How to erase e-gate



jari.heikkinen
Answering my own question, please find below a way to erase a blocked
card. The problem is that if you pass the --pin option to "pkcs15-init -E -C",
then it somehow uses the old pin. If you enter the pin codes at the
prompts, it seems to work. Also I was able to get rid of so-pin/so-puk by
just pressing enter at the prompt.

E.g. this works:
        pkcs15-init -E -C -P -a 01 --label jaripin -T
        pkcs15-init -G rsa/2048 -u sign,decrypt -a 01

This does not work if the pin code is blocked (commands go through but pin
is still blocked, so unusable):
        pkcs15-init -E -C -P --pin 12345678 --puk 33333333 -a 01 --label jaripin --so-pin 234567890 --so-puk 33333333 -T
        pkcs15-init -G rsa/2048 -a 01 --pin 12345678 --so-pin 234567890 -u sign,decrypt

Also the same applies to unblocking the pin with pkcs15-tool.

The following works:
        pkcs15-tool --unblock
The following does not work:
        pkcs15-tool --unblock --new-pin xxxx --puk xxxx


Below is a log for what works.

j3 crypto # pkcs15-init -E -C -P -a 01 --label jaripin -T
New Security Officer PIN (Optional - press return for no PIN).
Please enter Security Officer PIN: <pressed enter>
New User PIN. <12345678>
Please enter User PIN: <12345678>
Please type again to verify:<12345678>
Unblock Code for New User PIN (Optional - press return for no PIN).
Please enter User unblocking PIN (PUK): <22222222>
Please type again to verify: <22222222>

j3 crypto # pkcs15-init -G rsa/2048 -u sign,decrypt -a 01
User PIN required.
Please enter User PIN: <12345678>


j3 crypto # openssl<<EOF
> engine dynamic -pre SO_PATH:/usr/local/lib/opensc/engine_pkcs11.so -pre
ID:pkcs11 -pre LIST_ADD:1 -pre LOAD -pre
MODULE_PATH:/usr/local/lib/pkcs11/opensc-pkcs11.so
> req -engine pkcs11 -new -key id_45 -keyform engine -out ${username}.pem
-x509 -days 9999 -sha1

> FI
> FI
> Helsinki
> Modirum
>
> Jari
>
>
>
>
> EOF
OpenSSL> (dynamic) Dynamic engine loading support
[Success]: SO_PATH:/usr/local/lib/opensc/engine_pkcs11.so
[Success]: ID:pkcs11
[Success]: LIST_ADD:1
[Success]: LOAD
[Success]: MODULE_PATH:/usr/local/lib/pkcs11/opensc-pkcs11.so
Loaded: (pkcs11) pkcs11 engine
OpenSSL> engine "pkcs11" set.
SmartCard PIN: <12345678>
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a
DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:State or Province Name (full name)
[Some-State]:Locality Name (eg, city) []:Organization Name (eg, company)
[Internet Widgits Pty Ltd]:Organizational Unit Name (eg, section)
[]:Common Name (eg, YOUR name) []:Email Address []:OpenSSL> OpenSSL>
OpenSSL> OpenSSL>

j3 crypto # openssl<<EOF
> engine dynamic -pre SO_PATH:/usr/local/lib/opensc/engine_pkcs11.so -pre
ID:pkcs11 -pre LIST_ADD:1 -pre LOAD -pre
MODULE_PATH:/usr/local/lib/pkcs11/opensc-pkcs11.so
> req -engine pkcs11 -new -key id_45 -keyform engine -out ${username}.pem
-x509 -days 9999 -sha1

> FI
> FI
> Helsinki
> Modirum
>
> jari
>
>
>
>
> EOF
OpenSSL> (dynamic) Dynamic engine loading support
[Success]: SO_PATH:/usr/local/lib/opensc/engine_pkcs11.so
[Success]: ID:pkcs11
[Success]: LIST_ADD:1
[Success]: LOAD
[Success]: MODULE_PATH:/usr/local/lib/pkcs11/opensc-pkcs11.so
Loaded: (pkcs11) pkcs11 engine
OpenSSL> engine "pkcs11" set.
SmartCard PIN:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a
DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:State or Province Name (full name)
[Some-State]:Locality Name (eg, city) []:Organization Name (eg, company)
[Internet Widgits Pty Ltd]:Organizational Unit Name (eg, section)
[]:Common Name (eg, YOUR name) []:Email Address []:OpenSSL> OpenSSL>
OpenSSL> OpenSSL>


j3 crypto # pkcs15-init -X jari.pem -f pem -a 01

# now the key is in card, test it

j3 crypto # /usr/local/bin/ssh-keygen -D 0 >>/home/jari/.ssh/authorized_keys

j3 crypto # /usr/local/bin/ssh-agent >.agent
j3 crypto # source .agent
j3 crypto # /usr/local/bin/ssh-add -D
All identities removed.
j3 crypto # /usr/local/bin/ssh-add -s0
Enter passphrase for smartcard:
Card added: 0
ssh jari@localhost




Best Regards,

JARI HEIKKINEN

MODIRUM
Mobile +358 40 555 0125 Fax +358 9 251 66100
Tel. +358 9 25123737, +372 644 4205,
+1 650 557 2064, +44 20 7871 3122, +852 8199 0064
Mannerheimintie 12 B, FIN-00100 Helsinki, FINLAND
[hidden email] www.modirum.com

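The post's working sequence leaves every PIN to the interactive prompt rather than passing it with --pin/--puk/--so-pin. Besides working around the behaviour described above, that choice has a security side the post does not spell out: anything placed in a command's argument list is readable by every local user from the process table for as long as the process runs, and usually lands in the shell history as well. The script below is an added example, not code from the post or from OpenSC. It assumes a Linux host with /proc (it falls back to ps where /proc is absent), and it reuses the post's pkcs15-init options unchanged; the "PIN" it places on a throw-away child's argument list is a constructed placeholder, not a real one.

```shell
#!/bin/sh
# Added example, not part of the original post. Assumes /proc (Linux) or a
# ps that understands -o args=, and, for reinit_card only, OpenSC's
# pkcs15-init on PATH.

# Demonstrate why PINs should stay out of argv: start a harmless child
# (`sh -c 'sleep 2'` with extra positional words that imitate --pin <value>)
# and read its argument list back through /proc or ps as any other local
# user could. Returns 0 if the placeholder secret is visible, 1 if not.
argv_exposes_secret() {
    secret="$1"                                   # constructed placeholder
    sh -c 'sleep 2' placeholder --pin "$secret" &
    pid=$!
    sleep 1                                       # let the child exec()
    if [ -r "/proc/$pid/cmdline" ]; then
        seen=$(tr '\0' ' ' < "/proc/$pid/cmdline")
    else
        seen=$(ps -o args= -p "$pid")
    fi
    kill "$pid" 2>/dev/null || true
    wait "$pid" 2>/dev/null || true
    case "$seen" in
        *"$secret"*) return 0 ;;                  # visible in the process table
        *)           return 1 ;;
    esac
}

# The command pair the post reports as working, with no PIN options: the
# SO PIN, user PIN and PUK are all entered at pkcs15-init's own prompts,
# so they never reach argv or the shell history. Auth ID and label default
# to the post's values. Returns 2 when the OpenSC tools are not installed.
reinit_card() {
    auth_id="${1:-01}"
    label="${2:-jaripin}"
    command -v pkcs15-init >/dev/null 2>&1 || {
        echo "pkcs15-init not found on PATH" >&2
        return 2
    }
    pkcs15-init -E -C -P -a "$auth_id" --label "$label" -T &&
    pkcs15-init -G rsa/2048 -u sign,decrypt -a "$auth_id"
}
```

Run `argv_exposes_secret 12345678 && echo 'argv is public'` to see the exposure on your own machine; `reinit_card 01 jaripin` then performs the erase and key generation with a reader and card attached, answering the prompts exactly as in the log above.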
_______________________________________________
opensc-user mailing list
[hidden email]
http://www.opensc.org/cgi-bin/mailman/listinfo/opensc-user