Schlumberger / Axalto Cyberflex

Earlier versions of Cyberflex cards have the same filesystem interface as the Cryptoflex cards, or a very similar one. Those cards work well with OpenSC.

Newer versions, however, are pure JavaCards and will not work without a JavaApplet.

MuscleCard is open source software containing a Java Cardlet for several smart cards implementing the JavaCard standard. Support for MuscleCard has been available since OpenSC 0.11.2.

Current Test Status: Test in Progress with Schlumberger/Axalto e-gate (sealed, with a Cyberflex card inside). No other card has been tested, and these tests are still incomplete. Only for the brave! This might kill your card! No warranty whatsoever!

Initializing a JavaCard

First you need to install gpshell from the GlobalPlatform open source project:

wget http://mesh.dl.sourceforge.net/sourceforge/globalplatform/globalplatform-3.0.2.tar.gz
tar xfvz globalplatform-3.0.2.tar.gz
cd globalplatform-3.0.2
./configure --prefix=/usr
make
make install
cd ..

wget http://mesh.dl.sourceforge.net/sourceforge/globalplatform/gpshell-1.3.1.tar.gz
tar xfvz gpshell-1.3.1.tar.gz
cd gpshell-1.3.1
./configure --prefix=/usr
make
make install
cd ..

Second you need to configure PC/SC properly. GP doesn't know about OpenCT or CT-API, but OpenCT can be a PC/SC Reader.

cat > /etc/reader.conf.d/openct <<EOF
FRIENDLYNAME    OpenCT
DEVICENAME      /dev/null
LIBPATH         /usr/lib/openct-ifd.so
CHANNELID       0
EOF
update-reader.conf
/etc/init.d/pcscd restart
opensc-tool -l
opensc-tool -a -r 0

The /etc/reader.conf.d/ feature is available on Debian/Ubuntu and on Fedora as far as I know; users of other distributions will want to edit (NOT OVERWRITE) /etc/reader.conf directly. Also, only Debian/Ubuntu users need to run the update-reader.conf command. opensc-tool -l should show the OpenCT reader via PC/SC and be able to read the ATR from it.

Next you need to download the MuscleCard Applet. The Muscle Web page is at http://www.musclecard.com/ but you can download the Applet directly from http://www.identityalliance.com/CardEdgeII.ijc

Finally you need to run gpshell with these commands:

$ gpshell
mode_201
enable_trace
establish_context
card_connect -readerNumber 1
select -AID a0000000030000
open_sc -security 1 -keyind 0 -keyver 0 -mac_key 404142434445464748494a4b4c4d4e4f -enc_key 404142434445464748494a4b4c4d4e4f // Open secure channel
delete -AID A0000003230101
delete -AID A00000032301
delete -AID A00000000101
delete -AID A000000001
install -file CardEdgeII.ijc -nvDataLimit 12000 -instParam 00 -priv 2
card_disconnect
release_context

The last two "delete" commands will remove an older version of the applet.

Next you need to set the PIN codes to "00000000", so you can initialize the card. You can change the PIN codes later. (FIXME: How?)

opensc-tool -s 00:A4:04:00:06:A0:00:00:00:01:01  -s B0:2A:00:00:38:08:4D:75:73:63:6C:65:30:30:04:01:08:30:30:30:30:30:30:30:30:08:30:30:30:30:30:30:30:30:05:02:08:30:30:30:30:30:30:30:30:08:30:30:30:30:30:30:30:30:00:00:17:70:00:02:01

Now the token has a working MuscleCard Cardlet and is ready for use with OpenSC.

Using the Token with OpenSC

Sorry, not tested so far. Still getting an error.

pkcs15-tool -C -p pkcs15+onepin

FAQ

What to do on Windows?

http://sourceforge.net/projects/globalplatform has a download package of GPShell.exe for Windows, so there is no need to compile it on your own.

Download

and unzip both in the current directory. Run the same commands mentioned above and you should be fine. Note however that this is 100% untested, please report back if it works (or not) on the opensc-user or opensc-devel MailingLists. Thanks for your feedback!

Is there a tool for it?

A small tool to get some information about the cards can be found here: http://www.contrib.andrew.cmu.edu/~cg2v/jcop-opensc-0.2.tar.gz It was written for IBM JCop cards but should work as well with Cyberflex cards.

How can I format or update cards with the old applet?

If you use ID Ally, it will delete the old applet before installing the new one. gpshell should allow you to delete it: first A00000000101, then A000000001.

What can I do if I specified too small a size?

Delete A00000000101 (the instance) and reinstantiate it with a larger size. (This will delete all data / key / ... )

I'm asked about Unspecified PIN [Reference 1]

There are two APDUs that have to be run first if you use GPShell (which sets the default pins, puks, etc):

00 A4 04 00 06 A0 00 00 00 01 01 and B0 2A 00 00 38 08 4D 75 73 63 6C 65 30 30 04 01 08 30 30 30 30 30 30 30 30 08 30 30 30 30 30 30 30 30 05 02 08 30 30 30 30 30 30 30 30 08 30 30 30 30 30 30 30 30 00 00 17 70 00 02 01

Both need to be sent in one go, without a card reset in between. The first selects the Muscle applet, the second sets the default PINs to "00000000".
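
The two APDUs above are opaque hex, so it is worth decoding them offline to see exactly which PIN values they set before sending them to a card. The following Python is an added example, not part of the original page or of OpenSC; the field names for the B0 2A payload (default PIN, try counters, PIN and unblock values) are assumptions read off the length-prefixed layout of the bytes, and the 7-byte trailer is left uninterpreted.

```python
# Added example: decode the page's two APDUs offline before sending them.
# Field names for the B0 2A payload are assumptions, not taken from the page.
SELECT = "00:A4:04:00:06:A0:00:00:00:01:01"
SETUP = (
    "B0:2A:00:00:38:08:4D:75:73:63:6C:65:30:30:04:01:"
    "08:30:30:30:30:30:30:30:30:08:30:30:30:30:30:30:30:30:05:02:"
    "08:30:30:30:30:30:30:30:30:08:30:30:30:30:30:30:30:30:"
    "00:00:17:70:00:02:01"
)


def split_apdu(text):
    """Split a command APDU with a data field (CLA INS P1 P2 Lc data) and verify Lc."""
    raw = bytes.fromhex(text.replace(":", " "))
    if len(raw) < 5:
        raise ValueError("APDU shorter than its 5-byte header")
    cla, ins, p1, p2, lc = raw[:5]
    data = raw[5:]
    if lc != len(data):
        raise ValueError(f"Lc={lc} but {len(data)} data bytes follow")
    return {"cla": cla, "ins": ins, "p1": p1, "p2": p2, "data": data}


def decode_setup(data):
    """Walk the length-prefixed fields of the B0 2A data field."""
    pos = 0

    def take(n):
        nonlocal pos
        if pos + n > len(data):
            raise ValueError("payload truncated")
        chunk = data[pos:pos + n]
        pos += n
        return chunk

    def lv():  # one length byte, then that many ASCII bytes
        return take(take(1)[0]).decode("ascii")

    out = {"default_pin": lv()}
    for i in (0, 1):
        tries, unblock_tries = take(2)
        out[f"pin{i}"] = {"tries": tries, "unblock_tries": unblock_tries,
                          "pin": lv(), "unblock": lv()}
    out["trailer"] = take(len(data) - pos).hex()  # left uninterpreted
    return out


if __name__ == "__main__":
    print("selected AID:", split_apdu(SELECT)["data"].hex().upper())
    print(decode_setup(split_apdu(SETUP)["data"]))
```

The AID decoded from the first APDU is the instance AID A00000000101 used in the gpshell delete commands, and every PIN and unblock value in the second decodes to "00000000".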