The EPO uses GemSafeV1 cards with the ATR:
3B:7D:96:00:00:80:31:80:65:B0:83:11:48:C8:83:00:90:00
The first issue was the PIN policy which is ASCII, max length 8, min length 4, padded with 0x00. This differs from the default PIN policy that OpenSC uses for GemSafeV1 cards.
The second issue was that there's not one but two certificate/key pairs on the card: the first certificate (in key container #3) only has the key usage attribute "Non Repudiation". The second certificate (in key container #4, which is the default key container) has the key usage attributes "Digital Signature, Key Encipherment". Thus, only the second certificate can actually be used for authenticating against the EPO services; the other one is rejected. The problem was that OpenSC only made the first certificate found on the card available; all other certificates were ignored. The code was therefore extended to support multiple certificate/key pairs.
It goes without saying that this is entirely unsupported by the EPO. If you get in trouble or it doesn't work for you, do not ask the EPO for help but resort to the OpenSC mailing list. (I'm not allowed to post the URL here due to the idiotic spam filter.)
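The two points from the post above (the PIN encoding policy and choosing the certificate by key usage instead of taking the first one found), as an added example that is not part of the original post and not OpenSC code. The struct, function names and sample data are hypothetical and constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define PIN_MIN 4
#define PIN_MAX 8
/* X.509 keyUsage flags, numbered by their RFC 5280 bit positions. */
#define KU_DIGITAL_SIGNATURE (1u << 0)
#define KU_NON_REPUDIATION   (1u << 1)
#define KU_KEY_ENCIPHERMENT  (1u << 2)
struct container { int id; unsigned key_usage; }; /* hypothetical */

/* Constructed sample mirroring the two containers the post describes. */
static const struct container sample_card[] = {
    { 3, KU_NON_REPUDIATION },
    { 4, KU_DIGITAL_SIGNATURE | KU_KEY_ENCIPHERMENT },
};

/* ASCII, 4..8 bytes, padded with 0x00 to 8. Returns 0, or -1 on a
 * policy violation (out is then all zero). */
int encode_pin(const char *pin, uint8_t out[PIN_MAX])
{
    size_t len = pin ? strlen(pin) : 0;
    memset(out, 0x00, PIN_MAX);
    if (len < PIN_MIN || len > PIN_MAX)
        return -1;
    for (size_t i = 0; i < len; i++)
        if ((unsigned char)pin[i] > 0x7f)   /* not ASCII */
            return -1;
    memcpy(out, pin, len);
    return 0;
}

/* Check every container, not just the first; return the id of the one
 * usable for authentication (digitalSignature), or -1 if none. */
int select_auth_container(const struct container *c, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (c[i].key_usage & KU_DIGITAL_SIGNATURE)
            return c[i].id;
    return -1;
}

int main(void)
{
    uint8_t buf[PIN_MAX];
    printf("pin ok: %d, auth container: %d\n",
           encode_pin("1234", buf) == 0, select_auth_container(sample_card, 2));
}
```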