Closed jaredvacanti closed 1 year ago
I am able to use the gpg tool to interact with the card via a contact reader. I can access a Yubikey 5 NFC from the contactless reader. I cannot access the SmartPGP smartcard from the contactless reader. I recently built and compiled SmartPGP from the master branch. I did not specifically enable secure messaging.
+--------------------+----------------+--------------------+
|                    | Contact Reader | Contactless Reader |
+--------------------+----------------+--------------------+
| SmartPGP smartcard | Success        | FAIL               |
+--------------------+----------------+--------------------+
| Yubikey 5 NFC      | Success        | Success            |
+--------------------+----------------+--------------------+
I traced the APDUs through pcscd for gpg --card-status for both readers.
$ gpg --card-status
Reader ...........: FEITIAN iR301 00 00
Application ID ...: D276000124010304FFFF000000000000
Application type .: OpenPGP
Version ..........: 3.4
Manufacturer .....: test card
Serial number ....: 00000000
Name of cardholder: [not set]
Language prefs ...: en
Salutation .......:
URL of public key : [not set]
Login data .......: [not set]
Signature PIN ....: forced
Key attributes ...: rsa2048 rsa2048 rsa2048
Max. PIN lengths .: 127 127 127
PIN retry counter : 3 0 3
Signature counter : 0
KDF setting ......: off
Signature key ....: [none]
Encryption key....: [none]
Authentication key: [none]
General key info..: [none]
Relevant logs from pcscd -f --debug -a:
eventhandler.c:423:EHStatusHandlerThread() Card inserted into FEITIAN iR301 00 00
Card ATR: 3B DC 18 FF 81 91 FE 1F C3 80 73 C8 21 13 66 05 03 63 51 00 02 50
prothandler.c:107:PHSetProtocol() Attempting PTS to T=1
ifdhandler.c:694:IFDHSetProtocolParameters() protocol T=1, usb:096e/061c:libudev:0:/dev/bus/usb/002/004 (lun: 0)
ifdhandler.c:1410:IFDHControl() ControlCode: 0x42000D48, usb:096e/061c:libudev:0:/dev/bus/usb/002/004 (lun: 0)
Control TxBuffer:
Control RxBuffer: 12 04 42 33 00 12
ifdhandler.c:1410:IFDHControl() ControlCode: 0x42330012, usb:096e/061c:libudev:0:/dev/bus/usb/002/004 (lun: 0)
Control TxBuffer:
Control RxBuffer: 01 02 00 00 03 01 00 09 01 00 0B 02 6E 09 0C 02 1C 06 0A 04 00 00 01 00
APDU: 00 A4 00 0C 02 3F 00
SW: 6A 86
APDU: 00 A4 04 00 06 D2 76 00 01 24 01
SW: 90 00
APDU: 00 CA 00 4F 00
SW: D2 76 00 01 24 01 03 04 FF FF 00 00 00 00 00 00 90 00
APDU: 00 CA 5F 52 00
SW: 00 C1 C5 73 C0 01 80 05 90 00 90 00
APDU: 00 CA 00 C4 00
SW: 00 7F 7F 7F 03 00 03 90 00
APDU: 00 CA 00 6E 00
SW: 6E 81 D9 4F 10 D2 76 00 01 24 01 03 04 FF FF 00 00 00 00 00 00 5F 52 0A 00 C1 C5 73 C0 01
80 05 90 00 73 81 B7 C0 0A FF 03 00 20 04 80 00 FF 00 00 C1 06 01 08 00 00 11 03 C2 06 01 08 00
00 11 03 C3 06 01 08 00 00 11 03 C4 07 00 7F 7F 7F 03 00 03 C5 3C 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 C6 3C 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 CD 0C 00 00 00 00 00 00 00 00 00 00 00 00 90 00
APDU: 00 CA 7F 74 00
SW: 6A 88
APDU: 00 CA 00 5E 00
SW: 90 00
APDU: 00 CA 00 6E 00
SW: 6E 81 D9 4F 10 D2 76 00 01 24 01 03 04 FF FF 00 00 00 00 00 00 5F 52 0A 00 C1 C5 73 C0 01 80
05 90 00 73 81 B7 C0 0A FF 03 00 20 04 80 00 FF 00 00 C1 06 01 08 00 00 11 03 C2 06 01 08 00 00
11 03 C3 06 01 08 00 00 11 03 C4 07 00 7F 7F 7F 03 00 03 C5 3C 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 C6 3C 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 CD 0C 00 00 00 00 00 00 00 00 00 00 00 00 90 00
APDU: 00 CA 00 6E 00
SW: 6E 81 D9 4F 10 D2 76 00 01 24 01 03 04 FF FF 00 00 00 00 00 00 5F 52 0A 00 C1 C5 73 C0 01 80
05 90 00 73 81 B7 C0 0A FF 03 00 20 04 80 00 FF 00 00 C1 06 01 08 00 00 11 03 C2 06 01 08 00 00
11 03 C3 06 01 08 00 00 11 03 C4 07 00 7F 7F 7F 03 00 03 C5 3C 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 C6 3C 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 CD 0C 00 00 00 00 00 00 00 00 00 00 00 00 90 00
APDU: 00 CA 00 6E 00
SW: 6E 81 D9 4F 10 D2 76 00 01 24 01 03 04 FF FF 00 00 00 00 00 00 5F 52 0A 00 C1 C5 73 C0 01 80
05 90 00 73 81 B7 C0 0A FF 03 00 20 04 80 00 FF 00 00 C1 06 01 08 00 00 11 03 C2 06 01 08 00 00
11 03 C3 06 01 08 00 00 11 03 C4 07 00 7F 7F 7F 03 00 03 C5 3C 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 C6 3C 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 CD 0C 00 00 00 00 00 00 00 00 00 00 00 00 90 00
APDU: 00 CA 00 65 00
SW: 5B 00 5F 2D 02 65 6E 5F 35 01 30 90 00
APDU: 00 CA 5F 50 00
SW: 90 00
APDU: 00 CA 00 6E 00
SW: 6E 81 D9 4F 10 D2 76 00 01 24 01 03 04 FF FF 00 00 00 00 00 00 5F 52 0A 00 C1 C5 73 C0 01
80 05 90 00 73 81 B7 C0 0A FF 03 00 20 04 80 00 FF 00 00 C1 06 01 08 00 00 11 03 C2 06 01 08 00
00 11 03 C3 06 01 08 00 00 11 03 C4 07 00 7F 7F 7F 03 00 03 C5 3C 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 C6 3C 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 CD 0C 00 00 00 00 00 00 00 00 00 00 00 00 90 00
APDU: 00 CA 00 C4 00
SW: 00 7F 7F 7F 03 00 03 90 00
APDU: 00 CA 00 7A 00
SW: 93 03 00 00 00 90 00
APDU: 00 CA 00 F9 00
SW: 81 01 00 90 00
APDU: 00 CA 01 01 00
SW: 90 00
APDU: 00 CA 01 02 00
SW: 90 00
APDU: 00 47 81 00 02 B6 00 00
SW: 6A 88
APDU: 00 47 81 00 02 B8 00 00
SW: 6A 88
APDU: 00 47 81 00 02 A4 00 00
SW: 6A 88
$ gpg --card-status
gpg: selecting card failed: No such device
gpg: OpenPGP card not available: No such device
Relevant logs from pcscd -f --debug -a:
Card ATR: 3B 80 80 01 01
prothandler.c:107:PHSetProtocol() Attempting PTS to T=1
APDU: 00 A4 00 0C 02 3F 00
SW: 90 00
APDU: 00 A4 02 0C 02 2F 02
SW: 6A 82
APDU: 00 A4 04 00 06 D2 76 00 01 24 01
SW: 6A 82
APDU: 00 A4 04 0C 07 D2 76 00 00 03 01 02
SW: 6A 82
APDU: 00 A4 04 0C 0C A0 00 00 00 63 50 4B 43 53 2D 31 35
SW: 6A 82
APDU: 00 A4 08 0C 02 2F 00
SW: 6A 86
APDU: 00 A4 01 0C 02 50 15
SW: 6A 82
APDU: 00 A4 04 0C 09 D2 76 00 00 25 45 50 02 00
SW: 6A 82
APDU: 00 A4 04 0C 06 D2 76 00 00 66 01
SW: 6A 82
APDU: 00 A4 04 0C 0B E8 2B 06 01 04 01 81 C3 1F 02 01
SW: 6A 82
I can provide more diagnostics if they're helpful. Thanks in advance for any assistance.
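An added helper (not from this issue or from the SmartPGP project) that parses pcscd's APDU/SW lines, rejoins responses that pcscd wraps over several lines, and decodes the status words seen in this thread, so the contact and contactless runs above can be compared mechanically. The two sample traces are constructed, abridged from the exchanges quoted above.

```python
import re
# Constructed samples (abridged from the pcscd traces quoted in this issue):
# the same gpg --card-status run over the contact reader and the contactless
# reader. The C4 reply is split over two lines, as pcscd wraps long responses.
CONTACT_TRACE = """\
APDU: 00 A4 00 0C 02 3F 00
SW: 6A 86
APDU: 00 A4 04 00 06 D2 76 00 01 24 01
SW: 90 00
APDU: 00 CA 00 C4 00
SW: 00 7F 7F 7F 03
00 03 90 00
"""
CONTACTLESS_TRACE = """\
APDU: 00 A4 00 0C 02 3F 00
SW: 90 00
APDU: 00 A4 04 00 06 D2 76 00 01 24 01
SW: 6A 82
"""
OPENPGP_AID = bytes.fromhex("D27600012401")  # RID D276000124 + PIX 01 (OpenPGP)
SW_MEANING = {0x9000: "OK", 0x6A82: "file/application not found", 0x6A86: "incorrect P1/P2",
              0x6A88: "referenced data not found", 0x6F00: "applet exception (no diagnosis)"}
def sw_meaning(sw: int) -> str:
    if sw >> 8 == 0x6C:  # 6C XX: wrong Le, the card wants exactly XX bytes
        return f"wrong Le, resend with Le={sw & 0xFF:02X}"
    return SW_MEANING.get(sw, "unknown")

def parse_trace(text: str) -> list:
    """Pair each APDU line with its (possibly wrapped) SW reply as (cmd, data, sw)."""
    out, cmd, resp = [], None, []
    def flush():
        if cmd is not None and resp:
            raw = bytes.fromhex("".join(resp))
            out.append((cmd, raw[:-2], int.from_bytes(raw[-2:], "big")))
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("APDU: "):
            flush(); cmd, resp = bytes.fromhex(line[6:].replace(" ", "")), []
        elif line.startswith("SW: "):
            resp = [line[4:].replace(" ", "")]
        elif resp and re.fullmatch(r"(?:[0-9A-F]{2} ?)+", line):  # wrapped dump
            resp.append(line.replace(" ", ""))
    flush()
    return out

def openpgp_select_sw(text: str):
    """Status word the card returned to SELECT of the OpenPGP AID (None if absent)."""
    for cmd, _, sw in parse_trace(text):
        if cmd[1:3] == b"\xA4\x04" and cmd[5:5 + cmd[4]] == OPENPGP_AID:
            return sw
    return None
```

Running `openpgp_select_sw` on both traces gives 90 00 for the contact reader and 6A 82 for the contactless one, which is exactly the divergence the maintainer points to below: the applet is never selected over contactless.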
Could you try with the applet compiled from the javacard-3.0.4-without-secure-messaging branch?
I've installed the applet from javacard-3.0.4-without-secure-messaging and from master. Both are accessible from a contact reader but unfortunately inaccessible over the Identiv 3700F.
The problem does not come from the applet since it is not selected; the SELECT operation fails in contactless mode with a "File not found" error:
APDU: 00 A4 04 00 06 D2 76 00 01 24 01
SW: 6A 82
It could come from the token/card or from the reader. Do you have any other applet working correctly on this token in contactless mode?
I have two of these cards, the NXP J3H145 Dual Interface Java card - 144k, and both of them seem to give erroneous ATRs via pcsc_scan with the SmartPGP Applet installed as the default app:
Mon Jul 27 12:05:34 2020
Reader 0: Identiv uTrust 3700 F CL Reader [uTrust 3700 F CL Reader] (55021921203314) 00 00
Event number: 11
Card state: Card inserted,
ATR: 3B 80 80 01 01
ATR: 3B 80 80 01 01
+ TS = 3B --> Direct Convention
+ T0 = 80, Y(1): 1000, K: 0 (historical bytes)
TD(1) = 80 --> Y(i+1) = 1000, Protocol T = 0
-----
TD(2) = 01 --> Y(i+1) = 0000, Protocol T = 1
-----
+ Historical bytes:
+ TCK = 01 (correct checksum)
Possibly identified card (using /home/jared/.cache/smartcard_list.txt):
3B 80 80 01 01
ISO 14443 Type B without historical bytes
Electronic Passport
Spanish passport (2012)
Canadian Passport
Venez_Prox
but a similar Javacard 2.2.2 or the Yubikey 5 NFC produce acceptable ATRs over the contactless interface, e.g.:
Mon Jul 27 12:21:41 2020
Reader 0: Identiv uTrust 3700 F CL Reader [uTrust 3700 F CL Reader] (55021921203314) 00 00
Event number: 15
Card state: Card inserted,
ATR: 3B 8F 80 01 00 66 46 53 05 10 00 FF 71 DF 00 00 00 00 00 39
ATR: 3B 8F 80 01 00 66 46 53 05 10 00 FF 71 DF 00 00 00 00 00 39
+ TS = 3B --> Direct Convention
+ T0 = 8F, Y(1): 1000, K: 15 (historical bytes)
TD(1) = 80 --> Y(i+1) = 1000, Protocol T = 0
-----
TD(2) = 01 --> Y(i+1) = 0000, Protocol T = 1
-----
+ Historical bytes: 00 66 46 53 05 10 00 FF 71 DF 00 00 00 00 00
Category indicator byte: 00 (compact TLV data object)
Tag: 6, len: 6 (pre-issuing data)
Data: 46 53 05 10 00 FF
Tag: 7, len: 1 (card capabilities)
Selection methods: DF
- DF selection by full DF name
- DF selection by partial DF name
- DF selection by file identifier
- Implicit DF selection
- Short EF identifier supported
- Record number supported
- Record identifier supported
Tag: 0, len: 0 (unknown)
Tag: 0, len: 0 (unknown)
Mandatory status indicator (3 last bytes)
LCS (life card cycle): 00 (No information given)
SW: 0000 (Error not defined by ISO 7816)
+ TCK = 39 (correct checksum)
Possibly identified card (using /home/jared/.cache/smartcard_list.txt):
3B 8F 80 01 00 66 46 53 05 10 00 FF 71 DF 00 00 00 00 00 39
JavaCOS A40 dual interface Java card - 64K (JavaCard)
So it does seem like it may be a card error over contactless. But the card is advertised as working well with these specifications. I have installed applications with GlobalPlatformPro - do I need to ensure there is a correct master AID first?
Contactless cards don't really produce ATRs, the ATRs you see are synthesized by readers based on historical bytes but might be different with different readers.
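To illustrate the comment above, an added example (not part of this thread or of SmartPGP) that builds the ATR a PC/SC reader reports for an ISO 14443 card from the historical bytes of its ATS, following the PC/SC Part 3 mapping (3B, 8K, 80, 01, historical bytes, TCK). A card that sends no historical bytes always maps to 3B 80 80 01 01, so the smartcard_list hit on passports above identifies nothing. The ATS interface bytes are constructed sample values; the historical bytes are those of the JavaCOS ATR quoted above.

```python
from functools import reduce

def ats_historical_bytes(ats: bytes) -> bytes:
    """Historical bytes of an ISO 14443-4 ATS.
    Layout: TL (total length incl. TL), T0, then TA1/TB1/TC1 when bits
    0x10/0x20/0x40 of T0 are set, then the historical bytes."""
    if len(ats) < 2 or ats[0] != len(ats):
        raise ValueError("TL does not match the ATS length")
    n_interface = sum(1 for bit in (0x10, 0x20, 0x40) if ats[1] & bit)
    return ats[2 + n_interface:]

def pcsc_contactless_atr(historical: bytes) -> bytes:
    """ATR a PC/SC reader synthesizes for a contactless card (PC/SC Part 3):
    TS = 3B, T0 = 0x80 | K (K historical bytes), TD1 = 0x80, TD2 = 0x01 (T=1),
    the historical bytes, then TCK = XOR of every byte after TS."""
    if len(historical) > 15:
        raise ValueError("at most 15 historical bytes fit in an ATR")
    body = bytes([0x80 | len(historical), 0x80, 0x01]) + historical
    return b"\x3B" + body + bytes([reduce(lambda a, b: a ^ b, body, 0)])

def atr_checksum_ok(atr: bytes) -> bool:
    """TCK is valid when all bytes after TS XOR to zero."""
    return reduce(lambda a, b: a ^ b, atr[1:], 0) == 0

def atr_historical_count(atr: bytes) -> int:
    return atr[1] & 0x0F  # K nibble of T0

# Constructed ATS values: T0 = 0x78 announces TA1, TB1 and TC1 (sample values
# 80 81 02), so any historical bytes start at offset 5.
ATS_NO_HISTORICAL = bytes.fromhex("05 78 80 81 02")
JAVACOS_HISTORICAL = bytes.fromhex("00 66 46 53 05 10 00 FF 71 DF 00 00 00 00 00")
ATS_JAVACOS = bytes([5 + len(JAVACOS_HISTORICAL)]) + bytes.fromhex("78 80 81 02") + JAVACOS_HISTORICAL

if __name__ == "__main__":
    for ats in (ATS_NO_HISTORICAL, ATS_JAVACOS):
        atr = pcsc_contactless_atr(ats_historical_bytes(ats))
        print(atr.hex(" ").upper(), "historical bytes:", atr_historical_count(atr))
```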
I did find the translation/mapping in the Identiv Reference Manual:
My cards seem to be giving no historical bytes in their ATS so they are not being identified. Is the ATS/ATR relevant to further communication? After getting the incorrect translated ATR (or at least one with no identifying info), the OID lookup succeeds but everything else fails:
APDU: 00 A4 00 0C 02 3F 00 SELECT ODF (Object Directory File)
SW: 90 00 Command successfully executed (OK)
APDU: 00 A4 02 0C 02 2F 02
SW: 6A 82 File not found
...
I've done a bit more research on this. I'm still having issues, but of a different sort. I have both the Identiv 3700F and the ACR122U NFC Reader for testing, an android device, and multiple cards. So far with each of my tests the results have been the same for both readers.
With a new card (the ACOSJ dual interface Java card - 95K) I can install the applet from the v1.17-3.0.4 tag and interact with it over a PCSC contactless device. Before nothing worked over contactless.
I made one adjustment to INTERNAL_BUFFER_MAX_LENGTH (0x500 -> 0x730) in order to support RSA4096 keys. I'm building with the JC304 kit. I installed on the card (fresh) with gp -install SmartPGPApplet.cap -default, and over contactless and contact devices I am able to query the card with gpg --card-status. Now with the new card I cannot import private keys.
> keytocard
APDU: 00 CA 00 C4 00
SW: 6C 07
APDU: 00 CA 00 C4 07
SW: 00 7F 7F 7F 03 00 03 90 00
APDU: 00 CA 00 F9 00
SW: 6C 03
APDU: 00 CA 00 F9 03
SW: 81 01 00 90 00
APDU: 00 20 00 83 08 31 32 33 34 35 36 37 38
SW: 90 00
APDU: 10 DB 3F FF FE ...
... (7 of these)
SW: 90 00
APDU: 00 DB 3F FF 39 86 91 F5 4E 9B D5 E6 36 E4 C2 ED 8E FC A7 80 53 ED 2C AD 2B 75 73 C6 83 FF CD E8 35 22 56 02 8A 85 27 F2 C0 B5 77 58 BF AB 06 6F 4B 98 8C FD D1 03 FD 1A 45 9A 34 38 4E 87
SW: 6F 00
I also tried this on Android using OpenKeychain, but key imports also fail for this card. Debugging is less verbose on the app.
Is there a way to enable further debugging or increase verbosity? Any ideas if I'm doing something else wrong?
The other 3.0.4 card I have, the NXP J3H145 Dual Interface Java card - 144k, advertises the same Java Card 3.0.4 (JCOP v3) and GP2.2.1 support as the ACOSJ card. I have a couple of the J3H145 and they both have the same issue over contactless, but work OK over contact.
I followed the exact same build steps as above, including changing the size for RSA4096 import. I was also able to test the J3H145 cards with OpenKeychain on Android. The contactless mode does work OK with the Android app, but still gives the
APDU: 00 A4 00 0C 02 3F 00 SELECT ODF (Object Directory File)
SW: 90 00 Command successfully executed (OK)
APDU: 00 A4 02 0C 02 2F 02
SW: 6A 82 File not found
errors when connecting from scdaemon and pcscd on a desktop machine. I also tried disabling pcscd and using GPG's default CCID drivers. I got the same errors so I reverted back to using pcscd.
Quick summary:
+---------------+----------------+---------------+---------------------+----------------------------+
|               | Contact Reader | ACR122U (NFC) | Identiv 3700F (NFC) | Android OpenKeychain (NFC) |
+---------------+----------------+---------------+---------------------+----------------------------+
| Yubikey 5 NFC | Success        | Success       | Success             | Success                    |
+---------------+----------------+---------------+---------------------+----------------------------+
| J3H145        | Success        | FAIL          | FAIL                | Success                    |
+---------------+----------------+---------------+---------------------+----------------------------+
| ACOSJ         | Success**      | Success**     | Success**           | Success**                  |
+---------------+----------------+---------------+---------------------+----------------------------+
**communication works OK, but not able to import a key, so not yet usable
Could you try with the v1.18-3.0.4-without-secure-messaging tag? Could you also test with the default INTERNAL_BUFFER size with RSA 2048 bits?
Do you have any update on this issue?
I have followed the installation instructions and I can successfully interact with my smartcard & the SmartPGP applet over a contact reader, but the same applet & smartcard do not work over a contactless reader on the same OS (Ubuntu 20.04).
As a test, a Yubikey 5 NFC with the OpenPGP applet works both via the CCID reader (plugged in) and over the contactless reader, so I can confirm gpg is able to communicate with devices on the contactless reader. Do I need to disable secure messaging for contactless on desktop, as well? Is there a constant to change, or should I compile from this branch?