PKCS11 function C_GetAttributeValue(MODULUS_BITS) failed #1208

Closed
vovata opened this issue Nov 24, 2017 · 10 comments · Fixed by #1212
@vovata

vovata commented Nov 24, 2017

Using my card I have a security error issue.
Here below are the outputs of tools:

opensc-tool -l

Detected readers (pcsc)

Nr.  Card  Features  Name
0    Yes             Bit4id miniLector-s 00 00


opensc-tool --atr
Using reader with a card: Bit4id miniLector-s 00 00
3b:f2:18:00:02:c1:0a:31:fe:58:c8:08:74


opensc-tool --name
Using reader with a card: Bit4id miniLector-s 00 00
CardOS M4


pkcs11-tool -lt --module onepin-opensc-pkcs11.so
Using slot 0 with a present token (0x0)
Logging in to "PIN (InfoNotary)".
Please enter User PIN:
C_SeedRandom() and C_GenerateRandom():
seeding (C_SeedRandom) not supported
seems to be OK
Digests:
all 4 digest functions seem to work
MD5: OK
SHA-1: OK
RIPEMD160: OK
Signatures (currently only for RSA)
warning: PKCS11 function C_GetAttributeValue(MODULUS_BITS) failed: rv = CKR_GENERAL_ERROR (0x5)

testing key 0 (8999444B-0958-4867-979A-3F82D5701532) -- can't be used for signature, skipping: can't obtain modulus
testing key 1 (0835F722-EE3C-483C-ACF6-D9538FCDBBEE)
all 4 signature functions seem to work
testing signature mechanisms:
RSA-X-509: OK
RSA-PKCS: OK
SHA1-RSA-PKCS: OK
MD5-RSA-PKCS: OK
RIPEMD160-RSA-PKCS: OK
SHA256-RSA-PKCS: OK
testing key 1 (1024 bits, label=0835F722-EE3C-483C-ACF6-D9538FCDBBEE) with 1 signature mechanism
RSA-X-509: OK
testing key 2 (2048 bits, label=42CD5BED-1F7B-4A2F-9198-D2921FEBA8AE) with 1 signature mechanism
error: PKCS11 function C_Sign failed: rv = CKR_GENERAL_ERROR (0x5)
Aborting.


In Firefox, after entering the PIN and choosing the certificate, there is an error:
Secure Connection Failed

An error occurred during a connection to www.epay.bg. A PKCS #11 module returned CKR_GENERAL_ERROR, indicating that an unrecoverable error has occurred. Error code: SEC_ERROR_PKCS11_GENERAL_ERROR

The page you are trying to view cannot be shown because the authenticity of the received data could not be verified.
Please contact the website owners to inform them of this problem.

After some digging with git bisect I found the commit which broke my card using:
fcc8ea5 is the first bad commit
commit fcc8ea5
Author: Frank Morgner [email protected]
Date: Tue Nov 15 22:48:48 2016 +0100

reader-pcsc: removed cardmod driver

- pcsc driver takes over all the functionality
- no dedicated reader driver config values for cardmod, use application
  specific blocks to define a different behavior for the pcsc reader if
  needed
- removes legacy code; requiring at least libpcsclite 1.6.5

Fixes https://github.com/OpenSC/OpenSC/issues/892

:040000 040000 6240de371a96d285a1648aa1af119317b9964430 91bd88f2d1f06835a0c959a86dc5c4262ba0e4df M etc
:040000 040000 91237489ee5a6039d9668f2c0c842cee15d1b581 e8f91de043a2fc13027ea16def22aea58f35e3c8 M src

@frankmorgner
Member

Could you upload a log with debug = 3; in opensc.conf when running pkcs11-tool?

@frankmorgner
Member

Maybe you need to adjust max_send_size/max_recv_size to the actual limits of your reader.

@vovata
Author

vovata commented Nov 24, 2017

I have no opensc.conf in my distribution (Fedora 26 or 27).
I don't know how to set up pkcs11-tool to use this conf file.
When I try to copy it into /etc, nothing changes.
When I set an environment variable with export OPENSC_DEBUG=3, I get very big output.
And it finishes with:
0x7f49748f3740 13:52:11.860 [onepin-opensc-pkcs11] apdu.c:371:sc_single_transmit: called
0x7f49748f3740 13:52:11.860 [onepin-opensc-pkcs11] apdu.c:378:sc_single_transmit: CLA:10, INS:2A, P1:80, P2:86, data(255) 0x55fd2275bff0
0x7f49748f3740 13:52:11.860 [onepin-opensc-pkcs11] reader-pcsc.c:283:pcsc_transmit: reader 'Bit4id miniLector-s 00 00'
0x7f49748f3740 13:52:11.860 [onepin-opensc-pkcs11] reader-pcsc.c:284:pcsc_transmit:
Outgoing APDU (262 bytes):
10 2A 80 86 00 00 FF 00 00 01 FF FF FF FF FF FF .*..............
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ................
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ................
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ................
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ................
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ................
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ................
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ................
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ................
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ................
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ................
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ................
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ................
FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF ................
FF FF FF FF 00 30 21 30 09 06 05 2B 0E 03 02 1A .....0!0...+....
05 00 04 14 29 B0 E7 87 82 71 64 5F FF B7 EE C7 ....)....qd_....
DB 4A 74 73 A1 C0 .Jts..
0x7f49748f3740 13:52:11.860 [onepin-opensc-pkcs11] reader-pcsc.c:212:pcsc_internal_transmit: called
0x7f49748f3740 13:52:11.903 [onepin-opensc-pkcs11] reader-pcsc.c:293:pcsc_transmit:
Incoming APDU (2 bytes):
68 84 h.
0x7f49748f3740 13:52:11.903 [onepin-opensc-pkcs11] apdu.c:390:sc_single_transmit: returning with: 0 (Success)
0x7f49748f3740 13:52:11.903 [onepin-opensc-pkcs11] apdu.c:543:sc_transmit: returning with: 0 (Success)
0x7f49748f3740 13:52:11.903 [onepin-opensc-pkcs11] card-cardos.c:313:cardos_check_sw: chaining error
0x7f49748f3740 13:52:11.903 [onepin-opensc-pkcs11] card.c:459:sc_unlock: called
0x7f49748f3740 13:52:11.903 [onepin-opensc-pkcs11] iso7816.c:984:iso7816_decipher: APDU transmit failed: -1200 (Card command failed)
0x7f49748f3740 13:52:11.903 [onepin-opensc-pkcs11] sec.c:46:sc_decipher: returning with: -1200 (Card command failed)
0x7f49748f3740 13:52:11.903 [onepin-opensc-pkcs11] card.c:459:sc_unlock: called
0x7f49748f3740 13:52:11.903 [onepin-opensc-pkcs11] pkcs15-sec.c:227:sc_pkcs15_decipher: use_key() failed: -1200 (Card command failed)
0x7f49748f3740 13:52:11.903 [onepin-opensc-pkcs11] pkcs15-sec.c:375:sc_pkcs15_compute_signature: returning with: -1200 (Card command failed)
0x7f49748f3740 13:52:11.903 [onepin-opensc-pkcs11] card.c:459:sc_unlock: called
0x7f49748f3740 13:52:11.903 [onepin-opensc-pkcs11] reader-pcsc.c:662:pcsc_unlock: called
0x7f49748f3740 13:52:11.913 [onepin-opensc-pkcs11] framework-pkcs15.c:3743:pkcs15_prkey_sign: Sign complete. Result -1200.
0x7f49748f3740 13:52:11.913 [onepin-opensc-pkcs11] misc.c:61:sc_to_cryptoki_error_common: libopensc return value: -1200 (Card command failed)
0x7f49748f3740 13:52:11.913 [onepin-opensc-pkcs11] mechanism.c:462:sc_pkcs11_signature_final: returning with: 5
0x7f49748f3740 13:52:11.913 [onepin-opensc-pkcs11] mechanism.c:327:sc_pkcs11_sign_final: returning with: 5
0x7f49748f3740 13:52:11.913 [onepin-opensc-pkcs11] pkcs11-object.c:701:C_Sign: C_Sign() = CKR_GENERAL_ERROR
0x7f49748f3740 13:52:11.913 [onepin-opensc-pkcs11] pkcs11-global.c:311:C_Finalize: C_Finalize()
0x7f49748f3740 13:52:11.913 [onepin-opensc-pkcs11] ctx.c:845:sc_cancel: called
0x7f49748f3740 13:52:11.913 [onepin-opensc-pkcs11] reader-pcsc.c:712:pcsc_cancel: called
0x7f49748f3740 13:52:11.913 [onepin-opensc-pkcs11] slot.c:195:card_removed: Bit4id miniLector-s 00 00: card removed
0x7f49748f3740 13:52:11.913 [onepin-opensc-pkcs11] slot.c:476:slot_token_removed: slot_token_removed(0x0)
0x7f49748f3740 13:52:11.913 [onepin-opensc-pkcs11] pkcs11-session.c:140:sc_pkcs11_close_all_sessions: real C_CloseAllSessions(0x0) 1
0x7f49748f3740 13:52:11.913 [onepin-opensc-pkcs11] pkcs11-session.c:109:sc_pkcs11_close_session: real C_CloseSession(0x55fd2275df00)
0x7f49748f3740 13:52:11.913 [onepin-opensc-pkcs11] pkcs15-pin.c:826:sc_pkcs15_pincache_clear: called
0x7f49748f3740 13:52:11.913 [onepin-opensc-pkcs11] card.c:748:sc_select_file: called; type=2, path=3f00
0x7f49748f3740 13:52:11.913 [onepin-opensc-pkcs11] card-cardos.c:484:cardos_select_file: called
0x7f49748f3740 13:52:11.913 [onepin-opensc-pkcs11] apdu.c:554:sc_transmit_apdu: called
0x7f49748f3740 13:52:11.913 [onepin-opensc-pkcs11] card.c:407:sc_lock: called
0x7f49748f3740 13:52:11.913 [onepin-opensc-pkcs11] reader-pcsc.c:612:pcsc_lock: called
0x7f49748f3740 13:52:11.913 [onepin-opensc-pkcs11] card.c:449:sc_lock: returning with: 0 (Success)
0x7f49748f3740 13:52:11.913 [onepin-opensc-pkcs11] apdu.c:521:sc_transmit: called
0x7f49748f3740 13:52:11.914 [onepin-opensc-pkcs11] apdu.c:371:sc_single_transmit: called
0x7f49748f3740 13:52:11.914 [onepin-opensc-pkcs11] apdu.c:378:sc_single_transmit: CLA:0, INS:A4, P1:0, P2:C, data(2) 0x7ffeb79707c0
0x7f49748f3740 13:52:11.914 [onepin-opensc-pkcs11] reader-pcsc.c:283:pcsc_transmit: reader 'Bit4id miniLector-s 00 00'
0x7f49748f3740 13:52:11.914 [onepin-opensc-pkcs11] reader-pcsc.c:284:pcsc_transmit:
Outgoing APDU (7 bytes):
00 A4 00 0C 02 3F 00 .....?.
0x7f49748f3740 13:52:11.914 [onepin-opensc-pkcs11] reader-pcsc.c:212:pcsc_internal_transmit: called
0x7f49748f3740 13:52:11.925 [onepin-opensc-pkcs11] reader-pcsc.c:293:pcsc_transmit:
Incoming APDU (2 bytes):
90 00 ..
0x7f49748f3740 13:52:11.925 [onepin-opensc-pkcs11] apdu.c:390:sc_single_transmit: returning with: 0 (Success)
0x7f49748f3740 13:52:11.925 [onepin-opensc-pkcs11] apdu.c:543:sc_transmit: returning with: 0 (Success)
0x7f49748f3740 13:52:11.925 [onepin-opensc-pkcs11] card.c:459:sc_unlock: called
0x7f49748f3740 13:52:11.925 [onepin-opensc-pkcs11] reader-pcsc.c:662:pcsc_unlock: called
0x7f49748f3740 13:52:11.934 [onepin-opensc-pkcs11] iso7816.c:557:iso7816_select_file: returning with: 0 (Success)
0x7f49748f3740 13:52:11.934 [onepin-opensc-pkcs11] card-cardos.c:488:cardos_select_file: returning with: 0 (Success)
0x7f49748f3740 13:52:11.934 [onepin-opensc-pkcs11] card.c:783:sc_select_file: returning with: 0 (Success)
0x7f49748f3740 13:52:11.934 [onepin-opensc-pkcs11] apdu.c:554:sc_transmit_apdu: called
0x7f49748f3740 13:52:11.934 [onepin-opensc-pkcs11] card.c:407:sc_lock: called
0x7f49748f3740 13:52:11.934 [onepin-opensc-pkcs11] reader-pcsc.c:612:pcsc_lock: called
0x7f49748f3740 13:52:11.935 [onepin-opensc-pkcs11] card.c:449:sc_lock: returning with: 0 (Success)
0x7f49748f3740 13:52:11.935 [onepin-opensc-pkcs11] apdu.c:521:sc_transmit: called
0x7f49748f3740 13:52:11.935 [onepin-opensc-pkcs11] apdu.c:371:sc_single_transmit: called
0x7f49748f3740 13:52:11.935 [onepin-opensc-pkcs11] apdu.c:378:sc_single_transmit: CLA:80, INS:EA, P1:0, P2:0, data(0) (nil)
0x7f49748f3740 13:52:11.935 [onepin-opensc-pkcs11] reader-pcsc.c:283:pcsc_transmit: reader 'Bit4id miniLector-s 00 00'
0x7f49748f3740 13:52:11.935 [onepin-opensc-pkcs11] reader-pcsc.c:284:pcsc_transmit:
Outgoing APDU (4 bytes):
80 EA 00 00 ....
0x7f49748f3740 13:52:11.935 [onepin-opensc-pkcs11] reader-pcsc.c:212:pcsc_internal_transmit: called
0x7f49748f3740 13:52:11.941 [onepin-opensc-pkcs11] reader-pcsc.c:293:pcsc_transmit:
Incoming APDU (2 bytes):
90 00 ..
0x7f49748f3740 13:52:11.941 [onepin-opensc-pkcs11] apdu.c:390:sc_single_transmit: returning with: 0 (Success)
0x7f49748f3740 13:52:11.941 [onepin-opensc-pkcs11] apdu.c:543:sc_transmit: returning with: 0 (Success)
0x7f49748f3740 13:52:11.942 [onepin-opensc-pkcs11] card.c:459:sc_unlock: called
0x7f49748f3740 13:52:11.942 [onepin-opensc-pkcs11] reader-pcsc.c:662:pcsc_unlock: called
0x7f49748f3740 13:52:11.950 [onepin-opensc-pkcs11] framework-pkcs15.c:1472:pkcs15_release_token: pkcs15_release_token() not implemented
0x7f49748f3740 13:52:11.951 [onepin-opensc-pkcs11] pkcs15.c:1273:sc_pkcs15_unbind: called
0x7f49748f3740 13:52:11.951 [onepin-opensc-pkcs11] pkcs15-pin.c:826:sc_pkcs15_pincache_clear: called
0x7f49748f3740 13:52:11.951 [onepin-opensc-pkcs11] misc.c:61:sc_to_cryptoki_error_common: libopensc return value: 0 (Success)
0x7f49748f3740 13:52:11.951 [onepin-opensc-pkcs11] card.c:346:sc_disconnect_card: called
0x7f49748f3740 13:52:12.120 [onepin-opensc-pkcs11] reader-pcsc.c:597:pcsc_disconnect: Bit4id miniLector-s 00 00:SCardDisconnect returned: 0x00000000
0x7f49748f3740 13:52:12.120 [onepin-opensc-pkcs11] card.c:368:sc_disconnect_card: returning with: 0 (Success)
0x7f49748f3740 13:52:12.120 [onepin-opensc-pkcs11] ctx.c:870:sc_release_context: called
0x7f49748f3740 13:52:12.120 [onepin-opensc-pkcs11] reader-pcsc.c:896:pcsc_finish: called
error: PKCS11 function C_Sign failed: rv = CKR_GENERAL_ERROR (0x5)
Aborting.
RSA-X-509:
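
An added example, not part of the original thread and not OpenSC code: a small decoder for the failing exchange in the log above, showing that the rejected command was a chained block (CLA 10) of 255 bytes and that the reply 68 84 is the ISO 7816-4 status word for unsupported command chaining. The function names are illustrative, and the sample payload is constructed filler rather than the logged bytes.

```python
CHAINING_BIT = 0x10   # ISO 7816-4 interindustry CLA, bit b5: more blocks follow
SW_TEXT = {           # small subset of ISO 7816-4 status words
    0x9000: "success",
    0x6884: "command chaining not supported",
}

def decode_command(apdu: bytes) -> dict:
    """Decode CLA/INS, the chaining flag and Lc (short or extended form)."""
    if len(apdu) < 4:
        raise ValueError("need at least CLA INS P1 P2")
    cla, ins, body = apdu[0], apdu[1], apdu[4:]
    extended, lc = False, 0
    if len(body) <= 1:                 # no data field (optional short Le only)
        pass
    elif body[0] != 0x00:              # short form: one Lc byte, 1..255
        lc = body[0]
        if len(body) - 1 - lc not in (0, 1):        # optional 1-byte Le
            raise ValueError("short Lc does not match APDU length")
    elif len(body) >= 3:               # extended form: 00 + 2 length bytes
        extended = True
        if len(body) > 3:
            lc = int.from_bytes(body[1:3], "big")
            if len(body) - 3 - lc not in (0, 2):    # optional 2-byte Le
                raise ValueError("extended Lc does not match APDU length")
    else:
        raise ValueError("malformed length field")
    chained = cla < 0x80 and bool(cla & CHAINING_BIT)
    return {"cla": cla, "ins": ins, "chained": chained,
            "extended": extended, "lc": lc}

def diagnose(apdu: bytes, sw: int) -> str:
    """Summarise one command/response pair taken from an OpenSC debug log."""
    cmd = decode_command(apdu)
    text = SW_TEXT.get(sw, "not in table")
    if cmd["chained"] and sw == 0x6884:
        return (f"INS {cmd['ins']:02X}: card refused a chained block of "
                f"{cmd['lc']} bytes ({text}); review max_send_size/max_recv_size")
    return f"INS {cmd['ins']:02X}: SW {sw:04X} ({text})"

# Constructed sample: header and length bytes as in the failing log entry,
# with the 255-byte payload replaced by filler.
FAILING = bytes.fromhex("102A80860000FF") + b"\xAA" * 255
SELECT_MF = bytes.fromhex("00A4000C023F00")   # short command from the log

if __name__ == "__main__":
    print(diagnose(FAILING, 0x6884))
    print(diagnose(SELECT_MF, 0x9000))
```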

@frankmorgner
Member

Yes, you need to set max_send_size/max_recv_size. If you can't find the system wide opensc.conf you can also set the OPENSC_CONF environment variable to the path of your file.

@frankmorgner
Member

Duplicate of #1118, #1005, #802

Maybe @Jakuje knows where the system wide configuration file is...

@Jakuje
Member

Jakuje commented Nov 24, 2017

Frank, thank you for the fast feedback. The configuration in Fedora is in /etc/opensc-x86_64.conf on x86_64 architecture.

The original bug also said it worked with 0.16.0 and before the suggested commit. So you mean that this worked with the old cardmod driver, but does not work with the pcsc?

The extended APDU in Omnikey 3121 were implemented in PCSC in Fedora 26

https://bugzilla.redhat.com/show_bug.cgi?id=1420024

But Omnikey 3021 is probably older. In PCSC it does not support extended APDU:

https://pcsclite.alioth.debian.org/ccid/shouldwork.html#0x076B0x3021

So the fastest solution would be to buy a new card reader. Not sure if there would be a way to implement some workaround also for this driver. Bad thing is that it does not CCID compliant APDUs.

@vovata
Author

vovata commented Nov 24, 2017

Thanks, on Fedora 26/27 when the values max_send_size/max_recv_size in /etc/opensc-x86_64.conf are increased everything is fine.

@Jakuje
Member

Jakuje commented Nov 24, 2017

Thank you for the confirmation that it got resolved by updating the sizes. I will also close the bug.

@nmav
Contributor

nmav commented Nov 24, 2017

Can these limits be detected by opensc?

frankmorgner added a commit that referenced this issue Nov 27, 2017
frankmorgner added a commit that referenced this issue Dec 4, 2017
metsma pushed a commit to metsma/OpenSC that referenced this issue Dec 6, 2017
@gocarlos

gocarlos commented Jun 1, 2018

making max_send_size and max_recv_size worked for me on a Thinkpad P51
