Thread: Set up and use Italian (Regione Friuli Venezia Giulia) healthcare smart-card (CRS)

  1. #1

    I know this is mainly an “Italian” topic, but there's no “Italian forum” so I'll post here: if needed, move it somewhere else. There's a Dutch thread (http://forums.opensuse.org/forums/ne...lezer-eid.html) regarding the same smart-card reader, but it's about a different openSUSE release. PM me in case.

    Here are a few instructions for setting up the smart-card (chip card) and the smart-card reader that Regione Autonoma Friuli Venezia Giulia (FVG – an Italian region) gives free to its citizens, and for using them to authenticate on a web site, on a system equipped with openSUSE 12.1 x86_64.
    The 64-bit environment is not supported by FVG but, for me, it seems to work well; however, the instructions provided by FVG for a 32-bit openSUSE environment are not complete and cannot be fully followed in a 64-bit environment.
    This guide wants to help: I hope it does. Software versions change over time (getting better …): what is stated here works for daily usage. I can't manage to unlock the smart-card (i.e. to use the PUK number or to change the PIN): a M$ Windows partition and the docs delivered by FVG help for this.

    Status quo
    Operating System: Linux 3.1.0-1.2-desktop x86_64
    Distro: openSUSE 12.1 (x86_64)
    Browser: MozillaFirefox (release 9.0.1-2.9.2-x86_64 from vendor openSUSE)
    Smart-card: not expired, second generation (that is the one with European and Italian flag and regional symbol)
    Smart-card reader: “bit4id” minilector USB, distributed by FVG

    What to do
    First, check if the reader is recognized. Insert the reader in a USB port, open a terminal, type “lsusb” (you don't need to be root). I get this:
    Code:
    Bus 002 Device 015: ID 072f:9000 Advanced Card Systems, Ltd ACR38 AC1038-based Smart Card Reader
    (reader is recognized as “ACR38”).

    All is OK, but without correct software/driver it is useless, in particular it will not be possible to use the smart-card to gain access to restricted areas of FVG web site.

    Let's begin by adding a repository: you can do as you like, I use YaST, graphical interface. As URL use:
    Index of /repositories/security:/chipcard/openSUSE_12.1
    (this repository contains newer packages of what we will install later).

    Let's install these packages:
    libpcsclite1 (version 1.8.1-68.1-x86_64 from vendor obs://build.opensuse.org/security:chipcard)
    pcsc-lite (version 1.8.1-68.1-x86_64 from vendor obs://build.opensuse.org/security:chipcard)
    perl-pcsc (version 1.4.10-12.1-x86_64 from vendor obs://build.opensuse.org/security:chipcard)
    pcsc-acr38 (version 1.7.10-23.1-x86_64 from vendor obs://build.opensuse.org/security:chipcard)
    opensc (version 0.12.2-31.1-x86_64 from vendor obs://build.opensuse.org/security:chipcard)
    pcsc-tools (version 1.4.18-1.1-x86_64 from vendor obs://build.opensuse.org/security:chipcard)

    The last one is optional, we will use it once, but it's useful to check what happens when plugging in the reader and when inserting the smart-card.

    Activate the “pcscd” daemon. Again do as you like, I use YaST (System Services – Runlevel, expert mode, “Set/Reset” button, “Enable the service” to start it when the computer powers on, “Start/Stop/Refresh” button, “Start now ...” to start it now).
    I plugged in the reader and from command line (no need to be root), I typed “pcsc_scan”, … I thought I was ready, but instead I got:
    Code:
    PC/SC device scanner
    V 1.4.18 (c) 2001-2011, Ludovic Rousseau <ludovic.rousseau@free.fr>
    Compiled with PC/SC lite version: 1.8.1
    Using reader plug'n play mechanism
    Scanning present readers...
    Waiting for the first reader...
    Not so good...
    So I rebooted (too much?) and got (OK this time):
    Code:
    PC/SC device scanner
    V 1.4.18 (c) 2001-2011, Ludovic Rousseau <ludovic.rousseau@free.fr>
    Compiled with PC/SC lite version: 1.8.1
    Using reader plug'n play mechanism
    Scanning present readers...
    0: ACS ACR38U 00 00
    
    Thu Jan 19 00:33:40 2012
    Reader 0: ACS ACR38U 00 00
      Card state: Card removed,
    Inserting the smart-card:
    Code:
    PC/SC device scanner
    V 1.4.18 (c) 2001-2011, Ludovic Rousseau <ludovic.rousseau@free.fr>
    Compiled with PC/SC lite version: 1.8.1
    Using reader plug'n play mechanism
    Scanning present readers...
    0: ACS ACR38U 00 00
    
    Thu Jan 19 00:34:59 2012
    Reader 0: ACS ACR38U 00 00
      Card state: Card inserted, 
      ATR: 3B FF 18 00 FF C1 0A 31 FE 55 00 6B 05 08 C8 0C 01 11 01 43 4E 53 10 31 80 05
    
    ATR: 3B FF 18 00 FF C1 0A 31 FE 55 00 6B 05 08 C8 0C 01 11 01 43 4E 53 10 31 80 05
    + TS = 3B --> Direct Convention
    + T0 = FF, Y(1): 1111, K: 15 (historical bytes)
      TA(1) = 18 --> Fi=372, Di=12, 31 cycles/ETU
        129032 bits/s at 4 MHz, fMax for Fi = 5 MHz => 161290 bits/s                                                                                    
      TB(1) = 00 --> VPP is not electrically connected
      TC(1) = FF --> Extra guard time: 255 (special value)
      TD(1) = C1 --> Y(i+1) = 1100, Protocol T = 1 
    -----
      TC(2) = 0A --> Work waiting time: 960 x 10 x (Fi/F)
      TD(2) = 31 --> Y(i+1) = 0011, Protocol T = 1 
    -----
      TA(3) = FE --> IFSC: 254
      TB(3) = 55 --> Block Waiting Integer: 5 - Character Waiting Integer: 5
    + Historical bytes: 00 6B 05 08 C8 0C 01 11 01 43 4E 53 10 31 80
      Category indicator byte: 00 (compact TLV data object)
        Tag: 6, len: B (pre-issuing data)
          Data: 05 08 C8 0C 01 11 01 43 4E 53
        Mandatory status indicator (3 last bytes)
          LCS (life card cycle): 10 (Proprietary)
          SW: 3180 (Error not defined by ISO 7816)
    + TCK = 05 (correct checksum)
    
    Possibly identified card (using /usr/share/pcsc/smartcard_list.txt):
    3B FF 18 00 FF C1 0A 31 FE 55 00 6B 05 08 C8 0C 01 11 01 43 4E 53 10 31 80 05
            Healtcare card (TS-CNS) - Provincia Autonoma di Trento
    Provincia Autonoma di Trento is not Regione Autonoma Friuli Venezia Giulia, but it's good anyway.
    (CTRL-C to get out from pcsc_scan command, of course).

    So now reader and smart-card are both recognized. It's time to configure Firefox to use the smart-card as an authentication method.
    Open Firefox and, in the address bar, type “about:config”, jump over the warning and type “renego” in the filter box. Choose the “security.ssl.renego_unrestricted_hosts” parameter and change it by writing the string “cartaservizi.regione.fvg.it” (as stated on FVG web site docs).
    Furthermore, in “Edit” menu, “Preferences”, “Advanced”, “Security Devices”, push “Load” button, choose something for the “Module Name” field and select “/usr/lib64/opensc-pkcs11.so” for the “Module filename” field.

    Now, once reader and smart-card are both inserted, it's possible to surf on private areas of FVG web site (carta regionale dei servizi - ROOT) and clicking on “accedi ai servizi” (https://cartaservizi.regione.fvg.it/...rsHome/Welcome), will pop up:

    1) a window asking for the PIN (personal identification number) card
    2) a window asking to choose the correct certificate to use:
    3) a web page stating that you have been authenticated successfully:
    3-bis) sometimes there's an error web page (“The connection was reset”), just hit “Try again” button.

    That's all: enjoy yourself!

  2. #2
    UPDATE - openSUSE 12.3

    Status quo
    Operating System: Linux 3.7.10-1.1-desktop
    Distro: openSUSE 12.3 (Dartmouth)(x86_64)
    Browser: MozillaFirefox 19.0.2-1.4.1-x86_64 (vendor openSUSE)
    Smart-card: not expired, second generation (that is the one with European and Italian flag and regional symbol)
    Smart-card reader: “bit4id” minilector USB, distributed by FVG

    Add this repository:
    Index of /repositories/security:/chipcard/openSUSE_12.3

    Install these packages without the smart card reader plugged-in:
    libpcsclite1 (1.8.8-94.1-x86_64) vendor obs://build.opensuse.org/security:chipcard
    pcsc-lite (1.8.8-94.1-x86_64) vendor obs://build.opensuse.org/security:chipcard
    perl-pcsc (1.4.10-16.1-x86_64) vendor obs://build.opensuse.org/security:chipcard
    pcsc-acr38 (1.7.11-15.1-x86_64) vendor obs://build.opensuse.org/security:chipcard
    opensc (0.12.2-38.1-x86_64) vendor obs://build.opensuse.org/security:chipcard
    pcsc-tools (1.4.18-1.1-x86_64) vendor obs://build.opensuse.org/security:chipcard

    Check if all is OK.
    From command line launch "pcsc_scan".
    You should get:
    [without the smart card reader]
    Code:
    ace@tm8372:~> pcsc_scan 
    PC/SC device scanner
    V 1.4.18 (c) 2001-2011, Ludovic Rousseau <ludovic.rousseau@free.fr>
    Compiled with PC/SC lite version: 1.8.8
    Using reader plug'n play mechanism
    Scanning present readers...
    Waiting for the first reader...
    [smart card reader plugged-in, but with no card inserted]
    Code:
    ace@tm8372:~> pcsc_scan 
    PC/SC device scanner
    V 1.4.18 (c) 2001-2011, Ludovic Rousseau <ludovic.rousseau@free.fr>
    Compiled with PC/SC lite version: 1.8.8
    Using reader plug'n play mechanism
    Scanning present readers...
    Waiting for the first reader...found one
    Scanning present readers...
    0: ACS ACR38U 00 00
    
    Thu Mar 21 17:48:16 2013
    Reader 0: ACS ACR38U 00 00
      Card state: Card removed,
    [smart card reader with smart card inserted]
    Code:
    ace@tm8372:~> pcsc_scan 
    PC/SC device scanner
    V 1.4.18 (c) 2001-2011, Ludovic Rousseau <ludovic.rousseau@free.fr>
    Compiled with PC/SC lite version: 1.8.8
    Using reader plug'n play mechanism
    Scanning present readers...
    Waiting for the first reader...found one
    Scanning present readers...
    0: ACS ACR38U 00 00
    
    Thu Mar 21 17:48:16 2013
    Reader 0: ACS ACR38U 00 00
      Card state: Card removed, 
    
    Thu Mar 21 17:50:22 2013
    Reader 0: ACS ACR38U 00 00
      Card state: Card inserted, 
      ATR: 3B FF 18 00 FF C1 0A 31 FE 55 00 6B 05 08 C8 0C 01 11 01 43 4E 53 10 31 80 05
    
    defined(@array) is deprecated at /usr/lib/perl5/vendor_perl/5.16.2/x86_64-linux-thread-multi/Chipcard/PCSC.pm line 69.
            (Maybe you should just omit the defined()?)
    ATR: 3B FF 18 00 FF C1 0A 31 FE 55 00 6B 05 08 C8 0C 01 11 01 43 4E 53 10 31 80 05
    + TS = 3B --> Direct Convention
    + T0 = FF, Y(1): 1111, K: 15 (historical bytes)
      TA(1) = 18 --> Fi=372, Di=12, 31 cycles/ETU
        129032 bits/s at 4 MHz, fMax for Fi = 5 MHz => 161290 bits/s
      TB(1) = 00 --> VPP is not electrically connected
      TC(1) = FF --> Extra guard time: 255 (special value)
      TD(1) = C1 --> Y(i+1) = 1100, Protocol T = 1 
    -----
      TC(2) = 0A --> Work waiting time: 960 x 10 x (Fi/F)
      TD(2) = 31 --> Y(i+1) = 0011, Protocol T = 1 
    -----
      TA(3) = FE --> IFSC: 254
      TB(3) = 55 --> Block Waiting Integer: 5 - Character Waiting Integer: 5
    + Historical bytes: 00 6B 05 08 C8 0C 01 11 01 43 4E 53 10 31 80
      Category indicator byte: 00 (compact TLV data object)
        Tag: 6, len: B (pre-issuing data)
          Data: 05 08 C8 0C 01 11 01 43 4E 53
        Mandatory status indicator (3 last bytes)
          LCS (life card cycle): 10 (Proprietary)
          SW: 3180 (Error not defined by ISO 7816)
    + TCK = 05 (correct checksum)
    
    Possibly identified card (using /usr/share/pcsc/smartcard_list.txt):
    3B FF 18 00 FF C1 0A 31 FE 55 00 6B 05 08 C8 0C 01 11 01 43 4E 53 10 31 80 05
            Healtcare card (TS-CNS) - Provincia Autonoma di Trento
    Configure Firefox.
    Open Firefox and, in the address bar, type “about:config”, jump over the warning and type “renego” in the filter box. Choose the “security.ssl.renego_unrestricted_hosts” parameter and change it by writing the string “cartaservizi.regione.fvg.it” (this is stated on FVG web site docs).
    Furthermore, in “Edit” menu, “Preferences”, “Advanced”, "Encryption", “Security Devices”, push “Load” button, choose something for the “Module Name” field and select “/usr/lib64/opensc-pkcs11.so” for the “Module filename” field.

    That's all.

    The card is a CNS (Carta Nazionale dei Servizi) not only a CRS (Carta Regionale dei Servizi) so you can use it even on different web sites.
    For example:

  3. #3
    Firefox hangs when restarted in an empty gray window or freezes after 2/3 seconds - WORKAROUND

    So you followed these instructions, but, after firefox configuration and restarting, it has stopped working.
    AFAIK the only way to get it working again is to create a new profile (from command line launch "firefox -ProfileManager") or copy back (overwrite) your Firefox profile from a backed-up one where the "/usr/lib64/opensc-pkcs11.so" was not set.
    Well, I did some homework with different releases of Firefox (even "vanilla") and it is my opinion that this is a problem related to PC/SC (pcsc-lite package) upgrade (from 1.4.18 to 1.4.21), not Firefox.
    Before running firefox check with this command:
    Code:
    pcsc_scan
    If you get:
    Code:
    PC/SC device scanner
    V 1.4.21 (c) 2001-2011, Ludovic Rousseau <ludovic.rousseau@free.fr>
    Compiled with PC/SC lite version: 1.8.10
    Using reader plug'n play mechanism
    Scanning present readers...
    Waiting for the first reader...
    OK, press Ctrl+C, insert the smart card and go on.
    BUT, if you get:
    Code:
    PC/SC device scanner
    V 1.4.21 (c) 2001-2011, Ludovic Rousseau <ludovic.rousseau@free.fr>
    Compiled with PC/SC lite version: 1.8.10
    and nothing more, press Ctrl+C, switch to root (su command) and restart the daemon (/etc/init.d/pcscd restart).

    This workaround should work. I think there's an issue with pcscd "auto exit": when the card/reader is not used for a while, something happens.
    The bad thing is that I wasn't able to recover the Firefox profile: I recreated one.
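
The check described in post #3, written as a script (an added example, not part of the original post or of pcsc-tools): it classifies captured pcsc_scan output so the banner-only hang is spotted before Firefox loads the PKCS#11 module. The function names and state labels are assumptions of this example, and the sample input is constructed from the output quoted in the thread.

```sh
#!/bin/sh
# Added example: pre-flight check for the pcscd hang described in post #3.
# Function names and state labels are this example's own, not pcsc-tools terms.

# classify_pcsc_scan: read captured pcsc_scan output on stdin, print a state.
classify_pcsc_scan() {
    out=$(cat)
    # pcsc_scan appends one "Card state:" line per event; the newest one wins.
    last=$(printf '%s\n' "$out" | grep 'Card state:' | tail -n 1) || true
    case "$last" in
        *'Card inserted'*) echo card_present; return 0 ;;
        *'Card removed'*)  echo reader_no_card; return 0 ;;
    esac
    if printf '%s\n' "$out" | grep -q 'Waiting for the first reader'; then
        echo no_reader
    elif printf '%s\n' "$out" | grep -q 'Compiled with PC/SC lite version'; then
        echo daemon_stuck   # banner only: the reader scan never started
    else
        echo unknown
    fi
}

# preflight [seconds]: sample live output and print the next step.
# pcsc_scan never exits by itself, so coreutils `timeout` stops it.
# Assumption: pcsc_scan uses default stdio buffering, so `stdbuf -oL`
# keeps the piped output line-buffered and nothing is lost at the stop.
preflight() {
    state=$(timeout "${1:-5}" stdbuf -oL pcsc_scan 2>/dev/null |
            classify_pcsc_scan)
    case "$state" in
        card_present)   echo "card present: OK to start Firefox" ;;
        reader_no_card) echo "reader found: insert the card" ;;
        no_reader)      echo "pcscd answers but sees no reader: plug it in" ;;
        daemon_stuck)   echo "pcscd not answering: as root, /etc/init.d/pcscd restart" ;;
        *)              echo "unrecognized output: is pcsc-tools installed?" ;;
    esac
    [ "$state" = card_present ]
}

# Constructed sample: the banner-only output quoted in post #3.
classify_pcsc_scan <<'EOF'
PC/SC device scanner
V 1.4.21 (c) 2001-2011, Ludovic Rousseau <ludovic.rousseau@free.fr>
Compiled with PC/SC lite version: 1.8.10
EOF
```

Run `preflight && firefox` on the real system; the script only reports the restart command from the post and does not run it, since that needs root.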

  4. #4
    UPDATE - openSUSE 13.1

    Status quo
    Operating System: Linux 3.11.10-7-desktop
    Distro: openSUSE 13.1 (Bottle)(x86_64)
    Browser: MozillaFirefox 29.0-20.1-x86_64 (vendor openSUSE)
    Smart-card: not expired, second generation (that is the one with European and Italian flag and regional symbol)
    Smart-card reader: NILOX 10NXCR12SM002 C.F. NM-G01 (“bit4id” minilector USB, distributed by FVG works the same)

    Now the 64-bit environment is supported by FVG and it is possible to unlock the smart-card (i.e. to use the PUK number or to change the PIN), but I still don't fully follow the official instructions. This is what I did: read on if you are curious.

    Add this repository:
    http://download.opensuse.org/reposit...openSUSE_13.1/

    Install these packages without the smart card reader plugged-in from the above mentioned repository:
    libpcsclite1 (1.8.11-100.1-x86_64) vendor obs://build.opensuse.org/security:chipcard
    pcsc-lite (1.8.11-100.1-x86_64) vendor obs://build.opensuse.org/security:chipcard
    perl-pcsc (1.4.10-18.3-x86_64) vendor obs://build.opensuse.org/security:chipcard
    pcsc-acr38 (1.7.11-17.2-x86_64) vendor obs://build.opensuse.org/security:chipcard (if you use “bit4id” minilector USB reader)
    pcsc-ccid (1.4.16-57.1-x86_64) vendor obs://build.opensuse.org/security:chipcard (if you use NILOX 10NXCR12SM002 reader)
    opensc (0.13.0-41.2-x86_64) vendor obs://build.opensuse.org/security:chipcard
    pcsc-tools (1.4.22-1.2-x86_64) vendor obs://build.opensuse.org/security:chipcard

    How to check if all is OK: from command line launch "pcsc_scan" (no need to be root user).
    You should get [smart card reader with smart card inserted]:
    Code:
    ace@R930-163:~> pcsc_scan 
    PC/SC device scanner
    V 1.4.22 (c) 2001-2011, Ludovic Rousseau <ludovic.rousseau@free.fr>
    Compiled with PC/SC lite version: 1.8.11
    Using reader plug'n play mechanism
    Scanning present readers...
    0: Alcor Micro AU9520 00 00
     
    Mon May  5 12:28:37 2014
    Reader 0: Alcor Micro AU9520 00 00
      Card state: Card inserted, Shared Mode, 
      ATR: 3B FF 18 00 FF C1 0A 31 FE 55 00 6B 05 08 C8 0C 01 11 01 43 4E 53 10 31 80 05
     
    defined(@array) is deprecated at /usr/lib/perl5/vendor_perl/5.18.1/x86_64-linux-thread-multi/Chipcard/PCSC.pm line 69.
            (Maybe you should just omit the defined()?)
    ATR: 3B FF 18 00 FF C1 0A 31 FE 55 00 6B 05 08 C8 0C 01 11 01 43 4E 53 10 31 80 05
    + TS = 3B --> Direct Convention
    + T0 = FF, Y(1): 1111, K: 15 (historical bytes)
      TA(1) = 18 --> Fi=372, Di=12, 31 cycles/ETU
        129032 bits/s at 4 MHz, fMax for Fi = 5 MHz => 161290 bits/s
      TB(1) = 00 --> VPP is not electrically connected
      TC(1) = FF --> Extra guard time: 255 (special value)
      TD(1) = C1 --> Y(i+1) = 1100, Protocol T = 1 
    -----
      TC(2) = 0A --> Work waiting time: 960 x 10 x (Fi/F)
      TD(2) = 31 --> Y(i+1) = 0011, Protocol T = 1 
    -----
      TA(3) = FE --> IFSC: 254
      TB(3) = 55 --> Block Waiting Integer: 5 - Character Waiting Integer: 5
    + Historical bytes: 00 6B 05 08 C8 0C 01 11 01 43 4E 53 10 31 80
      Category indicator byte: 00 (compact TLV data object)
        Tag: 6, len: B (pre-issuing data)
          Data: 05 08 C8 0C 01 11 01 43 4E 53
        Mandatory status indicator (3 last bytes)
          LCS (life card cycle): 10 (Proprietary)
          SW: 3180 (Error not defined by ISO 7816)
    + TCK = 05 (correct checksum)
     
    Possibly identified card (using /usr/share/pcsc/smartcard_list.txt):
    3B FF 18 00 FF C1 0A 31 FE 55 00 6B 05 08 C8 0C 01 11 01 43 4E 53 10 31 80 05
            Healthcare card (TS-CNS) - Provincia Autonoma di Trento
    Now it's time to configure Firefox.
    First, go to Regione FVG website and download this package: "libbit4xpki-1.2.16-2.x86_64.rpm".
    Be careful, there's the 32bit and 64bit version. (Direct link should be this http://cartaservizi.regione.fvg.it/C...ent?arrfnbr=92).
    Install the downloaded package.
    Open Firefox and, in “Edit” menu, “Preferences”, “Advanced”, "Encryption", “Security Devices”, push “Load” button, choose something for the “Module Name” field and select “/usr/lib/bit4id/libbit4xpki.so” for the “Module filename” field.

    The old "/usr/lib64/opensc-pkcs11.so" doesn't work anymore, but this one is OK. Furthermore, there is an additional program that lets you change the PIN or recover it through the PUK: "/usr/share/bit4id/bit4pin-x".

    That's all.
