Closed GoogleCodeExporter closed 8 years ago
Since your eID Applet instance is using the PKCS#11 wrapper, seems like you've
probably stumbled upon an eID Middleware issue. I'll have the eID Middleware
team check this one out. Thanks for reporting. Could you also run the following
tests to see whether the eID Applet (when using direct card access mode) can
handle this type of reader?
https://www.e-contract.be/eid-applet-test/authn-logoff-card.jsp
Original comment by frank.co...@gmail.com
on 2 Jan 2011 at 8:19
As I said in a previous email, here is the trace of the test you proposed :
eID Applet - Copyright (C) 2008-2010 FedICT.
Released under GNU LGPL version 3.0 license.
More info: http://code.google.com/p/eid-applet/
checking applet privileges...
security manager permission check for java 1.6...
checking web application trust...
running privileged code...
eID browser applet version: 1.0.2.Beta3
Java version: 1.6.0_23
Java vendor: Sun Microsystems Inc.
OS: Windows 7
OS version: 6.1
OS arch: x86
Web application URL:
https://www.e-contract.be/eid-applet-test/authn-logoff-card.jsp
Current time: Sat Jan 22 22:55:28 CET 2011
session cookie detected
sending message: HelloMessage
current protocol state: null
protocol state transition: INIT
SSL handshake finish cipher suite: SSL_RSA_WITH_RC4_128_MD5
response message: AuthenticationRequestMessage
current protocol state: INIT
protocol state transition: AUTHENTICATE
include hostname: false
include inet address: false
remove card after authn: false
logoff: true
pre-logoff: true
TLS session Id channel binding: false
server certificate channel binding: false
include identity: true
include certificates: false
include address: true
include photo: true
include integrity data: true
require secure smart card reader: false
no PKCS11: false
Détection de la carte eID.
Détection de la carte eID.
Scanning card terminal: ACS CCID USB Reader 0
Scanning card terminal: Gemalto GemPC Pinpad USB Smart Card Read 0
eID card detected in card terminal : Gemalto GemPC Pinpad USB Smart Card Read 0
Autorisez...
performing a pre-logoff
logoff...
CCID GET_FEATURE IOCTL...
CCID GET_FEATURE IOCTL...
selecting key...
computing digital signature...
PIN verification required...
direct PIN verification...
error: transmitControlCommand() failed
error type: javax.smartcardio.CardException
at sun.security.smartcardio.CardImpl.transmitControlCommand:-1
at be.fedict.eid.applet.sc.PcscEid.verifyPinDirect:678
at be.fedict.eid.applet.sc.PcscEid.sign:614
at be.fedict.eid.applet.sc.PcscEid.signAuthn:964
at be.fedict.eid.applet.Controller.performEidPcscAuthnOperation:1331
at be.fedict.eid.applet.Controller.performEidAuthnOperation:1196
at be.fedict.eid.applet.Controller.run:373
at be.fedict.eid.applet.Applet$AppletThread$1.run:602
at java.security.AccessController.doPrivileged:-2
at be.fedict.eid.applet.Applet$AppletThread.run:597
at java.lang.Thread.run:-1
Caused by: sun.security.smartcardio.PCSCException: Unknown error 0x7a
at sun.security.smartcardio.PCSC.SCardControl:-2
at sun.security.smartcardio.CardImpl.transmitControlCommand:-1
at be.fedict.eid.applet.sc.PcscEid.verifyPinDirect:678
at be.fedict.eid.applet.sc.PcscEid.sign:614
at be.fedict.eid.applet.sc.PcscEid.signAuthn:964
at be.fedict.eid.applet.Controller.performEidPcscAuthnOperation:1331
at be.fedict.eid.applet.Controller.performEidAuthnOperation:1196
at be.fedict.eid.applet.Controller.run:373
at be.fedict.eid.applet.Applet$AppletThread$1.run:602
at java.security.AccessController.doPrivileged:-2
at be.fedict.eid.applet.Applet$AppletThread.run:597
at java.lang.Thread.run:-1
Erreur Carte.
card error: transmitControlCommand() failed
Original comment by Vincent....@gmail.com
on 22 Jan 2011 at 9:55
I've checked with the eID Middleware dev team. Seems like we don't support this
card reader.
