Hello, Le 19/10/2012 15:02, Mathias Tausig a écrit : > I am writing a PKCS#15 application for a (cardos v4.4) smartcard which > references an external signature application. The RSA key and the PIN are > stored in that external application, the PIN needs to be verified upon every > key usage. > > To accomplish this, I have set the userConsent value in the > PrivateKeyDictionaryFile to 1. > > Here is the content of the PrkDF (output from openssl): > > 0:d=0 hl=2 l= 67 cons: SEQUENCE > 2:d=1 hl=2 l= 30 cons: SEQUENCE > 4:d=2 hl=2 l= 18 prim: UTF8STRING :Signaturschlüssel > 24:d=2 hl=2 l= 2 prim: BIT STRING > 0000 - 07 80 .. > 28:d=2 hl=2 l= 1 prim: OCTET STRING > 0000 - 11 . > 31:d=2 hl=2 l= 1 prim: INTEGER :01 > 34:d=1 hl=2 l= 14 cons: SEQUENCE > 36:d=2 hl=2 l= 1 prim: OCTET STRING :B > 39:d=2 hl=2 l= 2 prim: BIT STRING > 0000 - 05 . > 0002 - <SPACES/NULS> > 43:d=2 hl=2 l= 2 prim: BIT STRING > 0000 - 03 b8 .. > 47:d=2 hl=2 l= 1 prim: INTEGER :02 > 50:d=1 hl=2 l= 17 cons: cont [ 1 ] > 52:d=2 hl=2 l= 15 cons: SEQUENCE > 54:d=3 hl=2 l= 6 cons: SEQUENCE > 56:d=4 hl=2 l= 4 prim: OCTET STRING > 0000 - 3f 00 1f ff ?... > 62:d=3 hl=2 l= 2 prim: INTEGER :0400 > 66:d=3 hl=2 l= 1 prim: INTEGER :14 > 69:d=0 hl=2 l= 0 prim: EOC > > The problem is, that when I try to use the card with pkcs11-tool (either with > the --test option or with a --sign command), it doesn't verify the pin before > signing. Here is the relevant part of the APDU output: > > Oct 19 14:40:20 off17 pcscd[4590]: 00006755 APDU: 00 A4 08 00 02 1F FF > Oct 19 14:40:20 off17 pcscd[4590]: 00024106 SW: 90 00 > Oct 19 14:40:20 off17 pcscd[4590]: 00001410 APDU: 00 20 00 81 06 31 32 33 34 > 35 > 36 > Oct 19 14:40:20 off17 pcscd[4590]: 00048516 SW: 90 00 > Oct 19 14:40:20 off17 pcscd[4590]: 00005039 APDU: 00 A4 08 00 02 50 15 > Oct 19 14:40:20 off17 pcscd[4590]: 00024963 SW: 90 00 > Oct 19 14:40:20 off17 pcscd[4590]: 00001737 APDU: 00 A4 08 00 02 1F FF > Oct 19 14:40:20 off17 pcscd[4590]: 00028271 SW: 90 00 > Oct 19 14:40:20 off17 pcscd[4590]: 00000164 APDU: 00 22 01 B6 03 83 01 02 > Oct 19 14:40:20 off17 pcscd[4590]: 00019795 SW: 90 00 > Oct 19 14:40:20 off17 pcscd[4590]: 00000185 APDU: 00 2A 9E 9A 80 00 01 FF FF > FF > FF FF FF FF FF FF F > F FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF > FF FF FF FF FF FF FF F > F FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF > FF FF FF FF FF FF FF F > F FF FF FF FF FF FF FF FF FF FF FF FF FF FF 00 30 21 30 09 06 05 2B 0E 03 02 > 1A 05 00 04 14 04 75 9 > 5 D0 FA E9 72 FB ED 0C 51 B4 A4 1C 7A 34 9E 0C 47 BB 80 > Oct 19 14:40:20 off17 pcscd[4590]: 00039821 SW: 69 82 > > In the first two commands the signature DF (1fff) is entered and the PIN > verified, thant it switches back to the PKCS#15 DF without doing anything > there > (APDU#3). Than the signature DF is reentered and a signing command is tried > without prior authentication. > > Is this a bug, is the userConsent field not heeded, or am I missing something?
Please confirm (or not) -- in your test you are not using the current OpenSC pkcs#11 module but only using the pkcs11-tool. According to your logs, the application DF is selected between the PIN verifying and 'sign' operation. That's the behavior of the previous versions of OpenSC. Could you tell us more about the application that generates the APDUs? If it based on the older OpenSC version, try to change the 'lock_login' configuration option. > cheers > Mathias Kind regards, Viktor. > _______________________________________________ > opensc-devel mailing list > opensc-devel@lists.opensc-project.org > http://www.opensc-project.org/mailman/listinfo/opensc-devel _______________________________________________ opensc-devel mailing list opensc-devel@lists.opensc-project.org http://www.opensc-project.org/mailman/listinfo/opensc-devel
