Smartcard stopped working, CKR_GENERAL_ERROR thrown #1005

Closed
mrlnc opened this issue Mar 24, 2017 · 11 comments · Fixed by #1212

@mrlnc

mrlnc commented Mar 24, 2017

Expected behaviour

I use OpenSC as a Firefox Security Device to authenticate myself on a website. I'm asked for a PIN, then for a certificate to choose, and then successfully log in.

This did work for me before, so it might be either a regression or something is wrong on my system. I'd like to ask for help to resolve this, since I don't know where to look for mistakes. For any debug information I could provide, please tell me if it compromises the smartcard's security.

Actual behaviour

I'm asked for the Smartcard PIN, certificate information is displayed correctly. When I proceed to use the selected certificate, Firefox throws this error:

Secure Connection Failed
An error occurred during a connection to fn2.flexnow.ruhr-uni-bochum.de. A PKCS #11 module returned CKR_GENERAL_ERROR, indicating that an unrecoverable error has occurred. Error code: SEC_ERROR_PKCS11_GENERAL_ERROR

Output with pkcs11-tool is:

$ pkcs11-tool --module /usr/lib64/onepin-opensc-pkcs11.so -t -l
Using slot 0 with a present token (0x0)
Logging in to "Student Card (User Pin)".
Please enter User PIN: 
C_SeedRandom() and C_GenerateRandom():
  seeding (C_SeedRandom) not supported
  seems to be OK
Digests:
  all 4 digest functions seem to work
  MD5: OK
  SHA-1: OK
  RIPEMD160: OK
Signatures (currently only RSA signatures)
  testing key 0 (RUBSIGNCERT) 
error: PKCS11 function C_SignFinal failed: rv = CKR_GENERAL_ERROR (0x5)

Hard- and Software versions

Reader: OmniKey AG CardMan 4321
Smartcard Software:
opensc 0.16.0-2
pcsc-perl 1.4.14-2
pcsc-tools 1.4.27-1
pcsclite 1.8.20-1
Firefox 52.0.1-1
In Firefox, Security Device is /usr/lib/opensc-pkcs11.so

So far, I tried to downgrade opensc and pcsclite without success. Please note that I do not know when it stopped working, since I rarely use the smartcard.

@mrlnc
Author

mrlnc commented Mar 26, 2017

Tested with a different card reader (Advanced Card Systems, Ltd ACR38 SmartCard Reader) and it works like a charm.
Is there a way to tell whether support for CardMan 4321 has a regression, or my device is broken?

@frankmorgner
Member

Please add some debug output.

Please note that we are not distributing any other packages than the ones listed here. So your OpenSC build may not be up to date.

@mrlnc
Author

mrlnc commented Mar 28, 2017

https://gist.github.com/mrlnc/5a5a6261103047fa2e4542035e6ecb7f

I deleted quite a lot. Please tell me if I deleted too much or too little :-)

@frankmorgner
Member

Try setting max_recv_size/max_send_size to a higher value.

@dengert
Member

dengert commented Mar 28, 2017 via email

@frankmorgner
Member

What did your working setup look like?

@frankmorgner
Member

Do you have a debug log for the working setup?

@mrlnc
Author

mrlnc commented Apr 15, 2017

I now bought a different reader, a Gemalto GemPC Express. That works fine. I could not verify whether the old card reader is broken.
Is it worth testing for a regression? I don't know when the reader stopped working, so it might be a hardware issue.

@frankmorgner
Member

thanks for the feedback

@mrlnc
Author

mrlnc commented Jun 25, 2018

Whenever I reinstall my system, I end up googling this. Turns out this issue is the first search result.

Therefore I'd like to include a note to myself and all the others with similar configuration:

  • Ubuntu 18.04
  • opensc 0.17.0
  • Gemalto GemPC Express

In /etc/opensc/opensc.conf, set:

…
	# The following section shows definitions for PC/SC readers.
	reader_driver pcsc {
		# Limit command and response sizes. Some Readers don't propagate their
		# transceive capabilities correctly. max_send_size and max_recv_size
		# allow setting the limits manually, for example to enable extended
		# length capabilities.
		# Default: max_send_size = 255, max_recv_size = 256;
		max_send_size = 65535;
		max_recv_size = 65536;
…	

Works like a charm, then. Thanks @frankmorgner
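
A way to check which limits an opensc.conf sets in its `reader_driver pcsc` block before re-running `pkcs11-tool -t -l`, given as an added example that is not part of the original thread or of OpenSC. The function names `pcsc_limit` and `check_pcsc_limits` are hypothetical and the two sample configs are constructed; the 255/256 defaults are the ones quoted in the config comment above.

```shell
#!/bin/sh
# Print the value KEY is set to inside "reader_driver pcsc { ... }".
pcsc_limit() {  # $1 = config path, $2 = max_send_size | max_recv_size
    awk -v key="$2" '
        { sub(/#.*/, "") }                        # commented-out settings do not count
        /reader_driver[ \t]+pcsc[ \t]*[{]/ { inblk = 1; next }
        inblk && /[}]/ { inblk = 0 }              # end of the pcsc block
        inblk && $0 ~ ("^[ \t]*" key "[ \t]*=") {
            v = $0
            sub(/^[^=]*=[ \t]*/, "", v)           # drop "key ="
            sub(/[ \t]*;.*$/, "", v)              # drop ";" and anything after
            val = v                               # remember the last match
        }
        END { if (val != "") print val }
    ' "$1"
}

# Compare against the defaults quoted in the config comment (255 / 256).
check_pcsc_limits() {  # $1 = config path
    send=$(pcsc_limit "$1" max_send_size)
    recv=$(pcsc_limit "$1" max_recv_size)
    send=${send:-255}; recv=${recv:-256}
    if [ "$send" -gt 255 ] && [ "$recv" -gt 256 ]; then
        echo "extended send=$send recv=$recv"
    else
        echo "short send=$send recv=$recv"
    fi
}

# Constructed sample configs, not taken from a real system.
tmp=$(mktemp -d); trap 'rm -rf "$tmp"' EXIT
cat > "$tmp/default.conf" <<'EOF'
app default {
    reader_driver pcsc {
        # max_send_size = 255;
        # max_recv_size = 256;
    }
}
EOF
cat > "$tmp/raised.conf" <<'EOF'
app default {
    reader_driver pcsc {
        max_send_size = 65535;
        max_recv_size = 65536;
    }
}
EOF
check_pcsc_limits "$tmp/default.conf"
check_pcsc_limits "$tmp/raised.conf"
```

Pointing `check_pcsc_limits` at `/etc/opensc/opensc.conf` shows whether the edit landed inside the pcsc block or was left commented out.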

@solfas

solfas commented Sep 24, 2021

Also, you may try installing an older driver for your reader. With my HID Omnikey 3021 I had the same error. I installed a driver from 2012 and it started working.
