Thread: new pre release for 0.11.2 available
|
|
| new pre release for 0.11.2 available |

|
2007-03-05 16:05:28 |
It would be good to have opensc 0.11.2 soon, so I made another
pre-release with current trunk available:
http://www.opensc-project.org/files/opensc/testing/
http://www.opensc-project.org/files/opensc/testing/opensc-0.11.2-pre4.tar.gz
Please test this and give feedback.
I'm sorry, currently I find next to no time for opensc.
Regards, Andreas
_______________________________________________
opensc-devel mailing list
opensc-devel lists.opensc-project.org
http://www.opensc-project.org/mailman/listinfo/opensc-devel
|
|
| Re: new pre release for 0.11.2 available |
  United States |
2007-03-05 16:37:14 |
Any chance getting the patch for the PIV compression ticket #128
into this release?
Andreas Jellinghaus wrote:
> It would be good to have opensc 0.11.2 soon, so I made another
> pre-release with current trunk available:
>
> http://www.opensc-project.org/files/opensc/testing/
> http://www.opensc-project.org/files/opensc/testing/opensc-0.11.2-pre4.tar.gz
>
> Please test this and give feedback.
>
> I'm sorry, currently I find next to no time for opensc.
>
> Regards, Andreas
--
Douglas E. Engert <DEEngert anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
|
|
| Re: new pre release for 0.11.2 available |

|
2007-03-06 06:11:19 |
On Mon, Mar 05, 2007 at 04:37:14PM -0600, Douglas E. Engert wrote:
> Any chance getting the patch for the PIV compression ticket #128
> into this release?
I think it looks good at a glance.
Does it apply cleanly to svn?
Has it been tested?
Two general comments:
1. I would prefer if the p15card-helper bit was made into a separate
patch to be applied first.
2. Does the copyright belong to Identity Alliance or Thomas Harning
or both? Currently both are in the notice. In another project we use
(for the Identity Alliance case):
/*
 * Copyright (C) 2006 Identity Alliance
 * Written by Thomas Harning <thomas.. ..> for Identity Alliance
 */
..so it is ultra clear.
//Peter
|
|
| Re: new pre release for 0.11.2 available |
  United States |
2007-03-06 08:17:33 |
Peter,
I sent this to Andreas and Nils, but it might help answer your
questions
Andreas Jellinghaus wrote:
> On Monday, 5 March 2007 23:37 you wrote:
>> Any chance getting the patch for the PIV compression ticket #128
>> into this release?
>
> I'm asking Nils for feedback. As far as I remember he had some comment /
> change request for the code.
>
There were some issues with not testing for zlib, that would be easy to
add the #ifdef's. I think there were some comments about naming too.
Nils would know more.
> but on the other hand - if the patch doesn't break anything - I prefer to
> add code if no one has time to improve it. Work shouldn't be lost.
>
> if I remember correctly, the code was done by the author of the muscle
> driver.
He is one of the people from Identity Alliance. I believe Identity
Alliance was founded by David Corcoran. David's picture is on their web
site: http://www.identityalliance.com/ I believe he started Muscle as an
independent consultant. David has authored some of their PIV documents.
They have IdAlly, a Windows CSP, that can call PKCS#11 and can work with
OpenSC. So Identity Alliance is closely tied to OpenSC. Having the
compression code added would make sure PIV was compliant.
When I wrote the original PIV code, there was a one line reference to
compressing which I left undone, as it was not clear how this was to be
done, or if it would ever be done, so I did not add it.
But based on the patch and notes from Kennith Carrera, also a consultant,
I believe, it looks like some cards are being issued with
compressed certificates.
> did you test the code? does it work for you? or did anyone else?
Yes, to the effect that OpenSC still worked with uncompressed certificates.
Yesterday. I don't have a card with an officially compressed certificate, but
I think Kennith does. Yesterday I started writing the code to add to
piv-tool to compress a certificate, and I expect to try that today, (it's
7:00AM and I am at home) test the patch with it, build OpenSC on MacOS,
send Kennith an updated libopensc, so he can try with his compressed cert.
> sorry that I have to ask, but > 10 test&respond cycles with the muscle
> guys got me nowhere, their driver still does not work.
I don't think Identity Alliance is interested in Muscle much any more,
but have moved on to consulting with PIV, as the U.S. federal government
is trying to implement PIV. There is a lot of consultant work going on
in Washington DC. It is not clear (to me at least) who is doing Muscle,
and what its future as a mainstream smart card applet is.
My part in all this, is we have a lot of open source Unix systems, as
desktops and for PIV to be usable it has to be on the desktop.
Microsoft and Apple will provide PIV support for their systems, but
no one was doing anything for the Open Source systems. I am also the
past chair of the IETF Kerberos working group, and using PIV cards via
PKCS#11 with the Heimdal or MIT Kerberos PKINIT is a great way to
authenticate, even to Active Directory.
So I feel that it is important to get the compressed code in to the
next release of OpenSC to keep it compatible. So if you can give me a
few days to try and pull this together...
Thanks.
>
> Regards, Andreas
>
>
--
Douglas E. Engert <DEEngert anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
|
|
| Re: new pre release for 0.11.2 available |
  United States |
2007-03-06 06:33:37 |
On Tue, 2007-03-06 at 13:11 +0100, Peter Stuge wrote:
> On Mon, Mar 05, 2007 at 04:37:14PM -0600, Douglas E. Engert wrote:
> > Any chance getting the patch for the PIV compression ticket #128
> > into this release?
>
> I think it looks good at a glance.
>
> Does it apply cleanly to svn?
>
(Not sure on that... haven't worked w/ OpenSC for a little while)
> Has it been tested?
>
We've tested it on end-state PIV cards, ones that we have programmed,
and used the compression utility for a few other items we've worked on.
>
> Two general comments:
>
> 1. I would prefer if the p15card-helper bit was made into a separate
> patch to be applied first.
>
> 2. Does the copyright belong to Identity Alliance or Thomas Harning
> or both? Currently both are in the notice. In another project we use
> (for the Identity Alliance case):
>
> /*
>  * Copyright (C) 2006 Identity Alliance
>  * Written by Thomas Harning <thomas.. ..> for Identity Alliance
>  */
Sorry it wasn't more clear. The copyright for those patches would
belong to Identity Alliance. Feel free to modify the headers to better
match the necessary format...
--
Thomas Harning Jr.
Authentication Engineer Identity Alliance
http://www.trustbearer.com/
|
|
| Re: new pre release for 0.11.2 available |

|
2007-03-06 15:31:48 |
what would be better? release -pre4 as 0.11.2 and create
0.11.3-pre1 with that patch? or do a -pre5 with it?
Nils already gave a comment on the code a long time ago, should
be on the ML archive. I rely on Nils for comments, as he knows the
code much better than I do. but I'm currently quite busy and have
little time for opensc, and since Nils hasn't responded to the thread so
far I guess he is busy too. so if anyone can step in and work on the
code to address these issues, that would be great.
for example compiling without zlib support would be a good thing.
(most windows users might want to try without I guess.)
Regards, Andreas
|
|
| Re: new pre release for 0.11.2 available |
  Germany |
2007-03-06 15:55:38 |
Douglas E. Engert wrote:
> Peter,
> I sent this to Andreas and Nils, but it might help answer your
> questions
>
>
> Andreas Jellinghaus wrote:
>> On Monday, 5 March 2007 23:37 you wrote:
>>> Any chance getting the patch for the PIV compression ticket #128
>>> into this release?
>>
>> I'm asking Nils for feedback. As far as I remember he had some comment
>> / change request for the code.
>>
>
> There were some issues with not testing for zlib, that would be easy to
> add the #ifdef's.
still someone needs to do it
> I think there were some comments about naming too.
> Nils would know more.
well, "do_decompress" is a bad name for a function
which we want to export ...
(*if* we want to export this function at all ?)
Nils
|
|
| Re: new pre release for 0.11.2 available |
  United States |
2007-03-07 05:53:36 |
Tarasov Viktor wrote:
> Andreas Jellinghaus wrote:
>> It would be good to have opensc 0.11.2 soon, so I made another
>> pre-release with current trunk available:
>>
>> http://www.opensc-project.org/files/opensc/testing/
>> http://www.opensc-project.org/files/opensc/testing/opensc-0.11.2-pre4.tar.gz
>>
>> Please test this and give feedback.
>>
>> I'm sorry, currently I find next to no time for opensc.
>>
> There is a little patch for Oberthur card:
> - some ACLs forgotten;
> - in compute_signature() limit the Le to 256 bytes.
Are you sure that is an error?
It is possible for a card to return data with 61XX indicating there
is more data. The PIV cards can and some of our test cards are Oberthur
but don't use this code.
The original olen is also used in line 1157:
apdu.resplen = olen;
The fix would be something like line 1154:
apdu.le = olen > 256 ? 256 : olen;
>
> By the way,
> for some libopensc card drivers, in compute_signature() procedure,
> the output length is assigned to Le of the Compute Signature APDU.
> So, when the length of the reserved output buffer is more than 256 bytes
> (that's the case of tools/pkcs15-crypt),
> the APDU is considered as invalid (libopensc/apdu.c +270)
>
> I've tested crypto regression tests -- for me it's OK.
>
>
>> Regards, Andreas
>>
> Kind wishes,
> Viktor.
>
>>
>>
>>
>
>
> ------------------------------------------------------------------------
>
> --- src/libopensc/card-oberthur.c (revision
3120)
> +++ src/libopensc/card-oberthur.c (working copy)
>  -890,6 +890,10 
> ops[4] = SC_AC_OP_PIN_SET; /*
SC_AC_OP_SET_REFERENCE */
> ops[5] = SC_AC_OP_PIN_CHANGE; /*
SC_AC_OP_CHANGE_REFERENCE */
> ops[6] = SC_AC_OP_PIN_RESET; /*
SC_AC_OP_RESET_COUNTER */
> +#else
> + ops[4] = SC_AC_OP_LIST_FILES; /*
SC_AC_OP_SET_REFERENCE */
> + ops[5] = SC_AC_OP_LIST_FILES; /*
SC_AC_OP_CHANGE_REFERENCE */
> + ops[6] = SC_AC_OP_LIST_FILES; /*
SC_AC_OP_RESET_COUNTER */
> #endif
> }
> else if (file->type ==
SC_FILE_TYPE_WORKING_EF) {
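Review bot: In the added #else branch, ops[4], ops[5] and ops[6] are all set to SC_AC_OP_LIST_FILES while the trailing comments still name SC_AC_OP_SET_REFERENCE, SC_AC_OP_CHANGE_REFERENCE and SC_AC_OP_RESET_COUNTER, so the code does not say why one ACL operation stands in for three different PIN operations. Please add a comment on the #else branch explaining what LIST_FILES represents in these slots and which build condition selects it, since the matching #if is outside the hunk and these entries decide which access condition is read for PIN set, change and reset.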
>  -1148,6 +1152,11 
> SC_TEST_RET(card->ctx,
SC_ERROR_INVALID_ARGUMENTS, "Illegal input
length");
> }
>
> + if (olen > 256) {
> + sc_debug(card->ctx, "Output
length reduced to 256 bytes");
> + olen = 256;
> + }
> +
> sc_format_apdu(card, &apdu,
SC_APDU_CASE_4_SHORT, 0x2A, 0x9E, 0x9A);
> apdu.datalen = ilen;
> apdu.data = in;
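Review bot: The new "if (olen > 256)" block overwrites olen itself, so every later use of olen in the function sees 256, not only the Le field of the SC_APDU_CASE_4_SHORT command formatted on the next line. Consider leaving olen untouched and applying the 256 limit only where Le is assigned, so the caller's buffer length stays available for response handling; the sc_debug message would also be more useful if it logged the original length that was reduced.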
>
>
> ------------------------------------------------------------------------
>
--
Douglas E. Engert <DEEngert anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
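
The Le handling discussed in the message above, as an added example that is not part of the original post and not OpenSC code: a short Case 4 encoder that rejects Le > 256, the effect of limiting only Le while the response buffer length keeps olen, and the 61XX "more data" status. The struct, the function names, CLA 0x00 and the 20-byte input are assumptions made for illustration.

```c
#include <stddef.h>
#include <string.h>

/* Hypothetical stand-in for a short Case 4 command APDU (not libopensc's own type). */
struct short_apdu {
    unsigned char cla, ins, p1, p2;
    const unsigned char *data;
    size_t datalen;  /* Lc: 1..255 in the short form */
    size_t le;       /* expected response length: 1..256 */
    size_t resplen;  /* size of the caller's response buffer */
};

/* Serialize CLA INS P1 P2 Lc data Le. Returns bytes written, or 0 when the
 * lengths do not fit the short form (Le > 256 is rejected here). */
static size_t encode_case4_short(const struct short_apdu *a,
                                 unsigned char *out, size_t outlen)
{
    if (a->datalen == 0 || a->datalen > 255 || a->le == 0 || a->le > 256 ||
        outlen < a->datalen + 6)
        return 0;
    out[0] = a->cla; out[1] = a->ins; out[2] = a->p1; out[3] = a->p2;
    out[4] = (unsigned char)a->datalen;
    memcpy(out + 5, a->data, a->datalen);
    out[5 + a->datalen] = (unsigned char)(a->le & 0xFF); /* 256 goes out as 0x00 */
    return a->datalen + 6;
}

/* Build Compute Signature (INS 0x2A, P1 0x9E, P2 0x9A) over a constructed
 * 20-byte input. With clamp set, only Le is limited; resplen keeps olen.
 * Returns the Le byte on the wire, or -1 if the APDU was rejected. */
static int compute_sig_le_byte(size_t olen, int clamp)
{
    static const unsigned char digest[20] = {0}; /* constructed sample input */
    unsigned char wire[300];
    struct short_apdu a = {0x00, 0x2A, 0x9E, 0x9A, digest, sizeof digest, 0, 0};
    a.le = (clamp && olen > 256) ? 256 : olen;
    a.resplen = olen;
    size_t n = encode_case4_short(&a, wire, sizeof wire);
    return n ? wire[n - 1] : -1;
}

/* SW1 0x61: more response bytes are waiting, SW2 is the count (0x00 is
 * treated as 256). Returns how many to fetch next, bounded by buffer room. */
static size_t more_data_len(unsigned char sw1, unsigned char sw2, size_t room)
{
    size_t avail = sw2 ? sw2 : 256;
    if (sw1 != 0x61)
        return 0;
    return avail < room ? avail : room;
}
```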
|
|
| Re: new pre release for 0.11.2 available |
  France |
2007-03-07 04:58:40 |
Andreas Jellinghaus wrote:
> It would be good to have opensc 0.11.2 soon, so I made another
> pre-release with current trunk available:
>
> http://www.opensc-project.org/files/opensc/testing/
> http://www.opensc-project.org/files/opensc/testing/opensc-0.11.2-pre4.tar.gz
>
> Please test this and give feedback.
>
> I'm sorry, currently I find next to no time for opensc.
>
There is a little patch for Oberthur card:
- some ACLs forgotten;
- in compute_signature() limit the Le to 256 bytes.
By the way,
for some libopensc card drivers, in compute_signature() procedure,
the output length is assigned to Le of the Compute Signature APDU.
So, when the length of the reserved output buffer is more than 256 bytes
(that's the case of tools/pkcs15-crypt),
the APDU is considered as invalid (libopensc/apdu.c +270)
I've tested crypto regression tests -- for me it's OK.
> Regards, Andreas
>
Kind wishes,
Viktor.
|
|
|
| Re: new pre release for 0.11.2 available |

|
2007-03-08 01:06:15 |
On Thursday, 8 March 2007 00:03 Douglas E. Engert wrote:
> By the way, every system I have has zlib. And the Windows
> Smart Card Bundle also builds with zlib, so what system does not
> have it?
new users on windows trying to compile it themselves.
the scb procedure works, maybe even quite good. but somehow
some people manage to work with the raw source or prefer it that
way (or don't know about scb).
> OK, I will send them. I sent the patch to the list and to
> you the three of you, and it was 41k, over the limit for the
> list. Did it get truncated?
no, that only moderates it and one of us has to approve the
posting. which I did at 41 k (but usually I don't with > 200k).
> Should I attach these to the ticket #128 as files?
that would work as well.
Regards, Andreas
|
|
|
|