Original comment by frank.co...@gmail.com
on 7 Feb 2011 at 10:48
Ca m'est complétement égal que le mode PIN pad ne soit pas supporté. Ce qui
est génant, c'est qu'il est impossible de lire la carte avec le driver fourni.
Si on regarde la façon d'interfacer les PIN PAD, on remarque qu'il y a deux
méthodes.
Via un event ou chaque touche est signalée puis l'APDU envoyé, soit on envoie
un ADPU spécial (où le PIN est limité à 8 caractères) et tout est envoyé
d'un coup.
Le problème, c'est que vous traitez tous les lecteurs comme faisant suivant la
méthode 1. (quand on lit les capabilities).
Pourquoi forcer le mode 2 sur les lecteurs quand le code ne le supporte pas ?
Il faudrait juste que le lecteur soit traité comme un lecteur sans PIN PAD.
Original comment by Vincent....@gmail.com
on 7 Feb 2011 at 11:53
Hi,
I know this issue is closed for more than 2 years.
Recently I stumbled with the same problem with this reader (Caused by:
sun.security.smartcardio.PCSCException: Unknown error 0x7a), this problem only
occurs on windows
I think this is a problem in the driver of the reader, which could be solved by
Gemalto if they want to.
Original comment by rmarti...@gmail.com
on 31 Jul 2013 at 11:47
I have had some experience with the "Unknown error 0x7a" from
javax.smartcardio.CardException: sun.security.smartcardio.PCSCException
Point 1: I get this error when using extended data length when the card should
return a large amount of data. Specifically, I get it while using the command:
00 cb 3f ff 00 00 05 5c 03 5f c1 08 00 00
on a PIV card.
If the data returned would be 6554 bytes, then the command works.
But a larger data object of 9407 fails every time with a 0x7A error.
Point 2: Windows defines an error 122L == 0x7A of
MessageId: ERROR_INSUFFICIENT_BUFFER
MessageText: The data area passed to a system call is too small.
So it looks to me like the java based library has a buffer of size perhaps 8K
which is passed to a Windows API, which then returns that error code, and the
java library passes it back to the user.
Point 3: The same APDU works just fine with C++ access to PC/SC using the same
card and terminal.
So my suspicion is that there is a trivial bug in the Java smartcard libraries
which could be fixed rather easily once the buffer size was increased to 64K.
Original comment by andrew7w...@gmail.com
on 3 Jan 2014 at 7:13
This is what I tried to report to Gemalto:
The problem I've found is in the driver, only on Microsoft Windows,
specifically when you use it with Java (I'll detail if further), however the
problem can be reproduced not only in Java. I have a small code example in C
where the problem can be also reproduced with some extra behavior. See attached
zip file for the sources of the java example and C example. The C example is
adapted from the example provided in the following document
http://support.gemalto.com/fileadmin/user_upload/user_guide/Pinpad/PCPinpad_PC-S
C_UserGuide.pdf.
Use case:
Use the secure pin entry (designated as SPE) feature available on this
smartcard reader (verify pin).
Errors/Exceptions found:
Executing the Java example the returned exception is
Exception in thread "main" javax.smartcardio.CardException:
transmitControlCommand() failed
at sun.security.smartcardio.CardImpl.transmitControlCommand(CardImpl.java:236)
at sample.SimpleSample.init(SimpleSample.java:31)
at sample.SimpleSample.main(SimpleSample.java:23)
Caused by: sun.security.smartcardio.PCSCException: Unknown error 0x7a
at sun.security.smartcardio.PCSC.SCardControl(Native Method)
at sun.security.smartcardio.CardImpl.transmitControlCommand(CardImpl.java:232)
... 2 more
Java Result: 1
Executing the C example with a buffer size of 256 bytes works fine (used the
buffer size originally defined in the C source code)
C:\Users\rmartinho\Desktop>SimpleSample.exe 256
SCardControl sample code with examples of PCSC V2 part 10 commands
0: Dell Smart Card Reader Keyboard 0
1: Gemalto GemPC Pinpad USB Smart Card Read 0
Select a reader between 0 and 1
1
Protocol: 1 on reader: Gemalto GemPC Pinpad USB Smart Card Read 0
SCardConnect: OK
==> Secure verify PIN
* command: 1E 00 82 04 00 08 04 02 01 04 09 00 00 00 00 0D 00 00 00 00 20 00 82
08 FF FF FF FF FF FF FF FF
* length: 32
* verify_ioctl: 0x312110
* bRecvBuffer: 4
Enter your PIN in the Pinpad reader keypad...
