Messing around with an ePass3000 token on Linux

Today, I found an old ePass3000 token in a drawer, a token that I used for developing crypto applications on Windows a while ago. Well, let’s see if that hardware works on Linux. After taking a look, it seems that this specific token is supported by OpenSC and OpenCT. Let’s install the packages first:

$ sudo apt-get install opensc openct

Start up OpenCT now:

$ sudo /etc/init.d/openct start

Now, plug in the token, and let’s see if we can find it, with the following command:

$ opensc-tool --list-readers

It shows the following information:

Readers known about:
Nr.    Driver     Name
0      openct     FT SCR2000A
1      openct     OpenCT reader (detached)

Ok, we found something in the first slot (slot #0). Use the following command to show the name of the token, to see if we really have the right one:

$ opensc-tool --reader 0 --name

And the information shown is:

entersafe

Ok, that confirmed it. Entersafe is a division of Feitian Technologies Ltd., which is the manufacturer of the token.

The token has been left in the drawer for a while now, so I don’t quite remember the PIN any more. That shouldn’t be a problem, as OpenSC provides a tool to initialise the token. I’m going to re-initialise the token, wiping out all keys and certificates inside. That’s alright, as it contains only test keys.

$ pkcs15-init -E

This wiped out the internal proprietary structure created by Feitian’s software, prior to creating the PKCS #15 structure. The command executed without any error. Now it’s time to create the internal basic structure with the command:

$ pkcs15-init --create-pkcs15
Using reader with a card: FT SCR2000A
New User PIN.
Please enter User PIN:
Please type again to verify:
Unblock Code for New User PIN (Optional - press return for no PIN).
Please enter User unblocking PIN (PUK):
Please type again to verify:

This command required us to enter a new PIN and a PUK (or unblock PIN, or security officer (SO) PIN). The SO PIN is optional, but it is good to set it anyway, just in case you forget the PIN and need to reset it. Everything looked good so far. The next step is to create a user and a PIN, which will be needed for using the keys that we are going to create later:

$ pkcs15-init --reader 0 --store-pin --auth-id 01 --label "xp"

And I got:

[pkcs15-init] pkcs15-lib.c:3816:sc_pkcs15init_parse_info: OpenSC info file corrupted
Couldn't bind to the card: Generic PKCS #15 initialization error

Huh? What is going on? Looking in the log file, I saw something like this:

...
May 13 21:09:25 shanghai kernel: [ 2564.627377] usb 4-5: configuration #1 chosen from 1 choice
May 13 21:10:12 shanghai kernel: [ 2612.041088] usb 4-5: usbfs: process 3243 (ifdhandler) did not claim interface 0 before use
May 13 21:10:53 shanghai kernel: [ 2652.292470] usb 4-5: USB disconnect, address 4
May 13 21:11:03 shanghai kernel: [ 2662.660079] usb 4-5: new low speed USB device using ohci_hcd and address 5
...

That’s strange. What does it mean? I used the opensc-tool command to check it, and it seemed to be working fine. Let’s see if we could do a listing with the following command:

$ opensc-tool --reader 0 -f

And we got:

3f00 [\x7F\x00\x00\x80\xE3\xAD] type:  DF, size: 0
select[N/A] lock[N/A] delete[N/A] create[N/A] rehab[N/A] inval[N/A] list[N/A]
prop: 88:01:00

[opensc-tool] card.c:343:sc_list_files: returning with: Not supported
sc_list_files() failed: Not supported

Ok, so that token does not support the ls command. Well, unplug the token, restart openct, plug in the token again, and try to create a user and a PIN again.

Same error!

After googling for information about the ePass3000 support, I found this wiki, which said that the ePass3000 should be initialised with the following command:

$ pkcs15-init -p pkcs15+onepin -C

The onepin profile should be specified, which we didn’t do during the token initialisation phase. Bad idea, we should’ve looked at the documentation before doing any work. Well, all we have to do is to wipe it out and re-initialise again, right? So, let’s issue the command again:

$ pkcs15-init -E

Surprise, surprise, we got the same error. Unplugged the token, rebooted the system, and tried it again, with the same old error.

So, no way to erase it to start from the beginning again. Well, time to go to bed, this should be left for a good weekend of hacking.
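
As an added example (not from the original post or from OpenSC), here is a pre-flight script for the lesson above: confirm which reader holds the token and which card driver it reports, then print the erase and create commands with the profile that driver needs, before anything destructive is run. The helper names and the embedded reader listing are assumptions built from the output shown in the post; only the entersafe to pkcs15+onepin mapping comes from the post.

```shell
#!/bin/sh
# Added example: pick_reader, profile_for, plan_init and main are hypothetical helpers.

# Constructed sample: the `opensc-tool --list-readers` output shown in the post.
SAMPLE_READERS='Readers known about:
Nr.    Driver     Name
0      openct     FT SCR2000A
1      openct     OpenCT reader (detached)'

# Print the number of the first reader that is not a detached placeholder.
pick_reader() {
    printf '%s\n' "$1" | awk '
        $1 ~ /^[0-9]+$/ && $0 !~ /\(detached\)/ { print $1; found = 1; exit }
        END { if (!found) exit 1 }'
}

# Map the card name (from `opensc-tool --reader N --name`) to a pkcs15-init
# profile. Only the entersafe entry comes from the post; anything else fails.
profile_for() {
    case "$1" in
        entersafe) echo 'pkcs15+onepin' ;;
        *) echo "no known profile for card '$1', check the OpenSC docs first" >&2
           return 1 ;;
    esac
}

# Print (do not run) the erase/create sequence for a reader and card name.
plan_init() {
    reader=$1 card=$2
    profile=$(profile_for "$card") || return 1
    echo "pkcs15-init --reader $reader -E"
    echo "pkcs15-init --reader $reader -p $profile -C"
}

# "live" queries the real token; otherwise the constructed sample is used.
main() {
    if [ "${1:-}" = live ]; then
        readers=$(opensc-tool --list-readers) || return 1
        reader=$(pick_reader "$readers") || { echo 'no token present' >&2; return 1; }
        card=$(opensc-tool --reader "$reader" --name) || return 1
    else
        reader=$(pick_reader "$SAMPLE_READERS") || return 1
        card=entersafe   # constructed: the name the token in the post reported
    fi
    plan_init "$reader" "$card"
}

main "$@"
```

The script only prints the commands, so the plan can be reviewed against the card's documentation before running it by hand.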

One Comment

  1. cassian says:

    Hi. I know this is quite an old post, but I would appreciate it if you can tell me if you succeeded. I’m having the same problem here: the user forgot his password, the initial SoPin “rockey” password was changed by another guy and he doesn’t remember it, and I don’t know the current SoPin. I need to reuse this ePass 3000 token, but how can I “clean” it? I don’t need the certificate inside anymore. I need it for a new fresh one. Please answer me urgently if you can, because I really need it “yesterday”.
