hi list,
recently I bought a Feitian ePAss + SCR301 card + cardreader from gooze
and I've been struggling with it ever since.
I'm running Fedora 12 on my laptop which comes with openssl 1.0 (see an
earlier post on the problems with opensc + openssl 1.0).
First of all, the Feitian SCR301 reader is not supported by the Fedora
version of pcsc-lite (1.5.2) nor by the latest released version (1.5.5).
So initially I resorted to using the openct driver. I'm using opensc
0.11.13, openct 0.6.18.
- initializing the card works
- storing a private key and certificate works
- generating a 1024 bit rsa onboard works
- generating a 2048 bit rsa onboard *FAILS*
But worst of all, signing a certificate request using the card fails
(error -1200).
The gooze tutorial suggests using the pcsc driver so I grabbed
pcsc-lite-1.5.6-svn-4874 and ccid-1.3.11-svn-4874 from Ludovic's site
and compiled them; with a little bit of effort I can now use the pcsc
driver to access the Feitian card:
- initializing the card works
- storing a private key and certificate works
- generating a 1024 bit rsa onboard works
- generating a 2048 bit rsa onboard now works - good!
but signing a certificate request using the card still fails (error -1200).
Here are the commands I've used to initialize the card and store the
cert+privkey:
pkcs15-init -E
pkcs15-init --create-pkcs15 --profile pkcs15+onepin \
  --use-default-transport-key --pin 123456 --puk 123456 --label "JJK2"
pkcs15-init -S userkey.pem --auth-id 01
pkcs15-init -X usercert.pem --auth-id 01
(yes, I know I am listing the pin+puk, but this is for testing purposes
anyway and it's a bogus certificate)
The certificate signing fails when using
openssl x509 -req \
-engine pkcs11 -CAkeyform engine \
-in $PROXYREQ \
-CA $PROXYUSERCERT \
-CAkey ${SLOT:+$SLOT:}$CERT_ID \
-out $PROXYCERT \
-set_serial $PROXY_SERIAL -sha1 -days $DAYS \
-extfile openssl-opensc.conf
in combination with this openssl-opensc.cnf file:
openssl_conf = openssl_def
[ openssl_def ]
engines = engine_section
[ engine_section ]
pkcs11 = pkcs11_section
[ pkcs11_section ]
engine_id = pkcs11
dynamic_path = /home/janjust/src/engine_pkcs11-0.1.5/src/.libs/engine_pkcs11.so
MODULE_PATH = /home/janjust/src/opensc-0.11.13/src/pkcs11/.libs/opensc-pkcs11.so
init = 0
[ req ]
distinguished_name = req_distinguished_name
[ req_distinguished_name ]
But I can get the same error when using pkcs15-crypt.
I have set the debugging level in opensc to 9 and have recorded the APDU
commands using
pcscd --apdu
but these log files are too big for this list. You can find them here:
http://www.nikhef.nl/~janjust/feitian/opensc-debug.log
http://www.nikhef.nl/~janjust/feitian/opensc-error.log
http://www.nikhef.nl/~janjust/feitian/pcscd-apdu.log
It's this part which worries me (and which also failed when using the
openct driver):
Outgoing APDU data [ 134 bytes] =====================================
00 2A 86 80 80 00 01 FF FF FF FF FF FF FF FF FF .*..............
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ................
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ................
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ................
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ................
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ................
FF 00 30 21 30 09 06 05 2B 0E 03 02 1A 05 00 04 ..0!0...+.......
14 CA EF BF 7C 48 82 4F 02 17 52 7A 7E 28 A2 9C ....|H.O..Rz~(..
93 01 A8 3D E8 00 ...=..
======================================================================
[opensc-pkcs11] reader-pcsc.c:161:pcsc_internal_transmit: called
[opensc-pkcs11] apdu.c:184:sc_apdu_log:
Incoming APDU data [ 2 bytes] =====================================
69 84 i.
======================================================================
[opensc-pkcs11] card.c:312:sc_unlock: called
[opensc-pkcs11] card-entersafe.c:371:entersafe_transmit_apdu: returning with: 0
[opensc-pkcs11] card.c:312:sc_unlock: called
[opensc-pkcs11] card.c:312:sc_unlock: called
[opensc-pkcs11] framework-pkcs15.c:2299:pkcs15_prkey_sign: Sign complete. Result -1200.
[opensc-pkcs11] misc.c:80:sc_to_cryptoki_error: opensc error: Card command failed (-1200)
[opensc-pkcs11] pkcs11-object.c:554:C_Sign: Signing result was 5
Does anybody have any clues what to try next? Otherwise I'd have to
declare the Feitian card useless for my purposes...
thanks,
JJK / Jan Just Keijser
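As an added illustration (not part of the original mail), a small Python decoder for the logged exchange: it splits the outgoing APDU into header and data, strips the EMSA-PKCS1-v1_5 padding, recognises the SHA-1 DigestInfo, derives the key size from Lc, and maps the 69 84 status word to its ISO 7816-4 meaning. INS 2A is PERFORM SECURITY OPERATION per ISO 7816-8; reading the data as an RSA sign request for a 1024-bit key assumes the driver hands the card an already padded block for a raw private-key operation, which is what the trace suggests but the mail does not state.

```python
# Outgoing APDU hex dump copied from the opensc debug trace above
# (header + 128-byte data + Le); ASCII column dropped, rows joined.
APDU_DUMP = """
00 2A 86 80 80 00 01 FF FF FF FF FF FF FF FF FF
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
FF 00 30 21 30 09 06 05 2B 0E 03 02 1A 05 00 04
14 CA EF BF 7C 48 82 4F 02 17 52 7A 7E 28 A2 9C
93 01 A8 3D E8 00
"""
# DER prefix of DigestInfo for SHA-1 (OID 1.3.14.3.2.26), RFC 3447 §9.2
SHA1_DIGESTINFO_PREFIX = bytes.fromhex("3021300906052b0e03021a05000414")
SW_MEANING = {"6984": "referenced data invalidated / not usable (ISO 7816-4)",
              "9000": "OK"}

def dump_to_bytes(dump):
    return bytes.fromhex("".join(dump.split()))

def parse_short_case4_apdu(raw):
    """Split a short case-4 APDU: CLA INS P1 P2 Lc <data> Le."""
    cla, ins, p1, p2, lc = raw[:5]
    data = raw[5:5 + lc]
    if len(data) != lc or len(raw) != 5 + lc + 1:
        raise ValueError("Lc does not match the dump length")
    return {"cla": cla, "ins": ins, "p1": p1, "p2": p2, "lc": lc,
            "data": data, "le": raw[5 + lc]}

def unpad_pkcs1_type1(block):
    """Strip EMSA-PKCS1-v1_5 padding 00 01 FF..FF 00 <T> and return T."""
    if block[:2] != b"\x00\x01":
        raise ValueError("bad PKCS#1 block type")
    sep = block.index(b"\x00", 2)           # first 00 after the FF run
    if sep - 2 < 8 or block[2:sep] != b"\xff" * (sep - 2):
        raise ValueError("bad PKCS#1 padding string")
    return block[sep + 1:]

def describe_sign_apdu(dump):
    """Return INS/P1/P2, implied modulus size and the embedded SHA-1 hash."""
    apdu = parse_short_case4_apdu(dump_to_bytes(dump))
    t = unpad_pkcs1_type1(apdu["data"])
    n = len(SHA1_DIGESTINFO_PREFIX)
    if not t.startswith(SHA1_DIGESTINFO_PREFIX) or len(t) != n + 20:
        raise ValueError("data is not a SHA-1 DigestInfo")
    return {"ins": apdu["ins"], "p1": apdu["p1"], "p2": apdu["p2"],
            "modulus_bits": apdu["lc"] * 8, "sha1": t[n:].hex()}

def describe_sw(sw_hex):
    """Map a status word such as '69 84' to its meaning."""
    return SW_MEANING.get(sw_hex.replace(" ", "").upper(), "unknown status word")
```

Running describe_sign_apdu(APDU_DUMP) shows the block is a correctly padded SHA-1 request sized for a 1024-bit key, so the 69 84 reply is the card refusing the operation, not a malformed command.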
_______________________________________________
opensc-devel mailing list
[email protected]
http://www.opensc-project.org/mailman/listinfo/opensc-devel