Default PINs of the Oberthur AuthentIC 2.2 card?


Default PINs of the Oberthur AuthentIC 2.2 card?

Andreas Steffen-2
Hi,

I've just received from Oberthur some samples of their

   CosmopolIC 64k v5.2 - AuthentIC 2.2

card. When I try to put a PKCS#15 directory structure on a card
using the OpenSC 0.10.0 command

   pkcs15-init --create-pkcs15

then the prompt

   Unspecified PIN [reference 2] required

appears. The Oberthur card has PIN: 9999 and SOPIN: 1234 printed
on it, but neither of them is accepted. Browsing the Oberthur
directory structure using opensc-explorer I see that CHV2 and CHV3
are used in the ACLs.

Does someone know the default values of the CHV2 and CHV3 PINs
and how a PKCS#15 directory structure can be successfully created
using OpenSC?

Best regards

Andreas

=======================================================================
Andreas Steffen                   e-mail: [hidden email]
strongSec GmbH                    home:   http://www.strongsec.com
Alter Zürichweg 20                phone:  +41 1 730 80 64
CH-8952 Schlieren (Switzerland)   fax:    +41 1 730 80 65
==========================================[strong internet security]===
_______________________________________________
opensc-devel mailing list
[hidden email]
http://www.opensc.org/cgi-bin/mailman/listinfo/opensc-devel

Re: Default PINs of the Oberthur AuthentIC 2.2 card?

Andreas Jellinghaus-2
I once got a card from Victor, and he told me the SO-PIN is
"12345678". As far as I remember the discussion he didn't want
to make that a transport key, as the pin might differ for each
batch of cards or customer.

Note: that was the SO-Pin for my card. If you try it with
your card you might destroy it. So be careful :)

Regards, Andreas

Re: Default PINs of the Oberthur AuthentIC 2.2 card?

Tarasov Viktor
Andreas Jellinghaus wrote:

>I once got a card from Victor, and he told me the SO-PIN is
>"12345678". As far as I remember the discussion he didn't want
>to make that a transport key, as the pin might differ for each
>batch of cards or customer.
>  
>
Maybe it should be implemented like a transport key, as you've said.
Till now, for all Oberthur AuthentIC cards that I've seen, the
default value of
SOPIN (CHV2 for OpenSC) is '12345678',
PIN (CHV1) -- '9999',
and PUK (for PIN) -- '1234'.

I also have some cards with the wrong SOPIN value printed on the card.
All of them, in fact, have the real SOPIN '12345678'.

>Note: that was the SO-Pin for my card. If you try it with
>your card you might destroy it. So be careful :)
>
>Regards, Andreas
>  
>
Kind wishes,
Viktor.



Re: Default PINs of the Oberthur AuthentIC 2.2 card?

Andreas Steffen-2
Victor, thank you very much!

CHV2 is indeed "12345678"

CHV1 is "9999"
CHV3 is "1234"

Now the next hurdle:

pkcs15-init --erase-card --create-pkcs15 --profile oberthur

aborts with

profile.c:2037:parse_error: /usr/share/opensc/oberthur.profile:
                No path/fileid set for parent DF

I'm using the default oberthur profile from opensc-0.10.0.

Kind regards

Andreas

Tarasov Viktor wrote:

>
> Maybe, it should be implemented like transport key, as you've told.
> Till now, for all Oberthur AuthentIC cards, that I've seen,
> default value of
> SOPIN (CHV2 for OpenSC) is '12345678',
> PIN (CHV1) -- '9999',
> and PUK (for PIN) -- '1234'.
>
> I also have some cards with the wrong SOPIN value printed on the card.
> All of them, in fact, have the real SOPIN '12345678'.
>
>
> Kind wishes,
> Viktor.


Re: Default PINs of the Oberthur AuthentIC 2.2 card?

Tarasov Viktor
Andreas Steffen wrote:

> Victor, thank you very much!
>
> CHV2 is indeed "12345678"
>
> CHV1 is "9999"
> CHV3 is "1234"
>
> Now the next hurdle:
>
> pkcs15-init --erase-card --create-pkcs15 --profile oberthur
>
> aborts with
>
> profile.c:2037:parse_error: /usr/share/opensc/oberthur.profile:
>                No path/fileid set for parent DF
>
> I'm using the default oberthur profile from opensc-0.10.0.


Can you try this init command without the '--profile' option, please?

>
> Kind regards
>
> Andreas

Best regards,
Viktor.


Re: Default PINs of the Oberthur AuthentIC 2.2 card?

Andreas Steffen-2
Hi Victor,

without the --profile option the following
error results:

# pkcs15-init --erase-card --create-pkcs15

Failed to erase card: Security status not satisfied

With debugging enabled:

# pkcs15-init --erase-card --create-pkcs15 -vv

sc.c:141:sc_detect_card_presence: called
reader-openct.c:208:openct_reader_detect_card_presence: called
sc.c:146:sc_detect_card_presence: returning with: 1
Connecting to card in reader CCID Compatible...
card.c:372:sc_connect_card: called
reader-openct.c:232:openct_reader_connect: called
reader-openct.c:388:openct_reader_lock: called
card.c:543:sc_unlock: Calling card logout function
reader-openct.c:415:openct_reader_unlock: called
reader-openct.c:388:openct_reader_lock: called
card.c:543:sc_unlock: Calling card logout function
reader-openct.c:415:openct_reader_unlock: called
card-oberthur.c:179:auth_select_aid: serial number 324
reader-openct.c:388:openct_reader_lock: called
card.c:543:sc_unlock: Calling card logout function
reader-openct.c:415:openct_reader_unlock: called
card.c:480:sc_connect_card: card info: AuthentIC v5, 11004, 0x0
card.c:481:sc_connect_card: returning with: 0
Using card driver Oberthur AuthentIC.v2/CosmopolIC.v4.
reader-openct.c:388:openct_reader_lock: called
card.c:883:sc_card_ctl: card_ctl(4) not supported
card.c:741:sc_select_file: called; type=2, path=3f0050154946
card-oberthur.c:737:auth_select_file: path; type=2, path=3f0050154946
card-oberthur.c:739:auth_select_file: cache; type=0, path=
card-oberthur.c:716:select_file_id: selected 5015
iso7816.c:98:iso7816_check_sw: File not found
card-oberthur.c:681:select_file_id: Card returned error: File not found
card-oberthur.c:790:auth_select_file: return -1201
card.c:763:sc_select_file: returning with: -1201
About to erase card.
pkcs15-oberthur.c:135:cosm_erase_card: erase file dir 2F00
pkcs15-oberthur.c:84:cosm_delete_file:  id 2F00
card.c:741:sc_select_file: called; type=2, path=3f00
card-oberthur.c:737:auth_select_file: path; type=2, path=3f00
card-oberthur.c:739:auth_select_file: cache; type=0, path=3f005015
card-oberthur.c:790:auth_select_file: return 0
card.c:763:sc_select_file: returning with: 0
pkcs15-lib.c:2936:sc_pkcs15init_authenticate: path=3f00, op=2
pkcs15-lib.c:2952:sc_pkcs15init_authenticate: unknown acl method
card.c:597:sc_delete_file: called; type=0, path=2f00
card-oberthur.c:831:auth_delete_file: path; type=0, path=2f00
card-oberthur.c:832:auth_delete_file: called
iso7816.c:98:iso7816_check_sw: Security status not satisfied
card-oberthur.c:903:auth_delete_file: Card return error: Security status
not satisfied
card.c:602:sc_delete_file: returning with: -1211
pkcs15-oberthur.c:114:cosm_delete_file: return -1211
Failed to erase card: Security status not satisfied
card.c:543:sc_unlock: Calling card logout function
reader-openct.c:415:openct_reader_unlock: called
card.c:493:sc_disconnect_card: called
reader-openct.c:281:openct_reader_disconnect: called
card.c:508:sc_disconnect_card: returning with: 0
ctx.c:709:sc_release_context: called
reader-openct.c:181:openct_reader_release: called
reader-openct.c:181:openct_reader_release: called
reader-openct.c:181:openct_reader_release: called
reader-openct.c:181:openct_reader_release: called
reader-openct.c:181:openct_reader_release: called
reader-openct.c:166:openct_reader_finish: called

And now the debug output with the --profile oberthur option:

# pkcs15-init --erase-card --create-pkcs15 --profile oberthur -vv

sc.c:141:sc_detect_card_presence: called
reader-openct.c:208:openct_reader_detect_card_presence: called
sc.c:146:sc_detect_card_presence: returning with: 1
Connecting to card in reader CCID Compatible...
card.c:372:sc_connect_card: called
reader-openct.c:232:openct_reader_connect: called
reader-openct.c:388:openct_reader_lock: called
card.c:543:sc_unlock: Calling card logout function
reader-openct.c:415:openct_reader_unlock: called
reader-openct.c:388:openct_reader_lock: called
card.c:543:sc_unlock: Calling card logout function
reader-openct.c:415:openct_reader_unlock: called
card-oberthur.c:179:auth_select_aid: serial number 324
reader-openct.c:388:openct_reader_lock: called
card.c:543:sc_unlock: Calling card logout function
reader-openct.c:415:openct_reader_unlock: called
card.c:480:sc_connect_card: card info: AuthentIC v5, 11004, 0x0
card.c:481:sc_connect_card: returning with: 0
Using card driver Oberthur AuthentIC.v2/CosmopolIC.v4.
reader-openct.c:388:openct_reader_lock: called
card.c:883:sc_card_ctl: card_ctl(4) not supported
card.c:741:sc_select_file: called; type=2, path=3f0050154946
card-oberthur.c:737:auth_select_file: path; type=2, path=3f0050154946
card-oberthur.c:739:auth_select_file: cache; type=0, path=
card-oberthur.c:716:select_file_id: selected 5015
iso7816.c:98:iso7816_check_sw: File not found
card-oberthur.c:681:select_file_id: Card returned error: File not found
card-oberthur.c:790:auth_select_file: return -1201
card.c:763:sc_select_file: returning with: -1201
profile.c:2037:parse_error: /usr/share/opensc//oberthur.profile: No
path/fileid set for parent DF
pkcs15-lib.c:342:sc_pkcs15init_bind: Failed to load profile: Syntax error
Couldn't bind to the card: Syntax error

The ATR of the card is

# opensc-tool --atr
3b:7b:18:00:00:00:31:c0:64:77:e3:03:00:82:90:00

and the USB card reader is

# lsusb
...
ID 076b:3021 OmniKey AG CardMan 3121

I'm using the openct cardman driver.

Best regards

Andreas

Tarasov Viktor wrote:

> Andreas Steffen wrote:
>
>
>>Victor, thank you very much!
>>
>>CHV2 is indeed "12345678"
>>
>>CHV1 is "9999"
>>CHV3 is "1234"
>>
>>Now the next hurdle:
>>
>>pkcs15-init --erase-card --create-pkcs15 --profile oberthur
>>
>>aborts with
>>
>>profile.c:2037:parse_error: /usr/share/opensc/oberthur.profile:
>>               No path/fileid set for parent DF
>>
>>I'm using the default oberthur profile from opensc-0.10.0.
>
>
>
> Can you try this init command without '--profile' option, please?
>
>
>>Kind regards
>>
>>Andreas
>
>
> Best regards,
> Viktor.


Re: Default PINs of the Oberthur AuthentIC 2.2 card?

Andreas Steffen-2
Hi Andreas,


doing it in two stages doesn't help either.
With --erase-card the error occurs when trying
to delete the nonexistent 2F00 EF on a virgin
card:

About to erase card.
pkcs15-oberthur.c:135:cosm_erase_card: erase file dir 2F00
pkcs15-oberthur.c:84:cosm_delete_file:  id 2F00
card.c:741:sc_select_file: called; type=2, path=3f00
card-oberthur.c:737:auth_select_file: path; type=2, path=3f00
card-oberthur.c:739:auth_select_file: cache; type=0, path=3f005015
card-oberthur.c:790:auth_select_file: return 0
card.c:763:sc_select_file: returning with: 0
pkcs15-lib.c:2936:sc_pkcs15init_authenticate: path=3f00, op=2
pkcs15-lib.c:2952:sc_pkcs15init_authenticate: unknown acl method
                                               ^^^^^^^^^^^^^^^^^^
card.c:597:sc_delete_file: called; type=0, path=2f00
card-oberthur.c:831:auth_delete_file: path; type=0, path=2f00
card-oberthur.c:832:auth_delete_file: called
iso7816.c:98:iso7816_check_sw: Security status not satisfied

Comparing the new AuthentIC 2.2 card with an older AuthentIC
model that we worked with successfully, I see that the ACL of the
DELETE operation for the old card was "NONE", whereas for the new
card it is "N/A", which is clearly wrong because the
corresponding CREATE ACL is "NONE" for both cards.

Has there been a change of the ACL encoding in the new cards?
The ATRs are different.

Regards

Andreas

Andreas Jellinghaus wrote:
> btw: not sure if it helps,
> but it is better to do --erase-card
> and --create-pkcs15 in two steps.
>
> in some rare situations it causes problems.
> most likely you are not in such a situation,
> but still...
>
> Regards, Andreas


Re: Default PINs of the Oberthur AuthentIC 2.2 card?

Tarasov Viktor
Andreas Steffen wrote:

> Hi Andreas,
>
>
> doing it in two stages doesn't help either.
> With --erase-card the error occurs when trying
> to delete the nonexistent 2F00 EF on a virgin
> card:
>
> About to erase card.
> pkcs15-oberthur.c:135:cosm_erase_card: erase file dir 2F00
> pkcs15-oberthur.c:84:cosm_delete_file:  id 2F00
> card.c:741:sc_select_file: called; type=2, path=3f00
> card-oberthur.c:737:auth_select_file: path; type=2, path=3f00
> card-oberthur.c:739:auth_select_file: cache; type=0, path=3f005015
> card-oberthur.c:790:auth_select_file: return 0
> card.c:763:sc_select_file: returning with: 0
> pkcs15-lib.c:2936:sc_pkcs15init_authenticate: path=3f00, op=2
> pkcs15-lib.c:2952:sc_pkcs15init_authenticate: unknown acl method
>                                               ^^^^^^^^^^^^^^^^^^

Can you send me ATR of your card, please?

As well as the card's answer to the 'select MF' APDU.
The answer of the 'normal' card to the 'select MF' APDU is the following:
6F 16 82 02 38 00 83 02 3F 00 85 02 03 20 86 08 00 00 00 00 00 00 00 FF
90 00.

I am afraid that the ACLs of the MF in your card do not allow the DELETE
operation.

I have had such cards also,
and we asked Oberthur to change the default card initialisation.

> card.c:597:sc_delete_file: called; type=0, path=2f00
> card-oberthur.c:831:auth_delete_file: path; type=0, path=2f00
> card-oberthur.c:832:auth_delete_file: called
> iso7816.c:98:iso7816_check_sw: Security status not satisfied
>
> Comparing the new AuthentIC 2.2 card with an older AuthentIC
> model that we worked with successfully, I see that the ACL of the
> DELETE operation for the old card was "NONE", whereas for the new
> card it is "N/A", which is clearly wrong because the
> corresponding CREATE ACL is "NONE" for both cards.
>
> Has there been a change of the ACL encoding in the new cards?
> The ATRs are different.


>
> Regards
>
> Andreas

Kind wishes,
Viktor.

>
> Andreas Jellinghaus wrote:
>
>> btw: not sure if it helps,
>> but it is better to do --erase-card
>> and --create-pkcs15 in two steps.
>>
>> in some rare situations it causes problems.
>> most likely you are not in such a situation,
>> but still...
>>
>> Regards, Andreas
>
>


Re: Default PINs of the Oberthur AuthentIC 2.2 card?

Andreas Steffen-2
Hi Viktor,

here is the response of the new AuthentIC card
to the select 3f00 APDU:

6F 16 82 02 38 00 83 02 3F 00 85 02 02 20 86 08 00 00 00 68 00 00 00 FF
                                     --                   --

the ATR of the card is

3b:7b:18:00:00:00:31:c0:64:77:e3:03:00:82:90:00

Regards

Andreas

Tarasov Viktor wrote:

> Andreas Steffen wrote:
>
>
>>Hi Andreas,
>>
>>
>>doing it in two stages doesn't help either.
>>With --erase-card the error occurs when trying
>>to delete the nonexistent 2F00 EF on a virgin
>>card:
>>
>>About to erase card.
>>pkcs15-oberthur.c:135:cosm_erase_card: erase file dir 2F00
>>pkcs15-oberthur.c:84:cosm_delete_file:  id 2F00
>>card.c:741:sc_select_file: called; type=2, path=3f00
>>card-oberthur.c:737:auth_select_file: path; type=2, path=3f00
>>card-oberthur.c:739:auth_select_file: cache; type=0, path=3f005015
>>card-oberthur.c:790:auth_select_file: return 0
>>card.c:763:sc_select_file: returning with: 0
>>pkcs15-lib.c:2936:sc_pkcs15init_authenticate: path=3f00, op=2
>>pkcs15-lib.c:2952:sc_pkcs15init_authenticate: unknown acl method
>>                                              ^^^^^^^^^^^^^^^^^^
>
>
> Can you send me ATR of your card, please?
>
> As well as the card answer to the APDU 'select MF'.
> Answer of the 'normal' card for 'select MF' APDU is following:
> 6F 16 82 02 38 00 83 02 3F 00 85 02 03 20 86 08 00 00 00 00 00 00 00 FF
> 90 00 .
>
> I am afraid that the ACLs of the MF in your card do not allow the DELETE
> operation.
>
> I have had such cards also,
> and we asked Oberthur to change the default card initialisation.
>
>
>>card.c:597:sc_delete_file: called; type=0, path=2f00
>>card-oberthur.c:831:auth_delete_file: path; type=0, path=2f00
>>card-oberthur.c:832:auth_delete_file: called
>>iso7816.c:98:iso7816_check_sw: Security status not satisfied
>>
>>Comparing the new AuthentIC 2.2 card with an older AuthentIC
>>model that we worked with successfully, I see that the ACL of the
>>DELETE operation for the old card was "NONE", whereas for the new
>>card it is "N/A", which is clearly wrong because the
>>corresponding CREATE ACL is "NONE" for both cards.
>>
>>Has there been a change of the ACL encoding in the new cards?
>>The ATRs are different.
>
>
>
>>Regards
>>
>>Andreas
>
>
> Kind wishes,
> Viktor.


Re: Default PINs of the Oberthur AuthentIC 2.2 card?

Tarasov Viktor
Andreas Steffen wrote:

> Hi Viktor,
>
> here is the response of the new AuthentIC card
> to the select 3f00 APDU:
>
> 6F 16 82 02 38 00 83 02 3F 00 85 02 02 20 86 08 00 00 00 68 00 00 00 FF
>                                     --                   --

This is a result of Oberthur's clumsy effort to protect smartcard
contents.

The DELETE operation needs a secure channel (86 08 00 00 00 68 00 00 00).
So, without the keyset of your smartcard, the DELETE operation at MF level
is not accessible.

To use this card, it's possible to change the 'erase' procedure of
OpenSC pkcs15init slightly
and keep the DFs of the first level.
But in this case, with the current profiles, you will not be able to
re-initialize the User PIN
(and to set new PUK value(s)).

To be able to reinitialize the PIN, you can change the profile and use a
PIN-protected DF on the second level.

Kind wishes,
Viktor.


>
> the ATR of the card is
>
> 3b:7b:18:00:00:00:31:c0:64:77:e3:03:00:82:90:00
>
> Regards
>
> Andreas
>

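The two 'select MF' responses Viktor asked for and Andreas posted are compact BER-TLV FCP templates, and the whole diagnosis in this thread rests on one byte inside tag 86. The script below is an added example, not code from the thread or from OpenSC: it parses both responses, extracts the file identifier (tag 83) and the security attributes (tag 86), and diffs them so that the 0x00 vs 0x68 difference at the position Andreas marked falls out mechanically. Three things are assumptions rather than facts from the thread: the trailing 90 00 status word appended to the new card's response, the mapping of offset 3 in tag 86 to the DELETE operation (taken from where Andreas put his marker and from Viktor's reply), and the rendering of 0x68 as "SECURE CHANNEL" (Viktor's reading) with every other non-zero value shown as "N/A", the label opensc-explorer printed for the undecodable method.

```python
"""Parse the FCP (tag 6F) an AuthentIC card returns to SELECT MF and diff
the security attributes (tag 86) of two cards.

Added example; not code from the opensc-devel thread or from OpenSC.
"""
from typing import Dict, List, Optional, Tuple

# Responses as posted in the thread. Viktor's "normal" card response
# includes the 90 00 status word; Andreas's new card was posted without
# it, so 90 00 is appended here as an assumption.
NORMAL_CARD = "6F 16 82 02 38 00 83 02 3F 00 85 02 03 20 86 08 00 00 00 00 00 00 00 FF 90 00"
NEW_CARD = "6F 16 82 02 38 00 83 02 3F 00 85 02 02 20 86 08 00 00 00 68 00 00 00 FF 90 00"

# Assumption taken from the thread: the byte Andreas marked in tag 86
# (offset 3, value 0x68) is the DELETE access condition. The other offsets
# are not named in the thread and are reported by position only.
OP_NAMES = {3: "DELETE"}


def parse_tlv(data: bytes) -> Dict[int, bytes]:
    """Parse a flat sequence of single-byte-tag BER-TLV elements.

    The FCP bytes in the thread use short-form lengths; the long form
    (0x81 nn / 0x82 nn nn) is handled for robustness.
    """
    out: Dict[int, bytes] = {}
    i = 0
    while i < len(data):
        tag = data[i]
        length = data[i + 1]
        i += 2
        if length & 0x80:
            n = length & 0x7F
            length = int.from_bytes(data[i:i + n], "big")
            i += n
        out[tag] = data[i:i + length]
        i += length
    return out


def parse_fcp(hex_response: str) -> Tuple[Dict[int, bytes], Optional[bytes]]:
    """Split a SELECT response into its FCP elements and the status word."""
    data = bytes.fromhex(hex_response.replace(" ", ""))
    if not data or data[0] != 0x6F:
        raise ValueError("expected an FCP template (tag 6F)")
    body_len = data[1]
    body = data[2:2 + body_len]
    if len(body) != body_len:
        raise ValueError("FCP length exceeds the response")
    trailer = data[2 + body_len:]
    sw = trailer[:2] if len(trailer) >= 2 else None
    return parse_tlv(body), sw


def file_id(fcp: Dict[int, bytes]) -> int:
    """Tag 83 carries the file identifier (3F00 for the MF)."""
    return int.from_bytes(fcp[0x83], "big")


def describe_acl(b: int) -> str:
    """Render one access-condition byte the way the thread talks about it.

    0x00 is the "NONE" condition opensc-explorer showed on the old card;
    0x68 is what Viktor reads as "secure channel required"; any other
    value is shown as "N/A", the label Andreas saw for the new card's
    DELETE ACL when the driver could not decode the method (assumption).
    """
    if b == 0x00:
        return "NONE"
    if b == 0x68:
        return "SECURE CHANNEL"
    return "N/A"


def security_attributes(fcp: Dict[int, bytes]) -> List[Tuple[str, int, str]]:
    """Per-operation view of tag 86: (operation, raw byte, description)."""
    return [(OP_NAMES.get(i, f"op{i}"), b, describe_acl(b))
            for i, b in enumerate(fcp.get(0x86, b""))]


def diff_fcp(a_hex: str, b_hex: str) -> List[Tuple[int, int, int, int]]:
    """Byte-level differences between two FCPs as (tag, offset, a, b)."""
    a, _ = parse_fcp(a_hex)
    b, _ = parse_fcp(b_hex)
    diffs = []
    for tag in sorted(set(a) | set(b)):
        va, vb = a.get(tag, b""), b.get(tag, b"")
        for i, (x, y) in enumerate(zip(va, vb)):
            if x != y:
                diffs.append((tag, i, x, y))
    return diffs


if __name__ == "__main__":
    for label, resp in (("normal card", NORMAL_CARD), ("new card", NEW_CARD)):
        fcp, sw = parse_fcp(resp)
        print(f"{label}: file {file_id(fcp):04X}, SW {sw.hex() if sw else '?'}")
        for op, raw, desc in security_attributes(fcp):
            print(f"  {op:<7} 0x{raw:02X}  {desc}")
    for tag, off, x, y in diff_fcp(NORMAL_CARD, NEW_CARD):
        print(f"tag {tag:02X} offset {off}: 0x{x:02X} -> 0x{y:02X}")
```

Running it prints a table for each card and two differences: tag 85 offset 0 (03 vs 02, not discussed in the thread) and tag 86 offset 3 (00 vs 68), the DELETE condition that makes `pkcs15-init --erase-card` fail with "Security status not satisfied" before any PIN is even asked for. The same parser can be pointed at the FCP of any DF to see which operations a card's default initialisation leaves open and which it locks behind a key the user does not hold.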