New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
A Slovakian eID card driver? #208
Comments
|
Please re-open the issue if you stumble upon problems for your implementation. |
The newly published closed-source Linux Slovak eID client contains 8 XML files which may be of some interest. They all begin with
and describe APDUs like this:
|
Sounds like it's a software according to ISO 24727, similar to https://github.com/ecsec/open-ecard. The But I could have a look at it, maybe the card is similar to the German ID card... |
Yes, I found that already… Yet that Java application doesn't work here for a reason. I don't know if it's a good idea to post these files here (as the license is not known), so probably I just give you a link to the download page: https://eidas.minv.sk/TCTokenService/download/. It is in Slovak, but it's pretty easy to understand what's where (Stiahnuť inštalátor next to Debian 7.0 should be a link to the tarball with .deb inside). |
The XML files look indeed very similar to the CardInfo files of the German ID card. You may want to have a look at my driver for the nPA https://frankmorgner.github.io/vsmartcard/npa/README.html, which integrates int OpenSC and implements all the mechanisms your card uses, too. You can use Please note that by design EAC (eID) will not be available via pkcs#11/minidriver. But you should be able, however, to use eSign (if your card is initialized). |
Oh, I'm looking into building instructions… so convoluted :) |
Why not to use vendor supplied library? https://blog.danman.eu/ssh-autentifikacia-s-eid-obcianskym-preukazom-pod-linuxom/ |
Because it's not free software and doesn't work reliably? |
OK, excuse my stupid question sir |
Study of the eID Model in Slovakia: The solution used for the Slovak eID card is derived from the German eID card system and based on EAC technology, according to BSI TR-03110. Rather than using an X.509 certificate, the verification of an electronic identity stored in the eID card based on reading the identity data via an EAC channel is used for electronic authentication and identification. |
Then my comment from above holds. According to your citation, the Slovakian card has a QES functionality that is compatible with PKCS#11 and Minidriver/CSP. It's the same for the German ID card. The latter is fully integrated in my fork of OpenSC (pull request). Since I implemented all of BSI TR-03110, I suppose the Slovakian card could be used with minor adjustments (for example adding an ATR for recognizing the card). You could verify the compatibility in my fork using the npa-tool, which ignores the ATR, but allows all cryptographic operations (i.e. EAC). |
@frankmorgner, 5 years later I think I’m motivated to have a look at this again, but I’m unsure where to start. npa-tool, of course, doesn’t recognise the card as is. |
npa-tool is not tied to a specific card driver and may work with your card as well. We recently integrated the Polish ID card, which also uses eID (PACE) for communicating with the card. You may want to look at card-edo.c for a starting point. |
I tried forcing the npa driver (by also modifying the matching function) and managed to get it a bit further. I then thought of modifying the unlock routine to use the different card app id my card has just to see whether it can talk to it, but also found the @frankmorgner, do you use any chat platforms, IRC etc? It would be great to talk about this in a slightly more real-time fashion if you’re not strictly opposed to the idea 😃 |
A bit more info. If I "force" npa-tool to use the npa driver, I goes through as far as this:
I have also snooped the official driver’s comms (APDUs and SWs), I can share them privately if you’re interested. |
I'd like to avoid IRC and the like. Send me the log to my email frankmorgner at gmail.com, and I'll take a look if i have some minutes |
Ack, sent; thanks for your help! |
The error above is actually an informative message and doesn't lead to an abortion. 1.0.24727.3.0.9 is defined in ISO/IEC 24727-3, clause A.9. Although the document doesn't go into detail, the workflow chart seems to indicate that the terminal is doing a standard PIN verification (as opposed to, for example, PACE). However, authentication with EAC as implemented in npa-tool strictly requires PACE. That's why npa-tool stops here. The good news is, that the log you've sent me indicates that the card doesn't use any secure messaging what so ever. The only interesting things in the pcscd log are
The bad news without further research or specification we're stuck here. To proceed, you need to find out the following:
I'm think without help of someone familiar with your card we will not be able to integrate your card into OpenSC. |
A year later I have found this issue while trying to figure out if I could use open source software to interact with my new Slovak ID card. I'll start with a comment in this issue but if you prefer I could open new one. Firstly Slovakia used to issue ID cards with "Smart Card Atos CardOS V5.0 QES EAC V1.0 version V1.0" [1] which certification ended on June 26. My card was issued after this date and I haven't found exact identification of a chip and applications there. My card has ATT Output of
which unfortunately ends up with "Your card is not present in the database." By trial and error I have found out that driver is still Official linux application uses I'm pretty new in smart cards but I'm able to read C code. I'm trying to compare
which is repeated also somewhat later. I guess this might be a ping or noop?
