BryanJacobs / FIDO2Applet

FIDO2 Javacard Applet
MIT License

install_attestation_cert.py: "Could not find any FIDO PC/SC devices!" #31

Closed digitalentropy closed 4 months ago

digitalentropy commented 4 months ago

First, thank you for the endless hard work on the FIDO2 applet!

Currently I'm loading the cap to JCOP3 and JCOP4 cards without any issue, and using "aa00f504f50505061820071904000818200918fe0a1904000b1904000e04" for the params to enable attestation.

The issue comes up when running install_attestation_cert.py.

    D:\FIDO2Applet>python install_attestation_cert.py
    Generated CA private key: b'MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgZRlzq/r/3zddxdyh7BcBg4pJZ6/U0bxPRi6XB2s2zaihRANCAAQJRuzh7RqU7fRysOQ70cubsuEBZggBEYK/dSXzeDecM3rxp9Jl/3sl+va5rmYPKbgyNNYsUc7N32ircIi02EFM'
    Generated CA cert: b'MIIBPzCB5qADAgECAhQwNyvXraQ2xo9TGjpwAHHIMPBGMTAKBggqhkjOPQQDAjAgMQ0wCwYDVQQKDARBQ01FMQ8wDQYDVQQDDAZBdXRoQ0EwHhcNMjQwNTIwMTYxNzEzWhcNMzQwNTE5MTYxNzEzWjAgMQ0wCwYDVQQKDARBQ01FMQ8wDQYDVQQDDAZBdXRoQ0EwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAAQJRuzh7RqU7fRysOQ70cubsuEBZggBEYK/dSXzeDecM3rxp9Jl/3sl+va5rmYPKbgyNNYsUc7N32ircIi02EFMMAoGCCqGSM49BAMCA0gAMEUCIFlTZBnwirnPyLwY1mMVGic2GanMK+HJMjRlcAdFR9wKAiEA4iLswfgJ/mmHsGptwBJkhS6E3Yibx8MXfaO7cY6ryfU='
    Using AAGUID: 837b664326e0d505c5918fa1c3ff5cc4
    b'...'
    Could not find any FIDO PC/SC devices!

It doesn't seem to matter what PCSC reader I use. I know the readers themselves are working because I did some testing in the console:

    >>> list(System.readers())
    ['Identiv uTrust 4701 F CL Reader 1', 'Identiv uTrust 4701 F Contact Reader 0', 'Microsoft IFD 0', 'Windows Hello for Business 1']

I suspect the issue is somewhere in the Ctap library but I'm not sure how to debug it.

Any thoughts?

BryanJacobs commented 4 months ago

I'm just using the library python-fido2, which uses pyscard. Another user reported the same issue as you.

Since the pyscard listing of readers is working, here's the python-fido2 code:

    # CtapPcscDevice.list_devices() in fido2/pcsc.py (python-fido2). A reader
    # that fails to open is skipped and the reason only goes to the DEBUG
    # logger, so a permission error ends up looking like "no readers".
    @classmethod
    def list_devices(cls, name: str = "") -> Iterator[CtapPcscDevice]:
        for reader in _list_readers():
            if name in reader.name:
                try:
                    yield cls(reader.createConnection(), reader.name)
                except Exception as e:
                    logger.debug("Error %r", e)

You're welcome to change the debug log line to a print() and see what the error is - probably you don't have permission to connect to the reader...

digitalentropy commented 4 months ago

Do you know where the logs are saved by default? I can probably just pull those, correct?

BryanJacobs commented 4 months ago

> Do you know where the logs are saved by default?

They're not.

digitalentropy commented 4 months ago

Turning on the logger was indeed helpful. Here's what we get now:

    D:\FIDO2Applet>python install_attestation_cert.py
    Generated CA private key: b'MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQg1hwQ+ku8hndqVO5/VictaKYFXRd44r2L5aW3uuz0y26hRANCAARWy0ArhpwwKyY/4m8sHvnC6pijK8eag0MpQv0OUqXAQ2KWHUttZoIekbCXee8vdJH/JZ77ApFz6KPy+ywAzi9q'
    Generated CA cert: b'MIIBPjCB5qADAgECAhQy5IJftA+07KCbHbN6NubXxJO5PzAKBggqhkjOPQQDAjAgMQ0wCwYDVQQKDARBQ01FMQ8wDQYDVQQDDAZBdXRoQ0EwHhcNMjQwNTIwMTY0ODA2WhcNMzQwNTE5MTY0ODA2WjAgMQ0wCwYDVQQKDARBQ01FMQ8wDQYDVQQDDAZBdXRoQ0EwWTATBgcqhkjOPQIBBggqhkjOPQMBBwNCAARWy0ArhpwwKyY/4m8sHvnC6pijK8eag0MpQv0OUqXAQ2KWHUttZoIekbCXee8vdJH/JZ77ApFz6KPy+ywAzi9qMAoGCCqGSM49BAMCA0cAMEQCICrphxFUltkUxhneXNcJ+bVFpbK4qAwP53YMOrhJr3VRAiAoWZTWkxKDCaGHPq63F6PubLWSLKvrFfkMm3/JNiiP5A=='
    Using AAGUID: e1f411690152ecf01fa7141a80a8c083
    b'...'
    DEBUG:fido2.pcsc:Error CardConnectionException('Failed to transmit with protocol T1. Access is denied to this file. ')
    DEBUG:fido2.pcsc:Error NoCardException('Unable to connect')
    DEBUG:fido2.pcsc:Error NoCardException('Unable to connect')
    DEBUG:fido2.pcsc:Error CardConnectionException('Failed to transmit with protocol T1. Access is denied to this file. ')
    Could not find any FIDO PC/SC devices!

BryanJacobs commented 4 months ago

Yep. Looks like your user account does not have permission to access the PC/SC device.
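A diagnostic script for the situation in this thread, added here as an example (it is not part of FIDO2Applet or python-fido2). It switches on the fido2.pcsc debug logger that list_devices() writes to, then opens each PC/SC reader itself and keeps the exception instead of silently skipping the reader. The SELECT APDU uses the FIDO applet AID A0000006472F0001; the mapping from error text to hint (Windows "Access is denied" to "run elevated", Linux to pcscd/polkit) is an assumption about the common causes, not anything python-fido2 provides; the fake readers are constructed from the reader names and error lines posted above so the script runs without pyscard or a card.

```python
"""Surface the error python-fido2 swallows before "Could not find any FIDO PC/SC devices".
Added example for this thread, not code from FIDO2Applet or python-fido2; it uses
only the pyscard calls seen in the thread, so it also runs on constructed fakes."""
import logging
from typing import Iterable, List, NamedTuple

# SELECT by AID for the FIDO applet (A0000006472F0001); python-fido2 sends
# this too before it treats a reader as a CTAP device.
SELECT_FIDO_APDU = [0x00, 0xA4, 0x04, 0x00, 0x08,
                    0xA0, 0x00, 0x00, 0x06, 0x47, 0x2F, 0x00, 0x01]

# Substrings from the thread's DEBUG lines -> assumed cause; first match wins.
_HINTS = (
    ("access is denied", "permission denied: on Windows re-run as administrator, "
                         "on Linux check pcscd/polkit access for this user"),
    ("unable to connect", "no card present in this reader"),
    ("failed to transmit", "transport error talking to the card"),
)

class ProbeResult(NamedTuple):
    reader: str
    ok: bool
    error: str   # repr of the raised exception, "" if none
    hint: str

def diagnose(error_text: str) -> str:
    """Map an exception message to an actionable hint."""
    lowered = error_text.lower()
    for needle, hint in _HINTS:
        if needle in lowered:
            return hint
    return "unrecognised PC/SC error; read the exception text"

def probe_readers(readers: Iterable, name_filter: str = "") -> List[ProbeResult]:
    """Connect and SELECT the FIDO applet on each reader, as python-fido2 does,
    but record why a reader was rejected instead of dropping it."""
    results = []
    for reader in readers:
        if name_filter not in reader.name:
            continue
        try:
            conn = reader.createConnection()
            conn.connect()                      # raises when no card / no access
            _, sw1, sw2 = conn.transmit(SELECT_FIDO_APDU)
            ok = (sw1, sw2) == (0x90, 0x00)
            hint = "FIDO applet selected" if ok else f"SELECT failed, SW={sw1:02X}{sw2:02X}"
            results.append(ProbeResult(reader.name, ok, "", hint))
        except Exception as exc:                # same broad catch python-fido2 uses
            results.append(ProbeResult(reader.name, False, repr(exc), diagnose(str(exc))))
    return results

class _FakeConnection:
    """Constructed stand-in for a pyscard CardConnection; no hardware needed."""
    def __init__(self, behaviour):
        self._b = behaviour
    def connect(self):
        if self._b == "nocard":
            raise Exception("Unable to connect")
    def transmit(self, apdu):
        if self._b == "denied":
            raise Exception("Failed to transmit with protocol T1. Access is denied to this file. ")
        return ([], 0x90, 0x00) if self._b == "fido" else ([], 0x6A, 0x82)

class _FakeReader:
    def __init__(self, name, behaviour):
        self.name, self._behaviour = name, behaviour
    def createConnection(self):
        return _FakeConnection(self._behaviour)

def demo_readers():
    """Reader names and failure pattern from the thread, plus one constructed
    reader that answers the FIDO SELECT."""
    return [
        _FakeReader("Identiv uTrust 4701 F CL Reader 1", "denied"),
        _FakeReader("Identiv uTrust 4701 F Contact Reader 0", "nocard"),
        _FakeReader("Microsoft IFD 0", "nocard"),
        _FakeReader("Windows Hello for Business 1", "denied"),
        _FakeReader("Constructed reader with FIDO2Applet", "fido"),
    ]

def main() -> int:
    logging.basicConfig(level=logging.DEBUG)    # makes fido2.pcsc's "Error ..." lines visible
    try:
        from smartcard.System import readers    # pyscard, the backend python-fido2 uses
        reader_list = readers()
    except ImportError:
        print("pyscard not installed: probing constructed fake readers")
        reader_list = demo_readers()
    results = probe_readers(reader_list)
    for r in results:
        print("OK " if r.ok else "BAD", r.reader + ":", r.hint, f"[{r.error}]" if r.error else "")
    return 0 if any(r.ok for r in results) else 1

if __name__ == "__main__":
    raise SystemExit(main())
```

Run it from the same shell you use for install_attestation_cert.py. If every reader comes back BAD with the permission hint, re-running elevated (as the reporter did) is the fix; a reader whose card answers but returns a status other than 9000 means the applet is not installed or not selectable, which is a different problem from the one in this thread.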

digitalentropy commented 4 months ago

Yeah, resolving it was as simple as running as admin. Apologies for the simple oversight.

Is it worth adding some extra error text in the event of no cards found to ask the user to make sure they're running as admin?

BryanJacobs commented 4 months ago

I've added a clue to the warning message, although of course the problem/cause is down in python-fido2 and not up in the script.

From the script's perspective, there just weren't any usable readers...

Anyway, glad you were able to resolve the issue.

digitalentropy commented 4 months ago

Agreed, I know the issue is with python-fido2. The warning in the script will still be helpful. Thank you!