diff --git a/etc/Makefile.mak b/etc/Makefile.mak index 6bb36f92..c50e9a8a 100644 --- a/etc/Makefile.mak +++ b/etc/Makefile.mak @@ -1,7 +1,7 @@ all: opensc.conf.win -opensc.conf.win: opensc.conf.in - @IF DEFINED USE_SED (sed.exe s/@DEBUG_FILE@/\%TEMP\%\\opensc-debug.log/;s/@DEFAULT_SM_MODULE@/smm-local.dll/ opensc.conf.in > opensc.conf.win) ELSE (copy /y opensc.conf.in opensc.conf.win) +opensc.conf.win: opensc.conf.win.in + copy /y opensc.conf.win.in opensc.conf.win clean:: del /Q opensc.conf.win diff --git a/etc/opensc.conf.win.in b/etc/opensc.conf.win.in new file mode 100644 index 00000000..14d614ed --- /dev/null +++ b/etc/opensc.conf.win.in @@ -0,0 +1,656 @@ +# Configuration file for OpenSC +# Example configuration file + +# NOTE: All key-value pairs must be terminated by a semicolon. + +# Default values for any application +# These can be overridden by an application +# specific configuration block. +app default { + # Amount of debug info to print + # + # A greater value means more debug info. + # Default: 0 + # + debug = 0; + + # The file to which debug output will be written + # + # Special values 'stdout' and 'stderr' are recognized. + # Default: stderr + # + # debug_file = %TEMP%\opensc-debug.log + + # Re-open debug file (used in WIN32) + # + # In Windows, file handles can not be shared between DLL-s, + # each DLL has a separate file handle table. + # For that reason reopen debug file before every debug message. + # + # Default: true + # reopen_debug_file = false; + + # PKCS#15 initialization / personalization + # profiles directory for pkcs15-init. + # Default: obtained from windows registers + # + # profile_dir = ""; + + # Paranoid memory allocation. + # + # If set to 'true', then refuse to continue when locking of non-pageable + # memory fails. This can cause subtle failures but is more secure when + # you have a swap disk. + # Default: false + # + # paranoid_memory = false; + + # CT-API module configuration. + reader_driver ctapi { + # module @libdir@/libtowitoko.so { + # CT-API ports: + # 0..3 COM1..4 + # 4 Printer + # 5 Modem + # 6..7 LPT1..2 + # ports = 0; + # } + } + + # The following section shows definitions for PC/SC readers. + reader_driver pcsc { + # Limit command and response sizes. + # Default: n/a + # max_send_size = 255; + # max_recv_size = 256; + # + # Connect to reader in exclusive mode? + # Default: false + # connect_exclusive = true; + # + # What to do when disconnecting from a card (SCardDisconnect) + # Valid values: leave, reset, unpower. + # Default: reset + # disconnect_action = unpower; + # + # What to do at the end of a transaction (SCardEndTransaction) + # Valid values: leave, reset, unpower. + # Default: leave + # transaction_end_action = reset; + # + # What to do when reconnection to a card (SCardReconnect) + # Valid values: leave, reset, unpower. + # Note that this affects only the internal reconnect (after a SCARD_W_RESET_CARD). + # A forced reset via sc_reset() always does a full powerup. + # Default: leave + # reconnect_action = reset; + # + # Enable pinpad if detected (PC/SC v2.0.2 Part 10) + # Default: true + # enable_pinpad = false; + # + # Use specific pcsc provider. + # Default: winscard.dll + # provider_library = winscard.dll + } + + # Options for OpenCT support + reader_driver openct { + # Virtual readers to allocate. + # Default: 2 + # readers = 5; + # + # Limit command and response sizes. + # Default: n/a + # max_send_size = 255; + # max_recv_size = 256; + }; + + # What card drivers to load at start-up + # + # A special value of 'internal' will load all + # statically