Towards 0.17.0 #1055
Comments
@dengert, yes, I'll get back to it during the weekend. Thanks. |
You'll find a pre-release of OpenSC 0.17.0 on GitHub. A draft version of the user visible changes is available in this ticket. I've put together a wiki page on how to systematically test your card. Please extend the page with test results from your smart cards. If you think that some important usage of OpenSC is missing (I'm looking at you, |
I'm planning the first of July as release date, so please be active in commenting and testing! |
Found #1065 |
See #1066 |
@fabled @CardContact @rickyepoderi @Jakuje @hongquan @FeitianSmartcardReader @hamano @konstantinpersidskiy @hhonkanen @nunojpg @iay @martinpaljak @viktorTarasov @hean01 @l1k @darconeous @yoe @vletoux @okirch @tc-anssi @resoli @adminmt @rainermetsvahi @metsma @Hubitronic @drew-tyfone @LudovicRousseau @marschap @andbil @fancycode Since you've created a card driver or contributed lately, please give your feedback on the wiki page if your card is working in the upcoming release. Even if some tests for the card driver have already been performed (first table), please add your actual card to the second table. As far as I know, this is also the first survey of which cards are actually used with OpenSC. Compiling the list of authors above, I've realized that many card drivers haven't changed in years (apart from some - mostly untested - fixes). I'm planning to remove the old drivers from the list of Thanks for everyone giving feedback! |
Hi, I have the next chance to do testing on the week from 3rd July to 7th July. I will allocate some time for testing the MyEID driver then and get back with the results. |
On the wiki page, is there any way to add a footnote to the check box? For example Windows has its own minidriver for PIV, and so I recommend using it instead of the OpenSC minidriver. When you release 0.17.0 are you going to fix all the outstanding issues, or at least list them? I was surprised my name was left off the list of developers above. |
Sorry, @dengert that your name slipped into the list. I noticed your testing and I am glad that you already found some issues! I've added all discovered issues (including #1071) to https://github.com/OpenSC/OpenSC/projects/1 and hope to get this fixed for the upcoming release. I was hoping to make the 0.17 release on 01.07., but if we need some more time, that's no problem @hhonkanen. |
Hi, I'm testing JPKI driver with OSX tokend. |
You could set |
I am interested to get the Swissbit secure microSD cards listed as compatible. These embed an SLE78 with a TrustedLogic JTOP OS. I know it is working with Muscle and ISO Applet, but how do we get it formally listed? I am starting tests now and appreciate your guidance.
|
@Hubitronic When done testing, edit the first table in https://github.com/OpenSC/OpenSC/wiki/Smart-Card-Testing and add emoticons for what you've tested. In the second table add something like these two lines:
Ideally, you should be more specific about what muscle applet you're referring to! As far as I know, there are many customized versions out there, of which none is really maintained... |
@frankmorgner I've already debugged tokend; tokend seems to read the certificate correctly, but Safari does not send the certificate to the TLS server even though Safari shows the certificate selection dialog. |
@hamano you could check if Chrome has the same problem (it also uses tokend). I've experienced that sometimes Safari (and Chrome) don't immediately notice that everything went fine. Refreshing the page once or twice was enough to show the TLS-client-authentication-protected site. |
Good to know that a new version is almost here. Personally I can only test right now DNIe 3.0 on Linux (sorry but I don't have any other box). In two or three weeks I suppose I'll be able to test Linux/Windows DNIe 2.0/3.0. But MacOS is completely out of my radar, so I'm going to write in the bug of the DNIe 3.0 integration if somebody else wants to test MacOS. |
I will go through the testing of the cards I have available during today and probably start of the next week. So far the
More tests and fixtures later. Also I will update the wiki as soon as all the tests are finished. |
Done a full P11 regression test with a vanilla SmartCard-HSM. Change PIN failing as described in #1076. |
It showed up that the PR including CardOS 5.3 support itself went wrong while I was trying to adjust the provided mechanisms to reflect the reality (remove |
#1081 resolves the CAC |
NitroKey crashes with the rc1 build from a few days ago, but works with master though I don't see any significant change in between them in
But clearly, we should check the result of |
@Jakuje Thank you for testing Nitrokey. I planned to do but haven't found time yet. |
Tests with Firefox as a client and GnuTLS as a server (do not have proper CA set up, but certificate is sent properly):
I will try to investigate what is going on in Firefox with NitroKey. Edit: It looks like NitroKey ends in the cycle where it tries to login and logout for some reason until I unload the slot:
Not sure where it is picking up the empty pin and why it does not do so for other drivers. I can attach also opensc debug log if it can be helpful. Let me know. |
@Jakuje Regarding this comment of yours: You mentioned "Nitrokey". Did you test it with Nitrokey HSM or another Nitrokey model? |
@jans23 sorry for not being clear. I meant the one NitroKey HSM. I don't have any other to test with. |
