gnupg-pkcs11-scd "SCD LEARN" yields segfault in libcrypto.so.1.1 #1619

Closed
jrozanski opened this issue Mar 4, 2019 · 9 comments

@jrozanski

Problem Description

  • Card: Smartcard-HSM
  • OpenSC version: 0.17.0-3
  • OS: Ubuntu 18.04
  • GPG version: 2.2.4-1ubuntu1.2
  • libcrypt version: 1:2.4-4

Card contains:

  • 5 different RSA key pairs
  • 1 certificate
  • 1 file

The gpg-agent.conf

scdaemon-program /usr/bin/gnupg-pkcs11-scd
pinentry-program /usr/bin/pinentry-gnome3

The gnupg-pkcs11-scd.conf

verbose

pin-cache 20

providers opensc
provider-opensc-library /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so

Unable to get list of KEY-FRIENDLY entries using following:

OK Pleased to meet you
SCD LEARN
gnupg-pkcs11-scd[20966.1068033856]: PKCS#11: pkcs11h_addProvider entry version='1.22', pid=20966, reference='opensc', provider_location='/usr/lib/x86_64-linux-gnu/opensc-pkcs11.so', allow_protected_auth=0, mask_private_mode=00000000, cert_is_private=0
gnupg-pkcs11-scd[20966.1068033856]: PKCS#11: Adding provider 'opensc'-'/usr/lib/x86_64-linux-gnu/opensc-pkcs11.so'
gnupg-pkcs11-scd[20966.1068033856]: PKCS#11: pkcs11h_addProvider Provider 'opensc' manufacturerID 'OpenSC Project'
gnupg-pkcs11-scd[20966.1068033856]: PKCS#11: _pkcs11h_slotevent_notify entry
gnupg-pkcs11-scd[20966.1068033856]: PKCS#11: _pkcs11h_slotevent_notify return
gnupg-pkcs11-scd[20966.1068033856]: PKCS#11: Provider 'opensc' added rv=0-'CKR_OK'
gnupg-pkcs11-scd[20966.1068033856]: PKCS#11: pkcs11h_addProvider return rv=0-'CKR_OK'
gnupg-pkcs11-scd[20966.1068033856]: Listening to socket '/tmp/gnupg-pkcs11-scd.zVDldy/agent.S'
gnupg-pkcs11-scd[20966.1068033856]: accepting connection
gnupg-pkcs11-scd[20966]: chan_0 -> OK PKCS#11 smart-card server for GnuPG ready
gnupg-pkcs11-scd[20966.1068033856]: processing connection
gnupg-pkcs11-scd[20966]: chan_0 <- GETINFO socket_name
gnupg-pkcs11-scd[20966]: chan_0 -> D /tmp/gnupg-pkcs11-scd.zVDldy/agent.S
gnupg-pkcs11-scd[20966]: chan_0 -> OK
gnupg-pkcs11-scd[20966]: chan_0 <- LEARN
# ...
gnupg-pkcs11-scd[20966.1068033856]: PKCS#11: Creating a new session
gnupg-pkcs11-scd[20966.1068033856]: PKCS#11: pkcs11h_token_duplicateTokenId entry to=0x55f456696478 form=0x55f8786a7a70
gnupg-pkcs11-scd[20966.1068033856]: PKCS#11: pkcs11h_token_duplicateTokenId return rv=0-'CKR_OK', *to=0x55f5646a7ee0
gnupg-pkcs11-scd[20966.1068033856]: PKCS#11: _pkcs11h_session_getSessionByTokenId return rv=0-'CKR_OK', *p_session=0x55f64696166
gnupg-pkcs11-scd[20966.1068033856]: PKCS#11: _pkcs11h_certificate_enumSessionCertificates entry session=0x55f64696166, user_data=0x55f5417a64b0, mask_prompt=00000003
gnupg-pkcs11-scd[20966.1068033856]: PKCS#11: _pkcs11h_session_validate entry session=0x55f64696166
gnupg-pkcs11-scd[20966.1068033856]: PKCS#11: _pkcs11h_session_validate return rv=179-'CKR_SESSION_HANDLE_INVALID'
gnupg-pkcs11-scd[20966.1068033856]: PKCS#11: Get certificate attributes failed: 179:'CKR_SESSION_HANDLE_INVALID'
# ...

As it yields following errors:

gnupg-pkcs11-sc[20966]: segfault at 8 ip 00007f903eb5e910 sp 00007ffc71dc9768 error 4 in libcrypto.so.1.1[7f903eab2000+24d000]
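
An added example, not part of the original report or of either project's code: a short triage script that decodes the kernel segfault line quoted above and lists the calls in a pkcs11-helper trace that did not return CKR_OK. The sample lines are copied from the report; the function names are hypothetical, and the computed offset is relative to the mapping the kernel printed, which equals a library-relative address only if that mapping starts at the library's load base.

```python
import re

# Sample input: lines copied from the report above.
KERNEL_LINE = (
    "gnupg-pkcs11-sc[20966]: segfault at 8 ip 00007f903eb5e910 "
    "sp 00007ffc71dc9768 error 4 in libcrypto.so.1.1[7f903eab2000+24d000]"
)
HELPER_LOG = """\
gnupg-pkcs11-scd[20966.1068033856]: PKCS#11: pkcs11h_addProvider return rv=0-'CKR_OK'
gnupg-pkcs11-scd[20966.1068033856]: PKCS#11: _pkcs11h_session_validate return rv=179-'CKR_SESSION_HANDLE_INVALID'
gnupg-pkcs11-scd[20966.1068033856]: PKCS#11: Get certificate attributes failed: 179:'CKR_SESSION_HANDLE_INVALID'
"""

# Linux x86 format: "segfault at <addr> ip <ip> sp <sp> error <code> in <obj>[<base>+<size>]"
SEGV_RE = re.compile(
    r"segfault at (?P<addr>[0-9a-f]+) ip (?P<ip>[0-9a-f]+) sp (?P<sp>[0-9a-f]+) "
    r"error (?P<err>[0-9a-f]+) in (?P<obj>[^\[\s]+)\[(?P<base>[0-9a-f]+)\+(?P<size>[0-9a-f]+)\]"
)
# pkcs11-helper trace lines of the form "<function> return rv=<n>-'<CKR_NAME>'"
RV_RE = re.compile(r"PKCS#11: (?P<func>\w+) return rv=(?P<rv>\d+)-'(?P<name>CKR_\w+)'")


def decode_segfault(line):
    """Decode a kernel 'segfault at ...' line; every number in it is hexadecimal."""
    m = SEGV_RE.search(line)
    if m is None:
        return None
    addr, ip, err, base, size = (
        int(m[k], 16) for k in ("addr", "ip", "err", "base", "size")
    )
    return {
        "object": m["obj"],
        "fault_addr": addr,
        # Offset of the faulting instruction inside the printed mapping; this is
        # the value to resolve against the library's symbols (addr2line, gdb).
        "offset_in_mapping": ip - base,
        "ip_inside_mapping": base <= ip < base + size,
        # x86 page-fault error code: bit 0 = page present, bit 1 = write, bit 2 = user mode.
        "page_present": bool(err & 1),
        "access": "write" if err & 2 else "read",
        "user_mode": bool(err & 4),
        # A fault address inside the first page is consistent with reading a
        # struct member through a NULL (or near-NULL) pointer.
        "near_null": addr < 4096,
    }


def non_ok_returns(log_text):
    """Return (function, rv, name) for each traced call whose rv is not CKR_OK (0)."""
    return [
        (m["func"], int(m["rv"]), m["name"])
        for m in RV_RE.finditer(log_text)
        if int(m["rv"]) != 0
    ]


if __name__ == "__main__":
    info = decode_segfault(KERNEL_LINE)
    print(f"{info['object']}+{info['offset_in_mapping']:#x}: {info['access']} "
          f"of {info['fault_addr']:#x}, near NULL: {info['near_null']}")
    for func, rv, name in non_ok_returns(HELPER_LOG):
        print(f"{func} -> {rv} ({name})")
```
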
@frankmorgner
Member

What about pkcs11-tool --login --test, does it work as expected?

Why do you think that there is a problem within OpenSC? Please try to get a backtrace of the crash.

@jrozanski
Author

The pkcs11-tool works fine AFAIK. The problem seems to be related to gnupg-pkcs11-scd and there is a SEGFAULT (see final entry in the issue description).

I assumed (hopefully not incorrectly) that since all tools from opensc work and the card communicates correctly except for gnupg-pkcs11-scd, it is not a card issue but an OpenSC issue.

@frankmorgner
Member

I'm not very familiar with gnupg's tools. Please find out what exactly crashes and run that with debug symbols in gdb or valgrind. These tools will show if the problem occurred while running some OpenSC functionality. Please also list the exact steps for reproducing this behavior.

@Jakuje
Member

Jakuje commented Mar 4, 2019

Please, provide the backtrace from the segfault by attaching the gdb to the process or running under valgrind. It is not clear whether OpenSC or gnupg-pkcs11-scd itself crashes.

OpenSC debug log would be also helpful at least to see what is going on there in OpenSC.

@frankmorgner
Member

  1. Run gnupg-pkcs11-scd --server with your configuration
  2. Insert Smartcard HSM (GoID)
  3. Write LEARN

...works for me as expected with both, OpenSC 0.17.0 (deprecated, see https://github.com/OpenSC/OpenSC/wiki#news) and master.

@mor-anshuman

I have also hit the same issue, here are details -

Runtime -
OS: ubuntu 18.04
gnupg-pkcs11-scd: 0.9.1

Upon adding gdb, got the segmentation fault in BN_is_zero function -
(gdb) run --verbose --server
Starting program: /usr/bin/gnupg-pkcs11-scd --verbose --server
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/lib/x86_64-linux-gnu/libthread_db.so.1".
warning: Missing auto-load script at offset 0 in section .debug_gdb_scripts
of file xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx.
Use `info auto-load python-scripts [REGEXP]' to list them.
[New Thread 0x7ffff54f8700 (LWP 18102)]
[New Thread 0x7ffff4ae6700 (LWP 18103)]
[New Thread 0x7fffedfff700 (LWP 18104)]
[New Thread 0x7fffed7fe700 (LWP 18105)]
[New Thread 0x7fffecffd700 (LWP 18106)]
OK PKCS#11 smart-card server for GnuPG ready
LEARN
S SERIALNO D27600012401115031310321FA791111
S APPTYPE PKCS11

Thread 1 "gnupg-pkcs11-sc" received signal SIGSEGV, Segmentation fault.
0x00007ffff70a78d0 in BN_is_zero () from /usr/lib/x86_64-linux-gnu/libcrypto.so.1.1
(gdb)

(gdb) info break
Num Type Disp Enb Address What
1 breakpoint keep y 0x00007ffff70a78d0 <BN_is_zero>
(gdb) bt
#0 0x00007ffff70a78d0 in BN_is_zero () from /usr/lib/x86_64-linux-gnu/libcrypto.so.1.1
#1 0x00007ffff70ad09e in BN_bn2hex () from /usr/lib/x86_64-linux-gnu/libcrypto.so.1.1
#2 0x000055555555bf46 in ?? ()
#3 0x000055555555c020 in ?? ()
#4 0x000055555555961a in ?? ()
#5 0x0000555555559920 in ?? ()
#6 0x000055555555a233 in ?? ()
#7 0x00007ffff79b4906 in ?? () from /usr/lib/x86_64-linux-gnu/libassuan.so.0
#8 0x00007ffff79b4c38 in assuan_process () from /usr/lib/x86_64-linux-gnu/libassuan.so.0
#9 0x00005555555590a5 in ?? ()
#10 0x0000555555557c69 in ?? ()
#11 0x00007ffff6a10b97 in __libc_start_main (main=0x555555557770, argc=3, argv=0x7fffffffe448, init=, fini=,
rtld_fini=, stack_end=0x7fffffffe438) at ../csu/libc-start.c:310
#12 0x000055555555865a in ?? ()

gnupg-pkcs11-scd logs
gnupg-pkcs11-scd[18294.3506784064]: PKCS#11: pkcs11h_addProvider entry version='1.22', pid=18294, reference='p1', provider_location='xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx', allow_protected_auth=0, mask_private_mode=00000000, cert_is_private=0
gnupg-pkcs11-scd[18294.3506784064]: PKCS#11: Adding provider 'p1'-'xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx'
gnupg-pkcs11-scd[18294.3506784064]: PKCS#11: pkcs11h_addProvider Provider 'p1' manufacturerID 'xxxxxxxxxxx'
gnupg-pkcs11-scd[18294.3506784064]: PKCS#11: _pkcs11h_slotevent_notify entry
gnupg-pkcs11-scd[18294.3506784064]: PKCS#11: _pkcs11h_slotevent_notify return
gnupg-pkcs11-scd[18294.3506784064]: PKCS#11: Provider 'p1' added rv=0-'CKR_OK'
gnupg-pkcs11-scd[18294.3506784064]: PKCS#11: pkcs11h_addProvider return rv=0-'CKR_OK'
gnupg-pkcs11-scd[18294.3506784064]: accepting connection
gnupg-pkcs11-scd[18294]: chan_0 -> OK PKCS#11 smart-card server for GnuPG ready
gnupg-pkcs11-scd[18294.3506784064]: processing connection
gnupg-pkcs11-scd[18294]: chan_0 <- LEARN
gnupg-pkcs11-scd[18294.3506784064]: PKCS#11: pkcs11h_token_enumTokenIds entry method=1, p_token_id_list=0x7ffe79fcc160
gnupg-pkcs11-scd[18294.3506784064]: PKCS#11: _pkcs11h_session_getSlotList entry provider=0x55f498c98c30, token_present=1, pSlotList=0x7ffe79fcc028, pulCount=0x7ffe79fcc030
gnupg-pkcs11-scd[18294.3506784064]: PKCS#11: _pkcs11h_session_getSlotList return rv=0-'CKR_OK' *pulCount=1
gnupg-pkcs11-scd[18294.3506784064]: PKCS#11: _pkcs11h_token_getTokenId entry p_token_id=0x55f498cc1138
gnupg-pkcs11-scd[18294.3506784064]: PKCS#11: _pkcs11h_token_newTokenId entry p_token_id=0x7ffe79fcbfc0
gnupg-pkcs11-scd[18294.3506784064]: PKCS#11: _pkcs11h_token_newTokenId return rv=0-'CKR_OK', *p_token_id=0x55f498cc2a30
gnupg-pkcs11-scd[18294.3506784064]: PKCS#11: _pkcs11h_token_getTokenId return rv=0-'CKR_OK', *p_token_id=0x55f498cc2a30
gnupg-pkcs11-scd[18294.3506784064]: PKCS#11: pkcs11h_token_enumTokenIds return rv=0-'CKR_OK', *p_token_id_list=0x7ffe79fcc160
gnupg-pkcs11-scd[18294.3506784064]: PKCS#11: pkcs11h_token_serializeTokenId entry sz=(nil), *max=0000000000000000, token_id=0x55f498cc2a30
gnupg-pkcs11-scd[18294.3506784064]: PKCS#11: pkcs11h_token_serializeTokenId return rv=0-'CKR_OK', *max=0000000000000043, sz='(null)'
gnupg-pkcs11-scd[18294.3506784064]: PKCS#11: pkcs11h_token_serializeTokenId entry sz=0x55f498cbf3a0, *max=0000000000000043, token_id=0x55f498cc2a30
gnupg-pkcs11-scd[18294.3506784064]: PKCS#11: pkcs11h_token_serializeTokenId return rv=0-'CKR_OK', *max=0000000000000043, sz='xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx'
gnupg-pkcs11-scd[18294.3506784064]: PKCS#11: pkcs11h_token_freeTokenIdList entry token_id_list=0x55f498cc1130
gnupg-pkcs11-scd[18294.3506784064]: PKCS#11: pkcs11h_token_freeTokenId entry certificate_id=0x55f498cc2a30
gnupg-pkcs11-scd[18294.3506784064]: PKCS#11: pkcs11h_token_freeTokenId return
gnupg-pkcs11-scd[18294.3506784064]: PKCS#11: pkcs11h_token_freeTokenIdList return
gnupg-pkcs11-scd[18294]: chan_0 -> S SERIALNO D27600012401115031310321FA791111
gnupg-pkcs11-scd[18294]: chan_0 -> S APPTYPE PKCS11
gnupg-pkcs11-scd[18294.3506784064]: PKCS#11: pkcs11h_certificate_enumCertificateIds entry method=1, mask_prompt=00000003, p_cert_id_issuers_list=0x7ffe79fcc198, p_cert_id_end_list=0x7ffe79fcc190
gnupg-pkcs11-scd[18294.3506784064]: PKCS#11: _pkcs11h_session_getSlotList entry provider=0x55f498c98c30, token_present=1, pSlotList=0x7ffe79fcc050, pulCount=0x7ffe79fcc058
gnupg-pkcs11-scd[18294.3506784064]: PKCS#11: _pkcs11h_session_getSlotList return rv=0-'CKR_OK' *pulCount=1
gnupg-pkcs11-scd[18294.3506784064]: PKCS#11: _pkcs11h_token_getTokenId entry p_token_id=0x7ffe79fcc068
gnupg-pkcs11-scd[18294.3506784064]: PKCS#11: _pkcs11h_token_newTokenId entry p_token_id=0x7ffe79fcbfc0
gnupg-pkcs11-scd[18294.3506784064]: PKCS#11: _pkcs11h_token_newTokenId return rv=0-'CKR_OK', *p_token_id=0x55f498cc2a30
gnupg-pkcs11-scd[18294.3506784064]: PKCS#11: _pkcs11h_token_getTokenId return rv=0-'CKR_OK', *p_token_id=0x55f498cc2a30
gnupg-pkcs11-scd[18294.3506784064]: PKCS#11: _pkcs11h_session_getSessionByTokenId entry token_id=0x55f498cc2a30, p_session=0x7ffe79fcc060
gnupg-pkcs11-scd[18294.3506784064]: PKCS#11: Creating a new session
gnupg-pkcs11-scd[18294.3506784064]: PKCS#11: pkcs11h_token_duplicateTokenId entry to=0x55f498cc07b8 form=0x55f498cc2a30
gnupg-pkcs11-scd[18294.3506784064]: PKCS#11: pkcs11h_token_duplicateTokenId return rv=0-'CKR_OK', *to=0x55f498cc2ea0
gnupg-pkcs11-scd[18294.3506784064]: PKCS#11: _pkcs11h_session_getSessionByTokenId return rv=0-'CKR_OK', *p_session=0x55f498cc07a0
gnupg-pkcs11-scd[18294.3506784064]: PKCS#11: _pkcs11h_certificate_enumSessionCertificates entry session=0x55f498cc07a0, user_data=0x55f498cc52d0, mask_prompt=00000003
gnupg-pkcs11-scd[18294.3506784064]: PKCS#11: _pkcs11h_session_validate entry session=0x55f498cc07a0
gnupg-pkcs11-scd[18294.3506784064]: PKCS#11: _pkcs11h_session_validate return rv=179-'CKR_SESSION_HANDLE_INVALID'
gnupg-pkcs11-scd[18294.3506784064]: PKCS#11: Get certificate attributes failed: 179:'CKR_SESSION_HANDLE_INVALID'
gnupg-pkcs11-scd[18294.3506784064]: PKCS#11: _pkcs11h_session_login entry session=0x55f498cc07a0, is_publicOnly=1, readonly=1, user_data=0x55f498cc52d0, mask_prompt=00000001
gnupg-pkcs11-scd[18294.3506784064]: PKCS#11: _pkcs11h_session_logout entry session=0x55f498cc07a0
gnupg-pkcs11-scd[18294.3506784064]: PKCS#11: _pkcs11h_session_logout return
gnupg-pkcs11-scd[18294.3506784064]: PKCS#11: _pkcs11h_session_reset entry session=0x55f498cc07a0, user_data=0x55f498cc52d0, mask_prompt=00000001, p_slot=0x7ffe79fcbaa8
gnupg-pkcs11-scd[18294.3506784064]: PKCS#11: _pkcs11h_session_reset Expected token manufacturerID='xxxxxxxxxxxxx' model='xxxxxxxxxxxxx', serialNumber='1', label='xxxxxxxxxxxxx'
gnupg-pkcs11-scd[18294.3506784064]: PKCS#11: _pkcs11h_session_getSlotList entry provider=0x55f498c98c30, token_present=1, pSlotList=0x7ffe79fcb958, pulCount=0x7ffe79fcb960
gnupg-pkcs11-scd[18294.3506784064]: PKCS#11: _pkcs11h_session_getSlotList return rv=0-'CKR_OK' *pulCount=1
gnupg-pkcs11-scd[18294.3506784064]: PKCS#11: _pkcs11h_token_getTokenId entry p_token_id=0x7ffe79fcb968
gnupg-pkcs11-scd[18294.3506784064]: PKCS#11: _pkcs11h_token_newTokenId entry p_token_id=0x7ffe79fcb8d0
gnupg-pkcs11-scd[18294.3506784064]: PKCS#11: _pkcs11h_token_newTokenId return rv=0-'CKR_OK', *p_token_id=0x55f498cc61a0
gnupg-pkcs11-scd[18294.3506784064]: PKCS#11: _pkcs11h_token_getTokenId return rv=0-'CKR_OK', *p_token_id=0x55f498cc61a0
gnupg-pkcs11-scd[18294.3506784064]: PKCS#11: _pkcs11h_session_reset Found token manufacturerID='xxxxxxxxxxxxx' model='xxxxxxxxxxxxx', serialNumber='1', label='xxxxxxxxxxxxx'
gnupg-pkcs11-scd[18294.3506784064]: PKCS#11: pkcs11h_token_freeTokenId entry certificate_id=0x55f498cc61a0
gnupg-pkcs11-scd[18294.3506784064]: PKCS#11: pkcs11h_token_freeTokenId return
gnupg-pkcs11-scd[18294.3506784064]: PKCS#11: _pkcs11h_session_reset return rv=0-'CKR_OK', *p_slot=0
gnupg-pkcs11-scd[18294.3506784064]: PKCS#11: _pkcs11h_session_login return rv=0-'CKR_OK'
gnupg-pkcs11-scd[18294.3506784064]: PKCS#11: _pkcs11h_session_validate entry session=0x55f498cc07a0
gnupg-pkcs11-scd[18294.3506784064]: PKCS#11: _pkcs11h_session_validate session->pin_expire_time=0, time=1576297849
gnupg-pkcs11-scd[18294.3506784064]: PKCS#11: _pkcs11h_session_validate return rv=0-'CKR_OK'
gnupg-pkcs11-scd[18294.3506784064]: PKCS#11: _pkcs11h_session_findObjects entry session=0x55f498cc07a0, filter=0x7ffe79fcbf60, filter_attrs=1, p_objects=0x7ffe79fcbf40, p_objects_found=0x7ffe79fcbf48
gnupg-pkcs11-scd[18294.3506784064]: PKCS#11: _pkcs11h_session_findObjects return rv=0-'CKR_OK', *p_objects_found=1
gnupg-pkcs11-scd[18294.3506784064]: PKCS#11: _pkcs11h_session_getObjectAttributes entry session=0x55f498cc07a0, object=1, attrs=0x7ffe79fcbf80, count=2
gnupg-pkcs11-scd[18294.3506784064]: PKCS#11: _pkcs11h_session_getObjectAttributes return rv=0-'CKR_OK'
gnupg-pkcs11-scd[18294.3506784064]: PKCS#11: _pkcs11h_certificate_newCertificateId entry p_certificate_id=0x7ffe79fcbf50
gnupg-pkcs11-scd[18294.3506784064]: PKCS#11: _pkcs11h_certificate_newCertificateId return rv=0-'CKR_OK', *p_certificate_id=0x55f498cc65c0
gnupg-pkcs11-scd[18294.3506784064]: PKCS#11: pkcs11h_token_duplicateTokenId entry to=0x55f498cc65c0 form=0x55f498cc2ea0
gnupg-pkcs11-scd[18294.3506784064]: PKCS#11: pkcs11h_token_duplicateTokenId return rv=0-'CKR_OK', *to=0x55f498cc69f0
gnupg-pkcs11-scd[18294.3506784064]: PKCS#11: __pkcs11h_certificate_updateCertificateIdDescription entry certificate_id=0x55f498cc65c0
gnupg-pkcs11-scd[18294.3506784064]: PKCS#11: __pkcs11h_openssl_ex_data_free entered - parent=0x55f498cdad10, ptr=(nil), ad=0x55f498cdad70, idx=1, argl=0, argp=0x7f55cfe67842
gnupg-pkcs11-scd[18294.3506784064]: PKCS#11: __pkcs11h_certificate_updateCertificateIdDescription return displayName='xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx'
gnupg-pkcs11-scd[18294.3506784064]: PKCS#11: _pkcs11h_session_freeObjectAttributes entry attrs=0x7ffe79fcbf80, count=2
gnupg-pkcs11-scd[18294.3506784064]: PKCS#11: _pkcs11h_session_freeObjectAttributes return
gnupg-pkcs11-scd[18294.3506784064]: PKCS#11: _pkcs11h_certificate_enumSessionCertificates return rv=0-'CKR_OK'
gnupg-pkcs11-scd[18294.3506784064]: PKCS#11: _pkcs11h_session_release entry session=0x55f498cc07a0
gnupg-pkcs11-scd[18294.3506784064]: PKCS#11: _pkcs11h_session_release return rv=0-'CKR_OK'
gnupg-pkcs11-scd[18294.3506784064]: PKCS#11: pkcs11h_token_freeTokenId entry certificate_id=0x55f498cc2a30
gnupg-pkcs11-scd[18294.3506784064]: PKCS#11: pkcs11h_token_freeTokenId return
gnupg-pkcs11-scd[18294.3506784064]: PKCS#11: pkcs11h_certificate_duplicateCertificateId entry to=0x55f498cc1158 form=0x55f498cc65c0
gnupg-pkcs11-scd[18294.3506784064]: PKCS#11: pkcs11h_certificate_duplicateCertificateId return rv=0-'CKR_OK', *to=0x55f498cc2a30
gnupg-pkcs11-scd[18294.3506784064]: PKCS#11: __pkcs11h_certificate_splitCertificateIdList entry cert_id_all=0x55f498cc1150, p_cert_id_issuers_list=0x7ffe79fcc198, p_cert_id_end_list=0x7ffe79fcc190
gnupg-pkcs11-scd[18294.3506784064]: PKCS#11: pkcs11h_certificate_duplicateCertificateId entry to=0x55f498cc7538 form=0x55f498cc2a30
gnupg-pkcs11-scd[18294.3506784064]: PKCS#11: pkcs11h_certificate_duplicateCertificateId return rv=0-'CKR_OK', *to=0x55f498cdb650
gnupg-pkcs11-scd[18294.3506784064]: PKCS#11: __pkcs11h_certificate_splitCertificateIdList return rv=0-'CKR_OK'
gnupg-pkcs11-scd[18294.3506784064]: PKCS#11: pkcs11h_certificate_freeCertificateIdList entry cert_id_list=0x55f498cc1150
gnupg-pkcs11-scd[18294.3506784064]: PKCS#11: pkcs11h_certificate_freeCertificateId entry certificate_id=0x55f498cc2a30
gnupg-pkcs11-scd[18294.3506784064]: PKCS#11: pkcs11h_token_freeTokenId entry certificate_id=0x55f498cdb1e0
gnupg-pkcs11-scd[18294.3506784064]: PKCS#11: pkcs11h_token_freeTokenId return
gnupg-pkcs11-scd[18294.3506784064]: PKCS#11: pkcs11h_certificate_freeCertificateId return
gnupg-pkcs11-scd[18294.3506784064]: PKCS#11: pkcs11h_certificate_freeCertificateIdList return
gnupg-pkcs11-scd[18294.3506784064]: PKCS#11: pkcs11h_certificate_enumCertificateIds return rv=0-'CKR_OK'
gnupg-pkcs11-scd[18294.3506784064]: PKCS#11: pkcs11h_certificate_create entry certificate_id=0x55f498cdb650, user_data=0x55f498cc52d0, mask_prompt=00000003, pin_cache_period=-1, p_certificate=0x7ffe79fcc058
gnupg-pkcs11-scd[18294.3506784064]: PKCS#11: pkcs11h_certificate_duplicateCertificateId entry to=0x55f498cbf700 form=0x55f498cdb650
gnupg-pkcs11-scd[18294.3506784064]: PKCS#11: pkcs11h_certificate_duplicateCertificateId return rv=0-'CKR_OK', *to=0x55f498cc2a30
gnupg-pkcs11-scd[18294.3506784064]: PKCS#11: _pkcs11h_session_getSessionByTokenId entry token_id=0x55f498cdb1e0, p_session=0x55f498cbf710
gnupg-pkcs11-scd[18294.3506784064]: PKCS#11: Using cached session
gnupg-pkcs11-scd[18294.3506784064]: PKCS#11: _pkcs11h_session_getSessionByTokenId return rv=0-'CKR_OK', *p_session=0x55f498cc07a0
gnupg-pkcs11-scd[18294.3506784064]: PKCS#11: pkcs11h_certificate_create return rv=0-'CKR_OK' *p_certificate=0x55f498cbf700
gnupg-pkcs11-scd[18294.3506784064]: PKCS#11: pkcs11h_certificate_getCertificateBlob entry certificate=0x55f498cbf700, certificate_blob=(nil), *p_certificate_blob_size=0000000000000000
gnupg-pkcs11-scd[18294.3506784064]: PKCS#11: pkcs11h_certificate_getCertificateBlob return rv=0-'CKR_OK'
gnupg-pkcs11-scd[18294.3506784064]: PKCS#11: pkcs11h_certificate_getCertificateBlob entry certificate=0x55f498cbf700, certificate_blob=0x55f498cdc310, *p_certificate_blob_size=000000000000040d
gnupg-pkcs11-scd[18294.3506784064]: PKCS#11: pkcs11h_certificate_getCertificateBlob return rv=0-'CKR_OK'
gnupg-pkcs11-scd[18294.3506784064]: PKCS#11: pkcs11h_certificate_freeCertificate entry certificate=0x55f498cbf700
gnupg-pkcs11-scd[18294.3506784064]: PKCS#11: _pkcs11h_session_release entry session=0x55f498cc07a0
gnupg-pkcs11-scd[18294.3506784064]: PKCS#11: _pkcs11h_session_release return rv=0-'CKR_OK'
gnupg-pkcs11-scd[18294.3506784064]: PKCS#11: pkcs11h_certificate_freeCertificateId entry certificate_id=0x55f498cc2a30
gnupg-pkcs11-scd[18294.3506784064]: PKCS#11: pkcs11h_token_freeTokenId entry certificate_id=0x55f498cdb1e0
gnupg-pkcs11-scd[18294.3506784064]: PKCS#11: pkcs11h_token_freeTokenId return
gnupg-pkcs11-scd[18294.3506784064]: PKCS#11: pkcs11h_certificate_freeCertificateId return
gnupg-pkcs11-scd[18294.3506784064]: PKCS#11: pkcs11h_certificate_freeCertificate return

I used pkcs11-logger for debugging pkcs#11 and noticed that the last function executed is C_GetAttributeValue[CKA_ID and CKA_VALUE] for the certificate object which is returned successfully and after that no more logs.

I am trying my best to debug but any help would be greatly appreciated.

@mor-anshuman

Ok, so quick update: I built the latest gnupg-pkcs11-scd 0.9.2 and the issue is resolved. I can get the details but have hit another problem -

gpg: OpenPGP card not available: Bad session key.

My PKCS#11 token returns both PublicKey and Certificate as public object for only RSA key!

Can you suggest something here?

@Jakuje
Member

Jakuje commented Jun 3, 2021

Sorry for the delay. I think the OpenSC at the time of writing did not support anything else but RSA keys. Now, the ECDSA and EDDSA should be supported too. Can you check with current master or latest release candidate?

@Jakuje
Member

Jakuje commented Sep 29, 2022

No update for three years -> Closing. If it is still an issue, open a new one.

@Jakuje Jakuje closed this as completed Sep 29, 2022