linked drivers. If an unknown (ie. not + # internal) driver is supplied, a separate configuration + # configuration block has to be written for the driver. + # Default: internal + # NOTE: When "internal" keyword is used, must be last entry + # + # card_drivers = customcos, internal; + + # Card driver configuration blocks. + + # For card drivers loaded from an external shared library/DLL, + # you need to specify the path name of the module + # + # card_driver customcos { + # The location of the driver library + # module = @libdir@/card_customcos.so; + # } + + # Force using specific card driver + # + # If this option is present, OpenSC will use the supplied + # driver with all inserted cards. + # + # Default: autodetect + # + # force_card_driver = customcos; + + # In addition to the built-in list of known cards in the + # card driver, you can configure a new card for the driver + # using the card_atr block. The goal is to centralize + # everything related to a certain card to card_atr. + # + # The supported internal card driver names can be retrieved + # from the output of: + # $ opensc-tool --list-drivers + + # Generic format: card_atr + + # New card entry for the flex card driver + # card_atr 3b:f0:0d:ca:fe { + # All parameters for the context are + # optional unless specified otherwise. + + # Context: global, card driver + # + # ATR mask value + # + # The mask is logically AND'd with an + # card ATR prior to comparison with the + # ATR reference value above. Using mask + # allows identifying and configuring + # multiple ATRs as the same card model. + # atrmask = "ff:ff:ff:ff:ff"; + + # Context: card driver + # + # Specify used card driver (REQUIRED). + # + # When enabled, overrides all possible + # settings from the card drivers built-in + # card configuration list. + # driver = "flex"; + + # Set card name for card drivers that allows it. + # name = "My CryptoFlex card"; + + # Card type as an integer value. + # + # Depending on card driver, this allows + # tuning the behaviour of the card driver + # for your card. + # type = "2002"; + + # Card flags as an hex value. + # Multiple values are OR'd together. + # + # Depending on card driver, this allows + # fine-tuning the capabilities in + # the card driver for your card. + # + # Optionally, some known parameters + # can be specified as strings: + # + # rng - On-board random number source + # + # flags = "rng", "0x80000000"; + + # + # Context: PKCS#15 emulation layer + # + # When using PKCS#15 emulation, force + # the emulation driver for specific cards. + # + # Required for external drivers, but can + # be used with built-in drivers, too. + # pkcs15emu = "custom"; + + # + # Context: reader driver + # + # Force protocol selection for specific cards. + # Known parameters: t0, t1, raw + # force_protocol = "t0"; + # } + + # PIV cards need an entry similar to this one: + # card_atr 3B:7D:96:00:00:80:31:80:65:B0:83:11:00:AC:83:00:90:00 { + # name = "PIV-II"; + # driver = "piv"; + # } + + # Estonian ID card and Micardo driver sometimes only play together with T=0 + # In theory only the 'cold' ATR should be specified, as T=0 will + # be the preferred protocol once you boot it up with T=0, but be + # paranoid. + # + # Warm ATR v1 + card_atr 3b:6e:00:ff:45:73:74:45:49:44:20:76:65:72:20:31:2e:30 { + force_protocol = t0; + } + # Cold ATR v1 + card_atr 3b:fe:94:00:ff:80:b1:fa:45:1f:03:45:73:74:45:49:44:20:76:65:72:20:31:2e:30:43 { + force_protocol = t0; + } + # Warm ATR v2 + card_atr 3b:5e:11:ff:45:73:74:45:49:44:20:76:65:72:20:31:2e:30 { + force_protocol = t0; + } + # Cold ATR