DNIe support got merged by code from the OpenDNIe fork, by pull request #168. The code is now in Master. OpenSC software which you can download from this website still does NOT support the Spanish Ceres cards.
DNIe is one of the SpanishEid-s. There exists a patch for OpenSC which adds support for DNIe in OpenSC. http://opendnie.cenatic.es/
There are two different OpenSC implementations for Spanish National eID card (DNIe) support
- The official one provided by Spanish Dirección General de la policía y de la Guardia Civil (DGP) is based in OpenSC-0.11.8, released under GPLv3. It’s not being currently mantained
- OpenDNIe is an alternate LGPL implementation, written from scratch based on several documents and forums around DNIe. It’s intended to be integrated into OpenSC mainstream, so is actively mantained and synced with OpenSC repository
You can find the (unmaintained) original GPLv3 DGP’s source code used at Spanish Police web page. OpenDNIe repository can be found at Cenatic Foundation site
From the public administration point of view the card has been procured by the Ministry of Interior, The chip card is a ST19WL34 provided by ST Microelectrónics and software has been procured by Fabrica Nacional De Moneda y Timbre.
The DNIe card software is closely related to ’’FNMT’s Ceres card’’, being very similar in structure and design.
OpenDNIe is copyright 2011 of Juan Antonio Martinez < jonsito @ terra dot es >
Resources:
- The official home page for the Spanish DNIe is http://www.dnielectronico.es
- The OpenDNIe web page is http://opendnie.cenatic.es
- The main reference for DNIe internals is their Reference Manual: http://forja.cenatic.es/docman/view.php/160/666/manual_tecnico_dnie.pdf
- Reference to card chip at ST site: http://www.st.com/internet/mcu/product/85241.jsp
- Link to Ceres Card info: http://www.cert.fnmt.es/index.php?cha=cit&sec=9&page=85
- OpenSC Install & configure options for OpenDNIe card: http://opendnie.cenatic.es/wiki/index.php/Documentacion_OpenDNIe_Instalacion
This is what is present when you dump the pkcs15 structure of a DNIe
PKCS#15 Card [DNI electrónico]:
Version : 0
Serial number : 06B62458828132
Manufacturer ID: DGP-FNMT
Flags : Login required, PRN generation
PIN [PIN1]
Object Flags : [0x3], private, modifiable
ID : 01
Flags : [0x211], case-sensitive, initialized, integrity-protected
Length : min_len:4, max_len:16, stored_len:8
Pad char : 0x00
Reference : 1
Type : ascii-numeric
Private RSA Key [KprivAutenticacion]
Object Flags : [0x3], private, modifiable
Usage : [0xC], sign, signRecover
Access Flags : [0x1D], sensitive, alwaysSensitive, neverExtract, local
ModLength : 2048
Key ref : 1 (0x1)
Native : yes
Path : 3f003f110101
Auth ID : 01
ID : 4130364236323435383832383133323230313031313131313634303236
GUID : {41303642-3632-3435-3838-323831333232}
Private RSA Key [KprivFirmaDigital]
Object Flags : [0x3], private, modifiable
Usage : [0x20C], sign, signRecover, nonRepudiation
Access Flags : [0x1D], sensitive, alwaysSensitive, neverExtract, local
ModLength : 2048
Key ref : 2 (0x2)
Native : yes
Path : 3f003f110102
Auth ID : 01
ID : 4630364236323435383832383133323230313031313131313634303236
GUID : {46303642-3632-3435-3838-323831333232}
Public RSA Key [KpuAutenticacion]
Object Flags : [0x3], private, modifiable
Usage : [0xC0], verify, verifyRecover
Access Flags : [0x12], extract, local
ModLength : 2048
Key ref : 1
Native : yes
Path : 3f003f110101
Auth ID : 01
ID : 4130364236323435383832383133323230313031313131313634303236
Public RSA Key [KpuFirmaDigital]
Object Flags : [0x3], private, modifiable
Usage : [0x2C0], verify, verifyRecover, nonRepudiation
Access Flags : [0x12], extract, local
ModLength : 2048
Key ref : 2
Native : yes
Path : 3f003f110102
Auth ID : 01
ID : 4630364236323435383832383133323230313031313131313634303236
X.509 Certificate [CertAutenticacion]
Object Flags : [0x3], private, modifiable
Authority : no
Path : 3f0060817004
ID : 4130364236323435383832383133323230313031313131313634303236
GUID : {41303642-3632-3435-3838-323831333232}
X.509 Certificate [CertFirmaDigital]
Object Flags : [0x3], private, modifiable
Authority : no
Path : 3f0060817005
ID : 4630364236323435383832383133323230313031313131313634303236
GUID : {46303642-3632-3435-3838-323831333232}
X.509 Certificate [CertCAIntermediaDGP]
Object Flags : [0x2], modifiable
Authority : no
Path : 3f0060617006
ID : 5330364236323435383832383133323230313031313131313634303236
