-
Notifications
You must be signed in to change notification settings - Fork 712
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Support DNIe 3.0 #810
Comments
Indeed @germanblanco wanted to look into this, see #655 |
With the old DNIe (personal data have been edited) tux cameta # dnie-tool -a with a DNIe 3.0 tux cameta # dnie-tool -a With the old DNIe cameta@tux ~ $ opensc-tool -a cameta@tux ~ $ opensc-tool -n cameta@tux ~ $ opensc-tool --serial With a DNIe 3.0 cameta@tux ~ $ opensc-tool -a cameta@tux ~ $ opensc-tool -n cameta@tux ~ $ opensc-tool --serial It also should be noted that this corrupts the pcscd service and it becomes unable to read any card until I restart it. |
Keep in mind that DNIe 3.0 disables the "open session once and use many times" behavior. It requires PIN for each use. |
DNIe 3.0 has to establish a "pin channel" before entering "secure channel" . There's some initial work here: |
@miguel-cv as far as I know, the SM channel is created using PACE. I have a complete implementation of EAC in #831 including PACE. The implementation is tested with various implementations in various situations, so I think it should meet your requirements. A quick way of checking if you can perform PACE with your PIN is to use My efforts to include EAC and PACE in OpenSC date back to 2012, so don't expect #831 to be final. |
Hi, Same here with the DNIe 3.0. I get: And when trying to read, it starts a loop that hungs Firefox. Kind regards |
Are there any test cards available from somewhere? |
Is there a specification available? |
As of today, we are missing the command manual for dni 3.0 . A command manual for the previous version is available (in spanish) at http:https://myslide.es/documents/20100930-manual-de-comandos-del-dnie-tractis.html |
You can find everything about it in http:https://www.dnielectronico.es/, although everything is in Spanish. Be sure you use links for DNIe 3.0 (previous versions are different). If you need us to translate anything, just paste it here and ask for it 😉 |
Hi, I have started to work in the DNIe 3.0 integration (I have a first working version that can sign but very shoddy). Besides I have the impression that there is something very wrong in the last versions of opendnie/opensc. I had to move to a previous version of opensc in order to make it work. Can anybody test the last OpenSC code with a DNIe 2.0? Sorry, but I have now 3.0 and nobody I have asked for knows his damned pin. Please clone, compile and try to sign with the pkcs11-tool: pkcs11-tool -d <auth_key_id> -s I wrote a little entry in my blog with the major changes needed for 3.0 if you want to review what I'm doing: |
I can access to a DNIe 2.0 |
@miguel-cv told me yesterday that current opensc implementation of the DNIe is working with 2.0. So there should be something else here. I'll try to figure out what the hell is happening with the getResponse. This weekend I'll try to move all the changes again to the current opensc branch and I'll check it twice. I deeply worry that I'm going to need a DNIe 2.0 (besides my time this thing is going to cost me some beers and snacks). |
OK, I have the current OpenSC branch working now. The problem about the getResponse was that now we need to send something in the Le (>0) in order to force the getResponse to be called. @germanblanco I see that you changed several apdus (for example in dnie_pin_verify) this way:
So, you changed an APDU with no Le=0 (no response data) to another with Le>0 (now some response data is expected). Did you changed the APDUs for that reason? Because now the secure channel is executed over the pin channel, and therefore I needed to change some other calls doing the same trick (cwa_verify_cvc_certificate, cwa_set_security_env,...). Just a silly question, why not doing that in the wrapping method? Because the plain APDU has no return data expected (it is OK with Le=0), it is changed when wrapped cos the new apdu is of type 4 (the encoded response is the response data). |
Hi, I have uploaded a first version for DNIe 3.0 in my repo. You can test it: https://github.com/rickyepoderi/opensc/tree/dnie30 As you know I don't have easy access for a DNIe 2.0 so, if you can test it with both, it would be much appreciated. I'm going to try to understand why it is needed to send CASE 4 apdus instead of 3 now. Because I think it should be possible to send a SC_APDU_CASE_3_SHORT without any problems. |
I have tested it with both. |
@cameta I can believe you with DNIe 2.0 because I haven't tested anything with it. But with DNIe 3.0 it's weird because it's working for me: ricky@magneto: |
My DNI 2.0 is working with opensc-0.16.0 |
You might have a different version of the DNI 3.0 that mine. |
@cameta dni-tool works for DNIe 3.0 even in the 0.16 version. The only problem is that you cannot login. It works with 0.16.0 debian testing. So I think you have something weird with your DNIe 3.0:
With DNIe 2.0 I suppose that something is broken in my branch. I will need one to check what happens. I'll try to figure it out but it is going long because I have no easy access to a 2.0. |
My identity card works in the machine of the police. Could the fault be in my reader? |
@cameta Don't forget to checkout the branch dnie30 (master is just default OpenSC a few days ago, and now DNIe 3.0 is directly excluded in default):
|
tested, works well for me with 2.0 and 3.0 .