* lengthRes: 2
card response: 64 01 I canceled the pin entry here.
SCardControl: OK
SCardDisconnect: OK
Executing the C example with a buffer size equal to the java buffer size (8192
bytes)
C:\Users\rmartinho\Desktop>SimpleSample.exe 8192
SCardControl sample code with examples of PCSC V2 part 10 commands
0: Dell Smart Card Reader Keyboard 0
1: Gemalto GemPC Pinpad USB Smart Card Read 0
Select a reader between 0 and 1
1
Protocol: 1 on reader: Gemalto GemPC Pinpad USB Smart Card Read 0
SCardConnect: OK
==> Secure verify PIN
* command: 1E 00 82 04 00 08 04 02 01 04 09 00 00 00 00 0D 00 00 00 00 20 00 82
08 FF FF FF FF FF FF FF FF
* length: 32
* verify_ioctl: 0x312110
* bRecvBuffer: 4
Enter your PIN in the Pinpad reader keypad...
SCardControl: Error status (0x7A) Same error as in Java
SCardDisconnect: OK
Executing the C example with a buffer size of 513 bytes and above (tested a few
random)
C:\Users\rmartinho\Desktop>SimpleSample.exe 513
SCardControl sample code with examples of PCSC V2 part 10 commands
0: Dell Smart Card Reader Keyboard 0
1: Gemalto GemPC Pinpad USB Smart Card Read 0
Select a reader between 0 and 1
1
Protocol: 1 on reader: Gemalto GemPC Pinpad USB Smart Card Read 0
SCardConnect: OK
==> Secure verify PIN
* command: 1E 00 82 04 00 08 04 02 01 04 09 00 00 00 00 0D 00 00 00 00 20 00 82
08 FF FF FF FF FF FF FF FF
* length: 32
* verify_ioctl: 0x312110
* bRecvBuffer: 4
Enter your PIN in the Pinpad reader keypad...
SCardControl:Error status (0x7A) Same error as in Java
SCardDisconnect: OK
Executing the C example with a buffer size of between 503 and 512 bytes results
in a blue screen (GPinPad.sys)
The C example I used was compiled on a windows server 2003 R2 with service pack
2 using visual studio team system 2008.
Probable cause:
The problem lies on a declared buffer size, the driver seems to accept only a
maximum reported size of 502 bytes, however Java uses a fixed buffer size of
8192 bytes which cannot be modified (it's a native method, I checked on pcsc.c
source file from OpenJDK).
Providing a buffer size equal or bigger than 513 bytes results in a error, the
return code is 0x7A. According to Microsoft documentation
(http://msdn.microsoft.com/en-us/library/windows/desktop/ms681382(v=vs.85).aspx)
the meaning of the return code is the following: ERROR_INSUFFICIENT_BUFFER 122
(0x7A) The data area passed to a system call is too small.
I think buffer size should not be a problem, it is just an indication of how
much can be securely read or written, if this is some sort of limitation, the
workaround would be read or write only to the extend of 502 bytes (or less if
the buffer is smaller than 502 bytes).
The drivers I used with the samples are located on
http://support.gemalto.com/index.php?id=pc_pinpad, I tested with both
architectures 32/64 bits achieving the same results.
Original comment by rmarti...@gmail.com
on 4 Jan 2014 at 2:45
Attachments:
Original issue reported on code.google.com by
Vincent....@gmail.com
on 1 Jan 2011 at 10:24