status-im / status-desktop

Status Desktop client made in Nim & QML
https://status.app
Mozilla Public License 2.0
304 stars 79 forks

Keycard not recognized on Linux #8622

Closed fryorcraken closed 3 months ago

fryorcraken commented 2 years ago

Bug Report

Description

When using the keycard flow to log in, the app remains on the "plugin keycard player" screen.

Steps to reproduce

Expected behavior

Keycard reader is recognized and keys imported from reader

Actual behavior

Stuck on "plug keycard reader" screen

Additional Information

Log

DBG 2022-12-05 16:13:45.410+11:00 on_keycard_response                        topics="app-controller" tid=2079020 file=module.nim:307 currFlow=FirstRunOldUserKeycardImport currState=KeycardPluginReader

I created a udev file (Fedora)

/etc/udev/rules.d
▶ cat 21-keycard.rules
# ACS Key card reader
SUBSYSTEMS=="usb", ATTRS{idVendor}=="072f", ATTRS{idProduct}=="b100", TAG+="uaccess", TAG+="udev-acl"

sudo udevadm control --reload-rules
sudo udevadm trigger

Didn't help

dmesg:

[1307221.217794] usb 1-5: new full-speed USB device number 7 using xhci_hcd
[1307221.347347] usb 1-5: New USB device found, idVendor=072f, idProduct=b100, bcdDevice=30.09
[1307221.347351] usb 1-5: New USB device strings: Mfr=1, Product=2, SerialNumber=0
[1307221.347352] usb 1-5: Product: ACR39U ICC Reader
[1307221.347353] usb 1-5: Manufacturer: ACS
[1307237.493258] usb 1-5: USB disconnect, device number 7
[1307243.992789] usb 1-5: new full-speed USB device number 8 using xhci_hcd
[1307244.122960] usb 1-5: New USB device found, idVendor=072f, idProduct=b100, bcdDevice=30.09
[1307244.122964] usb 1-5: New USB device strings: Mfr=1, Product=2, SerialNumber=0
[1307244.122965] usb 1-5: Product: ACR39U ICC Reader
[1307244.122966] usb 1-5: Manufacturer: ACS
[1307409.391242] usb 1-5: USB disconnect, device number 8
[1307415.873702] usb 1-5: new full-speed USB device number 9 using xhci_hcd
[1307416.002753] usb 1-5: New USB device found, idVendor=072f, idProduct=b100, bcdDevice=30.09
[1307416.002758] usb 1-5: New USB device strings: Mfr=1, Product=2, SerialNumber=0
[1307416.002759] usb 1-5: Product: ACR39U ICC Reader
[1307416.002761] usb 1-5: Manufacturer: ACS
[1307565.796149] usb 1-5: USB disconnect, device number 9
[1307571.365684] usb 1-5: new full-speed USB device number 10 using xhci_hcd
[1307571.494963] usb 1-5: New USB device found, idVendor=072f, idProduct=b100, bcdDevice=30.09
[1307571.494967] usb 1-5: New USB device strings: Mfr=1, Product=2, SerialNumber=0
[1307571.494968] usb 1-5: Product: ACR39U ICC Reader
[1307571.494969] usb 1-5: Manufacturer: ACS

Also, I have a pcscd running (was already running afaik)

▶ pgrep -a pcscd   
2086258 /usr/sbin/pcscd --foreground --auto-exit

fryorcraken commented 2 years ago

I installed pcsc-tools and can confirm the reader is recognized:

▶ /usr/bin/pcsc_scan
Using reader plug'n play mechanism
Scanning present readers...
0: ACS ACR39U ICC Reader 00 00

Tue Dec  6 10:46:25 2022
 Reader 0: ACS ACR39U ICC Reader 00 00
  Event number: 4
  **Card state: Card inserted,** 
  ATR: 3B D5 18 FF 81 91 FE 1F C3 80 73 C8 21 10 0A

ATR: 3B D5 18 FF 81 91 FE 1F C3 80 73 C8 21 10 0A
+ TS = 3B --> Direct Convention
+ T0 = D5, Y(1): 1101, K: 5 (historical bytes)
  TA(1) = 18 --> Fi=372, Di=12, 31 cycles/ETU
    129032 bits/s at 4 MHz, fMax for Fi = 5 MHz => 161290 bits/s
  TC(1) = FF --> Extra guard time: 255 (special value)
  TD(1) = 81 --> Y(i+1) = 1000, Protocol T = 1 
-----
  TD(2) = 91 --> Y(i+1) = 1001, Protocol T = 1 
-----
  TA(3) = FE --> IFSC: 254
  TD(3) = 1F --> Y(i+1) = 0001, Protocol T = 15 - Global interface bytes following 
-----
  TA(4) = C3 --> Clock stop: no preference - Class accepted by the card: (3G) A 5V B 3V 
+ Historical bytes: 80 73 C8 21 10
  Category indicator byte: 80 (compact TLV data object)
    Tag: 7, len: 3 (card capabilities)
      Selection methods: C8
        - DF selection by full DF name
        - DF selection by partial DF name
        - Implicit DF selection
      Data coding byte: 21
        - Behaviour of write functions: proprietary
        - Value 'FF' for the first byte of BER-TLV tag fields: invalid
        - Data unit in quartets: 2
      Command chaining, length fields and logical channels: 10
        - Logical channel number assignment: by the card
        - Maximum number of logical channels: 1
+ TCK = 0A (correct checksum)

Possibly identified card (using /usr/share/pcsc/smartcard_list.txt):
3B D5 18 FF 81 91 FE 1F C3 80 73 C8 21 10 0A
    ComSign digital signature card (eID)
    https://www.comsign.co.uk/

fryorcraken commented 2 years ago

Some logs from the pcscd service:

Dec 06 10:52:18 xps-franck pcscd[2303558]: 11313948 winscard_svc.c:382:ContextThread() Communication protocol mismatch!
Dec 06 10:52:18 xps-franck pcscd[2303558]: 00000058 winscard_svc.c:384:ContextThread() Client protocol is 4:3
Dec 06 10:52:18 xps-franck pcscd[2303558]: 00000002 winscard_svc.c:386:ContextThread() Server protocol is 4:4
Dec 06 10:52:21 xps-franck pcscd[2303558]: 03007324 winscard_svc.c:382:ContextThread() Communication protocol mismatch!
Dec 06 10:52:21 xps-franck pcscd[2303558]: 00000007 winscard_svc.c:384:ContextThread() Client protocol is 4:3
Dec 06 10:52:21 xps-franck pcscd[2303558]: 00000002 winscard_svc.c:386:ContextThread() Server protocol is 4:4
Dec 06 10:52:24 xps-franck pcscd[2303558]: 03010607 winscard_svc.c:382:ContextThread() Communication protocol mismatch!
Dec 06 10:52:24 xps-franck pcscd[2303558]: 00000005 winscard_svc.c:384:ContextThread() Client protocol is 4:3
Dec 06 10:52:24 xps-franck pcscd[2303558]: 00000001 winscard_svc.c:386:ContextThread() Server protocol is 4:4
Dec 06 10:52:27 xps-franck pcscd[2303558]: 03011302 winscard_svc.c:382:ContextThread() Communication protocol mismatch!
Dec 06 10:52:27 xps-franck pcscd[2303558]: 00000008 winscard_svc.c:384:ContextThread() Client protocol is 4:3
Dec 06 10:52:27 xps-franck pcscd[2303558]: 00000002 winscard_svc.c:386:ContextThread() Server protocol is 4:4
Dec 06 10:52:30 xps-franck pcscd[2303558]: 03012763 winscard_svc.c:382:ContextThread() Communication protocol mismatch!
Dec 06 10:52:30 xps-franck pcscd[2303558]: 00000007 winscard_svc.c:384:ContextThread() Client protocol is 4:3
Dec 06 10:52:30 xps-franck pcscd[2303558]: 00000001 winscard_svc.c:386:ContextThread() Server protocol is 4:4
Dec 06 10:52:31 xps-franck systemd[1]: fprintd.service: Deactivated successfully.
░░ Subject: Unit succeeded
░░ Defined-By: systemd
░░ Support: https://lists.freedesktop.org/mailman/listinfo/systemd-devel
░░ 
░░ The unit fprintd.service has successfully entered the 'dead' state.
Dec 06 10:52:31 xps-franck audit[1]: SERVICE_STOP pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:>
Dec 06 10:52:31 xps-franck audit: BPF prog-id=0 op=UNLOAD
Dec 06 10:52:33 xps-franck pcscd[2303558]: 03007499 winscard_svc.c:382:ContextThread() Communication protocol mismatch!
Dec 06 10:52:33 xps-franck pcscd[2303558]: 00000007 winscard_svc.c:384:ContextThread() Client protocol is 4:3
Dec 06 10:52:33 xps-franck pcscd[2303558]: 00000002 winscard_svc.c:386:ContextThread() Server protocol is 4:4
Dec 06 10:52:36 xps-franck pcscd[2303558]: 03012514 winscard_svc.c:382:ContextThread() Communication protocol mismatch!
Dec 06 10:52:36 xps-franck pcscd[2303558]: 00000007 winscard_svc.c:384:ContextThread() Client protocol is 4:3
Dec 06 10:52:36 xps-franck pcscd[2303558]: 00000001 winscard_svc.c:386:ContextThread() Server protocol is 4:4
Dec 06 10:52:39 xps-franck pcscd[2303558]: 03008331 winscard_svc.c:382:ContextThread() Communication protocol mismatch!
Dec 06 10:52:39 xps-franck pcscd[2303558]: 00000006 winscard_svc.c:384:ContextThread() Client protocol is 4:3
Dec 06 10:52:39 xps-franck pcscd[2303558]: 00000002 winscard_svc.c:386:ContextThread() Server protocol is 4:4

fryorcraken commented 2 years ago

Also installed https://src.fedoraproject.org/rpms/pcsc-lite-acsccid but did not help

3esmit commented 1 year ago

I can confirm this issue.

Additional Information

Status desktop version: v0.12.0-85bbd3-x86_6
Operating System: Linux Mint 21 kernel 5.15.0-75-generic
Card reader: HID OMNIKEY 3121
keycard-cli 0.7.0 works fine.

Logs:

$ ./StatusIm-Desktop-v0.12.0-85bbd3-x86_64.AppImage 
INFO [06-20|12:02:30.884] Status backend initialized               backend=geth version=0.150.1 commit=9950a3146 IpfsGatewayURL=https://ipfs.status.im/
INF 2023-06-20 12:02:31.123-03:00 Version: 0.12.0                            topics="status-app" tid=4820 file=nim_status_client.nim:186
INF 2023-06-20 12:02:31.124-03:00 Commit: 85bbd3f49                          topics="status-app" tid=4820 file=nim_status_client.nim:187
INF 2023-06-20 12:02:31.124-03:00 Current date:                              topics="status-app" tid=4820 file=nim_status_client.nim:188 currentDateTime=2023-06-20T12:02:31-03:00
INF 2023-06-20 12:02:31.124-03:00 starting application controller...         topics="status-app" tid=4820 file=nim_status_client.nim:190
INF 2023-06-20 12:02:34.924-03:00 starting application...                    topics="status-app" tid=4820 file=nim_status_client.nim:193
keycard - no-pcsc
● pcscd.service - PC/SC Smart Card Daemon
     Loaded: loaded (/lib/systemd/system/pcscd.service; indirect; vendor preset: enabled)
     Active: active (running) since Tue 2023-06-20 12:02:58 -03; 19s ago
TriggeredBy: ● pcscd.socket
       Docs: man:pcscd(8)
   Main PID: 5425 (pcscd)
      Tasks: 6 (limit: 18821)
     Memory: 1.4M
        CPU: 20ms
     CGroup: /system.slice/pcscd.service
             └─5425 /usr/sbin/pcscd --foreground --auto-exit

Jun 20 12:02:58 pc systemd[1]: Started PC/SC Smart Card Daemon.
Jun 20 12:02:58 pc pcscd[5425]: 00000000 winscard_svc.c:382:ContextThread() Communication protocol mismatch!
Jun 20 12:02:58 pc pcscd[5425]: 00000053 winscard_svc.c:384:ContextThread() Client protocol is 4:3
Jun 20 12:02:58 pc pcscd[5425]: 00000006 winscard_svc.c:386:ContextThread() Server protocol is 4:4

I tested keycard-cli with a random credit card lying around, just to see if it can communicate with the card reader.

$ ./keycard-linux-amd64 info
INFO [06-20|12:13:00.386] waiting for a card                       package=keycard-cli
INFO [06-20|12:13:00.386] card found                               package=keycard-cli index=0
INFO [06-20|12:13:00.451] info started                             package=keycard-cli
INFO [06-20|12:13:00.451] select keycard applet                    package=keycard-cli
INFO [06-20|12:13:00.470] select cash applet                       package=keycard-cli
Keycard Applet:
  Installed: false
  Initialized: false
  Key Initialized: false
  InstanceUID: 0x
  SecureChannelPublicKey: 0x
  Version: 0x
  AvailableSlots: 0x
  KeyUID: 0x
  Capabilities:
    Secure channel:false
    Key management:false
    Credentials Management:false
    NDEF:false
Cash Applet:
  Installed: false

fryorcraken commented 1 year ago

For me the keycard client works fine (https://github.com/status-im/keycard-cli/ 0.7.0)

▶ keycard-cli info
INFO [07-20|10:56:18.813] waiting for a card                       package=keycard-cli
INFO [07-20|10:56:18.813] card found                               package=keycard-cli index=0
INFO [07-20|10:56:18.935] info started                             package=keycard-cli
INFO [07-20|10:56:18.935] select keycard applet                    package=keycard-cli
INFO [07-20|10:56:19.178] select cash applet                       package=keycard-cli
Keycard Applet:
  Installed: true
  Initialized: true
  Key Initialized: true
  InstanceUID: 0xa6dfaed412ea57f1e146b4e81a03878e
  SecureChannelPublicKey: 0x04d3432fede0d735ed4d1a8a97d541771574b90dcded4801764de5f1937b5375f023de1663ca6ceba32c9a8859467e2522e837f7456d8f8f3ac80832b685fffdf8
  Version: 0x0300
  AvailableSlots: 0x01
  KeyUID: 0x756eccbf02cf0aa6458394d5b41a7be9a9b5984d34e5436a33714762bdfdf1ee
  Capabilities:
    Secure channel:true
    Key management:true
    Credentials Management:true
    NDEF:true
Cash Applet:
  Installed: true
  PublicKey: 0x04bf4aadf5f0a873d4b68c7e5d99fd9089b9cf033c314bdcd3871132e2c7dc631791d1e5f33f7ad1016f24904d071c85e1efc72a2a2f0a47e1236a05cd90388aec
  Address: 0x171add2f1d5d06ede352237479cb3df9f94a784b
  Public Data: 0x
  Version: 0x0300

fryorcraken commented 1 year ago

When I click "check what's on a keycard" the following lines appear on systemctl:

$ journalctl -f -u pcscd
...
Jul 25 21:54:15 xps-franck pcscd[1970]: 14462347 winscard_svc.c:382:ContextThread() Communication protocol mismatch!
Jul 25 21:54:15 xps-franck pcscd[1970]: 00000021 winscard_svc.c:384:ContextThread() Client protocol is 4:3
Jul 25 21:54:15 xps-franck pcscd[1970]: 00000006 winscard_svc.c:386:ContextThread() Server protocol is 4:4

These logs do not appear when I use keycard-cli info.

fryorcraken commented 1 year ago

Ok the issue seems to be a mismatch of pcsc version between my system and the app image: https://ludovicrousseau.blogspot.com/2022/02/accessing-smart-cards-from-inside.html

4.4 since pcsc-lite 1.8.24, Oct 2018
4.3 since pcsc-lite 1.8.9, Oct 2013
4.2 since pcsc-lite 1.6.5, Dec 2010
4.1 since pcsc-lite 1.6.5, Dec 2010
4.0 since pcsc-lite 1.6.0, May 2010

I have 1.9.9 installed locally:

▶ dnf info pcsc-lite  
... 
Installed Packages
Name         : pcsc-lite
Version      : 1.9.9

Looks like an older version is packaged? How old is the Ubuntu LTS that is building the AppImage? Can a more recent LTS be used?
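
Added example, not part of the original thread or of the Status code base: a small Python triage script that pairs the Client/Server protocol lines pcscd logs on a mismatch and maps each protocol version to the pcsc-lite release range from the list quoted in the comment above. The log lines are constructed in the journal format shown in this issue; the hostname and PID are placeholders, and the function names are illustrative.

```python
import re
from collections import Counter

# Protocol version -> first pcsc-lite release speaking it (list quoted in the thread).
PROTOCOL_SINCE = {(4, 4): "1.8.24", (4, 3): "1.8.9", (4, 2): "1.6.5",
                  (4, 1): "1.6.5", (4, 0): "1.6.0"}

LINE_RE = re.compile(
    r"pcscd\[(?P<pid>\d+)\]: \S+ winscard_svc\.c:\d+:ContextThread\(\) "
    r"(?P<side>Client|Server) protocol is (?P<major>\d+):(?P<minor>\d+)")

# Constructed sample in the journal format shown in this issue (host/PID are placeholders).
SAMPLE = """\
Dec 06 10:52:18 host pcscd[1234]: 11313948 winscard_svc.c:382:ContextThread() Communication protocol mismatch!
Dec 06 10:52:18 host pcscd[1234]: 00000058 winscard_svc.c:384:ContextThread() Client protocol is 4:3
Dec 06 10:52:18 host pcscd[1234]: 00000002 winscard_svc.c:386:ContextThread() Server protocol is 4:4
Dec 06 10:52:19 host systemd[1]: fprintd.service: Deactivated successfully.
Dec 06 10:52:21 host pcscd[1234]: 03007324 winscard_svc.c:382:ContextThread() Communication protocol mismatch!
Dec 06 10:52:21 host pcscd[1234]: 00000007 winscard_svc.c:384:ContextThread() Client protocol is 4:3
Dec 06 10:52:21 host pcscd[1234]: 00000002 winscard_svc.c:386:ContextThread() Server protocol is 4:4
""".splitlines()

def find_mismatches(lines):
    """Count (client, server) protocol pairs that differ, pairing lines per pcscd PID."""
    pending, found = {}, Counter()   # pending: pid -> client protocol awaiting server line
    for line in lines:
        m = LINE_RE.search(line)
        if not m:
            continue                 # unrelated journal noise
        proto = (int(m["major"]), int(m["minor"]))
        if m["side"] == "Client":
            pending[m["pid"]] = proto
        elif m["pid"] in pending:
            client = pending.pop(m["pid"])
            if client != proto:
                found[(client, proto)] += 1
    return found

def release_range(proto):
    """Describe which pcsc-lite releases speak `proto`, per PROTOCOL_SINCE."""
    if proto not in PROTOCOL_SINCE:
        return "unknown pcsc-lite release"
    order = sorted(PROTOCOL_SINCE)
    i = order.index(proto)
    upper = f", < {PROTOCOL_SINCE[order[i + 1]]}" if i + 1 < len(order) else ""
    return f"pcsc-lite >= {PROTOCOL_SINCE[proto]}{upper}"

if __name__ == "__main__":
    for (client, server), n in find_mismatches(SAMPLE).items():
        print(f"{n}x client {client[0]}:{client[1]} ({release_range(client)}) "
              f"vs daemon {server[0]}:{server[1]} ({release_range(server)})")
```

To use it on a real host, pass the lines from `journalctl -u pcscd` to `find_mismatches` in place of `SAMPLE`.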

fryorcraken commented 1 year ago

1.9.9 is the only version available on Fedora's mirrors:

▶ dnf --showduplicates list pcsc-lite
Last metadata expiration check: 0:07:31 ago on Tue 25 Jul 2023 22:04:50.
Installed Packages
pcsc-lite.x86_64                                                 1.9.9-3.fc38                                                  @fedora
Available Packages
pcsc-lite.x86_64                                                 1.9.9-3.fc38  

I need 1.8.23...

Jumped here: https://koji.fedoraproject.org/koji/packageinfo?packageID=245 Page 2: pcsc-lite-1.8.23-4.fc29 Download:

sudo dnf remove pcsc-lite-devel # not needed as I am not compiling locally
sudo dnf downgrade ./pcsc-lite-1.8.23-4.fc29.x86_64.rpm ./pcsc-lite-libs-1.8.23-4.fc29.x86_64.rpm

Now, when hitting "check card" it says "this keycard has no metadata". Ok, sounds better. Signed off and quit. Try to login with keycard when hitting "Login with Keycard".

keycard - listing readers
keycard - waiting for card
keycard - card found at index 0
keycard - using reader ACS ACR39U ICC Reader 00 00
keycard - card protocol T1
keycard - pair failed invalid card cryptogram

The keycard works with Status Mobile 1.20.3

fryorcraken commented 1 year ago

I used Status Mobile to change my keycard pairing code to KeycardDefaultPairing. I was able to then go through the Status desktop recovery flow welcome back > Add existing user > I don't have other device > Login with Keycard using my keycard.

I think the issue should remain open to track 2 issues:

  1. old pcsc-lite library being used to build app image
  2. Keycard recovery flow fails if keycard pairing code is not KeycardDefaultPairing

anastasiyaig commented 10 months ago

@fryorcraken can you please revisit this issue with last desktop app and outline what is left to be fixed? I don't have Fedora, but it works on my Ubuntu 22.04

fryorcraken commented 6 months ago

Experience is still a bit rough:

  1. Start app (yubikey plugged in)
  2. Add new user
  3. Generate key for a new keycard
  4. Error saying it's not a key card
  5. remove yubikey, insert keycard
  6. Generate key for a new keycard: nothing happens

However, after restarting app and ensuring yubikey was not plugged in, I was able to make it work. Happy to close.

tscharly commented 5 months ago

Same issue here with: StatusIm-Desktop-v2.28.1-ee0590-x86_64 Fedora 40 Keycard 3.0.2 and 3.1.0

Error "This is not a Keycard"