Discussion:
access to SmartTerminal XX44
Vieri
2014-03-20 14:05:32 UTC
Hi,


I'm having trouble accessing a smartcard (authentic driver - Cherry MY 8040 USB multiboard keyboard & reader).

pcsc_scan seems to see and identify the card correctly.

However, I haven't tried anything else in Linux (like use the certificate within the card to sign something or access a web site, etc.). In fact, all I really want is to "redirect" the smartcard data to a Windows 2003 Terminal Server.
I use the following command from a Linux client:

rdesktop -r scard rdpserver

I even tried to set the device names accordingly:

rdesktop -r scard:"Cherry GmbH SmartTerminal XX44 00 00"="Cherry GmbH SmartTerminal XX44 0" -f "$RDP_SERVER"

I can see that the reader is detected in Windows Terminal Server and that it detects the events of inserting and removing a card.
However, when connecting with a Windows client, a user certificate is automatically installed in several apps (IE, etc.) whereas it's not if I connect with a Linux rdesktop client.

I compared the 2 logs I get in the Windows 2003 Terminal Server (PC/SC diagnostics tool) when connecting with a Windows client and a Linux rdesktop client.
Basically, when connected from Linux I get "Clock rate" and "BWT" errors. When connected from Windows Clock rate=4MHz and BWT=1439.48 work etu (actually these 2 values may vary if I connect from other Windows clients).

Here are the details (when connected with a Linux client):
Cherry GmbH SmartTerminal XX44 00 00:

Attribute                       |Value
--------------------------------+----------------------------------------------
ATR                             |3b fb 18 00 00 81 31 fe 45 00 31 c0 64 77 e9 10 00 01 90 00 62
Clock rate (MHz)                |Error
Convention                      |direct
Protocol                        |T=1
(TA1) Divider F                 |372
(TA1) Transfer factor D         |12
(TB1) VPP supply                |unnecessary
(TC1) Extra guardtime N         |0 work etu
(TC2) Work waiting time         |115200 work etu
(TA3) IFSC (byte)               |254
(TB3) CWT                       |43 work etu
(TB3) BWT                       |Error
Historical Characters (text)    | 1Àdwé 
Historical Characters (hex)     |00 31 c0 64 77 e9 10 00 01 90 00
 
I posted more debug information on the following forum:
http://forums.gentoo.org/viewtopic-t-986680.html

Below I'm specifying the support data asked for at http://pcsclite.alioth.debian.org/ccid.html#support:

Versions

    CCID driver version: 1.4.15
    pcsc-lite version: 1.8.11
    smart card reader name: Cherry GmbH SmartTerminal XX44
    the output of the command "/usr/sbin/pcscd --version":

pcsc-lite version 1.8.11.
Copyright (C) 1999-2002 by David Corcoran <***@musclecard.com>.
Copyright (C) 2001-2011 by Ludovic Rousseau <***@free.fr>.
Copyright (C) 2003-2004 by Damien Sauveron <***@labri.fr>.
Report bugs to <***@lists.musclecard.com>.
Enabled features: Linux i486-pc-linux-gnu serial usb libudev usbdropdir=/usr/lib/readers/usb ipcdir=/run/pcscd configdir=/etc/reader.conf.d


Platform

    Operating system or GNU/Linux distribution name and version: Linux 3.10.32-std402-i586 #2 SMP Mon Feb 24 21:56:40 UTC 2014 i686 Intel(R) Atom(TM) CPU N450 @ 1.66GHz GenuineIntel GNU/Linux (custom system rescue CD based on Gentoo)
    Smart card middleware name and version: unknown/unused
    Reader manufacturer name and reader model name: Cherry MY 8040 USB (multiboard)
    Smart card name: unknown

Log

    Attached log.txt (recorded while rdesktop connects to the Windows Terminal Server and the user removes and reinserts again the smartcard into the keyboard slot)

Any ideas?

Thanks,

Vieri
Ludovic Rousseau
2014-03-23 10:51:56 UTC
Post by Vieri
Hi,
Hello,
Post by Vieri
I'm having trouble accessing a smartcard (authentic driver - Cherry MY 8040 USB multiboard keyboard & reader).
pcsc_scan seems to see and identify the card correctly.
However, I haven't tried anything else in Linux (like use the certificate within the card to sign something or access a web site, etc.). In fact, all I really want is to "redirect" the smartcard data to a Windows 2003 Terminal Server.
rdesktop -r scard rdpserver
rdesktop -r scard:"Cherry GmbH SmartTerminal XX44 00 00"="Cherry GmbH SmartTerminal XX44 0" -f "$RDP_SERVER"
I can see that the reader is detected in Windows Terminal Server and that it detects the events of inserting and removing a card.
However, when connecting with a Windows client, a user certificate is automatically installed in several apps (IE, etc.) whereas it's not if I connect with a Linux rdesktop client.
I compared the 2 logs I get in the Windows 2003 Terminal Server (PC/SC diagnostics tool) when connecting with a Windows client and a Linux rdesktop client.
Basically, when connected from Linux I get "Clock rate" and "BWT" errors. When connected from Windows Clock rate=4MHz and BWT=1439.48 work etu (actually these 2 values may vary if I connect from other Windows clients).
Attribute |Value
--------------------------------+----------------------------------------------
ATR |3b fb 18 00 00 81 31 fe 45 00 31 c0 64 77 e9 10 00 01 90 00 62
Clock rate (MHz) |Error
Convention |direct
Protocol |T=1
(TA1) Divider F |372
(TA1) Transfer factor D |12
(TB1) VPP supply |unnecessary
(TC1) Extra guardtime N |0 work etu
(TC2) Work waiting time |115200 work etu
(TA3) IFSC (byte) |254
(TB3) CWT |43 work etu
(TB3) BWT |Error
Historical Characters (text) | 1Àdwé
Historical Characters (hex) |00 31 c0 64 77 e9 10 00 01 90 00
http://forums.gentoo.org/viewtopic-t-986680.html
I don't see any problem in the smart card side on GNU/Linux.

rdesktop is also working a minimum since you can get the ATR of the
card on the Windows side. Good.

Windows can't display the "Clock rate" and "BWT" because the Windows
diagnostic tool uses SCardGetAttrib() with the attribute
SCARD_ATTR_CURRENT_CLK (tag: 0x80202) that are is supported by the
PC/SC on the GNU/Linux side.

Maybe your Minidriver, or whatever code is running on the Windows side
to support your card, is also confused by unsupported attributes for
SCardGetAttrib().

Can you debug/modify the Windows code?

Bye
--
Dr. Ludovic Rousseau
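
Added example, not part of the original thread: a Python decoder (ISO/IEC 7816-3 rules) for the ATR quoted above, which reproduces the F, D, protocol, IFSC and CWT rows of the diagnostics table from the ATR alone. BWT also needs the card clock frequency f (BWT = 11 etu + 2^BWI x 960 x 372 / f), which the ATR does not carry; at the 4 MHz reported in the thread the clock term is 1428.48 ms, and the quoted 1439.48 equals that plus 11. All function and variable names are this example's own.

```python
from functools import reduce

# Fi -> F and Di -> D (ISO/IEC 7816-3; reserved values omitted)
F_TABLE = {0: 372, 1: 372, 2: 558, 3: 744, 4: 1116, 5: 1488, 6: 1860,
           9: 512, 10: 768, 11: 1024, 12: 1536, 13: 2048}
D_TABLE = {1: 1, 2: 2, 3: 4, 4: 8, 5: 16, 6: 32, 7: 64, 8: 12, 9: 20}

def parse_atr(hex_atr):
    """Decode interface bytes; return the fields the diagnostics table shows."""
    atr = bytes.fromhex(hex_atr.replace(" ", ""))
    info = {"convention": {0x3B: "direct", 0x3F: "inverse"}[atr[0]]}
    y, k = atr[1] >> 4, atr[1] & 0x0F       # T0: Y1 bitmap, K historical bytes
    pos, i, group_t, protocols, t1 = 2, 1, None, [], {}
    while y:
        for bit, name in ((1, "TA"), (2, "TB"), (4, "TC")):
            if y & bit:
                info[f"{name}{i}"] = atr[pos]
                if i >= 3 and group_t == 1:  # first T=1 specific bytes
                    t1.setdefault(name, atr[pos])
                pos += 1
        if not y & 8:                        # no TDi: interface bytes end here
            break
        td = atr[pos]
        pos += 1
        y, group_t, i = td >> 4, td & 0x0F, i + 1
        if group_t not in protocols:
            protocols.append(group_t)
    ta1 = info.get("TA1", 0x11)              # default Fi=1, Di=1
    info["F"], info["D"] = F_TABLE[ta1 >> 4], D_TABLE[ta1 & 0x0F]
    info["protocols"] = protocols or [0]
    info["historical"] = atr[pos:pos + k].hex(" ")
    if info["protocols"] != [0]:             # TCK present: XOR of T0..TCK is 0
        info["tck_ok"] = reduce(lambda a, b: a ^ b, atr[1:pos + k + 1]) == 0
    if 1 in protocols:
        tb = t1.get("TB", 0x4D)              # default BWI=4, CWI=13
        info["IFSC"] = t1.get("TA", 32)
        info["CWT_etu"] = 11 + 2 ** (tb & 0x0F)
        info["BWI"] = tb >> 4
    return info

def bwt_clock_term_ms(bwi, clock_hz):
    """Clock-dependent part of BWT, 2^BWI * 960 * 372 / f, in milliseconds."""
    return 2 ** bwi * 960 * 372 * 1000 / clock_hz

THREAD_ATR = "3b fb 18 00 00 81 31 fe 45 00 31 c0 64 77 e9 10 00 01 90 00 62"

if __name__ == "__main__":
    card = parse_atr(THREAD_ATR)
    print(card)
    print("BWT clock term at 4 MHz:", bwt_clock_term_ms(card["BWI"], 4_000_000), "ms")
```
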
Vieri
2014-03-24 12:08:56 UTC
----- Original Message -----
Post by Ludovic Rousseau
Windows can't display the "Clock rate" and "BWT" because the Windows
diagnostic tool uses SCardGetAttrib() with the attribute
SCARD_ATTR_CURRENT_CLK (tag: 0x80202) that are is supported by the
PC/SC on the GNU/Linux side.
Maybe your Minidriver, or whatever code is running on the Windows side
to support your card, is also confused by unsupported attributes for
SCardGetAttrib().
Can you debug/modify the Windows code?
Unfortunately as far as I can tell the Windows software is closed source.
This is what I have installed on the Windows Terminal Server:

AuthentIC Webpack v4.0.8 (Oberthur Card Systems)
Cherry Smart Device Package V1.9 Build 2 (v. 1.9.0.2) (Cherry GmbH http://support.cherry.de)
Cherry Tools V4.3 Rev.3 Build 6 (v. 4.3.3.6) (Cherry GmbH http://support.cherry.de)

I suppose the first package is the smartcard firmware, the second is the reader driver and the third are reader tools such as the PC/SC diagnostics tool I used.

The only thing I can try is to downgrade or upgrade one of these software packages.

I downloaded the Windows software from:
http://www.cherry.de/files/software/CherrySmartCard-Setup_32_EN.zip
http://www.cherry.de/files/software/CherrySmartCard-Setup_31_EN.zip
http://www.cherry.de/files/software/Cherry_Tools_59_EN.zip
http://www.cherry.de/files/software/Cherry_Tools_58_EN.zip
http://www.cherry.de/files/software/Cherry_Tools_54_EN.zip

As a side note (not sure if it's useful), when connecting from Windows client the AuthentIC Manager software (Oberthur Card Systems) reports:
Smart card information:
Label: IDone Classic Card
Model: Cosmo64 RSA v5.4
Firmware: Version 0.00
Manufacturer: Oberthur Card Systems
Serial Number: 0000000014D73843
Free memory: 31744 bytes
AuthentIC Manager version 3.4.1.0
Oberthur Card Systems

After installing CherrySmartCard-Setup_32_EN.zip and connecting from Linux with rdesktop, I'm still getting the same clock sync rate error.
If I remove CherrySmartCard-Setup_32_EN and install CherrySmartCard-Setup_31_EN.zip and connect from Linux with rdesktop, I get the same error.

In any case, the PC/SC diagnostics tool seems to have the same version number in both CherrySmartCard-Setup_32_EN and CherrySmartCard-Setup_31_EN.

I don't know how to debug this.

I guess I'm stuck here. The only thing I can do is modify the ccid/pcscd part in Linux and recompile. Would it be useful to tamper somehow with SCARD_ATTR_CURRENT_CLK?
Can pcscd "debug" what the Windows driver is trying to call?

Thanks,

Vieri
Ludovic Rousseau
2014-03-24 14:07:13 UTC
Post by Vieri
----- Original Message -----
Post by Ludovic Rousseau
Windows can't display the "Clock rate" and "BWT" because the Windows
diagnostic tool uses SCardGetAttrib() with the attribute
SCARD_ATTR_CURRENT_CLK (tag: 0x80202) that are is supported by the
PC/SC on the GNU/Linux side.
Maybe your Minidriver, or whatever code is running on the Windows side
to support your card, is also confused by unsupported attributes for
SCardGetAttrib().
Can you debug/modify the Windows code?
Unfortunately as far as I can tell the Windows software is closed source.
AuthentIC Webpack v4.0.8 (Oberthur Card Systems)
Cherry Smart Device Package V1.9 Build 2 (v. 1.9.0.2) (Cherry GmbH http://support.cherry.de)
Cherry Tools V4.3 Rev.3 Build 6 (v. 4.3.3.6) (Cherry GmbH http://support.cherry.de)
I suppose the first package is the smartcard firmware, the second is the reader driver and the third are reader tools such as the PC/SC diagnostics tool I used.
The only thing I can try is to downgrade or upgrade one of these software packages.
http://www.cherry.de/files/software/CherrySmartCard-Setup_32_EN.zip
http://www.cherry.de/files/software/CherrySmartCard-Setup_31_EN.zip
http://www.cherry.de/files/software/Cherry_Tools_59_EN.zip
http://www.cherry.de/files/software/Cherry_Tools_58_EN.zip
http://www.cherry.de/files/software/Cherry_Tools_54_EN.zip
Label: IDone Classic Card
Model: Cosmo64 RSA v5.4
Firmware: Version 0.00
Manufacturer: Oberthur Card Systems
Serial Number: 0000000014D73843
Free memory: 31744 bytes
AuthentIC Manager version 3.4.1.0
Oberthur Card Systems
After installing CherrySmartCard-Setup_32_EN.zip and connecting from Linux with rdesktop, I'm still getting the same clock sync rate error.
If I remove CherrySmartCard-Setup_32_EN and install CherrySmartCard-Setup_31_EN.zip and connect from Linux with rdesktop, I get the same error.
In any case, the PC/SC diagnostics tool seems to have the same version number in both CherrySmartCard-Setup_32_EN and CherrySmartCard-Setup_31_EN.
I don't know how to debug this.
I guess I'm stuck here. The only thing I can do is modify the ccid/pcscd part in Linux and recompile. Would it be useful to tamper somehow with SCARD_ATTR_CURRENT_CLK?
That may make the "PC/SC diagnostics tool" more happy.
But that may not solve your real problem with the card certificates. I
think that the problem comes from "AuthentIC Webpack v4.0.8 (Oberthur
Card Systems)" software.
Post by Vieri
Can pcscd "debug" what the Windows driver is trying to call?
Yes. It is in my previous email.

Bye
--
Dr. Ludovic Rousseau
Vieri
2014-03-24 19:00:08 UTC
----- Original Message -----
I think that the problem comes from "AuthentIC Webpack v4.0.8 (Oberthur
Card Systems)" software.
Thanks, I'll try to install a different version of that software.

Meanwhile, I'd also like to access the certificate on the card from Linux. I suppose I need to use opensc from www.opensc-project.org or can I do so without it (sorry, I'm really new to this)?
Label: IDone Classic Card
Model: Cosmo64 RSA v5.4
Manufacturer: Oberthur Card Systems
it seems that my card type is "ID-ONE Cosmo 64k".
I searched around and only got more confused.
I don't know if what I have is a "java card" in which case I'd need to look at:
https://www.opensc-project.org/opensc/wiki/JavaCard
and supposedly try to load the Muscle Applet:
https://www.opensc-project.org/opensc/wiki/MuscleApplet

I don't think OpenSC-0.9.6 supports my v.5.4 cards because it seems to support up to v5.2 as stated here:
https://www.opensc-project.org/opensc/wiki/Oberthur

And I don't think I need the IAS/ECC branch of OpenSC because I see no reference to CosmopolIC v7 in my cards:
https://www.opensc-project.org/opensc/wiki/IAS-ECC

So am I way off-course if I try to use MuscleApplet?

Thanks for your help,

Vieri
