kammi cazze wrote: >> From: Karsten Ohme <[EMAIL PROTECTED]> >> Reply-To: MUSCLE <[email protected]> >> To: MUSCLE <[email protected]> >> Subject: Re: [Muscle] muscleTool 2.1.0 & gpshell problem >> Date: Thu, 09 Feb 2006 01:52:09 +0100 >> >> kammi cazze wrote: >> > Hi Karsten, >> > >> >> From: Karsten Ohme <[EMAIL PROTECTED]> >> >> Reply-To: MUSCLE <[email protected]> >> >> To: MUSCLE <[email protected]> >> >> Subject: Re: [Muscle] muscleTool 2.1.0 & gpshell problem >> >> Date: Tue, 07 Feb 2006 21:53:17 +0100 >> >> >> >> kammi cazze wrote: >> >> > Hi, >> >> > >> >> > after some long vacation, i started to work on the smartcard stuff >> >> > again, but still have some problems with the tools :( >> >> > >> >> > I compile muscletool-2.1.0 succesfully, but if i run the program and >> >> ask >> >> > for tokens, the processor raise to 99% and stays there. >> >> > I tried the same with muscleTool-0.9.2, but didn't had that problem. >> >> >> >> This problem is fixed with the new release of pcsclite (and the >> >> contained libmusclecard). If you compile it with gcc3.3 it works. It >> >> seems GCC 4.0 does some stuff different then GCC 3.3. >> > >> > >> > I did compile with 3.4.4 so no 4.0 stuff. By the new release, do you >> > mean beta10 ? >> >> Yes the beta10 release. That the problem was something to do with the >> GCC 4.0 compiler is only a assumption. It was working before, so >> something must have changed maybe GCC 3.4.4 also has this new "feature", >> before I used GCC 3.3. > > > I installed beta10 and recompiled muscletool against it, but it still > gives me the same problem. Can i do something more to give more > information to trace the bug? I am no coder so if i should debug > something please explain me clearly what to do ;)
This should not happen. I have no glue, what's going on. At Ludovic and my Debian system it works. (Windows also) I guess it uses some wrong libraries in the linking step. Have you compiled pcsclite on your own? Important is the file libpcsclite.a and libmusclecard.a (The library needed for linking). It must be also up to date. If you complied pcsclite on your own it should. On my system I had the following problem: Usually the libpcsclite.so and libmusclecard.so is placed in /usr/lib (in Debian) but for some reason there were also versions under /usr/local/lib. I had to remove these file (libpcsclite.* and libmusclecard.*). This also applies to binary in /usr/local/bin. If you compile it (in SVN under svn://svn.debian.org/pcsclite/trunk/PCSC): Run ./configure with these switches: ./configure --prefix=/usr/lib --enable-usbdropdir=/usr/lib/pcsc/drivers --enable-debugatr --enable-muscledropdir=/usr/lib/pcsc/services --enable-musclecarddebug ./configure --help lists the available options. Other Unixes use /usr/local/lib, if you have another distribution, look what directory is more populated and replace all /usr/lib through /usr/local/lib. Karsten > >> >> > >> >> >> >> > >> >> > Another thing is with my GemXpresso Pro R3 cards. From the docs, the >> >> > card supports both gp211 and op2.0.1'. >> >> >> >> GemPlus use a key derivation scheme for getting the keys for mutual >> >> authentication. Don't repeat the script to often or you card will be >> >> locked!!!! You first must have the mother key and derive from their >> the >> >> keys ... >> >> >> >> This does not comply with the GlobalPlatform specification. >> >> >> >> Matheus Ribeiro