Eutron regressions in 0.11.0 ?: msg#00042

encryption.opensc.user

Subject: Eutron regressions in 0.11.0 ?

Hi all,

We've ordered a developer package of Eutron USB tokens and I have tried to get
the two supported models ITSEC-I and ITSEC-P to work together with
openct-0.6.7 and opensc-0.11.0 under SuSE10.0.

My mileage has been very discouraging, so maybe someone can help me with the
following issues.

First, I sum up the knowledge I gathered about the tokens:

1) My ITSEC-I is based on Siemens CardOS v4.01a (ATR
3b:f2:98:00:ff:c1:10:31:fe:55:c8:04:12) and this cardOS/token should be
supported at least since opensc-0.9.x

2) My ITSEC-P is based on StarCOS 2.3 (ATR
3b:b7:94:00:81:31:fe:65:53:50:4b:32:33:90:00:d1) and the cardOS is supported
for quite a long time by opensc. The implementation of the transport layer in
openct has been subject to a recent patch to ifd-eutron.c by Chaskiel
Grundman, which has been incorporated into openct-0.6.7

OK, now to the things I have done with the tokens:

1) I generated a pkcs15- structure on the ITSEC-I with
openct-0.6.5/opensc-0.9.6, which is included with SuSE-10.0, this operation
worked out-of-the-box.

# pkcs15-init -C

2) I generated a PIN on the ITSEC-I with openct-0.6.5/opensc-0.9.6, this
operation worked out-of-the-box.

# pkcs15-init -P -a 1

3) I tried to generate a private key on the ITSEC-I with
openct-0.6.5/opensc-0.9.6 using the generated PIN. This operation failed with
an error message, which incidentally I cannot remember anymore.

4) However I was able to generate a private key without a PIN using
opensc-0.9.6:

# pkcs15-init -G rsa/1024 --insecure -i 45 -u sign

5) I upgraded to openct-0.6.7/opensc-0.11.0 (contact me, if someone needs
spec/rpm files for SuSE 10.0...) and tried to clean up the pkcs15-structure
using

# pkcs15-init -E -C

This command asked me for the unspecified PIN 115 (0x73) and I tried to enter
the factory default SO PIN several times, which was a fatal error, because
after contacting Eutron support I received their tool to reset the token
(see: doc/euton.html in the openct distribution), but this tool is unable to
reset the token anyways, because I obviously blocked this factory-default
transport PIN, which is undocumented and a secret of Siemens Italia.

6) However, when I try to generate a private key using opensc-0.11.0 and the
PIN I generated with opensc-0.9.6, I get the following errors:

# pkcs15-init -G rsa/1024 -a 1 -i 46 -u sign
card-cardos.c:225:cardos_check_sw: invalid parameters in data field
card.c:376:sc_create_file: returning with: Incorrect parameters in APDU
Failed to generate key: Incorrect parameters in APDU

Well, this is the traditional game over situation, so I gave up with the
ITSEC-I at this point. [cannot delete the content of the token, cannot
generate another private key :-( ] I will kindly receive another ITSEC-I
token from Eutron next week, so I can try it again with a legacy
openct-0.6.7/opensc-0.11.0 environment again.

7) I switched over to the ITSEC-P token, which should be supported by
openct-0.6.7/opensc-0.11.0 and I successfully generated a pkcs15- structure.

8) I successfully generated a PIN on the ITSEC-P using
openct-0.6.7/opensc-0.11.0:

# pkcs15-init -P -a 1

9) However, I cannot generate any certificate using this token, here are the
corresponding errors:

# pkcs15-init -G rsa/1024 -a 1 -i 45 -u sign
Security officer PIN required.
Please enter Security officer PIN:
iso7816.c:99:iso7816_check_sw: No precise diagnosis
card.c:686:sc_card_ctl: returning with: Card command failed
Failed to generate key: Card command failed

No success with ITSEC-P either :-(

So any help is appreciated, because I really do not like to use Eutron's
commercial software stack.

TIA

Wolfgang

--
Dr. Wolfgang Glas ev-i Informationstechnologie GmbH.
Geschäftsführer Sebastian-Kneipp-Weg 17
wolfgang.glas@xxxxxxx A-6020 Innsbruck/Austria
phone: +43-512-284883-2 +43-699-12665927 fax: +43-720-699931
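
Added example, not part of the original message and not OpenSC or OpenCT code: a minimal ISO/IEC 7816-3 ATR decoder in Python, run over the two ATRs quoted in the message, which extracts the interface bytes, offered protocols, historical bytes and TCK checksum that identify what a token reports about itself. The function name `parse_atr` and the constant names are this example's own.

```python
# Added example: minimal ISO/IEC 7816-3 ATR decoder (not OpenSC or OpenCT code).
from functools import reduce
from operator import xor

# The two ATRs quoted in the message above.
ATR_ITSEC_I = "3b:f2:98:00:ff:c1:10:31:fe:55:c8:04:12"
ATR_ITSEC_P = "3b:b7:94:00:81:31:fe:65:53:50:4b:32:33:90:00:d1"

def parse_atr(text):
    """Return interface bytes, protocols, historical bytes and TCK status."""
    atr = bytes.fromhex(text.replace(":", ""))
    if len(atr) < 2 or atr[0] not in (0x3B, 0x3F):
        raise ValueError("bad TS byte, not an ATR")
    y, k = atr[1] >> 4, atr[1] & 0x0F       # T0: Y1 bitmap + historical count
    pos, level, iface, protocols = 2, 1, {}, []
    while y:
        for bit, name in enumerate("ABCD"):  # TAi, TBi, TCi, TDi, in that order
            if y & (1 << bit):
                if pos >= len(atr):
                    raise ValueError("truncated interface bytes")
                iface[f"T{name}{level}"] = atr[pos]
                pos += 1
        td = iface.get(f"TD{level}")
        if td is None:                       # no TDi: no further interface bytes
            break
        y = td >> 4                          # bitmap for the next group
        protocols.append(td & 0x0F)          # low nibble: protocol T
        level += 1
    hist = atr[pos:pos + k]
    if len(hist) != k:
        raise ValueError("truncated historical bytes")
    pos += k
    tck_ok = None                            # TCK is absent when only T=0 is offered
    if any(p != 0 for p in protocols):
        if pos >= len(atr):
            raise ValueError("missing TCK")
        tck_ok = reduce(xor, atr[1:pos + 1]) == 0  # XOR of T0..TCK must be 0
        pos += 1
    if pos != len(atr):
        raise ValueError("trailing bytes after ATR")
    return {"interface": iface, "protocols": sorted(set(protocols)),
            "historical": hist, "tck_ok": tck_ok}

if __name__ == "__main__":
    for label, atr in (("ITSEC-I", ATR_ITSEC_I), ("ITSEC-P", ATR_ITSEC_P)):
        info = parse_atr(atr)
        print(label, "T=%s" % info["protocols"], info["historical"], info["tck_ok"])
```

Both ATRs pass the checksum and offer T=1; the ITSEC-P historical bytes begin with the ASCII string "SPK23" followed by 90 00.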

