From df92a132a4a78a7498d517ec2ad6fc8ffac3ece8 Mon Sep 17 00:00:00 2001
From: Peter Popovec
Date: Fri, 22 Dec 2023 09:30:36 +0100
Subject: [PATCH] Fixed AID for file 5015 in oseid.profile
new file: download/oseid.profile
new file: download/oseid_0.24.profile
modified: tools/OsEID-tool
---
download/oseid.profile | 231 ++++++++++++++++++++++++++++++++++++
download/oseid_0.24.profile | 231 ++++++++++++++++++++++++++++++++++++
tools/OsEID-tool | 29 ++---
3 files changed, 477 insertions(+), 14 deletions(-)
create mode 100644 download/oseid.profile
create mode 100644 download/oseid_0.24.profile
diff --git a/download/oseid.profile b/download/oseid.profile
new file mode 100644
index 0000000..ebb1aa4
--- /dev/null
+++ b/download/oseid.profile
@@ -0,0 +1,231 @@
+#
+# PKCS15 r/w profile for MyEID cards
+#
+cardinfo {
+ label = "OsEID";
+ manufacturer = "Atmel at/x mega";
+ min-pin-length = 4;
+ max-pin-length = 8;
+ pin-encoding = ascii-numeric;
+ pin-pad-char = 0xFF;
+}
+
+#
+# The following controls some aspects of the PKCS15 we put onto
+# the card.
+#
+pkcs15 {
+ # Put certificates into the CDF itself?
+ direct-certificates = no;
+ # Put the DF length into the ODF file?
+ encode-df-length = no;
+ # Have a lastUpdate field in the EF(TokenInfo)?
+ do-last-update = no;
+}
+
+option default {
+ macros {
+ #protected = READ=NONE, UPDATE=CHV1, DELETE=CHV2;
+ #unprotected = READ=NONE, UPDATE=CHV1, DELETE=CHV1;
+
+ unusedspace-size = 510;
+ odf-size = 255;
+ aodf-size = 255;
+ cdf-size = 1530;
+ cdf-trusted-size = 510;
+ prkdf-size = 1530;
+ pukdf-size = 1530;
+ skdf-size = 1530;
+ dodf-size = 1530;
+ }
+}
+
+# Define reasonable limits for PINs and PUK
+# Note that we do not set a file path or reference
+# here; that is done dynamically.
+PIN user-pin {
+ reference = 1;
+ min-length = 4;
+ max-length = 8;
+ attempts = 3;
+ flags = initialized, needs-padding;
+}
+
+PIN user-puk {
+ min-length = 4;
+ max-length = 8;
+ attempts = 10;
+ flags = needs-padding;
+}
+
+PIN so-pin {
+ reference = 3;
+ auth-id = FF;
+ min-length = 4;
+ max-length = 8;
+ attempts = 3;
+ flags = initialized, soPin, needs-padding;
+}
+
+PIN so-puk {
+ min-length = 4;
+ max-length = 8;
+ attempts = 10;
+ flags = needs-padding;
+}
+
+# Additional filesystem info.
+# This is added to the file system info specified in the
+# main profile.
+filesystem {
+ DF MF {
+ path = 3F00;
+ type = DF;
+ acl = CREATE=$PIN, DELETE=$SOPIN;
+
+ # This is the DIR file
+ EF DIR {
+ file-id = 2F00;
+ structure = transparent;
+ size = 128;
+ acl = READ=NONE, UPDATE=$SOPIN, DELETE=$SOPIN;
+ }
+ DF PKCS15-AppDF {
+ type = DF;
+ file-id = 5015;
+ aid = A0:00:00:00:63:50:4B:43:53:2D:31:35;
+ acl = DELETE=$PIN, CREATE=$PIN;
+
+ EF PKCS15-ODF {
+ file-id = 5031;
+ structure = transparent;
+ size = $odf-size;
+ acl = READ=NONE, UPDATE=$PIN, DELETE=$SOPIN;
+ }
+
+ EF PKCS15-TokenInfo {
+ file-id = 5032;
+ size = 160;
+ structure = transparent;
+ acl = READ=NONE, UPDATE=$SOPIN, DELETE=$SOPIN;
+ }
+
+ EF PKCS15-UnusedSpace {
+ file-id = 5033;
+ structure = transparent;
+ size = $unusedspace-size;
+ acl = READ=NONE, UPDATE=$SOPIN, DELETE=$SOPIN;
+ }
+
+ EF PKCS15-AODF {
+ file-id = 4401;
+ structure = transparent;
+ size = $aodf-size;
+ acl = READ=NONE, UPDATE=$SOPIN, DELETE=$SOPIN;
+ }
+
+ EF PKCS15-PrKDF {
+ file-id = 4402;
+ structure = transparent;
+ size = $prkdf-size;
+ acl = *=NEVER, READ=NONE, UPDATE=$PIN, DELETE=$SOPIN;
+ }
+
+ EF PKCS15-PuKDF {
+ file-id = 4404;
+ structure = transparent;
+ size = $pukdf-size;
+ acl = *=NEVER, READ=NONE, UPDATE=$PIN, DELETE=$SOPIN;
+ }
+
+ EF PKCS15-SKDF {
+ file-id = 4407;
+ structure = transparent;
+ size = $skdf-size;
+ acl = *=NEVER, READ=NONE, UPDATE=$PIN, DELETE=$SOPIN;
+ }
+
+ EF PKCS15-CDF {
+ file-id = 4403;
+ structure = transparent;
+ size = $cdf-size;
+ acl = *=NEVER, READ=NONE, UPDATE=$PIN, DELETE=$SOPIN;
+ }
+
+ EF PKCS15-CDF-TRUSTED {
+ file-id = 4405;
+ structure = transparent;
+ size = $cdf-trusted-size;
+ acl = *=NEVER, READ=NONE, UPDATE=$PIN, DELETE=$SOPIN;
+ }
+
+ EF PKCS15-DODF {
+ file-id = 4406;
+ structure = transparent;
+ size = $dodf-size;
+ acl = *=NEVER, READ=NONE, UPDATE=$PIN, DELETE=$SOPIN;
+ }
+
+ EF template-private-key {
+ type = internal-ef;
+ file-id = 4B01;
+ acl = CRYPTO=$PIN, UPDATE=$PIN, DELETE=$PIN, GENERATE=$PIN;
+ }
+
+ EF template-secret-key {
+ type = internal-ef;
+ file-id = 4D01;
+ acl = CRYPTO=$PIN, UPDATE=$PIN, DELETE=$PIN, GENERATE=$PIN;
+ }
+
+ EF template-public-key {
+ structure = transparent;
+ file-id = 5501;
+ acl = READ=NONE, UPDATE=$PIN, DELETE=$PIN, GENERATE=$PIN;
+ }
+
+ EF template-certificate {
+ file-id = 4301;
+ structure = transparent;
+ acl = READ=NONE, UPDATE=$PIN, DELETE=$PIN;
+ }
+
+ template key-domain {
+ # This is a dummy entry - pkcs15-init insists that
+ # this is present
+ EF private-key {
+ file-id = 4B01;
+ type = internal-ef;
+ acl = CRYPTO=$PIN, UPDATE=$PIN, DELETE=$PIN, GENERATE=$PIN;
+ }
+ EF public-key {
+ file-id = 5501;
+ structure = transparent;
+ acl = READ=NONE, UPDATE=$PIN, DELETE=$PIN, GENERATE=$PIN;
+ }
+ EF secret-key {
+ file-id = 4D01;
+ type = internal-ef;
+ acl = CRYPTO=$PIN, UPDATE=$PIN, DELETE=$PIN, GENERATE=$PIN;
+ }
+
+ # Certificate template
+ EF certificate {
+ file-id = 4301;
+ structure = transparent;
+ acl = READ=NONE, UPDATE=$PIN, DELETE=$PIN;
+ }
+ EF privdata {
+ file-id = 4501;
+ structure = transparent;
+ acl = READ=$PIN, UPDATE=$PIN, DELETE=$PIN;
+ }
+ EF data {
+ file-id = 4601;
+ structure = transparent;
+ acl = READ=NONE, UPDATE=$PIN, DELETE=$PIN;
+ }
+ }
+ }
+ }
+}
diff --git a/download/oseid_0.24.profile b/download/oseid_0.24.profile
new file mode 100644
index 0000000..ebb1aa4
--- /dev/null
+++ b/download/oseid_0.24.profile
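Review bot: `DF PKCS15-AppDF` is created with `acl = DELETE=$PIN, CREATE=$PIN;` while the ODF, TokenInfo, UnusedSpace and every *DF below it require `DELETE=$SOPIN`; if the card applies the parent's DELETE rule when the DF is removed, the user PIN can take out the whole application DF together with files the SO PIN was meant to protect, so either confirm this is intended for OsEID or change the line to `acl = DELETE=$SOPIN, CREATE=$PIN;`. The header comment `# PKCS15 r/w profile for MyEID cards` is stale for a file whose `label = "OsEID"`; `# PKCS15 r/w profile for OsEID cards` would avoid confusion with the OpenSC myeid profile, and a short comment on the `aid =` line saying why the AID is needed would capture the rationale the subject line refers to. The commented-out `#protected` / `#unprotected` macros in `option default` are never referenced and can be dropped. download/oseid_0.24.profile in the next hunk is the same blob (ebb1aa4) and shares all of the above; a top-of-file comment there stating which OpenSC release selects it and that it must be kept in step with oseid.profile would help the next maintainer.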
@@ -0,0 +1,231 @@
+#
+# PKCS15 r/w profile for MyEID cards
+#
+cardinfo {
+ label = "OsEID";
+ manufacturer = "Atmel at/x mega";
+ min-pin-length = 4;
+ max-pin-length = 8;
+ pin-encoding = ascii-numeric;
+ pin-pad-char = 0xFF;
+}
+
+#
+# The following controls some aspects of the PKCS15 we put onto
+# the card.
+#
+pkcs15 {
+ # Put certificates into the CDF itself?
+ direct-certificates = no;
+ # Put the DF length into the ODF file?
+ encode-df-length = no;
+ # Have a lastUpdate field in the EF(TokenInfo)?
+ do-last-update = no;
+}
+
+option default {
+ macros {
+ #protected = READ=NONE, UPDATE=CHV1, DELETE=CHV2;
+ #unprotected = READ=NONE, UPDATE=CHV1, DELETE=CHV1;
+
+ unusedspace-size = 510;
+ odf-size = 255;
+ aodf-size = 255;
+ cdf-size = 1530;
+ cdf-trusted-size = 510;
+ prkdf-size = 1530;
+ pukdf-size = 1530;
+ skdf-size = 1530;
+ dodf-size = 1530;
+ }
+}
+
+# Define reasonable limits for PINs and PUK
+# Note that we do not set a file path or reference
+# here; that is done dynamically.
+PIN user-pin {
+ reference = 1;
+ min-length = 4;
+ max-length = 8;
+ attempts = 3;
+ flags = initialized, needs-padding;
+}
+
+PIN user-puk {
+ min-length = 4;
+ max-length = 8;
+ attempts = 10;
+ flags = needs-padding;
+}
+
+PIN so-pin {
+ reference = 3;
+ auth-id = FF;
+ min-length = 4;
+ max-length = 8;
+ attempts = 3;
+ flags = initialized, soPin, needs-padding;
+}
+
+PIN so-puk {
+ min-length = 4;
+ max-length = 8;
+ attempts = 10;
+ flags = needs-padding;
+}
+
+# Additional filesystem info.
+# This is added to the file system info specified in the
+# main profile.
+filesystem {
+ DF MF {
+ path = 3F00;
+ type = DF;
+ acl = CREATE=$PIN, DELETE=$SOPIN;
+
+ # This is the DIR file
+ EF DIR {
+ file-id = 2F00;
+ structure = transparent;
+ size = 128;
+ acl = READ=NONE, UPDATE=$SOPIN, DELETE=$SOPIN;
+ }
+ DF PKCS15-AppDF {
+ type = DF;
+ file-id = 5015;
+ aid = A0:00:00:00:63:50:4B:43:53:2D:31:35;
+ acl = DELETE=$PIN, CREATE=$PIN;
+
+ EF PKCS15-ODF {
+ file-id = 5031;
+ structure = transparent;
+ size = $odf-size;
+ acl = READ=NONE, UPDATE=$PIN, DELETE=$SOPIN;
+ }
+
+ EF PKCS15-TokenInfo {
+ file-id = 5032;
+ size = 160;
+ structure = transparent;
+ acl = READ=NONE, UPDATE=$SOPIN, DELETE=$SOPIN;
+ }
+
+ EF PKCS15-UnusedSpace {
+ file-id = 5033;
+ structure = transparent;
+ size = $unusedspace-size;
+ acl = READ=NONE, UPDATE=$SOPIN, DELETE=$SOPIN;
+ }
+
+ EF PKCS15-AODF {
+ file-id = 4401;
+ structure = transparent;
+ size = $aodf-size;
+ acl = READ=NONE, UPDATE=$SOPIN, DELETE=$SOPIN;
+ }
+
+ EF PKCS15-PrKDF {
+ file-id = 4402;
+ structure = transparent;
+ size = $prkdf-size;
+ acl = *=NEVER, READ=NONE, UPDATE=$PIN, DELETE=$SOPIN;
+ }
+
+ EF PKCS15-PuKDF {
+ file-id = 4404;
+ structure = transparent;
+ size = $pukdf-size;
+ acl = *=NEVER, READ=NONE, UPDATE=$PIN, DELETE=$SOPIN;
+ }
+
+ EF PKCS15-SKDF {
+ file-id = 4407;
+ structure = transparent;
+ size = $skdf-size;
+ acl = *=NEVER, READ=NONE, UPDATE=$PIN, DELETE=$SOPIN;
+ }
+
+ EF PKCS15-CDF {
+ file-id = 4403;
+ structure = transparent;
+ size = $cdf-size;
+ acl = *=NEVER, READ=NONE, UPDATE=$PIN, DELETE=$SOPIN;
+ }
+
+ EF PKCS15-CDF-TRUSTED {
+ file-id = 4405;
+ structure = transparent;
+ size = $cdf-trusted-size;
+ acl = *=NEVER, READ=NONE, UPDATE=$PIN, DELETE=$SOPIN;
+ }
+
+ EF PKCS15-DODF {
+ file-id = 4406;
+ structure = transparent;
+ size = $dodf-size;
+ acl = *=NEVER, READ=NONE, UPDATE=$PIN, DELETE=$SOPIN;
+ }
+
+ EF template-private-key {
+ type = internal-ef;
+ file-id = 4B01;
+ acl = CRYPTO=$PIN, UPDATE=$PIN, DELETE=$PIN, GENERATE=$PIN;
+ }
+
+ EF template-secret-key {
+ type = internal-ef;
+ file-id = 4D01;
+ acl = CRYPTO=$PIN, UPDATE=$PIN, DELETE=$PIN, GENERATE=$PIN;
+ }
+
+ EF template-public-key {
+ structure = transparent;
+ file-id = 5501;
+ acl = READ=NONE, UPDATE=$PIN, DELETE=$PIN, GENERATE=$PIN;
+ }
+
+ EF template-certificate {
+ file-id = 4301;
+ structure = transparent;
+ acl = READ=NONE, UPDATE=$PIN, DELETE=$PIN;
+ }
+
+ template key-domain {
+ # This is a dummy entry - pkcs15-init insists that
+ # this is present
+ EF private-key {
+ file-id = 4B01;
+ type = internal-ef;
+ acl = CRYPTO=$PIN, UPDATE=$PIN, DELETE=$PIN, GENERATE=$PIN;
+ }
+ EF public-key {
+ file-id = 5501;
+ structure = transparent;
+ acl = READ=NONE, UPDATE=$PIN, DELETE=$PIN, GENERATE=$PIN;
+ }
+ EF secret-key {
+ file-id = 4D01;
+ type = internal-ef;
+ acl = CRYPTO=$PIN, UPDATE=$PIN, DELETE=$PIN, GENERATE=$PIN;
+ }
+
+ # Certificate template
+ EF certificate {
+ file-id = 4301;
+ structure = transparent;
+ acl = READ=NONE, UPDATE=$PIN, DELETE=$PIN;
+ }
+ EF privdata {
+ file-id = 4501;
+ structure = transparent;
+ acl = READ=$PIN, UPDATE=$PIN, DELETE=$PIN;
+ }
+ EF data {
+ file-id = 4601;
+ structure = transparent;
+ acl = READ=NONE, UPDATE=$PIN, DELETE=$PIN;
+ }
+ }
+ }
+ }
+}
diff --git a/tools/OsEID-tool b/tools/OsEID-tool
index f8dfc78..826cfee 100755
--- a/tools/OsEID-tool
+++ b/tools/OsEID-tool
@@ -503,25 +503,26 @@
 fi
 if [ $mode == "INIT" ]; then
 boldecho "card init"
 boldecho "---------"
+if [ $CARD_INIT -eq 1 ]; then
+ warnecho "Your card is already initialized!"
+ exit 0
+fi
+echo "running pkcs15-init, SOPIN=00000000 SOPUK=00000000"
 #pin and puk is not used in this command, but specifying this prevent driver from unnecessarily asking for it several times
 if [ $CARD_TYPE == "MyEID" ]; then
- echo "running pkcs15-init, SOPIN=00000000 SOPUK=00000000"
 PKCS15-INIT -C --so-pin 00000000 --so-puk 00000000 --pin 11111111
 else
- if [ $CARD_INIT -eq 1 ]; then
- warnecho "Your card is already initialized!"
- exit 0
- fi
- echo "running pkcs15-init, SOPIN=00000000 SOPUK=00000000"
- if [ ! -f /usr/share/opensc/oseid_$OPENSC_VER.profile ]; then
- warnecho "Using myeid profile for OsEID card, please install /usr/share/opensc/oseid_$OPENSC_VER.profile "
- warnecho "Press ENTER continue, or CTRL-C to abort"
- read a
- PKCS15-INIT -C --so-pin 00000000 --so-puk 00000000 --pin 11111111
- else
- PKCS15-INIT -C -c oseid_$OPENSC_VER --so-pin 00000000 --so-puk 00000000 --pin 11111111
- fi
+ if [ -f /usr/share/opensc/oseid_$OPENSC_VER.profile ]; then
+ PKCS15-INIT -C -c oseid_$OPENSC_VER --so-pin 00000000 --so-puk 00000000 --pin 11111111
+ elif [ -f /usr/share/opensc/oseid.profile ]; then
+ PKCS15-INIT -C -c oseid --so-pin 00000000 --so-puk 00000000 --pin 11111111
+ else
+ warnecho "Using myeid profile for OsEID card, please install /usr/share/opensc/oseid.profile"
+ warnecho "Press ENTER continue, or CTRL-C to abort"
+ read a
+ PKCS15-INIT -C --so-pin 00000000 --so-puk 00000000 --pin 11111111
+ fi
 fi
 if [ $? -ne 0 ]; then
 failecho "init fail"
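Review bot: The hoisted `if [ $CARD_INIT -eq 1 ]; then` now guards every card type, but `$CARD_INIT` is unquoted, so if the variable is unset or empty (it is assigned outside this hunk) `[` exits non-zero with "unary operator expected", the guard is silently skipped and pkcs15-init is run against a card that may already be initialised; `if [ "${CARD_INIT:-0}" -eq 1 ]; then` keeps the guard effective, and `"$CARD_TYPE"` in the `if [ $CARD_TYPE == "MyEID" ]` test deserves the same quoting. The new `elif` fallback picks `oseid.profile` without saying so; an `echo "using profile oseid_$OPENSC_VER"` / `echo "using profile oseid"` before the respective PKCS15-INIT call would show which profile produced a given card layout when an init result is later questioned. The enclosing `if [ $mode == "INIT" ]` block starts and ends outside the hunk.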