KrakenTyio / eid-applet

Automatically exported from code.google.com/p/eid-applet
Other
0 stars 0 forks source link

Incompatibility with the reader Gemalto GemPC Pinpad USB #63

Closed GoogleCodeExporter closed 8 years ago

GoogleCodeExporter commented 8 years ago
Hi,

I've tried to the authentication on https://www.e-contract.be/eid-applet-test/ 
and it fail with this reader.
If I use the reader provided by Fedict, it works.

I see the windows asking for the PIN showing briefly before disappearing.

This reader has a PIN pad but it can only be used to send all digit at one 
(it's not the kind of pinpad you're supporting)

Caused by: sun.security.pkcs11.wrapper.PKCS11Exception: CKR_DEVICE_ERROR

Regards,
Vincent

eID Applet - Copyright (C) 2008-2010 FedICT.
Released under GNU LGPL version 3.0 license.
More info: http://code.google.com/p/eid-applet/
checking applet privileges...
security manager permission check for java 1.6...
checking web application trust...
trusting localhost web applications
warning: web application (applet resource) not trusted.
running privileged code...
eID browser applet version: 1.0.1.GA
Java version: 1.6.0_21
Java vendor: Sun Microsystems Inc.
OS: Windows 7
OS version: 6.1
OS arch: x86
Web application URL: https://www.e-contract.be/eid-applet-test/authenticate.jsp
Current time: Sat Jan 01 09:07:44 CET 2011
sending message: HelloMessage
current protocol state: null
protocol state transition: INIT
response message: AuthenticationRequestMessage
current protocol state: INIT
protocol state transition: AUTHENTICATE
include hostname: false
include inet address: false
remove card after authn: false
logoff: false
pre-logoff: false
TLS session Id channel binding: false
server certificate channel binding: false
include identity: false
include certificates: false
include address: false
include photo: false
include integrity data: false
require secure smart card reader: false
no PKCS11: false
Détection de la carte eID.
PKCS#11 path: C:\WINDOWS\system32\beidpkcs11.dll
library description: Belgium eID PKCS#11 interface v2
manufacturer ID: Belgium Government
library version: 1.0
cryptoki version: 2.b
reader: Gemalto GemPC Pinpad USB Smart Card Read 0
Veuillez introduire votre carte eID...
PKCS#11 path: C:\WINDOWS\system32\beidpkcs11.dll
library description: Belgium eID PKCS#11 interface v2
manufacturer ID: Belgium Government
library version: 1.0
cryptoki version: 2.b
reader: Gemalto GemPC Pinpad USB Smart Card Read 0
PKCS#11 path: C:\WINDOWS\system32\beidpkcs11.dll
library description: Belgium eID PKCS#11 interface v2
manufacturer ID: Belgium Government
library version: 1.0
cryptoki version: 2.b
reader: Gemalto GemPC Pinpad USB Smart Card Read 0
PKCS#11 path: C:\WINDOWS\system32\beidpkcs11.dll
library description: Belgium eID PKCS#11 interface v2
manufacturer ID: Belgium Government
library version: 1.0
cryptoki version: 2.b
reader: Gemalto GemPC Pinpad USB Smart Card Read 0
PKCS#11 path: C:\WINDOWS\system32\beidpkcs11.dll
library description: Belgium eID PKCS#11 interface v2
manufacturer ID: Belgium Government
library version: 1.0
cryptoki version: 2.b
reader: Gemalto GemPC Pinpad USB Smart Card Read 0
PKCS#11 path: C:\WINDOWS\system32\beidpkcs11.dll
library description: Belgium eID PKCS#11 interface v2
manufacturer ID: Belgium Government
library version: 1.0
cryptoki version: 2.b
reader: Gemalto GemPC Pinpad USB Smart Card Read 0
PKCS#11 path: C:\WINDOWS\system32\beidpkcs11.dll
library description: Belgium eID PKCS#11 interface v2
manufacturer ID: Belgium Government
library version: 1.0
cryptoki version: 2.b
reader: Gemalto GemPC Pinpad USB Smart Card Read 0
Belgium eID card in slot: 0
Autorisez...
getting protection parameter
key alias: Root
key alias: CA
key alias: Authentication
key alias: Signature
error: sun.security.pkcs11.wrapper.PKCS11Exception: CKR_DEVICE_ERROR
error type: java.security.ProviderException
at sun.security.pkcs11.P11Signature.engineSign:531
at java.security.Signature$Delegate.engineSign:-1
at java.security.Signature.sign:-1
at be.fedict.eid.applet.sc.Pkcs11Eid.signAuthn:432
at be.fedict.eid.applet.Controller.performEidAuthnOperation:1262
at be.fedict.eid.applet.Controller.run:373
at be.fedict.eid.applet.Applet$AppletThread$1.run:602
at java.security.AccessController.doPrivileged:-2
at be.fedict.eid.applet.Applet$AppletThread.run:597
at java.lang.Thread.run:-1
Caused by: sun.security.pkcs11.wrapper.PKCS11Exception: CKR_DEVICE_ERROR
at sun.security.pkcs11.wrapper.PKCS11.C_SignFinal:-2
at sun.security.pkcs11.wrapper.PKCS11$SynchronizedPKCS11.C_SignFinal:1636
at sun.security.pkcs11.P11Signature.engineSign:493
at java.security.Signature$Delegate.engineSign:-1
at java.security.Signature.sign:-1
at be.fedict.eid.applet.sc.Pkcs11Eid.signAuthn:432
at be.fedict.eid.applet.Controller.performEidAuthnOperation:1262
at be.fedict.eid.applet.Controller.run:373
at be.fedict.eid.applet.Applet$AppletThread$1.run:602
at java.security.AccessController.doPrivileged:-2
at be.fedict.eid.applet.Applet$AppletThread.run:597
at java.lang.Thread.run:-1
Erreur générale.

