Wolfgang Glas wrote:
On Monday, 29 May 2006 22:23, Nils Larsch wrote:
Wolfgang Glas wrote:
...
# pkcs15-init -E -C
This command asked me for the unspecified PIN 115 (0x73) and I tried to
enter the factory default SO PIN several times, which was a fatal error,
because after contacting Eutron support I received their tool to reset
the token (see: doc/euton.html in the openct distribution), but this tool
is unable to reset the token anyways, because I obviously blocked this
factory-default transport PIN, which is undocumented and a secret of
Siemens Italia.
just out of curiosity: what does cardos-info give you ?
..
System keys: StartKey (version 0xff, retries 10)
don't know how you define "transport PIN" but the startkey doesn't
seem to be blocked (and I guess it's 0xff:0xff...:0xff hence not
really secret anymore) but I guess you've blocked the pin which
afaik protects the DELETE AC for the MF (~ root directory)
6) However, when I try to generate a private key using opensc-0.11.0 and
the PIN I generated with opensc-0.9.6, I get the following errors:
# pkcs15-init -G rsa/1024 -a 1 -i 46 -u sign
card-cardos.c:225:cardos_check_sw: invalid parameters in data field
card.c:376:sc_create_file: returning with: Incorrect parameters in APDU
Failed to generate key: Incorrect parameters in APDU
would be interesting to see the APDU log (note: APDU logging needs to be
enabled in the config due to security reasons) to find out what the exact
problem is
... The APDU log of the above command for my ITSEC-I is in the file
opensc-ITSEC-I.log located in the attached tar.gz archive.
ok, the creation of a temporary file has failed ... what does a
"cd 5015" + "ls" give you when using the opensc-explorer tool ?
Well, this is the traditional game over situation, so I gave up with the
ITSEC-I at this point. [cannot delete the content of the token, cannot
generate another private key :-( ]
yep, it's rather simple to make a smartcard useless
7) I switched over to the ITSEC-P token, which should be supported by
openct-0.6.7/opensc-0.11.0 and I successfully generated a pkcs15-
structure.
card-info is here:
well "cardos-info" is only useful for the cardos card os and
hence it's not surprising that it fails with a starcos token ;-)
# cardos-info
Received (SW1=0x6A, SW2=0x88)
#
8) I successfully generated a PIN on the ITSEC-P using
openct-0.6.7/opensc-0.11.0:
# pkcs15-init -P -a 1
9) However, I cannot generate any certificate using this token, here are
the corresponding errors:
# pkcs15-init -G rsa/1024 -a 1 -i 45 -u sign
Security officer PIN required.
Please enter Security officer PIN:
iso7816.c:99:iso7816_check_sw: No precise diagnosis
card.c:686:sc_card_ctl: returning with: Card command failed
Failed to generate key: Card command failed
again: an APDU log would be interesting
... The APDU log of the above command for my ITSEC-P is in the file
opensc-ITSEC-P.log located in the attached tar.gz archive.
need to take a closer look at this ....
Cheers,
Nils