GUID : {53303642-3632-3435-3838-323831333232}
Encoded serial : 02 10 642066C9997BAEE14402DA6EA422D649
Reading data object <0>
applicationName: 0000
Label: ADMIN_DatosFiliacion
applicationOID: NONE
Path: 3f0060317001
Auth ID: 01
Reading data object <1>
applicationName: 0000
Label: ADMIN_ImagenFacial
applicationOID: NONE
Path: 3f0060317002
Auth ID: 01
Reading data object <2>
applicationName: 0000
Label: ADMIN_ImagenFirma
applicationOID: NONE
Path: 3f0060317003
Auth ID: 01
Aditionaly there are some other data available:
- Certificates used to stablish Secure Messaging Channel ( according CWA14890-1 standard )
- EF 3F00/6020: ICC intermediate CA certificate in CVC ( CardVerifiableCertificate ) format
- EF 3F00/601F: ICC Certificate ( CVC format )
- Extra information about card
- EF 3F00/0006: IDESP ( Card Serial Number)
- EF 3F00/2F03: DNIe card software version (not available in every cards)
- Chip Serial Number can be obtained by mean of APDU 90 B8 00 00 07
- There is no EF nor ED files available
- PIN related data are stored at 3F00/0000, but no read/write operations available on this EF
DataObjects shown in pkcs15 structure are only readables with special unpublished software at Police’s office
Public and Private keys are stored together in the same EF (A propietary file type 15 is returned from FCI) so public keys are not readables, and need to be extracted from certificates
The card stores Three certificates (PIN-CHV1 protected):
- User Certificate (Authentication)
- User Certificate (Signature)
- Intermediate CA Certificate
These certificates are stored in compressed format
From DGP’s page:
Tag Value Meaning TS 0x3B Direct Convention T0 0x7F Y1=0x07=0111; TA1,TB1 y TC1 present. K=0x0F=1111; 15 historical bytes TA1 0x38 FI (Factor de conversión de la tasa de reloj) = 744 DI (Factor de ajuste de la tasa de bits) = 12 Máx 8 Mhz. TB1 0x00 No Vpp (programming voltage) required TC1 0x00 No additional wait time required. H1 0x00 Not used H2 0x6A Issuer data (10 bytes) H3 0x44 'D' H4 0x4E 'N' H5 0x49 'I' H6 0x65 'e' ( stands for 'DNIe' keyword ) H7 Incorporated Match-On-Card technology issuer 0x10 SAGEM 0x20 SIEMENS H8 0x02 IC manufacturer: STMicroelectronics. H9 0x4C H10 0x34 IC type: 19WL34 H11 0x01 MSB OS version: 1 H12 0x1v LSB OS version: 1v H13 Life cycle phase 0x00 pre-personalization. 0x01 personalization. 0x03 user. 0x0F final. H14 0xss H15 0xss (2) Status bytes
H13-H15: 0×03 0×90 0×00 user phase
H13-H15: 0×0F 0×65 0×81 final phase: unoperative card
The ATR’s and masks used in OpenSC are:
- Running (user lifecycle) cards
“3B:7F:00:00:00:00:6A:44:4E:49:65:00:00:00:00:00:00:03:90:00”,
“FF:FF:00:FF:FF:FF:FF:FF:FF:FF:FF:00:00:00:00:00:00:FF:FF:FF”, - Invalidated (final phase) cards
“3B:7F:00:00:00:00:6A:44:4E:49:65:00:00:00:00:00:00:0F:65:81”,
“FF:FF:00:FF:FF:FF:FF:FF:FF:FF:FF:00:00:00:00:00:00:FF:FF:FF”,
- DNIe supports PKCS1 padding and SHA1 hashes with 1024/2048bit RSA keys
- Secure Messaging according CWA14890 standard is used to perform any critical task
- DNIe does not support Logical Channels as described in ISO7816-4. So every comunication
with the card require the use of a single SM channel. This leads to many concurrency problems - DNIe requieres PIN (CHV1) to access UserCertificates
- As shown in pkcs15 tree, public and private keys are stored together in the same EF file, this
makes “pkcs15-tool —read-public-keys” to fail - The chip is prone to self-destroy on voltage level changes. NEVER plug/unplug reader with DNIe inserted
- Some critical task needs to be done at Police’s station with special hard/soft: Change/unlock pin, Certificate renewal
- DNIe does not support APDU chaining, instead envelope cmd is issued by mean of a propietary apdu ( CLA 90 + envelope cmd )
Current implementation of DNIe OpenSC driver consists in:
- card-dnie.c the (read-only) card driver
- pkcs15-dnie.c a very simple emulation layer that fixes cert paths and ID’s
- cwa14890.c and cwa14890.h card-independent implementation for CWA14890 standard for Secure Messaging
- cwa-dnie.c DNIe Data provider for cwa14890.c, that provides (local) keys and certificates required to complain with cwa14890 SM protocol
- A wrap funcion for sc_transmit_apdu() method, that catches al apdu requests, and translates into SM format when required
- several glue patches
OpenDNIe repository is synced with OpenSC mainstream trunk
There is also nigthly builds availables for Windows32/64 and MacOS