[PATCH] support for Italian CNS

[ep]

This patch adds seemingly working support for the Italian CNS (eID and more) card.

[ep]

README and patches

[ep]

NOTE: if you test this, do not forget to edit opensc.conf and enable "itacns" for "builtin_emulators" in the "framework pkcs15" section.

[alonbl]

Is it ready for merge? No opened issues? Why did you not enable the driver is opensc.conf?

[ep]

Replying to alonbl:

Is it ready for merge? No opened issues? Why did you not enable the driver is opensc.conf?

I forgot that it can/should be enable in the default configuration; thanks for reminding me!

I'd like to get some more testing/reports, but I guess that I'd get them more easily if it's in trunk, and it should not hurt anyone. I'll post here an updated version with a couple of enhancements (PUK, more standard data objects, detection of the official ID card) and a couple of fixes (the configuration and PIN retries, as soon as I figure it out). That will be ready for merge, in my opinion.

Thanks!

[ep]

Updated patch

[ep]

itacns-0.2.tar.gz is ready for merge, IMO. No open issues that I could detect.

[ep]

Version 0.3, with Secure Messaging

[ep]

Version 0.3 has some more important changes, all related to the implementation of Secure Messaging; I'll soon post a message onto the mailing list rather than explain them here.

[ep]

Version 0.3 is being actively tested and developed by a team. Interested parties can download the latest version of the patches from the Mercurial repository at  http://itacns.corp.it/hg/itacns/ .

[martin]

Milestone 0.11.7 deleted

[martin]

In addition to the small things this patch does, it adds support for secure messaging, which design might not be the only and best solution.

[viktor.tarasov@…]

Martin Paljak wrote:
Can you have a look and see if:
a) parts of it can be integrated anyway
b) some of the code could be re-used for a better SM implementation
c) some parts of the design can be upgraded on the way

I take this ticket.

[viktor.tarasov@…]

I've been too optimistic, it'll be hardly possible to integrate these patchs without having CNS card .

I would like to do it in the two stages: first of all the support of CNS card without secure messaging; then some more general support of SM.

Afais, in the CNS card the SM protects qualified signature and associated PINs. So, at the first stage, the support of CNS card without Q-Sign key and SignPIN should be implemented.

Proposed patch make some touchs of the core sources, imho, not always justified; it uses deprecated PRKEY access; Sign PIN flags, defined in CNS emulator, imho, should be corrected... that's what I've seen at the first glance. It'll be difficult to make a changes to this patch without card.

So, I propose to postpone CNS ard support untill the better times.

[ep]

Replying to viktor.tarasov@…:

I've been too optimistic, it'll be hardly possible to integrate these patchs without having CNS card .

I do and I'm willing to do the work :)

I would like to do it in the two stages: first of all the support of CNS card without secure messaging; then some more general support of SM.

That's the path I took. I agree completely with your view.

Proposed patch make some touchs of the core sources, imho, not always justified;

IIRC, they were needed workarounds; I feel that we could at least conditionally include those of them that are really needed.

it uses deprecated PRKEY access; Sign PIN flags, defined in CNS emulator, imho, should be corrected... that's what I've seen at the first glance.

Please give me a pointer or two, if you have time. The PRKEY issue completely escapes me right now (couldn't dig up anything in the mailing list).

Otherwise, I'll try to keep the patches in sync with OpenSC.

Thanks!

[viktor.tarasov@…]

About PRKEY: I've seen in the patch a new SC_PKCS15_PRKEY_ACCESS_SIGN_WITH_DECRYPT flag, that I confounded with recently deprecated SC_PKCS15_CARD_FLAG_SIGN_WITH_DECRYPT .

About SignPIN flags: the both SignPIN and SignPUK have the SC_PKCS15_PIN_FLAG_UNBLOCKING_PIN flag.

[mike3050]

Replying to ep:

Replying to viktor.tarasov@…:

I've been too optimistic, it'll be hardly possible to integrate these  auto insurance quotes patchs without having CNS card .

I do and I'm willing to do the work :)

I would like to do it in the two stages: first of all the support of CNS card without secure messaging; then some more general support of SM.

That's the path I took. I agree completely with your view.

Proposed patch make some touchs of the core sources, imho, not always justified;

IIRC, they were needed workarounds; I feel that we could at least conditionally include those of them that are really needed.

it uses deprecated PRKEY access; Sign PIN flags, defined in CNS emulator, imho, should be corrected... that's what I've seen at the first glance.

Please give me a pointer or two, if you have time. The PRKEY issue completely escapes me right now (couldn't dig up anything in the mailing list). Otherwise, I'll try to keep the patches in sync with OpenSC. Thanks!

Thank you.

[ep]

The last patch is aligned with the current trunk.

[soujak]

Replying to ep:

The last patch is aligned with the current trunk.

Just thanks. I'm going to test it in the next weeks.

[ep]

Updated patch against current trunk.

[ep]

Updated; further clean-up performed.

[ep]

Cardholder name is now included in the PKCS #15 label