ePass3000


ePass3000

Ludolf Holzheid-2
Hello,

I'm trying to use a Feitian ePass3000 with OpenSC/OpenCT, but with no
success so far:

 o I'm using Slackware 13.0/Linux 2.6.29.6,
 o installed OpenCT 0.6.20 and OpenSC 0.11.13 from source and
 o started the ifdhandler with the rc script provided in the OpenCT
   tarball.

"openct-tool list" and "opensc-tool --list-readers" give the expected
results, but "pkcs15-init -E" fails with

> Failed to erase card: Generic reader error

In the syslog, a record

> ifdhandler[4087]: usb_bulk failed: Value too large for defined data type

appears. The token, however, seems to be 'somewhat erased', as it does
not work on USB any more until after the Feitian software touched it.
(I've installed OpenCT/OpenSC on Linux and the Feitian software on
Windows, so they do not interfere with each other.)

I tried to lower max_send_size and max_recv_size in opensc.conf to 60,
but this doesn't seem to make a difference.

Attached is a session transcript with debug messages.


Is this a known behavior?
What's to test next?


Ludolf

--

Ludolf Holzheid    [ˈluˑ.d̥oːlf ˈhɔlts.haɪd̥]
Heinrichstraße 6   [ˈhaɪn.ʀɪçˌʃtʀɑː.sə 6]
68642 Bürstadt     [68642 ˈbyːʀ.ʃtat]

PGP key fingerprint: 92DC 63E6 B2CD BCFD 8A6C  E390 6306 0DA6 4629 72FB

_______________________________________________
opensc-user mailing list
[hidden email]
http://www.opensc-project.org/mailman/listinfo/opensc-user


Re: ePass3000

Jean-Michel Pouré - GOOZE
On Sun, 2010-07-18 at 20:33 +0200, Ludolf Holzheid wrote:
> I'm trying to use a Feitian ePass3000 with OpenSC/OpenCT, but with no
> success so far:
>
>  o I'm using Slackware 13.0/Linux 2.6.29.6,
>  o installed OpenCT 0.6.20 and OpenSC 0.11.13 from source and
>  o started the ifdhandler with the rc script provided in the OpenCT
>    tarball.

Which version of the ePass3000 are you using? I may have a demo token at
hand for testing.
--
                  Jean-Michel Pouré - Gooze - http://www.gooze.eu


Re: ePass3000

Ludolf Holzheid-2
On 2010-07-18 11:50 -0700, Jean-Michel Pouré - GOOZE wrote:

> On Sun, 2010-07-18 at 20:33 +0200, Ludolf Holzheid wrote:
> > I'm trying to use a Feitian ePass3000 with OpenSC/OpenCT, but with no
> > success so far:
> >
> >  o I'm using Slackware 13.0/Linux 2.6.29.6,
> >  o installed OpenCT 0.6.20 and OpenSC 0.11.13 from source and
> >  o started the ifdhandler with the rc script provided in the OpenCT
> >    tarball.
>
> Which version of the ePass3000 are you using? I may have a demo token at
> hand for testing.

There's nothing printed on the device but ePass3000. The Feitian
software (on Windows) says 2.01 for hardware and firmware version of
the token and "cardos-info" gives

>> Running cardos-tool --info
>> Using reader with a card: FT SCR2000A
>> 3b:0f:00:65:46:53:05:21:05:71:df:00:00:00:80:6a:82
>> Received (SW1=0x6D, SW2=0x00)

Ludolf

--

Ludolf Holzheid    [ˈluˑ.d̥oːlf ˈhɔlts.haɪd̥]
Heinrichstraße 6   [ˈhaɪn.ʀɪçˌʃtʀɑː.sə 6]
68642 Bürstadt     [68642 ˈbyːʀ.ʃtat]

PGP key fingerprint: 92DC 63E6 B2CD BCFD 8A6C  E390 6306 0DA6 4629 72FB

Re: ePass3000

Xiaoshuo Wu
In reply to this post by Ludolf Holzheid-2
On Mon, 19 Jul 2010 02:33:45 +0800, Ludolf Holzheid  
<[hidden email]> wrote:

> Hello,
>
> I'm trying to use a Feitian ePass3000 with OpenSC/OpenCT, but with no
> success so far:
>
>  o I'm using Slackware 13.0/Linux 2.6.29.6,
>  o installed OpenCT 0.6.20 and OpenSC 0.11.13 from source and
There is better support for ePass3000 in the latest SVN repository.
Would you please try to uninstall stock OpenCT 0.6.20, and use the latest  
SVN version OpenCT & OpenSC?

Regards, Xiaoshuo

Re: ePass3000

Ludolf Holzheid
On Mon, 2010-07-19 10:30:23 +0800, Xiaoshuo Wu wrote:

> On Mon, 19 Jul 2010 02:33:45 +0800, Ludolf Holzheid  
> <[hidden email]> wrote:
>
> > Hello,
> >
> > I'm trying to use a Feitian ePass3000 with OpenSC/OpenCT, but with no
> > success so far:
> >
> >  o I'm using Slackware 13.0/Linux 2.6.29.6,
> >  o installed OpenCT 0.6.20 and OpenSC 0.11.13 from source and
> There is better support for ePass3000 in the latest SVN repository.
> Would you please try to uninstall stock OpenCT 0.6.20, and use the latest  
> SVN version OpenCT & OpenSC?

The SVN version of OpenCT made the difference. Now erasing the token
and creating the PKCS#15 structure works, thank you.

However, my first attempt to create a key pair on the token
failed. Maybe I did something wrong - I'll read the documentation and
try again.

Again, thanks for your help.

Ludolf

--

---------------------------------------------------------------
Ludolf Holzheid             Tel:    +49 621 339960
Bihl+Wiedemann GmbH         Fax:    +49 621 3392239
Floßwörthstraße 41          e-mail: [hidden email]
D-68199 Mannheim, Germany
---------------------------------------------------------------


Re: ePass3000

Ludolf Holzheid-2
On 2010-07-20 10:00 +0200, Ludolf Holzheid wrote:

> On Mon, 2010-07-19 10:30:23 +0800, Xiaoshuo Wu wrote:
> > On Mon, 19 Jul 2010 02:33:45 +0800, Ludolf Holzheid  
> > <[hidden email]> wrote:
> >
> > > Hello,
> > >
> > > I'm trying to use a Feitian ePass3000 with OpenSC/OpenCT, but with no
> > > success so far:
> > >
> > >  o I'm using Slackware 13.0/Linux 2.6.29.6,
> > >  o installed OpenCT 0.6.20 and OpenSC 0.11.13 from source and
> > There is better support for ePass3000 in the latest SVN repository.
> > Would you please try to uninstall stock OpenCT 0.6.20, and use the latest  
> > SVN version OpenCT & OpenSC?
>
> The SVN version of OpenCT made the difference. Now erasing the token
> and creating the PKCS#15 structure works, thank you.
Hello again,

I found time to do some more testing (with OpenCT 0.6.21-svn-r1185 and
OpenSC 0.12.0-svn-r4577) and have some new questions now:

 o There are some functions that fail with a 'not supported' message
   (e.g. 'openct-tool read', the 'ls' command in opensc-explorer,
   'opensc-tool --list-files' and 'pkcs15-tool --delete object').

   Are they expected to work with the ePass3000?

 o I still can't generate a key pair /on the token/:

   'pkcs15-init --generate-key' fails with 'Generic reader error'. The
   token stops working and is not usable any more (on Linux) until
   after it was presented to the Feitian driver (on Windows).

   On failure, the following records appear in the syslog:

   > ifdhandler[<pid>]: usb_bulk failed: Value too large for defined data type
   > ifdhandler[<pid>]: usb_bulk failed: Connection timed out

   This seems to be exactly the same failure as the one I got when I
   tried to erase the token with 'pkcs15-init -E' using OpenCT 0.6.20.

   Could it be the same fix is needed in different places too?


Besides that, I managed to use the token with stunnel (key generated
off-board) and I'm confident to make it work with OpenVPN too. So I
already have all I need for what I want to use the token for. Thank
you for your work on OpenCT, OpenSC et al.


Ludolf


P.S.: Attached is a patch fixing a couple of typos I came across (the
      missing element in the option_help[] vector of cardos-tool.c
      could cause a segfault, though).

--

Ludolf Holzheid    [ˈluˑ.d̥oːlf ˈhɔlts.haɪd̥]
Heinrichstraße 6   [ˈhaɪn.ʀɪçˌʃtʀɑː.sə 6]
68642 Bürstadt     [68642 ˈbyːʀ.ʃtat]

PGP key fingerprint: 92DC 63E6 B2CD BCFD 8A6C  E390 6306 0DA6 4629 72FB


Re: ePass3000

Xiaoshuo Wu
On Mon, 26 Jul 2010 07:50:44 +0800, Ludolf Holzheid
<[hidden email]> wrote:

> I found time to do some more testing (with OpenCT 0.6.21-svn-r1185 and
> OpenSC 0.12.0-svn-r4577) and have some new questions now:
>
>  o There are some functions that fail with a 'not supported' message
>    (e.g. 'openct-tool read', the 'ls' command in opensc-explorer,
>    'opensc-tool --list-files' and 'pkcs15-tool --delete object').
>
>    Are they expected to work with the ePass3000?
Currently, deleting and listing files are not supported by ePass3000, so
these commands do not work.

>  o I still can't generate a key pair /on the token/:
>
>    'pkcs15-init --generate-key' fails with 'Generic reader error'. The
>    token stops working and is not usable any more (on Linux) until
>    after it was presented to the Feitian driver (on Windows).
>
>    On failure, the following records appear in the syslog:
>
>    > ifdhandler[<pid>]: usb_bulk failed: Value too large for defined data type
>    > ifdhandler[<pid>]: usb_bulk failed: Connection timed out
>
>    This seems to be exactly the same failure as the one I got when I
>    tried to erase the token with 'pkcs15-init -E' using OpenCT 0.6.20.
>
>    Could it be the same fix is needed on different places too?
I got similar output while generating a 2048-bit RSA key on board:
Jul 26 16:54:31 localhost ifdhandler[8107]: ifd_protocol_transceive: cmd: 00 46 00 00 02 08 00
Jul 26 16:54:31 localhost ifdhandler[8107]: epass3k_send: ifd-epass3k.c:205 epass3k_send()
Jul 26 16:54:31 localhost ifdhandler[8107]: usb_send: usb send to=x02
Jul 26 16:54:31 localhost ifdhandler[8107]: usb_send: send  52 36 00 02 00 07 00 46 00 00 02 08 00
Jul 26 16:54:31 localhost ifdhandler[8107]: epass3k_recv: ifd-epass3k.c:242 epass3k_recv()
Jul 26 16:54:57 localhost ifdhandler[8107]: usb_recv: usb recv from=x81
Jul 26 16:54:57 localhost ifdhandler[8107]: usb_recv: recv  52 36 00 00 00 02 90 00
Jul 26 16:54:57 localhost ifdhandler[8107]: ifd_protocol_transceive: resp: 90 00
Jul 26 16:54:57 localhost ifdhandler[8107]: epass3k_card_status: ifd-epass3k.c:196 epass3k_card_status()
Jul 26 16:54:57 localhost ifdhandler[8107]: ifdhandler_process: ifdhandler_process(cmd=CT_CMD_TRANSACT, unit=0)
Jul 26 16:54:57 localhost ifdhandler[8107]: ifd_protocol_transceive: cmd: 80 e6 2a 01 00
Jul 26 16:54:57 localhost ifdhandler[8107]: epass3k_send: ifd-epass3k.c:205 epass3k_send()
Jul 26 16:54:57 localhost ifdhandler[8107]: usb_send: usb send to=x02
Jul 26 16:54:57 localhost ifdhandler[8107]: usb_send: send  52 36 00 02 00 05 80 e6 2a 01 00
Jul 26 16:54:57 localhost ifdhandler[8107]: epass3k_recv: ifd-epass3k.c:242 epass3k_recv()
Jul 26 16:54:57 localhost ifdhandler[8107]: usb_bulk failed: Value too large for defined data type
Jul 26 16:54:57 localhost ifdhandler[8107]: ifd_protocol_transceive: transceive error: Generic error
Jul 26 16:54:57 localhost ifdhandler[8107]: ifdhandler_process: ifdhandler_process(cmd=CT_CMD_UNLOCK, unit=0)
Jul 26 16:54:57 localhost ifdhandler[8107]: ifdhandler_unlock: released excl lock 2 for slot 0 by uid=1000
Jul 26 16:54:57 localhost ifdhandler[8107]: ifdhandler_process: ifdhandler_process(cmd=CT_CMD_RESET, unit=0)
Jul 26 16:54:57 localhost ifdhandler[8107]: epass3k_card_reset: ifd-epass3k.c:127 epass3k_card_reset()
Jul 26 16:54:57 localhost ifdhandler[8107]: usb_send: usb send to=x02
Jul 26 16:54:57 localhost ifdhandler[8107]: usb_send: send  52 36 00 01 00 00
Jul 26 16:54:57 localhost ifdhandler[8107]: usb_recv: usb recv from=x81
Jul 26 16:54:57 localhost ifdhandler[8107]: usb_recv: recv  08 6d 08 fc 00 56 ae 0e 02 59 b4 90 00
and I'll look into this.

Here I recommend a better way, to use ePass3000 with OpenSC+PCSC, see
http://www.gooze.eu/howto/smartcard-quickstarter-guide
for more details.

>
> Besides that, I managed to use the token with stunnel (key generated
> off-board) and I'm confident to make it work with OpenVPN too. So I
> already have all I need for what I want the token to use for. Thank
> you for your work on OpenCT, OpenSC et al..
>
> Ludolf
>
>
> P.S.: Attached is a patch fixing a couple of typos I came across (the
>       missing element in the option_help[] vector of cardos-tool.c
>       could cause a segfault, though).
>
Glad to hear these, thank you for your attentiveness.

Regards, Xiaoshuo
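One way to read a trace like the one Xiaoshuo posted, as an added example that is neither OpenCT code nor from this thread: the script pairs each usb_send frame with the reply or the usb_bulk error that followed it, so the APDU after which the token went silent stands out. The epass3k frame layout it strips is an assumption inferred from the captured bytes, not a documented format.

```python
import re

# Excerpt of the ifdhandler trace quoted above, with the mail client's line
# wrapping undone so every record is one line (constructed test input).
TRACE = """\
Jul 26 16:54:31 localhost ifdhandler[8107]: usb_send: send  52 36 00 02 00 07 00 46 00 00 02 08 00
Jul 26 16:54:57 localhost ifdhandler[8107]: usb_recv: recv  52 36 00 00 00 02 90 00
Jul 26 16:54:57 localhost ifdhandler[8107]: usb_send: send  52 36 00 02 00 05 80 e6 2a 01 00
Jul 26 16:54:57 localhost ifdhandler[8107]: usb_bulk failed: Value too large for defined data type
Jul 26 16:54:57 localhost ifdhandler[8107]: usb_send: send  52 36 00 01 00 00
Jul 26 16:54:57 localhost ifdhandler[8107]: usb_recv: recv  08 6d 08 fc 00 56 ae 0e 02 59 b4 90 00
"""

SEND = re.compile(r"usb_send: send\s+([0-9a-f ]+)$")
RECV = re.compile(r"usb_recv: recv\s+([0-9a-f ]+)$")
FAIL = re.compile(r"usb_bulk failed: (.+)$")
SW_NAMES = {"9000": "OK", "6d00": "INS not supported"}  # ISO 7816-4 meanings


def unwrap_frame(raw):
    """Strip the 6-byte epass3k transport header when present.  Layout is an
    assumption read off the captured bytes (not a documented format):
    52 36 | 00 | cmd (01 reset, 02 transmit) | 16-bit BE payload length | payload."""
    data = bytes.fromhex(raw)
    if data[:2] == b"\x52\x36" and len(data) >= 6:
        cmd, plen, payload = data[3], int.from_bytes(data[4:6], "big"), data[6:]
        if len(payload) != plen:
            raise ValueError(f"length field {plen} != payload {len(payload)}")
        return cmd, payload
    return None, data  # the reset reply in the trace carries no header


def pair_exchanges(trace):
    """Pair every host->token frame with the reply or USB error that followed."""
    exchanges, pending = [], None
    for line in trace.splitlines():
        if m := SEND.search(line):
            cmd, apdu = unwrap_frame(m.group(1).strip())
            pending = {"cmd": cmd, "apdu": apdu.hex(), "ins": apdu[1:2].hex() or None,
                       "resp": None, "sw": None, "status": "no reply"}
            exchanges.append(pending)
        elif pending is None:
            continue
        elif m := RECV.search(line):
            _, payload = unwrap_frame(m.group(1).strip())
            sw = payload[-2:].hex()
            pending.update(resp=payload.hex(), sw=sw, status=SW_NAMES.get(sw, "unknown SW"))
        elif m := FAIL.search(line):
            pending.update(status="USB error: " + m.group(1))
    return exchanges
```

Running pair_exchanges(TRACE) shows the first transmit (INS 46 with 08 00, the 2048-bit request) answered 90 00 and the second (80 e6 2a 01 00) answered only by the usb_bulk error before the reset.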

Re: ePass3000

Ludolf Holzheid
On Mon, 2010-07-26 17:23:07 +0800, Xiaoshuo Wu wrote:
> On Mon, 26 Jul 2010 07:50:44 +0800, Ludolf Holzheid <[hidden email]> wrote:
>
> > [..]
> >
> >    Are they expected to work with the ePass3000?
> Currently, deleting and listing files are not supported by ePass3000, so
> these commands not work.

Ah, o.k.

I thought this was the case (as the messages are clear), but asking
doesn't hurt ...
 
> >  o I still can't generate a key pair /on the token/:
> >
> > [..]
> I got similar output while generating 2048 bit RSA key on board:
> [..]
> and I'll look into this.

Thank you.
 
> Here I recommend a better way, to use ePass3000 with OpenSC+PCSC, see
> http://www.gooze.eu/howto/smartcard-quickstarter-guide
> for more details.

I'll try this. But, as I don't really _need_ to generate the keys
on-board, I'll maybe stick to OpenCT since it is leaner and it already
works for me.

Ludolf

--

---------------------------------------------------------------
Ludolf Holzheid             Tel:    +49 621 339960
Bihl+Wiedemann GmbH         Fax:    +49 621 3392239
Floßwörthstraße 41          e-mail: [hidden email]
D-68199 Mannheim, Germany
---------------------------------------------------------------


Re: ePass3000

Martin Paljak-2
In reply to this post by Ludolf Holzheid-2
Hello,

On Jul 26, 2010, at 2:50 AM, Ludolf Holzheid wrote:
> o There are some functions that fail with a 'not supported' message
>   (e.g. 'openct-tool read', the 'ls' command in opensc-explorer,
>   'opensc-tool --list-files' and 'pkcs15-tool --delete object').
>
>   Are they expected to work with the ePass3000?
openct functionality should not be mixed with opensc functionality.

The "Not supported" messages are correct.


> P.S.: Attached is a patch fixing a couple of typos I came across (the
>      missing element in the option_help[] vector of cardos-tool.c
>      could cause a segfault, though).
Thanks. cardos-tool requires a big fat warning that this is a tool for Siemens CardOS cards, not a generic "Card OS" tool as well...


--
Martin Paljak
@martinpaljak.net
+3725156495


Re: ePass3000

Martin Paljak-2
In reply to this post by Ludolf Holzheid-2

On Jul 26, 2010, at 2:50 AM, Ludolf Holzheid wrote:
>
>
> P.S.: Attached is a patch fixing a couple of typos I came across (the
>      missing element in the option_help[] vector of cardos-tool.c
>      could cause a segfault, though).

Thanks, applied.

cardos-tool handling of --debug/--verbose/--help was broken.

As I've seen other people trying cardos-tool/cardos-info with arbitrary cards, I added a warning to the --help output of the command that this tool is for Siemens cards, not a generic "card operating system tool".
--
Martin Paljak
@martinpaljak.net
+3725156495
