carblue / acos5

ACS ACOS5 Smart Card / CryptoMate64 / CryptoMate Nano: Driver and pkcs15init shared libraries for the OpenSC framework.
GNU Lesser General Public License v2.1

Problems with the driver #9

Closed Ctibor closed 3 weeks ago

Ctibor commented 2 years ago

Hi, thank you for your effort! I dug out my CryptoMate64 and tried to get it to work with your driver. I have successfully built it on Gentoo Linux and configured OpenSC v0.22.0 to use libacos5.so and libacos5_pkcs15.so. I have also initialized the card with your scripts card_initialization.scriptor and V2_00_TokenInfo_file_customization.scriptor.

The files are installed like this:

/usr/lib64/libacos5_pkcs15.so
/usr/lib64/libacos5.so
/usr/share/opensc/acos5_external.profile (along with other profiles provided by opensc itself)

opensc-tool -n shows:

Using reader with a card: ACS CryptoMate64 00 00
ACOS5-64 V2.00: Smart Card or CryptoMate64

So I think it should work with your driver, but I am unable to change the PIN or generate certificates on the card per your instructions.

When I try to change the user PIN with opensc-explorer I get "Unable to change PIN code: Invalid arguments". Using pkcs15-tool --change-pin allows me to enter the old and new PIN but ends with "PIN code change failed: Invalid arguments."

Opensc log while running opensc-explorer: opensc-debug.txt

Trying pkcs15-init --generate-key rsa/4096 --auth-id 01 --id 01 --label github_key --key-usage sign fails with malloc(): unaligned tcache chunk detected and SIGABRT

Opensc log while running pkcs15-init: opensc-debug.txt

I tried OpenSC v0.21.0 too, with the same results. Older versions are not available on my distro.

dmesg shows:

opensc-explorer[14473]: segfault at 7fde00000082 ip 00007fde00000082 sp 00007ffe289b5218 error 14 in locale-archive[7fdec4851000+6d4000]
pkcs15-init[17118]: segfault at 560ecb770 ip 00007f67662be348 sp 00007fffe9d75450 error 4 in libc-2.33.so[7f6766258000+148000]

carblue commented 1 month ago

Hello Ctibor, sorry for my late reply, I was absent here for years...

From my side, we could now figure out what happened. Meanwhile a lot of code changed (so we should start from the current code base), but, sadly, your input (both opensc-debug.txt) didn't help much in getting closer to the point of failure, and the second ends when it gets interesting. Both show that compiling, installing and configuring opensc.conf are all okay, and further, that you request from the driver: SC_CARDCTL_LIFECYCLE_SET. What does setting the life cycle have to do with changing a PIN? You might get an answer when digging into the code of the tool opensc-explorer. (Anyway, my driver never did nor will allow setting the life cycle! Calling acos5_card_ctl with command=4 == SC_CARDCTL_LIFECYCLE_SET will result in SC_ERROR_NOT_SUPPORTED.) The next problem: I don't know what exactly you entered in opensc-explorer. I did this:

OpenSC [3F00/4100]> pin_info CHV129
Logged out.
8 tries left.
OpenSC [3F00/4100]> verify CHV129
Please enter PIN: 12345678
Code correct.
OpenSC [3F00/4100]> change CHV129 12345678 23456789
Incorrect code, 8 tries left.
Unable to change PIN code: PIN code or key incorrect
OpenSC [3F00/4100]> change CHV129
Unable to change PIN code: Invalid arguments
OpenSC [3F00/4100]> exit

So, it looks like opensc-explorer is buggy, or I used it in a wrong way?

CHV129 is the User PIN in file 4101 (local PIN); CHV1 is the SO PIN in file 0001 (global PIN). Why 129 as PIN ref for the user? It's a local PIN for ACOS. You have written to file 4101 the content, in bytes hexadecimal:

C1 88 08 31 32 33 34 35 36 37 38 88 08 31 32 33 34 35 36 37 38

C1 says it's a valid PIN with id 01. For local, in conversion to a PIN ref, the most significant bit gets set: 0x80 + id 1 = hexadecimal 81 = 129 decimal (ref. man.: if MSb is set, use the CHV file under the currently selected DF, else use the CHV file under the MF). How do I know that? From the reference manual and inspecting OpenSC code. Where these subtleties get explained for users: I don't know.

Update: Users might deduce it from the output of 'opensc-tool -f' if they know which is the relevant CHV file:

3f0041004101 type: iEF, ef structure: linear-fixed, size: 21
read[NEVR] update[CHV129] erase[CHV1] write[CHV129] rehab[CHV1] inval[CHV1]

Using this changed my User PIN:

$ pkcs15-tool --change-pin --auth-id 01 --pin 12345678 --new-pin 23456789
Using reader with a card: ACS CryptoMate64 00 00
Connecting to card in reader ACS CryptoMate64 00 00...
Using card driver 'acos5_external', supporting ACOS5 Smart Card V2.00 (CryptoMate64), V3.00 (CryptoMate Nano), EVO V4.X0 (CryptoMate EVO).
$ pkcs15-tool --change-pin --auth-id 01 --pin 23456789 --new-pin 12345678
Using reader with a card: ACS CryptoMate64 00 00
Connecting to card in reader ACS CryptoMate64 00 00...
Using card driver 'acos5_external', supporting ACOS5 Smart Card V2.00 (CryptoMate64), V3.00 (CryptoMate Nano), EVO V4.X0 (CryptoMate EVO).
$

Before reassigning my original user PIN I did check that it was changed to the new, temporary value 23456789! --auth-id 02 will let you change the SO PIN.

If you are still there, then we can go through the remaining: generating an RSA key pair works for me; my exact command:

$ pkcs15-init --generate-key rsa/4096 --auth-id 01 --id 09 --label github_key2 --key-usage sign
Using reader with a card: ACS CryptoMate64 00 00
Connecting to card in reader ACS CryptoMate64 00 00...
Using card driver 'acos5_external', supporting ACOS5 Smart Card V2.00 (CryptoMate64), V3.00 (CryptoMate Nano), EVO V4.X0 (CryptoMate EVO).
User PIN [User] required.
Please enter User PIN [User]: 12345678
$
$ pkcs15-tool --read-ssh-key 09
Using reader with a card: ACS CryptoMate64 00 00
Connecting to card in reader ACS CryptoMate64 00 00...
Using card driver 'acos5_external', supporting ACOS5 Smart Card V2.00 (CryptoMate64), V3.00 (CryptoMate Nano), EVO V4.X0 (CryptoMate EVO).
ssh-rsa … github_key2
$

(I gave no instructions about generating a certificate on card. Years ago I generated a certificate for a key on card with an openssl tool (look at carblue/acos5/info/howto/HOWTO_Create_Your_own_CA_root_hierarchy_on_Linux) and then imported that PEM-formatted certificate to the card, but forgot how I did that. Maybe there is work left for me to do.)

Well, to summarize, IMHO your issue title should better read: "Problems with using OpenSC tools". And you get a thumbs up from me for that title at the correct address: I'm still fiddling with ECC named-curve details for something like this for the EVO card:

$ pkcs15-init --generate-key ec/nistp521 --auth-id 01 --id 0A --label github_key3 --key-usage sign

You can reopen this whenever you like, but I tend to close after some time of no reaction.
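The CHV129 / CHV1 naming that carblue explains above (a local PIN gets the MSb of its reference set, so id 01 in file 4101 becomes 0x81 = 129, while the global id 01 in file 0001 stays CHV1) is easy to get wrong when reading `opensc-tool -f` output. The following is an added example, not code from carblue/acos5 or from OpenSC: it derives and splits pin references by that rule, decodes the 21-byte record dumped in the issue, and parses the quoted ACL line so you can see which PIN (local or global, which id) protects each operation on a file. The sample record and ACL string are taken from the comment above; the record layout after the first byte (`<counter> <length> <PIN bytes>`, repeated), the id living in the low nibble of the flag byte, and the nibble split of the counter byte are assumptions of this example, not facts stated on the page.

```python
import re
from dataclasses import dataclass

# Page-supported facts: MSb of a pin reference selects the CHV file under the
# currently selected DF (local); bit 7 of the record's first byte marks a valid PIN.
LOCAL_REF_FLAG = 0x80
VALID_FLAG = 0x80

# Constructed from the hex dump quoted in the issue (file 3F00/4100/4101, 21 bytes).
SAMPLE_RECORD = bytes.fromhex("C1 88 08 31 32 33 34 35 36 37 38 88 08 31 32 33 34 35 36 37 38")
# Constructed from the 'opensc-tool -f' ACL line quoted in the issue.
SAMPLE_ACL = "read[NEVR] update[CHV129] erase[CHV1] write[CHV129] rehab[CHV1] inval[CHV1]"


def pin_ref(pin_id: int, local: bool) -> int:
    """Card-level pin reference: id with MSb set for a local (DF-level) CHV file."""
    if not 1 <= pin_id < LOCAL_REF_FLAG:
        raise ValueError(f"pin id out of range: {pin_id}")
    return (LOCAL_REF_FLAG | pin_id) if local else pin_id


def split_ref(ref: int) -> tuple:
    """Inverse of pin_ref: (id, is_local)."""
    return ref & (LOCAL_REF_FLAG - 1), bool(ref & LOCAL_REF_FLAG)


def chv_name(ref: int) -> str:
    """Name opensc-explorer / opensc-tool -f print for a reference (CHV129, CHV1, ...)."""
    return f"CHV{ref}"


@dataclass
class PinEntry:
    max_tries: int    # assumption: high nibble of the counter byte
    tries_left: int   # assumption: low nibble (0x88 -> 8, consistent with "8 tries left")
    value: bytes      # PIN bytes as stored (ASCII digits in the sample)


@dataclass
class ChvRecord:
    valid: bool
    pin_id: int
    entries: list


def parse_chv_record(rec: bytes) -> ChvRecord:
    """Decode one linear-fixed record of an ACOS5 CHV file.

    Layout assumed from the sample: flag byte, then one or more
    <counter><length><PIN bytes> entries. The issue only states that 0xC1
    means "valid PIN with id 01"; the role of the second entry is not given.
    """
    if not rec:
        raise ValueError("empty record")
    flags = rec[0]
    valid = bool(flags & VALID_FLAG)
    pin_id = flags & 0x0F   # assumption: id in the low nibble (0xC1 -> 1)
    entries = []
    pos = 1
    while pos < len(rec):
        if pos + 2 > len(rec):
            raise ValueError("truncated entry header")
        counter, length = rec[pos], rec[pos + 1]
        pos += 2
        if pos + length > len(rec):
            raise ValueError("PIN length exceeds record")
        entries.append(PinEntry(counter >> 4, counter & 0x0F, rec[pos:pos + length]))
        pos += length
    return ChvRecord(valid, pin_id, entries)


_ACL_RE = re.compile(r"(\w+)\[(\w+)\]")


def parse_acl(line: str) -> dict:
    """Map each operation in an 'opensc-tool -f' ACL string to its raw condition."""
    return {op: cond for op, cond in _ACL_RE.findall(line)}


def pin_for_op(acl: dict, op: str) -> tuple:
    """(id, is_local) of the CHV guarding an operation; raises if it is not PIN-protected."""
    cond = acl[op]
    if not cond.startswith("CHV"):
        raise ValueError(f"{op} is not guarded by a CHV: {cond}")
    return split_ref(int(cond[3:]))


def record_matches_ref(rec: ChvRecord, ref: int) -> bool:
    """Does a record in the currently selected DF's CHV file satisfy a local reference?"""
    pin_id, local = split_ref(ref)
    return local and rec.valid and rec.pin_id == pin_id


if __name__ == "__main__":
    acl = parse_acl(SAMPLE_ACL)
    rec = parse_chv_record(SAMPLE_RECORD)
    for op in ("update", "erase"):
        pid, local = pin_for_op(acl, op)
        print(f"{op}: {acl[op]} -> id {pid:02X}, {'local' if local else 'global'}")
    print("4101 record satisfies CHV129:", record_matches_ref(rec, pin_ref(1, True)))
```

Run against the sample, `update` resolves to id 01 local and `erase` to id 01 global, which is exactly the user PIN / SO PIN split described in the comment; the record check confirms that the 0xC1 record in 4101 is the one CHV129 refers to.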