|
@rickyepoderi I get the error when compiling: pkcs15-lib.c:2214:23: error: dereferencing pointer to incomplete type Am I missing something? I'm compiling with g++ 4.9.2 |
@emunicio Not related to my changes (I haven't modified anything in pkcs15) but it sounds related to openssl. Which version do you have? |
@rickyepoderi |
@emunicio In my source from github master 0362439 |
@emunicio @dengert In my branch is at line 2214 because I updated it when I started the work in 3.0 (two or three weeks ago): https://github.com/rickyepoderi/OpenSC/blob/dnie30/src/pkcs15init/pkcs15-lib.c#L2214 I suppose some new change was made to that file during thatperiod. As I said, "pkcs15-lib.c" isn't modified in my dnie30 branch (indeed changes are exclusively related to DNIe files). |
Looking closer pkcs15init/pkcs15-lib.c , It looks like it had problems before converting to OpenSSL-1.1.0. These two line a a clue to what may be going on: This routine needs to be rewritten and tested. (I can rewrite it, but someone else who uses it needs to test it.) (I will look at it tommorrow.) |
Douglas E. Engert [email protected] |
Once the #914 request is merged the DNIe 3.0 should work with current default branch (I have tested with 3.0 and 2.0 and everything looks fine). I think this issue is finished and future enhancements or bugs will be dealt in new issue numbers. Thanks everybody involved here. Nevertheless I wanted to continue with the idea of making the non-repudiation key CKA_ALWAYS_AUTHENTICATE... @frankmorgner @dengert What do you think about the idea of the three configuration values for the pin_cache_ignore_user_consent option? (Explained in the pull request). I will implement and test it if you think it is valuable. |
Some of the flags should be on a card bases. For some cards, CKA_ALWAYS_AUTHENTICATE is used to enforce a policy, and the card may also enforce it. I would not like to see us add too many flags that make it easy to violate the policies of the card issuer. But for the DNIE, it sounds like the card has set CKA_ALWAYS_AUTHENTICATE by mistake for all keys. If you can call it something like pin_cache_ignore_user_consent_for_buggy cards, and then only use it for the buggy cards i.e. DNIE 3.0 that would be OK with me. |
Take in mind that adding a third option helps in a case that is possible with a perfect (not buggy) card. Imagine a card with two or more keys under the same pin, and only one of them is CKA_ALWAYS_AUTHENTICATE, then the cache cannot be used for all the normal keys (if pin_cache_ignore_user_consent=false cache is forbidden for all the keys, if pin_cache_ignore_user_consent=true cache is admitted for all). So the new option is intended to cover that workable case (the new option would store the pin in the cache but only would be permitted its use for the non CKA_ALWAYS_AUTHENTICATE keys). Nevertheless I understand your reservations about this point, that's why I'm asking... |
Ubuntu 16.10 & opensc 0.16.0-1ubuntu2. Firefox 50 keeps asking for password on DNIe 3. ./dnie-pkcs11-tester -l The password is correct, tested on Windows 10 w/o problems. |
@davernos Thanks for testing, we need more people doing it. I would need the debug, put the level debug to 9 in opensc.conf and execute the tester redirecting the error to a file:
And attach the file here. Please be aware that there are some sensible information in the file (dnie, names, password,...). I recommend you to change that information for asterisks or something similar. |
Ok, heres the debug file. Please, let me know if I left any sensible information. |
Ok, the error is just after the sc_reset:
This happens to me from time to time (although it is very rare). That is why I was investigating removing the sc_reset. Can you try with this branch? (This one has no sc_reset.) https://github.com/rickyepoderi/opensc/tree/new-sm It's the same but using my repo and the new-sm branch:
|
debug.zip was against 0.16.0. But master has a number of changes to improve PC/SC debugging and to handling of failures of any PC/SC SCard command. There is some question as to how soon after a reset is done can the next PC/SC command be done. The reset may have been from a processs that does not show up in the debug log. I see: |
Ok, I can confirm its working now with the "new-sm" branch.
