pinpad entry support in Git repository

Martin Paljak martin at martinpaljak.net
Wed Jan 11 10:01:03 CET 2012


Hello,

On Thu, Jan 5, 2012 at 03:37, NIIBE Yutaka <gniibe at fsij.org> wrote:
> Happy New Year, everyone!
>
> On 2011-12-19 at 12:59 +0900, NIIBE Yutaka wrote:
>> Thus, I wrote a python script.  Attached is a program which tests PIN
>> entry using pinpad of card reader.  It requires "Pyscard", smartcard
>> library for python.  See http://pyscard.sourceforge.net/ for Pyscard.
>>
>> This test program assumes that OpenPGP card v2 is inserted to it.
>
> I updated the test program for pinpad entry.  It is also renamed (with
> no hyphen in the filename).  Attached is the newest version, which is
> also available at:
>
>   http://www.gniibe.org/gitweb?p=gnuk.git;a=blob;f=tool/pinpadtest.py
>
> It is extensively tested with Vasco DIGIPASS 920.  Note that the
> reader has a firewall feature which doesn't allow VERIFY or CHANGE
> REFERENCE DATA command with data from host, but only allows pinpad
> entry by the reader.  With no pinpad entry support, this reader would
> be completely useless.  It works well except --unblock --admin.
>
> I also tested with Gemalto's GemPC PinPad Smart Card Reader
> (08e6:3478) which has the firmware "GemTwRC2-V2.10-GL04".
> Unfortunately, it seems that this reader doesn't support variable
> length PIN.
>
> Please test your readers, if they come with pinpad.  And let me know
> the result.  Thanks again, in advance.

Did some testing with three readers that were not mentioned, which I
had available. Attached a small "report".
Reader 1: ACS non-CCID reader ACR83, with the vendor-provided modified
CCID driver. Did not work at all.
Reader 2: Gemalto Ezio Shield (variant): PIN commands worked as
expected (with pinmax up to 32, I did not type 32 digits though),
plaintext PIN commands were disallowed with 6d00.
Reader 3: Omnikey 3821: worked as expected with pinpad.

Also a small patch against pinpadtest.py as I have several readers I
can't disconnect.

It might make sense to make a "probing script" that would discover
deficiencies in reader firmwares (like requiring certain message bits
(some of them are fixed in the CCID driver) or requiring fixed PIN
lengths etc).

Hope this helps,

Martin
-------------- next part --------------
Bus 002 Device 052: ID 072f:90d2 Advanced Card Systems, Ltd 
some ACS reader with their modified CCID driver. Does not work, do not
fiddle with properties.

$ ./pinpadtest.py
Reader/Token: ACS ACR83U 01 00
ATR: 3B DA 18 FF 81 B1 FE 75 1F 03 00 31 C5 73 C0 01 40 00 90 00 0C
Please input User's PIN
Traceback (most recent call last):
  File "./pinpadtest.py", line 340, in <module>
    main(who, method, add_a_byte, pinmin, pinmax, change_by_two_steps)
  File "./pinpadtest.py", line 209, in main
    card.cmd_verify_pinpad(who)
  File "./pinpadtest.py", line 123, in cmd_verify_pinpad
    raise ValueError, ("cmd_verify_pinpad %02x %02x" % (sw1, sw2))
ValueError: cmd_verify_pinpad 6b 80

Bus 002 Device 054: ID 08e6:34c2 Gemplus 
Gemplus Ezio Shield (might be a development snapshot)
pinpad works as expected, 6d00 means "firewalled"

./pinpadtest.py --unblock2
Reader/Token: Gemalto Ezio Shield PinPad 01 00
ATR: 3B DA 18 FF 81 B1 FE 75 1F 03 00 31 C5 73 C0 01 40 00 90 00 0C
Please input reset code from keyboard: 
Please input New User's PIN from keyboard: 
Traceback (most recent call last):
  File "./pinpadtest.py", line 340, in <module>
    main(who, method, add_a_byte, pinmin, pinmax, change_by_two_steps)
  File "./pinpadtest.py", line 236, in main
    card.cmd_reset_retry_counter(who,resetcode+newpin)
  File "./pinpadtest.py", line 164, in cmd_reset_retry_counter
    raise ValueError, ("cmd_reset_retry_counter %02x %02x" % (sw1, sw2))
ValueError: cmd_reset_retry_counter 6d 00

Bus 002 Device 055: ID 076b:3821 OmniKey AG CardMan 3821
Works as expected:
 $ ./pinpadtest.py --change --pinmax 31 --pinmin 1
Reader/Token: OmniKey CardMan 3821 01 00
ATR: 3B DA 18 FF 81 B1 FE 75 1F 03 00 31 C5 73 C0 01 40 00 90 00 0C
Please input User's PIN
and New User's PIN twice
OK.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-pinpadtest-allow-working-with-more-than-a-single-con.patch
Type: text/x-patch
Size: 1097 bytes
Desc: not available
URL: </pipermail/attachments/20120111/c3f1f181/attachment-0001.bin>
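
Added example (not part of the original message and not code from pinpadtest.py): a short Python script that summarizes pinpadtest.py transcripts like the ones in the report above, so that a pinpad failure is kept apart from a host-supplied PIN that the reader refused with 6d00. The sample is shortened from that report; the verdict names, and the rule that a function name ending in "_pinpad" marks the pinpad path, are assumptions made for this example.

```python
import re

# Shortened from the report above (traceback frames and ATR lines dropped).
SAMPLE = """\
$ ./pinpadtest.py
Reader/Token: ACS ACR83U 01 00
Please input User's PIN
ValueError: cmd_verify_pinpad 6b 80

./pinpadtest.py --unblock2
Reader/Token: Gemalto Ezio Shield PinPad 01 00
Please input reset code from keyboard: 
ValueError: cmd_reset_retry_counter 6d 00

 $ ./pinpadtest.py --change --pinmax 31 --pinmin 1
Reader/Token: OmniKey CardMan 3821 01 00
Please input User's PIN
OK.
"""

RUN = re.compile(r"^\s*(?:\$\s*)?\./pinpadtest\.py(.*)$")
READER = re.compile(r"^Reader/Token: (.+)$")
FAIL = re.compile(r"^ValueError: (cmd_\w+) ([0-9a-fA-F]{2}) ([0-9a-fA-F]{2})$")

def summarize(report):
    """Return one dict per pinpadtest.py run found in the transcript."""
    runs, cur = [], None
    for line in report.splitlines():
        m = RUN.match(line)
        if m:  # a new invocation starts a new record
            cur = {"options": m.group(1).split(), "reader": None,
                   "keyboard": False, "sw": None, "verdict": "incomplete"}
            runs.append(cur)
        elif cur is None:
            continue
        elif READER.match(line):
            cur["reader"] = READER.match(line).group(1)
        elif "from keyboard" in line:  # PIN typed on the host, not the pinpad
            cur["keyboard"] = True
        elif line.strip() == "OK.":
            # A host-typed PIN that succeeds means the reader did not block it.
            cur["verdict"] = "host-pin-accepted" if cur["keyboard"] else "pinpad-ok"
        elif FAIL.match(line):
            cmd, sw1, sw2 = FAIL.match(line).groups()
            cur["sw"] = (sw1 + sw2).lower()
            if cmd.endswith("_pinpad"):  # assumption: naming marks the pinpad path
                cur["verdict"] = "pinpad-failed"
            elif cur["sw"] == "6d00" and cur["keyboard"]:
                cur["verdict"] = "host-pin-blocked"  # the report's "firewalled"
            else:
                cur["verdict"] = "failed"
    return runs
```

Calling summarize(SAMPLE) gives one record per reader; "host-pin-blocked" is the outcome the report treats as the reader's firewall doing its job, while "pinpad-failed" is the case that needs a look at the driver or firmware.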

