
CH - Gov - SwissAdmin PKI Class B Card Support (possibly Gemalto IDPrime MD830) #2619

Open
NickLohr opened this issue Oct 16, 2022 · 6 comments

Comments

@NickLohr

Problem Description

Current AdminPKI Klasse B smart cards are not supported. Some support documents mention the Gemalto IDPrime MD930.

Proposed Resolution

unknown

Steps to reproduce

Insert an AdminPKI Klasse B smart card and try to access it.

Logs

C:\Program Files\OpenSC Project\OpenSC\tools>opensc-tool --atr
Using reader with a card: Alcor Micro USB Smart Card Reader 0
3b:7f:96:00:00:80:31:80:65:b0:84:56:51:10:12:0f:fe:82:90:00

C:\Program Files\OpenSC Project\OpenSC\tools>pkcs11-tool -L
Available slots:
Slot 0 (0x0): (GetSlotInfo failed, CKR_DATA_LEN_RANGE)

C:\Program Files\OpenSC Project\OpenSC\tools>cardos-tool -i
Using reader with a card: Alcor Micro USB Smart Card Reader 0
Failed to connect to card: Incorrect parameters in APDU

SafeNet Authentication Client (Thales):
Token name: Swiss Government PKI
Token category: Hardware
Reader name: Alcor Micro USB Smart Card Reader 0
Serial number (PKCS#11): 84D1701A2A62XXXX
Free space on the token card (at least): 20873
Card ID (GUID): 0xA1400028CE0C3879A1400028CExxxxxx
Product name: IDPrime MD 830-FIPS Rev B
Card type: IDPrime
Applet version: IDPrime Java Applet 4.3.5.D
Mask version: G286
Token password: present
Remaining token password change attempts: 5
Maximum token password change attempts: 5
Token password expiry: none
Administrator password: present
Remaining administrator password change attempts: 5
Maximum administrator password change attempts: 5
FIPS: FIPS 140-2 L3
Common Criteria (CC): CC EAL6+ certified on chip level
Full Secure Messaging (SM): Yes
Sign padding on token: Yes
Supported key size: 2048 bits
ECC: Supported
CSP: eToken Base Cryptographic Provider
KSP: SafeNet Smart Card Key Storage Provider

Links:
https://www.bit.admin.ch/bit/de/home/subsites/allgemeines-zur-swiss-government-pki/zertifikatstypen/klasse-b--prestaged-.html
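As an added worked example (not code from the OpenSC project or from the issue author): OpenSC recognises a card by matching the ATR the reader reports against the ATR tables in its card drivers, so decoding the ATR printed by `opensc-tool --atr` is the first step in working out why a card is not matched. The Python below parses that ATR according to ISO/IEC 7816-3 (TS, T0, the TA/TB/TC/TD interface bytes, the offered protocols, the historical bytes and the TCK checksum when one is present) and, when the category byte is 0x80, splits the historical bytes into COMPACT-TLV objects per ISO/IEC 7816-4. The ATR string is copied from the log above; the Fi/Di tables and field names come from the standard, and the code assumes the ATR is given as colon- or space-separated hex.

```python
"""ISO/IEC 7816-3 Answer-To-Reset (ATR) decoder.

Added worked example; not code from the OpenSC project or from the issue
author. It decodes the ATR posted in the issue (constructed input copied
from the opensc-tool output) so that the interface bytes, the protocol
list and the historical bytes can be read off before trying to match the
card to a driver.
"""

# Fi (clock rate conversion) and Di (baud rate adjustment) tables from
# ISO/IEC 7816-3; None marks an encoding that is reserved for future use.
FI_TABLE = [372, 372, 558, 744, 1116, 1488, 1860, None,
            None, 512, 768, 1024, 1536, 2048, None, None]
DI_TABLE = [None, 1, 2, 4, 8, 16, 32, 64, 12, 20,
            None, None, None, None, None, None]

# ATR from the issue (opensc-tool --atr); constructed sample input.
SAMPLE_ATR = "3b:7f:96:00:00:80:31:80:65:b0:84:56:51:10:12:0f:fe:82:90:00"


def parse_compact_tlv(buf):
    """Split COMPACT-TLV historical bytes into (tag, value) pairs.

    Each object starts with one byte: high nibble = tag, low nibble = length.
    """
    objs = []
    i = 0
    while i < len(buf):
        tag, length = buf[i] >> 4, buf[i] & 0x0F
        i += 1
        if i + length > len(buf):
            raise ValueError("truncated COMPACT-TLV object")
        objs.append((tag, bytes(buf[i:i + length])))
        i += length
    return objs


def decode_atr(atr_hex):
    """Return a dict describing the ATR; raises ValueError on malformed input."""
    data = bytes.fromhex(atr_hex.replace(":", "").replace(" ", ""))
    if len(data) < 2 or data[0] not in (0x3B, 0x3F):
        raise ValueError("missing or unknown TS byte")
    out = {
        "convention": "direct" if data[0] == 0x3B else "inverse",
        "interface": [],
        "protocols": [],
        "historical": b"",
        "historical_tlv": [],
        "tck_present": False,
        "tck_ok": None,
    }
    t0 = data[1]
    hist_len = t0 & 0x0F          # K: number of historical bytes
    y = t0 >> 4                   # Y1: which of TA1..TD1 follow
    pos, i = 2, 1
    protocols = set()
    while True:
        td = None
        for bit, name in enumerate(("TA", "TB", "TC", "TD")):
            if y & (1 << bit):
                if pos >= len(data):
                    raise ValueError(f"ATR truncated before {name}{i}")
                val = data[pos]
                pos += 1
                out["interface"].append((f"{name}{i}", val))
                if name == "TA" and i == 1:
                    # TA1 encodes Fi (high nibble) and Di (low nibble)
                    out["Fi"] = FI_TABLE[val >> 4]
                    out["Di"] = DI_TABLE[val & 0x0F]
                if name == "TD":
                    td = val
        if td is None:
            break
        protocols.add(td & 0x0F)  # low nibble of TDi names a protocol T=x
        y = td >> 4               # high nibble says which TAi+1..TDi+1 follow
        i += 1
    if not protocols:
        protocols = {0}           # no TD1 at all: only T=0 is offered
    out["protocols"] = sorted(protocols)
    out["historical"] = data[pos:pos + hist_len]
    if len(out["historical"]) != hist_len:
        raise ValueError("ATR truncated inside historical bytes")
    pos += hist_len
    # First historical byte 0x80 = category indicator: COMPACT-TLV follows.
    # Some cards (e.g. PC/SC contactless ATRs) put 0x80 there without
    # well-formed COMPACT-TLV, so a parse failure is reported, not fatal.
    if out["historical"][:1] == b"\x80":
        try:
            out["historical_tlv"] = parse_compact_tlv(out["historical"][1:])
        except ValueError:
            out["historical_tlv"] = None
    # TCK is present only if a protocol other than T=0 is offered. It is
    # chosen so that the XOR of every byte from T0 through TCK is zero.
    out["tck_present"] = protocols != {0}
    if out["tck_present"]:
        if pos >= len(data):
            raise ValueError("ATR truncated before TCK")
        xor = 0
        for b in data[1:pos + 1]:
            xor ^= b
        out["tck_ok"] = xor == 0
        pos += 1
    if pos != len(data):
        raise ValueError(f"{len(data) - pos} unexpected trailing byte(s)")
    return out


if __name__ == "__main__":
    for key, value in decode_atr(SAMPLE_ATR).items():
        print(f"{key}: {value}")
```

For the ATR above the decoder reports the direct convention, T=0 only (no TD1, hence no TCK), TA1 = 0x96 (Fi = 512, Di = 32) and 15 historical bytes whose COMPACT-TLV objects end with the status indicator 90 00. None of that identifies the applet on the card; that information only appears in the proprietary middleware output above.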

@Jakuje
Member

Jakuje commented Oct 17, 2022

There is already an issue asking for this type of card in #2589. I think I got some APDU traces from these cards that were using secure messaging, so they were not useful for getting an idea of what is needed to support these cards in OpenSC.

I think this will be the case for your card too:

Full Secure Messaging (SM): Yes

Implementing secure messaging just from the traces is hard/impossible. It would require at least decompiling the proprietary tool to get the keys and algorithms that are used in there.

@perfaram

perfaram commented Dec 7, 2022

Speaking from my experience as a Macbook user, trying things out for private use:

What you need (maybe among other libraries) if you intend to reverse-engineer the SM protocol is libIDPrimePKCS11.dylib. I can't provide it here, but you might be able to find it online (unfortunately not directly from Thales, but from smart card resellers, and code-signed). I've found it packaged as part of "SafeNetAuthenticationClient", but only versions >= 10.8 work on Monterey.

At least, installing the proper PKCS11 middleware libraries allows macOS to communicate with the card and use it as a PIV token for login, as well as offer its certificates to login to websites supporting or requiring them as a credential.

@NickLohr: Regarding windows, on the same website(s) where you can find the drivers for macOS, you can also find drivers for Windows. That may help.

@Jakuje
Member

Jakuje commented Dec 7, 2022

We already got a couple of cards, including the MD830, from Thales and from another customer interested in supporting them through an open-source driver, and @xhanulik is already working on getting them working (without the SM). We already have some preliminary results and I hope we will be able to provide some code for testing in the coming weeks. Trying with more different cards would be very appreciated.

@dengert
Member

dengert commented Dec 7, 2022

@perfaram implies that the same card may also be used as a PIV card. Does the "CH - Gov - SwissAdmin PKI Class B Card" support PIV?

@Jakuje
Member

Jakuje commented Dec 7, 2022

Not sure. I have an IDPrime MD 830 as well as some Thales IDPrime PIV v3.0, which is recognized by OpenSC but not by SAC, and I was not able to write any objects on that yet.

@dengert
Member

dengert commented Dec 7, 2022

May be the same card but different applets. Hard to keep track of cards, applets and which are approved by which government.
Here are two PIV approved lists:
https://csrc.nist.gov/Projects/nist-personal-identity-verification-program/Validation-Lists/piv-card-application-validation-list
https://www.idmanagement.gov/approved-products-list-piv/#approved-piv-cards
