
Mailing List Archive: GnuPG: devel

Extended length APDU solved for Cardman

 

 



wk at gnupg

Jun 30, 2009, 12:33 AM

Post #1 of 3 (1032 views)
Extended length APDU solved for Cardman

Hi Ludovic,

After spending too much time trying to trace the USB commands of the
Cardman readers using Windows under KVM I switched back to the old
sniffusb tool on native Windows.

I figured out how to send extended APDUs and it works now with GnuPG's
internal driver and the new OpenPGP card. I have not yet tested other
cards. Tested with a CM6121 and the CM4040 PCCARD reader. I still need
to check whether the Cherry keyboard works the same way and maybe even
try the KAAN reader.

You need to switch to TPDU mode for extended length APDUs. They are
sent using the CCID Escape sequence 00 00 00 1A followed by the TPDU.
The response is a 1A followed by the TPDU. The only problem is that you
need to resync the T=1 sequence counter if the reader returns an error
(which is likely). Make sure to use a NAD of 0x00.

If you want to trace stuff yourself
http://cvs.gnupg.org/cgi-bin/viewcvs.cgi/trunk/tools/ccidmon.c?root=GnuPG
might be useful. Should build as a standalone program; usage is

ccidmon --sniffusb <logfile.usb



Salam-Shalom,

Werner

--
Thoughts are free. Exceptions are regulated by a federal law.


_______________________________________________
Gnupg-devel mailing list
Gnupg-devel [at] gnupg
http://lists.gnupg.org/mailman/listinfo/gnupg-devel
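
The framing described in the post above, as an added example that is not part of the original thread and not GnuPG's driver code: it splits an extended length APDU into chained T=1 I-blocks with NAD 0x00, builds the S(RESYNCH) request used to reset the sequence counter, and validates a 1A-tagged response. Assumptions: the quoted bytes 00 00 00 1A are treated as a literal prefix of the Escape payload, the IFSC is 254, the error check is the T=1 LRC, and all function names are hypothetical.

```c
#include <stdint.h>
#include <string.h>

/* Bytes quoted in the post. Assumption: they are prepended to the T=1 block. */
static const uint8_t ESC_PREFIX[4] = { 0x00, 0x00, 0x00, 0x1A };
#define IFSC 254 /* assumed information field size; a driver takes it from the ATR */

/* T=1 LRC: XOR over NAD, PCB, LEN and INF. */
uint8_t t1_lrc(const uint8_t *p, size_t n) {
    uint8_t x = 0;
    while (n--) x ^= *p++;
    return x;
}

/* Wrap the next chunk of apdu (from *off) in an I-block with NAD 0x00 and
   sequence bit ns; sets the chaining bit when more data follows.
   Returns bytes written to out, or 0 if nothing is left or out is too small. */
size_t build_iblock(uint8_t *out, size_t outsz, const uint8_t *apdu,
                    size_t apdulen, size_t *off, unsigned ns) {
    if (*off >= apdulen) return 0;
    size_t n = apdulen - *off;
    int more = n > IFSC;
    if (more) n = IFSC;
    if (outsz < n + 8) return 0;
    memcpy(out, ESC_PREFIX, 4);
    out[4] = 0x00;                                            /* NAD */
    out[5] = (uint8_t)(((ns & 1) << 6) | (more ? 0x20 : 0));  /* PCB */
    out[6] = (uint8_t)n;                                      /* LEN */
    memcpy(out + 7, apdu + *off, n);
    out[7 + n] = t1_lrc(out + 4, n + 3);
    *off += n;
    return n + 8;
}

/* S(RESYNCH request): after the card answers, both N(S) counters restart at 0. */
size_t build_resync(uint8_t out[8]) {
    memcpy(out, ESC_PREFIX, 4);
    out[4] = 0x00; out[5] = 0xC0; out[6] = 0x00;
    out[7] = t1_lrc(out + 4, 3);
    return 8;
}

/* Check a response (0x1A, then a T=1 block). Returns INF or NULL if malformed. */
const uint8_t *parse_response(const uint8_t *r, size_t rlen, uint8_t *pcb, size_t *inflen) {
    if (rlen < 5 || r[0] != 0x1A || rlen != (size_t)r[3] + 5) return NULL;
    if (t1_lrc(r + 1, rlen - 1) != 0) return NULL; /* XOR including LRC must be 0 */
    *pcb = r[2]; *inflen = r[3];
    return r + 4;
}
```

The caller toggles `ns` after each I-block it sends and starts again from 0 once a resync has been acknowledged.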


ludovic.rousseau at free

Jun 30, 2009, 2:22 AM

Post #2 of 3 (969 views)
Re: Extended length APDU solved for Cardman

----- "Werner Koch" <wk [at] gnupg> wrote:
> Hi Ludovic,

Hello Werner,

> After spending too much time trying to trace the USB commands of the
> Cardman readers using Windows under KVM I switched back to the old
> sniffusb tool on native Windows.
>
> I figured out how to send extended APDUs and it works now with GnuPG's
> internal driver and the new OpenPGP card. I have not yet tested other
> cards. Tested with a CM6121 and the CM4040 PCCARD reader. I still need
> to check whether the Cherry keyboard works the same way and maybe even
> try the KAAN reader.
>
> You need to switch to TPDU mode for extended length APDUs. They are
> sent using the CCID Escape sequence 00 00 00 1A followed by the TPDU.
> The response is a 1A followed by the TPDU. The only problem is that you
> need to resync the T=1 sequence counter if the reader returns an error
> (which is likely). Make sure to use a NAD of 0x00.

You are using a proprietary command to switch the reader into TPDU mode. Is it documented somewhere by Omnikey?

You should not have to play this game with the Kobil KAAN readers. They are declared as "Short and Extended APDU level exchange".

I am surprised you invested so much energy in supporting (limited) readers instead of using existing TPDU or extended APDU readers.

You can also see the page [1] to know the readers you should recommend for use with the OpenPGP card.

> If you want to trace stuff yourself
> http://cvs.gnupg.org/cgi-bin/viewcvs.cgi/trunk/tools/ccidmon.c?root=GnuPG
> might be useful. Should build as a standalone program; usage is
>
> ccidmon --sniffusb <logfile.usb

This tool looks great and I was missing it when I started my CCID driver.

Regards,

[1] http://pcsclite.alioth.debian.org/ccid_extended_apdu.html

--
Dr. Ludovic Rousseau



wk at gnupg

Jun 30, 2009, 3:55 AM

Post #3 of 3 (977 views)
Re: Extended length APDU solved for Cardman

On Tue, 30 Jun 2009 11:22, ludovic.rousseau [at] free said:

> You are using a proprietary command to switch the reader into TPDU mode. Is it documented somewhere by Omnikey?

As usual with Omnikey stuff: Docs are hard to get and they are not eager
to help developers to get their hardware working.

> You should not have to play this game with the Kobil KAAN readers. They are declared as "Short and Extended APDU level exchange".

I had severe problems with mine; according to people working with the
Windows driver it is known that these readers have problems with
extended length APDUs. I have not used mine for weeks; I'll try it
later.

> I am surprised you invested so much energy in supporting (limited) readers instead of using existing TPDU or extended APDU readers.

The driving force is that we have the new OpenPGP cards and can't use
them with laptops. The CM4040 pccard reader is widely used and I
suggested it in the past to many folks; they are now using it on a daily
basis (including me).

> You can also see the page [1] to know the readers you should recommend for use with the OpenPGP card.

I know ;-)


Shalom-Salam,

Werner

--
Thoughts are free. Exceptions are regulated by a federal law.

