Discussion:
Siemens CardOS alternatives
Goetz Bock
2008-12-01 10:03:34 UTC
Dear list,

my first try still awaits moderator approval, but I've now subscribed to
the ML.

To skip all the context, search for QUESTION.
The Client-Side seems to be nice, and I already got a Siemens CardOS
4.3B-Smartcard. Unfortunately this card is not initialised and still
in manufacture-mode.
right now you need some official siemens tool to do that for you.
I'm asking siemens if we can use (and thus publish the command in
source).
not much hope here, but we can ask.
Guess what, I've a similar problem, my card is CardOS 4.2b and also in
manufacturing mode.

I'm using
- Debian 4.0
- OmniKey 3821 reader
- pcscd 1.4.99, pcsc-omnikey 3.4, opensc 0.11.4, openct 0.6.14 all from
backports40+1

output from cardos-info
| iso7816.c:99:iso7816_check_sw: Instruction code not supported or invalid
| iso7816.c:458:iso7816_select_file: returning with: Unsupported INS byte in APDU
| card.c:563:sc_select_file: returning with: Unsupported INS byte in APDU
| 3b:f2:18:00:02:c1:0a:31:fe:58:c8:09:75
| Info : CardOS V4.2B (C) Siemens AG 1994-2005
| Chip type: 123
| Serial number: xx xx xx xx xx xx
| Full prom dump:
| 33 66 00 45 CB CB CB CB 7B FF 25 B5 85 0F 06 27 3f.E....{.%....'
| 00 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 ................
| OS Version: 200.9 (that's CardOS M4.2b)
| Current life cycle: 52 (manufacturing)
| Security Status of current DF:
| Free memory : 13321
| ATR Status: 0x0 ROM-ATR
| Packages installed:
| Ram size: 4, Eeprom size: 32, cpu type: 66, chip config: 63
| Free eeprom memory: 32620
| System keys: PackageLoadKey (version 0x00, retries 10)
| System keys: StartKey (version 0x00, retries 10)
| Unable to determine current DF:
| Received (SW1=0x6D, SW2=0x00)
| iso7816.c:99:iso7816_check_sw: Instruction code not supported or invalid
| iso7816.c:458:iso7816_select_file: returning with: Unsupported INS byte in APDU
| card.c:563:sc_select_file: returning with: Unsupported INS byte in APDU

I've no idea where the errors come from, maybe from being
uninitialised.

opensc-tool only knows the card when I specify the driver

opensc-tool -a -v
| Connecting to card in reader OMNIKEY CardMan 3821 00 00...
| Using card driver Default driver for unknown cards.
| Card ATR:
| 3B F2 18 00 02 C1 0A 31 FE 58 C8 09 75 ;......1.X..u
| Card name: Unidentified card

opensc-tool -a -v -c cardos
| Connecting to card in reader OMNIKEY CardMan 3821 00 00...
| Using card driver Siemens CardOS.
| Card ATR:
| 3B F2 18 00 02 C1 0A 31 FE 58 C8 09 75 ;......1.X..u
| Card name: CardOS M4

I also have a TCOS card, but that seems to be unsupported, too.

opensc-tool -a -v
| Connecting to card in reader OMNIKEY CardMan 3821 00 00...
| Using card driver TCOS 2.0.
| Card ATR:
| 3B BA 96 00 81 31 86 5D 00 64 05 60 02 03 31 80 ;....1.].d.`..1.
| 90 00 66 ..f
| Card name: TCOS

pkcs15-tool -c
| PKCS#15 initialization failed: Unsupported card

opensc-tool -f
| 3f00 [\xD2v\x00\x00\x03] type: DF, size: 0
| select[NONE] lock[NONE] delete[N/A] create[NONE] rehab[NONE] inval[NONE] list[NONE] sec: Segmentation fault


Now to my QUESTIONs:
- where can I get an "official siemens tool" to initialise my card
- Andreas, did Siemens reply to your request to write an initialisation
tool?
- can I somehow initialise the TCOS card?

Thanks a lot,
Goetz.
--
/"\ Goetz Bock at blacknet dot de -- secure mobile Linux everNETting
\ / (c) 2008 Creative Commons, Attribution-ShareAlike 2.0 de
X [ 1. Use descriptive subjects - 2. Edit a reply for brevity - ]
/ \ [ 3. Reply to the list - 4. Read the archive *before* you post ]
Andreas Jellinghaus
2008-12-03 09:39:58 UTC
Post by Goetz Bock
Dear list,
my first try still awaits moderator approval, but I've now subscribed to
the ML.
can you repost? that would be easier than searching for the one valid mail
in hundreds of spams.
Post by Goetz Bock
output from cardos-info
| Info : CardOS V4.2B (C) Siemens AG 1994-2005
| OS Version: 200.9 (that's CardOS M4.2b)
| Current life cycle: 52 (manufacturing)
ok, looks like the usual new card (without checking
in detail. not sure if I kept any card/token here in
manufacturing mode...).
Post by Goetz Bock
I also have a TCOS card, but that seams to be unsupported, too.
only initialized TCOS cards are supported, as far as I know.
also there are different tcos versions IIRC. peter koch is
the expert on those cards.
Post by Goetz Bock
opensc-tool -f
| 3f00 [\xD2v\x00\x00\x03] type: DF, size: 0
| select[NONE] lock[NONE] delete[N/A] create[NONE] rehab[NONE] inval[NONE]
| list[NONE] sec: Segmentation fault
hmm, that should not happen. if you have some free time,
can you check where the segfault happens?
Post by Goetz Bock
- where can I get an "official siemens tool" to initialise my card
I mostly had aladdin etoken pro (they have cardos cards inside), so I used
the aladdin format tool.
Post by Goetz Bock
- Andreas did Siemens reply to you request to write an initialisation
tool?
nope. got an ID but never any answer.
Post by Goetz Bock
- can I somehow initialise the TCOS card?
preformatted cards can be used at least partially - check with peter
for details. if you have blank cards: someone would need to write a
driver for them (and thus need to have access to the full documentation).
most likely no one will have enough time for that.

also there are cards with full documentation and vendor support out there
waiting for someone to write a driver (e.g. acos5).

Regards, Andreas
p.s. check your mail reader, I received your email with this bogus line:
Reply-To: ***@dungeon.inka.de
or did kmail/kontact something stupid with your email? strange.
Goetz Bock
2008-12-18 16:05:23 UTC
Post by Goetz Bock
my first try still awaits moderator approval,
can you repost?
This mail was the repost.


I'm now finally using a CardOS card to do signing with.

Here is a summary of how to get there.

I'm using CardOS v4.3b as the CardOS 4.2b is not (yet?) supported by the
Siemens CardOS API Software.

Starting from a card in manufacturing mode
Info : CardOS V4.3B (C) Siemens AG 1994-2004
Chip type: 124
Serial number: 26 xx xx xx xx xx
33 66 00 1B 5B 5B 5B 5B 7C FF 26 xx xx xx xx xx 3f..[[[[|.&...%.
00 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 ................
OS Version: 200.8 (that's CardOS M4.3b)
Current life cycle: 52 (manufacturing)
Free memory : 13320
ATR Status: 0x0 ROM-ATR
Ram size: 4, Eeprom size: 64, cpu type: 66, chip config: 63
Free eeprom memory: 49005
System keys: PackageLoadKey (version 0x00, retries 10)
System keys: StartKey (version 0x00, retries 7)
Received (SW1=0x6D, SW2=0x00)
you first have to format it using the "CardOS API - Viewer" under
windows. The CardOS API is available for a reasonable price (my first
license asked about 20 Euros, but I later found a "CardOS trial" with a
CardOS v4.3b card and a license for the CardOS API for a total of 20
Euros.)
Info : CardOS V4.3B (C) Siemens AG 1994-2004
Chip type: 123
Serial number: 28 xx xx xx xx xx
00 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 ................
OS Version: 200.8 (that's CardOS M4.3b)
Current life cycle: 16 (operational)
Free memory : 879
ATR Status: 0x0 ROM-ATR
E1 09 01 04 13 03 C8 08 8F 01 01 ...........
Ram size: 4, Eeprom size: 32, cpu type: 66, chip config: 63
Free eeprom memory: 25043
System keys: PackageLoadKey (version 0x00, retries 10)
System keys: StartKey (version 0xff, retries 10)
during initialisation you have to enter a user PIN and PUK and a "sec.
auth" PIN and PUK. You don't get to enter a SO-PIN/PUK. Therefore you're
not able to generate keys or add keys or certificates.
Version : 1
Serial number : xxxxxxxxxxxxxxxxxx
Manufacturer ID: Siemens AG (C)
Flags : Login required, PRN generation
PIN [PIN]
Com. Flags: 0x3
ID : 01
Flags : [0x11], case-sensitive, initialized
Length : min_len:4, max_len:16, stored_len:0
Pad char : 0x00
Reference : 129
Type : UTF-8
PIN [SO-PIN]
Com. Flags: 0x3
ID : 02
Flags : [0x99], case-sensitive, unblock-disabled, initialized, soPin
Length : min_len:4, max_len:16, stored_len:0
Pad char : 0x00
Reference : 130
Type : UTF-8
PIN [Secondary Authentication PIN]
Com. Flags: 0x3
ID : 03
Flags : [0x13], case-sensitive, local, initialized
Length : min_len:4, max_len:16, stored_len:0
Pad char : 0x00
Reference : 144
Type : UTF-8
So there is an SO-PIN, but you don't know what it is.

As the windows software only supports import of PKCS#12 files, you have
to generate them somewhere else (e.g. using openssl on your linux box).
# openssl genrsa 1024 > host.key
# openssl req -new -x509 -nodes -sha1 -days 3650 -key host.key > host.cert
# cat host.key host.cert | openssl pkcs12 -export -password pass:1234 > host.p12
[ ... ]
Private RSA Key [Tester]
Com. Flags : 3
Usage : [0x126], decrypt, sign, unwrap, derive
Access Flags: [0x9], sensitive, neverExtract
ModLength : 1024
Key ref : 1
Native : yes
Path : 3f00501550724b015501
Auth ID : 01
ID : 43fa0f66ae31f25690eb04b53f13f527
X.509 Certificate [Tester]
Flags : 2
Authority: no
Path : 3f00501543044301
ID : 43fa0f66ae31f25690eb04b53f13f527
This RSA-Key can be used with pkcs15-crypt using the user-pin you
specified during format.

That's what I wanted to do, mission accomplished. Unfortunately the
private key is also known to the linux box where I generated it on and
on the windows system used for importing. ...

I've already physically destroyed the harddisks ;-)

otoh I can now generate a clone of my smartcard and don't have to
encrypt for two keys.
or did kmail/kontact something stupid with your email? strange.
It should have been an in-reply-to header, my mistake.

Cu,
G. Bock.
--
/"\ Goetz Bock at blacknet dot de -- secure mobile Linux everNETting
\ / (c) 2008 Creative Commons, Attribution-ShareAlike 2.0 de
X [ 1. Use descriptive subjects - 2. Edit a reply for brevity - ]
/ \ [ 3. Reply to the list - 4. Read the archive *before* you post ]
Kevin Oberman
2008-12-18 16:44:19 UTC
Date: Thu, 18 Dec 2008 17:05:23 +0100
Post by Goetz Bock
my first try still awaits moderator approval,
can you repost?
This mail was the repost.
I'm now finally using a CardOS card to do signing with.
Here is a summary of how to get there.
I'm using CardOS v4.3b as the CardOS 4.2b is not (yet?) supported by the
Siemens CardOS API Software.
You say that CardOS v4.2B is not supported. Do you really mean Aladdin V4.2B
eTokens? My tokens report CardOS M4.

I have previously posted that I was unable to use any of our 4.2B
eTokens and received a response that they were fine and it must be a
local issue.

I was unaware that some newer version might work with OpenSC. Can
someone confirm whether that 4.3 or any newer version of the eToken
works with OpenSC? We are running low on 4.2 tokens and would love to be
able to buy new ones that will work on our Unix systems.
--
R. Kevin Oberman, Network Engineer
Energy Sciences Network (ESnet)
Ernest O. Lawrence Berkeley National Laboratory (Berkeley Lab)
E-mail: ***@es.net Phone: +1 510 486-8634
Key fingerprint:059B 2DDF 031C 9BA3 14A4 EADA 927D EBB3 987B 3751
Goetz Bock
2008-12-18 17:48:42 UTC
Post by Kevin Oberman
Post by Goetz Bock
I'm using CardOS v4.3b as the CardOS 4.2b is not (yet?) supported by
the Siemens CardOS API Software.
You say that CardOS v4.2B is not supported. Do you really mean Aladdin
V4.2B eTokens? My tokens report CardOS M4.
I was talking about CardOS 4.2b not being supported by the Siemens
"CardOS API v3.2" (basically drivers with a "Viewer" application for
Windows).

This has nothing to do with the CardOS card inside the Aladdin eTokens
(whatever version they might be, try cardos-info or cardos-tool) nor
with the CardOS support in opensc.

And CardOS 4.2b is more recent than CardOS 4.3b. The version history is
something like this:

CardOS M4.0
CardOS M4.01
CardOS M4.2
CardOS M4.3
CardOS M4.3b
CardOS M4.2b

IIRC this was listed in the Wikipedia article on CardOS.

Cu,
G. Bock.
--
/"\ Goetz Bock at blacknet dot de -- secure mobile Linux everNETting
\ / (c) 2007 Creative Commons, Attribution-ShareAlike 2.0 de
X [ 1. Use descriptive subjects - 2. Edit a reply for brevity - ]
/ \ [ 3. Reply to the list - 4. Read the archive *before* you post ]
Kevin Oberman
2008-12-18 18:05:09 UTC
Date: Thu, 18 Dec 2008 18:48:42 +0100
Post by Kevin Oberman
Post by Goetz Bock
I'm using CardOS v4.3b as the CardOS 4.2b is not (yet?) supported by
the Siemens CardOS API Software.
You say that CardOS v4.2B is not supported. Do you really mean Aladdin
V4.2B eTokens? My tokens report CardOS M4.
I was talking about CardOS 4.2b not being supported by the Siemens
"CardOS API v3.2" (basically drivers with a "Viewer" application for
Windows).
This has nothing to do with the CardOS card inside the Aladdin eTokens
(whatever version they might be, try cardos-info or cardos-tool) nor
with the CardOS support in opensc.
And CardOS 4.2b is more recent than CardOS 4.3b. The version history is
CardOS M4.0
CardOS M4.01
CardOS M4.2
CardOS M4.3
CardOS M4.3b
CardOS M4.2b
IIRC this was listed in the Wikipedia article on CardOS.
Many thanks. I'm still a bit confused, but I will read what Wikipedia
has to say and maybe I will start to understand it. I had never noticed
cardos-info before. (I have no cardos-tool.)
--
R. Kevin Oberman, Network Engineer
Energy Sciences Network (ESnet)
Ernest O. Lawrence Berkeley National Laboratory (Berkeley Lab)
E-mail: ***@es.net Phone: +1 510 486-8634
Key fingerprint:059B 2DDF 031C 9BA3 14A4 EADA 927D EBB3 987B 3751
Alparslan Ozturk
2008-12-19 07:45:36 UTC
Post by Kevin Oberman
Date: Thu, 18 Dec 2008 18:48:42 +0100
Post by Kevin Oberman
Post by Goetz Bock
I'm using CardOS v4.3b as the CardOS 4.2b is not (yet?) supported by
the Siemens CardOS API Software.
You say that CardOS v4.2B is not supported. Do you really mean Aladdin
V4.2B eTokens? My tokens report CardOS M4.
I was talking about CardOS 4.2b not being supported by the Siemens
"CardOS API v3.2" (basically drivers with a "Viewer" application for
Windows).
This has nothing to do with the CardOS card inside the Aladdin eTokens
(whatever version they might be, try cardos-info or cardos-tool) nor
with the CardOS support in opensc.
And CardOS 4.2b is more recent than CardOS 4.3b. The version history is
CardOS M4.0
CardOS M4.01
CardOS M4.2
CardOS M4.3
CardOS M4.3b
CardOS M4.2b
IIRC this was listed in the Wikipedia article on CardOS.
Many thanks. I'm still a bit confused, but I will read what Wikipedia
has to say and maybe I will start to understand it. I had never noticed
cardos-info before. (I have no cardos-tool.)
***@aozturk ~]$ rpm -qf `which cardos-info`
opensc-0.11.6-1.fc10.x86_64

I'm using a cardOS 4.3.B card but I can't format an empty card because I
can't change from manufacturer mode to operational mode in linux
Goetz Bock
2008-12-19 10:09:06 UTC
Hi Alparslan,

[ try to learn how to quote, please ]
Post by Alparslan Ozturk
opensc-0.11.6-1.fc10.x86_64
I'm using a cardOS 4.3.B card but I can't format an empty card because I
can't change from manufacturer mode to operational mode in linux
Nobody can. Siemens does not tell us what commands are required to
change the start key, and all the commands we (as in opensc, as far as I
could gather) know are encrypted for a start key of 0xff.

If anyone would figure out the SO-Pin for the cards initialised by the
Siemens CardOS API software, we could use them fully, once initialised.

As I don't know anything about the lowlevel smartcard communication,
this might be totally wrong (e.g. if the communication is protected
against replay), but:

To get the SO-Pin you'd have to reverse the windows binary or sniff the
communication with the smartcard.

Both should be doable, and would not even be illegal in (parts of)
Europe.

While you're at it, you could also sniff the whole initialisation and we
would get the set-0xff command as well as the commands used for
initialisation.

But the latter ones should be the same as the commands already known in
cardos-tool.

So long,
G. Bock.
--
/"\ Goetz Bock at blacknet dot de -- secure mobile Linux everNETting
\ / (c) 2008 Creative Commons, Attribution-ShareAlike 2.0 de
X [ 1. Use descriptive subjects - 2. Edit a reply for brevity - ]
/ \ [ 3. Reply to the list - 4. Read the archive *before* you post ]
Andreas Jellinghaus
2008-12-19 09:18:28 UTC
Post by Goetz Bock
I was talking about CardOS 4.2b not beeing supported by the Siemens
"CardOS API v3.2" (basically drivers with a "Viewer" application for
Windows).
can you post the cardos-info output once you initialized a card with it?
most interesting: does that tool change the startkey to 0xff (with the
value of 16 bytes 0xff)?

if so, it could be possible to format the card and initialize it with
opensc. in latest trunk we have code to format the card, if the startkey
was already changed to 0xff.

but maybe not - if there are PINs maybe the card can only be erased if
you know the start key and the PIN - not sure if it can be configured
that way, but I guess it can and usually is.

so, it would be quite interesting to find out if that software package
could be used as a way to format cards, so they can then be used with
opensc. but beware: experiments may kill your card (I don't think so,
but I better warn than regret later).

also - only checking - the siemens software has no mode where it can
erase a card without creating a new structure? too bad, aladdin has that
in their etoken utility, at least the version I used many years ago.

Thanks for giving us feedback!

Regards, Andreas
Goetz Bock
2008-12-19 09:59:23 UTC
Hi Andreas,
Post by Andreas Jellinghaus
Post by Goetz Bock
I was talking about CardOS 4.2b not beeing supported by the Siemens
"CardOS API v3.2" (basically drivers with a "Viewer" application for
Windows).
can you post the cardos-info output once you initialized a card with it?
most interesting: does that tool change the startkey to 0xff (with the
value of 16 bytes 0xff)?
I already included the output of cardos-info in my first mail on
Post by Andreas Jellinghaus
Post by Goetz Bock
Info : CardOS V4.3B (C) Siemens AG 1994-2004
Chip type: 123
Serial number: 28 xx xx xx xx xx
00 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 ................
OS Version: 200.8 (that's CardOS M4.3b)
Current life cycle: 16 (operational)
Free memory : 879
ATR Status: 0x0 ROM-ATR
E1 09 01 04 13 03 C8 08 8F 01 01 ...........
Ram size: 4, Eeprom size: 32, cpu type: 66, chip config: 63
Free eeprom memory: 25043
System keys: PackageLoadKey (version 0x00, retries 10)
System keys: StartKey (version 0xff, retries 10)
if so, it could be possible to format the card and initialize it with
opensc. in latest trunk we have code to format the card, if the startkey
was already changed to 0xff.
While the startkey is 0xff, there are packages installed.

I've hacked cardos-tool from CVS/SVN to ignore all errors, but it still
fails. I don't have any output from my hacked version, maybe I'll
recreate this version and capture all output ... but not this year.
Post by Andreas Jellinghaus
so, it would be quite interesting to find out if that software package
could be used as a way to format cards, so they can then be used with
opensc. but beware: experiments may kill your card (I don't think so,
but I better warn than regret later).
The cards can be used, but you can not "manage" them. You can use
existing keys and change the user pins. But you can not add or generate
keys or certificates.
(BTW: I was unable to use the pinpad to change a pin. I had to disable
this feature in opensc.conf and then change the pins using the cli, bad
but I can boot from a ro-cd to change keys so this is ok)
Post by Andreas Jellinghaus
also - only checking - the siemens software has no mode where it can
erase a card without creating a new structure?
I did not find any.
Post by Andreas Jellinghaus
Thanks for giving us feedback!
sure, this is the least I could do.

Cu,
Goetz.
--
/"\ Goetz Bock at blacknet dot de -- secure mobile Linux everNETting
\ / (c) 2008 Creative Commons, Attribution-ShareAlike 2.0 de
X [ 1. Use descriptive subjects - 2. Edit a reply for brevity - ]
/ \ [ 3. Reply to the list - 4. Read the archive *before* you post ]
Andreas Jellinghaus
2008-12-19 14:44:24 UTC
Hi Goetz,

thanks for your response.

if there are packages installed, we can't do anything.
format would delete the packages and we can't publish the
instructions to install them, even if we knew.
(After all it is (encrypted) code owned by siemens...)

sorry.

so you need to use the siemens software for all changes
to the card, including initialization. the initialized
card should then work read-only/use-only with opensc,
i.e. reading certs, signing and decrypting should work,
most likely also pin unblocking. but every bigger change
like adding data, certs, keys or pins would most likely
need the siemens software again.

if there is any problem with such simple operations
like signing or reading public data, please file a
bug report. I hope that someone will have a look
at it and can fix it. (but very few opensc developers
are still active and the core is mostly unmaintained...)

Regards, Andreas
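The decision the thread arrives at (opensc trunk can format only if the StartKey is already 0xff, and even then not when vendor packages are installed, since nobody outside Siemens can reinstall them) reduces to a few fields of cardos-info output. The following is an added example, not code from the thread or from the opensc project: it parses those fields and applies the criteria. The two sample dumps are constructed from the values quoted above; the "Packages installed:" header sitting directly above the package hex line is an assumption about the dump layout.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed samples assembled from the dumps quoted in the thread. The "| "
# mail-quote prefix on the first is kept on purpose; placing the package hex
# line under "Packages installed:" in the second is an assumed layout.
MANUFACTURING_DUMP = """\
| OS Version: 200.9 (that's CardOS M4.2b)
| Current life cycle: 52 (manufacturing)
| Packages installed:
| Free eeprom memory: 32620
| System keys: StartKey (version 0x00, retries 10)
"""
OPERATIONAL_DUMP = """\
OS Version: 200.8 (that's CardOS M4.3b)
Current life cycle: 16 (operational)
Packages installed:
E1 09 01 04 13 03 C8 08 8F 01 01 ...........
Free eeprom memory: 25043
System keys: StartKey (version 0xff, retries 10)
"""

_LC = re.compile(r"^Current life cycle:\s*(\d+)")
_SK = re.compile(r"^System keys: StartKey \(version 0x([0-9a-fA-F]+), retries (\d+)\)")
_HEX = re.compile(r"^((?:[0-9A-Fa-f]{2} )+[0-9A-Fa-f]{2})\b")

@dataclass
class CardState:
    life_cycle: Optional[int] = None          # 52 = manufacturing, 16 = operational
    start_key_version: Optional[int] = None   # 0xff after the Siemens tool formatted it
    start_key_retries: Optional[int] = None
    packages: List[str] = field(default_factory=list)

def parse_cardos_info(text: str) -> CardState:
    """Pull out the fields the thread's decision hinges on; tolerates '| ' mail quoting."""
    st, in_packages = CardState(), False
    for raw in text.splitlines():
        line = raw.lstrip("| ").rstrip()
        if in_packages:
            m = _HEX.match(line)
            if m:
                st.packages.append(m.group(1).upper())
                continue
            in_packages = False  # first non-hex line ends the package list
        if line.startswith("Packages installed:"):
            in_packages = True
        elif (m := _LC.match(line)):
            st.life_cycle = int(m.group(1))
        elif (m := _SK.match(line)):
            st.start_key_version = int(m.group(1), 16)
            st.start_key_retries = int(m.group(2))
    return st

def opensc_can_format(st: CardState) -> Tuple[bool, str]:
    """Andreas's and Goetz's criteria: formatting with opensc trunk needs StartKey 0xff,
    and is pointless if it would erase vendor packages that cannot be reinstalled."""
    if st.life_cycle == 52:
        return False, "manufacturing mode: the StartKey change command is not public"
    if st.start_key_version != 0xFF:
        return False, "StartKey version is not 0xff"
    if st.packages:
        return False, "packages installed: format would erase them"
    return True, "StartKey is 0xff and no packages are installed"
```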
