3

I'm working on a Polish e-identity card which is protected by a CAN code. It is required to provide this code to unlock the card and be able to list the tokens.

I'm not able to find any information about it.

When using the official app https://www.gov.pl/web/e-dowod you are prompted for this number after inserting the card.

According to the logs, a mysterious function C_SetCAN from e-dowod-pkcs11-64.so is invoked. It is not documented in http://docs.oasis-open.org/pkcs11/pkcs11-base/v2.40/pkcs11-base-v2.40.html and is also not present in https://github.com/OpenSC/OpenSC/blob/master/src/pkcs11/pkcs11-global.c#L320 where it should be according to the logs:

0x7f9bca95c700 23:18:32.251 [opensc-pkcs11] pkcs11-global.c:320:C_SetCAN: C_SetCAN(0x5)
0x7f9bca95c700 23:18:32.251 [opensc-pkcs11] pkcs11-global.c:329:C_SetCAN: C_SetCAN() get slot rv 0

It makes me think that it might be some custom extension, but as opensc is under LGPL, its sources should also be provided, right?

When I tried to break on it with gdb, I landed in:

#0  0x00007fffeadd5b70 in C_SetCAN () from /opt/e-dowod/e-dowod-pkcs11-64.so
#1  0x000000000041d49c in ?? ()
#2  0x0000000000418907 in ?? ()
#3  0x00000000004199bc in ?? ()
#4  0x000000000041ed58 in ?? ()
#5  0x00007ffff686e0e1 in QObject::event(QEvent*) () from /opt/e-dowod/./libQt5Core.so.5
#6  0x00007ffff7691e2c in QApplicationPrivate::notify_helper(QObject*, QEvent*) () from /opt/e-dowod/./libQt5Widgets.so.5

Why is there no caller and argument information?

I've also tried to use https://github.com/OpenSC/OpenSC/blob/master/src/tools/npa-tool.c which seems to have the desired functionality, but quite probably without success.

P:91478; T:0x140627504822080 17:59:48.916 [npa-tool] sm-eac.c:643:eac_gen_auth_1_encrypted_nonce: 
General authenticate (Encrypted Nonce) response data (20 bytes):
00 02 7C 12 80 10 D1 0A 98 E5 3B DC 7C F5 DC FA ..|.......;.|...
58 60 24 BA                                     X`$.
P:91478; T:0x140627504822080 17:59:48.917 [npa-tool] sm-eac.c:647:eac_gen_auth_1_encrypted_nonce: Could not parse general authenticate response data.
P:91478; T:0x140627504822080 17:59:48.917 [npa-tool] sm-eac.c:648:eac_gen_auth_1_encrypted_nonce: error:0D0680A8:asn1 encoding routines:asn1_check_tlen:wrong tag
P:91478; T:0x140627504822080 17:59:48.917 [npa-tool] sm-eac.c:648:eac_gen_auth_1_encrypted_nonce: error:0D07803A:asn1 encoding routines:asn1_item_embed_d2i:nested asn1 error
P:91478; T:0x140627504822080 17:59:48.917 [npa-tool] sm-eac.c:648:eac_gen_auth_1_encrypted_nonce: error:0D08303A:asn1 encoding routines:asn1_template_noexp_d2i:nested asn1 error
P:91478; T:0x140627504822080 17:59:48.917 [npa-tool] sm-eac.c:1176:perform_pace: Could not get encrypted nonce from card (General Authenticate step 1 failed).
P:91478; T:0x140627504822080 17:59:48.917 [npa-tool] sm-eac.c:1364:perform_pace: returning with: -1400 (Internal error)
4
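An added example, not part of the original question and not OpenSC code: it assumes the PACE layout from ICAO 9303 / BSI TR-03110, where the General Authenticate step 1 response is a 0x7C template holding the encrypted nonce under tag 0x80, and runs that check over the 20 bytes from the npa-tool log. The function names and the constructed sample response are hypothetical.

```c
#include <stddef.h>
#include <stdio.h>

enum pace_rc { PACE_OK = 0, PACE_WRONG_TAG, PACE_TRUNCATED, PACE_BAD_LENGTH };

/* Read one BER TLV header (single-byte tag, short or 0x81 length form). */
static enum pace_rc tlv_header(const unsigned char *p, size_t n, unsigned char want,
                               size_t *hdr, size_t *len)
{
    if (n < 2) return PACE_TRUNCATED;
    if (p[0] != want) return PACE_WRONG_TAG;
    if (p[1] < 0x80) { *hdr = 2; *len = p[1]; }
    else if (p[1] == 0x81 && n >= 3) { *hdr = 3; *len = p[2]; }
    else return PACE_BAD_LENGTH;
    /* The declared length must fit in what is left of the buffer. */
    return (*len > n - *hdr) ? PACE_TRUNCATED : PACE_OK;
}

/* Expect 7C L { 80 L <encrypted nonce> } and return the nonce location. */
enum pace_rc pace_parse_nonce(const unsigned char *buf, size_t n,
                              const unsigned char **nonce, size_t *nonce_len)
{
    size_t hdr, len;
    enum pace_rc rc = tlv_header(buf, n, 0x7C, &hdr, &len);
    if (rc != PACE_OK) return rc;
    buf += hdr;
    rc = tlv_header(buf, len, 0x80, &hdr, nonce_len);
    if (rc != PACE_OK) return rc;
    *nonce = buf + hdr;
    return PACE_OK;
}

/* The 20 response bytes copied from the npa-tool log in the question. */
const unsigned char logged_resp[20] = {
    0x00,0x02,0x7C,0x12,0x80,0x10,0xD1,0x0A,0x98,0xE5,
    0x3B,0xDC,0x7C,0xF5,0xDC,0xFA,0x58,0x60,0x24,0xBA };

/* Constructed well-formed response; the nonce bytes are made up. */
const unsigned char sample_resp[20] = {
    0x7C,0x12,0x80,0x10, 0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15 };

int main(void)
{
    const unsigned char *nonce; size_t nl;
    printf("logged, offset 0: %d\n", pace_parse_nonce(logged_resp, 20, &nonce, &nl));
    printf("logged, offset 2: %d\n", pace_parse_nonce(logged_resp + 2, 18, &nonce, &nl));
    printf("constructed:      %d\n", pace_parse_nonce(sample_resp, 20, &nonce, &nl));
    return 0;
}
```

On the logged bytes the check fails at offset 0 with a wrong tag (0x00 instead of 0x7C), and the 0x7C template that does appear at offset 2 declares 18 bytes while only 16 remain in the buffer.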

2 Answers

2

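> It makes me think that it might be some custom extension, but as opensc is under LGPL, its sources should also be provided, right?

Yes, you are right, this C_SetCAN seems to be a vendor-defined extension method. If the PKCS#11 library distributed by your government is based on OpenSC code licensed under LGPL 2.1, then they must provide the source code with all changes. IMO all you have to do is ask for it. Have you?

answered 2019-10-21T16:17:20.570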
0

The CAN number is printed on the e-identity card. When I received the card, I had to enter the code on a PIN pad.

answered 2020-01-01T20:41:27.507