From: Jean-Michel P. - G. <jm...@go...> - 2013-08-23 09:37:56
On Thursday 22 August 2013 at 17:54 +0200, Jean-Pierre Szikora wrote:
> (https://github.com/OpenSC/OpenSC/commit/de4dd056bfc95935198528c4e7ddcd8cbbb7b8c1) fixing a problem existing in 0.13 but not in 0.12.2.

Dear Jean-Pierre,

Yes, I have been using the latest version of OpenSC.

Under Windows, the ePass2003 supports SO-PIN, but not under OpenSC. Moreover, the ePass2003 is bricked when using SO-PIN initialization.

Example:

    pkcs15-init -E --create-pkcs15 --profile pkcs15+onepin --use-default-transport-key --pin 0000 --puk 111111 --so-pin 0000 --so-puk 111111 --label "François Pérou"
    Using reader with a card: Feitian ePass2003 00 00
    Failed to create PKCS #15 meta structure: Not allowed

This is an undocumented problem which we were never able to solve ourselves.

Recently, a GOOZE user proposed that SO-PIN **could** be declared in the ePass2003 profile. I could test these settings successfully:

/usr/share/opensc/epass2003.profile

    option onepin {
        macros {
            pin-flags = local, initialized, needs-padding;
            so-pin-flags = local, initialized, soPin;
            df_acl = *=$PIN, *=$SOPIN, CRYPTO=NONE, FILES=NONE, CREATE=NONE, DELETE=NONE;
            df_acl = *=NEVER, CRYPTO=NONE, FILES=NONE, CREATE=NONE, DELETE=NONE;
            ef_acl = *=NEVER, READ=NONE, UPDATE=NONE, WRITE=NONE, DELETE=NONE;
            sf_acl = *=NEVER, UPDATE=NONE;
            protected = *=NEVER,READ=NONE, UPDATE= $PIN, DELETE=$PIN;
            unprotected = *=NONE;
            dir-size = 112;
            tinfo-size = 128;
            unusedspace-size = 128;
            odf-size = 512;
            aodf-size = 256;
            cdf-size = 2048;
            prkdf-size = 1024;
            pukdf-size = 1024;
            dodf-size = 256;
            info-size = 128;
            maxPin-size = 2;
        }
    }

I simply added the line:

    so-pin-flags = local, initialized, soPin; # Warning: ePass2003 does not support SO-PIN for undocumented reasons.

Now, the ePass2003 can initialize:

    pkcs15-init -E --create-pkcs15 --profile pkcs15+onepin --use-default-transport-key --pin 0000 --puk 111111 --so-pin 0000 --so-puk 111111 --label "François Pérou"

But still SO-PIN and SO-PUK are not initialized.

This failure to initialize the ePass2003 with SO-PIN support under OpenSC is the reason for GOOZE stopping distribution of the ePass2003 as of 22 August 2013.

Read: http://www.gooze.eu/forums/support/epass2003-sales-suspended

To enquire more, I would like to know whether this ONEPIN one line fix is acceptable, at least to avoid breakage. This is only to continue supporting our user base of ePass2003 users.

Kind regards,
--
Jean-Michel Pouré - Gooze - http://www.gooze.eu