
eToken PRO 64K CardOS V4.2B + opensc trouble


eToken PRO 64K CardOS V4.2B + opensc trouble

Sven-49
Hi everyone,

I'm trying to get a pre-installed Aladdin eToken Pro 64k to work
with Ubuntu + opensc + gnupg. The eToken was prepared by my company
with the proprietary Aladdin Software I think.

I got opensc to recognize the eToken, but now I'm stuck, some details:

opensc version: 0.11.8-1ubuntu2
Ubuntu 64-Bit Karmic Koala

# uname -a
Linux opdfd126n 2.6.31-20-generic #58-Ubuntu SMP Fri Mar 12 04:38:19 UTC 2010 x86_64 GNU/Linux

# lsusb
Bus 002 Device 003: ID 413c:8147 Dell Computer Corp.
Bus 002 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
Bus 003 Device 001: ID 1d6b:0001 Linux Foundation 1.1 root hub
Bus 004 Device 001: ID 1d6b:0001 Linux Foundation 1.1 root hub
Bus 007 Device 004: ID 0529:0600 Aladdin Knowledge Systems eToken Pro 64k (4.2)
[...]

# opensc-tool --name
Using reader with a card: Aladdin eToken PRO 64k
CardOS M4

# cardos-info n
Running cardos-tool --info n
Using reader with a card: Aladdin eToken PRO 64k
3b:f2:18:00:02:c1:0a:31:fe:58:c8:09:75
Info : CardOS V4.2B (C) Siemens AG 1994-2005
Chip type: 124
Serial number: 28 47 7e 08 17 1a
Full prom dump:
33 66 00 22 9A 9A 9A 9A 7C FF 28 47 7E 08 17 1A 3f."....|.(G~...
00 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 ................
OS Version: 200.9 (that's CardOS M4.2B)
Current life cycle: 32 (administration)
Security Status of current DF:
Free memory : 1024
ATR Status: 0x0 ROM-ATR
Packages installed:
Ram size: 4, Eeprom size: 64, cpu type: 66, chip config: 63
Free eeprom memory: 30094
System keys: PackageLoadKey (version 0xfe, retries 10)
System keys: StartKey (version 0xff, retries 10)
Path to current DF:

Also opensc-tool -f shows lots of data on the token. When I try with gnupg-pkcs11-scd to
read the keys it shows none:

# cat gnupg-pkcs11-scd.conf
providers p1
provider-p1-library /usr/lib/opensc-pkcs11.so
debug-all

# gpg-agent --server
OK Pleased to meet you
SCD LEARN
gnupg-pkcs11-scd[9960.544741104]: version: 0.06
gnupg-pkcs11-scd[9960.544741104]: config: debug=1, verbose=0
gnupg-pkcs11-scd[9960.544741104]: config: pin_cache=-1
gnupg-pkcs11-scd[9960.544741104]: config: provider: name=p1, library=/usr/lib/opensc-pkcs11.so, allow_protected=0, cert_is_private=0, private_mask=00000000
gnupg-pkcs11-scd[9960.544741104]: run_mode: 2
gnupg-pkcs11-scd[9960.544741104]: crypto: openssl
gnupg-pkcs11-scd[9960.544741104]: Listening to socket '/tmp/gnupg-pkcs11-scd.PFHert/agent.S'
S SERIALNO 504B435323313120544F4B454E 0
S APPTYPE PKCS11
OK

Hopefully someone can answer my questions or point me into the right direction:

1. I received a PIN number with this eToken, do I maybe have to unlock the eToken first somehow to access the keys using opensc-pkcs11.so?

2. Is it even possible to use the eToken with the prepared PKCS#11 structure using opensc-pkcs11.so or is this only possible after re-initialization using opensc tools?

3. If I need to re-initialize the eToken is there a way to backup the certificates/keys and re-use them with the new structure? The certificates on the token are signed by
our company CA, therefore creating new ones from scratch is not an option.

4. I tried the middleware libraries supplied by Aladdin, but they did not work at all - with opensc the token is recognized and the red light is on.

Regards,
Sven
_______________________________________________
opensc-user mailing list
[hidden email]
http://www.opensc-project.org/mailman/listinfo/opensc-user

Re: eToken PRO 64K CardOS V4.2B + opensc trouble

Dan Peterson [ESnet]

OpenSC will not see a partition created by Aladdin.
OpenSC  = PKCS15
Aladdin = PKCS11

You can format the token with opensc and not interfere with the Aladdin
partition; in other words, the token can have both.
If you need instructions to format with openSC I can provide some....



--
Dan


Re: eToken PRO 64K CardOS V4.2B + opensc trouble

Sven-49
2010/4/28 Dan Peterson <[hidden email]>:
> OpenSC will not see a partition created by Aladdin..
> OpenSC  = PKCS15
> Aladdin = PKCS11

I see, thanks - but

# opensc-tool -f

lists lots of files on the token and with opensc-explorer I can see
some sort of structure:

# opensc-explorer
OpenSC Explorer version 0.11.8
Using reader with a card: Aladdin eToken PRO 64k
OpenSC [3F00]> ls
FileID Type  Size
[6666]  DF   256 Name: AKS
OpenSC [3F00]> cd 6666
OpenSC [3F00/6666]> ls
FileID Type  Size
[1000]  DF     0
[1001]  DF  5120
[1002]  DF     0
[1003]  DF   512
[1004]  DF     0
[5000]  DF     0
[6000]  DF     0

> You can format the token with opensc and not interfere with the Aladdin
> partition in other words the token can have both.

I would have to find a way to export the certificates/keys with the
Aladdin software and reimport using opensc and PKCS#15, if this is even
possible. Creating new keys is not an option unfortunately...

Sven

Re: eToken PRO 64K CardOS V4.2B + opensc trouble

Andreas Jellinghaus-2
On Wednesday 28 April 2010 20:25:20, Sven wrote:
> I would have to find a way to export the certificates/keys with the
> Aladdin software and reimport using opensc and PKCS#15, if this is even
> possible. Creating new keys is not an option unfortunately...

No, export is not possible, as smart cards don't let you export private
keys.

But you could figure out what file contains what content (probably
that isn't very hard, I'm told) and then implement an emulation
driver for opensc. We already emulate a number of non-PKCS#15 cards,
so the infrastructure is there.

Regards, Andreas

Re: eToken PRO 64K CardOS V4.2B + opensc trouble

Sven-49
Andreas Jellinghaus <aj <at> dungeon.inka.de> writes:

> but you could figure out what file contains what content - probably
> that isn't very hard, I'm told - and then implement an emulation
> driver for opensc. we emulate already a number of non-pkcs#15 cards,
> so the infrastructure is there.
>
> Regards, Andreas

I'd be willing to try this, however certain fields cannot be read, due
to security restrictions:

[opensc-tool] card-cardos.c:259:cardos_check_sw: required access right not granted
[opensc-tool] iso7816.c:129:iso7816_read_binary: returning with: Security status not satisfied
[opensc-tool] card.c:430:sc_read_binary: returning with: Security status not satisfied
3f00666650000201c103 type: wEF, ef structure: transpnt, size: 42
read[CHV1] update[NEVR] write[CHV1] erase[NEVR] rehab[NEVR] inval[NEVR]
sec: 01:01:FF:FF:FF:01 prop: 00

I received a PIN with the eToken, and "verify" seems to be what I want:

OpenSC [3F00]> verify
Usage: verify <key type><key ref> [<key in hex>]
Possible values of <key type>:
CHV
KEY
AUT
PRO
Example: verify CHV2 31:32:33:34:00:00:00:00
If key is omitted, card reader's keypad will be used to collect PIN.
OpenSC [3F00]>

but I'm not sure which type to use, for (as I understand) I only have
3 attempts ;-)

Sven

Re: eToken PRO 64K CardOS V4.2B + opensc trouble

Jozsef Dojcsak
Sven wrote:

> I received a PIN with the eToken, and "verify" seems to be what I want:
>
> OpenSC [3F00]> verify
> Usage: verify <key type><key ref> [<key in hex>]
> Possible values of <key type>:
> CHV
> KEY
> AUT
> PRO
> Example: verify CHV2 31:32:33:34:00:00:00:00
> If key is omitted, card reader's keypad will be used to collect PIN.
> OpenSC [3F00]>
>
> but I'm not sure which type to use, for (as I understand) I only have
> 3 attempts ;-)
>
> Sven
AFAIK, you should use CHV (card holder verification, aka PIN), but
you also have to specify the PIN ID (1, 2, ...). See your PINs with
"pkcs15-tool --list-pins".
You should have received a PUK code as well, which could be used to
unblock the PIN if you fail with the verify.

Cheers
Jozsef

Re: eToken PRO 64K CardOS V4.2B + opensc trouble

Peter Koch-5
Hi Sven!

2010/4/29 Sven <[hidden email]>:
> Andreas Jellinghaus <aj <at> dungeon.inka.de> writes:
>
>> but you could figure out what file contains what content - probably
>> that isn't very hard, I'm told - and then implement an emulation
>> driver for opensc. we emulate already a number of non-pkcs#15 cards,
>> so the infrastructure is there.
>
> I'd be willing to try this, however certain fields cannot be read, due
> to security restrictions:

Writing an emulation would be relatively easy: just duplicate one of the
existing emulations and make some minor changes, that's it.
Finding out where the keys, certificates and PINs are located within
the 6666 DF is easy too. There are some people on this list who
can provide you with this information.

But here is the bad news: the private keys are NOT protected by
a PIN; Aladdin uses a challenge-response mechanism instead.
In order to use a private key, the Aladdin middleware requests an
eight-byte challenge from the eToken and then calculates the
response using the password. This has two consequences:

1) The eToken-password is never sent to the eToken so you
can use an eToken over an insecure connection.

2) You MUST use the Aladdin middleware to use a private
key that was created by the Aladdin middleware since only
the Aladdin middleware knows how to calculate the response
from the challenge and the password.

> [opensc-tool] card-cardos.c:259:cardos_check_sw: required access right not granted
> [opensc-tool] iso7816.c:129:iso7816_read_binary: returning with: Security status not satisfied
> [opensc-tool] card.c:430:sc_read_binary: returning with: Security status not satisfied
> 3f00666650000201c103 type: wEF, ef structure: transpnt, size: 42
> read[CHV1] update[NEVR] write[CHV1] erase[NEVR] rehab[NEVR] inval[NEVR]
> sec: 01:01:FF:FF:FF:01 prop: 00
>
> I received a PIN with the eToken, and "verify" seems to be what I want:

You did not receive a PIN but the above-mentioned password. Doing
a regular PIN verification with this password will not work.

Peter

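The following is an added illustration, not code from the thread, from OpenSC or from Aladdin, of the distinction Peter draws between a PIN verify (what `verify CHV1 ...` exercises) and a challenge-response path, and of Sven's worry about burning his three attempts. The token is a constructed simulation; the key derivation (SHA-256 over a labelled password) and the response function (HMAC-SHA256 over the challenge) are my assumptions for a generic scheme and are not Aladdin's actual algorithm. It shows that feeding the password into the CHV path fails and decrements the retry counter, that the challenge-response path succeeds without the password ever crossing the host-token link, that a wrong password fails, and that a captured response cannot be replayed against a fresh challenge.

```python
"""Constructed simulation: PIN verify (CHV) versus challenge-response.
Hypothetical scheme for illustration; NOT Aladdin's algorithm, NOT OpenSC."""
import hashlib
import hmac
import secrets

CHALLENGE_LEN = 8     # eight-byte challenge, as described in the thread
MAX_RETRIES = 3       # constructed retry limit for the CHV path


def derive_cr_key(password: str) -> bytes:
    """Constructed KDF (assumption): the token stores this key at
    personalisation time, never the password itself."""
    return hashlib.sha256(b"constructed-kdf-v1:" + password.encode("utf-8")).digest()


class TokenSim:
    """Toy token with two independent authentication paths."""

    def __init__(self, pin: bytes, password: str):
        self._pin = pin
        self._cr_key = derive_cr_key(password)
        self.retries_left = MAX_RETRIES
        self._pending_challenge = None
        self.pin_authenticated = False
        self.cr_authenticated = False
        self.wire = []   # every byte string that crossed the host<->token link

    # --- path 1: classic PIN verify (what `verify CHV1 ...` exercises) ---
    def verify_chv(self, candidate: bytes) -> bool:
        self.wire.append(candidate)          # the PIN itself travels to the token
        if self.retries_left == 0:
            return False                     # blocked; only a PUK could unblock it
        if hmac.compare_digest(candidate, self._pin):
            self.retries_left = MAX_RETRIES
            self.pin_authenticated = True
            return True
        self.retries_left -= 1               # each wrong guess burns an attempt
        return False

    # --- path 2: challenge-response (password never leaves the host) ---
    def get_challenge(self) -> bytes:
        self._pending_challenge = secrets.token_bytes(CHALLENGE_LEN)
        self.wire.append(self._pending_challenge)
        return self._pending_challenge

    def external_authenticate(self, response: bytes) -> bool:
        self.wire.append(response)
        if self._pending_challenge is None:
            return False
        expected = hmac.new(self._cr_key, self._pending_challenge, hashlib.sha256).digest()
        self._pending_challenge = None       # one challenge, one attempt
        self.cr_authenticated = hmac.compare_digest(expected, response)
        return self.cr_authenticated


def middleware_respond(challenge: bytes, password: str) -> bytes:
    """Host-side computation: only the response, not the password, is sent."""
    return hmac.new(derive_cr_key(password), challenge, hashlib.sha256).digest()


def demo_pin_path(password: str):
    """Typing the challenge-response password into a CHV verify: fails and
    costs a retry. Returns (verify result, retries left)."""
    token = TokenSim(pin=b"1234", password=password)
    ok = token.verify_chv(password.encode("utf-8"))
    return ok, token.retries_left


def demo_cr_path(token_password: str, host_password: str):
    """Challenge-response round trip. Returns (auth result, password seen on wire)."""
    token = TokenSim(pin=b"1234", password=token_password)
    challenge = token.get_challenge()
    ok = token.external_authenticate(middleware_respond(challenge, host_password))
    leaked = host_password.encode("utf-8") in token.wire
    return ok, leaked


def demo_cr_replay(password: str):
    """A captured response is useless against a fresh challenge."""
    token = TokenSim(pin=b"1234", password=password)
    response = middleware_respond(token.get_challenge(), password)
    first = token.external_authenticate(response)
    token.get_challenge()                    # fresh challenge
    second = token.external_authenticate(response)
    return first, second


if __name__ == "__main__":
    print("CHV with password (ok, retries_left):", demo_pin_path("s3cret-pw"))
    print("C/R correct password (ok, leaked):   ", demo_cr_path("s3cret-pw", "s3cret-pw"))
    print("C/R wrong password (ok, leaked):     ", demo_cr_path("s3cret-pw", "wrong"))
    print("C/R replay (first, second):          ", demo_cr_replay("s3cret-pw"))
```

The retry counter in `verify_chv` is what makes Jozsef's advice to list the PIN objects first (and to keep the PUK at hand) a safety measure rather than a formality: on a real token the counter is persistent, and the simulation's `retries_left` models that only within one run.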