Hi, I have an Aladdin eToken PRO 64K on Linux using the latest opensc (11.4 - I also tried 11.3). I am trying to automate configuring of the smartcards to build a PKI tool. I use Perl's Expect to 'chat' with the tools for simplicity.

When/if a command line tool like pkcs15-init fails, I try to exit gracefully by sending various signals. I've tried TERM, HUP, and KILL. I've also tried sending Ctrl-D a couple of times first. In all cases, if pkcs15-init is killed while prompting me for the SO PIN while adding a new user pin to a freshly formatted card (made with 'pkcs15-init -C' and an SO PIN) it permanently 'locks' the card from taking new pins.

All subsequent calls to 'pkcs15-init -P' on that card fail right before prompting for the SO PIN. The errors printed are:

cardos_check_sw: required access right not granted

and then

sc_card_ctl: returning with: Security status not satisfied

Is there any way I can abort the addition of a pin, while the SO PIN prompt is displayed *without* my card getting into this state? How can I get my card out of this state? (pkcs15-init -E DOES work, but is a little less than ideal when there are other data on the card).

Thanks!

Adam Rosenstein
Red Condor

$ openct-control -v
OpenCT 0.6.14

$ openct-tool list
0 Aladdin eToken PRO 64k

$ /usr/bin/pkcs15-init --reader 0 -P -a 01 -l pin01
New User PIN.
Please enter User PIN:
PINtest1<Enter>
Please type again to verify:
PINtest1<Enter>
Unblock Code for New User PIN (Optional - press return for no PIN).
Please enter User unblocking PIN (PUK): <Enter>
Security officer PIN required.
Please enter Security officer PIN: ^D
[pkcs15-init] sec.c:201:sc_pin_cmd: returning with: PIN code or key incorrect
[pkcs15-init] pkcs15-lib.c:3105:do_get_and_verify_secret: Failed to verify SO PIN (ref=0x1)
Failed to store PIN: PIN code or key incorrect

$ /usr/bin/pkcs15-init --reader 0 -P -a 01 -l pin01
New User PIN.
Please enter User PIN:
PINtest1<Enter>
Please type again to verify:
PINtest1<Enter>
Unblock Code for New User PIN (Optional - press return for no PIN).
Please enter User unblocking PIN (PUK): <Enter>
[pkcs15-init] card-cardos.c:255:cardos_check_sw: required access right not granted
[pkcs15-init] card-cardos.c:945:cardos_put_data_oci: Card returned error: Security status not satisfied
[pkcs15-init] card.c:678:sc_card_ctl: returning with: Security status not satisfied
Failed to store PIN: Security status not satisfied

$ /usr/bin/pkcs15-init --reader 0 -P -a 02 -l pin02
New User PIN.
Please enter User PIN:
PINtest2<Enter>
Please type again to verify:
PINtest2<Enter>
Unblock Code for New User PIN (Optional - press return for no PIN).
Please enter User unblocking PIN (PUK): <Enter>
[pkcs15-init] card-cardos.c:255:cardos_check_sw: required access right not granted
[pkcs15-init] card-cardos.c:945:cardos_put_data_oci: Card returned error: Security status not satisfied
[pkcs15-init] card.c:678:sc_card_ctl: returning with: Security status not satisfied
Failed to store PIN: Security status not satisfied

Here's a log snippet starting a few lines before the first diff(1) between a good pin add log and one of these "Security status not satisfied" problems.

[pkcs15-init] card.c:312:sc_unlock: called
[pkcs15-init] card-cardos.c:883:cardos_lifecycle_get: returning with: 0
[pkcs15-init] card.c:678:sc_card_ctl: returning with: 0
[pkcs15-init] card.c:668:sc_card_ctl: called
[pkcs15-init] card-cardos.c:929:cardos_put_data_oci: called
[pkcs15-init] apdu.c:516:sc_transmit_apdu: called
[pkcs15-init] card.c:285:sc_lock: called
[pkcs15-init] apdu.c:184:sc_apdu_log:
Outgoing APDU data [ 34 bytes] =====================================
00 DA 01 6E 1D 83 02 00 03 85 08 02 03 87 03 FF ...n............
FF 00 04 86 03 00 03 FF 8F 08 50 49 4E 74 65 73 ..........PINtes
74 31 t1
======================================================================
[pkcs15-init] apdu.c:184:sc_apdu_log:
Incoming APDU data [ 2 bytes] =====================================
69 82 i.
======================================================================
[pkcs15-init] card.c:312:sc_unlock: called
[pkcs15-init] asn1.c:1234:asn1_encode_entry: encoding 'TokenInfo'
[pkcs15-init] asn1.c:1240:asn1_encode_entry: type=129, tag=0x1000010, parm=0xbfe694d4, len=0
[pkcs15-init] asn1.c:1234:asn1_encode_entry: encoding 'version'
[pkcs15-init] asn1.c:1240:asn1_encode_entry: type=2, tag=0x02, parm=0xbfe696e8, len=0
[pkcs15-init] asn1.c:1410:asn1_encode_entry: length of encoded item=3
[pkcs15-init] asn1.c:1234:asn1_encode_entry: encoding 'serialNumber'
_______________________________________________
opensc-user mailing list
opensc-user lists.opensc-project.org
http://www.opensc-project.org/mailman/listinfo/opensc-user
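
An added example, not part of the original post and not OpenSC code: a Python script that reads the sc_apdu_log dumps from a debug log like the one in the message above and reports each command the card did not answer with 90 00, so an automation wrapper can stop on 69 82 instead of retrying. The function names and verdict strings are assumptions made for this example; the status-word meanings are the generic ISO 7816-4 ones.

```python
import re

# Constructed sample: the APDU exchange from the log above, wrapped lines rejoined.
SAMPLE_LOG = """\
Outgoing APDU data [ 34 bytes] =====================================
00 DA 01 6E 1D 83 02 00 03 85 08 02 03 87 03 FF ...n............
FF 00 04 86 03 00 03 FF 8F 08 50 49 4E 74 65 73 ..........PINtes
74 31 t1
======================================================================
Incoming APDU data [ 2 bytes] =====================================
69 82 i.
======================================================================
"""
HEADER = re.compile(r"^(Outgoing|Incoming) APDU data \[\s*(\d+) bytes\]")

def parse_apdus(log_text):
    """Return [(direction, bytes)] for each complete sc_apdu_log dump."""
    apdus, direction, want, buf = [], None, 0, b""
    for line in log_text.splitlines():
        m = HEADER.match(line)
        if m:
            direction, want, buf = m.group(1), int(m.group(2)), b""
        elif direction and not set(line.strip()) <= {"="}:  # skip rulers, blanks
            # A row is up to 16 hex bytes plus an ASCII column; the declared
            # length says how many leading tokens are data.
            tokens = line.split()[:min(16, want - len(buf))]
            ok = all(re.fullmatch(r"[0-9A-Fa-f]{2}", t) for t in tokens)
            buf += bytes.fromhex("".join(tokens)) if ok else b""
            if ok and len(buf) == want:
                apdus.append((direction, buf))
            if not ok or len(buf) == want:
                direction = None  # dump complete, or truncated and dropped
    return apdus

def classify_sw(sw):
    """Map an ISO 7816-4 status word to a verdict a wrapper script can act on."""
    if sw & 0xFFF0 == 0x63C0:
        return "verify failed, %d tries left" % (sw & 0x0F)
    return {0x9000: "ok", 0x6982: "security status not satisfied",
            0x6983: "authentication method blocked"}.get(sw, "other %04X" % sw)

def failed_commands(log_text):
    """Return (INS, P1, P2, verdict) for every command not answered with 90 00."""
    dumps, out = parse_apdus(log_text), []
    for (d1, cmd), (d2, rsp) in zip(dumps, dumps[1:]):
        if (d1, d2) == ("Outgoing", "Incoming") and len(cmd) >= 4 and len(rsp) >= 2:
            verdict = classify_sw(int.from_bytes(rsp[-2:], "big"))
            if verdict != "ok":
                out.append((cmd[1], cmd[2], cmd[3], verdict))
    return out
```

The outgoing dump carries the new user PIN in clear in its last eight bytes, so debug logs collected by such a wrapper need the same handling as the PINs themselves.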