Is ePass2000-FT12 supported?

Is ePass2000-FT12 supported?

Kaiwang Chen-2
Hello,


I got an empty ePass2000, installed driver ePass2000-FT12
(http://www.epass.nl/download/ePass2000_FT12_Middleware_V1.20.zip),
and initialized it with ePass2012 PKI Initialization
Tool(http://www.epass.nl/download/ePass2000_FT12_Init_V1.2.zip).

Looks like it was detected by opensc-tool but not supported, according
to QuickStart(http://www.opensc-project.org/opensc/wiki/QuickStart), I
rechecked its absence from the list in
http://www.opensc-project.org/opensc/wiki/SupportedHardware.

C:\Program Files\OpenSC Project\OpenSC>opensc-tool -l
# Detected readers (pcsc)
Nr.  Card  Features  Name
0    Yes             Broadcom Corp Contacted SmartCard 0
1    Yes             FT SCR2000C 0
2    Yes             FT SCR2000C 1

C:\Program Files\OpenSC Project\OpenSC>opensc-tool -r2 -a
3f:0f:00:65:46:53:05:32:06:71:df:00:00:00:00:00:00

C:\Program Files\OpenSC Project\OpenSC>opensc-tool -r2 --name
Unsupported card

Then I read opensc may not understand vendor-initialized stick, so
tried to erase and it simply croaked.

C:\Program Files\OpenSC Project\OpenSC>pkcs15-init.exe -E
Using reader with a card: Broadcom Corp Contacted SmartCard 0
Failed to connect to card: Card not present


So is it one of the poorly supported, or am I missing something? The
bad news is I have to use ePass2000 rather than ePass3000. And I wish
I can use it with Firefox under both Windows and Linux, too.


Thanks,
kaiwang
_______________________________________________
opensc-user mailing list
[hidden email]
http://www.opensc-project.org/mailman/listinfo/opensc-user

Re: Is ePass2000-FT12 supported?

Martin Paljak-4

On Feb 18, 2011, at 5:11 PM, Kaiwang Chen wrote:
> Then I read opensc may not understand vendor-initialized stick, so
> tried to erase and it simply croaked.
Correct.


>
> C:\Program Files\OpenSC Project\OpenSC>pkcs15-init.exe -E
> Using reader with a card: Broadcom Corp Contacted SmartCard 0
> Failed to connect to card: Card not present
You need to specify the reader here as well (the broadcom driver seems to be buggy as it advertises a card even though it does not seem to be present)

>

--
@MartinPaljak.net
+3725156495


Re: Is ePass2000-FT12 supported?

Martin Paljak-4
In reply to this post by Kaiwang Chen-2
Hello,

On Feb 18, 2011, at 5:11 PM, Kaiwang Chen wrote:
> So is it one of the poorly supported, or am I missing something? The
> bad news is I have to use ePass2000 rather than ePass3000. And I wish
> I can use it with Firefox under both Windows and Linux, too.
I mis-read your e-mail the first time, understanding that you moved to ePass3k from ePass2k. ePass2000 should contain a G&D smartcard [1], which *could* be supported by OpenSC but will for sure need some tweaking. Most probably it won't work with proprietary Windows drivers and OpenSC at the same time.

[1] http://www.opensc-project.org/opensc/wiki/STARCOS
--
@MartinPaljak.net
+3725156495


Re: Is ePass2000-FT12 supported?

Jean-Michel Pouré - GOOZE
In reply to this post by Kaiwang Chen-2
Dear Kaiwang,

The ePass 2001 FT11 (not FT12 which I don't know very well) series
support Windows, Mac OS X and GNU/Linux.

It features PKCS#11 and MS crypto API support. But no OpenSC support to
my knowledge. The initialization and key transfer is done in a nice GUI.

Kind regards,
--
                  Jean-Michel Pouré - Gooze - http://www.gooze.eu


Re: Is ePass2000-FT12 supported?

Kaiwang Chen-2
2011/2/20 Jean-Michel Pouré - GOOZE <[hidden email]>:
> Dear Kaiwang,
>
> The ePass 2001 FT11 (not FT12 which I don't know very well) series
> support Windows, Mac OS X and GNU/Linux.
>
> It features PKCS#11 and MS crypto API support. But no OpenSC support to
> my knowledge. The initialization and key transfer is done in a nice GUI.

Bad news is epass.nl does not provide such a GUI program to initialize
and set SO PIN. There is a console
program(ePass2000_FT12_Init_V1.2.zip) displaying "Press any key to
init the token,or ESC to exit......", and it requires middleware
installed, otherwise croaks with "Load ngp11v211.dll Error!"

ePass2000_FT12_Manager_Enduser_V3.2.zip is limited, and does not allow
setting SO PIN.

ftsafe.com does provide a download page
http://www.ftsafe.com.cn/download/epass2000ft12.html, however, it is
really not responsive to a download request.

Is there any download link available?

>
> Kind regards,
> --
>                  Jean-Michel Pouré - Gooze - http://www.gooze.eu
>
> _______________________________________________
> opensc-user mailing list
> [hidden email]
> http://www.opensc-project.org/mailman/listinfo/opensc-user

Thanks,
kaiwang

Re: Is ePass2000-FT12 supported?

Kaiwang Chen-2
In reply to this post by Martin Paljak-4
Any tweaking guide?

Does OpenSC provide a PC/SC driver or something? or is the middleware
the only option under Windows platform?

Thanks,
kaiwang

2011/2/20 Martin Paljak <[hidden email]>:

> Hello,
>
> On Feb 18, 2011, at 5:11 PM, Kaiwang Chen wrote:
>> So is it one of the poorly supported, or am I missing something? The
>> bad news is I have to use ePass2000 rather than ePass3000. And I wish
>> I can use it with Firefox under both Windows and Linux, too.
> I mis-read your e-mail the first time, understanding that you moved to ePass3k from ePass2k. ePass2000 should contain a G&D smartcard [1], which *could* be supported by OpenSC but will for sure need some tweaking. Most probably it won't work with proprietary Windows drivers and OpenSC at the same time.
>
> [1] http://www.opensc-project.org/opensc/wiki/STARCOS
> --
> @MartinPaljak.net
> +3725156495
>
>

Re: Is ePass2000-FT12 supported?

Kaiwang Chen-2
2011/2/21 Kaiwang Chen <[hidden email]>:
> Any tweaking guide?
>
> Does OpenSC provide a PC/SC driver or something? or is the middleware
> the only option under Windows platform?

the driver is not shipped with the installer?
http://www.opensc-project.org/files/opensc/OpenSC-0.12.0.win32.exe

>
> Thanks,
> kaiwang
>
> 2011/2/20 Martin Paljak <[hidden email]>:
>> Hello,
>>
>> On Feb 18, 2011, at 5:11 PM, Kaiwang Chen wrote:
>>> So is it one of the poorly supported, or am I missing something? The
>>> bad news is I have to use ePass2000 rather than ePass3000. And I wish
>>> I can use it with Firefox under both Windows and Linux, too.
>> I mis-read your e-mail the first time, understanding that you moved to ePass3k from ePass2k. ePass2000 should contain a G&D smartcard [1], which *could* be supported by OpenSC but will for sure need some tweaking. Most probably it won't work with proprietary Windows drivers and OpenSC at the same time.
>>
>> [1] http://www.opensc-project.org/opensc/wiki/STARCOS
>> --
>> @MartinPaljak.net
>> +3725156495
>>
>>
>

Re: Is ePass2000-FT12 supported?

Martin Paljak-4

OpenSC provides only software for working with a smart card, no reader/token drivers. For a proprietary usb token you need the proprietary vendor driver as well.

Sent from mobile.

On Feb 21, 2011 10:59 AM, "Kaiwang Chen" <[hidden email]> wrote:
> 2011/2/21 Kaiwang Chen <[hidden email]>:
>> Any tweaking guide?
>>
>> Does OpenSC provide a PC/SC driver or something? or is the middleware
>> the only option under Windows platform?
>
> the driver is not shipped with the installer?
> http://www.opensc-project.org/files/opensc/OpenSC-0.12.0.win32.exe
>
>>
>> Thanks,
>> kaiwang
>>
>> 2011/2/20 Martin Paljak <[hidden email]>:
>>> Hello,
>>>
>>> On Feb 18, 2011, at 5:11 PM, Kaiwang Chen wrote:
>>>> So is it one of the poorly supported, or am I missing something? The
>>>> bad news is I have to use ePass2000 rather than ePass3000. And I wish
>>>> I can use it with Firefox under both Windows and Linux, too.
>>> I mis-read your e-mail the first time, understanding that you moved to ePass3k from ePass2k. ePass2000 should contain a G&D smartcard [1], which *could* be supported by OpenSC but will for sure need some tweaking. Most probably it won't work with proprietary Windows drivers and OpenSC at the same time.
>>>
>>> [1] http://www.opensc-project.org/opensc/wiki/STARCOS
>>> --
>>> @MartinPaljak.net
>>> +3725156495
>>>
>>>
>>


Re: Is ePass2000-FT12 supported?

Jean-Michel Pouré - GOOZE
In reply to this post by Kaiwang Chen-2
On Monday, 21 February 2011 at 16:50 +0800, Kaiwang Chen wrote:
> Is there any download link available?

OpenSC mailing list is not the place to ask. Contact your reseller,
which will provide you a CD with an installer and tools for all
platforms. Ask for the SDK version, which contains the admin tools.

At Gooze, we don't have ePass2000-FT12, otherwise I would have provided
myself. We only have the ePass-2000-FT11 and CDs for all platforms.

Again, contact your reseller. Feitian is very responsive and will handle
any request through your reseller. When we contact them they reply in 24
hours sharp.

Kind regards,
--
                  Jean-Michel Pouré - Gooze - http://www.gooze.eu


Re: Is ePass2000-FT12 supported?

Kaiwang Chen-2
In reply to this post by Martin Paljak-4
2011/2/21 Martin Paljak <[hidden email]>:
> OpenSC provides only software for working with a smart card, no reader/token
> drivers. For a proprietary usb token you need the proprietary vendor driver
> as well.

I see.

Noticed the OpenCT subproject(http://www.opensc-project.org/openct )
provides driver implementation, linux-specific though

>
> Sent from mobile.
>
> On Feb 21, 2011 10:59 AM, "Kaiwang Chen" <[hidden email]> wrote:
>> 2011/2/21 Kaiwang Chen <[hidden email]>:
>>> Any tweaking guide?
>>>
>>> Does OpenSC provide a PC/SC driver or something? or is the middleware
>>> the only option under Windows platform?
>>
>> the driver is not shipped with the installer?
>> http://www.opensc-project.org/files/opensc/OpenSC-0.12.0.win32.exe
>>
>>>
(snipped)

Thanks,
kaiwang

Re: Is ePass2000-FT12 supported?

Kaiwang Chen-2
In reply to this post by Jean-Michel Pouré - GOOZE
Thanks. I understand ePass2000-FT12 is not OpenSC friendly, and the
OpenSC project does not provide Windows driver.
I will try to get a copy of the tools from the agent.

Thanks again, both of you.

kaiwang

2011/2/21 Jean-Michel Pouré - GOOZE <[hidden email]>:

> On Monday, 21 February 2011 at 16:50 +0800, Kaiwang Chen wrote:
>> Is there any download link available?
>
> OpenSC mailing list is not the place to ask. Contact your reseller,
> which will provide you a CD with an installer and tools for all
> platforms. Ask for the SDK version, which contains the admin tools.
>
> At Gooze, we don't have ePass2000-FT12, otherwise I would have provided
> myself. We only have the ePass-2000-FT11 and CDs for all platforms.
>
> Again, contact your reseller. Feitian is very responsive and will handle
> any request through your reseller. When we contact them they reply in 24
> hours sharp.
>
> Kind regards,
> --
>                  Jean-Michel Pouré - Gooze - http://www.gooze.eu
>
>

Re: Is ePass2000-FT12 supported?

Jean-Michel Pouré - GOOZE
On Monday, 21 February 2011 at 19:28 +0800, Kaiwang Chen wrote:
> Thanks. I understand ePass2000-FT12 is not OpenSC friendly, and the
> OpenSC project does not provide Windows driver.

Each Feitian token comes with a CD-ROM, either for end-users or
administrators.

Ask your Feitian reseller to provide you the administrator CD (called
SDK), which includes ePass2000_FT12 Administrator utility. It will also
contain all information for cross-platform installation.

Without answer from your reseller within 24 or 48 hours, contact me back
and I will get you the CD.

Kind regards,
--
                  Jean-Michel Pouré - Gooze - http://www.gooze.eu


Re: Is ePass2000-FT12 supported?

Kaiwang Chen-2
Thank you Jean-Michel, with your help I finally got a copy of ePassNG
PKI Manager (Administrator) V1.1, although not a whole copy of SDK CD.

I used openssl easy-rsa (OpenSSL 0.9.8i 15 Sep 2008) to generate a
_4096_ bit RSA key and corresponding public key stored in pkcs12
(right?) format,
C:\Program Files\OpenVPN\easy-rsa>vars
C:\Program Files\OpenVPN\easy-rsa>build-key-pkcs12.bat kc5

I confirmed that the generated kc5.p12 can be imported into Firefox
3.6.13 then used to access a https server using the same CA (I built
it self signed). However, when I tried to import the kc5.p12 file into
the token:

1) Clicked "Data Management" then "Import", the "import certificate"
dialog popped up
2) for "certificate path" input, located "kc5.p12" and selected "PKX
Files and P12 Files(*.PFX, *.P12)"
3) for "certificate path" input, typed the export password in the last
step of build-key-pkcs12.bat

the ePassNG PKI Manager alerts "Unsupported secret key length or
certificate content!"

What's the problem?

Noticed the "token detail" pane displays:
Model: ePass2000_FT12
Public space: 15040
Free public space: 12736
Private space:  9936
Free private space: 9840
Hardware version: 3.02
Firmware version: 3.02

Thanks,
kaiwang


2011/2/21 Jean-Michel Pouré - GOOZE <[hidden email]>:

> On Monday, 21 February 2011 at 19:28 +0800, Kaiwang Chen wrote:
>> Thanks. I understand ePass2000-FT12 is not OpenSC friendly, and the
>> OpenSC project does not provide Windows driver.
>
> Each Feitian token comes with a CD-ROM, either for end-users or
> administrators.
>
> Ask your Feitian reseller to provide you the administrator CD (called
> SDK), which includes ePass2000_FT12 Administrator utility. It will also
> contain all information for cross-platform installation.
>
> Without answer from your reseller within 24 or 48 hours, contact me back
> and I will get you the CD.
>
> Kind regards,
> --
>                  Jean-Michel Pouré - Gooze - http://www.gooze.eu
>
>

Re: Is ePass2000-FT12 supported?

Jean-Michel Pouré - GOOZE
On Thursday, 24 February 2011 at 17:41 +0800, Kaiwang Chen wrote:
> the ePassNG PKI Manager alerts "Unsupported secret key length or
> certificate content!"
>
> What's the problem?

There is no problem.

The ePass 2000/2001 series support 1024 bit key length.
The ePass 3000 series support 2048 bit key length series.
The ePass PKI supports 2048 bit key length.

Actually, no standard PKCS#11 USB token goes beyond 2048 bit key length
on the market. Actually, 4096 key length is for CA management, not
end-users.

Kind regards,
--
                  Jean-Michel Pouré - Gooze - http://www.gooze.eu


Re: Is ePass2000-FT12 supported?

Martin Paljak-4
In reply to this post by Kaiwang Chen-2

On Feb 24, 2011, at 11:41 AM, Kaiwang Chen wrote:
> I used openssl easy-rsa (OpenSSL 0.9.8i 15 Sep 2008) to generate a
> _4096_ bit RSA key and corresponding public key stored in pkcs12
> (right?) format,
I doubt the hardware supports key sizes above 2048 bits...


> the ePassNG PKI Manager alerts "Unsupported secret key length or
> certificate content!"
... which is also confirmed by the message.


--
@MartinPaljak.net
+3725156495


Re: Is ePass2000-FT12 supported?

Martin Paljak-4
In reply to this post by Jean-Michel Pouré - GOOZE

On Feb 24, 2011, at 11:57 AM, Jean-Michel Pouré - GOOZE wrote:

> On Thursday, 24 February 2011 at 17:41 +0800, Kaiwang Chen wrote:
>> the ePassNG PKI Manager alerts "Unsupported secret key length or
>> certificate content!"
>>
>> What's the problem?
>
> There is no problem.

There *is* a problem: the device does not support the desired key length.

> Actually, no standard PKCS#11 USB token goes beyond 2048 bit key length
> on the market. Actually, 4096 key length is for CA management, not
> end-users.
There's no such thing as a "PKCS#11 USB token" (PKCS#11 is a software interface), at least key size is definitely not limited by PKCS#11.

Crypto Stick [1] hardware supports RSA 3k keys and the underlying hardware does support 4k as well. Unfortunately the OpenPGP v2 specification which is implemented by the token is not yet fully implemented by OpenSC.

I'm not a cryptographer but other experts say that 2048 should be good enough for the next few years at least. I'd expect EC to be more important than RSA by that time. But as always, the necessary key size depends on application requirements...

Also some JavaCard-s can already now do 3k keys (even though the list of symbolic API constants stops at 2048)

[1] http://www.privacyfoundation.de/crypto_stick/crypto_stick_english/
--
@MartinPaljak.net
+3725156495
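
The key-length limit discussed in the messages above can be checked before an import is attempted. The following is an added example, not part of the original thread or of any vendor tool: it reads the modulus size from an unencrypted PKCS#1 PEM key and compares it with the per-token limits quoted in this thread. It assumes the key file is in the traditional "RSA PRIVATE KEY" format; the function names are hypothetical and the sample keys are constructed dummies.

```python
import base64

# Maximum RSA key length per token family, as stated in this thread.
TOKEN_MAX_RSA_BITS = {"ePass2000": 1024, "ePass2001": 1024,
                      "ePass3000": 2048, "ePass PKI": 2048}
BEGIN, END = "-----BEGIN RSA PRIVATE KEY-----", "-----END RSA PRIVATE KEY-----"


def read_tlv(buf, pos):
    """Decode one DER element at pos; return (tag, value, next_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: low bits count the length bytes
        n = length & 0x7F
        if not 1 <= n <= 4 or pos + n > len(buf):
            raise ValueError("unsupported DER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER value")
    return tag, buf[pos:pos + length], pos + length


def rsa_modulus_bits(pem_text):
    """Modulus size in bits of an unencrypted PKCS#1 RSA private key (PEM)."""
    lines = [ln.strip() for ln in pem_text.strip().splitlines()]
    if len(lines) < 3 or lines[0] != BEGIN or lines[-1] != END:
        raise ValueError("expected a PKCS#1 'RSA PRIVATE KEY' PEM block")
    if any(":" in ln for ln in lines[1:-1]):  # Proc-Type/DEK-Info: encrypted key
        raise ValueError("key is passphrase-protected")
    der_bytes = base64.b64decode("".join(lines[1:-1]))
    tag, body, _ = read_tlv(der_bytes, 0)     # RSAPrivateKey ::= SEQUENCE {
    vtag, _version, pos = read_tlv(body, 0)   #   version INTEGER,
    mtag, modulus, _ = read_tlv(body, pos)    #   modulus INTEGER, ... }
    if (tag, vtag, mtag) != (0x30, 0x02, 0x02):
        raise ValueError("not an RSAPrivateKey structure")
    return int.from_bytes(modulus, "big").bit_length()


def check_import(pem_text, token):
    """Return (fits, key_bits, token_limit) for importing this key into token."""
    bits, limit = rsa_modulus_bits(pem_text), TOKEN_MAX_RSA_BITS[token]
    return bits <= limit, bits, limit


def der(tag, value):
    """Encode one DER element (used only to build the constructed samples)."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    nb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(nb)]) + nb + value


def constructed_sample(bits):
    """PEM holding only version + a dummy modulus of the given size; not a usable key."""
    modulus = b"\x00" + ((1 << (bits - 1)) | 1).to_bytes(bits // 8, "big")
    b64 = base64.b64encode(der(0x30, der(0x02, b"\x00") + der(0x02, modulus))).decode()
    return "\n".join([BEGIN] + [b64[i:i + 64] for i in range(0, len(b64), 64)] + [END])


if __name__ == "__main__":
    for bits in (4096, 1024):
        fits, got, limit = check_import(constructed_sample(bits), "ePass2000")
        print(f"{got}-bit key on ePass2000 (limit {limit}): {'ok' if fits else 'too large'}")
```
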


Re: Is ePass2000-FT12 supported?

Kaiwang Chen-2
In reply to this post by Jean-Michel Pouré - GOOZE
Everything is OK with 1024 bit key length. When I use IE to access the
https server, a dialog popped for me to choose the certificate in the
token,  and after the Use PIN having been checked in the next prompt,
the web page showed up. Great.

I'd like to keep private key in token. How can Firefox use keys in
Microsoft Certificate Store, instead of its own store.
Looks like NSS Internal PKCS #11 Modules provide such ability. I
searched a lot days ago, failed to figure out something meaningful.
What's such a module? Is it something specific to token vendor, so is
there one for ePass2000-FT12 ?

Thanks,
kaiwang

2011/2/24 Jean-Michel Pouré - GOOZE <[hidden email]>:

> On Thursday, 24 February 2011 at 17:41 +0800, Kaiwang Chen wrote:
>> the ePassNG PKI Manager alerts "Unsupported secret key length or
>> certificate content!"
>>
>> What's the problem?
>
> There is no problem.
>
> The ePass 2000/2001 series support 1024 bit key length.
> The ePass 3000 series support 2048 bit key length series.
> The ePass PKI supports 2048 bit key length.
>
> Actually, no standard PKCS#11 USB token goes beyond 2048 bit key length
> on the market. Actually, 4096 key length is for CA management, not
> end-users.
>
> Kind regards,
> --
>                  Jean-Michel Pouré - Gooze - http://www.gooze.eu
>
>

Re: Is ePass2000-FT12 supported?

Martin Paljak-4

On Feb 24, 2011, at 1:36 PM, Kaiwang Chen wrote:
> Looks like NSS Internal PKCS #11 Modules provide such ability. I
> searched a lot days ago, failed to figure out something meaningful.
> What's such a module? Is it something specific to token vendor, so is
> there one for ePass2000-FT12 ?

Your token is proprietary and is not supported by OpenSC.
If the vendor provides a proprietary PKCS#11 module you can load that into Firefox.
But the functioning of that module should be discussed at the vendor forum or something similar - OpenSC can't change if it works or not.

--
@MartinPaljak.net
+3725156495


Re: Is ePass2000-FT12 supported?

Jean-Michel Pouré - GOOZE
In reply to this post by Kaiwang Chen-2
On Thursday, 24 February 2011 at 19:36 +0800, Kaiwang Chen wrote:
> How can Firefox use keys in
> Microsoft Certificate Store, instead of its own store.
> Looks like NSS Internal PKCS #11 Modules provide such ability. I
> searched a lot days ago, failed to figure out something meaningful.
> What's such a module? Is it something specific to token vendor, so is
> there one for ePass2000-FT12 ?

Follow GOOZE tutorial and adapt it to Feitian framework:
http://www.gooze.eu/howto/iceweasel-firefox-smartcard-howto

You should load Feitian pkcs11 library instead of OpenSC and this will
work fine.

Kind regards,
--
                  Jean-Michel Pouré - Gooze - http://www.gooze.eu


Re: Is ePass2000-FT12 supported?

Kaiwang Chen-2
In reply to this post by Martin Paljak-4
Thanks, the problem is solved by SDK from vendor.

kaiwang

2011/2/24 Martin Paljak <[hidden email]>:

>
> On Feb 24, 2011, at 1:36 PM, Kaiwang Chen wrote:
>> Looks like NSS Internal PKCS #11 Modules provide such ability. I
>> searched a lot days ago, failed to figure out something meaningful.
>> What's such a module? Is it something specific to token vendor, so is
>> there one for ePass2000-FT12 ?
>
> Your token is proprietary and is not supported by OpenSC.
> If the vendor provides a proprietary PKCS#11 module you can load that into Firefox.
> But the functioning of that module should be discussed at the vendor forum or something similar - OpenSC can't change if it works or not.
>
> --
> @MartinPaljak.net
> +3725156495
>
>