E-Sign advanced digital signature (firma digital avanzada) on Linux (Chile, Bit4id)

This is a tutorial on how to make a Bit4id USB token (25dd:2611 before initialization, 25dd:2621 after) work on Linux. There is no Linux driver provided to Chileans using this specific token, so I would like to share my findings on how to make it work.

It is very sad that our government relies on companies known for handing user data to foreign spy agencies, like M******t: insecure by design and of course closed source, and no Linux/open driver is given to citizens for this token.

But let's fight the right cause (we shouldn't be forced to buy W*****s just to do our basic tax filings).

# lsusb
Bus 001 Device 047: ID 25dd:2621

Detailed version (lsusb -d 25dd:2611 -v, run before initialization):

lsusb -d 25dd:2611 -v
Bus 001 Device 050: ID 25dd:2611
Device Descriptor:
bLength 18
bDescriptorType 1
bcdUSB 1.10
bDeviceClass 0 (Defined at Interface level)
bDeviceSubClass 0
bDeviceProtocol 0
bMaxPacketSize0 8
idVendor 0x25dd
idProduct 0x2611
bcdDevice 1.31
iManufacturer 1
iProduct 2
iSerial 0
bNumConfigurations 1
Configuration Descriptor:
bLength 9
bDescriptorType 2
wTotalLength 41
bNumInterfaces 1
bConfigurationValue 1
iConfiguration 0
bmAttributes 0x80
(Bus Powered)
MaxPower 100mA
Interface Descriptor:
bLength 9
bDescriptorType 4
bInterfaceNumber 0
bAlternateSetting 0
bNumEndpoints 2
bInterfaceClass 3 Human Interface Device
bInterfaceSubClass 0 No Subclass
bInterfaceProtocol 0 None
iInterface 0
HID Device Descriptor:
bLength 9
bDescriptorType 33
bcdHID 1.00
bCountryCode 0 Not supported
bNumDescriptors 1
bDescriptorType 34 Report
wDescriptorLength 34
Report Descriptors:
** UNAVAILABLE **
Endpoint Descriptor:
bLength 7
bDescriptorType 5
bEndpointAddress 0x02 EP 2 OUT
bmAttributes 3
Transfer Type Interrupt
Synch Type None
Usage Type Data
wMaxPacketSize 0x0040 1x 64 bytes
bInterval 10
Endpoint Descriptor:
bLength 7
bDescriptorType 5
bEndpointAddress 0x82 EP 2 IN
bmAttributes 3
Transfer Type Interrupt
Synch Type None
Usage Type Data
wMaxPacketSize 0x0040 1x 64 bytes
bInterval 10

STEP ONE: Initializing the USB Token with usb_modeswitch.

I had to snoop the USB connection in order to see how the token was initialized. Let's look at the USB communication (although it is not a full log of the session, I learned a lot about this card just by looking at it). The capture is from UsbSnoop; the interesting part is URB 24, a 64-byte interrupt OUT transfer on endpoint 2 whose payload begins 01 b0 and is otherwise zero:


...
PipeHandle = 87d10404 [endpoint 0x00000002]
TransferFlags = 00000002 (USBD_TRANSFER_DIRECTION_OUT, USBD_SHORT_TRANSFER_OK)
TransferBufferLength = 00000040
TransferBuffer = baf69699
TransferBufferMDL = 00000000
00000000: 01 b0 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00000010: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00000020: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00000030: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
UrbLink = 00000000
[1938 ms] UsbSnoop - MyInternalIOCTLCompletion(bac59db0) : fido=87e20730, Irp=881e1ce0, Context=87e113d0, IRQL=2
[1938 ms] <<< URB 24 coming back <<<
-- URB_FUNCTION_BULK_OR_INTERRUPT_TRANSFER:
PipeHandle = 87d10404 [endpoint 0x00000002]
TransferFlags = 00000002 (USBD_TRANSFER_DIRECTION_OUT, USBD_SHORT_TRANSFER_OK)
TransferBufferLength = 00000040
TransferBuffer = baf69699
TransferBufferMDL = 881b1200
UrbLink = 00000000

