Sunday, December 18. 2016
Finally the integration of DNIe 3.0 was committed and it is working successfully. Today Viktor Tarasov merged my final changes to force caching and increase the number of re-tries if version 3.0 is detected. You can follow the whole process in the DNIe 3.0 bug and the final pull request.
The temporary solution for the CKA_ALWAYS_AUTHENTICATE problem discussed in the previous entry is to cache both private keys (authentication and signature; the latter is a non-repudiation key) and not label them with that attribute. The recommendation from the OpenSC developers was to force caching and a large number of re-tries (use_pin_caching=true and pin_cache_counter=30000) inside the DNIe initialization. Obviously this is a workaround for a weird implementation in the DNIe, but the forced parameters make DNIe 3.0 work in any situation.
I think that all the people involved (the Spanish users in the bug and the OpenSC members) preferred the option of mixing the two possible solutions: the authentication key would work using the cache (as it does now), but the non-repudiation/signature key would be marked CKA_ALWAYS_AUTHENTICATE (the cache would not work for it unless it is explicitly enabled in opensc.conf). Nevertheless, this mixed solution needs a small change in the current PIN cache implementation. It is not very important, but it affects all the other drivers and the general behavior of the library. I am still interested in going to that solution but, for the moment, merging a working DNIe 3.0 was more urgent.
If you are worried about caching the PIN of a non-repudiation key, I can just point out the following:
The current implementation of the official driver works in the same way (there is a cache, a re-login, and no CKA_ALWAYS_AUTHENTICATE is set on any key).
The DNIe driver has an option (--enable-dnie-ui at configure time) that shows a warning message before any use of the non-repudiation key. This warning is a non-standard replacement for the key attribute. I do not know how many distros include the option (but Ubuntu, for example, seems to use it).
As I said, the mixed solution seems to be the best one, and it lets us forget about the horrible warning and use the standard CKA_ALWAYS_AUTHENTICATE. Let's see what happens in the future. For the moment, what is certain is that DNIe 3.0 will be available in the next OpenSC version.
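To make the trade-off between the merged workaround and the mixed solution concrete, here is an added toy model (my own example, not OpenSC code) of how a PIN cache with a use counter decides whether the user is prompted again for each key; the CardSession class, the cache_always_auth_keys knob and the sample PIN are assumptions for illustration only.

```python
from dataclasses import dataclass

@dataclass
class Key:
    label: str
    always_authenticate: bool  # models CKA_ALWAYS_AUTHENTICATE on the key object

@dataclass
class PinCacheConfig:
    use_pin_caching: bool = True    # the setting forced for DNIe 3.0
    pin_cache_counter: int = 30000  # re-logins that may be served from the cache
    # Hypothetical knob for the "mixed solution": serve a CKA_ALWAYS_AUTHENTICATE
    # key from the cache only when explicitly enabled in opensc.conf.
    cache_always_auth_keys: bool = False

class CardSession:
    """Toy model of a card that drops its login state between operations, so
    every use of a private key needs a re-login: from the cache or the user."""
    def __init__(self, cfg: PinCacheConfig):
        self.cfg, self.cached_pin, self.uses_left, self.prompts = cfg, None, 0, 0

    def login(self, pin: str) -> None:
        self.prompts += 1  # the user typed the PIN
        self.cached_pin = pin if self.cfg.use_pin_caching else None
        self.uses_left = self.cfg.pin_cache_counter

    def _cache_usable(self, key: Key) -> bool:
        if self.cached_pin is None or self.uses_left <= 0:
            return False
        return not key.always_authenticate or self.cfg.cache_always_auth_keys

    def sign(self, key: Key, ask_pin) -> bool:
        """Use key once; return True if the user had to enter the PIN."""
        prompted = not self._cache_usable(key)
        if prompted:
            self.login(ask_pin())
        self.uses_left -= 1  # one cached re-login consumed
        return prompted

def count_prompts(cfg, nonrep_always_auth, auth_signs, nonrep_signs):
    """PIN prompts in one session: auth_signs uses of the authentication key,
    then nonrep_signs uses of the non-repudiation (signature) key."""
    auth = Key("Authentication", always_authenticate=False)
    nonrep = Key("Signature", always_authenticate=nonrep_always_auth)
    s = CardSession(cfg)
    s.login("1234")  # constructed sample PIN for the initial C_Login
    for key, n in ((auth, auth_signs), (nonrep, nonrep_signs)):
        for _ in range(n):
            s.sign(key, lambda: "1234")
    return s.prompts
```

With the defaults (the merged workaround) a session with five authentications and three signatures prompts once; marking the signature key always-authenticate prompts once per signature, and a small pin_cache_counter re-prompts even for the authentication key.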
I have been trying to obtain a certificate from the FNMT with the DNI 3.0 using OpenSC, and while it is able to identify me, it is not able to sign.
This is the procedure I have carried out.
git clone https://github.com/OpenSC/OpenSC.git
Install the pkcs11 cryptographic module in Firefox
And the FNMT website requires installing this add-on in order to sign
Then I followed these instructions
1st Enter the DNIe password and press OK.
2nd Choose the certificate to identify yourself with (it must be your DNIe's authentication certificate) and press OK.
3rd In the key generation process, if asked for a key length, choose High grade.
4th Click on "Click here to consult and accept the conditions of issuance of the certificate" to display the conditions, check the box and press Next.
5th In the dialog that appears to choose an object, choose "Software Security Device" and press OK.
6th In the next step fill in the required data. Check the box if you want to include your email address in the certificate so you can encrypt and sign emails. Press OK.
7th Verify that the data entered are correct and press Sign.
8th To sign the text, choose your DNIe's digital signature certificate and enter the DNIe PIN. (This no longer works) When you select the digital signature certificate, what happens is that the DNIe session is terminated.
9th A window will appear to confirm that you are going to sign with your SIGNATURE key; press Yes. (It does not appear)
10th If the process has completed correctly, you will see that your request has been processed correctly. You will receive your REQUEST CODE in your email account.
11th Go to the download page to download your certificate with the request code obtained in step 10.
Try to write in English because the blog is intended for a broader audience. And... What do you want me to do with this? I'm not going to ask for an FNMT certificate to test this problem. The signature process works in general. If the issue is related to the signTextJS addon, try to make an easier test case and open a bug in OpenSC. Does this procedure work with DNIe 2.0? Did it work before for you? Does it work with official packages for Linux?
I have been trying to obtain a certificate from the FNMT using the DNI 3.0 with the master branch of OpenSC, and although it is able to identify me, the signing process fails.
This is the procedure I have carried out.
git clone https://github.com/OpenSC/OpenSC.git
cd OpenSC/
./configure --prefix=/home/masters/DNI30
Install the pkcs11 cryptographic module in Firefox
The FNMT website requires the installation of this add-on to sign
Then I followed these instructions
1st Enter the DNIe password and press OK.
2nd Choose the certificate with which to identify (must be the certificate of authentication of your DNIe) and press OK.
3rd In the process of generating keys, in case of requesting key length choose High Degree.
4th Click on "Click here to consult and accept the conditions of issuance of the certificate" to display the conditions, check the box and click Next.
5th In the dialog that appears to choose an object choose "Security Software Device" and press OK.
6th In the next step fill in the required data. Check the box if you want to include your email in the certificate so you can encrypt and sign emails. Click OK.
7th Verify that the entered data are correct and press sign.
8th To sign the text, choose your DNIe's digital signature certificate and enter the DNIe PIN. (This no longer works) When you select the digital signature certificate, what happens is that the DNIe session is terminated.
9th A window will appear to confirm that you will sign with your SIGNATURE key, press Yes. (Not shown)
10th If the process was successful, it will appear that your request has been processed correctly. You will receive an APPLICATION CODE in your email account.
11th Go to the download page to obtain your certificate with the application code received in point 10.
I will test the ability to sign with the DNI 3.0 on this website and I will pass on the results.
There's a known problem right now in the opensc DNIe driver. It's about login/logout. See here:
Maybe it's related. If it also fails with a DNIe 2.0 using the current branch, it's probably the same bug. Too many changes in the last days... Sorry.
With the DNI 3.0 it does not work with either the master branch of OpenSC or the official PKCS#11 library, but right now I can't test it with a DNI 2.0.
Today I had the "good" idea to activate access through the DNIe to my bank account at BBVA. While activating access through the DNIe worked perfectly, it is now impossible to access my account through the DNI.
When you attempt the access, and after accepting to execute some Java applets (this crap often causes problems), the system remains waiting with this message: accessing BBVA through electronic DNI. Again it seems something related to the login, since at no time does it ask for the DNI password.