Ticket #204 (new task)
Clarify the LGPL situation with OpenSC usage in Portuguese eID software
| Reported by: | martin | Owned by: | joao |
|---|---|---|---|
| Priority: | high | Milestone: | |
| Component: | opensc | Version: | |
| Severity: | normal | Keywords: | licensing |
| Cc: | | Blocked By: | |
| Blocking: | | | |
Description
PortugueseEid apparently includes OpenSC code (probably modified) but does not come with source code or instructions on where to get the source.
A message must be sent to the official agency in Portugal, asking for explanations and source.
This ticket is created to track the communication and collect additional gathered information.
Change History
comment:2 Changed 23 months ago by martin
- Keywords licensing added
See the post on opensc-devel for more information
comment:3 Changed 23 months ago by martin
Carlos Lima from Zetes replied, acknowledging the problem and delegating the fix to the PT government.
comment:4 Changed 22 months ago by martin
An e-mail has been sent to contact addresses found on the web page.
comment:5 Changed 21 months ago by martin
As a result of the mailing, the source code of the modified libopensc is available from the website (direct link).
Preliminary review suggests some parts required to build it are missing, but it's a good start. Based on OpenSC 0.8.1.
comment:6 Changed 20 months ago by joao
Two drivers exist in the source: card-ias.c, which implements partial support for the IAS/ECC specification, and card-pteid.c, which implements partial support for the GemsafeV2 applet. The implemented functionality appears to be the minimum needed for the core OpenSC functionality to work (e.g., select file, read binary, etc.).
In card-ias.c, some specific PTEID hacks can be seen, as the applet does not appear to be fully IAS/ECC compatible.
The official PT middleware is, however, made of more parts that are not OpenSC derived, and therefore are not included in the available source code. Namely:
- A Secure Messaging and crypto layer, which appears to be written in C++.
- A high level card access library. This library allows operations such as reading the citizen photograph, address, ID number, among other data. Please note that this information is ultimately available through OpenSC - but the API makes the access to the data more straightforward, and also validates the data in the card transparently (i.e., it verifies that it was not tampered with).

AMA appears to be the government entity responsible for the supervision of all things related to the "Cartão de Cidadão".
Zetes is the agency responsible for the creation of the official middleware.