One thing I took from the logs is that the token, once initialized, re-enumerates with a new product ID:

lsusb (before initialization) —> lsusb (after initialization)

Bus 001 Device 050: ID 25dd:2611 ---> Bus 001 Device 050: ID 25dd:2621

So I remembered how usb_modeswitch works for 3G USB modem dongles, and since I had the USB logs I figured I could try to send the same data, hoping it would initialize the token. (PS: you can write a conf file too, but in this case I just used one line, to find out whether it would work, and it did!)

sudo usb_modeswitch -v 25dd -p 2611 -V 25dd -P 2621 -m 0x2 -M 01b0000000000000000000000000000000000000000000000000000000000000 -r 0x02

Here -v/-p are the IDs the token shows at plug-in, -V/-P the IDs expected after the switch, -m 0x2 the endpoint the message is written to, -M the 64-byte message taken verbatim from the capture above, and -r the endpoint used for the response.

STEP TWO: Registering the token with the CCID driver.

Now comes the difficult part. In order for pcscd to recognize the reader (run it as sudo pcscd -f -d to watch it), we need to add the vendor ID and product ID to the long device list in /usr/lib/pcsc/drivers/ifd-ccid.bundle/Contents/. Let's add our device so the CCID driver recognizes it:

vim /usr/lib/pcsc/drivers/ifd-ccid.bundle/Contents/Info.plist

This large XML file contains entries for many readers; let's add ours at the head of the list. Remember that the VendorID and ProductID must be the ones AFTER initialization (25dd:2621). The three arrays (ifdVendorID, ifdProductID, ifdFriendlyName) are matched by index, so the new entry has to be inserted at the same position in all three or the names will no longer line up with the IDs. Note also that a libccid package upgrade replaces this file, so the edit must be re-applied afterwards. The file should look like this:

...
<key>ifdVendorID</key>
<array>
<string>0x25DD</string>
<string>0x072F</string>
...
<key>ifdFriendlyName</key>
<array>
<string>MY_SPECIAL_NAME</string>
<string>ACS ACR 38U-CCID</string>
...
<key>ifdProductID</key>
<array>
<string>0x2621</string>
<string>0x90CC</string>
...

After that, stop the pcscd service and run it in the foreground (sudo pcscd -f -d) so it re-reads Info.plist. If everything went right you should see this when invoking pcsc_scan:
dms@G1:~$ pcsc_scan
PC/SC device scanner
V 1.4.23 (c) 2001-2011, Ludovic Rousseau <ludovic.rousseau@free.fr>
Compiled with PC/SC lite version: 1.8.11
Using reader plug'n play mechanism
Scanning present readers...
0: Oberthur ID-One Cosmo V7-n it's a java card 2.2.2 00 00
Mon Oct 17 04:51:51 2016
Reader 0: Oberthur ID-One Cosmo V7-n it's a java card 2.2.2 00 00
Card state: Card inserted,
ATR: 3B FF 18 00 00 81 31 FE 45 00 6B 11 05 07 00 01 21 01 43 4E 53 10 31 80 4A
+ TS = 3B --> Direct Convention
+ T0 = FF, Y(1): 1111, K: 15 (historical bytes)
TA(1) = 18 --> Fi=372, Di=12, 31 cycles/ETU
129032 bits/s at 4 MHz, fMax for Fi = 5 MHz => 161290 bits/s
TB(1) = 00 --> VPP is not electrically connected
TC(1) = 00 --> Extra guard time: 0
TD(1) = 81 --> Y(i+1) = 1000, Protocol T = 1
-----
TD(2) = 31 --> Y(i+1) = 0011, Protocol T = 1
-----
TA(3) = FE --> IFSC: 254
TB(3) = 45 --> Block Waiting Integer: 4 - Character Waiting Integer: 5
+ Historical bytes: 00 6B 11 05 07 00 01 21 01 43 4E 53 10 31 80
Category indicator byte: 00 (compact TLV data object)
Tag: 6, len: B (pre-issuing data)
Data: 11 05 07 00 01 21 01 43 4E 53
Mandatory status indicator (3 last bytes)
LCS (life card cycle): 10 (Proprietary)
SW: 3180 (Error not defined by ISO 7816)
+ TCK = 4A (correct checksum)

