ykneo-openpgp
opensc compatibility
The openpgp applet today is not compatible with opensc. It would probably be a good idea to be compatible, even if opensc requires the ATR to be listed to recognize the card.
+1
:+1:
+1
So what's involved in making this happen? Is it about patching OpenSC, or is something required in the applet?
It's probably only changes to the applet to conform to expectations of OpenSC.
As the openpgp driver in OpenSC does its detection based on ATR, the driver choice has to be forced instead of autodetected. The first and simplest test is to run:
$ OPENSC_DEBUG=9 opensc-tool -c openpgp -n
and compare with a standard openpgp card.
It seems that OpenSC sends SELECT-FILE:
00 A4 04 00 06 D2 76 00 01 24 01 00
The OpenPGP card returns
62 15 84 10 D2 76 00 01 24 01 02 00 00 05 00 00
21 E4 00 00 8A 01 05 90 00
but Yubico only returns
90 00
The OpenPGP spec 2.0 allows returning an FCI or empty (p. 31), but OpenSC bails out, expecting either an FCI or FCP response.
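The two SELECT responses quoted above, decoded and checked in Python, as an added example that is not part of the thread and is not OpenSC's code. `parse_tlv` and `check_select_response` are hypothetical names; `strict=True` models a host that insists on a template, `strict=False` one that also accepts the bare `90 00`.

```python
# Added example; the byte strings are the ones quoted in this thread.
CARD_RESP = bytes.fromhex(
    "62 15 84 10 D2 76 00 01 24 01 02 00 00 05 00 00 "
    "21 E4 00 00 8A 01 05 90 00")
NEO_RESP = bytes.fromhex("90 00")
OPENPGP_AID_PREFIX = bytes.fromhex("D2 76 00 01 24 01")  # data field of the SELECT
TEMPLATE_TAGS = (0x62, 0x6F)  # ISO 7816-4: 0x62 = FCP template, 0x6F = FCI template
DF_NAME = 0x84                # ISO 7816-4: DF name (AID) inside the template

def parse_tlv(data):
    """Parse one-byte-tag BER-TLV (short or 0x81 length) into (tag, value) pairs."""
    out, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated TLV header")
        tag, length = data[i], data[i + 1]
        i += 2
        if length == 0x81:
            if i >= len(data):
                raise ValueError("truncated length")
            length = data[i]
            i += 1
        elif length > 0x7F:
            raise ValueError("unsupported length form")
        if i + length > len(data):
            raise ValueError("TLV value overruns buffer")
        out.append((tag, data[i:i + length]))
        i += length
    return out

def check_select_response(resp, strict):
    """Return (ok, aid). An empty body passes only when strict is False."""
    if len(resp) < 2 or resp[-2:] != b"\x90\x00":
        return (False, None)          # status word is not success
    body = resp[:-2]
    if not body:
        return (not strict, None)     # bare 90 00, as the NEO applet answers
    try:
        top = parse_tlv(body)
        if len(top) != 1 or top[0][0] not in TEMPLATE_TAGS:
            return (False, None)
        inner = dict(parse_tlv(top[0][1]))
    except ValueError:
        return (False, None)          # malformed template: reject, never guess
    aid = inner.get(DF_NAME)
    ok = aid is not None and aid.startswith(OPENPGP_AID_PREFIX)
    return (ok, aid if ok else None)
```

In the standard card's answer, tag `84` carries the full 16-byte AID and tag `8A` the life cycle status byte `05`.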
> The OpenPGP spec 2.0 allows returning an FCI or empty (p. 31), but OpenSC bails out, expecting either an FCI or FCP response.
Sounds like OpenSC is not following the spec? In this case we should patch OpenSC instead of the applet?
What's the SELECT FILE command supposed to do? If we can make OpenSC accept this (supposedly legal?) output, would it make the OpenSC OpenPGP PKCS#11 driver work? That would be good -- I just read http://changelog.complete.org/archives/9381-detailed-smart-card-cryptographic-token-security-guide and it suggested the neo didn't work with opensc in openpgp mode.
Just stumbled across this; a bug report would have been nice...
Anyway, it's fixed in OpenSC with https://github.com/OpenSC/OpenSC/pull/1232