<html xmlns="http://www.w3.org/1999/xhtml" xmlns:html="http://www.w3.org/1999/xhtml"><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>TCOS based preformatted cards</title><style type="text/css">
</style></head><body><div id="content" class="wiki">
<div class="wikipage searchable">
<h1 id="TCOSbasedpreformattedcards">TCOS based preformatted cards</h1>
<a style="padding:0; border:none" href="/opensc/attachment/wiki/TCOS/Card-Images.gif" shape="rect"><img src="/opensc/raw-attachment/wiki/TCOS/Card-Images.gif" alt="Images of TCOS cards" title="Images of TCOS cards"></img></a>
TeleSec (part of T-Systems), Deutsche Post and DATEV are German companies that sell TCOS based preformatted cards, i.e. NetKey E4 cards, SignTrust cards and DATEV cards. All these cards used to have a TCOS 2.03 operating system and an almost PKCS#15 compatible file layout. OpenSC has read-only support for these kinds of cards.
If OpenSC fully supported TCOS, one could erase the preformatted card and initialize it with a PKCS#15 filesystem. This is not possible right now, as OpenSC lacks support for initializing a PKCS#15 layout on an empty card running the TCOS operating system.
The good news is: with the help of an emulation layer, OpenSC can use cards that are almost PKCS#15 compatible. For the above mentioned cards such an emulation layer exists. The emulation cannot store certificates, keys or PINs on the card, but you can use whatever is visible through the emulation layer.
If you know of other TCOS based cards and are willing to help, please post information on the mailing list. You might also send <tt>opensc-tool -f</tt> output to me; maybe I can extend the emulation such that it works with your card as well.
Since late 2006 TCOS 3.0 cards are available from TeleSec, and a test card plus excellent documentation reached me in December 2006. Besides 2048 bit keys, TCOS 3.0 has some other new features. In December 2007 the TCOS 2.0 driver was extended such that it supports TCOS 3.0 cards as well. This support is not included in version 0.11.4. If you want to use TCOS 3 cards you must either wait until the next OpenSC version is out, use a nightly snapshot, or get the latest version from our repository.
The 2048 bit NetKey cards will be TCOS 3.0 based. The signature key of this new card can be used only with secure messaging. Since OpenSC does not have support for secure messaging, the signature key will not be supported soon.
All other trust centers that were using TCOS2 cards until the end of 2007 do not offer TCOS based cards anymore. SignTrust now uses a StarCos 3.0 based card and DATEV is out of business.
<h2 id="NetKeyE4filesystemlayout">NetKey E4 filesystem layout</h2>
NetKey E4 cards contain different applications. Two of them, namely the NKS application and the SigG application, are made visible through the NetKey emulation layer. The NKS application contains 3 key pairs (4 on TCOS3 cards), 3 read-only certificates, 6 empty certificate files, 2 PINs and one signature counter. The SigG application contains one key pair that can be used according to German signature law, 1 certificate and 1 PIN. The NetKey emulation layer will show you all these keys and certificates. With TCOS2 cards you can use all of them; with TCOS3 cards you can only use the keys within the NKS application. To use the signature key on TCOS3 cards a secure channel MUST be created, and this is something OpenSC does not support yet. I'm working on a workaround, which will temporarily create a secure channel before the signature key is used and close this channel immediately after the key was used. Let me know if you want to use the signature key of TCOS3 based cards with OpenSC. If nobody is interested I will work on other things.
<pre class="wiki" xml:space="preserve"> pkcs15-tool -c</pre>

will list all certificates. It will not list empty certificate files. Here's the output for a new NetKey E4 card (TCOS3 version):
<pre class="wiki" xml:space="preserve">$ pkcs15-tool -c
X.509 Certificate [Telesec Signatur Zertifikat]
X.509 Certificate [Telesec Verschluesselungs Zertifikat]
X.509 Certificate [Telesec Authentifizierungs Zertifikat]
X.509 Certificate [Telesec 1024bit Zertifikat]
X.509 Certificate [SigG Zertifikat 1]</pre>
The public keys on NetKey cards are record-based transparent files and cannot be used for cryptographic operations. They are on the card for convenience only. OpenSC extracts the public keys from the certificates and does not use the public key files.

The signature key can do signature operations only. All other private keys can be used for both decryption and signature operations.
<h3 id="HowdoIstoreadditionalcertificatesintotheabovementionedemptycertificate-files">How do I store additional certificates into the above mentioned empty certificate files?</h3>
You (and OpenSC) don't see the empty certificate files through the emulation layer. One consequence is that you cannot store your own certificates into these files with pkcs11-tool or pkcs15-init.
You must use opensc-explorer and store the certificate directly at the right position, or use netkey-tool, a small program that I wrote exactly for that purpose. Since version 0.7 of SCB, netkey-tool is contained in the Windows version too. As of April 2008 netkey-tool has not yet been changed to support both TCOS2 and TCOS3 cards.
In general (and in particular with TCOS cards) it's a lot more complicated to create a new file on a smartcard than to update an existing one. That's the reason why there are empty certificate files on a NetKey card. They contain 1536 0xFF bytes, and you can overwrite them with your own certificate (if your certificate is at most 1536 bytes long).
There is one problem with many PKCS#11 or PKCS#15 smartcard applications: they assume that the ID of a certificate uniquely identifies the certificate itself. This is wrong, as the ID only identifies the private/public key pair that the certificate belongs to. So if you have more than one certificate for the same key pair, all these certificates will share the same ID value. OpenSC has this problem with NetKey cards too. Have a look at the -r option of pkcs15-tool: in order to select a certificate you can only specify its ID, and pkcs15-tool will output the first certificate from the card that has such an ID value.
If you have stored a certificate on your NetKey card, you most likely want to use this certificate (and not the read-only one). Therefore the emulation adds the user certificates first into its internal list.
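As an added example that is not part of this page or of OpenSC, the following Python models the two points made above: the 1536-byte certificate files (a certificate padded with 0xFF, recovered again by its DER length, with the size check needed before overwriting one) and the ID that really denotes a key pair (certificates with the same SubjectPublicKeyInfo are the ones that collide on an ID). The DER skeletons it builds are constructed samples, not real certificates.

```python
# Added example, not OpenSC or netkey-tool code. It models two facts from the text:
# an empty NetKey certificate file is 1536 bytes of 0xFF that one DER certificate
# (plus 0xFF padding) may overwrite, and a PKCS#15 certificate ID names the key
# pair, so certificates that carry the same public key end up sharing one ID.
SLOT_SIZE = 1536

def der_tlv(buf, off=0):
    """Parse one DER TLV at buf[off]; return (tag, value_start, value_end)."""
    tag, length, off = buf[off], buf[off + 1], off + 2
    if length & 0x80:                              # long-form length
        n = length & 0x7F
        length, off = int.from_bytes(buf[off:off + n], "big"), off + n
    if off + length > len(buf):
        raise ValueError("DER length exceeds buffer")
    return tag, off, off + length

def slot_from_cert(der):
    """File image for an empty slot: the certificate followed by 0xFF padding."""
    tag, _, end = der_tlv(der)
    if tag != 0x30 or end != len(der):
        raise ValueError("not exactly one DER SEQUENCE")
    if len(der) > SLOT_SIZE:
        raise ValueError("%d bytes exceed the %d byte file" % (len(der), SLOT_SIZE))
    return der + b"\xff" * (SLOT_SIZE - len(der))

def cert_from_slot(slot):
    """Certificate in a file image, or None if the file is still all 0xFF."""
    return None if slot[0] == 0xFF else slot[:der_tlv(slot)[2]]

def spki_of(der):
    """SubjectPublicKeyInfo TLV of a DER certificate; equal for all certs of one key pair."""
    _, off, _ = der_tlv(der)                       # Certificate
    _, off, _ = der_tlv(der, off)                  # TBSCertificate
    if der[off] == 0xA0:                           # optional [0] EXPLICIT version
        off = der_tlv(der, off)[2]
    for _ in range(5):                             # serial, sigAlg, issuer, validity, subject
        off = der_tlv(der, off)[2]
    return der[off:der_tlv(der, off)[2]]

def tlv(tag, body):
    """Minimal DER encoder, used only to build the constructed samples below."""
    n = len(body)
    ln = bytes([n]) if n < 0x80 else bytes([0x81, n]) if n < 0x100 else bytes([0x82, n >> 8, n & 0xFF])
    return bytes([tag]) + ln + body

def sample_cert(serial, spki_body):
    """Constructed skeleton in X.509 field order: empty names, no real signature."""
    tbs = tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, bytes([serial])) + tlv(0x30, b"") * 4
    return tlv(0x30, tlv(0x30, tbs + tlv(0x30, spki_body)) + tlv(0x30, b"") + tlv(0x03, b"\x00"))
```

Two sample certificates built with the same spki_body are the case the text warns about: they would share one PKCS#15 ID, and pkcs15-tool -r would return whichever the emulation lists first.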
<h3 id="SomeremarksaboutthepinsofaTCOS2-basedNetkeycard">Some remarks about the PINs of a TCOS2-based NetKey card</h3>
There are two global PINs on a TCOS2 based NetKey card, and some of the directories contain further PINs. TCOS3-based cards are slightly different, but since netkey-tool does not support TCOS3 cards yet I will not explain the differences.
The NetKey emulation will list the two global PINs (PIN and PUK) and the two local PINs contained in directory DF01 (PIN0 and PIN1). The TCOS card operating system can protect a private key by more than one PIN. OpenSC does NOT support this and will always ask for one specific PIN. If a key is protected by both a global PIN and a local PIN, OpenSC will always ask for the local one.
Now that you know that you MUST use local PIN0 or local PIN1 and cannot use your global PIN instead, you probably want to know the initial value of those local PINs. But these local PINs were set to a random 6-digit number when TeleSec GmbH produced your card. So you cannot know them until you have changed them.
You can change local PIN0 only if you know either local PIN0 itself or your global PIN. And you cannot change a PIN once it has been blocked. So if your local PIN0 is blocked (for example because you provided your global PIN when OpenSC asked you for the local one, and you did that at least three times) then you must unblock it first.
Here's an example of how to unblock your local PIN0, change its value to 111111 with your global PIN, and then change its value from 111111 to 222222. It assumes that your global PIN is 123456:
<pre class="wiki" xml:space="preserve">netkey-tool --pin 123456 unblock pin0
netkey-tool --pin 123456 change pin0 111111
netkey-tool --pin0 111111 change pin0 222222</pre>
One more hint: your global PUK was set to an 8-digit random number at production time of your TCOS2-based NetKey card. This random number is stored on your card in a transparent file, which is read-protected by your global PIN. If you ever block your global PIN you will need your global PUK. But once your global PIN is blocked you cannot read the initial value of your global PUK anymore.
<tt>netkey-tool --pin &lt;your_global_pin&gt;</tt> will print out the initial PUK value. If you changed your global PUK to some other value, the transparent file on your card will still contain the initial value.
<tt>netkey-tool</tt> does not support the SigG application. If you want to change your SigG PIN or read/write your SigG certificates with <tt>netkey-tool</tt>, please let me know.
<h2 id="SignTrustlayout">SignTrust layout</h2>
The following information applies to 1024 bit SignTrust cards only. 2048 bit SignTrust cards do not contain a TCOS chip but are StarCos 3.0 based. The layout is very similar, but this information won't help OpenSC users, as OpenSC does not support StarCos 3.0 as of April 2008.
SignTrust cards contain three applications (i.e. directories). Each of them contains one certificate, one private key and one PIN.
The signature key is restricted such that it can create signatures only; the other keys can be used for both decryption and signature operations. Unlike NetKey cards, a SignTrust card has no empty certificate files, so you cannot store your own certificates on it.
The certificate from the signature application can be used to create SigG (German signature law) conforming digital signatures.

Neither the CA certificate nor the root certificate is stored on the card, but you can download them <a class="ext-link" href="http://www.deutschepost.de/dpag?tab=1&amp;skin=hi&amp;check=&amp;lang=de_DE&amp;xmlFile=link1015298_1007978" shape="rect"><span class="icon">here</span></a>.
Here's some output that shows the SigG certificate of my SignTrust card:
<pre class="wiki" xml:space="preserve">$ pkcs15-tool -r 45 | openssl x509 -noout -text -certopt no_pubkey,no_sigdump
Serial Number: 32322 (0x7e42)
Signature Algorithm: sha1WithRSAEncryption
Issuer: C=DE, O=Deutsche Post Com GmbH, OU=Signtrust, CN=CA DP Com 5:PN
Not Before: Sep 21 10:19:04 2005 GMT
Not After : Sep 21 10:19:04 2007 GMT
Subject: CN=Peter Koch, SN=Koch, GN=Peter, C=DE/serialNumber=1
X509v3 Authority Key Identifier:
keyid:22:BB:26:65:07:57:15:DE:06:EB:10:1E:CC:77:82:A7:13:79:74:C6
DirName:/C=DE/O=Bundesnetzagentur/CN=10R-CA 1:PN
X509v3 Key Usage: critical
X509v3 Certificate Policies:
X509v3 CRL Distribution Points:
URI:ldap://dir.signtrust.de/o=Deutsche%20Post%20Com%20GmbH,c=de
CRLissuer:&lt;UNSUPPORTED&gt;
Authority Information Access:
OCSP - URI:http://dir.signtrust.de/Signtrust/OCSP/servlet/httpGateway.PostHandler</pre>
The remaining certificates (from the authentication and encryption applications) are signed by a self-signed root certificate from Deutsche Post.
<h2 id="Universitycards">University cards</h2>
There are two universities in Germany (that I know of) which use TCOS2 cards. These cards have their own layout, and the emulation tries its best to support them. One card is the <a class="ext-link" href="http://www.tu-darmstadt.de/hrz/chipkarte" shape="rect"><span class="icon">student card of the Technical University of Darmstadt</span></a> and the other one is the <a class="ext-link" href="http://www.uni-giessen.de/uni/chipkarte" shape="rect"><span class="icon">student card of the University of Giessen</span></a>. Both cards contain one application with one private key, one public key file and one certificate, protected by one global PIN and PUK.
Here's some output that shows the layout of a TUD card:
<pre class="wiki" xml:space="preserve">$ pkcs15-tool -D
PKCS#15 Card [TUD Card]:
Serial number : 8949017200003335855
Manufacturer ID: TU Darmstadt
Flags : [0x51], case-sensitive, initialized, unblockingPin
Length : min_len:6, max_len:16, stored_len:16
Flags : [0xD1], case-sensitive, initialized, unblockingPin, soPin
Length : min_len:8, max_len:16, stored_len:16
Private RSA Key [Schluessel 1]
Usage : [0x7], encrypt, decrypt, sign
Access Flags: [0x1D], sensitive, alwaysSensitive, neverExtract, local
X.509 Certificate [Zertifikat 1]</pre>
If you are using a similar card that OpenSC does not yet support please let me know.
<h2 id="DATEVcards">DATEV cards</h2>
As of April 2008 DATEV does not run a trust center anymore, so the following information is of historical interest only:
DATEV offered different smart cards. Some were NetKey cards (those that can create signatures in accordance with the German signature law) and will be detected as such. One model was not (named DATEV Smartcard classic), and this card has a separate emulation. It contains two applications. One application has one certificate and one key pair, while the other application contains two certificates and two key pairs. There's only one global PIN that protects all keys.
</div></div></body></html>