usage set to 0x0B indicates symmetric key operation, this is used in entersafe_write_key().Hello,On Feb 20, 2011, at 10:59 AM, Jean-Michel Pouré - GOOZE wrote:Interesting, the original e-mail with the patch does show up in list archive but I can't find it in any of my inboxes or spamboxes....Le vendredi 18 février 2011 à 13:59 +0800, Xiaoshuo Wu a écrit :I've added SC_PIN_CMD_GET_INFO handling in entersafe_pin_cmd(), C_GetTokenInfo() will get PIN retries now, you can run "pkcs11-tool --test-hotplug" to see if PIN is locked. Regards, XiaoshuoCould anyone apply this patch to trunk?I thus copy the patch inline with comments: Index: src/pkcs15init/pkcs15-entersafe.c =================================================================== --- src/pkcs15init/pkcs15-entersafe.c (revision 5121) +++ src/pkcs15init/pkcs15-entersafe.c (working copy) @@ -276,7 +276,8 @@ data.key_id=pin_info->reference; data.usage=0x0B;
As for now only "user pin/puk" is treated as "symmetric key" at entersafe driver in OpenSC. entersafe_write_symmetric_key() and entersafe_pin_cmd() use ins 0xf4, this APDU needs EC(Error Count)||ver||pin as data field, so "struct symmetric" has these data member in order to talk with COS. EC's high 4 bit accords to pin max tries, low 4 bit accords to pin tries left.- data.key_data.symmetric.EC=0x33; + data.key_data.symmetric.EC= (pin_info->tries_left << 4) + + pin_info->tries_left; Can you describe the data structure or the the value format?
ver is hard coded to 0x00.
Index: src/libopensc/card-entersafe.c =================================================================== --- src/libopensc/card-entersafe.c (revision 5121) +++ src/libopensc/card-entersafe.c (working copy) @@ -953,10 +953,23 @@ + r = entersafe_transmit_apdu(card, &apdu, 0, 0, 0, 0);Use of entersafe_transmit_apdu is redundant here and in 13 other places where it is a straight passthrough to sc_transmit_apdu (called with 0,0,0,0). For one it makes following the code more difficult and it also generates twice as much log (if logging is enabled as identical APDU-s get logged twice).
Sorry for that, only to see the plain APDU before secure message.
As the wrapper is used for built-in APDU ciphering and mac-ing, you should instead propose a solution for the secure messaging infrastructure in OpenSC (ItaCNS, DNIe, IAS/ECC, Feitian have code that deals with it). As you use builtin keys for only specific APDU-s this should be the simplest case.
Yes, you're right. Juan's proposal is very neat: http://www.opensc-project.org/pipermail/opensc-devel/2010-October/015199.html Thanks to him, I'm implementing similar infrastructure in new model driver. Here attach the latest patch, slight modified: Index: src/pkcs15init/pkcs15-entersafe.c =================================================================== --- src/pkcs15init/pkcs15-entersafe.c (revision 5212) +++ src/pkcs15init/pkcs15-entersafe.c (working copy) @@ -276,7 +276,8 @@ data.key_id=pin_info->reference; data.usage=0x0B; - data.key_data.symmetric.EC=0x33; + data.key_data.symmetric.EC= (pin_info->tries_left << 4) + + pin_info->tries_left; data.key_data.symmetric.ver=0x00; /* pad pin with 0 */memset(data.key_data.symmetric.key_val, 0, sizeof(data.key_data.symmetric.key_val));
Index: src/libopensc/card-entersafe.c
===================================================================
--- src/libopensc/card-entersafe.c (revision 5212)
+++ src/libopensc/card-entersafe.c (working copy)
@@ -953,14 +953,27 @@
entersafe_init_pin_info(&data->pin2,1);
data->flags |= SC_PIN_CMD_NEED_PADDING;
- if(data->cmd!=SC_PIN_CMD_UNBLOCK)
+ if(data->cmd == SC_PIN_CMD_GET_INFO)
{
+ sc_apdu_t apdu;
+ u8 pin_ec[0x01] = {0};
+ sc_format_apdu(card, &apdu, SC_APDU_CASE_2_SHORT, 0xfc, 0x04,
data->pin_reference);
+ apdu.cla = 0x80;
+ apdu.le = apdu.resplen = 0x01;
+ apdu.resp = pin_ec;
+ r = entersafe_transmit_apdu(card, &apdu, 0, 0, 0, 0);
+ SC_TEST_RET(card->ctx, SC_LOG_DEBUG_NORMAL, r, "APDU transmit
failed");
+ data->pin1.max_tries = (pin_ec[0] >> 4);
+ data->pin1.tries_left = (pin_ec[0] & 0x0f);
+ }
+ else if(data->cmd!=SC_PIN_CMD_UNBLOCK)
+ {
r = iso_ops->pin_cmd(card,data,tries_left);
- sc_debug(card->ctx, SC_LOG_DEBUG_NORMAL, "Verify rv:%i", r);
+ sc_debug(card->ctx, SC_LOG_DEBUG_NORMAL, "Verify/Change rv:%i, tries
left:%i", r, *tries_left);
}
- else
+ else /* unblock pin */
{
- {/*verify*/
+ {/* verify user puk */
sc_apdu_t apdu;
u8 sbuf[0x10]={0};
@@ -973,12 +986,13 @@
SC_TEST_RET(card->ctx, SC_LOG_DEBUG_NORMAL, r, "APDU transmit
failed");
}
- {/*change*/
+ {/* change user pin */
sc_apdu_t apdu;
u8 sbuf[0x12]={0};
- sbuf[0] = 0x33;
- sbuf[1] = 0x00;
+ sbuf[0] = ((data->pin1.tries_left << 4) |
+ (data->pin1.tries_left & 0x0f)); /* EC */
+ sbuf[1] = 0x00; /* ver */
memcpy(sbuf+2,data->pin2.data,data->pin2.len);
sc_format_apdu(card, &apdu,
SC_APDU_CASE_3_SHORT,0xF4,0x0B,data->pin_reference);
apdu.cla = 0x84;
trunk.5212.entersafe_pin_retries.diff
Description: Binary data
_______________________________________________ opensc-devel mailing list opensc-devel@lists.opensc-project.org http://www.opensc-project.org/mailman/listinfo/opensc-devel
