IAS/ECC, iasecc_select_mf and AID

IAS/ECC, iasecc_select_mf and AID

Kaspars Dambis
Hello!

I'm trying to understand why this legacy version of OpenSC [1] is able to recognize my Latvia eID card (IAS/ECC) while my efforts at porting the support for the card to the latest version of OpenSC [2] are currently failing.

Here is the relevant debug log from both versions:

It appears that iasecc_select_mf is using the wrong file path after having received the same APDU response. The working version selects the following:

> card-iasecc.c:603:iasecc_select_file: iasecc_select_file(card:0x1018005e0) path.len 16; path.type 1; aid_len 0
> card-iasecc.c:604:iasecc_select_file: iasecc_select_file() path:a000000077010800070000fe00000100::

while the non-working version does this:

> card-iasecc.c:943:iasecc_select_file: iasecc_select_file(card:0x7ffd94801000) path.len 10; path.type 1; aid_len 0
> card-iasecc.c:944:iasecc_select_file: iasecc_select_file() path:4c41545649412d654944::

I would appreciate any tips or suggestion on where to put debug pointers to be able to resolve this. Here are the complete logs [3] if that would help.

Thanks!
Kaspars

P.S. Please note that I've spent only a few months looking into smart cards and have a very basic understanding of C.


------------------------------------------------------------------------------

_______________________________________________
Opensc-devel mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/opensc-devel
Re: IAS/ECC, iasecc_select_mf and AID

Douglas E Engert
Basic answer is OpenSC used to assume one application per card, and the ATR determined the driver.
Modern approach is to use an application AID to select the application on the card.

On 10/29/2015 9:15 AM, Kaspars Dambis wrote:

> Hello!
>
> I'm trying to understand why this legacy version of OpenSC [1] is able to recognize my Latvia eID card (IAS/ECC) while my efforts at porting the support for the card to the latest version of OpenSC
> [2] are currently failing.
>
> Here is the relevant debug log from both versions:
> https://gist.github.com/kasparsd/66cf8b145b7e3ae8d120
>
> It appears that iasecc_select_mf is using the wrong file path after having received the same APDU response. The working version selects the following:
>
>  > card-iasecc.c:603:iasecc_select_file: iasecc_select_file(card:0x1018005e0) path.len 16; path.type 1; aid_len 0
>  > card-iasecc.c:604:iasecc_select_file: iasecc_select_file() path:a000000077010800070000fe00000100::
>
> while the non-working version does this:
>
>  > card-iasecc.c:943:iasecc_select_file: iasecc_select_file(card:0x7ffd94801000) path.len 10; path.type 1; aid_len 0
>  > card-iasecc.c:944:iasecc_select_file: iasecc_select_file() path:4c41545649412d654944::

This looks like:

    //proprietary ATR to match
    static struct sc_aid LatviaEid_ATR_MATCH = {
        {0x4C,0x41,0x54,0x56,0x49,0x41,0x2D,0x65,0x49,0x44}, 10
    };

An ATR is not a path to a file. The above looks like "LATVIA-Eid".
What code called select_file with 4c41545649412d654944?

An ATR may have historic bytes that may contain an AID. But a vendor can put anything in the historic bytes.



>
> I would appreciate any tips or suggestion on where to put debug pointers to be able to resolve this. Here are the complete logs [3] if that would help.
>
> Thanks!
> Kaspars
>
> P.S. Please note that I've spent only a few months looking into smart cards and have a very basic understanding of C.
>
> [1] https://github.com/kasparsd/latvian-eid-opensc/commit/d615c91843f04d2df09a275cd6e513920a8fc497
> [2] https://github.com/kasparsd/OpenSC-Latvia-eID
> [3] https://gist.github.com/kasparsd/acea5c71f543bda88b5e

--

  Douglas E. Engert  <[hidden email]>



Re: IAS/ECC, iasecc_select_mf and AID

Kaspars Dambis
Thanks for that explanation, Douglas! I really appreciate it!

My understanding is that all of the init functions do the following:

1. Set a few card specific flags
2. Parse the ATR iasecc_parse_ef_atr(card) to confirm ATR card match
3. Select the AID
4. Select the MF file

while the legacy init for Latvia eID (which works) does the following:

1. Piggy back on iasecc_init_oberthur() which does everything for its spec.
2. Short-circuits iasecc_oberthur_match() with iasecc_LATVIA_EID_match() which matches the ATR value and then sets OberthurIASECC_AID (!)
3. Selects the MF file

My question is -- what is the MF file and how does it relate to the selected AID? What should happen after the AID has been selected when running "opensc-tools -a", for example?

Thanks!
Kaspars


Re: IAS/ECC, iasecc_select_mf and AID

Douglas E Engert
I see:
  https://github.com/eID-LV
was created in 2014 by http://www.pmlp.gov.lv
This looks like the Latvia gov published the code. It is based on OpenSC-0-12.2
Looks like no changes have ever been made.

So this may be your best source of information.

On 10/29/2015 2:02 PM, Kaspars Dambis wrote:
> Thanks for that explanation, Douglas! I really appreciate it!
>
> My understanding is that all of the init functions do the following:
>
> 1. Set a few card specific flags
> 2. Parse the ATR iasecc_parse_ef_atr(card) to confirm ATR card match
> 3. Select the AID
> 4. Select the MF file

Yes, sort of. But first there are the match routines. These look for card ATRs or AIDs
and then set the driver. The Init functions then set up for using the driver.

There are some drivers that only look for the AID in the match functions, and don't look at the ATR
other than to handle bugs between different card and/or applet implementations.

The AID should define the applet, or the specifications of the applet. This then allows
for the same AID to be used for different implementations of the applet and
on different cards.

>
> while the legacy init for Latvia eID (which works) does the following:
>
> 1. Piggy back on iasecc_init_oberthur() which does everything for its spec.
> 2. Short-circuits iasecc_oberthur_match() with iasecc_LATVIA_EID_match() which matches the ATR value and then sets OberthurIASECC_AID (!)
> 3. Selects the MF file
>
> My question is -- what is the MF file and how does it relate to the selected AID? What should happen after the AID has been selected when running "opensc-tools -a", for example?


Applets with the same AID should use the same file structure on the card.

But an applet controls the location data. It should be in the applet's specs or readable from the card.
(PKCS#15 for example defines how to store certs, keys and other objects and attributes on a card.)
(AIDs are registered and the 0xA0,0x00,0x00,0x00,0x77,0x01,0x08 appears to be registered to Oberthur.)

ISO 7816-4 defines all the commands, and path info. MF is like the root directory of the file system.

Google for: iso7816-4
The Cardwerk.com is fairly good. You can also purchase a copy from ISO.
See:
Section 5.1.1 File organization

Back to the eID-LV...
That code was from 2010, placed in github.com in 2014 and never modified. Since then they may have
started using a different card or card vendor. So it is not clear if it still works or not.
I would assume that if you used the Oberthur AID it will still work.

(AIDs are registered and the 0xA0,0x00,0x00,0x00,0x77,0x01,0x08 appears to be registered to Oberthur.)

>
> Thanks!
> Kaspars

--

  Douglas E. Engert  <[hidden email]>


Re: IAS/ECC, iasecc_select_mf and AID

Kaspars Dambis
Looks like the LatviaEid_AID is used for ATR matching only while the actual AID is the GlobalPlatform_CardManager_AID. I fixed my issue by adding SC_CARD_TYPE_IASECC_LATVIAEID to iasecc_select_file() (L993 of card-iasecc.c) where it uses card->type to verify a valid card type:


$ ./opensc-tool -a -v  
Using reader with a card: OMNIKEY AG Smart Card Reader
Connecting to card in reader OMNIKEY AG Smart Card Reader...
Using card driver IAS-ECC.
Card ATR:
3B DD 18 00 81 31 FE 45 90 4C 41 54 56 49 41 2D ;....1.E.LATVIA-
65 49 44 90 00 8C                               eID...

Here is a dump from pkcs15-tool:

Thank you once again!
Kaspars

Re: IAS/ECC, iasecc_select_mf and AID

Douglas E Engert
Good to hear. LatviaEid_AID is incorrectly named. It's not an AID, but the string the vendor put in the ATR.

On 10/29/2015 3:30 PM, Kaspars Dambis wrote:

> Looks like the LatviaEid_AID is used for ATR matching only while the actual AID is the GlobalPlatform_CardManager_AID. I fixed my issue by adding SC_CARD_TYPE_IASECC_LATVIAEID to iasecc_select_file()
> (L993 of card-iasecc.c) where it uses card->type to verify a valid card type:
>
> https://github.com/kasparsd/OpenSC-Latvia-eID/commit/0c86db2e9731edcc306cbce1fecfea73f680729f
>
>     $ ./opensc-tool -a -v
>     Using reader with a card: OMNIKEY AG Smart Card Reader
>     Connecting to card in reader OMNIKEY AG Smart Card Reader...
>     Using card driver IAS-ECC.
>     Card ATR:
>     3B DD 18 00 81 31 FE 45 90 4C 41 54 56 49 41 2D ;....1.E.LATVIA-
>     65 49 44 90 00 8C                               eID...
>
>
> Here is a dump from pkcs15-tool:
> https://gist.github.com/kasparsd/ed3a874173cbfc6d3981
>
> Thank you once again!
> Kaspars

--

  Douglas E. Engert  <[hidden email]>
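
The point made in this thread, that the 10-byte LatviaEid value is text from the ATR and not an AID or file path, can be checked against the ATR that opensc-tool printed. The C below is an added example, not part of the original messages and not OpenSC code; `atr_historical` is a hypothetical helper that walks the ISO 7816-3 interface bytes, verifies the TCK checksum and returns the historical bytes, which carry the LatviaEid_ATR_MATCH value at offset 1.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* ATR from the thread's opensc-tool output; 10-byte LatviaEid_ATR_MATCH value. */
static const uint8_t latvia_atr[] = {
    0x3B,0xDD,0x18,0x00,0x81,0x31,0xFE,0x45,0x90,0x4C,0x41,
    0x54,0x56,0x49,0x41,0x2D,0x65,0x49,0x44,0x90,0x00,0x8C };
static const uint8_t vendor_str[] = {
    0x4C,0x41,0x54,0x56,0x49,0x41,0x2D,0x65,0x49,0x44 };

/* Hypothetical helper: locate the historical bytes of an ISO 7816-3 ATR.
 * Returns their count and sets *hist, or -1 on truncation, bad TS or bad TCK. */
int atr_historical(const uint8_t *atr, size_t len, const uint8_t **hist)
{
    if (len < 2 || (atr[0] != 0x3B && atr[0] != 0x3F))
        return -1;
    size_t pos = 1, need_tck = 0;
    uint8_t td = atr[pos++];       /* T0: Y1 in high nibble, K in low nibble */
    size_t k = td & 0x0F;
    for (;;) {
        /* Bits 0x10/0x20/0x40 flag TAi/TBi/TCi; 0x80 flags a following TDi. */
        pos += ((td >> 4) & 1) + ((td >> 5) & 1) + ((td >> 6) & 1);
        if (!(td & 0x80))
            break;
        if (pos >= len)
            return -1;
        td = atr[pos++];
        if (td & 0x0F)             /* protocol other than T=0: TCK follows */
            need_tck = 1;
    }
    if (pos + k + need_tck > len)
        return -1;
    uint8_t x = 0;                 /* XOR of T0..TCK must be zero */
    for (size_t i = 1; need_tck && i <= pos + k; i++)
        x ^= atr[i];
    if (x)
        return -1;
    *hist = atr + pos;
    return (int)k;
}

int main(void)
{
    const uint8_t *h = NULL;
    int n = atr_historical(latvia_atr, sizeof latvia_atr, &h);
    printf("%d historical bytes, vendor string at offset 1: %s\n", n,
           n >= 11 && !memcmp(h + 1, vendor_str, sizeof vendor_str) ? "yes" : "no");
    return 0;
}
```

A value found this way is suitable for matching the card in a driver's match routine; the path passed to SELECT still has to come from the applet's AID or its specification.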