fixed this problem. See the added diff, which you must >> >> apply and compile the result with the switch GEMPLUS enabled ... >> This is >> >> not contained in the SVN. You must do it on you own. >> >> >> >> Karsten >> > >> > >> > Will the Gemplus derivation scheme patch be applied to gpshell in the >> > future? Maybe with a config flag? >> >> Yes. >> >> > Another question, where can i get the master key? Does Gemplus have to >> > give it or is there a generic one available? >> >> Don't know. Maybe there is a master key for a each new card. Usually >> such a key is stored on a HSM (Hardware storage module) and the master >> key stays there. You only talk to this HSM give an identifier, the key >> diversification data, and get back the keys for your card. I do not have >> such a card. And I don't know how I can get such a card. Some >> manufacturers don't sell cards. I have not found a possibility to >> order it. >> >> > >> > I think both my cards are blocked now, but how can i be sure? If i try >> > to do a get_status to get the life-cycle, i get a 6985 response, >> command >> > not allowed. >> >> This is shit. You only have (had) 10 tries. You must execute a >> successful authentication in between. GemXpresso has the GemXpresso RAD >> III Kit for managing the card content. I have not found how to buy it. >> Usually something like this is very well-priced. Maybe the JCOP Tools >> from IBM for Eclipse can do it. But I hope it will be working with >> GPShell in a while. >> >> To get the life cycle you must have executed a successful authentication. >> >> > >> > I can do a get_data to get the CPLC data. >> >> This command does not need a secure channel (which is created with >> mutual authentication.) >> >> Karsten >> > >> > Regards, >> > >> > Pierre >> > >> >> > >> >> > I tried this script with gpshell 1.2, both with mode_211 and >> mode_201 >> >> > >> >> > mode_201 (mode_211) >> >> > enable_trace >> >> > establish_context >> >> > card_connect >> >> > select -AID a000000018434d >> >> > card_disconnect >> >> > release_context >> >> > >> >> > and got this back for both modes: >> >> > >> >> > mode_201 (mode_211) >> >> > enable_trace >> >> > establish_context >> >> > card_connect >> >> > select -AID a000000018434d >> >> > --> 00A4040007A000000018434D >> >> > <-- 6F188407A000000018434DA50D9F6E061291035633309F6501FF9000 >> >> > card_disconnect >> >> > release_context >> >> > >> >> > If i now want to use the next script, i get different responce back >> >> from >> >> > both modes, all failing :( >> >> > >> >> > mode_201 >> >> > enable_trace >> >> > establish_context >> >> > card_connect >> >> > select -AID a000000018434d >> >> > open_sc -security 1 -keyind 0 -keyver 0 -mac_key >> >> > 404142434445464748494a4b4c4d4e4f -enc_key >> >> > 404142434445464748494a4b4c4d4e4f // Open secure channel >> >> > get_status -element e0 >> >> > card_disconnect >> >> > release_context >> >> > >> >> > i get this back: >> >> > >> >> > mode_201 >> >> > enable_trace >> >> > establish_context >> >> > card_connect >> >> > select -AID a000000018434d >> >> > --> 00A4040007A000000018434D >> >> > <-- 6F188407A000000018434DA50D9F6E061291035633309F6501FF9000 >> >> > open_sc -security 1 -keyind 0 -keyver 0 -mac_key >> >> > 404142434445464748494a4b4c4d4e4f -enc_key >> >> > 404142434445464748494a4b4c4d4e4f // Open secure channel >> >> > --> 8050000008425A1BDDA8BC472300 >> >> > <-- 