OpenSC / OpenSC

Open source smart card tools and middleware. PKCS#11/MiniDriver/Tokend
https://github.com/OpenSC/OpenSC/wiki
GNU Lesser General Public License v2.1

FT ePass2003 - "token not recognized" #2424

Closed alhashash closed 1 year ago

alhashash commented 2 years ago

I cannot use ePass2003 token with OpenSC v0.22.0:

$ pkcs11-tool --module /usr/lib64/opensc-pkcs11.so -L
Available slots:
Slot 0 (0x0): FT ePass2003Auto 00 00
  (token not recognized)

$ opensc-tool -i
OpenSC 0.22.0 [gcc  11.2.1 20210728 (Red Hat 11.2.1-1)]
Enabled features: locking zlib readline openssl pcsc(libpcsclite.so.1)

$ lsusb |grep Feitian
Bus 001 Device 035: ID 096e:080a Feitian Technologies, Inc. USB TOKEN

It does work using the FT binary driver libcastle.so.1.0.0

$ pkcs11-tool --module /tmp/libcastle.so.1.0.0  -L 
Available slots:
Slot 0 (0x1): ES SLOT 1
  token label        : <removed>
  token manufacturer : EnterSafe
  token model        : ePass2003
  token flags        : login required, rng, token initialized, PIN initialized, user PIN to be changed
  hardware version   : 16.50
  firmware version   : 16.50
  serial num         : <removed>
  pin min/max        : 8/255

The latest version of the FT driver (v2) does NOT work either:

$ pkcs11-tool --module /tmp/libcastle_v2.so.1.0.0  -L 
Available slots:
Slot 0 (0x1): ES SLOT 1
C_GetTokenInfo() failed: rv = CKR_GENERAL_ERROR

I hope to use OpenSC as I need to run it on ARM architecture which is not supported by FT driver.

@FeitianSmartcardReader

dengert commented 2 years ago

See: https://github.com/OpenSC/OpenSC/issues/2397 and https://github.com/OpenSC/OpenSC/pull/2403

See if this looks like your problem.

The fix has been approved, but not committed to master. You could try building from GIT with the pull request.

alhashash commented 2 years ago

@dengert Thanks for your suggestion. Unfortunately, #2403 does not fix this problem.

$ cd /tmp/OpenSC-epass2003-init/src
$ tools/pkcs11-tool --module pkcs11/.libs/opensc-pkcs11.so  -L
Available slots:
Slot 0 (0x0): FT ePass2003Auto 00 00
  (token not recognized)
dengert commented 2 years ago

Can you provide an opensc-debug.log

On Thu, Oct 28, 2021, 10:10 AM Mohammad Alhashash @.***> wrote:

@dengert https://github.com/dengert Thanks for your suggestion. Unfortunately, #2403 https://github.com/OpenSC/OpenSC/pull/2403 does not fix this problem.

$ pkcs11-tool --module /tmp/OpenSC-epass2003-init/src/pkcs11/.libs/opensc-pkcs11.so -L
Available slots:
Slot 0 (0x0): FT ePass2003Auto 00 00
  (token not recognized)


alhashash commented 2 years ago

Here is the debug output: debug.log (OPENSC_DEBUG=9)

@dengert

frankmorgner commented 2 years ago

@FeitianSmartcardReader ?

FeitianSmartcardReader commented 2 years ago

Yes, Alhashash already contacted us by mail; our engineer is working on it. Thanks for the reminder.

FeitianSmartcardReader commented 2 years ago

@alhashash did you format the token to P15 format?

opensc-tool --list-readers
pkcs15-init --erase-card
pkcs15-init --create-pkcs15 --profile pkcs15+onepin --label "epass2003"
pkcs15-init --auth-id 1 --generate-key rsa/2048 --key-usage sign,decrypt
pkcs15-tool -D
pkcs11-tool --login --test
pkcs11-tool --module /usr/local/lib/pkcs11/onepin-opensc-pkcs11.so -t -l
pkcs11-tool --login --pin 1234 --change-pin --new-pin 123456
pkcs11-tool --module /usr/local/lib/opensc-pkcs11.so -l --pin 123456 --keypairgen --key-type rsa:1024 --id 10

dengert commented 2 years ago

@FeitianSmartcardReader To be fair, where would I find in Feitian web pages that I would need to "format the token to P15 format"?

https://www.ftsafe.com/download/files/Brochure/PKI_Identification/Flyer_ePass2003_A1+.pdf says: "With combined compatibility of Microsoft Minidriver and OpenSC, the ePass2003 is compatible with applications running on Windows, Linux and Mac"

But from your web site, I can not find any reference for an AUTO device that says: "To use with OpenSC..."

Searching using Google with: site:www.ftsafe.com OpenSC shows 4 references. Only https://www.ftsafe.com/article/447.html says: "FEITIAN ePass3000 OpenSC Wiki web page can be found at www.opensc-project.org." but that is not the device @alhashash has. And the www.opensc-project.org web site is for sale! OpenSC is now at https://github.com/OpenSC/OpenSC/wiki

The "AUTO" devices say they come with middleware, so no other software is needed. So with an "AUTO" device I would not expect to need additional software on any system.

Searching https://github.com/OpenSC/OpenSC/wiki shows 4 web pages: https://github.com/OpenSC/OpenSC/wiki/Feitian-ePass-PKI-token https://github.com/OpenSC/OpenSC/wiki/Feitian-ePass2003 https://github.com/OpenSC/OpenSC/wiki/Feitian-ePass3000 https://github.com/OpenSC/OpenSC/wiki/Feitian-PKI-card

These are out of date, and the ePass2003 page refers to http://www.gooze.eu/ which does not exist anymore. I got my epass2003 in 2014 from Gooze that came with good instructions for example:

"Formatting a smart card with pkcs15 file structure"

"The Feitian PKI card has only one PIN code. Feitian PKI card and token do not have System Officer PIN code (also called SOPIN). This is not a limitation from the card, which supports several PINs, but from the entersafe driver. This limitation might not exist in a short future."

"Presently, you can only initialize the card using the pkcs15+onepin option: pkcs15-init --create-pkcs15 --profile pkcs15+onepin --use-default-transport-key --pin 0000 --puk 111111 -- label "François Pérou""

@nmav had updated some of these pages in the past.

@FeitianSmartcardReader can you please update your documentation on what is and is not supported by OpenSC and at least add a page that lists:

opensc-tool --list-readers
pkcs15-init --erase-card
pkcs15-init --create-pkcs15 --profile pkcs15+onepin --label "epass2003"
pkcs15-init --auth-id 1 --generate-key rsa/2048 --key-usage sign,decrypt
pkcs15-tool -D
pkcs11-tool --login --test
pkcs11-tool --module /usr/local/lib/pkcs11/onepin-opensc-pkcs11.so -t -l
pkcs11-tool --login --pin 1234 --change-pin --new-pin 123456
pkcs11-tool --module /usr/local/lib/opensc-pkcs11.so -l --pin 123456 --keypairgen --key-type rsa:1024 --id 10

Thanks.

alhashash commented 2 years ago

@FeitianSmartcardReader I did not format it myself. This is an official token issued by a government agency to sign tax invoices.

The token is working using the old driver libcastle.so.1.0.0, but the newer driver and OpenSC do not work. I'm trying to use OpenSC to access the token from a Raspberry Pi, for which I could not find a driver.

We are developing a middleware that runs on a Raspberry Pi or similar SBCs.

dengert commented 2 years ago

Is your intent to have users use their "This is an official token issued by a government agency to sign tax invoices." on a Raspberry Pi? The "government agency" may have initialized the card to their own specifications, different from the Feitian's or OpenSC's specification.

Or are you just using your own personal "government agency token" for testing, with the intent to issue tokens to users? In that case you could initialize new ePass2003 tokens to use OpenSC. Or you could use a different token from a different vendor.

dengert commented 2 years ago

Aah, Google for: 1PAY.SYS.DDF01. Looks like it is an EMV card, more like a credit card than a "smartcard".

The debug log has:

card-epass2003.c:1914:epass2003_process_fci: processing FCI bytes
card-epass2003.c:1918:epass2003_process_fci:   file identifier: 0x3F00
 card-epass2003.c:1989:epass2003_process_fci: type DF, EF structure 56
card-epass2003.c:1998:epass2003_process_fci: 
File name (16 bytes):
31 50 41 59 2E 53 59 53 2E 44 44 46 30 31 00 00 1PAY.SYS.DDF01..
...
card.c:844:sc_select_file: called; type=2, path=3f005031
...
pkcs15.c:1050:sc_pkcs15_bind_internal: EF(ODF) not found in '3f005031'

You can also try and use the opensc-explorer

./opensc-explorer -c epass2003
OpenSC Explorer version 0.22.0
Using reader with a card: Feitian ePass2003 00 00
OpenSC [3F00]> help
(read the help, and then try:)
OpenSC [3F00]> ls
FileID  Type  Size
 2F00    wEF     0
[5015]    DF     0  Name: \xA0\x00\x00\x00cPKCS-15
OpenSC [3F00]> cd 5015
OpenSC [3F00/5015]> ls
FileID  Type  Size
 9F00    wEF     2
 5031    wEF   512
 5032    wEF   128
 5033    wEF   128
 4401    wEF  4864
 4402    wEF  1024
 4403    wEF  1024
 4404    wEF  2048
 4405    wEF  4864
 4946    wEF   128
 3000    wEF   270
OpenSC [3F00/5015]>

Your card is able to do Secure Messaging, so it is somewhat compatible, but it does not have the PKCS15 structures OpenSC expects.

alhashash commented 2 years ago

@dengert Your first assumption is right; I'm developing a middleware to sign invoices using the "government-issued tokens", to be run on a Raspberry Pi or similar SBCs. I'm not going to initialize any new tokens.

I can use the old binary driver to sign digests using the token private key, but it is available only for i386 and x64 architectures. Is this use case outside the scope of OpenSC? Is PKCS15 required to run OpenSC?

alhashash commented 2 years ago

@dengert

$ tools/opensc-explorer -c epass2003
OpenSC Explorer version 0.22.0
Using reader with a card: FT ePass2003Auto 00 00
OpenSC [3F00]> ls
FileID  Type  Size
 2F01    wEF    15
[2003]    DF     0  Name: ENTERSAFE-ESPK\x00\x00
OpenSC [3F00]> cd 2003
OpenSC [3F00/2003]> ls
FileID  Type  Size
 6F01    wEF  1500
 9F00    wEF     2
 2400    wEF  3072
 2420    wEF  1024
 2440    wEF    16
 2460    wEF    40
 8000    iEF     0
 2480    wEF   493
 24A0    wEF   526
 24C0    wEF  2041
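As an added example (not OpenSC's own code), here is a small Python triage helper that reads opensc-explorer "ls" listings such as the two pasted in this thread and reports whether the card carries the PKCS#15 layout OpenSC's pkcs15 binding looks for (DF 5015 or the PKCS#15 AID, with EF 5031 as the ODF), an EMV payment-system layout (the 1PAY.SYS.DDF01 name from the debug log), or a vendor-specific application. The labels and the parsing rules are my own assumptions about the explorer's output format.

```python
import re

# Well-known application names: the PKCS#15 AID (A0 00 00 00 63 "PKCS-15") and
# the EMV Payment System Environment name that appeared in the debug log above.
PKCS15_AID = bytes.fromhex("A000000063504B43532D3135")
EMV_PSE_NAME = b"1PAY.SYS.DDF01"

# One opensc-explorer "ls" row: " 2F00    wEF     0" or "[5015]    DF     0  Name: ...".
LS_RE = re.compile(r"^\s*\[?([0-9A-Fa-f]{4})\]?\s+(wEF|iEF|DF)\s+(\d+)(?:\s+Name:\s*(.*))?$")

def decode_name(escaped: str) -> bytes:
    """Turn opensc-explorer's \\xNN escapes into bytes and drop NUL padding."""
    raw = escaped.encode("latin-1").decode("unicode_escape").encode("latin-1")
    return raw.rstrip(b"\x00")

def parse_ls(text: str) -> list:
    """Return one dict per file row; header and prompt lines do not match."""
    rows = []
    for line in text.splitlines():
        m = LS_RE.match(line)
        if m:
            fid, ftype, size, name = m.groups()
            rows.append({"fid": fid.upper(), "type": ftype, "size": int(size),
                         "name": decode_name(name) if name else b""})
    return rows

def classify(mf_listing: str, df_listing: str = "", mf_name: bytes = b"") -> str:
    """'pkcs15' means DF 5015 (or the PKCS#15 AID) exists and holds EF 5031, the ODF."""
    if mf_name.rstrip(b"\x00") == EMV_PSE_NAME:
        return "emv-pse"  # payment-style layout, no PKCS#15 objects to bind
    inside_df = {r["fid"] for r in parse_ls(df_listing)}
    for r in parse_ls(mf_listing):
        if r["type"] != "DF":
            continue
        if r["fid"] == "5015" or r["name"] == PKCS15_AID:
            return "pkcs15" if "5031" in inside_df else "pkcs15-without-odf"
        if r["name"]:
            return "vendor:" + r["name"].decode("ascii", "replace")
    return "unknown"

# Sample input copied from the two listings in this thread (not constructed).
PKCS15_MF = r"""FileID  Type  Size
 2F00    wEF     0
[5015]    DF     0  Name: \xA0\x00\x00\x00cPKCS-15"""
PKCS15_DF = " 9F00    wEF     2\n 5031    wEF   512\n 5032    wEF   128"
ESPK_MF = r"""FileID  Type  Size
 2F01    wEF    15
[2003]    DF     0  Name: ENTERSAFE-ESPK\x00\x00"""
ESPK_DF = " 6F01    wEF  1500\n 9F00    wEF     2\n 8000    iEF     0"
```

Run `classify(ESPK_MF, ESPK_DF)` on the second listing and it reports the proprietary ENTERSAFE-ESPK application rather than PKCS#15, which is exactly why sc_pkcs15_bind_internal cannot find an ODF.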
dengert commented 2 years ago

Sounds similar to https://github.com/OpenSC/OpenSC/issues/1397

Your token appears to be outside the scope of OpenSC. The file structure does not agree with PKCS15. With documentation on what is in those files, it could be possible to write an OpenSC driver. Are you interested in becoming an OpenSC developer?

@alhashash I see you have forked some Python based git repos.

If the token is EMV based, have a look at https://pypi.org/project/emv/

Also Google for: emv open source

Also note the RaspberryPi 4 can run Ubuntu.

frankmorgner commented 1 year ago

Please use your contact to the @FeitianSmartcardReader technician to solve this issue. If possible, provide a fix via pull requests.

M-Dahab commented 1 year ago

@alhashash Did you manage to find a fix for this?

Also, would you kindly share how I can get the "FT binary driver libcastle.so.1.0.0", and whether that's available for Windows, please.

alhashash commented 1 year ago

@M-Dahab No. Unfortunately. @FeitianSmartcardReader offered to help at first. Then, they involved their Egyptian partner, who was reluctant to help.

The Linux driver is available over the Internet from several distributors. Look for EnterSafe-castle-linux-20120801.

You may extract the Windows dll from the downloadable driver from any Egyptian company that issues EInvoice certificates, such as https://egypttrust.com/en/other-drivers/. Extract or install the executable and search for eps2003csp1164.dll.

I do not know if I can post these drivers here or distribute them in any way. Maybe @FeitianSmartcardReader could help.

M-Dahab commented 1 year ago

Thank you very much @alhashash!

I've managed to extract eps2003csp1164.dll from ePass2003-Setup 1 17.exe, which is available here, and it's working fine for ePass2003 🥳

alhashash commented 1 year ago

@M-Dahab To avoid confusing others who may read this issue, these old drivers are required only to access specific non-pkcs15 ePass2003 tokens (like those we have to use in Egypt to sign invoices).

If you manage your own PKI, you should reformat the tokens as pkcs15 for compatibility with standard OpenSC and recent Feitian drivers.