Accessing keys on TCOS / NetKey Card: global/local-pin problem?


Accessing keys on TCOS / NetKey Card: global/local-pin problem?

Christian Horn
Hi,


I am unable to use the keys on this smartcard labeled
"TeleSec NetKey Card" here.
Using pcsc-lite 1.2.9beta9 / openct 0.6.6 / opensc 0.10.0
the card is accessed as a TCOS-card by opensc.
pkcs15-tool reports 4 x509 certs, 2 private keys and
3 pins (1 global and 2 local ones). Reading the x509-certs
from the card works.

Whenever I try to use one of the two keys it fails, maybe
because the local pins are tried instead of the global
pin. The latter one should be used: 'Tries left' has value 3
there, on the local pins it's 0.

As applications I tried openswan, strongswan and pkcs15-crypt;
the error messages are always 'pin incorrect' and the like.
netkey-tool shows the global pin as 'verified' when I use it.

How to make opensc and the applications use the global pin?
Changing the location of the local pins (df015080 and df015081)
to 5000 in the opensc sources didn't help. Setting the local
pins with netkey-tool fails; with opensc I can 'change CHV0'
in directory DF01, but pkcs15-tool still shows 0 tries for the
local pins.
Is pkcs15-crypt the correct application to verify if the access
works? I read somewhere it doesn't work for netkey cards, they
need other applications.

Any comments appreciated,

Christian.
_______________________________________________
opensc-user mailing list
[hidden email]
http://www.opensc.org/cgi-bin/mailman/listinfo/opensc-user

Re: Accessing keys on TCOS / NetKey Card: global/local-pin problem?

Peter Koch-3
Hi Christian

> I am unable to use the keys on this smartcard labeled
> "TeleSec NetKey Card" here.
> Using pcsc-lite 1.2.9beta9 / openct 0.6.6 / opensc 0.10.0
> the card is accessed as a TCOS-card by opensc.
> pkcs15-tool reports 4 x509 certs, 2 private keys and
> 3 pins (1 global and 2 local ones). Reading the x509-certs
> from the card works.
>
> Whenever I try to use one of the two keys it fails, maybe
> because the local pins are tried instead of the global
> pin. The latter one should be used: 'Tries left' has value 3
> there, on the local pins it's 0.

The keys are protected by either the global PIN or one of the
local PINs. This functionality (key is protected by more than
one key) is TCOS specific. OpenSC does not support this
and will always ask you for one specific PIN. And if it asks
for PIN0 and you provide PIN instead this will reduce your
tries-left counter for PIN0.

So either provide the correct value for PIN0 or set all your
PINs to the same value.

There's a tool called netkey-tool that you may use to unblock
PIN0. You will need PIN to unblock PIN0 or PIN1.

One more hint: Make sure you know your PUK before you start
to play around with your PIN.

> As applications I tried openswan, strongswan and pkcs15-crypt;
> the error messages are always 'pin incorrect' and the like.
> netkey-tool shows the global pin as 'verified' when I use it.
>
> How to make opensc and the applications use the global pin?
> Changing the location of the local pins (df015080 and df015081)
> to 5000 in the opensc sources didn't help.

Why do you want to use the global PIN? The local PIN0 should work
fine (if you know its value :-) )

> Setting pins with netkey-tool fails; with opensc I can 'change CHV0'
> in directory DF01, but pkcs15-tool still shows 0 tries for the
> local pins.

This is because you must unblock PIN0 first. You cannot change a
blocked PIN.

Try:

netkey-tool --pin 123456 unblock pin0
netkey-tool --pin 123456 change pin0 123456

> Is pkcs15-crypt the correct application to verify if the access
> works? I read somewhere it doesn't work for netkey cards, they
> need other applications.

That was true for OpenSC 0.9.6. With 0.10.0 pkcs15-crypt is supposed
to work. And if it does not - please let us know.

Peter


Re: Accessing keys on TCOS / NetKey Card: global/local-pin problem?

Christian Horn
Hi,

thanks a lot for helping.


>> Whenever I try to use one of the two keys it fails, maybe
>> because the local pins are tried instead of the global
>> pin. The latter one should be used: 'Tries left' has value 3
>> there, on the local pins it's 0.
>There's a tool called netkey-tool that you may use to unblock
>PIN0. You will need PIN to unblock PIN0 or PIN1.

Unblocking and setting the local pins using netkey-tool worked,
OpenSwan can now use the keys.
I've made a section on http://www.opensc.org/opensc/wiki/TCOS
for that, feel free to remove it if it doesn't fit there.


>One more hint: Make sure you know your PUK before you start
>to play around with your PIN.

Didn't show up on the netkey output, unfortunately.


>> How to make opensc and the applications use the global pin?
>> Changing the location of the local pins (df015080 and df015081)
>> to 5000 in the opensc sources didn't help.
>Why do you want to use the global PIN? The local PIN0 should work
>fine (if you know its value :-) )

Yes, after unblocking & setting.


>netkey-tool --pin 123456 unblock pin0
>netkey-tool --pin 123456 change pin0 123456

Added to the NetKey section in the wiki. Didn't cross my mind when
having a look at the netkey-tool options, and in the ml archives
I only found the null-pin setting with opensc-explorer.


>That was true for OpenSC 0.9.6. With 0.10.0 pkcs15-crypt is supposed
>to work. And if it does not - please let us know.
'pkcs15-crypt -s' gives me 'Compute signature failed: Buffer too small',
trying to use pkcs15-crypt for encryption produces neither an error,
nor an encrypted file.


Greetings, Christian.


Re: Accessing keys on TCOS / NetKey Card: global/local-pin problem?

Peter Koch-3
> I've made a section on http://www.opensc.org/opensc/wiki/TCOS
> for that, feel free to remove it if it doesn't fit there.

I moved your comments to the NetKey-card section (NetKey E4 cards and
TeleSec NetKey cards are the same) and added some more background
information. You were right. It's not obvious that you cannot use a
brand new NetKey card without changing your local pins first.

> >One more hint: Make sure you know your PUK before you start
> >to play around with your PIN.
>
> Didn't show up on the netkey output, unfortunately.

netkey-tool needs your global PIN, so if you don't use the --pin
option it cannot print your global PUK's initial value.

> 'pkcs15-crypt -s' gives me 'Compute signature failed: Buffer too small',
> trying to use pkcs15-crypt for encryption produces neither an error,
> nor an encrypted file.

You must either feed exactly 128 bytes into pkcs15-crypt or ask
pkcs15-tool to pad your data by using the --pkcs1 option.

Also note that your signature-key can compute signatures only while
your other keys can compute signatures and can do decryption-operations.

Peter
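The 128-byte requirement Peter describes, worked through as an added example (not code from this thread, from netkey-tool or from OpenSC): it assumes the card's RSA keys are 1024-bit, so one raw block is 128 bytes, and builds the EMSA-PKCS1-v1_5 block that a --pkcs1 style option has to produce before the card will sign, next to the length check a raw (unpadded) operation enforces.

```python
import hashlib

# DER-encoded DigestInfo prefix for SHA-1 (RFC 3447 section 9.2, note 1).
SHA1_DIGESTINFO_PREFIX = bytes.fromhex("3021300906052b0e03021a05000414")

# Assumption: 1024-bit RSA keys, so the modulus length k is 128 bytes,
# the size pkcs15-crypt is reported to demand in the thread above.
MODULUS_BYTES = 128


def raw_rsa_input_ok(data: bytes, k: int = MODULUS_BYTES) -> bool:
    """A raw RSA private-key operation consumes exactly one modulus-sized
    block; anything else is rejected (cf. 'Buffer too small')."""
    return len(data) == k


def emsa_pkcs1_v15_encode(message: bytes, k: int = MODULUS_BYTES) -> bytes:
    """EMSA-PKCS1-v1_5 (RFC 3447 section 9.2) over SHA-1: hash the message,
    wrap the hash in DigestInfo and pad the result to exactly k bytes as
    0x00 0x01 <0xff ... 0xff> 0x00 <DigestInfo>."""
    digest_info = SHA1_DIGESTINFO_PREFIX + hashlib.sha1(message).digest()
    if k < len(digest_info) + 11:
        raise ValueError("modulus too short for EMSA-PKCS1-v1_5")
    padding = b"\xff" * (k - len(digest_info) - 3)
    return b"\x00\x01" + padding + b"\x00" + digest_info


def emsa_pkcs1_v15_check(em: bytes, message: bytes, k: int = MODULUS_BYTES) -> bool:
    """Verifier side: re-encode the message and compare whole blocks, the
    comparison RFC 3447 prescribes, so lenient padding parsing never happens."""
    return len(em) == k and em == emsa_pkcs1_v15_encode(message, k)


def prepare_sign_input(data: bytes, pkcs1: bool, k: int = MODULUS_BYTES) -> bytes:
    """The two acceptable ways to feed a signing key: the caller supplies a
    full k-byte block itself, or asks for PKCS#1 v1.5 padding (--pkcs1)."""
    if pkcs1:
        return emsa_pkcs1_v15_encode(data, k)
    if not raw_rsa_input_ok(data, k):
        raise ValueError(f"raw input must be exactly {k} bytes, got {len(data)}")
    return data
```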


Re: Accessing keys on TCOS / NetKey Card: global/local-pin problem?

Christian Horn
Hi,

>I moved your comments to the NetKey-card section (NetKey E4 cards and
>TeleSec NetKey cards are the same) and added some more background
It's a bit hard for me to distinguish between TCOS and what only my
corporation has done.

>> Didn't show up on the netkey output, unfortunately.
>netkey-tool needs your global PIN, so if you don't use the --pin
>option it cannot print your global PUK's initial value.
I used that, but on this card the PUK isn't found:
  'Reading crypted Initial-PUK-file: Cannot select crypted
  Initial-PUK-file, File not found'

>> 'pkcs15-crypt -s' gives me 'Compute signature failed: Buffer too small',
>> trying to use pkcs15-crypt for encryption produces neither an error,
>> nor an encrypted file.
>You must either feed exactly 128 bytes into pkcs15-crypt or ask
>pkcs15-tool to pad your data by using the --pkcs1 option.
I used that, the output of pkcs15-crypt is really clear when the input
isn't long enough or --pkcs1 isn't used. I still get no output at all
(stdout, stderr or output file) or 'Compute signature failed: Buffer too small'
from pkcs15-crypt.

>Also note that your signature-key can compute signatures only while
>your other keys can compute signatures and can do decryption-operations.
I tried out both keys.

My company appears to use a strange two-stage process on the cards: it
comes with two private keys and two initial certs, then CSRs get generated
and signed with your name, and written to the card after that.
Applications seem to use the cert with the same id as the private key,
not the later generated cert.
As I understand it opensc would be the place to bend that id, but I won't
take the time to dive into the code as the next generation of card here
is on the way.

The new version of cards in use here has the personalised cert in the
first place, I will test those as soon as I get it.

greetings, Christian.