Original issue reported on code.google.com by Vincent....@gmail.com on 1 Jan 2011 at 10:24

GoogleCodeExporter commented 8 years ago
Since your eID Applet instance is using the PKCS#11 wrapper, seems like you've 
probably stumbled upon an eID Middleware issue. I'll have the eID Middleware 
team check this one out. Thanks for reporting. Could you also run the following 
tests to see whether the eID Applet (when using direct card access mode) can 
handle this type of reader? 
https://www.e-contract.be/eid-applet-test/authn-logoff-card.jsp

Original comment by frank.co...@gmail.com on 2 Jan 2011 at 8:19

GoogleCodeExporter commented 8 years ago
As I said in a previous email, here is the trace of the test you proposed :

eID Applet - Copyright (C) 2008-2010 FedICT.
Released under GNU LGPL version 3.0 license.
More info: http://code.google.com/p/eid-applet/
checking applet privileges...
security manager permission check for java 1.6...
checking web application trust...
running privileged code...
eID browser applet version: 1.0.2.Beta3
Java version: 1.6.0_23
Java vendor: Sun Microsystems Inc.
OS: Windows 7
OS version: 6.1
OS arch: x86
Web application URL: 
https://www.e-contract.be/eid-applet-test/authn-logoff-card.jsp
Current time: Sat Jan 22 22:55:28 CET 2011
session cookie detected
sending message: HelloMessage
current protocol state: null
protocol state transition: INIT
SSL handshake finish cipher suite: SSL_RSA_WITH_RC4_128_MD5
response message: AuthenticationRequestMessage
current protocol state: INIT
protocol state transition: AUTHENTICATE
include hostname: false
include inet address: false
remove card after authn: false
logoff: true
pre-logoff: true
TLS session Id channel binding: false
server certificate channel binding: false
include identity: true
include certificates: false
include address: true
include photo: true
include integrity data: true
require secure smart card reader: false
no PKCS11: false
Détection de la carte eID.
Détection de la carte eID.
Scanning card terminal: ACS CCID USB Reader 0
Scanning card terminal: Gemalto GemPC Pinpad USB Smart Card Read 0
eID card detected in card terminal : Gemalto GemPC Pinpad USB Smart Card Read 0
Autorisez...
performing a pre-logoff
logoff...
CCID GET_FEATURE IOCTL...
CCID GET_FEATURE IOCTL...
selecting key...
computing digital signature...
PIN verification required...
direct PIN verification...
error: transmitControlCommand() failed
error type: javax.smartcardio.CardException
at sun.security.smartcardio.CardImpl.transmitControlCommand:-1
at be.fedict.eid.applet.sc.PcscEid.verifyPinDirect:678
at be.fedict.eid.applet.sc.PcscEid.sign:614
at be.fedict.eid.applet.sc.PcscEid.signAuthn:964
at be.fedict.eid.applet.Controller.performEidPcscAuthnOperation:1331
at be.fedict.eid.applet.Controller.performEidAuthnOperation:1196
at be.fedict.eid.applet.Controller.run:373
at be.fedict.eid.applet.Applet$AppletThread$1.run:602
at java.security.AccessController.doPrivileged:-2
at be.fedict.eid.applet.Applet$AppletThread.run:597
at java.lang.Thread.run:-1
Caused by: sun.security.smartcardio.PCSCException: Unknown error 0x7a
at sun.security.smartcardio.PCSC.SCardControl:-2
at sun.security.smartcardio.CardImpl.transmitControlCommand:-1
at be.fedict.eid.applet.sc.PcscEid.verifyPinDirect:678
at be.fedict.eid.applet.sc.PcscEid.sign:614
at be.fedict.eid.applet.sc.PcscEid.signAuthn:964
at be.fedict.eid.applet.Controller.performEidPcscAuthnOperation:1331
at be.fedict.eid.applet.Controller.performEidAuthnOperation:1196
at be.fedict.eid.applet.Controller.run:373
at be.fedict.eid.applet.Applet$AppletThread$1.run:602
at java.security.AccessController.doPrivileged:-2
at be.fedict.eid.applet.Applet$AppletThread.run:597
at java.lang.Thread.run:-1
Erreur Carte.
card error: transmitControlCommand() failed

