Can't communicate with card, can't init the card. #24

Closed
ofcaah opened this issue Aug 30, 2020 · 17 comments

@ofcaah

ofcaah commented Aug 30, 2020

Hi!

I'm trying to create a virtual card for the sole purpose of having a card for digital signatures that can be used remotely, and while at it, with a private key known by me that can also be used outside the card. I understand the security implications.

To my understanding, the following setup should make it possible:
vpcd from https://frankmorgner.github.io/vsmartcard/virtualsmartcard/
jCardSim from https://github.com/licel/jcardsim
and isoApplet from here.

Not without some struggle I've managed to set things up, but unfortunately the rabbit hole is still going deeper :(

I've started all the tools as follows:

pcscd -f -d
java -classpath jcardsim-3.0.5-SNAPSHOT.jar:IsoApplet/src com.licel.jcardsim.remote.VSmartCard jcardsim_isoapplet.cfg

pcsc_scan reports:

Using reader plug'n play mechanism
Scanning present readers...
0: Virtual PCD 00 00
1: Virtual PCD 00 01

Sun Aug 30 20:21:29 2020
Reader 0: Virtual PCD 00 00
Event number: 1
Card state: Card inserted,
ATR: 3B 80 80 01 01

ATR: 3B 80 80 01 01

  • TS = 3B --> Direct Convention
  • T0 = 80, Y(1): 1000, K: 0 (historical bytes)
    TD(1) = 80 --> Y(i+1) = 1000, Protocol T = 0
    TD(2) = 01 --> Y(i+1) = 0000, Protocol T = 1
  • Historical bytes:
  • TCK = 01 (correct checksum)

Possibly identified card (using /root/.cache/smartcard_list.txt):
3B 80 80 01 01
ISO 14443 Type B without historical bytes
Electronic Passport
Spanish passport (2012)
Canadian Passport
Venez_Prox
Reader 1: Virtual PCD 00 01
Event number: 0
Card state: Card removed,

doing a:
pkcs15-init --card-profile /usr/share/opensc/isoApplet.profile -C -vvvvvvvvvvvvv --pin 1234 --puk 12345678
(--profile doesn't change things)
causes polling of every known driver. Interesting bits:
P:1450766; T:0x140325007353920 20:23:54.379 [pkcs15-init] card.c:341:sc_connect_card: trying driver 'isoApplet'
P:1450766; T:0x140325007353920 20:23:54.379 [pkcs15-init] card-isoApplet.c:114:isoApplet_select_applet: called
P:1450766; T:0x140325007353920 20:23:54.379 [pkcs15-init] apdu.c:546:sc_transmit_apdu: called
P:1450766; T:0x140325007353920 20:23:54.379 [pkcs15-init] card.c:473:sc_lock: called
P:1450766; T:0x140325007353920 20:23:54.379 [pkcs15-init] reader-pcsc.c:657:pcsc_lock: called
P:1450766; T:0x140325007353920 20:23:54.379 [pkcs15-init] card-isoApplet.c:1237:isoApplet_card_reader_lock_obtained: called
P:1450766; T:0x140325007353920 20:23:54.379 [pkcs15-init] card-isoApplet.c:1245:isoApplet_card_reader_lock_obtained: returning with: 0 (Success)
P:1450766; T:0x140325007353920 20:23:54.379 [pkcs15-init] card.c:513:sc_lock: returning with: 0 (Success)
P:1450766; T:0x140325007353920 20:23:54.379 [pkcs15-init] apdu.c:513:sc_transmit: called
P:1450766; T:0x140325007353920 20:23:54.379 [pkcs15-init] apdu.c:363:sc_single_transmit: called
P:1450766; T:0x140325007353920 20:23:54.379 [pkcs15-init] apdu.c:367:sc_single_transmit: CLA:0, INS:A4, P1:4, P2:0, data(12) 0x7f9ff6c75a28
P:1450766; T:0x140325007353920 20:23:54.379 [pkcs15-init] reader-pcsc.c:297:pcsc_transmit: reader 'Virtual PCD 00 00'
P:1450766; T:0x140325007353920 20:23:54.379 [pkcs15-init] reader-pcsc.c:298:pcsc_transmit:
Outgoing APDU (17 bytes):
00 A4 04 00 0C F2 76 A2 88 BC FB A6 9D 34 F3 10 ......v......4..
01 .
P:1450766; T:0x140325007353920 20:23:54.379 [pkcs15-init] reader-pcsc.c:216:pcsc_internal_transmit: called
P:1450766; T:0x140325007353920 20:23:54.380 [pkcs15-init] reader-pcsc.c:307:pcsc_transmit:
Incoming APDU (2 bytes):
69 99 i.
P:1450766; T:0x140325007353920 20:23:54.380 [pkcs15-init] apdu.c:382:sc_single_transmit: returning with: 0 (Success)
P:1450766; T:0x140325007353920 20:23:54.380 [pkcs15-init] apdu.c:535:sc_transmit: returning with: 0 (Success)
P:1450766; T:0x140325007353920 20:23:54.380 [pkcs15-init] card.c:523:sc_unlock: called
P:1450766; T:0x140325007353920 20:23:54.380 [pkcs15-init] reader-pcsc.c:709:pcsc_unlock: called
P:1450766; T:0x140325007353920 20:23:54.380 [pkcs15-init] iso7816.c:133:iso7816_check_sw: Unknown SWs; SW1=69, SW2=99
P:1450766; T:0x140325007353920 20:23:54.380 [pkcs15-init] card-isoApplet.c:131:isoApplet_select_applet: Card returned error: -1200 (Card command failed)

Am I doing something wrong, or did I hit some obscure bug? Pretty much everything is current version from git, built today. Any hints will be much appreciated. Thanks.

Also tagging @philipWendland @frankmorgner as you were authors of most reading material I've consumed today :)

@martinpaljak
Contributor

martinpaljak commented Aug 31, 2020

This (6999) I guess comes from jcardsim and indicates not selectable applet. But you have selected a very long list of IMHO not needed layers to have something as simple as "key in software to sign things with".
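
Added example (not part of the original thread, nor OpenSC or IsoApplet code): a small Python decoder for the APDU dumps in the debug log above, which pulls out the SELECT-by-AID command and names the status word that answered it. The function names and the short status-word table are assumptions made for this illustration; the sample log is constructed from lines quoted in the issue.

```python
import re

# 0x6999 is javacard.framework.ISO7816.SW_APPLET_SELECT_FAILED; the others are ISO 7816-4.
SW_MEANINGS = {
    0x9000: "success",
    0x6999: "applet selection failed (Java Card SW_APPLET_SELECT_FAILED)",
    0x6A82: "file or application not found",
}

# Constructed sample: APDU dumps copied from the OpenSC debug log quoted in the issue.
SAMPLE_LOG = """\
Outgoing APDU (17 bytes):
00 A4 04 00 0C F2 76 A2 88 BC FB A6 9D 34 F3 10 ......v......4..
01 .
P:1450766; T:0x140325007353920 20:23:54.379 [pkcs15-init] reader-pcsc.c:216:pcsc_internal_transmit: called
Incoming APDU (2 bytes):
69 99 i.
"""

HEADER = re.compile(r"(Outgoing|Incoming) APDU \((\d+) bytes\):")
HEX_BYTE = re.compile(r"[0-9A-Fa-f]{2}")

def extract_apdus(log):
    """Return [(direction, bytes)] for every APDU dump found in an OpenSC debug log."""
    apdus = []  # each entry: [direction, declared_length, bytearray]
    for line in log.splitlines():
        header = HEADER.search(line)
        if header:
            apdus.append([header.group(1), int(header.group(2)), bytearray()])
            continue
        if not apdus or len(apdus[-1][2]) >= apdus[-1][1]:
            continue  # not inside an unfinished dump
        _, want, data = apdus[-1]
        for tok in line.split()[:16]:  # at most 16 hex bytes per dump line
            if len(data) >= want or not HEX_BYTE.fullmatch(tok):
                break  # reached the declared length or the ASCII column
            data.append(int(tok, 16))
    return [(d, bytes(b)) for d, _, b in apdus]

def explain_select(log):
    """Pair each SELECT-by-AID command (INS=A4, P1=04) with its status word."""
    results, pending_aid = [], None
    for direction, apdu in extract_apdus(log):
        if direction == "Outgoing":
            by_aid = len(apdu) >= 5 and apdu[1] == 0xA4 and apdu[2] == 0x04
            pending_aid = apdu[5:5 + apdu[4]].hex().upper() if by_aid else None
        elif pending_aid is not None and len(apdu) >= 2:
            sw = int.from_bytes(apdu[-2:], "big")
            results.append({"aid": pending_aid, "sw": sw,
                            "meaning": SW_MEANINGS.get(sw, "unknown status word")})
            pending_aid = None
    return results
```

Calling `explain_select()` on a full `pkcs15-init -vvv` log shows which AID each driver probed and how the card answered, which separates "applet not installed or not selectable in the simulator" from transport problems in pcscd or vpcd.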

@ofcaah
Author

ofcaah commented Aug 31, 2020

"key in software to sign things with".

Well, the whole idea behind this is to have a qualified key on a qualified device.
I'll look at jcardsim/isoApplet interface then; thanks for the pointer.

@martinpaljak
Contributor

Could you elaborate on what you are trying to achieve or what you mean by "qualified"?

@ofcaah
Author

ofcaah commented Aug 31, 2020

https://en.wikipedia.org/wiki/Secure_signature_creation_device

Long story short: certificate providers insist (due to regulatory bodies insisting), that signature users shall not have access to private key used to sign things. Since (luckily) the card still has to generate the key pair, I want to know the private part of the pair that was generated. The whole process of issuing a certificate is remote. It's my guess that signature provider's software creates some kind of CSR with card's assistance.

@martinpaljak
Contributor

Secure signature creation device and qualified status in the context of EU eIDAS laws and software emulation like jcardsim or "random uncertified applets from the internet" do not really mix well?

@ofcaah
Author

ofcaah commented Aug 31, 2020

Like I said, "I understand the security implications." - and I actually trust "random uncertified applets from the Internet" more than "closed blackbox that does things".

@martinpaljak
Contributor

Not trying to undermine trust in anything, just trying to understand how you would apply this in real life, like how would you convince a qualified certificate provider to issue any certificates to unattested devices. If they sign software certificates, why not use something like openssl for a software certificate without 4 layers of emulation (the stack described above). If there is remote issuance to a device, it should by all means make use of secure channels.

@ofcaah
Author

ofcaah commented Aug 31, 2020

Their software is communicating directly with card reader on end-user's PC

@martinpaljak
Contributor

So you want to try to intercept that communication and provide your own key in the csr?

@ofcaah
Author

ofcaah commented Aug 31, 2020

Well, that would be one approach that could perhaps work if CSR isn't sent in some kind of a secure envelope itself. But I want to just provide my own card, that will generate key pair that's known to me (or even better -- will let me upload my own key to it)

@martinpaljak
Contributor

Do you think their software is using IsoApplet as the card communication protocol? Or you intend to modify IsoApplet to look and behave like whatever card they are targeting?

Assuming that there is indeed no secure messaging and you could intercept the key generation, please let me know of that CA in private.

@ofcaah
Author

ofcaah commented Aug 31, 2020

I want to use virtual card reader (the one I'm using currently as described in OP) with virtual card in it. Perhaps with some name changes. But first I need to make things work, and I seem to be stuck on this 6999 :(

I also tried @frankmorgner 's vpicc/vicc component but it's either incomplete, or I'm missing something that causes python errors. I first need to be fairly confident with every piece before I try it for real, and currently I can't just make a virtual card that can generate a keypair and sign things with it.

And sure, I won't keep my success to myself :)

Oh, and from what I gather, their software is using PKCS, but I plan to test things once I have basics working

@martinpaljak
Contributor

While there are easy to understand security implications with software vs hardware keys (and legal compliance implications when it comes to signature validity, when dealing with qualified signatures) there are also implementation implications where my prior experience wants to give a friendly warning that getting opensc + virtualsmartcard + jcardsim + isoapplet to work (look into OpenSC travis here: https://github.com/OpenSC/OpenSC/blob/master/.travis.yml#L134) could be a nice small feat, but it will be the smallest and most obvious things to fix before you can do what I think you're trying to do. A "virtual card" is not precisely a "virtual machine" that both can be used to run a licensed copy of MS office.

@ofcaah
Author

ofcaah commented Aug 31, 2020

one step at a time. ;) - worst case scenario is: I'll learn something new

@martinpaljak
Contributor

martinpaljak commented Aug 31, 2020

If the software is using PKCS#11, I'd recommend using something like SoftHSM instead of adding 4 extra emulation layers for no reason.

Long story short: for a learning experience (what it seems to be) this all is probably fun. But even for that I'd do some empirical research on the piece of software you are trying to meddle with (most importantly: pcsc traces. Maybe active debugging etc) to pinpoint what exactly you're trying to do (especially true if this is a learning experience vs exact idea of what you're trying to achieve)

This issue is not something that can be "fixed" in IsoApplet codebase with a PR. Seems more like something that should be discussed in some IRC channel.

@ofcaah
Author

ofcaah commented Aug 31, 2020

Thanks for the pointers. Travis log is very close to what I remember doing. I'll see if I can get things working with it. After that I'll take a look at OpenHSM. Please PM me the IRC channel's location ;)

@cellarweasel

I am also interested in knowing where people hang out to discuss JavaCard / Globalplatform development.
Where is the newbie friendly howto channel?
