OpenSC now supports EPO smart cards


Post by domino » Fri Jan 18, 2013 4:52 pm

To whom it may concern, the smartcards handed out by the EPO are now supported by OpenSC. It is thus possible to access the smartcard-protected EPO online services without the GemSafe libraries. Support was added after the release of 0.13.0, so you either have to use the master branch or wait for the next release.

The EPO uses GemSafeV1 cards with the ATR:


The smartcards have two peculiarities which required code changes to OpenSC:

The first issue was the PIN policy which is ASCII, max length 8, min length 4, padded with 0x00. This differs from the default PIN policy that OpenSC uses for GemSafeV1 cards.

The second issue was that there's not one but two certificate/key pairs on the card: The first certificate (in key container #3) only has the key usage attribute "Non Repudiation". The second certificate (in key container #4, which is the default key container) has the key usage attributes "Digital Signature, Key Encipherment". Thus, only the second certificate can actually be used for authenticating against the EPO services, the other one is rejected. The problem was that OpenSC only made the first certificate found on the card available, all other certificates were ignored. The code was therefore extended to support multiple certificate/key pairs.

It goes without saying that this is entirely unsupported by the EPO. If you get in trouble or it doesn't work for you, do not ask the EPO for help but resort to the OpenSC mailing list. (I'm not allowed to post the URL here due to the idiotic spam filter.)
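The two points described in the post, as an added C example that is not OpenSC's code and not from the original post: building the 8-byte PIN block under the stated policy, and scanning every key container for a usable certificate instead of stopping at the first. All names are hypothetical, the container list is constructed from the post's description, and treating "Digital Signature" as the usage required for authentication and "ASCII" as printable ASCII are assumptions.

```c
#include <stdio.h>
#include <string.h>

#define PIN_MIN 4          /* policy from the post: min 4, max 8, pad 0x00 */
#define PIN_MAX 8
#define PIN_PAD 0x00

/* Local flag names (hypothetical) for the X.509 keyUsage bits named in the post. */
enum { KU_DIGITAL_SIGNATURE = 1, KU_NON_REPUDIATION = 2, KU_KEY_ENCIPHERMENT = 4 };

struct container { int id; unsigned key_usage; };

/* Constructed sample mirroring the two containers described in the post. */
static const struct container SAMPLE[] = {
    { 3, KU_NON_REPUDIATION },
    { 4, KU_DIGITAL_SIGNATURE | KU_KEY_ENCIPHERMENT },
};

/* Build the fixed 8-byte PIN block; returns 0, or -1 if the PIN breaks the policy. */
int encode_pin(const char *pin, unsigned char out[PIN_MAX])
{
    size_t len = 0;
    if (pin == NULL || out == NULL) return -1;
    while (len <= PIN_MAX && pin[len] != '\0') {
        unsigned char ch = (unsigned char)pin[len];
        if (ch < 0x20 || ch > 0x7e) return -1;   /* printable ASCII only (assumption) */
        len++;
    }
    if (len < PIN_MIN || len > PIN_MAX) return -1;
    memset(out, PIN_PAD, PIN_MAX);               /* pad first, then copy the PIN */
    memcpy(out, pin, len);
    return 0;
}

/* Scan every container instead of stopping at the first one found. */
int pick_auth_container(const struct container *c, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (c[i].key_usage & KU_DIGITAL_SIGNATURE) return c[i].id;
    return -1;
}

int main(void)
{
    unsigned char block[PIN_MAX];
    if (encode_pin("1234", block) == 0)
        for (size_t i = 0; i < PIN_MAX; i++) printf("%02x ", (unsigned)block[i]);
    printf("\nauth container: %d\n", pick_auth_container(SAMPLE, 2));
    return 0;
}
```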