CKR_GENERAL_ERROR when try to authentcate website #1118
Comments
|
I don't see an error in your log. Did you forget to paste something? Did that card work in a previous version of OpenSC or with a different PKCS#11 provider? |
|
Did you get the bug description via email? It was initially commented out between the xml comment tags. I removed it afterwards, sorry. error: PKCS11 function C_SignFinal failed: rv = CKR_GENERAL_ERROR (0x5) First I tried with Version: 0.15.0-1ubuntu1, got the error and then compiled from git master. |
|
Yeah, I did see that. I was referring to the part that you skipped with (...); we need it. |
|
ok, here it is. I tried to remove any private information marked with |
|
Try setting the following in |
|
Is it a typo: I tried bothwith this reader: Does not work: I also tried another reader: same result. |
|
https://pcsclite.alioth.debian.org/ccid/supported.html
says your reader does not support extended APDU
Try another reader.
…On 8/6/2017 6:38 AM, Volker Voßkämper wrote:
Is it a typo:
max_send_size = 65535;
max_recv_size = 65536;
do you mean
max_send_size = 65536;
max_recv_size = 65536;
I tried bothwith this reader:
Bus 001 Device 010: ID 076b:3021 OmniKey AG CardMan 3121
Does not work:
|$ OPENSC_DEBUG=2 pkcs11-tool --module /usr/local/lib/opensc-pkcs11.so -t -l 0x7ff20ae47700 13:33:21.536 [opensc-pkcs11] card.c:200:sc_connect_card: called 0x7ff20ae47700 13:33:21.559 [opensc-pkcs11]
card-cardos.c:484:cardos_select_file: called 0x7ff20ae47700 13:33:21.575 [opensc-pkcs11] card-cardos.c:484:cardos_select_file: called 0x7ff20ae47700 13:33:21.584 [opensc-pkcs11]
card-cardos.c:484:cardos_select_file: called 0x7ff20ae47700 13:33:21.609 [opensc-pkcs11] card-cardos.c:484:cardos_select_file: called 0x7ff20ae47700 13:33:21.677 [opensc-pkcs11]
card-cardos.c:484:cardos_select_file: called 0x7ff20ae47700 13:33:21.735 [opensc-pkcs11] card-cardos.c:484:cardos_select_file: called 0x7ff20ae47700 13:33:21.841 [opensc-pkcs11]
card-cardos.c:484:cardos_select_file: called 0x7ff20ae47700 13:33:21.870 [opensc-pkcs11] card-cardos.c:484:cardos_select_file: called 0x7ff20ae47700 13:33:21.954 [opensc-pkcs11]
card-cardos.c:484:cardos_select_file: called 0x7ff20ae47700 13:33:22.215 [opensc-pkcs11] card-cardos.c:484:cardos_select_file: called 0x7ff20ae47700 13:33:22.471 [opensc-pkcs11]
card-cardos.c:484:cardos_select_file: called 0x7ff20ae47700 13:33:22.690 [opensc-pkcs11] card-cardos.c:484:cardos_select_file: called 0x7ff20ae47700 13:33:22.904 [opensc-pkcs11]
card-cardos.c:484:cardos_select_file: called Using slot 0 with a present token (0x0) 0x7ff20ae47700 13:33:22.964 [opensc-pkcs11] sec.c:216:sc_pin_cmd: returning with: -1408 (Not supported) Logging in
to "PIN (Siemens Corporate ID Card)". Please enter User PIN: 0x7ff20ae47700 13:33:26.704 [opensc-pkcs11] sec.c:216:sc_pin_cmd: returning with: 0 (Success) C_SeedRandom() and C_GenerateRandom():
seeding (C_SeedRandom) not supported seems to be OK 0x7ff20ae47700 13:33:34.765 [opensc-pkcs11] sec.c:216:sc_pin_cmd: returning with: -1408 (Not supported) Digests: all 4 digest functions seem to work
MD5: OK SHA-1: OK RIPEMD160: OK 0x7ff20ae47700 13:33:34.774 [opensc-pkcs11] sec.c:216:sc_pin_cmd: returning with: -1408 (Not supported) Signatures (currently only for RSA) testing key 0 (Auth 07.04.17
09:28:56 - 07.04.18) 0x7ff20ae47700 13:33:34.780 [opensc-pkcs11] card-cardos.c:484:cardos_select_file: called 0x7ff20ae47700 13:33:34.801 [opensc-pkcs11] sec.c:78:sc_set_security_env: returning with:
0 (Success) 0x7ff20ae47700 13:33:34.839 [opensc-pkcs11] sec.c:46:sc_decipher: returning with: -1200 (Card command failed) 0x7ff20ae47700 13:33:34.848 [opensc-pkcs11]
card-cardos.c:484:cardos_select_file: called 0x7ff20ae47700 13:33:34.901 [opensc-pkcs11] ctx.c:870:sc_release_context: called error: PKCS11 function C_SignFinal failed: rv = CKR_GENERAL_ERROR (0x5)
Aborting.|
I also tried another reader:
Bus 001 Device 009: ID 08e6:3437 Gemalto (was Gemplus) GemPC Twin SmartCard Reader
same result.
