Problems with the driver #9

Closed
Ctibor opened this issue Nov 20, 2021 · 1 comment

Ctibor commented Nov 20, 2021

Hi,
thank you for your effort! I dug out my CryptoMate64 and tried to get it to work with your driver. I have successfully built it on Gentoo Linux and configured opensc v0.22.0 to use libacos5.so and libacos5_pkcs15.so. I have also initialized the card with your scripts card_initialization.scriptor and V2_00_TokenInfo_file_customization.scriptor.

The files are installed like this:

/usr/lib64/libacos5_pkcs15.so
/usr/lib64/libacos5.so
/usr/share/opensc/acos5_external.profile (along with other profiles provided by opensc itself)

opensc-tool -n shows:

Using reader with a card: ACS CryptoMate64 00 00
ACOS5-64 V2.00: Smart Card or CryptoMate64

So I think it should work with your driver, but I am unable to change the pin or generate certificates on the card per your instructions.

When I try to change the user PIN with opensc-explorer I get "Unable to change PIN code: Invalid arguments"
Using pkcs15-tool --change-pin allows me to enter old and new PIN but ends with "PIN code change failed: Invalid arguments."

Opensc log while running opensc-explorer: opensc-debug.txt

Trying pkcs15-init --generate-key rsa/4096 --auth-id 01 --id 01 --label github_key --key-usage sign
fails with malloc(): unaligned tcache chunk detected and SIGABRT

Opensc log while running pkcs15-init: opensc-debug.txt

I tried opensc v0.21.0 too with the same results. Older versions are not available on my distro.

dmesg shows:
opensc-explorer[14473]: segfault at 7fde00000082 ip 00007fde00000082 sp 00007ffe289b5218 error 14 in locale-archive[7fdec4851000+6d4000]
pkcs15-init[17118]: segfault at 560ecb770 ip 00007f67662be348 sp 00007fffe9d75450 error 4 in libc-2.33.so[7f6766258000+148000]

carblue (Owner) commented Jun 28, 2024

Hello Ctibor,
sorry for my late reply, I was absent here for years...

From my side, we could figure out now, what happened.
Meanwhile a lot of code changed - so we should start from the current code base -, but, sadly, Your input (both opensc-debug.txt) didn't help much getting closer to the point of failure, and the second ends, when it gets interesting.
Both show, that compiling, installing, configuring opensc.conf all is okay, and further, that You request from the driver: SC_CARDCTL_LIFECYCLE_SET. What does setting the life cycle have to do with changing a pin? You might get an answer when digging into the code of the tool opensc-explorer. (Anyway, my driver never did nor will allow setting the life cycle! (calling acos5_card_ctl with command=4 == SC_CARDCTL_LIFECYCLE_SET) It will result in SC_ERROR_NOT_SUPPORTED.)
The next problem: I don't know what exactly You entered in opensc-explorer. I did this:

OpenSC [3F00/4100]> pin_info CHV129
Logged out.
8 tries left.
OpenSC [3F00/4100]> verify CHV129
Please enter PIN: 12345678
Code correct.
OpenSC [3F00/4100]> change CHV129 12345678 23456789
Incorrect code, 8 tries left.
Unable to change PIN code: PIN code or key incorrect
OpenSC [3F00/4100]> change CHV129
Unable to change PIN code: Invalid arguments
OpenSC [3F00/4100]> exit

So, it looks like opensc-explorer is buggy or I used it in a wrong way?
CHV129 is the User Pin in file 4101 (local pin)
CHV1 is the SO Pin in file 0001 (global pin)
Why 129 as pin-ref for the user? It's a local pin for acos
You have written to file 4101 the content in bytes hexadecimal:
C1 88 08 31 32 33 34 35 36 37 38 88 08 31 32 33 34 35 36 37 38
C1 says it's a valid pin with id 01. For local, in conversion to a pin-ref, the most significant bit gets set: 0x80 + id 1 = hexadecimal 81 = 129 decimal. (ref. man.: If MSb is set, use the CHV file under the currently selected DF, else use the CHV file under the MF). How do I know that? From the reference manual and inspecting OpenSC code.
Where these subtleties get explained for users: I don't know.
Update: Users might deduce it from output of 'opensc-tool -f' if they know, which is the relevant CHV file:
3f0041004101 type: iEF, ef structure: linear-fixed, size: 21
read[NEVR] update[CHV129] erase[CHV1] write[CHV129] rehab[CHV1] inval[CHV1]

Using this changed my User pin:
$ pkcs15-tool --change-pin --auth-id 01 --pin 12345678 --new-pin 23456789
Using reader with a card: ACS CryptoMate64 00 00
Connecting to card in reader ACS CryptoMate64 00 00...
Using card driver 'acos5_external', supporting ACOS5 Smart Card V2.00 (CryptoMate64), V3.00 (CryptoMate Nano), EVO V4.X0 (CryptoMate EVO).
$ pkcs15-tool --change-pin --auth-id 01 --pin 23456789 --new-pin 12345678
Using reader with a card: ACS CryptoMate64 00 00
Connecting to card in reader ACS CryptoMate64 00 00...
Using card driver 'acos5_external', supporting ACOS5 Smart Card V2.00 (CryptoMate64), V3.00 (CryptoMate Nano), EVO V4.X0 (CryptoMate EVO).
$
Before reassigning my original user pin I did check that it was changed to the new, temporary value 23456789 !
--auth-id 02 will let You change the SO Pin

If You are still there, then we can go through the remaining:
Generate an RSA key pair, it works for me, my exact command:
$ pkcs15-init --generate-key rsa/4096 --auth-id 01 --id 09 --label github_key2 --key-usage sign
Using reader with a card: ACS CryptoMate64 00 00
Connecting to card in reader ACS CryptoMate64 00 00...
Using card driver 'acos5_external', supporting ACOS5 Smart Card V2.00 (CryptoMate64), V3.00 (CryptoMate Nano), EVO V4.X0 (CryptoMate EVO).
User PIN [User] required.
Please enter User PIN [User]: 12345678
$
$ pkcs15-tool --read-ssh-key 09
Using reader with a card: ACS CryptoMate64 00 00
Connecting to card in reader ACS CryptoMate64 00 00...
Using card driver 'acos5_external', supporting ACOS5 Smart Card V2.00 (CryptoMate64), V3.00 (CryptoMate Nano), EVO V4.X0 (CryptoMate EVO).
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAD60cyXbVeb7AlF+md2goXkWo5fFMvdoSj21P3O8aQOqVTxZ2/YerSvyth9BJxNzlxbstaFf3kpmcmpVrjCRstnduVsmQcq7wtNIpNARTqvqJAKtq8oSPLys+6mBGIV4qwVdIaXYraaNCcjDSPGd/87g5fSwILZwFU8LLbyQy99Lr/AVjNb56caiazLMfHnTUrJaLJJwA+3JOjDWQIK9RZt4ENbUrOjGm6s7KzvzmIFaBBRkxSwh85rJeLYbJKX4qvMhiuLXeXRNBxwa+iPgl2PTxCR1hy9cr8OVhs++3eMDx6VAxJiGQ7X2EGv2sBWxkMRcJvzB9Y85zjddtcFB0AdHq10LW90LiPzw5m5yoNVexTZri9mgLNys1bAz1Q5/kammOH3focrNwM4jOTzyT4XHOQX8ttt5OKRGM4BWo047dj8RiG9ZAUsYCyPUz8LFXsotzsh23ntEkTS2+J+iD9YI7LQf1lsBHRmTQv3RUqr6Xofi6fO1tPrVepi3TwCzYyH+/dRChWMHSFNXDgIeOKwOLwny74ExCjV6vQxxaDatiMDxXCxrEolSIfDmZUhTWyKWWjYaSGb0lyxQyLXKbsfisZ9qWVj2IYDSI2LBSw1LVhjCY274CbpKsZlzuhhQQO3ryJP0YTJuoYdYoa6FmFc0be75sPmgDFLF3N/bTDx7 github_key2
$
(I gave no instructions about generating a certificate on card. Years ago I generated a certificate for a key on card with an openssl tool (look at carblue/acos5/info/howto/HOWTO_Create_Your_own_CA_root_hierarchy_on_Linux) and then imported that PEM-formatted certificate to the card, but forgot how I did that. Maybe there is work left for me to do.)

Well, to summarize, IMHO Your issue title should better read: Problems with using OpenSC tools.
And You get a thumbs up from me for that title at the correct address:
I'm still fiddling with ECC named curve details for something like this for the EVO card:
$ pkcs15-init --generate-key ec/nistp521 --auth-id 01 --id 0A --label github_key3 --key-usage sign

You can reopen this whenever You like, but I tend to close after some time of no reaction

@carblue carblue closed this as completed Jul 13, 2024
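
The pin-reference rule explained in the reply above (MSb set means the CHV file under the currently selected DF, so local id 1 becomes 0x81 = 129), as an added example that is not part of the original thread or of the driver's code. The function names `pin_ref`, `decode_pin_ref` and `decode_acl` are hypothetical, the sample ACL line is the `opensc-tool -f` output quoted in the thread, and treating the low 7 bits as the pin id is an assumption drawn from the "0x80 + id" description.

```python
import re

LOCAL_FLAG = 0x80  # MSb set: use the CHV file under the currently selected DF

def pin_ref(pin_id, local):
    """Return the number opensc-explorer expects after 'CHV' for this pin."""
    if not 1 <= pin_id < LOCAL_FLAG:
        raise ValueError("pin id must be 1..127 (assumed: low 7 bits)")
    return pin_id | (LOCAL_FLAG if local else 0)

def decode_pin_ref(ref):
    """Split a CHV reference into pin id and scope (local DF or global MF)."""
    if not 1 <= ref <= 0xFF or ref == LOCAL_FLAG:
        raise ValueError("not a usable one-byte pin reference: %r" % ref)
    scope = "local" if ref & LOCAL_FLAG else "global"
    return {"id": ref & (LOCAL_FLAG - 1), "scope": scope}

# One "op[CONDITION]" token, e.g. read[NEVR] or update[CHV129]
ACL_TOKEN = re.compile(r"(\w+)\[([A-Z]+)(\d*)\]")

def decode_acl(line):
    """Map each operation in an 'opensc-tool -f' ACL line to its condition."""
    result = {}
    for op, kind, number in ACL_TOKEN.findall(line):
        if kind == "CHV" and number:
            result[op] = decode_pin_ref(int(number))
        else:
            result[op] = kind  # keyword conditions such as NEVR stay as text
    return result

# ACL line for file 3f0041004101 as quoted in the thread
SAMPLE_ACL = ("read[NEVR] update[CHV129] erase[CHV1] "
              "write[CHV129] rehab[CHV1] inval[CHV1]")

if __name__ == "__main__":
    print("User pin (local id 1)  -> CHV%d" % pin_ref(1, local=True))
    print("SO pin   (global id 1) -> CHV%d" % pin_ref(1, local=False))
    for op, cond in decode_acl(SAMPLE_ACL).items():
        print("%-6s %s" % (op, cond))
```
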