ePass2003 status


ePass2003 status

NdK-3
Hello all.

Seems the wiki page on github is quite inaccurate regarding ePass2003
support:
- there's no mention of the so-pin problems (and seems so-pin
functionality is not -yet- present)
- GOOZE (IIUC) is no more actively involved after discontinuing the
distribution

Overall, at least for me, it seems more an ad page than a technical one.

IIRC SO-PIN on the ePass2003 requires secure messaging to be used, but
SM was not yet present in opensc when the epass2003 driver got added.
Did that change?

PS: pkcs15-init -F always reports "Failed to delete object(s): Not
supported". Is that normal? Is the card finalized anyway? Is the
finalize step actually required on ePass2003?

BYtE,
 Diego

_______________________________________________
Opensc-devel mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/opensc-devel

Re: ePass2003 status

Dirk-Willem van Gulik

> On 10 Aug 2016, at 12:44, NdK <[hidden email]> wrote:
>
> Hello all.
>
> Seems the wiki page on github is quite inaccurate regarding ePass2003
> support:
> - there's no mention of the so-pin problems (and seems so-pin
> functionality is not -yet- present)
> - GOOZE (IIUC) is no more actively involved after discontinuing the
> distribution
>
> Overall, at least for me, it seems more an ad page than a technical one.
>
> IIRC SO-PIN on the ePass2003 requires secure messaging to be used, but
> SM was not yet present in opensc when the epass2003 driver got added.
> Did that change?
>
> PS: pkcs15-init -F always reports "Failed to delete object(s): Not
> supported". Is that normal? Is the card finalized anyway? Is the
> finalize step actually required on ePass2003?

Below script does the trick for me (key generated ‘off line’ — as to circumvent the 512 len limit).

Dw.

#!/bin/sh
#
# Copyright (c) 2012 Dirk-Willem van Gulik <[hidden email]>, All Rights Reserved.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
#
# You may obtain a copy of the License at
#
#       http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
#
# See the License for the specific language governing permissions and
# limitations under the License.
#
set -e

#
# Load an existing p12/pem onto a card - protected by a PIN
# of sorts; set by the (end) user or a random one.
#
# hexdump -d prints 16-bit decimal units; the first two give 10 digits,
# of which the first 6 (PIN) / 8 (PUK) are kept.
PIN=${PIN:-`openssl rand 16 | hexdump -d | awk '{ print $2 $3 }'  | cut -c 1-6`}
LABEL=feitian001
PUK=${PUK:-`openssl rand 16 | hexdump -d | awk '{ print $2 $3 }'  | cut -c 1-8`}

SUBJ="/emailAddress=foobar/C=XX/L=Foobar/O=Something Nice and Lengthy/OU=Positively bizantine and so on"
TMPFILE=x-fred

# Wipe the private key from disk (srm if available, plain rm otherwise).
# POSIX function syntax, since the script runs under /bin/sh; the trap
# below does the exit so that a normal call at the end of the script
# can still be followed by the final "Done" message.
cleanup() {
        srm "$TMPFILE.key" 2>/dev/null || rm -f "$TMPFILE.key"
}

trap 'cleanup; exit 1' HUP INT TERM

# Self signed root
#
openssl req -new -x509 -set_serial 1 -subj "$SUBJ/CN=Da Root of it all" -out $TMPFILE-ca.pem -nodes -keyout $TMPFILE-ca.key || exit 1

# CSR and sign with above root
#
# Unfortunately we cannot do this on the card - as anything beyond 512 length will time out the USB on linux and OSX.
# pkcs11-tool --module /usr/lib/opensc-pkcs11.so --slot 1 --keypairgen --key-type rsa:2048 --pin $PIN --login
#
openssl req -new -subj "$SUBJ/CN=Fred Himself" -keyout $TMPFILE.key -out $TMPFILE.csr -nodes  || exit 1
openssl x509 -CA $TMPFILE-ca.pem -CAkey $TMPFILE-ca.key -req -set_serial 2 -in $TMPFILE.csr -out $TMPFILE.pem || exit 1

# Initialise a blank key
echo
echo "Insert a single EPass2003 (blue or red); and press return to start wiping and re-initializing it (or press ctrl-C)"
echo
read nope

pkcs15-init -E || exit 1
# The PIN/PUK set here are the ones the --store-* steps below authenticate
# with and the ones reported at the end, so use $PIN/$PUK rather than
# fixed test values.
pkcs15-init --create-pkcs15   --profile pkcs15+onepin --use-default-transport-key --puk $PUK --label $LABEL --pin $PIN || exit 1

if true; then
        # This works -- as we set decent labels.
        #
        pkcs15-init --store-private-key $TMPFILE.key --format PEM --auth-id 01 --pin $PIN || exit 1
        pkcs15-init --store-certificate $TMPFILE.pem --format PEM --auth-id 01 --pin $PIN --label fred || exit 1
        pkcs15-init --store-certificate $TMPFILE-ca.pem --format PEM --auth-id 01 --pin $PIN --label root   --authority  || exit 1
else
        # Transport password.
        #
        PASSWD=`openssl rand 16 | hexdump -d | awk '{ print $2 $3 }'  | cut -c 1-8`
        # And this fails/confuses tokend - as the labels are now DN's with the / in it.
        #
        # Package up in PKCS#12
        openssl pkcs12 -chain -export -out $TMPFILE.p12 -in $TMPFILE.pem -CAfile $TMPFILE-ca.pem -inkey $TMPFILE.key -nodes -passout pass:$PASSWD || exit 1

        # Show what we netted:
        openssl pkcs12 -in $TMPFILE.p12 -noout -passin pass:$PASSWD -info

        # Store.
        pkcs15-init --store-private-key $TMPFILE.p12  --format pkcs12 --auth-id 01 --pin $PIN --passphrase $PASSWD || exit 1
fi

cleanup

echo
echo "Done. The PIN is $PIN, the PUK is $PUK"




Re: ePass2003 status

NdK-3
On 11/08/2016 14:53, Dirk-Willem van Gulik wrote:

>> IIRC SO-PIN on the ePass2003 requires secure messaging to be used, but
>> SM was not yet present in opensc when the epass2003 driver got added.
>> Did that change?
From your answer it seems it didn't change. :(

> Below script does the trick for me (key generated ‘off line’ — as to circumvent the 512 len limit).
No need to do that, unless you need to backup the private key. For me, a
plain
pkcs15-init -G rsa:2048 --auth-id 1 -l "key label"
does the job. Once the keypair is there, associating a certificate is
not a problem.

BTW, in your script it could be better to use a tmpfs instead of a
normal file. But there are other risks anyway, unless you're using it on
an offlined single-user machine.

> pkcs15-init -E || exit 1
Erase, ok.

> pkcs15-init --create-pkcs15   --profile pkcs15+onepin --use-default-transport-key --puk 111111 --label $LABEL --pin 1234 || exit 1
Init with onepin option, so you're not using SOPIN, just the User-PIN.

>> PS: pkcs15-init -F always reports "Failed to delete object(s): Not
>> supported". Is that normal? Is the card finalized anyway? Is the
>> finalize step actually required on ePass2003?
In the script you don't finalize the token. For Aventra MyEID the
pkcs15-init -F
step is needed to activate access control, but ePass2003 seems not to
need it. Good to know -- could be useful to have it on the wiki page?
And maybe opensc could avoid generating an error?

BYtE,
 Diego
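The provisioning sequence the thread converges on (erase, create-pkcs15 with the onepin profile, keypair generated on the token with -G, certificate stored afterwards) as one runnable script. This is an added example, not Dirk-Willem's script or anything from OpenSC itself; it assumes pkcs15-init, pkcs15-tool and openssl with the libp11 "pkcs11" engine on PATH, a single inserted token, and the libp11 PKCS#11 URI syntax for the CSR step. It also takes up the tmpfs suggestion (scratch files under /dev/shm, removed on exit) and draws the PIN/PUK from /dev/urandom with rejection sampling instead of a decimal hexdump. Run it as "sh provision.sh provision"; with DRY_RUN=1 it only prints the commands.

```shell
#!/bin/sh
# Added example, not code from the thread: provision an ePass2003 with OpenSC
# by generating the RSA keypair on the token (pkcs15-init -G) rather than
# importing a PEM key, then storing a certificate for it. Assumed: pkcs15-init,
# pkcs15-tool and openssl (with the libp11 "pkcs11" engine) on PATH, one token
# inserted, and a throwaway self-signed CA created on the fly to sign the CSR.
# DRY_RUN=1 prints the commands instead of executing them.
set -eu

DRY_RUN=${DRY_RUN:-0}
LABEL=${LABEL:-epass001}

# N-digit random PIN/PUK from the kernel CSPRNG. Bytes >= 250 are rejected so
# that "byte mod 10" gives every digit equal probability (a straight decimal
# dump of the bytes, as with hexdump -d, over-represents leading 1s and 2s).
gen_pin() {
    n=$1
    out=""
    while [ ${#out} -lt "$n" ]; do
        for b in $(od -An -t u1 -N 32 /dev/urandom); do
            [ "$b" -lt 250 ] || continue
            out="$out$((b % 10))"
            [ ${#out} -lt "$n" ] || break
        done
    done
    printf '%s\n' "$out"
}

# Execute a command, or just print it when DRY_RUN=1.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '+ %s\n' "$*"
    else
        "$@"
    fi
}

provision() {
    PIN=$(gen_pin 6)
    PUK=$(gen_pin 8)

    # Scratch files go on tmpfs (/dev/shm) when available, as suggested in the
    # thread, so the CA key and CSR never touch persistent disk; removed on exit.
    WORK=$(mktemp -d /dev/shm/epass.XXXXXX 2>/dev/null || mktemp -d)
    trap 'rm -rf "$WORK"' EXIT HUP INT TERM

    # 1. Wipe and initialise with the one-PIN profile (no SO-PIN, as in the thread).
    run pkcs15-init -E
    run pkcs15-init --create-pkcs15 --profile pkcs15+onepin \
        --use-default-transport-key --pin "$PIN" --puk "$PUK" --label "$LABEL"

    # 2. Generate the keypair on the token; the private key never leaves it.
    #    Object id 10 is an arbitrary choice so the certificate can be tied to it.
    run pkcs15-init -G rsa:2048 --auth-id 01 --id 10 --pin "$PIN" -l "signing key"

    # 3. CSR signed by the on-card key through the pkcs11 engine (assumed
    #    libp11 PKCS#11 URI syntax), then signed by the throwaway CA.
    run openssl req -new -x509 -subj "/CN=Throwaway Root" -nodes \
        -keyout "$WORK/ca.key" -out "$WORK/ca.pem"
    run openssl req -new -engine pkcs11 -keyform engine \
        -key "pkcs11:object=signing key;type=private;pin-value=$PIN" \
        -subj "/CN=Token Holder" -out "$WORK/req.csr"
    run openssl x509 -req -in "$WORK/req.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
        -CAcreateserial -days 365 -out "$WORK/cert.pem"

    # 4. Store the certificate under the same id as the key, then show the result.
    run pkcs15-init --store-certificate "$WORK/cert.pem" --format PEM \
        --auth-id 01 --id 10 --pin "$PIN" --label "signing cert"
    run pkcs15-tool --list-keys
    run pkcs15-tool --list-certificates

    printf 'Done. PIN=%s PUK=%s (record these; they are not stored anywhere else)\n' "$PIN" "$PUK"
}

# Only provision when explicitly asked, so the file can also be sourced for gen_pin/run.
if [ "${1:-}" = provision ]; then
    provision
fi
```

No pkcs15-init -F step is included, matching Diego's observation that the ePass2003 does not appear to need the finalize step; on a token that does (the MyEID mentioned in the thread) it would go after the certificate is stored.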
