remove old text files.

new documentation is in opensc/docs/opensc.html (and .xml)


git-svn-id: https://www.opensc-project.org/svnp/opensc/trunk@1244 c6295689-39f2-0310-b995-f0e70906c6a9
aj 2003-07-10 10:44:23 +00:00
parent aee7119020
commit d94de46a59
12 changed files with 0 additions and 456 deletions

AUTHORS

@ -1,15 +0,0 @@
Authors of OpenSC:
Juha Yrjölä <juha.yrjola@iki.fi>
Antti Tapaninen <aet@cc.hut.fi>
Timo Teräs <timo.teras@iki.fi>
Olaf Kirch <okir@suse.de>
Contributors:
Stef Hoeben <Hoeben.S@Zetes.com> (pkcs11, libopensc, win32 port)
Andreas Jellinghaus <aj@dungeon.inka.de> (usbtoken, tools, auto{conf,make})
Robert Bihlmeyer <robbe@orcus.priv.at> (bug fixes)
Contributors to usbtoken:
Matthias Brüstle
Kevin Stefanik <kstef@mtppi.org>
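Review bot: removing AUTHORS (together with THANKS, README and TODO in this commit) drops the only contributor credit list in the tree, and the commit message gives no indication that docs/opensc.xml reproduces it; please confirm the names are carried over, or keep a one-line AUTHORS pointing at the new document. Also check that Makefile.am does not still list AUTHORS, README, THANKS or TODO (for example in EXTRA_DIST), since a deleted file that is still referenced there breaks `make dist`.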

README

@ -1,35 +0,0 @@
README for OpenSC
Introduction
============
libopensc is a library for accessing SmartCard devices using PC/SC Lite
middleware package. It is also the core library of the OpenSC project.
Basic functionality (e.g. SELECT FILE, READ BINARY) should work on any ISO
7816-4 compatible SmartCard. Encryption and decryption using private keys on
the SmartCard is at the moment possible only with PKCS#15 compatible cards,
such as the FINEID (Finnish Electronic IDentity) card manufactured by
Setec.
Building and Installing libopensc
=================================
See the INSTALL file for instructions. If you are using the CVS version,
you have to run the 'bootstrap' script before running configure. Please
note, that for bootstrap to work, you have to have the correct versions of
Autoconf, Automake and Libtool installed.
Troubleshooting
===============
A mailing-list has been set up for support and discussion about the
OpenSC project. Additional info is available at OpenSC web site.
Resources
=========
See the OpenSC web site at http://www.opensc.org/
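Review bot: the text being removed is stale rather than just relocated, so it should not be copied into the new document as-is: "If you are using the CVS version" no longer matches the repository (the git-svn-id line above shows the tree is in svn), and the claim that private-key operations work only with PKCS#15 cards such as FINEID conflicts with the card list removed later in this same commit (CryptoFlex, GPK, eToken, Micardo, Miocos, Setcos, Tcos). Please make sure docs/opensc.xml states the current bootstrap procedure and the current card support.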


@ -1,76 +0,0 @@
README for Win32 port of OpenSC
Compiling
=========
Type "nmake -f makefile.mak" in the opensc\ dir to compile.
You need also perl and flex installed for the compile process
to complete succesfully.
What works
==========
At the moment only libopensc.dll and opensc-pkcs11.dll, and most
executables in the tools\ and tests\ dir have been ported.
They are tested on Win98, WinNT, Win2000 and WinXP.
Installation
============
No installation script has been provided, so you have to do this
manually:
- Copy opensc.conf to your Windows directory (usually C:\WINDOWS
or C:\WINNT). This is optional.
- Copy opensc.dll and opensc-pkcs11.dll to your path.
- If you want to use pkcs15-init.exe, make sure the *.profile files
in the pkcs15-init\ dir are in the same directory as pkcs15-init.exe.
What needs to be done
=====================
Other parts of OpenSC be should ported as well.
Also we should implement native Win32 APIs such as
CryptoAPI Provider, some login stuff and ActiveX plugin for
Explorer to do the signing.
How to add openssl
==================
This adds extended functionality.
E.g. the pkcs15-init tool, pkcs11 hash mechanisms and more
pkcs11 signature mechs.
- download and compile the openssl sources from
http://www.openssl.org/source/
- Add the inc32\ dir to your include path,
the out32dll\ to your lib path and your executable path
set include=%include%;.....\inc32
set lib=%lib%;.....\out32dll
set path=%path%;....\out32dll
- In src/tools/Makefile.mak
- uncomment pkcs15-init.exe in the "TARGETS" line (optionally)
- Add libeay32.lib (and gdi32.lib) to the "link" line
- In src/libopensc/Makefile.mak
- Add libeay32.lib (and gdi32.lib) to the "link" line
- In src/pkcs11/Makefile.mak
- Add libeay32.lib (and gdi32.lib) to the "link" line
- In win32/Make.rules.mak
- Add /DHAVE_OPENSSL to the "COPTS" line
- For the pkcs11 OpenSSL engine
- Add sslengines to the "SUBDIRS" line in opensc/src/Makefile.mak
To add the OpenSSL code to the DLLs (so you won't need libeay32.dll
anymore): statically compile OpenSSL and add gdi32.lib next to
libeay32.lib in the 3 Makefile.mak files above.
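Review bot: if this Win32 build procedure is being moved into docs/opensc.xml, fix it while moving it: the three `set ...` lines use inconsistent placeholders (`.....\inc32` and `.....\out32dll` with five dots, `....\out32dll` with four), "succesfully" is misspelled, and "Other parts of OpenSC be should ported" has the words transposed. The list of Makefile.mak edits needed for `/DHAVE_OPENSSL` is the only place this build variant is documented, so it should survive verbatim apart from those fixes.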


@ -1,33 +0,0 @@
Supported Cards
===============
CryptoFlex
Support signing/decrypting, and initialization
GPK 4K, 8K, 16K
Support signing/decrypting, and initialization.
NOTE: You will not be able to initialize a GemSafe cards -
these card already have been personalized by Gemplus, and you
cannot erase them or create new key files on them.
eToken
Support signing/decrypting, and initialization.
NOTE: The eToken does not support keys that can
be used for decryption and signing simultaneously.
You need to create two keys with different usage.
Micardo
Supported - need to fill in the details
Miocos
Supported - need to fill in the details
Setcos
Supported - need to fill in the details
Tcos
Supported - need to fill in the details
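Review bot: four of the seven entries here (Micardo, Miocos, Setcos, Tcos) are placeholders reading "need to fill in the details", and the GPK and eToken notes (GemSafe cards cannot be re-initialised; eToken needs separate keys for signing and decryption) are the only written record of those card limitations. Please confirm the new card list in docs/opensc.xml keeps the two NOTE paragraphs and does not inherit the placeholder entries unchanged.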


@ -1,39 +0,0 @@
Introduction
============
OpenSC Signer is a Netscape plugin that will generate digital signatures
using facilities on PKI-capable smartcards.
Building and Installing libopensc
=================================
You should specify your plugin directory with:
$ configure --with-plugin-dir=<directory>
Common plugin directories are /usr/lib/mozilla/plugins and
/usr/lib/netscape/plugins.
See the INSTALL file for more instructions.
NOTE: PIN code dialog is done through libassuan from Project Ägypten.
If you don't have it installed already, download it from the link
below.
Troubleshooting
===============
A mailing-list has been set up for support and discussion about the
OpenSC project. Additional info is available at the OpenSC web site.
Resources
=========
OpenSC web site:
http://www.opensc.org/
Information about Assuan and project Ägypten:
http://www.gnupg.org/aegypten/

THANKS

@ -1,5 +0,0 @@
The following people provided inspiration, moral support and/or valuable
information during the development of OpenSC:
Antti Partanen <antti.partanen@vrk.intermin.fi>
David Corcoran <corcoran@linuxnet.com>

TODO

@ -1,23 +0,0 @@
* Debian packaging
* GUI applications
* Ports to MacOS X (jey) and Win32 (fabled?)
* Add support for EMV and GSM (anyone?)
Nitty gritty details:
* Pin pad support
* Merge DODF patches (mostly done)
* put generic PEM encoding/decoding functions into libopensc?
* Merge pkcs11 proxy from Zetes
* pkcs11: support decrypt for those cards that have it
* pkcs11: make sure all PIN ops work through pkcs11
* pkcs11: unblock pins: check for unblock pins in AODF
* all: support for RSA-PSS
* pkcs15-init: support SOPIN on Cryptoflex
* pkcs15-init: use max. possible usage by default
* pkcs15-init: during keygen, make sure the pubkey usage is right
* pkcs15-init: when using an unblock PIN, write an AODF entry for it
(alternatively: set unblockDisabled flag for those PINs that have no PUK?)
* pkcs15: fix sc_pkcs15_change_reference_data; add unblock function
* pkcs11: make sure all PIN ops work through pkcs11
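Review bot: this hunk deletes the TODO list without a replacement, and a TODO is not documentation that a user manual would absorb; the entries about PIN handling (unblock PINs in the AODF, fixing sc_pkcs15_change_reference_data and adding an unblock function, making all PIN operations work through pkcs11, SOPIN support on Cryptoflex) are open correctness items that should go to a tracker or stay in a TODO file rather than disappear with this commit. Note also that "pkcs11: make sure all PIN ops work through pkcs11" appears twice in the list, so whoever carries it over can drop one copy.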


@ -1,79 +0,0 @@
The OpenSC PKCS11 implementation
1) What is PKCS11
PKCS11 is a standard API for accessing cryptographic tokens
such as smart cards, Hardware Security Modules, ...
It contains functions like C_GetSlotList(), C_OpenSession(),
C_FindObjects(), C_Login(), C_Decrypt(), ...
Some core concepts of pkcs11 are:
- slot: the place in which a smart card can be put. Usually this
corresponds with a card reader (but: see below, Virtual slots).
- token: the thing that is put in a slot. Usually this corresponds
with a smart card (but: see below, virtual slots).
- object: a key, a certificate, some data, ... Is either a token
object (if it resides on the card) or a session object (if it
doesn't reside on the card, e.g. a certificate given to the
pkcs11 library to do a verification).
- session: before you can do anything with a token, you have to
open a session on it.
- operation: a signature, decryption, digest, ... operation, that
can consist of multiple function calls. Example: C_SignInit(),
C_SignUpdate(), C_SignFinal(); here the first function starts
the operation, the third one ends it. Only one operation can be
done in the same session, but multiple sessions can be opened
on the same token.
2) Virtual slots
Per token, only 2 PINs can be given: the SO (Security Officer) PIN
and the user PIN. However, smart cards can have 2 or more user
PINs.
A way to this solve problem is to have multiple 'virtual' slots,
as explained in appendix D of the pkcs11 standard. So per physical
reader, you have a number of virtual slots. If you insert a card
in the reader, a token will appear in all the virtual slots,
and each token will contain 1 PIN along with the private keys
it protects and certificates corresponding to those private keys.
Because OpenSC supports multiple cards, it is not known in advance
how many PINs a smart card will have. Therefore, a default number
of 4 virtual slots is used. You can change this default in the
pkcs11 section of opensc.conf: num_slots.
Opensc implements the following behaviour: for each PIN, its
private keys and corresponding certs, there is 1 virtual slot
allocated. If there are any objects left, they are put in the
next free virtual slot. And if there are some virtual slots left,
an 'empty' token is 'put' in them; on this empty token a PIN and
data can then be put. If you find this too confusing, you
can hide empty tokens with the hide_empty_tokens option in
the config file.
Example:
Take a card with 2 PINs. Each PIN protects a private key and
each private key has a corresponding cert chain. And then there
are 3 other roots certs that have nothing to do with the other
data.
Now if num_slots = 4, hide_empty_tokens = false; and if you put
the card your second card reader, you'll get the following:
- token in slot 4: PIN 1, key 1, cert chain 1
- token in slot 5: PIN 2, key 2, cert chain 2
- token in slot 6: the 3 other root certs
- token in slot 7: no data
If hide_empty_tokens would have been true, slot 7 wouldn't show
a token.
Note: if in the example the 2 cert chain would have common
certificates, those certificates would appear in the tokens
in slots 4 and 5. (Which would cause a problem if those
certs were deleted, this hasn't been solved yet in OpenSC).
Another good-to-know: the number of virtual slots has been
hard-coded (it is 8 at the moment). So if num_slots = 4,
only the first 2 readers will be visible. Or if you'd put
num_slots to 3, the first 2 readers will have 3 virtual
slots and the third reader will have 2.
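Review bot: two behavioural caveats in this file need a home before it is deleted. First, the final paragraph states that the total number of virtual slots is hard-coded to 8, so `num_slots = 4` exposes only the first two readers and `num_slots = 3` gives the third reader only 2 slots; that is a limitation users will hit when configuring `opensc.conf`, and it should appear next to the `num_slots` and `hide_empty_tokens` description in docs/opensc.xml. Second, the "Note:" paragraph admits that a certificate shared by two chains shows up in two tokens and that deleting it "hasn't been solved yet in OpenSC"; that is an open bug, not user documentation, and belongs in TODO (which this same commit removes) or a tracker. The worked example (slots 4 to 7 for the second reader with `num_slots = 4`) is consistent with the rule above it and is worth keeping as-is.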


@ -1,18 +0,0 @@
Steps for your OpenSSH pleasure:
- Download, compile and install OpenSSL (http://www.openssl.org)
- Download the current version of OpenSSH/portable
from http://www.openssh.com/portable.html
- Read openssh/README.smartcard, compile and install
- Download a public key from your SmartCard in OpenSSH format
(e.g. 'ssh-keygen -D <reader num>[:<certificate ID>] > <file>')
- Transfer the public key to desired server
- Run OpenSSH with 'ssh -I <reader num>[:<certificate ID>] <host>'
(e.g. '-I 0:45' uses first available reader and certificate with
ID 45h, '-I 0' uses the first found certificate')
With luck you should be authenticated and ready to go. If it won't work,
try enabling debug information with the '-d' switch.
--
Antti Tapaninen <aet@cc.hut.fi>


@ -1,49 +0,0 @@
pam_opensc - smart card authentication module for PAM
-----------------------------------------------------
The following options are recognized:
debug - log more debugging info
audit - a little more extreme than debug
use_first_pass - don 't prompt the user for passwords
take them from PAM_ items instead
try_first_pass - don 't prompt the user for the passwords
unless PAM_(OLD)AUTHTOK is unset
use_authtok - like try_first_pass, but * fail * if the new
PAM_AUTHTOK has not been previously set.
(intended for stacking password modules only)
set_pass - set the PAM_ items with the passwords
used by this module.
nodelay - used to prevent failed authentication
resulting in a delay of about 1 second.
auth_method=X - use authentication method X, the following
methods are currently recognized:
pkcs15-ldap, pkcs15-eid
Generic options:
-h Show help
auth_method[pkcs15-ldap]:
-r <reader> Reader name
LDAP specific options:
-L ldap.conf Configuration file to load
-A entry Add new entry
-E entry Set current entry
LDAP entry specific options:
-H hostname
-P port
-S scope
-b binddn
-p passwd
-B base
-a attribute(s)
-f filter
auth_method[pkcs15-eid]:
-r <reader> Reader name
# Copy your PEM encoded certificate to a file in your home directory
# called '.eid/authorized_certificates'.
# NOTE:
# You can use the 'pkcs15-tool -r <ID> -o ~/.eid/authorized_certificates'
# command to get the PEM encoded certificate. Find the ID by saying
# 'pkcs15-tool -c'. FINEID card owners should use 45 for the ID.
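Review bot: this is the only description of pam_opensc's option semantics, and for a PAM module those semantics are security configuration: the difference between `use_first_pass`, `try_first_pass` and `use_authtok` (which must fail when PAM_AUTHTOK was not set by an earlier module), `set_pass`, `nodelay` (which removes the roughly one-second delay on failed authentication), and the `pkcs15-eid` lookup of `~/.eid/authorized_certificates`. Please confirm docs/opensc.xml reproduces these option descriptions rather than summarising them, and fix "don 't" (twice) and "* fail *" while doing so. Since the LDAP method takes a bind password via `-p passwd` in the file loaded with `-L ldap.conf`, the new text should also say that this file must not be readable by other users.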


@ -1,64 +0,0 @@
Installation
------------
Netscape:
Select menu: Communicator -> Tools -> Security Info
Select Cryptographic Modules
Click: Add
Module name: descriptive name about module (eg. opensc-pkcs11)
Module file: absolute path of opensc-pkcs11.so
For proper operation, you also need to configure the module:
In the Crypthographic Modules dialog, select the OpenSC card,
and click on the "Config" button to the right. Select the
"Enable this token" radio button, and select the "Publicly
readable Certs" button.
This will ensure that netscape uses the card when trying to
display encrypted messages in netscape messenger. Setting
"Publicly readable Certs" will also stop a pretty annoying habit
of netscape which is to ask for all PINs when browsing sites
requiring client authentication.
You should _not_ select the "RSA" button. If this option is
selected, netscape will try to use the card for all public key
operations, and will fail horribly.
Mozilla:
Make sure Personal Security Manager (PSM) is installed
(eg. mozilla-psm package is installed).
Select menu: Edit -> Preferences
Select category: Privacy & Security -> Certificates
Click: Manage Security Devices
Click: Load
Module name: descriptive name about module (eg. opensc-pkcs11)
Module file: absolute path of opensc-pkcs11.so
Notes
-----
Netscape seems to show more information about the security module
than Mozilla. Otherwise all stuff is untested.
Thread safety on Linux and Mac OS X:
Netscape/Mozilla uses the CKF_OS_LOCKING_OK flag in C_Initialize().
The result is that the browser process doesn't end when closing
the browser, so you have to kill the process yourself.
(If the browser would do a C_Finalize, the sc_pkcs11_free_lock()
would be called and there wouldn't be a problem.)
Therefore, we don't use the PTHREAD locking mechanisms, even if they
are requested. This seems to work fine for Mozilla, BUT will cause
problems for apps that use multiple threads to access this lib
simultaneously.
If you do want to use OS threading, compile with -DPKCS11_THREAD_LOCKING
On Windows, no PTHREAD lib is used and there the problem doesn't
occur. So there the OS locking is enabled.
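Review bot: the "Thread safety on Linux and Mac OS X" section documents a real limitation, not a browser tip, and must not be lost with this file: the module ignores the CKF_OS_LOCKING_OK request from C_Initialize() and uses no pthread locking unless built with `-DPKCS11_THREAD_LOCKING`, so any application that calls opensc-pkcs11 from several threads at once gets unsynchronised access to the library. Please carry that paragraph and the build flag into docs/opensc.xml, and file the underlying cause (the browser never calling C_Finalize, so sc_pkcs11_free_lock() is never reached) as an open item. Also fix "Crypthographic" in the Netscape instructions when moving them.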


@ -1,20 +0,0 @@
engine-pkcs11
-------------
This is an OpenSSL engine for making certificate requests for
a key that resides on an smart card. When the certificate
request has to be signed, the smart card is contacted through
the opensc-pkcs11 lib for creating the signature.
Usage:
- start the OpenSSL tool: openssl
- at the prompt, enter: engine dynamic -pre SO_PATH:engine_pkcs11.so -pre ID:pkcs11 -pre LIST_ADD:1 -pre LOAD
(for Windows, use "engine_pkcs11" instead of "engine_pkcs11.so")
- at the prompt, enter: req -engine pkcs11 -new -key <key> -keyform engine -out req.pem -text
In the last line, <key> has the format [slot_<slotNr>][-][id_<keyID>], in which
- the optional slotNr indicates which pkcs11 slot to take (starting from 0, which is also the default)
- keyID is the key ID in hex notation
Examples: id_45 -> private key with ID = 0x45 in the first 'suited' slot
slot_2-id_46 -> private key with ID = 0x46 in the third slot