@hongquan Jakuje didn't test with a Nitrokey Pro. If you could find time to do so, that would be great. |
The installation of the DMG on MacOS Sierra v10.12.5 fails because "“OpenSC 0.17.0.pkg” can’t be opened because it is from an unidentified developer.". The DMG needs to be signed. |
Am seeing #1060 with v1.7.0-rc1. You get "agent refused operation" after reboot until you unplug and reinsert the smartcard reader. |
@jans23 @hongquan
|
I did some testing today with a MyEID card. I tested package opensc-0.17.0.tar.gz on an Ubuntu VM which I have for testing purposes. At first I faced some difficulties with the environment, it took a while to realize that I need to install libssl-dev package before I can get pkcs15-init built and installed. Tested first with an empty card (pkcs#15 structure and pins created, but no keys) using command pkcs11-tool --login --test. It didn't find opensc-pkcs11.so automatically so I had to specify --module with the full path. The test resulted in "no errors." but it didn't do much, so I decided to add some keys. I added a 1024 bit RSA key using pkcs15-init. Passed with "no errors.", "all 4 signature functions seem to work ok". Added a 256 bit EC key and tested again. It crashed at "warning: PKCS11 function C_GetAttributeValue(MODULUS_BITS) failed: rv = CKR_ATTRIBUTE_TYPE_INVALID (0x12)". I have run into some problems when testing MyEID's features with "pkcs11-tool --test" earlier, so I have a set of commands which I usually run. For example MyEID doesn't support signing raw unhashed data with 2048 bit keys so the test fails if there's a 2K key on the card, and it doesn't seem to work with EC keys. So I am wondering how I should initialize the card before the test, so that the test could be considered passed. I checked "some test cases passed" at the test results. I'll try to find time to do some more testing this week and run my usual test commands. |
I continued MyEID testing today. Here is a summary of the results:
Initialize a card with two user pins and finalize it, using pkcs15-init: OK
Test keys using pkcs11-tool --login --test, 1024 bit test OK with the following results:
Testing 2048 bit key fails with the following message, because MyEID doesn't support RSA-X-509 with 2K keys. This test has given the same error in previous OpenSC releases.
Generating a secp256r1 EC key using pkcs11-tool: OK
@frankmorgner do you think these results are enough for marking the pkcs#11 test as passed? |
@hhonkanen as long as there is no unexpected failure, that's great news. Thanks for taking the time to go through all this. If you want to test TLS client authentication, you may try to set up GNUTLS as server as suggested above. Please only write all tests have passed, if you verified all of them. |
@Jakuje did you have time to look again at the issue you have reported above with the NitroKey? |
I've created a new release candidate, which fixes most issues already found. The only critical outstanding problem I'd like to see fixed is #1050 ( @CardContact ?). Also, if there is no significant change or discovery, I'm creating the release in a week or two. |
I've tested rc2 in Linux and Windows with DNIe 2.0 and 3.0 (4 tests).
If you want me to do more things in a non linux box, speak this weekend or forever hold your peace. 😉 |
For Windows a "certutil -scinfo" is fine
Vincent
|
@vletoux It didn't work for me then, as soon as you enter the DNIe in the reader, Windows starts to find a proper driver and it finds the official Spanish DNIe implementation and not opensc. I uninstalled it and tried to load the opensc one but it didn't find anything. But surely it's my fault, Windows is not my strong area. |
@frankmorgner I was away last week. The problem should be fixed by the commit Jakuje@a058b89 -- I will file a PR soon. |
#1093 is solved. Waiting for your PR. |
@rickyepoderi you need to add your card to the registry. SC-HSM has some information about this in the wiki (make sure to use your card's ATR). |
I just failed to build from source archive (opensc-0.17.0.tar.gz) on Debian.
Building from git repository is no problem, also 0.17.0-rc1.tar.gz has npa-tool.1. |
@hamano where did you get the |
@LudovicRousseau, @hamano that's already fixed (#1093) |
@frankmorgner, @hhonkanen, I have tested Firefox (on Linux) to connect to a site with TLS authentication, with MyEID card, and this works. Windows 10 (32bit) install/uninstall works, certutil -scinfo works, can import certs from the card, browser (EDGE) connects to TLS auth. site works. Windows login/unlock not tested, PIN change - not tested |
@popovec, thank you for testing TLS with MyEID! |
The new release 0.17.0 of OpenSC is available on GitHub. Thanks for everyone contributing in terms of bug fixes, new features and testing. I've started updating the wiki pages so that it starts serving as a useful source of information. You're welcome to add details of your card or smart card use cases as well. |
I think it's time to prepare and publish the next major release.
I propose the end of the next week as a limit date to close (or to decide to postpone) pending issues and pull requests. I've created https://github.com/OpenSC/OpenSC/projects/1 with the open tasks I'd still like to see resolved for the release (Please extend the list if you're missing something). I'll then create a release candidate in about two weeks and hope to publish the final release in July.
What do you say, @OpenSC/core, @OpenSC/maintainers?