Change the Default Transport Keys


Change the Default Transport Keys

pierre lhostis

Hello all,

I do not want to use the Axalto default Transport Key for my Cryptoflex
e-gate 32K tokens but a specific one that we initialize with the COVE
Axalto tool.

I then use Python scripts to initialize my token with OpenSC and I don't
want script users to enter the Transport Key from the command line when
prompted, to avoid mistakes.

Right now, using the -T option with the pkcs15-init tool is only fine
when the token is initialized with the default Transport Key.
ex. pkcs15-init -EC -T --label 'Carte02' --no-so-pin

If I remove the -T option, the user needs to enter it at the prompt and I
don't want that to happen.

So that is why I'd like to know where the default Transport Keys are
stored in OpenSC, to be able to replace it for my token. I checked
opensc.conf and the profile files (especially flex.profile, which is
used in our case) but I was unable to find them, sorry...

I was planning to add something like this to the flex.profile file:
    # This is the secure messaging key required for
    # creating files in the MF
    key AUT1 {
        value           =11:11:11:11:11:11:11:11;
    }

But I am not sure about the way I can represent the value of the key (is hex OK?).
And I still do not understand where the default transport key is stored
and how OpenSC makes the link between a card type and a Transport Key?

Thanks,
Pierre



_______________________________________________
opensc-user mailing list
[hidden email]
http://www.opensc.org/cgi-bin/mailman/listinfo/opensc-user

Re: Change the Default Transport Keys

Nils Larsch
pierre lhostis wrote:

> Hello all,
>
> I do not want to use the Axalto default Transport Key for my Cryptoflex
> e-gate 32K tokens but a specific one that we initialize with the COVE
> Axalto tool.
>
> I then use Python scripts to initialize my token with OpenSC and I don't
> want script users to enter the Transport Key from the command line when
> prompted, to avoid mistakes.
>
> Right now, using the -T option with the pkcs15-init tool is only fine
> when the token is initialized with the default Transport Key.
> ex. pkcs15-init -EC -T --label 'Carte02' --no-so-pin
>
> If I remove the -T option, the user needs to enter it at the prompt and I
> don't want that to happen.

use expect [1]

>
> So that is why I'd like to know where the default Transport Keys are
> stored in OpenSC, to be able to replace it for my token. I checked
> opensc.conf and the profile files (especially flex.profile, which is
> used in our case) but I was unable to find them, sorry...

currently the default value is hard-coded in src/libopensc/card-flex.c.
yep, it would be better to store such values in a config file (I think
some time ago I had a patch for this ...)

>
> I was planning to add something like this to the flex.profile file:
>     # This is the secure messaging key required for
>     # creating files in the MF
>     key AUT1 {
>         value           =11:11:11:11:11:11:11:11;

perhaps something like
        default-value = [ATR]<some separator>11:11:11:11;
would be better (to tie a certain default key to an ATR)

>     }
>
> But I am not sure about the way I can represent the value of the key (is hex OK?).

hex is fine

> And I still do not understand where the default transport key is stored
> and how OpenSC makes the link between a card type and a Transport Key?

currently it is implemented via a sc_card_ctl call

Nils

[1] http://expect.nist.gov/
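Nils's "use expect" suggestion, worked through as an added example in Python (this is not code from the thread, from OpenSC or from Axalto). Instead of the expect tool it uses the standard-library pty module to do the same job: run the tool on a pseudo-terminal, wait for its password prompt, and write the key to that terminal. The key therefore never appears on the command line (so not in `ps` output or shell history), the tool's own echo-off handling still applies, and the wrapper answers the prompt exactly once, never retrying, because a Cryptoflex card blocks after a few wrong transport-key presentations (Pierre mentions three later in the thread). The pkcs15-init command line is the one Pierre posted without -T; the prompt substring "Transport key" is an assumption and must be checked against what your pkcs15-init build actually prints, and the key string is sent exactly as you would type it by hand. The stand-in tool used for the dry run is constructed: a small Python child that reads a key with getpass and exits 0 only for a constructed value that is not a real key.

```python
import os
import pty
import select
import signal
import sys

TRANSPORT_KEY_LEN = 8  # AUT1 keys in this thread are 8 bytes (single DES)


def run_with_tty_secret(argv, prompt, secret, timeout=15.0):
    """Run argv on a pseudo-terminal and answer the first `prompt` with `secret`.

    Returns (exit_code, captured_output). The secret goes to the pty, not to
    the command line, and is written once only: a tool that asks again (wrong
    key) gets no second attempt from this wrapper, so it cannot burn through
    the card's retry counter on its own.
    """
    pid, master = pty.fork()
    if pid == 0:
        # Child: the slave side of the pty is its controlling terminal, so the
        # tool's /dev/tty prompt and echo-off handling work as they do by hand.
        os.execvp(argv[0], argv)
    output = bytearray()
    answered = False
    try:
        while True:
            ready, _, _ = select.select([master], [], [], timeout)
            if not ready:
                os.kill(pid, signal.SIGKILL)
                os.waitpid(pid, 0)
                raise TimeoutError(f"{argv[0]}: no output for {timeout}s")
            try:
                chunk = os.read(master, 4096)
            except OSError:
                # Linux reports EIO on the master once the child has exited.
                break
            if not chunk:
                break
            output += chunk
            if not answered and prompt.encode() in output:
                os.write(master, secret.encode() + b"\n")
                answered = True
    finally:
        os.close(master)
    _, status = os.waitpid(pid, 0)
    code = os.WEXITSTATUS(status) if os.WIFEXITED(status) else -1
    return code, output.decode(errors="replace")


def present_transport_key(key_text, argv=None, prompt="Transport key"):
    """Feed a Cryptoflex transport key to pkcs15-init at its prompt.

    argv defaults to the thread's command line without -T, so the tool prompts
    instead of using its built-in Axalto default. The prompt substring is an
    ASSUMPTION (check what your pkcs15-init prints). key_text is validated as
    8 hex bytes (':' separators allowed) and then sent exactly as given.
    """
    key = bytes.fromhex(key_text.replace(":", ""))
    if len(key) != TRANSPORT_KEY_LEN:
        raise ValueError(f"transport key must be {TRANSPORT_KEY_LEN} bytes")
    if argv is None:
        argv = ["pkcs15-init", "-EC", "--label", "Card02", "--no-so-pin"]
    return run_with_tty_secret(argv, prompt, key_text)


# Constructed stand-in for pkcs15-init, used only for a local dry run: it asks
# for the key the way a real tool does (getpass, echo off) and exits 0 only for
# the constructed value below, which is not a real transport key.
DEMO_KEY = "2C:15:E5:26:E9:3E:8A:18"
DEMO_TOOL = [
    sys.executable, "-c",
    "import getpass, sys; k = getpass.getpass('Transport key: '); "
    "sys.exit(0 if k == '2C:15:E5:26:E9:3E:8A:18' else 3)",
]

if __name__ == "__main__":
    code, out = present_transport_key(DEMO_KEY, argv=DEMO_TOOL)
    print("exit code:", code)
```

Run it once by hand against your real pkcs15-init with the wrong prompt string on purpose: the wrapper then times out and kills the child instead of sending the key somewhere it was not asked for, which is the failure mode you want when the tool's wording changes between versions.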

Re: Change the Default Transport Keys

pierre lhostis

Thank you Nils for your very helpful answer,

Before making several unsuccessful attempts with this sensitive item,
the transport key, I want to be sure of my syntax, because I
noticed that in the card-flex.c file, ATRs and Transport Keys are coded
using double quotes:

So if I include a transport key in my flex.profile file:
- must I use double quotes?
- can I use upper- or lower-case indifferently?
- are ":" also mandatory?

ex.   key AUT1 {
         value           ="1A:2B:3C:4D:5E:6F:7A:8B";
or value           =1A:2B:3C:4D:5E:6F:7A:8B;
or       value           ="1A2B3C4D5E6F7A8B";
or       value           =1A2B3C4D5E6F7A8B;
etc.

Also, you suggested the following syntax to me:
        default-value = [ATR]<some separator>11:11:11:11;
does it mean, that the following would be correct:
default-value
= "3B:95:18:40:FF:62:01:02:01:04"<space>"1A:2B:3C:4D:5E:6F:7A:8B";

Thanks,
Pierre


Re: Change the Default Transport Keys

Nils Larsch
pierre lhostis wrote:
> Thank you Nils for your very helpful answer,
>
> Before making several unsuccessful attempts with this sensitive item
> which is the transport key, I want to be sure of my syntax because I
> noticed that in the card-flex.c files, ATRs and Transport Keys are coded
> using double quotes:

in card-flex.c of course, as it is a C string

>
> So if I include a transport key in my flex.profile file:
> - must I use double quotes?

in a profile everything is a string => should not be necessary

> - can I use upper- or lower-case indifferently?

although I like some consistency it shouldn't matter (and if it
matters I would consider it a bug and fix it)

> - are ":" also mandatory?

no

>
> ex.   key AUT1 {
>          value           ="1A:2B:3C:4D:5E:6F:7A:8B";
> or value           =1A:2B:3C:4D:5E:6F:7A:8B;
> or       value           ="1A2B3C4D5E6F7A8B";
> or       value           =1A2B3C4D5E6F7A8B;

second and fourth

> etc.
>
> Also, you suggested the following syntax to me:
> default-value = [ATR]<some separator>11:11:11:11;
> does it mean, that the following would be correct:
                                             ^^^^^^^
it's just a proposal

> default-value
> = "3B:95:18:40:FF:62:01:02:01:04"<space>"1A:2B:3C:4D:5E:6F:7A:8B";

I would perhaps use "/" to separate the ATR from the default key
(and without quotes).

Nils
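The value syntax Nils confirms above (hex with or without ":" separators, either case, no quotes), plus the "=" prefix that Pierre later finds the profile parser accepts as an ASCII literal, as a small added model in Python. This is not OpenSC's profile.c and it does not change what OpenSC does with the key (at the time of this thread the Cryptoflex transport key stays hard-coded in card-flex.c whatever the profile says); its use is to check a profile fragment before you spend one of the card's limited transport-key attempts on a typo, and to print the key in the colon form you would pass to opensc-explorer's verify command. The key-block and value regular expressions, the rejection of quoted values and the 8-byte length check are this example's own simplifications, and the profile fragment is constructed with keys that are not real.

```python
import re

TRANSPORT_KEY_LEN = 8  # AUT1 keys in the thread are 8 bytes (single DES)

_HEX = re.compile(r"^[0-9A-Fa-f]+$")
_KEY_BLOCK = re.compile(r"\bkey\s+(\w+)\s*\{([^}]*)\}")
_VALUE = re.compile(r"\bvalue\s*=\s*([^;]+);")


def parse_secret_value(raw):
    """Decode one PIN/key value the way the thread describes it.

    '=text' -> the text after '=' taken literally as ASCII bytes
    hex     -> digits in either case, ':' separators optional
    Quoted strings are rejected: quotes are not part of a profile value.
    """
    raw = raw.strip()
    if raw.startswith("="):
        return raw[1:].encode("ascii")
    if raw[:1] in ('"', "'"):
        raise ValueError(f"quotes are not part of the value: {raw}")
    digits = raw.replace(":", "")
    if not _HEX.match(digits) or len(digits) % 2:
        raise ValueError(f"not an even-length hex string: {raw}")
    return bytes.fromhex(digits)


def strip_comments(text):
    """Drop '#' comments, which profiles use (e.g. '# I vary the x part')."""
    return "\n".join(line.split("#", 1)[0] for line in text.splitlines())


def extract_keys(profile_text):
    """Return {key-name: bytes} for every 'key NAME { value = ...; }' block."""
    keys = {}
    for m in _KEY_BLOCK.finditer(strip_comments(profile_text)):
        name, body = m.group(1), m.group(2)
        vm = _VALUE.search(body)
        if vm is None:
            raise ValueError(f"key {name}: no value")
        keys[name] = parse_secret_value(vm.group(1))
    return keys


def check_transport_key(profile_text, name="AUT1"):
    """Validate the transport key before it is ever sent to the card and
    return it in the colon form used with opensc-explorer's verify."""
    key = extract_keys(profile_text)[name]
    if len(key) != TRANSPORT_KEY_LEN:
        raise ValueError(f"{name}: {len(key)} bytes, expected {TRANSPORT_KEY_LEN}")
    return ":".join(f"{b:02X}" for b in key)


# Constructed profile fragment, shaped like the cardinfo block later in the
# thread. None of these values are real keys.
SAMPLE_PROFILE = """\
cardinfo {
    max-pin-length      = 8;
    pin-encoding        = ascii-numeric;
    key AUT1 {
        value       = 2c15e526e93e8a18;   # lower case, no separators
    }
    key AUT2 {
        value       = 01:02:03:04:05:06:07:08;
    }
    key AUT3 {
        value       = =abcdefgh;          # '=' prefix: literal ASCII
    }
    protect-certificates = no;
}
"""

if __name__ == "__main__":
    print(check_transport_key(SAMPLE_PROFILE))
```

Run the check on the exact file you are about to install under /usr/share/opensc; a value that this model rejects is one the real parser is also likely to reject, and a value that decodes to the wrong length is one that would have cost you a retry on the card.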

Re: Change the Default Transport Keys

pierre lhostis

Nils:
Still no luck:

I inserted the key AUT1 in the following manner in the flex.profile
file:
cardinfo {
    max-pin-length      = 8;
    pin-encoding        = ascii-numeric;
    pin-pad-char        = 0x00;
    pin-domains         = yes;
    key AUT1 {
        value       = 2C15E526E93E8A1x; # I vary the x part
        }

    # This profile does not PIN-protect certificates
    # stored on the card. If you enable this, you MUST
    # adjust the sizes of the pin-domain and key-dir DFs
    # accordingly.
    protect-certificates = no;
}

- I set up a new Transport Key with the Axalto COVE tool.
- I check it using opensc-explorer and verify AUT1
2C:15:E5:26:E9:3E:8A:1x
- I then try the "pkcs15-init -EC -T --label 'Card02' --no-so-pin"
command... with no luck for the moment
[If I try "pkcs15-init -EC --label 'Card02' --no-so-pin" I can enter the
TK manually and successfully but I would prefer the TK in the .profile
to work instead]
- To avoid 3 failed TK attempts blocking the card, I change the TK
after one or two failed attempts. It seems to reset the failed-attempt
counter.

I tried the following syntaxes:
* value = "2C:15:E5:26:E9:3E:8A:18";
* value = "2C15E526E93E8A18";
* value = 2C:15:E5:26:E9:3E:8A:18;
* value = 2C15E526E93E8A18;

I also tried it the ASCII way:
* value = "abcdefgh"; which is failing on syntax
        profile.c:1974:parse_error: /usr/share/opensc/flex.profile: Error
parsing PIN/key "abcdefgh"
        pkcs15-lib.c:332:sc_pkcs15init_bind: Failed to load profile: Syntax
error
* value = "=abcdefgh"; syntax is OK but TK check fails

I also tried your proposal:
* default-value = 3B:95:18:40:FF:62:01:02:01:04/2C:15:E5:26:E9:3E:8A:18
* or default-value = 2C:15:E5:26:E9:3E:8A:18
        It failed on syntax:
profile.c:1974:parse_error: /usr/share/opensc/flex.profile: Command
"default-value" not understood in this context.
pkcs15-lib.c:332:sc_pkcs15init_bind: Failed to load profile: Syntax
error

Finally, I put the key AUT1 {value = 2C15E526E93E8A1x;} outside the
cardinfo { } section. It failed on syntax (it does not recognize the key
keyword properly).

Nervous breakdown or white hair could come soon... :)
Any advice welcome,
Pierre


Re: Change the Default Transport Keys

Nils Larsch
pierre lhostis wrote:

> Finally, I put the key AUT1 {value = 2C15E526E93E8A1x;} outside the
> cardinfo { } section. It failed on syntax (does not recognize key
> keyword properly)
>
> Nervous breakdown or white hair could come soon... :)

Oops, I thought you knew that you need to patch profile.c as well. I
guess I misunderstood something. Anyway, I will look in my archives to see
if I have a similar patch somewhere ...

Nils