CardContact / sc-hsm-embedded

PKCS#11 and CSP-Minidriver library for the SmartCard-HSM and STARCOS based signature cards
BSD 3-Clause "New" or "Revised" License

Identive SCT3522CC [CCID Interface] token not utilized on Linux (neither OpenSC or Smart Card Shell can utilize it) #41

Closed vessokolev closed 6 months ago

vessokolev commented 6 months ago

I got this token:

https://www.cardomatic.de/en/p/utrust-token-pro

in fact, four of them. The token (with idVendor=04e6 and idProduct=5817) is recognized properly by PCSC Lite. As suggested, I also applied the script:

https://github.com/CardContact/sc-hsm-embedded/blob/master/etc/add-sc-hsm-usb-id.sh

to upgrade the PCSC Lite drivers' database to the most recent one that supports the token, but it appears the database was already up to date (pcsc-lite-1.9.4-1.el9.x86_64 package, officially bundled and packaged by Red Hat for Red Hat Enterprise Linux 9). The OpenSC package (opensc-0.23.0) cannot recognize the token:

$ pkcs15-tool -T
Using reader with a card: Identive SCT3522CC token [CCID Interface] (55521904600919) 00 00
Failed to connect to card: Card is invalid or cannot be handled
$ pkcs11-tool -L
Available slots:
Slot 0 (0x0): Identive SCT3522CC token [CCID Interface] (55521904600919) 00 00
  (token not recognized)

I compiled OpenSC 0.24.0 and tried with that version. The result displayed by running pkcs15-tool and pkcs11-tool repeats what is shown above. No improvement.

The Smart Card Shell (latest) cannot recognize that token either:

>_scsh3.setProperty("reader","Identive SCT3522CC token [CCID Interface] (55521904600919) 00 00");
>load("keymanager/keymanager.js");
GPError: Card (CARD_INVALID_SW/27270) - "Unexpected SW1/SW2=6A86 (Checking error: Incorrect P1-P2) received" in /home/vesso/CardContact/scsh3/scsh/sc-hsm/SmartCardHSM.js#1436
    at /home/vesso/CardContact/scsh3/scsh/sc-hsm/SmartCardHSM.js#1436
    at /home/vesso/CardContact/scsh3/scsh/sc-hsm/SmartCardHSM.js#94
    at /home/vesso/CardContact/scsh3/keymanager/keymanager.js#198
    at /home/vesso/CardContact/scsh3/keymanager/keymanager.js#42
    at /home/vesso/CardContact/scsh3/keymanager/keymanager.js#2457

>

The PKI-as-a-service portal at https://www.pki-as-a-service.net also cannot recognize the token:

"The card in your reader or the attached USB-Token is not a valid SmartCard-HSM."

Note that at the same time all the tools and platforms mentioned perfectly recognize and work with the Identiv uTrust 3512 SAM slot Token [CCID Interface] (idVendor=04e6, idProduct=5816).

So the question is how can one utilize Identive SCT3522CC [CCID Interface] tokens on Linux?

CardContact commented 6 months ago

The token you are referring to has a built-in secure element, but does not contain the SmartCard-HSM applet software. It is just a plain JCOP 2.4.1 secure element from NXP, which we used 10 years ago as the platform for the SmartCard-HSM product. We currently use a uTrust Token Standard with a JCOP 4.0 SIM inserted.

You could get a SIM card reader and a SmartCard-HSM SIM version to build your own, but the uTrust Token Pro does not get you anywhere if you are looking for a SmartCard-HSM.
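The distinction drawn above, a reader and secure element that answer versus a SmartCard-HSM applet that is actually present, can be checked directly from the command line. The following is an added diagnostic example, not code from sc-hsm-embedded or CardContact: it sends an ISO 7816-4 SELECT for the SmartCard-HSM application identifier and interprets the status word. It assumes the third-party pyscard package and a running PC/SC daemon for the live probe; the APDU and status-word helpers are pure Python. The AID used is the one OpenSC selects for SmartCard-HSM cards, and the decimal code 27270 in the Smart Card Shell traceback above is simply 0x6A86 written in decimal.

```python
"""Probe a PC/SC reader for the SmartCard-HSM applet.

Added example (not part of sc-hsm-embedded). Distinguishes "secure element
answers but has no SmartCard-HSM applet" from "reader cannot be used at all".
Live probing assumes the pyscard package (an assumption of this example).
"""
import sys
from typing import Tuple

# AID of the SmartCard-HSM applet (the DF name OpenSC selects for sc-hsm cards).
SC_HSM_AID = bytes.fromhex("E82B0601040181C31F0201")

# Meanings of the ISO 7816-4 status words relevant to this check.
SW_MEANINGS = {
    0x9000: "ok: SmartCard-HSM applet selected",
    0x6A82: "not found: secure element has no SmartCard-HSM applet installed",
    0x6A86: "incorrect P1-P2: the card does not understand the command as sent",
    0x6D00: "instruction code not supported by this card",
    0x6E00: "class byte not supported by this card",
}


def build_select_aid(aid: bytes = SC_HSM_AID) -> bytes:
    """SELECT by DF name: CLA 00, INS A4, P1 04, P2 0C (no FCI wanted), Lc, AID."""
    if not 1 <= len(aid) <= 16:
        raise ValueError("an AID is between 1 and 16 bytes long")
    return bytes([0x00, 0xA4, 0x04, 0x0C, len(aid)]) + aid


def sw_from_gperror_code(code: int) -> str:
    """Smart Card Shell reports the status word as a decimal GPError code;
    render it as the usual four hex digits (27270 -> '6A86')."""
    return f"{code:04X}"


def describe_sw(sw1: int, sw2: int) -> str:
    """Human-readable meaning of a status word, with a fallback for unknown ones."""
    sw = (sw1 << 8) | sw2
    return SW_MEANINGS.get(sw, f"unexpected status word {sw:04X}")


def is_smartcard_hsm(sw1: int, sw2: int) -> bool:
    """True only when SELECT of the SmartCard-HSM AID returned 9000."""
    return sw1 == 0x90 and sw2 == 0x00


def probe_reader(name_fragment: str) -> Tuple[str, str]:
    """Connect to the first PC/SC reader whose name contains name_fragment,
    send the SELECT and return (ATR as hex, verdict). Needs pyscard (assumed)."""
    from smartcard.System import readers      # pyscard, imported lazily
    from smartcard.util import toHexString

    matches = [r for r in readers() if name_fragment in str(r)]
    if not matches:
        raise LookupError(f"no PC/SC reader matching {name_fragment!r}")
    conn = matches[0].createConnection()
    conn.connect()                            # raises if no card/SE answers at all
    atr = toHexString(conn.getATR())
    _data, sw1, sw2 = conn.transmit(list(build_select_aid()))
    return atr, describe_sw(sw1, sw2)


if __name__ == "__main__":
    # Reader name fragment from the issue by default; pass another as argv[1].
    fragment = sys.argv[1] if len(sys.argv) > 1 else "SCT3522CC"
    atr, verdict = probe_reader(fragment)
    print("ATR:", atr)
    print("SELECT SmartCard-HSM AID:", verdict)
```

A 9000 answer means the applet is there and the problem lies elsewhere; a 6A82 (or, as in the traceback above, a 6A86) with a valid ATR means the reader and secure element are fine but no SmartCard-HSM applet is installed, which is exactly the case the maintainer describes.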

vessokolev commented 6 months ago

"Excellent" news, which puts a huge stain on the seller. Having this one:

https://www.smartcard-hsm.com/2015/11/20/Building-a-SmartCard-HSM-Cluster.html

online without specifying that it is outdated and that the hardware used is no longer supported, shows that you do not care about the content's correctness, which is quite disrespectful to your customers. You just lost a loyal customer.

CardContact commented 6 months ago

From what information in the above blog do you derive that a plain card reader is automatically a SmartCard-HSM?

As the name implies, a SmartCard-HSM is a smart card, not a card reader. And a SmartCard-HSM token is nothing more than a smart card in SIM format stuck into a SIM card reader. There happen to be readers with an embedded smart card chip, but that alone does not make them a SmartCard-HSM.

I guess you just picked the wrong article in the webshop. You should have chosen the SmartCard-HSM instead.

vessokolev commented 6 months ago

"To find out how well cryptographic processing scales in a cluster, we equipped a myUTN-80 with 8 SmartCard-HSM EA+ token." And the tokens are listed:

Port VID    PID    Manufacturer                  Product
.--- ------ ------ ----------------------------- -----------------------------
1    0x04e6 0x5817 Identiv                       uTrust 3522 embd SE Token
2    0x04e6 0x5817 Identiv                       uTrust 3522 embd SE Token
3    0x04e6 0x5817 Identiv                       uTrust 3522 embd SE Token
4    0x04e6 0x5817 Identiv                       uTrust 3522 embd SE Token
5    0x04e6 0x5817 Identiv                       uTrust 3522 embd SE Token
6    0x04e6 0x5817 Identiv                       uTrust 3522 embd SE Token
7    0x04e6 0x5817 Identiv                       uTrust 3522 embd SE Token
8    0x04e6 0x5817 Identiv                       uTrust 3522 embd SE Token

and they correspond to uTrust Token Pro.

CardContact commented 6 months ago

I've taken the opportunity and fixed the misleading blog post.

vessokolev commented 6 months ago

Thanks. I hope that fix will stop any further confusion. Note that the blog post in its original form was not offensive; it was misleading.