v2 + card_atr 3b:de:18:ff:c0:80:b1:fe:45:1f:03:45:73:74:45:49:44:20:76:65:72:20:31:2e:30:2b { + force_protocol = t0; + } + # Digi-ID cold ATR. The same card has the same warm ATR as "Cold ATR v1" above + # The card is claimed to only support T=0 but in fact (sometimes) works with T=1, even if not advertised in ATR. + card_atr 3b:6e:00:00:45:73:74:45:49:44:20:76:65:72:20:31:2e:30 { + force_protocol = t0; + } + # Cold ATR v3 dev1 + card_atr 3b:fe:18:00:00:80:31:fe:45:45:73:74:45:49:44:20:76:65:72:20:31:2e:30:a8 { + force_protocol = t0; + } + # Warm ATR v3 dev1 + card_atr 3b:fe:18:00:00:80:31:fe:45:80:31:80:66:40:90:a4:56:1b:16:83:01:90:00:86 { + force_protocol = t0; + } + # Warm ATR v3 dev2 + card_atr 3b:fe:18:00:00:80:31:fe:45:80:31:80:66:40:90:a4:16:2a:00:83:01:90:00:e1 { + force_protocol = t0; + } + # Warm ATR v3 (18.01.2011) + card_atr 3b:fe:18:00:00:80:31:fe:45:80:31:80:66:40:90:a4:16:2a:00:83:0f:90:00:ef { + force_protocol = t0; + } + + # D-Trust cards are also based on micardo and need T=0 for some reason + card_atr 3b:ff:94:00:ff:80:b1:fe:45:1f:03:00:68:d2:76:00:00:28:ff:05:1e:31:80:00:90:00:23 { + force_protocol = t0; + } + card_atr 3b:ff:11:00:ff:80:b1:fe:45:1f:03:00:68:d2:76:00:00:28:ff:05:1e:31:80:00:90:00:a6 { + force_protocol = t0; + } + + # Oberthur's AuthentIC v3.2.2 + card_atr 3B:DD:18:00:81:31:FE:45:80:F9:A0:00:00:00:77:01:00:70:0A:90:00:8B { + type = 11100; + driver = "authentic"; + name = "AuthentIC v3.1"; + + # Name of SM configuration sub-section + # secure_messaging = local_authentic; + } + + # IAS/ECC cards + card_atr 3B:7F:96:00:00:00:31:B9:64:40:70:14:10:73:94:01:80:82:90:00 { + type = 25001; + driver = "iasecc"; + name = "Gemalto MultiApp IAS/ECC v1.0.1"; + secure_messaging = local_gemalto_iam; + # secure_messaging = local_adele; + md_read_only = false; + md_supports_X509_enrollment = true; + } + card_atr 3B:7F:96:00:00:00:31:B8:64:40:70:14:10:73:94:01:80:82:90:00 { + type = 25001; + driver = "iasecc"; + name = "Gemalto MultiApp IAS/ECC v1.0.1"; + secure_messaging = local_gemalto_iam; + md_read_only = false; + md_supports_X509_enrollment = true; + } + #card_atr 3B:DD:18:00:81:31:FE:45:80:F9:A0:00:00:00:77:01:08:00:07:90:00:FE { + # type = 25002; + # driver = "iasecc"; + # name = "Oberthur IAS/ECC v1.0.1"; + # # No 'admin' application for this card -- no secure messaging + #} + #card_atr 3B:7F:18:00:00:00:31:B8:64:50:23:EC:C1:73:94:01:80:82:90:00 { + # type = 25003; + # driver = "iasecc"; + # name = "Morpho YpsID S3 IAS/ECC"; + # # secure_messaging = local_morpho_YpsID_S3; + #} + card_atr 3B:DF:18:FF:81:91:FE:1F:C3:00:31:B8:64:0C:01:EC:C1:73:94:01:80:82:90:00:B3 { + type = 25004; + driver = "iasecc"; + name = "Amos IAS/ECC v1.0.1"; + md_read_only = false; + md_supports_X509_enrollment = true; + secure_messaging = local_amos; + } + card_atr 3B:DC:18:FF:81:91:FE:1F:C3:80:73:C8:21:13:66:01:0B:03:52:00:05:38 { + type = 25004; + driver = "iasecc"; + name = "Amos IAS/ECC v1.0.1"; + md_read_only = false; + md_supports_X509_enrollment = true; + secure_messaging = local_amos_eid; + } + + secure_messaging local_authentic { + # name of external SM module + # module_name = smm-local.dll; + + # directory with external SM module + # Default: defined by windows register + # module_path = ""; + + # specific data to tune the module initialization + # module_data = "Here can be your SM module init data"; + + # SM mode: + # 'transmit' -- in this mode the procedure to securize an APDU is called by the OpenSC general + # APDU transmit procedure. + # In this mode all APDUs, except the ones filtered by the card