pkcs15-init --create-pkcs15 returns [Unsupported INS byte in APDU] #1437

Closed
code-with-amitk opened this issue Jul 24, 2018 · 5 comments
code-with-amitk commented Jul 24, 2018

Problem Description

Using smart card Atos CardOS V5.3 and a Gemalto USB reader

$ pkcs15-init --create-pkcs15
Using reader with a card: Gemalto PC Twin Reader 00 00
New Security Officer PIN (Optional - press return for no PIN).
Please enter Security Officer PIN:
Failed to create PKCS #15 meta structure: Unsupported INS byte in APDU

This means the card is connected and the driver is found.

$ pkcs15-init --create-pkcs15 -vvvvv
https://gist.github.com/amitkumar50/ef2d4601b6af3ec56597915788d088f3

iso7816.c:555:iso7816_select_file: returning with: -1204 (Unsupported INS byte in APDU)
#define SC_ERROR_INS_NOT_SUPPORTED -1204

How do I enroll a cert and key using pkcs15-init?
What is the meaning of unsupported instruction code in APDU?

Proposed Resolution

None at the moment

Logs

https://gist.github.com/amitkumar50/ef2d4601b6af3ec56597915788d088f3

@frankmorgner
Member

In #1434 you've stated that this card is not supported. That may explain the problem...

@Jakuje do we have support for CardOS 5.3?

@Jakuje
Member

Jakuje commented Jul 24, 2018

We have support for reading enrolled CardOS 5.3 cards, but not for enrolling them. Enrolling would need cardos-tool, which lacks support for CardOS 5+ because of problems with license/NDA with Siemens/Atos: #283

@code-with-amitk
Author

Hello @Jakuje I added master...Jakuje:cardos-tokeninfo-ecc to my local build.
$ /usr/local/bin/pkcs11-tool -L
Available slots:
Slot 0 (0x0): Amit matched: Siemens CardOS
Gemalto PC Twin Reader 00 00
token state: uninitialized

$ /usr/local/bin/cardos-tool -i -v
Using reader with a card: Gemalto PC Twin Reader 00 00
Connecting to card in reader Gemalto PC Twin Reader 00 00...
Using card driver Siemens CardOS.
Card ATR:
3B D2 18 00 81 31 FE 58 C9 03 16 ;....1.X...
Info : CardOS V5.3, 2014
Serial number: 02 05 a1 55 00 19 16 31
OS Version: 201.3 (that's CardOS V5.3)
Current life cycle: 52 (manufacturing)
Security Status of current DF:
Free memory : 13315
ATR Status: 0x0 ROM-ATR
Packages installed:
Ram size: 7, Eeprom size: 83, cpu type: 78, chip config: 63, chip manufacturer: 5
Free eeprom memory: 84826
Current Maximum Data Field Length: 384
Complete chip production data:
CC 78 33 CE 01 00 01 00 0E 00 00 01 0B 02 00 00 .x3.............
00 00 00 00 00 00 00 61 75 38 30 FF FF FF FF 78 .......au80....x
01 51 41 78 05 16 07 00 00 83 12 05 E7 55 21 02 .QAx.........U!.
01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 ............
System keys: PackageLoadKey (version 0x00, retries 10)
System keys: StartKey (version 0x00, retries 10)
Some error occurred. Use '-v' several times to enable debug output.

But I cannot enroll with pkcs15-init:
$ /usr/local/bin/pkcs15-init --create-pkcs15
Using reader with a card: Gemalto PC Twin Reader 00 00
New Security Officer PIN (Optional - press return for no PIN).
Please enter Security Officer PIN:
Failed to create PKCS #15 meta structure: Unsupported INS byte in APDU

What changes should be done to enroll it?

@Jakuje
Member

Jakuje commented Jul 30, 2018

These commits are already merged in master. You don't need to merge them again. The output confirms that the detected card really is a CardOS 5.3 card.

I have no idea how to enroll this card. I have only enrolled cards that I can confirm work as expected. You should probably check with the vendor/shop whether they can provide you with some guidance or a specification. Based on that, we can have a look at what the missing bits for enrolling are, but I don't want to promise anything.
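
The ATR printed by cardos-tool earlier in the thread, decoded per ISO/IEC 7816-3 to show what the card announces about itself. This is an added example, not part of the thread and not OpenSC code; `PAGE_ATR`, `struct atr_info` and `atr_parse` are names made up for it.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* ATR exactly as printed by cardos-tool in the thread. */
static const uint8_t PAGE_ATR[] = {
    0x3B, 0xD2, 0x18, 0x00, 0x81, 0x31, 0xFE, 0x58, 0xC9, 0x03, 0x16 };

/* Decoded ATR; struct and field names are this example's own. */
struct atr_info {
    unsigned protocols;        /* bit n set => protocol T=n is offered */
    size_t hist_off, hist_len; /* position and count (K) of historical bytes */
    int tck_present, tck_ok;   /* TCK required unless only T=0; XOR check */
};

/* Parse an ISO/IEC 7816-3 ATR. Returns 0 on success, -1 if malformed. */
int atr_parse(const uint8_t *atr, size_t len, struct atr_info *out)
{
    if (len < 2 || (atr[0] != 0x3B && atr[0] != 0x3F))
        return -1;                   /* TS must be direct or inverse */
    size_t i = 1;
    uint8_t td = atr[i++];           /* T0: Y1 in high nibble, K in low */
    out->hist_len = td & 0x0F;
    out->protocols = 0;
    for (;;) {
        uint8_t y = td >> 4;         /* which of TAi TBi TCi TDi follow */
        i += (y & 1) + ((y >> 1) & 1) + ((y >> 2) & 1);
        if (!(y & 8)) break;         /* no TDi: interface bytes end here */
        if (i >= len) return -1;
        td = atr[i++];
        out->protocols |= 1u << (td & 0x0F);
    }
    if (out->protocols == 0) out->protocols = 1;   /* no TD1: T=0 only */
    out->tck_present = (out->protocols & ~1u) != 0;
    out->hist_off = i;
    size_t end = i + out->hist_len + (out->tck_present ? 1 : 0);
    if (end > len) return -1;        /* truncated ATR */
    uint8_t x = 0;
    for (size_t k = 1; k < end; k++) x ^= atr[k];
    out->tck_ok = out->tck_present ? (x == 0) : 1;
    return 0;
}

int main(void)
{
    struct atr_info a;
    if (atr_parse(PAGE_ATR, sizeof PAGE_ATR, &a) != 0) return 1;
    printf("protocols=0x%x hist=%02X %02X tck_ok=%d\n", a.protocols,
           PAGE_ATR[a.hist_off], PAGE_ATR[a.hist_off + 1], a.tck_ok);
    return 0;
}
```

For this ATR the parser reports T=1 only, a valid check byte, and the two historical bytes C9 03, which are 201 and 3 in decimal, the same numbers as the "OS Version: 201.3" line in the cardos-tool output.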

@frankmorgner
Member

Closing this issue due to inactivity. Please re-open the ticket if more input is available.
