I'm working on Polish e-identity card which is protected by CAN code. It is required to provide this code to unlock the card and be able to list the tokens.
I'm not able to find any information about it.
When using official app https://www.gov.pl/web/e-dowod you are prompted for this number after inserting the card.
According to logs, mysterious function C_SetCAN
from e-dowod-pkcs11-64.so
is invoked. It is not documented in http://docs.oasis-open.org/pkcs11/pkcs11-base/v2.40/pkcs11-base-v2.40.html and also not present in https://github.com/OpenSC/OpenSC/blob/master/src/pkcs11/pkcs11-global.c#L320 where it should be according to the logs
0x7f9bca95c700 23:18:32.251 [opensc-pkcs11] pkcs11-global.c:320:C_SetCAN: C_SetCAN(0x5)
0x7f9bca95c700 23:18:32.251 [opensc-pkcs11] pkcs11-global.c:329:C_SetCAN: C_SetCAN() get slot rv 0
It make me thing that it might be some custom extension, but as opensc is on LGPL, sources of it should also be provided, right?
When I've tried to break on it with gdb
, but I've landed in:
#0 0x00007fffeadd5b70 in C_SetCAN () from /opt/e-dowod/e-dowod-pkcs11-64.so
#1 0x000000000041d49c in ?? ()
#2 0x0000000000418907 in ?? ()
#3 0x00000000004199bc in ?? ()
#4 0x000000000041ed58 in ?? ()
#5 0x00007ffff686e0e1 in QObject::event(QEvent*) () from /opt/e-dowod/./libQt5Core.so.5
#6 0x00007ffff7691e2c in QApplicationPrivate::notify_helper(QObject*, QEvent*) () from /opt/e-dowod/./libQt5Widgets.so.5
Why there is no caller and arguments information?
I've also tried to use https://github.com/OpenSC/OpenSC/blob/master/src/tools/npa-tool.c which seems to have desired functionality, but quite probably without success.
P:91478; T:0x140627504822080 17:59:48.916 [npa-tool] sm-eac.c:643:eac_gen_auth_1_encrypted_nonce:
General authenticate (Encrypted Nonce) response data (20 bytes):
00 02 7C 12 80 10 D1 0A 98 E5 3B DC 7C F5 DC FA ..|.......;.|...
58 60 24 BA X`$.
P:91478; T:0x140627504822080 17:59:48.917 [npa-tool] sm-eac.c:647:eac_gen_auth_1_encrypted_nonce: Could not parse general authenticate response data.
P:91478; T:0x140627504822080 17:59:48.917 [npa-tool] sm-eac.c:648:eac_gen_auth_1_encrypted_nonce: error:0D0680A8:asn1 encoding routines:asn1_check_tlen:wrong tag
P:91478; T:0x140627504822080 17:59:48.917 [npa-tool] sm-eac.c:648:eac_gen_auth_1_encrypted_nonce: error:0D07803A:asn1 encoding routines:asn1_item_embed_d2i:nested asn1 error
P:91478; T:0x140627504822080 17:59:48.917 [npa-tool] sm-eac.c:648:eac_gen_auth_1_encrypted_nonce: error:0D08303A:asn1 encoding routines:asn1_template_noexp_d2i:nested asn1 error
P:91478; T:0x140627504822080 17:59:48.917 [npa-tool] sm-eac.c:1176:perform_pace: Could not get encrypted nonce from card (General Authenticate step 1 failed).
P:91478; T:0x140627504822080 17:59:48.917 [npa-tool] sm-eac.c:1364:perform_pace: returning with: -1400 (Internal error)
It make me thing that it might be some custom extension, but as opensc is on LGPL, sources of it should also be provided, right?
Yes, you are right that C_SetCAN
seems to be vendor defined extension method. If PKCS#11 library distributed by your government is based on LGPL 2.1 licensed OpenSC code, then they have to provide source code with all the changes. IMO all you have to do is to ask for it. Did you?