From: Florent D. <fde...@gm...> - 2013-03-29 09:46:55

Edit: I can answer my own question about tuning the ACL in the profile file: the "*" character is for the attributes which are not defined after it, correct? So if I want to add the possibility to delete it:

*=NEVER,READ=$PIN,UPDATE=$PIN,DELETE=$PIN

Still, why does opensc-explorer list "N/A" for the ACL for READ and UPDATE?

2013/3/29 Florent Deybach <fde...@gm...>

> Hello Ondrej,
>
> Thanks very much for taking the time to explain this to me.
>
> I guessed it was an ACL problem; I even tried to modify the profile file
> but in the wrong section.
> And as you pointed out, the ACLs are applied when a file is created on the token.
> I thought they would be applied during the PKCS15 initialization once and
> for all. It seems I was wrong!
>
> However, opensc-explorer doesn't give me much information about the ACL.
> Or do I need to "decrypt" the security attributes?
>
> florent@ubuntu12-10:~# opensc-explorer
>> OpenSC Explorer version 0.13.0rc1
>>
>> Using reader with a card: Feitian ePass2003 00 00
>> OpenSC [3F00]> cd 5015
>> OpenSC [3F00/5015]> info 3400
>>
>> Elementary File ID 3400
>>
>> File path: 3F00/5015/3400
>> File size: 64 bytes
>> EF structure: Transparent
>> ACL for READ: N/A
>> ACL for UPDATE: N/A
>> ACL for DELETE: N/A
>> ACL for WRITE: N/A
>> ACL for REHABILITATE: N/A
>> ACL for INVALIDATE: N/A
>> ACL for LIST FILES: N/A
>> ACL for CRYPTO: N/A
>> Security attributes: 96 96 FF 9F FF FF FF FF
>>
>
> So I guess it is possible to modify the ACL, right?
>
> By the way, how do I read the ACL? Does the first one take precedence over
> the others? I.e., the "NEVER" directive is for the READ and UPDATE actions, no?
>
>> *=NEVER,READ=$PIN,UPDATE=$PIN;
>>
>
> But if I can't read it I will never be able to use my object, right?
>
> Would it be possible to use the following ACL, then?
>
>> ACL = READ=$PIN,UPDATE=NEVER;
>>
>
> What would be the collateral consequences of that? I mean, will other
> objects be affected by this change?
>
> Again, thanks,
>
> Cheers
>
>
> 2013/3/28 Ondrej Mikle <ond...@ni...>
>
>> On 03/28/2013 09:19 AM, Florent Deybach wrote:
>> > As you can see, the object is present:
>> >
>> > root@ubuntu12-10:~# pkcs15-tool --dump
>> >
>> > Using reader with a card: Feitian ePass2003 00 00
>> >
>> > [...]
>> > Data object 'cleTruecrypt'
>> > applicationName: cleTruecrypt
>> > Path: 3f0050153400
>> > Auth ID: 01
>>
>> My guess would be that the default ACLs prevent deleting the file. If you
>> look at /usr/share/opensc/epass2003.profile, there is the following part
>> describing ACLs for 3f00/5015/34xx files:
>>
>> # data objects are stored in transparent EFs.
>> EF privdata {
>>     file-id = 3400;
>>     structure = transparent;
>>     ACL = *=NEVER,READ=$PIN,UPDATE=$PIN;
>> }
>>
>> That means the ACL for delete is NEVER, i.e. even PIN authorization won't
>> suffice for deletion of this file. It would be consistent with the log you
>> posted - the authenticate APDU instruction goes through OK, but erasing
>> in the last APDU fails with SW 0x69 0x82 "security status not satisfied".
>>
>> AFAIK you won't be able to delete the file without erasing the card
>> (pkcs15-init -E) or erasing the parent DF 5015.
>>
>> Note that the ACLs from the profile are applied at the moment a file is
>> created on the token (like a key or data object).
>>
>> Ondrej
>>
>> _______________________________________________
>> Opensc-devel mailing list
>> Ope...@li...
>> https://lists.sourceforge.net/lists/listinfo/opensc-devel
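As an added illustration (not code from the thread or from OpenSC itself), the Python below resolves a profile ACL string with the precedence Ondrej describes: "*" supplies the default for every operation and a named entry overrides it for that one operation, so DELETE falls under "*=NEVER" unless listed explicitly. The operation names are taken from the opensc-explorer output above; the "NONE" value and the exact left-to-right override rule are assumptions about OpenSC's profile syntax, not verified against its parser.

```python
# Operation names as printed by opensc-explorer's "info" command. Only
# READ, UPDATE and DELETE appear in the thread's profile; the rest are
# included so unmentioned operations show up explicitly as "N/A".
OPERATIONS = ("READ", "UPDATE", "DELETE", "WRITE", "REHABILITATE",
              "INVALIDATE", "LIST FILES", "CRYPTO")


def resolve_acl(acl_string):
    """Map each operation to its access condition for an ACL string such as
    '*=NEVER,READ=$PIN,UPDATE=$PIN'.

    Entries are applied left to right (assumed semantics): '*' assigns the
    condition to every operation, a named operation assigns just that one,
    and anything the string never mentions stays 'N/A'."""
    acl = {op: "N/A" for op in OPERATIONS}
    for entry in acl_string.rstrip(";").split(","):
        entry = entry.strip()
        if not entry:
            continue
        if "=" not in entry:
            raise ValueError(f"malformed ACL entry: {entry!r}")
        op, cond = (part.strip() for part in entry.split("=", 1))
        if op == "*":
            for each in OPERATIONS:
                acl[each] = cond
        elif op.upper() in acl:
            acl[op.upper()] = cond
        else:
            raise ValueError(f"unknown operation: {op!r}")
    return acl


def can_delete_with_pin(acl_string):
    """True if a PIN-verified session satisfies the DELETE condition.
    'NONE' (no condition) is assumed to be an accepted profile value."""
    return resolve_acl(acl_string)["DELETE"] in ("$PIN", "NONE")


if __name__ == "__main__":
    # The profile's default ACL next to the DELETE=$PIN variant from the thread.
    for acl in ("*=NEVER,READ=$PIN,UPDATE=$PIN;",
                "*=NEVER,READ=$PIN,UPDATE=$PIN,DELETE=$PIN;"):
        resolved = resolve_acl(acl)
        print(acl, "->", {k: resolved[k] for k in ("READ", "UPDATE", "DELETE")},
              "deletable with PIN:", can_delete_with_pin(acl))
```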