SE050 VerifySessionUserID APDU returns SW 6B00 error

krisztian_stancz · ‎06-16-2021

Hi,

I'm trying to open a session with a previously added user id on SE050 (OM-SE050ARD board), but when it comes to the VerifySessionUserID APDU, it returns a 6B00 error: Wrong parameter(s) P1-P2.

The APDU header is constructed according to AN12413 section 4.5.2.1. I've also double checked the values in the MW source code (se05x_enums.h) and they seem to be identical.

CLA: 0x80, INS: MGMT (0x04), P1: P1_DEFAULT (0x00), P2: P2_SESSION_USERID (0x2C)

Am I missing something?

The transaction:

--- Select applet
C-APDU: 00 a4 04 00 10 a0 00 00 03 96 54 53 00 00 00 01 03 00 00 00 00 00
R-APDU: 03 01 00 6f ff 01 0b 90 00
--- ret: 0

--- Get version
C-APDU: 80 04 00 20 0b
R-APDU: 41 82 00 07 03 01 00 6f ff 01 0b 90 00
--- Version: 3.1.0
--- ret: 0

--- Create session
C-APDU: 80 04 00 1b 06 41 04 00 00 00 15 0c
R-APDU: 41 82 00 08 01 d5 5f 77 5c 04 cf c4 90 00
--- session id: 01 d5 5f 77 5c 04 cf c4
--- ret: 0

--- Verify session user id
C-APDU: 80 04 00 2c 08 41 06 75 73 65 72 31 00
R-APDU: 6b 00
--- user id: user1
--- ret: -6

Kan_Li · ‎06-20-2021

Hi @krisztian_stancz ,

You have to use a ProcessSessionCommand in which the VerifySessionUserID command is wrapped , just as shown in the section UserID session in the APDU spec .

Have a great day,
Kan

-------------------------------------------------------------------------------
Note:
- If this post answers your question, please click the "Mark Correct" button. Thank you!
- We are following threads for 7 weeks after the last post, later replies are ignored
Please open a new thread and refer to the closed one, if you have a related question at a later point in time.
-------------------------------------------------------------------------------

View solution in original post

krisztian_stancz · ‎06-21-2021

@Kan_Li

Thank you, that indeed solved it!

Well, that figure (and the other two as well) is a bit confusing. Appart from the typo (the APDU name should be ProcessSessionCmd), why does it talk about the MiddleWare, when this is an APDU specification?

Also, it contradicts to point 3.6.2 in the same document (page 21) which reads:

To open an (authenticated) applet session, a user must do the following:
1. Call CreateSession, passing an Authentication Object identifier as input and getting an 8-byte unique session identifier as response. At this point the session is not yet opened and commands should not be wrapped yet until authentication succeeded.
2. Depending on the type of Authentication Object, authentication needs to occur.
3. Once successfully authenticated, the session is opened. Commands sent within a session are wrapped in a ProcessSessionCmd APDU where the 1st argument is the session identifier and the 2nd argument is the APDU to be handled.

In my reading this means that ProcessSessionCmd should be only used after a plain VerifySessionUserID was successful. But obvisouly that is not the case. Maybe this should be better clarified.

Kind regards,

Krisztian

Kan_Li · ‎06-20-2021

Hi @krisztian_stancz ,

You have to use a ProcessSessionCommand in which the VerifySessionUserID command is wrapped , just as shown in the section UserID session in the APDU spec .

Have a great day,
Kan

-------------------------------------------------------------------------------
Note:
- If this post answers your question, please click the "Mark Correct" button. Thank you!
- We are following threads for 7 weeks after the last post, later replies are ignored
Please open a new thread and refer to the closed one, if you have a related question at a later point in time.
-------------------------------------------------------------------------------