
Mailing List Archive: GnuPG: devel

pinpad entry support in Git repository

 

 



gniibe at fsij

Dec 1, 2011, 9:09 PM

Post #1 of 11 (1013 views)
Permalink
pinpad entry support in Git repository

Hi,

In the Git repository of GnuPG (of master branch), I added pinpad
input support for PC/SC. It is enabled for OpenPGPcard 2.0.

Could you please test it out?

(1) pinpad input for verify for user
(2) pinpad input for verify for admin
(3) pinpad input for passphrase modification by user
(4) pinpad input for passphrase modification by admin

Please let me know your reader and its features (has display or not).

If it is stable enough, I would like to apply changes to stable
branch.

Thanks in advance.
--



_______________________________________________
Gnupg-devel mailing list
Gnupg-devel [at] gnupg
http://lists.gnupg.org/mailman/listinfo/gnupg-devel


nils.faerber at kernelconcepts

Dec 2, 2011, 1:41 AM

Post #2 of 11 (983 views)
Permalink
Re: pinpad entry support in Git repository [In reply to]

On 02.12.2011 06:09, NIIBE Yutaka wrote:
> Hi,
Hi!

> In the Git repository of GnuPG (of master branch), I added pinpad
> input support for PC/SC. It is enabled for OpenPGPcard 2.0.
>
> Could you please test it out?
>
> (1) pinpad input for verify for user
> (2) pinpad input for verify for admin
> (3) pinpad input for passphrase modification by user
> (4) pinpad input for passphrase modification by admin
>
> Please let me know your reader and its features (has display or not).
>
> If it is stable enough, I would like to apply changes to stable
> branch.

This is great news!
I have been waiting for this for quite some time - many thanks for your
effort!

For the moment though I am not able to test it but anyway I wanted to
communicate my great appreciation for your work.

Thanks again!

> Thanks in advance.
Cheers
nils

--
kernel concepts GmbH Tel: +49-271-771091-12
Sieghuetter Hauptweg 48
D-57072 Siegen Mob: +49-176-21024535
http://www.kernelconcepts.de
Attachments: signature.asc (0.19 KB)


bjk at luxsci

Dec 3, 2011, 1:07 PM

Post #3 of 11 (988 views)
Permalink
Re: pinpad entry support in Git repository [In reply to]

On Fri, Dec 02, 2011 at 02:09:19PM +0900, NIIBE Yutaka wrote:
> Hi,
>
> In the Git repository of GnuPG (of master branch), I added pinpad
> input support for PC/SC. It is enabled for OpenPGPcard 2.0.
>
> Could you please test it out?
>
> (1) pinpad input for verify for user
> (2) pinpad input for verify for admin
> (3) pinpad input for passphrase modification by user
> (4) pinpad input for passphrase modification by admin
>
> Please let me know your reader and its features (has display or not).
>
> If it is stable enough, I would like to apply changes to stable
> branch.

I have a GemPlus USB-SL which does not have a pinpad and am having
problems with this patch. I think I have narrowed it down to
check_pcsc_keypad() and control_pcsc_wrapped() returning "premature EOF"
after sending the CM_IOCTL_GET_FEATURE_REQUEST ioctl (or does that
determine if there is pinpad support or not?).

scdaemon later fails with "verify CHV2 failed: General error" after
pinentry retrieves my PIN.

--
Ben Kibbey
[XMPP: bjk AT jabber DOT org] - [IRC: (bjk) FreeNode/OFTC]



bjk at luxsci

Dec 4, 2011, 8:40 AM

Post #4 of 11 (984 views)
Permalink
Re: pinpad entry support in Git repository [In reply to]

On Sat, Dec 03, 2011 at 04:07:49PM -0500, Ben Kibbey wrote:
> On Fri, Dec 02, 2011 at 02:09:19PM +0900, NIIBE Yutaka wrote:
> > Hi,
> >
> > In the Git repository of GnuPG (of master branch), I added pinpad
> > input support for PC/SC. It is enabled for OpenPGPcard 2.0.
> >
> > Could you please test it out?
> >
> > (1) pinpad input for verify for user
> > (2) pinpad input for verify for admin
> > (3) pinpad input for passphrase modification by user
> > (4) pinpad input for passphrase modification by admin
> >
> > Please let me know your reader and its features (has display or not).
> >
> > If it is stable enough, I would like to apply changes to stable
> > branch.
>
> I have a GemPlus USB-SL which does not have a pinpad and am having
> problems with this patch. I think I have narrowed it down to
> check_pcsc_keypad() and control_pcsc_wrapped() returning "premature EOF"
> after sending the CM_IOCTL_GET_FEATURE_REQUEST ioctl (or does that
> determine if there is pinpad support or not?).
>
> scdaemon later fails with "verify CHV2 failed: General error" after
> pinentry retrieves my PIN.

Never mind. Working now.

Thanks,

--
Ben Kibbey
[XMPP: bjk AT jabber DOT org] - [IRC: (bjk) FreeNode/OFTC]



gniibe at fsij

Dec 18, 2011, 7:59 PM

Post #5 of 11 (960 views)
Permalink
Re: pinpad entry support in Git repository [In reply to]

On 2011-12-02 at 14:09 +0900, NIIBE Yutaka wrote:
> Could you please test it out?
>
> (1) pinpad input for verify for user
> (2) pinpad input for verify for admin
> (3) pinpad input for passphrase modification by user
> (4) pinpad input for passphrase modification by admin

I think that it's better to have a test program that tests the features
of the card reader, instead of asking for tests with GnuPG.

Thus, I wrote a python script. Attached is a program which tests PIN
entry using pinpad of card reader. It requires "Pyscard", smartcard
library for python. See http://pyscard.sourceforge.net/ for Pyscard.

This test program assumes that OpenPGP card v2 is inserted to it.

There are nine cases (if card reader supports all).

$ pinpad-test                     # verify user's PIN
$ pinpad-test --admin             # verify admin's PIN
$ pinpad-test --change            # change user's PIN
$ pinpad-test --change --admin    # change admin's PIN
$ pinpad-test --change2           # change user's PIN by two steps
$ pinpad-test --change2 --admin   # change admin's PIN by two steps
$ pinpad-test --unblock           # change user's PIN by reset code
$ pinpad-test --unblock --admin   # change user's PIN by admin's PIN
$ pinpad-test --put               # setup resetcode

Please test your readers, if they come with pinpad. And let me know
the result. Thanks in advance.

I maintain this script in the Gnuk repository:
http://www.gniibe.org/gitweb?p=gnuk.git;a=blob;f=tool/pinpad-test.py
--
Attachments: pinpad-test.py (10.8 KB)


gniibe at fsij

Jan 4, 2012, 5:37 PM

Post #6 of 11 (920 views)
Permalink
Re: pinpad entry support in Git repository [In reply to]

Happy New Year, everyone!

On 2011-12-19 at 12:59 +0900, NIIBE Yutaka wrote:
> Thus, I wrote a python script. Attached is a program which tests PIN
> entry using pinpad of card reader. It requires "Pyscard", smartcard
> library for python. See http://pyscard.sourceforge.net/ for Pyscard.
>
> This test program assumes that OpenPGP card v2 is inserted to it.

I updated the test program for pinpad entry. It is also renamed (with
no hyphen in the filename). Attached is the newest version, which is
also available at:

http://www.gniibe.org/gitweb?p=gnuk.git;a=blob;f=tool/pinpadtest.py

It is extensively tested with Vasco DIGIPASS 920. Note that the
reader has firewall feature which doesn't allow VERIFY or CHANGE
REFERENCE DATA command with data from host, but only allows pinpad
entry by the reader. With no pinpad entry support, this reader would be
useless. It works well except --unblock --admin.

I also tested with Gemalto's GemPC PinPad Smart Card Reader
(08e6:3478) which has the firmware "GemTwRC2-V2.10-GL04".
Unfortunately, it seems that this reader doesn't support variable
length PIN.

Please test your readers, if they come with pinpad. And let me know
the result. Thanks again, in advance.
--
Attachments: pinpadtest.py (14.5 KB)


martin at martinpaljak

Jan 11, 2012, 1:01 AM

Post #7 of 11 (913 views)
Permalink
Re: pinpad entry support in Git repository [In reply to]

Hello,

On Thu, Jan 5, 2012 at 03:37, NIIBE Yutaka <gniibe [at] fsij> wrote:
> Happy New Year, everyone!
>
> On 2011-12-19 at 12:59 +0900, NIIBE Yutaka wrote:
>> Thus, I wrote a python script.  Attached is a program which tests PIN
>> entry using pinpad of card reader.  It requires "Pyscard", smartcard
>> library for python.  See http://pyscard.sourceforge.net/ for Pyscard.
>>
>> This test program assumes that OpenPGP card v2 is inserted to it.
>
> I updated the test program for pinpad entry.  It is also renamed (with
> no hyphen in the filename).  Attached is the newest version, which is
> also available at:
>
>   http://www.gniibe.org/gitweb?p=gnuk.git;a=blob;f=tool/pinpadtest.py
>
> It is extensively tested with Vasco DIGIPASS 920.  Note that the
> reader has firewall feature which doesn't allow VERIFY or CHANGE
> REFERENCE DATA command with data from host, but only allows pinpad
> entry by the reader.  With no pinpad entry support, this reader would be
> useless.  It works well except --unblock --admin.
>
> I also tested with Gemalto's GemPC PinPad Smart Card Reader
> (08e6:3478) which has the firmware "GemTwRC2-V2.10-GL04".
> Unfortunately, it seems that this reader doesn't support variable
> length PIN.
>
> Please test your readers, if they come with pinpad.  And let me know
> the result.  Thanks again, in advance.

Did some testing with three readers that were not mentioned, which I
had available. Attached a small "report".
Reader 1: ACS non-CCID reader ACR83, with the vendor-provided modified
CCID driver. Did not work at all.
Reader 2: Gemalto Ezio Shield (variant): PIN commands worked as
expected (with pinmax up to 32, I did not type 32 digits though),
plaintext PIN commands were disallowed with 6d00
Reader 3: Omnikey 3821: worked as expected with pinpad.

Also a small patch against pinpadtest.py as I have several readers I
can't disconnect.

It might make sense to make a "probing script" that would discover
deficiencies in reader firmwares (like require certain message bits
(some of them are fixed in the CCID driver) or require fixed PIN
lengths etc)

Hope this helps,

Martin
Attachments: report.txt (1.74 KB)
  0001-pinpadtest-allow-working-with-more-than-a-single-con.patch (1.07 KB)


wk at gnupg

Jan 11, 2012, 3:37 AM

Post #8 of 11 (899 views)
Permalink
Re: pinpad entry support in Git repository [In reply to]

On Wed, 11 Jan 2012 10:01, martin [at] martinpaljak said:

> Reader 3: Omnikey 3821: worked as expected with pinpad.

Are you sure about this? Do they now support extended length APDUs via
CCID or still only with their Windows driver?


Shalom-Salam,

Werner

--
Thoughts are free. Exceptions are regulated by a federal law.




martin at martinpaljak

Jan 11, 2012, 4:27 AM

Post #9 of 11 (898 views)
Permalink
Re: pinpad entry support in Git repository [In reply to]

On Wed, Jan 11, 2012 at 13:37, Werner Koch <wk [at] gnupg> wrote:
> On Wed, 11 Jan 2012 10:01, martin [at] martinpaljak said:
>
>> Reader 3: Omnikey 3821: worked as expected with pinpad.
>
> Are you sure about this?  Do they now support extended length APDUs via
> CCID or still only with their Windows driver?

I don't believe that PIN commands require extended APDU-s for normal people.

Lack of extended APDU-s for this reader is also written to the CCID
driver matrix limitations:

http://pcsclite.alioth.debian.org/ccid/limitations.html#180


Martin



wk at gnupg

Jan 11, 2012, 5:13 AM

Post #10 of 11 (897 views)
Permalink
Re: pinpad entry support in Git repository [In reply to]

On Wed, 11 Jan 2012 13:27, martin [at] martinpaljak said:

> I don't believe that PIN commands require extended APDU-s for normal people.

It is more about the usability of the reader. For modern cards it is thus
unusable with free software. We won't add any specific support for it.
If they would open the specs and describe how to exactly use the escape
sequences which allow sending of extended length APDUs, we can
reconsider that.


Shalom-Salam,

Werner

--
Thoughts are free. Exceptions are regulated by a federal law.




gniibe at fsij

Jan 11, 2012, 5:12 PM

Post #11 of 11 (899 views)
Permalink
Re: pinpad entry support in Git repository [In reply to]

On 2012-01-11 at 11:01 +0200, Martin Paljak wrote:
> Did some testing with three readers that were not mentioned, which I
> had available. Attached a small "report".

Thanks a lot.

> Reader 1: ACS non-CCID reader ACR83, with the vendor-provided modified
> CCID driver. Did not work at all.
> Reader 2: Gemalto Ezio Shield (variant): PIN commands worked as
> expected (with pinmax up to 32, I did not type 32 digits though),
> plaintext PIN commands were disallowed with 6d00
> Reader 3: Omnikey 3821: worked as expected with pinpad.
>
> Also a small patch against pinpadtest.py as I have several readers I
> can't disconnect.

I added your patch to the script.

> It might make sense to make a "probing script" that would discover
> deficiencies in reader firmwares (like require certain message bits
> (some of them are fixed in the CCID driver) or require fixed PIN
> lengths etc)

Pinpad entry for variable length PIN is a corner area. If there is a
way to identify card readers with PC/SC API, we could have a white list
or black list, but I don't know a portable way to distinguish readers.

It would be good if we can do probing of the feature with no user
intervention, but I don't have an idea for that.
--
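
An added example, not part of any post in this thread and not code from pinpadtest.py or GnuPG: a sketch of the probing idea discussed above, decoding a reader's CM_IOCTL_GET_FEATURE_REQUEST reply (and, where the reader offers it, a GET_TLV_PROPERTIES reply) without asking anyone to type a PIN. Assumptions: tag numbers follow PC/SC part 10, the byte strings are constructed samples rather than captures, and a reader's self-reported PIN sizes may not match what its firmware actually accepts.

```python
import struct

# Feature tags from PC/SC part 10 (subset relevant to pinpad entry).
FEATURES = {0x06: "VERIFY_PIN_DIRECT", 0x07: "MODIFY_PIN_DIRECT",
            0x0A: "IFD_PIN_PROPERTIES", 0x12: "GET_TLV_PROPERTIES"}
# Property tags returned by FEATURE_GET_TLV_PROPERTIES (subset).
PROP_MIN_PIN, PROP_MAX_PIN = 0x06, 0x07
# Constructed sample replies for a pinpad reader (not captured from hardware).
PINPAD_FEATURES = bytes.fromhex("060442330006" "070442330007" "120442330012")
PINPAD_PROPS = bytes.fromhex("060104" "070108")  # min PIN 4, max PIN 8


def parse_features(resp):
    """Map feature name -> control code from a GET_FEATURE_REQUEST reply."""
    found, i = {}, 0
    while i < len(resp):
        if i + 2 > len(resp):
            raise ValueError("truncated TLV header at offset %d" % i)
        tag, length = resp[i], resp[i + 1]
        value = resp[i + 2:i + 2 + length]
        if length != 4 or len(value) != 4:
            raise ValueError("bad feature TLV at offset %d" % i)
        if tag in FEATURES:
            found[FEATURES[tag]] = struct.unpack(">I", value)[0]
        i += 2 + length
    return found


def parse_pin_sizes(props):
    """Return (min, max) PIN size from a TLV properties reply; None if absent."""
    sizes, i = {}, 0
    while i + 2 <= len(props):
        tag, length = props[i], props[i + 1]
        value = props[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated property at offset %d" % i)
        if tag in (PROP_MIN_PIN, PROP_MAX_PIN) and length == 1:
            sizes[tag] = value[0]
        i += 2 + length
    return sizes.get(PROP_MIN_PIN), sizes.get(PROP_MAX_PIN)


def classify(feature_resp, props_resp=b""):
    """Summarise what a reader claims; an empty reply means no pinpad features."""
    feats = parse_features(bytes(feature_resp))
    lo, hi = parse_pin_sizes(bytes(props_resp))
    return {"verify": "VERIFY_PIN_DIRECT" in feats,
            "modify": "MODIFY_PIN_DIRECT" in feats,
            "fixed_length_pin": lo is not None and lo == hi}
```

With Pyscard, the two replies would come from the connection's control call; `classify` also accepts the list of integers that call returns.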


