Develop Reference

Reset OpenCryptoki SW Token

I build open cryptoki library from source and try to initialize the software token.
but when running pkcsconf -I -c 3 for initializing the token, I get the following Error message:
Enter the SO PIN:
Enter a unique token label: poef
Error initializing token: 0xA4 (CKR_PIN_LOCKED)
The token Info looks like this:
$ pkcsconf -t
Token #3 Info:
Label: IBM OS PKCS#11
Manufacturer: IBM Corp.
Model: IBM SoftTok
Serial Number: 123
Flags: 0xD80045 (RNG|LOGIN_REQUIRED|CLOCK_ON_TOKEN|USER_PIN_TO_BE_CHANGED|SO_PIN_COUNT_LOW|SO_PIN_LOCKED|SO_PIN_TO_BE_CHANGED)
Sessions: 0/18446744073709551614
R/W Sessions: 18446744073709551615/18446744073709551614
PIN Length: 4-8
Public Memory: 0xFFFFFFFFFFFFFFFF/0xFFFFFFFFFFFFFFFF
Private Memory: 0xFFFFFFFFFFFFFFFF/0xFFFFFFFFFFFFFFFF
Hardware Version: 1.0
Firmware Version: 1.0
Time: 08:07:03
So as I understand I should reset the Software Token, to get a default SO PIN and could initialize the token, to use it. But I cannot find anything about that in the official docs.

To reset everything, you have to delete the content of /var/opencryptoki/swtok

Have you seen this page https://www.ibm.com/support/knowledgecenter/en/linuxonibm/com.ibm.linux.z.lxce/lxce_initializing_ep11token.html
I have no familiarity with this specific SW P11 implementation but the command sequence here seems to make sense.
The default pin is 12345678, you would want to change that, initialize the user pin, change that. Theory being that in that sequence you wont be locked.

Why java SIM card secure channel returns "do not match"?

I'm trying to install an applet on a SIM card wich supports java card V3.0.4. When I try to establish a secure channel to load the applet, the card returns an error:
mode_211
enable_trace
establish_context
card_connect
select -AID A000000151000000
Command --> 00A4040008A000000151000000
Wrapped command --> 00A4040008A000000151000000
Response <-- 6F108408A000000151000000A5049F6501FF9000
open_sc -security 1 -keyind 0 -keyver 0 -mac_key 79AA24D80FF0056101F1D9AB6DCAF0E6
-enc_key 79AA24D80FF0056101F1D9AB6DCAF0E6
Command --> 80CA006600
Wrapped command --> 80CA006600
Response <-- 664A734806072A864886FC6B01600B06092A864886FC6B020202630906072A86488
6FC6B03640B06092A864886FC6B048000640B06092A864886FC6B040255640B06092A864886FC6B0
481079000
Command --> 8050000008F05E65BF5254BC9F00
Wrapped command --> 8050000008F05E65BF5254BC9F00
Response <-- 00005147A5190C5352322002001C1F47B6C76BABFD305EBBC2CD1BB39000
mutual_authentication() returns 0x8030F00A (The Secure Channel Protocol passed and reported do not match.)
I'm using GPShell-1.4.4. I guess the problem is using wrong key set! Am I true or there is something else I cannot guess what?!
Thanks for your response,

(I am partly reusing an answer I wrote for your previous question which you suddenly deleted)
Error code GP211_ERROR_INCONSISTENT_SCP means that GPShell's intended SCP version mismatches with the real SCP version given by the card (see here).
Check the 12th byte of card response to INITIALIZE UPDATE -- Secure Channel Protocol identifier (see e.g. GP Card Specification 2.3, section E5.1.6) and use parameter -scp.
Alternatively you might want to use GlobalPlatformPro as GPShell is quite outdated...
Beware that you can block your card by issuing multiple INITIALIZE UPDATE commands without successful authentication!
As your current question contains the complete log it is possible to parse the Card Data tag giving (according to GP 2.2.1):
66 Card Data
73 Card Recognition Data / Discretionary Data Objects
06 OID
2A864886FC6B01 {globalPlatform 1} // Card Recognition Data
60 Application Tag 0
06 OID
2A864886FC6B020202 {globalPlatform 2 2 2} // GP 2.2 Card
63 Application Tag 3
06 OID
2A864886FC6B03 {globalPlatform 3} // Card Identification Scheme
64 Application Tag 4
06 OID
2A864886FC6B048000 {globalPlatform 4 128 0x00} // SCP80 i=0x00
64 Application Tag 4
06 OID
2A864886FC6B040255 {globalPlatform 4 2 0x55} // SCP02 i=0x55
64 Application Tag 4
06 OID
2A864886FC6B048107 {globalPlatform 4 129 0x07} // SCP81 i=0x07
So you might want to use -scp 2 -scpimpl 0x55 or -scp 2 -scpimpl 85 (which happens to be the same).
Or use GlobalPlatformPro.
Alternatively -scpimpl 0x15 should work as well as the Well-known pseudo-random algorithm
(card challenge) bit in 'i' should not matter...
Good luck!

