Slovenian eOI on Mac only exposes the PIN-less applet

[craftbyte]

Problem Description

The Slovenian eID implementation on Mac seems to only expose the PIN-less applet to the OS. Running pkcs11-tool --list-slots works though. Seems like there is something weird between the CryptoTokenKit service (OpenSC.tokend) and OpenSC.
Pinging @llogar, since he was the main implementor of this and may have some details.

Proposed Resolution

Expose both applets to the OS. Maybe we need to present all the certificates as one token?

Steps to reproduce

Insert eOI into Mac. Run security list-smartcards and security export-smartcard. The output will only show the PIN-less applet details.

Logs

https://gist.github.com/craftbyte/9be5e9c0b9d319880eac7fb6d13ef289

[llogar]

Currently only one applet at a time can be active. I think this is an OpenSC limitation. To select an active applet, enable/disable the relevant application block in opensc.conf (either E828BD080F014E585031 or E828BD080F014E585030)`. However I think the pinless applet should, by default, be disabled, so I am not sure why you are only seeing the pinless applet/slot

[frankmorgner]

I think this is a limitation of OpenSCToken, which expects all keys and certificates to be in the generic card application:
https://github.com/frankmorgner/OpenSCToken/blob/f860cabca2d99bd600eb2affb2a8ef0a2a9b4bc0/OpenSCToken/Token.m#L106-L108

Basically, that needs to be extended to the other applications on the card as well, which is similar to what is done in the PKCS#11 library:

OpenSC/src/pkcs11/slot.c

Lines 347 to 361 in c354501

	/* Now bind the rest of applications that are not 'generic' */
	for (j = 0; j < p11card->card->app_count; j++) {
	struct sc_app_info *app_info = p11card->card->app[j];
	char *app_name = app_info ? app_info->label : "<anonymous>";
	if (app_generic && app_generic == p11card->card->app[j])
	continue;
	sc_log(context, "%s: Binding %s token.", reader->name, app_name);
	rv = frameworks[i]->bind(p11card, app_info);
	if (rv != CKR_OK) {
	sc_log(context, "%s: bind %s token error Ox%lX",
	reader->name, app_name, rv);
	continue;
	}

Interestingly, minidriver.c also only binds the generic application. Could you please check if this problem also occurs on Windows using certutil.exe -scinfo?

[llogar]

Yes, it's the same on Windows. As I've said before, the solution, or rather workaround, (at least on Windows, I have no experience with Macs) is to enable just the applet you need...

[frankmorgner]

I added multi-app support into OpenSCToken. Unfortunately, I can only do some basic tests. Would you mind testing the macOS package from here https://github.com/OpenSC/OpenSC/actions/runs/7653681110 ?

[frankmorgner]

Would someone please test the macOS artifacts linked above? This adds support for all applications on the card, without the need for the mentioned workaround. thank you

[msetina]

Should this work on Linux?

[craftbyte]

@frankmorgner Sorry for the late reply, I have been hit with life as a truck. I tested this and am having issues with basic OpenSC usage. MacOS doesnt detect any smartcards and pkcs11-tool takes a suspiciously long time to list slots. What kind of logs would be useful to you?

Here is a log of OPENSC_DEBUG=9 pkcs11-tool --list-slots: https://gist.github.com/craftbyte/02f689b04e8e45bfbb43b72e32c96f1b

[llogar]

Should this work on Linux?

It should... The pinless applet is disabled by default though and when/if enabled it erroneously asks for PIN, although it is not needed. See #2646 (comment)

[msetina]

Thank you @llogar. I was wondering about this modification @frankmorgner linked, because I was following this support and as I can see there are two features missing as "by desing as of now" in openSC:

1. PINless is not there but with circumvention
2. Support is there for just one app per card and the forementioned fix should add this. So all 3 apps on the card need to be enabled in config. One at a time.

[llogar]

There are only 2 applets of interest (well, the 3rd one is eMRTD applet, but I think it's irrelevant in this context). If both are enabled there are 3 virtual slots (1 slot for pinless applet and 2 slots for the signature applet (1 for NormPIN and 1 for SigPIN). I prefer to have only one applet enabled at a time, as If I remember correctly, firefox (or perhaps thunderbird) kept nagging me for PIN entry for the unneeded one. But ymmv.

[frankmorgner]

I added multi-app support into OpenSCToken. Unfortunately, I can only do some basic tests. Would you mind testing the macOS package from here https://github.com/OpenSC/OpenSC/actions/runs/7653681110 ?

This modification should allow using all certificates from all applets in OpenSCToken at the same time without modifying the active applet in opensc.conf. To test this, download the build artifact (https://github.com/OpenSC/OpenSC/actions/runs/7653681110/artifacts/1194532843), install the dmg. sc_auth identities should now show all certificates.

[msetina]

@craftbyte maybe a fix to your problem is just adding:

framework pkcs15 {
                # Slovenian eID - low level (pinless, "Prijava brez PIN-a")
                application E828BD080F014E585031 {
                model = "ChipDocLite";
                disable = true;
                user_pin = "Norm PIN";
                }

                # Slovenian eID - high level (QES, "Podpis in prijava")
                application E828BD080F014E585030 {
                model = "ChipDocLite";
                # disable = true;
                user_pin = "Norm PIN";
                sign_pin = "Sig PIN";
                }
        }

to app default section of opensc.conf. This is from example opensc.conf and it works for me.

[frankmorgner]

@llogar , the settings you are referring to are present in opensc.conf.example, but they are not distributed as opensc.conf, i.e. they are not the default settings. Ideally, we'd like to keep it that way so that OpenSC runs with sane settings even when a configuration file is missing.

There are already tweaks to the PKCS#15 profile in pkcs15-eoi.c and if possible, this is where you can modify the profile to work out of the box. For example, you could easily modify sc_pkcs15emu_eoi_init_ex to return an error if binding E828BD080F014E585031 is requested (also with a driver specific option to maybe enable this again). Manually renaming *Norm PIN" to "UserPIN" and Sig PIN to "SignPIN" could also be an option, but I don't know if it is required to be identified correctly.