Possibly identified card (using /usr/share/pcsc/smartcard_list.txt):
3B FF 18 00 00 81 31 FE 45 00 6B 11 05 07 00 01 21 01 43 4E 53 10 31 80 4A
Oberthur ID-One Cosmo V7-n it’s a java card 2.2.2

There we have it: an Oberthur ID-One Cosmo V7 chip inside the Bit4id AK910 USB token, ATR 3B FF 18 00 00 81 31 FE 45 00 6B 11 05 07 00 01 21 01 43 4E 53 10 31 80 4A. Now let's try OpenSC.

With this information I was able to track down Linux drivers on an Italian website; the PKCS#11 library is called libbit4xpki.so (md5sum):

1b2b932045acc0cd32150f303ffcf623 libbit4xpki.so

Test-signing a file with pkcs11-tool (adjust --module to wherever you installed the library):


pkcs11-tool --module /usr/local/lib/libbit4p11.so.0 --login --sign --input-file hola.txt --output-file hola.txt.sig --mechanism SHA1-RSA-PKCS && xxd hola.txt.sig

Using slot 0 with a present token (0x0)
Logging in to "Carta Nazionale dei Servizi".
Please enter User PIN:
Using signature algorithm SHA1-RSA-PKCS
0000000: 4c13 a81c 9f19 eee5 422d fead 1f9b d71e L.......B-......
0000010: e347 0212 44e2 8e12 d48e ba7a ec74 060e .G..D......z.t..
0000020: be39 ab18 f11e a7b0 439f e0d7 24cd d070 .9......C...$..p
0000030: 8ad8 0e66 dae2 b2af a11e 0327 7444 393e ...f.......'tD9>
0000040: a641 1ba5 f633 8450 baeb 1233 1bb0 4d01 .A...3.P...3..M.
0000050: 1fdf 5cb5 c637 d23d 30ec 0a93 ef77 86c9 ..\..7.=0....w..
0000060: ae5f 4625 2cf4 cf09 2853 909e 2650 65e4 ._F%,...(S..&Pe.
0000070: 43d7 4cb1 1b78 a00d f28c 3b51 ac22 295d C.L..x....;Q.")]
0000080: f381 bd29 b200 11ae fe67 9fa1 5e9b 3138 ...).....g..^.18
0000090: a48a 30f6 bdbb 980a c26c 3460 6f0e b39e ..0......l4`o...
00000a0: b106 ecbe 9c90 931d 5ce4 39b9 0acd 647b ........\.9...d{
00000b0: eab3 89f1 8299 ec4b f470 f713 39f1 4ee5 .......K.p..9.N.
00000c0: e818 ad19 9c7e b6e7 ab7d d567 dc29 a85c .....~...}.g.).\
00000d0: bf28 b774 68fb 76ae b448 ce7d daf7 2afe .(.th.v..H.}..*.
00000e0: d238 8e53 ae4b 285c be1a 39e3 f93f f0a5 .8.S.K(\..9..?..
00000f0: 4790 5afc 4dac 0cb5 ec97 fc81 8128 8ca6 G.Z.M........(..

Voilà, the signing process was a success, which means the vendor's PKCS#11 library drives this card on Linux. The 256-byte (0x100) output is the size of a 2048-bit RSA signature. SHA1-RSA-PKCS was only used here to prove the token works; SHA-1 signatures are deprecated, so for anything you actually sign use SHA256-RSA-PKCS if the token accepts it. Now you can configure your favorite app; so far I'm able to log in to the sii.cl website with Chromium and Firefox, and I'm able to do my taxes using only Linux.

I hope this guide will help all Chileans make this hardware work, and encourage us to ask our government for open technologies with Linux support, not NSA spyware from big corporations.

You can download it and use it with pkcs11-tool, and finally we have our driver working in Firefox, Chrome and PGP.

Some screenshots (not reproduced here): works in Firefox; works in Chrome.
