12 Jan
2011
12 Jan
'11
4:57 p.m.
On 12/01/11 17:33, Lionel Elie Mamane wrote:
Interesting.
No Pb
Yes, noticed that too (... but only had noticed it _after_ I've already found
it out by other means...)
On Wed, Jan 12, 2011 at 03:15:38PM +0100, Alain Knaff
wrote:
ok... I guessed that much, but still wanted to be sure.
On 12/01/11 14:46, Lionel Elie Mamane wrote:
> I'm pleased to report that I've
developed a free software driver /
> middleware for LuxTrust-issued smartcards. Details at
> http://c3l.lu/wiki/index.php/Luxtrust#Using_Open_source_tools
This is great news, congratulations! This is
useful not only for 64 bit
processors, but also for non-Intel Linux devices such as the Nokia N900.
I suppose this works both for the credit-card sized smartcards and for the
"signing sticks" (which take a SIM-sized chipcard)?
Yes. From the software POV, the SIM-sized smartcard and the
credit-card sized smartcard are identical; they present the same ATR. The only difference I could see is the size of the
keys on it; if
memory serves me right the SIM-sized smartcards have 2048 bit keys and
the credit-card smartcards 1024 bit keys.
I find that rather ironic, as the credit-card sized smartcards are
advertised as slightly "more secure" by LuxTrust.
As far as I know, they market it as being "more professional", not more secure,
and this has more to do with the features that Luxtrust's PKI supports on the
various media, rather than the intrinsic security. Most important feature here
is that the credit-card sized cards support signature by multiple cards, which
is useful in an enterprise context if signatures of more than one
decision-taker are necessary to validate a given business transaction.
Moreover, Luxtrust provides a fraud insurance with their media, and the amount
insured is higher for the credit cards than for the SIMs.
Another fun fact is that the sticks are guaranteed for 5 years, but the credit
cards only for 3. Apparently, this is for purely mechanical reasons: contacts
of the credit cards wear faster than for the sticks (because the SIM is only
inserted into the stick once, and then stays there), and so the credit card
would never last 5 years.
Just out of
curiosity: how did you manage to do this, how did you
(or Georges Bart) get the necessary information for this
development?
Georges Bart: I don't know. Me: Well, I spied on the communication
between the binary-only driver and the smartcard, and with the help of
some "leaked" parts of (an older version) of the ISO standard on
(crypto) smartcards, which the smartcard *partially* follows, I made
sense of the stream of bytes and configured my driver to do the same. As Lilux, we have had contacts with Luxtrust
(...) Back then, they
agreed that _if_ a 64 bit driver was available from another source,
they would also follow with their libraries (... )
Great!
it might now be interesting to take up contact
again.
Our emails on that crossed each other. Yes, by all means! Btw, I had a peek in Gemalto's own drivers
(using a crude
decompiler), and apparently they heavily use OpenSC themselves...
They acknowledge that in their license / copyright file. However, they
do not obey OpenSC's license fully: they do not give us .o files for
their binary-only parts, so that we could relink it against a newer
version of OpenSC, which might actually make their binary-only driver
work on newer GNU/Linux systems (e.g. it does not work with Debian
"lenny" 5.0, only with Debian "etch" 4.0).
Weird. I use it on an Ubuntu 10.04, which is also fairly recent (came out last
year).
But I did notice that opensc based _applications_ cannot use the Gemsafe PKCS11
module (even on older Ubuntu 8.04), supposedly because the two copies of opensc
"fight" each other (the "dynamical" copy pulled in by the app, and the
static
one brought by the PKCS11 module). No such problem exists for apps that don't
use OpenSC directly (such as Firefox). Btw, this is how I first noticed that
Gemsafe uses OpenSC :-)
It might be interesting to see whether the Gemsafe module fails on lenny for
all apps (including Firefox), or only for those that use OpenSC (various handy
command line "test tools")
Also, legally, their licenses are an interesting mess. They did include the
LGPL for openSc in their package, but then put their own license (for the
proprietary parts) next to it, and both licenses basically contradict each
other (and there is no text which says which should count more). I would guess,
in case of doubt the OpenSC LGPL license should count, because they would not
legally be allowed to "remove" anything from the OpenSC license or else they
would forfeit their right to build upon OpenSC...
As far as the java JNI "shim" that loads the original gemsafe lib by absolute
path is concerned, maybe this could be tricked by renaming the open source
driver? Theoretically, the JNI shim should only depend on PKCS11 standard APIs,
so this might work...
From what they explained to me, they did this because
the Java Crypto API (not
the C PKCS11 API) was lacking some features which they
"needed" (such as
chosing among more than one card that might be present), so they had to resort
to this "hack" if they wanted to offer these features from Java. The C PKCS11
API does have the required features, so there is no reason why any standard
complying PKCS11 module shouldn't work, if it had the "correct" name....
Regards,
Alain