Original comment by Vincent....@gmail.com on 22 Jan 2011 at 9:55

GoogleCodeExporter commented 8 years ago
I've checked with the eID Middleware dev team. Seems like we don't support this 
card reader.

Original comment by frank.co...@gmail.com on 7 Feb 2011 at 10:48

GoogleCodeExporter commented 8 years ago
Ca m'est complétement égal que le mode PIN pad ne soit pas supporté. Ce qui 
est génant, c'est qu'il est impossible de lire la carte avec le driver fourni.
Si on regarde la façon d'interfacer les PIN PAD, on  remarque qu'il y a deux 
méthodes.
Via un event ou chaque touche est signalée puis l'APDU envoyé, soit on envoie 
un ADPU spécial (où le PIN est limité à 8 caractères) et tout est envoyé 
d'un coup.
Le problème, c'est que vous traitez tous les lecteurs comme faisant suivant la 
méthode 1. (quand on lit les capabilities).
Pourquoi forcer le mode 2 sur les lecteurs quand le code ne le supporte pas ? 
Il faudrait juste que le lecteur soit traité comme un lecteur sans PIN PAD.

Original comment by Vincent....@gmail.com on 7 Feb 2011 at 11:53

GoogleCodeExporter commented 8 years ago
Hi, 

I know this issue is closed for more than 2 years. 

Recently I stumbled with the same problem with this reader (Caused by: 
sun.security.smartcardio.PCSCException: Unknown error 0x7a), this problem only 
occurs on windows 
I think this is a problem in the driver of the reader, which could be solved by 
Gemalto if they want to.

Original comment by rmarti...@gmail.com on 31 Jul 2013 at 11:47

GoogleCodeExporter commented 8 years ago
I have had some experience with the "Unknown error 0x7a" from 
javax.smartcardio.CardException: sun.security.smartcardio.PCSCException

Point 1:  I get this error when using extended data length when the card should 
return a large amount of data. Specifically, I get it while using the command:

00 cb 3f ff    00 00 05    5c 03 5f c1 08    00 00

on a PIV card.  
If the data returned would be 6554 bytes, then the command works.
But a larger data object of 9407 fails every time with a 0x7A error.

Point 2:  Windows defines an error 122L == 0x7A of 
    MessageId: ERROR_INSUFFICIENT_BUFFER
    MessageText: The data area passed to a system call is too small.

So it looks to me like the java based library has a buffer of size perhaps 8K 
which is passed to a Windows API, which then returns that error code, and the 
java library passes it back to the user.

Point 3: The same APDU works just fine with C++ access to PC/SC using the same 
card and terminal.

So my suspicion is that there is a trivial bug in the Java smartcard libraries 
which could be fixed rather easily once the buffer size was increased to 64K.

Original comment by andrew7w...@gmail.com on 3 Jan 2014 at 7:13

GoogleCodeExporter commented 8 years ago
This is what I tried to report to Gemalto: 
The problem I've found is in the driver, only on Microsoft Windows, 
specifically when you use it with Java (I'll detail if further), however the 
problem can be reproduced not only in Java. I have a small code example in C 
where the problem can be also reproduced with some extra behavior. See attached 
zip file for the sources of the java example and C example. The C example is 
adapted from the example provided in the following document 
http://support.gemalto.com/fileadmin/user_upload/user_guide/Pinpad/PCPinpad_PC-S
C_UserGuide.pdf.

Use case:
Use the secure pin entry (designated as SPE) feature available on this 
smartcard reader (verify pin).