434D10159416191223C10D01C671894151329DA516BDD69A278053809000 >> >> > mutual_authentication() returns 0x80302000 (The verification of the >> >> card >> >> > cryptogram failed.) >> >> > >> >> > and for the 211 script: >> >> > >> >> > mode_211 >> >> > enable_trace >> >> > establish_context >> >> > card_connect >> >> > select -AID a000000018434d >> >> > open_sc -security 1 -keyind 0 -keyver 0 -mac_key >> >> > 404142434445464748494a4b4c4d4e4f -enc_key >> >> > 404142434445464748494a4b4c4d4e4f // Open secure channel >> >> > get_status -element 20 >> >> > card_disconnect >> >> > release_context >> >> > >> >> > i got this back: >> >> > >> >> > mode_211 >> >> > enable_trace >> >> > establish_context >> >> > card_connect >> >> > select -AID a000000018434d >> >> > --> 00A4040007A000000018434D >> >> > <-- 6F188407A000000018434DA50D9F6E061291035633309F6501FF9000 >> >> > open_sc -security 1 -keyind 0 -keyver 0 -mac_key >> >> > 404142434445464748494a4b4c4d4e4f -enc_key >> >> > 404142434445464748494a4b4c4d4e4f // Open secure channel >> >> > --> 00CA006600 >> >> > <-- 6E00 >> >> > --> 8050000008FCF70277F3E05F1C00 >> >> > <-- 434D10159416191223C10D01861F156B46ED8FF3BC529AD43D11B5709000 >> >> > mutual_authentication() returns 0x8030F006 (The Secure Channel >> Protocol >> >> > Implementation is invalid.) >> >> > >> >> > I tried this all with different cards, but they all gave me the same >> >> > result. Does this mean my cards are blocked? How can i see it if >> they >> >> > are blocked? Which of the 2 modes is better to use if it support >> >> both (i >> >> > think so but am not sure getting the above result with gp211)? >> >> > >> >> > Any ID? >> >> > >> >> > Regards, >> >> > >> >> > Pierre >> >> > >> >> > >> >> > _______________________________________________ >> >> > Muscle mailing list >> >> > [email protected] >> >> > http://lists.drizzle.com/mailman/listinfo/muscle >> >> >> > >> > >> >> 2412,2413d2411 >> >> < /* Switch on, if R-MAC is only applied to last command of >> >> session. */ >> >> < secInfo->securityLevel |= GP211_SCP02_SECURITY_LEVEL_R_MAC; >> >> 4882a4881,4905 >> >> > #ifdef GEMPLUS >> >> > /** >> >> > * Generate a daughter key based on the mother key, as Gemplus >> spec. >> >> > */ >> >> > static LONG create_daughter_key(BYTE motherKey[16], BYTE >> >> derivationData[16], BYTE daughterKey[16]){ >> >> > LONG result; >> >> > unsigned char derivation_data[16]; >> >> > int outl; >> >> > BYTE left_diversifier[8]; >> >> > BYTE right_diversifier[8]; >> >> > BYTE diversifier[16]; >> >> > >> >> > LOG_START(_T("create_daughter_key")); >> >> > >> >> > result = calculate_enc_ecb_two_key_triple_des(motherKey, >> >> derivationData, 16, daughterKey, &outl); >> >> > if (result != OPGP_ERROR_SUCCESS) { >> >> > goto end; >> >> > } >> >> > { result = OPGP_ERROR_SUCCESS; goto end; } >> >> > end: >> >> > LOG_END(_T("create_daughter_key"), result); >> >> > return result; >> >> > } >> >> > #endif >> >> > >> >> 4897c4920,4924 >> >> < >> >> --- >> >> > // matheus: teste >> >> > BYTE left_diversifier[8]; >> >> > BYTE right_diversifier[8]; >> >> > BYTE diversifier[16]; >> >> > >> >> 4898a4926,4934 >> >> > #if 1 >> >> > // matheus: create diversifier >> >> > memcpy(left_diversifier, cardChallenge+4, 4); >> >> > memcpy(left_diversifier+4, hostChallenge, 4); >> >> > memcpy(right_diversifier, cardChallenge, 4); >> >> > memcpy(right_diversifier+4, hostChallenge+4, 4); >> >> > memcpy(diversifier, left_diversifier, 