—
You are receiving this because you are subscribed to this thread.
Reply to this email directly, view it on GitHub <#1118 (comment)>, or mute the thread
<https://github.com/notifications/unsubscribe-auth/AA00MeyfM0FK8pF2POTp32aHmqiqrGE6ks5sVaW9gaJpZM4OrFUR>.
--
Douglas E. Engert <[email protected]>
|
|
looks like 08e6:3437 Gemalto (was Gemplus) GemPC Twin SmartCard Reader also does not support extended APDUs |
|
In: https://github.com/OpenSC/OpenSC/files/1196827/pkcs11-test.out.txt line 5189: 0x7fa965a12700 14:49:07.646 [opensc-pkcs11] apdu.c:378:sc_single_transmit: CLA:10, INS:2A, P1:80, P2:86, data(255) 0xde6d90 This looks like a short APDU with CLA:10 set to command chaining because the reader does not support extended APDU. The card may not support command chaining. But you removed line 5193 making it harder to see what was actually sent. '68XX' Functions in CLA not supported (further qualification in SW2, see table 16) 84 look like it does not accept Command Chaining, but I can't find the reference. |
|
But the reader ist not marked with "Limitations: No extended APDU" :-o But anyway, the CardMan 3121 works in Windows... So there must be a way... |
|
If you need I will provide more log output, but not just all. I don't want to expose private data to public. |
|
Here is that missing pice starting from line 5192 |
|
@vosskaem have you tested CardMan 3121 on Windows with No typo! It should be: Are you sure setting the configuration was successful? You should give the full debug log (without PINs). If you're reader doesn't support extended length, then you can't use all algorithms, but some may work. |
|
Under Windows it works with the CardOS Driver from Atos (Company standard) |
|
How to locate the PIN data? |
|
I found my name and company name in clear text in the log. I don't want to post my certificate data here. |
|
The CardMan 3121 does not support standard extended APDU, but only using a nonstandard "hack", that was dropped from upstream some time ago (in 2014). In Fedora/RHEL we reverted this change, because this reader is still very popular. |
|
Can you please revert that in upstream too? |
|
I am not upstream of CCID. @LudovicRousseau removed that intentionally since it is old, not CCID compliant and needs hacks to work with long APDUs. Fastest way is probably to install Fedora. Or rebuild and install locally ccid [1] with the following patch [2] (whatever other distro you have). [1] http:https://pcsclite.alioth.debian.org/ccid.html |
|
The reader GemPC Twin reader https://pcsclite.alioth.debian.org/ccid/supported.html#0x08E60x3437 DOES support extended APDU. When the current problem is fixed you can try again with the CardMan 3121. |
|
Thanks a lot, but it all does not help.
It still does not work.
