Comments (9)
I think we will need more logs to be clever. Likely it is an issue of the max length APDU detection, but both cards and opensc should be able to split the long APDUs and responses mostly transparently.
Can you provide the logs from the APDU that is sending a larger amount of data than allowed? Also the version of the working 0.23.0 if possible.
from opensc.
This sounds related to the discussion item in #3004. This should have been solved by recent commits in 0.25.0, but if not, we need a current debug log from 0.25.0 (at least the affected parts around the failure).
from opensc.
Did not want to close this one. From the debug logs I got from @rliebscher over email, it looks like the issue of the APDU lengths as all the init finalizes correctly, but the failure comes from the register_mechanisms() function, which fails for some reason:
pkcs15_bind: cannot register mechanisms; CKR 0x70
The function does not have any logging, the 0x70 is CKR_MECHANISM_INVALID, which does not come from a lot of places, but it is not clear which one failed. I can submit a test PR with some more logging to see what is going on there if you could give it a try.
from opensc.
I suspect it will come from sc_pkcs11_register_sign_and_hash_mechanism() when it is supplied by some of the mechanisms that are not supported by the OpenSSL build. Previously, it was likely failing silently, but now we implemented error checking, which probably surfaced this issue.
I opened #3092 to improve logging in the function where I suspect the issue happens. Can you try to install the package from that PR and provide the debug log from this part (it should not contain any sensitive information)?
from opensc.
Did not test it yet, but reading OpenSSL in your previous comment, reminds me that I used --disable-openssl with configure (as written in the wiki)
from opensc.
Thanks for the pointer. This might be helpful to guess the location of the issue. Looking at the code, it looks like it will be likely the RSA-PSS mechanisms, that are not behind the #if ENABLE_OPENSSL in register_mechanisms().
Let me update the PR with this fix and then you can take time to retry.
Regarding the CI, I think most of all or all the tests now build with openssl. Added on too.
from opensc.
I tried this commit 2fa13f5 and it resolves the problem.
I also tried 0.25.1 and it still has the problem.
from opensc.
Thank you for testing. I completely forgot about this while putting together the 0.25.1 so it will certainly be in the next release, unsure if 0.25.2 (if there will be some more issues) or 0.26.0 later this year.
The workaround is to build with OpenSSL or apply the patch b492a4c
from opensc.
It fails in here (rv is 112 then)
register_mechanisms(struct sc_pkcs11_card * p11card) (d:\opensc-0.25.1\src\pkcs11\framework-pkcs15.c:6731)
pkcs15_bind(struct sc_pkcs11_card * p11card, struct sc_app_info * app_info) (d:\opensc-0.25.1\src\pkcs11\framework-pkcs15.c:346)
card_detect(sc_reader_t * reader) (d:\opensc-0.25.1\src\pkcs11\slot.c:323)
card_detect_all() (d:\opensc-0.25.1\src\pkcs11\slot.c:429)
C_GetSlotList(CK_ULONG_PTR pulCount, CK_SLOT_ID_PTR pSlotList) (d:\opensc-0.25.1\src\pkcs11\pkcs11-global.c:524)
C_GetSlotList(CK_BBOOL tokenPresent, CK_SLOT_ID_PTR pSlotList, CK_ULONG_PTR pulCount) (d:\opensc-0.25.1\src\pkcs11\pkcs11-global.c:496)
list_slots(int tokens, int print) (d:\opensc-0.25.1\src\tools\pkcs11-tool.c:1609)
main(int argc, char ** argv) (d:\opensc-0.25.1\src\tools\pkcs11-tool.c:1211)
sc_pkcs11_find_mechanism(struct sc_pkcs11_card *p11card, CK_MECHANISM_TYPE mech, CK_FLAGS flags) returns NULL
requested mech is 592
p11card->nmechanisms = 10
p11card->mechanisms[] has mech 4161...4164, 4177, 4176, 4160, 3, 1, 13
from opensc.
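A simplified model of the failure traced in this thread, added here as an illustration and not OpenSC's own code: a hash-combined signature mechanism is registered against a table that has no digest mechanism, so the lookup for 592 (CKM_SHA256) returns NULL and registration ends in 0x70. The names `struct card`, `find_mech`, `register_sign_and_hash`, `register_pss` and the `have_digests` flag are hypothetical; the constants come from the PKCS #11 headers and the first table is the one quoted in the last comment.

```c
#include <stddef.h>
#include <stdio.h>

/* Constants from the PKCS #11 headers. */
#define CKR_OK                0x00UL
#define CKR_MECHANISM_INVALID 0x70UL   /* 112, the rv reported in the thread */
#define CKM_RSA_PKCS_PSS      0x0DUL   /* 13, present in the card's table */
#define CKM_SHA256            0x250UL  /* 592, the lookup that returned NULL */

/* Hypothetical stand-in for the per-card mechanism table. */
struct card { const unsigned long *mechs; size_t n; };

/* The ten mechanisms quoted in the last comment (build without OpenSSL). */
static const unsigned long tbl_nossl[] = {4161, 4162, 4163, 4164, 4177, 4176, 4160, 3, 1, 13};
/* Constructed: the same table plus a software SHA-256 digest mechanism. */
static const unsigned long tbl_hash[] = {4161, 4162, 4163, 4164, 4177, 4176, 4160, 3, 1, 13, 592};
static const struct card card_nossl = {tbl_nossl, sizeof tbl_nossl / sizeof tbl_nossl[0]};
static const struct card card_hash = {tbl_hash, sizeof tbl_hash / sizeof tbl_hash[0]};

/* Linear lookup; returns NULL when the mechanism is not registered. */
static const unsigned long *find_mech(const struct card *c, unsigned long m)
{
    for (size_t i = 0; i < c->n; i++)
        if (c->mechs[i] == m)
            return &c->mechs[i];
    return NULL;
}

/* Unguarded path: a missing digest turns into a hard registration error. */
unsigned long register_sign_and_hash(const struct card *c, unsigned long sign, unsigned long hash)
{
    if (find_mech(c, sign) == NULL || find_mech(c, hash) == NULL)
        return CKR_MECHANISM_INVALID;
    return CKR_OK;
}

/* Guarded path: skip hash-combined mechanisms when the build has no digests
 * (have_digests is a runtime stand-in for the #if ENABLE_OPENSSL guard). */
unsigned long register_pss(const struct card *c, int have_digests)
{
    if (!have_digests)
        return CKR_OK;
    return register_sign_and_hash(c, CKM_RSA_PKCS_PSS, CKM_SHA256);
}

int main(void)
{
    printf("unguarded, no digests: 0x%lx\n", register_sign_and_hash(&card_nossl, CKM_RSA_PKCS_PSS, CKM_SHA256));
    printf("guarded, no digests:   0x%lx\n", register_pss(&card_nossl, 0));
    printf("guarded, with digests: 0x%lx\n", register_pss(&card_hash, 1));
    return 0;
}
```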