Dear Jan,
> recently I bought a Feitian ePAss + SCR301 card + cardreader from gooze
> and I've been struggling with it ever since.
To date, we don't sell ePass sticks and you probably did not get it from
us.
> The gooze tutorial suggests using the pcsc driver so I grabbed
> pcsc-lite-1.5.6-svn-4874 and ccid-1.3.11-svn-4874 from Ludovic's site
> and compiled them; with a little bit of effort I can now use the pcsc
> driver to access the Feitian card:
Gooze tutorials suggest you should never use OpenCT and OpenSC+libccid
at the same time. Because the ftsafe driver was added recently, recent
fixes are in OpenSC svn.
> - initializing the card works
> - storing a private key and certificate works
> - generating a 1024 bit rsa onboard works
> - generating a 2048 bit rsa onboard now works - good!
> but signing a certificate request using the card still fails (error -1200).
The problem is probably OpenSC compatibility with OpenSSL.
> Here are the commands I've used to initialize the card and store the
> cert+privkey:
> pkcs15-init -E
> pkcs15-init --create-pkcs15 --profile pkcs15+onepin
> --use-default-transport-key --pin 123456 --puk 123456 --label "JJK2"
> pkcs15-init -S userkey.pem --auth-id 01
> pkcs15-init -X usercert.pem --auth-id 01
> (yes I know I am listing the pin+puk but this is for testing purposes
> anyways and it's a bogus certificate)
>
> The certificate signing fails when using
> openssl x509 -req \
> -engine pkcs11 -CAkeyform engine \
> -in $PROXYREQ \
> -CA $PROXYUSERCERT \
> -CAkey ${SLOT:+$SLOT:}$CERT_ID \
> -out $PROXYCERT \
> -set_serial $PROXY_SERIAL -sha1 -days $DAYS \
> -extfile openssl-opensc.conf
>
> in combination with this openssl-opensc.cnf file:
>
> openssl_conf = openssl_def
>
> [ openssl_def ]
> engines = engine_section
>
> [ engine_section ]
> pkcs11 = pkcs11_section
>
> [ pkcs11_section ]
> engine_id = pkcs11
> dynamic_path =
> /home/janjust/src/engine_pkcs11-0.1.5/src/.libs/engine_pkcs11.so
> MODULE_PATH =
> /home/janjust/src/opensc-0.11.13/src/pkcs11/.libs/opensc-pkcs11.so
> init = 0
>
> [ req ]
> distinguished_name = req_distinguished_name
>
> [ req_distinguished_name ]
>
> but I can get the same error when using pkcs15-crypt
>
> I have set the debugging level in opensc to 9 and have recorded the APDU
> commands using
> pcscd --apdu
> but these log files are too big for this list. You can find them here:
> http://www.nikhef.nl/~janjust/feitian/opensc-debug.log
> http://www.nikhef.nl/~janjust/feitian/opensc-error.log
> http://www.nikhef.nl/~janjust/feitian/pcscd-apdu.log
>
> It's this part which worries me (and which also failed when using the
> openct driver):
You should not be using OpenCT and OpenSC+ccid at the same time. It
cannot work and I experienced severe problems.
Teaching OpenSC+ccid and OpenCT to collaborate should be OpenSC's primary
goal.
> Outgoing APDU data [ 134 bytes] =====================================
> 00 2A 86 80 80 00 01 FF FF FF FF FF FF FF FF FF .*..............
> FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ................
> FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ................
> FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ................
> FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ................
> FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ................
> FF 00 30 21 30 09 06 05 2B 0E 03 02 1A 05 00 04 ..0!0...+.......
> 14 CA EF BF 7C 48 82 4F 02 17 52 7A 7E 28 A2 9C ....|H.O..Rz~(..
> 93 01 A8 3D E8 00 ...=..
> ======================================================================
> [opensc-pkcs11] reader-pcsc.c:161:pcsc_internal_transmit: called
> [opensc-pkcs11] apdu.c:184:sc_apdu_log:
> Incoming APDU data [ 2 bytes] =====================================
> 69 84 i.
> ======================================================================
> [opensc-pkcs11] card.c:312:sc_unlock: called
> [opensc-pkcs11] card-entersafe.c:371:entersafe_transmit_apdu: returning
> with: 0
> [opensc-pkcs11] card.c:312:sc_unlock: called
> [opensc-pkcs11] card.c:312:sc_unlock: called
> [opensc-pkcs11] framework-pkcs15.c:2299:pkcs15_prkey_sign: Sign
> complete. Result -1200.
> [opensc-pkcs11] misc.c:80:sc_to_cryptoki_error: opensc error: Card
> command failed (-1200)
> [opensc-pkcs11] pkcs11-object.c:554:C_Sign: Signing result was 5
>
>
> Does anybody have any clues what to try next? Otherwise I'd have to
> declare the Feitian card useless for my purposes...
I am sending you today a free CCID reader, so you can compare results.
Please leave the OpenSC and Feitian folks some time to analyze your
problem. Make sure that we will enquire. I am passing the information to
a Feitian consultant.
Kind regards,
Jean-Michel
--
Jean-Michel Pouré - Gooze - http://www.gooze.eu
_______________________________________________
opensc-devel mailing list
[email protected]
http://www.opensc-project.org/mailman/listinfo/opensc-devel
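As an added example (not part of the thread, and not OpenSC or Gooze code), the following Python decoder takes the two APDU dumps quoted in the mail and shows what the card was actually asked to do. The hex dumps are copied from the quoted log; the hex-dump parser, the PKCS#1 v1.5 block check, the minimal DER DigestInfo parser and the status-word table are mine, with the meaning of SW 6984 taken from ISO 7816-4. Run on the quoted exchange it shows a PERFORM SECURITY OPERATION (INS 2A, P1P2 8680) carrying a 128-byte (1024-bit) block that the host had already padded as EMSA-PKCS1-v1_5 with a SHA-1 DigestInfo, which the card rejected with 6984 "Referenced data invalidated"; that response is what OpenSC then reports as -1200.

```python
"""Decode the failing PSO exchange from the OpenSC debug log quoted above.

Added example, not part of the original mail. The two dumps are copied
from the quoted log; all decoding helpers are the example's own.
"""
import re

# Outgoing command APDU, copied verbatim from the quoted OpenSC log.
OUTGOING_DUMP = """
00 2A 86 80 80 00 01 FF FF FF FF FF FF FF FF FF .*..............
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ................
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ................
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ................
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ................
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ................
FF 00 30 21 30 09 06 05 2B 0E 03 02 1A 05 00 04 ..0!0...+.......
14 CA EF BF 7C 48 82 4F 02 17 52 7A 7E 28 A2 9C ....|H.O..Rz~(..
93 01 A8 3D E8 00 ...=..
"""

# Incoming response, copied verbatim from the quoted OpenSC log.
INCOMING_DUMP = "69 84 i."

# ISO 7816-4 status words; only the ones relevant to this exchange.
STATUS_WORDS = {
    0x9000: "Normal processing",
    0x6982: "Security status not satisfied",
    0x6984: "Referenced data invalidated",
    0x6A88: "Referenced data not found",
}

# DER-encoded hash OIDs that appear inside a PKCS#1 v1.5 DigestInfo.
HASH_OIDS = {
    bytes.fromhex("2B0E03021A"): "sha1",            # 1.3.14.3.2.26
    bytes.fromhex("608648016503040201"): "sha256",  # 2.16.840.1.101.3.4.2.1
}

HEX_BYTE = re.compile(r"^[0-9A-Fa-f]{2}$")


def parse_hex_dump(dump: str) -> bytes:
    """Turn an OpenSC-style dump (up to 16 hex bytes, then ASCII) into bytes."""
    out = bytearray()
    for line in dump.strip().splitlines():
        for tok in line.split()[:16]:
            if not HEX_BYTE.match(tok):
                break  # reached the ASCII column
            out.append(int(tok, 16))
    return bytes(out)


def parse_apdu(raw: bytes) -> dict:
    """Split a short-form case-4 command APDU into header, data and Le."""
    cla, ins, p1, p2, lc = raw[:5]
    data = raw[5:5 + lc]
    le = raw[5 + lc] if len(raw) > 5 + lc else None
    return {"cla": cla, "ins": ins, "p1": p1, "p2": p2, "lc": lc, "data": data, "le": le}


def _der_tlv(buf: bytes, pos: int):
    """Read one short-form DER TLV and return (tag, value, next_pos)."""
    tag, length = buf[pos], buf[pos + 1]
    if length & 0x80:
        raise ValueError("long-form DER length not expected in a DigestInfo")
    start = pos + 2
    return tag, buf[start:start + length], start + length


def parse_digest_info(t: bytes) -> dict:
    """Parse DigestInfo ::= SEQUENCE { AlgorithmIdentifier, OCTET STRING }."""
    tag, seq, end = _der_tlv(t, 0)
    if tag != 0x30 or end != len(t):
        raise ValueError("DigestInfo must be a single SEQUENCE")
    tag, algid, pos = _der_tlv(seq, 0)
    if tag != 0x30:
        raise ValueError("AlgorithmIdentifier must be a SEQUENCE")
    oid_tag, oid, _ = _der_tlv(algid, 0)  # NULL parameters (05 00) may follow
    if oid_tag != 0x06:
        raise ValueError("expected an OID in AlgorithmIdentifier")
    tag, digest, end = _der_tlv(seq, pos)
    if tag != 0x04 or end != len(seq):
        raise ValueError("expected the digest as a trailing OCTET STRING")
    return {"hash": HASH_OIDS.get(oid, "unknown OID " + oid.hex()), "digest": digest.hex()}


def parse_pkcs1_v15_type1(block: bytes) -> dict:
    """Check an EMSA-PKCS1-v1_5 block (00 01 FF..FF 00 T) and decode T."""
    if len(block) < 11 or block[0] != 0x00 or block[1] != 0x01:
        raise ValueError("not a PKCS#1 block type 1 encoding")
    i = 2
    while i < len(block) and block[i] == 0xFF:
        i += 1
    if i - 2 < 8 or i >= len(block) or block[i] != 0x00:
        raise ValueError("padding string too short or separator missing")
    return parse_digest_info(block[i + 1:])


def decode_status(raw: bytes) -> dict:
    """Map the trailing SW1 SW2 of a response APDU to its ISO 7816-4 meaning."""
    sw = (raw[-2] << 8) | raw[-1]
    return {"sw": f"{sw:04X}", "meaning": STATUS_WORDS.get(sw, "unknown")}


def analyze(outgoing_dump: str = OUTGOING_DUMP, incoming_dump: str = INCOMING_DUMP) -> dict:
    """Summarise one command/response pair from the log."""
    cmd = parse_apdu(parse_hex_dump(outgoing_dump))
    rsp = decode_status(parse_hex_dump(incoming_dump))
    info = parse_pkcs1_v15_type1(cmd["data"])
    return {
        "ins": f"{cmd['ins']:02X}",
        "p1p2": f"{cmd['p1']:02X}{cmd['p2']:02X}",
        "modulus_bits": cmd["lc"] * 8,  # block length equals the RSA modulus length
        "hash": info["hash"],
        "digest": info["digest"],
        "sw": rsp["sw"],
        "sw_meaning": rsp["meaning"],
    }


if __name__ == "__main__":
    for k, v in analyze().items():
        print(f"{k:13} {v}")
```

The useful diagnostic point is in the result: the padding and DigestInfo are well-formed on the host side, so the host's PKCS#1 encoding is not what the card is objecting to; what the card returns for a raw private-key operation on a pre-padded block is a status word, and that is the value worth comparing across readers, drivers and OpenSC revisions when reproducing the failure.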