OpenSC.tokend
PIN Code gets rejected when trying to logon to an Active Directory Domain
First a short but very necessary thank you for that wonderful piece of software made publicly available - it has helped a great deal so far. In an attempt to log on to an Active Directory domain using a PKCS#15 smart card we got as close as being prompted with the proper domain user and asked to enter the PIN code.
opensc-tokend.log, Level 3 - Find Level 5 attached below.
0x7fff78cb0000 16:43:25.514 [tokend] sec.c:206:sc_pin_cmd: returning with: 0 (Success)
0x7fff78cb0000 16:43:25.579 [tokend] sec.c:72:sc_set_security_env: returning with: 0 (Success)
0x7fff78cb0000 16:43:25.4294968016 [tokend] card-atrust-acos.c:754:atrust_acos_compute_signature: returning with: -1211 (Security status not satisfied)
0x7fff78cb0000 16:43:25.4294968016 [tokend] sec.c:58:sc_compute_signature: returning with: -1211 (Security status not satisfied)
0x7fff78cb0000 16:43:25.140733193388833 [tokend] sec.c:206:sc_pin_cmd: returning with: 0 (Success)
0x7fff78cb0000 16:43:25.801 [tokend] card-atrust-acos.c:748:atrust_acos_compute_signature: returning with: -1300 (Invalid arguments)
0x7fff78cb0000 16:43:25.801 [tokend] sec.c:58:sc_compute_signature: returning with: -1300 (Invalid arguments)
From what we could figure out, each attempt at entering the PIN code reaches the smart card. So if we entered a wrong code more than 4 times the card would get locked, but even if we enter the correct PIN it keeps asking for it.
I would really appreciate advice on that matter.
Best Regards Martin
OpenSC.tokend has been totally broken (for PIV tokens at least) till very recently. It is much better now, but still somewhat short of the mark.
The symptoms you describe remind me of the problem I used to have trying to unlock the token using Keychain Access.
My recommendation: get the latest GitHub version of OpenSC (not the released version), and try the mouse07410/OpenSC.tokend fork with it. This combination would give you the best chance.
The card driver implements an internal caching mechanism for the current EF/DF. Your log shows that it assumes a cache hit and does not issue a select command for your key:
0x7fff78cb0000 16:37:24.608 [tokend] card.c:650:sc_select_file: called; type=2, path=3f00df71
0x7fff78cb0000 16:37:24.608 [tokend] card-atrust-acos.c:399:atrust_acos_select_file: current path (path, valid): 3f00df71 (len: 4)
0x7fff78cb0000 16:37:24.608 [tokend] card-atrust-acos.c:491:atrust_acos_select_file: cache hit
0x7fff78cb0000 16:37:24.608 [tokend] card.c:678:sc_select_file: returning with: 0 (Success)
Could you check if disabling the cache fixes the problem?
Also note that OpenSC internally tries to re-validate the cached PIN to then re-issue the signature command. For some strange reason the signature operation changes now and results in an error:
0x7fff78cb0000 16:37:24.993 [tokend] pkcs15-pin.c:682:sc_pkcs15_pincache_revalidate: returning with: 0 (Success)
0x7fff78cb0000 16:37:24.4294968289 [tokend] sec.c:54:sc_compute_signature: called
0x7fff78cb0000 16:37:24.140733193389025 [tokend] card-atrust-acos.c:748:atrust_acos_compute_signature: returning with: -1300 (Invalid arguments)
0x7fff78cb0000 16:37:24.4294968289 [tokend] sec.c:58:sc_compute_signature: returning with: -1300 (Invalid arguments)
I hope this gives you some directions, but debugging is really only possible with the card.
Please also try pkcs11-tool --login --test to check if this is a problem within tokend or within the core library!
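As an added example, not code from this thread or from OpenSC: a small Python triage script for opensc debug logs of the layout posted above (thread id, timestamp, [app], file:line:function: message). It flags the exact pattern discussed here, a successful sc_pin_cmd followed by a failing sc_compute_signature, counts atrust_acos_select_file cache hits, and counts how many PIN verifications actually reached the card (the retry-counter concern). The sample log is constructed from the lines in the posts with made-up timestamps; the numeric codes are the ones printed in those lines and the constant names follow OpenSC's errors.h.

```python
from __future__ import annotations

import re
from typing import NamedTuple, Optional

# Error codes as printed in the posted log lines (names per OpenSC errors.h).
SC_ERROR_SECURITY_STATUS_NOT_SATISFIED = -1211
SC_ERROR_PIN_CODE_INCORRECT = -1214
SC_ERROR_INVALID_ARGUMENTS = -1300

# opensc debug line layout:  <thread> <timestamp> [<app>] <file>:<line>:<func>: <message>
LINE_RE = re.compile(
    r"^(?P<thread>0x[0-9a-fA-F]+)\s+(?P<ts>\S+)\s+\[(?P<app>[^\]]+)\]\s+"
    r"(?P<file>[^:]+):(?P<line>\d+):(?P<func>[^:]+):\s*(?P<msg>.*)$"
)
RET_RE = re.compile(r"returning with:\s*(?P<code>-?\d+)\s*\((?P<text>[^)]*)\)")


class Event(NamedTuple):
    func: str
    file: str
    msg: str
    code: Optional[int]  # return code from a "returning with:" line, else None


def parse_events(log_text: str) -> list[Event]:
    """Parse opensc debug output; lines that do not match the layout are skipped."""
    events = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        r = RET_RE.search(m["msg"])
        events.append(Event(m["func"], m["file"], m["msg"], int(r["code"]) if r else None))
    return events


def find_pin_then_sign_failures(events: list[Event]) -> list[tuple[int, int, int]]:
    """(pin_event_index, sign_event_index, error_code) for every successful sc_pin_cmd
    that is followed, before the next sc_pin_cmd, by a failing sc_compute_signature.
    Only the public wrapper sc_compute_signature is matched, so the card driver's own
    failure line for the same operation is not double counted."""
    findings = []
    last_ok_pin: Optional[int] = None
    for i, ev in enumerate(events):
        if ev.func == "sc_pin_cmd" and ev.code is not None:
            last_ok_pin = i if ev.code == 0 else None
        elif ev.func == "sc_compute_signature" and ev.code not in (None, 0):
            if last_ok_pin is not None:
                findings.append((last_ok_pin, i, ev.code))
                last_ok_pin = None
    return findings


def count_cache_hits(events: list[Event]) -> int:
    """Select-file calls the card driver answered from its EF/DF cache (no APDU sent)."""
    return sum(1 for ev in events if ev.func.endswith("_select_file") and "cache hit" in ev.msg)


def pin_attempts(events: list[Event]) -> tuple[int, int]:
    """(verifications that reached the card, verifications the card rejected as wrong PIN).
    Each rejected one consumes a retry on the card, which is what locks it."""
    done = [ev for ev in events if ev.func == "sc_pin_cmd" and ev.code is not None]
    wrong = [ev for ev in done if ev.code == SC_ERROR_PIN_CODE_INCORRECT]
    return len(done), len(wrong)


def triage(log_text: str) -> dict:
    events = parse_events(log_text)
    return {
        "events": len(events),
        "pin_then_sign_failures": len(find_pin_then_sign_failures(events)),
        "cache_hits": count_cache_hits(events),
        "pin_attempts": pin_attempts(events),
    }


# Constructed sample, assembled from the lines posted in the thread; timestamps are made up.
SAMPLE_LOG = """\
0x7fff73a82000 14:55:45.200 [tokend] sec.c:206:sc_pin_cmd: returning with: -1214 (PIN code or key incorrect)
0x7fff73a82000 14:55:48.695 [tokend] sec.c:206:sc_pin_cmd: returning with: 0 (Success)
0x7fff73a82000 14:55:48.760 [tokend] sec.c:72:sc_set_security_env: returning with: 0 (Success)
0x7fff73a82000 14:55:48.801 [tokend] card-atrust-acos.c:754:atrust_acos_compute_signature: returning with: -1211 (Security status not satisfied)
0x7fff73a82000 14:55:48.801 [tokend] sec.c:58:sc_compute_signature: returning with: -1211 (Security status not satisfied)
0x7fff73a82000 14:55:48.900 [tokend] pkcs15-pin.c:682:sc_pkcs15_pincache_revalidate: returning with: 0 (Success)
0x7fff73a82000 14:55:48.950 [tokend] sec.c:206:sc_pin_cmd: returning with: 0 (Success)
0x7fff73a82000 14:55:49.001 [tokend] card-atrust-acos.c:748:atrust_acos_compute_signature: returning with: -1300 (Invalid arguments)
0x7fff73a82000 14:55:49.001 [tokend] sec.c:58:sc_compute_signature: returning with: -1300 (Invalid arguments)
0x7fff73a82000 14:55:49.100 [tokend] card.c:650:sc_select_file: called; type=2, path=3f00df71
0x7fff73a82000 14:55:49.100 [tokend] card-atrust-acos.c:491:atrust_acos_select_file: cache hit
"""

if __name__ == "__main__":
    for k, v in triage(SAMPLE_LOG).items():
        print(f"{k}: {v}")
```

Run it against a real level-3 opensc-tokend.log (or the output of pkcs11-tool --login --test with OPENSC_DEBUG set) by passing the file contents to triage(); a non-zero pin_then_sign_failures count with a zero cache_hits count points away from the select-file cache and toward the signature path itself.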
@mouse07410 Thanks for the quick reply, about to try that.
@frankmorgner Also thanks for the advice - unfortunately turning off the cache did not solve the problem - however the logfiles are looking slightly different now.
We are using PKCS15 to access the card as there is no PKCS11 plugin available on OSX for our card. So we did disable use_pin_caching in the PKCS15 Framework.
Here are the logs (level 3) after turning off the cache:
Inserting the card
0x7fff73a82000 14:55:43.140733193388566 [tokend] reader-pcsc.c:1122:pcsc_detect_readers: returning with: 0 (Success)
0x7fff73a82000 14:55:43.140733193388566 [tokend] card.c:148:sc_connect_card: called
0x7fff73a82000 14:55:43.536 [tokend] reader-pcsc.c:301:refresh_attributes: returning with: 0 (Success)
0x7fff73a82000 14:55:43.7741534218664018458 [tokend] card-entersafe.c:106:entersafe_match_card: called
0x7fff73a82000 14:55:43.140733193388570 [tokend] card-rutoken.c:103:rutoken_match_card: called
0x7fff73a82000 14:55:43.4294967899 [tokend] card-mcrd.c:296:mcrd_match_card: SELECT AID: 6A82
0x7fff73a82000 14:55:43.4294967982 [tokend] muscle.c:271:msc_select_applet: returning with: -1200 (Card command failed)
0x7fff73a82000 14:55:43.4294968082 [tokend] card-atrust-acos.c:376:atrust_acos_select_fid: returning with: 0 (Success)
0x7fff73a82000 14:55:43.4294968128 [tokend] card-atrust-acos.c:332:atrust_acos_select_fid: returning with: -1201 (File not found)
0x7fff73a82000 14:55:43.4294968176 [tokend] card-atrust-acos.c:332:atrust_acos_select_fid: returning with: -1201 (File not found)
0x7fff73a82000 14:55:43.4294968225 [tokend] card-atrust-acos.c:332:atrust_acos_select_fid: returning with: -1201 (File not found)
0x7fff73a82000 14:55:43.929 [tokend] pkcs15-syn.c:140:sc_pkcs15_bind_synthetic: called
0x7fff73a82000 14:55:43.140733193388961 [tokend] pkcs15-itacns.c:854:sc_pkcs15emu_itacns_init_ex: called
0x7fff73a82000 14:55:43.4294968226 [tokend] pkcs15-piv.c:1028:sc_pkcs15emu_piv_init_ex: called
0x7fff73a82000 14:55:43.140733193388962 [tokend] pkcs15-piv.c:234:piv_detect_card: called
0x7fff73a82000 14:55:43.4294968226 [tokend] pkcs15-gemsafeGPK.c:168:gemsafe_detect_card: called
0x7fff73a82000 14:55:44.4294967462 [tokend] card-atrust-acos.c:376:atrust_acos_select_fid: returning with: 0 (Success)
0x7fff73a82000 14:55:44.4294967541 [tokend] card-atrust-acos.c:376:atrust_acos_select_fid: returning with: 0 (Success)
0x7fff73a82000 14:55:44.4294967658 [tokend] card-atrust-acos.c:376:atrust_acos_select_fid: returning with: 0 (Success)
0x7fff73a82000 14:55:44.4294967776 [tokend] card-atrust-acos.c:376:atrust_acos_select_fid: returning with: 0 (Success)
0x7fff73a82000 14:55:45.200 [tokend] sec.c:206:sc_pin_cmd: returning with: -1214 (PIN code or key incorrect)
Entering the valid PIN
0x7fff73a82000 14:55:48.695 [tokend] sec.c:206:sc_pin_cmd: returning with: 0 (Success)
0x7fff73a82000 14:55:48.760 [tokend] sec.c:72:sc_set_security_env: returning with: 0 (Success)
0x7fff73a82000 14:55:48.4294968197 [tokend] card-atrust-acos.c:754:atrust_acos_compute_signature: returning with: -1211 (Security status not satisfied)
0x7fff73a82000 14:55:48.4294968197 [tokend] sec.c:58:sc_compute_signature: returning with: -1211 (Security status not satisfied)
Disabling the file cache I talked about requires modification of the source code (see card-atrust-acos.c:491).
OpenSC ships with a PKCS#11 library on OS X. If your card works in tokend, it also works in opensc-pkcs11.dylib.
I concur regarding testing with pkcs11-tool. If that doesn't work, no need to even try tokend.
What kind of card/token is it? Is it provisioned fully?