@jurajsarinay
Contributor

I have a USB token labelled SafeNet 5110 (cf. #1320) known to be an IDPrime "card". It turns out to work well with the IDPrime driver (possibly thanks to #2666) after adding the appropriate ATR (also listed here) to card-idprime.c.

$ ./pkcs11-tool --login --test
Using slot 1 with a present token (0x4)
Logging in to "QES JS".
Please enter User PIN: 
C_SeedRandom() and C_GenerateRandom():
  seeding (C_SeedRandom) not supported
  seems to be OK
Digests:
  all 4 digest functions seem to work
  MD5: OK
  RIPEMD160: OK
  SHA-1: OK
  SHA256: OK
Signatures (currently only for RSA)
  testing key 0 (Private key 1) 
  all 4 signature functions seem to work
  testing signature mechanisms:
    RSA-PKCS: OK
    SHA256-RSA-PKCS: OK
Verify (currently only for RSA)
  testing key 0 (Private key 1)
    RSA-PKCS: OK
Decryption (currently only for RSA)
  testing key 0 (Private key 1) -- can't be used to decrypt, skipping
No errors

I only have a single (production) token. I am therefore not very keen on testing any other (advanced) features of the driver.

It appears that none of the IDPrime cards are included in the Windows minidriver. I guess this must have been deliberate. An attempt to include the token resulted in an error.

>certutil /scinfo
=======================================================
Analyzing card in reader: SafeNet eToken 5100 [eToken 5110 SC] 01 00
Microsoft Base Smart Card Crypto Provider: Missing stored keyset
Microsoft Smart Card Key Storage Provider: Missing stored keyset

--------------===========================--------------
CertUtil: -SCInfo command FAILED: 0x80090016 (-2146893802 NTE_BAD_KEYSET)
CertUtil: Keyset does not exist

Feel free to change SC_CARD_TYPE_IDPRIME_GENERIC (or the description) to a more appropriate value.

Checklist
  • PKCS#11 module is tested

@Jakuje
Member

Jakuje commented Jun 27, 2023

No objections. @xhanulik do we need some more information from the card that would be helpful to improve the driver?

@xhanulik
Member

As the pkcs11-tool --test works, it suggests that the given card matches the key references which were set for SC_CARD_TYPE_IDPRIME_GENERIC (the default one):

	default:
		new_object.key_reference = 0x56 + cert_id;
		break;

It would maybe be useful to get OpenSC debug log traces from pkcs11-tool --test to check whether the changes introduced in #2666 are working fine.

@Jakuje Jakuje merged commit 232265d into OpenSC:master Jun 30, 2023
@jurajsarinay jurajsarinay deleted the etoken branch June 30, 2023 12:26
@xhanulik xhanulik mentioned this pull request Jul 3, 2023
@Jakuje Jakuje mentioned this pull request Feb 27, 2024
@jurajsarinay
Contributor Author

For future reference, this is what SafeNet Authentication Client 10.8 reports about my token:

Token category: Hardware
Reader name: SafeNet eToken 5100/5110 [eToken 5110 SC] 01 00
Free space (minimum estimated): 65794
Product name: eToken 5110 CC (940)
Card type: IDPrime
Applet Version: IDPrime Java Applet 4.4.2.A
Mask version: G286
Token Password: Present
Token Password retries remaining: 5
Maximum Token Password retries: 5
Token Password expiration: No expiration
Administrator Password: Present
Administrator Password retries remaining: 5
Maximum administrator Password retries: 5
FIPS: N/A
Common Criteria (CC): CC EAL5+ / PP QSCD 
Token unlock objects: Administrator
Digital Signature PIN retries remaining: 1
Digital Signature PIN maximum retries: 3
Digital Signature PUK retries remaining: 3
Digital Signature PUK maximum retries: 3
Sign padding on-board: Yes
Supported key size: 4096 bits
ECC: Supported
