Hello!

I am writing a PKCS#15 application for a (cardos v4.4) smartcard which 
references an external signature application. The RSA key and the PIN are 
stored in that external application, the PIN needs to be verified upon every 
key usage.

To accomplish this, I have set the userConsent value in the 
PrivateKeyDictionaryFile to 1.

Here is the content of the PrkDF (output from openssl):

    0:d=0  hl=2 l=  67 cons: SEQUENCE          
    2:d=1  hl=2 l=  30 cons:  SEQUENCE          
    4:d=2  hl=2 l=  18 prim:   UTF8STRING        :Signaturschlüssel
   24:d=2  hl=2 l=   2 prim:   BIT STRING        
      0000 - 07 80                                             ..
   28:d=2  hl=2 l=   1 prim:   OCTET STRING      
      0000 - 11                                                .
   31:d=2  hl=2 l=   1 prim:   INTEGER           :01
   34:d=1  hl=2 l=  14 cons:  SEQUENCE          
   36:d=2  hl=2 l=   1 prim:   OCTET STRING      :B
   39:d=2  hl=2 l=   2 prim:   BIT STRING        
      0000 - 05                                                .
      0002 - <SPACES/NULS>
   43:d=2  hl=2 l=   2 prim:   BIT STRING        
      0000 - 03 b8                                             ..
   47:d=2  hl=2 l=   1 prim:   INTEGER           :02
   50:d=1  hl=2 l=  17 cons:  cont [ 1 ]        
   52:d=2  hl=2 l=  15 cons:   SEQUENCE          
   54:d=3  hl=2 l=   6 cons:    SEQUENCE          
   56:d=4  hl=2 l=   4 prim:     OCTET STRING      
      0000 - 3f 00 1f ff                                       ?...
   62:d=3  hl=2 l=   2 prim:    INTEGER           :0400
   66:d=3  hl=2 l=   1 prim:    INTEGER           :14
   69:d=0  hl=2 l=   0 prim: EOC               

The problem is that when I try to use the card with pkcs11-tool (either with 
the --test option or with a --sign command), it doesn't verify the PIN before 
signing. Here is the relevant part of the APDU output:

Oct 19 14:40:20 off17 pcscd[4590]: 00006755 APDU: 00 A4 08 00 02 1F FF
Oct 19 14:40:20 off17 pcscd[4590]: 00024106 SW: 90 00
Oct 19 14:40:20 off17 pcscd[4590]: 00001410 APDU: 00 20 00 81 06 31 32 33 34 35 
36
Oct 19 14:40:20 off17 pcscd[4590]: 00048516 SW: 90 00
Oct 19 14:40:20 off17 pcscd[4590]: 00005039 APDU: 00 A4 08 00 02 50 15
Oct 19 14:40:20 off17 pcscd[4590]: 00024963 SW: 90 00
Oct 19 14:40:20 off17 pcscd[4590]: 00001737 APDU: 00 A4 08 00 02 1F FF
Oct 19 14:40:20 off17 pcscd[4590]: 00028271 SW: 90 00
Oct 19 14:40:20 off17 pcscd[4590]: 00000164 APDU: 00 22 01 B6 03 83 01 02
Oct 19 14:40:20 off17 pcscd[4590]: 00019795 SW: 90 00
Oct 19 14:40:20 off17 pcscd[4590]: 00000185 APDU: 00 2A 9E 9A 80 00 01 FF FF FF 
FF FF FF FF FF FF FF FF FF 
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF 
FF FF FF FF FF FF FF 
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF 
FF FF FF FF FF FF FF 
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF 00 30 21 30 09 06 05 2B 0E 03 02 
1A 05 00 04 14 04 75 
95 D0 FA E9 72 FB ED 0C 51 B4 A4 1C 7A 34 9E 0C 47 BB 80
Oct 19 14:40:20 off17 pcscd[4590]: 00039821 SW: 69 82

In the first two commands the signature DF (1fff) is entered and the PIN 
verified, then it switches back to the PKCS#15 DF without doing anything there 
(APDU#3). Then the signature DF is re-entered and a signing command is tried 
without prior authentication.

Is this a bug, is the userConsent field not heeded, or am I missing something?

cheers
Mathias

_______________________________________________
opensc-devel mailing list
opensc-devel@lists.opensc-project.org
http://www.opensc-project.org/mailman/listinfo/opensc-devel
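The check Mathias does by eye above, as an added example that is not part of the original post and is not OpenSC or CardOS code: a small Python script that decodes a pcscd APDU trace (re-joining hex dumps that syslog or a mail client wrapped mid-byte), names each command and status word, and reports a PSO: COMPUTE DIGITAL SIGNATURE that is issued while no VERIFY has succeeded in the DF selected at signing time. The embedded trace is constructed from the one in the post; its PSO body is re-chunked so the data field is exactly the 0x80 bytes the Lc field announces, followed by the Le byte. The checker's security-state model (a VERIFY counts only inside the DF it was done in, and selecting another DF drops it) is an assumption of this script, matching the behaviour the post describes, not a statement about CardOS.

```python
"""Decode a pcscd APDU trace and flag a PSO: COMPUTE DIGITAL SIGNATURE sent
without a successful VERIFY in the DF selected at signing time.
Handles hex dumps that syslog or a mail client wrapped mid-byte."""
import re
from dataclasses import dataclass

# Constructed sample based on the trace in the post. The PSO body is
# re-chunked to exactly the 0x80 data bytes its Lc announces, plus Le;
# two bytes are split across line breaks ("F\nF", "9\n5") as in the post.
_PFX = "Oct 19 14:40:20 off17 pcscd[4590]: "
SAMPLE_TRACE = (
    _PFX + "00006755 APDU: 00 A4 08 00 02 1F FF\n"
    + _PFX + "00024106 SW: 90 00\n"
    + _PFX + "00001410 APDU: 00 20 00 81 06 31 32 33 34 35\n36\n"
    + _PFX + "00048516 SW: 90 00\n"
    + _PFX + "00005039 APDU: 00 A4 08 00 02 50 15\n"
    + _PFX + "00024963 SW: 90 00\n"
    + _PFX + "00001737 APDU: 00 A4 08 00 02 1F FF\n"
    + _PFX + "00028271 SW: 90 00\n"
    + _PFX + "00000164 APDU: 00 22 01 B6 03 83 01 02\n"
    + _PFX + "00019795 SW: 90 00\n"
    + _PFX + "00000185 APDU: 00 2A 9E 9A 80 00 01 F\nF " + "FF " * 89
    + "00 30 21 30 09 06 05 2B 0E 03 02 1A 05 00 04 14 04 75 9\n"
    + "5 D0 FA E9 72 FB ED 0C 51 B4 A4 1C 7A 34 9E 0C 47 BB 80\n"
    + _PFX + "00039821 SW: 69 82\n"
)

_REC = re.compile(r"pcscd\[\d+\]: \d+ (APDU|SW): (.*)$")
INS_NAMES = {0xA4: "SELECT FILE", 0x20: "VERIFY",
             0x22: "MANAGE SECURITY ENVIRONMENT", 0x2A: "PERFORM SECURITY OPERATION"}


def parse_trace(text):
    """Return [(apdu_bytes, sw_bytes), ...]. Lines without a pcscd prefix are
    continuations of the previous hex dump; all whitespace is stripped before
    decoding, so a byte split across two lines is re-joined."""
    records = []
    for line in text.splitlines():
        m = _REC.search(line)
        if m:
            records.append([m.group(1), m.group(2)])
        elif records:
            records[-1][1] += line
    decoded = [(k, bytes.fromhex(re.sub(r"\s+", "", h))) for k, h in records]
    if len(decoded) % 2 or any(k != ("APDU", "SW")[i % 2] for i, (k, _) in enumerate(decoded)):
        raise ValueError("trace must alternate APDU / SW records")
    return [(decoded[i][1], decoded[i + 1][1]) for i in range(0, len(decoded), 2)]


def describe(apdu):
    """Human-readable command name from INS P1 P2 (ISO 7816-4 names)."""
    ins, p1, p2 = apdu[1], apdu[2], apdu[3]
    name = INS_NAMES.get(ins, f"INS {ins:02X}")
    if ins == 0x2A and (p1, p2) == (0x9E, 0x9A):
        name += ": COMPUTE DIGITAL SIGNATURE"
    return name


def sw_text(sw):
    """Status word to text for the cases that matter here."""
    if sw == b"\x90\x00":
        return "OK"
    if sw == b"\x69\x82":
        return "security status not satisfied"
    if sw[0] == 0x63 and sw[1] & 0xF0 == 0xC0:
        return f"verification failed, {sw[1] & 0x0F} tries left"
    return "SW " + sw.hex().upper()


@dataclass
class Finding:
    index: int      # position of the APDU/SW pair in the trace
    message: str


def audit(pairs):
    """Checker model (an assumption of this script, not a CardOS statement):
    a VERIFY counts only for the DF it was done in, and SELECTing a different
    DF drops it. A signature without a live VERIFY is reported."""
    current_df, verified, findings = None, False, []
    for i, (apdu, sw) in enumerate(pairs):
        ins, p1, p2 = apdu[1], apdu[2], apdu[3]
        body = apdu[4:]
        data = body[1:1 + body[0]] if body else b""
        if body and len(body) - 1 not in (body[0], body[0] + 1):  # data, or data + Le
            findings.append(Finding(i, f"Lc={body[0]} but {len(body) - 1} bytes follow"))
        if ins == 0xA4 and sw == b"\x90\x00":
            path = data.hex().upper()
            if path != current_df:
                current_df, verified = path, False
        elif ins == 0x20:
            findings.append(Finding(i, "VERIFY carries the PIN in clear; this log leaks it"))
            verified = verified or sw == b"\x90\x00"
        elif ins == 0x2A and (p1, p2) == (0x9E, 0x9A) and not verified:
            findings.append(Finding(i, f"signature in DF {current_df} without VERIFY since "
                                       f"that DF was selected; card said: {sw_text(sw)}"))
    return findings


if __name__ == "__main__":
    pairs = parse_trace(SAMPLE_TRACE)
    for i, (apdu, sw) in enumerate(pairs):
        print(f"{i}: {describe(apdu):52s} -> {sw_text(sw)}")
    for f in audit(pairs):
        print(f"finding at #{f.index}: {f.message}")
```

Run against the posted exchange it reports two things: the signature at pair 5 is attempted in DF 1FFF with no VERIFY since that DF was re-selected (the card's 69 82 says the same), and the VERIFY at pair 1 carries the PIN as plain ASCII (31 32 33 34 35 36), which is why a pcscd APDU debug log should not be shared unredacted.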
