A quick entry this time. This week version 0.17.0 of OpenSC was released, and it supports DNIe 3.0 by default. Hopefully all the main Linux distributions will update the package and version 3.0 will finally be integrated out of the box in any Linux desktop or laptop. My personal impression is that only a few people are testing, so let's see if any bugs are still present. As always, if somebody finds an issue, please file it in the GitHub project and I will try to work on it when I have time.
I am going to take this opportunity to explain in more detail the difference between DNIe in OpenSC and the official driver provided by the Spanish government. I see that there is a lot of confusion about what is what, and a lot of people do not even know that there are two different implementations.
The FNMT (Fábrica Nacional de la Moneda y Timbre) provides a full PKCS#11 library called MultiPKCS11. This library exposes a PKCS#11-compatible API to connect to several crypto-devices (among them DNIe v2.0 and v3.0). This is the implementation you currently have to use on Linux if you want to follow the official path (the versions of OpenSC provided before are very old and almost incompatible with any modern Linux distribution). The FNMT also provides the source for that library (which I use a lot to understand the internals of the card), but it is not clear under what license those sources are distributed. Now I realize that there is documentation to compile it on a RHEL 7 box, but I have to say that I have never been able to compile it. This official PKCS#11 library can be downloaded from the FNMT download page; the MultiPKCS11 links are at the end of it.
The second implementation is the one that comes with the OpenSC project. The OpenDNIe driver is a complete, new implementation started long ago because of the mess with the source code provided by the Spanish government (license). I wrote a detailed entry about this same subject long ago. So the OpenDNIe driver integrated in OpenSC is the work of unselfish people who come and go (because we have a life too!). It was mainly started by Juan Antonio Martinez (he implemented the first fully functional driver for v2.0), then came Germán Blanco (who integrated it in OpenSC and maintained it for some years) and now me (I added v3.0 support and some minor modifications). There are and have been other nice people who collaborate in testing too (special mention to miguel-cv). But that is all. None of the people I have mentioned (me included) has any relation with the official driver or works for the FNMT. We are/were doing this for free, only because we like it. So please understand the situation.
For the moment I will try to maintain the driver in OpenSC, but you never know what will happen in the future. You can always test things with both implementations before reporting bugs or issues; that usually helps. Also remember that PKCS#11 and the web are right now quite incompatible when it comes to digital signatures: there is no standard way of signing with crypto-devices on the web, and all the techniques (applets, add-ons, ...) are problematic (there are several articles about the topic in this blog). So OpenSC/OpenDNIe is not always the culprit; the situation is much more complex than anyone would usually expect.
Enjoy the new release!