Firefox is now accepting my password and certificate is working correctly. Let me know if you need more debug info or more tests. |
As defined in BSI TR-03119 to issue SCardTransmit (with Uses Pseudo-APDU) instead of SCardControl (with FEATURE_VERIFY_PIN_DIRECT). It allows using a very basic PC/SC reader driver without special support for PIN verification or modification (such as the default CCID driver on Windows). Also gets IFD vendor information via escape commands. PC/SC's Get Uid command is now only triggered if enable_escape = true; was set by the user to allow disabling wrapped commands on broken readers (see OpenSC#810)
As defined in BSI TR-03119 to issue SCardTransmit (with Uses Pseudo-APDU) instead of SCardControl (with FEATURE_VERIFY_PIN_DIRECT). It allows using a very basic PC/SC reader driver without special support for PIN verification or modification (such as the default CCID driver on Windows). Also gets IFD vendor information via escape commands. PC/SC's Get Uid command is now only triggered if enable_escape = true; was set by the user to allow disabling wrapped commands on broken readers (see OpenSC#810)
As defined in BSI TR-03119 to issue SCardTransmit (with Uses Pseudo-APDU) instead of SCardControl (with FEATURE_VERIFY_PIN_DIRECT). It allows using a very basic PC/SC reader driver without special support for PIN verification or modification (such as the default CCID driver on Windows). Also gets IFD vendor information via escape commands. PC/SC's Get Uid command is now only triggered if enable_escape = true; was set by the user to allow disabling wrapped commands on broken readers (see OpenSC#810)
Can we close this issue? |
IMHO yes, you can. I think that dnie is working and, if some bug appears, I'll fix it opening another issue (like I'm already doing). |
OK, thanks! |
Sorry, in which version was this fixed? |
No version yet. Right now it's in the master branch and it will be in 0.17 when it comes out. |
As defined in BSI TR-03119 to issue SCardTransmit (with Uses Pseudo-APDU) instead of SCardControl (with FEATURE_VERIFY_PIN_DIRECT). It allows using a very basic PC/SC reader driver without special support for PIN verification or modification (such as the default CCID driver on Windows). Also gets IFD vendor information via escape commands. PC/SC's Get Uid command is now only triggered if enable_escape = true; was set by the user to allow disabling wrapped commands on broken readers (see OpenSC#810)
As defined in BSI TR-03119 to issue SCardTransmit (with Uses Pseudo-APDU) instead of SCardControl (with FEATURE_VERIFY_PIN_DIRECT). It allows using a very basic PC/SC reader driver without special support for PIN verification or modification (such as the default CCID driver on Windows). Also gets IFD vendor information via escape commands. PC/SC's Get Uid command is now only triggered if enable_escape = true; was set by the user to allow disabling wrapped commands on broken readers (see OpenSC#810)
As defined in BSI TR-03119 to issue SCardTransmit (with Uses Pseudo-APDU) instead of SCardControl (with FEATURE_VERIFY_PIN_DIRECT). It allows using a very basic PC/SC reader driver without special support for PIN verification or modification (such as the default CCID driver on Windows). Also gets IFD vendor information via escape commands. PC/SC's Get Uid command is now only triggered if enable_escape = true; was set by the user to allow disabling wrapped commands on broken readers (see #810)
As defined in BSI TR-03119 to issue SCardTransmit (with Uses Pseudo-APDU) instead of SCardControl (with FEATURE_VERIFY_PIN_DIRECT). It allows using a very basic PC/SC reader driver without special support for PIN verification or modification (such as the default CCID driver on Windows). Also gets IFD vendor information via escape commands. PC/SC's Get Uid command is now only triggered if enable_escape = true; was set by the user to allow disabling wrapped commands on broken readers (see OpenSC#810)
I am on Ubuntu 17.04 which ships with opensc 0.16 and testing with pkcs-tool ( |
I have cloned master branch, built it successfully but I still have the same issue with a dnie 3.0 (recurring window pin entry). Can anyone point me to the correct branch to use? Thanks |
I have a working DNIE 3.0 witjh the master branch. |
Hey, It seems that opensc is trying to release the new 0.17 version, see bug #1055. Testing has been requested for several platforms. Right now I can only test DNIe 3.0 on linux but in two/three weeks I'll be able to test DNIe 2.0/3.0 in linux/windows. But not a Mac guy at all, so if someone wants to test the MacOS bundle it 'd be much appreciated. |
DNIe 3.0 Working fine on ArchLinux using master branch. I had the recurring pin entry window bug and using the current master branch fixed the issue. Thank you! |
Expected behaviour
I should be able to use DNIe 3.0 with Firefox after configuring it.
Actual behaviour
Dialog asks for the PIN again and again endlessly, no matter if you enter the right PIN or you press Cance.
Steps to reproduce
Logs
Not sure how to get those.
CC @miguel-cv @germanblanco
The text was updated successfully, but these errors were encountered: