No PKCS11 support for Finnish ID Card version 3 #1504
Comments
If you're planning to make a contribution to the project, we'd love to add a new card to OpenSC. We would be happy to get you going and to comment on your code. However, please have in mind that in lack of hardware, documentation and manpower, we can't do this on our own. |
I'm a hobby coder at best and I lack the technical background to write any code for smartcard projects. I am, however, more than willing to do any debugging or tests required. I could also provide temporary ssh access to a machine with a card reader and the card inserted. |
Email sent to [email protected] on 11Oct2018 at 14:03 EEST:
|
maybe adding an additional ATR in the old driver would be enough. What's the output of |
This is the output for my Version 2 (two) card which was issued 2013. That card works perfectly fine with opensc-onepin. |
You could try your new card with the old driver by adding this to your
The types |
Nope, all three types give me this
|
bad news is that your opensc.conf setting didn't work... good news is that your cards is somewhat detected without it. Try the following patch: diff --git a/src/libopensc/card-setcos.c b/src/libopensc/card-setcos.c
index f0ed4343..3ee19f81 100644
--- a/src/libopensc/card-setcos.c
+++ b/src/libopensc/card-setcos.c
@@ -130,8 +130,7 @@ static int setcos_match_card(sc_card_t *card)
card->type = SC_CARD_TYPE_SETCOS_EID_V2_1;
else {
buf[sizeof(buf) - 1] = '\0';
- sc_debug(card->ctx, SC_LOG_DEBUG_NORMAL, "SetCOS EID applet %s is not supported", (char *) buf);
- return 0;
+ sc_debug(card->ctx, SC_LOG_DEBUG_NORMAL, "SetCOS EID applet %s is unknown", (char *) buf);
}
return 1;
} A quick look at the documentation looks like there are some nice new features, like contactless PIN verification via PACE. But there's not much talk about what OS (Setcos?) is actually used. This could require some more work... |
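Review bot: in the else branch of setcos_match_card, dropping `return 0;` lets an unrecognized applet string fall through to `return 1;` with no `card->type` assignment in that branch, so the driver claims the card while the type is left as it was on entry. If this is only a diagnostic patch, say so alongside it; for anything meant to be merged, assign an explicit type for the unknown case, or keep rejecting by default and gate the fall-through behind a configuration option, so code that switches on card->type does not run against an applet it was never tested with.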
The Estonian smartcard implementation next door (https://github.com/open-eid) already supports the Finnish v3 cards. Maybe somebody with a good eye for code can go and get it from there. |
We use provided proprietary binaries |
Sorry for the delay. First of all, the Population Register didn't even bother to answer my email itself but dumped my request to 1st level tech support who replied
Regarding @frankmorgner's patch, I haven't gotten around to setting up the build environment yet. Have to find some time for that. |
What binaries do you need? |
The version 3 cards apparently use Gemalto MultiApp 3.0. This is according to this: https://digisaatio.fi/wiki/Tekniikka/Henkil%C3%B6kortti in Finnish only, unfortunately, and I don't know where that information is from since there are no sources listed. Although this would make sense as Setec has been a part of Gemalto for a while. According to the page the cards are supposed to have an "IAS Classic V4" applet and I tried to add the ATR to |
Correct direction is to have the card config as:
None of the available Next thing to try out is to create a correct OpenSC (IAS-ECC) FINeID (FINEID S1 - Electronic ID Application, v3.0) As you see lot of APDU request-response cycles works already but next obstacle is...
|
In an effort to get Tieto / Fujitsu to actually fix their official client I opened a not successful support request with them. They did make me capture a ton of debug logs. If those could help in any way, I'd be happy to provide them. Otherwise, my schedule is still too tight to get deeper into this. |
The Also
|
I'm going to poc a bit around in my fork, let us see where things end up here.. https://github.com/enyone/OpenSC/tree/fineid-dev Next obstacle is EF ATR at 2F01 contains only 5 bytes of data (only tag present is CARD_CAPABILITIES) and tag PRE_ISSUING not present in data. This obviously terminates init process at iasecc driver. It may end up the card is too "loosely coupled" with IAS-ECC v.1.0.1 spec and a completely new driver is a better option. Continuing with iasecc still. |
The data that would be there on an IAS-ECC card would be "IC manufacturer", "Type of the IC", "OS Version" and "Discretionary data" (IAS-ECC version), but this info seems to just be logged and not used since, at least I couldn't find any usages skimming/grepping through. If they are used though, at least manufacturer and os version can be found in EF.CIAInfo. I'm not sure what "Type of IC" is supposed to contain (contact/contactless?), and I'd think IAS-ECC version is not applicable. FINEID is also missing a field called "IO buffer size", which would contain maximum lengths for APDU commands and responses. The maximum response length is apparently 256 bytes for FINEID, with a fragmentation scheme for larger amounts of data, but that info doesn't seem to be included anywhere on the card. Also for secure messaging, max command/response lengths are 239 bytes for DES PACE and 231 bytes for AES PACE. If I remove the checks for pre-issuing data and issuer data lengths in |
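The missing-tag situation described in the two comments above, as an added example that is not part of the thread or of OpenSC: a bounds-checked walk of an EF.ATR image that treats absent PRE_ISSUING and issuer data as optional instead of fatal, while still rejecting lengths that run past the file. The tag values follow ISO/IEC 7816-4; the struct, function and sample bytes are hypothetical and constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* ISO/IEC 7816-4 interindustry data object tags that may appear in EF.ATR. */
#define TAG_CARD_ISSUER_DATA  0x45
#define TAG_PRE_ISSUING       0x46
#define TAG_CARD_CAPABILITIES 0x47

struct ef_atr { /* pointers into the caller's buffer; NULL when the tag is absent */
    const uint8_t *issuer_data, *pre_issuing, *capabilities;
    size_t issuer_data_len, pre_issuing_len, capabilities_len;
};

/* Walk the TLVs in an EF.ATR image (hypothetical helper, not OpenSC code).
 * Returns 0 if every length stays inside the buffer, -1 on a malformed file.
 * Handles single-byte tags with short or 0x81 long-form lengths only.
 * A missing tag is not an error: the caller decides what is mandatory. */
int ef_atr_parse(const uint8_t *buf, size_t len, struct ef_atr *out)
{
    size_t i = 0;
    memset(out, 0, sizeof(*out));
    while (i < len) {
        uint8_t tag = buf[i++];
        size_t vlen;
        if ((tag & 0x1F) == 0x1F || i >= len)
            return -1;                 /* multi-byte tag or no length byte */
        vlen = buf[i++];
        if (vlen == 0x81) {            /* long form, one length byte follows */
            if (i >= len)
                return -1;
            vlen = buf[i++];
        } else if (vlen > 0x7F) {
            return -1;                 /* longer length forms not handled */
        }
        if (vlen > len - i)
            return -1;                 /* value would run past the file */
        if (tag == TAG_PRE_ISSUING) { out->pre_issuing = buf + i; out->pre_issuing_len = vlen; }
        else if (tag == TAG_CARD_ISSUER_DATA) { out->issuer_data = buf + i; out->issuer_data_len = vlen; }
        else if (tag == TAG_CARD_CAPABILITIES) { out->capabilities = buf + i; out->capabilities_len = vlen; }
        i += vlen;
    }
    return 0;
}

/* Constructed samples, not dumps from a real card. */
static const uint8_t SAMPLE_FINEID_LIKE[] = { 0x47, 0x03, 0x94, 0x01, 0x80 };  /* capabilities only, 5 bytes */
static const uint8_t SAMPLE_WITH_PRE_ISSUING[] = { 0x46, 0x04, 0x01, 0x02, 0x03, 0x04, 0x47, 0x03, 0x94, 0x01, 0x80 };
static const uint8_t SAMPLE_TRUNCATED[] = { 0x47, 0x05, 0x94, 0x01, 0x80 };    /* length claims 5, only 3 present */
```

A driver built this way can log that PRE_ISSUING is absent and continue, while a truncated or inconsistent file still stops initialization.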
Thanks @ple21108 Card detection now functional with https://github.com/enyone/OpenSC/tree/fineid-dev Here is some information about the official closed-source client library for FINeID v3 cards developed by Fujitsu (its Finnish subsidiary) for Väestörekisterikeskus. https://eevertti.vrk.fi/documents/2634109/0/Fujitsu+mPollux+DigiSign+Technical+References.pdf |
Glad to be able to help. Now, with I also tried Where do you think we should be moving next? I can keep reading the specs and testing, but C is not really my strong suit. |
Moved iasecc flop to https://github.com/enyone/OpenSC/tree/fineid-iasecc (fineid v3 does not obey iasecc) Continuing with a completely new separate driver at https://github.com/enyone/OpenSC/tree/fineid-oberthur |
Now asking review before actual PR to upstream OpenSC/OpenSC |
Closing this issue due to inactivity. Please re-open the ticket if more input is available. |
They seem to be issuing these now:
|
Problem Description
The Finnish ID card version 3 can't currently be used with PKCS11. It just isn't found.
Proposed Resolution
Specifications for the V3 card are available from the Finnish Population Register.
https://eevertti.vrk.fi/en/fineid-specifications
S1v30.pdf
S4-1v30.pdf
Logs
debug.log