Thread: PIV patch for OpenSC and SCA

PIV patch for OpenSC and SCA | United States | 2007-05-17 10:04:39
My company has been working with the PIV functionality in OpenSC and SCA, and we needed to add a couple of features:

- Individual PIV card serial number calculation (to enable correct cert caching in SCA)

This was fairly complex, due to issues in the PIV specifications. See the new comments in piv_get_serial_nr for more details. It is needed in SCA since the serial number is used to cache certificates. (I.E. the Macintosh Keychain would only see certificates from the first card ever inserted for a given user)

- 2048-bit certificate support (should also work for 3072, but not tested)

This required exposing the parse_x509_cert method from pkcs15-cert.c so card-piv.c could parse the certificate to determine the number of bytes in the public key.

- Some cards allowed 4 character and non-numeric PINs; FIPS-201 standard is 6 character minimum, numeric-only. (See comments in piv_pin_cmd)

Added PIN length and type enforcement to the PIV card support, since not all cards are correctly limiting the PIN.

- Missing unlock in some piv_get_challenge error states.

This caused problems if the user entered an incorrect PIN – the card would stay locked and could crash applications when they tried to close the card.

- Added the application name to logging to allow for easier debugging

Since a lot of testing needed multiple applications to be running, it became important to know what application was making each log entry.

SCA changes:

- OpenSCKeyHandle::getKeySize and ::getOutputSize now return actual values based on key size.

Note that these changes have only been tested on the Macintosh. I’ve attached the patches: libopensc.patch is against OpenSC, and OpenSC.Tokend.patch is against SCA.

Sorry for dumping all these at once. Please let me know if there are any questions.
Russell Larner | Senior Software Engineer | +1781-515-7112 | e-Mail rlarner rsa.com
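The PIN enforcement item above (and the later reply explaining that FIPS 201 requires it even where Oberthur and Gemplus cards do not enforce it) is the kind of driver-side check a defender wants in place before any PIN reaches the card. The following is an added example, not code from the RSA patch or from OpenSC's card-piv.c: the 6-digit minimum and numeric-only rule are the FIPS 201 requirements the thread quotes; the 8-byte maximum, the 0xFF padding of the VERIFY data field, the function names and the result codes are assumptions of this example.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

/* Result codes for this example only; OpenSC's SC_ERROR_* values are not
 * reproduced here. */
#define PIV_PIN_OK            0
#define PIV_PIN_TOO_SHORT    -1
#define PIV_PIN_TOO_LONG     -2
#define PIV_PIN_NOT_NUMERIC  -3

/* 6-digit minimum and numeric-only: the FIPS 201 rule quoted in the thread.
 * 8-byte maximum and 0xFF padding of the VERIFY data field: PIV card-edge
 * convention (SP 800-73), assumed here rather than stated by the thread. */
#define PIV_PIN_MIN_LEN 6
#define PIV_PIN_MAX_LEN 8

/* Check a candidate PIN in the driver before it is sent to the card, so a
 * card that happens to accept short or non-numeric PINs cannot be driven
 * out of spec by the host software. */
int piv_check_pin(const unsigned char *pin, size_t pin_len)
{
    if (pin == NULL || pin_len < PIV_PIN_MIN_LEN)
        return PIV_PIN_TOO_SHORT;
    if (pin_len > PIV_PIN_MAX_LEN)
        return PIV_PIN_TOO_LONG;
    for (size_t i = 0; i < pin_len; i++) {
        if (!isdigit((int)pin[i]))
            return PIV_PIN_NOT_NUMERIC;
    }
    return PIV_PIN_OK;
}

/* Format a validated PIN as the 8-byte VERIFY data field: ASCII digits
 * followed by 0xFF padding. Returns the number of padding bytes written
 * (0..2) on success; on a rejected PIN the field is zeroed so stale digits
 * are never sent, and the rejection code is returned. */
int piv_format_pin(const unsigned char *pin, size_t pin_len,
                   unsigned char out[PIV_PIN_MAX_LEN])
{
    int rc = piv_check_pin(pin, pin_len);
    if (rc != PIV_PIN_OK) {
        memset(out, 0, PIV_PIN_MAX_LEN);
        return rc;
    }
    memset(out, 0xFF, PIV_PIN_MAX_LEN);
    memcpy(out, pin, pin_len);
    return (int)(PIV_PIN_MAX_LEN - pin_len);
}

/* Scratch field used by the stand-alone demonstration below; a real driver
 * would keep the formatted PIN on the stack and wipe it after the APDU. */
unsigned char piv_demo_field[PIV_PIN_MAX_LEN];

int main(void)
{
    /* Constructed inputs: one conforming PIN and one 4-digit PIN of the
     * kind some cards were accepting. */
    int ok  = piv_format_pin((const unsigned char *)"1234567", 7, piv_demo_field);
    int bad = piv_format_pin((const unsigned char *)"1234", 4, piv_demo_field);
    return (ok == 1 && bad == PIV_PIN_TOO_SHORT) ? 0 : 1;
}
```

The check runs on the host side regardless of what the card would accept, which is the point of the patch: a card that does not enforce the policy is exactly the case the driver has to cover.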
Re: PIV patch for OpenSC and SCA | United States | 2007-05-17 10:37:21
Larner, Russell wrote:
> My company has been working with the PIV functionality in OpenSC and
> SCA, and we needed to add a couple of features:
>
> - Individual PIV card serial number calculation (to enable correct cert
> caching in SCA)
>
> This was fairly complex, due to issues in the PIV specifications. See
> the new comments in piv_get_serial_nr for more details. It is needed in
> SCA since the serial number is used to cache certificates. (I.E. the
> Macintosh Keychain would only see certificates from the first card ever
> inserted for a given user)

Yes this is a feature that was left till later. I will have a look at it.

> - 2048-bit certificate support (should also work for 3072, but not tested)

I have this working, with the pkcs15-cert, pkcs15-pubkey and pkcs15-privkey working together to set the modulus_length.

> This required exposing the parse_x509_cert method from pkcs15-cert.c
> so card-piv.c could parse the certificate to determine the number of
> bytes in the public key.
>
> - Some cards allowed 4 character and non-numeric PINs; FIPS-201 standard
> is 6 character minimum, numeric-only. (See comments in piv_pin_cmd)
>
> Added PIN length and type enforcement to the PIV card support, since
> not all cards are correctly limiting the PIN.

Not sure if that is a good idea, but will look at it.

> - Missing unlock in some piv_get_challenge error states.
>
> This caused problems if the user entered an incorrect PIN – the card
> would stay locked and could crash applications when they tried to close
> the card.

OK.

> - Added the application name to logging to allow for easier debugging
>
> Since a lot of testing needed multiple applications to be running, it
> became important to know what application was making each log entry.
>
> SCA changes:
>
> - OpenSCKeyHandle::getKeySize and ::getOutputSize now return actual
> values based on key size.
>
> Note that these changes have only been tested on the Macintosh. I’ve
> attached the patches: libopensc.patch is against OpenSC, and
> OpenSC.Tokend.patch is against SCA.

What version of OpenSC?

> Sorry for dumping all these at once. Please let me know if there are
> any questions.

No problem. Glad to see others are interested in using OpenSC with PIV.

> Russell Larner| Senior Software Engineer| +1781-515-7112| e-Mail
> rlarner rsa.com <mailto:rlarner rsa.com>

--
Douglas E. Engert <DEEngert anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
_______________________________________________
opensc-devel mailing list
opensc-devel lists.opensc-project.org
http://www.opensc-project.org/mailman/listinfo/opensc-devel
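The "missing unlock in some piv_get_challenge error states" item that Doug acknowledges above is a classic resource-release bug: an early return on the error path leaves the card lock held, and the next application to touch the card pays for it. The following is an added example, not code from the patch or from OpenSC: a lock depth counter stands in for the reference-counting role of OpenSC's sc_lock/sc_unlock (the names card_lock/card_unlock, the struct, the simulated APDU and the error code are assumptions), the leaky shape is shown beside the single-exit corrected shape, and a helper reports how much lock depth each one leaves behind after a failed PIN check.

```c
#include <stddef.h>

/* Minimal stand-in for an OpenSC card handle: a lock depth that card_lock()
 * raises and card_unlock() lowers. Assumption: this mirrors the
 * reference-counting role of sc_lock/sc_unlock, not their real signatures. */
struct piv_card {
    int lock_depth;
    int pin_verified;
};

#define SC_OK                 0
#define DEMO_ERR_PIN_FAILED  -1   /* hypothetical error code for this example */

static void card_lock(struct piv_card *c)   { c->lock_depth++; }
static void card_unlock(struct piv_card *c) { c->lock_depth--; }

/* Simulated GET CHALLENGE exchange: fails unless the PIN has been verified.
 * The "challenge" bytes are a constructed stand-in for card randomness. */
static int send_get_challenge(const struct piv_card *c, unsigned char *out, size_t len)
{
    if (!c->pin_verified)
        return DEMO_ERR_PIN_FAILED;
    for (size_t i = 0; i < len; i++)
        out[i] = (unsigned char)(0xA5 ^ i);
    return SC_OK;
}

/* Defect pattern reported in the thread: the error path returns while the
 * lock is still held, so the card stays locked for every later caller. */
int get_challenge_leaky(struct piv_card *c, unsigned char *out, size_t len)
{
    int r;
    card_lock(c);
    r = send_get_challenge(c, out, len);
    if (r != SC_OK)
        return r;              /* BUG: lock never released on this path */
    card_unlock(c);
    return SC_OK;
}

/* Corrected pattern: one exit label releases the lock on every path,
 * error or success, so the lock depth always returns to where it started. */
int get_challenge_fixed(struct piv_card *c, unsigned char *out, size_t len)
{
    int r;
    card_lock(c);
    r = send_get_challenge(c, out, len);
    if (r != SC_OK)
        goto out;
out:
    card_unlock(c);
    return r;
}

/* Drive one implementation against a fresh card in the given PIN state and
 * report the lock depth left behind: 0 means the lock was released. */
int leftover_lock_depth(int (*impl)(struct piv_card *, unsigned char *, size_t),
                        int pin_verified)
{
    struct piv_card c = { 0, pin_verified };
    unsigned char buf[8];
    (void)impl(&c, buf, sizeof buf);
    return c.lock_depth;
}

int main(void)
{
    /* The leaky version leaves depth 1 after a wrong PIN; the fixed one leaves 0. */
    int leaky = leftover_lock_depth(get_challenge_leaky, 0);
    int fixed = leftover_lock_depth(get_challenge_fixed, 0);
    return (leaky == 1 && fixed == 0) ? 0 : 1;
}
```

A lock-depth check like leftover_lock_depth is cheap to keep in a driver's test suite: run every card operation once with a failing precondition and assert the depth is back to zero, which catches exactly the class of bug the patch fixed.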
Re: PIV patch for OpenSC and SCA | United States | 2007-05-17 11:34:14
On Thu, 2007-05-17 at 11:04 -0400, Larner, Russell wrote:
> This was fairly complex, due to issues in the PIV specifications. See
> the new comments in piv_get_serial_nr for more details. It is needed
> in SCA since the serial number is used to cache certificates. (I.E.
> the Macintosh Keychain would only see certificates from the first card
> ever inserted for a given user)

Note: Using CPLC will not work on all PIV cards... Multos offers a PIV card and since they are not a JavaCard... no CPLC exists.
--
Thomas Harning Jr.
Authentication Engineer Identity Alliance
http://www.trustbearer.com/
Re: PIV patch for OpenSC and SCA | United States | 2007-05-17 12:09:37
I was wondering about that - we only have Oberthur and Gemplus cards to test with. There is the possibility of using other bits in the flag configuration to allow some other type of serial number calculation.

(Also note that, if it can't find the CPLC, then a 'NULL' serial number is used - so that each card insertion is seen as a unique card in SCA. Unfortunately, this means the cert cache on the Macintosh is ever-growing...)

-Rusty
-----Original Message-----
From: Thomas Harning Jr. [mailto:thomas.harning trustbearer.com]
Sent: Thursday, May 17, 2007 12:34 PM
To: Larner, Russell
Cc: opensc-devel lists.opensc-project.org
Subject: Re: [opensc-devel] PIV patch for OpenSC and SCA
Re: PIV patch for OpenSC and SCA | United States | 2007-05-17 12:18:11
'Hard-coding' the PIN length requirements in the PIV card driver is definitely not optimal. However, there wasn't much choice since it is a requirement in FIPS 201 that some cards (Oberthur and Gemplus) don't implement.

The OpenSC patch was done against 0.2.11-rc1, but I've applied it against 0.2.11 without any rejections. (Unfortunately our firewall doesn't allow subversion access - it is causing trouble with PROPFIND - so I haven't been able to get source directly.)

-Rusty
-----Original Message-----
From: Douglas E. Engert [mailto:deengert anl.gov]
Sent: Thursday, May 17, 2007 11:37 AM
To: Larner, Russell
Cc: opensc-devel lists.opensc-project.org
Subject: Re: [opensc-devel] PIV patch for OpenSC and SCA
Re: PIV patch for OpenSC and SCA | 2007-05-17 14:46:35
Hey,

Please explain the motivation for this caching scheme, and please outline how it works.

On Thu, May 17, 2007 at 02:40:21PM -0500, Douglas E. Engert wrote:
> I really don't like adding card manufacture specific code to get
> the serial number of the card to what should be generic PIV code.

Full ack.

If one serial per cert is required, the globally unique id for a cert is the issuer+serial or issuer+subject AFAIK.

//Peter
Re: PIV patch for OpenSC and SCA | United States | 2007-05-17 15:30:08
OK, I have taken the RSA patch, and added most of the minor changes to what I had been working on: to use 2048, 1024 and 3072 bit keys, allow for creating the 9A, 9C and 9D keys and having the sc_pkcs15emu and framework determine the modulus_length from the cert if the objects indicate it is = 0.

I have also changed some of the p15card-helper so it works with openssl req and the engine to allow a cert request to be generated.

I have left out the serial number stuff, till we can figure this out.

Russell, Thomas can you have a look at this soon?
--
Douglas E. Engert <DEEngert anl.gov>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
Re: PIV patch for OpenSC and SCA | Estonia | 2007-05-18 01:43:44
On 17.05.2007, at 18:04, Larner, Russell wrote:
> SCA changes:
...
> Note that these changes have only been tested on the Macintosh.
> I’ve attached the patches: libopensc.patch is against OpenSC, and
> OpenSC.Tokend.patch is against SCA.

Looks reasonable. Do you have a binary (ppc only is OK) Tokend available for testing? (As my mac dev environment is on backup storage somewhere..)

m.
--
Martin Paljak
Re: PIV patch for OpenSC and SCA | Belgium | 2007-05-18 10:57:59
Hi Russell,

I've compiled and released a new test SCA release with your patches. Just compiled, not tested (no PIV card available).

http://www.opensc-project.org/files/sca/experimental/sca-0.2.2-testPIV.dmg

Happy testing,
Jean-Pierre
Re: PIV patch for OpenSC and SCA | United States | 2007-05-22 13:43:06
Peter,

The caching scheme, to my knowledge, is Apple's method to increase performance for certificates stored on smart cards. From what I've been able to determine, the Macintosh stores certificate data in a file on the operating system, with the file name based on a hash of the serial number of the smart card. (Hopefully someone better versed in Apple/SCA internals can confirm or clarify?)

I'm fairly sure that SCA could be changed to not depend on having a 'good' serial number for the caching. However, I think this would be putting the fix in the wrong spot - at least, I would expect a serial number to be an acceptable identifier for a given smart card.

I will see what I can do with the CCC container, which should remove the manufacturer-specific code.

-Rusty
-----Original Message-----
From: opensc-devel-bounces lists.opensc-project.org
[mailto:opensc-devel-bounces lists.opensc-project.org]
On Behalf Of
Peter Stuge
Sent: Thursday, May 17, 2007 3:47 PM
To: opensc-devel lists.opensc-project.org
Subject: Re: [opensc-devel] PIV patch for OpenSC and SCA