How to change applet's privilege and the card Historical Bytes?

I already thought that changing Historical bytes is limited to Pre-Personalization step. But, I found a method named setATRHistBytes in the GlobalPlatform APIs today.
This is its description(GlobalPlatform 2.2 Page 172) :
setATRHistBytes
public static boolean setATRHistBytes(byte[] baBuffer, short sOffset, bytebLength)
For contact cards according to ISO/IEC 7816-4 and Type A contactless cards according to ISO/IEC 14443-3, this method sets the historical bytes. The sequence of bytes will be visible on a subsequent power-up or reset.
Notes:
• The OPEN locates the entry of the current applet context in the GlobalPlatform Registry and verifies that the Application has the Card Reset privilege for the current card I/O interface;
• The OPEN is responsible for synchronizing the length of historical bytes in Format Character T0 of the ATR.
Parameters:
baBuffer - the source byte array containing the historical bytes. Must be a global array.
sOffset - offset of the historical bytes within the source byte array.
bLength - the number of historical bytes.
Returns:
true if historical bytes set, false if the Application does not have the required privilege
Now I want to change the Historical Bytes of my card. So I wrote the below program and convert it to its cap file successfully :
... /imports
public class HistoricalBytesChanger extends Applet {
public static byte[] state = { (byte) 0, (byte) 0 };
public static byte[] HistByteArray = { (byte) 0x01, (byte) 0x02,
(byte) 0x03, (byte) 0x04, (byte) 0x05, (byte) 0x06, (byte) 0x07,
(byte) 0x08, (byte) 0x09, (byte) 0x0a };
public static void install(byte[] bArray, short bOffset, byte bLength) {
new HistoricalBytesChanger().register(bArray, (short) (bOffset + 1), bArray[bOffset]);
}
public void process(APDU apdu) {
if (selectingApplet()) {
return;
}
byte[] buf = apdu.getBuffer();
switch (buf[ISO7816.OFFSET_INS]) {
case (byte) 0x00:
GPSystem.setATRHistBytes(HistByteArray, (short) 0, (byte) 10);
HistByteArray[0] = (byte) (HistByteArray[0] + 1);
break;
default:
ISOException.throwIt(ISO7816.SW_INS_NOT_SUPPORTED);
}
}
}
As you see above it is written in way that assign 0102030405060708090A to Historical Bytes on reception of any APDU command with INS=0X00.
The problem is I don't have any idea how to set Card Reset privilege to this applet. I know that I must specify the privilege in the installation step, but I don't know how! Normally I upload my applets using GlobalPlatformPro tool. In the parameters that it support I couldn't see any related parameter :
E:\GP> gp -h
Option Description
------ -----------
-V, --version Show information about the program
-a, --apdu Send raw APDU (hex)
--all Work with multiple readers
--applet <AID> Applet AID
--cap <File> Use a CAP file as source
--create <AID> Create new instance of an applet
-d, --debug Show PC/SC and APDU trace
--default Indicate Default Selected privilege
--delete [AID] Delete something
--deletedeps Also delete dependencies
--dump <File> Dump APDU communication to <File>
--emv Use EMV diversification
--enc <GPKeySet$GPKey> Specify ENC key
-h, --help Shows this help string
-i, --info Show information
--install [File] Install applet(s) from CAP
--instance <AID> Instance AID
--kek <GPKeySet$GPKey> Specify KEK key
--key <GPKeySet$GPKey> Specify master key
--keyid <Integer> Specify key ID
--keyver <Integer> Specify key version
-l, --list List the contents of the card
--load <File> Load a CAP file
--lock <GPKeySet> Set new key
--lock-applet <AID> Lock specified applet
--mac <GPKeySet$GPKey> Specify MAC key
--make-default <AID> Make AID the default
--mode <GlobalPlatform$APDUMode> APDU mode to use (mac/enc/clr)
--new-keyver <Integer> key version for the new key
--nofix Do not try to fix PCSC/Java/OS issues
--package <AID> Package AID
--params Installation parameters
-r, --reader Use specific reader
--reinstall Remove card content during installation
--relax Relaxed error checking
--replay <File> Replay APDU responses from <File>
-s, --secure-apdu Send raw APDU (hex) via SCP
--scp <Integer> Force the use of SCP0X
--sdaid <AID> ISD AID
--sdomain Indicate Security Domain privilege
--terminate Indicate Card Lock+Terminate privilege
--uninstall <File> Uninstall applet/package
--unlock Set default key
--unlock-applet <AID> Lock specified applet
-v, --verbose Be verbose about operations
--virgin Card has virgin keys
--visa2 Use VISA2 diversification
E:\GP>
Note that I installed the applet normally, but while it return 0x9000 in reception of that command, it can't change Historical Bytes and I need to set the Card Reset privilege to my applet :
OpenSC: osc -a
Using reader with a card: ACS CCID USB Reader 0
3b:68:00:00:00:73:c8:40:12:00:90:00
OpenSC: osc -s 00A4040006010203040101 -s 00000000
Using reader with a card: ACS CCID USB Reader 0
Sending: 00 A4 04 00 06 01 02 03 04 01 01
Received (SW1=0x90, SW2=0x00)
Sending: 00 00 00 00
Received (SW1=0x90, SW2=0x00)
OpenSC: osc -a
Using reader with a card: ACS CCID USB Reader 0
3b:68:00:00:00:73:c8:40:12:00:90:00
OpenSC:
Questions:
1- How can I change/set the privilege of my applet?
2- Why the card return 0x9000 on reception of 0x00 0x00 x00 0x00? (I expect it to return an exception, because it is mentioned in description of setATRHistBytes that this method returns false in cases that applet privilege is not Card Reset)

