Description
The device and how its signatures are required by the local government
The device comes from netrust.com, as far as I know the only accredited certificate authority in Singapore for electronic transaction signing.
Windows driver: https://www.netrust.net/download/
They only have one office with only one type of device to choose from (the old device, iKey, was discontinued). It has already been initialised and carries the digital certificate with it (but not the root CA and chain CA) when issued, ready to be used for signing contracts; several types of building contracts are required to be signed with such keys for the government's automatic archiver to process them.
the existing driver works
I tried the proprietary driver described here on my Ubuntu 16.04 LTS:
https://www.vleeuwen.net/2016/07/install-safenet-etoken-pro-on-ubuntu-16-04-lts
The device in its picture looks different from mine, but the driver works as expected: it lights up the LED on the device, makes it blink, and adds a daemon called SACSrv plus a "SafeNet Authentication Client Tools" icon to the desktop's notification area, which allows me to rename the token, check how many certificates are in the token (they are correctly displayed), delete the token, change the token password, etc.
It even works for signing with pkcs11-tool:
$ pkcs11-tool --module /lib/libeToken.so.9 -l -O
Please enter User PIN:
Private Key Object; RSA
[.... detail cut off for security reasons ...]
$ pkcs11-tool --id decafbaddecafbad -s -m SHA256-RSA-PKCS --module /lib/libeToken.so.9 -i data -o data.sig
Using slot 0 with a present token (0x0)
Using signature algorithm SHA256-RSA-PKCS
$ openssl rsautl -verify -inkey pubkey.pem -in data.sig -pubin | openssl asn1parse -inform DER
0:d=0 hl=2 l= 49 cons: SEQUENCE
2:d=1 hl=2 l= 13 cons: SEQUENCE
4:d=2 hl=2 l= 9 prim: OBJECT :sha256
15:d=2 hl=2 l= 0 prim: NULL
17:d=1 hl=2 l= 32 prim: OCTET STRING [HEX DUMP]:5A80CE695303328CCF80DA606EEE7F1042767BD189C4D99932F6F25323F9F2EA
$ sha256sum data
5a80ce695303328ccf80da606eee7f1042767bd189c4d99932f6f25323f9f2ea data
# sha256sum matches.
the issue with opensc-tool
opensc-tool doesn't seem to recognise it:
$ cardos-tool -i
Using reader with a card: AKS ifdh [eToken 5110 SC] 00 00
Failed to connect to card: Card is invalid or cannot be handled
$ opensc-tool -l
# Detected readers (pcsc)
Nr. Card Features Name
0 Yes AKS ifdh [eToken 5110 SC] 00 00
$ opensc-tool -a
Using reader with a card: AKS ifdh [eToken 5110 SC] 00 00
3b:d5:18:00:81:31:3a:7d:80:73:c8:21:10:30
$ opensc-tool -n
Using reader with a card: AKS ifdh [eToken 5110 SC] 00 00
Unsupported card
System information:
$ opensc-tool --info
OpenSC 0.17.0 [gcc 5.4.0 20160609]
Enabled features: locking zlib readline openssl pcsc(libpcsclite.so.1)
$ pcscd --version
pcsc-lite version 1.8.14.
Copyright (C) 1999-2002 by David Corcoran <[email protected]>.
Copyright (C) 2001-2011 by Ludovic Rousseau <[email protected]>.
Copyright (C) 2003-2004 by Damien Sauveron <[email protected]>.
Report bugs to <[email protected]>.
Enabled features: Linux x86_64-pc-linux-gnu serial usb libudev usbdropdir=/usr/lib/pcsc/drivers ipcdir=/var/run/pcscd configdir=/etc/reader.conf.d
$ pkcs15-tool -D
Using reader with a card: AKS ifdh [eToken 5110 SC] 00 00
Failed to connect to card: Card is invalid or cannot be handled
Given that pkcs11-tool can use the device with --module /lib/libeToken.so.9, there must be a way to get opensc-tool to work too, but opensc-tool(1) does not accept the same --module parameter. Quoting from the GitHub website, this is the condition for using OpenSC's high-level functions:
opensc-tool is the basic test tool. With “-l” you can see the readers, with “-n” you can see if opensc identifies the card correctly. Both are necessary for OpenSC to work.
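The pkcs11-tool / openssl rsautl steps in the report above show what a SHA256-RSA-PKCS (RSASSA-PKCS1-v1_5) signature actually is: the RSA private-key operation over a padded DER DigestInfo, which `openssl rsautl -verify` undoes to reveal the SHA-256 digest that `sha256sum` then matches. The following is an added example (not code from the issue, from OpenSC or from SafeNet) that reproduces both sides offline with the Python standard library: it generates a throwaway RSA key in place of the token, signs the same way the token does, recovers the DigestInfo the way `rsautl -verify` does, and then performs a strict verification. The sample message and the 1024-bit demo key size are constructed for the example.

```python
"""Added example: SHA256-RSA-PKCS signing and the two ways of checking it
shown in the report (recover DigestInfo like 'openssl rsautl -verify', and a
strict RSASSA-PKCS1-v1_5 verify). Standard library only; the key is generated
here instead of living on a token."""
import hashlib
import secrets

# DER prefix of DigestInfo { AlgorithmIdentifier { id-sha256, NULL }, OCTET STRING(32) }
# (RFC 8017 section 9.2, note 1). This is exactly the structure asn1parse printed
# above: SEQUENCE(49) { SEQUENCE(13) { OID sha256, NULL }, OCTET STRING(32) }.
SHA256_DIGESTINFO_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")


def _is_probable_prime(n: int, rounds: int = 40) -> bool:
    """Miller-Rabin; adequate for a demo key."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _gen_prime(bits: int) -> int:
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1  # odd, top bit set
        if _is_probable_prime(cand):
            return cand


def generate_rsa_key(bits: int = 1024):
    """Return (n, e, d). 1024 bits keeps the demo fast; real keys should be 2048+."""
    e = 65537
    while True:
        p, q = _gen_prime(bits // 2), _gen_prime(bits // 2)
        n, phi = p * q, (p - 1) * (q - 1)
        if p != q and n.bit_length() == bits and phi % e != 0:
            return n, e, pow(e, -1, phi)


def digest_info_sha256(data: bytes) -> bytes:
    return SHA256_DIGESTINFO_PREFIX + hashlib.sha256(data).digest()


def emsa_pkcs1_v15_encode(data: bytes, k: int) -> bytes:
    """EM = 0x00 || 0x01 || PS (>= 8 bytes of 0xFF) || 0x00 || DigestInfo (RFC 8017 9.2)."""
    t = digest_info_sha256(data)
    if k < len(t) + 11:
        raise ValueError("modulus too small for SHA-256 DigestInfo")
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t


def sign_sha256_rsa_pkcs(data: bytes, n: int, d: int) -> bytes:
    """What the token does for mechanism SHA256-RSA-PKCS: hash, pad, s = EM^d mod n."""
    k = (n.bit_length() + 7) // 8
    m = int.from_bytes(emsa_pkcs1_v15_encode(data, k), "big")
    return pow(m, d, n).to_bytes(k, "big")


def rsautl_verify(sig: bytes, n: int, e: int) -> bytes:
    """Equivalent of 'openssl rsautl -verify -pubin': s^e mod n, strip the block
    type 1 padding, return the recovered DER DigestInfo for inspection."""
    k = (n.bit_length() + 7) // 8
    if len(sig) != k:
        raise ValueError("signature length does not match modulus")
    em = pow(int.from_bytes(sig, "big"), e, n).to_bytes(k, "big")
    if em[:2] != b"\x00\x01":
        raise ValueError("bad block type")
    sep = em.index(b"\x00", 2)
    if sep < 10 or any(b != 0xFF for b in em[2:sep]):
        raise ValueError("bad padding string")
    return em[sep + 1:]


def verify_sha256_rsa_pkcs(data: bytes, sig: bytes, n: int, e: int) -> bool:
    """Strict verify: re-encode the expected EM and compare the whole thing.
    Comparing the full encoding, instead of parsing the recovered DigestInfo
    leniently, is what rules out the classic low-exponent forgery against
    sloppy PKCS#1 v1.5 parsers."""
    k = (n.bit_length() + 7) // 8
    if len(sig) != k:
        return False
    em = pow(int.from_bytes(sig, "big"), e, n).to_bytes(k, "big")
    return secrets.compare_digest(em, emsa_pkcs1_v15_encode(data, k))


if __name__ == "__main__":
    n, e, d = generate_rsa_key()
    data = b"constructed sample contract"  # stands in for the 'data' file in the report
    sig = sign_sha256_rsa_pkcs(data, n, d)
    print(rsautl_verify(sig, n, e).hex())  # 3031300d...0420 followed by sha256(data)
    print(verify_sha256_rsa_pkcs(data, sig, n, e))
```

The `rsautl_verify` output is the byte string asn1parse decoded in the report; its last 32 bytes are the `sha256sum` of the input. For anything beyond inspection, use the strict comparison in `verify_sha256_rsa_pkcs` (or `openssl dgst -verify`, which does the same) rather than eyeballing the recovered digest.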
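OpenSC decides whether a card is supported by matching the ATR that `opensc-tool -a` printed against the ATR tables of its card drivers, so "Unsupported card" means no driver claimed that ATR. The following is an added example (not OpenSC code) that decodes an ISO 7816-3 ATR into its interface bytes, the protocols it announces, its historical bytes and its TCK checksum, using the ATR from the report as the sample input; the field names follow ISO 7816-3 and the function name is my own.

```python
"""Added example: minimal ISO 7816-3 ATR decoder, applied to the ATR that
opensc-tool -a printed in the report. Not OpenSC code."""


def parse_atr(atr_hex: str) -> dict:
    """Split an ATR into TS, interface bytes TAi/TBi/TCi/TDi, historical bytes
    and TCK. Raises ValueError on a malformed ATR."""
    atr = bytes.fromhex(atr_hex.replace(":", "").replace(" ", ""))
    if len(atr) < 2 or atr[0] not in (0x3B, 0x3F):
        raise ValueError("TS must be 0x3B (direct) or 0x3F (inverse)")
    t0 = atr[1]
    n_hist = t0 & 0x0F          # K: number of historical bytes
    y, i, idx = t0 >> 4, 2, 1   # Y1 bitmap, read position, interface index
    interface, protocols = {}, set()
    while True:
        for bit, name in ((1, "TA"), (2, "TB"), (4, "TC")):
            if y & bit:
                interface[f"{name}{idx}"] = atr[i]
                i += 1
        if not y & 8:
            break
        td = atr[i]
        i += 1
        interface[f"TD{idx}"] = td
        protocols.add(td & 0x0F)  # low nibble of TDi names a protocol T=x
        y, idx = td >> 4, idx + 1
    historical = atr[i:i + n_hist]
    i += n_hist
    # TCK is present unless the ATR offers only T=0 (no TD1 at all counts as T=0).
    tck, tck_ok = None, None
    if protocols - {0}:
        tck = atr[i]
        i += 1
        xor = 0
        for b in atr[1:i]:      # T0 through TCK inclusive must XOR to zero
            xor ^= b
        tck_ok = xor == 0
    if i != len(atr) or len(historical) != n_hist:
        raise ValueError("ATR length does not match its own structure")
    return {
        "TS": atr[0],
        "interface": interface,
        "protocols": sorted(protocols) or [0],
        "historical": historical.hex(),
        "TCK": tck,
        "tck_ok": tck_ok,
    }


if __name__ == "__main__":
    # ATR reported by opensc-tool -a for the eToken 5110 SC above
    for key, value in parse_atr("3b:d5:18:00:81:31:3a:7d:80:73:c8:21:10:30").items():
        print(f"{key}: {value}")
```

For the ATR above this yields TA1/TC1/TD1/TD2/TA3/TB3, protocol T=1 only, five historical bytes, and a valid TCK, so the ATR itself is well formed; the problem is purely that nothing in OpenSC 0.17.0's driver tables matches it. A quick experiment is to force a driver for that exact ATR with a `card_atr` block in opensc.conf (setting `driver`), which tells you whether any existing driver, such as cardos, can talk to the card at all.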