Frequently Asked Questions - xhanulik/OpenSC GitHub Wiki
PKCS#11 is a software API for accessing cryptographic hardware such as smart cards or HSMs. PKCS#11 is not a hardware standard or hardware interface.
PKCS#15 is a format of on-card structures that defines a "filesystem layout" for smart cards. PKCS#15 does not define how those structures are generated or written to the card.
Most probably. The two standards do not conflict with each other. A PKCS#15 compatible smart card may not have a PKCS#11 module for platform X or a smart card might come with a PKCS#11 provider for platform X but format data on the card differently than PKCS#15 defines.
Not necessarily. PKCS#11 is a software interface, which means the vendor provides a PKCS#11 module with their hardware. You can use all PKCS#11 compatible software with the vendor PKCS#11 provider. If your card is also supported by OpenSC, you can use the OpenSC PKCS#11 provider, but you may not be able to:
- modify the card content,
- use keys created by OpenSC with the vendor PKCS#11 provider and vice versa.
Only if a pkcs15-init driver exists for the card. PKCS#15 defines how to look for objects; it does not define how the objects get written to the card.
No, unless you want your software to be open source or your vendor does not provide a binary PKCS#11 module for your operating system or platform (for example ARM Linux).
No, unless you are using Linux and a USB token or exotic reader which is not CCID compatible, comes without a driver for pcsc-lite and at the same time is supported by OpenCT. The recommended method for accessing smart card readers is PC/SC and thus pcsc-lite.
I have installed OpenSC, OpenCT, pcsc-lite and ccid and I'm having trouble connecting to my CCID compatible reader
The preferred access method for CCID readers is via pcsc-lite. You have installed two CCID drivers which may compete for resources. You should remove OpenCT.
The location of `libpcsclite.so.1` is wrong in OpenSC, which has been fixed in OpenSC SVN (Ubuntu bug, Debian bug). The quick fix is to edit `opensc.conf`:

```
provider_library = libpcsclite.so.1
```
Java looks for smart card readers via `/usr/lib/libpcsclite.so`, which is not present on Debian/Ubuntu. You need to create a symlink, depending on your distribution:

```
sudo ln -s /lib/libpcsclite.so.1 /usr/lib/libpcsclite.so # For Ubuntu
sudo ln -s /usr/lib/libpcsclite.so.1 /usr/lib/libpcsclite.so # For Debian
```
It is a very technical way of saying "Your card is unsupported".
Check the list of supported hardware. Verify it with `opensc-tool --name` to see if some driver knows how to handle your card. The expected result of the command is a line with a card driver name.
Read-only mode means that OpenSC can be used to use the keys and certificates present on the card but new keys or certificates cannot be loaded by OpenSC. PIN codes can still be changed.
Somebody needs to write a driver for it. You can start by sending as much information as you can about the card to the opensc-devel mailing list. Be sure to send the card ATR by sending the output of `opensc-tool --atr`.
Currently no.
GnuPG supports OpenPGP card in a direct fashion. That support has nothing to do with OpenSC or PKCS#11. There also exists a PKCS#11 based solution for GnuPG, see gnupg-pkcs11 and gnupg-pkcs11-scd for more information.
OpenSC does not depend on OpenCT. Unless you have a USB token that does not support ICCD or CCID, you don't need OpenCT.
OS X apparently always uses "Enter password for Keychain keychainname". The "name" for your token can be seen with `pkcs15-tool -D`.
OpenSC will not transfer any information to other networked systems unless specifically requested by the user or the person installing or operating it. Debug information enabled via opensc.conf may contain personal identifying data, such as X.509 certificate data, which you may want to remove before submitting a bug report.
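One way to strip X.509 certificate data from a debug log before attaching it to a bug report, as an added example that is not part of OpenSC or of the original page. The function name `scrub`, the assumed hex dump layout and the sample log are constructed for illustration:

```python
import re

# Assumed dump layout (constructed for this example): up to 16 space-separated
# hex bytes per line, optionally followed by an ASCII column.
HEX_LINE = re.compile(r'^\s*((?:[0-9A-Fa-f]{2} ){0,15}[0-9A-Fa-f]{2})(?:\s.*)?$')
# DER heuristic: two nested SEQUENCEs with two-byte lengths (30 82 xx xx 30 82).
CERT_HDR = re.compile(rb'\x30\x82..\x30\x82', re.DOTALL)
PEM_BEGIN = re.compile(r'-----BEGIN ([A-Z0-9 ]+)-----')

def scrub(log_text):
    """Return log_text with PEM blocks and certificate-bearing hex dumps redacted."""
    out, dump_lines, dump_bytes, pem_label = [], [], bytearray(), None

    def flush():  # emit or redact the hex dump collected so far
        if dump_lines and CERT_HDR.search(bytes(dump_bytes)):
            out.append(f'[REDACTED {len(dump_bytes)}-byte dump: DER certificate header]')
        else:
            out.extend(dump_lines)  # ordinary APDU traffic stays for debugging
        del dump_lines[:], dump_bytes[:]

    for line in log_text.splitlines():
        if pem_label:  # inside a PEM block: drop lines up to the END marker
            if f'-----END {pem_label}-----' in line:
                pem_label = None
            continue
        pem, hexm = PEM_BEGIN.search(line), HEX_LINE.match(line)
        if pem:
            flush()
            pem_label = pem.group(1)
            out.append(f'[REDACTED PEM {pem_label}]')
        elif hexm:
            dump_lines.append(line)
            dump_bytes += bytes.fromhex(hexm.group(1))
        else:
            flush()
            out.append(line)
    flush()
    return '\n'.join(out)

# Constructed sample, not real OpenSC output; the byte values are made up.
SAMPLE = """\
Outgoing APDU (5 bytes):
00 B0 00 00 00 .....
Incoming APDU (18 bytes):
30 82 01 0A 30 82 00 B0 A0 03 02 01 02 02 01 01 0...0...........
90 00 ..
-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQ=
-----END CERTIFICATE-----"""
if __name__ == '__main__':
    print(scrub(SAMPLE))
```

A certificate read from the card in several chunks only carries the DER header in its first chunk, so later chunks are not caught by this heuristic; read through the scrubbed log before sending it.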
- https://www.javacardos.com - dedicated to building a comprehensive Java Card platform.
- http://www.aventra.fi - ships from Finland, Aventra-MyEID-PKI-card card
- http://www.cryptoshop.com - ships from Austria
- http://shop.kernelconcepts.de/ - ships from Germany, OpenPGP v2 card and CryptoStick token
- http://www.logidata-int.fr - ships from France
- http://www.smartcardfocus.com - ships from UK