The reset privilege was known before as the default selected privilege. This means you can just use the --default switch for your card - the same bit it flipped in the INSTALL for INSTALL privilege bytes if you do that.
Sometimes a card expects a cold reset (i.e. removing the card from the field or terminal) before the change in ATR bytes is communicated. This can also be a reader problem - not all readers perform a reset when reconnected, or they may cache the ATR bytes.

To set card reset privilege to an applet you need to set bit3 of first privilege byte in Install and make selectable command of the applet. If the applet is only being installed and not made selectable with the same INSTALL command the Card Reset privilege cannot be set
Actually if the card is GP201/GP211 compliance then we refer Card Reset privilege as Default Selected privilege.
If Default Selected privilege is set in GP201/GP211 compliance card then it provides two functionalities to the applet as:
The applet can modify the historical bytes
The applet will be default selected applet on basic logical channel after cold reset.
If Card Reset privilege is set in GP22 or above version of compliance card then it provides following functionalities to the applet as:
The applet can modify the historical bytes
The applet can be implicit selectability on basic logical channel if it has not been awarded to another Application by setting implicit selectable parameters to tat applet.

SensorTag, detect pressed buttons using gatttool

I would like to detect if a botton is pushed on my SensorTag using the gatttool, but I'm not able to do that.
In http://processors.wiki.ti.com/index.php/SensorTag_User_Guide TI reports that in order to read the pressed buttons, you should:
1) Enable test mode by writing the value 0x80 to the AA62 (CONFIGURATION) attribute.
I did that with the command:
[CON][BC:6A:29:AE:CD:E5][LE]> char-write-req 0x67 80
[CON][BC:6A:29:AE:CD:E5][LE]> Characteristic value was written successfully
Now I should be in test mode, and:
2) Enable Simple keys notification
Looking at the http://processors.wiki.ti.com/index.php/File:BLE_SensorTag_GATT_Server.pdf
and at the bluepy lib it seems I've to write 0100 in 0x60 for doing that. But
[CON][BC:6A:29:AE:CD:E5][LE]> char-write-req 0x60 0100
[CON][BC:6A:29:AE:CD:E5][LE]> Characteristic Write Request failed: Attribute can't be written
I observed that 0x61 is writtable and accept the value 0100, but I'm still not able to
detect if a key is pressed.
Any suggestion?

