SC-HSM: OpenSC 0.23.0 broken on Cygwin current #2944
Comments
We will probably need some more logs to see what is going on there and why it fails. If you mean the wiki by the documentation, you can fix it already using a PR to https://github.com/OpenSC/Wiki/blob/master/Compiling-on-Cygwin.md as described in the footer of the wiki. |
I will provide the logs ASAP. |
Is a PR possible by just creating a new branch and pull, or do I need special permission? |
With the normal GitHub workflow you should be good. You should be able to do the simple edits through the web UI too, which will end up in forking the project, creating a new branch with the changes and opening a new PR there. |
Ah, ok: need to fork, that was the question. |
Ok, PR has been created, logs following. |
Thanks! What about the debug logs? Do they show something useful? |
Sorry, due to usage of 0.22 on my current Win11 system (work) I have to compile on another machine. I suppose logs coming late this evening. |
Apologies. SC-reader in second laptop unexpectedly not working anymore. Very annoying. Logs following, sorry again. |
Still no progress, somehow the reader seems broken :( ASAP logs follow. |
@Jakuje Attached the logs. |
Thanks! @CardContact do you see something obvious in the log that could be incompatible with SC-HSM in recent OpenSC versions?
and what is failing is in pkcs15 emulator pulling of the CVC:
|
But as I stated, "OpenSC 0.23.0 on Windows 11_x64" works as expected with the same SC-HSM card. Could someone else please check with another SC vendor on CygWin, thanks! |
oh, missed that part that it works with a different build. The logs look like communication with the card is working ok. Could it be some missing dependency in the cygwin making some functionality unusable (zlib? openssl?). Can you compare output of the configure or |
I will do so, I assume something is wrong with openssl changing to new API calls. Approx. 1-2 days... |
Still in the pipe ... Too much projects in parallel ... |
Can you please state where the CI build takes place / where the source / config files are located? I think I will write you some .md README files afterwards. I found the docker container for building but no description of how the CI builds are triggered (or maybe I am blind). |
Ha, found it, just familiar with GitLab CI, github uses |
@Jakuje Went through the CI build process (scripts); I have too little knowledge about GitHub actions / CI. In which environment (Linux VM / Docker) is the build process initiated? I have some questions about the Mingw CI building.
```sh
# excerpt of the OpenSC CI build script as quoted in this comment
if [ "$1" == "mingw" -o "$1" == "mingw32" ]; then
mkdir -p src/minidriver/CNG
wget https://raw.githubusercontent.com/open-eid/minidriver/master/cardmod.h -O src/minidriver/CNG/cardmod.h
if [ "$1" == "mingw" ]; then
HOST=x86_64-w64-mingw32
elif [ "$1" == "mingw32" ]; then
HOST=i686-w64-mingw32
fi
unset CC
unset CXX
CFLAGS="-I$PWD/src/minidriver/CNG -Wno-error=unknown-pragmas" \
CPPFLAGS="-DNTDDI_VERSION=0x06010000" \
./configure --host=$HOST --with-completiondir=/tmp --disable-openssl --disable-readline --disable-zlib --enable-minidriver --enable-notify --prefix=$PWD/win32/opensc || cat config.log;
make -j 4 V=1
# no point in running tests on mingw
if [ "$1" == "mingw" -o "$1" == "mingw32" ]; then
# pack installed files
wine "C:/Program Files/Inno Setup 5/ISCC.exe" win32/OpenSC.iss
fi
```
If you could provide me the information I am able to process much faster. |
This is how OpenSC is integrated into the Windows authentication system and tools. If you use pkcs11-tool, you will not get in touch with this. Generally Windows provides some of its own, but allows third parties to install their own, which is what OpenSC does:
We likely do not have the dependencies under mingw under ubuntu.
This is Inno Setup, which creates Windows installers. It's downloaded here: lines 79 to 87 in 53f81e7
|
Understood. But can you please state where and which container (dockerfile) will be started for the build / CI process? Somehow I cannot find it. Additionally, provide me with some helpful documentation links about the GitHub CI so I am able to understand faster. |
The mingw builds are defined here in the syntax defined for github actions, they run in https://github.com/OpenSC/OpenSC/blob/master/.github/workflows/linux.yml#L76 But the scripts are independent from the github actions and could be executed locally with https://github.com/OpenSC/OpenSC/blob/master/containers/README.md There is https://github.com/OpenSC/OpenSC/blob/master/containers/opensc-mingw/Containerfile |
Can you provide an opensc-debug log using the working version of OpenSC? It could be a config option or some change in OpenSC that is being more conservative in 0.23.0 on setting the sizes. In your log at line 1698: The max_send/recv_size:238/254 looks way too small. On an older device with builtin reader on Ubuntu I see: Do you have a different reader? Can you try the same code on Windows 10? (Help isolate if W10 to W11 changed something about reader capabilities) |
I remember this is reader-driver-specific (I did this on a very old Windows machine). Are the reader-hw settings handled by OpenSC in Linux and CygWin similarly? And if not, what is the difference?
Yes, imported from our office, also i am able to compile on a different machine or VM. Results following.
Queued. |
Google for: "alcor micro usb smart card reader" Or try using device manager to look for a new Windows 11 driver. Also try setting env |
On Win11 with CygWin installed in parallel: on Win11 native OpenSC 0.23.0 works fine, CygWin OpenSC 0.23.0 compiles without problems but does not work, the OpenSC version before works with compatibility OpenSSL (old) API calls only. |
That's good. By current, you mean 0.24.0 that was just released Dec 13, 2023? If there is nothing else, you can close the ticket. |
Here is something else to try to see if problems are with reader sizes: It will list the sizes in the opensc-debug log while trying to match a driver. OPENSC_DRIVER=sc-hsm is a run time option to tell OpenSC to only try the sc-hsm driver. |
Found some time. Works with CygWin with this patch: sc-hsm-cygwin.diff.txt card-sc-hsm.c now sets the max_send_size to at least 256, so the card can return data. When it was 254, the card would return errors, as suggested in #2944 (comment) The change to reader-pcsc.c was to make sure some of the tests were still run even if 0x0000001 was returned. I would like @istr and @clauspruefer to give this a try. I still don't understand all of what aadd82b is trying to do. |
I will give a try and report back. |
Correct Version 0.24
```
$ pkcs11-tool -I
Cryptoki version 3.0
Manufacturer     OpenSC Project
Library          OpenSC smartcard framework (ver 0.24)
Using slot 0 with a present token (0x0)
```
Object List ok
@dengert Close issue or wait for istr reply? |
The patch just proves one problem is making the In other words, on Windows OpenSC can not detect the reader sizes and should not set artificial limits. In the sc-hsm case the card driver for the most part assumes the reader will support extended APDU large enough for its needs. Other card drivers may fall back to using the 255/256 and use command chaining and get response to handle larger outgoing commands and incoming data. Wait for @istr as there are still unanswered questions as to how to fix the symmetric key issue with read/write binary operations with odd number APDU instructions. @clauspruefer
where With your 4096 bit key, the outgoing would be 521 bytes with Lc length of The response would look like:
But for 514 bytes different bytes, ending in |
On the run. I think it might also be helpful to check if I can gen a new key with Important Just using a different card with existing RSA 4096 bit key. Card / Key info
Get signing mechs (Hardware)
Using slot 0 with a present token (0x0) Sign with default (RSA-PKCS)
Outgoing APDU
Incoming APDU
|
@istr and @CardContact Thanks for running the test with 4K key. So we are close. The main problem is Windows does not support
Changes in aadd82b in I have some questions about aadd82b and existing
@clauspruefer Thanks for running the test with 4K key. So we are close. |
All of the above commands are explicitly setting the Le to 0 (and encode extended length if needed) except the select command, which instead calls the iso7816 driver for selecting. A quick way of fixing this would be to force Le = 0 in the select:
diff --git a/src/libopensc/card-sc-hsm.c b/src/libopensc/card-sc-hsm.c
index e68975077..a236a2cbc 100644
--- a/src/libopensc/card-sc-hsm.c
+++ b/src/libopensc/card-sc-hsm.c
@@ -151,6 +151,8 @@ static int sc_hsm_select_file_ex(sc_card_t *card,
sc_hsm_private_data_t *priv = (sc_hsm_private_data_t *) card->drv_data;
sc_file_t *file = NULL;
sc_path_t cpath;
+ size_t card_max_recv_size = card->max_recv_size;
+ size_t reader_max_recv_size = card->reader->max_recv_size;
if (file_out == NULL) { // Versions before 0.16 of the SmartCard-HSM do not support P2='0C'
rv = sc_hsm_select_file_ex(card, in_path, forceselect, &file);
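Review bot: the snapshot `reader_max_recv_size = card->reader->max_recv_size` dereferences `card->reader` without a check and captures reader-wide, not per-card, state; while the value is overridden below, every sc_card_t on the same reader sees max_recv_size 256. A one-line comment here stating why both fields have to be overridden (sc_get_max_recv_size() takes the smaller of card and reader value, so setting only `card->max_recv_size` would not yield Le = 00 when the reader value is 254) and a `card->reader == NULL` guard would make the intent and the shared-state effect explicit.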
@@ -184,7 +186,11 @@ static int sc_hsm_select_file_ex(sc_card_t *card,
&& in_path->aid.len == sc_hsm_aid.len
&& !memcmp(in_path->aid.value, sc_hsm_aid.value, sc_hsm_aid.len))) {
if (!priv || (priv->dffcp == NULL) || forceselect) {
+ /* Force use of Le = 0x00 in iso7816_select_file as required by SC-HSM */
+ card->max_recv_size = card->reader->max_recv_size = 256;
rv = (*iso_ops->select_file)(card, in_path, file_out);
+ card->max_recv_size = card_max_recv_size;
+ card->reader->max_recv_size = reader_max_recv_size;
LOG_TEST_RET(card->ctx, rv, "Could not select SmartCard-HSM application");
if (priv) {
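Review bot: the literal 256 and the save/force/call/restore sequence around `(*iso_ops->select_file)` are written out here and twice more further down; a small static helper, e.g. `sc_hsm_iso_select_le0(card, path, file_out)` that saves both sizes, sets them to 256, forwards to `iso_ops->select_file` and restores before returning, would keep the three call sites identical and make it impossible for a later edit to drop one of the restores. The ordering in this hunk (restore before `LOG_TEST_RET`) is correct and should be kept in the helper.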
@@ -213,14 +219,24 @@ static int sc_hsm_select_file_ex(sc_card_t *card,
*file_out = file;
return SC_SUCCESS;
} else {
+ /* Force use of Le = 0x00 in iso7816_select_file as required by SC-HSM */
+ card->max_recv_size = card->reader->max_recv_size = 256;
sc_path_t truncated;
memcpy(&truncated, in_path, sizeof truncated);
truncated.len = in_path->len - 2;
memcpy(truncated.value, in_path->value+2, truncated.len);
- return (*iso_ops->select_file)(card, &truncated, file_out);
+ rv = (*iso_ops->select_file)(card, &truncated, file_out);
+ card->max_recv_size = card_max_recv_size;
+ card->reader->max_recv_size = reader_max_recv_size;
+ return rv;
}
}
- return (*iso_ops->select_file)(card, in_path, file_out);
+ /* Force use of Le = 0x00 in iso7816_select_file as required by SC-HSM */
+ card->max_recv_size = card->reader->max_recv_size = 256;
+ rv = (*iso_ops->select_file)(card, in_path, file_out);
+ card->max_recv_size = card_max_recv_size;
+ card->reader->max_recv_size = reader_max_recv_size;
+ return rv;
}
An alternative would be to explicitly implement the APDU encoding for SELECT in sc-hsm instead of forwarding to iso7816. I hope the above suggestion fixes the problem. |
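Review bot: in the `else` branch the declaration `sc_path_t truncated;` now follows the statement `card->max_recv_size = card->reader->max_recv_size = 256;`, a declaration-after-statement pattern the rest of this function avoids and that `-Wdeclaration-after-statement` builds reject; move that assignment below the two `memcpy` calls that fill `truncated`, directly before `rv = (*iso_ops->select_file)(card, &truncated, file_out);`, so the forced size is set as late as possible and the declaration stays at the top of the block.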
Looks reasonable. I don't have the manual. Does the SC-HSM manual talk about Le = 00 with short APDUs and use of get-response? In which case OpenSC apdu.c would do the get response. Or does SC-HSM require the use of an extended reader? The main problem is OpenSC has no way on Windows to query the reader for its max sizes, and card-sc-hsm.c sets max sizes less than 255/256
The manual does not mention GET RESPONSE and also doesn't mention command chaining for anything else than device authentication. If I remember correctly, @CardContact already confirmed that there is no support for this and that extended length APDUs are indeed required in cases with big chunks of data. |
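To make the Le/Lc discussion in this thread concrete, here is an added example (my own code, not OpenSC's or CardContact's) of how ISO 7816-4 encodes the length fields of a command APDU. A short APDU can carry at most 255 bytes out and ask for at most 256 back, and 256 is written as Le = 00; that is why forcing max_recv_size to 256 in the patch above produces the Le = 00 the SC-HSM wants, while 254 produces FE. Anything larger than that needs an extended-length APDU (three-byte Lc, two- or three-byte Le), which the SC-HSM expects the reader to support instead of falling back to chaining and GET RESPONSE. The SELECT-by-FID (3F00) and PSO DECIPHER class/INS bytes are standard ISO 7816 values used only for illustration; the 512-byte block stands in for an RSA-4096 ciphertext and is constructed here. The 521 bytes it computes for that command (4 header + 3 Lc + 512 data + 2 Le) is the figure dengert quotes above.

```c
/* Added example (not OpenSC code): ISO 7816-4 APDU length-field encoding. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum { APDU_ERR_TOO_LONG = -1, APDU_ERR_BUF = -2, APDU_ERR_ENCODING = -3 };

struct apdu {
    uint8_t cla, ins, p1, p2;
    const uint8_t *data;
    size_t lc;   /* bytes of command data, 0 for none */
    size_t le;   /* bytes expected in the response, 0 for none */
};

/* A short APDU carries at most 255 bytes out and asks for at most 256 back. */
int apdu_needs_extended(const struct apdu *a)
{
    return a->lc > 255 || a->le > 256;
}

/* Encode a command APDU into out. Extended length is used only when the
 * lengths do not fit a short APDU; if that is the case and the reader/card
 * do not support it, fail rather than truncate. Returns bytes written or <0. */
int apdu_encode(const struct apdu *a, int extended_ok, uint8_t *out, size_t outlen)
{
    size_t n = 0;
    int ext = apdu_needs_extended(a);

    if (a->lc > 65535 || a->le > 65536 || (ext && !extended_ok))
        return APDU_ERR_TOO_LONG;
    if (outlen < 4 + 3 + a->lc + 3)       /* worst case: header, Lc(3), data, Le(3) */
        return APDU_ERR_BUF;

    out[n++] = a->cla;
    out[n++] = a->ins;
    out[n++] = a->p1;
    out[n++] = a->p2;

    if (!ext) {
        if (a->lc) {
            out[n++] = (uint8_t)a->lc;
            memcpy(out + n, a->data, a->lc);
            n += a->lc;
        }
        if (a->le)
            out[n++] = (uint8_t)(a->le & 0xff);   /* 256 is written as 00 */
        return (int)n;
    }

    if (a->lc) {
        out[n++] = 0x00;                          /* extended-length marker */
        out[n++] = (uint8_t)(a->lc >> 8);
        out[n++] = (uint8_t)(a->lc & 0xff);
        memcpy(out + n, a->data, a->lc);
        n += a->lc;
    }
    if (a->le) {
        if (!a->lc)
            out[n++] = 0x00;                      /* marker only when no Lc field precedes Le */
        out[n++] = (uint8_t)((a->le >> 8) & 0xff);   /* 65536 is written as 00 00 */
        out[n++] = (uint8_t)(a->le & 0xff);
    }
    return (int)n;
}

/* Le byte of a short SELECT MF (00 A4 00 00 02 3F 00 Le) built with the given
 * max_recv_size, i.e. what a generic ISO SELECT sends; -1 if it cannot be built. */
int select_le_byte(size_t max_recv_size)
{
    static const uint8_t mf[] = { 0x3F, 0x00 };
    struct apdu a = { 0x00, 0xA4, 0x00, 0x00, mf, sizeof mf, max_recv_size };
    uint8_t buf[16];
    int n = apdu_encode(&a, 0, buf, sizeof buf);
    return n < 0 ? -1 : buf[n - 1];
}

/* Size of a case-4 PSO DECIPHER (ISO 7816-8: 00 2A 80 86) moving a 512-byte
 * block (constructed 0xAA bytes standing in for an RSA-4096 ciphertext) out and
 * expecting 512 back. Also checks the field layout: Lc = 00 02 00, Le = 02 00. */
int rsa4096_cmd_len(int extended_ok)
{
    static uint8_t block[512];
    uint8_t buf[4 + 3 + 512 + 3];
    struct apdu a = { 0x00, 0x2A, 0x80, 0x86, block, sizeof block, 512 };
    int n;

    memset(block, 0xAA, sizeof block);
    n = apdu_encode(&a, extended_ok, buf, sizeof buf);
    if (n < 0)
        return n;
    if (buf[4] != 0x00 || buf[5] != 0x02 || buf[6] != 0x00 ||
        buf[n - 2] != 0x02 || buf[n - 1] != 0x00)
        return APDU_ERR_ENCODING;
    return n;
}

int main(void)
{
    printf("SELECT Le byte with max_recv_size 254: %02X\n", select_le_byte(254));
    printf("SELECT Le byte with max_recv_size 256: %02X\n", select_le_byte(256));
    printf("512-byte PSO with short APDUs only: %d (error)\n", rsa4096_cmd_len(0));
    printf("512-byte PSO with extended length: %d bytes\n", rsa4096_cmd_len(1));
    return 0;
}
```

The encoder refuses to emit a command that does not fit the negotiated sizes instead of silently clamping; a driver that clamps to 254 and then masks the low byte is exactly how a SELECT ends up with Le = FE.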
I've created a PR, so that you can pick binaries from the CI pipeline for testing #2978 |
32 bit binaries are available here 64 bit binaries here |
@clauspruefer would you mind testing the suggested fix, please? |
Hi,
sorry, authentication to GitHub broken, laptop got hacked...
Checked yesterday. Win_64bit 0.24 also is working. Tested with 2 Smartcards.
Cygwin 0.24 is working with the last patch I got...
Best regards,
Claus
…On 27.01.24 01:47, Frank Morgner wrote:
@clauspruefer <https://github.com/clauspruefer> would you mind testing
the suggested fix, please?
|
With "the last patch" you mean #2978? |
I currently do not have access to GitHub, it was a small patch in a
reply to Issue #294. I will recheck when I have access to GitHub (this
evening).
Regards,
Claus
…On 29.01.24 14:00, Frank Morgner wrote:
With "the last patch" you mean #2978
<#2978>?
|
The diff attached to the comment from dengert: #2944 (comment) |
Then please test the above pull request or binaries. This should be the correct fix. |
The real problem is As @LudovicRousseau said in: #2944 (comment) PCSClite implements It is not just a Cygwin problem, it is a problem for OpenSC code run on windows both which use See: https://github.com/OpenSC/OpenSC/files/13796437/sc-hsm-cygwin.diff.txt which handles the failure better. |
Sorry, but I disagree. The real problem (tm) seems to be that SELECT is called with Le!=0, which is caused by not having PCSCv2_PART10_PROPERTY_dwMaxAPDUDataSize at hand. We should be able to cope with PCSCv2_PART10_PROPERTY_dwMaxAPDUDataSize unset or even set incorrectly on all PC/SC platforms, but SELECT should always be issued with Le=0, as required by the SC-HSM specification. |
My point in https://github.com/OpenSC/OpenSC/files/13796437/sc-hsm-cygwin.diff.txt is that when the 178 lines of code:
This results in a card driver like This lack of the features from PCSClite in the Windows implementation could be addressed if OpenSC took some of the changes from PCSClite to fill in info for readers. Or at least look in This problem may be the same problem as in #3004 and other card drivers may have similar problems. (I actually found that building OpenSC from github using Cygwin was easy and could debug using |
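dengert's point that Windows has no equivalent of pcsc-lite's PC/SC part 10 property lookup is easier to reason about with the data structure in front of you. The following is an added example, not OpenSC's reader-pcsc.c: it parses the TLV list a FEATURE_GET_TLV_PROPERTIES control returns (1-byte tag, 1-byte length, little-endian value), looks for dwMaxAPDUDataSize and turns the three cases I read the part 10 spec as defining (0 = short APDU only, 1 = extended supported with no stated limit, anything else = the limit in bytes) into send/receive limits, and reports "not found" rather than inventing a number when the property is absent, which is the Windows situation in this issue. The tag number 10 is quoted from memory of pcsc-lite's reader.h and is an assumption; the sample blobs are constructed, not captured from a reader.

```c
/* Added example (not OpenSC code): deriving APDU size limits from a PC/SC
 * part 10 TLV property list, with "unknown" kept distinct from "small". */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Assumption: tag value recalled from pcsc-lite's reader.h. */
#define PART10_TAG_dwMaxAPDUDataSize 10

struct reader_limits {
    int found;             /* property present at all */
    int extended_len;      /* reader can carry extended-length APDUs */
    size_t max_send_size;  /* data bytes per command */
    size_t max_recv_size;  /* data bytes per response */
};

/* Find one tag in a part 10 TLV list. Returns 1 and sets *value if found.
 * Truncated entries stop the walk and count as "not found" rather than
 * being read past the end of the buffer. */
static int part10_find_u32(const uint8_t *tlv, size_t len, uint8_t tag, uint32_t *value)
{
    size_t i = 0;
    while (i + 2 <= len) {
        uint8_t t = tlv[i], l = tlv[i + 1];
        if (i + 2 + l > len)
            return 0;
        if (t == tag) {
            uint32_t v = 0;
            size_t k;
            if (l == 0 || l > 4)
                return 0;                       /* not an integer property */
            for (k = 0; k < l; k++)
                v |= (uint32_t)tlv[i + 2 + k] << (8 * k);   /* little-endian */
            *value = v;
            return 1;
        }
        i += 2 + l;
    }
    return 0;
}

/* 0 = short APDU only, 1 = extended with no stated limit, else the limit.
 * When the property is missing, found stays 0 and no size is invented. */
struct reader_limits reader_limits_from_tlv(const uint8_t *tlv, size_t len)
{
    struct reader_limits r = { 0, 0, 0, 0 };
    uint32_t v;

    if (!part10_find_u32(tlv, len, PART10_TAG_dwMaxAPDUDataSize, &v))
        return r;
    r.found = 1;
    if (v == 0) {
        r.max_send_size = 255;
        r.max_recv_size = 256;
    } else if (v == 1) {
        r.extended_len = 1;
        r.max_send_size = 65535;
        r.max_recv_size = 65536;
    } else {
        r.extended_len = v > 256;
        r.max_send_size = v > 65535 ? 65535 : v;
        r.max_recv_size = v > 65536 ? 65536 : v;
    }
    return r;
}

/* Constructed sample blobs, not captured from real readers. */
static const uint8_t tlv_extended[] = {
    0x01, 0x02, 0x00, 0x00,                   /* some other property, skipped */
    0x0A, 0x04, 0x00, 0x10, 0x00, 0x00,       /* dwMaxAPDUDataSize = 4096 */
};
static const uint8_t tlv_short_only[] = { 0x0A, 0x04, 0x00, 0x00, 0x00, 0x00 };
static const uint8_t tlv_no_limit[]   = { 0x0A, 0x04, 0x01, 0x00, 0x00, 0x00 };
static const uint8_t tlv_no_size[]    = { 0x01, 0x02, 0x00, 0x00 };   /* Windows-like: absent */
static const uint8_t tlv_truncated[]  = { 0x0A, 0x04, 0x00, 0x10 };   /* claims 4 bytes, has 2 */

static void show(const char *name, const uint8_t *tlv, size_t len)
{
    struct reader_limits r = reader_limits_from_tlv(tlv, len);
    printf("%-11s found=%d extended=%d send=%zu recv=%zu\n",
           name, r.found, r.extended_len, r.max_send_size, r.max_recv_size);
}

int main(void)
{
    show("extended", tlv_extended, sizeof tlv_extended);
    show("short-only", tlv_short_only, sizeof tlv_short_only);
    show("no-limit", tlv_no_limit, sizeof tlv_no_limit);
    show("no-size", tlv_no_size, sizeof tlv_no_size);
    show("truncated", tlv_truncated, sizeof tlv_truncated);
    return 0;
}
```

The caller decides what to do with found == 0; the argument in this thread is that it should leave the card driver's own requirements in force rather than clamp to a 254-byte guess.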
That's indeed another problem, for which I've created a separate issue
I don't know. |
both patches are needed to reliably fix this in all situations |
fixes #2944 Co-authored-by: Jakub Jelen <[email protected]>
Problem Description
OpenSC 0.23.0 (current git) and 0.24.0 broken on Cygwin (Win11_64 current). Under OpenSC 0.22 everything is working fine.
Steps to reproduce
1.) setup-x86_64.exe and install
2.) Cygwin64 Terminal (git clone https://github.com/OpenSC/OpenSC.git)
./bootstrap
./configure (--strict obsolete)
make (-jX)
make install
Proof (Compile OpenSC 0.22 with declaration-errors disabled)
Cygwin64 Terminal
./bootstrap
env "CFLAGS=-Wno-error=deprecated-declarations" ./configure
make (-jX)
make install
=> Result: working
Log Results
1.) pkcs11-tool -L
```
Available slots:
Slot 0 (0x0): Alcor Micro USB Smart Card Reader 0
(empty)
```
2.) pkcs11-tool -L
```
Available slots:
Slot 0 (0x0): (GetSlotInfo failed, CKR_DATA_INVALID)
```
Logs for 2.) attached as file.
It seems that the used smart-card (SC-HSM) has been detected (line 406) and is then stuck in an endless loop: Could not decode card verifiable certificate: -1401 (Invalid ASN.1 object). I am not too deep in the pkcs15 protocol, also it could be a SC-HSM issue, but why just on CygWin? On my native Win11 (same machine) it works fine. (attachment: opensc.log)
Remarks
OpenSC 0.23.0 on Win11_x64 installed is working fine (no errors with pkcs11 and pkcs15).
Also the Cygwin documentation should be updated (--strict compiler flag not needed anymore, also uncommenting / setting CPPFLAGS in configure.ac obsolete).