ePass2003 custom so-pin profile

ePass2003 custom so-pin profile

Jean-Michel Pouré - GOOZE
Dear all,

The ePass2003 does not work when initialized with SO-PIN in OpenSC.

GOOZE requested technical documentation from Feitian, but never received
the list of APDU commands or any useful documentation.

A GOOZE user did some research and found the following trick:

The issue is not in the SO PIN itself. It's caused by incorrect ACL flags
arising from not using the ACL flags defined in the "onepin" profile. If you
add a profile referring to SOPIN into /usr/share/opensc/epass2003.profile
(e.g. before the line "option onepin") and use it, pkcs15-init won't "brick"
the token anymore:

option sopinacl {
macros {
so-pin-flags = local, initialized, soPin;
pin-flags = local, initialized, needs-padding;
df_acl = *=$SOPIN, CRYPTO=NONE, FILES=NONE, CREATE=NONE, DELETE=NONE;
ef_acl = *=NEVER, READ=NONE, UPDATE=NONE, WRITE=NONE, DELETE=NONE;
sf_acl = *=NEVER, UPDATE=NONE;
protected = *=NEVER,READ=NONE, UPDATE=$PIN, DELETE=$PIN;
}
}

I would welcome feedback from the OpenSC community and would like to
know if this works for you and/or would be useful in OpenSC itself.

Maybe Feitian itself could comment on this proposed fix in a reply on the
OpenSC mailing list.

Kind regards,
Jean-Michel Pouré
--

                      GOOZE - http://www.gooze.eu
                   High quality cryptographic tools
                  for GNU/Linux, Mac OS X and Windows
     POURE SASU - 17 rue Saint Jacques - 95160 Montmorency - France
       Tel : +33 (0)9 72 13 53 90 - Mobile : +33 (0)6 51 99 37 90
         Registry: FR 527 672 448 00018 - VAT: FR54527672448
     CAcert root certificate: http://www.cacert.org/index.php?id=3
                          ID PGP/GPG: 084F2584

_______________________________________________
Opensc-devel mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/opensc-devel

Re: ePass2003 custom so-pin profile

JP Szikora-2
Hi Jean-Michel,

Have you tried the latest version of OpenSC from GitHub? There is a patch (https://github.com/OpenSC/OpenSC/commit/de4dd056bfc95935198528c4e7ddcd8cbbb7b8c1) fixing a problem existing in 0.13 but not in 0.12.2.

Best Regards,

Jean-Pierre

On 22 August 2013 at 17:00, Jean-Michel Pouré - GOOZE wrote:

--
Dr Jean-Pierre Szikora e-mail: [hidden email]
tel: 32-2-764.75.00
75, av. Hippocrate, bte B1.74.03 fax: 32-2-764.65.65
1200 Brussels - Belgium






Re: ePass2003 custom so-pin profile

Jean-Michel Pouré - GOOZE
On Thursday 22 August 2013 at 17:54 +0200, Jean-Pierre Szikora wrote:
> (https://github.com/OpenSC/OpenSC/commit/de4dd056bfc95935198528c4e7ddcd8cbbb7b8c1) fixing a problem existing in 0.13 but not in 0.12.2.

Dear Jean-Pierre,

Yes, I have been using OpenSC latest version.

Under Windows, the ePass2003 supports SO-PIN, but not under OpenSC.
Moreover, the ePass2003 is bricked when using SO-PIN initialization.

Example:
pkcs15-init -E --create-pkcs15 --profile pkcs15+onepin \
    --use-default-transport-key --pin 0000 --puk 111111 --so-pin 0000 \
    --so-puk 111111 --label "François Pérou"
Using reader with a card: Feitian ePass2003 00 00
Failed to create PKCS #15 meta structure: Not allowed

This is an undocumented problem which we were never able to solve
ourselves. Recently, a GOOZE user proposed that SO-PIN could be
declared in the ePass2003 profile.

I could test these settings successfully:

/usr/share/opensc/epass2003.profile
option onepin {
        macros {
                pin-flags        = local, initialized, needs-padding;
                so-pin-flags     = local, initialized, soPin;
                df_acl           = *=$PIN, *=$SOPIN, CRYPTO=NONE, FILES=NONE, CREATE=NONE, DELETE=NONE;
                df_acl           = *=NEVER, CRYPTO=NONE, FILES=NONE, CREATE=NONE, DELETE=NONE;
                ef_acl           = *=NEVER, READ=NONE, UPDATE=NONE, WRITE=NONE, DELETE=NONE;
                sf_acl           = *=NEVER, UPDATE=NONE;
                protected        = *=NEVER, READ=NONE, UPDATE=$PIN, DELETE=$PIN;
                unprotected      = *=NONE;
                dir-size         = 112;
                tinfo-size       = 128;
                unusedspace-size = 128;
                odf-size         = 512;
                aodf-size        = 256;
                cdf-size         = 2048;
                prkdf-size       = 1024;
                pukdf-size       = 1024;
                dodf-size        = 256;
                info-size        = 128;
                maxPin-size      = 2;
        }
}

I simply added the line:

so-pin-flags             = local, initialized, soPin;
# Warning: ePass2003 does not support SO-PIN for undocumented reasons.

Now, the ePass2003 can initialize:
pkcs15-init -E --create-pkcs15 --profile pkcs15+onepin \
    --use-default-transport-key --pin 0000 --puk 111111 --so-pin 0000 \
    --so-puk 111111 --label "François Pérou"

But still SO-PIN and SO-PUK are not initialized.

This failure to initialize the ePass2003 with SO-PIN support under
OpenSC is the reason for GOOZE stopping distribution of the ePass2003 as
of 22 August 2013.

Read:
http://www.gooze.eu/forums/support/epass2003-sales-suspended

To enquire more, I would like to know whether this ONEPIN one line fix
is acceptable, at least to avoid breakage. This is only to continue
supporting our user base of ePass2003 users.

Kind regards,
--
                  Jean-Michel Pouré - Gooze - http://www.gooze.eu
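A small pre-flight check, added here as an example and not code from this thread or from OpenSC: it parses the `option <name> { macros { ... } }` blocks of a pkcs15-init profile and reports the inconsistencies this thread turns on (an option that sets `so-pin-flags` while none of its ACL macros mention `$SOPIN`, and a macro defined more than once, as `df_acl` is in the onepin block above), so a profile can be inspected before pkcs15-init writes it to a token. The profile text embedded below is constructed from the two macro sets posted in this thread plus a third, hypothetical option named `unreferenced` for contrast; how OpenSC itself resolves a repeated macro is not something this thread establishes, so the checker only flags it.

```python
"""Pre-flight consistency check for 'option' blocks in an OpenSC profile."""
import re
from collections import Counter

# Constructed sample: the 'sopinacl' and 'onepin' macro sets posted in the
# thread, plus a hypothetical 'unreferenced' option (not from the thread)
# whose ACLs never mention $SOPIN even though so-pin-flags is set.
SAMPLE_PROFILE = """
option sopinacl {
    macros {
        so-pin-flags = local, initialized, soPin;
        pin-flags = local, initialized, needs-padding;
        df_acl = *=$SOPIN, CRYPTO=NONE, FILES=NONE, CREATE=NONE, DELETE=NONE;
        ef_acl = *=NEVER, READ=NONE, UPDATE=NONE, WRITE=NONE, DELETE=NONE;
        sf_acl = *=NEVER, UPDATE=NONE;
        protected = *=NEVER, READ=NONE, UPDATE=$PIN, DELETE=$PIN;
    }
}
option onepin {
    macros {
        pin-flags = local, initialized, needs-padding;
        so-pin-flags = local, initialized, soPin;
        df_acl = *=$PIN, *=$SOPIN, CRYPTO=NONE, FILES=NONE, CREATE=NONE, DELETE=NONE;
        df_acl = *=NEVER, CRYPTO=NONE, FILES=NONE, CREATE=NONE, DELETE=NONE;
        ef_acl = *=NEVER, READ=NONE, UPDATE=NONE, WRITE=NONE, DELETE=NONE;
        sf_acl = *=NEVER, UPDATE=NONE;
        protected = *=NEVER, READ=NONE, UPDATE=$PIN, DELETE=$PIN;
        unprotected = *=NONE;
        dir-size = 112;   # sizes are not ACLs and are ignored by the checks
    }
}
option unreferenced {
    macros {
        so-pin-flags = local, initialized, soPin;
        pin-flags = local, initialized, needs-padding;
        df_acl = *=$PIN, CRYPTO=NONE, FILES=NONE, CREATE=NONE, DELETE=NONE;
        ef_acl = *=NEVER, READ=NONE, UPDATE=NONE, WRITE=NONE, DELETE=NONE;
    }
}
"""

# One 'option NAME { macros { ... } }' block; the body has no nested braces.
OPTION_RE = re.compile(
    r"option\s+(?P<name>[\w-]+)\s*\{\s*macros\s*\{(?P<body>.*?)\}\s*\}",
    re.DOTALL,
)


def parse_macros(body):
    """Return the 'key = value;' assignments of a macros body as an ordered
    list of (key, value) pairs, keeping duplicates so they can be reported."""
    body = re.sub(r"#[^\n]*", "", body)  # drop '#' comments
    pairs = []
    for stmt in body.split(";"):
        stmt = stmt.strip()
        if not stmt:
            continue
        key, _, value = stmt.partition("=")
        pairs.append((key.strip(), " ".join(value.split())))
    return pairs


def parse_acl(value):
    """Split an ACL value such as '*=$SOPIN, CRYPTO=NONE' into (op, cond)
    pairs; a repeated op (two '*=' entries) is kept as written."""
    entries = []
    for item in value.split(","):
        item = item.strip()
        if item:
            op, _, cond = item.partition("=")
            entries.append((op.strip(), cond.strip()))
    return entries


def check_option(pairs):
    """Findings for one option: duplicated macros and SOPIN/ACL mismatches."""
    findings = []
    for key, n in Counter(k for k, _ in pairs).items():
        if n > 1:
            findings.append(f"macro '{key}' is defined {n} times; "
                            "which definition the profile loader keeps is not obvious")
    keys = {k for k, _ in pairs}
    # Only ACL macros carry 'op=condition' lists; flags and sizes do not.
    conditions = {cond for _, v in pairs if "=" in v for _, cond in parse_acl(v)}
    if "so-pin-flags" in keys and "$SOPIN" not in conditions:
        findings.append("so-pin-flags is set but no ACL macro references $SOPIN")
    if "so-pin-flags" not in keys and "$SOPIN" in conditions:
        findings.append("an ACL references $SOPIN but so-pin-flags is not defined")
    return findings


def check_profile(text):
    """Map each option name in the profile text to its list of findings."""
    return {m.group("name"): check_option(parse_macros(m.group("body")))
            for m in OPTION_RE.finditer(text)}


if __name__ == "__main__":
    for name, findings in check_profile(SAMPLE_PROFILE).items():
        print(f"option {name}: {'ok' if not findings else ''}")
        for f in findings:
            print(f"  - {f}")
```

Run it against a real profile with `check_profile(open("/usr/share/opensc/epass2003.profile").read())`; an option with an empty findings list passes both checks, which is the state the first message's `sopinacl` block is in, while the `onepin` block as posted is flagged for its second `df_acl` line.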