That PDF document may be out of date... I just tried using gatttool on my SensorTag and got button notifications with the following command: char-write-req 0x6c 0100
I'd stick with just the TI wiki for the SensorTag as it's probably more likely to be kept up-to-date. The wiki says you only need to do that "test mode" step if you want to get notifications when the side button is pressed (because normally it just activates the advertising).
Also, you probably have to figure out what handle to use on your specific device as every firmware will cause the handles to move around. What shouldn't change between firmwares is the UUID. Try the primary and characteristics commands in gatttool to get the details of the services on the device.
My primary showed this:
attr handle: 0x005e, end grp handle: 0x0068 uuid: f000aa50-0451-4000-b000-000000000000
attr handle: 0x0069, end grp handle: 0x006d uuid: 0000ffe0-0000-1000-8000-00805f9b34fb
attr handle: 0x006e, end grp handle: 0x0074 uuid: f000aa60-0451-4000-b000-000000000000
ffe0 is the UUID of the simple key service (though the wiki says it's f000ffe0, it's not on mine). So, all the handles you want to look at are from 0x69 to 0x6d
char-read-uuid 0x2902 0x69 0x6d will show all CCC (Client Characteristic Configuration) in that range:
handle: 0x006c value: 01 00
Setting that handle to 0100 will turn on notifications for that service.

Confusion with snmp trap

I am new to snmp and after some readings I have 2 questions:-
1) Does net-snmp AUTOMATICALLY sends trap when we configure agent's snmpd.conf file with directives like trapsink, monitor, etc. for inbuilt OIDs like cpu and disk??
I am asking because I am trying to send a trap when cpu goes beyond 90%.
My agent and master are on the same linux box.
My snmptrad.conf file:-
authCommunity log aaa
authCommunity log public
My snmpd.conf file (removing extra comment lines):-
master agentx com2sec notConfigUser default public
group notConfigGroup v1 notConfigUser group
notConfigGroup v2c notConfigUser
view systemview included .1.3.6.1.2.1.1 view systemview
included .1.3.6.1.2.1.25.1.1 view all included .1 view mib2
included .iso.org.dod.internet.mgmt.mib-2 fc
access notConfigGroup "" any noauth exact systemview
none none
createUser internalMonitoringName SHA mysecretpassword AES rouser
internalMonitoringName iquerySecName internalMonitoringName
com2sec local localhost aaa
com2sec net-27 10.0.0.0/8 aaa
com2sec net-46 10.9.46.0/24 aaa
com2sec net-60 10.9.60.0/24 aaa
com2sec net-10 10.20.0.0/16 aaa
group MyRWGroup any local
group MyROGroup any net-27
group MyROGroup any net-46
group MyROGroup any net-60
group MyROGroup any net-10
access MyROGroup "" any noauth 0 all none none
access MyRWGroup "" any noauth 0 all mib2 mib2
syslocation "Somewhere in testlab"
syscontact Root root#localhost
dontLogTCPWrappersConnects yes
trap2sink localhost aaa
monitor -r 30 machineTooBusy hrProcessorLoad > 90
When I run some process to increase cpu load, the cpu load goes beyond 90% (I can see that in top command) but I can't see the trap message in /var/log/messages.
What I am doing wrong here?
2) Also, my next question is, if I have a custom MIB file for which I have wrtten an agent, Can I add the variable/OID from that custom MIB with "monitor" directive in snmpd.conf file to send trap AUTOMATICALLY? OR I must send trap from within my agent???
Please help on my confusion...

No, it doesn't send anything automatically. You have two steps to follow:
1) define where you want to send traps or informs. That's what the trapsink and similar lines do.
2) then define what you want sent. That's what the monitor and similar directives do. The monitor directive can be used to monitor just about anything, including your own custom MIB variables.
When you include both of these, then it'll send out traps automatically (by doing internal monitoring, and then sending a trap to each configured trapsink or other destination).