Re: [opensc-devel] cardos split-key

2009-11-16 Thread JP Szikora
Viktor TARASOV wrote:
> JP Szikora wrote:
>> Viktor TARASOV wrote:
>>>
>>> I would try to prepare a patch, but actually I have no CardOS card 
>>> recognized by OpenSC.
>>> The card CardOS that I have is:
>>> 3b:fb:18:00:02:c1:0a:31:fe:58:56:44:53:43:34:c8:08:00:00:00:01:4a
>>> Info : CardOS V4.3B (C) Siemens AG 1994-2004
>>> Chip type: 124
>>>
>>> Any help would be greatly appreciated.
>>>
>> Hi Viktor,
>>
>> You have a strange CardOS card ;-) The ATR is not the usual CardOS 
>> 4.3B (but that can be changed) and the chip type is usually 123. Can 
>> you send a complete output of the cardos-info command?
> Hi Jean-Pierre,
>
> here it is:
>
> 3b:fb:18:00:02:c1:0a:31:fe:58:56:44:53:43:34:c8:08:00:00:00:01:4a
> Info : CardOS V4.3B (C) Siemens AG 1994-2004
> Chip type: 124
> Serial number: 27 20 ab 15 2a 12
> Full prom dump:
> 33 66 00 1B 5B 5B 5B 5B 7C FF 27 20 AB 15 2A 12 3f..|.' ..*.
> 00 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 
> OS Version: 200.8 (that's CardOS M4.3B)
> Current life cycle: 16 (operational)
> Security Status of current DF:
> Free memory : 818
> ATR Status: 0x128 unknown
> Packages installed:
> E1 09 01 04 13 02 C8 08 8F 01 01 ...
> Ram size: 4, Eeprom size: 64, cpu type: 66, chip config: 63
> Free eeprom memory: 41116
> System keys: PackageLoadKey (version 0x00, retries 10)
> System keys: StartKey (version 0xff, retries 10)
> Path to current DF:
>
>
> This card has been formatted with Vasco tools, it contains some PKCS#15 
> system.
> I know the values of PIN, SOPIN(PUK ?) but I could not verify any of 
> the PINs referenced in its EF.AOD.
Hi Viktor,

You have a 64k CardOS 4.3B card. The StartKey is still the default one 
(0xFF), but probably the erase command is protected or blocked at the 
ACL level. Need a deeper analysis. I'm not sure you can do too much with 
OpenSC and this externally formatted card. With opensc-explorer, you can 
always try to look and to understand the structure of your card.

Maybe the best is to find a clean CardOS 4.3B to play with it.

Cheers,

Jean-Pierre


___
opensc-devel mailing list
opensc-devel@lists.opensc-project.org
http://www.opensc-project.org/mailman/listinfo/opensc-devel
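
The ATR discussed in this thread can be checked by hand against ISO/IEC 7816-3. The following is an added example, not code from the thread or from OpenSC: a small decoder that walks the interface bytes, extracts the historical bytes and verifies the TCK checksum. The function name `parse_atr` is hypothetical.

```python
# Added example (not from the thread): ISO/IEC 7816-3 ATR decoder.
from functools import reduce
from operator import xor

# ATR as quoted in the thread above.
ATR_HEX = "3b:fb:18:00:02:c1:0a:31:fe:58:56:44:53:43:34:c8:08:00:00:00:01:4a"

def parse_atr(atr_hex):
    atr = bytes.fromhex(atr_hex.replace(":", "").replace(" ", ""))
    if len(atr) < 2 or atr[0] not in (0x3B, 0x3F):
        raise ValueError("bad TS byte or ATR too short")
    k = atr[1] & 0x0F          # T0 low nibble: count of historical bytes
    y = atr[1] >> 4            # T0 high nibble: which of TA1..TD1 follow
    pos, level = 2, 1
    interface, protocols = {}, []
    while True:
        td = None
        for bit, name in enumerate("ABCD"):
            if y & (1 << bit):
                if pos >= len(atr):
                    raise ValueError("truncated interface bytes")
                interface[f"T{name}{level}"] = atr[pos]
                td = atr[pos] if name == "D" else td
                pos += 1
        if td is None:
            break
        protocols.append(td & 0x0F)
        y, level = td >> 4, level + 1   # TDi announces the next group
    historical = atr[pos:pos + k]
    if len(historical) != k:
        raise ValueError("truncated historical bytes")
    pos += k
    # TCK exists only when a protocol other than T=0 is indicated;
    # the XOR of every byte from T0 through TCK must then be zero.
    tck_ok = None
    if any(p != 0 for p in protocols):
        if pos >= len(atr):
            raise ValueError("missing TCK")
        tck_ok = reduce(xor, atr[1:pos + 1]) == 0
        pos += 1
    if pos != len(atr):
        raise ValueError("unexpected trailing bytes")
    return {"interface": interface, "protocols": protocols,
            "historical": historical, "tck_ok": tck_ok}

if __name__ == "__main__":
    info = parse_atr(ATR_HEX)
    print({n: hex(v) for n, v in info["interface"].items()})
    print("protocols T=", info["protocols"], "TCK ok:", info["tck_ok"])
    # Historical bytes: ASCII "VDSC4", then c8 08 (= 200, 8, the pair
    # cardos-info prints as "OS Version: 200.8"), then 00 00 00 01.
    print(info["historical"].hex(" "))
```
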


Re: [opensc-devel] cardos split-key

2009-11-16 Thread Mats Andersson

Incidentally this ATR matches a Vasco CertiID initialized CardOS4.3b card, 
could that be what you have? I've investigated (sniffed) a card like this and 
found 3 anomalies (from a pkcs15-perspective): Empty/zero-filled EF(TokenInfo), 
wrong padChar in EF(AODF) pin object, missing pinReference in EF(AODF) (sniffed 
value used in VERIFY is 0x06).

Cheers,

/Mats

On 11/16/09 9:15 AM, "JP Szikora" wrote:

Viktor TARASOV wrote:
>
> I would try to prepare a patch, but actually I have no CardOS card
> recognized by OpenSC.
> The card CardOS that I have is:
> 3b:fb:18:00:02:c1:0a:31:fe:58:56:44:53:43:34:c8:08:00:00:00:01:4a
> Info : CardOS V4.3B (C) Siemens AG 1994-2004
> Chip type: 124
>
> Any help would be greatly appreciated.
>
Hi Viktor,

You have a strange CardOS card ;-) The ATR is not the usual CardOS 4.3B
(but that can be changed) and the chip type is usually 123. Can you send
a complete output of the cardos-info command?

Cheers,

Jean-Pierre

[opensc-devel] Re-implement PIN cache and sc_pkcs15init_authenticate (sc_keycache_get_key)

2009-11-16 Thread Aktiv Co. Aleksey Samsonov
Hello,
After changeset 3784 
http://www.opensc-project.org/opensc/changeset/3784/branches
Give special attention to:
-static void cache_pin(void *, int, const sc_path_t *, const void *, 
size_t);
and
http://www.opensc-project.org/opensc/browser/branches/martin/0.12/src/pkcs11/framework-pkcs15.c?rev=3784#L3003

Tests Rutoken ECP:

C_Login()
C_CreateObject() -> (pkcs15_create_object -> pkcs15_create_data -> 
sc_pkcs15init_store_data_object -> sc_pkcs15init_store_data -> 
sc_pkcs15init_update_file) -> sc_pkcs15init_authenticate ->
---
[opensc-pkcs11] pkcs15-lib.c:3427:sc_pkcs15init_authenticate: 
path=3f005501, op=1
[opensc-pkcs11] pkcs15-lib.c:3437:sc_pkcs15init_authenticate: r:[0x]
[opensc-pkcs11] pkcs15-lib.c:3438:sc_pkcs15init_authenticate: 
acl:[0x0805ee48]
[opensc-pkcs11] pkcs15-lib.c:3455:sc_pkcs15init_authenticate: verify
---
do_get_and_verify_secret -> sc_keycache_get_key  returned is $1 = -1407
=>
[opensc-pkcs11] misc.c:82:sc_to_cryptoki_error: opensc error: Requested 
object not found (-1407)


Minimal patch (draft):

Index: src/pkcs11/framework-pkcs15.c
===
--- src/pkcs11/framework-pkcs15.c   (revision 3852)
+++ src/pkcs11/framework-pkcs15.c   (working copy)
@@ -1009,6 +1009,9 @@

 rc = sc_pkcs15_verify_pin(card, pin, pPin, ulPinLen);
 sc_debug(context, "PIN verification returned %d\n", rc);
+   if (rc >= 0)
+   sc_keycache_put_key(&pin->path, pin->type, pin->reference,
+   pPin, ulPinLen);
 return sc_to_cryptoki_error(rc, p11card->reader);
  }

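Review bot: the added sc_keycache_put_key() call after sc_pkcs15_verify_pin() discards its return value, so a failed cache insert is silent and the later sc_keycache_get_key() lookup would still end in the -1407 shown above. Suggest capturing the result and logging it with sc_debug() without changing rc. Also confirm that this path cannot be entered with pPin == NULL before the pointer is handed to the cache.
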
@@ -1016,7 +1019,8 @@
  {
 struct pkcs15_fw_data *fw_data = (struct pkcs15_fw_data *) 
p11card->fw_data;
 int rc = 0;
-
+
+   /* FIXME: cleanup keycache, to do opposite sc_keycache_put_key */
 sc_pkcs15_pincache_clear(fw_data->p15_card);
 sc_logout(fw_data->p15_card->card);

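Review bot: logout still leaves the cached PINs in place; the only change above sc_pkcs15_pincache_clear() is a FIXME, while the other hunks start storing the user PIN with sc_keycache_put_key(). That keeps a plaintext PIN in process memory after sc_logout() and leaves it available to a later sc_keycache_get_key() lookup. The keycache entries for this card should be removed here before this goes in, not deferred. The -/+ pair on the blank line is a whitespace-only change and can be dropped.
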
@@ -1054,6 +1058,9 @@
 rc = sc_pkcs15_change_pin(fw_data->p15_card, pin, pOldPin, 
ulOldLen,
 pNewPin, ulNewLen);
 sc_debug(context, "PIN change returned %d\n", rc);
+   if (rc >= 0)
+   sc_keycache_put_key(&pin->path, pin->type, pin->reference,
+   pNewPin, ulNewLen);
 return sc_to_cryptoki_error(rc, p11card->reader);
  }

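Review bot: after sc_pkcs15_change_pin() succeeds the new PIN is stored under the same path/type/reference, but nothing visible here shows that an entry holding pOldPin is replaced rather than kept alongside it. Please confirm sc_keycache_put_key() overwrites an existing entry, or drop the old one first. This block also duplicates the one added in the first hunk; a small static helper that checks rc and logs the cache result would keep the call sites consistent.
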
@@ -1099,6 +1106,8 @@
 pkcs15_init_slot(fw_data->p15_card, slot, auth_obj);

 pin_info = (sc_pkcs15_pin_info_t *) auth_obj->data;
+   sc_keycache_put_key(&pin_info->path, pin_info->type, 
pin_info->reference,
+   pPin, ulPinLen);
 return CKR_OK;
  }


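Review bot: this sc_keycache_put_key() call is unconditional, unlike the two guarded by rc >= 0, and pin_info comes straight from auth_obj->data with no NULL check in the visible lines. If auth_obj can be NULL or carry no data at this point, &pin_info->path is a bad dereference. Suggest guarding the call and logging its result, since CKR_OK is returned regardless.
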
Any idea?


Re: [opensc-devel] swisssign cardos cards and opensc: C_CreateObjects fails because of lifecycle

2009-11-16 Thread Andreas Jellinghaus
On Monday, 16 November 2009 10:20:42, Marc Wäckerlin wrote:
> On Sunday, 15 November 2009, Andreas Jellinghaus wrote:
> > Marc/Freddy: can you recompile opensc yourself, and edit
> >  src/libopensc/card-cardos.c (look for
> >  cardos_lifecycle_set and make it return
> >  SC_ERROR_NOT_SUPPORTED) - then try again storing a
> >  certificate.
> 
> That's interesting: I did so, based on opensc-0.11.1.. This
> so compiled version of opensc does not find any slot!

make sure you run "./configure" with "--enable-pcsc",
otherwise pcsc support won't be compiled in.

Regards, Andreas


Re: [opensc-devel] cardos split-key

2009-11-16 Thread Viktor TARASOV

JP Szikora wrote:
> Viktor TARASOV wrote:
>>
>> I would try to prepare a patch, but actually I have no CardOS card 
>> recognized by OpenSC.
>> The card CardOS that I have is:
>> 3b:fb:18:00:02:c1:0a:31:fe:58:56:44:53:43:34:c8:08:00:00:00:01:4a
>> Info : CardOS V4.3B (C) Siemens AG 1994-2004
>> Chip type: 124
>>
>> Any help would be greatly appreciated.
>>
> Hi Viktor,
>
> You have a strange CardOS card ;-) The ATR is not the usual CardOS 
> 4.3B (but that can be changed) and the chip type is usually 123. Can 
> you send a complete output of the cardos-info command?

Hi Jean-Pierre,

here it is:

3b:fb:18:00:02:c1:0a:31:fe:58:56:44:53:43:34:c8:08:00:00:00:01:4a
Info : CardOS V4.3B (C) Siemens AG 1994-2004
Chip type: 124
Serial number: 27 20 ab 15 2a 12
Full prom dump:
33 66 00 1B 5B 5B 5B 5B 7C FF 27 20 AB 15 2A 12 3f..|.' ..*.
00 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 
OS Version: 200.8 (that's CardOS M4.3B)
Current life cycle: 16 (operational)
Security Status of current DF:
Free memory : 818
ATR Status: 0x128 unknown
Packages installed:
E1 09 01 04 13 02 C8 08 8F 01 01 ...
Ram size: 4, Eeprom size: 64, cpu type: 66, chip config: 63
Free eeprom memory: 41116
System keys: PackageLoadKey (version 0x00, retries 10)
System keys: StartKey (version 0xff, retries 10)
Path to current DF:


This card has been formatted with Vasco tools, it contains some PKCS#15 
system.
I know the values of PIN, SOPIN(PUK ?) but I could not verify any of the 
PINs referenced in its EF.AOD.

> Cheers,
> Jean-Pierre


Thanks,
Viktor.

--
Viktor Tarasov  


Re: [opensc-devel] swisssign cardos cards and opensc: C_CreateObjects fails because of lifecycle

2009-11-16 Thread Marc Wäckerlin
On Monday, 16 November 2009, Marc Wäckerlin wrote:
> On Sunday, 15 November 2009, Andreas Jellinghaus wrote:
> > Marc/Freddy: can you recompile opensc yourself, and
> > edit src/libopensc/card-cardos.c (look for
> >  cardos_lifecycle_set and make it return
> >  SC_ERROR_NOT_SUPPORTED) - then try again storing a
> >  certificate.
> 
> That's interesting: I did so, based on opensc-0.11.1..
>  This so compiled version of opensc does not find any
>  slot!
> 
> If I'm using libopensc2 version 0.11.8-1ubuntu1, then I
>  see the slot.
> 
> Now I'll try:
>   1. Patch on release 0.11.8
>   2. Release 0.11.11 without the patch

Unchanged release 0.11.8 does not work - probably Ubuntu 
patches the file? I'll have to try the Ubuntu Sources ...

Regards
Marc
-- 
Marc Wäckerlin
-- 
SwissSign AG > extreme security & identity
Pfingstweidstrasse 60b > CH - 8080 Zürich
Tel: +41-58/386'24'93 > Mobil: +41-79/721'23'24
marc.waecker...@tech.swisssign.com > http://swisssign.com
Secure Mailbox https://incamail.post.ch/ 
marc.waecker...@swisssign.com

SwissSign, a company of Swiss Post, protects 
and accelerates your business processes with simple 
solutions for unambiguous identification, digital signatures 
and secure communication

E-mail guidelines: http://marc.waeckerlin.org
Please quote correctly: with '>' at the start of the line


Re: [opensc-devel] swisssign cardos cards and opensc: C_CreateObjects fails because of lifecycle

2009-11-16 Thread Marc Wäckerlin
On Sunday, 15 November 2009, Andreas Jellinghaus wrote:
> Marc/Freddy: can you recompile opensc yourself, and edit
>  src/libopensc/card-cardos.c (look for
>  cardos_lifecycle_set and make it return
>  SC_ERROR_NOT_SUPPORTED) - then try again storing a
>  certificate.

That's interesting: I did so, based on opensc-0.11.1.. This 
so compiled version of opensc does not find any slot!

If I'm using libopensc2 version 0.11.8-1ubuntu1, then I see 
the slot.

Now I'll try:
  1. Patch on release 0.11.8
  2. Release 0.11.11 without the patch


Regards
Marc
-- 
mailto:m...@waeckerlin.org
http://marc.waeckerlin.org

E-mail guidelines: http://email.waeckerlin.org
 - Quote only what is necessary and prefix it with '>'.
 - No HTML/rich-text mail, no Word, etc.


Re: [opensc-devel] cardos split-key

2009-11-16 Thread JP Szikora
Viktor TARASOV wrote:
>
> I would try to prepare a patch, but actually I have no CardOS card 
> recognized by OpenSC.
> The card CardOS that I have is:
> 3b:fb:18:00:02:c1:0a:31:fe:58:56:44:53:43:34:c8:08:00:00:00:01:4a
> Info : CardOS V4.3B (C) Siemens AG 1994-2004
> Chip type: 124
>
> Any help would be greatly appreciated.
>
Hi Viktor,

You have a strange CardOS card ;-) The ATR is not the usual CardOS 4.3B 
(but that can be changed) and the chip type is usually 123. Can you send 
a complete output of the cardos-info command?

Cheers,

Jean-Pierre