specific procedure, + # are securized. + # 'acl' -- in this mode APDU are securized only if needed by the ACLs of the command to be executed. + # + #mode = transmit; + + # SM type specific flags + # flags = 0x78; # 0x78 -- level 3, channel 0 + + # Default KMC of the GP Card Manager for the Oberthur's Java cards + # kmc = "00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00"; + } + + secure_messaging local_gemalto_iam { + module_name = smm-local.dll; + # module_path = ""; + # module_data = ""; + type = acl; # transmit, acl + + ifd_serial = "11:22:33:44:55:66:77:88"; + + # Keyset values from IAM profiles of the Gemalto IAS/ECC cards + keyset_02_enc = "RW_PRIV_ENC_TEST"; + keyset_02_mac = "RW_PRIV_MAC_TEST"; + + keyset_E828BD080FD2504543432D654944_01_enc = "RO_ENC_TEST_KEY_"; + keyset_E828BD080FD2504543432D654944_01_mac = "RO_MAC_TEST_KEY_"; + + keyset_E828BD080FD2504543432D654944_03_enc = "RW_PUBL_ENC_TEST"; + keyset_E828BD080FD2504543432D654944_03_mac = "RW_PUBL_MAC_TEST"; + } + + secure_messaging local_amos { + module_name = smm-local.dll; + # module_path = ""; + # module_data = ""; + mode = acl; + ifd_serial = "11:22:33:44:55:66:77:88"; + keyset_02_enc = "ENCROECHANTILLON"; + keyset_02_mac = "MACROECHANTILLON"; + } + + secure_messaging local_amos_eid { + module_name = smm-local.dll; + # module_path = ""; + # module_data = ""; + mode = acl; + ifd_serial = "11:22:33:44:55:66:77:88"; + keyset_E828BD080FD2504543432D654944_03_enc = "RW_PUBL_ENC_TEST"; + keyset_E828BD080FD2504543432D654944_03_mac = "RW_PUBL_MAC_TEST"; + } + + secure_messaging local_adele { + module_name = smm-local.dll; + # module_path = ""; + # module_data = ""; + type = acl; # transmit, acl + + ifd_serial = "11:22:33:44:55:66:77:88"; + + # Keyset values from 'Adele' profiles of the IAS/ECC cards + keyset_01_enc = "EMENCECHANTILLON"; + keyset_01_mac = "EMMACECHANTILLON"; + + keyset_02_enc = "AAENCECHANTILLON"; + keyset_02_mac = "AAMACECHANTILLON"; + + keyset_E828BD080FD2500000040301_02_enc = "E2ENCECHANTILLON"; + keyset_E828BD080FD2500000040301_02_mac = "E2MACECHANTILLON"; + + keyset_D2500000044164E86C650101_02_enc = "E1ENCECHANTILLON"; + keyset_D2500000044164E86C650101_02_mac = "E1MACECHANTILLON"; + + keyset_D2500000044164E86C650101_03_enc = "SIENCECHANTILLON"; + keyset_D2500000044164E86C650101_03_mac = "SIMACECHANTILLON"; + } + + # Below are the framework specific configuration blocks. + + # PKCS #15 + framework pkcs15 { + # Whether to use the cache files in the user's + # home directory. + # + # At the moment you have to 'teach' the card + # to the system by running command: pkcs15-tool -L + # + # WARNING: Caching shouldn't be used in setuid root + # applications. + # Default: false + # use_file_caching = true; + # + # Use PIN caching? + # Default: true + # use_pin_caching = false; + # + # How many times to use a PIN from cache before re-authenticating it? + # Default: 10 + # pin_cache_counter = 3; + # + # Older PKCS#11 applications not supporting CKA_ALWAYS_AUTHENTICATE + # may need to set this to get signatures to work with some cards. + # Default: false + # pin_cache_ignore_user_consent = true; + # + # Enable pkcs15 emulation. + # Default: yes + # enable_pkcs15_emulation = no; + # + # Prefer pkcs15 emulation code before + # the normal pkcs15 processing. + # Some cards (like esteid and pteid) work in emu-only mode, + # and do not depend on this option. + # + # Default: no + # try_emulation_first = yes; + + # Enable builtin emulators. + # Default: yes + # enable_builtin_emulation = no; + # + # List of the builtin pkcs15 emulators to test + # Default: esteid, openpgp, tcos, starcert, itacns, infocamere, postecert, actalis, atrust-acos, gemsafeGPK, gemsafeV1, tccardos, PIV-II; + # builtin_emulators = openpgp; + + # additional settings per driver + # + # For pkcs15 emulators loaded from an external shared + # library/DLL, you need to specify the path name of the module + # and customize the card_atr example above correctly. + # + # emulate custom { + # The location of the driver library + # module = p15emu_custom.dll; + # } + + # some additional application parameters: + # - type (generic, protected) used to distinguish the common access application + # and application for which authentication to perform some operation cannot be + # obtained with the common procedures (ex. object creation protected by secure messaging). + # Used by PKCS#11 module configurated to expose restricted number of slots. + # (for ex. configurated to expose only User PIN slot, User and Sign PINs slots, ...) + application E828BD080FD25047656E65726963 { + type = generic; + model = "ECC Generic PKI"; + } + + application E828BD080FD2500000040301 { + type = generic; + model = "Adèle Générique"; + } + + application E828BD080FD2504543432D654944 { + type = protected; + model = "ECC eID"; + } + + application E828BD080FD2500000040201 { + type = protected; + model = "Adèle Admin-2"; + } + } +} + +# Parameters for the OpenSC PKCS11 module +app opensc-pkcs11 { + pkcs11 { + # Should the module support hotplug of readers as per PKCS#11 v2.20? + # This affects slot changes and PC/SC PnP, as v2.11 applications + # are not allowed to change the length of the slot list. + # Default: true + # plug_and_play = false; + + # Maximum Number of virtual slots. + # If there are more slots than defined here, + # the remaining slots will be hidden from PKCS#11. + # Default: 16 + # max_virtual_slots = 32; + + # Maximum number of slots per smart card. + # If the card has fewer keys than defined here, + # the remaining number of slots will be empty. + # Default: 4 + # slots_per_card = 2; + + # (max_virtual_slots/slots_per_card) limits the number of readers + # that can be used on the system. Default is then 16/4=4 readers. + + # Normally, the pkcs11 module will create + # the full number of slots defined above by + # num_slots. If there are fewer pins/keys on + # the card, the remaining keys will be empty + # (and you will be able to create new objects + # within them). + # Default: true + # hide_empty_tokens = false; + + # By default, the OpenSC PKCS#11 module will not lock your card + # once you authenticate to the card via C_Login. + # + # Thus the other users or other applications is not prevented + # from connecting to the card and perform crypto operations + # (which may be possible because you have already authenticated + # with the card). This setting is not very secure. + # + # Also, if your card is not locked, you can enconter problems + # due to limitation of the OpenSC framework, that still is not + # thoroughly tested in the multi threads environment. + # + # Your settings will be more secure if you choose to lock your + # card. Nevertheless this behavior is a known violation of PKCS#11 + # specification. Now once one application has started using your + # card with C_Login, no other application can use it, until + # the first is done and calls C_Logout or C_Finalize. In the case + # of many PKCS#11 application this does not happen until you exit + # the application. + # Thus it is impossible to use several smart card aware applications + # at the same time, e.g. you cannot run both Firefox and Thunderbird