Feitian ePass2003 / Failed to erase card: Security status not satisfied

classic Classic list List threaded Threaded
5 messages Options
Reply | Threaded
Open this post in threaded view
|

Feitian ePass2003 / Failed to erase card: Security status not satisfied

Dirk-Willem van Gulik
Got quite a couple of ePass2003 tokens back from the field (some 12-15%) that fail reformatting with pkcs15-init -E; and give an error on the windows "format_tool_2003.exe” tool.

Any suggestions as to why this is ? They have been inited with a pkcs15+onepin without SO support and finalised before sent out to the field.

We’d like to get an idea as to what the issue is; and specifically would like to find out if this is a SW
or a HW issue/one which can be ‘caused’ by the end user.

Would anyone still have a copy of:

        http://www.gooze.eu/nl/forums/support/epass2003-recovery-tool
                http://download.gooze.eu/pki/feitian/epass-2003/fix_tool.tar.gz

stashed away somewhere ?

Dw.


------------------------------------------------------------------------------
Dive into the World of Parallel Programming The Go Parallel Website, sponsored
by Intel and developed in partnership with Slashdot Media, is your hub for all
things parallel software development, from weekly thought leadership blogs to
news, videos, case studies, tutorials and more. Take a look and join the
conversation now. http://goparallel.sourceforge.net/
_______________________________________________
Opensc-devel mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/opensc-devel
Reply | Threaded
Open this post in threaded view
|

Re: Feitian ePass2003 / Failed to erase card: Security status not satisfied

Douglas E Engert


On 3/20/2015 11:02 AM, [hidden email] wrote:

> Got quite a couple of ePass2003 tokens back from the field (some 12-15%) that fail reformatting with pkcs15-init -E; and give an error on the windows "format_tool_2003.exe” tool.
>
> Any suggestions as to why this is ? They have been inited with a pkcs15+onepin without SO support and finalised before sent out to the field.
>
> We’d like to get an idea as to what the issue is; and specifically would like to find out if this is a SW
> or a HW issue/one which can be ‘caused’ by the end user.
>
> Would anyone still have a copy of:
>
> http://www.gooze.eu/nl/forums/support/epass2003-recovery-tool
> http://download.gooze.eu/pki/feitian/epass-2003/fix_tool.tar.gz
>
> stashed away somewhere ?


No, But Google for  [Opensc-devel] ePass2003 custom so-pin profile

Sounds like there was a problem with an ACL when using one-pin, found around 8/22/2013.
Maybe you can contact the Gooze people directly, they may still have a copy of the fix_tool.



> Dw.
>
>
> ------------------------------------------------------------------------------
> Dive into the World of Parallel Programming The Go Parallel Website, sponsored
> by Intel and developed in partnership with Slashdot Media, is your hub for all
> things parallel software development, from weekly thought leadership blogs to
> news, videos, case studies, tutorials and more. Take a look and join the
> conversation now. http://goparallel.sourceforge.net/
> _______________________________________________
> Opensc-devel mailing list
> [hidden email]
> https://lists.sourceforge.net/lists/listinfo/opensc-devel
>

--

  Douglas E. Engert  <[hidden email]>


------------------------------------------------------------------------------
Dive into the World of Parallel Programming The Go Parallel Website, sponsored
by Intel and developed in partnership with Slashdot Media, is your hub for all
things parallel software development, from weekly thought leadership blogs to
news, videos, case studies, tutorials and more. Take a look and join the
conversation now. http://goparallel.sourceforge.net/
_______________________________________________
Opensc-devel mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/opensc-devel
Reply | Threaded
Open this post in threaded view
|

Re: Feitian ePass2003 / Failed to erase card: Security status not satisfied

Jaroslav Imrich
In reply to this post by Dirk-Willem van Gulik
On Fri, Mar 20, 2015 at 5:02 PM, <[hidden email]> wrote:
Would anyone still have a copy of:

        http://www.gooze.eu/nl/forums/support/epass2003-recovery-tool
                http://download.gooze.eu/pki/feitian/epass-2003/fix_tool.tar.gz

stashed away somewhere ?

Found it on the CD shipped by Gooze with ePass tokens and uploaded it for you [0].
If you don't trust this tool I've also captured its STDOUT [1] while ago when I was fixing my token. Output contains APDUs so it should be possible to write your own trusted "fix_tool".

[0] http://tmp.jimrich.sk/fix_tool.tar.gz
[1] http://tmp.jimrich.sk/fix_tool.txt

Regards, Jaroslav

------------------------------------------------------------------------------
Dive into the World of Parallel Programming The Go Parallel Website, sponsored
by Intel and developed in partnership with Slashdot Media, is your hub for all
things parallel software development, from weekly thought leadership blogs to
news, videos, case studies, tutorials and more. Take a look and join the
conversation now. http://goparallel.sourceforge.net/
_______________________________________________
Opensc-devel mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/opensc-devel
Reply | Threaded
Open this post in threaded view
|

