opensc-explorer, PIN length 10

opensc-explorer, PIN length 10

Johannes Becker-5

Hello,

I have a CardOS V4.3B chipcard that works with Firefox.

But the command

verify CHV81 30:34:35:32:39:31:FF:FF:FF:FF

fails with

Unable to verify PIN code: Invalid arguments

The command

verify CHV81 30:34:35:32:39:31:FF:FF

fails with

Unable to verify PIN code: Card command failed

pkcs15-tool says

PIN [User Pin]
Object Flags : [0x3], private, modifiable
Auth ID : 02
ID : 01
Flags : [0x133], case-sensitive, local, initialized, needs-padding, disable_allowed
Length : min_len:4, max_len:10, stored_len:10
Pad char : 0xFF
Reference : 129 (0x81)
Type : ascii-numeric
Path : 3f005015

Johannes

_______________________________________________
Opensc-devel mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/opensc-devel
Re: opensc-explorer, PIN length 10

Martin Paljak-4
Hello,


On Fri, May 3, 2013 at 1:46 PM, Johannes Becker
<[hidden email]> wrote:

> I have a CardOS V4.3B chipcard that works with Firefox.
> But the command
> verify CHV81 30:34:35:32:39:31:FF:FF:FF:FF
>
> fails with
>
> Unable to verify PIN code: Invalid arguments
>
>
>
> The command
>
> verify CHV81 30:34:35:32:39:31:FF:FF
>
> fails with
>
> Unable to verify PIN code: Card command failed

Keep in mind that CHVXX seems to take *decimal* input, and that cardos
driver actually seems to use max length 8, so:

verify CHV129 30:34:35:32:39:31:FF:FF

Should give "OK" (maybe you need to have the necessary folder selected
before as well)

Martin


Re: opensc-explorer, PIN length 10

Johannes Becker-5

On Friday, 03 May 2013, Martin Paljak <[hidden email]> wrote:

> Keep in mind that CHVXX seems to take *decimal* input, and that cardos
> driver actually seems to use max length 8, so:
>
> verify CHV129 30:34:35:32:39:31:FF:FF
>
> Should give "OK" (maybe you need to have the necessary folder selected
> before as well)

Yes, selecting the folder makes a difference, but it seems that the card expects length 10.

opensc-explorer now produces:

OpenSC [3F00]> cd 5015
OpenSC [3F00/5015]> verify CHV129 30:34:35:32:39:31:FF:FF
Incorrect code.
OpenSC [3F00/5015]> verify CHV129 30:34:35:32:39:31:FF:FF:FF:FF
Unable to verify PIN code: Invalid arguments

The PIN is accepted when using Firefox.

Johannes


Re: opensc-explorer, PIN length 10

Martin Paljak-4
On Mon, May 6, 2013 at 10:44 AM, Johannes Becker
<[hidden email]> wrote:
> OpenSC [3F00/5015]> verify CHV129 30:34:35:32:39:31:FF:FF
>
> Incorrect code.
>
> OpenSC [3F00/5015]> verify CHV129 30:34:35:32:39:31:FF:FF:FF:FF
>
> Unable to verify PIN code: Invalid arguments
> The PIN is accepted when using Firefox.

As said before: do have a peek at the log of an actual verification
performed by Firefox.


Re: opensc-explorer, PIN length 10

Viktor Tarasov-3
On 06/05/2013 16:28, Martin Paljak wrote:
> On Mon, May 6, 2013 at 10:44 AM, Johannes Becker
> <[hidden email]> wrote:
>> OpenSC [3F00/5015]> verify CHV129 30:34:35:32:39:31:FF:FF
>>
>> Incorrect code.
PIN value is invalid.

>> OpenSC [3F00/5015]> verify CHV129 30:34:35:32:39:31:FF:FF:FF:FF
>>
>> Unable to verify PIN code: Invalid arguments
PIN length is invalid


Probably the PKCS15 AOF descriptor does not correspond to the real format of your PIN
(length, padding character, ...?).

Try to pad the PIN value with "00" -- at least it's the padding character in the OpenSC profile for the CardOS card.

>> The PIN is accepted when using Firefox.
> As said before: do have a peek at the log of an actual verification
> performed by Firefox.
Best way.


Re: opensc-explorer, PIN length 10

Johannes Becker-5
In reply to this post by Martin Paljak-4

On Monday, 06 May 2013, Martin Paljak <[hidden email]> wrote:

> As said before: do have a peek at the log of an actual verification
> performed by Firefox.

Firefox, pkcs11-tool and pkcs15-tool work with the card.
They send the PIN with length 10, padded with FF (see below).

It is only opensc-explorer that doesn't pass the PIN with length 10.

I guess now I have to learn how to write the certificate to the card using pkcs11-tool.

I tested with opensc 0.12.2

Johannes

-----

0x7f05005d3700 10:11:20.803 [opensc-pkcs11] apdu.c:184:sc_apdu_log:
Outgoing APDU data [ 15 bytes] =====================================
00 20 00 81 0A 30 34 35 32 39 31 FF FF FF FF . ...045291....
======================================================================
0x7f05005d3700 10:11:20.803 [opensc-pkcs11] reader-pcsc.c:176:pcsc_internal_transmit: called
0x7f05005d3700 10:11:20.856 [opensc-pkcs11] apdu.c:184:sc_apdu_log:
Incoming APDU data [ 2 bytes] =====================================
90 00 ..
======================================================================
0x7f05005d3700 10:11:20.856 [opensc-pkcs11] card.c:330:sc_unlock: called
0x7f05005d3700 10:11:20.856 [opensc-pkcs11] sec.c:204:sc_pin_cmd: returning with: 0 (Success)
0x7f05005d3700 10:11:20.856 [opensc-pkcs11] pkcs15-pin.c:509:sc_pkcs15_pincache_add: called
0x7f05005d3700 10:11:20.856 [opensc-pkcs11] pkcs15-pin.c:543:sc_pkcs15_pincache_add: PIN(User Pin) cached
0x7f05005d3700 10:11:20.856 [opensc-pkcs11] card.c:330:sc_unlock: called
0x7f05005d3700 10:11:20.856 [opensc-pkcs11] reader-pcsc.c:548:pcsc_unlock: called
0x7f05005d3700 10:11:20.861 [opensc-pkcs11] pkcs15-pin.c:296:sc_pkcs15_verify_pin: returning with: 0 (Success)



Re: opensc-explorer, PIN length 10

Martin Paljak-4
Hello,

Keep in mind that opensc-explorer is a "low level tool". Your best
option is to compare the actual commands (opensc-explorer -vvv) to
what succeeds above (00 20 00 81 0A 30 34 35 32 39 31 FF FF FF FF).
Also, if the PKCS#11 module selects some DF-s beforehand, you need to
manually do that with opensc-explorer.

Martin
--
Martin
+372 5156495


On Fri, May 17, 2013 at 12:48 PM, Johannes Becker
<[hidden email]> wrote:

> On Monday, 06 May 2013, Martin Paljak <[hidden email]> wrote:
>
>> As said before: do have a peek at the log of an actual verification
>> performed by Firefox.
>
> Firefox, pkcs11-tool and pkcs15-tool work with the card.
> They send the PIN with length 10, padded with FF (see below).
>
> It is only opensc-explorer that doesn't pass the PIN with length 10.
>
> I guess now I have to learn how to write the certificate to the card using
> pkcs11-tool.
>
> I tested with opensc 0.12.2
>
> Johannes
>
> -----
>
> 0x7f05005d3700 10:11:20.803 [opensc-pkcs11] apdu.c:184:sc_apdu_log:
> Outgoing APDU data [ 15 bytes] =====================================
> 00 20 00 81 0A 30 34 35 32 39 31 FF FF FF FF . ...045291....
> ======================================================================
> 0x7f05005d3700 10:11:20.803 [opensc-pkcs11]
> reader-pcsc.c:176:pcsc_internal_transmit: called
> 0x7f05005d3700 10:11:20.856 [opensc-pkcs11] apdu.c:184:sc_apdu_log:
> Incoming APDU data [ 2 bytes] =====================================
> 90 00 ..
> ======================================================================
> 0x7f05005d3700 10:11:20.856 [opensc-pkcs11] card.c:330:sc_unlock: called
> 0x7f05005d3700 10:11:20.856 [opensc-pkcs11] sec.c:204:sc_pin_cmd: returning
> with: 0 (Success)
> 0x7f05005d3700 10:11:20.856 [opensc-pkcs11]
> pkcs15-pin.c:509:sc_pkcs15_pincache_add: called
> 0x7f05005d3700 10:11:20.856 [opensc-pkcs11]
> pkcs15-pin.c:543:sc_pkcs15_pincache_add: PIN(User Pin) cached
> 0x7f05005d3700 10:11:20.856 [opensc-pkcs11] card.c:330:sc_unlock: called
> 0x7f05005d3700 10:11:20.856 [opensc-pkcs11] reader-pcsc.c:548:pcsc_unlock:
> called
> 0x7f05005d3700 10:11:20.861 [opensc-pkcs11]
> pkcs15-pin.c:296:sc_pkcs15_verify_pin: returning with: 0 (Success)


opensc-explorer, PIN length 10 / sequel

Johannes Becker-5
In reply to this post by Johannes Becker-5

Hello,

Finally I found time to produce log files for the following problem:

chipcard CardOS V4.3B
OpenSC 0.13.0

opensc-explorer fails to verify the PIN:

$ opensc-explorer
OpenSC Explorer version 0.13.0
Using reader with a card: Dell Dell Smart Card Reader Keyboard 00 00
OpenSC [3F00]> cd 5015
OpenSC [3F00/5015]> verify CHV129 32:33:34:35:36:37:FF:FF:FF:FF
Unable to verify PIN code: Invalid arguments
OpenSC [3F00/5015]> verify CHV129 32:33:34:35:36:37:FF:FF
Incorrect code.
OpenSC [3F00/5015]> exit

On the other hand pkcs15-tool has no problems with the command

pkcs15-tool --change-pin --pin 234567 --new-pin 234567

The log files are

http://www.uni-giessen.de/~g013/opensc/opensc-explorer.log
http://www.uni-giessen.de/~g013/opensc/pkcs15-tool.log

Below the output of pkcs15-tool --dump

Regards
Johannes

pkcs15-tool --dump
Using reader with a card: Dell Dell Smart Card Reader Keyboard 00 00
PKCS#15 Card [Test Card]:
Version : 0
Serial number : 7BFF203BF6052E35
Manufacturer ID: cv cryptovision gmbh (c) v1.0n
Flags : Login required, PRN generation, EID compliant

PIN [User Pin]
Object Flags : [0x3], private, modifiable
Auth ID : 02
ID : 01
Flags : [0x133], case-sensitive, local, initialized, needs-padding, disable_allowed
Length : min_len:4, max_len:10, stored_len:10
Pad char : 0xFF
Reference : 129 (0x81)
Type : ascii-numeric
Path : 3f005015

PIN [SO Pin]
Object Flags : [0x3], private, modifiable
ID : 02
Flags : [0x1BB], case-sensitive, local, unblock-disabled, initialized, needs-padding, soPin, disable_allowed
Length : min_len:4, max_len:10, stored_len:10
Pad char : 0xFF
Reference : 130 (0x82)
Type : ascii-numeric
Path : 3f005015

AuthKey [Challenge Response Key]
Object Flags : [0x3], private, modifiable
ID : 02
Derived : 1
SecretKeyID : 01

Private RSA Key [JLUSIGNCERT]
Object Flags : [0x3], private, modifiable
Usage : [0x6], decrypt, sign
Access Flags : [0x9], sensitive, neverExtract
ModLength : 2048
Key ref : 1 (0x1)
Native : yes
Path : 3f00501550724b21
Auth ID : 01
ID : 45
GUID : {6c9dc6ad-b7fa-c10c-0ff7-c385ad72d3f0}

Private RSA Key [JLUAUTHCERT]
Object Flags : [0x3], private, modifiable
Usage : [0x6], decrypt, sign
Access Flags : [0x9], sensitive, neverExtract
ModLength : 2048
Key ref : 1 (0x1)
Native : yes
Path : 3f00501550724b22
Auth ID : 01
ID : 46
GUID : {d9fe0a11-3ec7-eda5-ac52-9a721aff8e70}

Public RSA Key [JLUSIGNCERT]
Object Flags : [0x2], modifiable
Usage : [0x41], encrypt, verify
Access Flags : [0x0]
ModLength : 2048
Key ref : 1 (0x1)
Native : no
Path : 3f00501550754b21
ID : 45
DirectValue : <absent>

Public RSA Key [JLUAUTHCERT]
Object Flags : [0x2], modifiable
Usage : [0x41], encrypt, verify
Access Flags : [0x0]
ModLength : 2048
Key ref : 1 (0x1)
Native : no
Path : 3f00501550754b22
ID : 46
DirectValue : <absent>

X.509 Certificate [JLUSIGNCERT]
Object Flags : [0x2], modifiable
Authority : no
Path : 3f00501543044301
ID : 45
GUID : {6c9dc6ad-b7fa-c10c-0ff7-c385ad72d3f0}
Encoded serial : 02 07 1599ED6129A5C1

X.509 Certificate [JLUAUTHCERT]
Object Flags : [0x2], modifiable
Authority : no
Path : 3f00501543044302
ID : 46
GUID : {d9fe0a11-3ec7-eda5-ac52-9a721aff8e70}
Encoded serial : 02 07 1599ED65D8554B

X.509 Certificate [Deutsche Telekom Root CA 2]
Object Flags : [0x2], modifiable
Authority : no
Path : 3f00501543044303
ID : 50
GUID : {6f74f832-4ebb-257d-0ae1-97ad6b19b2ae}
Encoded serial : 02 01 26

X.509 Certificate [DFN-Verein PCA Global - G01]
Object Flags : [0x2], modifiable
Authority : no
Path : 3f00501543044304
ID : 50
GUID : {6f74f832-4ebb-257d-0ae1-97ad6b19b2ae}
Encoded serial : 02 02 00C7

X.509 Certificate [JLUCACERT]
Object Flags : [0x2], modifiable
Authority : no
Path : 3f00501543044305
ID : 50
GUID : {6f74f832-4ebb-257d-0ae1-97ad6b19b2ae}
Encoded serial : 02 04 109C4834

Data object 'cardid'
applicationName: cvmd
Path: 3f0050156377
Data (16 bytes): 36ED3BC2D4AF7D41A4632F4026C27D6F

Data object 'cardcf'
applicationName: cvmd
Path: 3f0050156378
Data (6 bytes): 010109000A00

Data object 'cardapps'
applicationName: cvmd
Path: 3f00501544444401
Data (8 bytes): 6D73637000000000

Data object 'mscp\'
applicationName: cvmd
Path: 3f00501544444402
Data (0 bytes):

Data object 'mscp\cmapfile'
applicationName: cvmd
Path: 3f00501544444403
Data (0 bytes):

Data object 'CARDVERSION'
applicationName:
Path: 3f00501544444404
Data (3 bytes): 322E30


Re: opensc-explorer, PIN length 10 / sequel

Ludovic Rousseau
2013/7/26 Johannes Becker <[hidden email]>:

> Hello,
>
> Finally I found time to produce log files for the following problem:
>
> chipcard CardOS V4.3B
> OpenSC 0.13.0
>
> opensc-explorer fails to verify the PIN:
>
> $ opensc-explorer
> OpenSC Explorer version 0.13.0
> Using reader with a card: Dell Dell Smart Card Reader Keyboard 00 00
> OpenSC [3F00]> cd 5015
> OpenSC [3F00/5015]> verify CHV129 32:33:34:35:36:37:FF:FF:FF:FF
> Unable to verify PIN code: Invalid arguments
> OpenSC [3F00/5015]> verify CHV129 32:33:34:35:36:37:FF:FF
> Incorrect code.
> OpenSC [3F00/5015]> exit

From your log:

0x7f43e335d700 13:28:27.211 [opensc-explorer]
reader-pcsc.c:182:pcsc_internal_transmit: called
0x7f43e335d700 13:28:27.240 [opensc-explorer] apdu.c:185:sc_apdu_log:
Incoming APDU data [   49 bytes] =====================================
6F 2D 81 02 02 00 82 06 38 B5 00 FE 00 07 83 02 o-......8.......
50 15 84 0C A0 00 00 00 63 50 4B 43 53 2D 31 35 P.......cPKCS-15
85 03 00 2A 6C 86 08 00 05 05 FF FF 73 FF 05 90 ...*l.......s...
00                                              .
======================================================================
0x7f43e335d700 13:28:27.240 [opensc-explorer]
apdu.c:524:sc_single_transmit: returning with: 0 (Success)
0x7f43e335d700 13:28:27.240 [opensc-explorer] apdu.c:676:sc_transmit:
returning with: 0 (Success)
0x7f43e335d700 13:28:27.240 [opensc-explorer] card.c:353:sc_unlock: called
0x7f43e335d700 13:28:27.240 [opensc-explorer]
iso7816.c:321:iso7816_process_fci: processing FCI bytes
0x7f43e335d700 13:28:27.240 [opensc-explorer]
iso7816.c:325:iso7816_process_fci:   file identifier: 0x5015
0x7f43e335d700 13:28:27.240 [opensc-explorer]
iso7816.c:338:iso7816_process_fci:   bytes in file: 512
0x7f43e335d700 13:28:27.240 [opensc-explorer]
iso7816.c:349:iso7816_process_fci:   shareable: no
0x7f43e335d700 13:28:27.240 [opensc-explorer]
iso7816.c:368:iso7816_process_fci:   type: DF
0x7f43e335d700 13:28:27.240 [opensc-explorer]
iso7816.c:369:iso7816_process_fci:   EF structure: 0
0x7f43e335d700 13:28:27.240 [opensc-explorer]
iso7816.c:379:iso7816_process_fci:   File name: A0 00 00 00 63 50 4B
43 53 2D 31 35 ....cPKCS-15
0x7f43e335d700 13:28:27.240 [opensc-explorer]
card-cardos.c:443:cardos_select_file: returning with: 0 (Success)
0x7f43e335d700 13:28:27.240 [opensc-explorer]
card.c:638:sc_select_file: returning with: 0 (Success)
0x7f43e335d700 13:28:35.587 [opensc-explorer] sec.c:157:sc_pin_cmd: called
0x7f43e335d700 13:28:35.587 [opensc-explorer] sec.c:204:sc_pin_cmd:
returning with: -1300 (Invalid arguments)

The 10-byte-long PIN is rejected by OpenSC, not by the card.
Unfortunately we do not have more details.

0x7f43e335d700 13:28:42.835 [opensc-explorer] sec.c:157:sc_pin_cmd: called
0x7f43e335d700 13:28:42.835 [opensc-explorer]
apdu.c:687:sc_transmit_apdu: called
0x7f43e335d700 13:28:42.835 [opensc-explorer] card.c:315:sc_lock: called
0x7f43e335d700 13:28:42.835 [opensc-explorer] apdu.c:654:sc_transmit: called
0x7f43e335d700 13:28:42.835 [opensc-explorer]
apdu.c:509:sc_single_transmit: called
0x7f43e335d700 13:28:42.835 [opensc-explorer]
apdu.c:514:sc_single_transmit: CLA:0, INS:20, P1:0, P2:81, data(8)
0x7fffd3933c60
0x7f43e335d700 13:28:42.835 [opensc-explorer]
reader-pcsc.c:249:pcsc_transmit: reader 'Dell Dell Smart Card Reader
Keyboard 00 00'
0x7f43e335d700 13:28:42.835 [opensc-explorer] apdu.c:185:sc_apdu_log:
Outgoing APDU data [   13 bytes] =====================================
00 20 00 81 08 32 33 34 35 36 37 FF FF . ...234567..
======================================================================
0x7f43e335d700 13:28:42.835 [opensc-explorer]
reader-pcsc.c:182:pcsc_internal_transmit: called
0x7f43e335d700 13:28:42.875 [opensc-explorer] apdu.c:185:sc_apdu_log:
Incoming APDU data [    2 bytes] =====================================
63 00 c.
======================================================================

The 8-byte-long PIN is correctly sent to the card.


You will have to debug from sc_pin_cmd() in sec.c to find why the
"long" PIN is rejected.

Bye

--
 Dr. Ludovic Rousseau
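
The triage done by eye in the message above (did sc_pin_cmd fail before any APDU left the host, or did the card answer with an error status?), as an added example that is not part of the original post or of OpenSC. The sample is constructed from log records quoted in this thread with mail-wrapped lines rejoined; `triage` and its field names are hypothetical.

```python
import re

# Constructed sample: PIN-related records in the OpenSC debug-log layout quoted
# in this thread, mail-wrapped lines rejoined. First the opensc-pkcs11
# verification, then the two opensc-explorer attempts.
SAMPLE_LOG = """\
0x7f05005d3700 10:11:20.803 [opensc-pkcs11] apdu.c:184:sc_apdu_log:
Outgoing APDU data [ 15 bytes] =====================================
00 20 00 81 0A 30 34 35 32 39 31 FF FF FF FF . ...045291....
======================================================================
0x7f05005d3700 10:11:20.856 [opensc-pkcs11] apdu.c:184:sc_apdu_log:
Incoming APDU data [ 2 bytes] =====================================
90 00 ..
======================================================================
0x7f05005d3700 10:11:20.856 [opensc-pkcs11] sec.c:204:sc_pin_cmd: returning with: 0 (Success)
0x7f43e335d700 13:28:35.587 [opensc-explorer] sec.c:157:sc_pin_cmd: called
0x7f43e335d700 13:28:35.587 [opensc-explorer] sec.c:204:sc_pin_cmd: returning with: -1300 (Invalid arguments)
0x7f43e335d700 13:28:42.835 [opensc-explorer] sec.c:157:sc_pin_cmd: called
0x7f43e335d700 13:28:42.835 [opensc-explorer] apdu.c:185:sc_apdu_log:
Outgoing APDU data [   13 bytes] =====================================
00 20 00 81 08 32 33 34 35 36 37 FF FF . ...234567..
======================================================================
0x7f43e335d700 13:28:42.875 [opensc-explorer] apdu.c:185:sc_apdu_log:
Incoming APDU data [    2 bytes] =====================================
63 00 c.
======================================================================
"""

HDR = re.compile(r"^0x[0-9a-f]+ [\d:.]+ \[[^\]]+\] \S+:\d+:(\w+):\s*(.*)$")
DUMP = re.compile(r"^(Outgoing|Incoming) APDU data \[\s*(\d+) bytes\]")
RET = re.compile(r"returning with: (-?\d+)")


def read_dump(lines, i, count):
    """Collect `count` bytes from the hex dump at lines[i:], skipping the ASCII column."""
    data = bytearray()
    while len(data) < count and i < len(lines):
        want = min(16, count - len(data))          # 16 bytes per dump line
        data += bytes(int(tok, 16) for tok in lines[i].split()[:want])
        i += 1
    return bytes(data), i


def verdict(a):
    if not a["sent"]:
        return "rejected by OpenSC before transmission" if a["rc"] else "no VERIFY seen"
    if a["sw"] == "9000":
        return "accepted by card"
    if a["sw"] and a["sw"].startswith("63"):
        return "rejected by card"
    return "unexpected status"


def triage(log_text):
    """Return one record per PIN verification attempt found in the log.

    Only P2 and Lc are kept from each VERIFY; the PIN bytes are never stored.
    """
    lines = log_text.splitlines()
    attempts, cur, i = [], None, 0

    def fresh():
        return {"sent": False, "p2": None, "lc": None, "sw": None, "rc": None}

    def close():
        nonlocal cur
        if cur is not None:
            cur["verdict"] = verdict(cur)
            attempts.append(cur)
        cur = None

    while i < len(lines):
        line = lines[i]
        i += 1
        hdr = HDR.match(line)
        if hdr and hdr.group(1) == "sc_pin_cmd":
            ret = RET.search(hdr.group(2))
            if ret is None:                  # "called": a new attempt starts
                close()
                cur = fresh()
            else:                            # "returning with: N (...)"
                cur = cur or fresh()
                cur["rc"] = int(ret.group(1))
                close()
            continue
        dump = DUMP.match(line)
        if dump is None:
            continue
        data, i = read_dump(lines, i, int(dump.group(2)))
        if dump.group(1) == "Outgoing":
            if len(data) >= 5 and data[1] == 0x20:       # INS 0x20 = VERIFY
                if cur is not None and cur["sent"]:
                    close()
                cur = cur or fresh()
                cur.update(sent=True, p2=data[3], lc=data[4])
        elif cur is not None and cur["sent"] and cur["sw"] is None and len(data) >= 2:
            cur["sw"] = data[-2:].hex().upper()          # trailing SW1 SW2
    close()
    return attempts
```

The VERIFY data field carries the PIN in clear, which is why the function keeps only P2 and Lc; the same care applies to any -vvv log excerpt that is shared.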


Re: opensc-explorer, PIN length 10 / sequel

Viktor Tarasov-3
In reply to this post by Johannes Becker-5
Hello,

On 26/07/2013 14:17, Johannes Becker wrote:

> Finally I found time to produce log files for the following problem:
>
> chipcard CardOS V4.3B
> OpenSC 0.13.0
>
> opensc-explorer fails to verify the PIN:
>
> $ opensc-explorer
> OpenSC Explorer version 0.13.0
> Using reader with a card: Dell Dell Smart Card Reader Keyboard 00 00
> OpenSC [3F00]> cd 5015
> OpenSC [3F00/5015]> verify CHV129 32:33:34:35:36:37:FF:FF:FF:FF
> Unable to verify PIN code: Invalid arguments
> OpenSC [3F00/5015]> verify CHV129 32:33:34:35:36:37:FF:FF
> Incorrect code.
> OpenSC [3F00/5015]> exit
>
> On the other hand pkcs15-tool has no problems with the command
>
> pkcs15-tool --change-pin --pin 234567 --new-pin 234567
>
> The log files are
>
> http://www.uni-giessen.de/~g013/opensc/opensc-explorer.log
> http://www.uni-giessen.de/~g013/opensc/pkcs15-tool.log
>
> Below the output of pkcs15-tool --dump

As it is currently implemented in opensc-explorer,
you cannot use the 'verify' command to verify a CardOS PIN with a length other than 8 bytes.
At the low (card driver) level, when there is no info about the PIN max/min, the padding length is set to 8.

The card itself does not support (afaik) the 'get-pin-info' facility and the only way to get this info is the PKCS#15 data.
That's why it works when the PIN is verified in PKCS#15 context.
'Opensc-explorer' is the low level tool, and it does not parse the on-card PKCS#15 data.

In opensc-explorer I suggest that you do not use the 'verify' command but the direct 'apdu' one,
so that you bypass the formatting of the PIN data by the cardos driver.

vtarasov@sequoia:~/projects/sc/github/viktorTarasov-OpenSC$ ./build/bin/opensc-explorer
OpenSC Explorer version 0.13.0
Using reader with a card: OmniKey CardMan 3121 01 00
OpenSC [3F00]> cd 5015
OpenSC [3F00/5015]> apdu 00 20 00 83 0A 39 39 39 39 00 00 00 00 00 00
Sending: 00 20 00 83 0A 39 39 39 39 00 00 00 00 00 00
Received (SW1=0x90, SW2=0x00)
Success!
OpenSC [3F00/5015]>

 
>
> Regards
>
> Johannes
>

Kind wishes,
Viktor.



Re: opensc-explorer, PIN length 10 / sequel

Johannes Becker-5

Hello,

 

On Saturday, 03 August 2013, Viktor Tarasov <[hidden email]> wrote:

> In opensc-explorer I suggest that you do not use the 'verify' command but the direct 'apdu' one.

Thanks, that works!
I could log in and I could overwrite a certificate.

Now there's a new problem. I cannot delete the certificate from the card
and therefore I cannot set a new certificate length.

This is what happens:

OpenSC Explorer version 0.13.0
Using reader with a card: KOBIL KAAN Advanced (E_043208292) 02 00
OpenSC [3F00]> cd 5015
OpenSC [3F00/5015]> cd 4304
OpenSC [3F00/5015/4304]> apdu 00 20 00 81 0A 32 33 34 35 36 37 FF FF FF FF
Sending: 00 20 00 81 0A 32 33 34 35 36 37 FF FF FF FF
Received (SW1=0x90, SW2=0x00)
Success!
OpenSC [3F00/5015/4304]> rm 4302
DELETE FILE failed: Unsupported INS byte in APDU

I put the log for this to
http://www.uni-giessen.de/~g013/opensc/remove-fails.log

@Ludovic:
Unfortunately I don't know how to debug in sec.c.

 

Kind regards

Johannes
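
What the PKCS#15 layer does for the caller and opensc-explorer's 'verify' does not, as described in the two messages above: derive the VERIFY data field from the PIN object's stored length and pad character, and check a hand-written APDU against them. This is an added example, not part of any post and not OpenSC code; the function names are hypothetical, and the PIN block is the one from the pkcs15-tool --dump output quoted in this thread.

```python
import re

# PIN object as printed by `pkcs15-tool --dump` in this thread.
PIN_BLOCK = """\
PIN [User Pin]
Object Flags : [0x3], private, modifiable
Auth ID : 02
ID : 01
Flags : [0x133], case-sensitive, local, initialized, needs-padding, disable_allowed
Length : min_len:4, max_len:10, stored_len:10
Pad char : 0xFF
Reference : 129 (0x81)
Type : ascii-numeric
Path : 3f005015
"""


def parse_pin_object(text):
    """Extract the attributes that decide how the VERIFY data field is laid out."""
    def field(name):
        m = re.search(r"^\s*%s\s*:\s*(.*)$" % re.escape(name), text, re.M)
        if m is None:
            raise ValueError("missing field: " + name)
        return m.group(1).strip()

    lengths = dict(kv.split(":") for kv in field("Length").replace(" ", "").split(","))
    return {
        "min_len": int(lengths["min_len"]),
        "max_len": int(lengths["max_len"]),
        "stored_len": int(lengths["stored_len"]),
        "pad_char": int(field("Pad char"), 16),
        "reference": int(field("Reference").split()[0]),
        "needs_padding": "needs-padding" in field("Flags"),
        "numeric": field("Type") == "ascii-numeric",
        "path": field("Path"),
    }


def build_verify_apdu(pin, info, pad_to=None):
    """ISO 7816-4 VERIFY (CLA 00, INS 20, P1 00, P2 = PIN reference) for an ASCII PIN.

    pad_to overrides the PKCS#15 stored length, e.g. 8 to reproduce the
    card-driver default described in the thread.
    """
    if info["numeric"] and not (pin.isascii() and pin.isdigit()):
        raise ValueError("PIN type is ascii-numeric")
    if not info["min_len"] <= len(pin) <= info["max_len"]:
        raise ValueError("PIN length outside min_len..max_len")
    data = pin.encode("ascii")
    if info["needs_padding"]:
        width = info["stored_len"] if pad_to is None else pad_to
        if len(data) > width:
            raise ValueError("PIN longer than the padded field")
        data = data.ljust(width, bytes([info["pad_char"]]))
    return bytes([0x00, 0x20, 0x00, info["reference"], len(data)]) + data


def check_verify_apdu(apdu, info):
    """List the ways a VERIFY APDU disagrees with the PKCS#15 PIN attributes."""
    if len(apdu) < 5 or apdu[:3] != b"\x00\x20\x00" or len(apdu) != 5 + apdu[4]:
        return ["not a well-formed short VERIFY APDU"]
    problems, data = [], apdu[5:]
    if apdu[3] != info["reference"]:
        problems.append("P2 %02X is not PIN reference %02X" % (apdu[3], info["reference"]))
    if info["needs_padding"] and len(data) != info["stored_len"]:
        problems.append("Lc is %d, stored_len is %d" % (len(data), info["stored_len"]))
    body = data.rstrip(bytes([info["pad_char"]]))
    if info["numeric"] and not body.isdigit():
        problems.append("data is not digits followed by pad char %02X" % info["pad_char"])
    return problems


def explorer_session(apdu, info):
    """opensc-explorer lines: select each DF below the MF (3F00), then send the raw APDU."""
    path = info["path"].upper()
    file_ids = [path[i:i + 4] for i in range(0, len(path), 4)]
    if file_ids and file_ids[0] == "3F00":     # opensc-explorer starts in 3F00
        file_ids = file_ids[1:]
    return ["cd " + fid for fid in file_ids] + [
        "apdu " + " ".join("%02X" % b for b in apdu)
    ]
```

Running check_verify_apdu on a hand-written APDU before sending it is worthwhile because the card treats a wrongly padded PIN as a wrong PIN, which is the 63 00 answer seen earlier in the thread.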

 



Re: opensc-explorer, PIN length 10 / sequel

Viktor Tarasov-3
Strange. I don't sufficiently know this card.
I have no problems of this kind with the one that I have -- also CardOS 4.3b.

Is it formatted with OpenSC?

Question aside,
why do you manually erase the certificate file? After that you will also need to manually update the PKCS#15 CDF data?
Would it be better for you to use the pkcs15-init tool? It knows what to do with these data.



 


On Mon, Aug 5, 2013 at 1:07 PM, Johannes Becker <[hidden email]> wrote:

Hello,

 

Am Samstag 03 August 2013 schrieb Viktor Tarasov <[hidden email]>:

 

> In opensc-explorer I propose you to not use the 'verify' command but direct 'apdu' one.

 

Thanks, that works!

I could log in and I could overwrite a certificate.

 

Now there's a new problem. I cannot delete the certificate from the card

and therefore I cannot set a new certificate length.

 

This is what happens:

 

OpenSC Explorer version 0.13.0

Using reader with a card: KOBIL KAAN Advanced (E_043208292) 02 00

OpenSC [3F00]> cd 5015

OpenSC [3F00/5015]> cd 4304

OpenSC [3F00/5015/4304]> apdu 00 20 00 81 0A 32 33 34 35 36 37 FF FF FF FF

Sending: 00 20 00 81 0A 32 33 34 35 36 37 FF FF FF FF

Received (SW1=0x90, SW2=0x00)

Success!

OpenSC [3F00/5015/4304]> rm 4302

DELETE FILE failed: Unsupported INS byte in APDU

 

I put the log for this at

http://www.uni-giessen.de/~g013/opensc/remove-fails.log

 

@Ludovic:

Unfortunately I don't know how to debug in sec.c .

 

Kind regards

Johannes

 



Re: opensc-explorer, PIN length 10 / sequel

Johannes Becker-5

On Tuesday, 6 August 2013, Viktor Tarasov wrote:

> Strange. I don't know this card sufficiently.

> I have no problems of this kind with the one that I have -- also CardOS 4.3b.

>

> Is it formatted with OpenSC?

 

No, it's formatted by cryptovision.

I have a log of cryptovision's scManager replacing the certificate:

http://www.uni-giessen.de/~g013/opensc/scMan-Import-Cert.txt

 

There you have the line

00000050 APDU: 00 E4 00 00 02 43 02

which - I presume - deletes the file 4302.

 

If I try to send this apdu with opensc-explorer, I again get the INS-error:

$ opensc-explorer

OpenSC Explorer version 0.13.0

Using reader with a card: Dell Dell Smart Card Reader Keyboard 00 00

OpenSC [3F00]> cd 5015

OpenSC [3F00/5015]> cd 4304

OpenSC [3F00/5015/4304]> apdu 00 20 00 81 0A 32 33 34 35 36 37 FF FF FF FF

Sending: 00 20 00 81 0A 32 33 34 35 36 37 FF FF FF FF

Received (SW1=0x90, SW2=0x00)

Success!

OpenSC [3F00/5015/4304]> apdu 00 E4 00 00 02 43 02

Sending: 00 E4 00 00 02 43 02

Received (SW1=0x6D, SW2=0x00)

Failure: Unsupported INS byte in APDU

 

 

 

> Question aside,

> why do you manually erase the certificate file? After that you will need to

> update the PKCS#15 CDF data, also manually?

> Would it be better for you to use the pkcs15-init tool? It knows what to do

> with these data.

>

 

There the PIN is not accepted:

 

$ pkcs15-init --pin 234567 --id 46 --update-certificate Testperson1117-46.pem

Using reader with a card: Dell Dell Smart Card Reader Keyboard 00 00

Failed to store data object: PIN code or key incorrect

 

I suppose this is because the maximal PIN length is 10.

 

Kind regards

Johannes

 

 



Re: opensc-explorer, PIN length 10 / sequel

Andreas Schwier (ML)
With CardOS you always need to switch to ADMINISTRATIVE mode before you
can delete or create files:

Try issuing a

80 10 00 00

before the delete.

And btw: If the card has been personalized using cryptovision's
scManager, then there is no guarantee that the PKCS15 structure is
compatible with OpenSC. Reading a CV PKCS15 structure might work with
OpenSC, but updates to the PKCS15 structure and then reading it again
with the CV middleware will most likely fail.

Andreas Schwier


On 08/06/2013 11:52 AM, Johannes Becker wrote:

> On Tuesday, 6 August 2013, Viktor Tarasov wrote:
>> Strange. I don't know this card sufficiently.
>> I have no problems of this kind with the one that I have -- also CardOS 4.3b.
>>
>> Is it formatted with OpenSC?
>
> No, it's formatted by cryptovision.
> I have a log of cryptovision's scManager replacing the certificate:
> http://www.uni-giessen.de/~g013/opensc/scMan-Import-Cert.txt
>
> There you have the line
>  00000050 APDU: 00 E4 00 00 02 43 02
> which - I presume - deletes the file 4302.
>
> If I try to send this apdu with opensc-explorer, I again get the INS-error:
>   $ opensc-explorer
>  OpenSC Explorer version 0.13.0
>  Using reader with a card: Dell Dell Smart Card Reader Keyboard 00 00
>  OpenSC [3F00]> cd 5015
>  OpenSC [3F00/5015]> cd 4304
>  OpenSC [3F00/5015/4304]> apdu 00 20 00 81 0A 32 33 34 35 36 37 FF FF FF FF
>  Sending: 00 20 00 81 0A 32 33 34 35 36 37 FF FF FF FF
>  Received (SW1=0x90, SW2=0x00)
>  Success!
>  OpenSC [3F00/5015/4304]> apdu  00 E4 00 00 02 43 02
>  Sending: 00 E4 00 00 02 43 02
>  Received (SW1=0x6D, SW2=0x00)
>  Failure: Unsupported INS byte in APDU
>
>
>
>> Question aside,
>> why do you manually erase the certificate file? After that you will need to
>> update the PKCS#15 CDF data, also manually?
>> Would it be better for you to use the pkcs15-init tool? It knows what to do
>> with these data.
>>
>
> There the PIN is not accepted:
>
> $ pkcs15-init --pin 234567 --id 46 --update-certificate  Testperson1117-46.pem
> Using reader with a card: Dell Dell Smart Card Reader Keyboard 00 00
> Failed to store data object: PIN code or key incorrect
>
> I suppose this is because the maximal PIN length is 10.
>
> Kind regards
>   Johannes
>
>
>
>

Re: opensc-explorer, PIN length 10 / sequel

Johannes Becker-5
On Tuesday, 6 August 2013, Andreas Schwier <[hidden email]> wrote:
> With CardOS you always need to switch to ADMINISTRATIVE mode before you
> can delete or create files:
>
> Try issuing a
>
> 80 10 00 00
>
> before the delete.

That works. Thank you very much!


> And btw: If the card has been personalized using cryptovision's
> scManager, then there is no guarantee that the PKCS15 structure is
> compatible with OpenSC. Reading a CV PKCS15 structure might work with
> OpenSC, but updates to the PKCS15 structure and then reading it again
> with the CV middleware will most likely fail.

Yes. But it seems that after a certificate update you can go on using the card
with opensc. I hope there are no more traps...


Regards
 Johannes
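
The padded VERIFY command that succeeds in this thread can be derived from the PIN attributes pkcs15-tool reports (reference 0x81, stored_len 10, pad char 0xFF). The following is an added example, not code from OpenSC or from any poster; the function names are hypothetical, the status-word meanings come from ISO/IEC 7816-4, and sending 80 10 00 00 after the VERIFY rather than before it is an assumption.

```python
# Added illustration: helper names are hypothetical, not OpenSC APIs.

# Status words per ISO/IEC 7816-4 (90 00 and 6D 00 appear in the thread).
SW_MEANINGS = {
    (0x90, 0x00): "success",
    (0x6D, 0x00): "INS not supported",
    (0x69, 0x82): "security status not satisfied",
    (0x69, 0x83): "authentication method blocked",
}


def build_verify_apdu(pin, reference, stored_len, pad_char=0xFF, min_len=4):
    """Build an ISO 7816-4 VERIFY (INS 0x20) with the PIN padded to stored_len."""
    if not (pin.isascii() and pin.isdigit()):  # Type: ascii-numeric
        raise ValueError("PIN must consist of ASCII digits")
    if not min_len <= len(pin) <= stored_len:
        raise ValueError("PIN length outside min_len..stored_len")
    if not (0 <= reference <= 0xFF and 0 <= pad_char <= 0xFF):
        raise ValueError("reference and pad_char must each fit in one byte")
    data = pin.encode("ascii") + bytes([pad_char]) * (stored_len - len(pin))
    return bytes([0x00, 0x20, 0x00, reference, len(data)]) + data


def explorer_line(apdu):
    """Format raw bytes as an opensc-explorer 'apdu' command line."""
    return "apdu " + " ".join(f"{b:02X}" for b in apdu)


def describe_sw(sw1, sw2):
    """Translate a status word; 63 Cx carries the remaining retry count."""
    if sw1 == 0x63 and (sw2 & 0xF0) == 0xC0:
        return f"verification failed, {sw2 & 0x0F} tries left"
    return SW_MEANINGS.get((sw1, sw2), f"unknown status {sw1:02X} {sw2:02X}")


def delete_sequence(pin, file_id):
    """Commands from the thread; placing 80 10 00 00 after VERIFY is assumed."""
    if len(file_id) != 2:
        raise ValueError("file_id must be two bytes")
    return [
        explorer_line(build_verify_apdu(pin, 0x81, 10)),
        "apdu 80 10 00 00",  # as given in Andreas Schwier's reply
        explorer_line(bytes([0x00, 0xE4, 0x00, 0x00, 0x02]) + file_id),
    ]


if __name__ == "__main__":
    for line in delete_sequence("234567", bytes([0x43, 0x02])):
        print(line)
```

Each generated line carries the PIN in clear hex, so it should stay out of shell history and shared logs.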

