Working with OpenSC

От Infonotary
Версия от 16:04, 31 юли 2013 на Inmivanov (беседа | приноси) (Нова страница: OpenSC don't have programs with graphic interface, so all the operations must be performed with Terminal. == Testing installation == You may check if the reader and the …)
(разл) ← По-стара версия | Текуща версия (разл) | По-нова версия → (разл)
Направо към навигацията Направо към търсенето

OpenSC don't have programs with graphic interface, so all the operations must be performed with Terminal.

Testing installation

You may check if the reader and the smart card is recognized with the following command:

1) opensc-tool -l - this command lists all the readers that are plugged in the computer. It should show something like this:

Readers known about:
Nr.    Driver     Name
0      pcsc       OMNIKEY CardMan 6121 0

2) opensc-tool -n - 1)with this command you may check if your card is recognized correctly. If it's OK, you should get message “ CardOS M4”. If you get an error, that finishes with “ Failed to connect to card : Unresponsive card ( correctly inserted?)”, most probably your card is not inserted correctly in your smart card reader.

Change PIN

The PIN code of the card can be changed from the Device Manager of Firefox or with the following command - pkcs15-tool --change-pin. The length of the PIN on Infonotary cards can from 4 to 16 symbols, that can contain letters and digits.

Unblock PIN

In case that Firefox ask you for PIN multiple times, most probably you've blocked your PIN. You can unblock it with the following command pkcs15-tool -u

Change SO-PIN

SO-PIN can be changed with following command - pkcs15-tool --change-pin -a ID, here the ID must be change with it's identifier. You can check by running the following pkcs15-tool --list-pins. Part of the log must look like that:

PIN [SO-PIN]
Com. Flags: 0x3
ID : 02
Flags : [0x99], case-sensitive, unblock-disabled, initialized, soPin
Length : min_len:4, max_len:16, stored_len:0
Pad char : 0x00
Reference : 130
Type : UTF-8
Path :

Identifier of the SO-PIN is the text, which is against ID section. In this case the command for changing the SO-PIN is pkcs15-tool --change-pin -a 02

Displaying the content of the card

With the following command you may see all the objects on the smart card pkcs15-tool -D

Forbid OpenSC to work with a specific card

Cards that are labeled T&S DS/2048 of the manufacturer Bit4id, re not supported in OpenSC 12.0 and above, so if you want to use that kind of a card with CardOS card you will have to edit the configuration file of OpenSC. You must add the following after the row with „app default {“:

	card_atr 3b:ff:18:00:ff:81:31:fe:55:00:6b:02:09:03:03:01:11:01:43:4e:53:11:31:80:8c {
		name = " T&S DS/2048 (disabled)";
		driver = "mcrd";
	}

n Mac OS X the file is /Library/OpenSC/etc/opensc.conf, to open it with privileges to edit you must use the following command - sudo /Applications/TextEdit.app/Contents/MacOS/TextEdit /Library/OpenSC/etc/opensc.conf

In Linux the configuration file location is /etc/opensc/opensc.conf or in /etc/opnesc.conf

The same way you can forbid certain model smart cards from OpenSC. You must add analogical section in the configuration file with the following content:

	card_atr ATR {
		name = "name of the card";
		driver = "model of the card";
	}

With the command opensc-tool -a you can display the ATR of a card. A list with the drivers that are supported you can receive by enteringopensc-tool --list-drivers

Test

In order to check if the certificate works correctly you can use this command - pkcs11-tool -lt --module opensc-pkcs11.so. This command will ask you to enter PIN of the card "Please enter User PIN:". The PIN won't be displayed on the screen even with start. Press Enter to confirm. You should get a message like this:

Please enter User PIN:
C_SeedRandom() and C_GenerateRandom():
  not implemented
Digests:
  all 4 digest functions seem to work
  MD5: OK
  SHA-1: OK
  RIPEMD160: OK
Signatures (currently only RSA signatures)
  testing key 0 (DDA8BB6F-86C2-48F7-B061-F2F4023ED8F2)
  all 4 signature functions seem to work
  testing signature mechanisms:
    RSA-X-509: OK
    RSA-PKCS: OK
    SHA1-RSA-PKCS: OK
    MD5-RSA-PKCS: OK
    RIPEMD160-RSA-PKCS: OK
Verify (currently only for RSA):
  testing key 0 (DDA8BB6F-86C2-48F7-B061-F2F4023ED8F2)
    RSA-X-509: OK
    RSA-PKCS: OK
    SHA1-RSA-PKCS: OK
    MD5-RSA-PKCS: OK
    RIPEMD160-RSA-PKCS: OK
Key unwrap (RSA)
  testing key 0 (DDA8BB6F-86C2-48F7-B061-F2F4023ED8F2)
    DES-CBC: OK
    DES-EDE3-CBC: OK
    BF-CBC: OK
    CAST5-CFB: OK
Decryption (RSA)
  testing key 0 (DDA8BB6F-86C2-48F7-B061-F2F4023ED8F2)
    RSA-X-509: OK
    RSA-PKCS: OK
Testing card detection
Please press return to continue, x to exit: x
Testing card detection using C_WaitForSlotEvent
Please press return to continue, x to exit: x
No errors 

When this message is displayed - “Please press return to continue, x to exit”, you must press “x” and press Enter. In case there is some problems with the reader, the card or the certificate, the command will finished with the message “error” and a description of the problem. For instance if your PIN is blocked you will get message : “ error: PKCS11 function C_Login failed: rv = CKR_PIN_LOCKED (0xa4)" , and if the entered PIN is incorrect the message will be :"error: PKCS11 function C_Login failed: rv = CKR_PIN_INCORRECT (0xa0)".

In versions of OpenSC before 0.13, in dependance of the content of the card, it is possible to receive an error below “Signatures (currently only RSA signatures)“ . In this case you will have to test if it work in other program, like Firefox.