Definition of abbreviations
AC - Access Condition
AID - Application IDentifier
To identify a card in open networks (e.g. key servers) and for the purpose of Log-In in local or open networks or to a single computer, it is necessary to have unique application numbers. For that reason every card manufacturer or personalizer who makes the card/application ready to run has a unique address. This manufacturer identification is controlled by FSF Europe e.V. and given to every interested manufacturer for free. Only registered manufacturers are allowed to produce applications compatible with an OpenPGP application. The system works similarly to MAC addresses on network cards. The 2 bytes are coded binary and the values 0000 and FFFF are reserved for test purposes.
ATR - Answer To Reset
GENERATE ASYMMETRIC KEY PAIR
This command either initiates the generation and storing of an asymmetric key pair, i.e., a public key and a private key in the card, or returns the public key of an asymmetric key pair previously generated in the card. In case of key pair generation the command does not set the values of the corresponding fingerprint.
After receiving the public key the terminal has to calculate the fingerprint and store it in the relevant DO. The generation of a key pair for digital signature resets the digital signature counter to zero (000000). The command can only be used after correct presentation of CHV3 for the generation of a key pair. Reading of a public key is always possible.
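As an added example (not code from the page or from the OpenPGP card specification), the terminal-side step described above: parse the 7F49 public-key DO that GENERATE ASYMMETRIC KEY PAIR returns (tag 81 = modulus, 82 = public exponent) and compute the RFC 4880 v4 fingerprint that the terminal then stores in the fingerprint DO. The sample response and its 128-bit "modulus" are constructed, and the creation time must be the same one the terminal stores with the key.

```python
import hashlib
import struct

def read_tlv(buf: bytes, pos: int):
    """Parse one BER-TLV at buf[pos]; return (tag, value, position after it)."""
    tag = buf[pos]; pos += 1
    if tag & 0x1F == 0x1F:                       # two-byte tag such as 7F49
        tag = (tag << 8) | buf[pos]; pos += 1
    length = buf[pos]; pos += 1
    if length & 0x80:                            # long form: 0x81/0x82 then length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big"); pos += n
    return tag, buf[pos:pos + length], pos + length

def parse_public_key_do(response: bytes):
    """Return (n, e) from the 7F49 public-key DO; 81 carries the modulus, 82 the exponent."""
    tag, inner, _ = read_tlv(response, 0)
    if tag != 0x7F49:
        raise ValueError(f"expected DO 7F49, got {tag:X}")
    parts, pos = {}, 0
    while pos < len(inner):
        t, v, pos = read_tlv(inner, pos)
        parts[t] = v
    return int.from_bytes(parts[0x81], "big"), int.from_bytes(parts[0x82], "big")

def mpi(value: int) -> bytes:
    """OpenPGP MPI: two-byte bit length followed by the big-endian magnitude."""
    bits = value.bit_length()
    return struct.pack(">H", bits) + value.to_bytes((bits + 7) // 8, "big")

def v4_public_key_body(n: int, e: int, creation_time: int) -> bytes:
    """Body of a v4 RSA public-key packet: version 4, creation time, algorithm 1 (RSA), MPIs."""
    return b"\x04" + struct.pack(">I", creation_time) + b"\x01" + mpi(n) + mpi(e)

def openpgp_v4_fingerprint(n: int, e: int, creation_time: int) -> bytes:
    """RFC 4880 v4 fingerprint: SHA-1 over 0x99, the two-byte body length, and the body."""
    body = v4_public_key_body(n, e, creation_time)
    return hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body).digest()

# Constructed sample response: a 128-bit toy "modulus" (not a real RSA key) and e = 65537.
SAMPLE_MODULUS = bytes.fromhex("c35a0f71e9b2d483a6c0de1f9b7e5d21")
SAMPLE_RESPONSE = bytes.fromhex("7f4917") + b"\x81\x10" + SAMPLE_MODULUS + b"\x82\x03\x01\x00\x01"

if __name__ == "__main__":
    n, e = parse_public_key_do(SAMPLE_RESPONSE)
    print(openpgp_v4_fingerprint(n, e, creation_time=0).hex().upper())
```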
No (G)UI => Signature key can't be used
btw: this is not only the case for pins with a userConsent attribute, it's the case for _all_ local pins
Differences with 'official' sources + implications
* BELPIC_SET_LANG: export a function that allows the application to specify the language for the dialogs
Q: I'm currently working with a Sun Ray system 2.0 on Solaris 8 and wish to use a smart card reader installed into Thin Clients for digital signatures?
A: Make sure that you have the latest patches for SRSS 2.0, and the latest SUNWsrcbp package. That package provides a PC/SC-lite API for the internal Sun Ray reader. That will get you going at the APDU level. Note a couple of things about Sun Ray:
The SUNWsrcbp package only provides APDU-level access (the PC/SC-lite API) via the libpcsclite.so shared library. You don't need a special header file since this is built with the standard winscard.h header file.
Q: I get the x509 certificate from my smartcard. How can I extract the name of the owner and the public key?
A: What has worked is:
pkcs15-tool -r 45 | openssl x509 -noout -text
openssl has the x509 utility with a header file "openssl/x509.h" with functions to do that.
Erasing the whole card using the DELETE MF command
starcos spk 2.3 does not support file deletion. Only some cards/tokens support the "DELETE MF" command erasing the whole card ("test cards"). Whether or not your card supports DELETE MF can be determined from the GET CARD DATA response using opensc-tool.exe -s 80:f6:00:01:00
The last byte should be 0xc0 if DELETE MF etc. is supported.
Q: I have a problem with openSSH and eToken Pro. My smartcard has 2 Private Keys and 2 Certificates.
A: If you're using OpenSC 0.9.4 (or earlier), you may need this patch:
Q: How do you make a Mozilla plugin which will speak to a smartcard with pkcs11?
A: This should be possible with client certificates. Have a look at
Q: Where's a link for the IE plugin for PKCS11?
A: The MS-signed CSP #11 acts as a gateway between a PKCS #11 library and the Microsoft Crypto API.
Q: At the moment I may access the cards and read their ATR but don't know if I need different "driver" for signing with different smartcard operating systems. Does Musclecard provide a common interface?
A: Yes - you need an initiator-side driver for the musclecard "cardedge" - the protocolar interface to a set of _mechanisms_ in a cryptomodule, such as the digital signature mechanism.
Application builders use such basic security frameworks to construct secure (distributed) applications, and leverage them in richer frameworks such as the .NET framework, or in JAVA 2. The semantics of the security framework in which the cardedge is used dictate what class of secure application one can
(1) Plugging a custom assembly into the .NET framework specializes the interaction of the card with the wider secure distributed object system.
Q: How does ActiveCard differ from the Javacard Musclecard?
A: ActiveCard applets have an access control decision function that is not present in the javacard musclecard implementation. It allows the card's policy to specify "authentication strength" on a per-method basis: e.g. the host driver must first complete XAUT strong authentication, and only then can one invoke the verify pin method, or access the read bio template method, prior to requesting the match-on-board method, for example.
Q: Explain the difference between smart card readers in a super complex way?
A: Basically you have readers where the 14443-1234 implementation resides completely in firmware (such as Integrated Engineering), readers where some bits are in firmware and others on the host (such as Philips Mifare Pegoda RD-700) and readers where the whole stack resides on the host (such as Omnikey cm5121).
Q: Where can I buy smart card related items?
Q: Where can I locate smartcard software?
Q: Where can I find a list of natively supported cardreaders?
Q: Where can I download the latest version of the Apple SmartCardServices source?
Q: Where can I get information for server administrators who wish to Department of Defense DoD PKI enable standard internet protocols on Unix?
A: The U.S. Naval Research Laboratory has an info page at https://airborne.nrl.navy.mil/PKI/
Q: I've compiled [and am running] pcsc-lite 1.3.1 and the OmniKey 3121 driver on my Fedora [Core 5] box. When I insert and then remove my card, I get data in /var/log/messages.
A: There is a README contained in the OpenManager GUI. But it only works for some OpenPlatform 2.0.1 cards, so you must check what your smart card supports. In general you should use gpshell; it is much more stable.
Generally this is only meaningful if the application you want to use with the certificate can understand the format and talks to the smart card. The Muscle PKCS#11 module can do this. Use it with Thunderbird, Mozilla, ... and sign your
Q: Who is C3P0, apart from the droid on Star Wars?
A: C3PO is a Spanish smart card reader manufacturer, which also sells smart cards. One of the smart cards they distribute is the FNMT cryptographic smart card, called Criptonita. In order to use it, there is the Opensc-Ceres
Q: What is the difference between e-wallet and e-purse?
Q: What is the advantage of T=1 protocol compared to T=0 protocol? Which applications use T=1 protocol and which use T=0 protocol?
A: To be blunt T=1 works. T=0, as defined by ISO, doesn't. Never has. Never will.
Q: I've got a smartcard and don't know what to do with it?
A: You must first get the technical information for your smart card. Then decide what application on the card you want to use, if you can even install an application on the card. You must know the APDU specification (if you don't know what APDUs are you should Google or read ISO 7816-4). (The application has nothing to do with the OS on the card, so the OS is not
Q: How do I select from a bunch of various certificates rather than just the first one?
A: Try StrongSwan from which has a regular PKCS#11 smartcard interface and allows selecting certificates according to position, e.g.
Q: I am trying to use openSC java but I get an exception while trying to add OpenSC provider.
A: If you are using opensc-java under Win32 and the JVM process is unable to resolve all dependent DLLs, you might either
2) Install all additional DLLs referenced by your PKCS#11 module in %SystemRoot%
3) Set the current working directory of the running program to the directory where the additional DLLs referenced by your PKCS#11 module are located.
In order to find dependent DLLs, you might use the 'depends.exe' tool from MSVC or an equivalent tool. The opensc PKCS#11 module depends, BTW, on opensc.dll, pkcs15init.dll, libeay32.dll and libssl32.dll, which are typically installed in your SCB directory.
Q: What is $DISPLAY used for?
A: $DISPLAY is used for two things. One purpose is as an index into a port number that libpcsclite.so uses when it wants to talk to an instance of pcscd (so that if the base port of pcscd is, say, 9000, then $DISPLAY=:7.0 would contact its pcscd instance on 9007), and the second is as an untrusted key that is used by pcscd to determine if the caller can access the particular instance of pcscd. We use PAM to determine that, and in the Sun Ray case, we know which X display value is associated with which UID, and our Sun Ray PAM module can then take the untrusted $DISPLAY that comes from the caller and the trusted UID that comes from the kernel via the peer credentials that are available on a socket call, and if the two match, then access is granted.
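As an added illustration (not code from pcscd or from Sun Ray), the two uses of $DISPLAY described in the answer above: deriving the per-display port from a base port, and treating the caller's $DISPLAY as untrusted input that is honoured only when the display's owner matches the UID taken from the socket peer credentials. The base port 9000 and the display-to-UID table are assumed values.

```python
import re
from typing import Mapping

PCSCD_BASE_PORT = 9000          # illustrative base port from the answer above (assumed)

# host:display.screen, e.g. ":7.0" or "host:7"; anything else is rejected
_DISPLAY_RE = re.compile(r"^(?P<host>[^:]*):(?P<num>\d+)(?:\.(?P<screen>\d+))?$")

def display_number(display: str) -> int:
    """Display number from an X11 DISPLAY string; DISPLAY is caller-supplied,
    so a malformed value raises instead of being guessed at."""
    m = _DISPLAY_RE.match(display)
    if not m:
        raise ValueError(f"malformed DISPLAY: {display!r}")
    return int(m.group("num"))

def pcscd_port(display: str, base: int = PCSCD_BASE_PORT) -> int:
    """Port of the pcscd instance for this display: base port plus display number."""
    port = base + display_number(display)
    if port > 65535:
        raise ValueError(f"display number too large for a port: {display!r}")
    return port

def access_allowed(display: str, peer_uid: int, display_owner: Mapping[int, int]) -> bool:
    """pcscd-side decision: the DISPLAY string is untrusted, the UID from the socket
    peer credentials is trusted; grant only when the display belongs to that UID.
    display_owner is a hypothetical display-number -> UID table (Sun Ray knows this)."""
    try:
        num = display_number(display)
    except ValueError:
        return False
    return display_owner.get(num) == peer_uid

if __name__ == "__main__":
    owners = {7: 1001, 8: 1002}        # constructed display -> UID mapping
    print(pcscd_port(":7.0"))                       # 9007
    print(access_allowed(":7.0", 1001, owners))     # True: display 7 belongs to UID 1001
    print(access_allowed(":7.0", 1002, owners))     # False: UID 1002 claims someone else's display
```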
Q: I have a couple of OLD cryptoflex cards which have been in use for testing about a year ago. Now it seems that these cards are blocked completely. I cannot unblock or erase them. Even knowing the correct PIN and PUK I still get "Authentication method blocked" on unblock. Is there a way to completely erase all keys, pins and certificates from a Schlumberger Cryptoflex card (without PUK)?
A: Try the 32k personalisation tool from Axalto under Windows: http://www.cryptoflex.com/Support/index.html as the Schlumberger Cryptoflex should be the same as the Axalto Cryptoflex. It works with some Cryptoflex cards, but seems to be for the 32k version only. You will also need the transport key of your card.
Q: Can one Windows workstation use the smartcard reader of another workstation via the RDC protocol?
A: On XP PRO the server is enabled by MyComputer->Properties->Remote, then click on "Allow users to connect remotely to this computer." On XP PRO the client is under Start->Programs->Accessories->Communication->Remote Desktop Connection. Then run the client and look under Options->Local Resources. The last check box should be "smart cards".
Think of it as ssh to sshd with X windows being tunneled back to the ssh machine. RDC can also share the local printer, local disks, sound and local serial port.
Q: Is the only purpose of passing the $DISPLAY to disambiguate the case where the user is logged into multiple Sun Rays (DTUs, you call them, IIRC) simultaneously?
A: When built with the option, ./configure --enable-inetv4, the default will be for pcscd to use a base port# with xdpy#
Q: I need to store certificate in a smartcard without storing a privateKEY because certificate is already created and signed by CA. Do I have to use C_Create_Object ? or C_CopyObject ?
A: C_CreateObject() should work. You could have a look at write_object() in pkcs11-tool.c for sample code. If you just want a tool to do this, you could use "pkcs11-tool -w ..." or (preferably) "pkcs15-init -X ..."
Q: Where can I find the PKCS #11 PAM Login Tools?
Q: Where can I find DIKE software from InfoCamere?
A: Here's the link but all the text is in Italian http://www.card.infocamere.it/installazione/software.php They have versions for Windows, Linux and Mac.
The latest ID Ally Beta 2 software with features including the following: