v1.6.0-test.20231218: pkcs15-init: Not supported #430

Open
matthiasbock opened this issue Jan 12, 2024 · 1 comment

Comments

@matthiasbock

Hi,

I ran into problems when trying to initialize the Nitrokey 3 smartcard function
when it's running v1.6.0-test.20231218.

Steps to reproduce:

  • new token
  • gpg --card-edit -> admin -> factory-reset, change PIN, change admin PIN, no reset code
  • update firmware to v1.6.0-test.20231218 (previously v1.5.0)
  • run pkcs15-init --erase-card

Error:

$ pkcs15-init --erase-card 
Using reader with a card: Nitrokey Nitrokey 3 [CCID/ICCD Interface] 00 00
Couldn't bind to the card: Not supported

Debug log:

$ pkcs15-init --erase-card -vvvvv
...
P:300542; T:0x139849473816640 14:25:40.128 [pkcs15-init] reader-pcsc.c:325:pcsc_transmit: reader 'Nitrokey Nitrokey 3 [CCID/ICCD Interface] 00 00'
P:300542; T:0x139849473816640 14:25:40.128 [pkcs15-init] reader-pcsc.c:326:pcsc_transmit: 
Outgoing APDU (11 bytes):
00 CB 3F FF 05 5C 03 5F C1 0C 0A ..?..\._...

P:300542; T:0x139849473816640 14:25:40.128 [pkcs15-init] reader-pcsc.c:244:pcsc_internal_transmit: called
P:300542; T:0x139849473816640 14:25:41.074 [pkcs15-init] reader-pcsc.c:335:pcsc_transmit: 
Incoming APDU (12 bytes):
53 08 C1 01 00 C2 01 00 FE 00 90 00 S...........

P:300542; T:0x139849473816640 14:25:41.074 [pkcs15-init] apdu.c:382:sc_single_transmit: returning with: 0 (Success)
P:300542; T:0x139849473816640 14:25:41.074 [pkcs15-init] apdu.c:539:sc_transmit: returning with: 0 (Success)
P:300542; T:0x139849473816640 14:25:41.074 [pkcs15-init] card.c:530:sc_unlock: called
P:300542; T:0x139849473816640 14:25:41.074 [pkcs15-init] card.c:530:sc_unlock: called
P:300542; T:0x139849473816640 14:25:41.074 [pkcs15-init] card-piv.c:583:piv_general_io: returning with: 10
P:300542; T:0x139849473816640 14:25:41.074 [pkcs15-init] card.c:530:sc_unlock: called
P:300542; T:0x139849473816640 14:25:41.074 [pkcs15-init] card-piv.c:958:piv_get_data: returning with: 10
P:300542; T:0x139849473816640 14:25:41.074 [pkcs15-init] card-piv.c:1022:piv_get_cached_data: added #11  0x5611c9a96100:10 (nil):0
P:300542; T:0x139849473816640 14:25:41.074 [pkcs15-init] card-piv.c:1043:piv_get_cached_data: returning with: 10
P:300542; T:0x139849473816640 14:25:41.074 [pkcs15-init] card-piv.c:2860:piv_process_history: History on=0 off=0 URL=NONE
P:300542; T:0x139849473816640 14:25:41.074 [pkcs15-init] card-piv.c:3002:piv_process_history: returning with: 0 (Success)
P:300542; T:0x139849473816640 14:25:41.074 [pkcs15-init] card-piv.c:971:piv_get_cached_data: called
P:300542; T:0x139849473816640 14:25:41.074 [pkcs15-init] card-piv.c:972:piv_get_cached_data: #10
P:300542; T:0x139849473816640 14:25:41.074 [pkcs15-init] card-piv.c:979:piv_get_cached_data: found #10 0x5611c9a96000:20 (nil):0
P:300542; T:0x139849473816640 14:25:41.074 [pkcs15-init] card-piv.c:1043:piv_get_cached_data: returning with: 20
P:300542; T:0x139849473816640 14:25:41.074 [pkcs15-init] card-piv.c:2602:piv_parse_discovery: Discovery 0x60 0x1e 0x5611c9a96002:18
P:300542; T:0x139849473816640 14:25:41.074 [pkcs15-init] card-piv.c:2617:piv_parse_discovery: Discovery pinp flags=0x40 0x00
P:300542; T:0x139849473816640 14:25:41.074 [pkcs15-init] card-piv.c:2629:piv_parse_discovery: returning with: 0 (Success)
P:300542; T:0x139849473816640 14:25:41.074 [pkcs15-init] card-piv.c:2649:piv_process_discovery: returning with: 0 (Success)
P:300542; T:0x139849473816640 14:25:41.074 [pkcs15-init] card.c:530:sc_unlock: called
P:300542; T:0x139849473816640 14:25:41.074 [pkcs15-init] reader-pcsc.c:740:pcsc_unlock: called
P:300542; T:0x139849473816640 14:25:41.075 [pkcs15-init] card-piv.c:3495:piv_init: returning with: 0 (Success)
P:300542; T:0x139849473816640 14:25:41.075 [pkcs15-init] card.c:382:sc_connect_card: card info name:'Personal Identity Verification Card', type:14001, flags:0x0, max_send/recv_size:255/256
P:300542; T:0x139849473816640 14:25:41.075 [pkcs15-init] card.c:1612:sc_card_sm_check: called
P:300542; T:0x139849473816640 14:25:41.075 [pkcs15-init] card.c:1617:sc_card_sm_check: returning with: 0 (Success)
P:300542; T:0x139849473816640 14:25:41.075 [pkcs15-init] card.c:397:sc_connect_card: returning with: 0 (Success)
Using card driver Personal Identity Verification Card.
P:300542; T:0x139849473816640 14:25:41.075 [pkcs15-init] pkcs15-lib.c:321:sc_pkcs15init_bind: called
P:300542; T:0x139849473816640 14:25:41.075 [pkcs15-init] card.c:1062:sc_card_ctl: called
P:300542; T:0x139849473816640 14:25:41.075 [pkcs15-init] card-piv.c:2199:piv_card_ctl: called
P:300542; T:0x139849473816640 14:25:41.075 [pkcs15-init] card-piv.c:2233:piv_card_ctl: returning with: -1408 (Not supported)
P:300542; T:0x139849473816640 14:25:41.075 [pkcs15-init] card.c:1069:sc_card_ctl: card_ctl(4) not supported
P:300542; T:0x139849473816640 14:25:41.075 [pkcs15-init] pkcs15-lib.c:261:find_library: unable to locate pkcs15init driver for 'PIV-II'
P:300542; T:0x139849473816640 14:25:41.075 [pkcs15-init] pkcs15-lib.c:345:sc_pkcs15init_bind: Unsupported card driver PIV-II
P:300542; T:0x139849473816640 14:25:41.075 [pkcs15-init] pkcs15-lib.c:347:sc_pkcs15init_bind: Unsupported card driver: -1408 (Not supported)
Couldn't bind to the card: Not supported

Furthermore, errors also occur when running pkcs15-tool (potentially sensitive details removed):

$ pkcs15-tool -D
Using reader with a card: Nitrokey Nitrokey 3 [CCID/ICCD Interface] 00 00
PKCS#15 Card [PIV_II]:
	Version        : 0
	Serial number  : ...
	Manufacturer ID: piv_II 
	Flags          : 

PIN [PIN]
	Object Flags   : [0x01], private
	Auth ID        : ...

PIN [PIV PUK]
	Object Flags   : [0x01], private
	ID             : ...

Data object 'Card Capability Container'
	applicationName: Card Capability Container
	applicationOID:  ...

Data object 'Card Holder Unique Identifier'
	applicationName: Card Holder Unique Identifier
	applicationOID:  ...

Data object 'Unsigned Card Holder Unique Identifier'
	applicationName: Unsigned Card Holder Unique Identifier
	applicationOID:  ...
Data object read failed: File not found

Data object 'X.509 Certificate for PIV Authentication'
	applicationName: X.509 Certificate for PIV Authentication
	applicationOID:  ...
Data object read failed: File not found

Data object 'Cardholder Fingerprints'
	applicationName: Cardholder Fingerprints
	applicationOID:  ...

Data object 'Printed Information'
	applicationName: Printed Information
	applicationOID:  ...

Data object 'Cardholder Facial Image'
	applicationName: Cardholder Facial Image
	applicationOID:  ...

Data object 'X.509 Certificate for Digital Signature'
	applicationName: X.509 Certificate for Digital Signature
	applicationOID:  ...
Data object read failed: File not found

Data object 'X.509 Certificate for Key Management'
	applicationName: X.509 Certificate for Key Management
	applicationOID:  ...
Data object read failed: File not found

Data object 'X.509 Certificate for Card Authentication'
	applicationName: X.509 Certificate for Card Authentication
	applicationOID:  ...
Data object read failed: File not found

Data object 'Security Object'
	applicationName: Security Object
	applicationOID:  ...
Data object read failed: File not found

Data object 'Discovery Object'
	applicationName: Discovery Object
	applicationOID:  ...

Data object 'Key History Object'
	applicationName: Key History Object
	applicationOID:  ...

Data object 'Cardholder Iris Image'
	applicationName: Cardholder Iris Image
	applicationOID:  ...
Data object read failed: File not found

System is Debian Linux 5.10.0 (amd64).

This issue is fixed when downgrading the firmware to v1.6.0 on the same token.

Interestingly, this issue does not occur on another token, on which pkcs15 was set up first and
the token was updated afterwards to v1.6.0-test.20231218.
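To make the debug log above easier to read, here is an added example (not OpenSC's code and not part of the report) that decodes the one APDU pair visible in the log and correlates it with the bind failure. The sample log is constructed from the lines quoted above; the PIV object names and the C1/C2/F3/FE key-history fields are taken from NIST SP 800-73-4, and everything else (function names, the report dictionary) is this example's own choice.

```python
"""Decode the APDU exchange and the driver-binding failure from an OpenSC
-vvvvv debug log.  Added example; not part of OpenSC or of the issue report."""
import re

# Constructed sample: the relevant lines from the debug log above, abbreviated.
SAMPLE_LOG = """\
P:300542; T:0x139849473816640 14:25:40.128 [pkcs15-init] reader-pcsc.c:326:pcsc_transmit:
Outgoing APDU (11 bytes):
00 CB 3F FF 05 5C 03 5F C1 0C 0A ..?..\\._...

P:300542; T:0x139849473816640 14:25:41.074 [pkcs15-init] reader-pcsc.c:335:pcsc_transmit:
Incoming APDU (12 bytes):
53 08 C1 01 00 C2 01 00 FE 00 90 00 S...........

P:300542; T:0x139849473816640 14:25:41.074 [pkcs15-init] card-piv.c:2860:piv_process_history: History on=0 off=0 URL=NONE
P:300542; T:0x139849473816640 14:25:41.075 [pkcs15-init] card-piv.c:2233:piv_card_ctl: returning with: -1408 (Not supported)
P:300542; T:0x139849473816640 14:25:41.075 [pkcs15-init] card.c:1069:sc_card_ctl: card_ctl(4) not supported
P:300542; T:0x139849473816640 14:25:41.075 [pkcs15-init] pkcs15-lib.c:345:sc_pkcs15init_bind: Unsupported card driver PIV-II
"""

# PIV data-object tags (NIST SP 800-73-4, Table 3; subset).
PIV_OBJECTS = {
    "5FC101": "X.509 Certificate for Card Authentication",
    "5FC102": "Card Holder Unique Identifier",
    "5FC105": "X.509 Certificate for PIV Authentication",
    "5FC106": "Security Object",
    "5FC107": "Card Capability Container",
    "5FC10A": "X.509 Certificate for Digital Signature",
    "5FC10B": "X.509 Certificate for Key Management",
    "5FC10C": "Key History Object",
}

APDU_HDR = re.compile(r"^(Outgoing|Incoming) APDU \((\d+) bytes\):")
BIND_FAIL = re.compile(r"sc_pkcs15init_bind: Unsupported card driver (\S+)$", re.MULTILINE)
CTL_FAIL = re.compile(r"card_ctl\((\d+)\) not supported")


def extract_apdus(log: str) -> list[tuple[str, bytes]]:
    """Return (direction, raw bytes) for each APDU dump. The line after the
    header holds <count> two-digit hex tokens followed by an ASCII rendering,
    which is ignored."""
    lines, out = log.splitlines(), []
    for i, line in enumerate(lines):
        m = APDU_HDR.match(line)
        if not m or i + 1 >= len(lines):
            continue
        count = int(m.group(2))
        tokens = lines[i + 1].split()[:count]
        if len(tokens) != count or not all(re.fullmatch(r"[0-9A-Fa-f]{2}", t) for t in tokens):
            raise ValueError(f"malformed APDU dump after line {i + 1}")
        out.append((m.group(1), bytes(int(t, 16) for t in tokens)))
    return out


def parse_tlvs(data: bytes) -> list[tuple[int, bytes]]:
    """Parse single-byte-tag BER-TLVs with short or 81/82 lengths (enough for
    the small PIV records seen here)."""
    tlvs, i = [], 0
    while i < len(data):
        tag, length, i = data[i], data[i + 1], i + 2
        if length == 0x81:
            length, i = data[i], i + 1
        elif length == 0x82:
            length, i = (data[i] << 8) | data[i + 1], i + 2
        if i + length > len(data):
            raise ValueError("TLV length runs past end of data")
        tlvs.append((tag, data[i:i + length]))
        i += length
    return tlvs


def decode_get_data(cmd: bytes) -> dict:
    """Decode a PIV GET DATA command (INS CB, P1P2 3FFF) and name the object
    requested by the 5C tag list in its data field."""
    cla, ins, p1, p2, lc = cmd[:5]
    if ins != 0xCB or (p1, p2) != (0x3F, 0xFF):
        raise ValueError("not a PIV GET DATA APDU")
    (tag, taglist), = parse_tlvs(cmd[5:5 + lc])
    if tag != 0x5C:
        raise ValueError("GET DATA body does not start with a 5C tag list")
    oid = taglist.hex().upper()
    return {"object_tag": oid, "object": PIV_OBJECTS.get(oid, "unknown"),
            "le": cmd[5 + lc] if len(cmd) > 5 + lc else None}


def decode_key_history(resp: bytes) -> dict:
    """Decode the Key History Object response: outer tag 53 wrapping
    C1 = keys with on-card certs, C2 = off-card certs, F3 = URL, FE = EDC."""
    data, sw = resp[:-2], resp[-2:].hex().upper()
    if sw != "9000":
        return {"sw": sw}
    (outer, inner), = parse_tlvs(data)
    if outer != 0x53:
        raise ValueError("response is not a 53-wrapped data object")
    fields = dict(parse_tlvs(inner))
    return {"sw": sw,
            "on_card_certs": fields[0xC1][0] if fields.get(0xC1) else 0,
            "off_card_certs": fields[0xC2][0] if fields.get(0xC2) else 0,
            "off_card_url": fields[0xF3].decode("ascii", "replace") if fields.get(0xF3) else None}


def diagnose(log: str) -> dict:
    """Correlate the decoded key-history exchange with the pkcs15init bind error."""
    report = {}
    for direction, raw in extract_apdus(log):
        key = "request" if direction == "Outgoing" else "response"
        report[key] = decode_get_data(raw) if key == "request" else decode_key_history(raw)
    m = BIND_FAIL.search(log)
    report["unsupported_driver"] = m.group(1) if m else None
    m = CTL_FAIL.search(log)
    report["failed_card_ctl"] = int(m.group(1)) if m else None
    return report


if __name__ == "__main__":
    print(diagnose(SAMPLE_LOG))
```

Run against the sample, the decoded request names the Key History Object (tag 5FC10C) and the response carries zero on-card and zero off-card certificates, which is exactly what the `piv_process_history: History on=0 off=0` line reports; the card itself answered 9000, so the `Not supported` comes from the PIV driver's `card_ctl(4)` rejection and the missing pkcs15init driver for `PIV-II`, not from the token.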

@robin-nitrokey
Member

I think the main problem is that v1.6.0 provides one CCID application, OpenPGP. v1.6.0-test.20231218 provides two CCID applications, OpenPGP and PIV. opensc-tool has the --card-driver option to select one:

$ opensc-tool --card-driver openpgp --name
Using reader with a card: Nitrokey Nitrokey 3 [CCID/ICCD Interface] 00 00
OpenPGP card v3.4 (000F E5A62768)

$ opensc-tool --card-driver PIV-II --name
Using reader with a card: Nitrokey Nitrokey 3 [CCID/ICCD Interface] 00 00
Personal Identity Verification Card

Unfortunately, pkcs15-tool and pkcs15-init don’t have this flag. You can also see in the output of pkcs15-tool --list-info that it prefers the PIV driver over the OpenPGP driver:

$ pkcs15-tool --list-info
Using reader with a card: Nitrokey Nitrokey 3 [CCID/ICCD Interface] 00 00
PKCS#15 Card [PIV_II]:
	Version        : 0
	Serial number  : e5a627684295055fb30e52d7143d76b6
	Manufacturer ID: piv_II
	Flags          :

You can fix this by setting the OPENSC_DRIVER environment variable to openpgp:

$ OPENSC_DRIVER=openpgp pkcs15-tool --list-info
Using reader with a card: Nitrokey Nitrokey 3 [CCID/ICCD Interface] 00 00
PKCS#15 Card [OpenPGP card]:
	Version        : 0
	Serial number  : 000fe5a62768
	Manufacturer ID: OpenPGP project
	Language       :
	Flags          : PRN generation, EID compliant

Does that work for you? For me, pkcs15-init --erase-card works neither with v1.6.0 nor v1.6.0-test.20231218.
