alonbl / gnupg-pkcs11-scd

PKCS#11 GnuPG SCD
http://gnupg-pkcs11.sourceforge.net/

Cannot use PIN-pad reader #25

Closed n4al closed 4 years ago

n4al commented 4 years ago

Hello,

Summary: gnupg-pkcs11-scd fails to sign or decrypt when PIN-pad usage is required.

Environment:

Steps to reproduce:

gnupg-pkcs11-scd log shows:

gnupg-pkcs11-scd[35148]: chan_0 <- PKSIGN --hash=sha512 www\x2ECardContact\x2Ede/PKCS\x2315\x20emulated/DECM0104457/UserPIN\x20\x28SmartCard\x2DHSM\x29/02

gnupg-pkcs11-scd[35148]: chan_0 -> ERR 108 Card error <Unspecified source>
gnupg-pkcs11-scd[35148]: chan_0 <- RESTART
gnupg-pkcs11-scd[35148]: chan_0 -> OK

Please let me know which other information I need to provide. Thank you.

alonbl commented 4 years ago

Please provide gnupg-pkcs11-scd debug log, need to see what happens with protected auth.

n4al commented 4 years ago

The snippet above is with debug-all level, is there a more verbose level? The whole session is:

gnupg-pkcs11-scd[36353]: chan_0 <- SERIALNO
gnupg-pkcs11-scd[36353]: chan_0 -> S SERIALNO D2760001240111503131F3D0A30F1111 0
gnupg-pkcs11-scd[36353]: chan_0 -> OK
gnupg-pkcs11-scd[36353]: chan_0 <- SERIALNO
gnupg-pkcs11-scd[36353]: chan_0 -> S SERIALNO D2760001240111503131F3D0A30F1111 0
gnupg-pkcs11-scd[36353]: chan_0 -> OK
gnupg-pkcs11-scd[36353]: chan_0 <- GETATTR KEY-FPR
gnupg-pkcs11-scd[36353]: chan_0 -> S KEY-FRIEDNLY XXX
gnupg-pkcs11-scd[36353]: chan_0 -> S CERTINFO 101 XXX
gnupg-pkcs11-scd[36353]: chan_0 -> S KEYPAIRINFO  XXX
gnupg-pkcs11-scd[36353]: chan_0 -> S KEY-FRIEDNLY XXX
gnupg-pkcs11-scd[36353]: chan_0 -> S CERTINFO 101 XXX
gnupg-pkcs11-scd[36353]: chan_0 -> S KEYPAIRINFO XXX
gnupg-pkcs11-scd[36353]: chan_0 -> S KEY-FRIEDNLY XXX
gnupg-pkcs11-scd[36353]: chan_0 -> S CERTINFO 101 XXX
gnupg-pkcs11-scd[36353]: chan_0 -> S KEYPAIRINFO XXX
gnupg-pkcs11-scd[36353]: chan_0 -> S KEY-FRIEDNLY XXX
gnupg-pkcs11-scd[36353]: chan_0 -> S CERTINFO 101 XXX
gnupg-pkcs11-scd[36353]: chan_0 -> S KEYPAIRINFO XXX
gnupg-pkcs11-scd[36353]: chan_0 -> OK
gnupg-pkcs11-scd[36353]: chan_0 <- SERIALNO --demand=D2760001240111503131F3D0A30F1111
gnupg-pkcs11-scd[36353]: chan_0 -> S SERIALNO D2760001240111503131F3D0A30F1111 0
gnupg-pkcs11-scd[36353]: chan_0 -> OK
gnupg-pkcs11-scd[36353]: chan_0 <- SETDATA 3051300D060960864801650304020305000440889302AFEB8E79333BB3D722EC39498757B62993C8273652DF17943E59671BDABB06910C3902DBDA21C61739DA0FF8F7FC9CA03CD0E1611D70BE14B87C48CF7D
gnupg-pkcs11-scd[36353]: chan_0 -> OK
gnupg-pkcs11-scd[36353]: chan_0 <- PKSIGN --hash=sha512 www\x2ECardContact\x2Ede/PKCS\x2315\x20emulated/DECM0104457/UserPIN\x20\x28SmartCard\x2DHSM\x29/02
gnupg-pkcs11-scd[36353]: chan_0 -> ERR 108 Card error <Unspecified source>
gnupg-pkcs11-scd[36353]: chan_0 <- RESTART
gnupg-pkcs11-scd[36353]: chan_0 -> OK
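
A way to triage a session log like the one above, as an added example that is not part of the original thread or of the gnupg-pkcs11-scd project: it pairs each PKSIGN/PKDECRYPT request with the ERR that answers it, checks that SETDATA carries a DigestInfo matching `--hash`, and undoes the `\xHH` escaping of the key identifier. The function names are hypothetical, and treating the identifier as `/`-separated fields is an assumption drawn from the log line itself.

```python
import re

# PKCS #1 DigestInfo DER prefixes (hex) -> (hash name, digest length in bytes)
DIGESTINFO = {
    "3031300D060960864801650304020105000420": ("sha256", 32),
    "3041300D060960864801650304020205000430": ("sha384", 48),
    "3051300D060960864801650304020305000440": ("sha512", 64),
}
LINE = re.compile(r"gnupg-pkcs11-scd\[(\d+)\]: (chan_\d+) (<-|->) (\S+) ?(.*)")
# Three lines copied from the session log quoted in the thread above.
SAMPLE = r"""
gnupg-pkcs11-scd[36353]: chan_0 <- SETDATA 3051300D060960864801650304020305000440889302AFEB8E79333BB3D722EC39498757B62993C8273652DF17943E59671BDABB06910C3902DBDA21C61739DA0FF8F7FC9CA03CD0E1611D70BE14B87C48CF7D
gnupg-pkcs11-scd[36353]: chan_0 <- PKSIGN --hash=sha512 www\x2ECardContact\x2Ede/PKCS\x2315\x20emulated/DECM0104457/UserPIN\x20\x28SmartCard\x2DHSM\x29/02
gnupg-pkcs11-scd[36353]: chan_0 -> ERR 108 Card error <Unspecified source>
"""

def decode_setdata(hexdata):
    # Return (hash name, digest hex) when SETDATA holds a well-formed DigestInfo.
    hexdata = hexdata.strip().upper()
    for prefix, (name, size) in DIGESTINFO.items():
        if hexdata.startswith(prefix) and len(hexdata) == len(prefix) + 2 * size:
            return name, hexdata[len(prefix):]
    return None, hexdata

def decode_key_id(serialized):
    # Split on '/' and undo the \xHH escaping applied to each field.
    unescape = lambda m: chr(int(m.group(1), 16))
    return [re.sub(r"\\x([0-9A-Fa-f]{2})", unescape, f) for f in serialized.split("/")]

def triage(log_text):
    # Report each PKSIGN/PKDECRYPT request that the daemon answered with ERR.
    findings, state = [], {}
    for m in LINE.finditer(log_text):
        pid, chan, direction, verb, rest = m.groups()
        s = state.setdefault((pid, chan), {})
        if direction == "<-":
            s["pending"] = None  # any new request supersedes the previous one
            if verb == "SETDATA":
                s["algo"] = decode_setdata(rest)[0]
            elif verb in ("PKSIGN", "PKDECRYPT"):
                args = rest.split()
                opts = [a for a in args if a.startswith("--")]
                s["pending"] = (verb, opts, decode_key_id(args[-1]) if args else [])
        elif verb == "ERR" and s.get("pending"):
            op, opts, key = s.pop("pending")
            algo = s.get("algo")
            findings.append({"op": op, "key": key, "digest_algo": algo, "error": rest,
                             "hash_matches": f"--hash={algo}" in opts if algo else None})
    return findings
```

Calling `triage(SAMPLE)` yields one finding whose `key` list reads `www.CardContact.de`, `PKCS#15 emulated`, `DECM0104457`, `UserPIN (SmartCard-HSM)`, `02`.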

n4al commented 4 years ago

The outcome of entering PIN is this line:

gnupg-pkcs11-scd[36353]: chan_0 -> ERR 108 Card error <Unspecified source>

alonbl commented 4 years ago

Please attach full log, do not paste. Need to see everything since agent start

On Fri, 12 Jun 2020 at 16:13 n4al notifications@github.com wrote:

The outcome of entering PIN is this line:

gnupg-pkcs11-scd[36353]: chan_0 -> ERR 108 Card error


n4al commented 4 years ago

gnupg-pkcs11-scd.log

alonbl commented 4 years ago

This is not gnupg-pkcs11-scd debug log file, please use debug-all and log-file directives in configuration.

n4al commented 4 years ago

But, that's exactly what I have used to produce the file I uploaded above:

% grep -v -e '\#' -e '^$' gnupg-pkcs11-scd.conf
log-file /tmp/gnupg-pkcs11-scd.log
verbose
debug-all
pin-cache 1
providers opensc
provider-opensc-library /Library/OpenSC/lib/opensc-pkcs11.so
provider-opensc-allow-protected-auth

Am I missing something here?

alonbl commented 4 years ago

You are not missing anything; however, the behavior is unexpected. See [1]: if verbose is set we should see the debug log of the pkcs11-helper library, and we see that verbose=1. I've never seen this kind of problem.

Have you compiled everything from source, including pkcs11-helper? If it is a patched version of the components it will be hard to assist, especially without proper logs.

[1] https://github.com/alonbl/gnupg-pkcs11-scd/blob/master/gnupg-pkcs11-scd/scdaemon.c#L1119

n4al commented 4 years ago

I deployed it via homebrew. I will download the sources and compile it. Please let me know if I should use any particular parameters to facilitate the debugging.

alonbl commented 4 years ago

Per pkcs11-helper do not --disable-debug

On Sat, 13 Jun 2020 at 12:35 n4al notifications@github.com wrote:

I deployed it via homebrew. I will download the sources and compile it. Please let me know if I should use any particular parameters to facilitate the debugging.


n4al commented 4 years ago

Apparently, the cause of no debug info in the logs is Homebrew's version of pkcs11-helper. I compiled it and now the debug log is showing a lot more information.

gnupg-pkcs11-scd.log

alonbl commented 4 years ago

Please set pin-cache to 5 as the cache was immediately invalidated post the authentication.

n4al commented 4 years ago

Fantastic. That solved it! Thank you very much!

savely-krasovsky commented 2 years ago

@alonbl I seem to have the same problem with Yubikey 4 NFC. It allows me to enter the PIN 5 times but with no success, I cannot sign anything...

gnupg-pkcs11-scd.conf:

providers pkcs11
provider-pkcs11-library /usr/lib/opensc-pkcs11.so

log-file ~/.gnupg/gnupg-pkcs11-scd.log
verbose
debug-all

gnupg-pkcs11-scd.log: https://gist.github.com/L11R/448a10648259f1b78fde2a0f0544a4f1

alonbl commented 2 years ago

@alonbl I seem to have the same problem with Yubikey 4 NFC.

Hi @L11R, please do not use closed tickets to report new issues, even if you are unsure; worst case we mark it as a dup. It seems that you built gnupg-pkcs11-scd with an older pkcs11-helper that did not have this feature. Please recompile with pkcs11-helper-1.29.0. Thanks,

savely-krasovsky commented 2 years ago

@alonbl sorry, I created a new issue! (I have pkcs11-helper-1.29.0).