Ticket #195 (closed enhancement: fixed)


Opened 2 years ago

Last modified 2 years ago

Impossible to initialise feitian PKI (entersafe driver)

Reported by: jmpoure
Owned by: opensc-devel@…
Priority: normal
Milestone:
Component: opensc
Version: trunk
Severity: normal
Keywords:
Cc:
Blocked By:
Blocking:

Description

Hello,

After compiling OpenSC with the latest SVN version, here is what happens when trying to erase the card:

pkcs15-init -E -vvv
2010-01-30 16:48:48.072 [pkcs15-init] sc.c:199:sc_detect_card_presence: called
2010-01-30 16:48:48.072 [pkcs15-init] sc.c:204:sc_detect_card_presence: returning with: 1
Using reader with a card: OmniKey CardMan 4321 00 00
2010-01-30 16:48:48.072 [pkcs15-init] sc.c:199:sc_detect_card_presence: called
2010-01-30 16:48:48.073 [pkcs15-init] sc.c:204:sc_detect_card_presence: returning with: 1
Connecting to card in reader OmniKey CardMan 4321 00 00...
2010-01-30 16:48:48.073 [pkcs15-init] card.c:110:sc_connect_card: called
2010-01-30 16:48:48.084 [pkcs15-init] reader-pcsc.c:533:pcsc_connect: After connect protocol = 2
2010-01-30 16:48:48.115 [pkcs15-init] muscle.c:276:msc_select_applet: returning with: -1200
2010-01-30 16:48:48.115 [pkcs15-init] card-piv.c:1757:piv_match_card: called
2010-01-30 16:48:48.115 [pkcs15-init] card-piv.c:493:piv_find_aid: called
2010-01-30 16:48:48.121 [pkcs15-init] iso7816.c:99:iso7816_check_sw: Conditions of use not satisfied
2010-01-30 16:48:48.137 [pkcs15-init] iso7816.c:99:iso7816_check_sw: Conditions of use not satisfied
2010-01-30 16:48:48.137 [pkcs15-init] card-piv.c:576:piv_find_aid: returning with: -1208
2010-01-30 16:48:48.137 [pkcs15-init] card-entersafe.c:101:entersafe_match_card: called
2010-01-30 16:48:48.137 [pkcs15-init] card-entersafe.c:114:entersafe_init: called
2010-01-30 16:48:48.137 [pkcs15-init] card.c:221:sc_connect_card: card info: entersafe, 19002, 0x0
2010-01-30 16:48:48.137 [pkcs15-init] card.c:222:sc_connect_card: returning with: 0
Using card driver entersafe.
2010-01-30 16:48:48.137 [pkcs15-init] card.c:675:sc_card_ctl: called
2010-01-30 16:48:48.137 [pkcs15-init] card-entersafe.c:1531:entersafe_card_ctl_2048: called
2010-01-30 16:48:48.137 [pkcs15-init] card.c:682:sc_card_ctl: card_ctl(4) not supported
2010-01-30 16:48:48.137 [pkcs15-init] card.c:539:sc_select_file: called; type=2, path=3f0050154946
2010-01-30 16:48:48.137 [pkcs15-init] card-entersafe.c:641:entersafe_select_file: called
2010-01-30 16:48:48.142 [pkcs15-init] iso7816.c:99:iso7816_check_sw: Conditions of use not satisfied
2010-01-30 16:48:48.142 [pkcs15-init] iso7816.c:462:iso7816_select_file: returning with: -1209
2010-01-30 16:48:48.142 [pkcs15-init] card-entersafe.c:467:entersafe_select_fid: APDU transmit failed: Not allowed
2010-01-30 16:48:48.142 [pkcs15-init] card-entersafe.c:628:entersafe_select_path: SELECT FILE (DF-ID) failed: Not allowed
2010-01-30 16:48:48.142 [pkcs15-init] card.c:561:sc_select_file: returning with: -1209
2010-01-30 16:48:48.142 [pkcs15-init] profile.c:323:sc_profile_load: Using profile directory '/usr/share/opensc'.
2010-01-30 16:48:48.142 [pkcs15-init] profile.c:335:sc_profile_load: Trying profile file /usr/share/opensc/pkcs15.profile
2010-01-30 16:48:48.143 [pkcs15-init] profile.c:343:sc_profile_load: profile /usr/share/opensc/pkcs15.profile loaded ok
2010-01-30 16:48:48.143 [pkcs15-init] profile.c:323:sc_profile_load: Using profile directory '/usr/share/opensc'.
2010-01-30 16:48:48.143 [pkcs15-init] profile.c:335:sc_profile_load: Trying profile file /usr/share/opensc/entersafe.profile
2010-01-30 16:48:48.144 [pkcs15-init] profile.c:343:sc_profile_load: profile /usr/share/opensc/entersafe.profile loaded ok
About to erase card.
2010-01-30 16:48:48.144 [pkcs15-init] pkcs15.c:700:sc_pkcs15_bind: called
2010-01-30 16:48:48.144 [pkcs15-init] pkcs15.c:718:sc_pkcs15_bind: PKCS#15 options: use_file_cache=0 use_pin_cache=1 pin_cache_counter=10
2010-01-30 16:48:48.144 [pkcs15-init] card.c:539:sc_select_file: called; type=2, path=3f002f00
2010-01-30 16:48:48.144 [pkcs15-init] card-entersafe.c:641:entersafe_select_file: called
2010-01-30 16:48:48.152 [pkcs15-init] iso7816.c:99:iso7816_check_sw: Conditions of use not satisfied
2010-01-30 16:48:48.152 [pkcs15-init] iso7816.c:462:iso7816_select_file: returning with: -1209
2010-01-30 16:48:48.152 [pkcs15-init] card-entersafe.c:467:entersafe_select_fid: APDU transmit failed: Not allowed
2010-01-30 16:48:48.152 [pkcs15-init] card-entersafe.c:628:entersafe_select_path: SELECT FILE (DF-ID) failed: Not allowed
2010-01-30 16:48:48.152 [pkcs15-init] card.c:561:sc_select_file: returning with: -1209
2010-01-30 16:48:48.152 [pkcs15-init] pkcs15.c:537:sc_pkcs15_bind_internal: unable to enumerate apps: Not allowed
2010-01-30 16:48:48.152 [pkcs15-init] pkcs15-syn.c:112:sc_pkcs15_bind_synthetic: called
2010-01-30 16:48:48.152 [pkcs15-init] pkcs15-syn.c:153:sc_pkcs15_bind_synthetic: no emulator list in config file, trying all builtin emulators
2010-01-30 16:48:48.152 [pkcs15-init] pkcs15-syn.c:155:sc_pkcs15_bind_synthetic: trying westcos
2010-01-30 16:48:48.153 [pkcs15-init] p15emu-westcos.c:252:sc_pkcs15emu_westcos_init_ex: sc_pkcs15_init_func_ex westcos
2010-01-30 16:48:48.153 [pkcs15-init] p15emu-westcos.c:239:westcos_detect_card: westcos_detect_card (entersafe)
2010-01-30 16:48:48.153 [pkcs15-init] pkcs15-syn.c:155:sc_pkcs15_bind_synthetic: trying openpgp
2010-01-30 16:48:48.153 [pkcs15-init] pkcs15-syn.c:155:sc_pkcs15_bind_synthetic: trying infocamere
2010-01-30 16:48:48.153 [pkcs15-init] pkcs15-syn.c:155:sc_pkcs15_bind_synthetic: trying starcert
2010-01-30 16:48:48.153 [pkcs15-init] pkcs15-syn.c:155:sc_pkcs15_bind_synthetic: trying tcos
2010-01-30 16:48:48.153 [pkcs15-init] pkcs15-syn.c:155:sc_pkcs15_bind_synthetic: trying esteid
2010-01-30 16:48:48.153 [pkcs15-init] pkcs15-syn.c:155:sc_pkcs15_bind_synthetic: trying postecert
2010-01-30 16:48:48.153 [pkcs15-init] pkcs15-syn.c:155:sc_pkcs15_bind_synthetic: trying PIV-II
2010-01-30 16:48:48.153 [pkcs15-init] pkcs15-piv.c:513:sc_pkcs15emu_piv_init_ex: called
2010-01-30 16:48:48.153 [pkcs15-init] pkcs15-piv.c:100:piv_detect_card: called
2010-01-30 16:48:48.153 [pkcs15-init] pkcs15-syn.c:155:sc_pkcs15_bind_synthetic: trying gemsafeGPK
2010-01-30 16:48:48.153 [pkcs15-init] pkcs15-gemsafeGPK.c:511:sc_pkcs15emu_gemsafeGPK_init_ex: Entering sc_pkcs15emu_gemsafeGPK_init_ex
2010-01-30 16:48:48.153 [pkcs15-init] pkcs15-gemsafeGPK.c:163:gemsafe_detect_card: called
2010-01-30 16:48:48.153 [pkcs15-init] pkcs15-syn.c:155:sc_pkcs15_bind_synthetic: trying gemsafeV1
2010-01-30 16:48:48.153 [pkcs15-init] pkcs15-syn.c:155:sc_pkcs15_bind_synthetic: trying actalis
2010-01-30 16:48:48.153 [pkcs15-init] pkcs15-syn.c:155:sc_pkcs15_bind_synthetic: trying atrust-acos
2010-01-30 16:48:48.153 [pkcs15-init] pkcs15-syn.c:155:sc_pkcs15_bind_synthetic: trying tccardos
2010-01-30 16:48:48.153 [pkcs15-init] pkcs15-syn.c:155:sc_pkcs15_bind_synthetic: trying entersafe
2010-01-30 16:48:48.153 [pkcs15-init] pkcs15-esinit.c:77:sc_pkcs15emu_entersafe_init_ex: called
2010-01-30 16:48:48.153 [pkcs15-init] pkcs15-esinit.c:33:entersafe_detect_card: called
2010-01-30 16:48:48.153 [pkcs15-init] pkcs15-esinit.c:49:sc_pkcs15emu_entersafe_init: called
2010-01-30 16:48:48.153 [pkcs15-init] card.c:675:sc_card_ctl: called
2010-01-30 16:48:48.153 [pkcs15-init] card-entersafe.c:1531:entersafe_card_ctl_2048: called
2010-01-30 16:48:48.153 [pkcs15-init] card-entersafe.c:1357:entersafe_get_serialnr: called
2010-01-30 16:48:48.153 [pkcs15-init] card-entersafe.c:322:entersafe_transmit_apdu: called
2010-01-30 16:48:48.159 [pkcs15-init] card.c:685:sc_card_ctl: returning with: 0
2010-01-30 16:48:48.159 [pkcs15-init] pkcs15-entersafe.c:64:entersafe_erase_card: called
2010-01-30 16:48:48.159 [pkcs15-init] card.c:675:sc_card_ctl: called
2010-01-30 16:48:48.159 [pkcs15-init] card-entersafe.c:1531:entersafe_card_ctl_2048: called
2010-01-30 16:48:48.159 [pkcs15-init] card-entersafe.c:1001:entersafe_erase_card: called
2010-01-30 16:48:48.159 [pkcs15-init] card-entersafe.c:322:entersafe_transmit_apdu: called
2010-01-30 16:48:48.163 [pkcs15-init] card-entersafe.c:322:entersafe_transmit_apdu: called
2010-01-30 16:48:48.163 [pkcs15-init] card-entersafe.c:229:entersafe_mac_apdu: called
2010-01-30 16:48:48.163 [pkcs15-init] card-entersafe.c:150:entersafe_gen_random: called
2010-01-30 16:48:48.173 [pkcs15-init] card-entersafe.c:164:entersafe_gen_random: returning with: 0
2010-01-30 16:48:48.178 [pkcs15-init] iso7816.c:99:iso7816_check_sw: Conditions of use not satisfied
2010-01-30 16:48:48.178 [pkcs15-init] card.c:685:sc_card_ctl: returning with: -1209
Failed to erase card: Not allowed
2010-01-30 16:48:48.182 [pkcs15-init] card.c:236:sc_disconnect_card: called
2010-01-30 16:48:48.223 [pkcs15-init] card.c:251:sc_disconnect_card: returning with: 0
2010-01-30 16:48:48.223 [pkcs15-init] ctx.c:746:sc_release_context: called
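
Added example, not part of the ticket or of OpenSC: a small Python triage script for the `-vvv` output quoted above. It lists every negative return code together with the last status-word message logged before it; the sample lines are excerpted from the log in this description, and the names `parse` and `failures` are this example's own.

```python
import re
from collections import namedtuple

# Debug lines look like: "<date> <time> [<tool>] <file>:<line>:<function>: <message>"
LINE = re.compile(r"^(\S+ \S+) \[([^\]]+)\] ([\w.-]+):(\d+):(\w+): (.*)$")
RET = re.compile(r"returning with: (-?\d+)")
Entry = namedtuple("Entry", "src func msg")

# Excerpt of the -vvv output quoted in the ticket description.
SAMPLE = """\
2010-01-30 16:48:48.144 [pkcs15-init] card.c:539:sc_select_file: called; type=2, path=3f002f00
2010-01-30 16:48:48.152 [pkcs15-init] iso7816.c:99:iso7816_check_sw: Conditions of use not satisfied
2010-01-30 16:48:48.152 [pkcs15-init] iso7816.c:462:iso7816_select_file: returning with: -1209
2010-01-30 16:48:48.152 [pkcs15-init] card.c:561:sc_select_file: returning with: -1209
2010-01-30 16:48:48.159 [pkcs15-init] card.c:685:sc_card_ctl: returning with: 0
2010-01-30 16:48:48.159 [pkcs15-init] card-entersafe.c:1001:entersafe_erase_card: called
2010-01-30 16:48:48.178 [pkcs15-init] iso7816.c:99:iso7816_check_sw: Conditions of use not satisfied
2010-01-30 16:48:48.178 [pkcs15-init] card.c:685:sc_card_ctl: returning with: -1209
Failed to erase card: Not allowed
"""

def parse(log):
    """Split the log into debug entries and plain tool messages."""
    entries, tool = [], []
    for line in log.splitlines():
        m = LINE.match(line)
        if m:
            entries.append(Entry(f"{m[3]}:{m[4]}", m[5], m[6]))
        elif line.strip():
            tool.append(line.strip())
    return entries, tool

def failures(entries):
    """Each negative return code, with the last status-word text seen before it."""
    out, last_sw = [], None
    for e in entries:
        if e.func == "iso7816_check_sw":
            last_sw = e.msg
        m = RET.search(e.msg)
        if m and int(m[1]) < 0:
            out.append((e.func, int(m[1]), last_sw))
    return out

if __name__ == "__main__":
    entries, tool = parse(SAMPLE)
    for func, code, sw in failures(entries):
        print(f"{func} -> {code} (card said: {sw})")
    print("tool output:", tool)
```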

Change History

comment:1 Changed 2 years ago by jmpoure

Okay, I understand.

A card needs to be formatted before it is erased.

pkcs15-init --create-pkcs15

I think this does not comply with Unix standards. One rule is that what works should not return an error.

If the card is already "blank" or "pristine", then pkcs15-init -E should not return an error.

This problem makes the regression tests fail.

If you could fix it, I could go back to testing regression tests and maybe helping rewrite some of them.

comment:2 Changed 2 years ago by jmpoure

Maybe pkcs15-init --create-pkcs15 should also blank the card if needed.

For example, under Linux, mkfs.ext3 is a single command. I don't see the point of having to blank a card prior to initialisation and the converse.

At least, could someone explain the idea behind this blanking issue?

comment:3 Changed 2 years ago by aj

I think we should not always erase cards without being asked.

the problem is: IIRC some cards erase files (i.e. load pkcs#15 profile and remove all files mentioned there, then remove the directories we would normally create, remove the *df files, remove the 5015 directory and remove the 2f00 file).

But IIRC on other cards you can't do that, as the pkcs#15 structure is often finalized for security reasons. So always trying an erase won't help at all.

And with some cards you can format the card - i.e. reset it to manufacturing state. But that would also remove non-pkcs#15 structures, thus we shouldn't do that either, unless asked to do so.

So blindly removing is not an option from my point of view.

But maybe there are typical errors that need a better handling / checking / instructions for our users?

comment:4 Changed 2 years ago by jmpoure

Okay, I understand that create-pkcs15 should not erase the card. Thanks.

The problems behind my question are the regression tests, which fail during blanking. I would like to be able to run in any case:

pkcs15-init -E --create-pkcs15 (erase and initialize) and pkcs15-init -E (only erase)

I understand that some cards are in manufacturing state and cannot be fully erased. If erasing is not possible for any reason, then return an error.

Under Unix, a successful operation should never complain. Also, if you ask for an operation and it is already in the state, do not complain.

For example, if a card is already blank, we should be able to blank it without error. Presently if a card is blank, you cannot blank it again, which is against common Unix rules.

What do you think? Did I misunderstand your explanations?

comment:5 Changed 2 years ago by aj

please run first erase, then init plus whatever else you want to do.

why? with erase and init: is the pin/sopin etc. related to the old structures to be deleted or for the new structures to be created?

handling init and erase with one pkcs15-init code cleanly with regards to issues like that would be so complex, it isn't worth the work. in fact I'm changing the code right now to disallow combining erase with any other action. that way you need to run pkcs15-init twice, and there are a lot less issues to worry about.

I guess the code to allow several actions with one pkcs15-init call was implemented when cards and readers were slow, and running pkcs15-init twice would take a lot of time (10 to 30 seconds per pkcs15-init call). but now cards and readers are fast, so connecting to a card, reading the pkcs#15 structures and doing something all together is still under a second. no need to optimize I think.

comment:6 Changed 2 years ago by jmpoure

Thank you, I could see the code in SVN.

Out of information, I tried to erase twice. Erasing a blank card fails when the card is blank:

pkcs15-init -E 
Using reader with a card: OmniKey CardMan 4321 00 00
jmpoure@acer:~/logiciels/opensc$ pkcs15-init -E 
Using reader with a card: OmniKey CardMan 4321 00 00
Failed to erase card: Not allowed

Think of first time users receiving a blank card. Also I have in mind the regression tests where a blank card could be used.

In the Unix tradition, it should be allowed to blank a card which is already blank. Maybe do nothing, but then we should not display an error message.

Maybe I am wrong, I hope to point out something interesting for you. All this is out of scope for me, so feel free to close this ticket if you feel OpenSC behaves normally.

Kind regards, Jean-Michel

comment:7 Changed 2 years ago by aj

the reference to unix semantics is bogus. with unix you can't "rm foo" twice, the second will fail. whether "pkcs15-init --erase" is an erasing of files or formatting the card, that is card dependent.

but the rules for the regression suite are easy:

  • start with a blank card.
  • if all works, the result is a blank card.
  • if some test fails, the card is not blank. you can look at logs and the card, and once your analysis is done, run ./erase to erase it. the result is a blank card.
  • if erase fails, the situation is undefined. maybe the card is broken.
  • every usage has the potential to break the card completely forever.

example: it is easy to break cryptoflex cards if you remove them during card initialization. or use ctrl-c to abort such a procedure. the result is incomplete data structures on the card, that most likely can't be removed ever, thus the card is now broken and not useable with opensc.

also I'm not sure if your problem is part of the entersafe driver or generic. i guess it is entersafe related, at least I don't remember anyone using entersafe for a full regression test with success. so maybe the driver simply doesn't allow that yet.

comment:8 Changed 2 years ago by jmpoure

  • Status changed from new to closed
  • Type changed from defect to enhancement
  • Resolution set to fixed

OpenSC now does not allow erase and init at the same time, which is more comprehensible. Closing bug. Thank you for explanations!