Errors/Exceptions found:
Executing the Java example the returned exception is
Exception in thread "main" javax.smartcardio.CardException: 
transmitControlCommand() failed
    at sun.security.smartcardio.CardImpl.transmitControlCommand(CardImpl.java:236)
    at sample.SimpleSample.init(SimpleSample.java:31)
    at sample.SimpleSample.main(SimpleSample.java:23)
Caused by: sun.security.smartcardio.PCSCException: Unknown error 0x7a
    at sun.security.smartcardio.PCSC.SCardControl(Native Method)
    at sun.security.smartcardio.CardImpl.transmitControlCommand(CardImpl.java:232)
    ... 2 more
Java Result: 1
Executing the C example with a buffer size of 256 bytes works fine (used the 
buffer size originally defined in the C source code)
C:\Users\rmartinho\Desktop>SimpleSample.exe 256
SCardControl sample code with examples of PCSC V2 part 10 commands
0: Dell Smart Card Reader Keyboard 0
1: Gemalto GemPC Pinpad USB Smart Card Read 0
Select a reader between 0 and 1
1
 Protocol: 1 on reader: Gemalto GemPC Pinpad USB Smart Card Read 0
SCardConnect: OK
==> Secure verify PIN
* command: 1E 00 82 04 00 08 04 02 01 04 09 00 00 00 00 0D 00 00 00 00 20 00 82 
08 FF FF FF FF FF FF FF FF
* length: 32
* verify_ioctl: 0x312110
* bRecvBuffer: 4
Enter your PIN in the Pinpad reader keypad...
* lengthRes: 2
 card response: 64 01 I canceled the pin entry here.
SCardControl: OK
SCardDisconnect: OK 
Executing the C example with a buffer size equal to the java buffer size (8192 
bytes)
C:\Users\rmartinho\Desktop>SimpleSample.exe 8192
SCardControl sample code with examples of PCSC V2 part 10 commands
0: Dell Smart Card Reader Keyboard 0
1: Gemalto GemPC Pinpad USB Smart Card Read 0
Select a reader between 0 and 1
1
 Protocol: 1 on reader: Gemalto GemPC Pinpad USB Smart Card Read 0
SCardConnect: OK
==> Secure verify PIN
* command: 1E 00 82 04 00 08 04 02 01 04 09 00 00 00 00 0D 00 00 00 00 20 00 82 
08 FF FF FF FF FF FF FF FF
* length: 32
* verify_ioctl: 0x312110
* bRecvBuffer: 4
Enter your PIN in the Pinpad reader keypad...
SCardControl: Error status (0x7A) Same error as in Java
SCardDisconnect: OK
Executing the C example with a buffer size of 513 bytes and above (tested a few 
random)
C:\Users\rmartinho\Desktop>SimpleSample.exe 513
SCardControl sample code with examples of PCSC V2 part 10 commands
0: Dell Smart Card Reader Keyboard 0
1: Gemalto GemPC Pinpad USB Smart Card Read 0
Select a reader between 0 and 1
1
 Protocol: 1 on reader: Gemalto GemPC Pinpad USB Smart Card Read 0
SCardConnect: OK
==> Secure verify PIN
* command: 1E 00 82 04 00 08 04 02 01 04 09 00 00 00 00 0D 00 00 00 00 20 00 82 
08 FF FF FF FF FF FF FF FF
* length: 32
* verify_ioctl: 0x312110
* bRecvBuffer: 4
Enter your PIN in the Pinpad reader keypad...
SCardControl:Error status (0x7A) Same error as in Java
SCardDisconnect: OK
Executing the C example with a buffer size of between 503 and 512 bytes results 
in a blue screen (GPinPad.sys)

The C example I used was compiled on a windows server 2003 R2 with service pack 
2 using visual studio team system 2008.

Probable cause:
The problem lies on a declared buffer size, the driver seems to accept only a 
maximum reported size of 502 bytes, however Java uses a fixed buffer size of 
8192 bytes which cannot be modified (it's a native method, I checked on pcsc.c 
source file from OpenJDK). 
Providing a buffer size equal or bigger than 513 bytes results in a error, the 
return code is 0x7A. According to Microsoft documentation 
(http://msdn.microsoft.com/en-us/library/windows/desktop/ms681382(v=vs.85).aspx)
 the meaning of the return code is the following: ERROR_INSUFFICIENT_BUFFER 122 
(0x7A) The data area passed to a system call is too small.
I think buffer size should not be a problem, it is just an indication of how 
much can be securely read or written, if this is some sort of limitation, the 
workaround would be read or write only to the extend of 502 bytes (or less if 
the buffer is smaller than 502 bytes).

The drivers I used with the samples are located on 
http://support.gemalto.com/index.php?id=pc_pinpad, I tested with both 
architectures 32/64 bits achieving the same results.

Original comment by rmarti...@gmail.com on 4 Jan 2014 at 2:45

Attachments: