Re: [opensc-devel] Patch to MyEID profile
Hi,

> -----Original Message-----
> From: Viktor TARASOV
>
> Hi,
>
> Aventra development wrote:
> >
> > Here is a small patch that modifies the MyEID profile. This profile now initializes the cards like we want them (users are of course free to modify the profile to get cards like they want, but we think this should be the default).
> >
> > I suppose the ACL for card initialization (clearing card) is not desired to be NONE and therefore we undefined the KEEP_AC_NONE_FOR_INIT_APPLET, and you can anyway set it to anything you like by configuring the profile.
>
> Your patch does not work for me when applied to trunk.
>
> The reasons are:
> - the actual implementation of pkcs15init needs to verify the 'DELETE' acl of the PKCS15-AppDF when doing 'create object' operations. So you have to set it to 'NONE' or 'User PIN';
> - take into account my mail http://www.opensc-project.org/pipermail/opensc-devel/2010-September/014865.html illustrated by the diff from http://www.opensc-project.org/pipermail/opensc-devel/2010-September/014867.html
>
> In the attachment there is a diff for myeid.profile (relative to trunk) that actually 'works for me'.

Thanks Viktor, your profile patch looks good. I did not test the patch I posted against current trunk, instead I used a snapshot from changeset 4707, sorry about that.

> > There is a downside with this configuration, pkcs15-init now asks many times (5 times I think) for the USER PIN when it initializes the MyEID card and creates the required files (it does not matter what you enter, because it won't be verified since the card is in creation state).
>
> I propose you use the '--pin' argument for the 'pkcs15-init' command.
>
> > Pkcs15-init creates the SO-PIN, but not the USER PIN. It would be nice if pkcs15-init would create both PINs, since it is built to support two PINs (User and SO). Currently we create the user pin after initialization and finalize the card after that. If somebody knows how to get rid of the unnecessary user PIN queries please apply a fix or help us do it.
>
> Pkcs15-init creates both PINs with this kind of command:
> #pkcs15-init -C --label "IDX-SCM" -P --auth-id 53434D --so-pin "12345678" --so-puk "123456" --pin "" --puk "" -F

Great, this makes the initialization much nicer.

> #pkcs15-tool --list-pins
> Using reader with a card: OmniKey CardMan 3121 00 00
> PIN [Security Officer PIN]
>     Object Flags   : [0x3], private, modifiable
>     ID             : ff
>     Flags          : [0xB0], initialized, needs-padding, soPin
>     Length         : min_len:4, max_len:8, stored_len:8
>     Pad char       : 0xFF
>     Reference      : 3
>     Type           : ascii-numeric
>     Path           :
>
> PIN [IDX-SCM]
>     Object Flags   : [0x3], private, modifiable
>     ID             : 53434d
>     Flags          : [0x30], initialized, needs-padding
>     Length         : min_len:4, max_len:8, stored_len:8
>     Pad char       : 0xFF
>     Reference      : 1
>     Type           : ascii-numeric
>     Path           :
>
> > Please apply this small patch, thanks!
> >
> > Kind regards,
> >
> > Toni
>
> Kind wishes,
> viktor.

Best wishes,
Toni

___
opensc-devel mailing list
opensc-devel@lists.opensc-project.org
http://www.opensc-project.org/mailman/listinfo/opensc-devel
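A small lint over the profile ACL syntax used in this thread, written as an added example (not OpenSC code, and not Viktor's or Toni's patch), that checks the two constraints discussed above: the PKCS15-AppDF 'DELETE' acl must be NONE or $PIN because pkcs15init verifies it on 'create object', and the MF 'DELETE' acl, which the thread ties to clearing the card, should not be NONE. The profile excerpt is constructed and the parser only understands the 'DF/EF name {' and 'acl = ...;' lines that appear in the diff.

```python
import re

# Constructed profile excerpt (not the shipped myeid.profile): MF keeps the old
# DELETE=NONE, PKCS15-AppDF locks DELETE to the SO PIN, ODF uses the "*=NEVER" default.
SAMPLE_PROFILE = """
DF MF {
    path = 3F00;
    acl = CREATE=$SOPIN,DELETE=NONE;
    DF PKCS15-AppDF {
        file-id = 5015;
        acl = DELETE=$SOPIN, CREATE=$PIN;
        EF PKCS15-ODF {
            file-id = 5031;
            acl = *=NEVER, READ=NONE, UPDATE=$PIN, DELETE=$SOPIN;
        }
    }
}
"""

def parse_acls(text):
    """Map each DF/EF name to {operation: condition} taken from its 'acl = ...;' line."""
    stack, acls = [], {}
    for raw in text.splitlines():
        line = raw.strip()
        block = re.match(r'^(?:DF|EF)\s+(\S+)\s*\{$', line)
        if block:
            stack.append(block.group(1))          # enter a nested file block
        elif line == '}':
            stack.pop()                           # leave it
        elif line.startswith('acl') and stack:
            body = line.split('=', 1)[1].rstrip(';')
            pairs = (entry.strip().split('=', 1) for entry in body.split(','))
            acls[stack[-1]] = {op.strip(): cond.strip() for op, cond in pairs}
    return acls

def effective(acl, op):
    """Condition for one operation; an explicit entry wins over the '*' default."""
    return acl.get(op, acl.get('*'))

def lint(acls):
    """Checks taken from the thread: AppDF DELETE must be NONE or $PIN so that
    'create object' can pass the acl check; MF DELETE=NONE means anyone can erase."""
    problems = []
    appdf_delete = effective(acls.get('PKCS15-AppDF', {}), 'DELETE')
    if appdf_delete not in ('NONE', '$PIN'):
        problems.append(f'PKCS15-AppDF: DELETE={appdf_delete}, must be NONE or $PIN')
    if effective(acls.get('MF', {}), 'DELETE') == 'NONE':
        problems.append('MF: DELETE=NONE lets anyone erase the card')
    return problems
```

Running `lint(parse_acls(SAMPLE_PROFILE))` reports both findings for the constructed excerpt; Viktor's diff (AppDF DELETE=$PIN, MF DELETE=$SOPIN) passes clean.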
Re: [opensc-devel] Patch to MyEID profile
Hi,

Aventra development wrote:
> Here is a small patch that modifies the MyEID profile. This profile now initializes the cards like we want them (users are of course free to modify the profile to get cards like they want, but we think this should be the default).
>
> I suppose the ACL for card initialization (clearing card) is not desired to be NONE and therefore we undefined the KEEP_AC_NONE_FOR_INIT_APPLET, and you can anyway set it to anything you like by configuring the profile.

Your patch does not work for me when applied to trunk.

The reasons are:
- the actual implementation of pkcs15init needs to verify the 'DELETE' acl of the PKCS15-AppDF when doing 'create object' operations. So you have to set it to 'NONE' or 'User PIN';
- take into account my mail http://www.opensc-project.org/pipermail/opensc-devel/2010-September/014865.html illustrated by the diff from http://www.opensc-project.org/pipermail/opensc-devel/2010-September/014867.html

In the attachment there is a diff for myeid.profile (relative to trunk) that actually 'works for me'.

> There is a downside with this configuration, pkcs15-init now asks many times (5 times I think) for the USER PIN when it initializes the MyEID card and creates the required files (it does not matter what you enter, because it won't be verified since the card is in creation state).

I propose you use the '--pin' argument for the 'pkcs15-init' command.

> Pkcs15-init creates the SO-PIN, but not the USER PIN. It would be nice if pkcs15-init would create both PINs, since it is built to support two PINs (User and SO). Currently we create the user pin after initialization and finalize the card after that. If somebody knows how to get rid of the unnecessary user PIN queries please apply a fix or help us do it.

Pkcs15-init creates both PINs with this kind of command:
#pkcs15-init -C --label "IDX-SCM" -P --auth-id 53434D --so-pin "12345678" --so-puk "123456" --pin "" --puk "" -F

#pkcs15-tool --list-pins
Using reader with a card: OmniKey CardMan 3121 00 00
PIN [Security Officer PIN]
    Object Flags   : [0x3], private, modifiable
    ID             : ff
    Flags          : [0xB0], initialized, needs-padding, soPin
    Length         : min_len:4, max_len:8, stored_len:8
    Pad char       : 0xFF
    Reference      : 3
    Type           : ascii-numeric
    Path           :

PIN [IDX-SCM]
    Object Flags   : [0x3], private, modifiable
    ID             : 53434d
    Flags          : [0x30], initialized, needs-padding
    Length         : min_len:4, max_len:8, stored_len:8
    Pad char       : 0xFF
    Reference      : 1
    Type           : ascii-numeric
    Path           :

> Please apply this small patch, thanks!
>
> Kind regards,
>
> Toni

Kind wishes,
viktor.

Index: src/pkcs15init/myeid.profile === --- src/pkcs15init/myeid.profile(révision 4767) +++ src/pkcs15init/myeid.profile(copie de travail) @@ -53,8 +53,8 @@ PIN user-puk { min-length = 4; max-length = 8; -attempts = 10; -flags = needs-padding; +attempts = 10; +flags = needs-padding; } PIN so-pin { @@ -80,7 +80,7 @@ DF MF { path = 3F00; type = DF; -acl = CREATE=$SOPIN,DELETE=NONE; +acl = CREATE=$PIN, DELETE=$SOPIN; # This is the DIR file EF DIR { @@ -92,13 +92,13 @@ DF PKCS15-AppDF { type = DF; file-id = 5015; -acl = DELETE=NONE, CREATE=$SOPIN; +acl = DELETE=$PIN, CREATE=$PIN; EF PKCS15-ODF { file-id = 5031; structure = transparent; size = $odf-size; - acl = READ=NONE, UPDATE=$SOPIN, DELETE=$SOPIN; + acl = READ=NONE, UPDATE=$PIN, DELETE=$SOPIN; } EF PKCS15-TokenInfo { 
@@ -125,67 +125,67 @@ file-id = 4402; structure = transparent; size = $prkdf-size; -acl = READ=NONE, UPDATE=$PIN, DELETE=$SOPIN; +acl = *=NEVER, READ=NONE, UPDATE=$PIN, DELETE=$SOPIN; } EF PKCS15-PuKDF { file-id = 4403; structure = transparent; size = $pukdf-size; -acl = READ=NONE, UPDATE=$PIN, DELETE=$SOPIN; +acl = *=NEVER, READ=NONE, UPDATE=$PIN, DELETE=$SOPIN; } EF PKCS15-CDF { file-id = 4404; structure = transparent; size = $cdf-size; -acl = READ=NONE, UPDATE=$PIN, DELETE=$SOPIN; +acl = *=NEVER, READ=NONE, UPDATE=$PIN, DELETE=$SOPIN; } EF PKCS15-DODF { file-
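Review bot: the @@ -53,8 +53,8 @@ PIN user-puk hunk removes and re-adds `attempts = 10;` and `flags = needs-padding;` with no visible difference, so it is a whitespace-only (indentation) change; either drop it so the patch is limited to the ACL changes, or say in the commit message that those lines were re-indented so reviewers do not look for a semantic change there.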
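Review bot: in the @@ -80,7 +80,7 @@ DF MF hunk, `CREATE=$SOPIN` becomes `CREATE=$PIN`, which lowers the authorization needed to create files directly under the MF from the SO PIN to the user PIN; the mail only motivates the user PIN for the PKCS15-AppDF, so confirm that MF-level CREATE under the user PIN is actually needed by the pkcs15-init flow (for example for the DIR file created right below it) and otherwise keep it at $SOPIN. The `DELETE=NONE` to `DELETE=$SOPIN` change matches the request that clearing the card not be possible without authentication.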
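Review bot: the @@ -92,13 +92,13 @@ DF PKCS15-AppDF hunk sets `DELETE=$PIN` on the AppDF, which is exactly the constraint stated in the mail (pkcs15init verifies the AppDF DELETE acl on 'create object', so it must be NONE or the user PIN); a one-line `#` comment in the profile recording that dependency would stop a later editor from moving it back to $SOPIN and silently breaking object creation. The ODF change from `UPDATE=$SOPIN` to `UPDATE=$PIN` is consistent with letting the user PIN create objects in the AppDF.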
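Review bot: prefixing the PrKDF, PuKDF and CDF acls with `*=NEVER` is a good default-deny, but it relies on the explicit READ/UPDATE/DELETE entries that follow overriding the wildcard; please confirm that ordering rule in the profile parser, and check that no operation these EFs need beyond READ, UPDATE and DELETE is now refused. The hunk header says 67 lines but the archived copy breaks off at `EF PKCS15-DODF { file-`, so the DODF and any later entries in this hunk cannot be reviewed here.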
[opensc-devel] Patch to MyEID profile
Hi,

Here is a small patch that modifies the MyEID profile. This profile now initializes the cards like we want them (users are of course free to modify the profile to get cards like they want, but we think this should be the default).

I suppose the ACL for card initialization (clearing card) is not desired to be NONE and therefore we undefined the KEEP_AC_NONE_FOR_INIT_APPLET, and you can anyway set it to anything you like by configuring the profile.

There is a downside with this configuration, pkcs15-init now asks many times (5 times I think) for the USER PIN when it initializes the MyEID card and creates the required files (it does not matter what you enter, because it won't be verified since the card is in creation state).

Pkcs15-init creates the SO-PIN, but not the USER PIN. It would be nice if pkcs15-init would create both PINs, since it is built to support two PINs (User and SO). Currently we create the user pin after initialization and finalize the card after that. If somebody knows how to get rid of the unnecessary user PIN queries please apply a fix or help us do it.

Please apply this small patch, thanks!

Kind regards,

Toni

Attachment: opensc-0.12.0-aventra.patch