2

All, I am trying to access the OpenSC DLL (latest version) on Windows 7 64-bit. I am trying to access an ePass2003 token. The opensc-tool is able to detect the token and can get the name and other information, so the token is found by OpenSC. Then I load the OpenSC DLL from another program and call standard PKCS#11 functions. C_GetSlotList is returning slot 0 ID as -1 and slot 1 ID as 1. C_GetFunctionList is returning me pointers to functions. The problem is that when I call C_GetMechanismList I get a crash with a c0000005 error.

I also have accessed the token through the ePass dll provided with the token, it works perfectly.

I am unable to track down this problem: it looks as though, through the opensc dll, OpenSC is unable to interface with the card, but then opensc-tool should also have the same problem, and it does not.

If someone can help it would be great.


TRACE : pkcs11-tool

Trace #1:

C:\Program Files\OpenSC Project\OpenSC\tools>pkcs11-tool.exe --module opensc-pkcs11.dll -I
Cryptoki version 2.20
Manufacturer     OpenSC (www.opensc-project.org)
Library          Smart card PKCS#11 API (ver 0.0)
Using slot 1 with a present token (0x1)

Trace #2:

C:\Program Files\OpenSC Project\OpenSC\tools>pkcs11-tool.exe --module opensc-pkcs11.dll -L
Available slots:
Slot 0 (0xffffffff): Virtual hotplug slot
  (empty)
Slot 1 (0x1): FS USB Token 0
  token state:   uninitialized

Trace #3:

C:\Program Files\OpenSC Project\OpenSC\tools>pkcs11-tool.exe --module opensc-pkcs11.dll -T
Available slots:
No slots.

Trace #4:

C:\Program Files\OpenSC Project\OpenSC\tools>pkcs11-tool.exe --module opensc-pkcs11.dll -M
Using slot 1 with a present token (0x1)

Same result crash with c0000005

jariq
Ironluca
  • Could you please try to perform the same action with pkcs11-tool (available in OpenSC installation folder) just to be sure there is no problem with your code? The command should be `pkcs11-tool.exe --module opensc-pkcs11.dll --list-mechanisms` – jariq Jul 28 '14 at 08:48
  • @jariq, sure, I shall try it and post – Ironluca Jul 28 '14 at 08:56
  • trace from pkcs11-tool – Ironluca Jul 28 '14 at 15:26

1 Answer

0

The OpenSC PKCS#11 library sees your token as "uninitialized". If I remember correctly, an ePass token initialized with Feitian middleware cannot be used with OpenSC, and vice versa. So if you want to use ePass with opensc-pkcs11.dll, you will need to use the pkcs15-init.exe application shipped with OpenSC to initialize your token.

Documentation references:

The OpenSC wiki mentions the requirement for reinitialization on the ePass3000 page but not on the ePass2003 page. The European distributor gooze.eu also states that reinitialization is required:

The reason is that the ePass2003 is pre-initialized to be recognised under Windows7 by Feitian proprietary software. To be usable, the ePass2003 needs to be initialized by OpenSC.

Practical examples:

I have initialized my ePass2003 token with Feitian middleware and tested with proprietary eps2003csp11.dll library - it was working fine:

C:\Program Files (x86)\OpenSC Project\OpenSC\tools>pkcs11-tool.exe --module eps2003csp11.dll -M
Using slot 0 with a present token (0x1)
Supported mechanisms:
  RSA-PKCS-KEY-PAIR-GEN, keySize={1024,2048}, hw, encrypt, decrypt, sign, verify, generate_key_pair
  RSA-PKCS, keySize={512,2048}, hw, encrypt, decrypt, sign, sign_recover, verify, verify_recover, wrap, unwrap
  RSA-X-509, keySize={512,2048}, encrypt, decrypt, sign, sign_recover, verify, verify_recover, wrap, unwrap
  MD2-RSA-PKCS, keySize={512,2048}, sign, verify
  MD5-RSA-PKCS, keySize={512,2048}, sign, verify
  SHA1-RSA-PKCS, keySize={512,2048}, hw, sign, verify
  DH-PKCS-KEY-PAIR-GEN, keySize={128,2048}, generate_key_pair
  DH-PKCS-DERIVE, keySize={128,2048}, derive
  SHA256-RSA-PKCS, keySize={512,2048}, hw, sign, verify
  SHA384-RSA-PKCS, keySize={512,2048}, sign, verify
  SHA512-RSA-PKCS, keySize={1024,2048}, sign, verify
  mechtype-70, keySize={512,2048}, sign, verify
  RC2-KEY-GEN, keySize={8,1024}, generate
  RC2-ECB, keySize={8,1024}, encrypt, decrypt
  RC2-CBC, keySize={8,1024}, encrypt, decrypt
  RC2-CBC-PAD, keySize={8,1024}, encrypt, decrypt
  RC4-KEY-GEN, keySize={8,2048}, generate
  RC4, keySize={8,2048}, encrypt, decrypt
  DES-KEY-GEN, keySize={56,56}, generate
  DES-ECB, keySize={64,64}, hw, encrypt, decrypt
  DES-CBC, keySize={64,64}, hw, encrypt, decrypt
  DES-CBC-PAD, keySize={64,64}, encrypt, decrypt
  DES3-KEY-GEN, keySize={112,112}, generate
  DES3-ECB, keySize={128,192}, hw, encrypt, decrypt
  DES3-CBC, keySize={128,192}, hw, encrypt, decrypt
  DES3-CBC-PAD, keySize={128,192}, encrypt, decrypt
  MD2, digest
  MD5, digest
  SHA-1, keySize={512,512}, hw, digest, sign, verify
  SHA-1-HMAC, keySize={8,2048}, sign, verify
  SHA256, keySize={512,512}, hw, digest, sign, verify
  mechtype-597, digest
  SHA384, digest
  SHA512, digest
  GENERIC-SECRET-KEY-GEN, keySize={8,2048}, generate
  AES-KEY-GEN, keySize={128,256}, generate
  AES-ECB, keySize={128,256}, hw, encrypt, decrypt
  AES-CBC, keySize={128,256}, hw, encrypt, decrypt
  AES-CBC-PAD, keySize={128,256}, encrypt, decrypt

Then I have tested with opensc-pkcs11.dll and got the same crash you are describing:

C:\Program Files (x86)\OpenSC Project\OpenSC\tools>pkcs11-tool.exe --module opensc-pkcs11.dll -M
Using slot 1 with a present token (0x1)

OpenSC command line tool stopped working

So I have erased the card..

C:\Program Files (x86)\OpenSC Project\OpenSC\tools>pkcs15-init.exe --erase-card
Using reader with a card: FS USB Token 0

..initialized with OpenSC pkcs15-init application..

C:\Program Files (x86)\OpenSC Project\OpenSC\tools>pkcs15-init.exe --create-pkcs15 --profile pkcs15+onepin --use-default-transport-key --pin 0000 --puk 111111 --label "ePass2003"
Using reader with a card: FS USB Token 0
2014-07-29 22:35:08.208 cannot lock memory, sensitive data may be paged to disk
2014-07-29 22:35:08.442 cannot lock memory, sensitive data may be paged to disk
2014-07-29 22:35:08.882 cannot lock memory, sensitive data may be paged to disk
2014-07-29 22:35:10.059 cannot lock memory, sensitive data may be paged to disk
2014-07-29 22:35:10.497 cannot lock memory, sensitive data may be paged to disk

..and then opensc-pkcs11.dll started working:

C:\Program Files (x86)\OpenSC Project\OpenSC\tools>pkcs11-tool.exe --module opensc-pkcs11.dll -M
Using slot 1 with a present token (0x1)
Supported mechanisms:
  SHA-1, digest
  SHA256, digest
  SHA384, digest
  SHA512, digest
  MD5, digest
  RIPEMD160, digest
  GOSTR3411, digest
  RSA-X-509, keySize={512,2048}, hw, decrypt, sign, verify
  RSA-PKCS, keySize={512,2048}, hw, decrypt, sign, verify
  SHA1-RSA-PKCS, keySize={512,2048}, sign, verify
  SHA256-RSA-PKCS, keySize={512,2048}, sign, verify
  MD5-RSA-PKCS, keySize={512,2048}, sign, verify
  RIPEMD160-RSA-PKCS, keySize={512,2048}, sign, verify
  RSA-PKCS-KEY-PAIR-GEN, keySize={512,2048}, generate_key_pair

However eps2003csp11.dll distributed by Feitian stopped working as expected:

C:\Program Files (x86)\OpenSC Project\OpenSC\tools>pkcs11-tool.exe --module eps2003csp11.dll -M
No slot with a token was found.
jariq
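
A pre-flight check for the situation in this answer, added here as an example (not code from the post or from OpenSC): it parses `pkcs11-tool -L` output, reports the hotplug slot ID 0xffffffff as the -1 that a signed 32-bit print shows, and filters out tokens the module reports as uninitialized before anything calls C_GetMechanismList. The function names are hypothetical; the first sample is Trace #2 from the question, and the second is constructed, with its `token label` and `token flags` lines assumed, to stand for the token after pkcs15-init.

```python
import re

# Trace #2 from the question (opensc-pkcs11.dll, token set up by Feitian middleware).
BEFORE = """Available slots:
Slot 0 (0xffffffff): Virtual hotplug slot
  (empty)
Slot 1 (0x1): FS USB Token 0
  token state:   uninitialized
"""
# Constructed sample: assumed shape of the listing after pkcs15-init.
AFTER = """Available slots:
Slot 0 (0xffffffff): Virtual hotplug slot
  (empty)
Slot 1 (0x1): FS USB Token 0
  token label        : ePass2003
  token flags        : token initialized, PIN initialized
"""
SLOT_RE = re.compile(r"^Slot (\d+) \((0x[0-9a-fA-F]+)\): (.*)$")

def parse_slots(listing):
    """Turn `pkcs11-tool -L` text into one dict per slot."""
    slots = []
    for line in listing.splitlines():
        m = SLOT_RE.match(line)
        if m:
            sid = int(m.group(2), 16)
            slots.append({
                "id": sid,
                # What a caller sees when printing a 32-bit CK_SLOT_ID as signed.
                "id_signed32": sid - (1 << 32) if sid >= (1 << 31) else sid,
                "description": m.group(3).strip(),
                "empty": False,
                "attrs": {},
            })
        elif slots and line.startswith(" "):
            text = line.strip()
            if text == "(empty)":
                slots[-1]["empty"] = True
            elif ":" in text:
                key, value = text.split(":", 1)
                slots[-1]["attrs"][key.strip()] = value.strip()
    return slots

def initialized_slot_ids(slots):
    """IDs of slots holding a token the module does not report as uninitialized."""
    return [s["id"] for s in slots
            if not s["empty"] and s["attrs"].get("token state") != "uninitialized"]

if __name__ == "__main__":
    for name, text in (("before", BEFORE), ("after", AFTER)):
        print(name, initialized_slot_ids(parse_slots(text)))
```
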
  • thanks, however, I am slightly unsure of how this would work. As per what I understand, once the token is initialized with OpenSC, the token is not accessible from Feitian tools. Now, the token I am using has PrvtK & PubK; would those objects also be affected? Anyway, since OpenSC has ePass drivers, why would it be required to initialize it? Is there any other workaround to connect to ePass from OpenSC? -- thanks for your patience – Ironluca Jul 29 '14 at 04:58
  • @Ironluca It is not unusual that two different middlewares initialize card with different and incompatible structure (something like a file system). OpenSC uses PKCS#15 card structure (think of it as of NTFS) and Feitian middleware probably uses some different structure (let's think of it as of FAT). NTFS driver (OpenSC) cannot be used for reading of FAT (Feitian) filesystem, and vice versa. I think that you will need to choose between the OpenSC and Feitian middleware and stick to the one you have chosen. BTW card objects (keys) are usually lost during the (re)initialization process. – jariq Jul 29 '14 at 07:01
  • thanks, one more clarification, for my understanding. As per the OpenSC website, Feitian provides a driver to the OpenSC project for ePass2003. I was under the impression that the provided driver and the one which comes with ePass (mini driver) are the same for a platform and that the actual interaction from the opensc dll happens through this driver. In that case the driver will actually access the hardware with opensc dispatching the function calls, and opensc will be able to access the hardware without initializing for opensc. If you could kindly clarify this point. - thanks – Ironluca Jul 29 '14 at 08:06
  • @Ironluca I have updated my answer with more detailed information. – jariq Jul 29 '14 at 21:05
  • thanks for taking the time to answer the question and clarifying the points. Since re-initializing the token is not an option in my case (as it contains production keys/certs), I shall use the approach suggested by accessing it through the Feitian DLL; for the other keys (in this case TrustKey), I shall try OpenSC, as I feel that OpenSC support is necessary for this library. Thanks once again. – Ironluca Jul 30 '14 at 05:17