> ----Original message----
> From: andre.zepeza...@student.uni-halle.de
> Date: 03/02/2011 13:06
> To: <jons...@terra.es>
> CC: <opensc-devel@lists.opensc-project.org>
> Subject: Re: [opensc-devel] DNIe driver: Needs Information on writing pkcs15-xxxx files
>
> On Thu, 2011-02-03 at 12:03 +0100, jons...@terra.es wrote:
>> Hi All:
>>
>> I've concluded that DNIe card is not so pkcs15 compliant as promised...
>> I think I need rewriting of several file permissions and paths, as information
>> provided in card pkcs15 structure seems to be wrong or incomplete.
>>
>> I've been studying the source code of provided drivers, but still unsure on
>> how to proceed.
>>
>> Is there any kind of information about how to write pkcs15-xxx files? Specifically,
>> to specify visibility flags of public keys and rewriting paths in CDF file.
>
> Please send the following dumps:
> pkcs15-tool -D
> opensc-tool -f
>
> Explain what should be fixed. If there are only minor issues (i.e. some
> wrong flags or paths) then you can go with a very lightweight emulator.
> I will explain later.

Here it comes:

Notice that there is an "official DNIe driver" released under GPL license (thus it
cannot be integrated into OpenSC mainstream), by Spanish authorities, that
(partially) works.

DNIe contains 5 certificates:

At DF 3F006081
- User certificate for Authentication
- User certificate for Signing
- CA Certificate for User certificate validation

At EF 3F00601F
- ICC Certificate to establish cwa14890 Secure Messaging channel

At EF 3F006020
- Intermediate CA Cert for ICC cert validation

-------------------------------------------------------------------------------------------
[jantonio@drake libopensc]$ pkcs11-tool --login -O
^^^^ Official DGP's published GPL driver does not require "--login".
Using slot 1 with a present token (0x1)
Logging in to "DNI electrónico (PIN1)".
Please enter User PIN:
Private Key Object; RSA
  label:      KprivAutenticacion
  ID:         4130364236323435383832383133323230313031313131313634303236
  Usage:      sign
warning: PKCS11 function C_GetAttributeValue(MODULUS_BITS) failed: rv = CKR_ATTRIBUTE_TYPE_INVALID (0x12)
Public Key Object; RSA 0 bits
^^^^^^^ an error: RSA key object should show 2048 bits, not zero
  label:      KpuAutenticacion
  ID:         4130364236323435383832383133323230313031313131313634303236
  Usage:      verify
Certificate Object, type = X.509 cert
  label:      CertAutenticacion
  ID:         4130364236323435383832383133323230313031313131313634303236
Private Key Object; RSA
  label:      KprivFirmaDigital
  ID:         4630364236323435383832383133323230313031313131313634303236
  Usage:      sign
warning: PKCS11 function C_GetAttributeValue(MODULUS_BITS) failed: rv = CKR_ATTRIBUTE_TYPE_INVALID (0x12)
Public Key Object; RSA 0 bits
^^^^^^^ Same error: RSA key object should show 2048 bits, not zero
  label:      KpuFirmaDigital
  ID:         4630364236323435383832383133323230313031313131313634303236
  Usage:      verify
Certificate Object, type = X.509 cert
  label:      CertFirmaDigital
  ID:         4630364236323435383832383133323230313031313131313634303236
Data object 136525816
  label:          'ADMIN_DatosFiliacion'
  application:    '0000'
  app_id:         -1
  flags:          modifiable private
Data object 136525864
  label:          'ADMIN_ImagenFacial'
  application:    '0000'
  app_id:         -1
  flags:          modifiable private
Data object 136522528
  label:          'ADMIN_ImagenFirma'
  application:    '0000'
  app_id:         -1
  flags:          modifiable private
^^^^^ Notice that ICC Certificate and ICC CA Cert are not shown (they are in the Official driver)

-------------------------------------------------------------------------
[jantonio@drake libopensc]$ pkcs15-tool -D
Using reader with a card: OmniKey CardMan 4321 00 00
PKCS#15 Card [DNI electrónico]:
        Version        : 0
        Serial number  : 06B62458828132
        Manufacturer ID: DGP-FNMT
        Flags          : Login required, PRN generation

PIN [PIN1]
        Object Flags   : [0x3], private, modifiable
        ID             : 01
        Flags          : [0x211], case-sensitive, initialized, integrity-protected
        Length         : min_len:4, max_len:16, stored_len:8
        Pad char       : 0x00
        Reference      : 1
        Type           : ascii-numeric

Private RSA Key [KprivAutenticacion]
        Object Flags   : [0x3], private, modifiable
        Usage          : [0xC], sign, signRecover
        Access Flags   : [0x1D], sensitive, alwaysSensitive, neverExtract, local
        ModLength      : 2048
        Key ref        : 1
        Native         : yes
        Path           : 3f0050153f110101
^^^^^^^^^ All the paths shown are wrong: real path is (in this case) 3f003f110101
My feeling is that DNIe doesn't store absolute paths, just relative ones, and my driver
just appends data to the current path (that is 3f005015+DataFromCard)
        ID             : 4130364236323435383832383133323230313031313131313634303236

Private RSA Key [KprivFirmaDigital]
        Object Flags   : [0x3], private, modifiable
        Usage          : [0x20C], sign, signRecover, nonRepudiation
        Access Flags   : [0x1D], sensitive, alwaysSensitive, neverExtract, local
        ModLength      : 2048
        Key ref        : 2
        Native         : yes
        Path           : 3f0050153f110102
        ID             : 4630364236323435383832383133323230313031313131313634303236

Public RSA Key [KpuAutenticacion]
        Object Flags   : [0x3], private, modifiable
        Usage          : [0xC0], verify, verifyRecover
        Access Flags   : [0x12], extract, local
        ModLength      : 2048
        Key ref        : 1
        Native         : yes
        Path           : 3f0050153f110101
        ID             : 4130364236323435383832383133323230313031313131313634303236

Public RSA Key [KpuFirmaDigital]
        Object Flags   : [0x3], private, modifiable
        Usage          : [0x2C0], verify, verifyRecover, nonRepudiation
        Access Flags   : [0x12], extract, local
        ModLength      : 2048
        Key ref        : 2
        Native         : yes
        Path           : 3f0050153f110102
        ID             : 4630364236323435383832383133323230313031313131313634303236

X.509 Certificate [CertAutenticacion]
        Object Flags   : [0x3], private, modifiable
        Authority      : no
        Path           : 3f00501560817004
        ID             : 4130364236323435383832383133323230313031313131313634303236

X.509 Certificate [CertFirmaDigital]
        Object Flags   : [0x3], private, modifiable
        Authority      : no
        Path           : 3f00501560817005
        ID             : 4630364236323435383832383133323230313031313131313634303236

X.509 Certificate [CertCAIntermediaDGP]
        Object Flags   : [0x2], modifiable
        Authority      : no
        Path           : 3f00501560617006
        ID             : 5330364236323435383832383133323230313031313131313634303236

Reading data object <0>
applicationName: 0000
Label:           ADMIN_DatosFiliacion
applicationOID:  NONE
Path:            3f00501560317001
Data object read failed: File not found
^^^^^ This is correct: these data are used internally at the Police Station and are not accessible by "mortal users"
Reading data object <1>
applicationName: 0000
Label:           ADMIN_ImagenFacial
applicationOID:  NONE
Path:            3f00501560317002
Data object read failed: File not found
Reading data object <2>
applicationName: 0000
Label:           ADMIN_ImagenFirma
applicationOID:  NONE
Path:            3f00501560317003
Data object read failed: File not found

--------------------------------------------------------------------------
[jantonio@drake libopensc]$ opensc-tool -f
Using reader with a card: OmniKey CardMan 4321 00 00
3f00 [Master.File] type: DF, size: 11
select[N/A] lock[N/A] delete[NEVR] create[NEVR] rehab[NEVR] inval[NEVR] list[N/A]
^^^^^ Provided documentation shows little info about permissions. I need to look deeper to check the correctness of these flags
prop: 38:3F:00:00:0B:FF:FF:FF:FF:FF
sc_list_files() failed: Not supported
^^^^ I have no documentation for APDUs to list DFs. Official driver also does not support this command.
If you're interested, I can just write a dnie_select_file() that just iterates over every possible file...
btw, what's the expected response format for this command?
[jantonio@drake libopensc]$
------------------------------------------------------------------------

This is all. As you can see I have poor and little documentation, either in OpenSC or DNIe.
Most of the code has been written on the assumption that DNIe is close to standards... but
at this moment I'm blocked and don't know how to continue.

First of all, I need to correct the parsing of public key length and fix the correct path to
pkcs15 objects. Secure channel is working fine, most card_operations also do... but if the
card gives me wrong data I'm stalled.

Thanks for your time and attention.

Regards
Juan Antonio

PS: evidently DNIe won't be ready at FOSDEM.... sorry
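The path mismatch the mail diagnoses (current DF 3f005015 + bytes from the card giving 3f0050153f110101, where the real file is 3f003f110101), as an added C example that is not part of the mail or of the OpenSC drivers: it models a card file path as bytes, shows the concatenation the driver was doing beside the MF-relative resolution the mail hypothesises, and rejects malformed or over-long paths. The function names, the MAX_PATH bound and the hex front end are assumptions for illustration.

```c
/* Added example (not OpenSC code): rebuild absolute DNIe paths from PKCS#15 record bytes. */
#include <stdio.h>
#include <string.h>
#define MAX_PATH 16        /* assumed bound: up to 8 nested two-byte file ids */
#define MF_FID   0x3F00    /* master file id, as listed by opensc-tool -f */
typedef struct { unsigned char v[MAX_PATH]; size_t len; } card_path_t;

/* Hex text such as "3f110101" -> path bytes; -1 on odd length, bad digit or overflow. */
static int path_from_hex(const char *hex, card_path_t *p) {
    size_t n = strlen(hex);
    if (n == 0 || n % 2 || n / 2 > MAX_PATH) return -1;
    for (p->len = 0; p->len < n / 2; p->len++) {
        unsigned b; int used;
        if (sscanf(hex + 2 * p->len, "%2x%n", &b, &used) != 1 || used != 2) return -1;
        p->v[p->len] = (unsigned char)b;
    }
    return 0;
}
/* Path bytes -> lowercase hex, the form pkcs15-tool -D prints. */
static const char *path_to_hex(const card_path_t *p, char *out) {
    for (size_t i = 0; i < p->len; i++) sprintf(out + 2 * i, "%02x", p->v[i]);
    out[2 * p->len] = '\0'; return out;
}

/* What the driver did: current DF 3f005015 + card bytes 3f110101 = 3f0050153f110101 (wrong). */
int resolve_under_current(const card_path_t *cur, const card_path_t *card, card_path_t *out) {
    if (cur->len + card->len > MAX_PATH) return -1;
    memcpy(out->v, cur->v, cur->len);
    memcpy(out->v + cur->len, card->v, card->len);
    out->len = cur->len + card->len;
    return 0;
}
/* Hypothesis from the mail: card paths are relative to the MF, so prefix 3f00
 * unless the path already starts with it; reject malformed or over-long paths. */
int resolve_under_mf(const card_path_t *card, card_path_t *out) {
    if (card->len < 2 || card->len % 2 || card->len + 2 > MAX_PATH) return -1;
    if (((unsigned)card->v[0] << 8 | card->v[1]) == MF_FID) { *out = *card; return 0; }
    out->v[0] = (unsigned char)(MF_FID >> 8); out->v[1] = (unsigned char)(MF_FID & 0xFF);
    memcpy(out->v + 2, card->v, card->len);
    out->len = card->len + 2;
    return 0;
}

/* Hex-in/hex-out front end: cur_hex == NULL selects the MF rule; "" on any failure. */
const char *resolve_hex(const char *cur_hex, const char *card_hex) {
    static char buf[2 * MAX_PATH + 1];
    card_path_t cur, in, res;
    int rc = path_from_hex(card_hex, &in);
    if (rc == 0) rc = cur_hex ? (path_from_hex(cur_hex, &cur) || resolve_under_current(&cur, &in, &res))
                              : resolve_under_mf(&in, &res);
    return rc ? (buf[0] = '\0', buf) : path_to_hex(&res, buf);
}
```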