at + # the same time, if both are configured to use your smart card. + # + # Default: false + # lock_login = true; + + # User PIN unblock style + # none: PIN unblock is not possible with PKCS#11 API; + # set_pin_in_unlogged_session: C_SetPIN() in unlogged session: + # PUK is passed as the 'OldPin' argument of the C_SetPIN() call. + # set_pin_in_specific_context: C_SetPIN() in the CKU_SPECIFIC_CONTEXT logged session: + # PUK is passed as the 'OldPin' argument of the C_SetPIN() call. + # init_pin_in_so_session: C_InitPIN() in CKU_SO logged session: + # User PIN 'UNBLOCK' is protected by SOPIN. (PUK == SOPIN). + # # Actually this style works only for the PKCS15 contents without SOPIN. + # # For those with SOPIN, this mode will be usefull for the cards without + # # modes 00 and 01 of ISO command 'RESET RETRY COUNTER'. --vt + # + # Default: none + # user_pin_unblock_style = set_pin_in_unlogged_session; + + # Create slot for unblocking PIN with PUK + # This way PKCS#11 API can be used to login with PUK and + # change a PIN. + # Warning: causes problems with some applications like + # firefox and thunderbird. Thus turned off by default + # + # Default: false + # create_puk_slot = true; + + # Report as 'zero' the CKA_ID attribute of CA certificate + # For the unknown reason the middleware of the manufacturer of gemalto (axalto, gemplus) + # card reports as '0' the CKA_ID of CA cartificates. + # Maybe someone else will need it. (Would be nice to know who and what for -- VTA) + # + # Default: false + # zero_ckaid_for_ca_certs = true; + + # List of readers to ignore + # If any of the strings listed below is matched (case sensitive) in a reader name, + # the reader is ignored by the PKCS#11 module. + # + # Default: empty + # ignored_readers = "CardMan 1021", "SPR 532"; + + # Symbolic names of PINs for which slots are created + # Card can contain more then one PINs or more then one on-card application with + # its own PINs. Normally, to access all of them with the PKCS#11 API a slot has to be + # created for all of them. Many slots could be ennoying for some of widely used application, + # like FireFox. This configuration parameter allows to select the PINs or on-card application + # for which PKCS#11 slot will be created. + # Actually recognised following symbolic names: + # 'user', 'sign', 'application', all + # Only PINs initialised, non-SoPIN, non-unblocking are associated with symbolic name. + # 'user' is identified as first global or first local PIN. + # 'sign' is identified as second PIN: first local, second global or second local. + # 'application' slot created for each on-card application, + # even if they use a common global PIN. + # 'all' slot created for all non-sopin, non-unblocking PINs, + # optionally for PUK (see option 'create_puk_slot') + # + # Default: all + # create_slots_for_pins = "user,sign"; + # create_slots_for_pins = application; + # create_slots_for_pins = "application,sign"; + } +} + +# Used by OpenSC.tokend on Mac OS X only. +app tokend { + # The file to which debug log will be written + # Default: /tmp/opensc-tokend.log + # + # debug_file = /Library/Logs/OpenSC.tokend.log + + framework tokend { + # Score for OpenSC.tokend + # The tokend with the highest score shall be used. + # Default: 300 + # + # score = 10; + } +} + +# XXX: remove cardmod pseudodriver +app cardmod { + # cardmod app name use special pcsc reader subset + # fix options for this reader driver here. + + reader_driver cardmod { + # Enable pinpad if detected (PC/SC v2.0.2 Part 10) + # Default: true + # enable_pinpad = false; + } +}