
Comments (9)

Jakuje avatar Jakuje commented on July 1, 2024

I think we will need more logs to be clever. Likely it is an issue of the max length APDU detection, but both cards and opensc should be able to split the long APDUs and responses mostly transparently.

Can you provide the logs from the APDU that is sending a larger amount of data than allowed? Also the version of the working 0.23.0 if possible.

from opensc.

Jakuje avatar Jakuje commented on July 1, 2024

This sounds related to the discussion item in #3004. This should have been solved by recent commits in 0.25.0, but if not, we need a current debug log from 0.25.0 (at least the affected parts around the failure).

from opensc.

Jakuje avatar Jakuje commented on July 1, 2024

Did not want to close this one. From the debug logs I got from @rliebscher over email, it looks like the issue of the APDU lengths as all the init finalizes correctly, but the failure comes from the register_mechanisms() function, which fails for some reason:

pkcs15_bind: cannot register mechanisms; CKR 0x70

The function does not have any logging, the 0x70 is CKR_MECHANISM_INVALID, which does not come from a lot of places, but it is not clear which one failed. I can submit a test PR with some more logging to see what is going on there if you could give it a try.

from opensc.

Jakuje avatar Jakuje commented on July 1, 2024

I suspect it will come from sc_pkcs11_register_sign_and_hash_mechanism() when it is supplied by some of the mechanisms that are not supported by the OpenSSL build. Previously, it was likely failing silently, but now we implemented error checking, which probably surfaced this issue.

I opened #3092 to improve logging in the function where I suspect the issue happens. Can you try to install the package from that PR and provide the debug log from this part (should not contain any sensitive information)?

from opensc.

rliebscher avatar rliebscher commented on July 1, 2024

Did not test it yet, but reading OpenSSL in your previous comment reminds me that I used --disable-openssl with configure (as written in the wiki).

from opensc.

Jakuje avatar Jakuje commented on July 1, 2024

Thanks for the pointer. This might be helpful to guess the location of the issue. Looking at the code, it looks like it will likely be the RSA-PSS mechanisms that are not behind the #if ENABLE_OPENSSL in register_mechanisms().

Let me update the PR with this fix and then you can take time to retry.

Regarding the CI, I think most of all or all the tests now build with openssl. Added on too.

from opensc.

rliebscher avatar rliebscher commented on July 1, 2024

I tried this commit 2fa13f5 and it resolves the problem.
I also tried 0.25.1 and it still has the problem.

from opensc.

Jakuje avatar Jakuje commented on July 1, 2024

Thank you for testing. I completely forgot about this while putting together the 0.25.1 so it will certainly be in the next release, unsure if 0.25.2 (if there will be some more issues) or 0.26.0 later this year.
The workaround is to build with OpenSSL or apply the patch b492a4c.

from opensc.

rliebscher avatar rliebscher commented on July 1, 2024

It fails in here (rv is 112 then)

register_mechanisms(struct sc_pkcs11_card * p11card) (d:\opensc-0.25.1\src\pkcs11\framework-pkcs15.c:6731)
pkcs15_bind(struct sc_pkcs11_card * p11card, struct sc_app_info * app_info) (d:\opensc-0.25.1\src\pkcs11\framework-pkcs15.c:346)
card_detect(sc_reader_t * reader) (d:\opensc-0.25.1\src\pkcs11\slot.c:323)
card_detect_all() (d:\opensc-0.25.1\src\pkcs11\slot.c:429)
C_GetSlotList(CK_ULONG_PTR pulCount, CK_SLOT_ID_PTR pSlotList) (d:\opensc-0.25.1\src\pkcs11\pkcs11-global.c:524)
C_GetSlotList(CK_BBOOL tokenPresent, CK_SLOT_ID_PTR pSlotList, CK_ULONG_PTR pulCount) (d:\opensc-0.25.1\src\pkcs11\pkcs11-global.c:496)
list_slots(int tokens, int print) (d:\opensc-0.25.1\src\tools\pkcs11-tool.c:1609)
main(int argc, char ** argv) (d:\opensc-0.25.1\src\tools\pkcs11-tool.c:1211)

sc_pkcs11_find_mechanism(struct sc_pkcs11_card *p11card, CK_MECHANISM_TYPE mech, CK_FLAGS flags)
returns NULL
requested mech is 592
p11card->nmechanisms = 10
p11card->mechanisms[] has mech 4161...4164, 4177, 4176, 4160, 3, 1, 13

from opensc.
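
The failure recorded in the dump above, reduced to a stand-alone C model (an added example, not OpenSC's code): a combined sign-and-hash mechanism can only be registered if its digest mechanism is already in the card's table, and 592 (0x250, CKM_SHA256) is not among the ten listed. The `model_*` functions and the `have_openssl` flag are hypothetical stand-ins; the constants are the standard PKCS#11 values.

```c
#include <stddef.h>
#include <stdio.h>

/* Standard PKCS#11 constants. */
#define CKR_OK                  0x00UL
#define CKR_MECHANISM_INVALID   0x70UL   /* 112, the rv in the trace */
#define CKM_RSA_PKCS_PSS        0x0DUL   /* 13, present in the dump */
#define CKM_SHA256              0x250UL  /* 592, the lookup that fails */
#define CKM_SHA256_RSA_PKCS_PSS 0x43UL

/* Constructed from the debug dump: the 10 registered mechanisms. */
static const unsigned long registered[] = {
    4161, 4162, 4163, 4164, 4177, 4176, 4160, 3, 1, 13
};
#define NREG (sizeof registered / sizeof registered[0])

/* Simplified mechanism lookup: 1 if present in the table, else 0. */
static int model_find(unsigned long mech)
{
    for (size_t i = 0; i < NREG; i++)
        if (registered[i] == mech)
            return 1;
    return 0;
}

/* Model of registering a combined sign+hash mechanism: the raw
 * signature mechanism and the digest mechanism must both exist. */
static unsigned long model_register_sign_and_hash(unsigned long combined,
        unsigned long hash, unsigned long sign)
{
    (void)combined; /* only the two prerequisites matter here */
    if (!model_find(sign) || !model_find(hash))
        return CKR_MECHANISM_INVALID;
    return CKR_OK;
}

/* have_openssl: hypothetical runtime stand-in for ENABLE_OPENSSL.
 * Assumption: digest mechanisms are absent without OpenSSL. */
static unsigned long model_register_pss(int guarded, int have_openssl)
{
    if (guarded && !have_openssl)
        return CKR_OK; /* guarded build skips the combined mechanism */
    return model_register_sign_and_hash(CKM_SHA256_RSA_PKCS_PSS,
                                        CKM_SHA256, CKM_RSA_PKCS_PSS);
}

int main(void)
{
    printf("unguarded: 0x%lx\n", model_register_pss(0, 0));
    printf("guarded:   0x%lx\n", model_register_pss(1, 0));
    return 0;
}
```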