8); >> >> > memcpy(diversifier+8, right_diversifier, 8); >> >> > #else >> >> 4902a4939 >> >> > #endif >> >> 4904c4941 >> >> < result = calculate_enc_ecb_two_key_triple_des(key, >> >> derivation_data, 16, sessionKey, &outl); >> >> --- >> >> > result = calculate_enc_ecb_two_key_triple_des(key, >> >> diversifier/*derivation_data*/, 16, sessionKey, &outl); >> >> 4913a4951 >> >> > >> >> 4945a4984,5003 >> >> > /* >> >> > static LONG calculate_3des_sessionkey(BYTE diversifier[8], BYTE >> >> staticKey[16], BYTE outKey[16]){ >> >> > LONG result; >> >> > int i,outl; >> >> > EVP_CIPHER_CTX ctx; >> >> > >> >> > // initialize context >> >> > EVP_CIPHER_CTX_init(&ctx); >> >> > if (result != 1) { >> >> > { result = OPGP_OPENSSL_ERROR; goto end; } >> >> > } >> >> > >> >> > end: >> >> > if (EVP_CIPHER_CTX_cleanup(&ctx) != 1) { >> >> > { result = OPGP_OPENSSL_ERROR; goto end; } >> >> > } >> >> > LOG_END(_T("calculate_enc_ecb_two_key_triple_des"), result); >> >> > return result; >> >> > >> >> > }*/ >> >> 5431c5489 >> >> < // random for host challenge >> >> --- >> >> > >> >> 5496a5555,5556 >> >> > >> >> > >> >> 5596a5657,5678 >> >> > #ifdef GEMPLUS >> >> > // daughter key >> >> > BYTE daughterKey[16]; >> >> > // this comes from card diversification >> >> > BYTE derivationData[16]; >> >> > >> >> > // derivation left >> >> > memcpy(derivationData, key_diversification_data, 2); >> >> > memcpy(derivationData+2, key_diversification_data+4, 4); >> >> > derivationData[6] = 0xF0; >> >> > derivationData[7] = 0x01; >> >> > // derivation right >> >> > memcpy(derivationData+8, key_diversification_data, 2); >> >> > memcpy(derivationData+10, key_diversification_data+4, >> 4); >> >> > derivationData[14] = 0x0F; >> >> > derivationData[15] = 0x01; >> >> > >> >> > // generate daughter key >> >> > result = create_daughter_key(S_ENC, derivationData, >> >> daughterKey); >> >> > // and session key >> >> > result = create_session_key_SCP01(daughterKey, >> >> cardChallengeSCP01, hostChallenge, secInfo->encryptionSessionKey); >> >> > #else >> >> 5597a5680,5681 >> >> > #endif >> >> > >> >> 5602a5687,5699 >> >> > #ifdef GEMPLUS >> >> > // left derivation for MAC >> >> > derivationData[6] = 0xF0; >> >> > derivationData[7] = 0x02; >> >> > // right derivation for MAC >> >> > derivationData[14] = 0x0F; >> >> > derivationData[15] = 0x02; >> >> > >> >> > // daughter key >> >> > result = create_daughter_key(S_MAC, derivationData, >> >> daughterKey); >> >> > // and session key >> >> > result = create_session_key_SCP01(daughterKey, >> >> cardChallengeSCP01, hostChallenge, secInfo->C_MACSessionKey); >> >> > #else >> >> 5603a5701 >> >> > #endif >> > >> > >> > >> >> _______________________________________________ >> >> Muscle mailing list >> >> [email protected] >> >> http://lists.drizzle.com/mailman/listinfo/muscle >> > >> > >> > >> > _______________________________________________ >> > Muscle mailing list >> > [email protected] >> > http://lists.drizzle.com/mailman/listinfo/muscle >> >> _______________________________________________ >> Muscle mailing list >> [email protected] >> http://lists.drizzle.com/mailman/listinfo/muscle > > > > _______________________________________________ > Muscle mailing list > [email protected] > http://lists.drizzle.com/mailman/listinfo/muscle _______________________________________________ Muscle mailing list [email protected] http://lists.drizzle.com/mailman/listinfo/muscle
