How to initialize ePass2003 using pkcs11-tool? #1736

Closed
ghost opened this issue Jul 11, 2019 · 14 comments

Comments

@ghost

ghost commented Jul 11, 2019

I'm trying to initialize a token using epass2003 in order to offload some cryptographic operations onto device. However, I wasn't successful.

OpenSC 0.19.0 - default conf
Ubuntu 19.04

Here is what I tried:

$ pkcs11-tool --module=/usr/lib/x86_64-linux-gnu/opensc-pkcs11.so -L

Available slots:
Slot 0 (0x0): Feitian ePass2003 00 00
  (empty)


$ pkcs11-tool --module /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so --slot 0 --init-token --label test_token

error: PKCS11 function C_GetTokenInfo failed: rv = CKR_TOKEN_NOT_PRESENT (0xe0)
Aborting.

Detailed debug log is here: Debug log

Then, I tried initializing PKCS15 by

$ pkcs15-init -E -T

Using reader with a card: Feitian ePass2003 00 00

$ pkcs11-tool --module /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so --slot 0 --init-token --label test_token

error: PKCS11 function C_GetTokenInfo failed: rv = CKR_TOKEN_NOT_PRESENT (0xe0)
Aborting.

But it failed as well. Lastly, I tried:

$ pkcs15-init -E -T

Using reader with a card: Feitian ePass2003 00 00

$ pkcs15-init -C -p pkcs15+onepin --pin 1234 --puk 123456

Using reader with a card: Feitian ePass2003 00 00

$ pkcs11-tool --module /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so --slot 0 --init-token --label test_token

Please enter the new SO PIN: 
Please enter the new SO PIN (again): 
error: PKCS11 function C_InitToken failed: rv = CKR_FUNCTION_NOT_SUPPORTED (0x54)
Aborting.

This time there was an Ubuntu notification saying Smart card is ready to use and asked for SO pin, only to fail after setting SO_PIN. The debug log writes:

[opensc-pkcs11] framework-pkcs15.c:1909:pkcs15_initialize: init token error -1408
[opensc-pkcs11] misc.c:61:sc_to_cryptoki_error_common: libopensc return value: -1408 (Not supported)
[opensc-pkcs11] pkcs11-global.c:639:C_InitToken: C_InitToken(pLabel='test_token                      ') returns 0x54
@frankmorgner
Member

@FeitianSmartcardReader ?

@Djalmar

Djalmar commented Sep 20, 2019

@batuhanceylan did you find any solution to this issue ?

@ghost
Author

ghost commented Sep 25, 2019

> @batuhanceylan did you find any solution to this issue ?

Not really, sorry.

@frankmorgner
Member

please contact the vendor directly, @FeitianSmartcardReader seems to be non-responsive.

@frankmorgner
Member

[email protected]

@akirashimosoeda

akirashimosoeda commented Jan 23, 2020

I think this is a module issue. It should work fine with the module given by the manufacturer (Feitian). The specific module I use is libcastle.so.1.0.0.

@FeitianSmartcardReader
Contributor

Missed this issue, will check with the engineer after CNY, should be back on 3rd Feb, will follow up on this issue, thanks

@xaqfan
Contributor

xaqfan commented Feb 24, 2020

I have checked opensc code. This function should be that opensc module has not been added.

@Edward2k

Is there any update on this? I am running into similar issues

@popovec
Member

popovec commented Jun 28, 2023

@Edward2k

This issue is quite old. Try to specify where exactly the problem occurs... Which version of OpenSC are you using? (opensc-tool -i)

Most of the token reinitialization issues were resolved using the commit 5a369a8 (commit date Wed Sep 23 08:37:09 2020 +0200). This commit is part of OpenSC version 0.21 and later.

The following procedure should work without problems:

  1. try to erase the epass2003 token: pkcs15-init -E -T
  2. initialization: pkcs15-init -C -T -p pkcs15+onepin --pin 1234 --puk 123456
  3. generate an RSA key: pkcs15-init --generate-key rsa/2048 --key-usage sign,decrypt --pin 1234 --auth-id 01

Thanks for testing.
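The thread ends up with two practical lessons: the PKCS#11 errors in the opening post each point at a specific next step, and the pkcs15-init procedure above only works on OpenSC 0.21 or later (commit 5a369a8). The following POSIX shell helper is an added example that puts both into code; it is not from the OpenSC project or from any participant here. It assumes the first line of `opensc-tool -i` output starts with "OpenSC <version>", and every sample string in it is constructed.

```shell
#!/bin/sh
# Added example, not code from the OpenSC project or from anyone in this thread.
# (1) map the error lines seen above to the corrective step the thread arrived at;
# (2) refuse the pkcs15-init procedure on OpenSC older than 0.21, which is what
#     bit the apt-installed 0.20.0. All sample strings below are constructed.

# Extract the version from `opensc-tool -i` output. Assumes the first line
# reads "OpenSC <version> ..." (the trailing compiler text is not relied on).
opensc_version_from_info() {
    printf '%s\n' "$1" | awk '/^OpenSC [0-9]/ { print $2; exit }'
}

# Return 0 when a version string is 0.21 or newer, 1 otherwise (including
# unparsable input). Only major.minor are compared.
opensc_version_ok() {
    ver=$1
    major=${ver%%.*}
    rest=${ver#*.}
    [ "$rest" = "$ver" ] && rest=0          # no dot at all: treat minor as 0
    minor=${rest%%.*}
    case "$major" in ''|*[!0-9]*) return 1 ;; esac
    case "$minor" in ''|*[!0-9]*) return 1 ;; esac
    [ "$major" -gt 0 ] || [ "$minor" -ge 21 ]
}

# Classify an error line from pkcs11-tool / pkcs15-init as seen in this thread:
#   create-pkcs15    C_GetTokenInfo -> CKR_TOKEN_NOT_PRESENT on an "(empty)" slot:
#                    no PKCS#15 structure exists yet; create it with pkcs15-init -C -T
#   use-pkcs15-init  C_InitToken -> CKR_FUNCTION_NOT_SUPPORTED (libopensc -1408):
#                    the PKCS#11 module cannot initialise this card; use pkcs15-init
#   upgrade-opensc   "PKCS#15 binding failed: Unsupported card": OpenSC older than 0.21
#   unknown          anything else
triage_error() {
    case "$1" in
        *CKR_TOKEN_NOT_PRESENT*)                                   echo create-pkcs15 ;;
        *CKR_FUNCTION_NOT_SUPPORTED*|*"init token error -1408"*)   echo use-pkcs15-init ;;
        *"Unsupported card"*)                                      echo upgrade-opensc ;;
        *)                                                         echo unknown ;;
    esac
}

# Print (DRY_RUN=1) or execute a command.
run() { if [ "${DRY_RUN:-0}" = 1 ]; then echo "+ $*"; else "$@"; fi; }

# The three-step procedure from the thread, refusing on an old OpenSC.
# $1 = OpenSC version string. PIN/PUK are the thread's test values, not real
# credentials; use your own when provisioning a real token.
provision_epass2003() {
    if ! opensc_version_ok "$1"; then
        echo "refusing: OpenSC '$1' is older than 0.21 (token reinit fixes missing)" >&2
        return 1
    fi
    run pkcs15-init -E -T &&
    run pkcs15-init -C -T -p pkcs15+onepin --pin 1234 --puk 123456 &&
    run pkcs15-init --generate-key rsa/2048 --key-usage sign,decrypt --pin 1234 --auth-id 01
}

# Constructed stand-in for `opensc-tool -i` on the apt-installed box.
SAMPLE_INFO='OpenSC 0.20.0 [gcc  9.3.0]
Enabled features: zlib openssl pcsc(libpcsclite.so.1)'

v=$(opensc_version_from_info "$SAMPLE_INFO")
printf 'detected OpenSC %s: ' "$v"
if opensc_version_ok "$v"; then echo "ok for the pkcs15-init procedure"; else echo "too old, upgrade first"; fi
triage_error 'error: PKCS11 function C_GetTokenInfo failed: rv = CKR_TOKEN_NOT_PRESENT (0xe0)'
triage_error 'error: PKCS11 function C_InitToken failed: rv = CKR_FUNCTION_NOT_SUPPORTED (0x54)'
triage_error 'PKCS#15 binding failed: Unsupported card'
DRY_RUN=1 provision_epass2003 0.23.0
```

Run it as `sh provision.sh`; drop `DRY_RUN=1` from the last line and pass the output of `opensc-tool -i` through `opensc_version_from_info` to use it against a real token.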

@Edward2k

Hey @popovec,

Thanks for getting back to me so quickly. The problem occurs when trying to initialize the token with pkcs15-init. When calling pkcs15-init -C -T -p pkcs15+onepin --pin 1234 --puk 123456, I get the following error:

$ pkcs15-init -C -T -p pkcs15+onepin --pin 1234 --puk 123456
Using reader with a card: Feitian ePass2003 00 00
PKCS#15 binding failed: Unsupported card

I have the latest OpenSC version from apt (v0.20.0-3). I'll try building from source and see if that resolves my problems :).

Thanks again and I'll keep you posted.

@Edward2k

@popovec

Well, now I feel like a fool. It works. Always check versions and never trust aptitude to use the most up-to-date version. I do have one question: epass2003 supports rsa4096. It seems even this newer version of OpenSC does not present this. Any idea as to why?

@popovec
Member

popovec commented Jun 29, 2023

I have no information about epass2003 being able to use an RSA key longer than 2048 bits. Newer epass2003 tokens, however, support elliptical keys. You can try to generate an elliptical key as follows:

pkcs15-init --generate-key ec/prime256v1 --pin 1234 --auth-id 01

Unfortunately, my epass2003 key does not support elliptic keys (overall, OpenSC signals support for elliptic cryptography for epass2003, which is bad, but due to the lack of epass2003 documentation, I don't know how to fix it).

@Edward2k

Edward2k commented Jun 29, 2023

I'm afraid that I have to use rsa4096. The epass2003 documentation is lacking and somewhat contradictory. I've seen some spec sheets mention 4096 and others 2048 for the exact same hardware. Regardless, thanks for the help. I really appreciate it.

EDIT: I've raised this question with support
