Problem with Aventra MyEID and multiple PINs / auth-id mismatch

Leonardo Brondani Schenkel-2
Hi,

I found an issue with Aventra MyEID card and multiple PINs. I tried
OpenSC 0.13.0 and latest master (72bf7a8593a4) and both have the same
issue.

When more than one PIN is present on the card, and a key is
generated/imported, OpenSC always asks for the *first* PIN no matter
what "--auth-id" is specified. Entering the first PIN succeeds (and
any other PIN fails); the strange thing is that "pkcs15-tool -D" shows
that the key has the auth-id given, but any attempt to use this key
fails (using either PIN).

Keys generated/imported with the auth-id of the first PIN work.

Steps to reproduce this issue (attached to this e-mail there's a shell
script with the steps below and the output with OPENSC_DEBUG=9):

1. pkcs15-init -C --so-pin 0000 --so-puk 9999 --pin 0000
2. pkcs15-init -P --so-pin 0000 --pin 1111 --puk 9999 --id 1 --label "PIN 1"
3. pkcs15-init -P --so-pin 0000 --pin 2222 --puk 9999 --id 2 --label "PIN 2"
4. pkcs15-init -F
5. pkcs15-init -G rsa/1024 --key-usage sign,decrypt -a 1 --pin 1111 --label "Key 1"
6. pkcs15-init -G rsa/1024 --key-usage sign,decrypt -a 2 --pin 2222 --label "Key 2"

Step 6 above will fail (no key gets created):
Failed to generate key: PIN code or key incorrect

7. pkcs15-init -G rsa/1024 --key-usage sign,decrypt -a 2 --pin 1111 --label "Key 2"

Step 7 will succeed, indicating that the card was authenticated with PIN 1.

8. pkcs15-init -D

Private RSA Key [Key 2]
        Object Flags   : [0x3], private, modifiable
        Usage          : [0x2E], decrypt, sign, signRecover, unwrap
        Access Flags   : [0x1D], sensitive, alwaysSensitive, neverExtract, local
        ModLength      : 1024
        Key ref        : 2 (0x2)
        Native         : yes
        Path           : 3f0050154b02
        Auth ID        : 02
        ID             : fc1ee21d833c9462c5c0b17419df038ffcce60a1
        MD:guid        : {c7aba3fb-3c23-9dda-5e0e-2ce9d0760573}
          :cmap flags  : 0x0
          :sign        : 0
          :key-exchange: 0

Note that "Key 2" has an auth id "02", but it was created by
authenticating using PIN 1.

8. pkcs11-tool --module opensc-pkcs11.so --login --slot 1 --test --pin 1111

This works.

9. pkcs11-tool --module opensc-pkcs11.so --login --slot 2 --test --pin 2222

This fails with:
error: PKCS11 function C_SignFinal failed: rv = CKR_USER_NOT_LOGGED_IN (0x101)

To me this looks like a bug in OpenSC. Is there anybody else with this
same card experiencing this issue?

// Leonardo.

_______________________________________________
Opensc-devel mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/opensc-devel

Attachments: steps.sh (968 bytes), debug.txt.gz (275K)

Re: Problem with Aventra MyEID and multiple PINs / auth-id mismatch

NdK-3
On 11/02/2014 08:37, Leonardo Brondani Schenkel wrote:

> To me this looks like a bug in OpenSC. Is there anybody else with this
> same card experiencing this issue?
A lot of time has passed since I could play with Aventra cards, but I
remember a similar problem with old OpenSC 0.12.x, too.
It's probably a bug in MyEID.profile .

BYtE,
 Diego.


Re: Problem with Aventra MyEID and multiple PINs / auth-id mismatch

Leonardo Brondani Schenkel-2
On 11/02/2014 10:52, NdK wrote:
> On 11/02/2014 08:37, Leonardo Brondani Schenkel wrote:
>
>> To me this looks like a bug in OpenSC. Is there anybody else with this
>> same card experiencing this issue?
> A lot of time has passed since I could play with Aventra cards, but I
> remember a similar problem with old OpenSC 0.12.x, too.
> It's probably a bug in MyEID.profile .

Hi Diego/NdK,

I found your old thread "--insecure" (later: "Profiles"). It is *very*
informative: your issue was exactly what I'm experiencing, and I fully
agree with your conclusions.

From a user perspective, there's a fundamental mismatch between what
"--auth-id" in "pkcs15init" actually does and what it is expected to do.
In the current (and IMHO broken) form, in any scenario where there's
more than one user PIN and the card profile uses CRYPTO=$PIN in ACLs,
any creation of protected objects with an "--auth-id" referencing a PIN
that is different from what $PIN resolves to will result in a mismatch
between the ACL on the card and what is described in the PKCS#15 data
structures. At least according to my tests this makes the object
unusable from a PKCS#11 application.

Back then there was some discussion about changing this behaviour; was
anything ever done?

Cheers,
// Leonardo.


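As an added consistency check (not code from this thread or from OpenSC), the script below parses a `pkcs15-tool -D` listing laid out like the one in the first message and flags private keys whose Auth ID is not the first PIN's ID, which is exactly the condition under which the CRYPTO=$PIN ACL and the PKCS#15 Auth ID disagree and the key becomes unusable. The PIN-object blocks in the sample are constructed, assuming they carry an `ID` field in the same `Name : value` layout as the key objects.

```python
import re

# Constructed sample of `pkcs15-tool -D` output, modelled on the listing in
# the thread: PIN 1 (ID 01), PIN 2 (ID 02), "Key 1" made with -a 1 and
# "Key 2" made with -a 2.  Fields not needed for the check are omitted.
SAMPLE_LISTING = """\
PIN [PIN 1]
        ID             : 01
PIN [PIN 2]
        ID             : 02
Private RSA Key [Key 1]
        Key ref        : 1 (0x1)
        Auth ID        : 01
        ID             : 0a0b0c0d
Private RSA Key [Key 2]
        Key ref        : 2 (0x2)
        Auth ID        : 02
        ID             : fc1ee21d833c9462c5c0b17419df038ffcce60a1
"""

FIELD_RE = re.compile(r"^\s+(\S[^:]*?)\s*:\s*(.*)$")

def parse_objects(listing):
    """Split the listing into (header, {field: value}) pairs: an unindented
    line opens an object, indented 'Name : value' lines belong to it."""
    objects = []
    for line in listing.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():
            objects.append((line.strip(), {}))
        else:
            m = FIELD_RE.match(line)
            if m and objects:
                objects[-1][1][m.group(1)] = m.group(2)
    return objects

def find_acl_mismatches(listing):
    """Headers of private keys whose Auth ID differs from the first PIN's ID.
    With CRYPTO=$PIN in the profile ACLs the card binds every key to the PIN
    $PIN resolves to (the first one), so such keys are the unusable case."""
    objects = parse_objects(listing)
    pins = [f for h, f in objects if h.startswith("PIN [")]
    if not pins:
        return []
    first_pin_id = pins[0].get("ID")
    return [h for h, f in objects
            if h.startswith("Private") and f.get("Auth ID") != first_pin_id]
```

Run it against real output with `pkcs15-tool -D | python3 -c 'import sys; ...'` by feeding `sys.stdin.read()` to `find_acl_mismatches`; an empty result means every key is bound to the PIN the profile actually uses.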
