaders_SPR532.html b/doc/CardReaders_SPR532.html deleted file mode 100644 index f2179ef7..00000000 --- a/doc/CardReaders_SPR532.html +++ /dev/null @@ -1,41 +0,0 @@ - -CardReaders/SPR532 - OpenSC - Trac
-

PinPad AKA SPR532 and OpenSC mini-howto

-

-To get feedback as early as possible, here's a small tutorial how to get going with SPR532 and pinpad. There are other PinpadReaders and other interfaces but the given interface makes use of TeleTrust Class 2 reader IOCTL mechanism that shall be part of PC/SC version 2.0 spec as Part 10. There is also part 10 of the new PC/SC spec but TeleTrust? interface requires no special features from the PC/SC middleware but from the given IFDHandler itself and thus can be deployed now - by introducing the needed support in reader drivers and application side (OpenSC in this case). -

-

-Things you need to try it out: -

-

-NOTE: from the three download links above, directory test/ contains the latest versions and thus might be better for the braves. -

-

-Notes: -

-

-What you can do: -

-
  1. test and provide feedback -
  2. make the code of ccid library better. It seriously looks ugly when the SecurePIN functions come to play - though it works. -
  3. help to argue how things should look like in different places and how we shall solve some issues - see DesignDiscussion -

-Known issues: -

-
  1. It is known to work with SPR532 under Linux. In practice it should work without modifications on windows using the latest windows drivers available from the SCM specific download location above. -
  2. Support is only for T=0 cards (as of now Estonian and Belgian eID cards have been tested on Linux). It might as well work with T=1 cards, but to try it out you must disable the check for active protocol in reader-pcsc.c. Write a note here if it works. -
  3. Support for pinpad operations in general might lag behind your needs. Patches most welcome :) -
-
diff --git a/doc/CardsAndTokens.html b/doc/CardsAndTokens.html deleted file mode 100644 index 0c68be0f..00000000 --- a/doc/CardsAndTokens.html +++ /dev/null @@ -1,39 +0,0 @@ - -CardsAndTokens - OpenSC - Trac
- -
diff --git a/doc/CompatibilityIssues.html b/doc/CompatibilityIssues.html deleted file mode 100644 index c2737ff9..00000000 --- a/doc/CompatibilityIssues.html +++ /dev/null @@ -1,53 +0,0 @@ - -CompatibilityIssues - OpenSC - Trac
-

Software compatibility

-

-In general all smart cards are incompatible. That is the sad truth. -

-

-First, every card has different commands. Some of them conform to the standard ISO 7816 Part 4 and higher, but -most cards have at least some commands, that are special, or the commands require a special data structure. -

-

-Second, even if the same card is used, two different software companies tend to use the card in incompatible -ways. However there is hope for this problem: PKCS#15 is a standard designed to solve that issue. -

-

-OpenSC implements PKCS#15, so cards initialized with OpenSC should work with other software implementing -it and vice versa. Note however, that usualy a card can only be modified with the software that was used -for initializing it in the first place. In that case you can only read the data with the compatible software, -use the keys, and most likely change pin and puk numbers. -

-

-Sometimes it is possible to live side by side. Think of a cd or a disk drive, with a picture and a text -file on it. Your text application can only open and change the text, and your graphics application can -only open and change the graphic, but if the medium can hold both files, you can store both on it. -

-

-That happends for example with the "Aladdin eToken PRO" (a usb crypto token) and OpenSC and the Aladdin -Software. OpenSC creates the file "2f00" and the directory "5015" as per PKCS#15 standard, and fills -both with data/keys/certificates. Aladdin does the same in the directory "6666". Still no software knows -how to deal with the other ones data/keys/certificates. -

-

Comaptible Software

-

-But at least some software is compatible: -

-

-Gieseke and Devrient ship the StarCOS -smart card and usb tokens based on that card. The software bundled with both is called Starsign. That software implements -the PKCS#15 standard, too, so it should be fully compatible with OpenSC and vise versa. If there is any issue, please -let us know (the last test was quite a while in the past). -

-

-If you know other software implementing PKCS#15, please add a paragraph. -

-

National ID cards

-

-National ID cards often are a standard of their own. OpenSC has PKCS#15 emulations for these cards, so you can use -them anway. See NationalIdCards? for a list of supported cards. -

-
-
diff --git a/doc/CompatiblityIssues.html b/doc/CompatiblityIssues.html deleted file mode 100644 index 48d22167..00000000 --- a/doc/CompatiblityIssues.html +++ /dev/null @@ -1,6 +0,0 @@ - -CompatiblityIssues - OpenSC - Trac
-
-
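Review bot: CompatiblityIssues.html is a misspelled six-line stub beside CompatibilityIssues.html, and both were listed in the old HTML= variable. Dropping the stub is right, but since the new HTML= line picks up every file export-wiki.sh writes, the misspelled wiki page (or a redirect for it) will be exported again on the next run unless it is also deleted on the wiki side; the commit message should say which pages were pruned there.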
diff --git a/doc/CryptoIdendityItsec.html b/doc/CryptoIdendityItsec.html deleted file mode 100644 index 5bc48ef6..00000000 --- a/doc/CryptoIdendityItsec.html +++ /dev/null @@ -1,42 +0,0 @@ - -CryptoIdendityItsec - OpenSC - Trac
-

Eutrom CryptoIdendity IT-SEC

-

-Eutron offers the Crypto Idendity IT-SEC, an USB crypto token with 32k memory -and support for RSA keys up to 1024bit key length. -

-

-The Crypto Idendity IT-SEC is fully supported by OpenSC, but has not been tested for a while. -

-

-Note that Eutron also offers two other crypto tokens in the Crypto Idendity line, but those -are not supported at all (no documentation available). -

-

-The smart card inside is an Infineon Chip with the Siemens CardOS M4 smart card operating system. -The driver is called "etoken" because this was the first device with that smart card. Only the usb -interface differs, the rest seems to be the same. -

-

-One minor feature of the Siemens CardOS M4 is, that a rsa key cannot be used for both signing -and decryption. OpenSC has implemented a workaround: software key generation and storing that -key twice, once marked as decryption key and once marked as signing key. To enable this workaround -specifiy "--split-key" on the command line, when creating the key. -

-

-Eutron has their own software for windows. This software does not implement PKCS#15 and thus is not compatible with OpenSC. As long as the card has memory, you can initialize the card with both software packages, and thus install files and keys side by side - each software can only handle their own structures. -

-

-Documentation was not necessary, as the driver for the smart card inside was already implemented. -

-

-However there is no tool to format a token (for example if you lock it up by accident), and the card -is slightly differently initialized than the Aladdin eToken PRO, so the scripts for that token do not work with the Eutron Crypto Idendity IT-SEC. A support email was not answered. -

-

-For price and availability, please contact Eutron directly. -

-
-
diff --git a/doc/Cryptoflex.html b/doc/Cryptoflex.html deleted file mode 100644 index 7770a686..00000000 --- a/doc/Cryptoflex.html +++ /dev/null @@ -1,26 +0,0 @@ - -Cryptoflex - OpenSC - Trac
-

Schlumberger / Axalto Cryptoflex

-

-All Cryptoflex are supported by OpenSC, tested very often and work fine. -

-

-Cryptoflex 8k cards however are too small, so the default profile does not fit on the card. Not even the small option is small enough to make it fit on the card. However you could edit the profile file to make it even smaller, then it should work again. -

-

-Documentation is available at [http://www.cryptoflex.com/]. -

-

-Cards can be bought at [http://www.scmegastore.com/]. -

-

-Sell also SchlumbergerEgate - a combination of the latest Cryptoflex card with a mechanical adapter to make the card speak usb. -

-

Test Results

-

-Works fine in smart acrd bundle 0.3rc2 on windows xp (cryptoflex 32k with plug in egate token adapter, driver 2.6.0). -

-
-
diff --git a/doc/Cyberflex.html b/doc/Cyberflex.html deleted file mode 100644 index aee40516..00000000 --- a/doc/Cyberflex.html +++ /dev/null @@ -1,21 +0,0 @@ - -Cyberflex - OpenSC - Trac
-

Schlumberger / Axalto Cyberflex

-

-Earlier versions of Cyberflex cards have the same or a very similiar filesystem interface like the Cryptoflex cards. -Those cards work well with OpenSC. -

-

-Newer versions however are pure JavaCards? and will not work without a JavaApplet?. No such applet is currently supported by OpenSC. -

-

-MuscleCard is an open source software containing a JavaApplet? for Cryptoflex cards and has a pkcs#11 -library for Unix/Linux and Windows. -

-

-FIXME:Did anyone test such a card recently? -

-
-
diff --git a/doc/DesignDiscussion.html b/doc/DesignDiscussion.html deleted file mode 100644 index 498139c1..00000000 --- a/doc/DesignDiscussion.html +++ /dev/null @@ -1,43 +0,0 @@ - -DesignDiscussion - OpenSC - Trac
-

Design issues

-

-Every change that is not a small fix or minor enhancement requires some kind of design. In order to discuss design decisions as much as possible and leave some kind of track about decisions made and design in place other than source code and comments and maybe even documentation, this sector of the wiki could be used. As always - feel free to comment (but please leave your name after your comment). -

-

Pinpad functionality

-

-(Martin) -Current state of secure pin entry methods in OpenSC is somewhat limited and hairy. Checks and features and functionality spans several component borders (application, library, card driver, reader, pkcs15 layer, etc). The target is to provide smooth pinpad support. -

-

-In theory different layers affect the total pinpad-oriented functioning: -

-
  1. Reader capabilities - actual reader capabilities detected and enabled by the reader (ctapi, pcsc, openct) -
  2. Reader driver and how-if-what verify methods it implements (though the name verify is not correct if we talk about full pin operations) -
  3. Card driver and if it implements the new pin command interface or if it is possible at all for the given card (maybe it uses some other method, maybe it uses non-numeric passwords) -
  4. pkcs15 layer - what it thinks about underlying hardware capacities and if/how it makes use of it -
  5. pkcs11 layer - exports PROTECTED_AUTHENTICATION_PATH to indicate 'secure authentication (aka pinpad)' and itself feeds data to pkcs15 layer. -
  6. applications - how they interpret various parameters (like slot capabilities, pkcs11 features, etc), how/if they react or should react on empty pins etc. -
  7. Library internal UI functionality - instead of asking for a pin who should notify the user to insert the pin to the pinpad and how? -

-All these should be put to work for a common goal in a nice way. -

-

Requirements

-
  • Slot flags must correctly state the capabilities of the slot and all functionality must strictly check this flag. -
  • A card driver should have a possibility to disable pinpad enabled functionality even if the slot tells it can do it - for reasons like character passwords -
  • It should be possible to disable pinpad functionality on reader(driver)/global layer as a configuration option - this will result the slot capabilities to be hidden -
  • It should be possible to disable pinpad functionality on a higher level - as a global option. This could result in different -
  • pkcs11 flag about secure authentication flag can be affected by any of the previous config options. -
  • One reader should support different verification methods (you can talk class2 via pcsc and you can talk ctbcs) -

Things to keep in mind

-
  • Backwards compatibility -
  • User interaction. -

Decisions

-
  • Implement pinpad functionality in a proper way (err, small decisions should be outlined now) -

-... to be continued ... -

-
-
diff --git a/doc/DesignDiscussion_UserInterface.html b/doc/DesignDiscussion_UserInterface.html deleted file mode 100644 index 5d4c280b..00000000 --- a/doc/DesignDiscussion_UserInterface.html +++ /dev/null @@ -1,20 +0,0 @@ - -DesignDiscussion/UserInterface - OpenSC - Trac
-

User Interface

-

-OpenSC is all about SmartCards?. SmartCards? are all about cryptography. Cryptography is something users don't care much about nor want to know about. At the same time - SmartCards? are usually tightly tied to the cardholder. So user interaction and UserInterface? are actually important components of the overall solutions that SmartCards? provide. -

-

-To sum up where exactly and how user interaction takes place, can take place or should take place, we need to know what layers and standards affect this area. Then we can find the most convinient and optimal path so that the whole usage of smartcards can be somewhat hidden and convenient for the user. To be more precise: user interaction is everything that the user _must_ do in normal cases - so user _has_ to authenticate to the card somehow, but she must not start other interactions - some application can have the initiative. Information to the end user (errors etc) falls into this category too. -

-

To be continued

-
  • pkcs11 defines login functions, what means user interaction is done by the application to get the pin -
  • pkcs11 also defines secure authentication path variable, what leaves the authentication process outside of the scope of pkcs11 -
  • pkcs15 defines user consent attribute, that must result in user interaction. -
  • opensc includes ui* functions that should deal with some of the problems described here -
  • applications (utilities) deal with user interaction - this should happen in a unified manner -
  • help to fill in! -
-
diff --git a/doc/EstonianEid.html b/doc/EstonianEid.html deleted file mode 100644 index b98d698c..00000000 --- a/doc/EstonianEid.html +++ /dev/null @@ -1,20 +0,0 @@ - -EstonianEid - OpenSC - Trac
-

Estonian EID

-

-OpenSC is the official software for the Estonian eID card for non-WinCSP platforms. -

-

-The official home page for the Estonian eID card is http://www.id.ee. -

-

-Martin Paljak has more information and downloads: http://ideelabor.ee/id-kaart. -

-

-More users of the estonian id card: -

-
-
diff --git a/doc/FinnishEid.html b/doc/FinnishEid.html deleted file mode 100644 index 7825dd39..00000000 --- a/doc/FinnishEid.html +++ /dev/null @@ -1,49 +0,0 @@ - -FinnishEid - OpenSC - Trac
-

-= Finnish FINEID = -

-

-The finnish eid card should work fine. -Of course it can only be used, but not altered. -

-

-FIXME:pin changes? -

-

-FIXME:extra data? -

-

-FIXME:did anyone test lately? -

-
-

-Unlocking a FINEID electronic identity card -

-

-You can ask the police for advice on the use of electronic identity cards. You can also test your electronic identity card at police stations. -

-

-If your electronic identity card has become locked, you can unlock it at a police station. You must have the correct PUK number with you to unlock the PIN number. -

-

-If you have lost your PUK number, the police can on request order a new PUK number, which will be sent by mail to the address you provide. The new number can then be used to unlock your PIN number. -

-

-Fees: -Unlocking a PIN number EUR 10 -New PUK number EUR 18 -

-

-For additional information on electronic identity cards, go to: -

-

-http://www.sahkoinenhenkilokortti.fi/ -

-

-http://www.vaestorekisterikeskus.fi/indexen.htm/ -

-
-
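Review bot: the first deleted line of this page is `-= Finnish FINEID =`, raw wiki heading markup that export-wiki.xsl left unrendered, whereas every other page in the patch got a plain title line. That points at a conversion gap in the exporter, so export-wiki.xsl should be checked before the HTML is regenerated from the wiki, or the same broken heading will come back in the next export.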
diff --git a/doc/GemplusGpk.html b/doc/GemplusGpk.html deleted file mode 100644 index dd70d652..00000000 --- a/doc/GemplusGpk.html +++ /dev/null @@ -1,16 +0,0 @@ - -GemplusGpk - OpenSC - Trac
-

Gemplus GPK 16k

-

-Gemplus GPK 16k cards are fully supported by OpenSC and regularly tested. -

-

-FIXME:Links,Documentation -

-

-FIXME:where to buy, price -

-
-
diff --git a/doc/GermanEid.html b/doc/GermanEid.html deleted file mode 100644 index 38d0bf91..00000000 --- a/doc/GermanEid.html +++ /dev/null @@ -1,20 +0,0 @@ - -GermanEid - OpenSC - Trac
-

German TCOS

-

-German has several laws for smart cards, and to our knowledge all cards conforming to those laws are using the TCOS 2.0X card operating -system. -

-

-OpenSC has only some initial support for TCOS cards, but not enough to use those cards with OpenSC. Also there is some code for OpenSC that needs to be ported from an older version of OpenSC to the current, it contains some of the work necessary. -

-

-This does NOT mean, that you cannot use preformatted TCOS cards (i.e. NetKey? E4-cards) with OpenSC. You find more information about how to use NetKey? E4 card here. -

-

-SignTrust- and German EId-cards are also TCOS based but might have a different layout, so the NetKey? E4-emulation might not work with this cards. If you have such a card and know the location of the certificates, keys and PINs, please post this information on the opensc-devel list. -

-
-
diff --git a/doc/ItalianEid.html b/doc/ItalianEid.html deleted file mode 100644 index 030ae5fd..00000000 --- a/doc/ItalianEid.html +++ /dev/null @@ -1,22 +0,0 @@ - -ItalianEid - OpenSC - Trac
-

Italian Infocamere

-

-Some versions of the italian infocamere card are supported by OpenSC. -

-

-FIXME:read-only?pin-changes? -

-

-FIXME:Add details -

-

-FIXME:did anyone test recently? -

-

-FIXME:documwentation, links....? -

-
-
diff --git a/doc/ItalianPostecert.html b/doc/ItalianPostecert.html deleted file mode 100644 index 76261a18..00000000 --- a/doc/ItalianPostecert.html +++ /dev/null @@ -1,19 +0,0 @@ - -ItalianPostecert - OpenSC - Trac
-

Italian Postecert

-

-Some versions of the italisn postecert card are supported by OpenSC. -

-

-FIXME:read-only? pin changes? -

-

-FIXME:did anyone test recently? -

-

-FIXME:documentation, pointers, etc.? -

-
-
diff --git a/doc/LinuxDistributions.html b/doc/LinuxDistributions.html deleted file mode 100644 index 3923e3ab..00000000 --- a/doc/LinuxDistributions.html +++ /dev/null @@ -1,40 +0,0 @@ - -LinuxDistributions - OpenSC - Trac
-

Linux Distributions

-

-For GNU/Linux users the best solution is, if the distribution already includes recent packages -of OpenSC. Here is a survey of recent distributions. If you have additional infomation, -please add it. -

- -
-
Debian woody (old stable) does not contain OpenSC packages -
Debian sarge (stable) OpenSC 0.9.6 included -
Debian sid (development) OpenSC 0.9.6 included -
Fedora Core 3 OpenSC 0.9.4 included -
Fedora Core 4 OpenSC 0.9.6 included -
Gentoo Portage OpenSC 0.9.6 in dev-libs/opensc -
Mandrake OpenSC 0.8.1 in contrib -
Novell/SUSE LINUX Enterprise Server 9 for x86 OpenSC 0.8.0 included -
OpenPKG not included -
Rock Linux OpenSC 0.9.4 included -
Suse 9.3 OpenSC 0.9.4 included -
Suse 9.2 OpenSC 0.8.1 included -
Suse 9.1 OpenSC 0.8.0 included -
-

-ATrpms lists some RPM based distributions. -

-

-Other operating systems: -

- -
NetBSD not included -
FreeBSD OpenSC 0.9.4 included -
OpenBSD not included -
fink / Mac OS X not included -
-
-
diff --git a/doc/MacOsX.html b/doc/MacOsX.html deleted file mode 100644 index 9638c749..00000000 --- a/doc/MacOsX.html +++ /dev/null @@ -1,66 +0,0 @@ - -MacOsX - OpenSC - Trac
-

Using OpenSC on Mac OS X

-

-First you need Mac OS X Version 10.4 or later. Older version are supposed to not work well, -but if you try and have success, please report here. -I report! -it worked for me under 10.3.9 G4 1,2Ghz, and i can use my mpmanF50 again. Thanks. -reach me nicolasb at gmaildotcom. French tutorial here : http://nicolasbizard.free.fr/blog -

-

-Then you need a driver for your smart card reader. Hier is an examle for Axalto e-gate tokens: -* Download and install libusb. http://libusb.sourceforge.net/ -* Download ifd-egate from http://www.luusa.org/~wbx/sc/ifd-egate-0.05-patched.tar.gz -

-

-To install libusb, you need to extract the files, configure it, make, make install: -

-
wget http://switch.dl.sourceforge.net/sourceforge/libusb/libusb-0.1.10a.tar.gz
-tar xfvz libusb-0.1.10a.tar.gz
-cd libusb-0.1.10a
-./configure --prefix=/opt/smartcard
-make
-make install
-cd ..
-

-To install ifd-egate you need to extract the files, and use some environment variables to make sure it finds everything (or edit the -compile options in the Makefile directly): -

-
wget http://www.luusa.org/~wbx/sc/ifd-egate-0.05-patched.tar.gz
-tar xfvz ifd-egate-0.05-patched.tar.gz
-cd ifd-egate-0.05
-export USB_CFLAGS="-I/opt/smartcard/include -I/System/Library/Frameworks/PCSC.framework/Headers"
-export USB_LDFLAGS="-L/opt/smartcard/lib -lusb -Wl,-framework -Wl,PCSC"
-make -f Makefile-OSX clean
-make -f Makefile-OSX 
-make -f Makefile-OSX install
-export USB_CFLAGS=
-export USB_LDFLAGS=
-cd ..
-

-Last you need to download and install opensc. This is straight forward: download, extract, configure, make, make install. -

-
wget http://www.opensc.org/files/opensc-0.9.6.tar.gz
-tar xfvz opensc-0.9.6.tar.gz
-cd  opensc-0.9.6
-./configure --prefix=/opt/smartcard --sysconfdir=/etc
-make
-make install
-cd ..
-

SSH with smartcard support

-

-Mac OS X does include openssh, but unfortunatly compiled without smartcard support. -Here is how you can recompile openssh with it: -

-
wget ftp://ftp.leo.org/pub/OpenBSD/OpenSSH/portable/openssh-4.1p1.tar.gz 
-tar xfvz openssh-4.1p1.tar.gz
-cd  openssh-4.1p1
-./configure --prefix=/opt/smartcard --sysconfdir=/etc --with-opensc=/opt/smartcard
-make
-make install
-cd ..
-
-
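Review bot: the build recipe in the deleted MacOsX.html fetches libusb, a patched ifd-egate tarball from a personal URL (www.luusa.org/~wbx/) and openssh-4.1p1 over plain http/ftp and runs `make install` on each with no checksum or signature check; if this content is being moved to the wiki rather than dropped, add the expected hashes or at least point at the upstream release pages for libusb and OpenSSH, and say which path the rebuilt `/opt/smartcard/bin/ssh` must come before in PATH, since the system ssh is not replaced. Minor: "Hier is an examle" and "unfortunatly" should be fixed in the migrated copy.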
diff --git a/doc/Makefile.am b/doc/Makefile.am index 0991b899..718d23fe 100644 --- a/doc/Makefile.am +++ b/doc/Makefile.am @@ -6,19 +6,4 @@ MAINTAINERCLEANFILES = Makefile.in EXTRA_DIST = README export-wiki.sh export-wiki.xsl $(HTML) -HTML= AladdinEtokenPro.html AutoVersions.html BelgianEid.html CardOs.html \ - CardReaders_CTAPI.html CardReaders_SPR532.html CardsAndTokens.html \ - CompatibilityIssues.html CompatiblityIssues.html \ - CryptoIdendityItsec.html Cryptoflex.html Cyberflex.html \ - DesignDiscussion.html DesignDiscussion_UserInterface.html \ - EstonianEid.html FinnishEid.html GemplusGpk.html GermanEid.html \ - ItalianEid.html ItalianPostecert.html LinuxDistributions.html \ - MacOsX.html MartinBlog.html MartinBlogMuscle.html \ - MartinBlogPlatform.html OpenPgp.html OpenSsh.html \ - OpensslEngines.html PinpadReaders.html PuTTYcard.html \ - RainbowIkeyThree.html RecentTestresults.html ReleaseHowto.html \ - ReplacingCertificates.html RoadMap.html SchlumbergerEgate.html \ - SmartCardApplications.html SpanishEid.html SubversionRepository.html \ - SupportedHardware.html SwedishEid.html TaiwanEid.html TelseCos.html \ - TroubleShooting.html WindowsCsp.html index.html pkcs11_keypair_gen.html - +HTML= $(shell ls $(srcdir)/*.html $(srcdir)/*.css) diff --git a/doc/MartinBlog.html b/doc/MartinBlog.html deleted file mode 100644 index e311fd6d..00000000 --- a/doc/MartinBlog.html +++ /dev/null @@ -1,16 +0,0 @@ - -MartinBlog - OpenSC - Trac
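Review bot: in the doc/Makefile.am hunk, `HTML= $(shell ls $(srcdir)/*.html $(srcdir)/*.css)` relies on the GNU make `$(shell)` extension and is expanded when make runs, so on a fresh checkout (which after this commit contains no HTML at all) `ls` prints an error and the glob contributes nothing to EXTRA_DIST; `make dist` then silently produces a tarball without the documentation unless export-wiki.sh has been run first. Either make the dist target depend on the export step, or generate the file list in export-wiki.sh instead of globbing at make time.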
-

Smart Card Notes

-

-I create this page to keep track of my activities on OpenSC hacking so that it would be easy for me to manage&update and available for others who might be interested in the topic and so that somebody else could correct the mistakes I'm doing ;) -

-

-MartinBlogPlatform - description of personal setups i use for testing -

-
-
diff --git a/doc/MartinBlogMuscle.html b/doc/MartinBlogMuscle.html deleted file mode 100644 index e8109ed3..00000000 --- a/doc/MartinBlogMuscle.html +++ /dev/null @@ -1,47 +0,0 @@ - -MartinBlogMuscle - OpenSC - Trac
-

MUSCLE

-

-##TODO## muscle info -

-

-What i have -

-
  • USB e-gate token for Cyberflex cards -
  • Two Cyberflex 32k cards (one in token and one full size card) -

-What i run on -

-
  • WindowsXP SP2 (x86, free visual c toolkit, .net sdk, mingw setup) -
  • GNU/Linux (x86, kernel 2.6, mostly Debian/unstable) -
  • OS X 10.4 (Xcode et al, fink) -

-How to access the e-gate USB token -

-

- -How to load the applet to the card -

-

-What to do with the card then? -

-

-Some notes -

-
  • David: OpenSC PKCS#11 needs to be updated to better support token initialization (InitToken?, InitPIN, CreateObject?, .....) -
  • To be continued -
-
diff --git a/doc/MartinBlogPlatform.html b/doc/MartinBlogPlatform.html deleted file mode 100644 index 39ec0922..00000000 --- a/doc/MartinBlogPlatform.html +++ /dev/null @@ -1,23 +0,0 @@ - -MartinBlogPlatform - OpenSC - Trac
-

Platforms and hardware

-

CardReaders

-

-I actively use these readers for testing purposes -

-
  • SCM SCR 331 -
    • Cheap, well supported, distributed nation-wide by Estonian eID project -
    • Conforms to CCID standard -
  • SCM SPR 532 -
    • Well supported, secure pinpad reader -
    • Conforms to CCID standard -
  • OmniKey? Cardman 2020 -
    • Works well on Windows -
    • Has no well supported open-source drivers for Linux (Original driver is kernel module for 2.4) -

Windows

-

Linux

-

OS X

-
-
diff --git a/doc/OpenPgp.html b/doc/OpenPgp.html deleted file mode 100644 index 1c23b5ab..00000000 --- a/doc/OpenPgp.html +++ /dev/null @@ -1,9 +0,0 @@ - -OpenPgp - OpenSC - Trac
-

-OpenPGP 1.0 cards work fine with OpenSC. -

-
-
diff --git a/doc/OpenSsh.html b/doc/OpenSsh.html deleted file mode 100644 index 2077b7ab..00000000 --- a/doc/OpenSsh.html +++ /dev/null @@ -1,58 +0,0 @@ - -OpenSsh - OpenSC - Trac
-

OpenSSH and OpenSC

-

-OpenSSH contains support for opensc, if it was compiled with "--with-opensc". -Unfortunately the openssh version included in most distributions is not compiled -this way. You can recompile openssh yourself. Ready-to-use binary packages are -available here: -

- -
Distribution Download URL -
Name ADD URL -
Gentoo The USE-flag "smartcard" makes the openssh ebuild depend on opensc and apply appropriate patches. Add the USE-flag system-wide to /etc/make.conf or just for OpenSSH in /etc/portage/package.use and re-emerge openssh. USE=smartcard emerge openssh will still work but is discouraged by Gentoo. -
-

-If you compile OpenSSH yourself: Please apply the patch in opensc-0.9.6/src/openssh/ask-for-pin.diff. -This patch fixes a small issue: openssh "ssh" command will not ask for a pin and thus not work well -with smart cards. Ssh-add will ask for a pin, and thus ssh plus ssh-agent will work well. This patch -adds code so that ssh will ask for the smartcard pin, too. This patch was not accepted upstream so -far, the openssh development team has a concept for a rewrite towards a cleaner solution, but this -is still pending. So for now the patch is our best option. -Seel also: OpenSSH bug 608 -

-

Using OpenSSH with a smartcard

-
ssh -I 0 root@somehost
-

-will use the smart card in reader 0 and private key 0x45 to authenticate as root on host somehost. -This will of course only work if root@somehost has a ".ssh/authorized_keys" file and the public key -related to this private key is in that file. -

-
ssh-keygen -D 0 
-

-will download the public key from your smart card and print it in ssh1 and ssh2 format. You only need -one of those two lines. Put it into ".ssh/authorized_keys" on the target host and account like you do -with a normal .ssh/id_rsa.pub file. You can add a space char and a comment at the end of the line, -I usually add something like " aj@smartcard" so I know this is the key from my smartcard. -

-

-Starting with the next OpenSC release you can also use pkcs15-tool to display a public key in openssh -format. To do this type -

-
pkcs15-tool --read-ssh-key [--reader 0] [--id 45]
-

-the default reader is 0 and the default id is 45, so typically you don't need those options. -(This might be useful for windows, since putty/pageant currently has no equivalent of "ssh-keygen -D 0".) -

-

-The OpenSSH public key format is defined at -[http://www.ietf.org/internet-drafts/draft-ietf-secsh-publickeyfile-08.txt] -

-

-TODO: it would be propably nicer to have one --read-public-key parameter, and a second optional parameter ---format with possible values der, pem, ssh1, ssh2. A patch to implement this would be very welcome. -

-
-
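Review bot: the page says `ssh -I 0` uses "private key 0x45" and that `pkcs15-tool --read-ssh-key` defaults to `--id 45`, but never states the consequence, that the key has to be created with ID 45 for the OpenSSH opensc support to find it; add one sentence saying so, otherwise a user with a key under another ID gets an unexplained authentication failure. Also "Seel also" should be "See also", and the "Name ADD URL" row of the download table is a placeholder that should be filled in or removed when this goes to the wiki.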
diff --git a/doc/OpensslEngines.html b/doc/OpensslEngines.html deleted file mode 100644 index 8edaa236..00000000 --- a/doc/OpensslEngines.html +++ /dev/null @@ -1,20 +0,0 @@ - -OpensslEngines - OpenSC - Trac
-

OpenSSL Engines

-

-The OpenSSL project offers the possibility to source out cryptographic functionality to plugin modules called engines. Usually there is one of two reasons for doing this, performance and security. -

-

-The performance reason is rather obvious, specialized hardware can do cryptography much faster than a general purpose computer. -

-

-The reason for using the opensc-engine typically is a security reason. If you are storing your private keys on a harddisk there is a lot of things an administrator (or a virus with root privileges) can do to steal your key. If the key is on a smart card there is usually no way to export the private key, so if you pull the card from the reader noone can use your keys. And if you use a certified and sealed reader device you can even be reasonably sure that noone can steal your PIN. -

-

Using OpenSC as a smart card engine for OpenSSL

-

-Include the text from QUICKSTART here? -

-
-
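Review bot: the security paragraph overstates the protection: a non-exportable key on a card stops an attacker from copying it, but an administrator or root-level malware on the host can still use the key (sign or decrypt) for as long as the card is inserted and the PIN has been verified, and with a reader without its own pinpad they can capture the PIN as well. Say "cannot be copied" rather than "noone can use your keys", and note that pulling the card only ends future use. The "Include the text from QUICKSTART here?" placeholder should be resolved before the page is moved to the wiki.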
diff --git a/doc/PinpadReaders.html b/doc/PinpadReaders.html deleted file mode 100644 index 67658f53..00000000 --- a/doc/PinpadReaders.html +++ /dev/null @@ -1,39 +0,0 @@ - -PinpadReaders - OpenSC - Trac
-

Pinpad Readers

-

-Pinpad support with OpenCT is still under development. If you want to test it you'll have to use development snapshots of OpenSC and will most probably run into difficulties and/or outright bugs. -Reporting those bugs on the mailinglist may be a good way to get them fixed. -

-

-Currently Win32 and Unix versions follow quite different approaches, mainly due to availability of different drivers. -

-

-The Unix approach using CCID compliant readers is discribed in the CardReaders/SPR532 document, I'll have a word about CT-API Readers which are common on Win32 (if you have one on a Unix system please tell me!). -(martin: The 'ccid' in the spec is misleading - every ifdhandler can be changed to implement the teletrust spec - it uses a control block similar to CCID pin block but is _not_ pure ccid up to the lowest levels of the driver. And: the latest spr532 drivers for windows should follow the same spec and thus it _should_ work on windows. it is more tied to pcsc than it is tied to pure ccid) -

-

Known and tested pinpad readers

-

-Please feel free to add your hardware and experiences here. -

-

-Class 2 readers have a pinpad for secure pin entry. Sometimes they are plugged between computer and keyboard so they use the keyboard for pin entry but capture the keystrokes before they reach the computer. -

-

-Class 3 readers have pinpad and a display. -

- -
Reader OS Type CT-API library Comments -
SCM STR 391 "CashMouse" Win32 Class 3 USB CTRSRW32.dll Works fine with Win32, no Unix support planned -
Cherry G83-6700 Smartboard Win32 Class 2 PS/2 CTMGR.DLL A keyboard integrated reader which uses the keyboard for pin entry. Buggy CT-API driver, I got it working but not without patching OpenCT. No known Unix support -
Reiner SCT cyberJack pinpad Win32 Class 2 USB CTRSCT32.DLL According to the manufacturer's website it should also run on Linux, but I haven't managed it. -
Reiner SCT cyberJack keyboard Win32 Class 2 PS/2 CTRSCT32.DLL A cheap class 2 solution. It uses the keyboard for pin entry. No known Unix support. -
SCM SPR 332, 532 "Chipdrive Pinpad" Win32 Class 2 USB CTPCSC32.dll A widely used CCID compliant reader. I also got it working on Linux following Martin's CardReaders/SPR532 suggestions -
-

-Kobil and OmniKey also offer pinpad readers, if someone could test one of those with OpenSC feedback would be appreceated. -

-
-
diff --git a/doc/PuTTYcard.html b/doc/PuTTYcard.html deleted file mode 100644 index 3f406948..00000000 --- a/doc/PuTTYcard.html +++ /dev/null @@ -1,251 +0,0 @@ - -PuTTYcard - OpenSC - Trac
-

PuTTYcard

-

-PuTTYcard is an extension to PuTTY, the free SSH-client -from Simon Tatham. With this extension PuTTY can use -RSA-keys from external devices, ie. smart cards, usb-tokens. -

-

-If pageant is called with one argument, it will interpret -this argument as the name of a key-file. Pageant will then -load this ppk-file into its keylist, or if another instance of -Pageant is already running into the keylist of that instance. -

-

-The pageant-version from PuTTYcard-0.58-V1.2.zip (can be downloaded -from OpenSCs contrib area) will do exactly the same thing -with one exception. If the first line of the ppk-file -has the form: -

-
PuTTYcard,<path to DLL>,<arguments for the DLL>
-

-then Pageant will NOT read the key from the ppk-file. Instead -it loads the DLL and calls a function from that DLL passing -the arguments from the ppk-file to this function. -

-

-The function may then fetch a public RSA key from any -source. Possbile choices are: files, smart cards, PKCS11 -libraries, Cryptographic Service Providers, etc. -

-

-PuTTYcard-0.58-V1.2.zip contains PuTTYiso7816.dll. This -DLL will load an RSA key from any ISO-7816-8 compatible -smart card. PuTTYiso7816 need additional information -from the ppk-file, namely the location of the RSA key -on your specific smartcard. -

-

-This information is given as 4 hexadecimal numbers, i.e. -your ppk-file should look like -

-
PuTTYcard,PuTTYiso7816.dll,<path>,AA,BB,CCCC
-

-<path> is the DF on your smart card that contains the RSA-key. -This must be specified as a 4,8,12 or 16digit hexadecimal -number. Do NOT prefix the path with 3F00. -AA is the key-reference of the private key, BB is the -pin-reference of the pin that protects your private key. -CCCC is the ID of a file on your card that contains your -public key. This file must either contain the public key -as two ASN1-encoded records or it must be a certificate file -from which the pulic key will be extracted. -

-

How do I find the above mentiones numbers?

-

-One of the first actions of PuTTYcard -is to change its working DF to the DF given by the -<path>-argument. The remaining information -(private and public key, PIN and maybe a certificate) -will then be read from that DF. Try pkcs15-tool -k -to list all of your keys and that should give you the -information you need. -

-

-Here's the output for my Netkey E4 card: -

-
$ pkcs15-tool -k
-Private RSA Key [Signatur-Schlüssel]
-        Com. Flags  : 1
-        Usage       : [0x204], sign, nonRepudiation
-        Access Flags: [0x1D], sensitive, alwaysSensitive, neverExtract, local
-        ModLength   : 1024
-        Key ref     : 128
-        Native      : yes
-        Path        : DF015331
-        Auth ID     : 04
-        ID          : 01
-
-Private RSA Key [Authentifizierungs-Schlüssel]
-        Com. Flags  : 1
-        Usage       : [0x207], encrypt, decrypt, sign, nonRepudiation
-        Access Flags: [0x1D], sensitive, alwaysSensitive, neverExtract, local
-        ModLength   : 1024
-        Key ref     : 130
-        Native      : yes
-        Path        : DF015371
-        Auth ID     : 04
-        ID          : 02
-
-Private RSA Key [Verschlüsselungs-Schlüssel]
-        Com. Flags  : 1
-        Usage       : [0x207], encrypt, decrypt, sign, nonRepudiation
-        Access Flags: [0x1D], sensitive, alwaysSensitive, neverExtract, local
-        ModLength   : 1024
-        Key ref     : 129
-        Native      : yes
-        Path        : DF0153B1
-        Auth ID     : 03
-        ID          : 03
-

-This card has three keys all of which are stored in DF DF01. -This is your <path>-value. Do not include the last component of the -path from the pkcs15-tool-output as this is the ID of the -private key itself. -

-

-The next information you need is the key reference. This value -is included as a decimal number in the above output (ie. 128, 130 and 129). -This value must be converted to a 2-digit hexadcimal number. Let's -use the second key, so your AA-value is 82. -

-

-Your private key is protected by a PIN and the pkcs15-tool -k-output -contains the Auth-ID of this PIN. Here it is 04. This is not -your PIN-reference. Use pkcs15-tool --list-pins to list all -your PINs and use the PIN-reference of the PIN that has the same Id -as the Auth-Id of your key. -

-
$ pkcs15-tool --list-pins
-PIN [globale PIN]
-        Com. Flags: 0x3
-        ID        : 01
-        Flags     : [0x51], case-sensitive, initialized, unblockingPin
-        Length    : min_len:6, max_len:16, stored_len:16
-        Pad char  : 0x00
-        Reference : 0
-        Type      : ascii-numeric
-        Path      : 5000
-        Tries left: 3
-
-PIN [globale PUK]
-        Com. Flags: 0x3
-        ID        : 02
-        Flags     : [0xD1], case-sensitive, initialized, unblockingPin, soPin
-        Length    : min_len:8, max_len:16, stored_len:16
-        Pad char  : 0x00
-        Reference : 1
-        Type      : ascii-numeric
-        Path      : 5001
-        Tries left: 3
-
-PIN [lokale PIN0]
-        Com. Flags: 0x3
-        ID        : 03
-        Flags     : [0x13], case-sensitive, local, initialized
-        Length    : min_len:6, max_len:16, stored_len:16
-        Pad char  : 0x00
-        Reference : 128
-        Type      : ascii-numeric
-        Path      : DF015080
-        Tries left: 3
-
-PIN [lokale PIN1]
-        Com. Flags: 0x3
-        ID        : 04
-        Flags     : [0xD3], case-sensitive, local, initialized, unblockingPin, soPin
-        Length    : min_len:6, max_len:16, stored_len:16
-        Pad char  : 0x00
-        Reference : 129
-        Type      : ascii-numeric
-        Path      : DF015081
-        Tries left: 3
-

-Again the PIN-reference is given in decimal (here it is 129) and must be -converted to a 2-digit hexdecimal number, namely 81. This is -your BB-value. -

-

-Finally you need the file-ID of the public key or a certificate file -from which he public key could be extracted. -

-

-So either use pkcs15-tool --list-public-keys or -pkcs15-tool -c. With my Netkey card pkcs15-tool --list-public-keys -does not show any keys. This is because my Netkey card -contains the public key, but it cannot be used for cryptographic -operations. From other sources (ie. card doku) I know that -the public key is stored in file DF01:4571, so one possible -CCCC-value is 4571. -

-

-If I list all my certificates I get: -

-
$ pkcs15-tool -c                
-X.509 Certificate [Telesec Signatur Zertifikat]
-        Flags    : 0
-        Authority: no
-        Path     : DF01C000
-        ID       : 01
-
-X.509 Certificate [User Signatur Zertifikat 1]
-        Flags    : 2
-        Authority: no
-        Path     : DF014331
-        ID       : 01
-
-X.509 Certificate [User Signatur Zertifikat 2]
-        Flags    : 2
-        Authority: no
-        Path     : DF014332
-        ID       : 01
-
-X.509 Certificate [Telesec Authentifizierungs Zertifikat]
-        Flags    : 0
-        Authority: no
-        Path     : DF01C100
-        ID       : 02
-
-X.509 Certificate [User Authentifizierungs Zertifikat 1]
-        Flags    : 2
-        Authority: no
-        Path     : DF014371
-        ID       : 02
-
-X.509 Certificate [Telesec Verschlüsselungs Zertifikat]
-        Flags    : 0
-        Authority: no
-        Path     : DF01C200
-        ID       : 03
-
-X.509 Certificate [User Verschlüsselungs Zertifikat 1]
-        Flags    : 2
-        Authority: no
-        Path     : DF0143B1
-        ID       : 03
-

-A certificate contains the right public key, if it has the -same ID as the private key (here 02). My card has two such -certificates namely DF01:C100 and DF01:4371 so two other -possible CCCC-values are C100 and 4371 -

-

-On a Netkey card a private key may be protected by more than -one PIN. So instead of PIN-reference 81 (which references -local PIN1) I may alternatively use PIN-reference 00 (which -references global PIN0) -

-

-So all of the following six lines will work: -

-
PuTTYcard,PuTTYiso7816.dll,DF01,82,81,4571
-PuTTYcard,PuTTYiso7816.dll,DF01,82,81,C100
-PuTTYcard,PuTTYiso7816.dll,DF01,82,81,4371
-PuTTYcard,PuTTYiso7816.dll,DF01,82,00,4571
-PuTTYcard,PuTTYiso7816.dll,DF01,82,00,C100
-PuTTYcard,PuTTYiso7816.dll,DF01,82,00,4371
-
-
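Review bot: the mechanism described here makes the patched Pageant load whatever DLL is named in the first line of a .ppk file (`PuTTYcard,<path to DLL>,<arguments for the DLL>`), so loading an attacker-supplied key file becomes arbitrary code execution inside the agent process; the page should warn not to load .ppk files from untrusted sources and ideally restrict the DLL path to the PuTTY installation directory. The worked conversions are right (key ref 130 -> 82, PIN ref 129 -> 81, global PIN reference 0 -> 00), but "mentiones", "hexadcimal", "Possbile", "pulic" and "he public key" need fixing in the migrated copy.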
diff --git a/doc/RainbowIkeyThree.html b/doc/RainbowIkeyThree.html deleted file mode 100644 index 22353d23..00000000 --- a/doc/RainbowIkeyThree.html +++ /dev/null @@ -1,31 +0,0 @@ - -RainbowIkeyThree - OpenSC - Trac
-

Rainbow iKey 3000

-

-Rainbow offers the iKey 300, an USB crypto token with 32k memory -and support for RSA keys up to 1024bit key length. -

-

-The iKey 3000 is fully supported by OpenSC and is well tested. -

-

-The smart card inside is a starcos card by Gieseke and Devrient. -

-

-One minor feature of Starcos is that a pin can only be unblocked if it is blocked. For this reason the regression test pin0002 fails, but this is a harmless and known issue, so please ignore. -

-

-Rainbow iKey 3000 is bundled with StarSign? software by A.E.T. which follows the PKCS#15 standard. Thus key -can be initialized with either OpenSC or StarSign? and will work with both. -

-

-Documentation for the Starcos Smartcard is available to the public. Send those nice folks at G&D an email -and they will send you the latest manual. -

-

-Cyprotect sells Rainbow iKey 3000 tokens at 68 Euro per piece. -

-
-
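Review bot: "iKey 300" in the first paragraph should be "iKey 3000" as in the heading, and "Gieseke and Devrient" is Giesecke & Devrient. The pin0002 note here calls the failure "harmless", while RecentTestresults.html attributes it to a non-ISO RESET RETRY COUNTER implementation in Starcos SPK 2.3; keep the two explanations consistent when the pages are migrated so readers know the test fails for a card reason, not an OpenSC bug.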
diff --git a/doc/RecentTestresults.html b/doc/RecentTestresults.html deleted file mode 100644 index 03f0da9a..00000000 --- a/doc/RecentTestresults.html +++ /dev/null @@ -1,232 +0,0 @@ - -RecentTestresults - OpenSC - Trac
-

Recent test results for various smart cards

-

-Providing test results is a bit difficult, since a test includes -

-
  • OpenSC (Version) -
  • Smart card (Name, Variant, blank or pre-initialized) -
  • Operating Sytem (Name, Version, Architecture) -
  • Smart card reader (Name, Modell, Firmware version) -
  • Software for the smart card reader driver (Name of the driver, version) -
  • Middleware (PC/SC-Lite? Version? Configuration?) -
  • opensc.conf configuration -

-And of course the features that were tested. Here is a list: -

-
  • src/test/regression test suite, run-all script. -
  • pkcs15-init (manual init, keygen, certificate store, cert+key store) -
  • pkcs11-tool (manual, "pkcs11-tool --test --login") -
  • openssl command line tool with opensc engine -
  • openssl command line tool with pkcs11 engine -
  • firefox with pkcs11 module (https authentication with a client certificate and key) -
  • thunderbird with pkcs11 module (email signing and decryption) -
  • mozilla with the same tests as firefox and thunderbird -
  • netscape with the same tests as firefox and thunderbird -
  • key generation and certificate store via some web site (e.g. thawte community) -
  • openssh with smart card authentication (or putty on windows) -
  • openssh agent with smart card authentication (or pageant on windows) -
  • login with pam module (with local .eid/authorized_certificates) -
  • login with pam module (with the certificate in an ldap server) -
  • free/open/stronswan vpn with x.509 certificate authentication using a smart card -
  • accessing a wireless lan protected with wpa, 802.1x, eap-tls using the wpa_supplicant, with a smart card -
  • testing the Identity Alliance CSP on windows with the opensc-pkcs11.dll: using internet explorer for client certificate authentication at some website. -
  • testing the Identity Alliance CSP on windows with the opensc-pkcs11.dll: using outlook to sign and decrypt emails. -
  • testing CSP #11 on windows with the opensc-pkcs11.dll: using internet explorer for client certificate authentication at some website -
  • testing CSP #11 on windows with the opensc-pkcs11.dll: using outlook to sign an decrypt emails. -

-We can't test all combinations of OpenSC, card, Reader, driver software with all features. -

-

-So the basic regression tests (or pkcs11-tool for pre-initialized cards) is done with as many cards -as possible on at least one plattform. Once we know the cards work with OpenSC on this plattform, the next test is -to test as many features as possible on many plattforms, but it is ok to test only with a few or only once card. -

-

-Which cards passed the src/test/regression/run-all test suite? -

-
- --------- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Card NameOpenSCDateReaderReader driverResultTester
Aladdin eToken PRO0.9.52005-01-13Aladdin eToken PROOpenCT 0.6.3All ok.Andreas Jellinghaus
Cryptoflex 32k0.9.52005-01-13eGate TokenOpenCT 0.6.3All ok.Andreas Jellinghaus
Rainbow iKey 30000.9.52005-01-13Rainbow iKey 3000OpenCT 0.6.3All ok.Andreas Jellinghaus
-

-Note that Rainbow iKey 3000 has a Starcos SPK 2.3 operating system, and thus the pin0002 test will -fail, but this is ok as the Starcos SPK 2.3 implementation of the ISO 7816 RESET RETRY COUNTER command -is not ISO compliant. -

-

-Which cards passed the "pkcs11-tool --test --login" test? (Only for pre-initialized cards) -

-
- --------- - - - - - - - - - - - - - - - - - - -
Card NameOpenSCDateReaderReader driverResultTester
Signtrust TCOS0.9.52005-03-04Towitoko SerialOpenCT 0.6.3???Andreas Jellinghaus
-

-Which operating system works fine with OpenSC? Add one line for every feature that works or not. -

-
- --------- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Operating SystemVersionArchitectureOpenSCFeatureResultTester
Windows XPPRO SP2i3860.9.5+winfixespkcs15-initAll ok.Andreas Jellinghaus
Windows XPPRO SP2i3860.9.5+winfixespkcs11-toolAll ok.Andreas Jellinghaus
Windows XPPRO SP2i3860.9.5+winfixesputtyAll ok.Andreas Jellinghaus
Windows XPPRO SP2i3860.9.5+winfixesfirefoxCrashes.Andreas Jellinghaus
Debian GNU/LinuxSargei3860.9.5pkcs15-initAll ok.Andreas Jellinghaus
Debian GNU/LinuxSargei3860.9.5pkcs15-initAll ok.Andreas Jellinghaus
Debian GNU/LinuxSargei3860.9.5pkcs15-initAll ok.Andreas Jellinghaus
Debian GNU/LinuxSargei3860.9.5pkcs15-initAll ok.Andreas Jellinghaus
-

-After you have tested some hardware, please let us know by adding a line. -If something does not work as expected, please also open a new ticket -with a detailed bug report. -

-

-Note: adding your name as tester is optional. I think it might be nice so one can ask more details if necessary. -

-
-
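Review bot: the operating-system table repeats the identical "Debian GNU/Linux / Sarge / i386 / 0.9.5 / pkcs15-init / All ok." row four times, which looks like copy-paste rows that were never filled with the other features, the Signtrust TCOS row has "???" as its result, and "firefox ... Crashes." on Windows XP has no ticket reference even though the page asks testers to open one; fix these before the tables are moved to the wiki. Also "Sytem", "Modell", "plattform" and "stronswan" are misspelt.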
diff --git a/doc/ReleaseHowto.html b/doc/ReleaseHowto.html deleted file mode 100644 index 4edb35e2..00000000 --- a/doc/ReleaseHowto.html +++ /dev/null @@ -1,36 +0,0 @@ - -ReleaseHowto - OpenSC - Trac
-

OpenSC Release Howto

-

-Announcement -

-
  • Write announcement. Write short version (600 bytes) for freshmeat. -
  • find someone to proofread announcement -

-The OpenSC version must be updated in these files: -

-
  • configure.in -
  • win32/version.rc -
  • src/include/winversion.h -
  • docs/doxygen.conf -

-The News file needs to be edited: put in Name and Date. -

-

-The library version must be updated in these files: -

-
  • configure.in -
  • src/pkcs11/pkcs11-global.c -

-Announce: -

-
  • change LATEST file in svn/web/trunk -
  • add file to svn/web/trunk/news/ -
  • via mail to opensc-announce,users,devel -
  • update freshmeat entry -
  • (root@opensc): trac-admin /home/trac/opensc version add 0.X.Y -
  • (root@opensc): edit /home/trac/opensc/conf/trac.ini change default_version -
-
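Review bot: the version-bump checklist lists `docs/doxygen.conf`, but the documentation directory in this tree is `doc/` (every file this commit touches lives under doc/); check the path so a release does not ship with a stale version in the doxygen output.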
diff --git a/doc/ReplacingCertificates.html b/doc/ReplacingCertificates.html deleted file mode 100644 index 7298cdaf..00000000 --- a/doc/ReplacingCertificates.html +++ /dev/null @@ -1,75 +0,0 @@ - -ReplacingCertificates - OpenSC - Trac
-

Replacing a certificate on a card

-

-Unfortunatly not all cards allow to replace a certificate with a new one. -Here is a small HOWTO for Aladdin eToken PRO (should work with any cardos card). -

-

-1. Create a new certificate. If it's a self signed certificate, don't forget to add the -days attribute, else you'll have to do this process very often. -

-

-2. If you have the certificate PEM encoded (this is very likely if you use the default settings of openssl) then convert it to DER encoded: -

-
$ openssl x509 -in mycert.pem -outform DER -out mycert.der
-

-3. Now get the path of the certificate: -

-
 $ pkcs15-tool -c
-X.509 Certificate [Certificate]
-        Flags    : 2
-        Authority: no
-        Path     : 3F0050154301
-        ID       : 45
-
-

-The path here is: 3F0050154301 -

-

-4. open up opensc-explorer -

-
OpenSC > cd 5015
-

-5. present the valid key for the certificate file, usually the normal pin. You can get info about wich pin to use by executing: -

-
OpenSC > info [EF]
-

-where [EF] is the name of the cert EF (in the above example 4301) -

-

-You'll need the key in hexadecimal format, an example how to convert it: -

-
 $ export HISTFILE=
- $ php -r 'echo bin2hex("pssword")."\n";'
-707373776f7264
-

-You'll have to add the colons manually. If your password is shorter than 8 characters, fill it up with 00-s. So with the above example you enter at the opensc-explorer: -

-
OpenSC > verify CHV3 70:73:73:77:6f:72:64:00
-

-Code correct. -

-

-6. Now you can load the data from the DER encoded file into the EF on the card: -

-
OpenSC > put 4301 mycert.der
-

-If you get no errors, then you're done. -

-

-Remarks: -

-
  • This isn't the preferred way for everyday users to replace the certificates. Maybe this isn't even for the user's mailing list, but I couldn't find any description how to solve this dangerous yet very urging problem. -
  • This may not work on some cards. -
  • Since the key isn't changed, after replacing the old certificate you -

-_won't_ need to replace your .eid/authorized_certificates, or .ssh/authorized_keys files. -

-
  • I had to delete the contents of the .eid/cache/ directory for Mozilla to see the new certificate correctly. -

-Thanks to Attila Nagy for this information. -

-
-
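Review bot: step 5 passes the PIN as a command-line argument to `php -r 'echo bin2hex("pssword")...'`, which is visible to every local user via `ps` while it runs; unsetting HISTFILE only keeps it out of the shell history. Suggest converting the PIN with a tool that reads from stdin, or skipping the conversion altogether by verifying the PIN through pkcs15-tool. The "fill it up with 00-s" rule is stated as universal, but the pad character is card-specific (the PuTTYcard page's `pkcs15-tool --list-pins` output carries a "Pad char" field per PIN), so say it applies to the eToken PRO / CardOS case this HOWTO covers. Also "wich" -> "which", "Unfortunatly" -> "Unfortunately".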
diff --git a/doc/RoadMap.html b/doc/RoadMap.html deleted file mode 100644 index 15e560f3..00000000 --- a/doc/RoadMap.html +++ /dev/null @@ -1,24 +0,0 @@ - -RoadMap - OpenSC - Trac
-

Roadmap for OpenSC

-

-This page should be a place for discussions about future developments of OpenSC in free form untill something clear comes out so that a reference to the Roadmap module and an exact ticket can be made. Issues not directly concerning OpenSC go here too. Feel free to add comments (also state your name in parentheses after your comment!) and ideas for others to digest. This way the targets can be analysed, grouped etc. DesignDiscussion complements this page. -

-
-

-Some assumptions/facts by martin: -

-
  • There are two main card oriented interests in OpenSC -
    1. Pure pkcs15 -
    2. Everything else - mostly read-only, (pkcs15 emulation) NationalIdCards? -
  • Whataver the case - most used component is pkcs11 module -
  • Though there are several different SmartCards? popping into the wallets of people lately - the biggest userbase will be (is?) NationalIdCards? owners -

-Based on those assumptions, I'd suggest to focus the efforts on these aspects: -

-
  • Improve, test (upgrade to pkcs11 v2.20?) the pkcs11 implementation. Who wins: most users. For 'normal people' and majority of applications this is the only useful interface to the library. -
  • Improve security - secure pin operations, UserConsent? style issues (CKA_ALWAYS_AUTHENTICATE flag in pkcs11 v2.20) etc. Who wins: everybody, especially DigitalSignature? functionality users of various NationalIdCards?. After we have pretty solid support for different cards and different usages, it is about time to focus on security - one reason smartcards exist in the first place. -
-
diff --git a/doc/SchlumbergerEgate.html b/doc/SchlumbergerEgate.html deleted file mode 100644 index 4cb36f3b..00000000 --- a/doc/SchlumbergerEgate.html +++ /dev/null @@ -1,28 +0,0 @@ - -SchlumbergerEgate - OpenSC - Trac
-

Schlumberger / Axalto e-gate

-

-Schlumberger/Axalto offers the e-gate adapter, an USB adapter for Schlumberger / Axalto -Cryptoflex and Cyberflex cards. -

-

-The combination of Cryptoflex egate 32k with plug and e-gate token adapter is very well tested and works perfectly. -

-

-The Cyberflex 32k is currently not supported - you would need a javacard applet first and then OpenSC support for that applet. -

-

-Documentation for Cryptoflex cards are available for public download at [http://www.cryptoflex.com/]. -

-

-Cards and adapter are directly sold by the manufacturer at [http://www.scmegastore.com/] (cards in packs of 5 only), -five cards and adapters are sold for 150 US$. -

-

Test Results

-

-Smart card bundle 0.3rc2 works fine on Windows XP (cryptoflex card, pkcs11-tool --test ...) -

-
-
diff --git a/doc/SmartCardApplications.html b/doc/SmartCardApplications.html deleted file mode 100644 index e39abd79..00000000 --- a/doc/SmartCardApplications.html +++ /dev/null @@ -1,12 +0,0 @@ - -SmartCardApplications - OpenSC - Trac
-

Smart Card Applications

-

-OpenSC comes with a bunch of utilities to test, debug and initialize smartcards. In addition to these smart card targeted utilities other applications can be made 'smartcard aware' using: -

-
  • OpenSC PKCS#11 module opensc-pkcs11 (or pkcs11-spy if one has to debug PKCS#11 issues). This is the preferred interface. -
  • OpenSSL engine - engine_pkcs11 (together with a/the PKCS#11 module) and engine_opensc (deprecated). This can be used in scripts via the openssl utility or existing OpenSSL based applications can be extended to support dynamic openssl engines. -
-
diff --git a/doc/SpanishEid.html b/doc/SpanishEid.html deleted file mode 100644 index b754df3c..00000000 --- a/doc/SpanishEid.html +++ /dev/null @@ -1,17 +0,0 @@ - -SpanishEid - OpenSC - Trac
-

Spanish Ceres

-

-The spanish ceres cards are using OpenSC for their official software. -

-

-To use ceres cards however you need to use the official software, which consists of OpenSC and an additional binary only module. -OpenSC is licensed under LGPL license and allowes to do this. -

-

-More details are available at [http://opensc-ceres.software-libre.org/]. -

-
-
diff --git a/doc/SubversionRepository.html b/doc/SubversionRepository.html deleted file mode 100644 index b6ec429b..00000000 --- a/doc/SubversionRepository.html +++ /dev/null @@ -1,55 +0,0 @@ - -SubversionRepository - OpenSC - Trac
-

Subversion Repository

-

-OpenSC is using subversion as version control system. You can find out more about subversion at -

-

-In our subversion repository we have -

-
  • trunk/ contains the current development code -
  • branches/opensc-0.9 contains the 0.9 maintenance branch -
  • releases/opensc-0.x.y contains the opensc 0.x.y release code. -

-You can checkout these with the subversion commands -

-
svn co http://www.opensc.org/svn/opensc/trunk/
-svn co http://www.opensc.org/svn/opensc/branches/opensc-0.9/
-svn co http://www.opensc.org/svn/opensc/releases/opensc-0.9.4/
-

-Note that the subversion repository only contains development files. -Before compiling the code you need to run the "./bootstrap" script -to create many files like "configure" and "Makefile.in". You need to have -autoconf, automake and libtool installed on your system to do that (see AutoVersions) -

-

-Some people have reported problems with some http proxies. If you find some problem, -you can maybe solve it by using https instead. Try to checkout the repository -like this: -

-
svn co --non-interactive https://www.opensc.org/svn/opensc/trunk/
-svn co --non-interactive https://www.opensc.org/svn/opensc/branches/opensc-0.9/
-svn co --non-interactive https://www.opensc.org/svn/opensc/opensc-0.9.4/
-

Write access for developers

-

-Developers with write access usualy access the repository via https with authentication -using ssl client certificates. You might want to put something like this into your -~/.subversion/server file to point subversion to your client certificate: -

-
[groups]
-opensc = www.opensc.org
-
-[opensc]
-ssl-client-cert-file=/home/aj/.subversion/aj.p12  
-

-You can access the repositories: -

-
svn co https://www.opensc.org/svn/opensc/trunk/
-svn co https://www.opensc.org/svn/opensc/branches/opensc-0.9/
-svn co https://www.opensc.org/svn/opensc/opensc-0.9.4/
-
-
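Review bot: two errors in the page deleted here will carry over to the wiki copy that now becomes canonical unless they are fixed there: Subversion's per-server configuration file is `~/.subversion/servers`, not `~/.subversion/server`, and the https checkout examples drop the `releases/` path component (`svn co --non-interactive https://www.opensc.org/svn/opensc/opensc-0.9.4/`) that the http examples above them include (`svn co http://www.opensc.org/svn/opensc/releases/opensc-0.9.4/`). The `ssl-client-cert-file=/home/aj/.subversion/aj.p12` line is also one developer's private certificate path; a placeholder path reads better in published documentation.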
diff --git a/doc/SupportedHardware.html b/doc/SupportedHardware.html deleted file mode 100644 index 0920b390..00000000 --- a/doc/SupportedHardware.html +++ /dev/null @@ -1,37 +0,0 @@ - -SupportedHardware - OpenSC - Trac
-

Supported Hardware

-

-There are two flavors of hardware support: The first one is "use-only", it's a bit like read-only: -You can use the keys (if you know the pin), and read the public information from the card, but you -cannot alter it. This kind of support is typical for national ID cards. The second type is the -full support including initializiation. That means you can buy a blank card, then create the -pkcs#15 structures, generate key, store certificates and so on. -

-

Read-Only supported cards

-
  • Finnish FINEID (SetCOS) -
  • Swedish Posten eID (SetCOS) -
  • USB tokens based on CardOS/M4, such as Aladdin eToken PRO, etc. -
  • MioCOS 1.1 -
  • TCOS 2.0 -
  • Starcos SPK 2.3 (e.g. Rainbow iKey 3000) -
  • Micardo 2.1 -
  • Oberthur AuthentIC -
  • OpenPGP 1.0 -
  • JCOP 31bio -
  • Estonian ID card, EstEID (Micardo 2.1) -

Fully supported cards

-
  • CryptoFlex? 8K, 16K -
  • GemplusGpk Gemplus GPK 4K, 8K, 16K -
  • CardOS M4.00, M4.01a -
  • Starcos SPK 2.3 -
  • JCOP 31bio -
  • MioCOS 1.1 -

Readers

-

-For some supported SmartCard readers have a look at the PinpadReaders page. -

-
-
diff --git a/doc/SwedishEid.html b/doc/SwedishEid.html deleted file mode 100644 index 2ad1ddd5..00000000 --- a/doc/SwedishEid.html +++ /dev/null @@ -1,22 +0,0 @@ - -SwedishEid - OpenSC - Trac
-

Swedish ePosten card

-

-The swedish eposten card is supported by OpenSC. -

-

-It can only be used, not altered. -

-

-FIXME:Pin changes? -

-

-FIXME:Did anyone test recently? -

-

-FIXME:Documentation etc? -

-
-
diff --git a/doc/TaiwanEid.html b/doc/TaiwanEid.html deleted file mode 100644 index 980adbfd..00000000 --- a/doc/TaiwanEid.html +++ /dev/null @@ -1,16 +0,0 @@ - -TaiwanEid - OpenSC - Trac
-

Taiwan

-

-Gieseke and Devrient tell us Taiwan is using StarSign? based tokens for a nation-wide PKI project. -

-

-OpenSC supports Starcos, but I don't know what StarSign? exactly is and if it will be compatible. If anyone has links to technical documents or news, please add them here. -

-

-If anyone knows how to contact them (this far no luck) let us know too. -

-
-
diff --git a/doc/TelseCos.html b/doc/TelseCos.html deleted file mode 100644 index e616b9cc..00000000 --- a/doc/TelseCos.html +++ /dev/null @@ -1,81 +0,0 @@ - -TelseCos - OpenSC - Trac
-

NetKey E4 cards

-

-http://www.opensc.org/opensc/attachment/wiki/TelseCos/NetkeyE4-card.jpg?format=raw -

-

-Telesec is a german company that sells NetKey? E4 cards. These cards have a TCOS 2.02 operationg system and an almost PKCS#15* compatible file-layout. OpenSC has read-only support for these kind of cards. -

-

-If OpenSC would fully support TCOS, one could erase the preformatted card and initialize the card with a PKCS#15* filesystem. This is not possible right now. You have the same problem, if you own a blank TCOS card. -

-

-The good news are: With the help of an emulation layer OpenSC can use cards that are almost PKCS#15* compatible. For NetKey? E4-cards such an emulation layer exists. The emulation cannot store certificates, keys or pins on the card, but you can use whatever is visible through the emulation layer. -

-

-SignTrust- and German EId-cards are also TCOS based but might have a different layout, so the NetKey? E4-emulation might not work with these cards. If you have such a card and are willing to help, please post information on the mailing list. You might also send "opensc-tool -r" output to me, maybe I can extend the Netkey-emulation such that other preformatted TCOS cards work as well. -

-

NetKey E4 filesystem layout

-

-NetKey? E4 cards contain different directories with different applications. Only one of these (i.e. directory DF01) is made visible through the NetKey? emulation layer. This directory contains 3 private keys, 3 public keys, 3 read only certificates, 6 empty certificate files, 2 local PINs and one signature-counter. -

-
  pkcs15-tool -c
-

-will list all certificates. It will not list the empty certificate files. Here's the output for a new NetKey? E4 card: -

-
$ pkcs15-tool -c
-X.509 Certificate [Telesec Signatur Zertifikat]
-        Flags    : 0
-        Authority: no
-        Path     : DF01C000
-        ID       : 01
-
-X.509 Certificate [Telesec Authentifizierungs Zertifikat]
-        Flags    : 0
-        Authority: no
-        Path     : DF01C100
-        ID       : 02
-
-X.509 Certificate [Telesec Verschlüsselungs Zertifikat]
-        Flags    : 0
-        Authority: no
-        Path     : DF01C200
-        ID       : 03
-

-The read-only certificates are signed by a certificate of german Telekom AG and all have the same CN. Here's some output that shows one of them: -

-
$ pkcs15-tool -r 01 | openssl x509 -noout -text -certopt no_pubkey,no_sigdump
-Certificate:
-    Data:
-        Version: 3 (0x2)
-        Serial Number: 13356238 (0xcbccce)
-        Signature Algorithm: ripemd160WithRSA
-        Issuer: C=DE, O=Deutsche Telekom AG/0.2.262.1.10.7.20=1, CN=NKS CA 21:PN
-        Validity
-            Not Before: Jan 31 08:43:51 2003 GMT
-            Not After : Jan 31 08:43:51 2006 GMT
-        Subject: C=DE/0.2.262.1.10.7.20=1, CN=NKS 03 A 02707
-        X509v3 extensions:
-            X509v3 Key Usage: critical
-                Digital Signature, Non Repudiation
-

-The public-keys are record-based transparent files and cannot be used for cryptographic operations. They are on the card for convenience only. OpenSC extracts the public keys from the certificates and does not use the public key files. -

-

How do I store additional certificates into the above mentioned empty certificate-files?

-

-You (and OpenSC) dont see the empty certificate files through the emulation layer. One consequence of this is, that you cannot store your own certificates into these files with pkcs11-tool or pkcs15-init. -

-

-You must use opensc-explorer and store the certificate directly into the right position or use netkey-tool, a small program, that I wrote exactly for that purpose. -

-

-In general (and in particular with TCOS-cards) it's a lot more complicated to create a new file on a smartcard than updating an existing one. That's the reason why there are empty certificate files on a NetKey? card. They contain 1536 0xFF-bytes and you can overwrite them with your own certificate (if your certificate has at most 1536 bytes). -

-

-netkey-tool can do other NetKey-card specific things as well. In particular it will display your initial PUK value and all certificates (including the emtpy ones, which are invisible to pkcs15-tool). As of this writing (June 2005) netkey-tool is included in the CVS-version only. -

-
-
diff --git a/doc/TroubleShooting.html b/doc/TroubleShooting.html deleted file mode 100644 index fad58b98..00000000 --- a/doc/TroubleShooting.html +++ /dev/null @@ -1,64 +0,0 @@ - -TroubleShooting - OpenSC - Trac
-

Debugging OpenSC

-
opensc-tool -l
-

-will give you a list of readers opensc has found. If your reader isn't listed, you have -a problem with that reader. For OpenCT see [http://www.opensc.org/openct/wiki/TroubleShooting] for details. -For PCSC/Lite see it's documentation (FIXME: a link would be nice). For CT-API readers, edit the -opensc.conf and make sure the reader is properly configured. If it still doesn't help, increase -debugging to level 5 or higher in opensc.conf, run "opensc-tool -l" again and send a debug log -to the mailing list (see ContactInfo? for details). -

-

-FIXME: more help for debugging opensc. -

-

Unsupported INS byte in APDU

-

-This is a common error message. The best translation is: -

-
Sorry, we don't know that card.
-

-Each card is identified by it so called ATR ("Answer to reset"). -You can get this identification code by running -

-
opensc-tool --atr
-

-OpenSC contains a compiled in list of atr it knows in each card driver. -To check if any card driver knows about your card, please run -

-
opensc-tool --name
-

-So if that name is "Default driver for unknown cards" then either your card -is not supported at all, or it is a brand new version of an old and supported -card, and if it is compatible with the older version it might work. -

-

-In case it is only a new version, but still compatible, you can edit opensc.conf -and configure some driver to also accept this new atr. opensc.conf already contains -a configuration example, you only need to change the atr and driver and enable it. -Here is that example code: -

-
        # GPK card driver additional ATR entry:
-        card_driver gpk {
-                atr = 00:11:22;
-        }
-
-

-Replace "gpk" with the card driver of your card and "00:11:22" with the atr -printed by "opensc-tool --atr". WARNING: this can damage your card and render -it useless (in case the driver is not compatible with your card). So don't do -this, unless you are absolutely sure of what you are doing. If you are not -sure, please contact the OpenSC Team (see ContactInfo? for details). -

-

-Also note: more and more drivers have internal flags, for example for subtypes -of cards or for certain properties, like whether or nor a card can generate -keys (very old smartcards can't do that). Currently it is not possible to set -those flags in the config file, so often it might be necessary to edit OpenSC -source code and recompile OpenSC. -

-
-
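Review bot: the `card_driver gpk { atr = 00:11:22; }` override together with the warning that a mismatched driver can damage the card and render it useless is the one piece of security-relevant guidance removed with this page; since export-wiki.sh now fetches the wiki copy, check that the wiki version still carries that warning next to the example and not just the example.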
diff --git a/doc/WindowsCsp.html b/doc/WindowsCsp.html deleted file mode 100644 index c170d265..00000000 --- a/doc/WindowsCsp.html +++ /dev/null @@ -1,13 +0,0 @@ - -WindowsCsp - OpenSC - Trac
-

PKCS#11 and Windows CryptoAPI

-

-OpenSC implements a PKCS#11 v2.11 module that can be combined with addition software such as CSP11 or Identity Alliance CSP to allow Windows applications (IE, Outlook, login etc) access to smartcards supported by OpenSC. -

-

-TODO: Fill in the details. -

-
-
diff --git a/doc/export-wiki.sh b/doc/export-wiki.sh index 5faaad3a..04304bd2 100644 --- a/doc/export-wiki.sh +++ b/doc/export-wiki.sh @@ -6,29 +6,42 @@ export SERVER=http://www.opensc.org export WIKI=opensc/wiki export XSL=export-wiki.xsl -test -f `basename $0` +SRCDIR=. -rm -rf *.html *.css +if test -n "$1" +then + SRCDIR="$1" +fi -wget $SERVER/$WIKI/TitleIndex -O TitleIndex.tmp +test -f "$SRCDIR"/`basename $0` -grep "\"/$WIKI/[^\"]*\"" TitleIndex.tmp \ +if ! test -w "$SRCDIR" +then + exit 0 +fi + +rm -rf "$SRCDIR"/*.html "$SRCDIR"/*.css + +wget --non-verbose $SERVER/$WIKI/TitleIndex -O "$SRCDIR"/TitleIndex.tmp + +grep "\"/$WIKI/[^\"]*\"" "$SRCDIR"/TitleIndex.tmp \ |sed -e "s#.*\"/$WIKI/\([^\"]*\)\".*#\1#g" \ - > WikiWords.tmp + > "$SRCDIR"/WikiWords.tmp sed -e /^Trac/d -e /^Wiki/d -e /^TitleIndex/d -e /^RecentChanges/d \ - -e /^CamelCase/d -e /^SandBox/d -i WikiWords.tmp + -e /^CamelCase/d -e /^SandBox/d -i "$SRCDIR"/WikiWords.tmp -for A in WikiStart `cat WikiWords.tmp` +for A in WikiStart `cat "$SRCDIR"/WikiWords.tmp` do F=`echo $A|sed -e 's/\//_/g'` - wget $SERVER/$WIKI/$A -O $F.tmp - xsltproc --output $F.html $XSL $F.tmp + wget --non-verbose $SERVER/$WIKI/$A -O "$SRCDIR"/$F.tmp + xsltproc --output "$SRCDIR"/$F.html "$SRCDIR"/$XSL "$SRCDIR"/$F.tmp sed -e "s# -OpenSC - Trac
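Review bot: in the export-wiki.sh hunk the sanity check `test -f "$SRCDIR"/`basename $0`` discards its result, so a wrong `$1` is not caught before `rm -rf "$SRCDIR"/*.html "$SRCDIR"/*.css` runs; if the check is meant to verify that SRCDIR is the doc directory, make it `test -f "$SRCDIR"/`basename $0` || exit 1`. Relatedly, `if ! test -w "$SRCDIR"; then exit 0; fi` turns an unwritable directory into a silent success; if that is deliberate (for example when run from a read-only distribution tree) a one-line comment saying so would stop the next reader from treating it as a bug, otherwise exit non-zero so the caller notices.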
-

OpenSC

-

-OpenSC provides a set of libraries and utilities to access smart -cards. Its main focus is on cards that support cryptographic operations, -and facilitate their use in security applications such as mail encryption, -authentication, and digital signature. OpenSC implements the PKCS#11 API -so applications supporting this API such as Mozilla Firefox and Thunderbird -can use it. OpenSC implements the PKCS#15 standard and aims to be compatible -with every software that does so, too. -

-

Card Support

-

-CardsAndTokens has the full list of all smart cards and tokens. -

-

-Each release is tested with a subset of the supported cards, and users provide -additional test results. These are collected in RecentTestresults. -

-

Operating Systems

-

-OpenSC runs on Windows, Mac OS X and several other Unix and Bsd flavors. -It is even shipped as integral part of some LinuxDistributions. -

-

-OpenSC can be integrated with OS-centric cryptography frameworks such as WindowsCsp. -

-

Card Readers

-

-To use OpenSC you need a driver for your smart card reader. This can either be a driver -in CT-API format, or an IfdHandler? driver in combination with PcscLite?, or OpenCt?. -Most developers use OpenCT in direct combination, i.e. not using the OpenCT CT-API -driver nor the OpenCT ifdhandler with PC/SC-Lite. However those alternatives should -work fine, too. -

-

-On Win32 platforms you usually get a PC/SC driver. Most Pinpad readers (aka Class 2+ readers) also supply a CT-API driver. Though both drivers can be used with OpenSC you are currently limited to the CT-API driver if you want to use the reader's pinpad. -

-

Features

-

-* ReplacingCertificates -

-

Application Support

-

-OpenSC comes with a bundle of tools for testing, debugging and initialization. -In addition it contains two OpensslEngines that can be combined with OpenSSL to use -the normal OpenSSL commands while using a smart card hardware to do the crypto operations. -

-

-OpenSC contains a PamModule? for authentication/login via smart card. That pam module however -has a few minor bugs. But there is also a new pam module -for PKCS!#11 libaries. -

-

-OpenSC contains a PKCS#11 library called opensc-pkcs11.so. This library can be used -with MozillaFirebird?, MozillaThunderbird? or plain Mozilla to login to websites using -certificates from the smart card, or to sign and decrypt eMails or authenticate -to your mail server with your certificate. Keypair generation, certificate request -and writing the requested cert through an on-line CA should also be possible. -

-

-FreeSwan/StrongSwan/OpenSwan? can be compiled with OpenSC support and thus be used -to authenticate a VPN connection using a smart card. -

-

-OpenSSH can be compiled with OpenSC support and thus use the smart card for -authenticating at a remote ssh server. See OpenSsh for details. -

-

-On Windows there is a patched version of Putty with support for PKCS#11 libraries -such as OpenSC. See the Smart Card Bundle for a binary -package with installer containing OpenSSL, OpenSC and Putty for Windows. -

-

-GnuPg? contains support for OpenSC in the experimental 1.9 branch. -

-

-There is a patch for WpaSupplicant? to allow authentication to access points using -smart cards. -

-

-Gdigidoc uses OpenXAdES library what in turn can make use of OpenSC PKCS#11 module or CSP on windows. -

-

-Here's a Wikipage that has some information about PuTTYcard, an extension to Simon Tathams PuTTY. -PuTTYcard let you use your Smartcards RSA keys with Pageant.exe. -

-

-LibChipcard is a library and tools to use all kind of chipcards like HBCI chip cards and german medical cards. -It is used by many online banking applications. The latest development snapshot for version 2 now includes -support for using opensc reader layer. great new! -

-

-TroubleShooting explains the most common problems and how to solve the, -

-

Getting OpenSC

-

-You can either download OpenSC releases from our File Archive -or access our SubversionRepository. -

-

Links

-

-* NIST has a document about personal identity verification cards. -

-

Developers Corner

-

-We would like to gather some information on developers to make it easier for all of us. -New pages: DeveloperHardware? (donations welcome!), AutoVersions. -

-

-ReleaseHowto documents our release process. -

-

-For interoperability with other smart card projects, mostly national id cards, there is a mailing -list at [http://www.gol.grosseto.it/mailman/listinfo/interopeid] -

-
-
diff --git a/doc/old/Makefile.am b/doc/old/Makefile.am index e5b5fe03..02255a05 100644 --- a/doc/old/Makefile.am +++ b/doc/old/Makefile.am @@ -3,18 +3,9 @@ XSLTPROC = @XSLTPROC@ HTMLFILES = opensc.html opensc.css opensc-es.html XMLFILES = opensc.xml opensc.xsl opensc-es.xml +STYLESHEET = opensc.xsl MAINTAINERCLEANFILES = Makefile.in -noinst_DATA = $(HTMLFILES) -EXTRA_DIST = pkcs-15v1_1.asn $(XMLFILES) $(HTMLFILES) doxygen.conf +EXTRA_DIST = pkcs-15v1_1.asn $(XMLFILES) $(HTMLFILES) $(STYLESHEET) doxygen.conf generate.sh -STYLESHEET = opensc.xsl - -%.html: %.xml -if HAVE_DOCBOOK - $(XSLTPROC) -o $@ $(STYLESHEET) $< - tidy -im -utf8 -xml $@ || true -else - @echo "Docbook support disabled, not building $@" >&2 -endif diff --git a/doc/old/opensc-es.html b/doc/old/opensc-es.html deleted file mode 100644 index 72ff1b7b..00000000 --- a/doc/old/opensc-es.html +++ /dev/null @@ -1,2051 +0,0 @@ - - - - - - Manual de OpenSC - - - - -
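Review bot: in the doc/old/Makefile.am hunk `EXTRA_DIST` now lists `generate.sh`, but nothing in this hunk adds that file; confirm it exists under doc/old or `make dist` will fail. Dropping the `%.html: %.xml` rule also means the files in HTMLFILES are committed artifacts that make no longer rebuilds when the XML changes, so note in generate.sh (or in a comment here) that it must be run by hand before a release.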
-
-
-
-

- Manual de OpenSC

-
-
- -
-
- -
-
-
-
-
-

- Tabla de contenidos -

-
-
- - 1. Introducción - -
-
- - 2. Autores y - Colaboradores - -
-
-
-
- - - Agradecimientos - -
-
-
-
- - 3. Licencia. Copyright - -
-
- - 4. Introducción - -
-
-
-
- - Estructura de - OpenSC - -
-
- - El módulo - lector - -
-
-
-
- - 5. Compilación e - Instalación de libopensc - -
-
-
-
- - Linux - -
-
- - Windows - -
-
- - Windows - con soporte OpenSSL - -
-
-
-
- - 6. Estado del desarrollo - -
-
-
-
- - Tarjetas - -
-
- - Windows - -
-
- - Módulo PKCS #11 - en Netscape y Mozilla - -
-
-
-
- - 7. Uso de OpenSC - -
-
-
-
- - OpenSC y - Netscape - -
-
- - OpenSC y - Mozilla - -
-
- - OpenSC y - OpenSSL - -
-
- - OpenSC y - OpenSSH - -
-
- - Pluggable - Authentication Module - -
-
-
-
- - eid based - authentication - -
-
- - - Autenticación basada en LDAP - -
-
-
-
-
-
- - 8. The OpenSC PKCS #11 - library - -
-
-
-
- - Qué es PKCS - #11 - -
-
- - Slots - Virtuales - -
-
-
-
- - 9. Seguridad - -
-
-
-
- - Ordenes desde línea de - Comandos - -
-
- - Acceso a la card - -
-
- - Protegiendo tarjetas con - la utilidad pkcs15-init - -
-
- - Protección de los ficheros - de configuración, profiles, y caché - -
-
- - Acceso como administrador - (root) - -
-
-
-
- - 10. Tareas pendientes de - desarrollo - -
-
-
-
- - General - -
-
- - Windows - -
-
-
-
- - 11. Resolución de - problemas - -
-
- - 12. Recursos y enlaces - -
-
- - 13. Modulo de firmado - -
-
-
-
- - Compilando e - instalando el Módulo signer - -
-
-
-
- - 14. Notas sobre DocBook - -
-
-
-
-
-
-
-

- Capítulo 1. - Introducción

-
-
-
-

libopensc es una biblioteca de acceso a dispositivos - tipo Tarjeta Inteligente (smart cards). Cualquier tarjeta - que soporte el estandard ISO 7816-4 deberia poder ser - utilizada para las funcionalidades básicas ( manejo de - ficheros ). Si además la tarjeta es compatible con el - standard PKCS#15, la biblioteca ofrece a estas tarjetas el - soporte de diversas funciones criptográficas

-
-
-
-
-
-

- Capítulo 2. Autores y - Colaboradores

-
-
-
-
-

- Tabla de contenidos -

-
-
- - - Agradecimientos - -
-
-
-

Se adjunta la lista de todos los autores y colaboradores - de OpenSC en orden alfabético

-
- -
-
-
-
-
-

- - Agradecimientos

-
-
-
-

Las siguientes personas an aportado ideas, apoyo y/o - información para el desarrollo de OpenSC

-
- -
-

OpenSC no ha inventado la rueda ni escrito el código - desde cero. Se ha usado código de otros proyectos, - principalmente para desarrollar el interfaz con éstos. - Los autores originales son:

-
- -
-
-
-
-
-
-
-

- Capítulo 3. Licencia. - Copyright

-
-
-
- - - - -
-
-OpenSC smart card library
-Copyright (C) OpenSC developers 
-
-This library is free software; you can redistribute it and/or
-modify it under the terms of the GNU Lesser General Public
-License as published by the Free Software Foundation; either
-version 2.1 of the License, or (at your option) any later version.
-
-This library is distributed in the hope that it will be useful,
-but WITHOUT ANY WARRANTY; without even the implied warranty of
-MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
-Lesser General Public License for more details.
-
-You should have received a copy of the GNU Lesser General Public
-License along with this library; if not, write to the Free Software
-Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 
-02111-1307  USA
-
-
-
-
-
-
-
-

- Capítulo 4. - Introducción

-
-
-
-
-

- Tabla de contenidos -

-
-
- - Estructura de - OpenSC - -
-
- - El módulo - lector - -
-
-
-

OpenSC está basado en diversos componentes. El principal - es la biblioteca OpenSC, a su vez dividida en tres capas, - cada una con diversos drivers Otros componentes son: la - biblioteca PKCS#11, el módulo PAM, diversos plugins para - OpenSSL... Adicionalmente, se incluyen diversas utilidades - y aplicaciones de test que usan estas bibliotecas

-

El objetivo de este capítulo es proporcionar información - sobre el funcionamiento interno de la biblioteca OpenSC, - cómo funciona, y finalmente qué ofrecen las utilidades. - Cada una de éstas, así como las bibliotecas, tienen su - propia pagina de manual, y su sección en este documento

-
-
-
-
-

- Estructura de - OpenSC

-
-
-
-

La biblioteca básica de OpenSC es libopensc. Ofrece - tanto funcionalidades básicas para la comunicación con - las tarjetas inteligentes, como avanzadas, (eg. generar - claves RSA en una tarjeta)

-

Para ello, libopensc está estructurado en diversas - capas, a su vez implementadas mediante uno o más drivers. - Estas capas son:

-
-
-
- Lector -
-
OpenSc necesita poder enlazar con los diversos - manejadores de lectores de tarjetas. Dado que cada - uno tiene su propio software (CT-api, PC/SC, etc), - OpenSC provee un módulo específico para cada uno
-
- Tarjetas -
-
Idealmente, todas las tarjetas inteligentes, de - berían implementar el standard ISO 7816 de la misma - forma, y aceptar y generar los mismos comandos y - respuestas. Desafortunadamente, este no es el caso. - OpenSC ofrece pues un módulo específico por cada - tarjeta (o familia de tarjetas)
-
- pkcs15init -
-
Las tarjetas inteligentes suelen incorporar un - sistema de ficheros, donde almacenar claves y - certificados. Asímismo incorporan comandos para crear - directorios y ficheros, ajustar permisos y seguridad, - etc. En función de la tarjeta no solo los comandos - son distintos, sino que incluso la estructura de - ficheros y modelo de seguridad difieren. El módulo - pkcs15init esconde estas diferencias al resto de la - aplicación
-
- La infraestructura PKCS - #15 -
-
-

- PKCS #15Es el estandard de manejo - y almacenamiento de claves y certificados en un - dispositivo criptográfico. A pesar de ello, muchos - fabricantes de tarjetas implementan sus propios - mecanismos, por ejemplo especificando diferentes - directorios. OpenSC implementa el estandard - PKCS#15, existiendo un módulo de emulación para - aquellas tarjetas que se apartan del estandard

-

De hecho es posible elaborar una infraestructura - nueva para implementar compatibilidad con sistemas - que no cumplan dicho estandard

-
-
-
-
-
-
-
-
-

- El módulo - lector

-
-
-
-

PC/SC Lite es una aplicación middleware que sirve para - interactuar, por un lado con los drivers para lectores de - tarjetas, y por otro con las aplicaciones que las - manejan. OpenSC puede usar PC/SC Lite mediante el modulo - lector pcsc, aunque soporta otras alternativas

-

PC/SC es un API estandard entre aplicaciones, como - gestor de recursos para lectores de tarjetas - inteligentes. Es muy popular en el entorno operativo - Windows. La documentación está disponible en: - - http://www.pcscworkgroup.com/.

-

PC/SC Lite es la implementación del estandard PCSC - para sistemas Linux, Unix, Windows y MacOS X, realizada - por David Corcoran - . La aplicación está - disponible como software libre y gratuíto. Para descargar - esta aplicación, refierase a la página web del Movimiento - para el Uso de smart cards en Entornos Linux ( M.U.S.C.L.E - ) - - http://www.linuxnet.com/.

-

Para instalar el soporte de OpenSC para pcsc-lite, es - necesario instalar PCSCLite primero, y seguidamente - configurar OpenSC especificando la ubicación de la - instalación de PCSC

- - - - -
-
-$ cd opensc-<version>
-$ ./configure --with-pcsclite=/path/to/pcsclite
-                                
-
-
-

-

OpenCT es una nueva aplicación para manejo de tarjetas - inteligentes, lectores y terminales de acceso. OpenCT ha - sido escrito desde cero , constituyendo un entorno muy - ligero, e incluyendo todos los drivers. Está dispobible - para sistemas Linux, pero si se desea su uso en otros - entornos Unix o BSD, por favor consulte en la lista de - correo de opensc-devel

-

OpenCT es software libre. El código fuente está - disponible de manera gratuita. OpenCT es desarrollado - conjuntamente con OpenSC y se recomienda su uso - preferente para entornos Linux. OpenCT está disponible en - la página web de OpenSC - - http://www.opensc.org/. Para dudas y consultas acudan - a la lista de correo -

-

Para compilar OpenSC con soporte OpenCT, es necesario - tener instalado éste primero. La documentación de OpenCT - está incluída en el código fuente, así como disponible en - línea a través del enlace: - - http://www.opensc.org/files/doc/openct.html. Una vez - instalado OpenCT, recompile OpenSC indicando la ubicación - de las bibliotecas OpenCT

- - - - -
-
-$ cd opensc-<version>
-$ ./configure --with-openct=/path/to/openct
-                                
-
-
-

-

CT-API es un estandard para manejadores de tarjetas - inteligentes. Fué desarrollado en la década de los 80, - para aplicaciones MS-Dos, y quizás no sea muy conocido en - los ambientes multi-usuario y multi-tarea de la - actualidad. Sin embargo, CT-API está muy extendido y - muchos lectores proveen soporte para este estándard - incluso bajo Linux.

-

OpenSC puede usar drivers CT-API directamente. No - obstante su uso se reserva para aplicaciones de - depuración y no se recomienda en instalaciones - multi-usuario o con múltiples aplicaciones que usen el - lector

-

El soporte CT-API en OpenSC no necesita párametros - especiales a la hora de recompilar. Léase el fichero de - configuración - opensc.confpara saber como - configurar el driver CT-API bajo OpenSC

-
-
-
-
-
-
-

- Capítulo 5. Compilación e - Instalación de libopensc

-
-
-
-
-

- Tabla de contenidos -

-
-
- - Linux - -
-
- - Windows - -
-
- - Windows - con soporte OpenSSL - -
-
-
-
-
-
-
-

- Linux

-
-
-
-

Lea el fichero - INSTALLpara ver las - instrucciones de compilación. Si se está partiendo de una - versión descargada del CVS, necesitará ejecutar - previamente el script 'bootstrap' antes de ejecutar - 'configure'. Del mismo modo, deberá tener versiones - actualizadas de Autoconf, Automake, y Libtool

-
-
-
-
-
-

- Windows

-
-
-
-

Ejecute "nmake -f makefile.mak" en el directorio - opensc para compilar

-

Además de nmake, deberá tener perl y flex instalados - para poder realizar la compilación

-

El fichero Makefile.mak no incorpora mecanismos para - "make install", por lo que deberá realizar la instalación - de manera manual

-
-
    -
  1. Copiar opensc.conf al directorio Windows ( - generalmente C:\WINDOWS o C:\WINNT). Esta operación - es opcional
  2. -
  3. Copiar opensc.dll y opensc-pkcs11.dll a una - ubicación dentro del path
  4. -
  5. Si se quiere utilizar el comando pkcs15-init.exe, - asegurese de que los ficheros *.profile residentes en - el directorio src\pkcs15init\ están en el mismo - directorio que pkcs15-init.exe, o en el directorio - Windows
  6. -
-
-
-
-
-
-
-

- Windows - con soporte OpenSSL

-
-
-
-

Esta opción añade funcionalidad extra (por ejemplo - PKCS#11 hash y mecanismos de firmas pkcs#11 - adicionales

-
-
    -
  1. Descargar y compilar los fuentes de OpenSSL de: - http://www.openssl.org/source/
  2. -
  3. Añadir el directorio \inc32 al include_path, y el - \out32dll al library_path y exec_path - - - - -
    -
    -set include=%include%;.....\inc32
    -set lib=%lib%;.....\out32dll
    -set path=%path%;....\out32dll
    -                                        
    -
    -
  4. -
  5. En el fichero src\tools\Makefile.mak descomentar - "pkcs15-init.exe en la línea "TARGETS", y - (opcionalmente) añadir "libeay32.lib" y "gdi32.lib" - al la línea marcada como "link" (enlace)
  6. -
  7. En el fichero src\libopensc\Makefile.mak, añadir - "libeay32.dll" y "gdi32.dll" a la línea marcada como - "link" (enlace)
  8. -
  9. Realizar la misma inclusión en el fichero - src\pkcs11\Makefile.mak en las entradas "link" de las - secciones "TARGET" y "TARGET3"
  10. -
  11. En el fichero win32\Make.rules.mak, añadir - /DHAVE_OPENSSL a la línea "COPTS"
  12. -
-
-

Para no necesitar las librerías dinámicas: compilar - OpenSSL estáticamente y substituír los ficheros gdi32.dll - y libeay32.dll por los ficheros gdi32.lib t libeay32.lib, - respectivamente, en los tres ficheros Makefile.mak - anteriormente indicados

-
-
-
-
-
-
-

- Capítulo 6. Estado del - desarrollo

-
-
-
-
-

- Tabla de contenidos -

-
-
- - Tarjetas - -
-
- - Windows - -
-
- - Módulo PKCS #11 en - Netscape y Mozilla - -
-
-
-
-
-
-
-

- Tarjetas

-
-
-
-
-
-
- CryptoFlex -
-
-

Soporta firma/desencriptación e - inicialización

-
-
- Gemplus PK 4K, 8K, 16K -
-
-

Soporta firma/desencriptación e - inicialización

-

Nota: no le será posible inicializar una tarjeta - GemSafe - estas tarjetas vienen personalizadas por - GemPlus y no se pueden borrar o añadir nuevos - ficheros de claves en ellas

-
-
- Aladdin eToken PRO -
-
-

Soporta firma/desencriptación e - inicialización

-

Nota: CardOS solo soporta claves para firmado, o - desencriptación, pero no para ambas. Esta - limitación puede ser evitada creando/almacenando - claves con la opción "--split-keys"

-
-
- Eutron CryptoIdendity - IT-SEC -
-
-

Soporta firma/desencriptación e - inicialización

-

Nota: CardOS solo soporta claves para firmado, o - desencriptación, pero no para ambas. Esta - limitación puede ser evitada creando/almacenando - claves con la opción "--split-keys"

-
-
- Micardo -
-
-

Soportada ( TODO: incluir detalles )

-
-
- Miocos -
-
-

Soportada ( TODO: incluir detalles )

-
-
- Setcos -
-
-

Soportada ( TODO: incluir detalles )

-
-
- Tcos -
-
-

Soportada ( TODO: incluir detalles )

-
-
-
-
-
-
-
-
-

- Windows

-
-
-
-

Actualmente, solo han sido portados a Windows: - libopensc.dll, pkcs11-spy.dll, opensc-pkcs11.dll y la - mayor parte de los ejecutables del directorio \tools y - \tests. Estas bibliotecas han sido testeadas en Win98, - WinNT, Win2000 y WinXP

-
-
-
-
-
-

- Módulo PKCS #11 en - Netscape y Mozilla

-
-
-
-

Netscape parece mostrar más información acerca de sus - módulos de seguridad que Mozilla. No obstante el soporte - no ha sido testeado

-

Notas sobre threads en Linux y MacOS X: Netscape y - Mozilla usan el parámetro CKF_OS_LOCKING_OK en la función - C_Initialize(). Como resultado, el thread del navegador - no termina cuando se cierra éste, y debe ser abortado - manualmente. Esto es debido a que el navegador no invoca - C_Finalize, que liberaría los locks, tal y como - especifica el estandard

-

Por consiguiente OpenSC no utiliza los mecanismos de - bloqueos de threads, incluso aunque sean solicitados. - Esto parece funcionar en Mozilla, pero puede causar - problemas en aplicaciones que utilicen múltiples hilos - que accedan simultáneamente a la librería pkcs11

-

Si se desea utilizar los mecanismos de threading, - recompilar con la opción -DPKCS11_THREAD_LOCKING. En - Windows no se usan hilos, y por consiguiente este - problema no existe, por lo que se usa el mecanismo de - bloqueos del sistema

-
-
-
-
-
-
-

- Capítulo 7. Uso de - OpenSC

-
-
-
-
-

- Tabla de contenidos -

-
-
- - OpenSC y - Netscape - -
-
- - OpenSC y - Mozilla - -
-
- - OpenSC y - OpenSSL - -
-
- - OpenSC y - OpenSSH - -
-
- - Pluggable - Authentication Module - -
-
-
-
- - eid based - authentication - -
-
- - Autenticación - basada en LDAP - -
-
-
-
-
-
-
-
-
-

- OpenSC y - Netscape

-
-
-
-
-
    -
  1. Seleccionar: Communicator -> Tools -> - Security Info
  2. -
  3. Seleccionar: Cryptographic Modules
  4. -
  5. Pulsar: Add
  6. -
  7. Indicar nombre del módulo: "OpenSC PKCS #11 - Module" Indicar ubicación del fichero: - /path/to/opensc/lib/pkcs11/opensc-pkcs11.so
  8. -
-
-

Para que el módulo funcione adecuadamente, es - necesario activarlo: En el Menú "Cryptographic Modules" - Seleccionar la tarjeta OpenSC, y pulsando en "Config", - activar los botones "Enable this token" y "Publicly - readable Certs"

-

Con esto se garantiza que Netscape utilizará la - tarjeta cuando intente mostrar mensajes encriptados en el - Netscape Messenger. Del mismo modo habilitar "Publicly - readable Certs" evitará que Netscape nos pida el PIN cada - vez que se acceda a una página que requiera autenticación - del Cliente

-

El boton "RSA" NO DEBE ser activado. En caso - contrario, Netscape intentará usar la tarjeta cada vez - que vaya a generar claves públicas, y fallará (no todas - las tarjetas soportan esta funcionalidad)

-

FIXME: Especificar versión de Netscape a la que se - aplican estas instrucciones

-
-
-
-
-
-

- OpenSC y - Mozilla

-
-
-
-
-
    -
  1. Asegurese que el Personal Security Manager (PSM) - está instalado (paquete mozilla-psm)
  2. -
  3. Seleccionar menú: Edit -> Preferences
  4. -
  5. Seleccionar Categoría: Privacy & Security - -> Certificates
  6. -
  7. Pulsar en: "Manage Security Devices"
  8. -
  9. Seleccionar: Load
  10. -
  11. Indicar nombre del módulo: "OpenSC PKCS #11 - Module" y ubicación del fichero: - /path/to/opensc/lib/pkcs11/opensc-pkcs11.so
  12. -
-
-
-
-
-
-
-

- OpenSC y - OpenSSL

-
-
-
-

OpenSSL es una potente utilidad que implementa los - protocolos SSL, así como una biblioteca criptográfica de - uso general. Entre sus características, se incluye la - posibilidad de incluir "al vuelo" capacidades - criptográficas adicionales (engines), como pueda ser la - adicción de hardware criptográfico

-

OpenSC incluye dos "engines" para OpenSSL. Esto - permite el uso de OpenSSL y sus diversas utilidades - asociadas en combinación con las capacidades - criptográficas de las tarjetas inteligentes

-

Para utilizar estas habilidades, es preciso cargar el - "engine" dentro de OpenSSL, y luego utilizar de la manera - habitual las aplicaciones. He aquí un ejemplo de - utilización desde el comando - - openssl - :

-

Ejemplo de cómo cargar el "engine" OpenSC

- - - - -
-
-aj@simulacron:~$ openssl
-OpenSSL> engine dynamic -pre
-SO_PATH:/home/aj/opensc/lib/opensc/engine_opensc.so -pre ID:opensc
--pre LIST_ADD:1 -pre LOAD
-(dynamic) Dynamic engine loading support
-[Success]: SO_PATH:/home/aj/opensc/lib/opensc/engine_opensc.so
-[Success]: ID:opensc
-[Success]: LIST_ADD:1
-[Success]: LOAD
-Loaded: (opensc) opensc engine
-OpenSSL> 
-                                
-
-
-

-

Un comando OpenSSL típico puede ser la recuperación de - un certificado: - req -engine opensc -new -key - - key - -keyform engine -out req.pem -text. Consulte la - documentación de OpenSSL para detalles adicionales

-

- - - key - Especifica el identificador de una clave en - Hexadecimal. - por ejemplo "45" corresponde al la clave - con ID="0x45"

-

OpenSC incluye dos "engines" para OpenSSL: - engine_opensc.soy - engine_pkcs11.so.

-

El módulo engine_opensc.so sólo funciona bajo OpenSC, - y no funcionará cuando haya múltiples aplicaciones - accediendo concurrentemente a la tarjeta, o existan en la - tarjeta varios certificados. Pero en los casos simples: - (una aplicación, una tarjeta, un certificado) es el - módulo indicado por su simplicidad

-

El módulo engine_pkcs11.so es mucho mas genérico y - flexible. funcionará en todos los casos, incluídos - aquellos en que existan múltiples tarjetas, claves, - certificados, con aplicaciones concurrentes. Además está - basado en el estandard PKCS#11, por lo que no solo puede - usar la biblioteca OpenSC (como hace por defecto), sino - cualquier otra implementación de PKCS#11

-

Para cargar dicho "engine", ejecutar el comando:

- - - - -
-
-aj@simulacron:~$ openssl
-OpenSSL> engine dynamic -pre
-SO_PATH:/home/aj/opensc/lib/opensc/engine_pkcs11.so -pre ID:pkcs11
--pre LIST_ADD:1 -pre LOAD -pre
-MODULE_PATH:/home/aj/opensc/lib/pkcs11/opensc-pkcs11.so
-(dynamic) Dynamic engine loading support
-[Success]: SO_PATH:/home/aj/opensc/lib/opensc/engine_pkcs11.so
-[Success]: ID:pkcs11
-[Success]: LIST_ADD:1
-[Success]: LOAD
-[Success]: MODULE_PATH:/home/aj/opensc/pkcs11/opensc-pkcs11.so
-Loaded: (pkcs11) pkcs11 engine
-OpenSSL> 
-                                
-
-
-

Y luego proceda normalmente

-

Un comando típico OpenSSL puede ser la recuperación de - un certificado: - req -engine pkcs11 -new -key - - key - -keyform engine -out req.pem -text. Consulte la - documentación de OpenSSL para más detalles

-

- - key - tiene el formato - [slot_<slotNr>][-][id_<keyID>], donde

-
-
    -
  • El parámetro (opcional) slotNr indica el slot - PKCS#11 a usar (empezando por cero, que es el valor - por defecto
  • -
  • keyID es el identificador de clave en notación - hexadecimal
  • -
-
-

Ejemplos:

-
-
    -
  • id_45 => clave privada con ID = 0x45 en el - primer slot disponible
  • -
  • slot_2-id_46 => clave privada con ID = 0x46 en - el tercer slot
  • -
-
-

-

En sistemas Windows, solo está portado el módulo - pkcs11. Al cargar dicho engine, utilize el nombre - "engine_pkcs11" en lugar de "engine_pkcs11.so"

-
-
-
-
-
-

- OpenSC y - OpenSSH

-
-
-
-

La versión 3.6.1p2 de OpenSSH necesita un parche para - compilar con soporte OpenSC. Encontrará dicho parche en - el directorio src/openssh

-

Para compilar OpenSSH, ejecute el comando "configure" - de la siguiente manera: - ./configure - --with-opensc=/path/to/opensc

-

Necesitará tener certificados en su tarjeta: un par de - claves no es suficiente. Descargue el certificado en - formato OpenSSH con el comando: - ssh-keygen -D - - reader - [ - : - - certificate ID - ] > - - file -

-

Reemplace - - reader - con el número del lector que desea ( por defecto 0). - El comando - opensc-tool -lle proporcionará la - lista de lectores disponibles. Añada el identificador del - certificado en caso necesario ( por defecto ID=45 ). El - comando - pkcs11-tool -Ole indica la lista - de certificados y sus identificadores

-

Una vez realizada la extracción del certificado, - copielo al servidor e incluyalo en el fichero - ~/.ssh/authorized_keystal y - como se hace habitualmente

-

Para usar una tarjeta con OpenSSH, ejecute: - ssh -I - - reader - [ - : - - certificate ID - ]

-

Del mismo modo se puede usar la utilidad ssh-agent con - OpenSC. para ello use el comando: - ssh-add -s - - reader -

-
-
-
-
-
-

- Pluggable - Authentication Module

-
-
-
-

El sistema PAM (Pluggable authentication modules) es - el mecanismo por el que Linux, y otros sistemas Unix - utilizan para los procedimientos de autentificación de - usuarios. OpenSC incluye un módulo que permite añadir la - autentificación mediante tarjetas inteligentes: - "pam_opensc"

-

pam_opensc identifica las siguientes opciones:

-
-
-
- debug -
-
registra información para depuración
-
- audit -
-
registra información sobre trazas
-
- use_first_pass -
-
No solicita contraseñas al usuario, sino que - utiliza los elementos definidos en la configuración - de los módulos PAM
-
- try_first_pass -
-
No solicita contraseña, a menos que la opción - PAM_(OLD)AUTHOK esté especificada
-
- use_authtok -
-
Exige la opción PAM_AUTHOK, fallando en caso - contrario
-
- set_pass -
-
Ajusta las opciones PAM_ con las contraseñas - usadas en éste módulo
-
- nodelay -
-
Elimina el retardo de un segundo en caso de - autenticación fallida
-
- auth_method=X -
-
Selecciona entre pkcs15-ldap o pkcs15-eid (opción - por defecto) como modo de funcionamiento del - módulo
-
-
-

-

Opciones Genéricas:

-
-
-
- -h -
-
muestra ayuda
-
- -r reader -
-
Nombre del lector (FIXME: not number?)
-
-
-

-
-
-
-
-

- eid based - authentication

-
-
-
-

Este es el método de autentificación por defecto: - Cree un directorio - .eiden su directorio raíz y - copie su certificado (en formato PEM) en el fichero - - .eid/authorized_certificates.

-

Nota: - pkcs15-tool -cle mostrará los - certificados y sus identificadores. El comando - pkcs15-tool -r ID -o - ~/.eid/authorized_certificatesle permitirá - recuperar y guardar el certificado en el fichero - deseado

-
-
-
-
-
-

- Autenticación - basada en LDAP

-
-
-
-

Si escogemos la opción auth_metod=pkcs15-ldap, se - activará el soporte LDAP para autenticación a través de - OpenSC. Las siguientes opciones están contempladas:

-
-
-
- -L ldap.conf -
-
especifica el fichero de configuración a - usar
-
- -A entry -
-
Añadir nueva entrada
-
- -E entry -
-
Activar entrada actual
-
- -H hostname -
-
Nombre del servidor LDAP
-
- -P port -
-
Puerto en el que el servidor está - escuchando
-
- -S scope -
-
Ambito (scope) del servidor
-
- -b binddn -
-
binddn de la conexión
-
- -p passwd -
-
contraseña del binding LDAP
-
- -B base -
-
base del binding LDAP
-
- -a attributes -
-
Atributos a recuperar
-
- -f filter -
-
filtro de búsqueda
-
-
-

FIXME: incluir un ejemplo de estructura de datos - LDAP: fichero de configuración, etc

-
-
-
-
-
-
-
-

- Capítulo 8. The OpenSC PKCS - #11 library

-
-
-
-
-

- Tabla de contenidos -

-
-
- - Qué es PKCS #11 - -
-
- - Slots Virtuales - -
-
-
-
-
-
-
-

- Qué es PKCS - #11

-
-
-
-

- PKCS #11es el API estandard para el - acceso a dispositivos criptográficos, tales como tarjetas - inteligentes, modulos de seguridad hardware, etc... El - API está definido mediante funciones como: - C_GetSlotList(), C_OpenSession(), C_FindObjects(), - C_Login(), C_Sign(), C_GenerateKeyPair(), ...

-

Algo de terminología básica de PKCS #11

-
-
    -
  • Slot: ubicación en la que se puede insertar una - tarjeta inteligente. Normalmente se corresponde con - un lector de tarjetas ( ver "slots virtual" )
  • -
  • Token: elemento que se sitúa en un slot. - Habitualmente se refiere a una smart card (ver slots - virtual)
  • -
  • Objeto (Object) una clave, certificado, datos, - etc. Puede ser un objeto referido a un token (eg. un - certificado residente en la tarjeta) o bien un objeto - referido a la sesion (eg. un dato a firmar/encriptar - )
  • -
  • Sesión: antes de poder operar con un token, es - necesario abrir una sesión y asociarla con él
  • -
  • Operación: una firma, una desencriptación, etc - que puede conllevar una o varias llamadas a la - biblioteca. Solo se puede realizar una operación por - cada sesion, pero pueden ser abiertas múltiples - sesiones sobre el mismo token
  • -
-
-

-
-
-
-
-
-

- Slots - Virtuales

-
-
-
-

PKCS#11 define que cada token tiene asociado dos PIN's - (Personal Identification Number): el del usuario (User - PIN) y el del administrador (Security Officer PIN). A - pesar de ello muchas tarjetas soportan más de un PIN de - usuario (eg PIN1 y PIN2 en tarjetas de telefonos - móviles). La manera de resolver este problema es la de - proveer de múltiples "slots virtuales" ( definidos en el - apéndice D del - estándard PKCS #11. Por ello cada - lector simula uno o varios slots. Si se inserta una - tarjeta, aparecerán tantos slots como PIN's disponibles. - En cada slot aparecerá un token que contiene los objetos - asociados a cada PIN. Es el equivalente a disponer de - "varias tarjetas en una", cada una con su PIN

-

OpenSC puede trabajar simultáneamente con varias - tarjetas, y no sabe a priori cuantos slots se crean por - cada tarjeta. Por ello se crean por defecto 4 slots - virtuales. Se puede cambiar dicho número en el parámetro - "num_slots" del fichero /etc/opensc.conf

-

Para numerar los slots, OpenSC adopta el siguiente - convenio: por cada PIN, sus claves, y certificados, se le - asigna un slot virtual. Si hay más objetos son asignados - al siguiente slot libre. Si quedan slots libres se crean - en ellos slots adicionales marcados como vacíos donde - pueden ser insertados tanto un nuevo PIN como sus objetos - asociados. Si no se desea añadir nuevos objetos, la - directiva "hide_empty_tokens" del fichero de - configuración esconde los slots libres

-

Ejemplo. Sea un sistema con dos lectores. Sea una - tarjeta con dos PINs. Cada PIN proteje una clave privada - y un certificado. Además existen tres certificados raíz - no asociados a dicho PIN. Si tenemos la configuracion - num_slots=4 , hide_empty_tokens=false, e insertamos la - tarjeta en el segundo lector, obtendremos lo - siguiente:

-
-
    -
  • token en slot 4: PIN 1, key 1, cert 1
  • -
  • token en slot 5: PIN 2, key 2, cert 2
  • -
  • token en slot 6: los 3 certificados raíz
  • -
  • token en slot 7: vacío
  • -
-
-

Si se hubiera especificado "hide_empty_tokens=false", - el slot 7 no contendría ningún token

-

Nota: si en el anterior ejemplo, la cadena de - certificados contuviera algún certificado común, dicho - certificado aparecería duplicado en los slots 4 y 5 (lo - que causaría problemas si se intentara borrar. Este - problema no está aún resuelto en OpenSC )

-

Otra cosa a recordar: OpenSC tiene prefijado el número - máximo de slots virtuales a 8. por ello, si se selecciona - "num_slots = 4" solo se podrán manejar dos lectores. O, - por ejemplo, si se seleciona "num_slots = 3", los dos - primeros lectores verán 3 slots, mientras que el tercero - verá solo 2

-
-
-
-
-
-
-

- Capítulo 9. Seguridad

-
-
-
- -
-
-
-
-

- Ordenes desde línea de - Comandos

-
-
-
-

OpenSC permite especificar el PIN y las claves como - argumentos en la línea de comandos. Esta operación sólo - es recomendable en casos de test o cuando se es el único - usuario del sistema. En sistemas multiusuario, los otros - usuarios pueden ejecutar comandos como "ps" o "top", y - probablemente puedan ver los argumentos asociados al - comando en ejecución. Del mismo modo, dichos comandos - suelen quedar registrados en los archivos "history"

-

La solución pasa por usar un script, o en el caso del - comando pkcs15-init, especificar los PINS y claves en un - fichero, e indicar el nombre de éste con la opción - "--options-file"

-
-
-
-
-
-

- Acceso a la card

-
-
-
-

Pueden aparecer otros problemas en entornos - multiusuario donde más de un usuario tenga acceso al - lector:

-
-
    -
  • Si el usuario deja la tarjeta insertada con la - sesion abierta, otro usuario podría modificar el pin, - bloquearlo, o incluso anular la tarjeta
  • -
  • Si la sesión realiza caché de PIN's o claves, - otro usuario podría usar nuestra tarjeta y suplantar - nuestra personalidad
  • -
-
-

-

Una solución puede ser crear un usuario/grupo - "scard/scard" bajo el que se ejecuta el servidor pcscd y - al que solo se puede acceder desde xdm. No es una - solución perfecta, pero funciona en estaciones que solo - disponen de un lector

-

En el caso de que las aplicaciones utilicen la - biblioteca PKCS#11, el sistema garantiza acceso exclusivo - una vez que se proporciona el PIN. Esta es la - configuración por defecto. Si se desea que múltiples - aplicaciones puedan trabajar a la vez con dicha - biblioteca, es necesario especificar la opción - "lock_login = false" en el fichero /etc/opensc.conf; pero - en este caso la tarjeta quedará accesible por - terceros

-

Las otras aplicaciones OpenSC no garantizan el acceso - exclusivo

-
-
-
-
-
-

- Protegiendo tarjetas con - la utilidad pkcs15-init

-
-
-
-

Muchas tarjetas incorporan una clave "de fábrica", que - se usa para crear el sistema de ficheros inicial en la - tarjeta. Una vez creado el sistema de ficheros se protege - mediante PIN, con lo que dicha clave ya no es válida

-

Esto significa que los datos del usuario no son - accesibles para nadie que posea la clave de fábrica, en - el sentido de que no pueden ser accedidos o usados

-

No obstante, con dicha clave, otro usuario podría - destruír el sistema de ficheros, borrando todo su - contenido

-

En si mismo esto es positivo: en el caso de pérdida de - tarjeta, los datos solo pueden ser destruídos, no leídos. - Pero puede darse otro problema: los certificados pueden - ser substituídos por otros falsos. Por consiguiente: sea - muy cuidadoso cuando utilice las tarjetas en entornos - hostiles, y proteja SIEMPRE los certificados con PIN

-
-
-
-
-
-

- Protección de los ficheros de - configuración, profiles, y caché

-
-
-
-

Aunque por sí mismos, los ficheros opensc.conf y - xxx.profile no contienen información sensible, es muy - importante garantizar que no son modificados

-

Algunos ejemplos de lo que se puede hacer modificando - dichos ficheros:

-
-
    -
  • Ajustar el nivel de depuración a un nivel mayor o - igual a 6, con lo que la información sensible (PINs) - queda registrada
  • -
  • Cambiar los permisos de acceso del sistema de - ficheros, con lo que la tarjeta quedaría - "abierta"
  • -
  • Cambiar los certificados en el directorio - caché
  • -
-
-

-

Por defecto, el fichero de configuración y los - ficheros profiles deberían ser propiedad del - administrador, con permisos 644. Del mismo modo, el caché - de certificados debería residir en el directorio $HOME - del usuario con permisos 600. No obstante, si el - directorio en el que se ejecutan tiene ficheros profile, - estos toman precedencia sobre los del sistema

-
-
-
-
-
-

- Acceso como administrador - (root)

-
-
-
-

De lo anterior se deduce que no se puede proteger la - tarjeta ante alguien que tenga permisos de root, que - pueda cambiar los profiles, o que pueda modificar los - ejecutables o supervisar las comunicaciones con las - tarjetas

-
-
-
-
-
-
-

- Capítulo 10. Tareas - pendientes de desarrollo

-
-
-
-
-

- Tabla de contenidos -

-
-
- - General - -
-
- - Windows - -
-
-
-
-
-
-
-

- General

-
-
-
- - - - -
-
-
-* Generación de paquetes Debian
-* Aplicaciones gráficas
-* Soporte de tarjetas EMV, GSM y JavaCards ( algún voluntario? )
-                        
-
-
- - - - -
-
-
-* incluir funciones de (de)codificación PEM en LibOpenSC
-* pkcs11: soporte de desencriptación en aquellas tarjetas que lo
-soportan
-* pkcs11: asegurarse que todas las operaciones de manejo de PIN se
-gestionan a través del API pkcs11
-* pkcs11: gestion de desbloqueo de PIN's mediante PUK
-* general: soporte de operaciones RSA-PSS
-* pkcs15-init: soporte de SOPIN en CryptoFlex
-* pkcs15-init: al generar claves, comprobar que las claves son
-correctas
-* pkcs15-init: al manejar PUK crear la entrada AODF asociada
- ( alternativamente, ajustar unblockDisabled para aquellos PIN's
-sin PUK )
-* pkcs15: corregir sc_pkcs15_change_reference_data: añadir funcion
-de desbloqueo
-
-                        
-
-
-
-
-
-
-
-

- Windows

-
-
-
-

Toda la funcionalidad de OpenSC debería ser portada a - Windows. Del mismo modo se debería implementar una - biblioteca para que OpenSC actue como CryptoAPI Provider, - implementar mecanismos de autenticación (login), y - controles ActiveX para que Internet Explorer pueda - realizar signados

-
-
-
-
-
-
-

- Capítulo 11. Resolución de - problemas

-
-
-
-

Existe una lista de correo para soporte y discusión en - el proyecto OpenSC. Información adicional sobre el proyecto - se puede encontrar en el - sitio - Web.

-

Se pueden seguir los siguientes procedimientos para - comprobar qué es lo que falla:

-
-
    -
  • Comprobar que se encuentra el lector - opensc-tool -l
  • -
  • Comprobar que se reconoce la tarjeta: - opensc-tool -adebería mostrar - el ATR de ésta
  • -
  • Comprobar que la tarjeta soporta el estandard - pkcs15, obteniendo la lista de objetos almacenados: - pkcs15-tool -C -c -k - --list-public-keys
  • -
-
-

-

Ajustando el nivel de depuración a valores superiores a - 5, y especificando los ficheros de error y log en el - fichero de configuración

-
-
-
-
-
-

- Capítulo 12. Recursos y - enlaces

-
-
-
-

La página web del proyecto OpenSC - - http://www.opensc.org/

-

Información sobre los proyectos Assuan y Ägypten: - - http://www.gnupg.org/aegypten/

-
-
-
-
-
-

- Capítulo 13. Modulo de - firmado

-
-
-
-
-

- Tabla de contenidos -

-
-
- - Compilando e - instalando el Módulo signer - -
-
-
-

OpenSC Signer es un plugin para Netscape/Mozilla, que - puede generar firmas digitales a partir de tarjetas - inteligentes. Se utiliza para el firmado de páginas web ( - mimetype .sgn )

-
-
-
-
-

- Compilando e - instalando el Módulo signer

-
-
-
-

Especifique el directorio de instalación para el - módulo al ejecutar "configure": - $ configure --with-plugin-dir= - - <directory> -

-

Directorios típicos son /usr/lib/mozilla/plugins y - /usr/lib/netscape/plugins.

-

Consulte el fichero INSTALL para instrucciones - adicionales

-

Nota: este módulo necesita abrir ventanas de diálogo - para introducir el PIN. Dichas ventanas se generan con la - biblioteca libassuan, del proyecto Ägypten. Si no las - tiene instaladas, deberá hacerlo antes de proceder a - compilar OpenSC

-
-
-
-
-
-
-

- Capítulo 14. Notas sobre - DocBook

-
-
-
-

Este documento está realizado y mantenido con DocBook - XML. A continuación se indican algunos enlaces de - introducción

-

Este documento ha sido escrito como XML, no SGML. Para - convertirlo, utilice una hoja de estilo XSL, no DSSSL. - Rechace el uso de utilidades que manejen SGML o DSSSL. Ya - no son usadas y se consideran obsoletas

-

El enlace - - DocBook Open Repository projecten SourceForge, contiene - las hojas de estilo necesarias para convertir este - documentos a otros formatos

-

El libro - DocBook: - The Definitive Guide (O'Reilly Book)ilustra DocBook, es - muy manejable, y puede ser utilizado como herramienta en - línea de manera gratuita

-

El libro - DocBook XSL: The Complete GuideContiene - una buena introducción sobre como crear y manejar - documentos, dónde obtener el software y las utilidades, y - como procesar los textos. Es un libro muy recomendable

-

Este documento es demasiado engorroso. Si sabe HTML, por - favor ayúdenos a mejorarlo. Algunas partes deberían ser - ajustadas mediante hotas de estilo ( - Reference for the HTML stylesheet - parameters), pero la mayor parte puede ser hecha con - CSS. !Ayúdanos!

-
-
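Review bot: the deletion of doc/old/opensc-es.html drops a wrong statement that should not be carried into whatever replaces it: after the virtual-slots example lists "token en slot 7: vacío" under num_slots=4, hide_empty_tokens=false, the text says 'Si se hubiera especificado "hide_empty_tokens=false", el slot 7 no contendría ningún token', which only makes sense for hide_empty_tokens=true. The commit message only says the HTML is removed from svn, and the deleted file itself states it is generated from DocBook XML ("Este documento está realizado y mantenido con DocBook XML"), so please confirm the XML source (and the export-wiki.sh / Makefile.am path that now produces the docs) still carries the security chapter, in particular that a debug level of 6 or higher writes PINs to the log, that "lock_login = false" leaves the card reachable by other applications, and that opensc.conf and the profiles should be root-owned with mode 644 and the certificate cache mode 600; otherwise Spanish readers lose that guidance with this hunk. Two smaller defects in the deleted text are also worth fixing at the source rather than silently dropping: the engine_pkcs11 transcript echoes "[Success]: MODULE_PATH:/home/aj/opensc/pkcs11/opensc-pkcs11.so" although the command passed /home/aj/opensc/lib/pkcs11/opensc-pkcs11.so, and the pam_opensc "-r reader" option still carries "(FIXME: not number?)".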
- - diff --git a/doc/old/opensc.html b/doc/old/opensc.html deleted file mode 100644 index 4348b030..00000000 --- a/doc/old/opensc.html +++ /dev/null @@ -1,3246 +0,0 @@ - - - - - - - - - OpenSC Manual - - - - - - - - - -
-
-
-
-

- OpenSC Manual -

-
- -
-
-

- - -
-
-
- -
- -
-
- -
-

- - Table of Contents - -

- -
-
- - - 1. Introduction - - -
- -
- - - 2. Authors and Contributors - - -
- -
-
-
- - - Thanks - - -
-
-
- -
- - - 3. Copyright and License - - -
- -
- - - 4. Overview - - -
- -
-
-
- - - Layers in libopensc - - -
- -
- - - The reader layer - - -
-
-
- -
- - - 5. Building and Installing libopensc - - -
- -
-
-
- - - Windows - - -
- -
- - - Windows with OpenSSL - - -
-
-
- -
- - - 6. Status - - -
- -
-
-
- - - Card Status - - -
- -
- - - Windows - - -
- -
- - - PKCS #11 Module in Netscape and Mozilla - - -
-
-
- -
- - - 7. Using OpenSC - - -
- -
-
-
- - - OpenSC and Netscape - - -
- -
- - - OpenSC and Mozilla - - -
- -
- - - OpenSC and OpenSSL - - -
- -
- - - OpenSC and OpenSSH - - -
- -
- - - Pluggable Authentication Module - - -
- -
-
-
- - - eid based authentication - - -
- -
- - - LDAP based authentication - - -
-
-
-
-
- -
- - - 8. The OpenSC PKCS #11 library - - -
- -
-
-
- - - What is PKCS #11 - - -
- -
- - - Virtual slots - - -
-
-
- -
- - - 9. Security - - -
- -
-
-
- - - Command line arguments - - -
- -
- - - Access to the card - - -
- -
- - - Protection of cards made with the pkcs15-init - tool - - -
- -
- - - Storing config, profile and pkcs15 cache files - - -
- -
- - - Root access - - -
-
-
- -
- - - 10. What needs to be done - - -
- -
-
-
- - - In general - - -
- -
- - - Windows - - -
-
-
- -
- - - 11. Troubleshooting - - -
- -
- - - 12. Resources - - -
- -
- - - 13. Signer - - -
- -
-
-
- - - Building and installing the OpenSC Signer - - -
-
-
- -
- - - 14. A few hints on DocBook documents - - -
-
-
- -
-
-
-
-

- - Chapter 1. Introduction -

-
-
- -
-
- -

- libopensc is a library for accessing smart card devices. - It is also the core library of the OpenSC project. Basic - functionality (e.g. SELECT FILE, READ BINARY) should work - on any ISO 7816-4 compatible smart card. Encryption and - decryption using private keys on the smart card is - possible with PKCS #15 compatible cards, such as the - FINEID (Finnish Electronic IDentity) card. -

-
- -
-
-
-
-

- - Chapter 2. Authors and Contributors -

-
-
- -
-
- -
-

- - Table of Contents - -

- -
-
- - - Thanks - - -
-
-
- -

- Here is a list of all Authors and Contributors of OpenSC - in alphabetical order: -

- -
- -
- -
-
-
-
-

- Thanks -

-
-
- -
-
- -

- The following people provided inspiration, moral - support and/or valuable information during the - development of OpenSC: -

- -
- -
- -

- OpenSC did neither invent the wheel nor write all code - from scratch. We could reuse some code from other - projects mostly to interface with these projects. - Thanks to the original authors: -

- -
- -
-
-
- -
-
-
-
-

- - Chapter 3. Copyright and License -

-
-
- -
-
- - - - - -
-
-                OpenSC smart card library
-                Copyright (C) OpenSC developers 
-
-                This library is free software; you can redistribute
-                it and/or
-                modify it under the terms of the GNU Lesser General
-                Public
-                License as published by the Free Software
-                Foundation; either
-                version 2.1 of the License, or (at your option) any
-                later version.
-
-                This library is distributed in the hope that it
-                will be useful,
-                but WITHOUT ANY WARRANTY; without even the implied
-                warranty of
-                MERCHANTABILITY or FITNESS FOR A PARTICULAR
-                PURPOSE.  See the GNU
-                Lesser General Public License for more details.
-
-                You should have received a copy of the GNU Lesser
-                General Public
-                License along with this library; if not, write to
-                the Free Software
-                Foundation, Inc., 59 Temple Place, Suite 330,
-                Boston, MA  02111-1307  USA
-                
-
-
- -
-
-
-
-

- - Chapter 4. Overview -

-
-
- -
-
- -
-

- - Table of Contents - -

- -
-
- - - Layers in libopensc - - -
- -
- - - The reader layer - - -
-
-
- -

- OpenSC is a large toolkit. The main building block is the - opensc library. It has three layers of code, each with - several drivers in it. Other libraries are the PKCS #11 - module, a PAM module, two engines for OpenSSL. In - addition there are several tools to test and use these - tools and libraries. -

- -

- Purpose of this chapter is to give an overview of the - inner workings of the opensc library, to give a short - presentation what the other libraries do, and finally - what the opensc toolchest has to offer. Each tool has - it's own man page, each library it's own section in this - document. -

- -
-
-
-
-

- Layers in - libopensc -

-
-
- -
-
- -

- libopensc is the basic library used by everything else. - It offer basic functionality like talking to smart - cards, but also advances functions like generating RSA - keys on a smart card. -

- -

- libopensc has several layers of functionality, each - implemented by one or several drivers. The layers are: -

- -
-
-
- - reader - -
- -
- OpenSC needs some way to talk to smart card readers - and cards in the smart card readers. Different - software can be used for that purpose, each - software has it's own reader module so OpenSC can - use that software. -
- -
- - card - -
- -
- In a perfect world all smart cards would implement - ISO 7816 standard, and thus accept the same - commands and give the same answers. Unfortunately - most cards have their own commands, syntax and - responses. The card modules in libopensc implement - these different commands. -
- -
- - pkcs15init - -
- -
- Smart cards usually have a file system. To store or - create keys or certificates on a smart card one - needs to format the card, create directories and - objects and set permissions in a secure way. Not - only are the commands to do this different from - card to card, also the security model is often very - different. These pkcs15init modules implement these - differences. -
- -
- - PKCS #15 framework - -
- -
-

- - PKCS #15 - is the standard on how to store certificates - and keys on a smart card or crypto token. But - many vendors have their own proprietary mechanism - for storing these informations, for example in - different directories. OpenSC implements the PKCS - #15 standard, but there is also an emulation - module for a slightly incompatible storage - mechanism in the works. -

- -

- It should be possible to implement a completely - different framework for compatibility with a non - PKCS #15 way of storing and accessing keys and - certificates. -

-
-
-
-
- -
-
-
-
-

- The reader - layer -

-
-
- -
-
- -

- PC/SC Lite is well known as smart card middleware. It - interacts with drivers for the smart card readers on - the bottom, and with smart card applications on the - top. OpenSC can use PC/SC Lite via the pcsc reader - module, but also supports a number of alternatives. -

- -

- PC/SC is a standard with interfaces between - applications, a resource manager and drivers for smart - card readers. This standard is very popular on the - Windows operating System. The documents are available - from - - - http://www.pcscworkgroup.com/ - . -

- -

- PC/SC Lite is an implementation of the PC/SC standard - for Linux, Unix, Mac OS X and Windows by David Corcoran - - - . The software is available with full source code - and available for free. To download the software, - please visit the website of the Movement for the use of - smart cards in a Linux environment (M.U.S.C.L.E.) at - - - http://www.linuxnet.com/ - . -

- -

- To install OpenSC with support for PC/SC Lite, please - install PC/SC Lite first. Then configure OpenSC to use - PC/SC Lite and specify the location where PC/SC Lite is - installed like this: -

- - - - - -
-
-                  $ cd opensc-<version>
-                  $ ./configure --with-pcsclite=/path/to/pcsclite
-                                                  
-                
-
- -

- -

- OpenCT is a new framework for accessing smart cards, - card readers and card terminals. It was written from - scratch, already includes all drivers, and is very - lightweight. OpenCT is available for Linux, but if you - want to use it on other Unix or BSD operating systems, - please ask for help on the opensc-devel mailing list. -

- -

- OpenCT is open source software. As such it is available - with full source code for free. OpenCT is a software - companion to OpenSC and the preferred way of accessing - smart cards under Linux. OpenCT is available from the - OpenSC website - - - http://www.opensc.org/ - and questions go to the - - mailing list. -

- -

- To compile OpenSC with support for OpenCT, please - install OpenCT first. Documentation on OpenCT is part - of the source code, and also available online at - - - http://www.opensc.org/files/doc/openct.html - . Then configure OpenSC to use OpenCT and specify - the location where OpenCT is installed like this: -

- - - - - -
-
-                  $ cd opensc-<version>
-                  $ ./configure --with-openct=/path/to/openct
-                                                  
-                
-
- -

- -

- CT-API is a standard format for drivers for smart card - readers. It was invented in the eighties for DOS - applications and is maybe not very fit for todays - multiuser multitasking applications. However CT-API is - still quite popular, and many smart card readers have - drivers in CT-API format even for Linux. It is - recommended to use these drivers if the PC/SC Lite - middleware described above. -

- -

- But OpenSC can also use CT-API drivers directly. This - is meant for debugging mostly and not recommended in a - multi user or multi application environment. -

- -

- OpenSC includes always support for drivers in CT-API - format, you don't need to do anything special for - compiling. See the - - - opensc.conf - configuration file on how to configure an CT-API - driver with OpenSC. -

-
-
- -
-
-
-
-

- - Chapter 5. Building and Installing - libopensc -

-
-
- -
-
- -
-

- - Table of Contents - -

- -
-
- - - Windows - - -
- -
- - - Windows with OpenSSL - - -
-
-
- -

- See the INSTALL file for instructions. If you are using - the CVS version, you have to run the 'bootstrap' script - before running configure. Please note, that for bootstrap - to work, you have to have the correct versions of - Autoconf, Automake and Libtool installed. -

- -
-
-
-
-

- Windows -

-
-
- -
-
- -

- Type "nmake -f makefile.mak" in the opensc\ dir to - compile. -

- -

- You need also perl and flex installed for the compile - process to complete successfully. -

- -

- No installation script has been provided, so you have - to do this manually: -

- -
-
    -
  1. - Copy opensc.conf to your Windows directory (usually - C:\WINDOWS or C:\WINNT). This is optional. -
  2. - -
  3. - Copy opensc.dll and opensc-pkcs11.dll to your path. -
  4. - -
  5. - If you want to use pkcs15-init.exe, make sure the - *.profile files in the pkcs15-init\ dir are in the - same directory as pkcs15-init.exe, or in your - Windows directory. -
  6. -
-
-
- -
-
-
-
-

- Windows - with OpenSSL -

-
-
- -
-
- -

- This adds extended functionality. E.g. the pkcs15-init - tool, PKCS #11 hash mechanisms and more PKCS #11 - signature mechanisms. -

- -
-
    -
  1. - Download and compile the OpenSSL sources from - - - http://www.openssl.org/source/ - -
  2. - -
  3. - Add the inc32\ dir to your include path, the - out32dll\ to your lib path and your executable path - - - - - - -
    -
    -                        set include=%include%;.....\inc32
    -                        set lib=%lib%;.....\out32dll
    -                        set path=%path%;....\out32dll
    -                                                                
    -                      
    -
    -
  4. - -
  5. - In src/tools/Makefile.mak uncomment pkcs15-init.exe - in the "TARGETS" line (optionally) and add - libeay32.lib (and gdi32.lib) to the "link" line -
  6. - -
  7. - In src/libopensc/Makefile.mak add libeay32.lib (and - gdi32.lib) to the "link" line -
  8. - -
  9. - In src/pkcs11/Makefile.mak add libeay32.lib (and - gdi32.lib) to the "link" lines of TARGET and - TARGET3. -
  10. - -
  11. - In win32/Make.rules.mak add /DHAVE_OPENSSL to the - "COPTS" line -
  12. -
-
- -

- To add the OpenSSL code to the DLLs (so you won't need - libeay32.dll anymore): statically compile OpenSSL and - add gdi32.lib next to libeay32.lib in the 3 - Makefile.mak files above. -

-
-
- -
-
-
-
-

- - Chapter 6. Status -

-
-
- -
-
- -
-

- - Table of Contents - -

- -
-
- - - Card Status - - -
- -
- - - Windows - - -
- -
- - - PKCS #11 Module in Netscape and Mozilla - - -
-
-
- -
-
-
-
-

- Card Status -

-
-
- -
-
- -
-
-
- - CryptoFlex - -
- -
-

- Support signing/decrypting, and initialization -

-
- -
- - Gemplus PK 4K, 8K, 16K - -
- -
-

- Support signing/decrypting, and initialization. -

- -

- NOTE: You will not be able to initialize a - GemSafe cards - these card already have been - personalized by Gemplus, and you cannot erase - them or create new key files on them. -

-
- -
- - Aladdin eToken PRO - -
- -
-

- Support signing/decrypting, and initialization. -

- -

- NOTE: CardOS only supports keys for decryption or - signing, but not both. If you create/store keys - with "--split-keys" OpenSC will work around this - limitation. -

-
- -
- - Eutron CryptoIdendity IT-SEC - -
- -
-

- Support signing/decrypting, and initialization. -

- -

- NOTE: CardOS only supports keys for decryption or - signing, but not both. If you create/store keys - with "--split-keys" OpenSC will work around this - limitation. -

-
- -
- - Micardo - -
- -
-

- Supported - need to fill in the details -

-
- -
- - Miocos - -
- -
-

- Supported - need to fill in the details -

-
- -
- - Setcos - -
- -
-

- Supported - need to fill in the details -

-
- -
- - Tcos - -
- -
-

- Supported - need to fill in the details -

-
-
-
-
- -
-
-
-
-

- Windows -

-
-
- -
-
- -

- At the moment only libopensc.dll, pkcs11-spy.dll - opensc-pkcs11.dll, and most executables in the tools\ - and tests\ dir have been ported. They are tested on - Win98, WinNT, Win2000 and WinXP. -

-
- -
-
-
-
-

- PKCS #11 Module - in Netscape and Mozilla -

-
-
- -
-
- -

- Netscape seems to show more information about the - security module than Mozilla. Otherwise all stuff is - untested. -

- -

- Thread safety on Linux and Mac OS X: Netscape/Mozilla - uses the CKF_OS_LOCKING_OK flag in C_Initialize(). The - result is that the browser process doesn't end when - closing the browser, so you have to kill the process - yourself. (If the browser would do a C_Finalize, the - sc_pkcs11_free_lock() would be called and there - wouldn't be a problem.) -

- -

- Therefore, we don't use the PTHREAD locking mechanisms, - even if they are requested. This seems to work fine for - Mozilla, BUT will cause problems for apps that use - multiple threads to access this lib simultaneously. -

- -

- If you do want to use OS threading, compile with - -DPKCS11_THREAD_LOCKING On Windows, no PTHREAD lib is - used and there the problem doesn't occur. So there the - OS locking is enabled. -

-
-
- -
-
-
-
-

- Chapter 7. Using - OpenSC -

-
-
- -
-
- - - -
-
-
-
-

- OpenSC and - Netscape -

-
-
- -
-
- -
-
    -
  1. - Select menu: Communicator -> Tools -> - Security Info -
  2. - -
  3. - Select Cryptographic Modules -
  4. - -
  5. - Click: Add -
  6. - -
  7. - Fill in module name: "OpenSC PKCS #11 Module" and - module file: - /path/to/opensc/lib/pkcs11/opensc-pkcs11.so -
  8. -
-
- -

- For proper operation, you also need to configure the - module: In the Cryptographic Modules dialog, select the - OpenSC card, and click on the "Config" button to the - right. Select the "Enable this token" radio button, and - select the "Publicly readable Certs" button. -

- -

- This will ensure that Netscape uses the card when - trying to display encrypted messages in Netscape - messenger. Setting "Publicly readable Certs" will also - stop a pretty annoying habit of Netscape which is to - ask for all PINs when browsing sites requiring client - authentication. -

- -

- You should _not_ select the "RSA" button. If this - option is selected, Netscape will try to use the card - for all public key operations, and will fail horribly. -

- -

- FIXME: this is for which versions of Netscape? -

-
- -
-
-
-
-

- OpenSC and - Mozilla -

-
-
- -
-
- -
-
    -
  1. - Make sure Personal Security Manager (PSM) is - installed (eg. mozilla-psm package is installed). -
  2. - -
  3. - Select menu: Edit -> Preferences -
  4. - -
  5. - Select category: Privacy & Security -> - Certificates -
  6. - -
  7. - Click: Manage Security Devices -
  8. - -
  9. - Click: Load -
  10. - -
  11. - Fill in module name: "OpenSC PKCS #11 Module" and - module file: - /path/to/opensc/lib/pkcs11/opensc-pkcs11.so -
  12. -
-
-
- -
-
-
-
-

- OpenSC and - OpenSSL -

-
-
- -
-
- -

- OpenSSL is a robust, full-featured toolkit implementing - the SSL protocols as well as a general purpose - cryptography library. It features a so called engine - interface to combine the toolkit with the cryptographic - abilities of some hardware. -

- -

- OpenSC includes an engine for OpenSSL. This allows to - use the OpenSSL library and command line utilities in - combination with smart card cryptography. -

- -

- Here is an example how it works with the command line - tool - - - - openssl - - . You need to load the opensc engine first, and - then can enter any command as usual (e.g. create or - sign a certificate). -

- -

- Here is an example of how to load the engine. -

- - - - - -
-
-                  aj@simulacron:~$ openssl
-                  OpenSSL> engine dynamic -pre
-                  SO_PATH:/home/aj/opensc/lib/opensc/engine_opensc.so
-                  -pre ID:opensc -pre LIST_ADD:1 -pre LOAD
-                  (dynamic) Dynamic engine loading support
-                  [Success]:
-                  SO_PATH:/home/aj/opensc/lib/opensc/engine_opensc.so
-                  [Success]: ID:opensc
-                  [Success]: LIST_ADD:1
-                  [Success]: LOAD
-                  Loaded: (opensc) opensc engine
-                  OpenSSL> 
-                                                  
-                
-
- -

- -

- A typical OpenSSL command might be to make a - certificate request: - - - req -engine opensc -new -key - - - - key - - -keyform engine -out req.pem -text - . See the OpenSSL documentation for details. -

- -

- - - - - - key - - can specify the ID of a key in hex, - e.g. "45" - would be key 0x45. - -

- -

- Actually OpenSC has even two engines for OpenSSL: - - - engine_opensc.so - and - - - engine_pkcs11.so - . -

- -

- The opensc engine does only work with OpenSC. It will - not work, if several applications try to use the smart - card at the same time or one applications tries to use - several smart cards at the same time. Or several - certificates or keys within one card. But for the - simple case (one app, one cert, one smart card) it is - working very fine. -

- -

- The PKCS #11 engine is very generic and flexible. It - will always work, even in complex situations involving - several cards, keys, objects, certificates or - concurrent applications. Also it is fully based on PKCS - #11 and that way it can use the OpenSC PKCS #11 library - (and does so by default), but it will work with any - other PKCS #11 library, too. -

- -

- To load the PKCS #11 engine, issue this command: -

- - - - - -
-
-                  aj@simulacron:~$ openssl
-                  OpenSSL> engine dynamic -pre
-                  SO_PATH:/home/aj/opensc/lib/opensc/engine_pkcs11.so
-                  -pre ID:pkcs11 -pre LIST_ADD:1 -pre LOAD -pre
-                  MODULE_PATH:/home/aj/opensc/lib/pkcs11/opensc-pkcs11.so
-                  (dynamic) Dynamic engine loading support
-                  [Success]:
-                  SO_PATH:/home/aj/opensc/lib/opensc/engine_pkcs11.so
-                  [Success]: ID:pkcs11
-                  [Success]: LIST_ADD:1
-                  [Success]: LOAD
-                  [Success]:
-                  MODULE_PATH:/home/aj/opensc/pkcs11/opensc-pkcs11.so
-                  Loaded: (pkcs11) pkcs11 engine
-                  OpenSSL> 
-                                                  
-                
-
- -

- and then proceed as normal. -

- -

- A typical OpenSSL command might be to make a - certificate request: - - - req -engine pkcs11 -new -key - - - - key - - -keyform engine -out req.pem -text - . See the OpenSSL documentation for details. -

- -

- - - key - - has the format - [slot_<slotNr>][-][id_<keyID>], in which -

- -
-
    -
  • - the optional slotNr indicates which PKCS #11 slot - to take (starting from 0, which is also the - default) -
  • - -
  • - keyID is the key ID in hex notation -
  • -
-
- -

- Examples: -

- -
-
    -
  • - id_45 => private key with ID = 0x45 in the first - 'suited' slot -
  • - -
  • - slot_2-id_46 => private key with ID = 0x46 in - the third slot -
  • -
-
- -

- -

- For Windows, only the PKCS #11 engine (not the OpenSC - engine) has been ported; use "engine_pkcs11" instead of - "engine_pkcs11.so". -

-
- -
-
-
-
-

- OpenSC and - OpenSSH -

-
-
- -
-
- -

- Version 3.6.1p2 of OpenSSH needs a patch to compile - with OpenSC. You will find this patch in src/openssh/. -

- -

- When compiling OpenSSH you need to run configure like - this: - - - ./configure --with-opensc=/path/to/opensc - -

- -

- You need to have a certificate on your smart card. A - key is not enough. Download the public key of your - certificate in Openssh format with this command: - - - ssh-keygen -D - - - - reader - - [ - - - : - - - - certificate ID - - - ] > - - - - file - - - -

- -

- Replace - - - - reader - - with the number of the reader you want to use, - default it 0. - - - opensc-tool -l - will give you a list of available readers. Add the - certificate ID if you need to select one. Default is - 45. - - - pkcs11-tool -O - will give you a list of available certificates and - their IDs. -

- -

- Then transfer the public key to the desired server and - add it to - - - ~/.ssh/authorized_keys - as usual. -

- -

- To use a smart card with Openssh run - - - ssh -I - - - - reader - - [ - - - : - - - - certificate ID - - - ] - -

- -

- You can also use the OpenSSH ssh-agent tool with - OpenSC. If you want to do so, use - - - ssh-add -s - - - - reader - - - -

-
- -
-
-
-
-

- Pluggable - Authentication Module -

-
-
- -
-
- -

- Pluggable authentication modules (PAM) is the default - way under Linux and other Unix operating systems to - configure authentication. OpenSC includes a module to - allow smart card based authentication: pam_opensc. -

- -

- The following options are recognized: -

- -
-
-
- - debug - -
- -
- log more debugging info -
- -
- - audit - -
- -
- a little more extreme than debug -
- -
- - use_first_pass - -
- -
- don't prompt the user for passwords, take them from - PAM_ items instead -
- -
- - try_first_pass - -
- -
- don't prompt the user for passwords unless - PAM_(OLD)AUTHTOK in used -
- -
- - use_authtok - -
- -
- require PAM_AUTHTOK set, use it, fail otherwise -
- -
- - set_pass - -
- -
- set the PAM_ item with the passwords used by this - module -
- -
- - nodelay - -
- -
- used to prevent failed authentication resulting in - a delay of about 1 second. -
- -
- - auth_method=X - -
- -
- choose either pkcs15-ldap or pkcs15-eid - authentication. pkcs15-eid is the default. -
-
-
- -

- -

- Generic options: -

- -
-
-
- - -h - -
- -
- Show help -
- -
- - -r reader - -
- -
- Reader name (FIXME: not number?) -
-
-
- -

- -
-
-
-
-

- eid based - authentication -

-
-
- -
-
- -

- This is the default authentication method. Create a - directory - - - .eid - in your home directory and copy your PEM encoded - certificate to the file - - - .eid/authorized_certificates - . -

- -

- Note: - - - pkcs15-tool -c - will show you all certificates and their ID, - - - pkcs15-tool -r ID -o ~/.eid/authorized_certificates - will save the certificate - - - - ID - - to that file. -

-
- -
-
-
-
-

- LDAP based - authentication -

-
-
- -
-
- -

- Setting auth_method to pkcs15-ldap will enable LDAP - based authentication. These options are supported: -

- -
-
-
- - -L ldap.conf - -
- -
- Configuration file to load -
- -
- - -A entry - -
- -
- Add new entry -
- -
- - -E entry - -
- -
- Set current entry -
- -
- - -H hostname - -
- -
- hostname of LDAP server -
- -
- - -P port - -
- -
- port or LDAP server -
- -
- - -S scope - -
- -
- scope of LDAP server -
- -
- - -b binddn - -
- -
- binddn for LDAP connection -
- -
- - -p passwd - -
- -
- password for LDAP bind -
- -
- - -B base - -
- -
- base for LDAP bind -
- -
- - -a attributes - -
- -
- attributes to fetch -
- -
- - -f filter - -
- -
- filter in LDAP search -
-
-
- -

- FIXME: provide an example of LDAP data structure, - config file etc. -

-
-
-
- -
-
-
-
-

- Chapter 8. The - OpenSC PKCS #11 library -

-
-
- -
-
- -
-

- - Table of Contents - -

- -
-
- - - What is PKCS #11 - - -
- -
- - - Virtual slots - - -
-
-
- -
-
-
-
-

- What is PKCS #11 -

-
-
- -
-
- -

- - PKCS #11 - is a standard API for accessing cryptographic - tokens such as smart cards, Hardware Security Modules, - ... It contains functions like C_GetSlotList(), - C_OpenSession(), C_FindObjects(), C_Login(), C_Sign(), - C_GenerateKeyPair(), ... -

- -

- Some core concepts of PKCS #11 are: -

- -
-
    -
  • - slot: the place in which a smart card can be put. - Usually this corresponds with a card reader (but: - see below, Virtual slots). -
  • - -
  • - token: the thing that is put in a slot. Usually - this corresponds with a smart card (but: see below, - virtual slots). -
  • - -
  • - object: a key, a certificate, some data, ... Is - either a token object (if it resides on the card) - or a session object (if it doesn't reside on the - card, e.g. a certificate given to the PKCS #11 - library to do a verification). -
  • - -
  • - session: before you can do anything with a token, - you have to open a session on it. -
  • - -
  • - operation: a signature, decryption, digest, ... - operation, that can consist of multiple function - calls. Example: C_SignInit(), C_SignUpdate(), - C_SignFinal(); here the first function starts the - operation, the third one ends it. Only one - operation can be done in the same session, but - multiple sessions can be opened on the same token. -
  • -
-
- -

-
- -
-
-
-
-

- Virtual slots -

-
-
- -
-
- -

- Per token, only 2 PINs can be given: the SO (Security - Officer) PIN and the user PIN. However, smart cards can - have more than 1 user PIN. A way to this solve problem - is to have multiple 'virtual' slots, as explained in - appendix D of the - - - PKCS #11 standard - . So per physical reader, you have a number of - virtual slots. If you insert a card in the reader, a - token will appear in all the virtual slots, and each - token will contain 1 PIN along with the private keys it - protects and certificates corresponding to those - private keys. -

- -

- Because OpenSC supports multiple cards, it is not known - in advance how many PINs a smart card will have. - Therefore, a default number of 4 virtual slots is used. - You can change this default in the pkcs11 section of - opensc.conf: num_slots. -

- -

- OpenSC implements the following behaviour: for each - PIN, its private keys and corresponding certs, there is - 1 virtual slot allocated. If there are any objects - left, they are put in the next free virtual slot. And - if there are some virtual slots left, an 'empty' token - is 'put' in them; on this empty token a PIN and data - can then be put. If you find this too confusing, you - can hide empty tokens with the hide_empty_tokens option - in the config file. -

- -

- Example: Take a card with 2 PINs. Each PIN protects a - private key and each private key has a corresponding - cert chain. And then there are 3 other roots certs that - have nothing to do with the other data. Now if - num_slots = 4, hide_empty_tokens = false; and if you - put the card your second card reader, you'll get the - following: -

- -
-
    -
  • - token in slot 4: PIN 1, key 1, cert chain 1 -
  • - -
  • - token in slot 5: PIN 2, key 2, cert chain 2 -
  • - -
  • - token in slot 6: the 3 other root certs -
  • - -
  • - token in slot 7: no data -
  • -
-
- -

- If hide_empty_tokens would have been true, slot 7 - wouldn't show a token. -

- -

- Note: if in the example the 2 cert chain would have - common certificates, those certificates would appear in - the tokens in slots 4 and 5. (Which would cause a - problem if those certs were deleted, this hasn't been - solved yet in OpenSC). -

- -

- Another good-to-know: the number of virtual slots has - been hard-coded (it is 8 at the moment). So if - num_slots = 4, only the first 2 readers will be - visible. Or if you'd put num_slots to 3, the first 2 - readers will have 3 virtual slots and the third reader - will have 2. -

-
-
- -
-
-
-
-

- Chapter 9. Security -

-
-
- -
-
- - - -
-
-
-
-

- Command line arguments -

-
-
- -
-
- -

- The OpenSC tools allow you to specify PINs and keys on - the command line. This is only suitable for testing or - when you are the only user of the machine. If there are - multiple users, other users usually are able to run - things like 'ps' or 'top', and probably are able to see - the arguments given to some process, too. Also, the - arguments probably get logged to some shell history - file like ~/.bash_history. -

- -

- The solution is to use a script or, in the case of the - pkcs15-init tool to put PINS and keys into a file and - used through the --options-file options. -

-
- -
-
-
-
-

- Access to the card -

-
-
- -
-
- -

- Some other problems if multiple users have access to - the reader(s): -

- -
-
    -
  • - If the user forgets a card to the reader while the - session isn't locked, a malicious other user could - run PIN verify commands to the card and probably - lock the PIN, or even lock the card for good. -
  • - -
  • - If a user is logged in to the card but the session - isn't locked, a malicious user could use the - previliged functionality (e.g. doing a signature, - writing data to the card). -
  • -
-
- -

- -

- A solution is to add the user to a specific "scard" - group after they've logged in through xdm. pcsc-lite's - pcscd runs as pseudouser/group scard/scard, and limit - the access to the server socket (pcscd.comm) as 770 - scard:scard. This way, other possible users that may - have logged in through ssh won't have any access to the - local card readers. Not a perfect solution, but works - for single-reader workstations well enough. -

- -

- In case your application uses the pkcs11 library, that - application will have, exclusive access access to the - card once you provided a PIN. This is the default - setting. If you would like multiple apps to use the - pkcs11 library, you can set 'lock_login = false;' in - the opensc.conf file, but this leaves your card open to - other user's applications as well. -

- -

- Other tools/libs (signer, openssh, pam) don't provide - unique access once you are logged in. -

-
- -
-
-
-
-

- Protection of cards made - with the pkcs15-init tool -

-
-
- -
-
- -

- Most cards have a default transport key that is used to - create a pkcs15 directory on the card. Within the - pkcs15 directory, files and keys are protected by PINs - so the transport key has no power there. -

- -

- This means that your keys and sensitive data are safe - against others (who know the default transport key), in - the sense that they can't be read or used. -

- -

- However,anyone knowing the transport key and who has - access to your card can delete the pkcs15 directory - with all its keys, certs, data, ... -

- -

- On itself, that may be a good thing if you lost your - card, but there's another problem: If your card - contains trusted certificates, and an adversary steals - your card, puts another pkcs15 dir with other certs on - the card and puts it back without you knowing, you may - not find out until you put trust in those untrusted - certs. Bottomline: be very carefull when using the card - as a tamper-resistant storage -- make them - PIN-protected for example. (Note: this if often not the - case: the trusted certificates are stored usually - stored in the application using them.) -

-
- -
-
-
-
-

- Storing config, profile and - pkcs15 cache files -

-
-
- -
-
- -

- While the opensc.conf and xxx.profile files don't - contain any sensitive information, it is very important - that they are not tampered with. -

- -

- Some examples of what an adversary with write access to - those files or an absent-minded administrator could do: -

- -
-
    -
  • - Set the debug level to 6, which means all sensitive - info (like PINs) is logged -
  • - -
  • - Change the access conditions in the profiles, so - that a card that is initialised with pkcs15-init - will be wide open for anyone to read/write/sign -
  • - -
  • - Change trusted certs in the pkcs15 cache -
  • -
-
- -

- -

- By default, the config and profile files can only be - written by root/Adminstrator and the cache files are in - the user home dir, so this is OK. Note however, that if - there are profile files in the current dir, it will be - those files that are used instead of the ones that were - installed in a system dir! -

-
- -
-
-
-
-

- Root access -

-
-
- -
-
- -

- From the above, it follows that you can't protect your - card, nor use your card to protect something against - someone with root access or who can change the - config/profile files, binaries or sniff/modify the - communication with the card. -

-
-
- -
-
-
-
-

- Chapter 10. What - needs to be done -

-
-
- -
-
- -
-

- - Table of Contents - -

- -
-
- - - In general - - -
- -
- - - Windows - - -
-
-
- -
-
-
-
-

- In general -

-
-
- -
-
- - - - - -
-
-                  * GUI applications
-                  * Add support for EMV, GSM and Java cards
-                  (anyone?)
-                                          
-                
-
- - - - - -
-
-                  * put generic PEM encoding/decoding functions
-                  into libopensc?
-                  * pkcs11: support decrypt for those cards that
-                  have it
-                  * pkcs11: make sure all PIN ops work through
-                  pkcs11
-                  * pkcs11: unblock pins: check for unblock pins in
-                  AODF
-                  * all: support for RSA-PSS
-                  * pkcs15-init: support SOPIN on Cryptoflex
-                  * pkcs15-init: use max. possible usage by default
-                  * pkcs15-init: during keygen, make sure the
-                  pubkey usage is right
-                  * pkcs15-init: when using an unblock PIN, write
-                  an AODF entry for it
-                    (alternatively: set unblockDisabled flag for
-                  those PINs that have no PUK?)
-                  * pkcs15: fix sc_pkcs15_change_reference_data;
-                  add unblock function
-                                          
-                
-
-
- -
-
-
-
-

- Windows -

-
-
- -
-
- -

- Other parts of OpenSC be should ported as well. Also we - should implement native Win32 APIs such as CryptoAPI - Provider, some login stuff and ActiveX plugin for - Internet Explorer to do the signing. -

-
-
- -
-
-
-
-

- - Chapter 11. Troubleshooting -

-
-
- -
-
- -

- A mailing list has been set up for support and discussion - about the OpenSC project. Additional info is available at - the - - - OpenSC web site - . -

- -

- You could follow these steps to get a first idea about - what is going wrong: -

- -
-
    -
  • - See if any readers can be found: - - - opensc-tool -l - -
  • - -
  • - See if your smart card can be found with - - - opensc-tool -a - (this should show the ATR of the card). -
  • - -
  • - See if your card is a pkcs15 card, and which pkcs15 - objects are on it: - - - pkcs15-tool -C -c -k --list-public-keys - -
  • -
-
- -

- -

- You can turn on debugging by setting "debug = 5;" in the - opensc.conf file and un-commenting the names of the debug - and error files. -

-
- -
-
-
-
-

- - Chapter 12. Resources -

-
-
- -
-
- -

- See the OpenSC web site at - - - http://www.opensc.org/ - -

- -

- Information about Assuan and project Ägypten: - - - http://www.gnupg.org/aegypten/ - -

-
- -
-
-
-
-

- - Chapter 13. Signer -

-
-
- -
-
- -
-

- - Table of Contents - -

- -
-
- - - Building and installing the OpenSC Signer - - -
-
-
- -

- OpenSC Signer is a Netscape plugin that will generate - digital signatures using facilities on PKI-capable smart - cards. -

- -
-
-
-
-

- Building and - installing the OpenSC Signer -

-
-
- -
-
- -

- You should specify your plugin directory with: - - - $ configure --with-plugin-dir= - - - - <directory> - - - -

- -

- Common plugin directories are /usr/lib/mozilla/plugins - and /usr/lib/netscape/plugins. -

- -

- See the INSTALL file for more instructions. -

- -

- NOTE: PIN code dialog is done through libassuan from - Project Ägypten. If you don't have it installed - already, download it from the link below. -

-
-
- -
-
-
-
-

- Chapter 14. A - few hints on DocBook documents -

-
-
- -
-
- -

- This document is maintained as DocBook XML document. Here - are some hints and links for newcomers. -

- -

- This document is written in XML not SGML. To convert it, - use a XSL stylesheet, not an DSSSL stylesheet. Ignore all - tools and web pages talking about SGML or DSSSL, those - talk about legacy technology no longer used and no longer - up to date. -

- -

- - DocBook Open Repository project - at SourceForge has the XSL stylesheet used to convert - this XML document to other formats. -

- -

- - DocBook: The Definitive Guide (O'Reilly Book) - documents DocBook, is very handy as reference and - available online for free. -

- -

- - DocBook XSL: The Complete Guide - is a book with a great introduction on how to create - a document, how to convert it, where to get the software, - tools and everything. It you a fast road to editing this - document, look at this book. -

- -

- This document might be ugly. If you know html, please - help us to improve it. Some stuff can be tuned in the XSL - stylesheet (see - - - Reference for the HTML stylesheet parameters - ), but most stuff can be improved via CSS styles. We - need help on this ! -

-
-
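Review bot: the deletion of doc/old/opensc.html drops material that nothing else in this patch replaces, and the commit message ("remove html from svn") does not say where it now lives. In particular Chapter 9 "Security" (PINs and keys given as command-line arguments are visible to other users via ps/top and end up in ~/.bash_history; use --options-file with pkcs15-init instead; lock_login = false opens the card to other users' applications; profile files in the current directory silently override the installed ones; debug level 6 logs PINs) and Chapter 8 "Virtual slots" (num_slots, hide_empty_tokens, the hard-coded total of 8 slots) are operational guidance users will look for. Suggest either confirming in the commit message that these sections are covered by the wiki export this commit touches, or keeping the security chapter in a non-generated source file rather than deleting it with the rendered HTML.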
- - diff --git a/doc/pkcs11_keypair_gen.html b/doc/pkcs11_keypair_gen.html deleted file mode 100644 index 52a5774a..00000000 --- a/doc/pkcs11_keypair_gen.html +++ /dev/null @@ -1,28 +0,0 @@ - -pkcs11_keypair_gen - OpenSC - Trac
-

-PKCS11 Keypair generation, certificate request and writing the requested cert to the card -

-

-You can use the the pkcs11 library (opensc-pkcs11.so or opensc-pkcs11.dll) with Mozilla/Firefox/Netscape to go to an on-line CA (Certificate Authority). In this case, the browser will: -

-
  • ask the pkcs11 lib to generate a keypair on your card, -
  • create a certificate request, -
  • ask the pkcs11 lib to sign the cert request, -
  • send the cert request to the CA, -
  • (at a later time, when the CA is done) download the requested cert, -
  • and ask the pkcs11 lib to store the cert on your card. -

-However in order to work: -

-
  • you have to format your card with the "onepin" profile option: -
    • pkcs15-init -E -
    • pkcs15-init -C -p pkcs15+onepin --pin xxxx --puk yyyy -
  • you have set cache_pins should to true in opensc.conf -

-Currently, only 1 certificate can be requested this way. The reason is that Mozilla changes the ID of the key and cert into a hash of 20 bytes, and this confuses our pkcs15init library (used to 1-byte IDs) who will attempt to create a new key on the place of the first key (which fails)... -

-
-
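Review bot: doc/pkcs11_keypair_gen.html is removed without a pointer to its replacement; its title ("pkcs11_keypair_gen - OpenSC - Trac") shows it is a Trac wiki export, so the commit message should state that the Trac page remains the source. Worth keeping in mind when that page is next exported: it recommends `pkcs15-init -C -p pkcs15+onepin --pin xxxx --puk yyyy`, which places the PIN and PUK on the command line, exactly what the deleted manual's Security chapter warns against (visible via ps, logged to shell history), and it requires cache_pins set to true in opensc.conf. The page also documents a real limitation (Mozilla rewrites key/cert IDs to a 20-byte hash, so only one certificate can be requested); if that limitation is fixed later, the wiki page rather than this tree is where it must be updated, which is one more reason to record the location in the commit message.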