Re: Feitian ePass2003 / Failed to erase card: Security status not satisfied

Dirk-Willem van Gulik

> On 21 Mar 2015, at 08:49, Jaroslav Imrich <[hidden email]> wrote:
>
> On Fri, Mar 20, 2015 at 5:02 PM, <[hidden email]> wrote:
> Would anyone still have a copy of:
>
>         http://www.gooze.eu/nl/forums/support/epass2003-recovery-tool
>                 http://download.gooze.eu/pki/feitian/epass-2003/fix_tool.tar.gz
>
> stashed away somewhere ?
>
> Found it on the CD shipped by Gooze with ePass tokens and uploaded it for you [0].
> If you don't trust this tool I've also captured its STDOUT [1] while ago when I was fixing my token. Output contains APDUs so it should be possible to write your own trusted "fix_tool".
>
> [0] http://tmp.jimrich.sk/fix_tool.tar.gz
> [1] http://tmp.jimrich.sk/fix_tool.txt. Thanks  that is most useful.

 I guess it is fair to assume that
       
         Enc APDU : 80 50 00 00 08 BF C3 29 11 C7 18 C3 40 1C
         SCardTransmit: Command successful.
         card response: 90 00

Would map to the CLA being 0x80 and then 0x50 as the INS code of the APDU, and p1, p2 being both 0. With a 2 byte reply expected (as the linux code seems to old for the ABI I have here).

Dw.


------------------------------------------------------------------------------
Dive into the World of Parallel Programming The Go Parallel Website, sponsored
by Intel and developed in partnership with Slashdot Media, is your hub for all
things parallel software development, from weekly thought leadership blogs to
news, videos, case studies, tutorials and more. Take a look and join the
conversation now. http://goparallel.sourceforge.net/
_______________________________________________
Opensc-devel mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/opensc-devel
Reply | Threaded
Open this post in threaded view
|

Re: Feitian ePass2003 / Failed to erase card: Security status not satisfied

Douglas E Engert


On 3/21/2015 9:39 AM, [hidden email] wrote:

>
>> On 21 Mar 2015, at 08:49, Jaroslav Imrich <[hidden email]> wrote:
>>
>> On Fri, Mar 20, 2015 at 5:02 PM, <[hidden email]> wrote:
>> Would anyone still have a copy of:
>>
>>          http://www.gooze.eu/nl/forums/support/epass2003-recovery-tool
>>                  http://download.gooze.eu/pki/feitian/epass-2003/fix_tool.tar.gz
>>
>> stashed away somewhere ?
>>
>> Found it on the CD shipped by Gooze with ePass tokens and uploaded it for you [0].
>> If you don't trust this tool I've also captured its STDOUT [1] while ago when I was fixing my token. Output contains APDUs so it should be possible to write your own trusted "fix_tool".
>>
>> [0] http://tmp.jimrich.sk/fix_tool.tar.gz
>> [1] http://tmp.jimrich.sk/fix_tool.txt. Thanks  that is most useful.
>
>   I guess it is fair to assume that
>
> Enc APDU : 80 50 00 00 08 BF C3 29 11 C7 18 C3 40 1C
> SCardTransmit: Command successful.
> card response: 90 00
>
> Would map to the CLA being 0x80 and then 0x50 as the INS code of the APDU, and p1, p2 being both 0. With a 2 byte reply expected (as the linux code seems to old for the ABI I have here).
>
> Dw.

It looks like the fix_tool is 32 bit, and is using openct rather then pcscd to talk to the card.

The first two APDU's in the text file are not wrapped.

The first is the same as the OpenSC card-epass2003.c gen_init_key() and using the same "random" number:
    static unsigned char g_random[8] = {
           0xBF, 0xC3, 0x29, 0x11, 0xC7, 0x18, 0xC3, 0x40
   };
(Note: Why is the g_random a constant? Should it be random?)

The response is not shown, which contains the keys the card wants to use for Secure Messaging.

The second is the same as the OpenSC card-epass2003.c verify_init_key() but the data does not match
a OpenSC debug.log from a epass2003 I have.

If you can't get the fix-tool to fix run (for example because you personalized the cards that change the default transport key)
You might be able to either use GDB on fix_tool to find the unencrypted APDUs as it wraps them.
Then modify the card-epass2003.c to do something similar to what fix_tool is doing.

Good luck.

>
>
> ------------------------------------------------------------------------------
> Dive into the World of Parallel Programming The Go Parallel Website, sponsored
> by Intel and developed in partnership with Slashdot Media, is your hub for all
> things parallel software development, from weekly thought leadership blogs to
> news, videos, case studies, tutorials and more. Take a look and join the
> conversation now. http://goparallel.sourceforge.net/
> _______________________________________________
> Opensc-devel mailing list
> [hidden email]
> https://lists.sourceforge.net/lists/listinfo/opensc-devel
>

--

  Douglas E. Engert  <[hidden email]>


------------------------------------------------------------------------------
Dive into the World of Parallel Programming The Go Parallel Website, sponsored
by Intel and developed in partnership with Slashdot Media, is your hub for all
things parallel software development, from weekly thought leadership blogs to
news, videos, case studies, tutorials and more. Take a look and join the
conversation now. http://goparallel.sourceforge.net/
_______________________________________________
Opensc-devel mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/opensc-devel