a)
b) OpenSC/src/libopensc/card-cardos.c Lines 295 to 296 in 2f94a6b
which later in logs means:
I've tried to change that constant except of the last byte (
a) Line 190 in 2f94a6b
Line 203 in 2f94a6b
which seems to return some bunch of data. I'm not sure how identifiable they are but they contain more or less these ASCII strings:
b)
Which apparently ends up with an error.
Which ends up with success. Then:
which fails:
Another attempt:
is successfull. Then:
again ends up with (final) fail:
Edit: well, I have realized that I haven't issued exactly the same commant for those apps. While in one case I tried to dump all info, original I've tried to run I'm not sure if this is only a slight deviation from Polish/German card or something that would need much deeper investigation. Could anybody give a hint please? [2]
|
I believe to have a card identical to the one mentioned by @scrool. I got it working by stitching together and slightly modifying pieces of code found within OpenSC. https://github.com/jurajsarinay/OpenSC/tree/skeid In a few weeks Slovakia will start issuing dual interface cards, likely based on CardOS 6.0. The v5.4 cards issued today remain valid until mid-2031, supporting them makes sense. The card carries PKCS 15 structures OpenSC cannot parse, probably because parts of the CIAs are indeed invalid. The information from my card can be found here: skeid_v3.tar.gz The files appear not to differ between cards (my sample size is of course rather limited). Instead of examining why exactly the (internal) binding fails, I find it easier to hard code the few necessary parameters in a new emulator. The most recent software provided by the government does not parse (or even read) the PKCS 15 structures either. The card supports, but does not require PACE (or SM) for the operations I am interested in. There are (at most) 3 keys & certificates, a single mechanism (RSA-PKCS) and two PINs that result in two slots. The following operations (via PKCS 11) work reasonably well:
I miss PSS and OAEP, cannot get the card to do raw RSA. PUK and unblocking features were omitted on purpose. Feedback welcome. |
Wow, that’s a great analysis. |
The official e-ID client produces very useful logs once you enable debug tracing. Edit ~/.eID_klient/config.json as follows (tested with v4.1): {
"log": {
"logToFile": true,
"logFromLevel": "LogLevel_Debug",
"plainApduToFile": true,
"verboseFile": true,
"secApduToFile": true}
} When you interact with the GUI application or use the proprietary PKCS11 module, log files show up in ~/.eID_klient/. This way you can inspect several other functions the program performs (such as sign-on, arguably out of scope of this issue or OpenSC). Once you have an idea what you want from the card, opensc-explorer does the job. |
I am just started writing a driver for Slovakian eID for fun, despite there is a promise from authorities to provide some Linux support in future.
Because I am a naive newbie in opensc and smart cards and till now I have no technical specification for this card, I appreciate any information and help from community.
For now, the plan is to find suitable implementation of function from existing drivers and integrating them into the driver.
If you are interested you are welcome to join.
For now, there is only detection of card and only default iso 7816 functions.
/tools/opensc-tool --reader 0 --atr
3b:df:18:00:81:31:fe:58:00:31:b9:64:05:0e:01:00:73:b4:01:d3:00:00:00:22
varga@ntb-varga:src$ ./tools/opensc-tool --reader 0 --name
Slovakian eID
Martin
The text was updated successfully, but these errors were encountered: