From: Ondrej M. <ond...@ni...> - 2013-03-29 13:52:15
On 03/29/2013 10:46 AM, Florent Deybach wrote:
> I can answer my own question about tuning the ACL in the profile file:
>
> The "*" character is for the attributes which are not defined after it, correct?

Yes, I think the wildcard character affects all other ACLs that are not explicitly listed.

> So if I want to add the possibility to delete it:
> *=NEVER,READ=$PIN,UPDATE=$PIN,DELETE=$PIN

That should work (...provided that there's not some other bug). Though note that if you try to delete a PIN-protected file in opensc-explorer, you'll need to "cd 5015" before using "verify CHV1" for some reason. At least the "verify" doesn't work for me when I'm in the MF 3F00, but works once I "cd 5015".

> Still, why does opensc-explorer list "N/A" for the ACL for READ and UPDATE?

IIRC it's part of the epass2003 driver that's not finished. It always lists N/A for epass2003. The real ACLs are in the last line starting with "Security attributes", like in your example below:

> Security attributes: 96 96 FF 9F FF FF FF FF

Each byte is a bitwise OR of the macros EPASS2003_AC_* defined in src/libopensc/cardctl.h. The low nybble can be:

#define EPASS2003_AC_EVERYONE 0x00
#define EPASS2003_AC_USER 0x06
#define EPASS2003_AC_SO 0x08
#define EPASS2003_AC_NOONE 0x0F

which stands for "no PIN needed", "user PIN needed", "SO-PIN needed", "forbidden" (not sure about the SO-PIN, never really made it work).

The high nybble is a bit mysterious to me as well; I've only ever seen 0x90 used:

#define EPASS2003_AC_MAC_UNEQUAL 0x80
#define EPASS2003_AC_MAC_NOLESS 0x90
#define EPASS2003_AC_MAC_LESS 0xA0
#define EPASS2003_AC_MAC_EQUAL 0xB0

The order of the "Security attributes" printed out is: READ, UPDATE, ??, DELETE, ??... (It comes from the contents of the incoming APDU that is the token's response to the "SELECT FILE" APDU, instruction 0xA4.)

Some ACLs are never used for epass2003, e.g. INVALIDATE and REHABILITATE, since the token does not support the corresponding APDU instructions.

I've never found any official documentation on epass2003; the stuff about ACLs is what I discovered by trial and error and by reading the driver's source.

Ondrej
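The decoding described in Ondrej's message, as an added example that is not part of the original thread or of OpenSC: it splits each "Security attributes" byte into the low nybble (PIN condition) and high nybble (MAC condition) using the EPASS2003_AC_* values quoted above, and labels the slots in the order he gives (READ, UPDATE, ??, DELETE, ??...). The slot names for the "??" positions, the helper names, and the "allowed after verify CHV1" interpretation are assumptions of this example, not something the message or the driver states.

```python
"""Decode the epass2003 "Security attributes" bytes printed by opensc-explorer.

Added example (not OpenSC code). The EPASS2003_AC_* values are the ones
quoted in the message; the byte order READ, UPDATE, ??, DELETE, ?? is the
poster's observation, so slots 2 and 4..7 are labelled unknown-N here
(assumed naming, not the driver's).
"""

# Low nybble: which PIN the operation requires (values quoted from cardctl.h)
EPASS2003_AC_EVERYONE = 0x00
EPASS2003_AC_USER = 0x06
EPASS2003_AC_SO = 0x08
EPASS2003_AC_NOONE = 0x0F

# High nybble: secure-messaging (MAC) condition (values quoted from cardctl.h)
EPASS2003_AC_MAC_UNEQUAL = 0x80
EPASS2003_AC_MAC_NOLESS = 0x90
EPASS2003_AC_MAC_LESS = 0xA0
EPASS2003_AC_MAC_EQUAL = 0xB0

PIN_CONDITION = {
    EPASS2003_AC_EVERYONE: "no PIN needed",
    EPASS2003_AC_USER: "user PIN needed",
    EPASS2003_AC_SO: "SO-PIN needed",
    EPASS2003_AC_NOONE: "forbidden",
}

MAC_CONDITION = {
    EPASS2003_AC_MAC_UNEQUAL: "MAC_UNEQUAL",
    EPASS2003_AC_MAC_NOLESS: "MAC_NOLESS",
    EPASS2003_AC_MAC_LESS: "MAC_LESS",
    EPASS2003_AC_MAC_EQUAL: "MAC_EQUAL",
}

# Slot order as described in the message; the "??" slots are kept as unknown-N.
OPERATIONS = ["READ", "UPDATE", "unknown-2", "DELETE"] + [
    f"unknown-{i}" for i in range(4, 8)
]


def decode_byte(value):
    """Split one attribute byte into (pin condition, mac condition) strings.

    Nybble values outside the quoted macros are reported as unknown(0x..)
    rather than guessed.
    """
    if not 0 <= value <= 0xFF:
        raise ValueError(f"not a byte: {value!r}")
    low, high = value & 0x0F, value & 0xF0
    pin = PIN_CONDITION.get(low, f"unknown(0x{low:02X})")
    mac = MAC_CONDITION.get(high, f"unknown(0x{high:02X})")
    return pin, mac


def parse_explorer_line(line):
    """Extract the hex bytes from an opensc-explorer 'Security attributes:' line."""
    prefix = "Security attributes:"
    if prefix not in line:
        raise ValueError("not a Security attributes line")
    hexpart = line.split(prefix, 1)[1]
    return [int(tok, 16) for tok in hexpart.split()]


def decode_security_attributes(attrs):
    """Map each attribute byte to (operation, pin condition, mac condition).

    `attrs` is either a hex string like '96 96 FF 9F FF FF FF FF' or a list of ints.
    """
    if isinstance(attrs, str):
        attrs = [int(tok, 16) for tok in attrs.split()]
    result = []
    for i, value in enumerate(attrs):
        op = OPERATIONS[i] if i < len(OPERATIONS) else f"unknown-{i}"
        pin, mac = decode_byte(value)
        result.append((op, pin, mac))
    return result


def allowed_with_user_pin(attrs):
    """Operations a caller who has verified CHV1 may perform, judged by the
    low nybble only (assumed interpretation; the MAC condition is ignored)."""
    return [
        op
        for op, pin, _ in decode_security_attributes(attrs)
        if pin in ("no PIN needed", "user PIN needed")
    ]


if __name__ == "__main__":
    # Constructed input: the attribute line quoted in the thread.
    line = "Security attributes: 96 96 FF 9F FF FF FF FF"
    for op, pin, mac in decode_security_attributes(parse_explorer_line(line)):
        print(f"{op:10} {pin:16} {mac}")
    print("allowed after verify CHV1:", allowed_with_user_pin(parse_explorer_line(line)))
```

Run on the quoted line, READ and UPDATE decode to 0x96 (MAC_NOLESS, user PIN needed) and the DELETE slot 0x9F decodes to MAC_NOLESS, forbidden, which is consistent with a profile that had DELETE left under "*=NEVER" before Florent added DELETE=$PIN.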