Cannot delete data object on Feitian ePass2003

Cannot delete data object on Feitian ePass2003

Florent Deybach
Hello,

I am using my ePass2003 to store a TrueCrypt keyfile as a data object.
I can store it with the TrueCrypt command line:


root@lenovo:~# truecrypt --token-lib=/usr/lib/opensc-pkcs11.so --import-token-keyfiles
Enter keyfile [none]: cleTruecrypt
Enter keyfile [finish]:
Enter password/PIN for token 'Florent (User PIN)':

As you can see, the object is present:

root@ubuntu12-10:~# pkcs15-tool --dump
Using reader with a card: Feitian ePass2003 00 00
[...]
Data object 'cleTruecrypt'
applicationName: cleTruecrypt
Path: 3f0050153400
Auth ID: 01

or with pkcs11-tool :

root@ubuntu12-10:~# pkcs11-tool --module=/usr/lib/opensc-pkcs11.so -l --pin 1234 -O
Using slot 1 with a present token (0x1)
Data object 157289864
  label:          'cleTruecrypt'
  application:    'cleTruecrypt'
  app_id:         <empty>
  flags:           modifiable private



The thing is that I cannot delete it! I tried with pkcs15-init, pkcs11-tool and the TrueCrypt utilities.
Every time I get the same error message: "User not logged in".

root@ubuntu12-10:~# pkcs11-tool --module=/usr/lib/opensc-pkcs11.so -l --pin 1234 --delete-object --type data --label cleTruecrypt
Using slot 1 with a present token (0x1)
error: PKCS11 function C_DestroyObject() failed: rv = CKR_USER_NOT_LOGGED_IN (0x101)

root@ubuntu12-10:~# pkcs15-init -D data --application-name cleTruecrypt --label cleTruecrypt --auth-id 01
Using reader with a card: Feitian ePass2003 00 00
Deleted 0 objects
Failed to store PIN: Security status not satisfied

root@ubuntu12-10:~# truecrypt --delete-token-keyfiles --token-lib=/usr/lib/opensc-pkcs11.so
Enter keyfile [none]: token://slot/1/file/cleTruecrypt
Enter keyfile [finish]:
Enter password/PIN for token 'Florent (User PIN)':
Error: Security token error:
USER NOT LOGGED IN

Aborting.

Attached is the debug output of the pkcs11-tool delete command with full debug (OPENSC_DEBUG=255).

I've also posted this issue on the Gooze forum, but got no answer :(

Any idea?

Thanks in advance!
 

------------------------------------------------------------------------------
Own the Future-Intel&reg; Level Up Game Demo Contest 2013
Rise to greatness in Intel's independent game demo contest.
Compete for recognition, cash, and the chance to get your game
on Steam. $5K grand prize plus 10 genre and skill prizes.
Submit your demo by 6/6/13. http://p.sf.net/sfu/intel_levelupd2d
_______________________________________________
Opensc-devel mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/opensc-devel

Attachment: debug.txt (378K)

Re: Cannot delete data object on Feitian ePass2003

Ondrej Mikle
On 03/28/2013 09:19 AM, Florent Deybach wrote:

> As you can see, the object is present:
>
>     root@ubuntu12-10:~# pkcs15-tool --dump
>     Using reader with a card: Feitian ePass2003 00 00
>     [...]
>     Data object 'cleTruecrypt'
>     applicationName: cleTruecrypt
>     Path: 3f0050153400
>     Auth ID: 01

My guess would be that the default ACLs prevent deleting the file. If you look
at /usr/share/opensc/epass2003.profile, there is the following part describing
ACLs for 3f00/5015/34xx files:

        # data objects are stored in transparent EFs.
        EF privdata {
                file-id   = 3400;
                structure = transparent;
                ACL       = *=NEVER,READ=$PIN,UPDATE=$PIN;
        }

That means the ACL for delete is NEVER, i.e. even PIN authorization won't
suffice for deletion of this file. It would be consistent with the log you
posted - the authenticate APDU instruction goes through OK, but erasing in the
last APDU fails with SW 0x69 0x82 "security status not satisfied".

AFAIK you won't be able to delete the file without erasing the card (pkcs15-init
-E) or erasing the parent DF 5015.

Note that the ACLs from the profile are applied at the moment a file is created
on token (like key or data object).

Ondrej


Re: Cannot delete data object on Feitian ePass2003

Florent Deybach
Hello Ondrej,

Thanks very much for taking the time to explain this to me.

I guessed it was an ACL problem; I even tried to modify the profile file, but in the wrong section.
And as you pointed out, the ACLs are applied when a file is created on the token.
I thought they would be applied during the PKCS15 initialization once and for all. It seems I was wrong!

However, opensc-explorer doesn't give me much information about the ACL.
Or do I need to "decrypt" the security attributes?

florent@ubuntu12-10:~# opensc-explorer
OpenSC Explorer version 0.13.0rc1
Using reader with a card: Feitian ePass2003 00 00
OpenSC [3F00]> cd 5015
OpenSC [3F00/5015]> info 3400

Elementary File  ID 3400

File path:     3F00/5015/3400
File size:     64 bytes
EF structure:  Transparent
ACL for READ:         N/A
ACL for UPDATE:       N/A
ACL for DELETE:       N/A
ACL for WRITE:        N/A
ACL for REHABILITATE: N/A
ACL for INVALIDATE:   N/A
ACL for LIST FILES:   N/A
ACL for CRYPTO:       N/A
Security attributes:     96 96 FF 9F FF FF FF FF

So I guess it is possible to modify the ACL, right?

By the way, how do I read the ACL? Does the first one take precedence over the others? I.e. the "NEVER" directive is for the READ and UPDATE actions, no?
*=NEVER,READ=$PIN,UPDATE=$PIN;

But if I can't read it I will never be able to use my object, right?

Would it be possible to use the following ACL, then?

ACL = READ=$PIN,UPDATE=NEVER;

What would be the collateral consequences of that? I mean, will other objects be affected by this change?

Again, thanks,

Cheers



Re: Cannot delete data object on Feitian ePass2003

Florent Deybach
Edit:

I can answer my own question about tuning the ACL in the profile file:
The "*" character is for the attributes which are not defined after it, correct?

So if I want to add the possibility to delete it:
*=NEVER,READ=$PIN,UPDATE=$PIN,DELETE=$PIN

Still, why does opensc-explorer list "N/A" for the ACL for READ and UPDATE?



Re: Cannot delete data object on Feitian ePass2003

Ondrej Mikle
On 03/29/2013 10:46 AM, Florent Deybach wrote:
> I can answer my own question about tuning the ACL in the profile file:
>
> The "*" character is for the attributes which are not defined after it, correct?

Yes, I think the wildcard character affects all other ACL that are not
explicitly listed.

> So if I want to add the possibility to delete it:
> *=NEVER,READ=$PIN,UPDATE=$PIN,DELETE=$PIN

That should work (...provided that there's not some other bug).

Though note that if you try to delete a PIN-protected file in opensc-explorer,
you'll need to "cd 5015" before using "verify CHV1" for some reason. At least
the "verify" doesn't work for me when I'm in the MF 3F00, but works once I "cd
5015".

> Still, why does opensc-explorer list "N/A" for the ACL for READ and UPDATE?

IIRC it's part of the epass2003 driver that's not finished. It always lists N/A
for epass2003. The real ACLs are in the last line starting with "Security
attributes", like in your example below:

>         Security attributes:     96 96 FF 9F FF FF FF FF

Each byte is a bitwise-or from the macros EPASS2003_AC_* defined in
src/libopensc/cardctl.h. The low nybble can be:

#define EPASS2003_AC_EVERYONE 0x00
#define EPASS2003_AC_USER 0x06
#define EPASS2003_AC_SO 0x08
#define EPASS2003_AC_NOONE 0x0F

which stand for "no pin needed", "user PIN needed", "SO-PIN needed",
"forbidden" (not sure about the SO-PIN, never really made it work).

The high nybble is a bit mysterious to me, as well, I've only seen the 0x90 ever
used:

#define EPASS2003_AC_MAC_UNEQUAL 0x80
#define EPASS2003_AC_MAC_NOLESS 0x90
#define EPASS2003_AC_MAC_LESS 0xA0
#define EPASS2003_AC_MAC_EQUAL 0xB0

The order of the "Security attributes" printed out is: READ, UPDATE, ??, DELETE,
??... (It comes from the contents of incoming APDU that is token's response to
"SELECT FILE" APDU, instruction 0xA4)

Some ACLs are not ever used for epass2003, e.g. INVALIDATE and REHABILITATE,
since the token does not support the corresponding APDU instructions.

I've never found any official documentation on epass2003, the stuff about ACLs
is what I discovered by trial/error and reading the driver's source.

Ondrej

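The two pieces of this thread that are easy to get wrong by hand are the profile ACL wildcard semantics (an explicit `OP=COND` entry wins, otherwise `*` applies) and the decoding of the raw "Security attributes" bytes that opensc-explorer prints instead of per-operation ACLs. The following program is an added example, not code from the thread or from OpenSC: it parses the hex line, splits each byte into the EPASS2003_AC_* nybbles quoted above, resolves the profile ACL for READ/UPDATE/DELETE and reports where the file on the card disagrees with the profile. It assumes the byte order Ondrej gives (READ, UPDATE, ??, DELETE, ??...) and leaves the unknown slots unnamed; the mapping NEVER → NOONE and $PIN → USER follows the thread, while NONE → EVERYONE and $SOPIN → SO are assumptions based on OpenSC profile syntax.

```c
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <ctype.h>

/* Access-condition macros as quoted in the thread from OpenSC's src/libopensc/cardctl.h. */
#define EPASS2003_AC_EVERYONE    0x00
#define EPASS2003_AC_USER        0x06
#define EPASS2003_AC_SO          0x08
#define EPASS2003_AC_NOONE       0x0F
#define EPASS2003_AC_MAC_UNEQUAL 0x80
#define EPASS2003_AC_MAC_NOLESS  0x90
#define EPASS2003_AC_MAC_LESS    0xA0
#define EPASS2003_AC_MAC_EQUAL   0xB0

/* Byte positions in the "Security attributes" line, in the order given in the thread:
 * READ, UPDATE, ??, DELETE, ??...  The "??" slots are deliberately left unnamed. */
static const char *slot_names[8] = {
    "READ", "UPDATE", "byte2(?)", "DELETE", "byte4(?)", "byte5(?)", "byte6(?)", "byte7(?)"
};

/* Low nybble: who has to authenticate before the operation is allowed. */
const char *ac_low_name(unsigned char b)
{
    switch (b & 0x0F) {
    case EPASS2003_AC_EVERYONE: return "EVERYONE";
    case EPASS2003_AC_USER:     return "USER";
    case EPASS2003_AC_SO:       return "SO";
    case EPASS2003_AC_NOONE:    return "NOONE";
    default:                    return "UNKNOWN";
    }
}

/* High nybble: secure-messaging MAC requirement (0x90 is the only value seen in the thread). */
const char *ac_high_name(unsigned char b)
{
    switch (b & 0xF0) {
    case EPASS2003_AC_MAC_UNEQUAL: return "MAC_UNEQUAL";
    case EPASS2003_AC_MAC_NOLESS:  return "MAC_NOLESS";
    case EPASS2003_AC_MAC_LESS:    return "MAC_LESS";
    case EPASS2003_AC_MAC_EQUAL:   return "MAC_EQUAL";
    default:                       return "UNKNOWN";
    }
}

/* Parse the opensc-explorer hex dump ("96 96 FF 9F FF FF FF FF") into up to 8 bytes.
 * Returns the number of bytes parsed, or -1 if a token is not a full hex pair. */
int parse_security_attributes(const char *hex, unsigned char out[8])
{
    int n = 0;
    while (*hex && n < 8) {
        while (isspace((unsigned char)*hex)) hex++;
        if (!*hex) break;
        if (!isxdigit((unsigned char)hex[0]) || !isxdigit((unsigned char)hex[1])) return -1;
        char pair[3] = { hex[0], hex[1], 0 };
        out[n++] = (unsigned char)strtoul(pair, NULL, 16);
        hex += 2;
    }
    return n;
}

/* Profile ACL condition -> expected low nybble. NEVER/$PIN follow the thread;
 * NONE/$SOPIN are assumptions based on OpenSC profile syntax. Unknown -> -1. */
int profile_cond_to_low(const char *cond)
{
    if (strcmp(cond, "NEVER") == 0)  return EPASS2003_AC_NOONE;
    if (strcmp(cond, "$PIN") == 0)   return EPASS2003_AC_USER;
    if (strcmp(cond, "$SOPIN") == 0) return EPASS2003_AC_SO;
    if (strcmp(cond, "NONE") == 0)   return EPASS2003_AC_EVERYONE;
    return -1;
}

/* Resolve one operation in an ACL such as "*=NEVER,READ=$PIN,UPDATE=$PIN":
 * an explicit entry for the operation wins, otherwise the "*" wildcard, otherwise -1. */
int profile_acl_lookup(const char *acl, const char *op)
{
    char buf[256];
    int wildcard = -1, result = -1;
    if (strlen(acl) >= sizeof buf) return -1;
    strcpy(buf, acl);
    for (char *tok = strtok(buf, ",; "); tok; tok = strtok(NULL, ",; ")) {
        char *eq = strchr(tok, '=');
        if (!eq) continue;
        *eq = 0;
        int low = profile_cond_to_low(eq + 1);
        if (strcmp(tok, "*") == 0) wildcard = low;
        else if (strcmp(tok, op) == 0) result = low;
    }
    return result != -1 ? result : wildcard;
}

/* Compare the card's attributes with the profile for READ, UPDATE and DELETE.
 * Prints one line per slot; returns the number of mismatches, or -1 on parse error. */
int check_acl_against_profile(const char *acl, const char *hex)
{
    unsigned char b[8];
    int mismatches = 0;
    if (parse_security_attributes(hex, b) < 4) return -1;
    const int slots[3] = { 0, 1, 3 };  /* READ, UPDATE, DELETE */
    for (int i = 0; i < 3; i++) {
        int s = slots[i], want = profile_acl_lookup(acl, slot_names[s]), have = b[s] & 0x0F;
        printf("%-6s 0x%02X = %s|%-8s  profile expects %-11s %s\n", slot_names[s], b[s],
               ac_high_name(b[s]), ac_low_name(b[s]),
               want < 0 ? "UNSPECIFIED" : ac_low_name((unsigned char)want),
               want == have ? "ok" : "MISMATCH");
        if (want != have) mismatches++;
    }
    return mismatches;
}

int main(void)
{
    const char *card = "96 96 FF 9F FF FF FF FF";   /* the line from the thread */
    /* Default epass2003.profile ACL: DELETE falls under "*" = NEVER, matching the card. */
    check_acl_against_profile("*=NEVER,READ=$PIN,UPDATE=$PIN", card);
    /* The ACL Florent wants: the file already on the card has DELETE=NOONE -> one mismatch. */
    check_acl_against_profile("*=NEVER,READ=$PIN,UPDATE=$PIN,DELETE=$PIN", card);
    return 0;
}
```

Run against the thread's own values, the first check reports three "ok" slots (DELETE resolves to NOONE through the wildcard, which is exactly why the delete fails even after a successful PIN verification), and the second reports a mismatch on DELETE: the profile change only affects files created afterwards, as Ondrej notes, so a file created under the old ACL keeps its 0x9F byte.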

Re: Cannot delete data object on Feitian ePass2003

Florent Deybach

> > So if I want to add the possibility to delete it:
> > *=NEVER,READ=$PIN,UPDATE=$PIN,DELETE=$PIN
>
> That should work (...provided that there's not some other bug).

Indeed, I tried and it worked! I am able to delete my object without having to reset my entire card.
 
> IIRC it's part of the epass2003 driver that's not finished. It always lists N/A
> for epass2003. The real ACLs are in the last line starting with "Security
> attributes", like in your example below:
>
> >         Security attributes:     96 96 FF 9F FF FF FF FF
>
> Each byte is a bitwise-or from the macros EPASS2003_AC_* defined in
> src/libopensc/cardctl.h. The low nybble can be:
>
> #define EPASS2003_AC_EVERYONE 0x00
> #define EPASS2003_AC_USER 0x06
> #define EPASS2003_AC_SO 0x08
> #define EPASS2003_AC_NOONE 0x0F
>
> which stand for "no pin needed", "user PIN needed", "SO-PIN needed",
> "forbidden" (not sure about the SO-PIN, never really made it work).
>
> The high nybble is a bit mysterious to me, as well, I've only seen the 0x90 ever
> used:
>
> #define EPASS2003_AC_MAC_UNEQUAL 0x80
> #define EPASS2003_AC_MAC_NOLESS 0x90
> #define EPASS2003_AC_MAC_LESS 0xA0
> #define EPASS2003_AC_MAC_EQUAL 0xB0

Many thanks for taking the time to explain that to me. It makes more sense as I test the token (by trial and error, just like you did...).
I tried with an IAS/ECC card and the ACLs were listed correctly, except for the UPDATE ACL, for which it displays "????", interesting!
 
> The order of the "Security attributes" printed out is: READ, UPDATE, ??, DELETE,
> ??... (It comes from the contents of incoming APDU that is token's response to
> "SELECT FILE" APDU, instruction 0xA4)
>
> Some ACLs are not ever used for epass2003, e.g. INVALIDATE and REHABILITATE,
> since the token does not support the corresponding APDU instructions.

Indeed, I also tried to set the WRITE attribute, which seemed "standard" to me, but it didn't change the security attributes returned by opensc-explorer...!

Anyway, your answer to my problem was more than satisfactory, and for that I thank you again!

Cheers,
Florent



Re: Cannot delete data object on Feitian ePass2003

Viktor Tarasov-3
Hello,

On 04/04/2013 18:03, Florent Deybach wrote:
> I tried with an IAS/ECC card and the ACL were listed correctly, except for the UPDATE ACL for which it displays "????", interesting!

The printed names for some ACL methods were absent.

They are present in the latest sources:
https://github.com/OpenSC/OpenSC/commit/c66278098b4f81a34fdb19bdb6dee98c042814c3

Thanks,
Viktor.


