Closed alhashash closed 1 year ago
See: https://github.com/OpenSC/OpenSC/issues/2397 and https://github.com/OpenSC/OpenSC/pull/2403
See if this looks like your problem.
The fix has been approved, but not committed to master. You could try building from GIT with the pull request.
@dengert Thanks for your suggestion. Unfortunately, #2403 does not fix this problem.
$ cd /tmp/OpenSC-epass2003-init/src
$ tools/pkcs11-tool --module pkcs11/.libs/opensc-pkcs11.so -L
Available slots:
Slot 0 (0x0): FT ePass2003Auto 00 00
(token not recognized)
Can you provide an opensc-debug.log
On Thu, Oct 28, 2021, 10:10 AM Mohammad Alhashash wrote:
Here is the debug output: debug.log (OPENSC_DEBUG=9)
@dengert
@FeitianSmartcardReader ?
Yes, Alhashash already contacted us by mail; our engineer is working on it. Thanks for the reminder.
@alhashash did you format the token to P15 format?
opensc-tool --list-readers
pkcs15-init --erase-card
pkcs15-init --create-pkcs15 --profile pkcs15+onepin --label "epass2003"
pkcs15-init --auth-id 1 --generate-key rsa/2048 --key-usage sign,decrypt
pkcs15-tool -D
pkcs11-tool --login --test
pkcs11-tool --module /usr/local/lib/pkcs11/onepin-opensc-pkcs11.so -t -l
pkcs11-tool --login --pin 1234 --change-pin --new-pin 123456
pkcs11-tool --module /usr/local/lib/opensc-pkcs11.so -l --pin 123456 --keypairgen --key-type rsa:1024 --id 10
@FeitianSmartcardReader To be fair, where would I find in Feitian web pages that I would need to "format the token to P15 format"?
https://www.ftsafe.com/download/files/Brochure/PKI_Identification/Flyer_ePass2003_A1+.pdf says: "With combined compatibility of Microsoft Minidriver and OpenSC, the ePass2003 is compatible with applications running on Windows, Linux and Mac"
But from your web site, I can not find any reference for an AUTO device that says: "To use with OpenSC..."
Searching using Google with: site:www.ftsafe.com OpenSC shows 4 references. Only https://www.ftsafe.com/article/447.html says: "FEITIAN ePass3000 OpenSC Wiki web page can be found at www.opensc-project.org." but that is not the device @alhashash has. And the www.opensc-project.org web site is for sale! OpenSC is now at https://github.com/OpenSC/OpenSC/wiki
The "AUTO" devices say they come with middleware so no other software is needed. So with an "AUTO" device I would not expect I would need additional software on any system.
Searching https://github.com/OpenSC/OpenSC/wiki shows 4 web pages: https://github.com/OpenSC/OpenSC/wiki/Feitian-ePass-PKI-token https://github.com/OpenSC/OpenSC/wiki/Feitian-ePass2003 https://github.com/OpenSC/OpenSC/wiki/Feitian-ePass3000 https://github.com/OpenSC/OpenSC/wiki/Feitian-PKI-card
These are out of date, and the ePass2003 page refers to http://www.gooze.eu/ which does not exist anymore. I got my epass2003 in 2014 from Gooze that came with good instructions for example:
"Formatting a smart card with pkcs15 file structure"
"The Feitian PKI card has only one PIN code. Feitian PKI card and token do not have System Officer PIN code (also called SOPIN). This is not a limitation from the card, which supports several PINs, but from the entersafe driver. This limitation might not exist in a short future."
"Presently, you can only initialize the card using the pkcs15+onepin option:
pkcs15-init --create-pkcs15 --profile pkcs15+onepin --use-default-transport-key --pin 0000 --puk 111111 --label "François Pérou"
"
@nmav had updated some of these pages in the past.
@FeitianSmartcardReader can you please update your documentation on what is and is not supported by OpenSC and at least add a page that lists:
opensc-tool --list-readers
pkcs15-init --erase-card
pkcs15-init --create-pkcs15 --profile pkcs15+onepin --label "epass2003"
pkcs15-init --auth-id 1 --generate-key rsa/2048 --key-usage sign,decrypt
pkcs15-tool -D
pkcs11-tool --login --test
pkcs11-tool --module /usr/local/lib/pkcs11/onepin-opensc-pkcs11.so -t -l
pkcs11-tool --login --pin 1234 --change-pin --new-pin 123456
pkcs11-tool --module /usr/local/lib/opensc-pkcs11.so -l --pin 123456 --keypairgen --key-type rsa:1024 --id 10
Thanks.
@FeitianSmartcardReader I did not format it myself. This is an official token issued by a government agency to sign tax invoices.
The token is working using the old driver libcastle.so.1.0.0
but the newer driver and OpenSC do not work. I'm trying to use OpenSC to access the token from a Raspberry Pi, for which I could not find a driver.
We are developing a middleware that runs on a Raspberry Pi or similar SBCs.
Is your intent to have users use their "This is an official token issued by a government agency to sign tax invoices." on a Raspberry Pi? The "government agency" may have initialized the card to their own specifications, different from the Feitian's or OpenSC's specification.
Or are you just using your own personal "government agency token" for testing? With the intent to issue tokens to users, in which case you could initialize new ePass2003 tokens to use OpenSC. Or you could use a different token from a different vendor.
Aah, Google for: 1PAY.SYS.DDF01. Looks like it is an EMV card, more like a credit card than a "smartcard".
The debug log has:
card-epass2003.c:1914:epass2003_process_fci: processing FCI bytes
card-epass2003.c:1918:epass2003_process_fci: file identifier: 0x3F00
card-epass2003.c:1989:epass2003_process_fci: type DF, EF structure 56
card-epass2003.c:1998:epass2003_process_fci:
File name (16 bytes):
31 50 41 59 2E 53 59 53 2E 44 44 46 30 31 00 00 1PAY.SYS.DDF01..
...
card.c:844:sc_select_file: called; type=2, path=3f005031
...
pkcs15.c:1050:sc_pkcs15_bind_internal: EF(ODF) not found in '3f005031'
You can also try and use the opensc-explorer
./opensc-explorer -c epass2003
OpenSC Explorer version 0.22.0
Using reader with a card: Feitian ePass2003 00 00
OpenSC [3F00]> help
(read the help, and then try:)
OpenSC [3F00]> ls
FileID Type Size
2F00 wEF 0
[5015] DF 0 Name: \xA0\x00\x00\x00cPKCS-15
OpenSC [3F00]> cd 5015
OpenSC [3F00/5015]> ls
FileID Type Size
9F00 wEF 2
5031 wEF 512
5032 wEF 128
5033 wEF 128
4401 wEF 4864
4402 wEF 1024
4403 wEF 1024
4404 wEF 2048
4405 wEF 4864
4946 wEF 128
3000 wEF 270
OpenSC [3F00/5015]>
Your card is able to do Secure messaging, so it is somewhat compatible, but does not have the PKCS15 structures that OpenSC expects.
@dengert Your first assumption is right; I'm developing a middleware to sign invoices using the "government-issued tokens", to be run on a Raspberry Pi or similar SBCs. I'm not going to initialize any new tokens.
I can use the old binary driver to sign digests using the token's private key, but it is available only for i386 and x64 architectures. Is this use case outside the scope of OpenSC? Is PKCS15 required to run OpenSC?
@dengert
$ tools/opensc-explorer -c epass2003
OpenSC Explorer version 0.22.0
Using reader with a card: FT ePass2003Auto 00 00
OpenSC [3F00]> ls
FileID Type Size
2F01 wEF 15
[2003] DF 0 Name: ENTERSAFE-ESPK\x00\x00
OpenSC [3F00]> cd 2003
OpenSC [3F00/2003]> ls
FileID Type Size
6F01 wEF 1500
9F00 wEF 2
2400 wEF 3072
2420 wEF 1024
2440 wEF 16
2460 wEF 40
8000 iEF 0
2480 wEF 493
24A0 wEF 526
24C0 wEF 2041
Sounds similar to https://github.com/OpenSC/OpenSC/issues/1397
Your token appears to be outside the scope of OpenSC. The file structure does not agree with PKCS15. With documentation on what is in those files, it could be possible to write an OpenSC driver. Are you interested in becoming an OpenSC developer?
@alhashash I see you have forked some Python based git repos.
If the token is EMV based, have a look at https://pypi.org/project/emv/
Also Google for: emv open source
Also note the RaspberryPi 4 can run Ubuntu.
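As an added illustration (my own code, not from this thread or from OpenSC), a small Python helper that applies the check discussed above to the two opensc-explorer `ls` listings posted here: it looks for the PKCS#15 application DF 5015 carrying the registered PKCS-15 AID (A0 00 00 00 63 "PKCS-15") and its EF(ODF) 5031, which is what `sc_pkcs15_bind_internal` reported as not found. The listing format parsed by the regex is assumed from the sessions in this thread.

```python
import re

# Registered PKCS#15 application identifier: A0 00 00 00 63 followed by ASCII "PKCS-15".
# opensc-explorer prints it escaped as \xA0\x00\x00\x00cPKCS-15 (0x63 is the letter 'c').
PKCS15_AID = bytes.fromhex("a000000063") + b"PKCS-15"
PKCS15_DF = 0x5015   # default PKCS#15 application DF under the MF
EF_ODF = 0x5031      # object directory file that sc_pkcs15_bind_internal selects

# One line of `ls` output, e.g. "[5015] DF 0 Name: \xA0...cPKCS-15" or "5031 wEF 512"
# (format assumed from the listings in this thread).
ENTRY = re.compile(r"^\s*\[?([0-9A-Fa-f]{4})\]?\s+(DF|wEF|iEF)\s+(\d+)(?:\s+Name:\s*(.*))?\s*$")

def decode_name(escaped):
    """Turn the \\xHH-escaped DF name printed by opensc-explorer into raw bytes."""
    unescaped = re.sub(r"\\x([0-9A-Fa-f]{2})", lambda m: chr(int(m.group(1), 16)), escaped)
    return unescaped.encode("latin-1")

def parse_ls(listing):
    """Parse an `ls` listing into (fid, type, size, name-bytes-or-None) tuples."""
    entries = []
    for line in listing.splitlines():
        m = ENTRY.match(line)
        if m:
            name = decode_name(m.group(4)) if m.group(4) else None
            entries.append((int(m.group(1), 16), m.group(2), int(m.group(3)), name))
    return entries

def classify(mf_listing, app_df_listing):
    """Report whether the token has the PKCS#15 layout OpenSC's pkcs15 layer binds to."""
    mf = parse_ls(mf_listing)
    app = parse_ls(app_df_listing)
    pkcs15_df = any(t == "DF" and fid == PKCS15_DF and name == PKCS15_AID for fid, t, _, name in mf)
    odf = any(fid == EF_ODF for fid, _, _, _ in app)
    if pkcs15_df and odf:
        return "pkcs15"   # DF 5015 with the PKCS-15 AID and EF(ODF) 5031: bind can proceed
    # Otherwise name the DF(s) that are there instead, e.g. ENTERSAFE-ESPK on the Egyptian tokens.
    other = [name.rstrip(b"\0").decode("ascii", "replace") for _, t, _, name in mf if t == "DF" and name]
    return "proprietary:" + ",".join(other)

# Listings copied from the two opensc-explorer sessions posted in this thread (trimmed).
PKCS15_MF = "FileID Type Size\n2F00 wEF 0\n[5015] DF 0 Name: \\xA0\\x00\\x00\\x00cPKCS-15\n"
PKCS15_APP = "FileID Type Size\n9F00 wEF 2\n5031 wEF 512\n5032 wEF 128\n"
AUTO_MF = "FileID Type Size\n2F01 wEF 15\n[2003] DF 0 Name: ENTERSAFE-ESPK\\x00\\x00\n"
AUTO_APP = "FileID Type Size\n6F01 wEF 1500\n9F00 wEF 2\n2400 wEF 3072\n"

if __name__ == "__main__":
    print(classify(PKCS15_MF, PKCS15_APP))   # pkcs15
    print(classify(AUTO_MF, AUTO_APP))       # proprietary:ENTERSAFE-ESPK
```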
Please use your contact to the @FeitianSmartcardReader technician to solve this issue. If possible, provide a fix via pull requests.
@alhashash Did you manage to find a fix for this?
Also, would you kindly share how I can get the "FT binary driver libcastle.so.1.0.0" and if that's available for Windows, please.
@M-Dahab No. Unfortunately. @FeitianSmartcardReader offered to help at first. Then, they involved their Egyptian partner, who was reluctant to help.
The Linux driver is available over the Internet from several distributors. Look for EnterSafe-castle-linux-20120801.
You may extract the Windows DLL from the downloadable driver from any Egyptian company that issues EInvoice certificates, such as https://egypttrust.com/en/other-drivers/. Extract or install the executable and search for eps2003csp1164.dll.
I do not know if I can post these drivers here or distribute them in any way. Maybe @FeitianSmartcardReader could help.
Thank you very much @alhashash!
I've managed to extract eps2003csp1164.dll from ePass2003-Setup 1 17.exe, which is available here, and it's working fine for ePass2003 🥳
@M-Dahab To avoid confusing others who may read this issue, these old drivers are required only to access specific non-pkcs15 ePass2003 tokens (like those we have to use in Egypt to sign invoices).
If you manage your own PKI, you had better reformat the tokens as pkcs15 for compatibility with standard OpenSC and recent Feitian drivers.
I cannot use ePass2003 token with OpenSC v0.22.0:
It does work using the FT binary driver libcastle.so.1.0.0:
The latest version of the FT driver (v2) does NOT work either!:
I hope to use OpenSC as I need to run it on ARM architecture which is not supported by FT driver.
@FeitianSmartcardReader