pkcs15-init --store-pin fails silently on a MyEID smartcard

Open minfrin opened this issue 1 year ago • 7 comments

Problem Description

For reasons not yet known, "pkcs15-init --store-pin" fails silently, no PIN is created, no error message is returned.

opensc-0.22.0-2.el9.x86_64

Proposed Resolution

An error message must be returned to indicate what went wrong.

Steps to reproduce

Format a MyEID smartcard.

blackadder ~ # pkcs15-tool --dump
Using reader with a card: ACS ACR39U ICC Reader 00 00
PKCS#15 Card [Thyone]:
	Version        : 0
	Serial number  : 00007303016884988479
	Manufacturer ID: Aventra Ltd.
	Last update    : 20230615131231Z
	Flags          : PRN generation, EID compliant
		 sc_supported_algo_info[0]:
			 reference  : 1 (0x01)
			 mechanism  : [0x1081] CKM_AES_ECB                  
			 operations : [0x30], encipher, decipher
			 algo_id    : 2.16.840.1.101.3.4.1.1
			 algo_ref   : [0x00]
		 sc_supported_algo_info[1]:
			 reference  : 2 (0x02)
			 mechanism  : [0x1082] CKM_AES_CBC                  
			 operations : [0x30], encipher, decipher
			 algo_id    : 2.16.840.1.101.3.4.1.2
			 algo_ref   : [0x00]
		 sc_supported_algo_info[2]:
			 reference  : 3 (0x03)
			 mechanism  : [0x1081] CKM_AES_ECB                  
			 operations : [0x30], encipher, decipher
			 algo_id    : 2.16.840.1.101.3.4.1.41
			 algo_ref   : [0x00]
		 sc_supported_algo_info[3]:
			 reference  : 4 (0x04)
			 mechanism  : [0x1082] CKM_AES_CBC                  
			 operations : [0x30], encipher, decipher
			 algo_id    : 2.16.840.1.101.3.4.1.42
			 algo_ref   : [0x00]


PIN [Security Officer PIN]
	Object Flags   : [0x03], private, modifiable
	ID             : ff
	Flags          : [0xB0], initialized, needs-padding, soPin
	Length         : min_len:4, max_len:8, stored_len:8
	Pad char       : 0xFF
	Reference      : 3 (0x03)
	Type           : ascii-numeric

Attempt to create a PIN. This step has worked fine with many other MyEID cards.

blackadder ~ # pkcs15-init --store-pin --auth-id 1 --label "Smartcard PIN"
Using reader with a card: ACS ACR39U ICC Reader 00 00
New User PIN.
Please enter User PIN: 
Please type again to verify: 
Unblock Code for New User PIN (Optional - press return for no PIN).
Please enter User unblocking PIN (PUK): 
Please type again to verify: 

Note - no error message. Dumping the card, we see no PIN created.

blackadder ~ # pkcs15-tool --dump
Using reader with a card: ACS ACR39U ICC Reader 00 00
PKCS#15 Card [Thyone]:
	Version        : 0
	Serial number  : 00007303016884988479
	Manufacturer ID: Aventra Ltd.
	Last update    : 20230615131231Z
	Flags          : PRN generation, EID compliant
		 sc_supported_algo_info[0]:
			 reference  : 1 (0x01)
			 mechanism  : [0x1081] CKM_AES_ECB                  
			 operations : [0x30], encipher, decipher
			 algo_id    : 2.16.840.1.101.3.4.1.1
			 algo_ref   : [0x00]
		 sc_supported_algo_info[1]:
			 reference  : 2 (0x02)
			 mechanism  : [0x1082] CKM_AES_CBC                  
			 operations : [0x30], encipher, decipher
			 algo_id    : 2.16.840.1.101.3.4.1.2
			 algo_ref   : [0x00]
		 sc_supported_algo_info[2]:
			 reference  : 3 (0x03)
			 mechanism  : [0x1081] CKM_AES_ECB                  
			 operations : [0x30], encipher, decipher
			 algo_id    : 2.16.840.1.101.3.4.1.41
			 algo_ref   : [0x00]
		 sc_supported_algo_info[3]:
			 reference  : 4 (0x04)
			 mechanism  : [0x1082] CKM_AES_CBC                  
			 operations : [0x30], encipher, decipher
			 algo_id    : 2.16.840.1.101.3.4.1.42
			 algo_ref   : [0x00]


PIN [Security Officer PIN]
	Object Flags   : [0x03], private, modifiable
	ID             : ff
	Flags          : [0xB0], initialized, needs-padding, soPin
	Length         : min_len:4, max_len:8, stored_len:8
	Pad char       : 0xFF
	Reference      : 3 (0x03)
	Type           : ascii-numeric

Try to set the PIN a second time:

blackadder ~ # pkcs15-init --store-pin --auth-id 1 --label "Smartcard PIN"
Using reader with a card: ACS ACR39U ICC Reader 00 00
New User PIN.
Please enter User PIN: 
Please type again to verify: 
Unblock Code for New User PIN (Optional - press return for no PIN).
Please enter User unblocking PIN (PUK): 
Please type again to verify: 
Failed to store PIN: Invalid arguments

This second attempt above fails with the meaningless message "invalid arguments". Dump shows no PIN:

blackadder ~ # pkcs15-tool --dump
Using reader with a card: ACS ACR39U ICC Reader 00 00
PKCS#15 Card [Thyone]:
	Version        : 0
	Serial number  : 00007303016884988479
	Manufacturer ID: Aventra Ltd.
	Last update    : 20230615131231Z
	Flags          : PRN generation, EID compliant
		 sc_supported_algo_info[0]:
			 reference  : 1 (0x01)
			 mechanism  : [0x1081] CKM_AES_ECB                  
			 operations : [0x30], encipher, decipher
			 algo_id    : 2.16.840.1.101.3.4.1.1
			 algo_ref   : [0x00]
		 sc_supported_algo_info[1]:
			 reference  : 2 (0x02)
			 mechanism  : [0x1082] CKM_AES_CBC                  
			 operations : [0x30], encipher, decipher
			 algo_id    : 2.16.840.1.101.3.4.1.2
			 algo_ref   : [0x00]
		 sc_supported_algo_info[2]:
			 reference  : 3 (0x03)
			 mechanism  : [0x1081] CKM_AES_ECB                  
			 operations : [0x30], encipher, decipher
			 algo_id    : 2.16.840.1.101.3.4.1.41
			 algo_ref   : [0x00]
		 sc_supported_algo_info[3]:
			 reference  : 4 (0x04)
			 mechanism  : [0x1082] CKM_AES_CBC                  
			 operations : [0x30], encipher, decipher
			 algo_id    : 2.16.840.1.101.3.4.1.42
			 algo_ref   : [0x00]


PIN [Security Officer PIN]
	Object Flags   : [0x03], private, modifiable
	ID             : ff
	Flags          : [0xB0], initialized, needs-padding, soPin
	Length         : min_len:4, max_len:8, stored_len:8
	Pad char       : 0xFF
	Reference      : 3 (0x03)
	Type           : ascii-numeric

minfrin avatar Jun 15 '23 14:06 minfrin

Can you try adding another PIN to the card?

pkcs15-init --store-pin --auth-id 2 --label "Smartcard PIN2"

popovec avatar Jun 16 '23 06:06 popovec

One more note, check your configuration again, is file_cache on? This would explain the stated problem.

popovec avatar Jun 16 '23 10:06 popovec

Looking at the /etc/opensc.conf in use, file caching appears to be off:

blackadder ~ # cat /etc/opensc.conf 
app default {
	# debug = 3;
	# debug_file = opensc-debug.txt;
	framework pkcs15 {
		use_file_caching = true;
	}
	reader_driver pcsc {
		# The pinpad is disabled by default,
		# because of many broken readers out there
		enable_pinpad = false;
	}
}
# the pkcs15-init is used for card initialization when the file caching
# brings more trouble than use so disable that:
app pkcs15-init {
	framework pkcs15 {
		use_file_caching = false;
	}
}

Changing the app default (not pkcs15-init, default) to false works around the problem.

It looks like:

  • file caching breaks PIN setting operations (setting PIN has no effect when file caching is on).
  • the "app pkcs15-init" mechanism that tries to switch file caching off doesn't work.

minfrin avatar Jun 20 '23 11:06 minfrin

The issue of file_cache was discussed in https://github.com/OpenSC/OpenSC/pull/2501

I have prepared a solution for the MyEID card, which makes it possible to signal every change in the content of the card in relation to the content of the cache: https://github.com/OpenSC/OpenSC/pull/2798

Without applying https://github.com/OpenSC/OpenSC/pull/2798, I do not recommend turning on file_cache while performing any write operation on the card (initializing the card, uploading keys, generating keys, unwrapping keys).

popovec avatar Jun 20 '23 12:06 popovec

the "app pkcs15-init" mechanism that tries to switch file caching off doesn't work.

Can you provide an opensc debug log with the default config containing the app pkcs15-init block? To my testing, the cache disablement solves the issue so I would like to try to understand what is going on there.

Jakuje avatar Sep 18 '23 11:09 Jakuje

It seems to me that the app pkcs15-init section in the opensc configuration does not cause any reaction .. config:

app default {

}
app pkcs15-init {
        debug = 255;
        debug_file = opensc-debug_init.txt;
}

After initializing the card, I don't have the opensc-debug_init.txt file created..

Accordingly, app default overwrites the information in the app pkcs15-init section.

The debug file is created with the following configuration (no app default section):

app pkcs15-init {
        debug = 255;
        debug_file = opensc-debug_init.txt;
}

For this reason, it is not even possible to turn off the file cache only for app pkcs15-init, but leave it on in the app default section.

popovec avatar Sep 18 '23 13:09 popovec
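Both findings in this thread (caching left on under "app default" while "app pkcs15-init" tries to turn it off, and the per-app block apparently not taking effect when "app default" exists) can be checked from the configuration file before any write is attempted on a card. The following is an added example, not OpenSC's own config parser and not its real precedence logic: it flattens opensc.conf-style nested blocks and reports the two use_file_caching values, treating the "app default" value as the effective one purely because that is what the thread observed. SAMPLE_CONF is a constructed sample mirroring the config quoted above.

```python
import re
# Constructed sample, mirroring the /etc/opensc.conf quoted in this thread.
SAMPLE_CONF = """\
app default {
	# debug = 3;
	framework pkcs15 {
		use_file_caching = true;
	}
}
app pkcs15-init {
	framework pkcs15 {
		use_file_caching = false;
	}
}
"""

def parse(text):
    """Flatten opensc.conf-style nested blocks into {(block, ..., key): value}."""
    stripped = "\n".join(ln.split("#", 1)[0] for ln in text.splitlines())
    tokens = re.findall(r'\{|\}|;|=|"[^"]*"|[^\s{};=]+', stripped)
    settings, stack, i = {}, [], 0
    while i < len(tokens):
        if tokens[i] == "}":
            stack.pop()
            i += 1
        elif i + 3 < len(tokens) and tokens[i + 1] == "=":
            # key = value ;  (quotes around the value are optional)
            settings[tuple(stack) + (tokens[i],)] = tokens[i + 2].strip('"')
            i += 4
        else:
            # block header: one or more words, then '{'
            j = tokens.index("{", i)
            stack.append(" ".join(tokens[i:j]))
            i = j + 1
    if stack:
        raise ValueError("unbalanced braces")
    return settings

def file_caching_audit(settings):
    """Compare use_file_caching in 'app default' and 'app pkcs15-init'.
    Per the thread, the pkcs15-init block is ignored when 'app default' exists,
    so the default value is taken as effective (assumed, not verified here)."""
    key = ("framework pkcs15", "use_file_caching")
    default_val = settings.get(("app default",) + key)
    init_val = settings.get(("app pkcs15-init",) + key)
    effective = default_val if default_val is not None else init_val
    return {"app default": default_val, "app pkcs15-init": init_val,
            "effective_caching_on": effective == "true",
            "override_masked": None not in (default_val, init_val) and default_val != init_val}
```

A result with effective_caching_on and override_masked both true is the configuration that reproduced the silent --store-pin failure above; setting the "app default" value to false is the workaround the reporter used.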

Sigh ... I was putting this together quite some time ago when I did not have MyEID cards to test. I think a colleague tested this and I did not double-check the code. Well, good to have this solved inside of the myeid driver now ...

Jakuje avatar Sep 18 '23 19:09 Jakuje