
Comments (12)

msetina commented on July 18, 2024

The build on Debian buster was not successful, as it does not have OpenPACE as a package.

from opensc.

frankmorgner commented on July 18, 2024

What actually is your question or issue?

If your point is that dependencies for specific card drivers are not properly documented, please feel free to extend https://github.com/OpenSC/OpenSC/wiki/Compiling-and-Installing-on-Unix-flavors or to create a separate page for eOI in the wiki so that this is more visible (i.e. create a pull request here https://github.com/OpenSC/Wiki). Obviously, if you want to use eOI in buster, then you need to compile OpenPACE by hand before compiling OpenSC.

If your point is that there is a wrong flag on the first slot of the PKCS#11 mapping, please explain where this leads to a problem. Is it impossible to use some key on the card or does the supposedly bad first slot cause a problem with some application?


msetina commented on July 18, 2024

Thank you for your answer.
I did what you said and built OpenPACE on Debian and rebuilt OpenSC successfully. After that I added the security DB for Chrome to use. In Chrome and Chromium I get only one (pinless) token added, but Chrome asks for a PIN.
[Screenshot from 2024-02-19 10-43-01]
The problem with one token instead of the 3 listed from the card (pkcs11-tool -L) is probably the same as with #2986. pkcs15-tool -k returns only one key.
pkcs15-tool --list-applications returns 3 apps, but probably only 2 are relevant for OpenSC. One (pinless) is the one I am seeing. The other one should ask for a PIN and is usable for higher-security uses (see #2986 (comment)).

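The question in this thread is which of the three slots reported by pkcs11-tool -L is the pinless one and whether the PIN prompt in Chrome comes from the slot's flags or from the client. The following added example (not OpenSC code, and not posted by anyone in the thread) parses the text that pkcs11-tool -L prints and reports, per slot, whether the token sets the "login required" flag (pkcs11-tool's rendering of CKF_LOGIN_REQUIRED). The sample output embedded below is constructed to mimic that format; the reader name, token labels and serial number are invented and not taken from the reporter's card.

```python
"""Classify the slots in `pkcs11-tool -L` output by their login-required flag.

Added example for this thread, not OpenSC's own code. SAMPLE_OUTPUT is a
constructed imitation of pkcs11-tool's format: reader name, labels and the
serial number are invented.
"""
import re
from dataclasses import dataclass, field

SAMPLE_OUTPUT = """\
Available slots:
Slot 0 (0x0): Example Reader 00 00
  token label        : eOI (pinless application)
  token manufacturer : Example
  token model        : PKCS#15 emulated
  token flags        : rng, token initialized
  hardware version   : 0.0
  firmware version   : 0.0
  serial num         : 0000000000000001
  pin min/max        : 0/0
Slot 1 (0x1): Example Reader 00 00
  token label        : eOI (Auth PIN)
  token manufacturer : Example
  token model        : PKCS#15 emulated
  token flags        : login required, rng, token initialized, PIN initialized
  hardware version   : 0.0
  firmware version   : 0.0
  serial num         : 0000000000000001
  pin min/max        : 4/8
Slot 2 (0x2): Example Reader 00 00
  token label        : eOI (Sign PIN)
  token manufacturer : Example
  token model        : PKCS#15 emulated
  token flags        : login required, rng, token initialized, PIN initialized
  hardware version   : 0.0
  firmware version   : 0.0
  serial num         : 0000000000000001
  pin min/max        : 4/8
Slot 3 (0x3): Example Reader 00 00
  (empty)
"""

# "Slot 0 (0x0): <reader name>" opens a slot; indented "key : value" lines follow.
SLOT_RE = re.compile(r"^Slot (\d+) \((0x[0-9a-fA-F]+)\): (.*)$")
FIELD_RE = re.compile(r"^\s+([A-Za-z][A-Za-z /#]*?)\s*:\s*(.*)$")


@dataclass
class Slot:
    index: int
    reader: str
    present: bool = True            # False when pkcs11-tool prints "(empty)"
    fields: dict = field(default_factory=dict)

    @property
    def label(self) -> str:
        return self.fields.get("token label", "")

    @property
    def flags(self) -> set:
        raw = self.fields.get("token flags", "")
        return {f.strip() for f in raw.split(",") if f.strip()}

    @property
    def login_required(self) -> bool:
        # pkcs11-tool prints CKF_LOGIN_REQUIRED as the words "login required".
        return "login required" in self.flags


def parse_slots(text: str) -> list:
    """Turn pkcs11-tool -L output into a list of Slot objects, in slot order."""
    slots, current = [], None
    for line in text.splitlines():
        m = SLOT_RE.match(line)
        if m:
            current = Slot(int(m.group(1)), m.group(3).strip())
            slots.append(current)
            continue
        if current is None:
            continue                # header lines such as "Available slots:"
        if line.strip() == "(empty)":
            current.present = False
            continue
        m = FIELD_RE.match(line)
        if m:
            current.fields[m.group(1).strip()] = m.group(2).strip()
    return slots


def pinless_tokens(slots: list) -> list:
    """Tokens that are present but do not advertise login required."""
    return [s for s in slots if s.present and not s.login_required]


def summarize(text: str) -> list:
    """One human-readable line per slot; what you would eyeball after `pkcs11-tool -L`."""
    lines = []
    for s in parse_slots(text):
        if not s.present:
            lines.append(f"slot {s.index}: empty")
        else:
            mode = "PIN required" if s.login_required else "pinless (no login required)"
            lines.append(f"slot {s.index}: {s.label!r} - {mode}")
    return lines


if __name__ == "__main__":
    print("\n".join(summarize(SAMPLE_OUTPUT)))
```

Run it against real output with `pkcs11-tool -L > slots.txt` and `parse_slots(open("slots.txt").read())`. If a slot shows up without "login required" and a browser still prompts for a PIN on it, the prompt is not driven by that token's flag; with NSS clients this matches the behaviour the maintainer describes later in the thread, where every PIN is tried on card detection.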

frankmorgner commented on July 18, 2024

pkcs15-tool -k only lists a subset of the private keys with respect to the whole token, because exactly one card application is bound. You may want to select the desired one with --aid. That being said, however, PKCS#11 exposes all available card applications and keys, i.e. Chrome DOES see all keys and certificates.

It is a known issue of NSS clients such as Firefox and Chromium on Linux that they try to verify every possible PIN on card detection, even though not every one is needed to unlock the specific key. You may want to post a bug report at Mozilla.

In OpenSC, we have integrated a detection for NSS-powered browsers so that only the card application for authentication is exposed, with exactly one PIN. Could you please check if that works correctly in your case? To check, please start Firefox and configure OpenSC as "certificate module" (you could also use pkcs11-register as a shortcut). If you still see all three slots of your card in the overview, this could mean that we need to change something inside the eOI driver.


msetina commented on July 18, 2024

I was able to enable the card in Firefox. I noticed that when using modutil for Chrome I used onepin-opensc-pkcs11.so, but for Firefox I used opensc-pkcs11.so. There is no difference, as both ask for a PIN before listing certificates. I noticed the difference that when I enter the correct PIN for the card I get only one certificate, but when I enter no PIN (blank) I get my cert, issuer cert and root cert listed by Firefox. Those 3 certificates are listed with pkcs15-tool -c. Firefox finds only one slot:
[Screenshot from 2024-02-19 12-52-26]
[Screenshot from 2024-02-19 12-53-34]

I tried to enable the other app with command line tools, but I failed to find enough info online to be confident.


frankmorgner commented on July 18, 2024

With the 0.24.0 release, the functionality of the onepin module is integrated into the base module, and it is expected that you should see no difference. We still keep the onepin module for backward compatibility.

That you see only one slot is intended as well, because we only want to expose the authentication certificate in the browsers, due to the NSS issue mentioned above. Is this the correct slot (i.e. certificate)?

Regarding the PIN prompts, please check the RC for 0.25.0 to see if this is still present, because #2928 and #2924 may have fixed that.


msetina commented on July 18, 2024

No, it is not the slot that is intended for authentication with the card. The 2 slots in the other application are the ones intended for that.


msetina commented on July 18, 2024

I think I managed to find the problem. OpenSC on some level by default decides that the app E828BD080F014E585031 is the right app to use. This is not correct, as this app has pinless access, which is OK maybe for some uses, but not for identification or signing. The example opensc.conf has the proper setup for the card. If someone needs the pinless part of the card they should modify it via the conf file. The default app after installation should be E828BD080F014E585030. With this app, access to the keys is possible only with a PIN.


msetina commented on July 18, 2024

Where should card support set the default app, if there is no conf entry, to be presented to the user?

Both apps I mentioned are usable to users, but E828BD080F014E585030 is the app that most would expect OpenSC to present its slots from, as those slots are the ones that can be used for signing and identity. Users of E828BD080F014E585031 should set the conf entry, as the slot in there is special in every way, since it does not need a PIN to access (so, no login), as controversial as that may be.


msetina commented on July 18, 2024

@frankmorgner I've built 0.25.0-rc1 on Debian buster and the status concerning the eOI driver is the same as on 0.24.0. The slot that should be pinless still gets a PIN prompt in Chrome.


msetina commented on July 18, 2024

FYI: On Ubuntu 22.04 desktop with version 0.24.0, opensc-tool -D would core dump close to the end of the list. If interested, I can provide debug info. With 0.25.0-rc1, on the other hand, the problem is fixed.


msetina commented on July 18, 2024

FYI: On Ubuntu 22.04 desktop there was a core dump on 0.25.0-rc1 while signing a PDF with pyHanko (which uses python-pkcs11); after applying release 0.25.0 the core dump did not repeat.