This also does not work! |
|
Using Ubuntu 16.04 with Linux 4.11.0-13-generic (linux-image-generic-hwe-16.04-edge from backports) |
|
in fact the Gemalto Reader seems to be this one, |
|
so, what to buy that finally work? |
|
Maybe you can go into a store and simply try some smart card readers and buy which ever works. The issue seems solved (need reader with extended length). |
|
I bought a SCR uTrust SCR3500 A SmartFold contact reader which works perfectly. http:https://www.scm-pc-card.de/index.php?page=product&function=show_product&lang=de&category_id=46&p=SCR uTrust SCR3500 A SmartFold contact reader&c=SmartCard (SCR)&product_id=922 The vendor provided driver is NOT necessary. The only thing to get it running is the change in You can add it to the list of supported devices. Thanks for your help. |
Fixes OpenSC#1208 Fixes OpenSC#1118 Fixes OpenSC#1005 Fixes OpenSC#802
|
Try installing an older driver for your card reader. With my HID Omnikey 3021 I had the same error. I installed a driver of 2012 and it started working. |
Problem Description
Trying to login into a website and authenticate with corporate id card which works under Windows with cardos.
Using OpenSC-0.16.0-321-g3d187d9, rev: 3d187d9, commit-time: 2017-08-02 11:23:43 +0200
$ opensc-tool -n
Using reader with a card: OMNIKEY AG CardMan 3121 00 00
CardOS M4
Steps to reproduce
pkcs11-tool --module /usr/local/lib/opensc-pkcs11.so -t -l
Logs
(...)
0x7fa965a12700 14:49:07.724 [opensc-pkcs11] reader-pcsc.c:662:pcsc_unlock: called
0x7fa965a12700 14:49:07.733 [opensc-pkcs11] framework-pkcs15.c:1472:pkcs15_release_token: pkcs15_release_token() not implemented
0x7fa965a12700 14:49:07.733 [opensc-pkcs11] slot.c:474:slot_token_removed: slot_token_removed(0x1)
0x7fa965a12700 14:49:07.733 [opensc-pkcs11] pkcs11-session.c:140:sc_pkcs11_close_all_sessions: real C_CloseAllSessions(0x1) 0
0x7fa965a12700 14:49:07.734 [opensc-pkcs11] slot.c:474:slot_token_removed: slot_token_removed(0x2)
0x7fa965a12700 14:49:07.734 [opensc-pkcs11] pkcs11-session.c:140:sc_pkcs11_close_all_sessions: real C_CloseAllSessions(0x2) 0
0x7fa965a12700 14:49:07.734 [opensc-pkcs11] slot.c:474:slot_token_removed: slot_token_removed(0x3)
0x7fa965a12700 14:49:07.734 [opensc-pkcs11] pkcs11-session.c:140:sc_pkcs11_close_all_sessions: real C_CloseAllSessions(0x3) 0
0x7fa965a12700 14:49:07.734 [opensc-pkcs11] pkcs15.c:1273:sc_pkcs15_unbind: called
0x7fa965a12700 14:49:07.734 [opensc-pkcs11] pkcs15-pin.c:826:sc_pkcs15_pincache_clear: called
0x7fa965a12700 14:49:07.734 [opensc-pkcs11] misc.c:61:sc_to_cryptoki_error_common: libopensc return value: 0 (Success)
0x7fa965a12700 14:49:07.734 [opensc-pkcs11] card.c:346:sc_disconnect_card: called
0x7fa965a12700 14:49:07.758 [opensc-pkcs11] reader-pcsc.c:597:pcsc_disconnect: OMNIKEY AG CardMan 3121 00 00:SCardDisconnect returned: 0x00000000
0x7fa965a12700 14:49:07.758 [opensc-pkcs11] card.c:368:sc_disconnect_card: returning with: 0 (Success)
0x7fa965a12700 14:49:07.758 [opensc-pkcs11] ctx.c:870:sc_release_context: called
0x7fa965a12700 14:49:07.758 [opensc-pkcs11] reader-pcsc.c:896:pcsc_finish: called
error: PKCS11 function C_SignFinal failed: rv = CKR_GENERAL_ERROR (0x5)
Aborting.
The text was updated successfully, but these errors were encountered: