Andre Zepezauer wrote:
> On Wed, 2010-11-03 at 10:48 +0100, Viktor TARASOV wrote:
>
>> Andre Zepezauer wrote:
>>
>>> On Tue, 2010-11-02 at 21:54 +0000, Mr Dash Four wrote:
>>>
>>>>> Opensc-explorer shows me the content of CIAInfo.bin without
>>>>> pin-verification. Does that answer your question?
>>>>>
>>>> Yeah, just about. Why do you think that is? Could this be a
>>>> manufacturer-related issue?
>>>>
>>> No, that's a new bug in OpenSC. Somewhere in the framework (especially
>>> in pkcs15init), the access conditions are handled the wrong way.
>>>
>> What card are you using?
>> What card profile are you using?
>> Can you post here the debug (=8) logs from your
>> card initialization and 'create data object' sequence, please?
>>
>>
>> With CardOS v4.3b I'm getting the expected results:
>>
>> # cardos-tool -f
>> Using reader with a card: OmniKey CardMan 3121 00 00
>> card in administrative state, ok
>>
>> # pkcs15-init -E
>> Using reader with a card: OmniKey CardMan 3121 00 00
>>
>> # pkcs15-init -C --label "IDX-SCM" -P --auth-id 53434D --so-pin
>> "12345678" --so-puk "123456" --pin "9999" --puk "8888"
>> Using reader with a card: OmniKey CardMan 3121 00 00
>>
>> # pkcs15-init -W ../tests/sha1.hex --label "MyLabel" --application-name
>> "MyData" --application-id "1.2.3.4.5.6" --auth-id 53434D --pin "9999"
>> Using reader with a card: OmniKey CardMan 3121 00 00
>> Security officer PIN [Security Officer PIN] required.
>> Please enter Security officer PIN [Security Officer PIN]:
>>
>> # pkcs15-tool -C
>> Using reader with a card: OmniKey CardMan 3121 00 00
>> Reading data object <0>
>> applicationName: MyData
>> Label: MyLabel
>> applicationOID: 1.2.3.4.5.6
>> Path: 3f0050153403
>> Auth ID: 53434d
>>
>> # opensc-explorer
>> OpenSC Explorer version 0.12.0-rc1
>> Using reader with a card: OmniKey CardMan 3121 00 00
>> OpenSC [3F00]> cd 5015
>> OpenSC [3F00/5015]> cat 3403
>> read failed: Security status not satisfied
>> ACL for operation: CHV3
>> OpenSC [3F00/5015]> verify CHV3 39:39:39:39:00:00:00:00
>> Code correct.
>> OpenSC [3F00/5015]> cat 3403
>> 00000000: 66 37 65 34 30 63 32 30 34 39 66 39 34 32 66 33 f7e40c2049f942f3
>> 00000010: 65 34 35 64 39 36 34 37 34 32 34 30 30 33 34 39 e45d964742400349
>> 00000020: 64 36 64 30 63 65 37 34 0A d6d0ce74.
>> OpenSC [3F00/5015]>
>>
>
> $pkcs15-init -C -c cardos -p pkcs15 --so-pin=12345678
> Unblock Code for New User PIN (Optional - press return for no PIN).
> Please enter User unblocking PIN (PUK): [[return]]
>
With such card initialisation it's quite natural to have non-protected 'private data'.

File operations on the 'Private data' are protected by UserPIN:
http://www.opensc-project.org/opensc/browser/trunk/src/pkcs15init/cardos.profile#L108

If UserPIN is not defined, then, when creating a new file, the corresponding ACLs are set to 'NONE':
http://www.opensc-project.org/opensc/browser/trunk/src/pkcs15init/pkcs15-lib.c#L3387

> $pkcs15-init -W CIAInfo.bin --application-id "1.2.3" -l "MyObject" -a ff
> Security officer PIN [Security Officer PIN] required.
> Please enter Security officer PIN [Security Officer PIN]: 12345678
>
> Now use opensc-explorer. Yesterday I had this working with user-pins
> too. Will try to reproduce that later.
>

--
Viktor Tarasov <viktor.tara...@opentrust.com>
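
One way to audit a card for the condition discussed in this thread, added here as an example (it is not part of the original message and not OpenSC code): the Python below reads a captured opensc-explorer session and reports which files `cat` returned before any successful `verify`. The transcript is constructed in the output format quoted in the thread; file 3404 and its contents are hypothetical.

```python
import re

# Constructed transcript in the opensc-explorer output format quoted in the thread.
# 3403 is the PIN-protected object from the thread; 3404 is a hypothetical
# object created on a card that was initialised without a User PIN.
TRANSCRIPT = """\
OpenSC [3F00]> cd 5015
OpenSC [3F00/5015]> cat 3404
00000000: 73 65 63 72 65 74 0A secret.
OpenSC [3F00/5015]> cat 3403
read failed: Security status not satisfied
ACL for operation: CHV3
OpenSC [3F00/5015]> verify CHV3 39:39:39:39:00:00:00:00
Code correct.
OpenSC [3F00/5015]> cat 3403
00000000: 66 37 65 34 30 63 32 30 34 39 66 39 34 32 66 33 f7e40c2049f942f3
"""

PROMPT = re.compile(r"^OpenSC \[([0-9A-Fa-f/]+)\]> (\S+)\s*(.*)$")
HEXDUMP = re.compile(r"^[0-9A-Fa-f]{8}: ")

def audit(transcript):
    """Return (unprotected, protected) file paths seen in `cat` commands."""
    unprotected, protected = [], []
    verified = False   # assumption: any successful verify authenticates later reads
    pending = None     # path of the `cat` whose output is being read
    for line in transcript.splitlines():
        m = PROMPT.match(line)
        if m:
            cwd, cmd, arg = m.groups()
            pending = f"{cwd}/{arg.upper()}" if cmd == "cat" and arg else None
        elif line.startswith("Code correct"):
            verified = True
        elif pending and "Security status not satisfied" in line:
            protected.append(pending)      # card refused the read: ACL enforced
            pending = None
        elif pending and HEXDUMP.match(line):
            if not verified:               # data returned with no PIN presented
                unprotected.append(pending)
            pending = None
    return unprotected, protected

if __name__ == "__main__":
    open_files, guarded = audit(TRANSCRIPT)
    print("readable without PIN:", open_files)
    print("refused without PIN: ", guarded)
```

Capture the session before running any `verify`, so that every `cat` reflects the card's state with no PIN presented.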